Are we losing the fight? A practical overview how malware threatens the internet economy at the example of mebroot/torpig

Posted on 19-Dec-2015


Why do people transact online?

Because online transacting is fast, convenient and safe.

Because people are confident that their information is secure.

Is this value proposition being eroded?

Online crime is affecting consumer confidence worldwide

Is the message getting through?

“Malicious Software”, OECD Ministerial Meeting on the Future of the Internet Economy, Seoul, South Korea, 17-18 June, 2008

Barack Obama used “botnets”, “malware” and “Conficker” in his Cyber Security Policy announcement, and a fairly technical Conficker analysis was listed in its bibliography.

Highlights from OECD report

Malware, in the form of botnets, has become a critical part of a self-sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay “below the radar” of the security and law enforcement communities.

The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

The behaviour of market players confronted with malware (whether Internet service providers, e-commerce companies, registrars, software vendors or end users) is influenced by mixed incentives, some working to enhance and some to reduce security. There are many instances in which the costs of malware are externalised by players at one stage of the value chain onto other players in the value chain.

A wide range of communities and actors – from policy makers to Internet service providers to end users – has a role to play in combating malware. There is still limited knowledge, understanding, organisation and delineation of roles and responsibilities in this broad community of actors.

Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy.

Threats

Denying access (e.g. DDoS)
Extorting money (ransom)
Espionage
Stealing information: user ID, password, address, mobile phone
Stealing money: banking, adware, fake software, money laundering

Information Stealing

Two approaches:

Server attack: hack into a webserver and steal lots of personal information at one time.

Client attack: use malware to perpetrate identity theft / online fraud.

Why the shift?

Firstly, server attacks are still highly successful through insecure server software; see e.g. the VISA malware report.

However, a client attack has several key advantages: it circumvents all server security put into place, e.g. by banks; it gets access to the information in real time (e.g. OTPs); and it can use the compromised PC for further action (e.g. a botnet, or even “just” an account login).

▪ Bullitt County, Kentucky lost $415,000 USD in one such attack (http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html?wprss=securityfix)

How

There are way too many options to choose from

The bad guys are advertising their services, with considerable competition, rating systems and references.

More and more “ready-to-run” kits are available (Crimeware-as-a-service)

Crimeware-as-a-service

More and more kits are available as a hosted service (e.g. ZeusCrimeware):

"[Q] What is
▪ [A] is a mix between the ZeuS Trojan and MalKit, a browser attack toolkit that will steal all information logged on the computer. After being redirected to the browser exploits, the Zeus bot will be installed on the victim's computer and start logging all outgoing connections.
[Q] How much does it cost?
▪ [A] Hosting for costs $50 for 3 months. This includes the following:
▪ # Fully set up ZeuS Trojan with configured FUD binary.
▪ # Log all information via Internet Explorer
▪ # Log all FTP connections
▪ # Steal banking data
▪ # Steal credit cards
▪ # Phish US, UK and RU banks
▪ # Host file override
▪ # All other ZeuS Trojan features
▪ # Fully set up MalKit with stats viewer integrated.
▪ # 10 IE 4/5/6/7 exploits, # 2 Firefox exploits, # 1 Opera exploit"
▪ We also host normal ZeuS clients for $10/month.
▪ This includes a fully set up Zeus panel/configured binary"

ZeuEsta Feature List

ZeuEsta is capable of the following:
• Exploit unpatched Internet Explorer (all versions)
• Exploit unpatched Firefox (1/2)
• Exploit unpatched Opera (9.62 and below)
• Exploit Adobe Reader 6/7/8 (all browsers)
• Log outgoing browser connections
• Log outgoing FTP connections
• Log outgoing POP3 connections
• Log all IE site cookies
• Log site passwords
• Log ANY site defined in config
• Steal banking information / accounts
• Steal credit cards
• Issue remote commands
• Download and execute files
• Get website certificates
• View screenshots
• Use bots as elite socks4 proxy server
• Host file override (site blocking)
• Check referrers to see from which sites you get most hits
• View exploit statistics to see the exploit ratio for your traffic
• Not detected by most antivirus engines
• Plus lots more

CaaS

Mebroot

Mebroot is the nastiest piece of malware. Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools.

Mebroot never writes any file to the hard drive.
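Because a bootkit of this kind lives in sector 0 rather than in a file, a file-based scan has nothing to look at; the defender's check is to compare the MBR's boot code against a known-good baseline. The following is an added example (not code from the presentation or from any Mebroot analysis) that parses a 512-byte MBR, hashes the boot-code region and reports deviations from a baseline; the two sample sectors it builds are constructed for the demo.

```python
"""Baseline integrity check for a 512-byte Master Boot Record (MBR).
A bootkit like Mebroot swaps the boot code in sector 0 but leaves the partition
table intact, so file-based AV sees nothing; hashing the boot-code region and
comparing it with a known-good value taken at install time exposes the change.
Sample MBRs below are constructed for this demo, not real captures."""
import hashlib
import struct

SECTOR, BOOT_CODE_END, PART_TABLE_OFF = 512, 440, 446
ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "start_lba": lba, "sectors": size})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts, "valid_signature": sector[510:] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot stub, one bootable NTFS-type partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)            # disk signature
    struct.pack_into(ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)

CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3c\x90" * 20)  # same table, new boot code
```

On a real system the sector would come from reading the first 512 bytes of the raw disk device with administrator rights, and the baseline hash would be stored off-host so the malware cannot adjust it.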

Mebroot deploys Torpig

Mebroot installs Torpig as its payload, and Torpig is by far the nastiest thing we have ever seen. Generally, it:

steals login and other personal or confidential details from banking websites;
can inject any HTML content into any website (whether or not the website is encrypted, with or without EV SSL) without detection;
can capture CAPTCHAs and compromise virtual keyboards;
can use the information in real time to defeat one-time passwords;
has configuration files for many banking sites so that it knows exactly what to look out for;
is incredibly hard to detect;
works system-wide and therefore any browser is affected (yes, you heard right: Firefox and Chrome users are also affected).

How? Drive-by install

Mebroot infects hosts and “adds” an invisible <IFRAME> which exploits current vulnerabilities, such as the GetIcon vulnerability in Adobe PDF Reader.
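The invisible frame is what a compromised site's owner (or a web crawler run by a security team) can actually look for. Below is an added example, not code from the presentation, that scans a page's HTML and reports iframes that are sized to zero, hidden by CSS or pushed off-screen; the sample page and the `exploit-kit.invalid` addresses in it are constructed placeholders.

```python
"""Flag invisible <iframe> tags of the kind used for drive-by installs.
The drive-by described above rides on an <IFRAME> added to a compromised page
that the visitor never sees; this scanner reports iframes that are sized to
zero, hidden by CSS or pushed off-screen. Sample page is constructed."""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d+", re.I)
NUMERIC = re.compile(r"^\s*(\d+)")

def _tiny(value) -> bool:
    """True when a width/height attribute such as '0', '1px' or '0%' is at most 1."""
    m = NUMERIC.match(value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeScanner(HTMLParser):
    """Collect every iframe with the reasons (if any) it would be invisible."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("css-hidden")
        if OFFSCREEN.search(a.get("style", "")):
            reasons.append("off-screen")
        self.iframes.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html: str) -> list:
    """Return only the iframes that carry at least one invisibility indicator."""
    scanner = IframeScanner()
    scanner.feed(html)
    return [f for f in scanner.iframes if f["reasons"]]

# Constructed sample: one legitimate embed plus two injected, invisible frames.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
<iframe src="http://exploit-kit.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://exploit-kit.invalid/pdf" style="position:absolute;left:-9999px"></iframe>
</body></html>"""
```

Run `find_hidden_iframes` over each page of a site after every FTP deployment; a hit pointing at a domain the site does not otherwise reference is the signal that the stolen-FTP-credentials route described later in the talk has been used.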

C&C structure (diagram): several infected servers, each performing a drive-by install of Torpig on visiting clients.

What does it look like?

Silently keylogging and webpage sniffing in the background.

What does it look like?

Injecting HTML code into the website.

How good is AV protecting me?

Server-side packaging

From the Storm botnet: every request was served an executable, with a 5-10 second delay between requests. Time and MD5 hash of each download:

Time  MD5 hash
0:01  3c45c216e84f8e11d8f430a4360dd6be
0:02  73fe77dabc4b268c547fca44bcd2f06a
0:03  f9d0e2c5158893060cfa91b0c05b6aa7
0:04  d1a01e06c9d97420839018dafe53ba73
0:05  c9df0d27a452f496852837621631f6ac
0:06  ca2651724de4406a0b30b1d5b61742d0
0:07  5b822630938e783efe4936e8eb90555a
0:08  397c682495a9ac1f36dfdf7cf0363748
0:09  7137a99429cfdf67525dcf0d61be771f
0:10  036502b7062c3eb2c83f7c7ebea29ec6

File: patch.exe, Length: 37642

Why is it so successful?

Mebroot/Torpig is the most sophisticated piece of malware you can find on the planet (master boot record, various kernel files, complicated boot process, code injection, server backend).

Deployment through drive-by from “private” or other compromised sites: they use any FTP account details they steal to compromise the websites of many private and small businesses.

Why is it so successful?

They use the information very intelligently. They only infect as many hosts as they have to in order to stay under the radar:

▪ They only infect a small percentage, and often only in certain parts of the world (geographic IP).

The other main reason could be that they gather much more information than they can use at any one time.

They constantly update the malware so that it stays virtually undetected. Current AV engines are really bad at detecting an infected system, as Mebroot doesn’t write anything to the hard drive.

Why will it continue to be successful?

Use of more and more crypto inside trojans renders current defense strategies useless; e.g. it is not possible anymore to sinkhole a Mebroot C&C server.

Very high quality code: the developers belong to the best of their class. There are still a number of “deficiencies” that allow us researchers to be somewhat in control, but this “advantage” will disappear.

Why is it a threat?

The University of Santa Barbara infiltrated one C&C server for just 10 days, with astonishing results!!! The sinkholed C&C server collected almost 70 GB of data:

stolen credentials from 52,540 different infected machines and some 297,962 unique credentials (username/password);

credentials of 8,310 bank accounts at 410 different financial institutions;

more than 11 million HTTP(S) form data items, 1,258,862 email accounts, 1,235,122 Windows passwords, …

Why is it a threat? (contd.)

Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. However, a report by Symantec indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.

If these figures are accurate, in ten days of activity the Torpig controllers may have profited anywhere between $83k and $8.3M.

Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials.

BUT STILL

Mebroot/Torpig will NOT use the information in real time... It collects the confidential information and uses it at a later stage.

However, there are other high-profile trojans that are doing exactly this, such as Yaludle (a SilentBanker variant), some Zeus variants, and Bankpatch (which even fakes the online statement page so that the fraudulent transactions don’t show up online).

Mebroot/Torpig uses only a handful of the available techniques... There is more to come.

So... Why should we be concerned?

Financial impact
Impacts on market players: Internet service providers, electronic commerce, software vendors, registrars, end users
Erosion of trust and confidence
Risk to critical infrastructure

Financial Impact

Although precise data on online criminal activity and the associated financial losses is difficult to collect, it is generally accepted that malware contributes significantly to these losses (110)

One recent survey of 52 information technology professionals and managers estimated a slight decline in the direct damages associated with malware, from EUR 12.2 billion in 2004, to EUR 10 billion in 2005, to EUR 9.3 billion in 2006. (Computer Economics) This decrease is largely attributed to the suspicion that indirect or secondary losses are actually increasing. Furthermore, the same survey found that most organisations tracked the frequency of malware incidents but not the financial impacts. (Computer Economics)

Another survey estimated the annual loss to United States businesses at USD 67.2 billion. (United States Government Accountability Office 2007)

Impact on ISPs

Both costs and revenues are affected by malware.
Biggest cost is customer support and abuse management.
Increased traffic volume, through spam and DoS.
Blacklisting could affect the branding of the ISP.

Impact on Ecommerce companies

DDoS, which increases costs.
Confidential data leakage: external (malware), internal (malware), internal (insider threat, ...).
Typically the user of the ecommerce site is affected.
Transaction fees for payment processing.

Impact on software vendors

Once a software company is affected by malware, the main costs are branding, education, loss of functionality, loss of service, ..., and incident response management.

To avoid becoming affected, the costs are around SDL, testing, patching, ... These costs also apply to the users of the software.

Impact on Registrars

Registrars make a lot of money from malware, as the C&C servers typically use domain names at very little cost. Security researchers quite often “sinkhole” tens of thousands of domains.

Main cost is the abuse department. Suspending domains may result in legal liabilities: malware-related domain deregistration is a complex issue where there is no clear breach of trademark or copyright.

Risk of legal action.

Impact on end users

End users are the typical target of malware

The economic impact of infected computers is distributed across the whole value system

Either the user suffers directly, or other players will suffer from such an attack, through the compromised machine.

Erosion of Trust and confidence

We as a society rely more and more on information systems

In recent years, a number of surveys have been conducted which show that consumers are concerned about security and privacy risks associated with providing information online or conducting transactions online. (121) The key point of these surveys is that if security and privacy concerns were better able to be addressed, then many more consumers would use e-commerce, e-banking and various e-government services than currently is the case, thus enhancing the economic benefits and efficiencies expected from the use of these platforms.

The solution...

...is quite far away.

However, we can make a huge difference by looking at the following strategies: proactive prevention strategies, cooperation for response, legal framework / law enforcement, and global co-operation.