Introduction:
Just when you thought it could not get any weirder, we bring you yet another installment of Bombs, Bullets, and Bits! This is Episode V of the ongoing series, and today's installment focuses on the wonderment of open-market promotion, marketing and salesmanship within the sub-economic ecosystems of the underground. Before we get going, though, I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.
Adam Smith and Underground Sub-Economic Ecosystem of the Internet:
Adam Smith is revered the world over by economists and non-economists alike. Smith (b. 1723 – d. 1790) wrote what many consider to be one of the most important texts in economics and philosophy, The Wealth of Nations. He is credited with coining the phrase and concept of the "invisible hand of the market" which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles such as supply and demand. If you have not studied Smith's work I would suggest picking up The Wealth of Nations, as it is timeless. In the event you have not, but are interested in understanding the basic premises of Smith's philosophy (and if you intend to read the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points:
- Every good and/or service has a "natural price" as determined by the weight given to it by its supplier, seller and potential buyers
- If the price for a good and/or service exceeds that natural price, more resources (sellers, suppliers etc.) will be attracted to that market seeking to make a profit
- The price will return to its "natural" level over time as a result of market conditions
- "Supply" should be viewed as a force or condition that tends to affect the price of a good or service based on availability and demand
- "Demand" should be viewed as a force that increases the price of a good or service. Demand is also driven and influenced by supply (depending on what the good or service is)
- If the two ("Supply" and "Demand") are in equilibrium, a state of stability in the market, they will remain in balance. Should that stability fluctuate away from equilibrium, the natural cycle associated with competition rises once more and a return to "normalized" pricing occurs
- These cycles never cease; they are, in effect, in a state of kinetic motion
Relevance to the Underground and You:
Ok, at this point you may be thinking "thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.?" I'm glad you asked. As we established above, every good and/or service has what Smith called a "natural price". This "natural price" is determined by a variety of factors including, at a high level:
- Supply
- Demand
As one might expect, availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers. This is true in all markets, up to and including the various 'sub-ecosystems' of the underground. In conducting research on botnets I recently ran across quite a bit of 'marketing' and solicitation, the likes of which would have made any professional sales team proud. Want access to source code for a botnet to do with what you will? DDoS? Spam? Malicious code infection? No problem, you can do it all with the right package. In fact, in one case, that of the 'Blazebot' botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet's final form:
Figure 1: Examples of Marketed Features In the Underground

Installation:
- Service Startup
- ActiveX Startup
- Anti Debugger thread
- Anti Dumping Mechanism
- File Protection (can be seen on video)
- Two types of process protection
- Windows Firewall exception
- Shared memory between service and userland app (ring 3)
- User impersonation (Service steals a token from userland App to steal their data)
- Pure API sockets (no ocx, csocketmaster or whatever)
- Ring3 API unhooking

Commands:
- Update - Allows users to update the bots with a newer version
- Dump - This will cover the retrieving of:
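To make the "Ring3 API unhooking" claim in Figure 1 concrete, here is an added example, not code from the Blazebot author or from this post, showing what a userland hook looks like at the byte level, how an analyst can detect it by comparing a live prologue against the clean on-disk copy, and what the bot's "unhooking" actually does. The stub bytes, the function address (FUNC_ADDR) and the hook handler address (HOOK_ADDR) are constructed values, not taken from any real binary; a real check reads the exported function prologues of ntdll.dll/kernel32.dll from the live process and compares them with a fresh mapping of the same file from disk.

```python
import struct

# Constructed sample bytes (not taken from any real binary). They mimic the
# 16-byte prologue of a 32-bit Windows system-call stub as it appears on disk:
#   mov eax, 0xBF ; mov edx, 0x7FFE0300 ; call [edx] ; ret 0x18 ; nop
CLEAN_STUB = bytes.fromhex("B8BF000000" "BA0003FE7F" "FF12" "C21800" "90")

FUNC_ADDR = 0x7C90E000   # assumed address of the stub inside the target process
HOOK_ADDR = 0x10001000   # assumed address of a monitoring DLL's hook handler


def make_hooked(clean, func_addr, hook_addr):
    """Overwrite the first five bytes with 'jmp rel32', the way a userland
    (ring 3) hook placed by security software usually does."""
    rel32 = struct.pack("<i", hook_addr - (func_addr + 5))
    return b"\xE9" + rel32 + clean[5:]


def analyze(func_addr, in_memory, on_disk):
    """Compare a function prologue read from a live process with the same
    bytes from the module on disk and classify any inline patch found."""
    if in_memory == on_disk:
        return {"hooked": False, "kind": None, "target": None}
    if in_memory[0] == 0xE9:                              # jmp rel32
        rel = struct.unpack("<i", in_memory[1:5])[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF
        return {"hooked": True, "kind": "jmp_rel32", "target": target}
    if in_memory[:2] == b"\xFF\x25":                      # jmp dword ptr [abs]
        slot = struct.unpack("<I", in_memory[2:6])[0]    # pointer slot, not the code
        return {"hooked": True, "kind": "jmp_indirect", "target": slot}
    if in_memory[0] == 0x68 and in_memory[5] == 0xC3:     # push imm32 ; ret
        target = struct.unpack("<I", in_memory[1:5])[0]
        return {"hooked": True, "kind": "push_ret", "target": target}
    return {"hooked": True, "kind": "unknown_patch", "target": None}


def unhook(in_memory, on_disk):
    """What the marketed 'Ring3 API unhooking' amounts to: the bot copies the
    clean on-disk prologue back over the hook, so the monitoring DLL never
    sees the calls it was supposed to intercept."""
    return on_disk[:len(in_memory)]


if __name__ == "__main__":
    hooked = make_hooked(CLEAN_STUB, FUNC_ADDR, HOOK_ADDR)
    print("clean :", analyze(FUNC_ADDR, CLEAN_STUB, CLEAN_STUB))
    print("hooked:", analyze(FUNC_ADDR, hooked, CLEAN_STUB))
    print("after unhook:", analyze(FUNC_ADDR, unhook(hooked, CLEAN_STUB), CLEAN_STUB))
```

Unhooking works because the monitoring product's hook lives in the same ring 3 address space as the bot, so writing the clean prologue back is an ordinary memory write. For the defender the comparison must tolerate legitimate differences: relocations, hot patches and the security product's own hooks all change prologues, so treat a diff as a lead rather than a verdict and resolve each jmp target to the module that owns it.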
In this case the author decided to take his project to the open market and solicit private bids. Bids (which were rejected by the author) ranged from $50 USD to 400 Euros. In the end the author sold the entire source code package to a private party who wished to remain anonymous, for an undisclosed amount. As part of the author's campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS botnet and its community. A key selling point made by the author was that, unlike ZeuS, he was selling the entire source code package rather than simply binaries, thus enabling the buyer to establish their footprint in the botnet world in any number of ways, all at the command of the new owner. Additionally, the author demonstrated the ability of the code to bypass detection by some 22 anti-malware engines.
Up On Olympus:
ZeuS is another wonderful example of this. Currently, active orders are being solicited for ZeuS 1.4.x.x with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality. ZeuS is an interesting case in that older versions of the botnet are easily had in the wild and can still be used effectively, even though newer, more easily obfuscated versions of the code are available. ZeuS is in extremely high demand, selling on a pre-order basis. A testimony to its popularity, and to the continued success of its authors, sellers and suppliers, is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, loading them with malicious code and content packages, with the end game being their enrollment in the greater command and control fabric. These examples are certainly not representative of all activity within the underground; however, they provide a clear and concise view of just how supply and demand are working on a routine basis.
APTs, Web Browsers and Information Security
The recent news surrounding the Google cyberattack, and the fact that web browsers were exploited to facilitate these attacks, comes as no surprise. In fact, I recall in 2006 and 2007, when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:
If I had a giveaway for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive? Almost unanimously the hands would go up for the $1000 cash, because people want the cash.
The whole point of this series of presentations was that security has everything to do with information; viruses, worms, Trojans, bots, etc. are simply mechanisms used to gain access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.
I submit to you today the same thing that I would tell folks three years ago and more: the web browser is the most widely used application in user land and, as such, will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentations via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we saw a large-scale compromise, PUBLICLY announced, enabled by flaws in the web browser and by the near-ubiquitous use of the browser on every computing device a user, consumer or employee uses to go about their daily business.
I remember the first time I mentioned to an audience that the use of the web browser, taken into an information security context, was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that because a web browser and the plug-ins and content handlers it hosts (Java, ActiveX, VML, XML and others) "just run" once the browser is launched, it is no different from giving someone free rein to do whatever they want in your home or office when it comes to valuables.
This series of attacks and exploits against Internet Explorer has proven that point more than ever. The opportunity was there three years ago and now the first of many attacks has arrived. But the one thing that we must absolutely remember is that it is not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be consumers' credit card information or a chemical company's intellectual property.
Security is about protecting information, pure and simple; everything else is a by-product of that.
For more information on the presentations I mentioned above please check out:
http://bit.ly/8gQfrz
http://bit.ly/74tBEM
Botnets, Malware and the Fortune 100
After a much too long hiatus and sabbatical of sorts, I’m back to contributing to the efforts here at Cassandra.
Anyhow, I came across this article very recently and, while it was published in September, it is a very timely topic given some of the conversations I've had with my colleagues here at Cassandra. What follows is my philosophical post. But first I have to give the folks at Defence Intelligence the proper credit and recognition, as the Fox News article I am referring to comes from their work.
The first line, stating that at least 50 of the companies in the Fortune 100 are compromised by an information-stealing botnet, was not surprising to me at all. But it did get me thinking about the state of security programs, processes and technology in these organizations, among others. While it might be easy to blame specific industries and their focus on regulatory compliance rather than security (yes, they're different, and we'll discuss that in another article), or to lay blame at the feet of a lack of budget and resources, a lack of technology savvy or some other excuse, we must first understand that the Fortune 100 are the largest companies in the U.S.
Let’s start with a few assumptions:
1 – The Fortune 100 are likely to be among the most savvy companies in the world when it comes to adopting and using people, processes and technology to enable their business.
2 – They are more likely to have the resources to enable effective information security programs than smaller companies.
3 – They are likely to have established a CISO or equivalent position.
4 – They are likely to be considered very coveted accounts by technology and security vendors. Therefore, we can expect that they are at least made aware of the latest innovations in technology and security and should certainly be made aware of those vendors’ research efforts into current threats.
Now that I’ve made a few assumptions, I want to dive in to the thoughts that I had on this article.
As I read the article and made these assumptions in my mind, I asked myself: "If over 50% of the Fortune 100 have been compromised, what does that say about the rest of the companies in the US?" The reality is that there is no way to know what it means for the rest of the companies; however, we can probably very safely assume that over 50% of them are compromised as well.
What is not made clear in the article or in the research details I’ve been able to review thus far is how deep the compromise goes into these organizations. Are we talking hundreds or thousands of systems or are we talking a few to tens? That would help put some of this into a better context for this article, but lacking that information I’m going to do my best to illustrate what this could mean from an information security perspective.
Maybe the question to ask is "What did the others do right?", or were they simply not tested? There is much to be learned from the research and this report, but one thing is very clear to me: these companies have plenty to be concerned about when it comes to the state of their information security programs.
More later…
This article has been making the rounds in the IT/security blog world, and I couldn't help but weigh in and comment on it. The story being passed around is a scary one: an employee of the Massachusetts state government was found to have a fairly large quantity of child pornography in the browser cache of his state-issued laptop. He was, of course, arrested and charged with possession of child pornography. During the course of mounting his defense against these charges, it was found that his machine had some form of malware that was "programmed to visit as many as 40 child porn sites per minute," a clearly impossible task for a human who actually wants to see what is on those sites. It became clear to all involved that the pornographic images found were very unlikely to have been put there by him, and the charges were dropped. All's well that ends well, right? Wrong.
The first problem here is that this opens Pandora's box a crack, as it tends to raise the standard of proof for the conviction of real offenders. In fact, prosecutors are already calling this the "SODDI" (Some Other Dude Did It) defense. Their skepticism is probably warranted: every real offender will point to this case and try to make the government (which has the burden of proof, at least in a United States court) prove that a virus wasn't the reason illegal child pornography was on a particular machine.
There's another problem here, though. This opens up a whole new world for profit-motivated malware authors. It's actually a play on the old ransomware attack: traditionally, ransomware works on a "we've encrypted your files; pay up or you'll never see them again" basis. One problem in the business model for ransomware authors is that some people back up their machines (really!), and others simply won't care about the data being held hostage. You can't get someone to pay when they can simply respond "Screw you, I'll just restore from backup". The new twist is that, at least in concept, a ransomware author, instead of holding files hostage, can hold a person's entire life hostage by planting a piece of malware of this type on someone's machine and then threatening to expose that person.
Take for example the case of the person in the article. This guy lost his job, his reputation, many of his friends and close to 250,000 dollars spent on his defense – and you can't restore that from backup. Crimes involving the sexual exploitation of children are (justifiably) considered to be among the gravest transgressions against not only individual children but society as a whole, and people who commit these crimes have richly earned society's reproach. One unfortunate side effect of that, however, is that the mere accusation, even a false one, of a crime of that magnitude is enough to irrevocably harm one's reputation. If the profit-motivated malware gangs hadn't already figured this one out, they certainly have now, and I'd be willing to bet that we're going to see at least sporadic attacks of this type (attacks against the reputation of an individual) in the very near future.
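The strongest technical fact in the Massachusetts case is the rate: 40 distinct sites in a minute is not human browsing. What follows is an added example, not from the article or from the examiners in the case, of how that argument is made from a browser cache or proxy log: bucket requests by minute, count distinct hosts, and flag minutes no person could have navigated by hand. The log format, the threshold and every log line are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy/cache log lines ("YYYY-MM-DD HH:MM:SS METHOD URL"), not a
# real capture. This set mimics a person reading news and mail.
HUMAN_LINES = [
    "2009-11-04 09:12:03 GET http://news.example.com/index.html",
    "2009-11-04 09:12:04 GET http://news.example.com/css/site.css",
    "2009-11-04 09:12:41 GET http://news.example.com/story/1234",
    "2009-11-04 09:13:20 GET http://mail.example.org/inbox",
    "2009-11-04 09:13:58 GET http://mail.example.org/msg/77",
    "2009-11-04 09:15:10 GET http://weather.example.net/boston",
]


def _bot_burst(start, count=40, gap=timedelta(seconds=1.5)):
    """Constructed bot segment: a new host every 1.5 s, i.e. the
    '40 sites per minute' rate described in the case."""
    return [f"{start + i * gap:%Y-%m-%d %H:%M:%S} GET http://site{i:02d}.example.test/index.php"
            for i in range(count)]


BOT_LINES = _bot_burst(datetime(2009, 11, 4, 9, 20, 0))
LOG = HUMAN_LINES + BOT_LINES


def parse_line(line):
    date, time, _method, url = line.split(" ", 3)
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, urlsplit(url).hostname


def per_minute(lines):
    """Bucket requests by minute, tracking request count and distinct hosts."""
    buckets = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for line in lines:
        ts, host = parse_line(line)
        bucket = buckets[ts.replace(second=0, microsecond=0)]
        bucket["requests"] += 1
        bucket["hosts"].add(host)
    return dict(buckets)


def flag_automated(lines, max_hosts_per_minute=10):
    """Minutes in which more distinct hosts were visited than a person could
    plausibly navigate to by hand. The threshold is an assumed tuning value."""
    return sorted(minute for minute, b in per_minute(lines).items()
                  if len(b["hosts"]) > max_hosts_per_minute)


def report(lines, max_hosts_per_minute=10):
    """(minute, requests, distinct hosts) for each flagged minute."""
    stats = per_minute(lines)
    return [(m.strftime("%Y-%m-%d %H:%M"), stats[m]["requests"], len(stats[m]["hosts"]))
            for m in flag_automated(lines, max_hosts_per_minute)]


if __name__ == "__main__":
    for row in report(LOG):
        print("automated browsing at %s: %d requests to %d distinct hosts" % row)
```

Distinct hosts per minute is a better discriminator than raw request count, because a single human page load can pull dozens of objects from ad and CDN hosts. Before drawing a conclusion, corroborate a flagged window with the artifacts a person leaves and a bot does not: referrer chains, typed-URL history, form data and cache entries for the page's images rather than just its HTML.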
In an earlier post I introduced the concepts of "Advanced Persistent Threats" and "Designer Malware" at a very high level, the '101' if you will. You may recall my reference to the article which Business Week ran in 2008, which addressed, briefly, the concept of Advanced Persistent Threats (APTs). No one knows for certain the true reach of such threats, but it can safely be assumed, based on both historical and current information, that instances of such threats continue to grow, with many going unreported to authorities or information security professionals for fear of the consequences of having been found first vulnerable and second compromised. Though there are many means by which a given threat might be introduced into an organization, some work better than others. Some of the most successful, in fact, still rely upon the most obvious and oldest of all threat vectors: human nature. Human nature is a wondrous thing; complex, multi-faceted, representative of all that we are, good and bad. It aids in defining us; however, it is not what defines us.
In June of 2006, Mike Bond and George Danezis of the University of Cambridge Computer Laboratory released a paper which posed an interesting question regarding the role human nature plays with respect to the exploitation and compromise of both systems and people. In their abstract Bond and Danezis state the following: "We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale." I loved this paper from the first time I read it and have had conversations with its authors regarding their views. I highly recommend it to anyone in our field, as its relevance is as indisputable as its timeliness.
It is key to recognize and emphasize the importance of diversity in malware propagation strategies. The vehicle for delivery can take many forms and may require many variables to be present and available. Attempting to compromise both systems and personnel requires that a discretionary mode of thought be employed in order to choose the simplest yet most effective means of accomplishing the goal. In short, adherence to the principle identified and immortalized by William of Ockham, "entia non sunt multiplicanda praeter necessitatem" ("entities must not be multiplied beyond necessity", or, as it is usually applied, when two competing explanations account for the same facts, prefer the simpler), also known as Occam's Razor.
With respect to Advanced Persistent Threats, I'd like to focus the remainder of this entry on the reinvention of the Trojan. I am focusing on Trojans today because of late I've been dealing a lot with them and find the evolution (revolution, even) taking place with respect to them quite interesting. Like all malicious programs, Trojans rely upon obfuscation in order to avoid being identified, detected, shut down and/or removed by a user or administrator. This reliance upon obfuscation is paramount to the successful introduction and installation of Trojans, as they typically attempt to convey a sense of benignity and/or usefulness to the user or environment they are targeted at, or through the application or mechanism being used for this purpose. Often this pseudo-benignity creates a false sense of security in the target and, ideally from the attacker's point of view, finds the target susceptible and willing to install the Trojan without knowing exactly or truly what it does.
Many factors influence the manner in which the payload will operate, to what degree and on what schedule, but ultimately the goal is to infiltrate, install and subsequently deliver the payload (again, as defined by the author) within the host environment. Trojans themselves fall into the category of malware which lacks the native capability to self-replicate (a la viruses) or self-propagate across networks (a la worms), which requires them to leverage an alternate mechanism for distribution. As mentioned above, the path of least resistance is often the best, and depending on who and what is identified as the target of opportunity, the choice of distribution method may vary, with the net effect being the same. Popular means of distribution involve exploitation of vulnerable systems via direct targeting, randomized exploitation via malicious websites and domains (a la 'drive-by infections'), peer-to-peer file sharing and/or the ever-popular 'sneakernet' via compromised USB media.
Of late, it has become more and more popular amongst malware authors in the underground to implement command and control mechanisms within Trojans, enabling greater degrees of administrative response in addition to creating an environment which responds bidirectionally to the botmaster in question. Clampi, Monkif, the Grups Trojan and the URLZone Trojan are great examples of this. It is important to note that the rate of change is great and that the subsequent re-engineering of malware samples of this type is becoming more common. Changes such as these imply that the traditional use cases for such malware (though still applicable) are in fact also shifting. As a result, greater degrees of awareness are needed, beginning with solidly architected security programs and education/awareness campaigns, coupled with both technical and procedural controls.
In my next post we’ll discuss the rampant growth and resurgence of rootkits and backdoors as they pertain to APTs and Designer malware and what potential impact they are having today and may have in the future.
Give Me Liberty or Give Me Yes!: These Prices Are Insane
Trojans are tricky. For a brief period of time (a few years back now), they were written off and believed to be trivialities; easily detected, easily dealt with and largely sooooo 2001. It would have been foolhardy to totally dismiss the Trojan as both a convenient and effective means of distributing malicious code and content, and that is why security researchers of all denominations (blackhat, whitehat, grayhat – remind me to expand upon my feelings about grayhats at a later date) never did. The reality is that Trojans are as popular in the underground and as much en vogue (perhaps more so) today as they were ten years ago.
Trojans, and the exploit packs associated with Trojans, are quite easily obtained, assembled and had for what could be argued are minimal investments when the potential revenue to be had from their use is taken into account. Take for example the following Trojan and exploit packs currently being discussed within the underground. You'll note the following about each:
- Detailed explanation of the associated / included exploits (and, where available, the related vulnerability data)
- Price
In other posts I've discussed the movements and evolutions in the underground with respect to cybercrime and crimeware as a service (CaaS). The following information represents examples of both, while additionally breaking down each pack (and the value-added services associated with / provided by the given vendor).
Unique Pack Sploit
latest: v.1.5 (0331)
exploits:
[+] modified Mdac for IE6
[+] Pdf (v.8.1.2 05.01.08) – new Pdf sploit for IE7, Opera & FF
[+] Adobe Acrobat 9 Exploit – new sploit (11.09.08)
[+] Pdf Double – two Pdf sploits
[+] Ms Office Snapshot – for IE6 and IE7
[+] Ie 7 XML Spl – new sploit for IE 7
[+] FF Embed – for FF <= 3.0.5**
[+] IE 7 Uninitialized Memory Corruption Exploit – new sploit for IE7 (18.02.09)
[+] Spl Amaya 11 – for Amaya 11
[+] Foxit Reader 3.0 (Build 1301) PDF Buffer Overflow Exploit (Universal) – all browsers
price: 600$
Notes on Unique Pack Sploit: blended attacks and exploits with a heavy emphasis on browser security weaknesses. Additionally, you'll note exploits targeting MS Office and structured data formats.
YES Exploit System
latest: 1.2.0
exploits: alot. good crypted
price: 700$
Notes on YES Exploit System: lots of buzz around this but not a lot of detail; more research is required with respect to the exploits and associated vulnerabilities. The authors (vendors) suggest it's full of solid exploits and contains a crypto pack.
Neon exploit system
latest version: 2.0.5
exploits:
- IE7 MC;
- PDF collab;
- PDF util.printf;
- PDF foxit reader;
- MDAC;
- Snapshot;
- Flash 9;
price: 400$, minor updates – free
Notes on Neon Exploit System: a fair number of exploits are associated with this pack. It mainly targets PDF reader vulnerabilities (Adobe Reader and Foxit); however, the authors also include MDAC, MS Office Snapshot and a Flash 9 exploit for good measure. Additionally, the vendor offers maintenance — scary, right?
Nuclear
exploits:
MDAC – ie5, ie6
Snapshot – ie6, ie7
PDF Collab.collectEmailInfo – all browsers
PDF Util.printf – all browsers
PDF Collab.getIcon – all browsers
XML – ie7, ie8
MS09-002 – ie7, ie8
price: 900$
Notes on Nuclear: first off, it's the most expensive of those discussed thus far; however, the vibe in the underground suggests it's quite effective. This remains to be seen in testing. You'll note many of the same exploits (or promised exploits) present within this pack as in the others, with a few additional Microsoft exploits thrown in, specifically those targeting IE vulnerabilities (the XML and MS09-002 entries).
Liberty Exploit System
latest: 1.0.5
exploits:
MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon()
Flash 9
MS DirectShow
Snapshot
Java 0day
price: 500$
Notes on Liberty Exploit System: from a blended malware exploit pack perspective it's interesting. It combines many exploits targeting many potential system and application vulnerabilities, from the aging MS06-014 MDAC flaw through the PDF and Flash exploits found in the other packs to a claimed Java 0day. It's getting a great deal of buzz and the authors are quite insistent that its effectiveness is indisputable.
The statistics screenshot that accompanied this post was provided by the vendors to demonstrate the effectiveness of their tool. It shows specifics regarding unique instances of exploits, downloads and success ratios in terms of percent.
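The PDF entries that recur across Neon, Nuclear and Liberty above (util.printf, Collab.collectEmailInfo, Collab.getIcon) are all Acrobat JavaScript APIs, which means a first-pass triage of PDFs arriving at the perimeter can look for script objects that call them, including inside FlateDecode-compressed streams and behind hex-escaped names such as /J#53. The scanner below is an added example written for this post, not a tool from any of the exploit-pack vendors; the sample PDFs it builds are constructed inline and contain placeholder script bodies that merely name the APIs, not the exploits themselves.

```python
import re
import zlib

# Acrobat JavaScript APIs named in the exploit-pack listings above.
EXPLOIT_APIS = (b"util.printf", b"Collab.collectEmailInfo", b"Collab.getIcon")
JS_KEYS = (b"/JS", b"/JavaScript")
AUTO_KEYS = (b"/OpenAction", b"/AA")        # script that runs without a click

# 'stream' ... 'endstream' bodies; the lookbehind keeps 'endstream' from
# being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Undo #xx name escapes so that '/J#53' is seen as '/JS'."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decode_streams(data):
    """Inflate every FlateDecode stream; damaged streams are skipped, not fatal."""
    out = []
    for m in STREAM_RE.finditer(data):
        head = data[max(0, m.start() - 256):m.start()]   # the stream's dictionary
        if b"/FlateDecode" not in head:
            continue
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def triage_pdf(data):
    """Look for script, auto-run actions and the exploited APIs in the raw
    text and in every inflated stream."""
    decoded = decode_streams(data)
    text = normalize_names(data)
    corpus = [text] + decoded
    found = {
        "javascript": any(k in text for k in JS_KEYS),
        "auto_action": any(k in text for k in AUTO_KEYS),
        "exploit_apis": sorted({api.decode() for api in EXPLOIT_APIS
                                for blob in corpus if api in blob}),
        "compressed_streams": len(decoded),
    }
    if found["exploit_apis"]:
        found["verdict"] = "likely exploit"
    elif found["javascript"] and found["auto_action"]:
        found["verdict"] = "suspicious"
    else:
        found["verdict"] = "no indicators"
    return found


def _build_pdf(catalog_extra, stream_body, compress):
    """Assemble a minimal one-page PDF (constructed sample, not a real document)."""
    raw = zlib.compress(stream_body) if compress else stream_body
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R " + catalog_extra + b">>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n" % (len(raw), filt) + raw + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: script bodies are placeholders that only call the APIs.
MAL_PRINTF = _build_pdf(b"/OpenAction << /S /JavaScript /JS 4 0 R >> ",
                        b'var buf = "A";\nutil.printf("%s", buf);\n', compress=True)
MAL_HEX = _build_pdf(b"/OpenAction << /S /JavaScript /J#53 4 0 R >> ",
                     b'Collab.collectEmailInfo({ msg: "x" });\n', compress=False)
BENIGN = _build_pdf(b"", b"BT /F1 12 Tf 72 700 Td (Hello) Tj ET\n", compress=True)

if __name__ == "__main__":
    for name, sample in (("printf", MAL_PRINTF), ("hex-name", MAL_HEX), ("benign", BENIGN)):
        print(name, triage_pdf(sample))
```

This is triage, not parsing: it relies on the regex finding stream boundaries rather than honouring /Length, so a crafted file can hide a stream from it, and packs also split API names across string concatenations or wrap them in eval. Treat a hit as grounds for detonation in a sandbox, and treat "no indicators" as exactly that, not as clean.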
My point in sharing this information on this blog is twofold:
- To educate those tasked with stewardship of enterprise environments & themselves
- To implore the industry to not dismiss the seriousness of the challenges and parties responsible for these threats
The seriousness of these and similar threats is growing, and they are challenging professionals and amateurs alike. It is crucial that we prepare ourselves for the challenges ahead.
Social Psychology, Botnets and the Choices We Make
Botnets are both fascinating and exciting for security researchers to study. Though well defined over time, they are, I think, only now really coming into their own in the realm of malicious code/content and delivery. What makes them so attractive to researchers lies as much in fact as it does in fiction: the things which are whispered about on IRC channels late at night when no one else is listening, or discussed on forums the world over (some more openly and candidly than others); those very things which both inspire and frighten us when their potential is realized. Evidence suggests their prevalence and importance will continue as the world we live in propels itself towards greater degrees of connectivity and advancement. A year ago most people wouldn't have known what a botnet was had they been asked about one on the street. Today, you'd be hard pressed to find someone who hasn't at least been exposed to the concept through peripheral or personal experience. Yesterday a young man in Adelaide, Australia was charged with infecting more than 3,000 computers around the world with a virus designed to capture banking and credit card data. He has also been accused of illegally creating the capacity to disable computer systems (i.e. a botnet) by bombarding them with unwanted traffic from up to 74,000 computers he controlled around the world. What's interesting about this case isn't the fact that he compromised 3,000 systems or that he allegedly created a botnet of approximately 74,000 bots, but rather that he was a young man who saw this as a means by which to make a living.

As I don't know this young person, nor much about him other than what has been released by the Australian police to the media, I can't help but think about the choices he made, what led him there and what it says about us all. Make no mistake, I believe a person must be held accountable for their actions and, as such, face the consequences when appropriate; however, I wonder what (aside from the ability to turn a profit) motivated this young man to take the paths he did, ultimately leading to this end. I feel this is an area where our industry has much to learn, and in learning we can grow and ideally (hopefully) address some of these issues before they become problems.