HOW TO DO RESEARCH IN CYBERCRIMEКак проводить исследования/расследования в области киберпреступлений

by Alex Starov

HackIT 2016

Pragmatic Security “PragSec” Lab

2

OurResearch

Security

Privacy

Cybercrime

WANTED: Cybercrime Research• Models of online crimes• Ecosystems of attackers/hackers• Financial infrastructures • Measurement studies of real

underground economies• Different aspects of fraud• Fraud prevention • Effectiveness of protection

countermeasures • Case studies of current attack

methods • Social engineering• …

3

Today we have 3 lessons① Let’s detect them / Обнаружим их…② Going undercover / Под прикрытием③ Let’s catch them / Полное разоблачение

4

LESSON #1Let’s detect them!

(based on http://securitee.org/files/webshells_www2016.pdf)

5

IDEA: We can investigate crime artifacts• What most attackers do after hacking a server?

6

Web shells / backdoors• At its simplest form, a web shell is a script that attackers upload to compromised web servers in order to remotely control them

7

Example of a Real-life PHP Shell

8

Example of a Real-life PHP Shell

9

Are web shells important?

10

Wow, attackers on Ukrainian Power Grid also used a backdoor web shell!

11

Let’s Google It: Hackers May Search for Shells12

Such attempts can be detected, though…13

https://some_our_url.com/c99.php

Daily Statistics on Captured Requests for Shells via Google Dorks

14

Our Objectives: Let’s define

• Conduct a comprehensive large-scale study of web shells, their nature and the surrounding ecosystem of hackers

• Inspect visible and invisible features of real-life malicious shells and how attackers can use them

• Find useful information for countermeasures, at least for their detection by IDS or scanners…

15

First of all: Data Collection

• Starting with a combined set of 1449 shells, we derived a unified set of more than 500 real unique shells!

• Including variations of c99, r57, WSO, B347k, NST, NCC, Crystal, etc.

16

Filtering Normalization Deobfuscation Normalization

https://www.unphp.net

SHELL FEATURESStatic & Dynamic Analysis

17

Interface Features (static taint analysis)

18

Silent Server-side Activity on 31.4% (intercepted by PHP’s runkit framework)

19

Silent Server-side Activity: Commands

20

Group Aggregated examplesMain System Info id(71), uname(41), echo $OSTYPE(23), pwd(16), whoami(13)

More System Info ls -la(7), df -h(2), uptime(2), ps aux(1), free -m(1)

Check Installed which *(4), wget -help(5), javac -version(2), perl -v(1)

Internet Usage cd /tmp, lynx | curl | GET *(8), wget | curl | lwp-download *(6)

Other actions echo abcr57(19), killall -9 host(1), crontab (1)

Silent Server-side Activity: files

21

Group # Shells Examples/var/www/html/*/* 21 write test.txt, read own PHP file/etc/* 8 named.conf, hosts, passwd, fstabhttp://* 7 send own URL, load api.php, sender.txt*.php 6 dbs.php, shell.php, errors.php, ss.php, etc./tmp/* 5 qw7_sess, shellcode.so, Ra1NXphp.ini 5 write to php.ini or ini.php.htaccess 5 write .htaccess or sym/.htaccess*.txt 5 kampret.txt, data.txt, cpaccount.txt/proc/* 4 cpuinfo, meminfo, partitions, version*.sql.gz 2 read N-Cool-073115-0850am.sql.gzOther 2 1.sh and libworker.so

Test more: Stealthiness

Hiding the code:• 20.6% with increased token count after deobfuscation• 20.8% use eval() with avg. of 15.2 calls, up to 91

Hiding the path:• 16% check HTTP User-Agent against a blacklist(61 shells give 404 if your user agent contains “Google”)• 2.3% return 404 until get proper POST/GET parameters

22

Even more: Bypassing Antivirus EnginesOriginal PHP shells:• 90% detected by at least one scanner of VirusTotal• Best scanners detect 72.5% and 67.2%

Deobfuscated shells:• Overall accuracy decreases to 88.5%• Avg. detection rate decreases from 15 to 10 scanners• E.g., one specific shell was detected by 22 and after deobfuscation – by only 2

=> Another useful finding!

23

Authentication in Shells

24

Is something wrong here?

25

Answer: Authentication Bypass

26

Simulated Register Globals Unprotected Features

Authentication Bypass – совпадение?• 52.0% provide authentication in the code

• 30.8% of authentication codes can be bypassed

ÞNo honor among thieves! The original shell-distributor injects a backdoor in the backdoor

ÞAnd finds out the location of already deployed shells via homephoning?!

27

BACKDOORS IN WEBSHELLSDeploying a Honeypot Server

28

Honeypot Architecture

29

Results on Homephoning

30

29.2% on the client-side• With an average of two domains per shell• Overall 149 domains / 108 IPs were contacted

4.8% on the server-side• 70% connect to one of the 21 domains• Located in USA, Republic of Korea, China

Client-side Homephoning Targets31

Logs We Get on the Honeypot

46.167.121.166 - -[02/Jul/2015:22:56:42 +0000] "GET /images/ftpmaster.php HTTP/1.1" 404 520 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"

32

Attacker’s IP addressWeb shell’s path

Attacker Connections Daily • In the 8 weeks of our experiment:

• We recorded 690 web shell access attempts from 71 unique IP addresses located in 17 countries• Top 3: Turkey, USA, and Germany

• 16.4% of homephoning shells were visited by attackers

33

USING THEIR WEAPONDetecting web shells via… the same homephoning!

34

Stale domain-based inclusions

35

2012• example.com adopts web analytics

<script src="http://analytics.com/a.js"/>

2014• Analytics goes bankrupt and allows analytics.com to expire• example.com does not update their website

2015• analytics.com is registered by an attacker!• malicious JS pushed to example.com…

(Nikiforakis et al., 2012)

Stale (expired) domains called by web shells and now registered by us!

36

Logs We Get for Stale Domains

187.99.230.117 - -[01/Jan/2016:00:19:04 +0000] "GET /logz/yaz.js HTTP/1.1" 404 507 "http://www.XXXXXXXXXXXXXXXX.ua/files/XXXXXXXXX_ca6a456dc0b461cHNAL.php" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"

37

Attacker’s IP address Compromised website

Compromised Websites FoundLocal businesses and organizations:

• an order service in Iran• a travel portal in China • a software company in Russia • a shipping company in US• college website in Morocco

More critical websites:

• a hospital website in Peru• a legal consultation office in Russia

• a security services company in Vietnam

38

Victim Websites based on Server Location

39

Victim Websites taking into account TLDs

40

Victim Websites and Victim Servers

41

All Attackers Detected in Logs

42

Top 10 Targets for Attacks

43

MORE: Requests from localhost…75.151.74.150 - - [12/Dec/2015:22:46:15 +0000] "GET /yazciz/ciz.js HTTP/1.1" 404 503"http://localhost:8080/c99%20with%20pass%20ali.php" "Mozilla/5.0 (Windows NT 6.3; rv:42.0) Gecko/20100101 Firefox/42.0"

44

Участники CTF, будьте осторожны с чужими шеллами! J

Takeaway NotesIdea: исследовать артефакты веб взломов – web shells

Methods: масштабный сбор шеллов, статический и динамический анализ, установка honeypot-серверов, использование “stale domains” во благо

Tools: UnPHP, OpenWPM/Selenium, PHP’s runkit, VirusTotal’s API, MaxMind’sGeoLite2, много скриптов

Contribution:• Know your enemy – информация для сканеров и IDS• Мониторинг соответствующих “stale domains” дает возможность

быстро находить веб взломы и обезоруживать вредоносные шеллы!

45

LESSON #2Going undercover

(based on https://arxiv.org/abs/1607.06891)

46

Another source of ideas

47

Another source of ideas

48

http://securit13.libsyn.com/episode--64

Technical Support Scam

49

OK, then Our Motivation• This scam has become so prevalent that the Internet Crime Complaint Center released a Public Service Announcement in November 2014

• This type of scam costs users millions of dollars on a yearly basis…• No systematic research yet, and protection is wanted!

50

What attributes common to TSS?• Usually they block navigation with alerts• Preceded by a long redirection chain• Presence of a phone number• Scareware-like keywords

51

address

financial

message

email

using

virus

breachtracking

carry

communications

ancientresult

callstalkers

thefts

administrator

www

exehacked

logsservices

suspendedrestart

situation

attention

dupedcontacting

webcam

oops

passwords

registry

prevent

technicians

connection

adware

disabled

blocked

popaccess

reserved

runworm

program

frame live

warning

unknown

wrong

classified

info

attack

actions

desk

detailscomputing

inject

something

malware

calling

copyright

especially

technical

vpn

follow

harmful

response

engineering

anonymous

significant

shut

browsing

location

containing

dear

installed

visit

current

continue

causing

caused

exposed

apply

acts

useful

warriors

leaked

often

concealed

reason

tcp

theft

social

rights

firew

all

major

disk

logins

identity

removed

hard

locked

cause

viruses

password

type

deleted

fix

page

autobased

form

port

comtrick

softw

are

harmfullterms

crash

mpqr

What delivery methods they can use?• Hmm, AD NETWORKS?..

Let’s look on what websites:http://droobox.comhttp://stackovertlow.comhttp://tackoverflow.comhttp://stackkoverflow.comhttp://twwitter.comhttp://fecebook.comhttp://facbeook.com…

52

Typosquatting is a famous trick!53

We need a large-scale crawler54

Redundant Crawlers

JS Interceptor

MITM Proxy

Detector (ML)

Typosquattingdomains

Shortened URLsLinks from spam emails… More than 1000

unique scam domains and 100 phone numbers per week!

A this point, we found thousands ofPhone numbers & providers

• 8004699439 (e.g., ATL) • 8004699439 (e.g., Twillio) • 8443074809 (e.g., WilTel)• 8008704502• 8009214167• 8442035085• 8442318194• 8442338231• 8442439201• …

Scam Domains• system-checker-51.nl• system-warning.com• tfn13.in• update-softwareinfo.com• virus-alerts.in• virus-check-error.net• virus-watch.xyz• window-scan.pw• www.pcsol.co• www.security-alert404.com• …

55

THINK: What we can do useful?

56

We need to improve current blacklists!Domains

• Popular blacklists contain only 7% of TSS domains

• VirusTotal detects only 64%, by only 3.25 scanners on average

• We detect earlier

Phones• Online databases and available phone apps cover only 27.4%, with the best mobile app only 0.5% and websites almost 20% (mrnumber.com and 800notes.com)

57

Tools used so far:• Selenium/OpenWPM for large-scale crawlers• JavaScript interception• MITM Proxy for traffic dumps• Selenium for scraping• Python and R scripts for statistics and ML• VirusTotal APIs for domain checks• Android Console to simulate calls• …

58

We want more useful staff…• Don’t afraid to use your acting skills! • Again, use their weapon against them!

59

We called more than 60 phone numbers, having a prepared VM for each call

• Scammer: Thank you for calling technical support. How may I assist you?• Victim: Hi, good morning. I think I have a problem with my computer because

I was browsing the Internet and then it suddenly told me that I was infected with a virus and it asked me to call this number.

• Scammer: OK. Can you confirm for me, first of all, what Microsoft device you are using?

• Victim: I am using Windows 7. I do not know if that is what your question is.…

60

Techniques they use

• Stopped Services/Drivers• Event Viewer• Specific Virus Explained• System Information• Action Center• Fake CMD Scan• Netstat Scan

• Installed/Running Programs• Browsing History/Settings• Downloaded Scanner• Reliability/Performance• Temp folder• Registry• …

61

Gotcha! Found signs of scammer groups1) They use similar script and

methods, can handle many calls simultaneously

2) WHOIS records show similarities (some use CDNs and Cloudflare)

3) Corresponds to the clustering of domain-phone graphs, and JS

4) Used remote-access tools leak similar locations: regions of India, some from US and Costa Rica

62

Mad scientist vs. White-hat ScientistMad Scientist: doesn’t care! White Scientist: IRB approval!

63

Be careful and think of others!

What is an IRB?“The Institutional Review Board (IRB) is made up of a group of people such as scientists, doctors and some community people. The IRB looks at every protocol or research study before it is conducted on any people. Because some research studies involve risk, the IRB looks at the study to make sure the risks are justified and minimized. In addition, the IRB wants to make sure the Principal Investigator follows all the rules the federal government has set up to protect human subjects who so kindly volunteer to participate in a research study”

64

Takeaway NotesIdea sources: security news, blogs, podcasts, forums…

Methods: распределенный “crawler”, машинное обучение и другие “heuristics”, проверка “blacklists”, белая социальная инженерия

Contribution:•Определены техники, артефакты и группы скамеров•Механизм для быстрого определения доменов и телефонных номеров, используемых скамерами!

65

LESSON 3Let’s catch them

66

Collaboration with authorities is a plus!

67

Outline of the research

68

• Сотрудничая с FBI и USPIS получили доступ к серверам и другим артефактам вебсайтов, которые предлагали услуги по “reshipping scam”

• Услуга заключается в предоставлении способа монетизации денег с украденных кредитных карточек

Contribution:• Была посчитана суммарная выручка хакеров в 1.8 млрд долларов в год!• Изучена инфраструктура хакеров, их следы, а также предложены наиболее эффективные способы защиты

Steps of the fraud, let’s think together!69

Cooperation with UA cyber police① Если исследователь в области информационной безопасности (из

университета) обнаружил полезную информацию для киберполиции, к кому обратиться? Будет ли киберполициясодействовать в получении дополнительных данных?

Ответ: Если вы обнаружили информацию которая подлежит подследственности киберполиции немедленно обратитесь в Департамент киберполиции или в отделение по месту жительства или напишите электронное заявление на сайте киберполицииhttps://www.cybercrime.gov.ua/feedback5-ua Киберполиции в рамках своих полномочий будет проводить проверку.

70

Cooperation with UA cyber police (cont.)② Возможна ли обратная ситуация, т.е. аутсорсинг кибер-расследования в

университетских лабораториях? Участие киберполиции в научных исследованиях, публикациях и конференциях по защите информации?

Ответ: возможна, мы сотрудничаем с рядом аутсорсинговых компаний. В случае наличия конкретного предложения предоставьте пожалуйста конкретизированный план взаимодействий и мы его рассмотрим.

③ Если научное исследование выявило информацию, о которой для предостережения желательно уведомить граждан, поможет ли полиция распространить ее?

Ответ: Да, это входит обязанности киберполиции, а именно предупреждения преступлений.

71

Summary• LESSON 1: Мы обнаружили веб шеллы по всему миру, взломанные сайты и злоумышленников

• LESSON 2: Мы обнаружили много артефактов ложных технических поддержек и общались с мошенниками под прикрытием, т.е. “ловили на живца”

• LESSON 3: Мы сотрудничали с ФБР чтобы расследовать и предотвратить популярный способ обналичивания украденных карт

72

Are you ready to make the world a better place?! Questions?

73

ostarov@cs.stonybrook.eduwww.pragsec.com