Anonymity is King Virus Bulletin 2015: Prague
October 1, 2015
Copyright 2015 Trend Micro Inc. 2
“A man is least himself when he talks in his own person, But give him a mask and he will tell you the truth”
Speakers
Michael John Marcos
Anthony Joe Melgarejo
Threat Research Engineer, Trend Micro
SME – Banking Trojan
Threat Research Engineer, Trend Micro
SME - Ransomware
Deep Web
• The part of the Internet that conventional search engines do not index and that, consequently, most users never reach.
WHAT’S OUR STORY?
What’s our story
• How did it all begin?
• How do cybercriminals exploit this technology?
• What can we do to investigate?
• What’s next?
HOW DID IT ALL BEGIN?
Botnet Topology
• Star
[Diagram: every bot connected directly to a single C&C Server]
Botnet Topology (cont’d)
• Multi-server
[Diagram: bots connected to several C&C Servers]
Takedowns... Everywhere...
Solution
Deep Web traffic is Encrypted.
Deep Web offers Deception.
[Diagram: the infected machine reaches its C&C Server through .onion addresses instead of an IP address: uhwikih256ynt57t.onion, lp4t52xp5vlhyhkb.onion, s6cco2jylmxqcdeh.onion]
Deep Web provides Resilience and High Availability.
[Diagram: the infected machine contacts lp4t52xp5vlhyhkb.onion; behind that one address sit C&C Server 1, C&C Server 2 and C&C Server 3, labelled Active, Offline and Reserved]
HOW DO CYBERCRIMINALS EXPLOIT THIS TECHNOLOGY?
Tor - The Onion Router
[Diagram: a Tor client's circuit through the Tor network; the final leg, from the exit relay to the destination, is labelled Unencrypted]
Hidden Services
[Diagram: a Tor client and a hidden service, with the service's introduction points (IP1, IP2, IP3), the rendezvous point (RP), the hidden-service directory (DB), the service's public key (PK) and the rendezvous cookie. The service publishes IP1-3 and its PK to the directory; the client fetches them, picks an RP and sends the RP and cookie to an introduction point encrypted to PK; both sides then meet at the RP]
KINS
KINS - Static Analysis
[Screenshot: file identification of the KINS sample set, labelled 32-bit executable, 64-bit executable and Tor executable]
KINS Infection Flow
[Flow: Installation → Inject → the dropped Tor executable is launched with the following command-line arguments]
--HiddenServiceDir "%appdata%\tor\hidden_service"
--HiddenServicePort "1080 127.0.0.1:23318"
--HiddenServicePort "5900 127.0.0.1:26824"
Tor pre-requisites
Tor Browser Installation
Tor2web
Allows Internet users to access Tor hidden services without using Tor Browser.
Using Tor2Web
Tor:
• http://duskgytldkxiuqc6.onion
Tor2web:
• http://duskgytldkxiuqc6.tor2web.org
• http://duskgytldkxiuqc6.onion.to
• http://duskgytldkxiuqc6.onion.cab
• etc...
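An added example, not part of the deck, of the URL rewriting the Tor2web slides describe and of its inverse for triage: given a v2 .onion URL it produces the gateway forms listed above, and given proxy-log text it recovers the hidden-service address whether it appears natively as .onion or behind a gateway. The gateway list is just the three domains named on the slide, and the log lines are constructed for the example.

```python
"""Added example (not from the Trend Micro deck): Tor2web URL rewriting and its inverse."""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

# Gateway domains named on the slide. Real malware carries its own list, so treat
# this as an example set, not an exhaustive one.
TOR2WEB_GATEWAYS = ("tor2web.org", "onion.to", "onion.cab")

# v2 hidden-service address: 16 base32 characters (a-z, 2-7), as used by every sample here.
ONION_V2 = re.compile(r"[a-z2-7]{16}")

# Matches <addr>.<gateway> or a bare <addr>.onion. The bare form must not be followed by
# ".letters", otherwise "x.onion.to" would also be reported as a plain .onion host.
# Gateways missing from TOR2WEB_GATEWAYS are not matched; extend the tuple to add them.
_GATEWAY_ALT = "|".join(re.escape(g) for g in TOR2WEB_GATEWAYS)
ONION_HOST = re.compile(
    rf"\b([a-z2-7]{{16}})\.(?:({_GATEWAY_ALT})|onion(?!\.[a-z]))\b", re.IGNORECASE
)


def tor2web_urls(onion_url: str, gateways=TOR2WEB_GATEWAYS) -> list[str]:
    """Return the Tor2web gateway URLs equivalent to a v2 .onion URL.

    http://duskgytldkxiuqc6.onion -> http://duskgytldkxiuqc6.tor2web.org, ...
    This is the rewrite Tor2web-using malware relies on: the hidden service is
    reached over ordinary HTTP(S) to the gateway, so no local Tor client is needed.
    """
    parts = urlsplit(onion_url)
    host = (parts.hostname or "").lower()
    if not host.endswith(".onion"):
        raise ValueError(f"not a .onion URL: {onion_url}")
    addr = host[: -len(".onion")]
    if not ONION_V2.fullmatch(addr):
        raise ValueError(f"not a v2 onion address: {addr}")
    return [
        urlunsplit((parts.scheme, f"{addr}.{gw}", parts.path, parts.query, parts.fragment))
        for gw in gateways
    ]


def onion_indicators(text: str) -> list[tuple[str, str | None]]:
    """Find hidden-service addresses in arbitrary text.

    Returns (address, gateway) pairs. gateway is None when the address appears in
    its native .onion form (traffic that needs a Tor client on the host) and the
    gateway domain when it sits behind Tor2web (plain web traffic, no Tor on the host).
    """
    return [
        (m.group(1).lower(), m.group(2).lower() if m.group(2) else None)
        for m in ONION_HOST.finditer(text)
    ]


# Constructed proxy log (not real traffic): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
1443686400.123 10.0.0.12 GET http://duskgytldkxiuqc6.onion.to/ 200
1443686401.456 10.0.0.12 GET http://www.example.com/index.html 200
1443686402.789 10.0.0.37 POST http://duskgytldkxiuqc6.tor2web.org/payment 200
1443686403.011 10.0.0.37 GET http://onion.to/ 200
"""


def scan_proxy_log(log_text: str) -> list[dict]:
    """One finding per log line that touches a hidden service, directly or via a gateway."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        for addr, gateway in onion_indicators(fields[3]):
            findings.append({"client": fields[1], "onion": f"{addr}.onion",
                             "gateway": gateway, "url": fields[3]})
    return findings


if __name__ == "__main__":
    for url in tor2web_urls("http://duskgytldkxiuqc6.onion"):
        print(url)
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The gateway's own front page (the last log line) is deliberately not flagged: without the 16-character label there is no hidden service behind it. Because the same expression recognises both forms, the output tells you whether a host needs a Tor client (native .onion) or reached the service over ordinary web traffic, which is exactly the distinction the "no Tor network traffic" advantage on the CTB-Locker slides turns on.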
CTB-Locker - Overview
ECDH
TOR AND TOR2WEB
BITCOIN
CTB-Locker Infection Flow
[Flow diagram labelled: Installation, Inject, Public Key, Bitcoin Address, Payment Site]
CTB-Locker: Payment Sites
Blocked Payment sites
CTB-Locker: Leveraging Tor2web availability
Advantages of Malware using Tor2web
• No need for a Tor installation on the victim
• No Tor network traffic leaving the system
• A variety of gateways to fall back on when one is blocked
I2P - Invisible Internet Project
[Diagram: a client and a web server, each with its own inbound and outbound tunnels through I2P routers. The client's HTTP request, together with a delivery-status and a database-store message, is bundled into a garlic message that leaves through the client's outbound tunnel and enters the server's inbound tunnel; the reply travels back through the server's outbound and the client's inbound tunnels]
Dyreza
Dyre capabilities
[Diagram labels: NAT, System Information]
Dyreza: Call Home via I2P
Dyreza: Domain generation algorithm
As Malware Support Portal
• CRYPVAULT – crypto-ransomware
[Screenshot of the ransom note, labelled: Support Portal URL, key file, Instructions (Brief), Warning Message]
As Malware Support Portal (cont’d)
Upload key file
As Malware Support Portal (cont’d)
Real-time Chat Technical Support
As Command and Control Server
• Slempo – Android Backdoor malware
• Trojanized version of Orbot
• Backdoor Commands
As Command and Control Server (cont’d)
[Code screenshot, labelled: Tor URL; stolen information]
As File Server hosting malware
• Chanitor, a downloader malware
• It uses Tor2web URLs to fetch the banking trojan VAWTRAK and deploy it on the infected system
Hardcoded Tor2web URLs
WHAT CAN WE DO TO INVESTIGATE?
Forensics / Detection
Good sources of information to extract Deep Web artifacts:
• Command-line arguments
• Installed files and folders
• Prefetch (.pf) files
• Network Traffic
Forensics / Detection (cont’d)
• Command-line arguments
Forensics / Detection (cont’d)
• Installed files and Folder
– Installation Date
– Last Execution Date
– Other info (e.g. generated Deep Web URL, version and etc.)
Forensics / Detection (cont’d)
• Prefetch files
Forensics / Detection (cont’d)
• Network Traffic logs
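An added example, not from the deck, that works the first artifact source above, command-line arguments, against the KINS invocation shown earlier: it tokenises a Windows command line, pulls out every HiddenServiceDir together with the HiddenServicePort mappings attached to it, and flags the process. The process list is constructed for the example; the image name tor.exe and the Tor Browser entry are assumptions, since the slide shows only the arguments.

```python
"""Added example (not from the Trend Micro deck): hidden-service config from process command lines."""
from __future__ import annotations

from dataclasses import dataclass, field


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.

    Deliberately does no backslash processing (unlike shlex in POSIX mode), so a
    path such as %appdata%\\tor\\hidden_service survives intact.
    """
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


@dataclass
class HiddenService:
    directory: str
    # (virtual port exposed on the .onion, target host, target port)
    ports: list[tuple[int, str, int]] = field(default_factory=list)


def parse_hidden_service_port(value: str, default_host: str = "127.0.0.1") -> tuple[int, str, int]:
    """Parse a HiddenServicePort value: 'VIRTPORT [TARGET]', where TARGET is
    'host:port', a bare port, or absent (then VIRTPORT on localhost)."""
    parts = value.split()
    virt = int(parts[0])
    if len(parts) == 1:
        return virt, default_host, virt
    target = parts[1]
    if ":" in target:
        host, _, port = target.rpartition(":")
        return virt, host, int(port)
    return virt, default_host, int(target)


def parse_tor_cmdline(cmdline: str) -> list[HiddenService]:
    """Return every hidden service configured on a tor command line.

    Option names are case-insensitive and take their value from the next token;
    each HiddenServicePort belongs to the most recent HiddenServiceDir.
    """
    tokens = split_windows_cmdline(cmdline)
    services: list[HiddenService] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        name = tok.lstrip("-").lower() if tok.startswith("-") else ""
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "hiddenservicedir":
            services.append(HiddenService(directory=value))
            i += 2
        elif name == "hiddenserviceport":
            if not services:  # tor rejects this ordering; keep the evidence anyway
                services.append(HiddenService(directory="<unknown>"))
            services[-1].ports.append(parse_hidden_service_port(value))
            i += 2
        else:
            i += 1
    return services


# Constructed process list (pid, image, command line). The tor.exe entry carries the
# arguments from the KINS slide; the image name and the other entries are assumptions.
SAMPLE_PROCESSES = [
    (1204, "explorer.exe", "explorer.exe"),
    (3316, "tor.exe",
     'tor.exe --HiddenServiceDir "%appdata%\\tor\\hidden_service" '
     '--HiddenServicePort "1080 127.0.0.1:23318" --HiddenServicePort "5900 127.0.0.1:26824"'),
    (3320, "firefox.exe", r'"C:\Tor Browser\Browser\firefox.exe" -osint -url about:tor'),
]


def hidden_service_findings(processes) -> list[dict]:
    """Flag processes that expose a hidden service. Tor Browser runs tor purely as a
    client, so a HiddenServiceDir on an endpoint is unusual and worth a look."""
    findings = []
    for pid, image, cmdline in processes:
        for svc in parse_tor_cmdline(cmdline):
            findings.append({
                "pid": pid, "image": image, "directory": svc.directory,
                "exposed_ports": [(v, f"{h}:{p}") for v, h, p in svc.ports],
                # tor writes the generated .onion name to <dir>\hostname
                "hostname_file": svc.directory.rstrip("\\") + "\\hostname",
            })
    return findings


if __name__ == "__main__":
    for finding in hidden_service_findings(SAMPLE_PROCESSES):
        print(finding)
```

The directory recovered this way is where Tor keeps its hostname and private_key files, which is how the generated Deep Web URL on the "Installed files" slide is obtained, and the local target ports tell you which process on the host was actually being exposed. The virtual ports in the KINS line, 1080 and 5900, are the well-known SOCKS and VNC defaults.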
WHAT’S NEXT
Over the years...
[Timeline, 2012 / 2013 / 2014 / April 2015, of malware families using the Deep Web: Skynet, Sefnit, Chewbacca, Atrax, BitCrypt, CTB Locker, Zbot, Bifrose, Dyre, OnionDuke, VaultCrypt, CryptoWall 2.0, CryptoWall 3.0, TeslaCrypt, LusyPOS, Babar, Slempo, Chanitor, TorrentLocker, Vawtrak]
April 2015 – October 2015
• Tox
• ORX Locker
• Encryptor RaaS
• Cryptoapp
• AlphaCrypt
• Troldesh
Conclusion
• Cyber criminals will continue to use the Deep Web to evade attribution.
• More cybercriminal groups will be attracted to the Deep Web.
• Being one step ahead.
QUESTIONS?
Thank You!
Michael John Marcos,
Anthony Joe Melgarejo
October 2015