8/27/17
Tales from the Russian underground: infection technologies and economics
Dr. Luca Allodi
Eindhoven University of Technology
Department of Mathematics and Computer Science – Security group
Dr. Luca Allodi (TU/e) – Underground cybercrime economics 1
@securescientist
Economic estimates of cybercrime
Industry/academia delivers wild estimates of size of cybercrime, exploited vulnerabilities, risk..
Two (+1) main central points:
◦ Vulnerability = bad
◦ 0-day vulnerability = extra bad
◦ Huge money for cybercriminals
These generate a HUGE amount of estimates on nature/value of cybercrime
◦ Estimate ≈ f(no. vulns x no. systems x avg alarms, $/system)
◦ And of course everybody's estimates are widely different
◦ Symantec → 300B; McAfee → 1000B
Can these figures characterize the real economy?
What can we say if we look at the actual economic value of attacks?
Loving the cyber-bomb?
Outline
Debunking numbers (indulge me for 4 slides)
◦ We have a look at what current estimates are about and the confusion that they generate when you consider them together
◦ Takeaway: we as a community do not have a clear picture of malware economics
Cybercrime markets (core of talk)
◦ We explore one prominent (Russian) cybercrime market: trends, prices, comparisons with "legitimate" markets
◦ Takeaway: the economy is there, is expanding, and compares well with competition
Playing with malware: B-LAB & Exploit Kits internals (case study)
◦ B-LAB: student laboratory being built at TU/e (quick intro)
◦ We look at the internals of successful products in the markets (exploit kits)
◦ Takeaway: products are well-engineered, both offensive and defensive components
Debunking numbers
(1): economy size (they're all rich)
https://www.theguardian.com/technology/2013/oct/30/online-fraud-costs-more-than-100-billion-dollars
Symantec CyberCrime report 2011
(2): 0-day costs & ROI (we're all doomed)
https://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/#572a997e2660
http://resources.infosecinstitute.com/cybercrime-and-the-underground-market/
(3): actual attacks (they are few)
Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World – Leyla Bilge, Tudor Dumitras
The Heavy Tails of Vulnerability Exploitation – Luca Allodi
In summary:
18 0-days worldwide: 2 drive 2M attacks, 16 drive nothing
Irrespective of sw categories
• Millions of attacks → 5% of exploits
• 95% of exploits → nothing
(4): Lost $$/infected user (we're confused)
Exploit = 20.000-100.000 USD
Botnet for 200 USD/2000 infections
Average break-even case for exploit vendor:
◦ Adobe+Java+Windows
◦ (15k+70k+90k) USD / 200 USD ≈ 900 sales
◦ Every bundle = 1.7M infections
◦ Each exploit drives 600k infections
• Finally..
• Approx 20 0-days
• What matters is the order of magnitude
• Assume bundles of 3 exploits each
• Tot infections = 1.7M x (20/3) = 11M
• 388000M/11M = 35k
→ Every infected user must lose ≈ 35k
• …
• Mhh..
• 0days vs sales vs costs vs actual exploits vs losses
• We are missing something
Let's put some order: the emergence of a malware economy
Simplistic view:
◦ "Hackers want to make money"
◦ It's not as trivial as that
What we observe is an adaptive ecosystem that:
◦ Outsources the technical challenge of deploying an attack
◦ Responds to demand and changes in target population
◦ Regulates trading activities
Attack evolution driven by economic mechanisms
◦ Develop what's optimal
◦ Ignore what costs more than the marginal benefit it introduces
◦ Exploit development, malware deployment
Cybercrime Markets
Two types of markets
"TOR-based markets" → can't be reached from the "standard" internet
◦ → "a network inside the Network"
◦ Typically drugs and other illegal good markets
◦ Find .onion service, scrape data
"Closed markets" → can be reached on the Internet
◦ Most tech markets are of this type
◦ Organised in different markets
◦ Typically "national" → Russian, Chinese, Brazilian
◦ Markets are closed, entry by selection
◦ Find .ru website, you still need to get in (not as easy as using a fake email)
◦ Among the most influential there are Russian markets
Infiltrating closed markets
Background checks on requestor
Proof of belonging to the (Russian) "hacking" community
◦ No hack-on-request
◦ Reputation
Language-specific
Today we explore one of the most prominent Russian markets
◦ Trade of most tools reported by security community
◦ Active for 7 years (2010-today)
Infiltrated for 4+ years
◦ 1.5 years "break" as we've been kicked out of market
◦ TOR access (to avoid firing too many alarms)
Market organisation
Several area-specific markets
◦ Virology → malware, exploits, packs, …
◦ Access → FTP servers, shells, SQL-i, …
◦ Servers → VPN, proxies, VPS, hosting, …
◦ Social networks → accounts, groups, …
◦ Spam → emailing, databases, mail dumps, …
◦ Internet traffic → connections, iframes, …
◦ Finance → bank accounts, money exchange, …
◦ Work → look up for and offer jobs
Top 10 on "virusologia"
Exploit Kit "RIG v3"
Tool to encrypt malware
Exploit Kit "Neutrino"
Sale of Office exploits
Dropper "Nuclear" (EKit)
Kernel exploits for Windows
Crypt online service
Web attacks injector
Malware bots
Example of trade: exploits
The exploit has a fully customisable shellcode.
The package includes a demo that opens a command console with SYSTEM privileges.
The high degree of efficiency of the exploit reduces the risk of failure to virtually zero - that is, ten consecutive successful runs on the same system.
Thus, it is best used "Use After Free" and not "Pray After Free" as it happens with other "manufacturers".
Exploit tested for these AVs
(can test against others upon request)
Price: 5000 USD
Example of trade: malware
1. 61kb (UPX - 24kb);
2. Multi-threaded file encryption;
3. New algorithm based on AES-256 using RSA-2048
4. You can set prices based on country
5. Handy ticket system
...
12. Infection disabled for these countries: AM AZ BY GE KG KZ MD RU TJ TM UA UZ (CSI);
…
1. No price, get 50% of revenue.
2. Absolutely do not touch CSI countries.
3. Instant payments
....
Example of trade: rogue certificates
Price: 400 USD
Example of trade: mobile bots
Real app vs injected page
Price: 4000$ lifetime updates
Focus on exploits: an expanding market
Sellers (n=22)
[Figure: count of new authors per year, 2010-2016; series: new authors, cumulative]
Exploit packages (n=38)
[Figure: occurrences per year, 2010-2017, by package type: EKIT, MALWARE, STANDALONE]
Exploit package = bundle of one or more exploits traded as one product
Zoom in bundled exploits
[Figure: occurrences per year, 2010-2017, by vendor: adobe, microsoft, oracle]
Gartner Hype Cycle: underground exploits
Wikipedia: The hype cycle provides a graphical and conceptual presentation of the maturity of emerging technologies through five phases.
Exploits "à la carte"
Alleged 0days vs actual traded exploits
Compare with legitimate market(s)
Excerpt of (bootstrapped) exploit prices in the underground market
Chrome, FF compare
Microsoft Edge RCE
(Finifter et al. Usenix 2013)
New exploit introduction
[Figure: fraction of exploits vs days between introduction of new exploit (0-900), by vendor (adobe, microsoft, oracle) and by package type (MALWARE, STANDALONE, EKIT); count of exploits per year 2010-2017, repackaged vs first appearance]
EKITs innovation drivers
• Most exploits introduced by EKITs and STANDALONE
• Rate of introduction is rather slow
• 50% of exploits updated after 6 months
• Slowest 25% after 1.5 yrs
• Fastest 25% after 2 months
• Most exploits that are re-packed come from EKITs
Exploit kits operation
Exploit kits are websites that serve vulnerability exploits and ultimately malware
Affect client-side vulnerabilities
Drop malware upon successful exploitation
◦ Fully customizable
Typically feature <10 exploits
◦ Trend is decreasing in time
◦ Now many exploit kits feature 3-4 exploits
Baseline workings
[Diagram: the hacker/exploit kit owner plants an iFrame in a popular website homepage; the iFrame points to the exploit kit, which attacks the user]
Baseline workings
[Diagram, annotated: the user's visit to the popular website homepage is the original GET request; the iFrame pointing to the exploit kit comes back in the GET response ("can't remove it without breaking the web"); the exploit kit then attacks the user]
Third-party traffic
Exploit kits only work if they receive victim traffic
◦ Direct links, ads, iframes, redirections, ..
Underground has services that trade connections
◦ "Maladvertising", spam, iframes on legit websites
Attacker "buys" connections from specific users, with specific configurations
◦ Javascript checks local configuration
◦ Sends to remote server
◦ Remote server redirects to exploit kit
◦ User loads the web page the attacker compromised, and if characteristics match traffic is redirected
Traffic redirection
[Diagram: the popular website homepage serves ADs/an iFrame; a traffic broker/hacker sells the resulting connections; the exploit kit owner buys traffic and the exploit kit attacks the user]
Drive-by attacks "in the wild"
Selling traffic
Can buy traffic from "traffic brokers"
◦ User does not have to click on anything
◦ Automatic redirect
High-quality traffic derives from selection of connection based on requested criteria
◦ Geographic source
◦ Installed software
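Detection logic for the traffic chain described on the preceding slides (popular site, ad/iframe, broker redirect, exploit kit, malware drop), as an added example that is not part of the talk: it scans constructed proxy log lines per client, fires when a Flash/Java/PDF object from a host outside a known-good baseline is followed by an executable download, and walks the referers back to the entry site. The log format, hostnames, content-type sets and baseline are assumptions.

```python
"""Flag drive-by chains (popular site -> ad/iframe -> redirector -> exploit kit ->
payload) in proxy logs. Added example, not from the talk; log lines are constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, fields: ts client url status referer content-type
LOG = """\
1 10.0.0.5 http://news.example/ 200 - text/html
2 10.0.0.5 http://ads.example/banner.js 200 http://news.example/ text/javascript
10 10.0.0.9 http://news.example/ 200 - text/html
11 10.0.0.9 http://ads.example/iframe.html 200 http://news.example/ text/html
12 10.0.0.9 http://tds.example/go?x=1 302 http://ads.example/iframe.html text/html
13 10.0.0.9 http://qz8k.example/land.php 200 http://tds.example/go?x=1 text/html
15 10.0.0.9 http://qz8k.example/x.swf 200 http://qz8k.example/land.php application/x-shockwave-flash
21 10.0.0.9 http://qz8k.example/load.php?id=7 200 - application/x-msdownload
"""
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
KNOWN_DOMAINS = {"news.example", "ads.example"}   # assumed baseline of known-good hosts

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, client, url, status, ref, ctype = line.split()
        rows.append((int(ts), client, url, int(status), ref, ctype))
    return rows

def find_driveby_chains(rows, window=30):
    """Per client: an exploit-type object from a host outside the baseline, followed by
    an executable within `window` seconds; referers are walked back to the entry site."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r[1]].append(r)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort()
        by_url = {r[2]: r for r in reqs}
        for i, (ts, _, url, _, ref, ctype) in enumerate(reqs):
            if ctype not in EXPLOIT_TYPES or urlparse(url).hostname in KNOWN_DOMAINS:
                continue
            payload = next((r for r in reqs[i + 1:]
                            if r[5] in PAYLOAD_TYPES and r[0] - ts <= window), None)
            if payload:
                chain, cur = [url], ref        # walk referers back to the landing site
                while cur != "-" and cur in by_url and cur not in chain:
                    chain.append(cur)
                    cur = by_url[cur][4]
                hits.append((client, chain[::-1], payload[2]))
    return hits
```

The chain it returns for the constructed client shows exactly the hops the slides describe, from the legitimate homepage through the ad iframe and the redirector to the kit host; the client that only received an ad impression produces no hit.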
Infect 1M machines: is it worth it?
Action | Economic effort (1st year)
Buy exploit kits (20% efficiency) | 2000 USD
Required connections | 5x10^6
Setup | 50-150 USD
Traffic (assuming 2 USD/1000 conn.) | 10.000 USD
Maintenance (IP/domain flux, packing..) | 150 USD
Updates (assuming 2/yr) | ~200 USD
Total | ~12.400 USD – 12.500 USD
Breakeven ROI/BOT | ~0.01 USD
Compare this with the initial 0-day estimate of 35k$/bot..
B-LAB & Exploit kit internals: technical and operational research @ TU/e
TU/e Black Hat's Lab (B-LAB)
Isolated infrastructure to play around with malware, crypters, exploits, ransomware, nation-state malware
◦ E.g. Galileo's RCS platform from Hacking Team + exploits (Word, IE, Flash, ..)
◦ 30+ exploit kits
◦ NSA malware + exploits
◦ … (add what you want)
+ IoT testbed
◦ B-LAB connected to a fully modular IoT testbed with controllers, sensors, SCADA/ICS systems, etc.
◦ Deploy attacks in virtually any environment and evaluate effects on the real world
Live October 2017 (closed beta)
◦ Fully operative start 2018
Contact person: me
Offensive components
Delivers the attack
1. Detects browser and operating system (88%)
2. Checks system hasn't been attacked yet (64%)
◦ via IP checking
3. Checks if system is actually vulnerable
◦ Browser and plugin versions
4. Launches appropriate attack
◦ Less sophisticated kits launch the attack even if system isn't sophisticated enough (36%)
Exploits typically attack vulns on:
◦ Adobe Flash, Acrobat Reader, Internet Explorer, Java, other plug-ins
Bleeding Life – exploit selection
Checks presence of Adobe Reader:
1. Initialise a_version.exists & a_version.version
2. Checks version of Adobe Reader
3. Gets the version of Adobe, if it exists
4. Returns variable
Checks presence of Java:
1. Initialises variables j_version.exists, j_version.version & j_version.build
2. Checks version of Java
3. Same as before
4. Returns
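The four offensive steps (fingerprint, one-shot IP check, plugin version check, launch) and the Bleeding Life presence/version probing above, as a small analyst-side model added here (not code from Bleeding Life or any kit): it makes visible why a sandbox replay from the same address, or a crawler with current plugins, is served nothing, which is the behaviour the 64% and 36% figures on the previous slide describe. Product names, browser set, version thresholds and exploit labels are placeholders.

```python
"""Analyst-side model of exploit-kit gating (fingerprint, one-shot IP, version check).
Added example, not code from Bleeding Life or any kit; all thresholds are placeholders."""

def parse_version(text):
    """'9.3.0' -> (9, 3, 0); absent plugin -> None (mirrors a_version.exists)."""
    if not text:
        return None
    return tuple(int(p) for p in text.split(".") if p.isdigit())

# Placeholder catalogue: product -> (exploit label, highest version it applies to).
CATALOGUE = {
    "reader": ("reader_placeholder_exploit", (9, 3, 0)),
    "java": ("java_placeholder_exploit", (1, 6, 0, 18)),
    "flash": ("flash_placeholder_exploit", (10, 0, 45)),
}
SUPPORTED_BROWSERS = {"msie", "firefox"}   # placeholder fingerprint whitelist

class KitGate:
    def __init__(self, catalogue=CATALOGUE):
        self.catalogue = catalogue
        self.seen_ips = set()   # step 2: "checks system hasn't been attacked yet"

    def select(self, ip, browser, plugins):
        """Return (exploit label or None, reason) for one visitor profile."""
        if browser not in SUPPORTED_BROWSERS:   # step 1: browser/OS fingerprint
            return None, "unsupported browser"
        if ip in self.seen_ips:                 # step 2: one shot per IP
            return None, "ip already served"
        self.seen_ips.add(ip)
        for product, (label, max_vuln) in self.catalogue.items():  # step 3: versions
            ver = parse_version(plugins.get(product))
            if ver is not None and ver <= max_vuln:
                return label, "match"            # step 4: launch the matching one
        return None, "no vulnerable plugin"      # strict kits stop here; the 36% do not
```

A second request from the same address returns "ip already served" even with a vulnerable profile, so an analyst who wants to see the landing page behave must capture the first hit or change source address.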
Exploit integration
Shellcode generated considering call-home URL
Insert shellcode in stack
Adds Java file in web page
Defensive components
Many exploit kits defend themselves against AV/robot detection
Payload and malware obfuscation (82%)
◦ Obfuscation + crypto
◦ Malware packers
Block IP to avoid probes (78%)
Evasion of robots + crawlers
Some check whether the domain on which the exploit kit is hosted is included in antimalware lists
Defensive components: Venn diagram
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 39
EKit interaction: Crimepack
Details on attacks
Define and inject exploit and shellcode
Administer
Exploit selection
Reading list
Provos, Niels, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. "All your iframes point to us." USENIX Security Symposium, 2008.
Kanich, Chris, et al. "Spamalytics: An empirical analysis of spam marketing conversion." Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM, 2008.
Kotov, Vadim, and Fabio Massacci. "Anatomy of exploit kits." Engineering Secure Software and Systems. Springer Berlin Heidelberg, 2013. 181-196.
Argyraki, Katerina, and David Cheriton. "Network capabilities: The good, the bad and the ugly." HotNets, Nov 2005.
Studer, Ahren, and Adrian Perrig. "The coremelt attack." Computer Security – ESORICS 2009. Springer Berlin Heidelberg, 2009. 37-52.
Grier, Chris, et al. "Manufacturing compromise: the emergence of exploit-as-a-service." Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, 2012.
L. Allodi, M. Corradin, and F. Massacci. "Then and now: on the maturity of the cybercrime markets (the lesson that black-hat marketeers learned)." IEEE Trans. on Emerging Topics in Computing, PP(99), 2015.
Thomas, Kurt, Danny Yuxing Huang, et al. "Framing Dependencies Introduced by Underground Commoditization." In Proceedings of WEIS 2015.