Damballa protects businesses from targeted attacks used for organized, online crime. This blog provides a forum for us to talk with you. It is a moderated blog, and you must register before your submissions can be reviewed and posted. Thanks for joining, and we look forward to hearing from you.

Presenting @ BlackHat USA 2010

July 26th, 2010

This week Damballa will be represented at the 2010 BlackHat USA event in Las Vegas with me presenting on Thursday (29th July) at 11:15am. I’ll be covering the topic “Becoming the six-million-dollar man” – a closer look at some of the more sophisticated ways in which criminal botmasters are monetizing their botnets and laundering the proceeds, and how they’re becoming millionaires.

Come join the fun. I can probably guarantee that you’ll learn several of the new ways for making money from botnets – such as identity laundering and reputation hijacking.

Here’s the abstract for my presentation:

Starting a life of Internet crime is easy; in fact you’re probably already doing it as far as the RIAA is concerned. Now that you’ve chosen to embark upon a new career, how are you going to get dirty, filthy, stinking rich? How do you become a millionaire?
The tool of choice has got to be botnets. Building them is just the start. How do you monetize the tens or hundreds of thousands of machines under your control? Should you harvest confidential and personal information from the victims, or would it be more prudent to become a specialist service provider to other botnet operators? Which models work best, and how can you become a six-million-dollar man within a year?

– Gunter Ollmann, VP Research

The AMTSO Melee

July 15th, 2010

As many will have already observed, there’s been a public falling out between the Anti-Malware Testing Standards Organization (AMTSO) and a number of established independent testing organizations (and advocates of independent testing). While the melee between the protagonists has been continuous over the last few months, there’s been considerable entrenchment in July.

When I read the joint blog “Testing and Accountability”, released simultaneously last week by several of the biggest names in desktop anti-virus, my heart sank and I shook my head. Then on Tuesday I encountered the posting “The rise of the rogue AV testers” – a reposting of an essay that was published in the current issue of Virus Bulletin magazine – and I could hardly believe the thinly veiled trashy sniping I was reading. While the security industry is hardly short on FUD marketing, such an overt attempt at crafting a new threat specifically aimed at discrediting independent testing labs is extremely disquieting to me and I believe it shames many of the professionals working in the anti-malware field.

Let’s be clear: as a vendor, there’s tremendous attraction in being able to define the testing criteria for the products I make. Being able to join a consortium of like-minded vendors, create an entity such as AMTSO, and then define a standard suite of product tests that you know you’ll perform well against (or, at the very least, perform better against than anyone else can – and, failing that, being able to influence changes to tests I don’t particularly like) is extremely appealing – which is one of the reasons I was an advocate for my previous (then current) employer joining and taking a driving position within the organization. I believe that many of the objectives of organizations like AMTSO are worth community respect and support.

But I’m also a strong advocate for advancing the realm of testing and ensuring that the testing adequately reflects the nature of the threat customer organizations are up against. It’s one of the things that the researcher inside of me will always cause some degree of heart-burn for the product management teams I work with – and it’s something I spent many years doing when running specialized attack-based consulting teams around the world. Not only that, but I also happen to know several of the independent testing companies being not-so-subtly targeted in this AMTSO spat and have worked with them in the past to refine certain tests (mostly in the IDS/IPS and vulnerability scanning realms) – I like them – and they’re honestly trying to improve the business of security. But, like all of us, they’ve got bills to pay.

I also want to make another thing clear – I’ve got skin in the game here. This company, Damballa, is focused upon dealing with many aspects of the evolving threat that legacy security technologies have failed to offer effective solutions for – a key component of what we do is being able to identify which corporate assets have been compromised or are under remote command and control, as fast as inhumanly possible. What we’ve repeatedly found is that the vast majority of malware binaries being downloaded into enterprise corporations on a daily basis (and infecting corporate systems) are undetected by the desktop anti-virus suites and network-based layers of defense. Not only that, but anti-virus detection of the captured malicious binaries remains poor for a scarily long time – even assuming that the enterprise customer was willing to share the sample with their preferred anti-virus vendor.

Independent testing services such as those offered by Virustotal are greatly valued by the community, but they are often misunderstood – even by anti-malware researchers. For example, you’ll quite often hear that a particular malware sample that’s been posted to the site for analysis will yield results such as “90.24% coverage” or, as is more often the case, “4.87% coverage”. These numbers are a reflection of the overall anti-virus vendor product coverage. But in reality, for enterprise networks and consumers, the percentages are irrelevant – the only thing that matters is whether the anti-virus product they happen to be using and rely upon detected it or not.

Anti-malware vendors have got their work cut out for themselves. The bad guys do (and will continue to) have the upper hand in this threat/detection model. I can liken it to a professional game of Poker in Las Vegas. Sure there are rules to the game, a sequence to the moves, and some degree of skill and patience will enable you to capitalize on the random play of cards, but in the game against malware authors and distributors they have two crushing advantages – they already know what cards you’re holding, and they happen to know what the next card out of the deck will be.

The way AMTSO members have been approaching their dismissal of independent testing results – and arguing the merits of various testing scenarios as being “unfair” – leaves a lot to be desired. AMTSO has been remiss in not looking closer at its own testing standards and ensuring they reflect the kinds of threat their customers expect their products to defend against. All this nonsense about not creating new malware samples that haven’t been seen in the wild, not using hacker tools to obfuscate and trick detection systems, ensuring that malware samples have to be shared for validity reasons, etc. – come on, who’s trying to fool whom?

I’ve been through this at least once before. Anti-virus guys – take a look at the history of IDS/IPS testing. It went through the same pains, albeit at a much faster, cut-throat pace: contention with independent researchers and entities selling new vulnerabilities, development of public tools specifically designed to evade detection technologies, vendors developing tools and payloads designed to bypass competitor technologies, product “enhancements” specifically designed just to pass known product testing criteria that had no practical application outside of a lab, etc. – and the products gradually improved. Existing techniques were enhanced or replaced, new technologies were invented and (potential) customers were able to make better informed decisions about the products they selected and the vendors they chose to partner with.

Oh, and one last thing. Consider it a bone to pick. I was considering doing a detailed analysis and discussion of the “public” AMTSO documents relevant to the topic – in particular:

  • AMTSO Fundamental Principles of Testing
  • AMTSO Best Practices for Dynamic Testing
  • AMTSO Best Practices for Validation of Samples

But I can’t. In order to download and access these principled documents I’d need to first agree to the AMTSO License Agreement – which I don’t think I can. Clauses, such as the following, cause that product management heartburn I mentioned previously to become infectious amongst my management team:

  • Non-Assertion. Adopter agrees, to the extent that it has any patents which cover the use of the Final Specifications in any manner permitted under Sections 2(a) and 2(b), not to assert, for the licensed use of any Final Specifications, any such patents against the Contributors, AMTSO, its Members, or any Adopter.
  • Affiliates. Adopter (excluding its Affiliates) represents and warrants that it has power to cause all patents owned or controlled by it and its Affiliates to be licensed as set forth in this Agreement.
  • Prohibition on Registration of the Name. Adopter shall not register or attempt to register the Name or any name, trademark, or service mark confusingly similar to the Name, or register any second level domain name that uses the Name in a way likely to create confusion regarding the ownership of the second level domain name, anywhere in the world. If Adopter holds a second level domain name that uses the Name as described above, then Adopter will (1) redirect it to the official AMTSO website and (2) assign it to AMTSO upon request of AMTSO.

Come on! I have to agree with these terms if I download the documents from the official AMTSO site? I’m certainly no lawyer, but I’ve worked with enough other organizations pulling together industry testing standards to know this isn’t something I’d associate with an open testing standard. If you want to see how testing methodologies and testing guides can make a real impact on security and pull valuable expertise from around the world, I’d suggest that the AMTSO board/members look to the poster-child that is OWASP. Check out the OWASP Testing Guide v3 – no “sign your life away” clauses there either.

– Gunter Ollmann, VP Research

Cellular Botnets

July 12th, 2010

Last month I gave a couple of presentations covering the current state of cellular mobile botnets – i.e. malware installed on mobile phones, smartphones and other cellular devices, designed to provide remote access to the handset and everything on it. While malware attacks against dumb and smart phones are nothing new, the last 3 years of default TCP/IP functionality, compulsory data plans, and access to (and provisioning of) more sophisticated development APIs have all made it much easier for malware developers to incorporate remote control channels into their malicious software. The net effect is the growing “experimentation” with cellular botnets.

I purposefully use the term “cellular” so as to focus attention on the botnet agents’ use of the mobile Telco’s cellular network for Internet access – rather than more localized WiFi and Bluetooth services. Worms such as Commwarrior back in 2005 made use of Bluetooth and MMS to propagate between handsets – but centralized command and control (CnC) was elusive at the time (thereby greatly limiting the damage that could be caused, and effectively neutering any criminal monetization aspirations). More recently though, as the TCP/IP stack within the handsets has become more accessible to software developers through better API functionality from the OS vendors, the tried and tested CnC topologies for managing (common) Internet botnets are being successfully applied and bridged to cover cellular botnet control.

Discussions about smartphone botnets are making it to the media more frequently – albeit mostly the IT and security press – for example, “Botnet Viruses Target Symbian Smartphones”. Based upon the last couple of presentations I’ve given on the topic, lots of people are worried about cellular botnet advances – none more so than the Telco providers themselves.

Sure, there are plenty of ways of infecting a Smartphone – successful vectors to date have been through Trojaned applications, fraudulent app store applications, USB infections, desktop synchronization software, MMS attachments, Bluetooth packages, unlocking platform application downloads/updates, etc. – but relatively little has been publicly discussed about the use of exploit material. As we all unfortunately know, one of the key methods of infecting desktop computers is through the exploitation of software vulnerabilities. Are we about to see the same thing for Smartphones? Will cellular botnets similarly find that handset exploitation will be the way to propagate and install botnet agents?

In all likelihood, vulnerability exploitation is likely to be a lesser problem for smartphones – at least in the near future. Given the diversity in hardware platforms, operating systems and chip architectures, it’s not as easy to create reliable exploits that affect more than one manufacturer’s product line. That said, some product lines number in the tens of millions of devices, and the OSs are becoming increasingly better at making the underlying hardware transparent – for malicious software and exploitation as much as for legitimate code. I’ll also add that there are plenty of vulnerabilities, “reliable” exploits up for sale and interested researchers bug hunting away – but at the moment there’s little financial gain for professional botnet operators compared to the well established (and much softer) desktop market of exploitable systems. But we have to be careful not to marginalize the threat: exploits are already being developed and (in very limited and targeted distribution) are being used for installing botnet agents on vulnerable handsets.

This is of course causing increasing heartburn for the mobile Telco providers – since their subscription models essentially mean that they’re responsible for cleaning up infected handsets and removing the malicious traffic, much more so than traditional ISPs are. If a handset is infected, their customer will likely incur a huge bill and (as typically happens) the Telco will not be able to recover the losses from the customer. Attempts to recover the cost from the customer will increasingly yield two results – 1) they won’t be a customer any longer and 2) the negative PR will have the Telco rolling in pain.

Fortunately, as the cellular botnets become more common and sophisticated in their on-device functionality, they’re also going to become more mainstream and closely related to classic Internet botnets. What this means is that their CnC channels and infrastructure will increasingly be close to (or the same as) “standard” botnets. Which in turn means that cellular botnets can be thwarted at the network layer within the mobile Telco operator’s own networks (similar to what some major ISPs are trialing with their residential customers) – thereby turning the threat into something that they can protect against. How is that possible? Well, a quick browse of the Damballa website should provide a fair bit of insight into that – and perhaps I’ll post a follow-up blog on key techniques sometime soon.

– Gunter Ollmann, VP Research

It’s Safer to Write Your Password Down

July 6th, 2010

Common wisdom over the last couple of decades has been to never write down the passwords you use for accessing networked services. But is now the time to begin writing them down? Threats are constantly evolving and perhaps it’s time to revisit one of the longest standing maxims of security – “never write a password down”.

Back in the day, a password was a critical part of the corporate identity system. You supplied your user ID and password pair in order to get online and to access key corporate resources. Access controls then extended the authentication model to enable greater control of what users could see, do and change. As new systems came online, and as business extended beyond the in-house corporate networks, additional (i.e. separate) authentication systems came into play. Despite multiple attempts at developing and deploying single sign-on (SSO), most employees still need to juggle a dozen passwords in order to do their work. If they have external Internet accounts as well, then they’ll be juggling several dozen additional passwords. Once you throw in their personal Internet accounts (webmail, Twitter, Facebook, LinkedIn, PayPal, Amazon, etc.) you’re quickly neck-deep in password soup.

What’s traditionally been the problem with writing down passwords anyway? Well, since passwords are the critical ingredient for access control, corporate security teams have long “educated” employees into never writing them down. To do so would potentially expose you to impersonation – and you’d ultimately be responsible for whatever (damage) the impersonator did in your name.

In the meantime, Internet guides, popular PC magazines, and practically every website that forces you to create a login account, all extol the virtues of never writing your passwords down. They also give you lots of additional advice – such as “use a strong password”, “use a unique password”, “never use the same password on a different site”, etc. All of which make it incredibly difficult for any practically minded human to keep track of which password belongs to which website. The net result being that the “password rules” are being repeatedly broken.

Now, to ease some of this burden, there has been a spurt of software tools that’ll remember passwords on your behalf. For example, the popular web browsers all provide some capability in this area. The problem though is that the bad guys have better tools. Practically all of today’s malware (along with all those botnets you hear about each day) has the built-in capability of grabbing/stealing both the passwords you’ve remembered and type in each time you visit a favorite website, and the passwords being conveniently “remembered” by the software on your computer.

Why would writing down a password be good? Well, it’s not a question of being good – just better. Granted, anything you type on your computer can (and will) be grabbed by the malware it’s been compromised with – but the lowest hanging fruit for the bad guys lies with all the stuff you’ve already asked your computer to remember on your behalf. After 3 months of use, web browser “remember” functions may have captured 50+ sets of authentication details. Within a few seconds of computer compromise, all three months’ worth of stored credentials will have been copied and stolen (oh, and they’re neatly formatted and sorted) – so the malware doesn’t need to do any work, and it doesn’t matter if your anti-virus software gets an update tomorrow capable of detecting the malware and removing it. The damage is already done.

Staying hidden on a victim’s computer is not a trivial task for much malware – particularly wide-spread Internet malware (anything with a name you may have read about). There are lots of things that can go wrong. AV updates may detect the infection, dropper websites may be taken down, upload sites may be sinkholed, CnC domains may be hijacked, etc. so it’s become important for modern malware to steal as much information as possible within the shortest possible time. Factors such as conveniently storing all your authentication details on your computer and recycling popular (i.e. memorable) passwords reduce the time the malware needs to be operating in order to steal critical data.

What about a few high-level odds?

  • 1:3 – home PC being infected with malware with password stealing capabilities in a given year.
  • 1:4 – home PC being infected with a botnet agent in a given year
  • 1:8 – corporate PC being infected with malware with password stealing capabilities in a given year
  • 1:12 – corporate PC being infected with a botnet agent in a given year
  • 1:160 – your car being stolen in a given year
  • 1:700 – your home being burgled
  • 1:600,000 – being struck by lightning

I think it’s time to revisit the “never write a password down” idiom. Prioritizing best practices in password management, I’d be inclined to list them in the following order:

  1. Don’t use the same password on multiple websites
  2. Don’t let your computer “remember” your password!
  3. Use a “strong” password – preferably something with 12+ mixed characters
  4. Don’t use a predictable algorithm – e.g. abc<siteName>123
  5. Change your passwords regularly. For sites with lots of personal information and associated monies, change every 2-3 months. For other sites, try every 6-12 months.
  6. Don’t reuse past passwords – even if you think it’s a cool password.
  7. Don’t write your password down.

Yes, that’s right – writing down your passwords comes in at a distant 7th place. In practical terms, even if you only manage the first 4 on the list, you’re probably going to be juggling at least a couple of dozen passwords (more than likely 40+ on a regular basis for most people that spend any time online). The probability that your computer(s) will be compromised and that the information will be stolen by the bad guys’ malware is much, much greater than the probability that someone will manage to break into your house and target all the post-it notes you’ve stuck around your screen with all your passwords on them. In corporate environments there’s a higher probability that the evening cleaning crew would gain visibility of the passwords (so post-it notes aren’t to be recommended), but that risk of an insider threat is still going to be lower than your work computer being compromised.

The first 6 password recommendations would trump the 7th in most cases – provided you take care in how and where you write your passwords down. Be smart about it… but don’t underestimate the risks posed by modern malware either.
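As an added illustration (not part of the original post), the following Python audits a set of site/password pairs against rules 1, 3, 4 and 6 from the list above: reuse across sites, length and character mix, a predictable per-site template such as abc<siteName>123, and recycling of a past password. The accounts, passwords, history and the helper names are constructed for this example; the 12-character threshold and the template pattern come from the list, and treating “three of four character classes” as “mixed” is an assumption.

```python
import re
from collections import defaultdict

MIN_LENGTH = 12   # "12+ mixed characters" from rule 3
MIN_CLASSES = 3   # lower/upper/digit/symbol; three of four counts as "mixed" (assumption)

# Constructed sample data for this example (not real accounts).
SAMPLE_CURRENT = {
    "paypal.com":   "abcPaypal123",    # rule 4: abc<siteName>123
    "amazon.com":   "abcAmazon123",    # same template, different site
    "twitter.com":  "summer2010",      # rule 1 (shared) and rule 3 (weak)
    "facebook.com": "summer2010",
    "bank.example": "T7#q!vLp9wZm2e",  # strong, but see history below
}
SAMPLE_HISTORY = {"bank.example": ["T7#q!vLp9wZm2e", "Winter!2009ab"]}  # rule 6


def char_classes(pw: str) -> int:
    """Number of distinct character classes present in pw."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def is_strong(pw: str) -> bool:
    return len(pw) >= MIN_LENGTH and char_classes(pw) >= MIN_CLASSES


def site_template(site: str, pw: str):
    """Replace the site's name inside the password with <site>, or None if absent.
    Two passwords sharing a template reveal a predictable per-site algorithm."""
    name = site.split(".")[0]
    pattern = re.compile(re.escape(name), re.IGNORECASE)
    return pattern.sub("<site>", pw) if pattern.search(pw) else None


def audit(current: dict, history: dict = None) -> dict:
    """Check site->password pairs against rules 1, 3, 4 and 6; return findings."""
    history = history or {}
    findings = defaultdict(list)

    # Rule 1: the same password on more than one site
    by_pw = defaultdict(list)
    for site, pw in current.items():
        by_pw[pw].append(site)
    for sites in by_pw.values():
        if len(sites) > 1:
            findings["reused"].append(sorted(sites))

    # Rule 3: length and character mix
    for site, pw in current.items():
        if not is_strong(pw):
            findings["weak"].append(site)

    # Rule 4: the same template with the site name substituted, across sites
    by_template = defaultdict(list)
    for site, pw in current.items():
        template = site_template(site, pw)
        if template is not None:
            by_template[template].append(site)
    for template, sites in by_template.items():
        if len(sites) > 1:
            findings["predictable"].append((template, sorted(sites)))

    # Rule 6: a current password that also appears in that site's history
    for site, pw in current.items():
        if pw in history.get(site, ()):
            findings["recycled"].append(site)

    return dict(findings)


if __name__ == "__main__":
    for rule, hits in audit(SAMPLE_CURRENT, SAMPLE_HISTORY).items():
        print(f"{rule}: {hits}")
```

Note that the two abc<siteName>123 passwords pass the strength check on their own; only comparing them across sites exposes the algorithm, which is why rule 4 is worth checking separately from rule 3.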

– Gunter Ollmann, VP Research

The FTC Wake-up Slap

June 25th, 2010

When do your corporate security practices warrant FTC monitoring? When you fail to maintain the minimum levels of system protection and customers’ private data happens to drip from your porous applications.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” says David Vladeck, head of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.

“Patrons of social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure,” he says.

(courtesy of Byron Acohido’s The Last Watchdog blog)

This follows the news that Twitter has agreed to settle with the FTC after charges of failing to safeguard their customers’ personal information. The net result? Twitter must establish a comprehensive security program and will be subject to government monitoring for the next 10 years.

Personally I’ve got to wonder whether other organizations are going to come under similar levels of examination from the FTC in the near future. Take for example the recent disclosure of personal iPad customer data via flaws in a key online management application – AT&T iPad Breaches Are About App Security, Not Mobile Devices, Experts Say.

There are of course a couple of obvious questions here:

  • What is the minimum level of security required for protecting a customer’s personal data?
  • What constitutes a Comprehensive Security Program?

These two cases (Twitter and AT&T) share a number of similarities – poor application logic, weak security implementations, and ease of compromise. While “minimum” security levels can be interpreted in many different ways, since there’s no agreed or definitive manual that organizations can use, I’d be inclined to offer a couple nuggets of security advice.

  1. Don’t be the “lowest hanging fruit” in your business sector. Look around. For example, if all the buildings around yours have 9′ high barbed wire fences and bars on their first floor windows, it’s more than likely a great idea to invest minimally in the same level of security. Similarly, when it comes to corporate security make sure you have a functional defense in depth system of interlocking (and overlapping) protection and detection technologies – and know how to use them!
  2. Make sure you’re testing your own defenses! At a minimum, you need to run the standard suites of automated vulnerability scanning and probing tools – both at the network and application levels. Any newly-minted CISSP graduate will know what’s required in order to achieve this basic level.

But that really is a minimum level of security proficiency. It doesn’t offer you much more protection than the equivalent of ensuring that you’re keeping your shoelaces tied up so that you don’t trip over them (like any mother tells her kids). Obviously, you should be aiming to raise your security awareness beyond this (e.g. “don’t run with scissors”) – especially if you’re required to pursue a “Comprehensive” security program.

– Gunter Ollmann, VP Security

Hooked on Malware Counting

June 9th, 2010

It’s more than a little disappointing that the anti-malware industry is still fixated upon measuring a threat by the quantity of malware being distributed. Despite the fact that you could learn within an hour or two’s study (e.g. watching YouTube) how to generate a million brand spanking new, unique and “undetectable” malware samples by the end of the week, many people end up doing their best impressions of a stranded carp gasping for air as they attempt to digest the latest round of hefty malware statistics from security vendors.

But, for precisely the same reason you can generate your own personalized million malware samples, smarter analysis and threat mitigation techniques make the number counting largely irrelevant. Sure, signature-based detection systems have gone the way of the dinosaur and so too have hash-matching black-list processes – both defeated by serial variant production systems – but smarter systems can peer deeper into the binary file and automatically peel back the layers of armoring and obfuscation to get to the malicious core. Once you have your fingers wrapped around the heart of the badness contained within the binary, it becomes much easier to ascertain and understand the true nature of the threat.

Why is this important? Well, in the first instance, the criminals who pump out the most malware aren’t necessarily the biggest threat. For example, a criminal operator may be distributing their latest piece of uber-malware through a massive spam campaign. Even though they may have sent out 5 million spam emails containing the malicious file as an attachment, very few of the messages will probably make it to their intended victims – largely due to anti-spam technologies that use a heuristic based upon observing the same binary destined for multiple mailboxes (regardless of the message’s text content) – and every anti-malware security vendor will have been alerted to it and have analyzed a copy within a few hours. So, despite the malware’s “uber” status and the “millions of samples observed worldwide”, the threat is minimal in reality.

Meanwhile, let’s say a different malware author creates a million serial variants of the same uber-malware. Because each sample binary “looks” different it falls under dozens of different generic malware names (should it ever be “detected”), and it becomes practically impossible to cluster all the different samples into a single threat – so the single attack is attributed to dozens of lesser attacks. All this of course assumes that the malware author didn’t first QA each of their serial variant malware samples before release – and that only a few thousand were subsequently caught by heuristic or behavioral analysis engines that happened to get updated during the author’s release cycle or while the malware was waiting patiently in the victim’s inbox prior to being opened.

Because the first attack makes it so easy to count the captured malware and the second attack is evasive, only the first will get much public attention – even though, by actually being in a position to count the distributed malware’s volume, the threat to the targets has already been neutered. Consequently, the “smaller” threat (and the criminal operator) slips under the radar once again. If the malware from the second attack had been analyzed correctly (i.e. peeling back the onion), the size and sophistication of the attack would have been evident and organizations would have been able to correctly prioritize that threat.

Meanwhile, as far as “counting the malware” goes, both attacks consisted of the same – single – piece of malware. 6 million, 5 million, 1 million or one single piece of malware? Which number do you think makes sense to worry about? Where does the threat really lie – in the number sent, the number captured and counted, or the sophistication of delivery?
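To make the counting problem concrete, here is an added toy example in Python (not Damballa’s code, and not real malware): a constructed stand-in payload is wrapped by a trivial XOR “packer” with a random key and random trailing junk, so every output file has a different hash. Counting files or file hashes reports hundreds of “samples”; peeling the packer layer and hashing what is underneath reports one threat. The packer layout, the CORE string and the helper names are all assumptions of the example, standing in for the far more involved unpacking real armoring requires.

```python
import hashlib
import random
from collections import defaultdict

# Constructed stand-in for the "malicious core" of a sample. It is plain text,
# not real malware; only its bytes matter for the demonstration.
CORE = b"CORE: connect cnc.example:443; recv cmd; exec cmd; upload creds"


def make_variant(core: bytes, rng: random.Random) -> bytes:
    """Toy 'serial variant' packer (an assumption of this example).

    Layout: [key_len:1][core_len:2][key][core XOR key][random junk]
    Every call yields a different file on disk with identical behaviour.
    """
    key = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 17)))
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(core))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))
    header = bytes([len(key), len(core) >> 8, len(core) & 0xFF])
    return header + key + body + junk


def unpack(blob: bytes) -> bytes:
    """Peel the packer layer: parse the header, undo the XOR, drop the junk."""
    key_len = blob[0]
    core_len = (blob[1] << 8) | blob[2]
    key = blob[3:3 + key_len]
    body = blob[3 + key_len:3 + key_len + core_len]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cluster(samples: dict, fingerprint) -> dict:
    """Group sample names by whatever fingerprint function is supplied."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        groups[fingerprint(blob)].append(name)
    return dict(groups)


def build_corpus(n: int, seed: int = 2010) -> dict:
    """n serial variants of the same core, deterministic for a given seed."""
    rng = random.Random(seed)
    return {f"sample_{i:04d}.bin": make_variant(CORE, rng) for i in range(n)}


def count_threats(n: int = 200) -> tuple:
    """Return (files, distinct file hashes, distinct cores) for an n-variant corpus."""
    samples = build_corpus(n)
    by_file_hash = cluster(samples, sha256)                       # what a hash blacklist sees
    by_core_hash = cluster(samples, lambda b: sha256(unpack(b)))  # after peeling the layer
    return len(samples), len(by_file_hash), len(by_core_hash)


if __name__ == "__main__":
    files, hashes, cores = count_threats()
    print(f"{files} files, {hashes} distinct hashes, {cores} distinct threat(s)")
```

The fingerprint function is the only thing that changes between the two counts; the corpus is identical. That is the whole point of the post: the same single piece of malware looks like one threat or two hundred depending on where in the binary you choose to look.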

Greater care needs to be taken by the industry in evaluating the malware threat. Big numbers always sound great and garner a lot of public and media interest, but it’s rarely an indicator of where the real threat lies for those tasked with protecting the enterprise network.

– Gunter Ollmann, VP Research

Revisiting the Advanced Persistent Threat

May 14th, 2010

Ever since the Google hack disclosures back in January this year, the term “Advanced Persistent Threat” (or “APT” if you prefer to use TLAs) has been tossed about in various forums and associated with security, hacking, terrorism, state sponsored attacks, botnets, advanced malware, next generation malware, etc. – the net result is that the term means quite different things to different people.

Depending upon how much of a security purist you are, your perspective of what an APT encompasses could be pretty broad or downright specific. For example, there are a clutch of security purists who, being mostly former US military, strongly associate the term with traditional state-sponsored attacks against US infrastructure. Therefore, for something to be labeled an APT, it requires the threat to be backed or endorsed by a hostile political regime and require tools, tactics and technologies outside the normal threat spectrum (and not within everyday reach of criminals).

On the other hand, you’ll find another clutch of security purists that take the term “Advanced Persistent Threat” precisely as you’d expect to interpret each word in the English dictionary.

There are of course all sorts of problems. For example, what precisely constitutes “advanced”? To the average corporate security defender, “spear phishing” may be sufficiently different to all the bulk spam their company gets each day to meet the criteria for “advanced”. Meanwhile, for a system administrator only partially familiar with the network worms of the early 2000s, the current batch of Brazilian banker Trojans would be more than “advanced”. And, for the CEO of some large company, the prospect of being hacked and backdoored over their WiFi connection during the flight between Atlanta and San Francisco would likely lie somewhere between “advanced” and downright magical.

The point is, depending upon your experience with cyber threats and your ability to validate their technical capabilities, one man’s APT may be another’s script-kiddie hack or yesterday’s news. I think that Arthur C. Clarke said it best – “Any sufficiently advanced technology is indistinguishable from magic” (or in this case “advanced”).

To date, the term APT has been thrown about so often and used in so many different ways, that it’s probably impossible to revert it back to what most security purists would like (or insist). This obviously isn’t a new problem for the community. Another term that has been subjected to precisely the same social and media stresses is “Hacker”. You can check out the history of what “hacker” means – but today’s interpretation is completely different from what was intended – and yet people still use the term in various ways with different people.

There’s a problem though: just as the term “hacker” can have negative and positive connotations depending upon who you’re talking to, “APT” may be a door opener or a closer (for example, with close security friends and colleagues, we’re hackers – with prospective customers we’re Penetration Testers and Security Consultants – if we’re responding to press attention we’re whitehat or ethical hackers – and, in other places we’ll use the context of bug hunters and reverse engineers – all depending upon how you think the person you’re speaking to will react to the word “hacker”). This is becoming more pronounced of late. For example, here are some (paraphrased) quotes I’ve heard lately:

  • “I don’t need any more IPS – I’ve got tonnes of the stuff. I need to prevent APTs.”
  • “I’ve already got anti-virus, now I need Advanced Malware detection capabilities.”
  • “I have an incident response team that covers APTs. I need protection against NG Malware.”
  • “I need to stop the malware from China. Get me an anti-APT gateway!”
  • “APTs only affect the government and Google. No foreign government would be interested in us.”
  • “APTs? I’ve got a dozen of them squirming in my network. How do I block them?”

There are several more laughable quotes and a bundle of R-rated ones that I’ll refrain from posting here. The point is that the term APT means different things to different people – and will continue to do so – regardless of any purist’s intentions to clarify what the term means. On a related note though, trying to clarify things by dividing the various interpretations of APT into separate sub-definitions (each with its own TLA) is inevitably doomed to failure. As someone once mentioned to me, “the problem with standards is that everyone wants their own”.

– Gunter Ollmann, VP Research

A Treasury of Dumps

May 5th, 2010

Most of the “popular” Internet botnets are quite adept at identity and credential theft. Granted, this is usually just the first phase of a successful botnet breach and the lowest hanging (digital) fruit, but it remains one of the more profitable data streams for the botnet’s criminal operators.

However, there’s a big gap between criminals that know how to build a botnet and automatically steal tens of thousands of identities, and those that are capable of really monetizing the stolen credentials. In most cases the folks who can turn a stolen identity (or the keys to an online bank account) into cold hard cash aren’t the same as the folks tuning the scripts behind the latest e-banking phishing scam or banking Trojan.

So, if you happen to be a semi-skilled botnet operator with control over 50,000 victim computers and along the way have managed to extract some 40,000 user identities and 2,000 online banking credentials, the question quickly becomes “how do I find someone willing to pay me for this data?”

You could go to any number of hacker or carder Web sites and offer your goodies up for sale there. That’s getting a little tougher nowadays though. Many of these “hacker” sites are run by (or cooperate with) law enforcement. Details about who you are, where you’re connecting from, how big a player you are, etc. are all up for grabs and, as such, these forums have increasingly become “less reliable” over the last 3-5 years.

Paste Bins

One increasingly popular vehicle for botnet operators and identity thieves to “advertise” their latest caches of stolen goodies is the paste bins. Paste bin sites were originally conceived as places where developers could conveniently share source code and other notes without having to worry too much about the code’s formatting getting corrupted, and to bypass many of the problems associated with trying to share code segments over email, HTML formatting, and long streams of source code.

Apart from the ability to host a lot of textual information for free – making it ripe for spam abuse – paste bins typically allow visitors to make anonymous postings, which is ideal for botnet criminals seeking buyers for their stolen data.

Anyhow, I was discussing this aspect of paste bins with a colleague here at the office earlier today and figured I’d share some information about how paste bins are being used to perpetuate crime, and how their popularity has been increasing.

Paste bins are also very interesting from a threat research perspective. Despite being anonymous, they typically have well indexed pages – which means that they’re very easy to search.

For example, if you’re in the market for some stolen credentials you’ll find thousands of advertising posts such as the following:

As you’d expect, there is plenty of information out there and up for sale and the sellers are easy enough to track down and engage in conversation – offering up email addresses, ICQ/IRC numbers, phone numbers, etc.

In general, credentials and stolen banking details are sold in batches (i.e. in bulk), and most of the advertisers provide a lot of detail about the quality/freshness/scope of their data. For example, the following depicts the level of detail associated with the credit cards that are available (in batches of 1,000 cards).

I’ve pixelated some of the example above (and below) to hide the real victims’ credentials that have been offered up by the criminal as a sample. In many cases the criminals doing the advertising have so much data available for sale that they display swathes of samples – typically designed to show the depth of detail and “freshness” of the stolen credentials. For example, the following criminal is selling batches of stolen MasterCard credentials…


How do you uncover these details? Well, there’s the easy way and then there’s the hard way. The easy way is to visit the various paste bin Web sites and use their local search engine to hunt for key words such as “MasterCard” or “CardType:” etc.

Then there’s the hard way – you can use Google. OK, so it’s not really that hard. The point is that it’s easy to uncover these criminal advertisements. For example, the following reveals 800+ recent ads on the popular Pastebin.com site…
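As an added example (not code from the post or from Damballa), here is the defender’s side of the search described above: a small scanner that flags a paste as a likely card-dump advertisement when the keywords mentioned here appear alongside Luhn-valid card numbers, and masks every number it reports. The sample paste is constructed, and the issuer prefixes assumed are the classic MasterCard 51-55 and Visa 4 ranges.

```python
import re

# Constructed sample paste, modelled on the "batch of 1,000 cards" advertisements
# described above. The numbers are public test numbers or made up; only the last
# one fails the Luhn check. (Hypothetical data for this example, not a real dump.)
SAMPLE_PASTE = """\
selling fresh dumps, batches of 1000, contact ICQ 12345678
CardType: MasterCard | Country: US | Fresh: 100%
5105105105105100|11/12|123|John Doe
5555555555554444|01/13|456|Jane Roe
4111111111111111|05/12|789|Visa sample
1234567812345678|05/12|000|not a real PAN
"""

# Keywords the post above suggests for hunting card-dump advertisements.
DUMP_KEYWORDS = ("cardtype:", "mastercard", "dumps", "cvv")
# 13 to 19 contiguous digits not glued to other digits (PAN lengths in use).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(number: str) -> str:
    """Issuer prefix: Visa starts with 4, classic MasterCard range is 51-55."""
    if number.startswith("4"):
        return "Visa"
    if number[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    return ""

def mask_pan(number: str) -> str:
    """Keep BIN (first 6) and last 4 so reports never store a full PAN."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]

def scan_paste(text: str) -> list:
    """Luhn-valid, brand-matching card numbers in a paste, masked, by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in PAN_RE.findall(line):
            brand = card_brand(pan)
            if brand and luhn_valid(pan):
                findings.append({"line": line_no, "brand": brand, "pan": mask_pan(pan)})
    return findings

def looks_like_card_dump(text: str, min_pans: int = 2) -> bool:
    """Flag a paste when dump keywords appear alongside several valid PANs."""
    lowered = text.lower()
    return any(k in lowered for k in DUMP_KEYWORDS) and len(scan_paste(text)) >= min_pans
```

Pointed at a paste-site feed or at the results of the searches above, the same routine lets a bank or merchant triage hits on its own BIN ranges without ever storing a complete card number.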

It’s important to point out that these advertisements aren’t exclusive to the various paste bin sites – they’re just another vehicle for the criminals to hook up with other criminals and sell their stolen goodies. For example, doing a search for just one of the stolen (but freely available) MasterCard numbers offered up in the earlier screen shot revealed another 127 different sites hosting the same criminal ad.

You’ll find the paste bin sites being abused in a lot of different ways, but they’re increasingly being used as a convenient source of anonymous criminal advertising and for sharing stolen data (both encrypted and unencrypted).

Meanwhile, simple Google searches such as “facebook.com site:pastebay.com” will yield lists of thousands of stolen Facebook credentials…

I’m hoping that the various paste bin providers will help clean up the situation – but I’m not planning on holding my breath while they do so.

– Gunter Ollmann, VP Research

Botnet Building Campaigns

May 4th, 2010

The business of botnet building is precisely that – a business. When organizations look at the threat from a compromised asset perspective they too often fail to appreciate what’s really happening. A typical reaction is thus “why are they targeting me?”

If you step back a little – somewhere between the proverbial 10,000ft and the weeds – you’ll begin to notice some of the intricacies of what’s happening in the criminal botnet building world. Granted, there’s a lot of confusion as the security vendors throw about various threat terminology and often use the terms interchangeably depending upon their perspective, but in reality it’s not too complicated.

First off, don’t take it personally. The criminals aren’t necessarily targeting your organization because they’ve developed a certain dislike for who you are, rather they’re after the things your organization (and many others) contains. For example, rather than being focused upon stealing the digital keys to your particular corporate banking account – they’re after any keys they can find, and if they happen to stumble upon the mother lode then that’s damned lucky on their part. In all likelihood though they may not even recognize that they’ve obtained the keys until much later. You see, the vast majority of botnet building is automated and, as such, the successful criminal operators harvest so much information they often struggle to sift out the really valuable nuggets. That’s not to say that you can count on them to not recognize the inherent value of what they’ve obtained.

A critical component of modern “commercial” botnet building lies with “campaigns”. While some newbie or highly specialized botnet builders will seek to construct a botnet through a single vector (e.g. drive-by downloads from a cluster of Web sites they maintain), the majority of professional botnet building criminals launch and run multiple campaigns. These campaigns tend to use different delivery vehicles (e.g. drive-by downloads, spam, malicious binary seeding) and often leverage different campaign “themes” (e.g. pharmaceutical, keygens, free videos).

The purpose of launching multiple campaigns – most of which are launched and executed in parallel to one another – is to effectively “carpet bomb” a series of targeted organizations. The multiple vectors for exploitation and themes are there to increase the probability that some of the botnet malware agents will make it inside the targeted organizations – and it doesn’t matter which delivery vehicle or theme was successful. Well, actually, the delivery vehicles and campaigns do matter – but only in the sense of tuning future campaigns against other targets.

While the onslaught of multiple campaigns can be confusing to the victim organization, it can be just as confusing to the security vendors as they sift through threat intelligence harvested from malware samples, spam traps, sinkholes, domain registrations, Web scan results, etc. As such, many of the successes in understanding the campaigns associated with a particular botnet operator occur after the campaigns have been underway for a few days.

Example of botnet building campaigns…

The diagram above depicts the complexity in understanding the various campaigns run by a team of professional botnet builders.

(A) The criminals have created a cache of new botnet agents. Each agent is unique and has been quality assured to guarantee that common host-based security defenses (e.g. anti-virus, IPS, behavioral engines, etc.) cannot currently detect them.

From their secure location, the criminals VPN into a couple of hosting facilities (B) and (C). These hosting facilities have been chosen because they offer services that make it difficult for law enforcement to prosecute or take down the servers that (A) are using. More than likely, the servers are hosted in multiple locations around the world.

Hosting facility (B) has its own local cache of botnet agents ready for deployment, and is currently running three campaigns in parallel. Two campaigns are spear phishing related, with the third executing a targeted Search Engine Optimization (SEO) campaign. Meanwhile, over at the (C) facility, two additional campaigns are underway – a pair of drive-by download sites (supported by social network related phishing messages).

Each of the 5 campaigns (D) is seeking to deliver the botnet agents and subsequently breach the target’s network and host-based defenses. Once successful, the various botnet agents will connect to their command and control (CnC) servers and consequently become part of the criminals’ botnet. The CnC servers aren’t depicted in the diagram above. In most cases the CnCs are situated within hosting infrastructures independent of (B) and (C) – for added resilience and flexibility.

Interestingly enough, while the targeted organization may have observed components of the 5 campaigns, it is unlikely that they would have initially been associated with a single criminal attack. The malware being used would have provided no hints to the nature of the real attack – in fact there’s a high probability that the various malware components would not have been attributed to the same (single) campaign, given how different they are from each other (read our paper on the topic of Serial Variant production).

Trying to track back a particular campaign (in isolation) would have just identified the particular hosting facility. Tracking back the CnCs used by the botnet agents fortunately provides the glue to understanding the linkages between the various campaigns and makes it easier to understand the objectives of the criminals – which subsequently allows organizations to prioritize and order their remediation steps.

– Gunter Ollmann, VP Research

Storm Worm 2: A view of its C&C

May 3rd, 2010

News broke recently that there’s a new Storm Worm doing the rounds. Late last week a detailed analysis of the new Storm Worm malware variant was posted by The Honeynet Project at their website.

Based on the analysis I conducted over the weekend, this particular threat is indeed very similar to the old Storm Worm – with at least 67% of the code being the same – and the most notable difference being that the P2P functionality of the old version has been dropped from the new version. The command protocol is now reliant upon HTTP instead of simple TCP connections.

Now let’s go to the juicy stuff, analyzing the CnC.

From the malware samples I’ve obtained, I was able to extract two critical CnCs. Let’s call them CnC Domain B and CnC Domain C. Based upon our historical data trove, Domain B is also being used for CnC by other malware families – while Domain C is only being utilized by the new Storm Worm variant – at least for now.

The other malware families that utilize Domain B for CnC also make use of Domain A. This other domain is not utilized by the new Storm Worm variant (at least it’s not present in the malware samples I have had the chance to analyze so far). Domain A is being utilized by another family of botnet malware. For a graphical representation, please see Figure 1 below.

Figure 1: C&C Relationships with other Malware Families

From the figure above, the lettered boxes show different malware families positioned within a timeline as to when we first uncovered them. The cloud represents the domains they utilize for CnC. So from here, a pattern is starting to emerge. It would appear that the botmaster’s campaign can be easily traced by overlapping CnC domains.

In Dec 2009, a family of malware (Malware A) utilized Domain A as its CnC in an infection campaign. By the second month of 2010, multiple malware families materialized and utilized CnC Domain A together with a new CnC (Domain B). Then, by April 2010, the new Storm Worm variant was identified by security researchers and it utilized CnC Domain B, and no longer referenced Domain A for CnC. Instead it utilized a new CnC domain – CnC Domain C. If the pattern proves to be correct, we will see new malware families that will utilize CnC Domain C.
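As an added example (not code from either post or from Damballa), here is the pivot that both the “Botnet Building Campaigns” post and this one describe: link malware families through the CnC domains they share, then lay the linked set out on a timeline to see where each new domain first appears. The observations are constructed from Figure 1 above, the domain names are placeholders rather than real indicators, and “Unrelated X” is a control family that shares no domain with the rest.

```python
from collections import defaultdict, deque

# Constructed observations modelled on Figure 1 above: (malware family, first seen
# as YYYY-MM, CnC domains it contacted). The domain names are placeholders, not
# real indicators. "Unrelated X" is a control that shares no domain with the rest.
OBSERVATIONS = [
    ("Malware A", "2009-12", {"cnc-a.example"}),
    ("Malware B", "2010-02", {"cnc-a.example", "cnc-b.example"}),
    ("Malware C", "2010-02", {"cnc-a.example", "cnc-b.example"}),
    ("Storm Worm 2", "2010-04", {"cnc-b.example", "cnc-c.example"}),
    ("Unrelated X", "2010-03", {"cnc-z.example"}),
]

def build_graph(observations):
    """Bipartite adjacency: family -> domains and domain -> families."""
    fam_to_dom = {name: set(domains) for name, _, domains in observations}
    dom_to_fam = defaultdict(set)
    for name, _, domains in observations:
        for d in domains:
            dom_to_fam[d].add(name)
    return fam_to_dom, dom_to_fam

def pivot_cluster(start, fam_to_dom, dom_to_fam):
    """All families reachable from `start` by pivoting on shared CnC domains (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        fam = queue.popleft()
        for d in fam_to_dom[fam]:
            for other in dom_to_fam[d]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen

def campaign_timeline(cluster, observations):
    """Order a cluster by first-seen date; list the CnC domains new at each step."""
    rows = sorted(((fs, n, doms) for n, fs, doms in observations if n in cluster),
                  key=lambda r: (r[0], r[1]))
    known, timeline = set(), []
    for first_seen, name, domains in rows:
        timeline.append((first_seen, name, sorted(domains - known)))
        known |= domains
    return timeline

def shared_domains(cluster, fam_to_dom):
    """CnC domains used by more than one family in the cluster: the overlap 'glue'."""
    counts = defaultdict(int)
    for fam in cluster:
        for d in fam_to_dom[fam]:
            counts[d] += 1
    return sorted(d for d, c in counts.items() if c > 1)
```

The same routine run over sinkhole or passive-DNS data groups families that never shared a byte of code, which is exactly why the CnC tether is the better thing to watch than the individual variant.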

Another observation I’ve made is that there are multiple malware families – each of them probably with serial variants – utilizing a handful of CnCs. This is obviously a continued source of headaches for anti-virus host-based solutions; not only in detection but also in clean up.

One important question to ask is “Will the new malware families used in future campaigns be detected by my AV host solution?”

The answer is, unfortunately, probably not. But one thing is certain: whatever malware families are used for the next few campaigns, the CnC domains will likely not change as much or as frequently as the malware variants themselves. Disrupting the CnC – the command tether linking the infected host and the botmaster together – is where you need to focus your protection nowadays.

– Christopher Elisan, Senior Research Analyst