Anonymity is King
Virus Bulletin 2015, Prague, October 1, 2015

“A man is least himself when he talks in his own person, but give him a mask and he will tell you the truth.”
Copyright 2015 Trend Micro Inc.

Speakers
• Michael John Marcos, Threat Research Engineer, Trend Micro, SME – Banking Trojans
• Anthony Joe Melgarejo, Threat Research Engineer, Trend Micro, SME – Ransomware
Deep Web
• The part of the Internet that is inaccessible to conventional search engines, and consequently, to most users.
WHAT'S OUR STORY?

What's our story
• How it all began
• How do cybercriminals exploit this technology?
• What can we do to investigate?
• What's next?
HOW IT ALL BEGAN?
Botnet Topology
• Star (figure: every infected machine connects to a single C&C Server)

Botnet Topology (cont'd)
• Multi-server (figure: infected machines are spread across several C&C Servers)
Takedowns... everywhere...

Solution

Deep Web traffic is encrypted.
Deep Web offers Deception.
(figure: the Infected Machine reaches the C&C Server through several .onion addresses: uhwikih256ynt57t.onion, lp4t52xp5vlhyhkb.onion, s6cco2jylmxqcdeh.onion)

Deep Web provides Resilience and High Availability.
(figure: the Infected Machine connects to lp4t52xp5vlhyhkb.onion; behind it C&C Server 1 is Offline, C&C Server 2 is Active and C&C Server 3 is Reserved)

HOW DO CYBERCRIMINALS EXPLOIT THIS TECHNOLOGY?
Tor - The Onion Router
(figure: the TOR CLIENT builds an encrypted circuit through the relays; only the final hop from the exit relay to the destination is Unencrypted)
Hidden Services
(figure: the HIDDEN SERVICE opens circuits to introduction points IP1, IP2 and IP3 and publishes a descriptor signed with its key PK, listing IP1-3, to the directory DB. The TOR CLIENT fetches the descriptor, builds a circuit to a rendezvous point RP and sends the RP address together with a one-time Cookie through one of the introduction points; the hidden service then connects to the RP presenting the same Cookie, and the two circuits are joined.)
KINS

KINS - Static Analysis
• 32-bit executable
• 64-bit executable
• TOR executable

KINS Infection Flow
• Installation
• Inject
• Tor is started with the hidden-service configuration passed on the command line:
  --HiddenServiceDir "%appdata%\tor\hidden_service"
  --HiddenServicePort "1080 127.0.0.1:23318"
  --HiddenServicePort "5900 127.0.0.1:26824"
  (the bot's local listeners on 127.0.0.1:23318 and 127.0.0.1:26824 are exposed on the hidden service as ports 1080 and 5900, the conventional SOCKS and VNC ports)
Tor pre-requisites: Tor Browser installation
Tor2web
• Allows Internet users to access Tor hidden services without using Tor Browser: the gateway fetches the .onion site over Tor and serves it back over ordinary HTTP(S), so the user's machine never touches the Tor network (and gains none of its anonymity).
Using Tor2web
Tor:
• http://duskgytldkxiuqc6.onion
Tor2web:
• http://duskgytldkxiuqc6.tor2web.org
• http://duskgytldkxiuqc6.onion.to
• http://duskgytldkxiuqc6.onion.cab
• etc...
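A helper that maps a Tor2web gateway URL back to the .onion address it fronts, as an added example for this deck (not code from the slides or from Trend Micro). It knows the three gateway suffixes listed above plus the generic <address>.onion.<tld> form; the proxy log lines it scans are constructed for the demonstration, and the 56-character v3 onion format it also accepts is a generalisation beyond the 16-character addresses shown on the slide.

```python
"""Map Tor2web gateway URLs back to the .onion address they front.

Added example for this deck, not code from the slides or from Trend Micro.
The gateway suffixes are the three named on the slide plus the generic
"<address>.onion.<tld>" form used by other gateways; the sample proxy log at
the bottom is constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# Gateways that replace the ".onion" label entirely (from the slide).
DROPPED_ONION_GATEWAYS = ("tor2web.org",)

# A v2 onion address is 16 base32 characters, as on the slide.  The 56-character
# v3 form is accepted as well, a generalisation beyond what the slide shows.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_onion(url):
    """Return (onion_hostname, gateway) for a direct .onion URL or a Tor2web
    URL.  gateway is None for a direct .onion; the result is None when the URL
    does not refer to a hidden service at all."""
    if "://" not in url:
        url = "//" + url                      # give urlsplit a netloc to parse
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")

    # Generic form: <address>.onion[.<gateway domain>], e.g. x.onion.to, x.onion.cab
    for i in range(1, len(labels)):
        if labels[i] == "onion" and ONION_LABEL.match(labels[i - 1]):
            rest = ".".join(labels[i + 1:])
            gateway = "onion." + rest if rest else None
            return labels[i - 1] + ".onion", gateway

    # Gateways that drop the ".onion" label: <address>.tor2web.org
    for gw in DROPPED_ONION_GATEWAYS:
        parts = gw.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            candidate = labels[-len(parts) - 1]
            if ONION_LABEL.match(candidate):
                return candidate + ".onion", gw
    return None


def scan_log(lines):
    """Pull hidden-service references out of proxy/web log lines.

    Returns (line_number, onion_hostname, gateway) for every URL that is a
    .onion address or a Tor2web front for one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            found = extract_onion(url)
            if found:
                hits.append((n, found[0], found[1]))
    return hits


# Constructed sample proxy log (not real traffic); the .onion address is the
# one used on the slide.
SAMPLE_LOG = [
    "2015-10-01 09:12:01 10.0.0.7 GET http://duskgytldkxiuqc6.tor2web.org/ 200",
    "2015-10-01 09:12:05 10.0.0.7 GET http://www.example.com/index.html 200",
    "2015-10-01 09:12:09 10.0.0.9 GET http://duskgytldkxiuqc6.onion.cab/pay 200",
    "2015-10-01 09:13:00 10.0.0.9 GET http://duskgytldkxiuqc6.onion.to/pay 200",
]

if __name__ == "__main__":
    for n, onion, gateway in scan_log(SAMPLE_LOG):
        print(f"line {n}: {onion} reached via {gateway}")
```

Because a Tor2web request leaves the victim as ordinary web traffic, this normalisation is what lets a proxy log be matched against a .onion indicator list: the three gateway hostnames above all collapse to the same duskgytldkxiuqc6.onion.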
CTB-Locker - Overview
• ECDH
• Bitcoin
• Tor and Tor2web
CTB-Locker Infection Flow
• Installation
• Inject
• (figure: Public Key, Bitcoin Address, Payment Site)
CTB-Locker: Payment Sites

Blocked payment sites

CTB-Locker: Leveraging Tor2web availability

Advantages of malware using Tor2web
• No need for a Tor installation on the victim
• No Tor network traffic on the system
• A variety of Tor2web gateways: when one gateway is blocked, the same .onion payment site stays reachable through another
I2P - Invisible Internet Project
(figure: the CLIENT's HTTP REQUEST leaves the CLIENT ROUTER as a GARLIC MESSAGE through the CLIENT OUTBOUND TUNNELS into the SERVER INBOUND TUNNELS and on to the WEB SERVER; the reply, DELIVERY STATUS and DATABASE STORE messages come back through the SERVER OUTBOUND TUNNELS and the CLIENT INBOUND TUNNELS. I2P tunnels are unidirectional, so each direction uses its own pair.)
Dyreza

Dyre capabilities
• NAT
• System Information

Dyreza: Call Home via I2P

Dyreza: Domain generation algorithm
As Malware Support Portal
• CRYPVAULT – crypto-ransomware
• Warning message: brief description, instructions, Support Portal URL, key file

As Malware Support Portal (cont'd)
• Upload key file
• Real-time chat technical support
As Command and Control Server
• Slempo – Android backdoor malware
• Trojanized version of Orbot
• Backdoor commands

As Command and Control Server (cont'd)
• Stolen information is sent to a Tor URL
As File Server hosting malware
• Chanitor, a downloader malware
• It uses hardcoded Tor2web URLs to deploy a banking trojan, VAWTRAK, on the infected system
WHAT CAN WE DO TO INVESTIGATE?
Forensics / Detection
Good sources of information to extract Deep Web artifacts:
• Command-line arguments
• Installed files and folders
• Prefetch (.pf) files
• Network traffic

Forensics / Detection (cont'd)
• Command-line arguments (e.g. the --HiddenServiceDir / --HiddenServicePort options passed to the Tor binary)
• Installed files and folders
  – Installation date
  – Last execution date
  – Other info (e.g. generated Deep Web URL, version, etc.)
• Prefetch files
• Network traffic logs
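Turning the KINS command line shown earlier into a detection, as an added example (not code from the slides or from Trend Micro): it parses the --HiddenServiceDir / --HiddenServicePort arguments out of a recorded process command line, such as a Sysmon Event ID 1 or a Security Event 4688 with command-line auditing enabled, and flags a Tor binary or hidden-service directory living under the user profile. The tor.exe path in the sample command line is an assumption; the arguments are the ones from the KINS slide.

```python
"""Extract Tor hidden-service settings from a recorded process command line.

Added example for this deck, not code from the slides or from Trend Micro.
The sample command line combines the KINS arguments shown earlier with an
assumed tor.exe path under the user profile.
"""
import re
from collections import namedtuple

HiddenService = namedtuple("HiddenService", "directory ports")

# Quoted values stay one token, so "1080 127.0.0.1:23318" survives intact.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Locations a legitimately installed Tor would not normally live in.
USER_WRITABLE = re.compile(
    r"%appdata%|%localappdata%|%temp%|\\appdata\\|\\temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows-style command line into tokens, dropping the quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_tor_cmdline(cmdline):
    """Return the hidden services configured on the command line.

    Tor accepts any torrc option as -Option/--Option VALUE, case-insensitive.
    HiddenServicePort takes "VIRTPORT [TARGET]"; when TARGET is omitted Tor
    uses 127.0.0.1:VIRTPORT.  Ports attach to the most recent
    HiddenServiceDir, as in Tor's own config parsing."""
    tokens = tokenize(cmdline)
    services = []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1                               # image path or stray value
            continue
        option = tok.lstrip("-").lower()
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if value == "" or value.startswith("-"):
            i += 1                               # flag without a value
            continue
        if option == "hiddenservicedir":
            current = HiddenService(value, [])
            services.append(current)
        elif option == "hiddenserviceport" and current is not None:
            vport, _, target = value.partition(" ")
            if vport.isdigit():
                current.ports.append(
                    (int(vport), target.strip() or f"127.0.0.1:{vport}"))
        i += 2
    return services


def assess(cmdline):
    """Triage a command line: return indicator codes for a responder."""
    tokens = tokenize(cmdline)
    image = tokens[0] if tokens else ""
    services = parse_tor_cmdline(cmdline)
    indicators = []
    if services:
        indicators.append("hidden-service-configured")
    if USER_WRITABLE.search(image):
        indicators.append("tor-binary-in-user-writable-path")
    for svc in services:
        if USER_WRITABLE.search(svc.directory):
            indicators.append("hidden-service-dir-in-user-profile")
        for _vport, target in svc.ports:
            # The target is the local listener the bot exposes: find the
            # process bound to it (netstat -ano) and check its prefetch entry.
            indicators.append(f"local-listener:{target}")
    return indicators


# Constructed sample: tor.exe path assumed, arguments from the KINS slide.
SAMPLE_CMDLINE = (
    r'"C:\Users\victim\AppData\Roaming\tor\tor.exe" '
    r'--HiddenServiceDir "%appdata%\tor\hidden_service" '
    r'--HiddenServicePort "1080 127.0.0.1:23318" '
    r'--HiddenServicePort "5900 127.0.0.1:26824"'
)

if __name__ == "__main__":
    for svc in parse_tor_cmdline(SAMPLE_CMDLINE):
        print(svc.directory, svc.ports)
    print(assess(SAMPLE_CMDLINE))
```

The recovered HiddenServiceDir is also where to look next on disk: Tor writes the generated .onion hostname and the service's private key into that directory, which is the "generated Deep Web URL" artifact the installed-files slide refers to.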
WHAT'S NEXT
Over the years.. (timeline from 2012 to October 2015; families as listed on the slide, in the order extracted from the figure): Skynet, Sefnit, Tox, Chewbacca, CryptoWall 3.0, Atrax, BitCrypt, CTB Locker, Zbot, ORX Locker, Bifrose, Dyre, Encryptor RaaS, Onionduke, VaultCrypt, CryptoWall 2.0, TeslaCrypt, Cryptoapp, LusyPOS, Babar, AlphaCrypt, Slempo, Chanitor, Troldesh, Torrent Locker, Vawtrak
Conclusion
• Cyber criminals will continue to use the Deep Web to evade attribution.
• More cybercriminal groups will be attracted to the Deep Web.
• Staying one step ahead.
QUESTIONS?
Thank You !!! Michael John Marcos, Anthony Joe Melgarejo October 2015