
Common Threats
Tom Chothia, Intro. to , Lecture 19

What an attacker might do once they have access:
• Steal password file, credit card numbers, personal data.
• Create new user accounts and back doors.
• Replace existing libraries and applications with .
• Log key strokes.
• Send spam.
• Perform DoS attacks.
• Install .

RootKit

• Malware installed on machines.
• Typically:
– Gives repeated root access to the machine.
– Often installs other payloads.
– Hard to detect.
• E.g. Mebroot, which alters the Master Boot Record of a machine to load before the OS.

Man in the Browser Attacks

• Malware can be set to attack the browser.
• In this case all certificates can be faked.
• Anything that looks like a credit card no. or bank log in can be collected.
• TLS and web defences can’t stop this.

Botnets

• Most attackers are in it to make money.
• A single credit card number or spam e-mail isn’t worth very much.
• Networks of hacked computers (bots) are organised into large networks (botnets).

Command and Control

[Diagram: a C&C server at 131.253.18.12 controlling many bots.]

Denial-of-service attack

• With this many computers it’s easy to overload some web site.
• The easiest type of attack uses (rents) a botnet to perform a distributed denial-of-service attack.
• Often used to blackmail companies, or for political reasons.

• Instead of using an IP address, bots look for a URL.
• To stop the IPs getting blocked, new IP addresses are registered every few minutes.
• Makes it impossible to go after the hosts.

Botnet Command and Control

• Zeus is one of the large botnets.
– Uses Fast Flux.
– Many C&C servers.
– Spreads mainly via Trojans.
– Man-in-the-browser.
– Sends spam, .
• Code is available for sale on black markets.

[Diagram: a C&C server at www.ealo.net controlling many bots.]

Domain Flux

• Bots continuously generate new URLs.
– E.g. based on a hash of the date and a secret value.
• Botmasters know and register the URL in advance.
• Even if all C&C is shut down, bots will switch to a new URL in a few days.
• We can try to block all future URLs (hard).

Conficker

• that installs a botnet.
– More than 10 million infections.
– The first version would not infect computers with a Ukrainian keyboard layout.
– Spreads via NetBIOS buffer overflows and guessing admin passwords.
– Uses Domain Flux and P2P.
• Largely contained by security researchers who have blocked tens of thousands of domain names.
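An added illustration of the domain-flux scheme above, seen from the defender's side (example code written for this page, not from the lecture or any real botnet): once the hash construction and secret are known, the next days' domains can be precomputed, the unregistered ones sinkholed, and DNS queries for them used to spot infected hosts. The secret, the hash layout, the dates and the sample DNS queries are all constructed assumptions.

```python
import hashlib
import datetime as dt

# Constructed toy parameters for this example; they are not the values of
# Torpig, Conficker or any real botnet.
SECRET = b"example-secret"
TLDS = ("com", "net", "biz")


def flux_domain(day_iso, secret=SECRET):
    """One domain-flux step: derive the day's rendezvous domain from a hash of
    the date (YYYY-MM-DD) and a secret value. Bots and the botmaster can both
    compute it; without the secret nobody else can predict it."""
    digest = hashlib.sha256(day_iso.encode() + secret).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


def upcoming_domains(start_iso, days, secret=SECRET):
    """Defender's view once the algorithm and secret have been reverse
    engineered: the domains bots will look for over the next `days` days,
    which can be registered (sinkholed) or blocked in advance."""
    start = dt.date.fromisoformat(start_iso)
    return [flux_domain((start + dt.timedelta(days=i)).isoformat(), secret)
            for i in range(days)]


def unregistered(domains, registered):
    """Predicted domains the botmaster has not registered yet: the window the
    UCSB team used to take over Torpig."""
    return [d for d in domains if d not in registered]


def flagged_queries(dns_queries, predicted):
    """Detection: (client, name) DNS queries from the local network that hit a
    predicted domain are a strong sign of an infected host."""
    watch = set(predicted)
    return [(host, name) for host, name in dns_queries if name in watch]


if __name__ == "__main__":
    window = upcoming_domains("2009-01-25", 10)  # constructed example date
    for name in window:
        print(name)
```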

P2P

• More recent malware sets itself up as a P2P network.
• Malware connects to C&C and other bots.
• If the main C&C goes down, botmasters can connect to any bot and update them all with a new C&C.

Torpig/Mebroot

• Mebroot is a rootkit that writes itself into the Master Boot Record.
– Executes before the OS loads.
– Very hard to detect.
• Spreads via drive-by downloads.
• Downloads and installs other payloads.
• Torpig is a botnet downloaded and installed by Mebroot.

Torpig Botnet take-over paper

In 2009 a team from the University of California, Santa Barbara reverse engineered Torpig’s domain flux algorithm.

Looking ahead, they noticed that some Torpig URLs weren’t registered. So they decided to register the addresses themselves.

For 10 days they had complete control of the botnet and saw all data.

It took 10 days for Mebroot to replace Torpig with a new .

Underground Markets: Roles

1. Attackers that steal the data (e.g. via botnets, phishing etc.).
2. Cashiers: take credit cards and bank accounts and remove cash.
3. Drops: people who provide a place to send goods.
4. Service sellers: bot masters rent botnets for spam, DDoS, phishing.
5. Based on web forums and IRC.

Market places

• Internet Relay Chat (IRC)
– Anyone can connect and live chat.
• Web forums, less common now.
• Hidden services, growing fast
– Although attacked by the FBI in the last few months.

Electronic Currency

• Based on partial SHA hash collisions:
– If you can find a partial collision you have minted a bitcoin.
• Passed from one person to another by signing an entry in a public database.
• Only the person with the signing key can pass it on.

Other Payment Methods

• “Webmoney”, an online payment service based in Russia.
• Western Union money transfer.
• Closed down:
– E-Gold, another digital currency: trading shut down in 2009 due to crime.
– Liberty Reserve, based in Costa Rica, taken down in May.

Typical Transaction 1:

• Attacker steals 1000 fullz (credit card number, CVV, name, address, etc.).
• Sells them on a forum for 10 (£4300).
• Buyer sells them in groups of 20 to cashiers for £300 in “Webmoney”.

Typical Transaction 1 (continued):

• Cashiers meet “drops” in Internet chat rooms who agree to receive goods.
• Cashiers order goods online and have them sent to the “drops”.
• Drops sell the goods and send half the money to the cashiers via Western Union.

Typical Transaction 2:

• Bot master offers network for DDoS attack at £200 a day.
• Attacker hires the botnet to attack a small company, bringing down their site.
• Attacker anonymously contacts the company and asks for £10,000 in bitcoins to stop.

Reading

• The Symantec Threat Report, 2014.
– What happened in cyber security last year.
• http://www.symantec.com/security_response/publications/threatreport.jsp