Tales from the Russian underground
INFECTION TECHNOLOGIES AND ECONOMICS
DR. LUCA ALLODI
EINDHOVEN UNIVERSITY OF TECHNOLOGY
DEPARTMENT OF MATHEMATICS AND COMPUTER SCIENCE – SECURITY GROUP
8/27/17
@securescientist
DR. LUCA ALLODI (TU/E) – UNDERGROUND CYBERCRIME ECONOMICS

Economic estimates of cybercrime
Industry/academia delivers wild estimates of size of cybercrime, exploited vulnerabilities, risk..

Two (+1) main central points:
◦ Vulnerability = bad
◦ 0-day vulnerability = extra bad
◦ Huge money for cybercriminals

These generate a HUGE amount of estimates on nature/value of cybercrime
◦ Estimate ≈ f(no. vulns x no. systems x avg alarms, $/system)
◦ And of course everybody’s estimates are widely different
◦ Symantec -> 300B; McAfee -> 1000B

Can these figures characterize the real economy?
What can we say if we look at the actual economic value of attacks?

loving the cyber-bomb?



Outline

Debunking numbers (indulge me for 4 slides)
◦ We have a look at what current estimates are about and the confusion that they generate when you consider them together
◦ Takeaway: we as a community do not have a clear picture of malware economics

Cybercrime markets (core of talk)
◦ We explore one prominent (Russian) cybercrime market: trends, prices, comparisons with “legitimate” markets
◦ Takeaway: the economy is there, is expanding, and compares well with competition

Playing with malware: B-LAB & Exploit Kits internals (case study)
◦ B-LAB: student laboratory being built at TU/e (quick intro)
◦ We look at the internals of successful products in the markets (exploit kits)
◦ Takeaway: products are well-engineered, both offensive and defensive components

Debunking numbers


(1): economy size (they’re all rich)

https://www.theguardian.com/technology/2013/oct/30/online-fraud-costs-more-than-100-billion-dollars

Symantec CyberCrime report 2011

(2): 0-day costs & ROI (we’re all doomed)

https://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/#572a997e2660

http://resources.infosecinstitute.com/cybercrime-and-the-underground-market/


(3): actual attacks (they are few)

Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World (Leyla Bilge, Tudor Dumitras)

The Heavy Tails of Vulnerability Exploitation (Luca Allodi)

In summary:
◦ 18 0-days worldwide
◦ 2 drive 2M attacks
◦ 16 drive nothing

Irrespective of sw categories
• Millions of attacks → 5% of exploits
• 95% of exploits → nothing


(4): Lost $$ / infected user (we’re confused)

Exploit = 20.000-100.000 USD

Botnet for 200 USD / 2000 infections

Average break-even case for exploit vendor:
◦ Adobe + Java + Windows
◦ (15k + 70k + 90k) USD / 200 USD ≈ 900 sales
◦ Every bundle = 1.7M infections
◦ Each exploit drives 600k infections

• Finally..
• Approx 20 0-days
• what matters is the order of magnitude
• Assume bundles of 3 exploits each
• Tot infections = 1.7M x (20/3) = 11M
• 388000M / 11M = 35k
→ Every infected user must lose ≈ 35k
• …
• Mhh..
• 0days vs sales vs costs vs actual exploits vs losses
• We are missing something


Let’s put some order: The emergence of a malware economy

Simplistic view:
◦ “Hackers want to make money”
◦ It’s not as trivial as that

What we observe is an adaptive ecosystem that:
◦ Outsources the technical challenge of deploying an attack
◦ Responds to demand and changes in target population
◦ Regulates trading activities

Attack evolution driven by economic mechanisms
◦ Develop what’s optimal
◦ Ignore what costs more than the marginal benefit it introduces
◦ Exploit development, malware deployment

Cybercrime Markets


Two types of markets

“TOR-based markets” → Can’t be reached from “standard” internet
◦ → “a network inside the Network”
◦ Typically drugs and other illegal goods markets
◦ Find .onion service, scrape data

“Closed markets” → can be reached on the Internet
◦ Most tech markets are of this type
◦ Organised in different markets
◦ Typically “national” → Russian, Chinese, Brazilian
◦ Markets are closed, entry by selection
◦ Find .ru website, you still need to get in (not as easy as using a fake email)
◦ Among the most influential are the Russian markets

Infiltrating closed markets

Background checks on requestor

Proof of belonging to the (Russian) “hacking” community
◦ No hack-on-request
◦ Reputation

Language-specific

Today we explore one of the most prominent Russian markets
◦ Trade of most tools reported by security community
◦ Active for 7 years (2010-today)

Infiltrated for 4+ years
◦ 1.5 years “break” as we’ve been kicked out of market
◦ TOR access (to avoid firing too many alarms)


Market organisation

Several area-specific markets
◦ Virology → malware, exploits, packs, …
◦ Access → FTP servers, shells, SQL-i, …
◦ Servers → VPN, proxies, VPS, hosting, …
◦ Social networks → accounts, groups, …
◦ Spam → emailing, databases, mail dumps, …
◦ Internet traffic → connections, iframes, …
◦ Finance → bank accounts, money exchange, …
◦ Work → look for and offer jobs

Top 10 on “virusologia”

[Screenshot labels:]
◦ Exploit Kit “RIG v3”
◦ Tool to encrypt malware
◦ Exploit Kit “Neutrino”
◦ Sale of Office exploits
◦ Dropper “Nuclear” (EKit)
◦ Kernel exploits for Windows
◦ Crypt online service
◦ Web attacks injector
◦ Malware bots


Example of trade: exploits

The exploit has a fully customisable shellcode.

The package includes a demo that opens a command console with SYSTEM privileges.

The high degree of efficiency of the exploit reduces the risk of failure to virtually zero - that is, ten consecutive successful runs on the same system.

Thus, it is best used "Use After Free" and not "Pray After Free" as it happens with other "manufacturers".

Exploit tested for these AVs

(can test against others upon request)

Price: 5000 USD

Example of trade: malware

1. 61kb (UPX - 24kb);
2. Multi-threaded file encryption;
3. New algorithm based on AES-256 using RSA-2048
4. You can set prices based on country
5. Handy ticket system
...
12. Infection disabled for these countries: AM AZ BY GE KG KZ MD RU TJ TM UA UZ (CSI);

1. No price, get 50% of revenue.
2. Absolutely do not touch CSI countries.
3. Instant payments
....


Example of trade: rogue certificates

Price: 400 USD

Example of trade: mobile bots


Example of trade: mobile bots

[Screenshot labels: Real App; Injected page]

Price: 4000$ lifetime updates

Focus on exploits: an expanding market

[Figure: Sellers (n=22). Count of new authors per year, 2010-2016; series: New authors, Cumulative]

[Figure: Exploit packages (n=38). Occurrences per year, 2010-2017; series: EKIT, MALWARE, STANDALONE]

Exploit package = bundle of one or more exploits traded as one product


Zoom in bundled exploits

[Figure: Occurrences per year, 2010-2017; series: adobe, microsoft, oracle]

Gartner Hype Cycle
Underground exploits

Wikipedia:The hype cycle provides a graphical and conceptual presentation of the maturity of emerging technologies through five phases.

Exploits “À la carte”

Alleged 0days vs actual trade exploits


Compare with legitimate market(s)

Excerpt of (bootstrapped) exploit prices in the underground market

Chrome, FF compare

Microsoft Edge RCE

(Finifter et al. Usenix 2013)

New exploit introduction

[Figure: Fraction of exploits vs. days between introduction of new exploit (0-900); series: adobe, microsoft, oracle]

[Figure: Count of exploits per year, 2010-2017; panels: MALWARE, STANDALONE, EKIT; series: Repackaged, First appearance]

EKITS Innovation drivers

• Most exploits introduced by EKITS and STANDALONE
• Rate of introduction is rather slow
• 50% of exploits updated after 6 months
• Slowest 25% after 1.5 yrs
• Fastest 25% after 2 months
• Most exploits that are re-packed come from EKITs


Exploit kits operation

Exploit kits are websites that serve vulnerability exploits and ultimately malware

Affect client-side vulnerabilities

Drop malware upon successful exploitation
◦ Fully customizable

Typically feature <10 exploits
◦ Trend is decreasing in time
◦ Now many exploit kits feature 3-4 exploits

Baseline workings

[Diagram labels: Popular website homepage; Hacker / Exploit kit owner; iFrame; Exploit Kit; User; "points to"; "attacks"]


Baseline workings

[Diagram labels: Popular website homepage; Hacker / Exploit kit owner; iFrame; Exploit Kit; User; "points to"; "attacks"]

[Annotations:]
◦ This is the GET response. Can’t remove it without breaking the web
◦ This is the original GET request

Third party traffic

Exploit kits only work if they receive victim traffic
◦ Direct links, ads, iframes, redirections, ..

Underground has services that trade connections
◦ “Maladvertising”, spam, iframes on legit websites

Attacker “buys” connections from specific users, with specific configurations
◦ Javascript checks local configuration
◦ Sends to remote server
◦ Remote server redirects to exploit kit
◦ User loads the webpage the attacker compromised, and if characteristics match traffic is redirected


Traffic redirection

[Diagram labels: Popular website homepage; Exploit Kit; User; Exploit kit owner; iFrame; ADs; Traffic Broker / Hacker; "buys traffic"; "attacks"]

Drive-by attacks “in the wild”


Selling traffic

Can buy traffic from “traffic brokers”
◦ User does not have to click on anything
◦ Automatic redirect

High-quality traffic derives from selection of connection based on requested criteria
◦ Geographic source
◦ Installed software

Infect 1M machines: is it worth it?

Action                                      Economic effort (1st year)
Buy exploit kits (20% efficiency)           2000 USD
Required connections                        5x10^6
Setup                                       50-150 USD
Traffic (assuming 2 USD/1000 conn.)         10.000 USD
Maintenance (IP/domain flux, packing..)     150 USD
Updates (assuming 2/yr)                     ~200 USD
Total                                       ~12.400 USD – 12.500 USD
Break-even ROI/BOT                          ~0.01 USD

Compare this with initial 0-day estimate of 35k$/bot..


B-LAB & Exploit kit internals
TECHNICAL AND OPERATIONAL RESEARCH @ TU/E

TU/e Black Hat’s Lab (B-LAB)

Isolated infrastructure to play around with malware, crypters, exploits, ransomware, nation-state malware
◦ E.g. Galileo’s RCS platform from Hacking Team + exploits (word, IE, flash, ..)
◦ 30+ exploit kits
◦ NSA malware + exploits
◦ … (add what you want)

+ IoT testbed
◦ B-LAB connected to a fully modular IoT testbed with controllers, sensors, SCADA/ICS systems, etc.
◦ Deploy attacks in virtually any environment and evaluate effects on the real world

Live October 2017 (closed beta)
◦ Fully operative start 2018

Contact person: me


Offensive components

Delivers the attack
1. Detects browser and operating system (88%)
2. Checks system hasn’t been attacked yet (64%)
   ◦ via IP checking
3. Checks if system is actually vulnerable
   ◦ Browser and plugin versions
4. Launches appropriate attack
   ◦ Less sophisticated kits launch the attack even if system isn’t sophisticated enough (36%)

Exploits typically attack vulns on:
◦ Adobe Flash, Acrobat Reader, Internet Explorer, Java, other plug-ins

Bleeding Life – exploit selection

Checks presence of Adobe reader:
1. Initialise a_version.exists & a_version.version
2. Checks version of adobe reader
3. Gets the version of adobe, if it exists
4. Returns variable

Checks presence of Java:
1. Initialises variables j_version.exists, j_version.version & j_version.build
2. Checks version of java
3. Same as before
4. Returns


Exploit integration

[Code screenshot annotations:]
◦ Shellcode generated considering call-home url
◦ Insert shellcode in stack
◦ Adds Java file in webpage

Defensive components

Many exploit kits defend themselves against AV/robot detection

Payload and malware obfuscation (82%)
◦ Obfuscation + crypto
◦ Malware packers

Block IP to avoid probes (78%)

Evasion robots + crawlers

Some check whether the domain on which the exploit kit is hosted is included in antimalware lists


Defensive components: Venn Diagram

DR. LUCA ALLODI - NETWORK SECURITY - UNIVERSITY OF TRENTO, DISI (AA 2015/2016)

EKit interaction: Crimepack


Details on attacks

Define and inject exploit and shellcode


Administer

Exploit selection


Reading list

Provos, Niels, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. "All your iframes point to us." USENIX Security Symposium. 2008.

Kanich, Chris, et al. "Spamalytics: An empirical analysis of spam marketing conversion." Proceedings of the 15th ACM conference on Computer and communications security. ACM, 2008.

Kotov, Vadim, and Fabio Massacci. "Anatomy of exploit kits." Engineering Secure Software and Systems. Springer Berlin Heidelberg, 2013. 181-196.

Argyraki, Katerina, and David Cheriton. "Network capabilities: The good, the bad and the ugly." HotNets, Nov (2005).

Studer, Ahren, and Adrian Perrig. "The coremelt attack." Computer Security – ESORICS 2009. Springer Berlin Heidelberg, 2009. 37-52.

Grier, Chris, et al. "Manufacturing compromise: the emergence of exploit-as-a-service." Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012.

L. Allodi, M. Corradin, and F. Massacci. Then and now: on the maturity of the cybercrime markets (the lesson that black-hat marketeers learned). IEEE Trans. on Emerging Topics in Computing, PP(99), 2015.

Thomas, Kurt, Danny Yuxing Huang, et al. "Framing Dependencies Introduced by Underground Commoditization." In Proceedings of WEIS 2015.