crimeware on the net
play

Crimeware on the Net The Behind the scenes of the new web economy - PowerPoint PPT Presentation

Nov 24, 2022 •333 likes •650 views

Crimeware on the Net The Behind the scenes of the new web economy Iftach Ian Amit Director, Security Research Finjan BlackHat Europe, Amsterdam 2008 Who Am I ? (iamit) Iftach Ian Amit In Hebrew it makes more sense

  1. Crimeware on the Net The “Behind the scenes” of the new web economy Iftach Ian Amit Director, Security Research – Finjan BlackHat Europe, Amsterdam 2008

  2. Who Am I ? (iamit) • Iftach Ian Amit – In Hebrew it makes more sense… • Director Security Research @ Finjan • Various security consulting/integration gigs in the past – R&D – IT • A helping hand when needed… (IAF) 2 BlackHat Europe – Amsterdam 2008

  3. Today’s Agenda • Terminology • Past vs. Present – 10,000 feet view • Business Impact • Key Characteristics – what does it look like? – Anti-Forensics techniques – Propagation methods • What is the motive (what are they looking for)? • Tying it all up – what does it look like when successful (video). • Anything in it for us to learn from? – Looking forward on extrusion testing methodologies 3 BlackHat Europe – Amsterdam 2008

  4. Some Terminology • Crimeware – what we refer to most malware these days is actually crimeware – malware with specific goals for making $$$ for the attackers. • Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gecko‟s of the web security field. The buy low, and capitalize on the investment. • Smart (often mislead) guys write the crimeware and get paid to do so. 4 BlackHat Europe – Amsterdam 2008

  5. How Do Cybercriminals Steal Business Data? Criminals’ activity in the cyberspace Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 5 BlackHat Europe – Amsterdam 2008

  6. The Business Impact Of Crimeware Criminals target sensitive business data using crimeware • Gain access to employee financial Employee information • Steal Identity information Data • Discover passwords Sophisticated • Steal financial statements Financial and Organized • Steal money through online accounts • Steal proprietary data Data Criminals • Gain customer record information • Brand damage • Access customer accounts Customer • Steal customer identities • Financial theft • Impair customer relationships Data • Data theft • Password theft • Identity theft • Compromised computers to steal resources • Employee productivity loss Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 6 BlackHat Europe – Amsterdam 2008

  7. The Business Impact Of Crimeware How much is business data worth to criminals? BlackHat Europe – Amsterdam 2008

  8. Key Characteristics of Crimeware Financially motivated criminals are utilizing new methods to infect PCs with crimeware that steals sensitive data Propagation Methods Anti-Forensic Methods Hosted on compromised legitimate and Evade signature-based detection by Web 2.0 sites over the globe utilizing code obfuscation and controlled with frequent location changes exploits visibility in the wild URL and Reputation-based Anti-Virus signatures will not match today‟s malicious code filtering solutions will not block these sites 8 BlackHat Europe – Amsterdam 2008

  9. Anti Forensics • Code Obfuscation – Not the one you are used to… • Single serve exploits – One per customer please • Geographical preference – More on this later when we talk $$$… 9 BlackHat Europe – Amsterdam 2008

  10. Dynamic Code Obfuscation 10 BlackHat Europe – Amsterdam 2008

  11. Dyn. Code Obf. – the neosploit way (2.0.15) BlackHat Europe – Amsterdam 2008

  12. Obfuscation and IFRAMES • Have become in 2007 the main driving tools for distributing malware and malicious code in general. – They are even signatured by AV – while as we see the obfuscation or IFRAME itself may NOT be malicious… Source: top 10 web threats in 2007 http://www.sophos.com/pressoffice/news/articles/2008/01/toptendec07.html 12 BlackHat Europe – Amsterdam 2008

  13. Crimeware Profile Google Inc. - The Ghost In The Browser Analysis of Web-based Malware Crimeware binaries and their URL locations are changing every hour 13 BlackHat Europe – Amsterdam 2008

  14. Location, Location, Location index.php • Have you been to our fine //checks and saves user's IP hashed with browser //to avoid future browser's hangup establishment before? function CheckAddUser() { … – You can only get the $rcount=@mysql_num_rows($res); “good” stuff once… if ($rcount>0) { //found data, prevent view echo ":["; exit; } else { //not found, add $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')"; mysql_query($query); • Where do you come } from? settings.php: $BlockDuplicates=1; //send exploits only once – You may not be worth $CountReferers=1; //make referrer's statistics $OnlyDefiniedCoutries=0; //send exploits only to the exposure… counties in the list $CoutryList="RU US UA"; //2-letter codes ONLY! (see readme for details) Source: Mpack 0.94 source code 14 BlackHat Europe – Amsterdam 2008

  15. Crimeware Toolkits 15 BlackHat Europe – Amsterdam 2008

  16. A glimpse into the code License_load: License_Verification: ... push edi push ebp push offset aNeosploit_key mov ebp, esp • lea eax, [ebp+string] Modern toolkits are push edi push eax push esi lea eax, [ebp+var_188] push ebx provided in their binary push eax sub esp, 38h call license_load mov ebx, [ebp+arg_0] form, with licensing add esp, 10h mov edi, [ebp+arg_8] test eax, eax push offset aServer_addr jz loc_8049918 call _getenv mechanisms, built in add esp, 0Ch mov [ebp+var_1C], eax obfuscation, configuration ... push 100h ; size_t call form_parse push 0 ; int lea edi, [ebp+var_38] push ebx ; void * files, user management xor eax, eax call _memset cld mov ecx, [ebp+var_1C] (for supporting multiple mov ecx, 7 add esp, 10h rep stosd xor edx, edx mov [esp+4E8h+var_4E8], 0 test ecx, ecx attackers under the same call _GeoIP_new jz short loc_804CC25 add esp, 10h kit), and DB functionality. test eax, eax mov ebx, eax online_test: ... • mov [ebp+var_20], 1 The snippets here are sub esp, 8 push edx push [ebp+timer] push 0 ; int push eax taken from a disassembly push ebx ; void * call _GeoIP_country_id_by_addr push [ebp+arg_4] ; int add esp, 10h call connect_to_homeserver of Neosploit version 2.0.15 cmp eax, 0FFh add esp, 10h jle loc_8049933 test eax, eax (first time analysis – in.cgi) jz short loc_804CDDE BlackHat Europe – Amsterdam 2008

  17. Neosploit code ... call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartquicktime call add_function push offset exp_superbuddy_is_decoded push 0D90FC7h loc_8049BE8: push 0CAh sub esp, 0Ch push offset exp_superbuddy sub esp, 8 push [ebp+timer] call decode_data push [ebp+var_7C] ; char * add esp, 18h call get_ip_hash push [ebp+var_54] ; int push 0 add esp, 10h push offset exp_superbuddy call referer_validate cmp eax, [ebp+var_468] call js_crypter_put add esp, 10h mov [esp+4E8h+var_4E8], offset aStartsuperbudd jnz loc_8049ABE test eax, eax call add_function push offset exp_audiofile_is_decoded jnz short loc_8049C07 push 0A1E716h push 145h push offset exp_audiofile call decode_data add esp, 18h push [ebp+var_84] push 0 push offset exp_audiofile push [ebp+var_2C] call js_crypter_put push offset a?o6PURU mov [esp+4E8h+var_4E8], offset aStartaudiofile lea ebx, [ebp+var_338] call add_function push ebx push offset exp_gom_is_decoded call _sprintf push 1F040Ah add esp, 0Ch push 0D9h push offset exp_gom push ebx call decode_data push offset aData add esp, 18h push offset exp_quicktime_opera push 0 push offset exp_gom call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartgom sub esp, 8 call add_function push 0 push offset exp_wvf_is_decoded push [ebp+var_4AC] push 84C0B8h push 10Dh call js_crypter_put push offset exp_wvf mov eax, [ebp+var_4AC] call decode_data add esp, 18h add esp, 10h push 0 test eax, eax push offset exp_wvf call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartwvf ... BlackHat Europe – Amsterdam 2008

  18. Propagation techniques • How did THAT code turned out on THAT site – Anyone remember bankofindia.com? • Helpful HTML tags (infamous iframes…) • And of course, bling… $$$ 18 BlackHat Europe – Amsterdam 2008

  19. On My Site? No way! 19 BlackHat Europe – Amsterdam 2008

  20. Way… It’s all business • You can get paid to put a snippet of HTML on your site that will spur “installations” (= infections). Guaranteed high “install” rate, updated code (remember the toolkit), bypass of security measures… • “ The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers ” – Jan 22 nd , Websense security labs. 20 BlackHat Europe – Amsterdam 2008

  21. Evasive attacks – increasing the infection rates 21 BlackHat Europe – Amsterdam 2008

  22. What’s the end game? • Holy grail of web attacks: successful installation of crimeware Trojan (aka – rootkit+keylogger+otherstuff) 22 BlackHat Europe – Amsterdam 2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft

IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft

IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft out. Missed deadline by a little; should show up in repository soon. draft-ietf-inch-phishingextns-02 One Technical change Many

452 views • 5 slides
Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime

Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime

How North Korean Hackers are Working with Eastern European Cybercriminals @VK_Intel Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime & APT | Most Sophisticated & Resourceful Crimeware

509 views • 27 slides
H v FETAL ASSESSMENT CENTRE WRONGFUL SUFFERING CLAIMS IN SOUTH AFRICA- TO RECOGNISE OR NOT TO

H v FETAL ASSESSMENT CENTRE WRONGFUL SUFFERING CLAIMS IN SOUTH AFRICA- TO RECOGNISE OR NOT TO

H v FETAL ASSESSMENT CENTRE WRONGFUL SUFFERING CLAIMS IN SOUTH AFRICA- TO RECOGNISE OR NOT TO RECOGNISE Presentation by Jessica Viljoen and Christopher Morcom With Special Thanks to Advocates Paul Hoffman SC, Pat Van Den Heever and Natalie

201 views • 19 slides
October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

Florida Public Transportation Association Annual Conference Florida Transit Safety Network October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and rear- ending collisions Show Florida transit Motorbus

443 views • 43 slides
2017 Annual Passenger Counts Bicycle Advisory Committee July 20, 2017 Agenda Item #6

2017 Annual Passenger Counts Bicycle Advisory Committee July 20, 2017 Agenda Item #6

7/17/2017 2017 Annual Passenger Counts Bicycle Advisory Committee July 20, 2017 Agenda Item #6 Presentation Outline Purpose and Count Methodology 2017 Challenges 2017 Count Results Summary Next Steps 2 1 7/17/2017

288 views • 11 slides
DRAFT PLAN & DRAFT EIR April 25, 2017 San Francisco County Transportation Authority

DRAFT PLAN & DRAFT EIR April 25, 2017 San Francisco County Transportation Authority

DRAFT PLAN & DRAFT EIR April 25, 2017 San Francisco County Transportation Authority Meeting Ken Kirkey, MTC Planning Director Plan Bay Area 2040 establishes a 24-year regional vision for growth and investment. Image Source:

329 views • 18 slides
SUNSET ON TV IN CHINA DUE TO SMOG GLOBAL TRENDS: FUTURE CONSUMERS TOO MANY BRANDS TOO MUCH

SUNSET ON TV IN CHINA DUE TO SMOG GLOBAL TRENDS: FUTURE CONSUMERS TOO MANY BRANDS TOO MUCH

SUNSET ON TV IN CHINA DUE TO SMOG GLOBAL TRENDS: FUTURE CONSUMERS TOO MANY BRANDS TOO MUCH INFORMATIONS GLOBAL TRENDS: FUTURE CONSUMERS GENERATION Z < 20 YEARS OLD MAKE IT HAPPEN REALISTIC PLURALISTIC MENTALITY GENERATION Z |

266 views • 7 slides
Kin Availability and Fertility in a Historical Nuclear Family Society: Sweden in 1900 Martin Dribe

Kin Availability and Fertility in a Historical Nuclear Family Society: Sweden in 1900 Martin Dribe

Kin Availability and Fertility in a Historical Nuclear Family Society: Sweden in 1900 Martin Dribe and Bjrn Eriksson Centre for Economic Demography Department of Economic History Lund University Lund, Sweden Martin.Dribe@ekh.lu.se

473 views • 23 slides
Presentation Template This deck is a workbook, designed to help you complete the project

Presentation Template This deck is a workbook, designed to help you complete the project

Design X Social Challenge 2020 Presentation Template This deck is a workbook, designed to help you complete the project successfully. Please follow the instructions provided in each slide. IMPORTANT INSTRUCTIONS: If you have a Google

485 views • 27 slides
Home visiting Attendees will explore home visiting as a relationship based intervention where

Home visiting Attendees will explore home visiting as a relationship based intervention where

7th Annual ECMH Conference 2016 Donna SwansonPerrelet, C Muecke, J Brady, A HallFiske OBJECTIVES Home visiting Attendees will explore home visiting as a relationship based intervention where nature and nurture meet to Working with

382 views • 5 slides
approaches in supporting homeless and vulnerable people 14 June 2012 Intergenerational families

approaches in supporting homeless and vulnerable people 14 June 2012 Intergenerational families

Inter-generational and whole-family approaches in supporting homeless and vulnerable people 14 June 2012 Intergenerational families & support Faculty of Ann Phoenix Thomas Coram Research Unit Scope of the paper 1. What do we mean by

951 views • 64 slides
Axis Design Architects - April 2018 SHAP housing performance standard - research, recommendations

Axis Design Architects - April 2018 SHAP housing performance standard - research, recommendations

SHAP housing performance standard research, recommendations and tools for analysis Axis Design Architects - April 2018 SHAP housing performance standard - research, recommendations and tools for analysis Standards document or a framework for

638 views • 9 slides
The Next Decade Trends in Domestic Leisure Tourism Phil Evans Head of Policy and Insight

The Next Decade Trends in Domestic Leisure Tourism Phil Evans Head of Policy and Insight

The Next Decade Trends in Domestic Leisure Tourism Phil Evans Head of Policy and Insight VisitEngland is the national tourist board for England, responsible for marketing England to domestic and established overseas markets and for

703 views • 41 slides
A PROJE CT ST AT E ME NT PROJE CT DAT A GE OS will b e the la rg e st ne t-ze ro e

A PROJE CT ST AT E ME NT PROJE CT DAT A GE OS will b e the la rg e st ne t-ze ro e

GE OS NE T - ZE RO E NE RGY MIXE D- USE NE IGHBORHOOD ARVADA, CO A PROJE CT ST AT E ME NT PROJE CT DAT A GE OS will b e the la rg e st ne t-ze ro e ne rg y, : 25.3 a c re s T OT AL ACRE AGE DAT urb a n mixe d-use

538 views • 20 slides
Regulator Ottawa June 12, 2018 The CNSCs Mandate Regulate the use of nuclear energy and

Regulator Ottawa June 12, 2018 The CNSCs Mandate Regulate the use of nuclear energy and

Meet the Nuclear Regulator Ottawa June 12, 2018 The CNSCs Mandate Regulate the use of nuclear energy and materials to protect health, safety and security and the environment Implement Canada's international commitments on the peaceful use

450 views • 16 slides
John L. Santikos Charitable Foundation 2018 Capital & Naming Rights Funding Protocol 1/2018

John L. Santikos Charitable Foundation 2018 Capital & Naming Rights Funding Protocol 1/2018

John L. Santikos Charitable Foundation 2018 Capital & Naming Rights Funding Protocol 1/2018 2016 Statistics 82 accurate 37 LOIs 14 finalists 8 grants considered considered awarded LOIs received $37,054,179 $17,467,025 $9,272,280

224 views • 21 slides
Symmetry methods for exotic nuclei P. Van Isacker, GANIL, France Role of symmetries in The

Symmetry methods for exotic nuclei P. Van Isacker, GANIL, France Role of symmetries in The

Symmetry methods for exotic nuclei P. Van Isacker, GANIL, France Role of symmetries in The nuclear shell model The interacting boson model Their relevance for RIBs RIA Theory meeting, Argonne, April 2006 ECT* doctoral training programme

477 views • 23 slides
Charge radius of 6 He and Halo nuclei in Gamow Shell Model G.Papadimitriou 1 W.Nazarewicz 1,2,4 ,

Charge radius of 6 He and Halo nuclei in Gamow Shell Model G.Papadimitriou 1 W.Nazarewicz 1,2,4 ,

Charge radius of 6 He and Halo nuclei in Gamow Shell Model G.Papadimitriou 1 W.Nazarewicz 1,2,4 , N.Michel 6,7 , M.Ploszajczak 5 , J.Rotureau 8 1 Department of Physics and Astronomy, University of Tennessee,Knoxville. 2 Physics Division, Oak

340 views • 19 slides
Search for tetrahedral states and X(5) Search for tetrahedral states and X(5) symmetry in Yb

Search for tetrahedral states and X(5) Search for tetrahedral states and X(5) symmetry in Yb

Search for tetrahedral states and X(5) Search for tetrahedral states and X(5) symmetry in Yb nuclei with N~90 symmetry in Yb nuclei with N~90 through Coulomb excitation using HIE- through Coulomb excitation using HIE- ISOLDE and Miniball

425 views • 21 slides
Spot Nuclei. Speed Cures Chih-Hui Ho, Chun-Han Yao, Po-Ya Hsu, Yao-Yuan Yang, Hsin-Yang Chen,

Spot Nuclei. Speed Cures Chih-Hui Ho, Chun-Han Yao, Po-Ya Hsu, Yao-Yuan Yang, Hsin-Yang Chen,

Spot Nuclei. Speed Cures Chih-Hui Ho, Chun-Han Yao, Po-Ya Hsu, Yao-Yuan Yang, Hsin-Yang Chen, Ying-Chuan Liao 1 Outline Introduction Dataset Approaches Pre-processing CNN Post-processing Results Future

191 views • 16 slides
Electromagnetic interactions of nuclei at the FCC-hh Igor Pshenichnov 1,*) , Sergey Gunin 1,2) 1)

Electromagnetic interactions of nuclei at the FCC-hh Igor Pshenichnov 1,*) , Sergey Gunin 1,2) 1)

Electromagnetic interactions of nuclei at the FCC-hh Igor Pshenichnov 1,*) , Sergey Gunin 1,2) 1) Institute for Nuclear Research, Russian Academy of Sciences, Moscow, Russia 2) Moscow Institute of Physics and Technology, Moscow Region, Russia *)

649 views • 44 slides
Nuclear radii and density distributions Y. Matsuda Kyoto University GCOE Symposium Feb. 12

Nuclear radii and density distributions Y. Matsuda Kyoto University GCOE Symposium Feb. 12

Nuclear radii and density distributions Y. Matsuda Kyoto University GCOE Symposium Feb. 12 2012 Kyoto University Clock Tower Centennial Hall International Conference Hall 2013 2 12 1 Contents Introduction Proton

540 views • 25 slides
the Excess Cosmic Radio Background at 1.4 GHz David R. Ballantyne Center for Relativistic

the Excess Cosmic Radio Background at 1.4 GHz David R. Ballantyne Center for Relativistic

The Contribution of Active Galactic Nuclei to the Excess Cosmic Radio Background at 1.4 GHz David R. Ballantyne Center for Relativistic Astrophysics, School of Physics, Georgia Tech The Cosmic Backgrounds Hauser & Dwek (2001) XRB was

432 views • 30 slides
Production and Separation of Exotic Beams via Fragmentation Reactions using MARS Kenneth

Production and Separation of Exotic Beams via Fragmentation Reactions using MARS Kenneth

Production and Separation of Exotic Beams via Fragmentation Reactions using MARS Kenneth Whitmore, William Jewell College Advisor: Dr. Robert Tribble, Texas A&M Cyclotron Institute Overview Motivation Physics behind MARS My

540 views • 26 slides

More recommend