
Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure

Prepared for FIRST 2008

Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008

Why Should Incident Responders Care?

+ US Commercial Accounts (the current target) are NOT covered by Regulation E (see http://www.gpoaccess.gov/ecfr/ for details in the US)
+ Businesses of all sizes are losing money, not just the banks

Retail vs. Commercial

Diagram: Trojan Attacker targeting consumer-level versus business/corporate-level systems.

Consumer Level Attacks
+ Victim PC, Standardized Data: Credit Card Numbers, Debit Card Numbers
+ Victim PC, Custom Data: Bank Account Credentials, Certificates, Security Questions

Business/Corporate Level Attacks
+ Corporate System, Custom Data: Business Account Credentials, Certificates, VPN Keys, Employee Data, Contact Lists

What is a “BBB Attack”?

+ Targeted e-mail using social engineering
+ Coined after use of the Better Business Bureau name
+ “BBB Attack” is like saying “Storm Worm”
+ 60+ documented attacks, Feb 2007 – June 2008

BBB Attacks - FTC

US Courts – April 14, 2008

6

slide-7
SLIDE 7

7

US Courts – April 14, 2008

7

slide-8
SLIDE 8

8

US Courts – April 14, 2008

8

slide-9
SLIDE 9

9

Not Just BBB

Multiple Attackers, Different Infrastructures

The “A” Approach

Diagram components:
+ Attachment: [attackrelatedname].php (logs to a txt file), gl.php
+ Legitimate PDF
+ install.exe, b.php
+ Install Site 1 (Hardcoded Tier 2)
+ Drop Site 1 (Tier 3)
+ Real Government Web Site

The “A” Approach (continued)

Diagram components:
+ install.exe, b.php
+ Drop Site 1 (Tier 3)
+ kit.zip, DelZip179.dll
+ Tier 1 server (hardcoded), 301 Redirect
+ gl.php, Tier 2 (Dynamic)
+ Drop Site 2: b.php, p.php
+ Victim Machine: nirsoft tools, svchost.exe

The “B” Approach

Diagram components:
+ C&C Site: http://[realistic-domain].tld/something.php
+ Drop Site: http://[bulletproof host]/[some letters]/parse.php
+ Victim Machine: [clever name].dll

Demo #1 - BBBMapper.py

Attack Mitigation Strategies

+ Variations on MFA
+ Transaction Verification
+ Server-side Detection
+ Credential Recovery / Victim IP Flagging
+ User Education
+ Transaction Fraud Detection
+ IDS/IPS

Exploiting Lack of Attacker Innovation

User Education…Really?

+ Never 100 percent, but many success stories
+ Explain the situation, potential variations, and give a picture
+ Water-cooler effect in action

Snort Sigs For FIRST Member Organizations

+ Available via e-mail to any member; can be shared with the entire list if posting signatures to the list is permissible

Demo #2 – The Real Payload

Q&A

Michael La Pilla
mlapilla@idefense.com
VeriSign iDefense Malicious Code Operations Team

Special Thanks

+ Matt Richard
+ FIRST SC and Members
+ The kind folks from Conference & Publication Services, LLC for dealing with all our last minute changes