Archive for the 'Monitoring & Reporting' Category

Introducing: SSL Blacklist (SSLBL)

In the past year there has been a lot of discussion about Secure Sockets Layer (SSL). More service providers and internet users have started using SSL to access various services. But regular internet users and internet services are not the only ones using SSL encryption more: cybercriminals also rely on SSL more often in order to bypass IDS / IPS based detection mechanisms and content scanners.

A while ago I started to play a bit with an open source intrusion detection / prevention system (IDS / IPS) called Suricata, which is being developed and maintained by the Open Information Security Foundation (OISF). A cool feature that Suricata comes with is an SSL/TLS module which is able to fingerprint SSL/TLS certificates. Since some malware families switched from plain HTTP to HTTPS recently, I decided to maintain and publish a collection of SHA1 fingerprints associated with bad SSL certificates.

Introducing: SSL Blacklist (SSLBL)

The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format (see SSLBL for more information). SSLBL helps you detect potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock. Happy malware hunting!
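As an added example (not SSLBL's own code or tooling), the script below shows what a consumer of a fingerprint blacklist does: it computes the SHA1 fingerprint of a DER-encoded certificate, checks it against an SSLBL-style CSV, and renders each entry as a Suricata rule built around the tls.fingerprint keyword. The CSV column layout (listing date, SHA1, listing reason), the certificate byte strings and the rule template (message text, classtype, sid range) are assumptions and constructed sample data, not real SSLBL entries or real certificates.

```python
"""Check TLS certificates against an SSLBL-style SHA1 fingerprint blacklist.

Added example, not abuse.ch's code. Assumptions: the CSV layout
(Listingdate,SHA1,Listingreason) and the Suricata rule template are modelled on
the public formats but are not copied from SSLBL itself.
"""
import base64
import csv
import hashlib
import io
import re

# --- constructed sample data (not real certificates or real SSLBL entries) ---
# A real DER certificate starts with an ASN.1 SEQUENCE tag (0x30); these byte
# strings only stand in for DER blobs so the fingerprint logic runs offline.
BAD_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-bad-cert-kins-c2" * 4
GOOD_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-benign-cert" * 4


def cert_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding: the fingerprint browsers and Suricata display."""
    return hashlib.sha1(der).hexdigest()


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


# Constructed blacklist: the first entry is derived from BAD_CERT_DER above, the
# second is an arbitrary placeholder fingerprint.
SAMPLE_SSLBL_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2014-06-01 10:00:00,{cert_fingerprint(BAD_CERT_DER)},KINS C&C\n"
    "2014-06-02 11:00:00,0123456789abcdef0123456789abcdef01234567,Shylock C&C\n"
)


def normalise(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' and return lowercase hex without separators."""
    return fp.replace(":", "").strip().lower()


def load_sslbl(text: str) -> dict:
    """Parse the CSV into {sha1: (listing_date, reason)}, skipping '#' comment lines."""
    entries = {}
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    for row in rows:
        if len(row) != 3:
            continue  # tolerate blank or malformed lines instead of aborting
        listing_date, sha1, reason = row
        sha1 = normalise(sha1)
        if re.fullmatch(r"[0-9a-f]{40}", sha1):
            entries[sha1] = (listing_date, reason)
    return entries


def lookup(blacklist: dict, der: bytes):
    """Return (listing_date, reason) if the certificate is listed, else None."""
    return blacklist.get(cert_fingerprint(der))


def to_suricata_rule(sha1: str, reason: str, sid: int) -> str:
    """Render one entry as a Suricata rule using the tls.fingerprint keyword.

    The keyword expects the SHA1 as colon-separated lowercase hex; the rest of
    the template (msg text, classtype) is an assumption for this example.
    """
    sha1 = normalise(sha1)
    colon_fp = ":".join(sha1[i:i + 2] for i in range(0, 40, 2))
    safe_reason = reason.replace(";", "").replace('"', "")  # keep the rule parseable
    return (
        'alert tls any any -> any any (msg:"SSLBL: Malicious SSL certificate detected '
        f'({safe_reason})"; tls.fingerprint:"{colon_fp}"; classtype:trojan-activity; '
        f"sid:{sid}; rev:1;)"
    )


def build_ruleset(blacklist: dict, base_sid: int = 1000000) -> list:
    """One rule per blacklist entry, with deterministic sids (sorted by fingerprint)."""
    return [
        to_suricata_rule(sha1, reason, base_sid + i)
        for i, (sha1, (_, reason)) in enumerate(sorted(blacklist.items()))
    ]


if __name__ == "__main__":
    bl = load_sslbl(SAMPLE_SSLBL_CSV)
    for name, der in (("bad", BAD_CERT_DER), ("good", GOOD_CERT_DER)):
        print(name, cert_fingerprint(der), lookup(bl, der))
    print("\n".join(build_ruleset(bl)))
```

The fingerprint is a hash over the whole DER blob, so the same certificate served from a different IP still matches, which is the reason a fingerprint list complements the IP list. Operationally, a C&C certificate that is re-issued with new key material gets a new fingerprint, so the list has to be refreshed regularly and a hit should be treated as confirmation of bad traffic, not a miss as proof of clean traffic.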

Follow abuse.ch on Twitter:
https://twitter.com/abuse_ch

FBI disrupts GameOver ZeuS and CryptoLocker Botnet

The U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) today announced the disruption of the infamous GameOver ZeuS botnet and the CryptoLocker Ransomware.

GameOver ZeuS (GOZ), also known as P2P ZeuS or ZeuSv3, is a sophisticated ebanking Trojan mainly used to commit ebanking fraud and steal credentials from the victim's computer. GOZ is a further development of ZeuS / Zbot and has already been around for four years now. GOZ is one of the few botnets that use P2P techniques for their command & control (C&C) infrastructure. However, this wasn't always the case. The botnet operators behind GOZ made several updates to the source code over the years of operating the botnet to improve its resilience against takedown attempts.

Below is a chart that illustrates the development of GOZ over time.

Figure: Development of GOZ over time

As shown on the timeline above, it all started in September 2010 when a new malware appeared – it was obviously based on the source code of ZeuS, but was using a domain generation algorithm (DGA) to calculate the current botnet C&C domain. AV vendors named this new threat Murofet and LICAT. The Murofet / LICAT botnet was around for nearly a year. Months after Murofet appeared, ZeuS Tracker started to blacklist DGA domains used by Murofet as soon as they had been registered. With this, ZeuS Tracker could provide near-real-time protection to Internet users. In cooperation with the responsible domain name registrar, new Murofet domains could get suspended within hours after they appeared on ZeuS Tracker. In the beginning of September 2011, abuse.ch (again, in cooperation with the responsible domain name registrar) started to sinkhole Murofet domains instead of suspending them. This enabled abuse.ch to collect information about the size and geolocation of the Murofet botnet:

Figure: Murofet / LICAT botnet size as of September 2011

The highest count of infected IPs the sinkhole could record was more than 100k infected IPs within a time period of 24 hours, and most of the infected IPs were located in India (IN), Italy (IT) and the USA.

Figure: Geo IP location of Murofet / LICAT infected computers as of September 2011

In mid September 2011, no new Murofet / LICAT domain names were being registered any more. At nearly the same time, security researchers all over the world saw a new kind of malware that showed the same behavior on a compromised computer as ZeuS did. However, instead of just using HTTP to communicate with the botnet C&C server, weird UDP and TCP connections could be observed on infected computers. Analysis of the new Trojan revealed that it was based on the ZeuS source code as well, but used P2P communication to talk to other infected drones and receive commands from the botnet operator. However, stolen data was still being dropped to a webserver using HTTP POST. The HTTP POST requests all used the same URL patterns: /gameover.php, /gameover2.php, /gameover3.php. GameOver ZeuS was born.
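The HTTP POST drop pattern mentioned above is the kind of indicator a defender can run over proxy logs. The following is an added example (not abuse.ch's code) that flags POST requests whose path matches the /gameover.php, /gameover2.php, /gameover3.php naming and groups the hits per internal client; the regex accepts any digit suffix, which goes slightly beyond the three URLs named in the text. The log layout ("timestamp client method url status") and all IP addresses and hostnames in it are constructed for the example.

```python
"""Flag HTTP POST requests to GameOver ZeuS style drop URLs in a proxy log.

Added example, not abuse.ch's code. The log layout is a constructed
"timestamp client method url status" format, not any real proxy's output.
"""
import re
from urllib.parse import urlparse

# The post names /gameover.php, /gameover2.php and /gameover3.php; the regex
# generalises to any digit suffix (assumption: further variants kept the naming).
GOZ_DROP_PATH = re.compile(r"^/gameover\d*\.php$", re.IGNORECASE)

# Constructed sample lines (documentation / private IP ranges, not real hosts).
SAMPLE_LOG = """\
2011-09-20T10:00:01Z 10.0.0.5 POST http://203.0.113.7/gameover2.php?id=1 200
2011-09-20T10:00:02Z 10.0.0.6 GET http://example.org/index.html 200
2011-09-20T10:00:03Z 10.0.0.5 POST http://203.0.113.7/GAMEOVER.php 200
2011-09-20T10:00:04Z 10.0.0.9 GET http://203.0.113.7/gameover.php 404
2011-09-20T10:00:05Z 10.0.0.7 POST http://example.org/login.php 302
"""


def parse_line(line: str):
    """Split one constructed log line into its fields; returns None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": status}


def is_goz_drop(event: dict) -> bool:
    """True when the request is a POST whose path matches the drop pattern.

    The query string is ignored on purpose: urlparse().path strips it, so
    /gameover2.php?id=1 still matches.
    """
    path = urlparse(event["url"]).path
    return event["method"] == "POST" and bool(GOZ_DROP_PATH.match(path))


def scan_log(text: str) -> list:
    """Return the matching events in log order, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        if event and is_goz_drop(event):
            hits.append(event)
    return hits


def suspect_clients(text: str) -> dict:
    """Map each internal client to the set of drop servers it posted to, for triage."""
    out = {}
    for ev in scan_log(text):
        out.setdefault(ev["client"], set()).add(urlparse(ev["url"]).hostname)
    return out


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev["ts"], ev["client"], "->", ev["url"])
    print(suspect_clients(SAMPLE_LOG))
```

Only POSTs are flagged because that is the behaviour the post describes for the drop component; a GET to such a path (the 404 line in the sample) is left for manual review rather than auto-flagged. Since the drop server is the HTTP side of an otherwise P2P botnet, a hit identifies an infected client that needs cleanup, not a C&C host that can be blocked to stop the infection.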

Figure: P2P ZeuS C&C communication as of September 2011

Using P2P techniques has a big benefit for botnet operators: it makes their botnet more resilient against takedown attempts. Since the disappearance of Murofet / LICAT and the appearance of P2P ZeuS happened at nearly the same time, it is obvious that GameOver ZeuS is a successor of Murofet / LICAT. However, it is unclear whether this development was a reaction of the criminals to the takedown / sinkholing attempts carried out by abuse.ch since July 2011. Later in 2011, GameOver ZeuS abandoned the component that was responsible for the HTTP gameover.php traffic. With this, ZeuS Tracker was no longer able to list the associated GameOver ZeuS activity, because the main operations had been fully migrated into the P2P infrastructure. However, GameOver ZeuS was still using an HTTP component along with a DGA as a fallback mechanism, in case the P2P botnet was disrupted. Because of this, sinkholing of at least parts of the botnet was still possible. Below is a chart that illustrates the number of unique IP addresses infected with GameOver ZeuS, as reported to the non-profit organisation Shadowserver. The sources of the data are not only the sinkholes operated by abuse.ch, but also sinkholes operated by other security researchers around the globe.

Figure: Number of unique IPs infected with GOZ in May 2014

In the early days, GameOver ZeuS was mainly targeting financial institutions in the US. During their years of operating the botnet they soon enlarged their target list to include financial institutions in Europe and Asia as well. For example, in 2013 Swiss Internet users were hit by a spam run that was distributing GameOver ZeuS in Switzerland.

The GameOver ZeuS botnet was developed further several times, mainly aimed at hardening its P2P component. The main reason for this was several takedown attempts carried out by security researchers in the past years. There are some excellent papers around that describe GameOver ZeuS, and especially its P2P component:

GameOver ZeuS is not the only botnet to take advantage of P2P techniques. ZeroAccess, a clickfraud botnet that was recently taken down by Microsoft and EUROPOL, was using P2P techniques as well. While using P2P techniques is a good choice for botnet operators who want to hide their infrastructure and make their botnet more resilient against takedown attempts, the GOZ takedown carried out by the FBI is already the second takedown this year to hit a P2P botnet. This is a good example, and an even better statement from Law Enforcement Agencies and security researchers around the globe, showing that criminals can't hide, no matter what kind of technology they use.

Overall I think it is fair to say that GameOver ZeuS was one of the biggest threats to financial institutions and their customers. Some security researchers even view GameOver ZeuS as the "largest bank-theft botnet" ever. Finally, I want to express my congratulations to the FBI and all people involved for their investigations and say thanks for their efforts to make the Internet a safer place.

*** Further reading about GameOver ZeuS ***
