Archive for the 'Monitoring & Reporting' Category


How Criminals Defend Their Rogue Networks

It is common for cybercriminals to host their infrastructure in rogue networks, renting so-called bulletproof hosting servers. Many of you may remember 2008, when a well-known bulletproof hoster named McColo was knocked offline. That was arguably a historic moment for the World Wide Web, in which the Internet community made clear that it would no longer tolerate cybercrime. The McColo takedown was the beginning of a series of takedowns initiated by security researchers, law enforcement agencies and volunteers: in 2010 the well-known Russia-based bulletproof hoster Troyak was cut off from the Internet, followed by the takedown of Group Vertical.

The series of takedowns continued at the beginning of 2011, when in January 14 rogue ISPs were disconnected from the Internet. Since then we haven't seen any new bulletproof hosters popping up… or have we? Where did all the cybercriminals move to? If we take a look at the ZeuS Tracker statistics (top ten ZeuS hosting ISPs) we don't see any network that looks much like a bulletproof hoster.

So the Internet appears to be free of cybercrime… *cough*. Unfortunately I have to disappoint everyone who thought the Internet was getting rid of cybercrime: the bulletproof hosters are still here. I still see a lot of fraud, malware, phishing etc. popping up on a daily basis. But where is it hosted? As you probably know, cybercriminals can be very creative. They have found several ways to hide from the radar of the security industry and from the eyes of security researchers. Some of their tactics are very old, while others are pretty new.

FastFlux hosting
FastFlux hosting is a pretty old technique and still an issue (though not as big as it once was): cybercriminals host their infrastructure on FastFlux botnets to hide the real botnet controllers (the mothership) and to harden their infrastructure against takedowns. During the past few months the situation hasn't really changed: the number of FastFlux-hosted ZeuS botnet controllers has stayed more or less constant at 19. What is new is that cybercriminals have also started to host SpyEye botnet controllers on FastFlux botnets. SpyEye Tracker currently tracks 8 SpyEye C&C servers that are hosted on FastFlux botnets.

Domain Generation Algorithms (DGA)
A much more sophisticated way to host botnet control infrastructure is the use of so-called Domain Generation Algorithms (DGAs). The criminals use an algorithm that takes the current date and some salt as parameters to generate the domains the infected computers (bots) should contact. In this way the domains are 'fluxed' on a daily basis, meaning the C&C domains used by the bots change every day, or in some cases several times a day, which makes it hard to take down the botnet control infrastructure. Last year a special version of ZeuS (Murofet/LICAT) that used the DGA technique attracted some media attention. But in fact the technique isn't new: Torpig, a sophisticated banking Trojan, has been using a DGA since 2008. Torpig even utilized the Twitter trends API, as mentioned in this old post by unmaskparasites.

However sophisticated this technique sounds, a DGA can also benefit security researchers: if you are able to reverse engineer the code, you can identify the algorithm used by the Trojan. It is then possible to generate the domain names the Trojan will use in the future and register them in order to sinkhole the botnet. However, some Trojans generate more than 50'000 domains per day, which would mean registering 50'000 domains every day to sinkhole the botnet effectively. The asymmetry favours the criminal: he only needs to register one of those domains, while the sinkholer has to cover all of them.
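To make the mechanism concrete, here is a toy date-seeded DGA together with the defender's side of it (precomputing the domains the bots will ask for on future days). This is an added example, not code from the post and not the algorithm of Murofet/LICAT, Torpig or any real family; the seed construction, the TLD list, the label length and the salt value are all assumptions made for the illustration.

```python
import datetime
import hashlib

# Toy DGA, constructed for this example. It is NOT the algorithm of
# Murofet/LICAT, Torpig or any real family; it only shares the shape the
# text describes: seed = date + per-botnet salt, expanded into N domains.
TLDS = (".com", ".net", ".biz", ".info")   # assumed TLD list
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_seed(day: str, salt: bytes) -> bytes:
    """Seed every bot can compute offline: ISO date (YYYY-MM-DD) plus the shared salt."""
    date = datetime.date.fromisoformat(day)
    return hashlib.sha256(date.strftime("%Y%m%d").encode() + salt).digest()


def dga_domains(day: str, salt: bytes, count: int) -> list:
    """Return `count` deterministic domains for `day`; same inputs give the same list."""
    domains = []
    state = daily_seed(day, salt)
    for i in range(count):
        # Ratchet the state once per domain so each name is derived independently.
        state = hashlib.sha256(state + i.to_bytes(4, "big")).digest()
        length = 8 + state[0] % 8                        # label of 8..15 chars
        label = "".join(ALPHABET[b % 26] for b in state[1:1 + length])
        domains.append(label + TLDS[state[31] % len(TLDS)])
    return domains


def sinkhole_candidates(salt: bytes, start: str, days: int, per_day: int) -> dict:
    """Defender's view once algorithm and salt have been recovered by reverse
    engineering: precompute the domains the bots will try on each of the next
    `days` days so they can be registered (or blocked) before the bots ask."""
    first = datetime.date.fromisoformat(start)
    plan = {}
    for d in range(days):
        day = (first + datetime.timedelta(days=d)).isoformat()
        plan[day] = dga_domains(day, salt, per_day)
    return plan


if __name__ == "__main__":
    # Assumed salt; a real one would come from the unpacked sample.
    for day, names in sinkhole_candidates(b"example-botnet-salt", "2011-07-13", 3, 5).items():
        print(day, names)
```

The salt is the part that has to be recovered from the binary: without it the date alone tells you nothing, and with it the whole future schedule falls out of `sinkhole_candidates`. The cost side is `days * per_day` registrations, which is why a family emitting tens of thousands of names a day is sinkholed by blocking at the resolver rather than by registering everything.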

Using custom DNS servers
Another interesting tactic that I've seen recently is the use of custom DNS servers. Some Trojans resolve the domain name of their botnet controller through DNS servers that are under the control of the criminals themselves, instead of the resolver configured on the infected machine. The benefit for the criminal is that only the DNS server under his control resolves the domain name correctly. In practice this means that when a security researcher tries to access the domain, it appears not to exist.

The criminal can also use well-known domain names like google.com or facebook.com as botnet controllers: because the Trojan resolves the domains via the custom DNS servers, the criminal can point the name at his own botnet controller. The benefit here is that e.g. google.com shows up in the sandbox reports of the security industry, which may lead to false positives in security products. So the criminals kill two birds with one stone: hiding their botnet infrastructure behind a well-known domain name and making security products imprecise.

Since version 10338 (1.3.38, first seen around April 4 2011), certain SpyEye builds have been seen using such a feature. The botnet master can define custom DNS servers, which are stored in a file called "dns.txt" that is served to the bots within the SpyEye configuration file. Usually, however, public DNS servers are listed in this dns.txt file, like the ones offered by Google. This is a trick to avoid local DNS blackholing and to avoid detection by anyone looking at local DNS server logs. The flip side is that the bot's DNS queries then have to leave the network for a resolver that is not the local one, which is exactly the kind of traffic egress filtering and flow monitoring on port 53 can pick up.
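The detection that follows from this, as an added example that is not part of the original post: flag every DNS flow from internal hosts that does not go to the organisation's own resolvers. Public resolvers like 8.8.8.8 are flagged on purpose, because an endpoint talking to them directly is bypassing the local resolver, which is precisely what a dns.txt-style configuration does. The resolver addresses, the internal range and the flow records are constructed for the example; the flow format is a minimal "timestamp src dst dport proto" line, not Zeek or NetFlow output.

```python
import ipaddress

# Resolvers the organisation actually operates (assumed for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: "ts src dst dport proto" (not real traffic).
SAMPLE_FLOWS = """\
2011-07-13T05:19:35Z 10.0.5.21 10.0.0.53 53 udp
2011-07-13T05:19:36Z 10.0.5.21 8.8.8.8 53 udp
2011-07-13T05:19:40Z 10.0.5.21 195.14.112.218 80 tcp
2011-07-13T05:20:02Z 10.0.7.9 10.0.1.53 53 udp
2011-07-13T05:21:11Z 10.0.7.9 8.8.4.4 53 tcp
2011-07-13T05:22:00Z 10.0.9.3 192.0.2.10 53 udp
2011-07-13T05:22:05Z 10.0.9.3 10.0.0.53 5353 udp
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def rogue_dns_flows(flows, approved=APPROVED_RESOLVERS):
    """DNS flows (udp/tcp to port 53) whose destination is not an approved resolver.
    Nothing here whitelists Google or any other public resolver: the signal is
    'this host is not using our resolver', regardless of where it goes instead."""
    return [f for f in flows
            if f["dport"] == 53 and f["proto"] in ("udp", "tcp") and f["dst"] not in approved]


def hosts_bypassing_resolver(flows, approved=APPROVED_RESOLVERS):
    """Map each internal host to the set of foreign resolvers it contacted;
    this is the list to hand to incident response."""
    out = {}
    for f in rogue_dns_flows(flows, approved):
        out.setdefault(f["src"], set()).add(f["dst"])
    return out


def egress_rules(approved=APPROVED_RESOLVERS, internal="10.0.0.0/8"):
    """iptables FORWARD rules implementing the policy: from the internal range,
    port 53 is only reachable at the approved resolvers; everything else on
    port 53 is logged and dropped, so a dns.txt list of public resolvers fails
    loudly instead of silently working."""
    rules = []
    for resolver in sorted(approved, key=ipaddress.ip_address):
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -s {internal} -d {resolver} -p {proto} --dport 53 -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A FORWARD -s {internal} -p {proto} --dport 53 -j LOG --log-prefix 'rogue-dns '")
        rules.append(f"iptables -A FORWARD -s {internal} -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for host, resolvers in hosts_bypassing_resolver(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", sorted(resolvers))
    print("\n".join(egress_rules()))
```

Note that the blocking rules do not make the malware go away; they make the bot fall back to whatever it does when resolution fails, and they produce a log line per attempt that points straight at the infected host.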

Fluxing domain names
After the takedown of several rogue ISPs in January 2011, I saw a large number of botnet controllers popping up in some suspicious networks. What got my attention was that as soon as I had added a botnet controller to the tracker, the domain disappeared and became unreachable. A few hours later a backup domain pointing to the same or a nearby IP address in the same subnet became active.

I've seen this behaviour at several ISPs that all look quite suspicious to me. A good example is AS56659 BALTI-AS (also known as PermInterSvyaz LTD and BESTISP), a Ukraine-based ISP that is routed via Er-Telecom -> synterra.ru. Currently there are 5 ZeuS botnet controllers tracked by ZeuS Tracker in this AS, none of them active at the moment. SpyEye Tracker currently tracks 11 SpyEye botnet controllers in that subnet, only one of which is currently active. At first glance this AS does not look that suspicious, but if we look at the history of the subnet we see that it has hosted more than 60 SpyEye botnet controllers since March 2011:

# Timestamp (UTC) | Domain | IP address | AS number | AS name | Country Code
2011-05-02 16:18:05 | opilori.com | 194.28.44.196 | AS56659 | BALTI-AS OOO | UA
2011-05-19 17:02:55 | gameopiloris.com | 194.28.44.159 | AS56659 | BALTI-AS OOO | UA
2011-06-11 20:51:10 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-06-13 08:37:27 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-06-16 13:53:34 | alunionylogen.ru | 195.14.112.72 | AS56659 | BALTI-AS OOO | UA
2011-06-16 19:51:46 | cmakdocolo19.in | 195.14.112.85 | AS56659 | BALTI-AS OOO | UA
2011-06-18 08:33:12 | ohiotexas1978.in | 195.14.112.94 | AS56659 | BALTI-AS OOO | UA
2011-06-19 15:08:48 | gameopiloris.com | 194.28.44.39 | AS56659 | BALTI-AS OOO | UA
2011-06-21 16:48:57 | zeblikino019.in | 195.14.112.105 | AS56659 | BALTI-AS OOO | UA
2011-06-26 14:28:59 | juengerbi781.in | 195.14.112.111 | AS56659 | BALTI-AS OOO | UA
2011-06-27 08:17:03 | ziabslikino47.in | 195.14.112.116 | AS56659 | BALTI-AS OOO | UA
2011-06-27 14:55:25 | dnsfiarfucktorylockup.in | 195.14.112.73 | AS56659 | BALTI-AS OOO | UA
2011-06-28 17:47:31 | hahahaitismydome.in | 195.14.112.125 | AS56659 | BALTI-AS OOO | UA
2011-06-29 14:24:51 | nemiroffvodka.in | 195.14.112.128 | AS56659 | BALTI-AS OOO | UA
2011-07-05 13:47:09 | cmakdomass19.in | 195.14.112.102 | AS56659 | BALTI-AS OOO | UA
2011-07-05 15:23:33 | halkozukin33.in | 195.14.112.118 | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:08:27 | zelikinder019.in | 195.14.112.108 | AS56659 | BALTI-AS OOO | UA
2011-07-05 16:45:49 | abelopatianeer.ru | 195.14.112.97 | AS56659 | BALTI-AS OOO | UA
2011-07-06 12:19:17 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-06 13:23:26 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-06 21:02:21 | diexr.ru | 195.14.112.75 | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:32:33 | diexr.ru | 195.14.112.137 | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:39:20 | diexr.ru | 195.14.112.137 | AS56659 | BALTI-AS OOO | UA
2011-07-07 09:57:46 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-07 11:26:23 | 3qwpocol.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-08 06:39:56 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-08 11:14:17 | 3qwpocol.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-08 12:14:50 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-08 20:12:23 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-09 21:37:13 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-10 15:10:36 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-11 04:43:30 | diexe.ru | 195.14.112.245 | AS56659 | BALTI-AS OOO | UA
2011-07-11 05:25:34 | nokiamobilecorporation.in | 195.14.112.248 | AS56659 | BALTI-AS OOO | UA
2011-07-11 17:54:31 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-12 06:34:04 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-12 08:53:25 | unkvarante.ru | 195.14.112.136 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:17:31 | 3qwpocol.com | 195.14.112.242 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:19:35 | benbog.com | 195.14.112.218 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:35:57 | gaqwpo.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:36:32 | bonobon7.com | 195.14.112.214 | AS56659 | BALTI-AS OOO | UA
2011-07-13 05:54:07 | colqwpo.com | 195.14.112.250 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:11 | udostrejas.com | 195.14.112.60 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:00:32 | starterkit1.com | 195.14.112.213 | AS56659 | BALTI-AS OOO | UA
2011-07-13 06:05:58 | diexr.com | 195.14.112.49 | AS56659 | BALTI-AS OOO | UA
2011-07-13 07:37:45 | lineclock.com | 195.14.112.27 | AS56659 | BALTI-AS OOO | UA
2011-07-14 10:35:32 | diexri.com | 195.14.112.240 | AS56659 | BALTI-AS OOO | UA
2011-07-14 11:48:02 | murkinduxck.co.tv | 195.14.112.204 | AS56659 | BALTI-AS OOO | UA
2011-07-15 08:34:38 | murkinduxck1.co.tv | 195.14.112.224 | AS56659 | BALTI-AS OOO | UA
2011-07-15 10:53:58 | wupd64.com | 195.14.112.216 | AS56659 | BALTI-AS OOO | UA
2011-07-15 17:25:45 | wupd643.com | 195.14.112.226 | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:37:36 | etopala.com | 195.14.112.220 | AS56659 | BALTI-AS OOO | UA
2011-07-23 08:47:07 | 44qwpoco.com | 195.14.112.234 | AS56659 | BALTI-AS OOO | UA
2011-07-23 18:40:28 | etopala3.com | 195.14.112.229 | AS56659 | BALTI-AS OOO | UA
2011-07-24 08:29:53 | 44qwpoga.com | 195.14.112.69 | AS56659 | BALTI-AS OOO | UA

I assume that the criminals are using some kind of script to check ZeuS Tracker and SpyEye Tracker periodically for new botnet controllers in their subnet. As soon as a new domain pops up they seem to remove it and switch over to a backup URL (both ZeuS and SpyEye have a feature that allows the cybercriminals to define backup URLs that the bots should contact when the main C&C is not reachable).

But what's the benefit of this tactic for the criminal? Well, cybercriminals have learned that they get de-peered quite quickly when they attract too much attention from law enforcement and security researchers. By fluxing the domain name as soon as it appears on a tracker, they ensure that the number of active botnet controllers stays as low as possible. Therefore they do not appear on the radar of the Internet community as fast, and of course the hoster can claim that it takes action against fraudulent customers quickly.
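The pattern is easier to see when the tracker history is aggregated rather than read row by row. The following is an added example (not tooling from the post or from the trackers) that parses the pipe-separated listing format used in the table above and reports, per /24, how many distinct domains and IPs were seen, which domains hopped between addresses, and how many hours passed before the hop. The embedded excerpt is a subset of the rows from the table above; the full export would be processed the same way.

```python
import ipaddress
from datetime import datetime

# Excerpt of the tracker listing from the text, same "|" layout as the table above.
TRACKER_EXCERPT = """\
# Timestamp (UTC) | Domain | IP address | AS number | AS name | Country Code
2011-05-02 16:18:05 | opilori.com | 194.28.44.196 | AS56659 | BALTI-AS OOO | UA
2011-05-19 17:02:55 | gameopiloris.com | 194.28.44.159 | AS56659 | BALTI-AS OOO | UA
2011-06-11 20:51:10 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-06-13 08:37:27 | cmakdohaio93.in | 195.14.112.80 | AS56659 | BALTI-AS OOO | UA
2011-07-06 21:02:21 | diexr.ru | 195.14.112.75 | AS56659 | BALTI-AS OOO | UA
2011-07-07 05:32:33 | diexr.ru | 195.14.112.137 | AS56659 | BALTI-AS OOO | UA
2011-07-07 09:57:46 | 3qwpocol.com | 195.14.112.244 | AS56659 | BALTI-AS OOO | UA
2011-07-07 11:26:23 | 3qwpocol.com | 195.14.112.246 | AS56659 | BALTI-AS OOO | UA
"""


def parse_tracker(text):
    """Parse 'ts | domain | ip | asn | as name | cc' rows; '#' header lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, domain, ip, asn, asname, cc = [p.strip() for p in line.split("|")]
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "domain": domain, "ip": ip, "asn": asn, "cc": cc})
    return entries


def churn_by_subnet(entries, prefixlen=24):
    """Per /24: distinct domains, distinct IPs and number of sightings. Many
    short-lived domains concentrated in one subnet is the fluxing pattern."""
    stats = {}
    for e in entries:
        net = str(ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False))
        s = stats.setdefault(net, {"domains": set(), "ips": set(), "sightings": 0})
        s["domains"].add(e["domain"])
        s["ips"].add(e["ip"])
        s["sightings"] += 1
    return stats


def moved_domains(entries):
    """Domains seen on more than one IP, with the IPs in order of first sighting:
    the 'same or nearby IP' hop that follows a tracker listing."""
    seen = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        ips = seen.setdefault(e["domain"], [])
        if e["ip"] not in ips:
            ips.append(e["ip"])
    return {d: ips for d, ips in seen.items() if len(ips) > 1}


def hours_to_first_move(entries):
    """Hours between a domain's first sighting and its first sighting on a
    different IP, to quantify how quickly the rotation happens."""
    first, result = {}, {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        d = e["domain"]
        if d not in first:
            first[d] = e
        elif e["ip"] != first[d]["ip"] and d not in result:
            result[d] = (e["ts"] - first[d]["ts"]).total_seconds() / 3600
    return result


if __name__ == "__main__":
    rows = parse_tracker(TRACKER_EXCERPT)
    for net, s in churn_by_subnet(rows).items():
        print(net, len(s["domains"]), "domains", len(s["ips"]), "IPs", s["sightings"], "sightings")
    print(moved_domains(rows))
    print(hours_to_first_move(rows))
```

Run over the whole table, the interesting output is the ratio of distinct domains to distinct IPs per subnet and the short gaps in `hours_to_first_move`; both are things a hoster can be asked about, and neither depends on any single domain still resolving.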

Conclusion
What we can say is that BALTI-AS is a rogue network for sure. I haven't seen any legitimate domain names being hosted there.

Also, the criminals are quite creative and will always try not to appear on the radar of the Internet community. It's always a cat-and-mouse game between the infosec community and the criminals who operate the different botnet infrastructures.

As we all know, things can change very fast on the Internet. This is a big issue for policy makers and law enforcement: they are not able to act as quickly as the criminals do. The cybercriminals know this too and are trying to profit from the failings of law enforcement.

The Internet has no borders, so we need a global solution to defend ourselves from cybercrime. But we are still failing to find one. Fortunately, there are dedicated people out there who are determined to fight cybercrime. When these people cooperate, they are able to move mountains.

Good deeds are being done by these folks every day. We just need more of them. And we need governments and organisations across the world to follow in their footsteps.

How Big is Big? Some Botnet Statistics

There is a lot of malware out there, and sometimes it's very difficult for security researchers or AV vendors to estimate the extent of a threat (e.g. a Trojan). One technique for doing so is called sinkholing: the goal is to register malicious botnet domains proactively or reactively to prevent the criminals from exerting command and control over hijacked/infected computers, and at the same time to warn ISPs about infected computers.

Some of you might already know that I am running a sinkhole. So I thought it might be interesting to reveal some botnet statistics based on the drone data I have collected on my sinkhole.

The following data was collected over a period of two months. During this time I sinkholed several botnets. To generate the statistics shown below I picked the highest peak of each malware family and plotted it on the bar chart. In short, the chart shows the highest number of infected IPs each malware family reached within a 24-hour period during the past two months.

First of all, let’s have a look at each malware family I’ve sinkholed during this time.

Trojan | Aliases | Reference
Artro | Renos, CodecPack | Kaspersky Lab
Carberp | - | Symantec
Gbot | - | Sonicwall
Gozi | - | SecureWorks
Ponmocup | Swisyn, Changeup | Microsoft
Ramnit | - | abuse.ch
SpyEye | EyeStye | Symantec
TDSS | Alureon, Tidsserv, TDL4 | ESET
ZeuS | Zbot, WSNPoem, ntos | Symantec

As shown in the table above we have some banking Trojans (Carberp, Gozi, SpyEye and ZeuS), some Trojan droppers (Gbot, Ponmocup), a worm (Ramnit) and some click-fraud Trojans (Artro, TDSS).

Note: the number of infected IPs for each Trojan mentioned below does not necessarily reflect the exact botnet size; it does, however, work fairly well as a relative indication. Some Trojans are malware kits used to run several different botnets (like ZeuS or SpyEye), not all of which are being sinkholed. Unique IPs are also an imperfect proxy for infected machines: dynamic addressing can count one machine several times over a day, while NAT hides many machines behind one address.

Let’s take a look at the sinkhole statistics:

The chart above shows the number of new and total IPs seen within 24 hours for each malware family. What really sticks out is that the Trojans used to attack financial institutions (banking Trojans) have a relatively small number of infected computers (drones) compared to Gbot (which is used to drop/install additional malware on the victim's computer) and the well-known click-fraud rootkit TDSS. The TDSS botnet is six times the size of the Carberp botnet.
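How the two numbers behind that chart are produced from raw sinkhole hits, as an added example that is not the post's own tooling: bucket hits by UTC day per family, count unique IPs per day ("total"), count the IPs not seen on any earlier day for that family ("new"), and take the day with the highest total as the peak. The hit log format ("timestamp family ip") and the records themselves are constructed for the example; addresses are from documentation ranges.

```python
from collections import defaultdict

# Constructed sinkhole hit log: "ts family ip" per line (not real sinkhole data).
SAMPLE_HITS = """\
2011-07-01T00:10:00Z zeus 203.0.113.5
2011-07-01T06:00:00Z zeus 203.0.113.5
2011-07-01T07:00:00Z zeus 203.0.113.9
2011-07-01T03:00:00Z tdss 198.51.100.1
2011-07-01T04:00:00Z tdss 198.51.100.2
2011-07-01T05:00:00Z tdss 198.51.100.3
2011-07-02T01:00:00Z zeus 203.0.113.5
2011-07-02T02:00:00Z zeus 203.0.113.77
2011-07-02T02:30:00Z zeus 203.0.113.78
2011-07-02T03:00:00Z zeus 203.0.113.79
2011-07-02T04:00:00Z tdss 198.51.100.1
2011-07-02T05:00:00Z tdss 198.51.100.9
"""


def parse_hits(text):
    """Reduce each hit to (utc_day, family, ip); repeated hits from one IP
    within a day collapse later, which is the whole point of counting unique IPs."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            ts, family, ip = line.split()
            hits.append((ts[:10], family, ip))   # keep the UTC day only
    return hits


def daily_unique(hits):
    """family -> day -> set of IPs seen on that day."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, family, ip in hits:
        per_day[family][day].add(ip)
    return per_day


def daily_counts(hits):
    """family -> [(day, total_unique, new_unique), ...] in date order, where
    'new' means the IP had not been seen on any earlier day for that family."""
    out = {}
    for family, days in daily_unique(hits).items():
        seen_before, rows = set(), []
        for day in sorted(days):
            ips = days[day]
            rows.append((day, len(ips), len(ips - seen_before)))
            seen_before |= ips
        out[family] = rows
    return out


def peak_day(hits):
    """family -> (day, total_unique, new_unique) for the day with the most unique
    IPs; this is the bar the chart in the text is built from."""
    return {f: max(rows, key=lambda r: r[1]) for f, rows in daily_counts(hits).items()}


if __name__ == "__main__":
    for family, (day, total, new) in peak_day(parse_hits(SAMPLE_HITS)).items():
        print(f"{family}: peak {total} unique IPs on {day} ({new} not seen before)")
```

The "new" column is what tells you whether a family is still spreading or just churning through dynamic addresses: a botnet whose daily total stays flat while "new" stays high is mostly the same machines getting new IPs, which is the caveat from the note above made measurable.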

Why is this the case? It's not very difficult to infect computers today. The trick is to find a good way to monetize the botnet. For banking Trojans the problem is finding money mules that the criminal can use for transferring/laundering the stolen money. A cybercriminal won't benefit from a big botnet if he's not able to cash out the money from the victims' bank accounts. Also, banking Trojans rather quickly get attention from both law enforcement and individuals in the infosec community.

Doing click fraud is much easier: who cares about click fraud? Nobody, except the companies that actually offer/sell online advertising. If you call someone and tell him "Hey, your computer is infected with a click-fraud Trojan" you will most probably get an answer like "WTF is click fraud?!?", and even if you explain the situation to him I'm pretty sure you will get an answer like "Well, I don't care, I hate online advertisements anyway. They only distract me when I'm surfing on porn sites… *erm* when I'm doing online shopping".

Still, I’m not surprised that there are botnets out there that are even bigger than TDSS/TDL:

The chart above shows a botnet called Artro. It is also known as "the advertisement botnet" (Kaspersky) or Renos/CodecPack. It is 1.5 times bigger than TDSS. Artro, however, is also doing some click-fraud stuff. I sinkholed the Artro botnet a year ago. Back then the botnet had a size of 330'000 infected computers (within 24 hours, of course)!

So I'm asking myself: does this answer our question "How big is big?" If we are serious, we can say that 330'000 infected computers is quite enough and really big. That's nearly the same number of computers as there are inhabitants in the largest Swiss city (Zurich).

What would you say if I told you that there is a botnet out there that is much bigger than the Artro botnet?

Some weeks ago I came across a huge botnet that was pretty unknown to me and that I had never heard of before. Doing some research I came to the conclusion that this Trojan was known as Ponmocup. When I started to sinkhole this botnet I was shocked to see that more than 1.2 million (yes, 1'200'000) unique IPs connected to my sinkhole within just 24 hours.

Probably most of you don't even know Ponmocup, so you may ask yourself how this botnet became that big. Well, you already answered that question: the criminals obviously managed to stay under the radar for months (maybe even years). I'm sure there are even more botnets out there (like Artro and Ponmocup) that are quite big and still under the radar of the AV industry / infosec community.

*** Conclusion ***
We have learned that botnet size doesn't really matter. The criminals don't need a big botnet to make a lot of money: it always depends on the business model the criminals want to adopt (e-banking fraud, click fraud or whatever).

But what do we have to do to mitigate these threats? My approach is to try to identify such botnets and sinkhole them. Doing so I'm able to collect data from the connecting bots, which is fed into the Shadowserver drone database. If you are an ISP, a company or running your own network/AS you can obtain a free-of-charge drone feed from Shadowserver for your AS. This allows you to be informed about infected computers within your network on a daily basis.

If you are an ISP/network owner I highly recommend subscribing to Shadowserver's drone feed (if you are not already subscribed).

You can subscribe and/or obtain more information about Shadowserver’s Reporting Service here:
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Follow me on Twitter:
twitter.com/abuse_ch
