
Crimeware-as-a-Service


Underground Business Models:
Crimeware-as-a-Service (CaaS)
Melissa A. Livengood, CISSP
September 14, 2011

Abstract

As society becomes more computer dependent and everyday services move to the Internet, the malware threat landscape continues to expand. Hackers are constantly improving their techniques to counteract new detection technologies as quickly as vendors develop these defenses. Today's hackers are organized and driven; they have their own established ecosystem that targets information security's weakest link, the user. By utilizing sophisticated methods to evade antivirus engines, host intrusion prevention services and firewall access controls, these organized cyber criminals remain relentless in their pursuit of sabotaging systems and stealing valuable information. The underground cyber network is a complex system with specific roles and a defined structure. This highly organized, dark network of cyber thieves utilizes custom exploit kits, ransomware and botnets via Crimeware-as-a-Service, which enables the cyber criminal to stay one step ahead while the user and vendor race to adapt to the threat.

1 INTRODUCTION

The global evolution of malware, and specifically the growth of information technology threats designed to proactively evade security measures, explains why the underground cyber network maintains its success. Security companies are mostly reactive, while a few are able to offer zero-day subscription services for sale. However, even with security measures in place, there is no single solution that will protect the consumer one hundred percent of the time. Today's threats are customized and take advantage of the service-driven Internet society. The underground cyber network capitalizes on users' dependency on the latest and greatest software and services the Internet can offer. The demand for this "service oriented" industry has given these criminals a stable income. The Internet, cloud services, and custom applications are used by cyber criminals to create their own version of "software-as-a-service".

Malicious code, botnets and exploit kits have given birth to an organized underground business model called Crimeware-as-a-Service (CaaS). CaaS provides malware on demand to the infected host, where the actual viral code does not reside on the host but in the cloud, similar to software-as-a-service. An example of a specific type of CaaS is a bot variant that can mutate remotely via a command over HTTP. This allows polymorphism of the malicious code, which helps to evade antivirus engines.

The exponential growth in malware in recent years is an undeniable fact, as security companies have been affirming for some time now. Monthly malware statistics from Kaspersky Labs for January 2011 showed that 187,234,527 malicious programs were detected on users' computers around the globe and 213,915,256 network attacks were blocked (Zakorzhevsky, 2011).

2 CYBERCRIME ORGANIZATIONS

Finjan, in their Web Trends Q2 Report, conducted research into the cybercrime organization structure and business model. Finjan contacted several (re)sellers of stolen data and conducted online interviews with them. Based on the answers Finjan received, they were able to conclude that the modern cyber crime organization is comparable to an organized crime organization. Figure 1 shows the organization chart of a typical cybercrime group compared to a typical mafia family (Finjan, 2008).

Figure 1. Visual comparison of a cybercrime organization and a typical mafia family

3 CRIMEWARE

Crimeware is widely used by a criminal underground that seeks to grow its economy by the easiest means. The gist: "Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites," says Finjan. In other words, it's point, click and hack (Dignan, 2008).

Cybercrime thieves operate in a market that is sensitive to location and economic trends, so they cannot use a "one-scheme-fits-all" approach. The attacks must be customized for each geographic region and focus on a selected group of users and/or businesses. These attacks are often called "campaigns" and incorporate Crimeware toolkits, Trojans and Botnets to do their dirty work (Finjan, 2008).

RANSOMWARE

In the last two years, the security community has seen an increase in malicious code holding data hostage, known as ransomware. In recent ransomware campaigns, it has been bundled with a fake antivirus trojan that not only asks the user for money to rid the computer of all the "bad" viruses, but also instructs the user to pay $50 for a "File Decryptor" or lose their data. This is an example of the cyber criminals using an additional strategy to optimize their profit. Using the scare tactic, the ransomware tells users that they have been infected with a "bad" virus and then locks the user out of their files. This scheme is used to convince the victim that the "bad" virus is holding their data hostage and that by paying the fee for this "antivirus" product, it will be able to clean the computer and decrypt the locked files. This method scares the user into paying the ransom to rid their computer of the virus and unlock their files. Unknown to the user, they have just paid a ransom to the virus itself.

EXPLOIT KITS

An exploit kit, sometimes referred to as an exploit pack, is a toolset that automates the exploitation of client-side vulnerabilities, targeting web browsers and third party applications. These customized kits serve the criminals with a preloaded package ready to deploy. The attacker needs no technical skill to code or build exploits. The kit does all the work for the attacker, identifying the web browser dependencies and sending the exploits that apply to that particular browser configuration. A typical exploit kit provides a user-friendly web interface for the cyber criminal to use to manage and track the infection attack. The kit provides a full service framework to exploit for profit, a common methodology in the CaaS model.

Exploit kits are used as a launching platform to deliver other payloads including backdoors, spyware and bot infection. Each particular exploit kit is marketed toward a set of vulnerabilities and manageability.

The most popular exploit kits are listed in Figure 3 below from M86 Security Labs Recap Report (M86 Security Labs, 2011).

Figure 3. Most Popular Exploit Kits, M86 Security Labs Recap Report, January - June, 2011

FULL SERVICE BOTNETS

Cyber crime threats are more complex in today's Internet society. The typical worms and viruses of the old days, which inflicted damage on the hard drive or sent the machine into an endless reboot loop, are now rare. The dark Internet forces became wise and decided to use their skill not to damage the computer, but to use the computer as a host for their nefarious activities. Why destroy the machine when you can turn it into a profit? Welcome to the world of botnets, where one user is part of a regional or global collection of "zombie" computers waiting for the next command from their master.

COREFLOOD BOTNET

In April of 2011, the Federal Bureau of Investigation (FBI) estimated the Coreflood botnet to consist of "hundreds of thousands" of infected PCs (FBI, 2011). Coreflood, being another example of a CaaS operation, provided computers readily available for lease or purchase by malicious actors through the underground market.

Coreflood began as a botnet modeled to provide proxy services and DDoS-for-hire operations. However, it eventually evolved into a more serious line of service: financial crime. Coreflood had the ability to capture all user information needed to allow someone to access online banking accounts. For the underground market, this was an easy sell, and to the cyber criminal, this was an easy heist.

The Coreflood botnet has been found in systems on college campuses, law firms, defense contractors and small businesses. This was a huge marketing point for the underground cyber network of thieves running this collective, and the financial impact is nothing to undersell. In response to this, the FBI took action by seizing five command and control servers and twenty-nine domain names used by the Coreflood botnet. In an aggressive effort to assist victims, the FBI was able to re-route infected computers to a government controlled server that issued a shutdown command. By taking this action, the FBI was able to stop the malware from running on the infected computers, and the Coreflood botnet would not be able to introduce new versions of the malware to the infected hosts, thus ending the CaaS polymorphism operation. Figure 4 below highlights the decreased activity of the Coreflood botnet after the FBI takedown, which took place on April 13th, 2011 (Zetter, 2011).

Figure 4. FBI vs. Coreflood Botnet

SPYEYE TROJAN/BOTNET

The SpyEye Crimekit is a sophisticated piece of malware consisting of a main access frontend and a form-grabber access panel which is customized through the "builder". It has been known to sell in the cybercrime underground market for a base version price of $6,000. A build of SpyEye with plug-in options, allowing a more customized, targeted version of the malware, has seen a price tag of $10,000. Figure 5 shows an example of the SpyEye builder, version 1.3.34 (Krebs, 2011).

Figure 5. SpyEye builder, version 1.3.34

Depending on what version of the SpyEye builder is being used, the following settings are available:

  • Encryption Key: Enabling protection of the config.bin file.

  • Compress build by UPX: Allowing compression and minimal obfuscation.

  • Anti-Rapport: Customized option, providing cloaking to evade Trusteer Rapport software.

  • Firefox webinjects: Option to use webinjects in Mozilla Firefox.

  • webfakes: Ability to spoof the contents of HTTP and HTTPS page resources without connecting to the original web server in both Internet Explorer and Mozilla Firefox.

  • ccgrabber: Plug-in option to collect credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm¹.

  • SOCKS5 backdoor: Allows communication to remote control host via SOCKS protocol.

  • FTP backdoor: Allows communication to host via FTP protocol.

  • RDP backdoor: Enables RDP protocol on host for command and control.

  • Bug report: Plug-in allows the bot to send back technical details if the application crashes.

  • ffcertgrabber: Plug-in enabling the collection of certificates from the Firefox certificate store.

SpyEye gives cyber thieves the ability to siphon cash from the online banking accounts of consumers and small businesses. The code in SpyEye is programmed to wait for the account holder to log into his or her online banking account, collect the balance figure to determine whether or not the account is sufficient, initiate the transfer behind the scenes and then move the stolen funds into a mule account that is set up and controlled by the cyber criminal or organization to receive the cash.

 

¹The Luhn algorithm is a simple checksum formula used by many credit card and government identification numbers as a way of distinguishing valid numbers from collections of random digits.
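The Luhn check that the ccgrabber plug-in relies on is the same test a defender can run in the other direction. As an added example that is not part of the original paper, the Python below scans captured HTTP POST bodies for Luhn-valid 13 to 19 digit runs, the kind of rule a data loss prevention proxy uses to alert on card numbers leaving the network; the request bodies are constructed samples.

```python
import re

# Constructed sample request bodies (not real traffic). Body 1 carries the
# Luhn-valid test number 4111111111111111; body 2 carries a 14-digit run that
# fails the checksum and must not be reported.
SAMPLE_POST_BODIES = [
    "user=alice&pass=hunter2&remember=1",
    "name=Alice+Smith&card=4111111111111111&exp=12%2F14&cvv=123",
    "order=98765432109876&qty=2",
    "phone=5551234567&zip=90210",
]

def luhn_valid(digits):
    """Return True when the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit: every second digit is doubled, and a
    # doubled value above 9 has 9 subtracted (same as summing its two digits).
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0

# Candidates: 13 to 19 digits, optionally split by spaces or dashes, and not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pan_candidates(body):
    """Return the Luhn-valid candidate card numbers found in one request body."""
    hits = []
    for match in PAN_PATTERN.finditer(body):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def flag_bodies(bodies):
    """Map the index of each body that leaks a card number to the numbers found."""
    alerts = {}
    for index, body in enumerate(bodies):
        hits = find_pan_candidates(body)
        if hits:
            alerts[index] = hits
    return alerts
```

Digit runs that fail the checksum (order numbers, phone numbers) are ignored, which keeps the alert rate manageable when the rule runs on real proxy logs.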

The SpyEye author has recently taken a hit to his crimeware enterprise. A French researcher discovered how to crack SpyEye's licensing key, which unlocks the code for full use, and included his own tutorial (Damballa, 2011). This recent development has caused SpyEye prices to drop down to $100. Although researchers see the SpyEye crack as an opportunity to find weaknesses in the SpyEye code, this isn't necessarily a positive development. This event has only increased the availability of the SpyEye crimekit to those who could not afford it before, thus infections have increased. As of September 7th, SpyEye infections are alive and well with 182 Command and Control servers online with an antivirus detection rate of 25.28% (abuse.ch, 2011). Figure 6 shows a screenshot of the SpyEye Command and Control servers tracked by abuse.ch, denoting the type of hosting service.

Figure 6. SpyEye Tracker, https://spyeyetracker.abuse.ch/monitor.php

SpyEye has gained the reputation of the ultimate crimeware kit, giving cyber criminals everything they need in one easy-to-use application. The author of the code even provides customer service through his Jabber account.

CONCLUSION

CaaS illustrates the new breed of organized crime perpetrated over the Internet. CaaS gives even the technical novice the ability to penetrate today's corporate, government and personal networks. Cyber criminals are breaking through traditional security defenses, staying one step ahead of the game. We are in a new era of service-driven attacks involving dynamic zero-day malware tactics, traditional social engineering schemes and a structured hierarchy of cyber crime syndicates.

In order to mitigate the CaaS threat, traditional defenses must be able to evolve to a new level of security that can detect and block the sophisticated, service-driven attacks. New technologies are needed that can recognize advanced malware entering through user services and prevent data theft.

User education is also key to survival in this new threat era. Users must be reminded of the traditional social engineering schemes that most likely will never go away. This traditional method will always be used by the cyber criminal as an entry point into the system. Once they get a foothold into the network, they will continue to break down defenses to get the access needed to obtain the data they seek.

Third party application patching is another issue that every user and entity must address. CaaS illustrates this well with the standard exploit kit. The kit does all the work, looking for an unpatched application or end-of-life program to exploit and deliver its malicious payload.

Developing new detection technologies, applying user education and routine patching will help level the playing field in the cyber threat landscape. However, the cyber criminals don't need to play by the rules. Organizations must rely on a budget, resources and expert staff to be able to discover new methods, invest in a user education platform and enforce application security. Criminals only have to find zero-day exploits for sale, botnets for rent and unsuspecting users to victimize.

REFERENCES

  1. abuse.ch (2011). SpyEye Tracker. https://spyeyetracker.abuse.ch/
  2. Damballa (2011). "First Zeus, now SpyEye look @ the source code now!". http://blog.damballa.com/?p=1357
  3. Dignan (2008). "The next big thing? Crimeware-as-a-service". http://www.zdnet.com/blog/security/the-next-big-thing-crimeware-as-a-service/1012
  4. FBI (2011). "Department of Justice Takes Action to Disable International Botnet". http://www.fbi.gov/newhaven/press-releases/2011/nh041311.htm
  5. Finjan (2008). "Web Security Trends Report (Q2/2008)". http://www.m86security.com/labs/web-security-trends-reports.asp
  6. Krebs (2011). "SpyEye Targets Opera, Google Chrome Users". http://krebsonsecurity.com/tag/spyeye/
  7. M86 Security Labs (2011). Recap Report. http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_report_1h20
  8. Zakorzhevsky (2011). January Malware Statistics. http://www.securelist.com/en/analysis/204792159/Monthly_Malware_Statistics_January_201
  9. Zetter (2011). "FBI vs. Coreflood botnet: round one goes to Feds". http://arstechnica.com/tech-policy/news/2011/04/fbi-vs-coreflood-botnet-round-one-goes-to-the-feds.ars

 
