Алексей Старов - Как проводить киберраследования?
2 likes1,061 views
The document details research methodologies for investigating cybercrime, primarily focusing on web shells, fraudulent online schemes, and collaborative efforts with law enforcement. It covers the detection and analysis of web shells, the study of technical support scams, and the collaboration with authorities for tackling online financial fraud. Emphasis is placed on large-scale data collection, analysis techniques, and contributions to improving cybersecurity measures.
![Logs We Get on the Honeypot
46.167.121.166 - -
[02/Jul/2015:22:56:42 +0000] "GET
/images/ftpmaster.php HTTP/1.1" 404 520
"-" "Mozilla/5.0 (Windows NT 6.1;
rv:31.0) Gecko/20100101 Firefox/31.0"
32
Attacker’s IP address
Web shell’s path](https://image.slidesharecdn.com/hackit-starov-161010204741/85/-32-320.jpg)
![Logs We Get for Stale Domains
187.99.230.117 - -
[01/Jan/2016:00:19:04 +0000] "GET
/logz/yaz.js HTTP/1.1" 404 507
"http://www.XXXXXXXXXXXXXXXX.ua/files/X
XXXXXXXX_ca6a456dc0b461cHNAL.php"
"Mozilla/5.0 (Windows NT 6.1; rv:43.0)
Gecko/20100101 Firefox/43.0"
37
Attacker’s IP address Compromised
website](https://image.slidesharecdn.com/hackit-starov-161010204741/85/-37-320.jpg)
![MORE: Requests from localhost…
75.151.74.150 - - [12/Dec/2015:22:46:15
+0000] "GET /yazciz/ciz.js HTTP/1.1" 404 503
"http://localhost:8080/c99%20with%20pass%20a
li.php" "Mozilla/5.0 (Windows NT 6.3;
rv:42.0) Gecko/20100101 Firefox/42.0"
44
Участники CTF, будьте осторожны
с чужими шеллами! J](https://image.slidesharecdn.com/hackit-starov-161010204741/85/-44-320.jpg)
Алексей Старов - Как проводить киберраследования?
- 1. HOW TO DO RESEARCH IN CYBERCRIME Как проводить исследования/расследования в области киберпреступлений by Alex Starov HackIT 2016
- 2. Pragmatic Security “PragSec” Lab 2 Our Research Security Privacy Cybercrime
- 3. WANTED: Cybercrime Research • Models of online crimes • Ecosystems of attackers/hackers • Financial infrastructures • Measurement studies of real underground economies • Different aspects of fraud • Fraud prevention • Effectiveness of protection countermeasures • Case studies of current attack methods • Social engineering • … 3
- 4. Today we have 3 lessons ① Let’s detect them / Обнаружим их… ② Going undercover / Под прикрытием ③ Let’s catch them / Полное разоблачение 4
- 5. LESSON #1 Let’s detect them! (based on http://securitee.org/files/webshells_www2016.pdf) 5
- 6. IDEA: We can investigate crime artifacts • What most attackers do after hacking a server? 6
- 7. Web shells / backdoors • At its simplest form, a web shell is a script that attackers upload to compromised web servers in order to remotely control them 7
- 8. Example of a Real-life PHP Shell 8
- 9. Example of a Real-life PHP Shell 9
- 10. Are web shells important? 10
- 11. Wow, attackers on Ukrainian Power Grid also used a backdoor web shell! 11
- 12. Let’s Google It: Hackers May Search for Shells 12
- 13. Such attempts can be detected, though… 13 https://some_our_url.com/c99.php
- 14. Daily Statistics on Captured Requests for Shells via Google Dorks 14
- 15. Our Objectives: Let’s define • Conduct a comprehensive large-scale study of web shells, their nature and the surrounding ecosystem of hackers • Inspect visible and invisible features of real-life malicious shells and how attackers can use them • Find useful information for countermeasures, at least for their detection by IDS or scanners… 15
- 16. First of all: Data Collection • Starting with a combined set of 1449 shells, we derived a unified set of more than 500 real unique shells! • Including variations of c99, r57, WSO, B347k, NST, NCC, Crystal, etc. 16 Filtering Normalization Deobfuscation Normalization https://www.unphp.net
- 17. SHELL FEATURES Static & Dynamic Analysis 17
- 18. Interface Features (static taint analysis) 18
- 19. Silent Server-side Activity on 31.4% (intercepted by PHP’s runkit framework) 19
- 20. Silent Server-side Activity: Commands 20 Group Aggregated examples Main System Info id(71), uname(41), echo $OSTYPE(23), pwd(16), whoami(13) More System Info ls -la(7), df -h(2), uptime(2), ps aux(1), free -m(1) Check Installed which *(4), wget -help(5), javac -version(2), perl -v(1) Internet Usage cd /tmp, lynx | curl | GET *(8), wget | curl | lwp-download *(6) Other actions echo abcr57(19), killall -9 host(1), crontab (1)
- 21. Silent Server-side Activity: files 21 Group # Shells Examples /var/www/html/*/* 21 write test.txt, read own PHP file /etc/* 8 named.conf, hosts, passwd, fstab http://* 7 send own URL, load api.php, sender.txt *.php 6 dbs.php, shell.php, errors.php, ss.php, etc. /tmp/* 5 qw7_sess, shellcode.so, Ra1NX php.ini 5 write to php.ini or ini.php .htaccess 5 write .htaccess or sym/.htaccess *.txt 5 kampret.txt, data.txt, cpaccount.txt /proc/* 4 cpuinfo, meminfo, partitions, version *.sql.gz 2 read N-Cool-073115-0850am.sql.gz Other 2 1.sh and libworker.so
- 22. Test more: Stealthiness Hiding the code: • 20.6% with increased token count after deobfuscation • 20.8% use eval() with avg. of 15.2 calls, up to 91 Hiding the path: • 16% check HTTP User-Agent against a blacklist (61 shells give 404 if your user agent contains “Google”) • 2.3% return 404 until get proper POST/GET parameters 22
- 23. Even more: Bypassing Antivirus Engines Original PHP shells: • 90% detected by at least one scanner of VirusTotal • Best scanners detect 72.5% and 67.2% Deobfuscated shells: • Overall accuracy decreases to 88.5% • Avg. detection rate decreases from 15 to 10 scanners • E.g., one specific shell was detected by 22 and after deobfuscation – by only 2 => Another useful finding! 23
- 25. Is something wrong here? 25
- 26. Answer: Authentication Bypass 26 Simulated Register Globals Unprotected Features
- 27. Authentication Bypass – совпадение? • 52.0% provide authentication in the code • 30.8% of authentication codes can be bypassed ÞNo honor among thieves! The original shell- distributor injects a backdoor in the backdoor ÞAnd finds out the location of already deployed shells via homephoning?! 27
- 28. BACKDOORS IN WEBSHELLS Deploying a Honeypot Server 28
- 30. Results on Homephoning 30 29.2% on the client-side • With an average of two domains per shell • Overall 149 domains / 108 IPs were contacted 4.8% on the server-side • 70% connect to one of the 21 domains • Located in USA, Republic of Korea, China
- 32. Logs We Get on the Honeypot 46.167.121.166 - - [02/Jul/2015:22:56:42 +0000] "GET /images/ftpmaster.php HTTP/1.1" 404 520 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0" 32 Attacker’s IP address Web shell’s path
- 33. Attacker Connections Daily • In the 8 weeks of our experiment: • We recorded 690 web shell access attempts from 71 unique IP addresses located in 17 countries • Top 3: Turkey, USA, and Germany • 16.4% of homephoning shells were visited by attackers 33
- 34. USING THEIR WEAPON Detecting web shells via… the same homephoning! 34
- 35. Stale domain-based inclusions 35 2012 • example.com adopts web analytics <script src="http://analytics.com/a.js"/> 2014 • Analytics goes bankrupt and allows analytics.com to expire • example.com does not update their website 2015 • analytics.com is registered by an attacker! • malicious JS pushed to example.com… (Nikiforakis et al., 2012)
- 36. Stale (expired) domains called by web shells and now registered by us! 36
- 37. Logs We Get for Stale Domains 187.99.230.117 - - [01/Jan/2016:00:19:04 +0000] "GET /logz/yaz.js HTTP/1.1" 404 507 "http://www.XXXXXXXXXXXXXXXX.ua/files/X XXXXXXXX_ca6a456dc0b461cHNAL.php" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0" 37 Attacker’s IP address Compromised website
- 38. Compromised Websites Found Local businesses and organizations: • an order service in Iran • a travel portal in China • a software company in Russia • a shipping company in US • college website in Morocco More critical websites: • a hospital website in Peru • a legal consultation office in Russia • a security services company in Vietnam 38
- 39. Victim Websites based on Server Location 39
- 40. Victim Websites taking into account TLDs 40
- 41. Victim Websites and Victim Servers 41
- 42. All Attackers Detected in Logs 42
- 43. Top 10 Targets for Attacks 43
- 44. MORE: Requests from localhost… 75.151.74.150 - - [12/Dec/2015:22:46:15 +0000] "GET /yazciz/ciz.js HTTP/1.1" 404 503 "http://localhost:8080/c99%20with%20pass%20a li.php" "Mozilla/5.0 (Windows NT 6.3; rv:42.0) Gecko/20100101 Firefox/42.0" 44 Участники CTF, будьте осторожны с чужими шеллами! J
- 45. Takeaway Notes Idea: исследовать артефакты веб взломов – web shells Methods: масштабный сбор шеллов, статический и динамический анализ, установка honeypot-серверов, использование “stale domains” во благо Tools: UnPHP, OpenWPM/Selenium, PHP’s runkit, VirusTotal’s API, MaxMind’s GeoLite2, много скриптов Contribution: • Know your enemy – информация для сканеров и IDS • Мониторинг соответствующих “stale domains” дает возможность быстро находить веб взломы и обезоруживать вредоносные шеллы! 45
- 46. LESSON #2 Going undercover (based on https://arxiv.org/abs/1607.06891) 46
- 47. Another source of ideas 47
- 48. Another source of ideas 48 http://securit13.libsyn.com/episode--64
- 50. OK, then Our Motivation • This scam has become so prevalent that the Internet Crime Complaint Center released a Public Service Announcement in November 2014 • This type of scam costs users millions of dollars on a yearly basis… • No systematic research yet, and protection is wanted! 50
- 51. What attributes common to TSS? • Usually they block navigation with alerts • Preceded by a long redirection chain • Presence of a phone number • Scareware-like keywords 51 address financial message email using virus breach tracking carry communications ancient result call stalkers thefts administrator www exe hacked logs services suspended restart situation attention duped contacting webcam oops passwords registry prevent technicians connection adware disabled blocked pop access reserved run worm program frame live warning unknown wrong classified info attack actions desk details computing inject something malware calling copyright especially technical vpn follow harmful response engineering anonymous significant shut browsing location containing dear installed visit current continue causing caused exposed apply acts useful warriors leaked often concealed reason tcp theft social rights firewall major disk logins identity removed hard locked cause viruses password type deleted fix page auto based form port com trick software harmfull terms crash mpqr
- 52. What delivery methods they can use? • Hmm, AD NETWORKS?.. Let’s look on what websites: http://droobox.com http://stackovertlow.com http://tackoverflow.com http://stackkoverflow.com http://twwitter.com http://fecebook.com http://facbeook.com … 52
- 53. Typosquatting is a famous trick! 53
- 54. We need a large-scale crawler 54 Redundant Crawlers JS Interceptor MITM Proxy Detector (ML) Typosquatting domains Shortened URLs Links from spam emails … More than 1000 unique scam domains and 100 phone numbers per week!
- 55. A this point, we found thousands of Phone numbers & providers • 8004699439 (e.g., ATL) • 8004699439 (e.g., Twillio) • 8443074809 (e.g., WilTel) • 8008704502 • 8009214167 • 8442035085 • 8442318194 • 8442338231 • 8442439201 • … Scam Domains • system-checker-51.nl • system-warning.com • tfn13.in • update-softwareinfo.com • virus-alerts.in • virus-check-error.net • virus-watch.xyz • window-scan.pw • www.pcsol.co • www.security-alert404.com • … 55
- 56. THINK: What we can do useful? 56
- 57. We need to improve current blacklists! Domains • Popular blacklists contain only 7% of TSS domains • VirusTotal detects only 64%, by only 3.25 scanners on average • We detect earlier Phones • Online databases and available phone apps cover only 27.4%, with the best mobile app only 0.5% and websites almost 20% (mrnumber.com and 800notes.com) 57
- 58. Tools used so far: • Selenium/OpenWPM for large-scale crawlers • JavaScript interception • MITM Proxy for traffic dumps • Selenium for scraping • Python and R scripts for statistics and ML • VirusTotal APIs for domain checks • Android Console to simulate calls • … 58
- 59. We want more useful staff… • Don’t afraid to use your acting skills! • Again, use their weapon against them! 59
- 60. We called more than 60 phone numbers, having a prepared VM for each call • Scammer: Thank you for calling technical support. How may I assist you? • Victim: Hi, good morning. I think I have a problem with my computer because I was browsing the Internet and then it suddenly told me that I was infected with a virus and it asked me to call this number. • Scammer: OK. Can you confirm for me, first of all, what Microsoft device you are using? • Victim: I am using Windows 7. I do not know if that is what your question is. … 60
- 61. Techniques they use • Stopped Services/Drivers • Event Viewer • Specific Virus Explained • System Information • Action Center • Fake CMD Scan • Netstat Scan • Installed/Running Programs • Browsing History/Settings • Downloaded Scanner • Reliability/Performance • Temp folder • Registry • … 61
- 62. Gotcha! Found signs of scammer groups 1) They use similar script and methods, can handle many calls simultaneously 2) WHOIS records show similarities (some use CDNs and Cloudflare) 3) Corresponds to the clustering of domain-phone graphs, and JS 4) Used remote-access tools leak similar locations: regions of India, some from US and Costa Rica 62
- 63. Mad scientist vs. White-hat Scientist Mad Scientist: doesn’t care! White Scientist: IRB approval! 63 Be careful and think of others!
- 64. What is an IRB? “The Institutional Review Board (IRB) is made up of a group of people such as scientists, doctors and some community people. The IRB looks at every protocol or research study before it is conducted on any people. Because some research studies involve risk, the IRB looks at the study to make sure the risks are justified and minimized. In addition, the IRB wants to make sure the Principal Investigator follows all the rules the federal government has set up to protect human subjects who so kindly volunteer to participate in a research study” 64
- 65. Takeaway Notes Idea sources: security news, blogs, podcasts, forums… Methods: распределенный “crawler”, машинное обучение и другие “heuristics”, проверка “blacklists”, белая социальная инженерия Contribution: •Определены техники, артефакты и группы скамеров •Механизм для быстрого определения доменов и телефонных номеров, используемых скамерами! 65
- 66. LESSON 3 Let’s catch them 66
- 67. Collaboration with authorities is a plus! 67
- 68. Outline of the research 68 • Сотрудничая с FBI и USPIS получили доступ к серверам и другим артефактам вебсайтов, которые предлагали услуги по “reshipping scam” • Услуга заключается в предоставлении способа монетизации денег с украденных кредитных карточек Contribution: • Была посчитана суммарная выручка хакеров в 1.8 млрд долларов в год! • Изучена инфраструктура хакеров, их следы, а также предложены наиболее эффективные способы защиты
- 69. Steps of the fraud, let’s think together! 69
- 70. Cooperation with UA cyber police ① Если исследователь в области информационной безопасности (из университета) обнаружил полезную информацию для киберполиции, к кому обратиться? Будет ли киберполиция содействовать в получении дополнительных данных? Ответ: Если вы обнаружили информацию которая подлежит подследственности киберполиции немедленно обратитесь в Департамент киберполиции или в отделение по месту жительства или напишите электронное заявление на сайте киберполиции https://www.cybercrime.gov.ua/feedback5-ua Киберполиции в рамках своих полномочий будет проводить проверку. 70
- 71. Cooperation with UA cyber police (cont.) ② Возможна ли обратная ситуация, т.е. аутсорсинг кибер-расследования в университетских лабораториях? Участие киберполиции в научных исследованиях, публикациях и конференциях по защите информации? Ответ: возможна, мы сотрудничаем с рядом аутсорсинговых компаний. В случае наличия конкретного предложения предоставьте пожалуйста конкретизированный план взаимодействий и мы его рассмотрим. ③ Если научное исследование выявило информацию, о которой для предостережения желательно уведомить граждан, поможет ли полиция распространить ее? Ответ: Да, это входит обязанности киберполиции, а именно предупреждения преступлений. 71
- 72. Summary • LESSON 1: Мы обнаружили веб шеллы по всему миру, взломанные сайты и злоумышленников • LESSON 2: Мы обнаружили много артефактов ложных технических поддержек и общались с мошенниками под прикрытием, т.е. “ловили на живца” • LESSON 3: Мы сотрудничали с ФБР чтобы расследовать и предотвратить популярный способ обналичивания украденных карт 72
- 73. Are you ready to make the world a better place?! Questions? 73 [email protected] www.pragsec.com