My software has a vulnerability: should I worry?

SECONOMICS
Offensive technologies
Fall 2015
Lecture 2 – A techno-economic overview of the cybercrime markets
Luca Allodi
https://securitylab.disi.unitn.it/doku.php?id=course_on_offensive_technologies
Outline
• What are cybercrime markets
– Low-tech and high-tech types of markets
• High-tech cybercrime markets
– Exploit kits
– Demographic stats of market activities
– Market sustainability
• What makes a market a good market
• How are trades organized
• How is punishment enforced (for cheaters, rippers)
• The MalwareLab: a setup example
– Testing exploit kits in a controlled environment
What is a market
• A market is a system by which services or goods are traded in exchange for compensation
• There can be many types of markets
– Financial markets
– Work / job position markets
– ...
• A marketplace is a venue where the market is held
– Physical (a town's square)
– Virtual (a website, a chat, other or mixed means)
– The terms "market" and "marketplace" will be used interchangeably in this lecture
What are the (cybercrime) black markets
• "... a 'black market' economy, built around for-profit cybercrime, in which a large number of geographically distributed actors trade in data, knowledge and services" [Kurt et al. 2015]
→ Held in virtual marketplaces
– Originally IRC
– Now mostly web forums
• Trading of
– Attacking tools
– Highly efficient exploits; vulnerabilities
– Accounts, money laundering, CCNs, ...
Underground-based markets
• "TOR-based markets" → cannot be reached from the "standard" Internet
– → "a network inside the Network"
– Typically drugs and other illegal-goods markets
• "Closed markets" → can be reached on the Internet
– Most tech markets are of this type
– Markets are closed; entry by selection
– Organised in different markets
• Typically "national" → Russian, Chinese, Brazilian
– Among the most influential are the Russian markets
• We infiltrated several
Fabio Massacci - Luca Allodi
Types of markets
• Low-tech markets
– "Spam-advertised" or fake goods
– Hosting, stolen credentials, ...
• High-tech markets
– Cybercrime markets
• Attack delivery technologies
• Malware/specialized payloads (Zeus, clickbots, ...)
– "Private" markets
• A few players selling high-tech malware to selected customers
Low-tech market: example for spam-advertised goods [Kurt et al. 2015]
High-tech markets: cybercrime as a market service
• Technological vs human vectors for attacks
– We are interested in the former
• Technical competences are concentrated in underground markets for attacks
– Trade of advanced exploitation vectors
• Vulnerabilities, exploits and malware
• Delivery mechanisms
• Exploit and tool developers sell the technology to multiple clients
– Clients can combine several different technologies to personalise the attack
High-tech Cybercrime Markets: Why should we care? (Premise)
• How many of you drive?
• Have you ever taken a flight?
• Make phone calls?
• Eat?
• How many of you can build a car?
• Build an airplane?
• Build a phone?
• Cook (warming up a pizza does not qualify as cooking)?
• One of a technological market's goals is to outsource technicalities to third parties that deliver a final product the customer can use without knowing (all) the details
A technological case study: Exploit Kits
(Diagram with numbered steps)
1. Requests web page from the malicious server
2. Receives HTML exploit page
3. If the exploit is successful, shellcode downloads malware of some sort
4. Computer is infected
Exploit Kits
What's an Exploit Kit
• Essentially, a website
– When a user contacts the server, the latter launches an attack against the user
– If successful, it typically infects the system
• Attacks exploit software vulnerabilities
– Browser, plugin, operating system
– Independently of the exploited vulnerability, ekits attack from the browser
– Multiple kits on the market. Famous ones: Blackhole, RIG, Crimepack, Neutrino, BleedingLife, ...
Phase 1. Attack bootstrap
• Goal: the user needs to be infected without having to interact with the attack in any way other than opening a webpage (ideally)
– The webpage need not be malicious
– A legit page might load the malicious payload (without knowing it)
• Ads
• Attacker iFrames
• Catchy click-bait Facebook video
• Link in an email
Phase 1. Attacks “in the wild”
Baseline workings (diagram, built up over five slides)
– Actors: Hacker/Exploit kit owner, Exploit Kit, iFrame on a popular website homepage, User
– The iFrame on the popular website homepage points to the Exploit Kit
– User → Popular website homepage: this is the original GET request
– Exploit Kit → User: attacks. This is the GET response; it can't be removed without breaking the web
Phase 2. Software vulnerabilities
• The attack exploits software vulns
• Sw vulns can be exploited by means of (machine) code that the system can interpret
• Typically two types
– Scripting code (JavaScript, VBScript, ...) that the browser interprets
– Malformed files (.swf, .pdf, .applet) loaded by plugins or third-party sw
Third-party traffic
• Exploit kits only work if they receive victim traffic
– Direct links, ads, iframes, redirections, ...
• The underground has services that trade connections
– "Malvertising", spam, iframes on legit websites
• The attacker "buys" 1000 connections from Italian users using IE 7
– The user loads the webpage the attacker compromised, and if the characteristics match, traffic is redirected
Traffic redirection (diagram, built up over five slides)
– Actors: Exploit kit owner, Exploit Kit, iFrame/ADs on a popular website homepage, Traffic Broker / Hacker, User
– Exploit kit owner → Traffic Broker / Hacker: buys traffic
– The User loads the popular website homepage, whose ADs/iFrame lead to the Exploit Kit
– Exploit Kit → User: attacks
– This is intrinsic to the ad-based web model
Phase 3. Malicious code execution
• A vulnerability exploit is not, by itself, enough to deliver the full attack → exploit != infection
• The payload of the attack needs to send something back to the attacker
– Examples: a root shell; a download request for malware
• The payload of an attack is usually called "shellcode"
– Usually written in machine code (low level)
– Directly loaded in memory by the attacker through the exploit
– The system executes it
Exploit Kits - Internals
Tech vector: summary
• Infection process
1. The victim browser contacts the malicious website
2. The webpage attacks vulnerabilities on the victim's system
3. If the attack works, shellcode is executed
• Typically downloads and installs malware on the system (drive-by)
• What does an exploit kit look like from inside?
– Leaked source code of 30+ exploit kits
– Vulns and exploits on 70+ kits
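The three-step tech vector above, seen from the proxy log of the victim's network: an added detection example (my code, not from the lecture or from any kit). The log format, the sample lines, the host names and the 30-second window are all constructed assumptions for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Content types the lecture names as exploit carriers (.swf/.pdf/.jar handed
# to plugins) and the kinds of binary the shellcode then fetches.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/pdf",
                "application/java-archive"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = 30  # seconds: a drive-by needs no user interaction, so it is quick

# Constructed proxy log (not real traffic):
# epoch client method url status content-type referer
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://news.example/ 200 text/html -
1001 10.0.0.5 GET http://cdn.news.example/app.js 200 application/javascript http://news.example/
1002 10.0.0.5 GET http://ads.broker.example/serve?z=7 200 text/html http://news.example/
1003 10.0.0.5 GET http://x7k2.landing.example/index.php?id=42 200 text/html http://ads.broker.example/serve?z=7
1005 10.0.0.5 GET http://x7k2.landing.example/exp.swf 200 application/x-shockwave-flash http://x7k2.landing.example/index.php?id=42
1009 10.0.0.5 GET http://x7k2.landing.example/load.php?f=1 200 application/octet-stream -
1020 10.0.0.9 GET http://news.example/ 200 text/html -
1025 10.0.0.9 GET http://files.vendor.example/setup.exe 200 application/octet-stream http://vendor.example/download
"""

def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ctype, referer = line.split()
        events.append({
            "ts": int(ts), "client": client, "url": url,
            "host": urlparse(url).hostname, "ctype": ctype,
            "ref_host": None if referer == "-" else urlparse(referer).hostname,
        })
    return events

def detect_driveby(events, window=WINDOW):
    """Flag a client that (1) reached a host via another site's iframe/ad/
    redirect, (2) got plugin content from it, (3) pulled a binary soon after."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, plug in enumerate(evs):
            if plug["ctype"] not in PLUGIN_TYPES:
                continue
            landing = plug["host"]
            # (1) first request to the landing host, referred from another site
            entry = next((e for e in evs[:i]
                          if e["host"] == landing
                          and e["ref_host"] not in (None, landing)
                          and plug["ts"] - e["ts"] <= window), None)
            # (3) shellcode fetching a binary shortly after the exploit content
            binary = next((e for e in evs[i + 1:]
                           if e["ctype"] in BINARY_TYPES
                           and e["ts"] - plug["ts"] <= window), None)
            if entry and binary:
                alerts.append({"client": client, "origin": entry["ref_host"],
                               "landing": landing, "exploit": plug["url"],
                               "payload": binary["url"]})
    return alerts
```

Because many kits serve the attack only once per IP (the IP check described below), refetching the URLs from the analyst's own address will not reproduce this chain; run the check on the recorded log instead.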
Offensive components
• At the contact with the victim
1. Detects browser and operating system (88%)
2. Checks the system hasn't been attacked yet (64%)
• via IP checking
3. Checks if the system is actually vulnerable
4. Launches the appropriate attack
• Less sophisticated kits launch the attack even if the system isn't sophisticated enough (36%)
Exploit kits: attacks
• You need one exploit to be successful for the attack to be successful
• Typically 10-12 exploits per kit
– Recently we see ekits with 3-5 exploits
– Most often not very recent (2-3 years old)
• Exploits typically attack vulns in:
– Adobe Flash, Acrobat Reader, Internet Explorer, Java, other plug-ins
Question:
• Why do exploit kits use plugin vulnerabilities?
Defensive components
• Many exploit kits defend themselves against AV/robot detection
• Payload and malware obfuscation (82%)
– Obfuscation + crypto
– Malware packers
• Block IPs to avoid probes (78%)
• Evasion of robots and crawlers (3 kits only)
• Some even check whether the domain on which the exploit kit is hosted is included in antimalware lists
Defensive components: Venn Diagram
Packers
• Antivirus software usually recognises the signature of the malware in memory
• Compares the suspicious file against a DB of signatures
– If it matches, stop execution, remove
• Packers → essentially pieces of sw that "wrap" the malware and, this way, modify the malware's signature
– The binary memory imprint of the packed malware changes
– The goal is malware obfuscation
• The attacker can send a "fresh" attack with a lower detection rate from AVs
Management Console
Kit exploration: Crimepack
Details on attacks
Define and inject exploit and shellcode
Administer
Exploit selection
High-tech Cybercrime Markets: Why should we care? (Reprise)
• How many of you can build an actual exploit and delivery mechanism that
• Freshly encrypts all its instances to decrease AV detection rates
• Reliably executes its shellcode avoiding ASLR/DEP
• Reliably delivers an encrypted payload
• That silently installs on the victim machine
• And returns control to the parent process without having it throw any exceptions?
→ Commoditization of attacks greatly increases attackers' capabilities
• With 10,000 US$/yr you can build a 1M-bot botnet
• And to break even you need to get 1 US cent out of each.
• You do not believe it?
Underground markets
High-tech Cybercrime Markets
• This technology is traded in underground, closed markets
• We have infiltrated several
• Today we explore the most prominent one
– Russian market
– On the open Internet but with closed access
• The entry barrier requires a credible background, the Russian language, and passing an entry test
• Infiltrated for 4+ years
– 1.5-year "break" as we were kicked out of the market
• Much work to get back in
– TOR access (to avoid firing too many alarms)
Market organisation
• Several "themes"
– [Вирусология] → Virusologia → malware, exploits, packs, ...
– [Доступы] → Access → FTP servers, shells, SQL-i, ...
– [Серверы] → Servers → VPN, proxies, VPS, hosting, ...
– [Социальные сети] → Social networks → accounts, groups, ...
– [Спам] → Spam → emailing, databases, mail dumps, ...
– [Траф] → Internet traffic → connections, iframes, ...
– [Финансы] → Finance → bank accounts, money exchange, ...
– [Работа] → Work → look for and offer jobs
– [Разное] → Other
Market activity
(Chart: variation in market activity; volume of discussion around products, 0-800, by year 2005-2014)
Introduction of new goods in the market
(Chart: variation in no. of new goods; volume of discussion around products, 0-800, and new products introduced in the market, 0-80, by year 2005-2014)
Top 10 on "virusologia" (08.06.15)
(Legend: malware, exploits, crypto/packers, exploit kits)
• Exploit Kit "RIG v3"
• Tool to encrypt malware
• Exploit Kit "Neutrino"
• Sale of Office exploits
• Dropper "Nuclear" (EKit)
• Kernel exploits for Windows
• Crypt online service
• Web attacks injector
• Malware bots
Details of a kit in the market
(Annotated screenshot of a kit advertisement)
• Kit success rate → *the rate depends on the quality of the traffic received
• Install rate
– Zeus malware: 50-60%
– Loader: 80-90%
• Latest prices
• Additional services
• Seller's contacts: Monday – Saturday, 7 to 17, Moscow time zone
Selling traffic
• You can buy traffic from "traffic brokers"
– The user does not have to click on anything
– Automatic redirect
• High-quality traffic derives from the selection of connections based on the requested criteria
– Geographic source
– Installed software
Infect 1 M machines: is it worth it?
Action | Economic effort (1st year)
Buy exploit kit (20% efficiency) | 2000 USD
Connections needed | 5 x 10^6
Installation/set-up | 50-150 USD
Traffic (assuming 2 USD / 1000 conn.) | 10,000 USD
Maintenance (changing IPs, attack signature, ...) | 150 USD
Updates (assuming 2/yr) | ~200 USD
Total | ~12,400 USD – 12,500 USD
Breakeven ROI/bot | ~0.01 USD
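The cost table above as a small Python model, added here as an example (my code, not the lecture's): with its defaults it reproduces the slide's figures, and it adds two assumed knobs, an install rate (the kit advertisement above quotes 50-90%) and an efficiency/traffic-price grid, to show which input moves the break-even most.

```python
def botnet_cost_model(target_bots=1_000_000, kit_efficiency=0.20,
                      kit_price=2000.0, setup=(50.0, 150.0),
                      traffic_price_per_1000=2.0, maintenance=150.0,
                      updates=200.0, install_rate=1.0):
    """First-year cost of a botnet of `target_bots` machines.

    Defaults are the slide's figures. `install_rate` is an assumed extra
    knob (1.0 reproduces the slide's table): with the advertised install
    rates of 50-90%, more connections are needed for the same bot count.
    """
    # Each delivered connection yields kit_efficiency * install_rate bots.
    connections = target_bots / (kit_efficiency * install_rate)
    traffic_cost = connections / 1000.0 * traffic_price_per_1000
    fixed = kit_price + traffic_cost + maintenance + updates
    total_low, total_high = fixed + setup[0], fixed + setup[1]
    return {
        "connections": connections,
        "traffic_cost": traffic_cost,
        "total": (total_low, total_high),
        "breakeven_per_bot": (total_low / target_bots,
                              total_high / target_bots),
    }


def breakeven_sensitivity(efficiencies=(0.20, 0.10, 0.05),
                          traffic_prices=(2.0, 4.0)):
    """Upper-bound break-even return per bot over a grid of kit
    efficiencies and traffic prices (assumed values, not from the slide)."""
    grid = {}
    for eff in efficiencies:
        for price in traffic_prices:
            m = botnet_cost_model(kit_efficiency=eff,
                                  traffic_price_per_1000=price)
            grid[(eff, price)] = round(m["breakeven_per_bot"][1], 4)
    return grid
```

Halving the kit's efficiency and doubling the traffic price have the same effect, because traffic is the one cost that scales with the number of connections.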
Yes but... these guys are criminals, right?
• Criminals selling illegal tools to other criminals in a tax- and control-free market
• Are we sure that those markets function properly?
• ... and are not reduced to a "wanna-be scammer scammed by a scammer" situation?
• The tools are reportedly in the wild and infect machines, so it looks like the markets work. But how?
Operating a cybercrime market
The Principal-Agent problem
• In any market, there is a selection problem between the player that needs the service and the player who offers it
• Think of a typical car scenario:
• Your car breaks down
• You do not know much about cars / do not have time to repair it yourself
• You, the Principal, are willing to pay a mechanic, the Agent, to get the job done
• How do you choose the right agent for the job?
• How do you assess the truthfulness of his "diagnosis"?
• How do you know that the agent is not going to rip you off?
• E.g. by loosening a bolt so that in 2-3 months you'll come back to him?
Information asymmetry
• "Information asymmetry" characterises many economic relations (e.g. in a market)
• It was initially shown by Akerlof in 1970, for the "used cars market"
• The Market for "Lemons": Quality Uncertainty and the Market Mechanism
• It is apparent any time the Principal and/or the Agent cannot make a decision based on complete information
• Or do not possess "technological" means to assess the good / monitor the operations of the other party
• E.g. you don't know enough about cars to assess the mechanic's work
• Information asymmetry can be analyzed in terms of
• Adverse selection
• Moral hazard
Adverse selection and Moral hazard (zipped)
• Adverse selection → the Principal has a hard time choosing the Agents that are most suitable for him/her
• Moral hazard → the Principal has a hard time controlling that the Agent will not change his/her behavior after the contract is signed
• In the black markets...
• Adverse selection → the Buyer has a hard time figuring out whether the Seller offers a product suitable for his/her needs
• Moral hazard → the Buyer has a hard time controlling the Seller after the purchase happened, e.g. to have the product delivered and functioning as promised
Black markets vs Adverse Selection
• Principal → Buyer; Agent → Seller
• How does the Buyer choose the right Seller with the right product for him?
• Sellers surely have no EU certification for the quality and characteristics of their products
• How to choose the product?
• Easiest solution: test it
• Sellers (especially new ones) often provide trial versions of their products
• ... or give you demonstrations of their functionalities
Black markets vs Moral Hazard
• Let's assume that the buyer paid an Exploit Kit license to the seller
• How can the buyer trust the seller not to change his behavior?
• E.g. stealing the buyer's infections by dropping his own malware onto the machines attacked by the buyer?
• Two mechanisms: Reputation and User History
• There is a very strong regulatory mechanism in place
• Bad users can be reported
• "Offender lists" are maintained
• Scammers are put to "public shame"
Market Fairness
• A market only exists when there are sellers that enter the market and buyers that exchange money for products or services
• Imagine yourself (a criminal) trying to sell your product in a new market
• Would you really mind scamming people if there is no "punishment" you fear?
• Would you spend effort, time and money in making a good product if you feel like anybody (e.g. the competition) can just ruin you by telling everybody you are a scammer?
• → An unfair market leads to low-quality tech
• The system needs a mechanism to equilibrate incentives
• One of the main results from [Akerlof 1970]
• Evidence that high-tech cybercrime markets address these problems with convincing instruments
• We'll see three stories taken directly from the markets
Trials in cybercrime markets: the rules (in short)
• Anybody can report anybody else for trial
• Follow the provided template for filing. Must include
• Name and profile of the offender
• Proof of the fact
• The reporter (accuser) and the reported (defender) enter the trial
• The defender has 24 hours to show up
• In particularly complicated cases the defender can be given up to 7 days
• → this decision is taken by the Judge (i.e. administrator)
• An investigation follows:
• Witnesses are called
• Evidence for either case (accuser or defender) is provided
• The administrator takes a decision: Black List or Innocent
(1) The defender does not show up
• October 2013
• The accuser reports he has been scammed for 390 US$ by the defender
• A moderator ("Arbiter") advises to "notify the defender with a personal message [about your report]"
• A third user shows up, reporting that "[Contacting the defender is] useless, he has not been online for a long time"
• The administrator gives the defender 48 hours to show up
• Four days later (the 49th hour was a Sunday) the administrator puts the defender in the black list
(2) The defender loses the trial
• July 2012
• Payment of 3000 WMZ not received;
• the defender is given 12 hours to show up
• The defender shows up after 4 hours
• Brings evidence of payment (very long discussion)
• Posts logs & screenshots of the transaction
• The accuser answers that the payment has never been received
• He/she accuses the defender of having "blocked" or "intercepted" the payment
• Witnesses on his side show up to support his claims and trustworthiness
• The admin gives two options
• 1) The defender must provide final proof of the transaction commit
• 2) Defender and accuser resolve the case in private
• → after a month of discussion the defendant hasn't provided conclusive evidence → he ends up "in the Black" (i.e. listed as an offender)
(3) The defender wins the trial
• October 2012
• The accuser reports a failure on the defender's side to close a transaction
• Reports the IRC log of their conversation
• The accuser paid the defender while the latter was offline
• The defender does not acknowledge the payment and does not come back online in a comfortable "time lapse" for the defender
• The defender shows up shortly after and shows that he never cashed anything
• The admin intervenes and asks "[Accuser] please do moneyback. To be precise, [defender] do not touch the checks, and most importantly [accuser] get the money back in your wallet."
• The accuser stops complaining
• The trial is closed and the defender is cleared of any accusation
Some pointers
• In high-tech cybercrime markets both adverse selection and moral hazard are convincingly addressed
• Pointer: what about the private markets?
• In this course you have access to Hacking Team data
• Is there evidence of product trials/tryouts?
• Or do clients buy motivated by word of mouth?
• How are claims by the client managed?
• Does the tech actually work as promised?
Bibliography
• On exploit kits and attack mechanisms
– C. Grier et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proc. of ACM CCS'12, pp. 821–832, 2012.
– V. Kotov and F. Massacci. Anatomy of exploit kits. In Proc. of ESSoS'13, pp. 181–196, 2013.
– N. Provos et al. All your iFRAMEs point to us. In Proc. of USENIX Security 2008.
• On cybercrime markets
– C. Herley and D. Florencio. Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy. In Proc. of WEIS'10, pp. 33–53, 2010.
– L. Allodi, M. Corradin, and F. Massacci. Then and now: on the maturity of the cybercrime markets (the lesson that black-hat marketeers learned). IEEE Trans. on Emerging Topics in Computing, PP(99), 2015.
– K. Thomas, D. Y. Huang, et al. Framing dependencies introduced by underground commoditization. In Proc. of WEIS 2015.
• On market fairness and agency (optional)
– G. A. Akerlof. The market for "lemons": Quality uncertainty and the market mechanism. The Quarterly Journal of Economics (1970): 488–500.
– K. M. Eisenhardt. Agency theory: An assessment and review. Academy of Management Review 14.1 (1989): 57–74.