
Cybercrime as a Business—Part 2

Getting infected: The exploit/bot/ransom lifecycle

By Francis Turner, ThreatSTOP

In Part 1, I talked about using the cloud for business the criminal way, the benefits of the cloud, and how everything that applies to a regular business in the cloud also applies to the criminal business in the cloud, using examples of and

Today we're going to talk about the scheme, or the step-by-step process, that your computer goes through when it gets infected, by things like Trojans and ransomware, and what you can do to avoid that.

Step 1: Malspam

The first thing that happens is that some internet criminal comes up with a new exploit and then sells it on one of those marketplaces I mentioned earlier to someone else. The buyer comes up with a way to deliver the exploit to victims by, perhaps, creating an email that contains a link to the exploit and a story that makes the victim likely to click on it. For example, the email in the image below was built around a genuine story about a Norwegian fighter pilot that ran on CNN last year.

CNN included a video to accompany the written story, but the hackers took that story and video and hijacked it pretty much at the same time that CNN had the real story and video online.

You would notice, if you were to go to the link, that it's not a CNN link at all; it's a fake. This is how you are going to get hijacked. Basically, the hackers reused the story from CNN's email. You read the intriguing headline and of course want to click on it to learn more because it's interesting, but do you ever check the hyperlinks before you click on them to see where they will actually take you? Probably not. If you did, you would realize that this is the point where you want to hit cancel, because instead of opening the linked story, it downloads a compressed folder called "" And so it begins.
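The check the article asks for, "look at where the hyperlink actually goes before clicking", can be automated on the HTML body of an email. The following is an added example, not code from the article or from ThreatSTOP: it collects every anchor with Python's standard-library HTML parser and flags links whose visible text names one domain while the href points at another. The sample email body, the attacker hostname and the crude two-label "registrable domain" helper are all constructed for the example (a production filter would use a public-suffix list).

```python
"""Flag hyperlinks whose visible text claims one domain but whose href goes elsewhere.

Added example, not from the original article. The sample email and the
attacker hostname below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first link shows a cnn.com URL but really leads elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Breaking: Norwegian fighter pilot story</p>
<a href="http://news-video.example-attacker.net/story.zip">http://www.cnn.com/video/fighter-pilot</a>
<a href="http://edition.cnn.com/world">Read more on CNN</a>
<a href="http://edition.cnn.com/world">cnn.com</a>
"""


def registrable_domain(host: str) -> str:
    """Crude 'registrable domain': the last two labels of the host.

    Assumption of this example; good enough for .com/.net, not for
    country-code suffixes such as .co.uk (use a public-suffix list there).
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_domain(text: str):
    """Return the registrable domain if the visible text looks like a URL or hostname, else None."""
    if " " in text:
        return None  # ordinary words such as "Read more on CNN" make no domain claim
    candidate = text if "://" in text else "http://" + text
    host = urlsplit(candidate).hostname
    if host and "." in host:
        return registrable_domain(host)
    return None


def find_mismatched_links(html: str):
    """Return (href, visible_text) pairs where the text names a domain the href does not go to."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        claimed = text_domain(text)
        real_host = urlsplit(href).hostname
        if claimed and real_host and claimed != registrable_domain(real_host):
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text says {text!r} but link goes to {href}")
```

Only the first link is reported: its text reads as a cnn.com URL while the href lands on the constructed attacker host. Plain wording like "Read more on CNN" is not treated as a domain claim, which keeps the check from flagging every ordinary link.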

Step 2: Exploit

You, the victim, are convinced by the email to open the zip file and double click on the video that it contains. This video is actually an executable and it runs when you double-click on it.

First, it uses some exploit to gain admin rights.

Next, it disables antivirus, Windows Update and similar security services if you have those running (and the equivalent processes if you have a Mac), basically taking over anything that might find it.

Next, it goes to some semi-random domain and downloads something called logo.png. Depending on what network you are on, there are lots and lots of IDSs, IPSs, and similar devices that scan network traffic to see if anything looks suspicious. Typically they go looking for things like .zip or .exe files. They don't normally look at .png, because it's a graphics file that most people don't pay attention to.
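The trick described here, a Windows executable travelling under a .png name, is caught by looking at the bytes rather than the extension. This added example (not code from the article or from ThreatSTOP) sniffs the leading magic bytes of a download and reports when the content type contradicts the claimed extension. The sample byte strings are constructed: the "fake PNG" is only a PE header stub, not a program, and the signature table covers just the three formats the article mentions.

```python
"""Detect downloads whose content does not match their claimed extension.

Added example, not from the original article. The sample byte strings
below are constructed; the fake PNG is a bare 'MZ' header stub, not a
working executable.
"""
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG file
MZ_MAGIC = b"MZ"                   # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP archive

# Minimal signature table for the formats the article talks about.
SIGNATURES = {
    "png": [PNG_MAGIC],
    "exe": [MZ_MAGIC],
    "zip": [ZIP_MAGIC],
}


def sniff_type(data: bytes):
    """Return the format whose magic bytes the data starts with, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def claimed_extension(filename: str) -> str:
    """Lower-cased extension from the file name, '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when the content is a known format that differs from the extension.

    Unknown content is not flagged (we cannot say what it is), but a file
    that is recognisably an executable named logo.png is.
    """
    actual = sniff_type(data)
    return actual is not None and actual != claimed_extension(filename)


def scan_downloads(records):
    """Given (filename, bytes) pairs, return the names that masquerade as something else."""
    return [name for name, data in records if is_masquerading(name, data)]


# Constructed samples.
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
FAKE_PNG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56    # PE header stub only
SAMPLE_DOWNLOADS = [
    ("banner.png", REAL_PNG),
    ("logo.png", FAKE_PNG),
    ("story.zip", ZIP_MAGIC + b"\x00" * 26),
    ("notes.txt", b"just text, no known magic"),
]

if __name__ == "__main__":
    for name in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"{name}: content is {sniff_type(dict(SAMPLE_DOWNLOADS)[name])}, extension says otherwise")
```

Only logo.png is reported. The text file is left alone because the scanner has no signature for it; a proxy or IDS rule built this way errs on the side of flagging only what it can positively identify.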

From there, it gets downloaded and copied to someplace suitable where it can run with a random name (and an .exe type) that isn't going to clash with anything else.

Then, since it has admin rights, it creates a service on the computer calling itself "Google Update Service" since that's clearly trusted. It creates a bunch of registry keys that look legit and now every time you reboot, the Google Update Service is going to run as part of your service, and, of course, the Google Update Service is the bot that has been downloaded as logo.png.
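A service that calls itself "Google Update Service" but runs a randomly named executable from an odd directory is the kind of inconsistency a periodic audit can surface. This is an added example, not code from the article or from ThreatSTOP: it takes a list of (service name, image path) records, which you would obtain from the Windows service registry or a management tool, and flags entries that borrow a trusted vendor's name while running from outside the vendor's normal install locations. The service records, vendor word list and expected directories are constructed assumptions for the example.

```python
"""Flag services whose name imitates a trusted vendor but whose binary lives somewhere odd.

Added example, not from the original article. The service records, the
vendor word list and the expected install directories are constructed
assumptions; feed real records from the service registry in practice.
"""
TRUSTED_VENDOR_WORDS = ("google", "microsoft", "windows", "adobe")

# Directories where a genuine vendor service binary would normally live (assumption).
EXPECTED_PREFIXES = (
    r"c:\windows\system32\ ".strip(),
    r"c:\program files\ ".strip(),
    r"c:\program files (x86)\ ".strip(),
)

# Directories that are a red flag for any service binary, vendor name or not (assumption).
RISKY_PREFIXES = (
    r"c:\users\ ".strip(),
    r"c:\windows\temp\ ".strip(),
    r"c:\programdata\ ".strip(),
)

# Constructed sample records: (service display name, image path).
SAMPLE_SERVICES = [
    ("Google Update Service (gupdate)", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    ("Google Update Service", r"C:\Users\victim\AppData\Local\Temp\qz81kd.exe"),
    ("Windows Audio", r"C:\Windows\System32\svchost.exe"),
    ("Print Spooler Helper", r"C:\ProgramData\x9f2\spool.exe"),
    ("Corp Backup Agent", r"C:\CorpTools\backup\agent.exe"),
]


def normalise(path: str) -> str:
    """Lower-case the path and use backslashes so prefix checks are consistent."""
    return path.replace("/", "\\").lower()


def imitates_vendor(name: str) -> bool:
    lowered = name.lower()
    return any(word in lowered for word in TRUSTED_VENDOR_WORDS)


def audit_services(records):
    """Return (name, path, reason) for each record worth a closer look."""
    findings = []
    for name, path in records:
        npath = normalise(path)
        in_expected = any(npath.startswith(p) for p in EXPECTED_PREFIXES)
        in_risky = any(npath.startswith(p) for p in RISKY_PREFIXES)
        if imitates_vendor(name) and not in_expected:
            findings.append((name, path, "vendor-like name, binary outside vendor directories"))
        elif in_risky:
            findings.append((name, path, "service binary in a user or temp directory"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_services(SAMPLE_SERVICES):
        print(f"{name!r} -> {path}: {reason}")
```

The genuine Google updater in Program Files (x86) passes, the fake one in a Temp folder is flagged for its misleading name, and the spooler "helper" in ProgramData is flagged on location alone. The registry keys the article mentions would be checked the same way, by comparing the ImagePath value of each service against where its claimed vendor actually installs.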

Finally, after installing the service, the exploit is done and it will now run, for the very first time, this new bot: the Trojan.

Step 3: Trojan

The first thing the Trojan does is call home and say, "Hi, I'm a new computer. What should I do?" Usually, it will end up going to some semi-random domain (or try a whole bunch of domains of which only one will actually work; the others are there to confuse things). This is actually one of the really good ways to detect if you've got a bot on your network: looking at which domain records have been looked up and failed. If you see one particular computer making 200 or 300 attempted resolutions of strange domains, none of which work, then that computer certainly has a problem.
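The detection the article describes, one host piling up failed lookups of strange names, can be run over a resolver's query log. This added example (not code from the article or from ThreatSTOP) parses a constructed log format of the form "timestamp client query name rcode", counts distinct NXDOMAIN names per client, and reports clients that exceed both an absolute count and a failure ratio. The log lines, the domains in them and the thresholds are all constructed assumptions; real resolvers log in their own formats, so the regular expression is the part you would adapt.

```python
"""Find hosts whose DNS lookups fail far more often than normal.

Added example, not from the original article. The log format, the sample
lines and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed log line shape: "<iso timestamp> <client ip> query <name> <rcode>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+query\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)

# Constructed sample: 10.0.0.12 walks through 40 never-resolving names,
# 10.0.0.7 makes one typo, and one junk line should be ignored.
SAMPLE_LOG = "\n".join(
    [f"2015-06-01T10:00:{i:02d}Z 10.0.0.12 query h{i}.example-bad.net NXDOMAIN" for i in range(40)]
    + [
        "2015-06-01T10:00:05Z 10.0.0.7 query www.example.com NOERROR",
        "2015-06-01T10:00:06Z 10.0.0.7 query typo.exmaple.com NXDOMAIN",
        "2015-06-01T10:00:07Z 10.0.0.12 query updates.example.com NOERROR",
        "this line is not a query record",
    ]
)


def parse_log(text: str):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            yield match.groupdict()


def nxdomain_stats(text: str):
    """Map client ip -> (distinct NXDOMAIN names, total queries)."""
    failed = defaultdict(set)
    total = defaultdict(int)
    for rec in parse_log(text):
        total[rec["client"]] += 1
        if rec["rcode"] == "NXDOMAIN":
            failed[rec["client"]].add(rec["qname"].lower())
    return {client: (len(failed[client]), total[client]) for client in total}


def suspicious_clients(text: str, min_failures: int = 20, min_ratio: float = 0.5):
    """Clients with at least min_failures distinct dead names making up min_ratio of their queries.

    Both thresholds are assumptions; tune them to the size of the network
    (the article's figure of 200 or 300 failures is a safe starting point).
    """
    flagged = []
    for client, (failures, queries) in nxdomain_stats(text).items():
        if failures >= min_failures and failures / queries >= min_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, (failures, queries) in sorted(nxdomain_stats(SAMPLE_LOG).items()):
        print(f"{client}: {failures} distinct NXDOMAIN names out of {queries} queries")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Counting distinct names rather than raw failures matters: a single misconfigured host retrying one dead name produces a large count but only one distinct failure, while a bot trying a generated list of candidate domains produces many. The ratio check keeps a busy, mostly healthy host from being flagged for a handful of typos.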

Once the Trojan finds a domain that works, it sends some basic profile information, such as its external and internal IP addresses, user, and OS version, and is then given a default set of things to download. The classic thing it's going to do is download a Zeus bot, consisting of a keylogger and other components that will replace your web browser's display with whatever the criminals want when you next log in to your Internet banking portal.

Step 4: Trojan Sends Data

Now the Trojan is running and knows what to do. Since you are in America, it obtained a whole bunch of details about American banks: Bank of America, Chase, Wells Fargo, whichever. If we were in the UK, it would be Royal Bank of Scotland or Barclays. If we were in France it would be BNP, etc. The Trojan knows your location (from when it called home), so the bank details it fetches depend on where you are.

So, now when you go to log into your bank account, the Trojan captures your login credentials using a keylogger. Then, it sends them to the call-home location. At this point, you'll usually get a pop-up that says something to the effect of, "As an added security measure, we need more details from you." It will be asked in a way that sounds totally plausible.

Undoubtedly, lots of people fall for this trick. Now the hacker has obtained all of your banking details; they've cloned your credit card and sold it on Rescator to somebody who's going to go to Best Buy, buy lots of stuff, and have it delivered somewhere else so the criminals can then resell the product. They may also set up a wire transfer and siphon all of your money out in one go if you have a large balance.

Step 5: Ransom

One way or another, the criminal has gotten money from you, obtained your credentials, and whatever else they wanted from you. Eventually, you're of no further use to them. At this point, you've probably run antivirus about five times, your bank account is probably empty, or close to empty, you've changed your credit card details and so on. Now that you're no longer of use to the criminal, they take it a step further and sell you down the river to another criminal who's now going to put ransomware on your computer. What is ransomware, you ask? Basically, ransomware encrypts all of your files and then says that if you pay us "X" amount of dollars, we'll decrypt them for you.

An example would be the Trojan calling home, downloading a new (encryption) file, and running it. It then contacts a particular server and says "I was called from 'this guy'", so the ransomware criminal needs to pay the previous botnet "owner" a referral fee. This is "pay to infect": it's affiliate marketing the criminal way. Just like how you get click-throughs with banner ads on websites, these guys have exactly the same systems.

After it does its call home, it goes somewhere else to get an RSA key. The RSA key is so it can encrypt your files with a custom key that nobody else has. Now that it has the public RSA key, it goes and finds all your pictures, documents, and anything else it thinks is interesting, encrypts them, and then you get a message:

What does it mean? It means you won't be able to work on your files anymore, BUT with "their help" (because they're such nice people), they can "help" you get your files back. The pop-up will demand payment and then show the user instructions on what to do. And you've got a deadline; if you go past the deadline, the amount doubles. Typically, it tells you how long you've got until the deadline expires, usually about four days. Sometimes they'll even decrypt one file for free just to prove they really can. Sometimes they actually even let you choose the file.

The above is the criminal lifecycle of a computer as it gets infected, and how you, without ever intending to, end up enriching a whole chain of criminal associates. And it's just one example of what happens when a computer gets infected by a bot.

In my next and final part, we’ll talk a little bit about the arms race and its evolution as it relates to hacking.

About the Writer

Francis Turner has worked for almost 30 years in the IT and data communication industries and is currently VP of Research and Security at ThreatSTOP where he leads the company's research into computer and network security threats (botnets, phishing and other cyber-threats). For more information, visit or follow @ThreatSTOP on Twitter.


© Copyright 2015 Auerbach Publications