
Cybercrime as a Business—Part 3

The Evolution of the Arms Race

By Francis Turner, ThreatSTOP

In Part 2, we talked about the criminal lifestyle of the computer as it got infected (from MalSpam, to exploit, to Trojan, to ransom), and how you, an "involuntary contribution associate" would enrich various criminals.

Today we're going to talk about the evolution of the arms race.

Initially, things were simpler. Electronic banking was so easy, it was just a username and password and nothing else. But then banks started to get worried because it was too simple. Today they're using two factor authentication and SMS messaging verification with mobile phones, but this hasn't stopped the criminals because they are able to infect your phone as well.

Working Around Two Factor Authentication

So, how have criminals evolved to also be able to do two factor authentication? Generally speaking, they figure out a way to hijack your phone too. For example, there's a Trojan called EuroGrabber. It is customized for European (specifically German and Italian) customers. In Europe, when you do any banking transfer, they send you an SMS with something called a TAN (Temporary Account Number). Users have to enter the TAN received on their phone into the website so the transaction can move forward. The way it works is they get the banking Trojan on your computer and, after you log in, they redirect the page to their own page instead, which says something like, "In order to improve security, you must download the following app which will improve the security of the TAN process." Plus they'll have lots of detailed instructions on how to do it to make it look realistic. And people do it.

Now they've downloaded the app onto your phone. They've also got your banking details out of the computer and into their drop server. Then when you decide to go to your online bank to do a transaction, the bank sends you the SMS message for that transaction, but what the hacker does is hijack it via the app on your phone. Usually the app message is delayed somehow or you don't see it at all. In the meantime, it's sending it to the C&C server, which then makes a transaction on your behalf, which then gets transferred to the mule account, who then forwards it on to the criminal.

This won't happen for every transaction; maybe every second or third or even every 10th transaction. People don't look at their bank transactions or at least look closely so they can milk you for months or years before you notice.

The Evolution of "Call Home"

The call home is the key part of the hacking problem because it's the only way a criminal can get the "stuff" out.

Originally, the call home was hard coded, which turned out to be inefficient. First, because they had to have a server in one location (if they got taken down, they would be in trouble); secondly, malware researchers would go and disassemble the code and tell everyone what the server's address was so it would get blocked. So, the first thing the hackers did was start using DNS. However, with DNS, you can still figure out how to disassemble the malware and have something in place that blocks lookups to that domain name.

Now, hackers are using Dynamic DNS, and it's often the exact same Dynamic DNS servers that everybody else uses. So now, you can go to something like (registered by a criminal) and the IP changes frequently because it is a dynamic domain. The hackers keep updating it continuously with different bots; almost like a peer to peer thing. Basically, every bot or various bots become master controllers and they take it in turns to update the Dynamic DNS name to their IP address. This sort of thing is called fastflux because the destination changes rapidly.

Fastflux is often combined with dynamically generated domains created by a Domain Generation Algorithm (DGA). A DGA is a program that creates a semi-random domain (or subdomain) based on things like the date and various constants (salt) provided by the creator. So for example a DGA might return today and tomorrow and some other set of numbers the day after etc. Or it might be a domain like or almost anything else. All that matters is that the criminal and the bots he's running both know that today they should use one particular combination.
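Because a DGA is deterministic, anyone who has recovered the algorithm and salt from a sample can compute the same domains ahead of time and match them against DNS query logs. The sketch below is an added example, not code from the article or from any real malware family: the hash-based `toy_dga`, the salt, the `.test` domains and the query log are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

SALT = "constructed-salt"  # assumption: stands in for the constant recovered from a sample

def toy_dga(day, salt, tld="test"):
    """Hypothetical date+salt DGA: the same inputs always yield the same domain."""
    digest = hashlib.sha256(f"{day.isoformat()}|{salt}".encode()).hexdigest()
    return f"{digest[:12]}.{tld}"

def blocklist(start, days, salt):
    """Map each domain the DGA will produce in the window to the day it is valid."""
    return {toy_dga(start + timedelta(n), salt): start + timedelta(n)
            for n in range(days)}

def match_queries(queries, start, days, salt):
    """Return (client, domain, valid_day) for logged queries that hit the window."""
    expected = blocklist(start, days, salt)
    return [(client, name, expected[name].isoformat())
            for client, name in queries if name in expected]

# Constructed DNS query log: (client IP, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", toy_dga(date(2015, 3, 2), SALT)),   # simulated infected host
    ("10.0.0.6", "www.example.org"),                 # ordinary lookup
    ("10.0.0.5", toy_dga(date(2015, 3, 3), SALT)),   # next day's domain
]

if __name__ == "__main__":
    for hit in match_queries(SAMPLE_QUERIES, date(2015, 3, 1), 7, SALT):
        print(hit)
```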

Combining DGA with Fastflux

When you have things like DGA and fastflux, it looks like you've got a pretty surefire way to ensure your data can get out to a proxy that then forwards it to you. There are a couple of catches. The standard dynamic DNS providers such as Dyn or No-ip are pretty good at closing down accounts and domains that are being used for malware so you probably need to have your own domains (like the example above) rather than relying on * Because if the dynamic DNS person kills your domains/account before your bots can call home you've lost all ways to communicate with them. So in this case you need a long term secure DNS server that can be the name server for all your DGA domains. The way to attack this is to go look at the DNS server itself and figure out what that is. The DNS server is a bit harder to hide, however the hackers try to beat this too.

For example, in the picture below, they'll have a DGA like this:

If you look it up, you'll see it has a perfectly legit long time period of a name server (NS). Then you look at the NSIP and that's 5 seconds. But, when you do the A record, you'll see that's also 5 seconds. However, what's important is the A is really where the hackers are trying to go to; that's the fastflux bot. It's hard to block that because there could be hundreds of things there, and it changes every 5 seconds. What you need to remember is the way the DNS lookup works. When looking for the domain's address, the first thing you do is get the name server for .net, go to the .net server and get the nameserver for the DGA domain from that .net server. That's where the weakness lies. The .net server will not allow that name server record it has--the "glue record"--to be a fast flux domain. It HAS to be long. So, if you can figure out what that is, you can block that, and that won't change. And if you block that you will have blocked the malware.
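The check described above can be run over collected DNS answers: flag names whose A records are short-lived and rotate through many addresses, then report the parent-side name server and glue address they share as the stable thing to block. This is an added example, not part of the original article; the record-line format, the `.test` names, the documentation-range IPs and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations: "<source> <name> <ttl> <type> <rdata>".
# "parent" = answer from the TLD server, "auth" = answer from the zone's own name server.
SAMPLE = """\
parent qzx7k2ab.test. 172800 NS ns1.dnshost.test.
parent m4p9wv1c.test. 172800 NS ns1.dnshost.test.
parent ns1.dnshost.test. 172800 A 192.0.2.53
auth ns1.dnshost.test. 5 A 192.0.2.53
auth qzx7k2ab.test. 5 A 198.51.100.10
auth qzx7k2ab.test. 5 A 198.51.100.77
auth qzx7k2ab.test. 5 A 203.0.113.4
auth m4p9wv1c.test. 5 A 203.0.113.90
auth m4p9wv1c.test. 5 A 198.51.100.23
auth m4p9wv1c.test. 5 A 203.0.113.61
parent shop.test. 172800 NS ns.shop.test.
parent ns.shop.test. 172800 A 192.0.2.80
auth shop.test. 3600 A 192.0.2.81
"""

def analyze(text, max_ttl=60, min_ips=3):
    """Return (fast_flux_domains, block_targets) from observation lines."""
    a_seen = defaultdict(lambda: {"ttl": [], "ips": set()})
    delegation = defaultdict(set)   # zone -> NS names held by the parent
    glue = defaultdict(set)         # NS name -> addresses held by the parent
    for line in filter(str.strip, text.splitlines()):
        source, name, ttl, rtype, rdata = line.split()
        if source == "auth" and rtype == "A":
            a_seen[name]["ttl"].append(int(ttl))
            a_seen[name]["ips"].add(rdata)
        elif source == "parent" and rtype == "NS":
            delegation[name].add(rdata)
        elif source == "parent" and rtype == "A":
            glue[name].add(rdata)
    # Fast flux heuristic: short-lived A records rotating through many addresses.
    flux = sorted(d for d, v in a_seen.items() if d in delegation
                  and min(v["ttl"]) <= max_ttl and len(v["ips"]) >= min_ips)
    # Stable choke point: the parent-side NS names and their glue addresses.
    targets = set()
    for d in flux:
        for ns in delegation[d]:
            targets.add(ns)
            targets.update(glue[ns])
    return flux, sorted(targets)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Both flagged domains resolve to different, constantly changing addresses, yet they share one delegation, so a single block entry covers them.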

Of course, in the end, you can get infected multiple different ways; this was just one example in a sea of many. You can get infected by someone giving you a USB stick with something on it that happens to be infected. You can get infected by going to the wrong site where someone is doing malvertising. You can go to where there's a banner ad that's owned by the bad guys and they inject some sort of exploit into the banner ad. Depending on what the exploit is, you might not have a way to say no to that.

I strongly recommend running no scripts and blocking those on whatever random sites you go to or new sites that are popular. But in the end, there is no single bullet to security. You need to have multiple layers of defense and have those all checked regularly.

About the Writer

Francis Turner has worked for almost 30 years in the IT and data communication industries and is currently VP of Research and Security at ThreatSTOP where he leads the company's research into computer and network security threats (botnets, phishing and other cyber-threats). For more information, visit or follow @ThreatSTOP on Twitter.


© Copyright 2015 Auerbach Publications