The Discovery of Botnets on our Enterprise Networks Can Be an Indicator of an Advanced Targeted Attack.
In Part 1 of this series, ‘Advanced Threats and Nation States,’ the focus was on advanced targeted attacks and the methods used by nation states to launch them. In Part 2, we’ll take a closer look at criminal circuits and the advanced threat methods used by them—most prominently those involving botnets.
Botnets are frequently found on today’s corporate networks. A growing number of the infections caused by botnets are in fact symptoms of an advanced targeted attack. As such, it is beneficial to understand the evolution of botnets so we can react appropriately and keep our networks safe. Botnets have evolved greatly from when they first surfaced a decade ago.
In 2003, as email spam became a major problem, service providers were tracking down and blocking the IP addresses from which the spam was emanating. Subsequently, service providers shut down open email relays, compromised servers and shunned dedicated spam farms. Since there were generally only a few IP addresses under the control of spammers, they would soon be put out of business as a result. Many believe this is what led to the deployment and propagation of the first botnets by spam circuits. These botnets represented a completely new model for the spammers. Rather than focusing on optimizing the few servers they did control, they would focus on infecting and remotely controlling the vast number of computers they did not yet control. A botnet (short for ‘robot network’) is a network of computers infected by malware and under the control of a ‘botmaster.’ Each individual machine under the control of the botmaster is known as a bot.
The result was the birth of the Bagle, Bobax, Mytob and SDbot botnets. Although primitive at the time, their births ensured the financial success of the growing criminal underworld for the next decade—and perhaps well beyond. Let’s take a closer look at their evolution and use as an advanced threat method by criminal circuits.
The criminal underground is focused on obtaining money, and financial botnets are at the very center of its malware innovation. The first financial botnets were keyloggers. These tools captured users’ login IDs and passwords and forwarded them to specific command and control (C2) servers. Once botmasters parsed their way through the users’ logs, they would often come across valuable credentials for customer banks and financial institutions. As a result, commercial bank accounts—protected only by usernames and passwords—were compromised. Money was transmitted at great speed through wires and Automated Clearing Houses (ACH) to accounts in Eastern Europe. Thus, financial fraud—at Internet scale and speed—was born.
The banking industry reacted promptly. In 2005, the FFIEC provided guidance for banks, recommending multifactor authentication for high-risk accounts. This left the burden of interpreting and implementing this guidance with the individual banks. Many top-tier banks complied and interpreted the FFIEC guidance, applying it to commercial accounts with large money movement capabilities. These banks secured their commercial accounts using the best technologies at the time. Unfortunately, others did not. Many of those who didn’t suffered major financial losses from keyloggers.
The success of Zeus has led to the advancement of antimalware software built specifically to combat it. Many banks now offer software for deployment on customer endpoints, as well as advanced antifraud analytic models to detect Zeus. Zeus (and its latest incarnation, Citadel) has also evolved over the years – continuing to frustrate banks worldwide. Trojans like Bugat and SpyEye have also met with success as financial botnets.
A New World Order
The success of Zeus and other financial botnets led to another set of problems for the financial underworld: how to move money. This was initially solved by the creation of the mule economy. Mules are money-transporting intermediaries between compromised accounts and fraudsters. While fraudsters have focused on creating malware and running botnets, mule organizations have emerged to ensure stolen money is transmitted back to the malware crews. Mule organizations recruit, train and micromanage the mules to assure they quickly transmit stolen funds to the cybercriminals. For this ‘service,’ mules charge fees of up to 40 percent of the stolen funds.
Individual mules, however, often receive little to no compensation. Some of them have been duped by romance or work-from-home scams—only realizing they are part of a criminal network when the FBI knocks on the door. Others are certainly criminals—often with US J-1 work visas or forged passports—focused on maximizing their personal gain for a few months’ work. Because unsuspecting mules are generally used only once and then discarded, the main bottleneck in financial fraud in recent years has been the inability of criminal circuits to recruit enough mules to move stolen money. With the recent availability of prepaid debit and credit cards, more fraudsters are moving to these as ‘virtual mules,’ and we should expect an uptick in bank fraud as a result.
Today, as financial fraud continues to grow, there is increasing demand to infect more and more machines. This has given rise to the ‘pay-per-install’ economy. The focus of this criminal group is to install other fraudsters’ malware on consumer machines with the goal of receiving a fee every time an install is successful. As a result, specialized malware such as Bredolab and the Blackhole Exploit Kit have been leveraged to infect tens of millions of PCs with financial malware—including keyloggers, ransomware and spam bots. For example, Bredolab installed a wide range of malware families, spanning password stealers, rootkits, backdoors, banking trojans, fake anti-virus software and spam malware. Pay-per-install usually uses a shotgun approach, attempting to infect as many machines as possible. Every day, multiple new infection campaigns are launched. However, many last only a few hours—not nearly enough time for many traditional security companies to react to protect their customers. In recent weeks, even the NBC website has been compromised with the Citadel malware. When ‘interesting’ machines are successfully compromised—like those in a military installation or within a Fortune 500 development team—they can be auctioned off to nation states who will exploit them for data theft.
Also emerging is an economy to host and manage cyber fraud infrastructure. Bulletproof hosting services ensure that C2 servers remain responsive and untouchable by law enforcement. With the emergence of new currency models like WebMoney, Liberty Reserve and Bitcoin, money can be moved without triggering alarms. The use of VPN services means that botmasters never expose their real IP addresses, ensuring there are no activity logs for law enforcement to use as evidence in a prosecution. Many of the botnet arrests around Zeus and Bredolab have occurred when botmasters used their criminal infrastructure for personal activities—including logging on to their Facebook page or ordering pizza for home delivery.
Interestingly, even amongst divergent criminal groups there is cooperation for financial gain. In November 2011, Zeus botnet crews teamed up with DirtJumper DDoS crews to launch a series of devastating attacks on US banks. For example, once the Zeus crews had stolen up to $1 million from a commercial bank account, the DirtJumper crew would subsequently launch a DDoS attack to incapacitate the bank’s website. As a result, the victim would not be able to access the bank website—and therefore unable to notice the major drop in their account balance. Meanwhile, the bank would be focused on restoring connectivity rather than searching for fraud. In the end, the banks became aware of the connection between the Zeus and DirtJumper DDoS crews and the thefts stopped.
The recent Operation Ababil DDoS attacks on banks this year were not focused on cyber fraud. However, in the initial DDoS attacks, those behind them published in advance which banks they would attack and when. Fraudsters took notice, phoning the banks’ call centers when their websites went down to take advantage of relaxed authentication standards and easier transaction approvals.
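The two cover-for-fraud patterns described above (a large outbound transfer shortly before a website outage, and phone-approved transactions placed while the website is down) can be turned into a simple fraud-desk correlation check. This is an added example, not code from the original column; the transfer records, outage window, thresholds and time windows are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# Transfer: (id, ISO timestamp, amount in USD, approval channel)
TRANSFERS = [
    ("t1", "2013-03-04T09:10:00", 850_000, "web"),
    ("t2", "2013-03-04T09:15:00", 1_200, "web"),
    ("t3", "2013-03-04T10:05:00", 450_000, "phone"),
    ("t4", "2013-03-05T14:00:00", 990_000, "web"),
]
# Outage: (start, end) of online-banking website unavailability
OUTAGES = [
    ("2013-03-04T09:40:00", "2013-03-04T12:00:00"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_transfers(transfers, outages, large=250_000, lead=timedelta(hours=2)):
    """Return {transfer_id: [reasons]} for transfers matching either pattern.

    large: amount at which a transfer counts as 'large' (assumed threshold)
    lead:  how soon after a large transfer an outage must start to be linked
    """
    windows = [(parse(s), parse(e)) for s, e in outages]
    flagged = {}
    for tid, ts, amount, channel in transfers:
        when = parse(ts)
        reasons = []
        for start, end in windows:
            # Pattern 1: large outbound transfer shortly *before* the site goes down,
            # the Zeus + DirtJumper sequence where the outage hides the balance drop.
            gap = start - when
            if amount >= large and timedelta(0) <= gap <= lead:
                reasons.append("large transfer %dm before outage" % (gap.seconds // 60))
            # Pattern 2: transfer approved over the phone while the website was down,
            # the window in which call-center authentication tends to be relaxed.
            if channel == "phone" and start <= when <= end:
                reasons.append("phone-approved during outage")
        if reasons:
            flagged[tid] = reasons
    return flagged


if __name__ == "__main__":
    for tid, why in flag_transfers(TRANSFERS, OUTAGES).items():
        print(tid, "->", "; ".join(why))
```

In the sample data, t1 is flagged because the outage began 30 minutes after a large wire, and t3 because it was phone-approved during the outage; t2 is too small and t4 falls outside any window.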
When the Citadel Trojan was released and deployed, its creators offered legitimate bug tracking and accepted product roadmap requests. But when Citadel captured the attention of the security community, they disappeared into the shadows. Meanwhile, DDoS vendors like Gwapo have actually gone to the trouble of creating advertisements for their services and posting them on YouTube.
With the evolution of the cyber threat landscape, there is now cooperation between criminals and nation states. According to Kaspersky Lab’s January 2013 report on the Red October (AKA Rocra) malware, there is strong evidence that Russian-speaking cybercriminals assisted a foreign nation state in building it. This advanced malware operated for years, stealing information from governments and diplomatic missions across Eastern Europe, Western Europe, North America and the ex-Soviet republics.
The alignment of mercenary cybercriminals and nation state hackers represents a major threat to intellectual property worldwide. And Kaspersky’s report may be the tip of an iceberg. Financial botnets like Zeus—which are both advanced and highly configurable—have also been implicated in data theft. For example, Zeus can be configured to become active only when certain websites are visited—making it much less likely to be detected when targeting an individual organization. Zeus will then take screenshots and send an instant message to the botmaster, which allows him to take control of the fully authenticated session in real time. Similarly, the ‘Poetry Group’ has carried out attacks on the Polish and Japanese governments in recent months. Other corporate espionage groups prefer to reuse financial botnet malware, since it is less likely to be detected and more likely to be dismissed as a commodity malware infection.
Consequently, the discovery of botnets on our networks can now be an indicator of an advanced targeted attack. In 2013, we expect that criminal networks will increase their focus on obtaining stolen certificates (to sign more malware and achieve more successful installs), improving their botnets, hiding their C2 servers more effectively and lowering their antimalware detection rates. All of these techniques will help criminal circuits find new ways of hiding their servers and their proceeds, while also helping nation states steal more sensitive data. In the next column, we will take a closer look at hacktivists and their nefarious activities before exploring the CRIME methodology for seeing and detecting advanced threats and zero-day attacks.