Skull Session on Spam and Abuse

ISPs and the threat from the Underground Economy
Mike O’Reirdan
Comcast Distinguished Engineer
26th March 2009
Agenda
• The Underground Economy
• Not just a technical issue
• The threat to the industry
• Malware and assorted wickedness
• What is the industry doing right now?
“….Internet is at Serious risk… botnets could eat the Internet”
Vint Cerf, World Economic Forum, Davos, January 2007
Spam is a part of the malware issue
• Competent ISPs have a reasonable handle on spam
– Economic problem rather than a technical one
• Costs are servers, software and staff
• End user spam levels are low
• The issue now is malware
• Direct threat to whole Internet
– Personal data
– Infrastructure attacks
• Estonia, Georgia, Kyrgyzstan
– Spamming
THE UNDERGROUND ECONOMY
• Parallels with other crime waves
• Good example is numbers rackets
– Initially run by amateurs or small scale criminals
• Organised crime saw the opportunities offered and easy money to be made
– Moved in, made rackets more sophisticated, technically more complex
• Same has happened to online fraud
• Mainly operated out of poorly policed environments such as Eastern Europe, West Africa and China
– Weak legal environment
– High level of organised crime
– Good educational systems
• Now a complete underground economy turning over billions of dollars.
– Low physical risk to the criminal
– Low cost of entry
– High returns, FBI estimates $67B per year
– Very hard to prosecute
Unlike the numbers rackets, they even have advertising
Advertising for Criminals!
Legal perspective
• Jurisdictional problems
– International issues
– Getting support in multiple jurisdictions
– A single “crime” will almost certainly be perpetrated in many countries
– Some countries have weak legal systems in relation to cyber crime
• Many DAs find it easier to prosecute “regular” crime
– Easier to see a drugs haul than a server with stolen identities
– Requires specialised training
– Not seen as a large enough crime
• Inadequate resources
– Few agents are trained to combat cyber crime
– Overseas presence is heavily strained
• The FBI believes that supporters of terrorist groups are using phishing schemes to raise funds for groups that they support
• Moves are afoot to make the issue legally the responsibility of the ISPs
– Richard Clarke (Former special adviser to the President on Cyber security)
– "[The FCC] could, for example, say to all the ISPs, 'You will do the following things to reduce fraud, bot nets, malicious activity, etc.'"
– Other agencies are looking at the revocation of some common carrier privileges
Educational and cultural perspective
• Population old enough to use, but not educated enough to defend themselves
– Like asking your granny to gap the spark plugs on her car
• Many efforts to educate from a number of agencies
– FTC
• Main agency charged with messaging public about online safety
• Relatively poorly resourced, good in that it listens to industry
– ISPs
• Public perception is that the ISPs are not “doing enough”
• Many ISPs offer free protection with leading AV and firewall offerings, but many customers do not know about it or choose not to use it
• Little idea of scale of criminality on the Internet
• Expectation of freedom to surf
• Regulation seen as an inhibitor to the development of the Internet
• Privacy has yet to be redefined on the Internet
The threats to ISPs
• Underground Economy is biggest threat
– Attacks motivated by money, ROI on cost of attack
– Subscribers are the target
• Various guises
– Malware
– DDOS
– Phishing
– Spear-phishing
• Glory threat remains
– Not negligible
– Web site defacement, attacks on infrastructure such as DNS
• Social engineering is a massive threat
The prevalence of malware and bots
• Recent unpublished data shows that the level of infection for broadband ISPs ranges between 10 and 25% in the USA and substantially higher in some other countries.
• Main aim is to extract information which can be sold in the “Underground Economy”
• Volumes of malware have increased massively
– Now seeing up to 20m pieces per annum (Symantec)
• Moving to the single use binary
– Like a one time code pad, much harder to defend against
– Renders many current defense mechanisms useless
A brief history of Malware
• “Hobbyist Phase (1986-2000): Viruses written largely out of curiosity, or for bragging rights
– Payloads tended to be limited to propagation, destruction, or political/personal messages
• Criminal/Commercial Phase (Early 2000s-Present): Bots, Backdoors, Password-Stealers, Spyware, Adware
– Shift from parasitic to static malware; steep growth in malware creation rates
– The point is stealth and data, and uncontrolled propagation is bad for business”
David Marcus (McAfee)
• Expect to see twenty million items of Malware reported this year
(Symantec)
• Aim of the bot designers is to provide a highly reliable piece of software that will undetectably run with very little end user impact
Three principal methods of malware distribution
• Email
– Large amount of malware is distributed via SMTP
• User opens email
• Opens attachment or clicks on URL
• Exploit is used to transfer malware to user
– Initial malware is downloader
– Brings down full exploit
• Web exploits
– Exploited servers
• User visits web site
– Vulnerable browser / OS is exploited
– Exploit is used to transfer malware to user
» Initial malware is downloader
» Brings down full exploit
• IM
– Message to attract user to exploited server
• User visits servers
– Exploit is used to transfer malware to user
» Initial malware is downloader
» Brings down full exploit
Technical perspective
• Botnet technology varies
– IRC
• Original location of bots on the Internet
• Easier to track
• Some IRC botnets use “anti-sandboxing” techniques
» Often “captured bots” are run in a sandbox
• Still in use but slowly being obsoleted for sophisticated users
» Recent DDOS attack on CastleCops
– HTTP proxy bots
• Extensive usage
» Principally spam
• Actively worked by leading researchers
• Easily hides C&C traffic within normal port 80 traffic, requiring extensive filtering to detect
– P2P
• Big problem area due to levels of sophistication
• Using modified generally available protocols such as eDonkey
• Encrypted payloads and communications
• Requires traffic analysis approach
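The HTTP and P2P bullets above make the detection point: C&C traffic hides inside ordinary port 80 traffic and a traffic-analysis approach is needed. The Black Energy builder described later in the talk even exposes a "Request Rate" setting, the fixed interval at which a bot polls its master. As an added example that is not part of this talk or of any Comcast tooling, the Python below runs a simple beacon detector over constructed proxy log lines: it groups requests per client and destination host and flags pairs whose inter-request gaps are nearly constant. The log format, hostnames, IP addresses and thresholds are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). One record per line:
#   <ISO timestamp> <client IP> <destination host> <path> <response bytes>
# Client 10.0.0.5 browses a few sites irregularly but also polls
# update-check.example every 300 seconds, the kind of fixed "request rate"
# a bot uses to check in with its master over ordinary port 80 traffic.
SAMPLE_LOG = """\
2009-03-26T10:00:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:00:07 10.0.0.5 news.example /index.html 48211
2009-03-26T10:01:10 10.0.0.5 news.example /sports.html 39120
2009-03-26T10:05:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:09:44 10.0.0.5 mail.example /inbox 10331
2009-03-26T10:10:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:15:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:17:30 10.0.0.5 news.example /weather.html 28773
2009-03-26T10:20:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:25:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:30:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:31:55 10.0.0.5 news.example /index.html 48302
2009-03-26T10:35:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:40:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:44:20 10.0.0.5 news.example /finance.html 30120
2009-03-26T10:45:00 10.0.0.5 update-check.example /ping.php 312
2009-03-26T10:03:12 10.0.0.9 news.example /index.html 48211
2009-03-26T10:41:03 10.0.0.9 news.example /index.html 48211
"""


def parse_line(line):
    """Split one log record into (timestamp, client, host, path, bytes)."""
    ts, client, host, path, nbytes = line.split()
    return datetime.fromisoformat(ts), client, host, path, int(nbytes)


def find_beacons(log_text, min_requests=5, max_cv=0.15,
                 min_interval=30, max_interval=3600, allow_hosts=frozenset()):
    """Flag (client, host) pairs whose request timing looks like a beacon.

    A pair is reported when it has at least `min_requests` requests, the
    mean gap between requests lies in [min_interval, max_interval] seconds,
    and the coefficient of variation (stdev / mean) of the gaps is at most
    `max_cv`, i.e. the client talks to the host on a near-fixed schedule.
    Hosts in `allow_hosts` (known legitimate updaters) are skipped.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path, _nbytes = parse_line(line)
        if host in allow_hosts:
            continue
        hits[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in sorted(hits.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # every request shares one timestamp; not a schedule
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv and min_interval <= mean <= max_interval:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"every {f['mean_interval_s']}s (cv={f['cv']})")
```

On the constructed log this reports only the 10.0.0.5 to update-check.example pair (10 requests, 300 s apart, cv 0.0); the browsing to news.example has a similar request count but its gaps vary too much to pass. Two caveats a practitioner would apply before running this at ISP scale: legitimate software (AV signature updates, OS updaters, webmail auto-refresh) also polls on a schedule, so an allowlist and a longer observation window are needed to keep false positives down, and bots that add jitter to their request rate push the coefficient of variation up, which is why `max_cv` is a tuning knob rather than a fixed constant.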
End user perspective
• AV has significant issues
– Challenged in effectiveness
• Estimates of effectiveness range from 30% to 70%
– Overwhelmed by quantity of malware
• New variants in the range of 1000s per day
• Over 212K new threats reported to Symantec in 1H 2007
• Biggest challenge is remediation
– Cost to remediate is high
– Tools have limited effectiveness
– Often requires specialist knowledge
Some other challenges
• OS Issues
– Poor OS Security
• Pre XP SP2 is still a major issue
• Improving with Vista
– OS not easily separated from data
• Most cases, best remediation is a re-install
• Long term need to work with Microsoft and other OS vendors to allow easy nuking of OS without loss of user data
• ISP Issues
– Provisioning
• Provisioning dirty and vulnerable PCs onto the network
– Window of vulnerability between manufacture and sale
» Estimated to be up to 1 month
– Could catch users when being re-provisioned to new homes etc.
• No regular checks for cleanliness
– Currently no tools exist for this at SP scale
Examples of the “Bad guy’s” work
• Black Energy
– DDOS bot
• Zeus
– Outsourced Crimeware
• Outsourced “Captcha” cracking
– A new export industry for Bangladesh
Black Energy
• Cheap easily deployed DDOS bot
• Coded in Russia
• Used to attack sites for extortion or political ends
• Costs $40
Server: this is the server where the C&C system is running
Outfile: the backdoor filename
Execute After: set the length of time after which the infection is triggered
Request Rate: set time frequency for request between bot and master
Build ID: unique Bot ID
Default Command: this is executed if the bot cannot communicate with the master server
Right Panel: these options are used in the network DDoS attacks
Like all good economies, outsourcing works
• Zeus Crimeware SaaS
– Crimeware as a service
– Open source HTTP bot and associated command and control centre
– Generates difficult to detect bots running as rootkits
– Used for key logging and credential theft
– Deployed Zeus platforms are rented out to third parties
– Easily updated code
– White hat Zeus tracking site https://zeustracker.abuse.ch
Captcha crackers
• Captcha breakers
– “We are an expert group for inputting captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writing your spiders or other software to get and manage all the captchas.”
• Captchas are no longer any use for protecting high value sites when a low cost cracking service exists
Conclusions from the trenches
• Sure, spam is still a problem, but not what it once was
• No, we are not just going to solve it using technical means alone
• The new issue facing the ISPs is malware
– Suppressing spam will help in controlling malware but…
• Needs solving on multiple fronts
– Technical
– Legal
– Educational
– Cultural
• Our customers need help here so we need help
• Academic community has a role to play