Put simply, cybercrime, especially financial malware, has the potential to be quite the lucrative affair. That’s only because the bad guys have the tools to make their work quick and easy, though. Cripple the automated processes presented by certain malware platforms, and suddenly the threats — and the losses –aren’t quite so serious.
CSO Online had the opportunity to chat with Shape Security’s senior threat researcher, Wade Williamson, at this year’s Black Hat conference, and he offered a brief background of these types of popular malware platforms before putting the threat landscape into perspective.
[Black Hat USA 2014: Talking botnets and ad campaigns]
Williamson maintains that, despite its perceived “downfall,” Zeus is still one of the most popular botnet platforms out there, and that’s for a number of reasons. For one, the source code for Zeus previously leaked, allowing people who know how to code to more or less build on top of it for free. Also, it was one of the most common building blocks for many of the high-profile piece of malware that came after it; it’s the very reason that it can be difficult to distinguish between Citadel and Zeus, for example. Ultimately, Zeus served as the “innovative wedge” that can be seen in man-in-the-browser financial malware today,
That said, there’s a new up and comer in town in the form of Pandemiya.
“If you rewind about six years ago, SpyEye was actively marketing and saying, ‘We’re better than Zeus,’” says Williamson. “But they eventually merged and then you got iterative changes on top of the Zeus codebase. Pandemiya, on the other hand, is the new entrant and you’re starting to see it challenge the monolith [Zeus].”
Be it Pandemiya or Zeus, however, the goals behind them are more or less the same. According to Williamson, there are two major branches to attack strategies now. The first is working on making the botnet harder to take down, which some coders have accomplished by implementing P2P communication between the bots.
“It used to be that C&C servers are the brain behind this big botnet and everyone wants to take that down,” says Williamson. “But now botnets are using P2P communication, so there is no central server. They spread over the machines themselves, just like a P2P network, and it becomes hard to root this thing out even if you knew who was behind it.”
The other branch has less to do with the older approach of password theft and more about automating the transfer of money, which is where Williamson says the “state of the art” technology is now.
“Pandemiya and Zeus are all ultimately about automation and the man-in-the-browser process,” he says.
[RSA researchers discover new alternative to Zeus]
While it used to be easy for attackers to hit victims with a man-in-the-browser attack and simply wait for a login, banks got wise to the practice and implemented secondary authentication mechanisms; it was no longer enough for attackers to just acquire usernames and passwords. As such, they had to adopt a different approach.
“I’m in this guy’s browser, I can just wait until he completes all authentication, and then I’m going to be on the inside,” says Williamson. “Eventually, he’s going to send money to someone else. If you can automate that transaction, it makes it impossible to discern what’s real and what’s the bot.”
“From the bank’s perspective, I can’t just tell my customer to go away,” he says. “Being able to selectively break an automation is the key for disrupting these attacks. It’s true of anything that uses automation, like DDoS.”
What the good guys can do is affect change at the website level, and change what the underlying markup code of the website is each time it loads without changing the user interface. This way the website always looks the same to the user and their experience isn’t disrupted, but the code supporting it looks different, thus stumping the botnet on the infected machine. After all, automation needs the page to be predictable to automate against it; if it can’t figure out how to put in a username and password and hit the submit button, automation doesn’t work anymore.
“So now your botnet that knows what to do when it gets to, say, Bank of America, sees this and says, ‘This is gobbledygook’ and doesn’t know what to do,” says Williamson.
The economy of cybercrime
Like the malware itself, what the economy of cybercrime comes down to is automation: attackers can make money quickly and easily because with botnets, they don’t have to do the heavy lifting. And the bad news for the good guys is that defending networks from such attacks is an arduous process.
[Businesses can do more in battle against Gameover Zeus-like botnets]
“If you can automate one of these attacks, it’s the reason 10 guys can make millions a month because scripts are doing work in the background,” says Williamson. “And for someone defending networking, every small change from an attacker makes you go back to square one, write a signature for it, etc. Every time a web server burps with a new piece of malware, you have to go reanalyze it.”
The trick then is to turn the tables and put all of the hard work on the side of the attacker. By crippling automated processes — by constantly changing website code, for example –the attackers are now the ones being forced to constantly do the hard cerebral work as they go back to square one and manually adjust their game plans. Suddenly, cybercriminals are raking in less money over time and their economy begins to crumble.
“If you can force someone to rewind to 10 years ago where they have to do everything themselves, it kicks the stool out from under a lot of attacks,” says Williamson. “How do I monetize stolen credit cards? How do I know if they’ve logged into their bank? If you can’t deal with those sites automatically, everything deescalates.”
By way of example, Williamson explained when a target is breached and criminals get their hands on stolen credit cards, their value on the black market jumps substantially — say, from 20 cents to anywhere from 40 to 80 dollars apiece — once they have been verified. It’s what gives the stolen cards value, so criminals have an automated process to determine whether or not the cards are, in fact, verified.
“So let’s say they take a thousand of those cards and go to the Red Cross and make a one dollar donation with each of them,” says Williamson. “It’s something that people aren’t going to notice. They make the donations and say, okay, 900 out of 1,000 of them worked. So when they sell the cards, they say that the cards are from this area in the country and they have a 90% success rate. People pay a really high premium for [a rate that high].”
[New Gameover Zeus botnet keeps growing, especially in the US]
The key, then, is breaking that verification process, since that’s where all the value in the cybercriminal economy gets generated. To do so, defenders need to take advantage of the fact that the entire process is automated; again, without changing the GUI of the site in question, the ID of field names can be changed to a random string, ensuring that each user interaction is unique. This, of course, breaks the automated process when it can’t find the fields that it’s attempting to fill out.
“If you think about this in the context of testing credit cards, the script says, ‘Put in the number here, address, hit submit, and if I get a good verify back, I know it works,’” says Williamson. “And since nothing was ever submitted, it looks like they went zero for a thousand.”