230 likes | 337 Vues
securing and enabling dynamic business. Spy VS Spy Countering SpyEye with SpyEye Lance James Director of Intelligence Vigilant, LLC. March 21 st , 2011. Lance James. Lance James Director of Intelligence, Vigilant, LLC Founder of Secure Science Corporation Brief Bio:
E N D
securing and enabling dynamic business Spy VS Spy Countering SpyEye with SpyEyeLance JamesDirector of IntelligenceVigilant, LLC March 21st, 2011
Lance James • Lance James • Director of Intelligence, Vigilant, LLC • Founder of Secure Science Corporation • Brief Bio: • Infosec over a decade, development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight • Author of “Phishing Exposed”, • Co-Author of “Emerging Threat Analysis” • 3rd Book on it’s way (counter-intelligence) • Loves Karaoke • Very Hyper (but I am getting old)
Research • SpyEye • Web Panel based C&C • DIY Builder Kits • Merging with Zeus • $1000-$3000 WMZ • Law • Title 18 USC 1030 • Color of Right • Expectation of Privacy
Components of SpyEye • Trojan • Build it yourself • Data interception • Formgrabs • Credit Cards • Software Collection • Process hooking • Kills Zeus/Zeus Merger • UPX Packed (most cases)
Components of SpyEye • Web-based Panel • SYN 1 (Blind Drop) • Formgrabber/Data Manager • FTP Theft • Bank of America • Theft Stats • CN 1 (Command & Control) • Binary Updates • Configuration Updates • Statistic collection • Plugins • Backconnect (SOCKS5/FTP)
What we know • Web Panel Investigation • Build Inference (directories and files) • Debug.log (general traffic) • Error.log (possible leaked IP’s and other info) • Tasks.log (what it’s doing) • Backup.sh (sql dump and passwords) • Config.ini (settings) • Understand the code • AJAX driven • AJAX queries and refreshes for data
Case Study • CnCHost: 91.211.117.25/sp/admin (currently down) • History: specific URI discovered publicly 09/07/2010 • Prior attacks from this IP discovered 07/26/2010 (same operator) • ASN 48587 (known for malicious activity) • Location: Ukraine (UA) • AS Name: Private Entrepreneur ZharkovMukolaMukolayovuch • Malware Life-cycle: Monday 08/30/10 – Friday, 09/24/10 (25 days) • Unique computers infected: 28,590 • Unique binaries distributed: 2,325
C&C Advancement & Law • C&C has many world readable files • Including Frm_grab.php • Doesn’t work without AJAX environment • Same concept as request 1 world readable file • Many requests at once • Very useful intelligence • Very complicated Legally • Explain what we did to a jury or judge • Explain it to attorney • DOJ conservative to risk
How it works • C&C Target (SYN 1) main page password protected (illegal in US to log in)
Eating Dog Food • Log in to local C&C setup Fire up Proxy, Set Servers to Stun!
Kibbles & Bits Proxy Setup – either with burp or netsed Header Modification Browser proxy configuration
Target Acquired When this changes we know we are connected
Results • All data compromised in real time • Bot GUIDS per data compromise • Dates of compromises • Bonus points! • Bad guy activity • The day before 0 • Settings • We can update the botnets (Not Approved)
Spy Wars Adversary is quick, no boundaries Jedi tools Jedi Council Disciplined Philosophy Jedi skill Limited by Law
Be the Smart Jedi • May the Force Be With Us • We’re gonna need it • Do or Do Not! • There is no try • Yoda is awesome
Contact Thank You! Lance James Director of Intelligence ljames@thevigilant.com http://www.thevigilant.com