Agenda Agenda

(1)

1

Luis Corrons

PandaLabs Technical Director

(2)

Agenda Agenda

1.1. Malware figuresMalware figures

2.2. WhoWho isis behindbehind this?this?

3.3. Web AttackWeb Attack ToolkitsToolkits

4.4. A Real CaseA Real Case

5.5. UndergroundUnderground Shopping Shopping CartCart 6.6. WhereWhere toto buy?buy?

(3)

3

Malware figures

(4)

Malware

Malware evolution evolution

Source: PandaLabs

Malware detected per year

(5)

5

Source: PandaLabs

(6)

Malware

Malware evolution evolution by by type type

(7)

7

Who Who is is behind behind this this ? ?

(8)

Yesterday

Yesterday ’ ’ s s Bad Bad Guys Guys

Blaster.B Nestky / Sasser CIH 29-A

Jeffrey Lee Parson Sven Jaschan Chen Ing-Hau Benny

(9)

9

Jeremy Jaynes Andrew Schwarmkoff

James Ancheta

(10)

Web Web Attack Attack Toolkits Toolkits

(11)

11

(12)

MPack

(13)

13

Tracking Tracking Mpack Mpack for for 2 months 2 months (April ( April & May 2007): & May 2007):

41 different41 different serversservers withwith MpackMpack runningrunning 366,717 web pages366,717 web pages ““iframed”iframed”

More thanMore than 1 million1 million usersusers infected (1,217,741)infected (1,217,741)

(14)

(15)

15

Login

(16)

IcePack

(17)

17

Operating System

(18)

IcePack

Browser

(19)

19

(20)

IcePack

Referrers

FTP import

FTP checker

(21)

21

iFramer

Country blocking

(22)

FirePack

(23)

23

(24)

Neosploit

(25)

25

- Nuclear traffic

- Multi exploits pack - Nuclear Malware Kit - Prime Exploit System - Web-Attacker

- SmartPack

(26)

A Real Case

(27)

27

(28)

–– ProxyProxy

•

• 5 -5 - $2.5$2.5

•• 1,000 -1,000 - $300$300

–– DDoSDDoS

•

• 1 hour1 hour -- $20$20

•• 24 24 hourshours -- $100$100

•• MajorMajor projectsprojects startingstarting at $200at $200

(29)

29

–– Spam: Spam: < 192,000,000 e< 192,000,000 e--mail mail addressesaddresses

•• USA (USA (homehomeusers) users) –– 117,000,000117,000,000

–– US$150 / millionUS$150 / millionmessagesmessages

•• USA (enterprisesUSA (enterprises) ) –– 4,000,0004,000,000

–

– US$150 / millionUS$150 / millionmessagesmessages

•

• Western Western EuropeEurope (home(home users) users) –– 45,000,00045,000,000

•• Western Western EuropeEurope (enterprises(enterprises) –) – 902,256902,256

•• RussiaRussia (home(home users) users) –– 20,700,00020,700,000

•• RussiaRussia (enterprises(enterprises) ) –– 5,000,0005,000,000

(30)

–– Personal Personal cryptorcryptor ($15, ($15, updatesupdates $5)$5) –– ABLoaderABLoader ($60, builder($60, builder $500)$500)

–– RooTRooT iFrameiFrame ($25 Russian($25 Russian, $50 , $50 EnglishEnglish)) –– SpamPHPSpamPHP Script ($2)Script ($2)

(31)

31

MPack MPack Dream

Dream DownloaderDownloader Limbo

Limbo

Total

Total InvestmentInvestment: : 1,500$

1,500$

(32)

(33)

33

(34)

(35)

35

Win32.exe = Trojan downloader Win32.exe = Trojan downloader Installed

Installed::

Spammer

Spammer TrojanTrojan Rogue

Rogue AntiSpywareAntiSpyware

(36)

Rogue

Rogue AntiSpywareAntiSpyware

Commissions

Commissions paidpaid perper installation:installation:

$0.40 USA, Canada

$0.20 UK, France, Germany, Italy, Spain, Belgium, Luxembourg, Mo

$0.20 UK, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaconaco

$0.05 Austria, Denmark, Finland, Sweden, Norway, The Netherlands

$0.01 China, Korea, Japan

(37)

37

LetLet’s do some maths’s do some maths China, Korea, Japan:

China, Korea, Japan: $0.01 * 70,300 = $703$0.01 * 70,300 = $703 Finland, Norway

Finland, Norway……:: $0.05 * 70,300 = $3,515$0.05 * 70,300 = $3,515 UK, France

UK, France…:…: $0.20 * 70,300 = $14,060$0.20 * 70,300 = $14,060 USA, Canada:

USA, Canada: $0.40 * 70,300 = $28,120$0.40 * 70,300 = $28,120 And the same numbers in 30 days

And the same numbers in 30 days…… China, Korea, Japan:

China, Korea, Japan: $0.01 * 70,300 * 30 = $21,090$0.01 * 70,300 * 30 = $21,090 Finland, Norway

Finland, Norway……:: $0.05 * 70,300 * 30 = $105,450$0.05 * 70,300 * 30 = $105,450 UK, France

UK, France…:…: $0.20 * 70,300 * 30 = $421,800$0.20 * 70,300 * 30 = $421,800 USA, Canada:

USA, Canada: $0.40 * 70,300 * 30 = $843,600$0.40 * 70,300 * 30 = $843,600

(38)

WhoWho’’s paying these Rogue s paying these Rogue AntiSpywareAntiSpyware installations?installations?

(39)

39

(40)

(41)

41

(42)

(43)

43

(44)

(45)

45

(46)

(47)

47

(48)

(49)

49

(50)

(51)

51

(52)

Underground

Underground Shopping Shopping Cart Cart

(53)

53

•

• MPackMPack

–– US$700US$700

–– DreamDownloaderDreamDownloader + US$300+ US$300 –– AddingAddingnewnewexploitexploit + US$50-+ US$50-150150 –– AvoidAvoidAV detectionAV detection + US$20-+ US$20-3030

•• IcePackIcePack

–– Lite:Lite: US$30US$30 –– Platinum:Platinum: US$400US$400

•• FirePackFirePack

–– US$3US$3,000,000

•• TrafficTraffic ProPro

–– US$40US$40

•• EcoreEcore

–– BundleBundle US$590 (forUS$590 (fora domaina domain/ ip/ ipwithwithecoreecoreinstalled).installed).

–– DomainDomain/ additional/ additional ipip US$490US$490 –

– HelpHelpforforthetheinstallationinstallation US$15US$15

(54)

Underground

Underground Shopping Shopping Cart Cart

–– MalwareMalware

•

• KeyloggerKeylogger TellerTeller 2.0 2.0

–– TypicalTypicalkeylogger; keylogger; itituses stealthuses stealthtechniquestechniquesandandisisquite complete: US$40quite complete: US$40

•• WebmoneyWebmoney TrojanTrojan

–

– ItItcaptures captures WebmoneyWebmoneyaccounts: US$500 (accounts: US$500 (thethefirstfirst100 will100 will obtainobtainititforforUS$400!)US$400!)

•• WMTWMT-spy-spy: :

–– AnotherAnotherTrojanTrojantotoobtainobtainWebMoneyWebMoneyaccounts, accounts, butbut cheapercheaperthanthanthethepreviouspreviousoneone –– TrojanTrojan US$5US$5

–– UpdatesUpdates US$5US$5 –– BuilderBuilder US$10US$10

•• SNATCH TROJAN: SNATCH TROJAN:

–

– ItItstealsstealspasswordspasswordsandandhas has rootkitrootkitfunctionalitiesfunctionalities: : US$600 US$600

•• Limbo: Limbo:

–– BankingBankingTrojan, Trojan, keyloggerkeylogger, etc. , etc. US$1,000US$1,000

(55)

55

•

• PolarisPolaris

–– PolymorphicPolymorphicencryptionencryptionforforyouryourexecutablesexecutables US$20US$20

•• FreejoinerFreejoiner

–

– HidesHidesyouryourexecutablesexecutablesjoiningjoiningthemthemwithwithotherotherfiles US$30 + US$5 perfiles US$30 + US$5 perupdateupdate

•

• My joinerMy joiner

–– OtherOtherjoinerjoinerbelongingbelongingtotothethecreatorcreatorofofPinchPinch US$10US$10

•• PityPity JoinerJoiner

–

– JustJustanotheranotherjoinerjoiner US$7US$7

(56)

Underground

Underground Shopping Shopping Cart Cart

–– OtherOther ToolsTools

•

• FTP checkerFTP checker

–– ProgramProgramtotovalidatevalidatestolenstolenFTP FTP accountsaccounts. . US$15US$15

•• DreamDreamBotBot BuilderBuilder

–

– FloodsFloodsserversservers US$500 + US$25 US$500 + US$25 perperupdateupdate

(57)

57

•

• Spam HostingSpam Hosting:: US$200US$200

•• DedicatedDedicated spam spam serverserver US$500US$500

•• +10,000,000 Mails per+10,000,000 Mails per dayday US$600 US$600

•

• SMS spam (perSMS spam (per messagemessage)) US$0.2US$0.2

•• ICQ (1,000,000)ICQ (1,000,000) US$150 US$150 Mailing

Mailing listslists forfor spam:spam: (US$)(US$) ACCOUNTS

ACCOUNTS USAUSA GERMANYGERMANY RUSSIARUSSIA UKRANIAUKRANIA 1,000,000

1,000,000 100100 100100 100100 100100

3,000,000

3,000,000 200200 200200 200200 200200

5,000,000

5,000,000 300300 300300 300300 --

8,000,000

8,000,000 500500 500500 500500 --

16,000,000

16,000,000 900900 -- -- --

32,000,000

32,000,000 15001500 -- -- --

(58)

Underground

Underground Shopping Shopping Cart Cart

–– AccountsAccounts

•

• FTP accountsFTP accounts: :

–– US$1 US$1 perperaccountaccount

•• IcqIcqnumbersnumbers::

–

– FromFromUS$1 US$1 totoUS$10 (US$10 (dependingdepending ononthetheICQ numberICQ number))

•• RapidShareRapidShare premiumpremium accounts:accounts:

–– 1 1 monthmonth -- US$5US$5 –– 2 2 monthsmonths -- US$8US$8 –– 3 3 monthsmonths -- US$12US$12 –– 6 6 monthsmonths -- US$18US$18 –– 1 1 yearyear -- US$28US$28

•• Online Online ShopShopaccountsaccounts

–– ((megashop.rumegashop.ru, , bolero.rubolero.ru, , cup.rucup.ru, etc. ALL RUSSIAN): , etc. ALL RUSSIAN): --US$50 eachUS$50 each

•• 50MB of50MB of Limbo TrojanLimbo Trojan logslogs

(59)

59

•

• CreditCredit CardsCards

–– VISA / MASTERCARDVISA / MASTERCARD

1 1 --1010cardscards US$2 (US$2 (perpercardcard)) 10 10 --100100cardscards US$1.5 (US$1.5 (perpercardcard) ) –– AMEXAMEX

1 1 --1010cardscards US$2.5 (US$2.5 (perpercardcard)) 10

10 --100100cardscards US$2 (US$2 (perpercardcard) )

•• Passports:Passports:

–– Black Black andandwhitewhite:: US$2US$2 –– Color:Color: US$5 US$5

(60)

Where

Where to to buy buy ? ?

(61)

61

(62)

(63)

63

(64)

(65)

65

(66)

(67)

67

(68)

(69)

69

PandaLabs Blog:

http://www.pandalabs.com