Category: botnet

Dec 13 2017

Chinese Cybercriminals Develop Lucrative Hacking Services

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); have caused more than $13.8 billion (91.5 billion yuan) in damage from data loss, identity theft, and fraud; and will grow even faster as underground hackers expand their international operations to target foreign businesses, according to one report. Advanced hacking tools and services, such as botnets, control-server infrastructure, remote access tools, malware creation and obfuscation, source-code writing, and targeted exploitation toolkits, are available on underground markets.

Other popular malicious tools and hacking services, such as spam and flooding services, denial-of-service (DoS) and distributed denial-of-service (DDoS) attack scripts, compromised routers, and hijacked accounts, are also sold on the Chinese black market. Criminal groups are well organized and run discreet buying and selling processes for malware and hacking services through QQ networks. (Tencent QQ is one of China’s most popular online communication and Internet service portals, with more than 870 million monthly active users as of 2016. QQ users communicate with each other and publish comments through QQ forums, shared space, QQ groups, and private chatrooms.)

Criminal groups also establish master-apprentice relationships to recruit and train new members and expand their operations. Together these trends cost businesses in China and around the world tens of billions of dollars, because the hacking tools sold online can be used to steal intellectual property or to mount social engineering attacks.

Operating Structure

The Chinese cybercriminal underground has become more sophisticated and service-oriented as China’s economy becomes more digital. Cybercriminal groups are well structured, with a clear division of labor. Unlike their American and Russian counterparts, Chinese cybercriminals do not rely on the Deep Web. McAfee research indicates that a growing number of organized crime groups take advantage of burgeoning QQ networks. These groups typically have clear mechanisms for their cybercrime operations. Malware developers usually profit by creating and selling their products online and do not take part in the criminal operations themselves. Their code often includes “backdoors” that give the developers continued access to the software after it has been sold.

QQ hacking group masters (qunzhu, 群主), also known in Chinese cybercriminal underground networks as prawns (daxia, 大虾) or car masters (chezhu, 车主), are the masterminds of cybercrime gangs. They purchase or otherwise acquire malware from a malware writer or wholesaler. As shown in the following graph, group masters recruit members, commonly known as apprentices, and teach them hacking techniques such as setting up malicious websites to steal personally identifiable information or bank account credentials. In most cases the group masters collect “training fees” from the apprentices they recruit; the apprentices later become professional hackers working for their masters. Apprentices must also take part in multiple criminal “missions” before they complete the training program. These hacker groups are usually private: the group master can accept or deny membership requests on QQ networks.

 

Master-Apprentice Mechanism

Black-hat training is growing in popularity on the black market because of the high profit margins in the hacking business. Some hacker groups use these training programs to recruit new members. Once they complete the training, selected members are offered positions as apprentices, or “hackers in training,” who later become full-time hackers responsible for operations such as targeted attacks, website hacking, and database exfiltration. (See the preceding graph.) The apprentices gain further experience by taking part in cybercrime schemes, including stealing bank account passwords, credit card information, private photos, personal videos, and virtual currency such as Q coins. The following screenshot is an example of black-hat training materials offered by an underground hacker.

Training program offered by an underground hacker.

Products

The Chinese cybercriminal underground business has become more structured, institutionalized, and accessible in recent years. A great number of QQ hacking groups offer hacking services, and, just as in the legitimate world, they take online orders. Prospective customers fill out service requests, including the type of attack, the targeted IP addresses, and the tools to be deployed, and pay online. For example, some QQ groups provide website takedown services that can cost up to tens of thousands of yuan, depending on the difficulty of the task and the security level of the targeted system. Other QQ groups hire black-hat hackers to attack commercial and government targets for profit. The following list shows the most common offerings:

  • DDoS services
  • Black-hat training
  • Malware sales
  • Advanced persistent attack services
  • Exploit toolkits sales
  • Source-code writing services
  • Website hacking services
  • Spam and flooding services
  • Traffic sales
  • Phishing website sales
  • Database hacking services

Buying Hacking Services and Malware

Some hacking groups provide 24/7 technical support and customer service for customers without a technical background. A hacking demonstration is available upon request, and prices are negotiable in some cases. After the price is agreed, the hacker-for-hire sends an email confirmation with detailed payment information. Clients can transfer payments online through Taobao or Alipay. Customers are usually required to pay an upfront deposit, which can be as much as 50% of the agreed price; once the service is complete, the hacker-for-hire requests the remaining balance.

Steps in the hacking service transaction process:

  • Negotiating price
  • Making a deposit
  • Demonstration (if requested)
  • Beginning the hacking services
  • Paying the balance

Buyers must submit full payment for software purchases such as malware, attack tools, and exploit toolkits.

Steps in the malware purchase transaction process:

  • Negotiating price
  • Paying in full for malware
  • Receiving product or exploit kit

Conclusion

The Chinese cybercriminal underground mostly targets Chinese citizens and businesses, but a growing number of criminal groups offer hacking services against foreign websites and businesses. These groups are stealthy and have gradually grown in sophistication through an institutionalized chain of command and master-and-apprentice relationships that expand their operations. They offer a variety of malicious tools and hacking services through QQ networks and have established reliable, surreptitious transaction processes.

 

Follow all our research and stories like these on Twitter at @McAfee_Labs.

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

Sep 12 2017

Android Click-Fraud App Repurposed as DDoS Botnet

The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including examples on Google Play in 2016 and Clicker.BN last month. These threats share a common behavior: they appear innocuous, but in the background they perform HTTP requests (simulating clicks) on paid advertisements to make money for a specific developer.

This behavior means that a URL is requested over HTTP continuously. Hypothetically, if the target and frequency of that request were changed, the same traffic would amount to a DDoS attack: the app would be using the same core malware functionality and the same botnet infrastructure. From ad fraud to DDoS is only one step, and some variants of Clicker.BN have taken it. We have now seen click-fraud Android Trojans repurposed to perform DDoS attacks.

Most of the control servers of this Android/Clicker botnet—aka WireX—were taken down in late August.

The click-fraud apps and the DDoS apps have much in common: the technique for configuring HTTP headers from the control server; the domains axclick[.]store and ww[56]8[.]ybosrcqo.us (which have been taken down, although others remain active); how they keep the control server parameters updated in the local cache; and how each HTTP request to the target server is made without using cached data. They also share obfuscation methods, packing strategies, and the methodology for publishing on Google Play.

The apps do have differences, however: the control server subdomain and GET methods vary, as do the delimiters used to split the received parameters and the order and content of those parameters:

  • Click-fraud components receive:
    • Target URL
    • JavaScript function (to simulate mouse-over clicks)
    • User agent
    • Google Play package
  • DDoS components receive:
    • Target URL
    • User agent
    • HTTP referrer (same as target URL in our tests)

The DDoS variants wrap the traffic generation in a loop so that each HTTP request is fully completed many times:

The DDoS authors increased the frequency of the HTTP requests to 100 per minute. (Click-fraud implementations send a request every 55 seconds using the same code structure.)

Other DDoS variants perform a UDP flood against the target, based on data (host and port) received from the control server and implemented as follows:

The preceding thread (C1343a) is executed 50 times by the following method (m7240a), which is invoked after the parameters are loaded from the control server. The parameters are refreshed every 50, 55, or 60 seconds, depending on the variant.

All variants of this threat use an uncommon method to receive and parse parameters from the control server: the parameters arrive inside the title tag of an HTML file and are split using a key string that varies per variant. We discussed this in our analysis of Clicker.BN.

We mentioned other curiosities in our Clicker.BN post. The delimiter strings look a bit like anagrams: “WireX” can be formed from the letters of the delimiter “snewxwri.” Early Clicker.BN variants used the delimiter “eindoejy,” which could be read as “I enjoyed” or “die enjoy.” Other variants of this threat use further delimiters.
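The following is an added example, written for this page and not McAfee's code or any sample taken from the malware, of how an analyst can pull the parameters out of such a title-tag response and tell the two components apart. It assumes the field orders given in the list above (target URL, JavaScript function, user agent, package for click fraud; target URL, user agent, referrer for DDoS), classifies by field count, and uses constructed control-server responses with the “snewxwri” delimiter; real variants reorder fields and change the delimiter, so the layouts are a parameter of the parser rather than a fact about any specific sample. It also checks the “anagram” observation mechanically.

```python
import re
from collections import Counter
from html import unescape

# Field layouts taken from the parameter lists in the post. Real variants
# reorder fields, so these layouts are an assumption of this example.
CLICK_FRAUD_FIELDS = ("target_url", "js_function", "user_agent", "package")
DDOS_FIELDS = ("target_url", "user_agent", "referrer")

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(html: str):
    """Return the text inside the first <title> element, or None if absent."""
    m = TITLE_RE.search(html)
    return unescape(m.group(1)).strip() if m else None


def split_params(title: str, delimiter: str):
    """Split the title payload on the variant's key string."""
    return title.split(delimiter)


def parse_c2_response(html: str, delimiter: str):
    """Classify the payload by field count and map the fields to names.

    Returns a dict with 'variant' plus the named fields; layouts this example
    does not know keep the raw field list under 'raw'.
    """
    title = extract_title(html)
    if title is None:
        return {"variant": "none"}
    parts = split_params(title, delimiter)
    if len(parts) == len(CLICK_FRAUD_FIELDS):
        return {"variant": "click_fraud", **dict(zip(CLICK_FRAUD_FIELDS, parts))}
    if len(parts) == len(DDOS_FIELDS):
        return {"variant": "ddos", **dict(zip(DDOS_FIELDS, parts))}
    return {"variant": "unknown", "raw": parts}


def can_spell(delimiter: str, word: str) -> bool:
    """True if every letter of `word` (case and spaces ignored) occurs in
    `delimiter` at least as often as in `word`."""
    have = Counter(delimiter.lower())
    need = Counter(word.lower().replace(" ", ""))
    return all(have[c] >= n for c, n in need.items())


# Constructed sample responses for this example, not real control-server traffic.
CLICK_FRAUD_RESPONSE = (
    "<html><head><title>"
    "http://ads.example.invalid/click?id=42"
    "snewxwri"
    "function(){document.getElementsByTagName('a')[0].click();}"
    "snewxwri"
    "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36"
    "snewxwri"
    "com.example.clickerapp"
    "</title></head><body></body></html>"
)

DDOS_RESPONSE = (
    "<html><head><title>"
    "http://victim.example.invalid/"
    "snewxwri"
    "Mozilla/5.0 (Linux; Android 6.0)"
    "snewxwri"
    "http://victim.example.invalid/"  # referrer equals the target, as observed
    "</title></head><body></body></html>"
)

if __name__ == "__main__":
    for resp in (CLICK_FRAUD_RESPONSE, DDOS_RESPONSE):
        print(parse_c2_response(resp, "snewxwri"))
    print(can_spell("snewxwri", "WireX"), can_spell("eindoejy", "I enjoyed"))
```

When triaging a new sample, the delimiter is the string the unpacked code passes to its split routine; once it is known, the same parser can be pointed at captured responses to recover the current target without running the app.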

 

Click fraud in 2017 could cost US$16 billion, according to one source, and DDoS attacks have their own underground market. Moving from one mobile threat to another is not new: we have seen Android ransomware switch to banking Trojans (in 2016) and premium SMS Trojans move to wireless application protocol (WAP) billing.

Malware authors pursue profits with different strategies, taking advantage of infrastructure they have already built. In this case, the Android/Clicker.BN authors created a mobile botnet and distributed the infection vector on Google Play, repackaging the threat to look like a clean app and spreading it across the globe. They then modified the malware only slightly to launch the massive DDoS attack known as WireX.

McAfee Mobile Security detects this threat as Android/Clicker.BN!Gen and prevents its execution. To further protect yourself against malicious apps, use only legitimate app stores and watch for suspicious traits such as nonsensical names, missing descriptions, and poor user reviews. Also verify that the permissions an app requests are related to its functionality. Be wary when an app requests device administration API access, which is usually needed only by security apps, antimalware, mobile device management, or corporate email clients. Most apps and games will never ask for device admin rights.
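As an added example (not McAfee's detection logic and not code from the samples discussed), the check above can be automated against a decoded AndroidManifest.xml, such as the output of apktool or aapt, since the manifest inside an APK is binary XML. A device-admin receiver is recognizable by the android.permission.BIND_DEVICE_ADMIN guard or the android.app.action.DEVICE_ADMIN_ENABLED intent action; the list of permissions considered unusual for a game is a heuristic chosen for this example, and the two manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"

# Heuristic list for this example: permissions a game or simple utility
# rarely needs. Not taken from any vendor's detection logic.
UNUSUAL_FOR_GAMES = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def review_manifest(manifest_xml: str) -> dict:
    """Summarize permission and device-admin usage from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(
        attr(e, "name") for e in root.iter("uses-permission") if attr(e, "name")
    )
    admin_receivers = []
    for recv in root.iter("receiver"):
        guarded = attr(recv, "permission") == BIND_DEVICE_ADMIN
        actions = {attr(a, "name") for a in recv.iter("action")}
        if guarded or DEVICE_ADMIN_ENABLED in actions:
            admin_receivers.append(attr(recv, "name"))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "requests_device_admin": bool(admin_receivers),
        "admin_receivers": admin_receivers,
        "unusual_permissions": sorted(set(permissions) & UNUSUAL_FOR_GAMES),
    }


def is_suspicious(summary: dict) -> bool:
    """Flag device-admin use or permissions unusual for a game."""
    return summary["requests_device_admin"] or bool(summary["unusual_permissions"])


# Constructed manifests for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Puzzle Game">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.solitaire">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Solitaire">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        s = review_manifest(m)
        print(s["package"], "suspicious" if is_suspicious(s) else "ok", s)
```

A game that ships a device-admin receiver is the kind of mismatch between declared functionality and requested privilege the advice above is about; the script only surfaces it, and a human still decides.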

The post Android Click-Fraud App Repurposed as DDoS Botnet appeared first on McAfee Blogs.

May 03 2017

Mirai, BrickerBot, Hajime Attack a Common IoT Weakness

We know that devices in the Internet of Things make enticing targets. They are often insecure and can act as open windows into trusted networks. Cybercriminals capitalize on that more each day, herding hundreds of thousands of insecure IoT devices into giant botnets. Remember last fall, when the Mirai malware was used in the largest DDoS attack we have seen so far: the downstream effect was that millions of people could not reach popular sites such as Twitter, Spotify, Box, The New York Times, and Airbnb.

Now two new attacks targeting IoT devices have emerged. The BrickerBot malware has been infecting and “bricking” poorly secured IoT devices. The BrickerBot operator is said to be rendering these devices unusable to keep Mirai from infecting them; if so, the attacker is a modern-day vigilante.

The second attack is based on malware called Hajime. It appears to use its power for good rather than evil, actually hardening the IoT devices it infects to protect them from more malicious attacks like Mirai. However, because the devices have been compromised by Hajime, nothing stops the Hajime botnet operator from changing objectives later.

What do these attacks have in common? They all exploit poor network and credential management. In each case the malware scans for open Telnet or SSH ports, identifies IoT devices behind them, brute-forces logins using a dictionary of common default usernames and passwords, and then looks for a way to deliver its payload. Once a device is infected, each malware family pursues its own objectives, as discussed above.

Given that these IoT attacks follow the same sequence, why don’t IoT device makers simply address the weaknesses? And if they fix poor network and credential management, will that solve IoT device security once and for all?

We answered the first question in the McAfee Labs 2017 Threats Predictions report: in their drive to be first to market with certain types of IoT devices, developers focus on features designed to capture early adopters, and sound security is usually not at the top of that class of buyers’ must-have list. The use of poorly written, insecure third-party code libraries exacerbates the problem. So until the IoT land rush subsides, we will probably keep seeing obvious security weaknesses.

Addressing poor network and credential management will remove only the weaknesses being exploited today. Other weaknesses will be exploited tomorrow.

The right way to look at security in an IoT device is with the help of a framework such as the OWASP IoT Attack Surface model. From an attacker’s point of view, an IoT device is very similar to any other computer system and should be assessed just as rigorously. I created this previously unpublished image last year to make the point:

This is the toaster attack surface!

In fact, when our threat research team examines an IoT device for security weaknesses, they use the OWASP model for guidance. If IoT device makers examined their products during development through an attacker’s lens, they could reduce the number of security weaknesses significantly.

What can you do today to mitigate IoT device security weaknesses? Some weaknesses unfortunately fall into the category of acceptable risk; others can be addressed. See the Solution Brief “Secure IoT Devices to Protect Against Attacks,” which offers actionable policies and procedures for securing IoT devices and detailed advice on how McAfee products can protect systems and networks from IoT device attacks.

To stay up to date on all cybersecurity news, follow @McAfee and @McAfee_Labs.

The post Mirai, BrickerBot, Hajime Attack a Common IoT Weakness appeared first on McAfee Blogs.

Apr 28 2017

Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions

This is not the first IoT-heavy botnet (Mirai takes that title); the interesting part is that the Hajime botnet appears to be benign. So far no malicious functions have been detected in the codebase: other than the ability to replicate itself and block other malware, Hajime seems to have no DDoS or offensive mechanisms. Hajime […]

Read the full post at darknet.org.uk