Evolution of Hacktivist Campaigns

In the coming week we are going to see a major hacktivist operation aimed against Israel, called #OpIsraelBirthday, which is scheduled to start on the 7th of April. The operation is dubbed "birthday" because it commemorates the previous OpIsrael, which took place on the same date last year. In recent weeks there has been a lot of internal debate at SenseCy about what has changed since then and what we can expect to see in the coming operation. I think the results of this debate might be of interest to you as well:

–          DDoS Attacks – DDoS attacks are nothing new, but recently attackers have started using a new-old approach in the form of reflection attacks: spoofed requests are sent to open UDP services (DNS, NTP and similar), whose much larger replies are delivered to the victim, so a modest botnet can generate traffic far beyond its own uplink capacity. If a year ago the attacks peaked at around 30 Gb/s, it is more than plausible that we will see an order of magnitude more than that. A large country might absorb this, but for Israel it could strain the ISP infrastructure itself, not just deny service to the target site.
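One way to spot reflection traffic on the receiving end is to look at flow records for high-volume UDP replies arriving from the source ports of known reflector services. The following is an added example (not code from the original post); the flow tuples are constructed inline, and the reflector port list and the byte-per-packet threshold are illustrative choices that an operator would tune to their own baseline.

```python
"""Added example (not from the original post): flag UDP reflection traffic
in NetFlow-style records. Sample flows are constructed; thresholds and the
reflector port list are illustrative assumptions."""
from collections import defaultdict

# UDP services commonly abused as reflectors (illustrative, not exhaustive).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, "udp", 2000, 880000),   # NTP reply flood
    ("198.51.100.11", 123, "203.0.113.5", 40001, "udp", 1800, 790000),   # second NTP reflector
    ("198.51.100.12", 53,  "203.0.113.5", 40002, "udp", 1500, 4500000),  # oversized DNS answers
    ("192.0.2.7",     53,  "203.0.113.9", 53000, "udp", 3, 600),         # ordinary DNS reply
    ("192.0.2.8",     443, "203.0.113.9", 51000, "tcp", 40, 30000),      # ordinary HTTPS
]


def detect_reflection(flows, min_bytes_per_pkt=300, min_sources=2):
    """Return {victim_ip: {service: [reflector_ips]}} for destinations that
    receive large UDP replies from at least `min_sources` reflector hosts.

    A reflected reply is much bigger than the spoofed request that caused it,
    so bytes-per-packet separates it from ordinary small lookup replies."""
    by_victim = defaultdict(lambda: defaultdict(set))
    for src, sport, dst, dport, proto, pkts, byts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if byts / pkts < min_bytes_per_pkt:   # small replies look like normal traffic
            continue
        by_victim[dst][REFLECTOR_PORTS[sport]].add(src)

    result = {}
    for victim, services in by_victim.items():
        hits = {svc: sorted(srcs) for svc, srcs in services.items()}
        if sum(len(s) for s in hits.values()) >= min_sources:
            result[victim] = hits
    return result


if __name__ == "__main__":
    for victim, services in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, services)
```

The per-source-port grouping is what makes the output actionable: it tells the operator which upstream filters (NTP, DNS, chargen) to request from the ISP, which is the only place such volumes can realistically be dropped.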

–          Self-Developed Code – Until now, most of what we have seen coming from the anti-Israel hacktivist groups was reuse of anonymous code, with perhaps slight improvements to the user interface. Lately we have started to identify unique, original code developed by the groups themselves. Some of it still depends on existing code and available libraries, but this may be an indicator of things to come.

[Figure: AnonGhostDDoSer – developed by AnonGh0st for OpIsraelBirthday]

–          Dumps vs. Defacements – It seems that the general objective is now less the defacement of sites and more the ability to cause harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important), with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the effect of terror.

–          Shells and RATs – SQL injection and cross-site scripting seem to be shifting from being the end result to being the means by which the hacktivist groups plant web shells on their targets or infect them with RATs and other malware. This suggests a more coherent effort to cause more sophisticated damage to their targets. For defenders it also means that a SQL injection finding should be treated as a possible foothold and not only as a data-exposure issue: check the web root for recently written scripts and review outbound connections from the web tier.

All in all, the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation appear to be larger and more dangerous than last time (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can take action in advance to handle and mitigate these attacks.

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware arena: the Zorenium Bot. Zorenium, a relatively new and little-known bot, has been for sale on the underground since January 2014. According to the seller's release notes, the bot is due to receive new features in its March 18th update, including the ability to infect iOS devices (versions 5-7), alongside its existing ability to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (which makes it vulnerable to anti-TDSS tools).

[Figure: capture of the recent release notifications]

Zorenium, a relative of Betabot, is a very robust bot that is still undetected by most AV vendors. It has several key capabilities, including DDoS, form grabbing, bot killing, a banking Trojan module and Bitcoin mining. A basic Zorenium bot costs 350 GBP, and with advanced features (including P2P C&C, I2P C&C and more) the price can exceed 5,000 GBP.

[Figure: Zorenium payment plans]

According to the developers, it is still in beta and more features will be added over time.

[Figure: Zorenium source screen capture]

Torshammer666 – A New Variant of a DDoS Python Based Tool

Lately we have seen a new version of the Torshammer DDoS tool, created by An0nsec hackers. The An0nsec hacker group was established in 2012. Its members have links to the infamous hacker group AnonGhost, which initiated several cyber operations last year, such as OpUSA, OpPetrol and OpIsrael. They usually leak details from the databases of companies and government bodies in countries around the world, such as China, Canada and Russia. They also deface websites.

Torshammer is a well-known Python-based DDoS script intended for slow POST denial-of-service attacks: it opens many connections, declares a large Content-Length on each and then trickles the request body a few bytes at a time, so every connection ties up a server worker for as long as the server's request timeout allows. First published on Packet Storm in 2011, it has made the rounds and has been used by Anonymous, LulzSec and other hacktivist groups. As the name suggests, it can route its connections through the local Tor SOCKS proxy to mask the attacker's IP addresses. Because the traffic is low-bandwidth and arrives from Tor exit nodes, volumetric DDoS protection and IP blocklists do little against it; the effective countermeasures are short request-body timeouts and limits on concurrent connections per client, which most web servers and load balancers support.

The version that we have found (dubbed torshammer666) is tweaked in several places, adding the following functionality to the tool:

Ability to send GET Requests

Up until now Torshammer only supported POST requests; the ability to send GET requests has now been incorporated. The GET requests are structured as follows:

[Image: GET request as sent by Torshammer666]

The POST request has also changed: the Cache-Control and Accept-Charset HTTP headers have been added to it.

[Image: POST request as sent by Torshammer666]

Additional User Agent strings

Torshammer666 now supports three more UA strings:

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0

Below is a comparison of the User Agent strings in the two tools:

User Agent Strings – Torshammer (original, 20 strings):

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Googlebot/2.1 (http://www.googlebot.com/bot.html)
Opera/9.20 (Windows NT 6.0; U; en)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0
Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16
Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)

User Agent Strings – Torshammer666: the same 20 strings as above, plus the following three:

Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0

Note that the third new string is missing its closing parenthesis in the tool, and that several of the shared strings impersonate search-engine crawlers (Googlebot, Yahoo! Slurp), so the User-Agent alone is not a reliable indicator; it should be combined with request timing and per-client connection counts.
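The User-Agent list above, combined with the slow-request timing that is characteristic of the tool, gives a workable detection over web-server access logs. The following is an added example, not code from the post or from the Torshammer project. It assumes an Apache combined log with the request duration in microseconds (the %D directive) appended as a last field; the log lines are constructed, and the thresholds are illustrative.

```python
"""Added example, not code from the post or from the Torshammer project:
score access-log lines for Torshammer / Torshammer666 slow-request traffic.
Assumed log format (an assumption, not from the post): Apache combined log
with the request duration in microseconds (%D) appended as the last field.
Sample lines are constructed."""
import re
from collections import defaultdict

# User-Agent strings shipped with the original Torshammer (from the list above).
TORSHAMMER_UAS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)",
    "Googlebot/2.1 (http://www.googlebot.com/bot.html)",
    "Opera/9.20 (Windows NT 6.0; U; en)",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)",
    "Opera/10.00 (X11; Linux i686; U; en) Presto/2.2.0",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; he-IL) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16",
    "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Firefox/3.6.13",
    "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100804 Gentoo Firefox/3.6.8",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)",
}
# The three strings added in Torshammer666 (the last one lacks its ')' in the tool).
TORSHAMMER666_EXTRA_UAS = {
    "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<micros>\d+)$')

# Constructed sample: one slow-POST client, one normal visitor, one real-looking crawler.
SAMPLE_LOG = """
198.51.100.23 - - [07/Apr/2014:10:01:02 +0000] "POST /login HTTP/1.1" 408 0 "-" "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51" 300004512
198.51.100.23 - - [07/Apr/2014:10:01:03 +0000] "POST /login HTTP/1.1" 408 0 "-" "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51" 300002211
198.51.100.23 - - [07/Apr/2014:10:01:03 +0000] "POST /login HTTP/1.1" 408 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0" 300001870
198.51.100.23 - - [07/Apr/2014:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6" 45000318
203.0.113.77 - - [07/Apr/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0" 1834
192.0.2.55 - - [07/Apr/2014:10:01:06 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 2210
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["micros"] = int(rec["micros"])
    return rec


def score_log(lines, slow_seconds=30.0, min_hits=3):
    """Return {ip: {"hits", "slow", "variant"}} for clients that sent at least
    `min_hits` requests with a Torshammer UA and at least one slow or timed-out
    (HTTP 408) request. A matching UA alone is not enough: crawler strings in
    the list would otherwise flag legitimate search engines."""
    per_ip = defaultdict(lambda: {"hits": 0, "slow": 0, "extra_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"]
        if ua not in TORSHAMMER_UAS and ua not in TORSHAMMER666_EXTRA_UAS:
            continue
        stats = per_ip[rec["ip"]]
        stats["hits"] += 1
        if rec["status"] == 408 or rec["micros"] / 1e6 >= slow_seconds:
            stats["slow"] += 1
        if ua in TORSHAMMER666_EXTRA_UAS:
            stats["extra_ua"] = True
    flagged = {}
    for ip, s in per_ip.items():
        if s["hits"] >= min_hits and s["slow"] >= 1:
            flagged[ip] = {"hits": s["hits"], "slow": s["slow"],
                           "variant": "torshammer666" if s["extra_ua"] else "torshammer"}
    return flagged


if __name__ == "__main__":
    print(score_log(SAMPLE_LINES))
```

The Googlebot line in the sample is deliberately left unflagged: its UA is in the Torshammer list, but a single fast request is exactly what a real crawler looks like. The 408 status is the most useful signal when the server enforces a request-body timeout, because Torshammer's trickled bodies never complete.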

Cyber Criminals “TARGET” Point of Sale Devices

In the wake of breaches at retailers from Target to Neiman Marcus, culminating in CNET's January 12 report that at least three more retailers had been breached, we can see a renewed focus on cybercrime in the retail world, always a prime target for credit card theft. Moreover, the carding and underground crowds have become so skilled in the theft and sale of credit cards that within days of the attack on Target the stolen cards were already on sale.

Powering this trend is Point of Sale (POS) malware. In recent years we have identified increased underground activity in the sale and development of POS malware, with Dexter and Project Hook being the most notable. However, wherever there is a need there is a market, so the field is not limited to these specific families. A case in point is the versions of vSkimmer, POS.CardStealer and Dump Memory Grabber that our analysts came across last month. These are all dedicated Windows-based POS malware families developed in early 2013 and still prevalent today. Their common technique is RAM scraping: rather than tapping the card reader, they read the magnetic-stripe track data out of the memory of the process that handles the swipe, where it sits in cleartext for a moment before being encrypted for transmission.

Spy.POSCardStealer

A known POS Trojan detected by anti-virus products since January 2013. The malware builder was uploaded to the closed Russian forum exploit.in in December 2013. The tool was analyzed in detail on the Xylibox.com blog, revealing that it searches for Track 2 data from the card's magnetic stripe, which passes through the POS device's memory, and sends it to the C&C.

vSkimmer POS Trojan

A POS Trojan sold on the Russian underground during 2012 and early 2013. In March 2013 the builder was uploaded to exploit.in for free download; after a short time it was deleted, then uploaded again in October 2013. The botnet based on this tool was discovered in February 2013 and was widely considered to be Dexter's successor, with additional functions. The malware detects the card readers, grabs the card data from the Windows machines attached to them and sends it to a control server.

DUMP MEMORY GRABBER (Black POS)

A POS Trojan sold on the Russian underground since February 2013 (a video of the malware in action is available upon request). The malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. The price ranges from $1,800 to $2,300 (as of April 2013).

[Figure: original post uploaded by the malware seller]

Conclusion and Recommendations

It seems that the Target breach is poised to be the TJX of the POS world. If TJX brought about a complete rethinking of how credit cards should be processed in the enterprise back-end and in turn gave us PCI DSS, I think it is clear today that progress in PA-DSS and the work done by POS vendors is still insufficient to protect customers. It is very likely that we will start to see technologies that today target APT detection on enterprise computers shifted to POS networks, and perhaps even vendors and retailers taking a step back from Windows-based machines toward more dedicated, hardened operating systems. Retailers (both large and small) that wish to act against the threat of card theft should:

  1. Contact their POS supplier and make sure the payment application complies with PA-DSS.
  2. Ensure the POS system is fully up to date (and, with the end of Windows XP support, running on Windows 7 or later).
  3. Ensure security controls (both whitelist- and blacklist-based) are installed on the POS system. Application whitelisting matters most here: a POS terminal runs a fixed set of programs, so a RAM scraper is by definition a new, unapproved process.
  4. Install network-based security controls on the POS network connection. The POS segment should be able to reach only the payment processor and the management hosts it needs, so that a scraper's upload to a C&C server stands out.
  5. Be aware of the threat and know how to locate and mitigate it.
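The three families described above all look for the same artefact: magnetic-stripe Track 1 and Track 2 records in process memory. A defender can use the same pattern match to check whether a POS process exposes cleartext track data (recommendation 5 above), for example over a memory dump taken from the swipe-handling process. The following is an added example, not code from the post or from any of the malware families it names; the memory buffer is constructed and uses a well-known test card number rather than real card data.

```python
"""Added example, not code from the post or from any malware family it names:
scan a memory buffer for cleartext Track 1 / Track 2 records, the artefact a
POS RAM scraper hunts for. The buffer is constructed and uses the 4111...
test PAN, not real card data."""
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; weeds out number-like noise that is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display,
    so the scanner's own report does not become a second leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes):
    """Return one finding per Luhn-valid track record in buf, ordered by offset."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):     # formatted like a track but not a real PAN
                continue
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "exp_yymm": m.group("exp").decode("ascii"),
                "service_code": m.group("svc").decode("ascii"),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample of what a swipe-handling process's memory could contain.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00"
    b"%B4111111111111111^DOE/JOHN^15121010000000000?"   # Track 1, test PAN
    b"\x00garbage\x00"
    b";4111111111111111=15121010000000000?"              # Track 2, same card
    b"\x00"
    b";1234567890123456=15121010000000000?"              # Track 2 shape, fails Luhn
)

if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_MEMORY):
        print(finding)
```

The Luhn filter is what keeps such a scan usable on a real dump, where counters and timestamps frequently produce sixteen-digit runs; the masked output follows the same rule a retailer must apply to receipts and logs.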

The “Liberalization” of Cyber Crime

Written by Yotam Gutman

The British Bankers Association (BBA) announced last week that robberies at British banks have fallen by more than 90 per cent in less than two decades (http://www.bba.org.uk/media/article/the-decline-of-the-british-bank-robber).

The decrease in bank robberies has been mirrored in the United States, where FBI figures put the number of bank robberies nationwide at 3,870 in 2012 – the lowest in decades. However, while violent bank robberies are dropping, banks and other financial institutions are being increasingly targeted by cyber-criminals.

This switch can be attributed to improved bank security on the one hand, and to the combination of the relative ease of perpetrating cyber theft and the less severe punishment inflicted on convicted cybercriminals on the other. The following comparison table shows the pros and cons weighed by would-be criminals before they decide whether to engage in real or virtual (cyber) crime:

Criteria | Cyber theft | Actual bank robbery
Danger level | Damage to the eyes due to many hours gazing at the screen | High probability of injury or mortality
Difficulty | Not that hard | Very hard to execute flawlessly
Potential financial value | Endless | Limited to how much you can carry
Potential punishment | Perhaps a few years in a low-security prison, where you are likely to enroll in an "Internet" course | 20 years in a maximum-security prison, small cell with a roommate named "Axe"
Location | The comfort of your home | Some run-down bank branch
Previous know-how | None required | Guns, bank security procedures, driving
Appeals to | Anyone from script kiddies and bored teenagers to Russian mobsters | Violent, adrenaline-seeking disregard for the law

However, this only tells a part of the story. The real revelation is not how widespread cyber theft has become, but how easy it has become to execute.

Although the general public's notion is that cybercrimes, and especially theft from banks, are committed by highly skilled computer experts, the truth is that today one does not need special skills to become a cybercriminal, just the desire, the nerve and some basic IT skills (some initial funding wouldn't hurt either).

We have repeatedly identified attack tools sold on underground platforms that make cyber theft child's play. One simply needs to buy (or rent) these tools and activate them to start generating cash (and breaking the law). For instance, during March 2013 a veteran member of a Russian password-protected forum offered a MitB (Man-in-the-Browser) service for various bank sites and other sites where credit cards are used. The details are stolen from the victim when he browses to his bank's site, by injecting a fake page in place of the real one. In May of that year another tool, named MMBB (Money-maker Bank Bot), was offered on another forum, this time not as a download to install but as a (criminal) service. Pricing varies according to the service level: the basic package is priced at $4,999 per month, while a more comprehensive package, including a 24/7 helpdesk, costs $6,499 a month. True, these are hefty sums, but measured against the possible income of the would-be cybercriminal they pale in comparison.

Cybercrime is undergoing a rapid liberalization process, meaning that capabilities that were once reserved for an elite few are now at the disposal of practically anyone (with motivation and Internet access).

The outlook for the future isn’t rosy. With more and more people around the world gaining access to computers and the web, the number of potential victims is quickly rising. With cybercrime tools becoming more commonplace, more people will surely exploit this fact to try and generate quick cash (or virtual cash) with the aid of the tools sold on the underground.