Research

Posts Tagged ‘hacking’

Chinese Hackers Talk Hacking

Sunday, January 4th, 2009

[Photo: Chinese hackers, Beijing, China, 4/2008]

Zhong guo hei ke tan hei ke, or ‘Chinese Hackers Talk Hacker,’ was an information security conference held earlier this year in Beijing, China. Sponsored by Yesky, a popular Chinese electronics e-retailer, the event drew around 80 attendees, most of whom were hackers who had previously communicated with each other entirely over the internet. Some of the better-known attendees included Frankie Zie (now CTO of a network security company in China, a former black-hat who is well known in Shenzhen), r00t (who has hacked numerous U.S. websites), and netcc (who claims the ability to hack a thousand websites per month).

These figures show attack trends gathered by the SecureWorks CTU (Counter Threat Unit): the number of cyber-attacks seen per foreign country. The statistics are from September 2008; even so, it is clear that China’s numbers dwarf those of other foreign countries, and attacks from China continue to increase.

[Figures: SecureWorks CTU counts of cyber-attacks per foreign country, September 2008]

Interviews given at the conference and online offer some insight into the Chinese hacking subculture and why it is growing at such a rapid pace. Translated below are some responses that seem to reflect the attitude of the community:

Q: Under what circumstances will you perform a hack?

A: If it is a matter that affects us internationally, then we will gather members to perform the attack. Most of the time, we attack through the web site.

Q: What’s the difference between Chinese and U.S. hackers?

A: Over the past few years, Chinese hackers could not compare with hackers overseas. However, our hacking level is increasing rapidly. For example, we recently discovered a Microsoft vulnerability.

Xiao Rong, well known among the guests, provides software tools for use by other members of the hacking community. He begins his work nightly at 9pm and spends all night scanning overseas websites for latent vulnerabilities. His guiding principle is ‘Don’t be hostile towards society.’ Overall, the attitude seems white-hat in nature, despite some guests’ histories. It seems that if one’s intentions are judged to be ‘good,’ performing the hack is considered acceptable (never mind the legalities).

Here’s more from the conference:

Q: What is a hacker?

A: Hackers are a very disagreeable topic. In my opinion, hackers are interested in any kind of computer system; they proactively look for vulnerabilities in systems and at the same time look for solutions. Another kind of hacker, the ‘cracker,’ just intentionally breaks into others’ systems and causes interruption to them. Now, the media categorizes hackers and crackers alike. I must clarify that this is wrong.

Q: Who is your idol?

A: Kevin Mitnick. In my opinion, the real hacker will not name himself as such, only by others.

Q: What does the existence of hackers mean for the Internet?

A: The internet would not exist without hacker culture. In the 70’s, hackers proposed a simple machine to serve people, and thus created the PC. Apple was also created by 70’s hackers. Later, hackers proposed the sharing of information and thus created the Internet.

Another guest known as ‘Shot Gun’ commented: “…more than 80 percent of Chinese websites are vulnerable. In February of this year, the most secure network, Yahoo, was hacked – this made people realize the importance of network security. However, many companies don’t have the resources to secure their own network.” Later, while speaking about what ‘real hacking’ involves:

…the true hacker will lock themselves in a room, eating only instant noodles, with cigarette butts everywhere. The men do not shave for months, just to solve a technical difficulty.

…hackers are irreplaceable. Hackers are warriors, we should be grateful for their dedication and give them a “real name.”

As the Chinese ‘hackers’ and ‘crackers’ (it’s not immediately apparent that white-hats in other nations are playing by the same rules either) continue to mount attacks, the SecureWorks CTU continues to investigate and protect against these threats.

Information Source: http://blog.54master.com/index.php/710520/viewspace-31153


FTC takes on Antivirus XP

Friday, December 12th, 2008

Early last week the FTC took aim at Antivirus XP and the people behind it. This kind of scareware is a well known scam. My colleague Joe Stewart had previously investigated a similar scam, run by the Russian Bakasoftware group. From the court filings, the group the FTC is pursuing is run by American and Canadian citizens. The FTC sought and was granted a temporary restraining order (TRO) that requires the entities and people behind Antivirus XP to stop claiming they are performing AV scanning, concealing their identities (including to cease use of any domains registered using false information), and to not spend, hide or transfer any of their ill-gotten gains.

The TRO also extends to the defendants’ web hosting providers and banks. They are respectively ordered to take down and preserve web properties and to freeze assets owned by the defendants.

These scareware products have been marketed under a wide variety of names; those listed in the FTC’s complaint include WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and XP Antivirus 2008. These are remarkably similar to the names used by the Bakasoftware group that Joe reported on: Easy Spyware Cleaner, SpyRid, InfeStop, WinIFixer, Advanced XP Defender, Advanced XP Fixer, Malware Protector 2008, and Antivirus XP 2008. We do not believe these groups are related; rather, this is another example of successful tactics being copied by other malicious actors.

These scareware products have defrauded millions of dollars from consumers and left them vulnerable to other malware. It’s great to see the FTC take action against them. The order also requires the defendants to supply the FTC with business records, including affiliate data.

Hopefully the FTC will be able to go after the affiliates as well. As we previously disclosed, affiliates can earn big money from this kind of scam: a hacker known as NeoN broke into the Bakasoftware affiliate website and found that some affiliates were earning in excess of a hundred thousand dollars a week installing antivirus scareware.

The hearing for this case is scheduled for this afternoon (Friday, December 12, 2008). The defendants are ordered to appear, but personally I don’t have terribly much confidence they will be there. Even if they are not, I’d like to see the FTC follow the paper trail and seize assets. The complaint, restraining order, and press release can be found at the FTC’s website. Good job FTC, and good luck chasing the money trail.


ToorCon Report

Wednesday, October 1st, 2008

Greetings from sunny San Diego! The past couple of days have been an absolute blast. The folks at ToorCon have put together an awesome conference this year, including speakers from around the world presenting some cutting edge research.

Ben Feinstein and I attended a two-day “crash course” in penetration testing offered by Learn Security Online. Chris Gates and Joe McCray presented some excellent introductory material. They also included a few advanced evasion techniques that I hadn’t seen before. It’s always good to sharpen your skills.

During the Friday seminars, Jay Beale from InGuardians gave an overview of his man-in-the-middle tool, The Middler. He mentioned the code would be released Real Soon Now, so I look forward to a chance to play around with it. Jared DeMott, now at Crucial Security, also gave a rundown of reverse engineering using IDA Pro and the Immunity Debugger. I’m a big fan of Jared’s previous work with fuzzing.

The first day of the convention was pretty packed. Since I didn’t have the chance to attend Black Hat/Defcon this year, Dan Kaminsky’s DNS keynote and Alex Sotirov’s evasion of Vista’s memory protections were fresh and eye-opening to me. Ben also gave his talk about brute-forcing SSH sessions that use the broken Debian SSL libraries, the code for which is available as part of our open-sourced Snort plugins. Joe McCray also gave a good survey of various advanced SQL injection techniques; I really like his classification scheme for the types of SQL injection. Finally, Kurt Grutzmacher’s squirtle tool for obtaining and reusing NTLM hashes from inside corporate networks via XSS definitely proves that you must secure even internal Web applications.

Day two’s shorter format squeezed a lot more presentations in, but some of them felt pressed for time. Marc Bevard showed how to crack DES passwords with the PS3, using some awesomely optimized code. Chema Alonso released a tool for downloading remote files via blind SQL injection. Dennis Brown presented some interesting new details on the Asprox/Damnec botnet, which we’ve covered before. The presentation on hacking telephone entry systems elicited a few chuckles, especially the “dial 333 for rickroll” segment. Stephan Chenette’s presentation on browser hooking describes an excellent new technique for deobfuscating JavaScript, in the same spirit as our Caffeine Monkey tool. I’ve been really impressed with the convention this year. ToorCon is big enough to attract some high-quality presenters, but still small enough that you don’t get lost in the crowd. Hope to see everyone again next year!


Black Hat 2008 Wrap Up

Thursday, August 21st, 2008

By Hunter King & Nick Chapman

The saying goes: “What happens in Vegas stays in Vegas.” Well, apparently not during the week of Black Hat USA 2008. Black Hat is one of the world’s largest and best-known security conferences. Several members of the SecureWorks Counter Threat Unit had an opportunity to attend, and we’d like to share some brief highlights from a few of the talks.

There were many highly renowned speakers sharing their expertise, including our own Joe Stewart speaking about the Storm botnet. Informal conversations with other attendees were also extremely valuable. With all this knowledge and experience in one place, Black Hat really is like drinking from the InfoSec fire hose. We don’t want to keep you in suspense any longer, so here are a few samples from some of our favorite talks.

SQL Injection Worms for Fun and Profit

Readers of our previous blog postings will know that we, like many others, have been keeping an eye on the recent waves of mass SQL injection attacks (here, here, and here). Justin Clarke of Gotham Digital Science gave a turbo talk about this very topic. The main thrust of his presentation was that this is just the beginning. The current attacks, although widespread, are very limited in scope: the attackers target only websites that use Microsoft SQL Server as the backend database, and only Microsoft ASP (and more recently ColdFusion) websites. Once a website has been compromised, the payload targets only users who visit that site. Nastier attacks that could be on the horizon include privilege escalation and attacks on the database host OS, attacks on HTML forms, scanning of internal corporate networks and DMZs, and more. Today the attackers use the Google search engine to identify potentially vulnerable systems and have successfully compromised literally hundreds of thousands of websites. It would be quite feasible to use Google search results to further refine their focus, generating a targeted attack against an entire business vertical or just a particular organization.

Get Rich or Die Trying – “Making Money on The Web, The Black Hat Way”

Jeremiah Grossman and Arian Evans gave a wonderful talk about real world ways to monetize attacks, both against technology and flaws in business logic (Arian’s other talk about encoding issues was also very interesting). What I found fascinating is how, as the amount of money involved increased, the amount of technical expertise required to pull off the hack decreased. The presentation started by talking about manually solving CAPTCHAs for profit. Initial offers were for $10 per 1000 CAPTCHAs solved, which works out to an income of about $50 a day. However, free market competition drove that price down to as low as $2 per 1000 CAPTCHAs.

Another way hackers can make large sums of money without a high degree of technical sophistication is through information leakage. An Application Service Provider (ASP) which provided services to banks had been revealing sensitive information in an error message. Only three items of information were actually required to access an account through the ASP: a client identifier, a bank identifier and an account number.

These parameters were supplied via HTTP GET variables, easily modifiable by anyone with a web browser. If the three items didn’t match, the web application was kind enough to tell the visitor that “Account X belongs to Bank Y.” If a visitor used the correct bank identifier but the other parameters did not match, the website would inform them that “Bank Y belongs to Client Z.” The website was also only checking that a visitor was authenticated; it did not verify that the user was authorized to access a particular account. This could easily be exploited for profits in the tens or hundreds of thousands of dollars.

A third example requires even less technical expertise. A website featuring press releases (including profit and loss statements) would add press releases to its site ahead of their official release date — they just wouldn’t be linked from the main page. However, the press releases were stored on sequentially numbered web pages, so it was a trivial task to identify and access a “hidden” press release. This allowed outsiders to access P&L information for publicly traded companies before the market closed. Hackers exploited this to earn over 8 million dollars on the stock market.

The critical lesson here is that all avenues of attack must be considered. This is especially true when dealing with how the business logic is implemented at a technical level. This is very difficult to do, because it requires knowledge of the business processes and a grasp of some of the technical details that drive those processes. If you’re not aware of how these interact, rest assured that there are many people using your systems, and it only takes a single one having that “Eureka!” moment where they find a critical flaw. This can lead to financial losses in the hundreds of thousands or more. What’s even worse is that some of these “attacks” aren’t even illegal, not even in the United States.
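The ASP example above combines two distinct defects: error messages that confirm one parameter at a time, and an authentication check that never becomes an authorization check. The following is an added illustration, not code from the talk or from SecureWorks; the account records, user names, messages and handler functions are all constructed for the example. It puts a lookup handler with both defects beside a hardened one and includes the check a defender would run to confirm that the leak is closed.

```javascript
// Added example (not from the talk or SecureWorks): an account lookup that
// authenticates but never authorizes, beside a hardened version.
// All records, identifiers and messages below are constructed for illustration.

// Constructed directory: which client and bank each account belongs to, and
// which logged-in user is allowed to see it.
const ACCOUNTS = [
  { client: "client-7", bank: "bank-42", account: "100001", owner: "alice" },
  { client: "client-7", bank: "bank-42", account: "100002", owner: "bob" },
  { client: "client-9", bank: "bank-17", account: "200001", owner: "carol" },
];

// Vulnerable handler: checks only that a session exists, then explains
// exactly which parameter was wrong. Each error message hands back one more
// piece of the (client, bank, account) triple, and a match returns the
// record to ANY authenticated user.
function lookupVulnerable(session, query) {
  if (!session || !session.user) return { status: 401, body: "login required" };
  const byAccount = ACCOUNTS.find((a) => a.account === query.account);
  if (!byAccount) return { status: 404, body: "no such account" };
  if (byAccount.bank !== query.bank) {
    return { status: 400, body: `Account ${query.account} belongs to Bank ${byAccount.bank}` };
  }
  if (byAccount.client !== query.client) {
    return { status: 400, body: `Bank ${byAccount.bank} belongs to Client ${byAccount.client}` };
  }
  return { status: 200, body: byAccount };
}

// Hardened handler: the triple must match as a unit, the record must be
// owned by the authenticated user, and every failure returns the same
// generic response so nothing can be inferred from which check failed.
function lookupHardened(session, query) {
  if (!session || !session.user) return { status: 401, body: "login required" };
  const record = ACCOUNTS.find(
    (a) => a.client === query.client && a.bank === query.bank && a.account === query.account
  );
  if (!record || record.owner !== session.user) {
    return { status: 404, body: "no such account" };
  }
  return { status: 200, body: record };
}

// Leak check: start from an account number alone, as an authenticated user
// who owns nothing, and follow whatever each error message reveals. Returns
// the sequence of responses; a handler that leaks lets the walk reach the record.
function leakCheck(handler) {
  const session = { user: "mallory" }; // authenticated, but owns no account
  const responses = [];
  let q = { client: "?", bank: "?", account: "100001" };
  for (let i = 0; i < 3; i++) {
    const r = handler(session, q);
    responses.push(r.body);
    if (r.status === 200) break;
    const bank = /belongs to Bank (\S+)/.exec(r.body);
    const client = /belongs to Client (\S+)/.exec(r.body);
    if (bank) q = { ...q, bank: bank[1] };
    else if (client) q = { ...q, client: client[1] };
    else break; // generic message: nothing to follow
  }
  return responses;
}

console.log("vulnerable:", leakCheck(lookupVulnerable));
console.log("hardened:", leakCheck(lookupHardened));
```

Against the vulnerable handler the walk reaches the full record in three requests; against the hardened one it stops after a single generic response, and even the correct triple returns the generic response unless the session belongs to the record’s owner.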

Malware Detection Through Network Flow Analysis

The always entertaining Bruce Potter, founder of The Shmoo Group, gave a talk titled “Malware Detection Through Network Flow Analysis.” In it, Bruce emphasized the need to quickly detect compromised machines in order to minimize damage. Given the rate at which client-side attacks presently occur, compromise is, for many, inevitable. Quick detection of infections becomes an increasingly important tool in the defender’s toolkit. Bruce advocates analyzing network traffic data for statistical anomalies. For example, a desktop which sends out twice as much data as it receives is likely part of a botnet. Without NetFlow data (or similar), this infection may go completely unnoticed. Bruce also advocated including frequency distribution graphs alongside traditional time-based graphs as a method of quickly identifying potential network issues. Incorporating these techniques won’t stop the bad guys, but could greatly minimize the damage done once a compromise does occur.
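As an added illustration of the sent/received heuristic and the frequency-distribution view Bruce describes (this is not his code or SecureWorks’), the block below aggregates a handful of constructed flow records per internal host, flags hosts that send at least twice what they receive, and builds a log2-bucketed histogram of the ratios. The record format is a deliberately minimal stand-in for NetFlow export fields, and the addresses, byte counts, threshold and function names are all assumptions of the example.

```javascript
// Added example (not Bruce Potter's or SecureWorks' code): per-host
// sent/received ratio scoring over constructed flow records.

// Constructed flow records, one unidirectional flow per line, in a minimal
// key=value form standing in for NetFlow export fields.
const FLOWS = `
src=10.0.0.5 dst=93.184.216.34 bytes=1200
src=93.184.216.34 dst=10.0.0.5 bytes=48000
src=10.0.0.7 dst=198.51.100.9 bytes=90000
src=198.51.100.9 dst=10.0.0.7 bytes=3000
src=10.0.0.7 dst=198.51.100.10 bytes=45000
src=10.0.0.9 dst=93.184.216.34 bytes=500
src=93.184.216.34 dst=10.0.0.9 bytes=500
`;

// Assumed internal address range for the constructed data.
const INTERNAL = /^10\./;

function parseFlows(text) {
  const flows = [];
  for (const line of text.trim().split("\n")) {
    const fields = {};
    for (const kv of line.trim().split(/\s+/)) {
      const [k, v] = kv.split("=");
      fields[k] = v;
    }
    flows.push({ src: fields.src, dst: fields.dst, bytes: Number(fields.bytes) });
  }
  return flows;
}

// Aggregate bytes sent and received by each internal host.
function perHostBytes(flows) {
  const hosts = new Map();
  const entry = (ip) => {
    if (!hosts.has(ip)) hosts.set(ip, { sent: 0, received: 0 });
    return hosts.get(ip);
  };
  for (const f of flows) {
    if (INTERNAL.test(f.src)) entry(f.src).sent += f.bytes;
    if (INTERNAL.test(f.dst)) entry(f.dst).received += f.bytes;
  }
  return hosts;
}

// Flag hosts whose outbound bytes exceed inbound by at least `ratio`
// (2 by default, matching the "twice as much as it receives" rule of thumb).
function flagUploaders(hosts, ratio = 2) {
  const flagged = [];
  for (const [ip, b] of hosts) {
    const r = b.received === 0 ? Infinity : b.sent / b.received;
    if (r >= ratio) flagged.push({ ip, ratio: r });
  }
  return flagged.sort((a, b) => b.ratio - a.ratio);
}

// Frequency distribution of ratios in log2 buckets. Ordinary desktops
// (downloads dominate) cluster in negative buckets; a host in a high positive
// bucket stands out without needing a time axis at all.
function ratioHistogram(hosts) {
  const buckets = {};
  for (const b of hosts.values()) {
    const r = (b.sent + 1) / (b.received + 1); // +1 avoids division by zero
    const k = Math.floor(Math.log2(r));
    buckets[k] = (buckets[k] || 0) + 1;
  }
  return buckets;
}

const hosts = perHostBytes(parseFlows(FLOWS));
console.log("flagged:", flagUploaders(hosts));
console.log("histogram (log2 bucket -> hosts):", ratioHistogram(hosts));
```

On the constructed data only 10.0.0.7 is flagged (135,000 bytes out against 3,000 in, a ratio of 45); the histogram places it alone in bucket 5 while the other two hosts sit in buckets 0 and -6. On real exports the threshold should be tuned per host role, since mail relays and backup clients legitimately send far more than they receive.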

Circumventing Automated JavaScript Analysis Tools

Billy “AJAX” Hoffman’s talk, titled “Circumventing Automated JavaScript Analysis Tools,” focused on why current attempts to run malicious JavaScript within sandboxes are failing. With the increasing popularity of sandboxes, including SecureWorks’ own Caffeine Monkey, JavaScript-based malware is being forced to play “catch-up” with x86 malware with regard to sandbox detection. These techniques revolve around writing code which behaves differently in a browser than in a sandbox. Using the “quit” command within a try/catch block is a perfect example: this command, which does nothing when run from within a web browser, will exit Mozilla’s standalone JavaScript interpreter. Billy listed at least 20 pages of similar techniques (each of which has to be handled explicitly). Two main alternatives exist:

1) Analyze malware using a real browser within a VM. JavaScript can tell when it is being run within a sandbox, but not when it is running in a real browser in a VM.

2) Modify the Mozilla JS interpreter to run in headless mode. This would break the majority of Billy’s attacks and raise the bar significantly for malware authors. Any checks malware added to detect this form of inspection would themselves be easy to identify and evade.
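To make the quit-in-try/catch trick concrete from the analysis side, here is an added example (not from Billy’s talk and not Caffeine Monkey’s code). It runs an untrusted script with the interpreter-only quit() and minimal browser-like document/window objects shadowed as function parameters, so a call to quit() neither terminates the run nor goes unnoticed: it is recorded as an evasion indicator and execution continues into the branch a real browser would take. The harness, its stub objects and the sample script are all assumptions constructed for the example; the sample’s “payload” is a harmless document.write marker.

```javascript
// Added example (not Billy Hoffman's or SecureWorks' code): a minimal analysis
// harness that records interpreter-detection attempts instead of being ended by them.

function analyzeScript(source) {
  const indicators = [];
  const writes = [];

  // Shell-only quit(): undefined in a browser (ReferenceError, usually swallowed
  // by a try/catch), process exit in the SpiderMonkey shell. Here it is a
  // logged no-op so the script keeps running down its "browser" branch.
  const quit = () => {
    indicators.push("quit() called: standalone-interpreter detection attempt");
  };

  // Constructed stand-ins for the browser objects a payload typically touches.
  const document = { write: (s) => writes.push(String(s)) };
  const window = { navigator: { userAgent: "Mozilla/5.0 (constructed)" } };

  // Named parameters shadow any real globals of the same name for the script body.
  let error = null;
  try {
    new Function("quit", "window", "document", source)(quit, window, document);
  } catch (e) {
    error = String(e);
  }
  return { indicators, writes, error };
}

// Constructed sample in the shape the talk describes: probe quit() inside a
// try/catch, then run the (harmless) payload stand-in.
const SAMPLE = `
  try { quit(); } catch (e) {}
  document.write("payload branch reached");
`;

console.log(analyzeScript(SAMPLE));
```

Running the sample yields one indicator and one document.write, which is exactly the pairing an analyst wants: evidence of the evasion attempt alongside the behaviour the script would show in a browser. A script that never probes the environment produces no indicators, and an unhandled exception is returned rather than aborting the harness.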
