May 8, 2012

Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, “Hey you got your chocolate in my peanut butter!,” and the other would shout, “You got your peanut butter in my chocolate!” The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available.

It may be that the Internet security industry is long overdue for its own “Reese’s moment.” Many security experts who got their start analyzing malware and tracking traditional cybercrime recently have transitioned to investigating malware and attacks associated with so-called advanced persistent threat (APT) incidents. The former centers on the theft of financial data that can be used to quickly extract cash from victims; the latter refers to often prolonged attacks involving a hunt for more strategic information, such as intellectual property, trade secrets and data related to national security and defense.

Experts steeped in both areas seem to agree that there is little overlap between the two realms, neither in the tools the two sets of attackers use, their methods, nor in their motivations or rewards. Nevertheless, I’ve heard some of these same experts remark that traditional cyber thieves could dramatically increase their fortunes if they only took the time to better understand the full value of the PCs that get ensnared in their botnets.

In such a future, Chinese nationalistic hackers, for example, could avoid spending weeks or months trying to break into Fortune 500 companies using carefully targeted emails or zero-day software vulnerabilities; instead, they could just purchase access to PCs at these companies that are already under control of traditional hacker groups.

Every now and then, evidence surfaces to suggest that bridges between these two disparate worlds are under construction. Last month, I had the opportunity to peer into a botnet of more than 3,400 PCs — most of them in the United States. The systems were infected with a new variant of the Citadel Trojan, an offshoot of the ZeuS Trojan whose chief distinguishing feature is a community of users who interact with one another in a kind of online social network. This botnet was used to conduct cyberheists against several victims, but it was a curious set of scripts designed to run on each infected PC that caught my eye.

Computers infected with ZeuS variants typically relay not only password data, but also basic information about the victim PC, including operating system version, default browser, the system time, and the machine name that the victim user picked when installing the OS. But this version of Citadel sought much more information, and instructed all infected PCs to relay the output of several network diagnostic tools designed to help map out a local network.

Hosts infected with this version of Citadel were instructed to run several variations on the “net view” command, which displays a list of domains, computers and resources that are being shared by systems on the host PC’s local network. The hacked machines also were forced to run the command “osql -L”, which produces a list of database servers that may be present on the network. In addition, compromised PCs were prompted to run the Windows command line instruction “ipconfig /all”, which provides a wealth of data on the Internet addresses assigned to different components of the local network.

A screen shot of the Citadel panel. This page shows the breakdown of antivirus tools installed on infected PCs.

Other diagnostic commands run on each machine sought to dump the list of Windows users and groups on the network, as well as the homepage of the victim’s default browser (the latter is interesting because many organizations set internal systems to default to the company’s Intranet page).

It may well be that the miscreants behind this botnet simply wanted to cover their bases, in case the need arose to identify administrator accounts or users most likely to have access to sensitive financial information. And, of course, miscreants with complete control over infected systems always can run these commands manually. But it is rare to find examples of those involved in traditional cybercrime who are interested in gathering this information from so many infected systems by default, according to Dmitri Alperovitch, one of the aforementioned experts on Eastern European cybercrime who transitioned to tracking APT threats a few years back.

Alperovitch, co-founder of CrowdStrike, a security startup focused on identifying APT attacks and victims, called the development “troubling.” Alperovitch said the hackers behind this Citadel version may be trying to map out who exactly the victims are — as a precursor to selling access to those machines.

“Many of these techniques are exactly what the APT guys use to map out victim organization once they get access to it,” he said.

If APT attackers and the miscreants focused on ebanking fraud are such a match made in heaven, why aren’t we seeing more signs of interaction between these two communities? Alperovitch believes it’s because there aren’t many areas where these two worlds overlap.

“It always amazed me that this was not happening, and I questioned why that was the case for a number of years, and I’ve come to realize the reason is that these two communities — those doing intrusions for espionage purposes and cybercrime purposes — are so far apart and don’t really talk to each other or don’t know how to connect,” he said.  “If you’re a guy who’s specializing in banking cashouts, how do you find someone who is interested in F-35 fighter plane schematics? It’s not so easy.”

Alperovitch said he’s seen APT-based groups occasionally using financial cybercrime tools like ZeuS, but in those cases it appears the attackers were either lazy or were trying to conserve resources.

“That’s just the nature of convenience, because tools like ZeuS allow you to build [the malware] yourself and use it as a first-stage malware delivery system, instead of burning your own custom tool that’s much more valuable to you,” he said. “But just because these [APT actors] were using ZeuS doesn’t mean that they were collaborating with any cybercriminal group. I’m not discounting the possibility of an intermediary potentially bridging these two groups, but it would take someone in the cybercriminal world with a lot more connections with the intelligence agencies to take advantage of it.”


14 thoughts on “At the Crossroads of eThieves and Cyberspies

  1. Mike

    They may not have to do much with each other because the APT people are entirely aware that the crooks might use information against them and try to get into their systems.

    I’d expect the CIA would pay good money and non-criminal money to find out about Chinese spying efforts.

  2. Ed

    Its surprised me before i know a few people who do the corporate espionage game, for instance a contact of mine works on a commision basis with a sewage pump company they pay him 5% of the total value for any leads he gets them which end in a sale

    he has access to the email accounts of two of their competitors so knows the quote that the other companys are giving to an individual business.

    the company then wins the contract because of the insider information last month he made over $50k from just this one company

  3. James

    interesting how they were using such simple commands to explore the local networks. Seems to me that any scriptkiddie could be behind an attack like this, I would expect sophisticated attacks by these criminal groups to use more advanced methods. Great reporting Brian.

    1. Neej

      Er … so what more “advanced” methods would you be using to establish IPs domains and databases then?

      Sometimes simple is best and in this case it almost certainly is: it appears based on Brian’s writeup that the information gleaned is a “bonus” (if you like) in addition to the original attack. There’s no reason to use anything other than simple shell commands to get this information.

      1. prairie_sailor

        If a simple command is readily available to do a task – use it. Much less likely you’ll do something to arouse the suspicions of malware and intrusion detection tools.

    2. Seymour Butz

      I think running commands like this presents a fairly “light” load on the system, whereas a more elaborate tool could increase the risk of being noticed. Running a multitude of WMI queries would likely result in more disk access, slowing access to the rest of the system, instead of just running a bunch of command line tools and piping the result to the C&C system.

      Any custom executable requires time to develop & debug, then you have to deploy it to the infected systems, which means the tool needs to be fairly compact. Once deployed you have the specter of it being traced back to the developer, based on coding style, code signing certs, etc. so there is risk involved.

      The last thing a thief wants is their custom app to crash and have users submit crash reports to Microsoft, et al. Keeping the app simple keeps it small and makes it easier to debug.

    3. JCitizen

      I should think a good UTM appliance would catch probing such as this. Mine did. I violated my own rules just once, and used the factory installation disk for a Brother laser printer, and I started getting blocking alerts immediately.

      One should never use the disk from the factory, and always download the latest drivers from the makers web site. Even that may not be a guarantee that similar malware won’t be present, but the odds go down that way -IMO

      1. ITSec Pro

        UTM appliance is unlikely to be found on a network compromised with the malware described. If it is, it did not do its job did it?

        1. JCitizen

          Unified threat firmware can be fooled if the appliance has an algorithm that assumes something has been approved by the administrator. Skype comes to mind. It can be defeated, but the new firmware just keeps getting better and better, and the hardware improves yearly.

          I little granular control can go a long way. The Chinese have been trying to penetrate my perimeter every since 2006. If they’ve been successful, I haven’t detected it yet.

  4. Anarchist

    Why do you always meddle Brian? Can you not jut go leave criminals alone? Is it too hard for you? Please, leave. Go to Mars Brian.

    1. Jonathon

      “The only thing necessary for evil to triumph is for good men to do nothing.”

  5. Alfred Huger

    I am not sure I agree with the premise of the story. Hackers often tend to come from common communities regardless of where they apply their skills. This has been especially common in Europe for years and I imagine the US is not much different. Most people cut their teeth somewhere and generally it’s in a common pool. I can see why some people in the industry would benefit from making this a new unique bogeyman all on it’s own but I think it’s a lot more nuanced than that.

    The underground has been trading account lists and ingress points for decades. Sometimes for tools sometimes for favours and I am sure sometimes for cash. To take an ancient example look at the hackers Cliff Stoll caught. They actively traded account data on X25 networks with others and if I recall they both hacked for recreation and state purposes.

    1. ITSec Pro

      IIRC the Cuckoo’s Egg hackers were dupes of a state-run intelligence agency, and at least one ended up dead as a result of the agency closing out the project when it was discovered.

      I assume that the marketplace for compromised systems has some structure that values some systems more highly than others, but expect that there is little value added beyond access. Seems to me that the nation-state actors associated with APT are less likely the marketplace than the corporate espionage folks, which is going to bring the cybercrooks somewhat into competition with the nation-states doing economic espionage.

      Ah, we live in interesting times…

  6. steve

    Its not gonna make a big difference if you use a simple command or a more complex one, a good ids ops will catch em all. I think the point is that based on the reporting done by mr. Krebs it looks like anybody could have been behind this and its definitely important to analyze specifically the level of complexity that the remote attacker used when controlling the zombie. It always helps to figure out who your attacker may be by examining exactly what he or she did or tried to do. EXCELLENT reporting.

Comments are closed.