
V!4GR4 BotNet: Cyber-Crime, Enlarged

BSides Lisbon · 2017 · 47:30 · 109 views · Published 2017-11
About this talk
Counterfeit pharmaceutical trafficking relies on persistent web application attacks to operate at scale. This talk analyzes real attack data from a major botnet targeting the counterfeit Viagra industry, exposing methods of operation, estimating the size and profitability of the scheme, and discussing defensive strategies against such campaigns.
Original YouTube description
Trafficking of counterfeit pharmaceuticals is a massive industry, and has been known for its persistent usage of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used in order to operate a huge network which generates substantial income to its operators. In this session we're going to introduce some of the main Methods of Operation for these groups, estimate the size of this operation, and why it matters. We will walk through real attack data, to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks. ABOUT THE SPEAKER: Ben has years of experience in hacking stuff, writing code, and in his past was a red team leader, and technical leader as a CTO and research manager. Ben is the group manager of Imperva's research group, consisting of elite security researchers and developers - researching Applications Security, Network Security, Data Analytics & Machine Learning.
Transcript [en]

that we have them here thank you much thank you hi everybody and good afternoon this is a perfect talk to give after lunch because it's thank you this is my son so it's not I didn't start that good this is my son so he's obliged to do that so this is a great talk to do after lunch because it's kind of fun it's light and it touches many subjects web application vulnerabilities some non obvious ones cybercrime viagra so I think that we have everything we need to and we even touch the number one export industry from Portugal so it's going to be lots of surprises and I have two t-shirts for the people who will ask questions in the

end I had five but some people in here stole some ok so a little bit about myself this is the one ok so I have two children one of them came with me and this is his first trip to a cybersecurity conference ever so him and in my professional experience is from PT penetration testing up to head of offensive security in a penetration testing company and development several roles up to VP R&D and CTO of a cybersecurity startup and currently I work for Imperva Imperva is a security company that has security products like most security companies our range of products is from protecting enterprise databases to protecting web applications web applications mobile applications anything that goes over

HTTP HTTPS and also protecting infrastructure is connected to the Internet and I lead the research group for the company these are also my Twitter and LinkedIn ok so first of all let's get it over with I know that this is a talk about Viagra and we're all expecting to hear jokes about viagra for the entire talk so I decided to just wrap it up in three slides so let's get it over with and start this is the first one okay okay this is the second one and the third one okay that's it no more jokes everybody is leaving the room okay so this is sildenafil citrate aka viagra and this is how our story begins it started as an

experiment of drug company called Pfizer which you've all heard about they tried to find a new medicine for angina for throat pain and the heart issues and they discovered that people were still having those problems but were much happier so they decided that this might sell and they patented it and started selling it and of course the rest is history is there anyone in here who haven't heard about this drug no okay good I want to ask the second question I usually ask okay so so a little bit about the history the economic history of Viagra when when it came out as soon as it came out it took a couple of months but

immediately counterfeit drugs went out because you know if it sells so good then people need to to fake it and make it but then a couple of years ago like six years ago some changes occurred in this which made the industry even more interesting so first of all there was a legal battle in Canada about the invalidation of the patent I think the grounds were the obviousness but it was it took about three years because you know it's a court battle it doesn't take a day but the the patent in Canada was invalidated why it's important to our story because in Canada you can buy parallel versions or gray versions of Viagra that are

actually made by legitimate company because it's not patented and you can buy it for a very cheap price if you compare that with the price say in the US then in the in the in 2013 some European countries in some European countries the patent was expired so then again it creates some sort of a vague feeling about this like parallel import versus counterfeit is very hard to tell and this game gives room for marketing counterfeit drugs you're saying this is not counterfeit this is a Canadian drug that I'm just buying legally in Canada and I'm sending them to you so okay it's not legal because the FDA does not approve importing drugs but that's on an

economic economic ground right if they want to protect the local industry it's different than then if it's made in a workshop somewhere and so then in a couple of years it's going to be expired worldwide so then it's going to be almost it's going to be very cheap worldwide this is the what I was referring to the number one export industry of Portugal right Cristiano Ronaldo I guess you all know him the is the the single most valuable athlete in the world it makes just for me the salary not including sponsorships etc 58 million dollars per year which is a lot this is the legal viagra industry in Cristiano Ronaldo's so you use you see

how how big it is okay okay so but let's get let's get another image of this this is the average software engineer salary is it true for Portugal as well Wow that's unanimous you guys make a lot of money okay so but that's in the US right in my country it's also below average but it's okay that's the average software development a pair salary in Viagra that was half of it this is another screen so we're talking about a lot of money and whenever we're talking about a lot of money there is a lot of incentive for people to deal with this kind of industry either for good like opening their own online pharmacy that sells

legitimate drugs or to counterfeit or to start a campaign that will sell illegal versions of the drug and this is just Viagra there are many it's just like in the 30 or 40 place of top-selling pharmaceuticals right so there's all types of roughly made and the other stuff some of them we've seen in our in the campaign that are selling five times as much as the viagra but viagra is a catchy everybody knows it so according to the World Health Organization 10% of the pharma market is counterfeit that's again a lot of money all of this again explains why the attackers have so many resources when they are doing those cyber crimes because there is tons of

money out there it's billions and billions of dollars in the counterfeit drug market something less funny there is an annual death toll of over 1 million people per year due to illegal pharmaceutical due to counterfeit drugs that is the sources the Interpol so I would take that with a grain of salt of course because 1 million sounds a bit high it sounds too high but there is a death toll of people and there are stories online of people who just bought antidepressant for example online and just died so this is also not just economic this is crime and this is just the tip of the iceberg some of the known campaigns for

selling viagra online like GlavMed and SpamIt they were exposed a couple of years ago six seven years ago and and they rolled a lot of money like dozens of millions of dollars in revenue so we established until now that this is a market this is a big market and that cyber criminals had a lot of incentive to do that then it's no wonder why we are seeing so many of these spam about illegal drugs this is the number one worst spam in the world the the spam that is the most active in the world that's called the Canadian Pharmacy and let's see a little bit about how it works and this is continuous this is a

number one for several years now so let's say that we want to sell viagra online okay because we saw that there is a lot of money in it and we want to make a lot of money because in here we don't make $100,000 software engineers we want to make that 100 thousand dollars so there are lots of websites that can be searched for in the internet I'm not talking about the darknet and in the internet in Google especially using Russian keywords because the source of this campaign is in the Ukraine so this is this is an affiliate program for Viagra a classical one it offers thirty to fifty percent commission how many of you have done

affiliate marketing in here okay you so it's a lot of fun but you don't make thirty to fifty percent commission right from Amazon or Ebay or anything like that unless you're doing affiliate program for Viagra okay so it's a lot of commission it's definitely it can be tenfold what you make for legitimate some of the legitimate campaign you're getting everything everything you need in order to make this successful you're getting the banner you're getting templates for website you you're getting API support so if you want to scale your operation you you want to automate things you you have API support and they know who they are dealing with of course first of all they're saying where do we take the

traffic to the once you have established your account you have your website you take your from email dispatches which means spam in English Google Translate did not translate that well to email dispatches it should be spam okay and they put a lot of emphasis they say yeah we know this is the market and what we also guarantee is the high level of anonymity because they know that in a lot of cases in most cases unlike normal affiliate marketing where you put a lot of content and you expect people to buy legitimate stuff they expect people to to use it in a bad way so then what you this is what you're getting you're getting a template

website okay you're getting a template website okay and you have a lot of templates here he has a smile what he has more hair but it's the same template okay and then you have these sorts of templates you have Indian a pharmacy mexican pharmacy etc you have special sales you have everything they put a lot of faces inside I saw in one of their in one of the forum posts they have that they're saying why we do this mostly for canadian pharmacy because because it's it's confusing for people Canada is seen as the country with high health standards etc and the parallel issue of importing drugs and we're putting a lot of people inside so it

looks really like a normal templated website so there you have it although all sorts of templates that you're getting now let's say that you got all these templates and you want to start making money so you have you have several options not just these two but these are the main two that you're going to start with probably right either one to send spam okay you want to send billions or millions of emails you know that they click through ratio is going to be very low so you want to send a lot of these emails and you want to bypass spam filters because spam filters are used to this sort of spam but you want to send it and then hopefully someone

will click that website and it will be in a moment of doubt and it will say yeah I'm taking this or you can you can do SEO so in in one in one plan when you're sending spam for example you don't want Google to follow to follow this website because you want it to live longer but if you're doing SEO you want Google to rank you high up now let's say that you want to do the SEO part first we'll get to the spam as well let's say that you want to do the SEO you need to pick between white hat SEO and a black hat SEO now to the guy who does affiliate marketing or did I don't know

you need the SEO right because otherwise you're not making a lot of money SEO search engine optimization you probably all know about it getting your site high on Google or Bing since this is Microsoft let's also mention Bing but but you want it to be high so you have two types of SEO services search engine optimization you have experts who are doing this legitimately they're putting a lot of content pages linking to your website they're doing link exchanges they're they're doing a lot of legitimate things within the area of slightly manipulating the PageRank algorithm and Bing algorithm whatever it's called there's also blackhat SEO which means gloves are off let's do anything we can in order to get

a lot of links to that website and that is what we will we are going to do if we're going to send a lot of spam air to send people to this website because anyway someone will pull the trigger and cut it off in a week in a month in two months but the ISP or someone will send abuse complaint and and your website is anyway going down so there's no point in investing a lot of money for getting content to your website when it's going to get offline so this is one campaign that we saw for a blackhat SEO and what it does is this it sends the user agent in the HTTP request it first

sends a user agent okay and then it does a semicolon and it sends this SQL function okay this SQL function is basically looking at the metadata of the database of the not information schema but for the MS SQL sys databases it looks for the the tables and it looks for any string columns like varchar columns and then it takes the those it has a an iteration on these columns and then it does some sort of a modulo or it does a randomization and in 10% of the times it adds a link to a specific website and then in some of the other cases it only adds text ok now the text

is aimed at getting like getting Google to understand that this page also deals with this thing so if you searching it for Google in Google you might get it higher up and the link of course gets traffic to your website and also get a link to your website through Google okay so it was run really high scale and we have the collect research in our you know website in our blogs and that is what happened after they deployed of course some of the pages for example they just put the text they do HTML encode if they do HTML escaping so we just see the plain HTML in the in the description of the page and you see so

you see the HTML tags it's not really working in these cases but it does get to Google with a lot of results right so when you're doing it this high scale and if you use for example one of the WordPress plug-in vulnerabilities out there you're bound to hit something so that was about SEO first of all any questions so far about SEO yes you know you just but if you but now you must know okay any any other question not you okay SEO is search engine optimization it means getting your site to be in the top positions in Google okay okay so let's go the other way this is a tough tough audience and I have it every day at home so it's

tough every day okay so spam let's move to spam okay so there are some simple things about spam right for example domain domain is no issue it's no problem we register a lot of domains of course once you do it in as an operation and in high volumes it becomes an issue but then again it's not that much of an issue to register domain there are there are bound to be domain suppliers that don't have enough anti automation protection or even you can take people and pay them to register the domain so domains let's say that it's not it's a non-issue right registering a lot of domains or one domain email lists are no issue as

well you can scrape for emails and you can buy email lists in absurd prices email servers are more of an issue if you want to send a lot of emails and remember that the click through ratio is going to be very low so you need to send a lot of emails in order to get some money okay so we've seen a lot of a lot of web applications attacked by this this is the WSO WSO is one of the most popular web backdoor web shell the code is available on git on GitHub not GitLab and the code is available on GitHub and it there are a lot of variants for it as

well and then you once you install this once you upload it say from a vulnerable WordPress plug-in to a website or web application you can control that application and then what we saw was that attackers are doing this they're sending a in WSO is the action you want to do so it has PHP it has a I don't remember the exact name but yeah you can execute SQL command you can view file the you can download file so there's a running PHP code and what they're running is and that's P the P the P parameters are for the payload so p1 p2 p3 is for payload then they're taking a variable a PHP variable and they're

putting the base64 decode of this string into that variable okay and then what it decodes to is PHP command to run they do eval and afterwards so they eval this PHP body a file body so inside the base64 lies another base64 that gets into a parameter called file body okay and what is done with that file body is a back door that looks like this let's insert it into the website so we're using the generic WSO backdoor in order to add their specific their custom vector now let's see what this code does this code takes an array of the post parameters and then the strings array is an explode explode you split in PHP like

ok so it splits it splits it by the pipe by the pipe character of a base64 decode of a base64 decode of a base64 decode of a base64 decode of a base64 decode of a base64 decode of a base64 decode of the value okay so basically it does eight times the base64 decoding of the string now why would they do it first of all they're not very good developers I guess I mean this this gave me a migraine when I saw it I saw it and and second of all it says that you have some sort of system that monitors your traffic and it a it sees what looks like

a base64 string and then it tries to do you try to decode it and then you're getting another gibberish in the assumption I think if I need to reverse do reversing on the psychology of the attackers is that someone will give up after the second or third decoding and but then this is what it does and then it gets an array right so the array is the structured data set of to email which is the email that we're sending the spam to subject body and header so so then it does again extra three base64 decoding okay because it is not enough okay and it gets the strings one once it gets the string it just sends

the email using the native PHP mail function okay so this is basically they're using the WSO in order to get this specific custom back door that get the payloads and it's fast you're sending a lot of lots of record from your email list that you you have and with the messages that you want to send and then you're using it to send spam but there is a problem in here that we found and I thought that it was really cool we'll see if you if you guys will agree with me so they're doing all of these base64 again and again and again and again to obfuscate the their payload and in order for people not to be able to to

see what's in there right but that's the first case in recorded history of overdosing on base64 okay why is that this is how base64 works for ASCII we have eight bits right eight bits because two to the power of eight is 256 right so we have 0 to 255 in ASCII right so this character this is the non-printable characters in ASCII will be 2 4 6 8 it will be until here okay this is the the ASCII character this will be its value in base64 we only take the first six bits there's a certain truncation that happens in base64 why because we're turning the text into into 64 bit bit part which is upper case lower case and

two numbers and two other signs all printable characters that's part of what we want to achieve with base64 the message because once we do that we need to concatenate more and more base64 converted strings will take more space because we're not using a lot of the ASCII characters but all of it will be will be printable characters and will be characters that will not do any trouble when we're for example transferring them over the web so everything is great right because we take this and we convert it according to the table and we're getting this for example and then this is M and then we're adding to it another six bits and then we're getting

6 and then L and then P this is this is how base64 works but there's a special case with uppercase V V you can remember that from viagra okay base64 6 6 bits of V the base64 is basically a conversion table right it's like 1 is a 2 is B ok like ASCII but a different conversion table when we have these bits one zero one zero one in ASCII 0 1 0 1 0 1 1 0 is capital V in ASCII you can check me you have a laptop open you can check me she held laptop ok with base64 it's the same first 6 bits so what happens when we try to encode a capital letter V

into base64 what will we get the same exactly we're getting a capital V ok so every time we will get to a string that starts with the capital V it will stay a capital V when we base64 encode it right but then there are three letters who are the first hop from capital V okay every time you you encode T it will become in the next hop a V when we truncate it to a base64 and then this is the next phase all of these letters if something starts with the capital L if we encode it twice in base64 it will become V okay and so on and so forth so we wrote a small Python

script I hope I have it ready that just it just does this okay so even if I don't have it it's not that complicated it takes all the characters and then it does a loop an iteration to check when how many hops will it take to get to a capital V and this is how it works so you see there is this table and it shows all the all the hops this character will do until it becomes a capital V so V is 0 hops okay so how is this important except that it's very interesting that there's this collision collision between encoding which is really cool and we didn't find any information about it in

the internet so that's also interesting is that we don't know how to find stuff on the internet or oh it's interesting so once you have a capital V okay this is the base64 this is the base64 encoding after you have the capital V you will always have a lower because that's the the next collision and then you have this string V capital V m 0 lowercase w lowercase d 2 capital Q and y so if you take a string and encode it enough times like eight times in the in that payload you will get this this initial this prefix so this this was actually to tell the truth we first saw the prefix and then we wanted to

understand why it has this prefix all the time but but it was very interesting to dig to dig into this and understand the case of the truncating payloads so like I said getting a domain is easy email lists are easy email servers we now have them with this by abusing a lot of vulnerable websites and sending them the backdoor okay but domain is not enough okay we need domains okay we need a lot of domains because like I said someone will blacklist them will send an abuse complaint and then they will they they will shut down and we will need additional domain okay so when we register the domains what do we do about it to keep them safe from blacklisting

as much as possible so then another payload that will send is another another base64 string okay which was also sent through this WSO and this string was this okay it's this string this is the file body and then it saves this save this as dot htaccess okay dot htaccess in Apache servers have configurations for that directory and then it writes it down okay now what it tries what it writes down is this it it sets the error document to be a redirection to a specific URL so now if I take a vulnerable website and I inject this into all the regular traffic will go go fine okay no no one will even notice but if

someone makes a mistake and and clicks on the link that does not exist they will get redirected to my website so now it's less domains that I need to buy because when I'm linking this this it will it will link to a legitimate site and not just directly to my site and the most important thing about this is because there are email filtering spam filtering services that are looking for links inside emails and are checking reputation databases those services either they're doing this active or passive but when they're looking at the reputation they're just getting Joe's Garage the the is WordPress application was vulnerable and then this 404 page was inserted into we also saw some other

ways of doing the same thing basically we saw an invisible iframe like inserting gibberish PHP which is an invisible iframe on top of the entire screen which which shows the website the target website that we want to go it goes through or JavaScript redirects again the same principle we're taking a site your site is attacked no one is taking your crown jewels no one is hacking your database to get maybe they do that as well but no one is trying to get your credit card but all of a sudden you find yourself in the fifth page in Google because you have very bad reputation because you're linked to in spam campaigns okay so this is a summary

of how this works so we have the user okay the user gets a spam email the spam email is sent to a non-existent link on the at the attacked website okay then he opened the email get the 404 I think I started from the from then he opened the email it gets to the 404 the 404 is a redirection to the target site that sell them illegal drugs the the way this is this gets to in that the domain is injected with the shell in both cases and then the attacker modifies the htaccess file and that creates that redirect for other domains and sometimes same domains are used for both type of backdoors domain is

injected with the custom PHP malware we called it Matryoshka because we have Russian researchers and it's like that matryoshka like a doll within a doll within a doll within a doll and so that that is the custom back doors it's inserted in there in there and then the spam emails are sent through there through that site's mail function so once you do that you need to you need to create a buffer zone between you as the attacker as the one who's running all of this operation and the end your victims okay now bear in mind that you're making a lot of money from selling this so this is a very lucrative type of business so

the these were it's what the geographical spread of the of the IPs participating just in the operation of routing then rerouting of the the traffic because you set the error page to a certain domain and then there's a system behind it that's all this routing so tomorrow it will change to another domain because that domain was cancelled was revoked so the the network that was doing this was huge it was over 80 thousand IP addresses okay now this operation could have been done with several IP addresses or just by using Tor but someone really needed high scalability machine to do all the routing for this campaign and to end to run all of this there are several

interesting things about the geographical spread because we saw some we didn't see almost anything from the US and nothing from Canada by the way which is surprising for the Canadian pharmacy but but we saw countries that we don't see often in botnets whether it's a DDoS botnets or account takeover botnets etc like Egypt like Algeria so probably it had something to do with either browser add-on for these countries or something like that we didn't investigate that angle but we saw traffic from unusual locations and again when we're talking about scale because this we have a lot of money going on in this system etc so these all of these domains from this campaign were bought in the same day okay and this is

constant this is not like a peak day this is a random date there were dates with more with more domains but in the same days but dozens of domains were bought in the same day something that was interesting was different days had different geographical domains so probably you can see a day that all the domains that they were they purchased were Indian domains for example and of course these are .ru domain Russian domains so again this is operation with the scale that people had a lot of money to invest in so wrapping it up about this topic first of all these campaigns existed years ago and they continue to exist and evolve because again there's a lot of

money and whenever there's a lot of money involved people will find the motivation to deploy this sort of wide campaign and it's always interesting to see the non-trivial attacks done on web applications for example the Apache Struts remote code execution attacks that the waves of attack that we had this year from the different vulnerabilities that there were in Apache Struts it was brought to the media that for example Equifax was hit from Apache Struts vulnerability and the motivation was very clear get private information and monetize it make money from it and it's always interesting to see other types of activities the cybercriminals are doing they're infecting your website but they're not infecting your website just to get your

database or get your users or get your private information they're infecting it - to get PageRank to get to send mail through it and they don't want you to find out about about what they're doing so this is a this is something that's interesting about this this campaign so we top regard oh thank you very much and a questions okay so question yes basic support there was a clear initial string string are there other initial strings for different amounts of the double encoding so if you have five rounds of base64 is there a different initial string that you can yeah yeah when you when you do a five five fold base64 encoding you will get capital V then a

lowercase M because you will always get if you take something and you base64 encode it five times you will get a capital V eventually from any ASCII character out there but then if you take it and encode it enough times you will always get a lowercase M because it's the next collision okay so you will always get this this prefix you will always get after eight or ten base64 encoding of any string additional questions

if the sites are taken down after a month or something do they really sell anything to the guy that buys the stuff first of all I never operated such a campaign but I can imagine that they do because they they don't their philosophy their their psychology is not to get people to trust them over time like a sales people they're building rapport and eventually we will sell something you're getting too into a very directed ecommerce website okay and they're saying you're you have depression yeah someone is selling you this drug for $200 for a bottle you can buy it online because it's parallelly imported you're getting the same thing for $20 so they're building on that on the fact

that this is so lucrative that someone will pay immediately. They're not building on people to make this their homepage and then after a month or two buy it. It's like a landing page: they want people to enter and buy within the time.

Oh, OK, now I get the question. OK, so there were some researchers who bought drugs from such websites, and they got Singh in some of the cases it was actually the same chemical component, only sent from Mumbai and from China. I don't think that maybe the Interpol or organizations like that the wider tests and investigations, but bought like the entire product line to see what's true and what not.

There was an interesting case a few years ago, in the U.S. I think, of a woman that committed suicide after she bought counterfeit drugs, and then in the test they found that it was nothing, it was like nothing related to that drug. So I guess it's like filling the lottery: you may win, you may not. But I would not try this on myself. Any more questions? Yeah.

Hi there, great talk. Did they get away with using the PHP mail function in 2017, or do they do SPF, like, trust things and their domains?

Well, in this campaign they do. It's, when you're doing this in such a wide scale, the other example would be

that, for example, adding the SQL injection to the user agent. For example, in 2017, you are right, it shouldn't work, right? And the mail function also shouldn't work, but I guess it does in low-end hosting websites, where the mail function is configured in the php.ini file and it has the default SMTP server for the hosting company, and then it does it field, you know, for the contact form etc., and then it just works. To what extent, I'm not sure, but yeah, it does send the emails.

Hi. We talked regarding exactly this attack here: this user agent, is it used against a specific web server or... I

think, well, there were some, both WordPress and Joomla and other applications that had vulnerabilities: plugins, for example SEO plugins, that take all the user agents and then just don't sanitize the data and insert them into the database. And again, like the same question, it's funny that in 2017 we're still dealing with SQL injection, for example, but we are, and we do see this, and just a couple of weeks ago there were new SQL injection vulnerabilities in core functions in WordPress, depending on the usage that the plug-in did. So it's still a vulnerability that's out there. It's not... if you do this in a wide enough scale, you will be OK.

So, we use

the machine learning in different things. Here it was not machine learning, but we do use machine learning in some things, and I will just do some bullet points, but if you want we can discuss this afterwards. We do machine learning when we are looking at anomalies, at suspicious traffic. We do two things to it. One of them is to use heuristics, that is, domain knowledge. For example, if I'm looking for suspicious payloads going through our CDN, and we are looking for those specific types of things, and then we see that some of the vectors, for example, impersonated the user agent, like, said they're Google Chrome when they're not Google Chrome, or some of

them did other various anomalies. We do an automated risk assessment in that heuristic part, but we also do a machine learning algorithm that looks for the... between zero, which is probably a false positive (if you try to block it, it will be a false positive), to one, where this is almost certainly an attack, as much as machine learning can be certain of anything. We use this as well. So the idea is not to find what we are looking for when we're looking with domain knowledge. For example, OK, if it's a vulnerability scanner, I can be pretty sure that this is an attack, whereas with machine learning I could find more interesting

things. So this is one part where we're using machine learning for application security. Another part is for clustering attacks, for finding, for example, from 1 million or 100 million alerts or pieces of traffic that were blocked, which ones belong to the other. Like, instead of saying this is 100 thousand bad things that happened today: this 12K where someone from your office network ran a vulnerability scanner, whereas this is a referrer spam campaign, so you just need to address box. So this is another part, and again, if you want, you can discuss it. Not to worry. More questions? Still, I think, a few minutes. This part, we didn't get any expressions from this part; this is the cool part. OK, no

more questions? OK, thank you. Thank you ran. [Applause]
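
The base64 answer from the Q&A, worked through as an added example that is not part of the talk or the speaker's tooling: repeated base64 encoding drives every input toward the same leading characters, which a defender can use as a cheap pre-filter before peeling the layers. The sample inputs and function names below are constructed for illustration.

```python
import base64
import binascii

# Constructed inputs; none of them come from the talk's attack data.
SAMPLES = [b"a", b"constructed sample payload", b"\x00\xff", b"SELECT 1"]

def encode_rounds(data: bytes, rounds: int) -> bytes:
    """Apply base64 encoding `rounds` times."""
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data

def shared_prefix(rounds: int) -> str:
    """Longest prefix common to every sample after `rounds` encodings."""
    encoded = [encode_rounds(s, rounds).decode("ascii") for s in SAMPLES]
    prefix = []
    for chars in zip(*encoded):
        if len(set(chars)) != 1:
            break
        prefix.append(chars[0])
    return "".join(prefix)

def peel(blob: bytes, max_depth: int = 32):
    """Strip base64 layers until the data stops being valid base64.

    Returns (layers_removed, innermost_bytes). max_depth bounds the work
    done on hostile input.
    """
    depth = 0
    while depth < max_depth and blob:
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break
        blob, depth = decoded, depth + 1
    return depth, blob

def looks_multi_encoded(value: str) -> bool:
    """Cheap pre-filter on the fixed prefix, confirmed by actually peeling."""
    return value.startswith("Vm0w") and peel(value.encode())[0] >= 3

if __name__ == "__main__":
    for n in (1, 5, 7, 9, 10):
        print(n, repr(shared_prefix(n)))
    print(peel(encode_rounds(SAMPLES[1], 6)))
```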
