On the Economics of Botnets - Part 2

Friday, September 15, 2006
Since the economics aspects of network attacks seem to be of interest to some people (eWEEK and /.) I blog more about it... But at first, let me thank Jens Hektor and Jan Göbel who analyzed the incident and provided me with further data - without them, I could not blog about this :-)

Recently there was a malware incident within the network of my old university in Aachen: Blast-o-Mat, a custom IDS system, picked up an infected machine and redirected it to a quarantine webserver. This way, the user is instantly notified that something went wrong and can download patches and AV engines at that web site. A closer examination revealed that the infected machine also made some strange web requests: it tried to post data to a PHP script located on a remote server. It turned out that this machine was infected with Haxdoor (F-Secure report), one of the most advanced Trojans out there nowadays. Haxdoor (AKA Goldun) is - among other things - capable of collecting private data like username/password combinations entered within Internet Explorer and also has some rootkit capabilities.

During further investigation, several log files containing all information stolen from all infected machines could be found. In total, these log files contained more than 6.6 million entries, equivalent to 285 MB of data. This data was stolen from the compromised machines between April 19 and April 27, 2006, so within only nine days. In total, more than 39,000 different IP addresses fell victim to this particular Haxdoor infection. This shows the effectiveness of this kind of attack.

The vast majority of victims were located in Germany, most of them within IP ranges of dial-up users. This user group is an easy, yet very attractive, target for attackers: people who use the Internet at home for entertainment purposes are often not very security aware. Furthermore, patch management or additional security software like anti-virus engines or host-based firewalls are unfamiliar terms for them. Thus an attacker can compromise these unpatched machines with the help of autonomously spreading software in the form of bots. Once he has complete control over the victim's machine, he can use it to install additional tools, for example keyloggers or even more advanced tools like Haxdoor.

Presumably the most severe form of identity theft caused by Haxdoor concerns information related to financial transactions. This Trojan monitors the use of Internet Explorer and sends captured data (e.g., URLs and the content of HTML forms) to a central logging server, and thus this very sensitive information can be captured by the attacker. In the log files we found traces of at least 15 different banks whose customers were affected. Moreover, the log files contain complete information about at least 280 bank accounts and 28 credit card numbers with complete details. The rather low number of credit card details can be explained by the nationality of the victims: in Germany, the usage of credit cards is not as common as in the US.

In addition, Haxdoor is capable of retrieving the information in the Protected Storage (PStore) Service of infected machines, which contains rather sensitive information, as the following (sanitized) example shows:

-==; Protected Storage: 
Outlook: pop.gmx.net | PASS
http://12090.forum.onetwomax.de/:StringData | USER PASS
http://ksv-hessen.de/:StringData | USER PASS
http://pixum.de/:StringData | e-Mail PASS
http://www.fussballstammtisch.de:StringData | USER PASS
http://www.willstequatschen.com/index.php:StringData | USER PASS
-==; Account
POP3 Server | pop.gmx.net
POP3 User Name | e-Mail
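
As an added example (not from the original post and not the investigators' tooling), a small Python parser for dumps in the format above. It assumes a record layout in which each victim's block is preceded by that victim's IP address on its own line (an assumed layout; the post does not show how records are delimited) and derives per-site victim counts of the kind a CERT needs when deciding whom to notify:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: two victim records in the dump format quoted above.
# Credentials are already redacted (USER/PASS placeholders), as in the post.
# The IP-address-per-record layout is an assumption for this example.
SAMPLE = """\
192.0.2.10
-==; Protected Storage:
Outlook: pop.gmx.net | PASS
http://12090.forum.onetwomax.de/:StringData | USER PASS
http://pixum.de/:StringData | e-Mail PASS
-==; Account
POP3 Server | pop.gmx.net
POP3 User Name | e-Mail
192.0.2.11
-==; Protected Storage:
http://pixum.de/:StringData | USER PASS
http://www.fussballstammtisch.de:StringData | USER PASS
"""

SECTION_RE = re.compile(r"^-==;\s*(?P<name>[^:]+):?\s*$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_dump(text):
    """Return {victim_ip: {section_name: [(key, value), ...]}}."""
    victims = {}
    ip = section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if IP_RE.match(line):          # start of a new victim record
            ip, section = line, None
            victims[ip] = defaultdict(list)
            continue
        m = SECTION_RE.match(line)     # "-==; Protected Storage:" / "-==; Account"
        if m:
            section = m.group("name").strip()
            continue
        if ip is None or section is None or " | " not in line:
            continue                   # malformed line: skip rather than guess
        key, value = (p.strip() for p in line.split(" | ", 1))
        victims[ip][section].append((key, value))
    return victims

def site_of(key):
    """Map a PStore key like 'http://pixum.de/:StringData' to its hostname."""
    key = key.rsplit(":StringData", 1)[0]
    host = urlsplit(key).hostname if key.startswith("http") else None
    return host or key.split(":")[0]   # e.g. 'Outlook' for mail-client entries

def exposure_by_site(victims):
    """Number of distinct victim IPs whose credentials for each site were exposed."""
    per_site = defaultdict(set)
    for ip, sections in victims.items():
        for key, _ in sections.get("Protected Storage", []):
            per_site[site_of(key)].add(ip)
    return {site: len(ips) for site, ips in per_site.items()}
```

The per-site counts tell the responder which site operators and mail providers to contact, while the per-IP records feed the ISP notifications mentioned below.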


This information was handed over to the fine folks at DFN-CERT, the Computer Emergency Response Team responsible for German research and education networks. The affected users were warned in cooperation with universities, ISPs and other affected sites - as far as possible, at least...