How to Prevent DDOS Attacks by Blocking Phish and Malware Hosts Gary Warner, CTO of Malcovery Security Malcovery Threat Intelligence Links Attacks to Unsafe Web Servers w w w . m a l c o v e r y . c o m 2 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS White I N T R O D U C T I O N The purpose of this White Paper is to demonstrate how the Malcovery Cyber Intelligence & Forensics architecture (MCIF) can be used to analyze external threat data and show correlations to spam, phishing, and malware events. Malcovery Threat Intelligence can prevent DDOS attacks by blocking phish and malware hosts. MALCOVERY’S EMAIL-‐BASED THREAT INTELLIGENCE COLLECTION For years we have known that the primary way Phishing sites are created is through a compromised web server. In fact, the Anti-‐Phishing Working Group’s Global Phishing Survey 1H2013 documents that more than 77% of phishing sites that used a domain name were hosted on hacked or compromised web servers.i The Malcovery PhishIQ system provides our customers with the ability to review the stored forensic evidence of more than 600,000 confirmed phishing websites. w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 3 Because the database contains information about the Domain Name, IP Address, full URL and other information about the phish, including statistics, hashes and samples of all of the content files used to make the phishing webpages, queries can be made against the database to identify common attributes that reveal information about the hosting location and method of the phish, and to identify “favorite hosts” for phishing. w w w . m a l c o v e r y . c o m 4 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS Malcovery Security also reviews nearly a million spam messages per day to identify newly emerging attack vectors. These new malicious spam campaigns are documented in our Today’s Top Threats (T3) reports. The data in these reports answer the questions: – – – – – What is the spam subject? What hostile URLs are advertised? What hostile attachments are present? What network touches does the malware make? What additional malware drops if executed? Quite often the malicious links advertised in email messages documented in the T3 reports will contain strings of text in the path portion of the URLs that help us to understand the method by which a webserver has been compromised. One common example would be the string “/wp-‐ content/”. In the 3rd Quarter of 2013, more than 200 compromised web servers were used in 17 major malware distribution spam campaigns to deliver malicious content via URLs stored in the “/wp-‐ content/” directory of a webserver. This content placement indicates that the criminal has the ability to upload content into a WordPress server, either through a vulnerability in an outdated version of WordPress, or by compromising the userid and password of a WordPress account holder on the server. The Malcovery PhishIQ system documents that in more than 51,000 cases, a Phishing URL has contained the “/wp-‐content/” string, indicating that these phishing sites were also created via a WordPress hack or account compromise. INTERSECTION OF PHISHING AND MALWARE DISTRIBUTION The T3 report also documents IP addresses and URLs of computers that infected computers call out to. We call these “Indicators of Compromise” and document them with the <BLOCK> tag in the XML Version of our T3 reports. When we chart the relationship between these Indicators of Compromise computers and the Spam Campaigns they originate from, we find that many computers are re-‐used for numerous malware campaigns. Certain of those IP addresses have been identified that are able to link together many seemingly disparate attacks, where the primary link between the attacks is not in the spam subject, or the URL advertised in the email, or even the IP addresses that sent the spam, but based on the fact that a computer infected by the malware associated with that campaign will communicate with a Command & Control server, or attempt to download additional malware, from a computer that is also used as a C&C or malware distribution point in other campaigns. w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 5 In the chart above, we see that the IP address 64.50.166.122 is associated with many malicious spam campaigns including: an August 29th eFax campaign, a September 10th Better Business Bureau campaign, Her Majesty’s Revenue & Customs campaigns from September 10th and 12th, QuickBooks, Royal Bank of Scotland, and UK Companies House campaigns on September 12th, Dun & Bradstreet on September 23rd, and RBS again on October 15th. “But are those Indicator of Attack IP addresses ALSO associated with phishing?” We next used the Malcovery threat collection to ask the question, “how often has an IP address that was used in phishing attacks also listed in a recent T3 report as an Indicator of Compromise IP address?” We used IP addresses found in the T3 XML reports for the previous 120 days and compared them to phishing IP addresses from January 1, 2012 to present. (Note that the AVERAGE phishing IP address in the Malcovery PhishIQ database has been used for phishing on more than eight separate URLs, so 600,000+ phishing URLs reduces to about 68,000 phishing IP addresses.) w w w . m a l c o v e r y . c o m 6 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS Phish IPs (68000) Block IPs (1200) 27% of the IP addresses tagged as <BLOCK> by Malcovery T3 ALSO hosted phish We then asked the Malcovery collective if there were certain IP addresses among the Indicators of Compromise for our T3 Reports that were abused for phishing more than others. Many of the IP addresses found were used dozens of times for phishing and several were used more than 100 times! The table below shows the Phishing x Malware IP addresses that were abused most often. Column #1, “Days of New Phish” are the number of days when a new URL was found for phishing on that IP address. Days of New phish IP Address NetBlock ASN Organization Name ASN # Country 337 213.186.33.19 213.186.32.0/19 OVH OVH Systems 16276 FR 224 213.186.33.2 213.186.32.0/19 OVH OVH Systems 16276 FR 216 213.186.33.4 213.186.32.0/19 OVH OVH Systems 16276 FR 189 213.186.33.3 213.186.32.0/19 OVH OVH Systems 16276 FR 179 64.29.151.221 INFB2-‐AS -‐ InternetNamesForBusiness.com 30447 US 167 213.186.33.87 213.186.32.0/19 64.29.144.0/20 OVH OVH Systems 16276 FR w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 7 INFB2-‐AS -‐ InternetNamesForBusiness.com 30447 166 66.175.58.9 66.175.0.0/18 78 80.150.6.138 80.128.0.0/11 DTAG Deutsche Telekom AG 3320 DE 94.136.40.103 94.136.32.0/19 AS20738 Webfusion Internet Solutions 20738 GB DALLASNAP-‐AS -‐ Global Net Access, 205.251.152.178 205.251.152.0/22 LLC 27413 US 65 46 US Clearly some computers that host malware related content are also being used quite frequently for phishing! THE IZZ AD DIN AL QASSAM DDOS ATTACKS From the early days of the al Qassam DDOS Attacks, researchers at Malcovery and elsewhere have been documenting that most of the attacking bots are actually hosted on high bandwidth web servers.ii DDOS Attacks from the days of Mafia Boy vs. eBay in 2000 until September 2012 were largely the same. A criminal would plant malware on many thousands of home computers and then cause those computers to generate traffic against the target of his choice. All of that changed with the al Qassam DDOS attacks against the major American banks. More than 200 separate DDOS attacks have been documented by the Iranian-‐based hackers behind “Operation Ababil” as these attacks are sometimes known. On several occasions, the FBI was able to share a list of attacking addresses used in Operation Ababil with the security community. We applied a similar technique to determine what the overlap was between some of these groups of attacking computers and the Phishing and Malware data stored at Malcovery. We compared three different data sets, one from March 2013, one from September 2013, and one from October 30th 2013. The March and September datasets contained only US-‐based IPs, while the October dataset contained World-‐Wide IP addresses. w w w . m a l c o v e r y . c o m 8 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 24.4% of March BroBot DDOS IPs were also used for phishing Malcovery Phishing Data (68,000+ confirmed phishing IPs used in 566,000 a@acks) Brobot March 10,000+ DDOS IPs Of the 350 IPs found on BOTH DDOS lists, 183 were used for phishing Brobot September Nearly 5,000 a@acking IPs 33.4% of September BroBot DDOS IPs were also used for phishing What we found was a very significant overlap in computers used to participate in the Operation Ababil DDOS attacks and computers used to host phishing websites. Nearly 25% of the March 2013 IP addresses, and more than 1/3rd of the September addresses were also phishing hosts! w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 9 Malcovery Phishing Data (68,000+ confirmed phishing IPs used in 600,000+ a@acks) Of the 20,000 unique Brobot IPs world-‐wide 3,987 of them were used for Phishing as well Brobot October 20,000+ DDOS IPs The world-‐wide dataset provided in late October also showed an astonishing overlap between DDOS-‐attacking computers and Phish-‐hosting computers, though not quite as high as the US-‐only datasets. While there have been a variety of techniques used to compromise the webservers used in Operation Ababil, several of the known techniques are similar to the techniques used by both website defacers, phishers, and malware distributors, including scanning for vulnerable websites through the use of “Google Dorks” (search engine terms that can be used to suggest that a particular vulnerable PHP Application may be present on the target webserver) as well as password brute forcing techniques. A partial list of known “Brute Force” passwords used by the Operation Ababil hackers to create DDOS websites is listed below: $passwords = array('porsche', 'firebird', 'prince', 'rosebud', 'guitar', 'butter', 'beach', 'jaguar', 'chelsea', 'united‘ ,'amateur‘, 'great‘, 'black', 'turtle', '7777777', 'cool', 'steelers', 'muffin', 'cooper', 'nascar', 'tiffany', 'redsox','jackson','zxcvbn', 'star', 'scorpio', 'cameron', 'tomcat', 'mountain', 'golf', 'shannon', 'madison', 'bond007', 'murphy', '987654', 'amanda', 'bear', 'frank', 'brazil', 'wizard', 'tiger', 'hannah', 'lauren', 'doctor', 'dave', 'japan','money', 'gateway','eagle1', 'naked' , 'phoenix', 'gators', 'squirt', 'mickey', 'angel', 'stars', 'bailey', 'junior','nathan', 'knight','thx1138','raiders', 'alexis','iceman','porno', 'steve','tigers' , 'badboy', 'forever', 'bonnie', 'purple', 'debbie', 'angela', 'peaches', 'andrea',' spider', 'viper', 'jasmine', 'melissa', 'ou812', 'kevin', 'ranger', 'dakota ','booger', 'jake', 'matt', 'iwantu', 'lovers', 'qwertyui', 'player','flyers', 'danielle', 'hunter', 'sunshine', 'fish', 'gregory', 'morgan ', 'buddy','matrix', 'whatever', '4128', 'boomer', 'teens', 'runner ','batman', 'cowboys', 'scooby', 'nicholas', 'swimming', 'trustno1', 'edward', 'jason', 'lucky', 'dolphin', ‘thomas', 'charles', 'walter', 'helpme', 'gordon', 'girls', 'jackie', 'casper', ‘robert', 'booboo', 'boston', 'monica', 'stupid', 'co ffee', 'braves', 'midnight', 'love' . . . ) w w w . m a l c o v e r y . c o m 1 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 0 When we repeated the query used to compare Phishing website to XML BLOCK addresses with the current dataset, it was no surprise that many of the same systems appeared on the list. Days of New phish IP Address NetBlock ASN Organization Name ASN # Country 337 213.186.33.19 213.186.32.0/19 OVH OVH Systems 16276 FR 224 213.186.33.2 213.186.32.0/19 OVH OVH Systems 16276 FR 216 213.186.33.4 213.186.32.0/19 OVH OVH Systems 16276 FR 198 213.186.33.17 213.186.32.0/19 OVH OVH Systems 16276 FR 189 213.186.33.3 213.186.32.0/19 OVH OVH Systems 16276 FR 167 213.186.33.87 213.186.32.0/19 OVH OVH Systems 16276 FR REGISTER-‐AS Register.IT S.p.A. 39729 IT QSC-‐AG-‐IPX QSC AG / ehem. IP Exchange GmbH 15598 DE 113 81.88.48.95 81.88.48.0/20 99 89.31.143.116 89.31.136.0/21 97 88.190.253.248 88.176.0.0/12 81 213.186.33.16 213.186.32.0/19 PROXAD Free SAS 12322 FR OVH OVH Systems 16276 FR Seven of the Top Ten IP addresses used for both Phishing and Malware were ALSO found to be used for both Phishing and DDOS attacks! As we consider the implications of this information, we conclude that a new urgency may be in order. Using threat intelligence from Malcovery, we can easily identify which compromised computers are being compromised for the first time and which have been compromised repeatedly, even dozens or hundreds of times. As a Network Defender considers the appropriate stance towards a new threat to his or her network, we hope that this form of valuable cyber intelligence will become part of the threatscape and be used to drive change in the behavior of website owners and hosting companies. w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 1 1 We have long known that there was value in storing attack attributes for future analysis. The Operation Ababil attacking IP addresses provides just one example of the way third party data sources can be compared against the intelligence found in the Malcovery Cyber Intelligence & Forensic Systems to bring additional knowledge to an investigation. Some final thoughts We hope you have found the information in this paper useful and informative. Here are a couple final thoughts regarding phishing and malicious spam as a result of what sis presented in this paper: 1.) Phishing -‐ if you are about to do a take-‐down on a site that has hosted 100 phishing sites this year, don't waste your time-‐-‐-‐or your money. Demand that someone find out what is really going wrong with the site and actually fix it. 2.) Malicious spam—If you are using a service such as Malcovery’s T3, because these sites are blocked in T3 already, you are protected from FUTURE attacks. Is it wrong to block a website that has 500 organizations hosted on the same IP? Yes, there could be collateral damage -‐ but if a company is willing to host on an IP address that has participated in distributing malware, phishing sites, and DDOSing the major American banks, then their ignorance or their neglect has earned them the right to be blocked. w w w . m a l c o v e r y . c o m 1 HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 2 i APWG Global Phishing Survey, 1H 2013 – Rod Rasmussen ii “Bank DDOS Attacks Using Compromised Web Servers as Bots”, Michael Mimoso, January 11, 2013. http://threatpost.com/bank-‐ddos-‐attacks-‐using-‐compromised-‐web-‐servers-‐bots-‐011113 w w w . m a l c o v e r y . c o m HOW TO PREVENT DDOS ATTACKS BY BLOCKING PHISH AND MALWARE HOSTS 1 3 A B O U T G A R Y W A R N E R CHIEF T ECHNOLOGIST, C O-‐FOUNDER Gary Warner is a world-‐renowned researcher and speaker on the subject of catching cyber criminals. Gary, a seven-‐time Microsoft Most Valuable Professional, is the visionary, inventor, as well as patent holder, for much of the technology that drives the Malcovery solutions. In his role of Chief Technologist for Malcovery Security, Gary drives technical product direction, architecture, and definition and development of security application. In addition to his Malcovery role, he remains the Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB). In this role, which brings together the Computer and Information Science department with the Justice Science department, he is doing research that helps law enforcement and other security professionals identify, apprehend, prosecute, and convict cybercriminals, and spreads information to victims and potential victims about cybercrime issues. Gary was the founding president of the Birmingham chapter of the FBI’s InfraGard program, has served on the boards of the InfraGard National Members Alliance and the National Board for the Energy ISAC. He has been recognized by FBI Director Robert Mueller for “Exceptional Service in the Public Interest” and received the IC3 and NCFTA’s Partnership Award “in recognition of his outstanding support in the ongoing battle against cybercrime.” w w w . m a l c o v e r y . c o m
© Copyright 2024