How to Prevent DDOS Attacks by Blocking Phish and Malware Hosts
Gary Warner, CTO of Malcovery Security
Malcovery Threat Intelligence Links Attacks to Unsafe Web Servers
INTRODUCTION
The purpose of this White Paper is to demonstrate how the Malcovery Cyber Intelligence & Forensics architecture (MCIF) can be used to analyze external threat data and show correlations to spam, phishing, and malware events.
Malcovery Threat Intelligence can prevent DDOS attacks by blocking phish and malware hosts.
MALCOVERY'S EMAIL-BASED THREAT INTELLIGENCE COLLECTION
For years we have known that the primary way phishing sites are created is through a compromised web server. In fact, the Anti-Phishing Working Group's Global Phishing Survey 1H2013 documents that more than 77% of phishing sites that used a domain name were hosted on hacked or compromised web servers [i]. The Malcovery PhishIQ system provides our customers with the ability to review the stored forensic evidence of more than 600,000 confirmed phishing websites.
Because the database contains information about the Domain Name, IP Address, full URL and other information about the phish, including statistics, hashes and samples of all of the content files used to make the phishing webpages, queries can be made against the database to identify common attributes that reveal information about the hosting location and method of the phish, and to identify “favorite hosts” for phishing.
Malcovery Security also reviews nearly a million spam messages per day to identify newly emerging attack vectors. These new malicious spam campaigns are documented in our Today’s Top Threats (T3) reports. The data in these reports answer the questions:
– What is the spam subject?
– What hostile URLs are advertised?
– What hostile attachments are present?
– What network touches does the malware make?
– What additional malware drops if executed?
Quite often the malicious links advertised in the email messages documented in the T3 reports contain strings of text in the path portion of the URL that help us understand the method by which a web server has been compromised. One common example is the string "/wp-content/".
In the 3rd Quarter of 2013, more than 200 compromised web servers were used in 17 major malware distribution spam campaigns to deliver malicious content via URLs stored in the "/wp-content/" directory of a web server. This content placement indicates that the criminal has the ability to upload content into a WordPress server, either through a vulnerability in an outdated version of WordPress (or one of its plugins), or by compromising the userid and password of a WordPress account holder on the server.
The Malcovery PhishIQ system documents that in more than 51,000 cases a phishing URL has contained the "/wp-content/" string, indicating that these phishing sites were also created via a WordPress hack or account compromise.
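The path-string triage described above can be automated. The Python below is an added example, not Malcovery code: it classifies a constructed list of spam-advertised URLs by compromise-hinting path fragments, counts distinct hosts per fragment, and lists which hosts were re-used across campaigns. Only the "/wp-content/" indicator comes from this paper; the other directory names in the indicator table, and every URL and campaign name, are this example's own assumptions.

```python
"""Triage spam-advertised URLs by compromise-hinting path strings.

Added example, not Malcovery code. Only the "/wp-content/" indicator comes from
the paper; the other directory names are assumptions about other common web
applications, and every URL and campaign name below is constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Path fragment -> what its presence suggests about how the host was compromised.
PATH_INDICATORS = {
    "/wp-content/": "WordPress: outdated core/plugin or stolen WordPress login",
    "/wp-includes/": "WordPress core directory (assumed indicator)",
    "/wp-admin/": "WordPress admin directory (assumed indicator)",
    "/images/stories/": "Joomla media directory (assumed indicator)",
}

# Constructed sample: (spam campaign name, hostile URL advertised in the email).
SPAM_URLS = [
    ("eFax 08-29", "http://shop.example/wp-content/uploads/2013/08/efax.php"),
    ("eFax 08-29", "http://Blog.Example:8080/wp-content/themes/x/doc.php?id=1"),
    ("BBB 09-10", "http://shop.example/wp-content/plugins/cache/bbb.php"),
    ("BBB 09-10", "http://travel.example/images/stories/complaint.zip"),
    ("HMRC 09-12", "http://news.example/wp-includes/js/hmrc.php"),
    ("HMRC 09-12", "http://cdn.example/dl/refund.exe"),
    ("HMRC 09-12", "not a url"),
]


def classify(url):
    """Return (host, indicator). indicator is None when no fragment matches;
    host is None when the URL has no parseable host part."""
    parts = urlsplit(url)
    if not parts.netloc or not parts.hostname:
        return None, None
    host = parts.hostname.lower()          # hostname already drops the port
    path = parts.path + "/"                # so a bare ".../wp-content" still matches
    for fragment in PATH_INDICATORS:
        if fragment in path:
            return host, fragment
    return host, None


def hosts_by_indicator(records):
    """indicator -> set of distinct hosts whose advertised URLs carry it."""
    out = defaultdict(set)
    for _campaign, url in records:
        host, indicator = classify(url)
        if host and indicator:
            out[indicator].add(host)
    return dict(out)


def campaigns_by_host(records, indicator="/wp-content/"):
    """host -> set of campaigns that advertised a URL under `indicator` on it.
    A host appearing in several campaigns is a repeatedly abused server."""
    out = defaultdict(set)
    for campaign, url in records:
        host, found = classify(url)
        if host and found == indicator:
            out[host].add(campaign)
    return dict(out)


if __name__ == "__main__":
    for ind, hosts in sorted(hosts_by_indicator(SPAM_URLS).items()):
        print(f"{ind:18s} {len(hosts):3d} host(s)  {PATH_INDICATORS[ind]}")
    for host, camps in sorted(campaigns_by_host(SPAM_URLS).items()):
        print(f"{host:18s} used in {len(camps)} campaign(s): {sorted(camps)}")
```

The host count per indicator is the figure the paper reports for the quarter (200+ servers across 17 campaigns); the per-host campaign set is what identifies the servers that keep getting re-used, which is the point of the rest of the paper.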
INTERSECTION OF PHISHING AND MALWARE DISTRIBUTION
The T3 report also documents the IP addresses and URLs that infected computers call out to. We call these "Indicators of Compromise" and document them with the <BLOCK> tag in the XML version of our T3 reports. When we chart the relationship between these Indicator of Compromise computers and the spam campaigns they originate from, we find that many computers are re-used across numerous malware campaigns. Certain of those IP addresses link together many seemingly disparate attacks: the primary link between the attacks is not the spam subject, the URL advertised in the email, or even the IP addresses that sent the spam, but the fact that a computer infected by the malware associated with one campaign communicates with a Command & Control server, or attempts to download additional malware from a computer, that is also used as a C&C or malware distribution point in other campaigns.
In the chart above, we see that the IP address 64.50.166.122 is associated with many malicious spam campaigns, including an August 29th eFax campaign, a September 10th Better Business Bureau campaign, Her Majesty's Revenue & Customs campaigns from September 10th and 12th, QuickBooks, Royal Bank of Scotland, and UK Companies House campaigns on September 12th, Dun & Bradstreet on September 23rd, and RBS again on October 15th.
“But are those Indicator of Attack IP addresses ALSO associated with phishing?”
We next used the Malcovery threat collection to ask the question, "how often has an IP address that was used in phishing attacks also been listed in a recent T3 report as an Indicator of Compromise IP address?" We used IP addresses found in the T3 XML reports for the previous 120 days and compared them to phishing IP addresses from January 1, 2012 to present. (Note that the AVERAGE phishing IP address in the Malcovery PhishIQ database has been used for phishing on more than eight separate URLs, so 600,000+ phishing URLs reduces to about 68,000 phishing IP addresses.)

[Figure: overlap of the 68,000 phishing IPs and the 1,200 IPs tagged as <BLOCK> in T3 reports. 27% of the IP addresses tagged as <BLOCK> by Malcovery T3 were ALSO phishing IP addresses.]

We then asked the Malcovery collection whether certain IP addresses among the Indicators of Compromise for our T3 Reports were abused for phishing more than others. Many of the IP addresses found were used dozens of times for phishing and several were used more than 100 times! The table below shows the Phishing x Malware IP addresses that were abused most often. Column #1, "Days of New Phish", is the number of days on which a new phishing URL was found on that IP address.

Days of New Phish   IP Address        NetBlock           ASN Organization Name                      ASN #   Country
337                 213.186.33.19     213.186.32.0/19    OVH OVH Systems                            16276   FR
224                 213.186.33.2      213.186.32.0/19    OVH OVH Systems                            16276   FR
216                 213.186.33.4      213.186.32.0/19    OVH OVH Systems                            16276   FR
189                 213.186.33.3      213.186.32.0/19    OVH OVH Systems                            16276   FR
179                 64.29.151.221     64.29.144.0/20     INFB2-AS - InternetNamesForBusiness.com    30447   US
167                 213.186.33.87     213.186.32.0/19    OVH OVH Systems                            16276   FR
166                 66.175.58.9       66.175.0.0/18      INFB2-AS - InternetNamesForBusiness.com    30447   US
78                  80.150.6.138      80.128.0.0/11      DTAG Deutsche Telekom AG                   3320    DE
65                  94.136.40.103     94.136.32.0/19     AS20738 Webfusion Internet Solutions       20738   GB
46                  205.251.152.178   205.251.152.0/22   DALLASNAP-AS - Global Net Access, LLC      27413   US
Clearly some computers that host malware related content are also being used quite frequently for phishing!
THE IZZ AD DIN AL QASSAM DDOS ATTACKS
From the early days of the al Qassam DDOS attacks, researchers at Malcovery and elsewhere have been documenting that most of the attacking bots are actually hosted on high bandwidth web servers [ii].
DDOS attacks from the days of Mafia Boy vs. eBay in 2000 until September 2012 were largely the same. A criminal would plant malware on many thousands of home computers and then cause those computers to generate traffic against the target of his choice. All of that changed with the al Qassam DDOS attacks against the major American banks. More than 200 separate DDOS attacks have been documented by the Iranian-based hackers behind "Operation Ababil", as these attacks are sometimes known.
On several occasions, the FBI was able to share a list of attacking addresses used in Operation Ababil with the security community. We applied a similar technique to determine what the overlap was between some of these groups of attacking computers and the Phishing and Malware data stored at Malcovery. We compared three different data sets, one from March 2013, one from September 2013, and one from October 30th 2013. The March and September datasets contained
What we found was a very significant overlap in computers used to participate in the Operation Ababil DDOS attacks and computers used to host phishing websites. Nearly 25% of the March 2013 IP addresses, and more than 1/3rd of the September addresses were also phishing hosts!
[Figure: overlap of the Malcovery phishing data (68,000+ confirmed phishing IPs used in 566,000 attacks) with the Brobot March list (10,000+ DDOS IPs) and the Brobot September list (nearly 5,000 attacking IPs). 24.4% of March Brobot DDOS IPs were also used for phishing; 33.4% of September Brobot DDOS IPs were also used for phishing. Of the 350 IPs found on BOTH DDOS lists, 183 were used for phishing.]
The world-wide dataset provided in late October also showed an astonishing overlap between DDOS-attacking computers and phish-hosting computers, though not quite as high as the US-only datasets.
While a variety of techniques have been used to compromise the web servers used in Operation Ababil, several of the known techniques are the same ones used by website defacers, phishers, and malware distributors: scanning for vulnerable websites with "Google Dorks" (search engine queries crafted to suggest that a particular vulnerable PHP application is present on the target web server), and password brute forcing. A partial list of the known "Brute Force" passwords used by the Operation Ababil hackers to take over websites for use as DDOS bots is shown below:
$passwords = array(
    'porsche', 'firebird', 'prince', 'rosebud', 'guitar', 'butter', 'beach', 'jaguar',
    'chelsea', 'united', 'amateur', 'great', 'black', 'turtle', '7777777', 'cool',
    'steelers', 'muffin', 'cooper', 'nascar', 'tiffany', 'redsox', 'jackson', 'zxcvbn',
    'star', 'scorpio', 'cameron', 'tomcat', 'mountain', 'golf', 'shannon', 'madison',
    'bond007', 'murphy', '987654', 'amanda', 'bear', 'frank', 'brazil', 'wizard',
    'tiger', 'hannah', 'lauren', 'doctor', 'dave', 'japan', 'money', 'gateway',
    'eagle1', 'naked', 'phoenix', 'gators', 'squirt', 'mickey', 'angel', 'stars',
    'bailey', 'junior', 'nathan', 'knight', 'thx1138', 'raiders', 'alexis', 'iceman',
    'porno', 'steve', 'tigers', 'badboy', 'forever', 'bonnie', 'purple', 'debbie',
    'angela', 'peaches', 'andrea', ' spider', 'viper', 'jasmine', 'melissa', 'ou812',
    'kevin', 'ranger', 'dakota ', 'booger', 'jake', 'matt', 'iwantu', 'lovers',
    'qwertyui', 'player', 'flyers', 'danielle', 'hunter', 'sunshine', 'fish', 'gregory',
    'morgan ', 'buddy', 'matrix', 'whatever', '4128', 'boomer', 'teens', 'runner ',
    'batman',
    // ... (partial list, as published)
);
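A web server that is about to be turned into a DDOS bot this way leaves a recognisable trace: a burst of POSTs to the login script from one source, followed by a successful login. The Python below is an added example, not from the paper or from Malcovery, that finds that pattern in web server access logs. The log lines are constructed (Apache combined format, RFC 5737 addresses), and the script assumes the usual WordPress behaviour that a failed wp-login.php POST is answered with a 200 (the form is re-rendered) while a successful one is answered with a 302 redirect into wp-admin.

```python
"""Spot WordPress login brute forcing in web server access logs.

Added example, not from the paper or Malcovery. The log lines are constructed
(Apache combined format, RFC 5737 addresses). Assumes WordPress answers a
failed wp-login.php POST with 200 and a successful one with a 302 redirect."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.9 - - [12/Sep/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [12/Sep/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [12/Sep/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [12/Sep/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [12/Sep/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [12/Sep/2013:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [12/Sep/2013:03:14:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812
198.51.100.20 - - [12/Sep/2013:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.77 - - [12/Sep/2013:05:00:00 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 12
garbage line that does not parse
"""


def parse(log_text):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """IP -> finding for sources that POSTed to wp-login.php at least `threshold`
    times inside any `window`; records whether a 302 (success) followed the burst."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].split("?")[0] == "/wp-login.php":
            per_ip[ev["ip"]].append((ev["ts"], ev["status"]))
    findings = {}
    for ip, attempts in per_ip.items():
        attempts.sort()                      # logs are not always in time order
        recent, burst, success_after = deque(), False, False
        for ts, status in attempts:
            recent.append(ts)
            while ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                burst = True
            if burst and status == 302:      # login succeeded after the burst
                success_after = True
        if burst:
            findings[ip] = {"attempts": len(attempts), "success_after_burst": success_after}
    return findings


if __name__ == "__main__":
    for ip, f in find_bruteforce(parse(SAMPLE_LOG)).items():
        verdict = "PROBABLE ACCOUNT TAKEOVER" if f["success_after_burst"] else "attempts only"
        print(f"{ip}: {f['attempts']} login POSTs in a burst -> {verdict}")
```

A single successful login (198.51.100.20 above) is not flagged; only a burst is, and a burst followed by a 302 is the case that needs the password reset and the uploaded files reviewed, not just the IP blocked.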
[Figure: overlap of the Malcovery phishing data (68,000+ confirmed phishing IPs used in 600,000+ attacks) with the October Brobot list (20,000+ DDOS IPs). Of the 20,000 unique Brobot IPs world-wide, 3,987 of them were used for phishing as well.]
current dataset, it was no surprise that many of the same systems appeared on the list.

Days of New Phish   IP Address        NetBlock           ASN Organization Name                         ASN #   Country
337                 213.186.33.19     213.186.32.0/19    OVH OVH Systems                               16276   FR
224                 213.186.33.2      213.186.32.0/19    OVH OVH Systems                               16276   FR
216                 213.186.33.4      213.186.32.0/19    OVH OVH Systems                               16276   FR
198                 213.186.33.17     213.186.32.0/19    OVH OVH Systems                               16276   FR
189                 213.186.33.3      213.186.32.0/19    OVH OVH Systems                               16276   FR
167                 213.186.33.87     213.186.32.0/19    OVH OVH Systems                               16276   FR
113                 81.88.48.95       81.88.48.0/20      REGISTER-AS Register.IT S.p.A.                39729   IT
99                  89.31.143.116     89.31.136.0/21     QSC-AG-IPX QSC AG / ehem. IP Exchange GmbH    15598   DE
97                  88.190.253.248    88.176.0.0/12      PROXAD Free SAS                               12322   FR
81                  213.186.33.16     213.186.32.0/19    OVH OVH Systems                               16276   FR
Seven of the Top Ten IP addresses used for both Phishing and Malware were ALSO found to be used for both Phishing and DDOS attacks!
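The three comparisons made in this paper (linking spam campaigns through shared <BLOCK> IPs, intersecting the <BLOCK> IPs with the phishing hosts and ranking them by days of new phish, and measuring how many DDOS attacker addresses were also phishing hosts) are all the same set operations on the same kind of records. The Python below is an added example, not Malcovery's PhishIQ or T3 code, that carries them out on constructed data. The XML layout (one IP per <BLOCK> element, grouped under a <campaign> element) is this example's assumption about the T3 XML, not the real schema, and every address, URL, date and list below is constructed from RFC 5737 documentation ranges.

```python
"""Cross-reference phishing hosts with T3-style <BLOCK> indicators and DDoS
attacker lists, the way the comparisons in this paper were made.

Added example, not Malcovery's PhishIQ or T3 code. The XML layout (one IP per
<BLOCK> element, grouped under <campaign>) and every address and record below
are constructed; addresses are RFC 5737 documentation ranges, not real hosts."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import date

T3_XML = """\
<t3>
  <campaign subject="eFax message" date="2013-08-29">
    <BLOCK>203.0.113.10</BLOCK><BLOCK>198.51.100.7</BLOCK>
  </campaign>
  <campaign subject="BBB complaint" date="2013-09-10">
    <BLOCK>203.0.113.10</BLOCK><BLOCK>192.0.2.44</BLOCK><BLOCK>not-an-ip</BLOCK>
  </campaign>
</t3>
"""

# PhishIQ-like records: (hosting IP, phishing URL, date the URL was first seen).
PHISH_RECORDS = [
    ("203.0.113.10", "http://a.example/wp-content/bank/", date(2013, 1, 4)),
    ("203.0.113.10", "http://b.example/wp-content/pay/", date(2013, 1, 4)),  # same day
    ("203.0.113.10", "http://c.example/update/", date(2013, 3, 9)),
    ("203.0.113.10", "http://d.example/secure/", date(2013, 6, 21)),
    ("198.51.100.7", "http://e.example/wp-content/tax/", date(2013, 2, 2)),
    ("192.0.2.200", "http://f.example/auth/", date(2013, 5, 5)),
]

# Attacking addresses from two DDoS incidents (stand-ins for the shared lists).
DDOS_MARCH = {"203.0.113.10", "198.51.100.7", "192.0.2.1", "192.0.2.2"}
DDOS_SEPTEMBER = {"203.0.113.10", "192.0.2.2", "192.0.2.3"}


def block_ips(xml_text):
    """IP -> set of campaign subjects that tagged it <BLOCK>.
    An IP shared by several campaigns is the pivot that links them."""
    out = defaultdict(set)
    for camp in ET.fromstring(xml_text).iter("campaign"):
        for blk in camp.iter("BLOCK"):
            try:
                ip = str(ipaddress.ip_address((blk.text or "").strip()))
            except ValueError:          # malformed entry: skip rather than abort
                continue
            out[ip].add(camp.get("subject"))
    return dict(out)


def days_of_new_phish(records):
    """IP -> number of distinct days on which a new phishing URL appeared there
    (the paper's "Days of New Phish" column)."""
    days = defaultdict(set)
    for ip, _url, first_seen in records:
        days[ip].add(first_seen)
    return {ip: len(seen) for ip, seen in days.items()}


def overlap(candidates, phish_ips):
    """(IPs in both sets, percentage of `candidates` that also hosted phishing)."""
    candidates = set(candidates)
    shared = candidates & set(phish_ips)
    pct = round(100.0 * len(shared) / len(candidates), 1) if candidates else 0.0
    return shared, pct


def top_repeat_offenders(days, candidates, n=10):
    """`candidates` that hosted phishing, ranked by days of new phish, highest first."""
    ranked = sorted(((days[ip], ip) for ip in candidates if ip in days), reverse=True)
    return ranked[:n]


def report():
    phish_ips = {ip for ip, _u, _d in PHISH_RECORDS}
    days = days_of_new_phish(PHISH_RECORDS)
    blocks = block_ips(T3_XML)
    for ip, camps in blocks.items():
        if len(camps) > 1:
            print(f"{ip} links campaigns: {sorted(camps)}")
    shared, pct = overlap(blocks, phish_ips)
    print(f"{pct}% of <BLOCK> IPs also hosted phishing")
    for d, ip in top_repeat_offenders(days, shared):
        print(f"  {d:3d} days of new phish  {ip}")
    for name, lst in (("March", DDOS_MARCH), ("September", DDOS_SEPTEMBER)):
        print(f"{overlap(lst, phish_ips)[1]}% of {name} DDoS IPs also hosted phishing")
    both = DDOS_MARCH & DDOS_SEPTEMBER
    print(f"{len(overlap(both, phish_ips)[0])} of {len(both)} IPs on both DDoS lists hosted phishing")


if __name__ == "__main__":
    report()
```

Two details matter in practice: the percentages are taken over the third-party list (the DDOS or <BLOCK> set), not over the phishing data, which is what makes "33% of the attackers were already known phishing hosts" a statement about that list; and the days-of-new-phish count collapses several URLs found on the same day into one, so a server is ranked by how often it was re-broken-into, not by how many phish pages were dropped in one visit.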
As we consider the implications of this information, we conclude that a new urgency may be in order. Using threat intelligence from Malcovery, we can easily identify which computers are being compromised for the first time and which have been compromised repeatedly, even dozens or hundreds of times. As network defenders consider the appropriate stance towards a new threat to their networks, we hope that this form of valuable cyber intelligence will become part of the threatscape and be used to drive change in the behavior of website owners and hosting companies.
We have long known that there is value in storing attack attributes for future analysis. The Operation Ababil attacking IP addresses provide just one example of the way third-party data sources can be compared against the intelligence found in the Malcovery Cyber Intelligence & Forensics systems to bring additional knowledge to an investigation.
Some final thoughts
We hope you have found the information in this paper useful and informative. Here are a couple of final thoughts regarding phishing and malicious spam, based on what is presented in this paper:
1.) Phishing - if you are about to do a take-down on a site that has hosted 100 phishing sites this year, don't waste your time or your money. Demand that someone find out what is really going wrong with the site and actually fix it.
2.) Malicious spam - if you are using a service such as Malcovery's T3, you are protected from FUTURE attacks from these sites, because they are blocked in T3 already. Is it wrong to block a website that has 500 organizations hosted on the same IP? Yes, there could be collateral damage - but if a
[i] APWG Global Phishing Survey, 1H 2013, Rod Rasmussen.
[ii] "Bank DDOS Attacks Using Compromised Web Servers as Bots", Michael Mimoso, Threatpost, January 11, 2013. http://threatpost.com/bank-ddos-attacks-using-compromised-web-servers-bots-011113
ABOUT GARY WARNER
CHIEF TECHNOLOGIST, CO-FOUNDER
Gary Warner is a world-renowned researcher and speaker on the subject of catching cyber criminals. Gary, a seven-time Microsoft Most Valuable Professional, is the visionary, inventor, and patent holder for much of the technology that drives the Malcovery solutions. In his role as Chief Technologist for Malcovery Security, Gary drives technical product direction, architecture, and the definition and development of security applications. In addition to his Malcovery role, he remains the Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB). In this role, which brings together the Computer and Information Science department with the Justice Science department, he does research that helps law enforcement and other security professionals identify, apprehend, prosecute, and convict cybercriminals, and spreads information to victims and potential victims about cybercrime issues. Gary was the founding president of the Birmingham chapter of the FBI's InfraGard program, and has served on the boards of the InfraGard National Members Alliance and the National Board for the Energy ISAC. He has been recognized by FBI Director Robert Mueller for "Exceptional Service in the Public Interest" and received the IC3 and NCFTA's Partnership Award "in recognition of his outstanding support in the ongoing battle against cybercrime."