
...lunch. My name is Ben and we're going to talk about Viagra. I'll start with a demo: I've got a pill... let's not do that now, perhaps after the talk. Okay, so we only have 25 minutes and I have lots of slides, so let's get started. We're going to talk about Viagra and the biggest cybercrime spam campaigns in the world, and we're going to show some of the nice sub-campaigns that were used by people selling Viagra, and we're going to get into some nice stuff. So let's get it started. This is me, Ben. I have two children, I work as the security research group manager for Imperva, and that's me.

So first of all, we're talking about Viagra, so you know there are lots of fun jokes, like "it was really hard to make this presentation", and "let's make a short story long", and all the pun jokes, so I decided to get it over with in three slides: one, two, and three. Okay, now we're good, now we can start talking.

Okay, so it all starts with this. This is sildenafil citrate, aka Viagra, and it was discovered when the scientists at Pfizer designed a new medicine for angina and other heart-muscle problems, and they started testing it on people, and it didn't quite help with angina, but everybody was very happy with the experiment, so they saw that it would be better to sell it as an erectile dysfunction medicine. So, quickly skipping the economic part, which is still very interesting, and which is the motivation why there's so much cyber and other types of crime around these types of drugs: it was patented in 1996 and immediately people started selling counterfeit Viagra, and now we're in a very tricky situation where in Canada the patent got invalidated, so they actually have generic Viagra which is much cheaper than the US version, so there's a market for parallel import of Viagra, lots of money involved, and in several EU countries the patent also expired, so lots of parallel import, which is illegal according to the FDA, because they want to protect the big pharmaceutical companies. So we're at an interesting point: it sounds very legitimate to say "all I'm doing is selling some Canadian drug that does the same", which actually ships from China or India and in many cases has nothing to do with actual sildenafil citrate. And that's the trouble with it. And now they stopped working, okay.

So, a bit again about the economics of this and why it's so tempting to do that. This is Cristiano Ronaldo, the most expensive athlete in the world, and this is the Viagra market: xxx Cristiano Ronaldos. And imagine that in Messis, they could actually score goals... but let's get there; this has a delay, I think. Okay, so getting back to our industry: this is the average software engineer salary and this is the software engineer salary in Viagra. I will just use the keyboard because this has a delay. Okay, so this is Viagra in software engineers, and actually we're only halfway, so another screen like that. So that's a lot of money involved, and that's just Viagra, and there are many other medicines out there and many other counterfeit medicines out there; Viagra is about number 30 to 40 on the list, we have medicines that are making much more money. And also counterfeit medicine: about 10 percent of the formal market is fake, is counterfeit; that's 21 billion dollars per year, so that's a lot, and that's according to the World Health Organization. And according to Interpol, the annual death toll from counterfeit drugs is over 1 million people. I would take that with a grain of salt, okay, because they have a motivation to inflate the number, and this is Interpol, but it would be a couple of hundred thousand at least, so that's important to remember. And from some campaigns where people actually got arrested and the companies were shut down, we can actually see the tip of the iceberg, with companies like Glavmed that made a revenue of 67.7 million dollars in a year. So yeah, it's a big market, no wonder it's the biggest spam campaign in the world. We've seen lots of economic motivation, because it's not like a Jeep that you can't ship to places: you just put it in a small box and you ship it anywhere. It's a very lucrative industry, and it's very easy to make it look like it's just selling parallel imports of stuff. So let's say that you want to start making some money from illegal trafficking of Viagra. Okay, so first of all, there are many affiliate programs, mainly in Russia,
and of course these are very lucrative terms: thirty to fifty percent commission, which is more than you'd get from the Amazon or eBay affiliate program; templates, banners and everything you need to get up and running; different languages, kits and API support, so you can run a real operation, etc. And they know who they're selling it to, as they're saying: where do you get the traffic? Mainly from "email dispatches", which is a nice word for spam, and the ways are limited only by your imagination, and they stress that "we guarantee anonymity": we don't care where you get the traffic as long as we get the traffic and we can sell those drugs. And then you're getting those templates, like the Canadian Pharmacy here, or like the United Pharmacy here (and he's smiling because he has hair), or CVS, or Indian Pharmacy, etc. So you're getting all of these templates and now you're ready to go to work, and unless you're selling that to your grandma you need to find some actual people who will buy this, because every time you start a business, like when you start selling cookies as a child, you always go to your grandma to sell them, but you can't sell your grandma Viagra because your grandfather is no longer alive... a rough story. Okay, so let's say that... never mind, can you please scratch that off when you edit.

Okay, so you have a couple of ways to proceed when you want to get traffic to your campaign: you can go spam or SEO, search engine optimization. Let's go to the first way. So we have white hat SEO and black hat SEO; in this case we would go for black hat SEO because (a) you don't want something that will be ultimate but will take a lot of time, and (b) we don't care: we know that our website is going to be alive for maybe a month or two, we just want some quick traffic and then we're out and we're starting the new one. So this is from research we did, we found some
interesting SQL injection attacks. Like here: a user agent, and afterwards a SQL query. This one is aimed at MSSQL: it looks for the databases that are not system databases, and it looks for varchar, or string, columns, and then it loops, it updates the tables in these databases, and it does something like a modulo on NEWID(), which is a random number, and if it's 0, that means in 10 percent of the cases, it adds this spam link. It's invisible, so, you know, you don't want anyone to notice and remove your links, and you also have other links in there. So this is the result: these are sites that got this injected, in Google, and it's a really high-scale operation, they try to attack tons of web applications. So that's about SEO.

Let's talk a little bit about spam. So you would need a domain to send people to, you would need email lists (let's not even get into that, there are so many email lists for little or no money), and you will need email servers. Now you can either use open SMTP servers or cracked SMTP servers or IMAP servers to send the emails, or you can use websites. So in a campaign we found, hackers used vulnerabilities, mainly CMS vulnerabilities like WordPress file upload vulnerabilities, to upload WSO. You can see it on GitHub; it's one of the most popular web shells out there. And then once they get control of the website they send the command with WSO: "a" is the action you want to do and "p" is the payload, "p1" in this case, and they send base64_decode. Basically, the first string takes a base64 string, writes it inside a file, and then it installs the custom shell on the server, and what that does is send the emails. So it takes the strings from the POST data and then it explodes by a pipe, splits it by a pipe, a string that we called "the battery" because it's a bunch of base64 decodes. So it's a string that is base64 decoded, then base64 decoded, then base64 decoded, and so on, eight times, then it takes it, it splits it by a pipe, then it's an additional three times on each field, and then it just takes this field and it sends. Why would they base64 eight times is a good question, and I suppose the answer is that if someone is trying to decode base64 traffic and then see what's in there, they will just see a bunch of gibberish and they wouldn't think to try eight times to base64 decode. However, it
kind of backfired on the attackers in this case. So this is actually the first case in the world, I think, where you can overdose on base64, which... respect. Okay, so it goes down to, and I will be happy to explain in more detail if someone wants later, but it goes down to the way base64 works. Base64 is basically two to the power of six instead of two to the power of eight: instead of two to the power of eight you have 64 characters, that's a to z, A to Z uppercase, and numbers, and plus and slash and backslash, and then you have only 64 characters, so when you take a character, instead of having the 8 bits you only have six bits, and the additional bits go to the next character, and then you reconvert it to a representing ASCII character according to a table. This goes from 0 to 63 and everything is good, because you're switching the letters, you don't see anything, it changes the string and it's only human-readable characters, so it doesn't cause any encoding problems, etc. However, the letter V, as in Viagra (not related, okay), the letter capital V: the ASCII is 01010110 and the base64 is 010101. So when you encode capital V, what do you get in base64? What do you get for capital V? You're getting a capital V as well. So you're getting stuck on the capital V. Right, now there are three letters, capital T, capital U and capital W, that get you to capital V in one hop. So if you're encoding anything that starts with a capital T or a capital U or a capital W, you're getting to a capital V, so you're getting stuck in that capital V, okay, and on and on we go: these letters are two hops away from capital V, and the rest of the characters, any character, gets to a capital V after up to five rounds of base64. We even wrote a Python script that calculates the amount of hops it takes for each character, so the maximum is 5, so that's really cool, I think, for me it's really cool. And after capital V comes lowercase m, because of the same reasons basically: you're fixating yourself to the lowercase m, and then on and on it goes. So if you're seeing a string that starts with capital V, m, 0, w and so on, you know that this string is something that was base64'd lots of times. So that's pretty interesting.

Okay, moving on. We need... we don't need a domain, we need domains, okay, we need a lot of domains because they will get
blacklisted, in a couple of weeks at the most, so we need lots of domains. And then we also need a way to bypass spam filtering. Now what I'm talking about, of course, is just describing part of the active campaigns in this operation, because it's an affiliate program and anyone can come up with different stuff, but this is a cool one that we found. So again they're using WSO as well: they're sending a PHP command, and it's sending base64 to run, and this time it sends base64 which is inside the script itself that's being run, and what it does is it goes to .htaccess and it puts the results of the decoded base64 file in the .htaccess. So what it puts in the .htaccess file is actually a 404 redirection to one of the illegal domains, to one of the blacklisted domains, that the attacker is using. So the idea here is that if there's a spam filtering algorithm or a control or product, it will see that we are going to legitimate-domain.com/something-something, okay, but eventually it will redirect us to a different domain. So your site can be hacked and you won't even know it unless you type the wrong address. We've seen other similar ways of abusing this type of thing, for example by doing JavaScript redirection or putting a big iframe on it.

So this is basically how it works for this specific campaign, because we found correlations between the domains that were sent in the spam list and the dummy domains used for redirection. So the attackers are attacking two sites, basically, or in some cases it's the same site: in one of them they set the .htaccess, and they keep doing it, so if one of their domains gets blacklisted they just rerun it automatically and set the routing to another domain, and that's all this botnet does. And then the other one is installing the Petrushka backdoor, the one that sends the emails to the victims, to the spam recipients, and it's using just the PHP mail command, so it's using the mail server of that website, and then the spam is sent to a user. In most cases, I suppose, it bypasses the spam filtering, because it's a legitimate URL in a legitimate domain, and then the clients, the ones who are supposed to purchase the pills, go into this and are redirected to the counterfeit drugs website. So, something interesting about this: I mentioned there's a lot of money here, so in most cases when we see backdoor activity we see the activity from several IPs, or from the Tor network, or from anonymous proxies, but in this case it was used by over 80,000 IPs. So they have a lot of
money, they can buy better services to better buffer themselves from the attack. Something that's interesting here is that most actual botnets we have, in regard to DDoS, in regard to lots of things, do have lots of presence from the US, because there are lots of computers in the US; in this one it's negligible numbers from the US, and we have high numbers from countries where it's uncommon to see attacks from, like Algeria, Egypt and such, which is interesting, and we hardly see any traffic from Canada, which is kind of sad given the Canadian Pharmacy, but you see that it's not a Canadian pharmacy. So we see a lot of IPs from Russia, but, like I said, we see from Egypt, Algeria, etc. This is a part of the domains that were used; all of these were registered on the same day. There are a thousand of these domains, and if anyone wants the list of the domains they can send me a Twitter message or email and I will happily send the domains list. So this is just one day, so there's a real operation going on here on the dark side: people keep buying domains, the amount of domains that are being bought... and sometimes we see a wave of buying Indian domains, some other times we see other waves, so they're buying lots of domains and they do all of these spam things, and this is just part of the campaign that they're running.

So, wrapping it up. First of all, I think that it's interesting: where there is money there will always be attacks, so these campaigns, the Canadian Pharmacy and other pharmaceutical campaigns, have existed for a very long time, for over a decade, and they still run at full speed because there's still lots of money to be made here. So that's one thing. And the other thing that's interesting here is that, like Mirai, where devices were attacked just as a means to get resources for a DDoS attack, here as well devices or web applications were attacked as a means to redirect people to other websites, which is kind of not the usual defacement. So I think it's pretty nice. Thank you very much.
Any questions? Okay, cool, then I think... thanks Ben. Oh, one more? I know, I know, don't worry.

Audience: So you said that 10% of the pharma industry is fake, counterfeit.

Ben: Not me, the World Health Organization.

Audience: Okay, the World Health Organization, okay. But say 90% of it then is legitimate; pharmaceutical companies really don't have much of an incentive to lower their prices to push this whole economic status, do they?

Ben: Yes, well, they don't have the... well, it's an economics game, and since they're getting it at a much reduced price... and it's also the same for legitimate drugs: when the patent runs out and it becomes generic, you see it with legitimate drugs as well. The price to actually make the drugs is very low in comparison with the price you sell the drug at, because most of it reflects the R&D involved in actually working on the drug itself. So they don't have the incentive to lower the prices to one cent, let's say, but there's a lot of margin to work with here, so, you know, going from $80 to $18 you still get a lot of money. And you need to take that with a grain of salt as well: are you really getting the drugs that you ordered? I don't know, I haven't tried ordering yet.

Audience: No thanks, I mean, in Amsterdam I can just go to a store and buy.

Ben: Anyone else? I will try to see if there's a matching conference category for Viagra. Okay, so anyone else? Feel free, of course, to talk to me or send an email or tweet or whatever. Thank you.

Thanks.
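The base64 behaviour Ben describes (capital V encodes to a string starting with capital V, T/U/W get there in one hop, every byte converges within five hops, and repeated encoding settles into a fixed prefix) follows from one fact: the first output character of base64(data) is decided by the top six bits of data[0] alone, and 0x56 ('V') has top six bits 010101 = 21, which is the alphabet index of 'V'. The script below is an added example written for this edit; it is not the Python script the talk mentions and not the attackers' "battery" code. It computes the hop table for all 256 byte values, shows the converged prefix, and peels a nested blob of the shape the talk describes: three rounds per field, fields joined with a pipe, eight rounds around the whole thing. The field contents are constructed sample data; the round counts are the ones the talk gives. The stop rule "decoded output is no longer valid base64 or ASCII" is a heuristic: a final plaintext that happens to be valid base64 (a four-letter word made only of alphabet characters, say) would be decoded one round too far.

```python
import base64
import binascii
import string

# Standard base64 alphabet, index 0..63 (RFC 4648).
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def first_output_char(first_byte: int) -> str:
    """First character of base64(data) is decided by the top six bits of data[0] alone."""
    return B64_ALPHABET[first_byte >> 2]


def hops_to_v(first_byte: int, limit: int = 16) -> int:
    """Number of base64 encodings until the output starts with 'V'.

    'V' is 0x56 = 0b01010110; its top six bits are 0b010101 = 21, and alphabet
    index 21 is 'V' again, so 'V' is a fixed point and every chain ends there.
    """
    byte = first_byte
    for hops in range(limit):
        if byte == ord("V"):
            return hops
        byte = ord(first_output_char(byte))
    raise RuntimeError("no convergence within %d hops" % limit)


def hop_table() -> dict:
    """Hop count for every byte value 0..255 (the talk's script did this per character)."""
    return {b: hops_to_v(b) for b in range(256)}


def nested_encode(data: bytes, rounds: int) -> bytes:
    """base64 applied `rounds` times: the 'battery' in the encoding direction."""
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data


def peel_base64(blob: bytes, max_rounds: int = 32):
    """Decode repeatedly until the result is no longer valid base64 (or not ASCII).

    Returns (payload, rounds_removed). Heuristic stop rule: a plaintext that is
    itself valid base64 would be decoded one round too far.
    """
    current, rounds = blob, 0
    while rounds < max_rounds and current:
        try:
            decoded = base64.b64decode(current, validate=True)
            decoded.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


# Shape described in the talk: each field base64'd three times, fields joined
# with '|', and the whole string base64'd eight more times.
FIELD_ROUNDS = 3
OUTER_ROUNDS = 8


def encode_battery(fields, field_rounds=FIELD_ROUNDS, outer_rounds=OUTER_ROUNDS) -> bytes:
    """Build a nested blob from plaintext fields (constructed test input, not captured traffic)."""
    joined = b"|".join(nested_encode(f, field_rounds) for f in fields)
    return nested_encode(joined, outer_rounds)


def decode_battery(blob: bytes):
    """Undo encode_battery: peel the outer layers, split on '|', peel each field.

    Returns (fields, outer_rounds_removed, per_field_rounds_removed).
    """
    joined, outer = peel_base64(blob)
    fields, inner = [], []
    for part in joined.split(b"|"):
        field, n = peel_base64(part)
        fields.append(field)
        inner.append(n)
    return fields, outer, inner


if __name__ == "__main__":
    table = hop_table()
    print("hops to 'V' for T,U,V,W:", [table[ord(c)] for c in "TUVW"])
    print("max hops over all 256 byte values:", max(table.values()))
    for r in range(1, 13):
        print("round %2d: %s" % (r, nested_encode(b"x", r)[:16].decode()))
    sample = encode_battery([b"alice@example.test", b"Cheap pills", b"body text"])
    print("nested blob starts with:", sample[:8].decode())
    print(decode_battery(sample))
```

Running it shows the chain the talk walks through: T, U and W reach V in one hop, lowercase m needs four (m, b, Y, W, V), the worst byte values need five, and by the ninth round of encoding the seed "x" has settled into the "Vm0w" prefix that marks heavily nested base64 in captured traffic.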
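The two web-side tricks in the talk, the 404 redirection written into .htaccess and the invisible SEO links injected into database content, both leave artifacts a site owner can check for without any of the attackers' tooling. The scanner below is an added example written for this edit, not Imperva's research code and not the campaign's scripts. It flags Apache redirect-capable directives (ErrorDocument, Redirect, RedirectMatch, RewriteRule) whose target is an absolute URL on a different host, since Apache treats an absolute URL as an ErrorDocument target as an external redirect, and it walks an HTML document for anchors hidden by their own inline style or by an ancestor's. The hostnames, the .htaccess fragment and the HTML snippet are all constructed sample data; the site host to compare against is an assumed parameter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Apache directives whose argument can send the visitor to another URL.
REDIRECT_DIRECTIVES = {
    "errordocument", "redirect", "redirectmatch", "redirectpermanent",
    "redirecttemp", "rewriterule",
}
# Elements that never get a closing tag, so they must not be tracked on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
# Inline styles that make a link invisible to a human but not to a crawler.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em|rem|%)?\s*(?:;|$)",
    re.IGNORECASE,
)


def offsite_redirects(htaccess_text: str, site_host: str) -> list:
    """Return (line number, directive, target) for every redirect-capable directive
    whose target is an absolute URL on a host other than site_host.

    An absolute URL as an ErrorDocument target makes Apache issue an external
    redirect, which is how a 404 on a legitimate site lands on a pharmacy domain.
    """
    findings = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() not in REDIRECT_DIRECTIVES:
            continue
        for token in parts[1:]:
            if not token.lower().startswith(("http://", "https://")):
                continue
            host = urlparse(token).hostname
            if host and host != site_host.lower():
                findings.append((lineno, parts[0], token))
    return findings


class HiddenLinkFinder(HTMLParser):
    """Collects href values of <a> elements hidden by their own style or an ancestor's."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []  # one entry per open non-void element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = bool(self._hidden_stack and self._hidden_stack[-1])
        hidden = inherited or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "a" and hidden and a.get("href"):
            self.hidden_links.append(a["href"])
        if tag not in VOID_ELEMENTS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS and self._hidden_stack:
            self._hidden_stack.pop()


def find_hidden_links(html_text: str) -> list:
    finder = HiddenLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hidden_links


# Constructed sample inputs (assumed hostnames, not taken from the campaign).
SAMPLE_HTACCESS = """# constructed sample .htaccess
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
ErrorDocument 404 http://pharma-redirect.example/landing
ErrorDocument 500 /errors/500.html
"""

SAMPLE_HTML = """<html><body>
<p>Welcome to our bakery.</p>
<div style="display:none"><a href="http://pills.example/buy">cheap pills</a></div>
<p>Visible <a href="/menu">menu</a> link<br>
<span style="font-size:0px"><a href="http://pills.example/other">more</a></span></p>
</body></html>
"""

if __name__ == "__main__":
    print(offsite_redirects(SAMPLE_HTACCESS, "legitimate-site.example"))
    print(find_hidden_links(SAMPLE_HTML))
```

The .htaccess check is deliberately per-line and keyword-based rather than a full Apache config parser: the point is to surface any off-site absolute URL in a directive that can redirect, because that is exactly the line the talk says gets dropped into the file. The HTML check only covers inline styles; links hidden by a class in an external stylesheet need the stylesheet resolved as well.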