As part of their story on CryptoLocker analysis, John Bambenek and Lance James dwell on the methodology of tracking the ransomware via payments and DGA.

John Bambenek: So, taking a look at CryptoLocker. A lot of this was a study in contradictions, because there were indicators that did not seem, at least on the surface, to reconcile with themselves (see right-hand image). So you think, Gameover ZeuS, silent threat, financial fraud – it wants to persist a long time. There is no subtlety or ambiguity about whether you have CryptoLocker. I mean, it’s “Hi, all your files are encrypted,” – you’ve got a big splash screen. So at a certain point – and we’ve talked about this relationship between the GOZ crew and CryptoLocker, the people who are responsible for it – why would people who run Gameover ZeuS expose the infection so loudly?
Lance James: I have a theory on this thing, and I think we all somewhat suspect this as well. In many attacks, in many types of malware, you have exploit kits out there. It’s a website, a drive-by download, it hits you and drops the stuff on you, right? And the solution is, we go after the exploit site, shut it down – done. The effectiveness of CryptoLocker detection was actually usually after someone got infected and reported it. The reason why they may have used Gameover ZeuS for this was because it’s almost like a tunnel with a low footprint, something that we couldn’t just shut down. You need to shut down the entire peer-to-peer network to make this effective, and so they were actually winning the race, getting there before detection. And ZeuS being the most prolific and most successful at infiltrating a network or a computer, this obviously proved successful and economically viable for CryptoLocker and the Gameover ZeuS actors.
John: Absolutely. Basically, they were set up for single-flux networking, so they were able to move IPs really quickly – they just never did. They’d sit on the same IP addresses for days, even though they had 300-second TTLs. Why? It’s an open theory. The point of this is that, you know, if you are doing intelligence, figuring out and resolving these contradictions is where your intelligence value is. A lot of stuff is obvious. People want to make money – great, that’s a motivation. Does it really give you any real information? But figuring out why you have indicators that are contradicting each other and resolving that is really starting to get into the mind of your attackers. We can kind of deliver that intelligence value.

Following the money – obviously, a key part of this. Law enforcement was really helpful on this thing. One thing that kind of surprised me is that while many victims would talk to me and say, “Hey, can you help us recover our files”, they would not necessarily share the details of their payments. They were like, “No, no, no, I don’t want to give that out.” I think that goes to the psychological aspect Lance was talking about. Ransom is a scary thing; somebody saw some mob movies somewhere and thought, “If I shared this information with law enforcement, somebody would kill my cat or something.”
Lance: Another thing we saw was CryptoLocker targeted businesses. It was almost opportunistic but very spear-ish in its phishing email lists. It would pose as transportation-type emails like ones from mail companies and such, and it would very effectively get into that. You know, in business your number one tool is email, you’re trying to move on with your day. It’s effective, it gets into your email system, you download the attachment, it looks like some kind of a UPS email. And what would happen is you just want to move on with your day. You’re a CTO in your company, or you’re a VP, and you want to move on, but you’re also embarrassed, you don’t want to be like, “Oh man, I just got owned completely, my boss is expecting this report tomorrow.”
That, just like phishing is, where it gives this urgency, the sense of movement, was effective psychologically for that. We’ve met a lot of people that were like, “You know what, $300 – moving on, it’s my work laptop, I don’t want to get fired.” And that was actually the approach that we would find.
John: They accepted MoneyPaks, we saw that stuff be withdrawn at the same place. But they preferred Bitcoin. In fact, tracking some of their Bitcoin logs we saw, for lack of a more accurate word, “seed” money, where, you know, here’s some money transferred into your Bitcoin wallet, get all the infrastructure in place that you need. So they preferred Bitcoin, but we also used this to derive the estimates that you saw. That said, I think most people paid in MoneyPaks and other things, because Bitcoin is not really an accessible currency to the general unsophisticated computer user.
Lance: Not yet.

John: Not yet… So, the DGA, while it provides some resiliency, also provides a good means to track their infrastructure. If you had the DGA and you wanted to protect your network, you can simply create an RPZ zone, block all that stuff so that nobody in your infrastructure is going to get it, and get an alert – you want to know that something is happening so that you can go clean that machine.
You could register sinkholes that would be accessed by anybody on the Internet. And we actually really had an OPSEC fail on this one. With more than 1000 domains that were registered, we were operating about 125 sinkholed domains to about 1 actual C2 proxy, basically waving, “Hi guys, we own your stuff.” They never moved, for whatever reason. And DGAs are not hard to tweak. Once you have an algorithm, they could have simply set “year equals year minus 2” – new 1000 domains, and we would have to reverse engineer that. They never did that. But we certainly got out of control on sinkholes, and that’s something that we need to get better at.
Lance: One of the neat things about this was the fact that we were so obvious about this sinkholing and the stuff we were doing. We were kind of letting them know. In some ways, we realized that with a really good strategy we could force them to move to a new DGA. Humans don’t have while loops, they don’t last very long. So, if we force this, register all these domains and then do this again, after a while they are going to change this entirely, because the success is only going downward. We didn’t have to end up doing this, we were in the process of doing it, and there was a shift in the Gameover ZeuS side of things. So, luckily, we didn’t have to really push that part, but that was actually one of the things we were being loud on purpose about: we’re letting you know, you’re in a cyber dogfight with us, we are going to play hard.

John: The DGA also provided a nice means to surveil their infrastructure. Ultimately these domains had to resolve to something. So, given a list of domains, you could do a ‘for loop’ if you really wanted to, if you like slow scripts. Currently, my surveillance scripting goes through 33,000 domains – imagine how long doing nslookups on those individually would be. But with a bit of technical trickery, you can use a package called adns-tools, which does asynchronous DNS queries, to basically spam your DNS server with 500 requests, and they come back when they come back. It allows you to do these things relatively quickly. For 33,000 domains, it takes me about 30 seconds to get nslookups back on all of them.
Lance: If you use Haskell, it’s actually built in natively.
John: Yeah, there you go. If you do this, consider setting up passive DNS. You know, not to be commercial, I have no relationship with Farsight, but I use DNSDB because it’s a great resource. Consider that. That’s one way to passively give back with no real information, because this is the kind of stuff in passive DNS that I like being able to do as a researcher.

As an example, this (see left-hand image) is a feed that was generated simply for domains registered in plus or minus two days. So if you’re looking to surveil their infrastructure, there it was. That was, obviously, from December of last year. But there’s a little bit of bias in the way I generated this (see right-hand image). Every time you do some intelligence exercise you bring bias to the table. The way I generated this was I stripped off the sinkholes. I don’t care, because that’s not the business I’m in. My intelligence objective is to smash things. I don’t really care about detection. I mean, I feel sorry for people who became victims – you’ve got to protect your infrastructure, but I want to disrupt these people and just kick these people off the Internet. So I stripped out the sinkholes.
Now, if you’re doing it, or if you’ve got a network to protect, you don’t care if they’re talking to a sinkhole, nxdomain or a C2. You’ve got a problem – you need to address it.
Lance: I’m not going to bring up too many times how you just want to burn. Burn was your thing that we kept talking about.

John: Yeah, burn all the things. Pillage first, then burn. As another particular aspect of showing how they changed over time, this is simply a chart of Bitcoin value since roughly July 1 of 2013 (see left-hand image). This had nothing to do with CryptoLocker, except that CryptoLocker liked Bitcoin payments. They, for whatever reason, thought their sweet spot value was $300. So, about the time where you see a Bitcoin at $1200, they chose 2 Bitcoins as the hard-coded value to get your files back. It went from $300 to about $2500. They kept releasing new binaries that changed that so that it would change the value over time to be something around that $300. So they did have some decent situational awareness. Going back to my earlier point (see right-hand image), I’m not really interested in a white paper or blog post or whatever. People do that, it has value. I’m not saying it doesn’t have value. What I want to see is bodies in the street, because I’m tired of these clowns.
Lance: I do want to mention something, though. Speaking of the politeness about their $300. The actual pop-up was also extremely polite. It was kind of like “hey, guess what’s happened, we’re going to just let you know that we kind of have your files.” And it was funny because it was sort of polite, it was like “this is the situation.” So, it almost makes us want to definitely burn them more in that sense and shut this down, because the politeness was kind of too much.
John: It’s not personal, it’s just business, I’m sure they’re nice people. But no, they’re not nice people, but they might be nice to have a drink with.
Lance: … And say: “We know who you are.”
John: Yeah, exactly. One of the problems that we ran into is a problem that I call ‘sufficiency’. I mean, at a certain point, if I could say it’s talking to these domains and these IP addresses, you can put these rules in your IPS, most people are like “You know what, that’s good enough for me, I don’t need to do anything more, we can tolerate that threat.” When they get enough to satisfy these short-term objectives, they move on to what’s next. And if you’re fighting fires all day long, I don’t fault people for that. But we tolerate the continued existence of threats.
But the problem is that the people most in need of this protection aren’t the ones who are paying for it. And quite frankly, every organization has people who go home and have personal laptops – they’ll probably be using the same password for Facebook or Gmail or whatever, and they may get access to the stuff at home, and that’s leveraged to access people at work.