But before I start, I would like to introduce myself and my country. I am Chema Alonso, (@chemaalonso) I work in a small company called I64 (Informatica 64) in Spain, I’m also a Microsoft MVP in Enterprise Security, and I live in Spain.
Do you know Spain? Have you ever been to Spain? If not, you have to go and visit our country. This is Madrid (see left-hand image below), the city in which I live. As you can see, this is a city that is never asleep, but it is smaller than New York. And there are a lot of big places in Spain that you have to visit. This is the Sacred Family in Barcelona (image in the middle), one of the most beautiful churches in the world, as you can see.
Of course, there are other places that you might like to visit. This is Ibiza (right-hand image above), a small island to which I’m going tomorrow, so if you want to rest and discover a different Spain – it’s very close to you, it’s in Europe, just across the ocean.
And of course, if you’re a brave man you can visit all the cities with all the parties. This is Pamplona (see left-hand pic). How many of you have run from bulls any time of your life? There is only one rule: if you drink, don’t run. That’s the only rule. The rest is easy, you only need to run faster than the bull, it’s very easy to do.
And of course, if you’d like another party, we’ve got something special. This is the Tomatina (on right-hand image above); it’s a battlefield with tomatoes, one day long. I am not sure about the history of this party, but you only need to throw tomatoes – that’s all, it’s quite interesting. Well, we are Spaniards, you know.
Well, let’s start with today’s topic. Today’s topic is quite simple: let’s create a botnet – that’s all. But we’ve got a lot of problems with this from the start. I guess many of you have been thinking about creating a botnet any time in your life. How many of you have been thinking about creating a botnet? How many of you did it? I did it.
Well, the idea of creating a botnet is quite interesting, but of course, I assure you, I’m lazy. I’m from Spain, so it’s normal. So, we are lazy, and this is a nice picture (see image). I would like to show you this picture, because when Spanish people need power supplier, and they are using flip-flops to connect it through the swimming pool. It’s incredible! This is more or less like a thing we’re used to doing in Spain.
So, that’s the idea of creating a botnet. We wanted to create a botnet, but we were lazy; we have no money – you know it; we have no 0-days; we aren’t the FBI or the NSA, so we cannot intercept communication for free, and of course we are not Google, Apple or Microsoft that are running all their devices around the world. And, you know, we are Spaniards, so we need to do something different from the beginning.
The idea of creating a botnet was quite simple. We thought: okay, let them be infected; let’s do something that allows bots to be infected for themselves. So, the only thing that we wanted is so that they would want to be infected, quite simple.
In the end, if you think about this topic, it’s very useful and the malware industry had been using it for around the last 5 or 10 years; we’ve rolled antivirus and social engineering tricks. So, why not make our own botnet doing the same trick?
So, the idea of creating a botnet is just to create a man-in-the-middle attack. There are so many man-in-the-middle attacks that can be used in different scenarios. Of course, if we are in a network we can use something like ARP spoofing, or we can use rogue DHCP in IPv4 or IPv6 networks, man-in-the-middle attacks in IPv6 networks. We are going to publish a new tool, a new FOCA, which is the evil FOCA, to perform man-in-the-middle attacks in IPv6 networks: just point it and click, quite simple.
And of course, if you are able to manage the DNS, you can do the man-in-the-middle attack. But it is quite complicated in terms of the Internet because you have to deal with a lot of Internet service providers and networks, so it’s difficult to use on the Internet.
One of the most used practices on the Internet several years ago was the man-in-the-browser, in which things like Browser Helper Objects are installed in Internet Explorer, and lots of malware samples have been using this trick. We got a lot of malware this way, especially from Russians. You’ve seen this trick, this is very effective and it works so well that they need special files to configure the Trojan to attack different banks. This is how a banking Trojan uses an XML file to configure the man-in-the-browser to control all the different web pages from different banks. Quite simple, and yet it works very well.
But we needed to code something and deal with antivirus system, managing the detection program, so we decided that it was very complicated for us and we needed something easier.
First of all, we thought about the TOR nodes. The idea with TOR nodes is quite simple: if you are the last one on the line, you will be able to access all the content, you will be able to intercept all the communication. The problem when we tried to create the rogue TOR node was that they are using some security test to discover who is modifying the DNS response, or who is having some special files, and so on. And we got detected (see image to the left). So we thought: “Well, it’s too complicated, we need to detect when they are sending their test and create interception for the test – too difficult, we are Spaniards.”
The next thing that we did was just create a proxy. Creating a proxy is quite simple, because a proxy is not a big infrastructure like the TOR network, in which everyone is connected. A proxy server is a standalone server that people decide to connect to.
So, the idea is that if you read all the manuals online about how to be anonymous, the first thing is: “Connect to any proxy server on the Internet.” We thought: “Hey, it’s very interesting, because it’s a man-in-the-middle scheme.” So, if we are a proxy server on the Internet and people decide to connect to the Internet through our proxy server, we will be able to collect all data and infect all browsers. So, we did it.
The first thing we needed to do was just rent a server on the Internet; of course you have to take care about what kind of server you are going to use. Don’t use any Pirate Bay server, not one in Amazon – remember what happened to WikiLeaks, and not in Megaupload. It’s better to select any country in which there are no laws. So, we were renting servers in Iraq, Afghanistan, Kazakhstan, Spain.
So, the next thing we needed to do is just make our proxy server public, so we copied our IP address and published the IP address on a proxy server list – as you can see, XPROXY – and then just let the Internet do its magic, and in a few days we had 1110 different results about our IP address, because all proxy server lists copy themselves. So, if you publish your IP address in one proxy server list, they are copying the same IP address to all proxy server lists, which is funny, because in one day you can have a lot of bots.
Then we created a small payload to grab all form fields (see image). The idea is that we hook the Submit function and copy all information in the fields, and send the fields’ value to our control panel – and that’s all, just enjoy. Doing this in just one single day, we were able to get 5000 bots, which is not bad – no pay-per-install, not creating any special polymorphic malware – just publishing one IP address on the Internet. We are from Spain, you know.
So, the question is: who the hell uses proxy services on the Internet? How many of you are using this kind of services on the Internet? If you read related manuals, they all say: “If you want to be anonymous, use anonymous proxy server. If you want to be more anonymous, use more than one anonymous proxy server,” which is cool, because you can be infected by more than one proxy server.
And the idea is that the kind of people who are using these services are, of course, bad people. All we were able to collect was bad people doing bad things. Of course, the first thing we discovered was the Nigerian scammers. We collected all information, and of course we collected all usernames and passwords. But we had warned them, so it’s all legal.
So, once we got the passwords, we could get into the mailboxes of those people. There were lots of people doing this, but this is one of my favorites (see image to the left). As you can see, the email alias is firstname.lastname@example.org. That guy was creating a spam campaign trying to scam people with visa scheme. He was offering the victims a special visa to get a job in the UK.
This is the mail (see right-hand image), of course he was asking for money, 275 Pounds. And a lot of people were suspicious, saying things like: “I appreciate the information, but show me the job first. Show me the job and then I’ll send the money.” Of course, if the guy was suspicious, the scammer wasn’t continuing the scam. But others weren’t so suspicious, so in the end they were sending all the information needed to create a visa – passports, application forms, resumes, high-quality pictures for the UK passport, even fingerprints, and so on. This is the easiest way of identity theft that I’ve seen in my life, for sure. If you got all this information, then you probably can create your own mule to use in banking malware.
Here is another one (see image to the right), which is one of my favorites too. This is a profile on a social network for having a fling, that kind of thing. How many of you really think that this girl needs to search for a guy on the Internet? Well, it was very suspicious to us from the beginning. So, we decided to collect the username and password of this profile and analyze what she was doing.
And in the end, as you can see, this Axionqueen here is searching for relationship and dating, she is from Texas, and she is about 30. But she has another profile on another network (see image to the left). And in this case she is from New Zealand, she’s 31, she’s Aries, and so on. And in another profile, she lives in Virginia. Anyone from Virginia who has seen this girl? And of course, the most wonderful thing is that in all the profiles she looks completely ‘different’.
In the end, we decided to get into this guy’s email box, and we read the information he was storing there. Well, this person, of course, is not a girl, it’s a boy, it’s a he, and he was collecting conversations with people who were in contact with this profile. Those profiles are for phishing the victims.
That is one of my favorite chats (see image), in which kkbill is supposedly the girl, and fiat176punto is the victim:
– Hello, sweetie.
– Hello, my sweet Mous. (I think we need an “e” here.)
The second one is:
– How are you doinf?
In the chat they are discussing the details of their love, and one of the details implies 700 Euros that need to be sent in exchange for the ‘nicked’ pics. I don’t know what kind if pictures those are. And the point is that this guy, this predator, is a multitasking scammer, so he is chatting with different people at the same time, and that’s probably why he fails here, because in the middle of the chat he started to chat in German, I think so: “Ich frage Sie, dass, wenn Sie…”
So, we went inside the email box and it’s quite nice, because he has all the victims very well classified in his email box (see image). And there is a folder with all the chats, in which he is working right now, and we were searching for mails asking for money through Western Union, and, as you can see, there were 158 messages asking for money from Western Union.
And the mails were like this (see left-hand image) : “Hello sweetie, why haven’t you sent me the nicked pictures you promised me?” And the guy said: “Hello baby, I don’t know but my bank manager told me that the address city and country are not possible, now what can we do?” Of course, she is asking for money that needs to be transferred to a different country in which she’s supposed to be living, that fake profile, and she gets angry: “Stop playing games on me, I gave you the right address!”
Another scammer in that test that we did was someone very weird, because he was doing something strange with dogs. We weren’t sure what he was doing with dogs and why he needed to use a proxy server on the Internet, an anonymous proxy server on the Internet. So, we decided to use the username and password to get into the email box, and we discovered something very hardcore. We discovered a picture – I’m warning: please, if you love animals, don’t look at this picture, because this is the picture (see image). He was selling this fake Yorkshire, and in the end he was selling the same Yorkshire around the world. So, it’s the most profitable Yorkshire in the world. He was placing the same picture in a lot of places selling dogs and making money out of it.
Of course, we discovered psychotics. This is what the control panel looks like (see image), and as you can see, this guy was searching xnxx.com for “Mother”, “Rape sister”, “Violent rape”, “Violence”. We were about to send this IP address to the police, because this guy is not normal.
Also, a lot of people are trying to be anonymous, and the first thing they were doing was just test if they were anonymous. The problem is that if you are using a proxy server, you are anonymous to the end page, but not to the proxy server, so the proxy server can track you anytime, it’s quite simple. So, okay, you are ‘anonymous’: we know what country you are from, and we know your real IP address – so, it’s quite simple. There are lots of cases when people are doing the same, trying to be anonymous.
This is the worst case we discovered (see image). It’s a guy trying to make money by reading blog posts. It’s supposed to be a business: you read a blog post of anyone around the world and you will be paid for it. And after one month he was able to earn 24 bucks, so I’m not sure it’s such a good business right now.
In this case, this is a guy from Mexico, he wanted to browse for some porn on the Internet, and then he disconnected from the proxy server, but he was infected. And, as you can see, this is an internal server; we weren’t able to connect to it, but there is an ARP application with data and, of course, a lot of information on the user, such as the password and so on. But we couldn’t connect to that intranet because it’s not published on the Internet.
And, of course, porn, a lot of porn; people searching for porn. Porn is the business, believe me. Not hacking – porn, porn, porn. We discovered this (see left-hand image), this is a very nice story, where in a Catholic church they discovered this painting from monks, about 7 centuries old – they were painting penises. It’s true.
So, we were collecting URLs and we discovered a lot of URLs of porn. Also, a lot of usernames and passwords (see image below); we’ve been selling them on the Internet, of course…
So, you only need to select the target – whatever: a bank, a social network, intranet – analyze the files that are going to be loaded by this website, and force this file to load when the guy, the victim, is connected to the proxy server. It’s pretty simple.
I wanted to do a real demo, but first I’d like to show you the control panel and what it looks like. Of course, we turned off the proxy server on the Internet, but for BlackHat and Defcon I created a new control panel (see image). I didn’t publish this proxy server on the Internet, but after delivering the talk at BlackHat – I don’t know why – someone published it online. So, we configured this proxy only for 10 parallel connections, and right now, this morning I’m going to show you the bots, the zombies; and as you can see, if we search for today’s date, we started to receive a lot of bots from different countries, a lot of them from the States, Brazil, elsewhere. And we got a lot of information collected from them. We didn’t want to do it, we didn’t publish the IP address, believe me.
And then in our control panel we created some special payload. So, we go to the control panel, and you can see we got preset attacks in which you can configure what is of interest to you, and in case with the California Credit Union League the only thing that we needed to do is force to download this file (see image).
We were able to do this in only one day; the problem is: how many of you think that government, intelligence services, the bad guys aren’t doing the same on the Internet? The question is how many of you think that only one of those proxy servers on the Internet is secure? No one? I mean the server that is not going to infect you or collect your data. It’s the one you run; it’s not an anonymous proxy server, it’s yours.
In the end, using a proxy server on the Internet is a very bad idea, but we got thousands and thousands of web pages on the Internet, same people: “If you want to be anonymous, use a proxy server on the Internet.” We are going to have this problem for a long time. So, don’t use it.
Some protection, of course. This is a man-in-the-middle schema, in which you decide to be hacked, because you configure your web browser to use that man-in-the-middle, that proxy server, so you have to think twice whether it’s worth it – to be using that proxy server.
And certainly, the problem is with TOR networks, but right now we’re getting more news about rogue TOR nodes on the Internet than about fake proxy servers on the Internet, and I don’t know why. And of course, after using this kind of services, if you have to do this for whatever reason you have, take care and clean all the information that you downloaded from the Internet. Take special care with that machine. If it’s possible, use a new virtual machine and burn it out after using, throw it to the trash, wherever you want. And, of course, VPNs are not a silver bullet, because in this case we were able to discover a lot of people connecting to our personal VPN to be outside of the network in which they were connecting, and then from the VPN connect to our proxy server, and in the end it’s possible to infect the client in any case. So, take care of it.
Thank you very much!