Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, “Hey you got your chocolate in my peanut butter!,” and the other would shout, “You got your peanut butter in my chocolate!” The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available.
It may be that the Internet security industry is long overdue for its own “Reese’s moment.” Many security experts who got their start analyzing malware and tracking traditional cybercrime recently have transitioned to investigating malware and attacks associated with so-called advanced persistent threat (APT) incidents. The former centers on the theft of financial data that can be used to quickly extract cash from victims; the latter refers to often prolonged attacks involving a hunt for more strategic information, such as intellectual property, trade secrets and data related to national security and defense.
Experts steeped in both areas seem to agree that there is little overlap between the two realms, neither in the tools the two sets of attackers use, their methods, nor in their motivations or rewards. Nevertheless, I’ve heard some of these same experts remark that traditional cyber thieves could dramatically increase their fortunes if they only took the time to better understand the full value of the PCs that get ensnared in their botnets.
In such a future, Chinese nationalistic hackers, for example, could avoid spending weeks or months trying to break into Fortune 500 companies using carefully targeted emails or zero-day software vulnerabilities; instead, they could just purchase access to PCs at these companies that are already under control of traditional hacker groups.
Every now and then, evidence surfaces to suggest that bridges between these two disparate worlds are under construction. Last month, I had the opportunity to peer into a botnet of more than 3,400 PCs — most of them in the United States. The systems were infected with a new variant of the Citadel Trojan, an offshoot of the ZeuS Trojan whose chief distinguishing feature is a community of users who interact with one another in a kind of online social network. This botnet was used to conduct cyberheists against several victims, but it was a curious set of scripts designed to run on each infected PC that caught my eye.
Computers infected with ZeuS variants typically relay not only password data, but also basic information about the victim PC, including operating system version, default browser, the system time, and the machine name that the victim user picked when installing the OS. But this version of Citadel sought much more information, and instructed all infected PCs to relay the output of several network diagnostic tools designed to help map out a local network.
Hosts infected with this version of Citadel were instructed to run several variations on the “net view” command, which displays a list of domains, computers and resources that are being shared by systems on the host PC’s local network. The hacked machines also were forced to run the command “osql -L”, which produces a list of database servers that may be present on the network. In addition, compromised PCs were prompted to run the Windows command line instruction “ipconfig /all”, which provides a wealth of data on the Internet addresses assigned to different components of the local network.
A screen shot of the Citadel panel. This page shows the breakdown of antivirus tools installed on infected PCs.
Other diagnostic commands run on each machine sought to dump the list of Windows users and groups on the network, as well as the homepage of the victim’s default browser (the latter is interesting because many organizations set internal systems to default to the company’s Intranet page).
It may well be that the miscreants behind this botnet simply wanted to cover their bases, in case the need arose to identify administrator accounts or users most likely to have access to sensitive financial information. And, of course, miscreants with complete control over infected systems always can run these commands manually. But it is rare to find examples of those involved in traditional cybercrime who are interested in gathering this information from so many infected systems by default, according to Dmitri Alperovitch, one of the aforementioned experts on Eastern European cybercrime who transitioned to tracking APT threats a few years back.
Alperovitch, co-founder of CrowdStrike, a security startup focused on identifying APT attacks and victims, called the development “troubling.” Alperovitch said the hackers behind this Citadel version may be trying to map out who exactly the victims are — as a precursor to selling access to those machines.
“Many of these techniques are exactly what the APT guys use to map out victim organization once they get access to it,” he said.
If APT attackers and the miscreants focused on ebanking fraud are such a match made in heaven, why aren’t we seeing more signs of interaction between these two communities? Alperovitch believes it’s because there aren’t many areas where these two worlds overlap.
“It always amazed me that this was not happening, and I questioned why that was the case for a number of years, and I’ve come to realize the reason is that these two communities — those doing intrusions for espionage purposes and cybercrime purposes — are so far apart and don’t really talk to each other or don’t know how to connect,” he said. “If you’re a guy who’s specializing in banking cashouts, how do you find someone who is interested in F-35 fighter plane schematics? It’s not so easy.”
Alperovitch said he’s seen APT-based groups occasionally using financial cybercrime tools like ZeuS, but in those cases it appears the attackers were either lazy or were trying to conserve resources.
“That’s just the nature of convenience, because tools like ZeuS allow you to build [the malware] yourself and use it as a first-stage malware delivery system, instead of burning your own custom tool that’s much more valuable to you,” he said. “But just because these [APT actors] were using ZeuS doesn’t mean that they were collaborating with any cybercriminal group. I’m not discounting the possibility of an intermediary potentially bridging these two groups, but it would take someone in the cybercriminal world with a lot more connections with the intelligence agencies to take advantage of it.”
