4) Criminal Business Models, Botnet C&C and Takedowns Flashcards
What is MaaS?
Malware as a Service: a business model in the underground scene in which malware, or the infrastructure to run it (exploit kits, botnet rentals), is sold or rented as a service instead of being built by the buyer.
What are Garants?
Highly trusted members of the underground scene who act as escrow: they hold and exchange the money between two gangs that do not trust each other, so neither side can run off with the payment.
Explain some Cybercrime business models?
FakeAV: fake antivirus program that claims to have found several new malware infections on the victim's system and offers to remove them in exchange for money;
ID Theft: identity theft, trading in personally identifiable information (PII);
Click fraud: monetize an infected computer by forcing it to click on ads; the attacker is paid for every click;
DDoS: many infected systems send requests to one target system; the goal is to bring that system down;
SPAM: use infected systems to send out ads via email;
Bitcoin mining: use the processing power of infected systems to mine cryptocurrency.
Explain how TOR works.
- Client contacts the directory servers to get the list of Tor nodes (the consensus)
- Alice picks a random path of three hops (guard, middle, exit) and negotiates a separate session key with each hop, extending the circuit one hop at a time
- Alice wraps each message in three layers of encryption; every node strips exactly one layer, so it learns only its predecessor and its successor, never the whole path
- Circuit established; only the exit node sees the plaintext destination (and the plaintext itself unless the stream is end-to-end encrypted)
- New streams are moved to a fresh circuit after about 10 minutes.
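The layering step above, as an added example that is not part of the original flashcards: Alice wraps a message once per hop, innermost layer for the exit, and each relay can open only its own layer and learns only the next hop. Everything here is an assumption for the demo: the three relays already share a session key with Alice (the real Tor key exchange is not modelled), each layer uses an HMAC-SHA256 keystream plus an HMAC tag as a toy stand-in for Tor's AES-CTR relay cells, and the relay names and destination are made up.

```python
"""Toy onion routing, added here as an example (not from the original flashcards).

Assumptions (all hypothetical): Alice already shares a session key with each of
the three relays (the real Tor key exchange is not modelled), and each layer is
encrypted with an HMAC-SHA256 keystream plus an HMAC tag, standing in for Tor's
AES-CTR relay cells. Relay names and the destination are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and strip one layer; a relay holding the wrong key fails here."""
    nonce, tag, ct = blob[:12], blob[12:28], blob[28:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed: not my layer")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


@dataclass
class Relay:
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # session key shared with Alice
    seen: list = field(default_factory=list)  # what this relay learned: only the next hop

    def process(self, blob: bytes) -> tuple[str, bytes]:
        """Peel exactly one layer, read the next-hop name, forward the rest untouched."""
        inner = unseal(self.key, blob)
        n = inner[0]
        next_hop = inner[1:1 + n].decode()
        self.seen.append(next_hop)
        return next_hop, inner[1 + n:]


def build_onion(path: list[Relay], destination: str, message: bytes) -> bytes:
    """Alice wraps the message innermost-first: exit layer, then middle, then guard."""
    dest = destination.encode()
    payload = seal(path[-1].key, bytes([len(dest)]) + dest + message)  # exit delivers to dest
    for i in range(len(path) - 2, -1, -1):
        nxt = path[i + 1].name.encode()
        payload = seal(path[i].key, bytes([len(nxt)]) + nxt + payload)
    return payload


def route(path: list[Relay], onion: bytes) -> tuple[str, bytes]:
    """Send the onion along the circuit; each relay strips one layer."""
    blob = onion
    next_hop = ""
    for relay in path:
        next_hop, blob = relay.process(blob)
    return next_hop, blob  # (destination, plaintext) as seen by the exit


if __name__ == "__main__":
    circuit = [Relay("guard"), Relay("middle"), Relay("exit")]
    onion = build_onion(circuit, "example.com", b"GET / HTTP/1.1")
    print(route(circuit, onion))
    print({r.name: r.seen for r in circuit})
```

Running it shows the guard only ever records "middle", the middle only "exit", and only the exit sees the destination and plaintext; handing the guard's blob to the middle relay fails the tag check. One caveat the toy does not model: here the blob shrinks by one header per hop, whereas Tor uses fixed-size cells precisely so that cell length does not reveal a relay's position in the circuit.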
Describe what is meant by the term Zero-Day Exploit, and what sort of attacks would these commonly be used in.
A zero-day exploit is an exploit for a security hole for which no patch is available yet (the vendor has had "zero days" to fix it). Such exploits are normally used in very targeted attacks, because widespread use gets them detected and patched.
How does a Hidden Service work in TOR?
- The hidden service (HS) selects introduction points, builds circuits to them and sends them its public key
- The HS creates a Hidden Service Descriptor (public key, list of introduction points), signs it and advertises the service by publishing the descriptor to the distributed hash table (the HSDir relays)
- The HS is reachable under an address derived from its public key: 16 characters plus .onion for the v2 format described here (current v3 addresses are 56 characters)
- The client downloads the Hidden Service Descriptor from the DHT, picks a Rendezvous Point (RP) and builds a circuit to it
- The client sends an introduction message (one-time secret + RP address), encrypted to the HS public key, via one of the introduction points
- The HS builds a circuit to the Rendezvous Point, which then acts as a relay between the two circuits
- Connection established; neither side learns the other's IP address
How can you find criminal forums online?
Search well-known forums for hints; use known usernames or other code words as pivots for advanced searches.
What is/are Money Mules?
Receive and re-transfer money from illegal activities, so that the flow of funds cannot be traced back to the gang.
What is/are Carders?
Monetize stolen credit card information.
What is/are Exploit Writers?
Write zero-day exploits for very targeted attacks
What is/are Bullet Proof Hosting?
Provides hosting that is "secure" from the criminal's point of view: the provider ignores abuse complaints, will not shut down the service and will not hand over any log files on legal request.
What is/are Resellers?
Resells any goods or services
What is/are Card makers?
Produce physical (counterfeit) cards from stolen card data; work closely together with carders.
What kind of botnets are common?
- Single Client
- Multi Client
- Multi-Headed
- Multi-tiered
- Peer-to-Peer
Explain the following types of botnets: Single Client, Multi Client, Multi-Headed, Multi-tiered, Peer-to-Peer.
- Single Client: 1-to-1 botnet, one bot talks to one controller;
- Multi Client: classical many-clients-to-one-server relationship, with a single central C&C;
- Multi-headed: the bot carries a list of several C&C servers and tries them in turn until one answers. The addresses are hard-coded domain names, generated by a DGA (domain generation algorithm), or hidden behind Fast-Flux DNS (the IP behind a name changes constantly);
- Multi-tier: front-end proxy servers forward the bot traffic to the bulletproof-hosted back-end, so a takedown only hits disposable proxies;
- Peer-to-Peer: no real head of the botnet; commands spread between peers, so there is no single node to take down.
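The multi-headed case above from both sides, as an added example that is not part of the original flashcards: the bot walks its hard-coded heads and then today's DGA list until a name resolves, while the defender who has reversed the DGA pre-computes the same names for sinkholing and flags fast-flux names from DNS answers. The DGA (SHA-256 over a per-family seed, the date and an index, giving a 12-letter label under .com/.net/.org) is a hypothetical toy, not any real family's algorithm; the head names, the resolver and the DNS answer records are constructed sample data, and the fast-flux thresholds are assumptions.

```python
"""Multi-headed C&C lookup with a DGA, plus a fast-flux heuristic.

Added example, not from the original flashcards. The DGA (SHA-256 over a
per-family seed, the date and an index; 12-letter label; .com/.net/.org) is a
hypothetical toy, not any real family's algorithm. Hard-coded head names, the
resolver and the DNS answer records are all constructed sample data.
"""
import datetime as dt
import hashlib
from collections import defaultdict
from typing import Callable, Optional

SEED = b"demo-botnet-seed"  # hypothetical per-family constant known to bots and, once reversed, to the analyst
TLDS = (".com", ".net", ".org")
HARDCODED_HEADS = ("cc1.example.invalid", "cc2.example.invalid")  # constructed


def dga(date: dt.date, count: int = 10) -> list[str]:
    """Today's candidate C&C names; bot and defender compute the same list."""
    names = []
    for i in range(count):
        h = hashlib.sha256(SEED + date.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        names.append(label + TLDS[h[12] % len(TLDS)])
    return names


def rendezvous(date: dt.date, resolve: Callable[[str], Optional[str]]):
    """Bot side of a multi-headed botnet: try the hard-coded heads, then the DGA
    list, and stop at the first name that resolves."""
    for name in list(HARDCODED_HEADS) + dga(date):
        ip = resolve(name)
        if ip:
            return name, ip
    return None


def sinkhole_list(start: dt.date, days: int) -> list[str]:
    """Defender side: pre-compute the names bots will try over the coming days
    so they can be registered (sinkholed) or blocked before the botmaster uses them."""
    return [d for k in range(days) for d in dga(start + dt.timedelta(days=k))]


# Constructed passive-DNS style records: (qname, answer_ip, ttl_seconds)
SAMPLE_ANSWERS = [
    ("shop.example.invalid", "203.0.113.10", 3600),
    ("shop.example.invalid", "203.0.113.10", 3600),
    ("cdn.example.invalid", "203.0.113.20", 60),
    ("cdn.example.invalid", "203.0.113.21", 60),
    ("cdn.example.invalid", "203.0.113.22", 60),
    ("flux.example.invalid", "198.51.100.1", 60),
    ("flux.example.invalid", "198.51.100.44", 60),
    ("flux.example.invalid", "198.51.100.97", 120),
    ("flux.example.invalid", "192.0.2.13", 60),
    ("flux.example.invalid", "192.0.2.200", 60),
    ("flux.example.invalid", "198.51.100.5", 300),
]


def fast_flux_candidates(answers, min_ips: int = 5, max_ttl: int = 300) -> list[str]:
    """Flag names whose answers rotate through many IPs with short TTLs.
    Thresholds are assumptions; CDNs also use short TTLs, so treat hits as leads."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, ip, ttl in answers:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    return sorted(q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


if __name__ == "__main__":
    today = dt.date(2024, 1, 1)
    print(dga(today)[:3])
    print(rendezvous(today, lambda name: "203.0.113.7" if name == dga(today)[3] else None))
    print(fast_flux_candidates(SAMPLE_ANSWERS))
```

The point of the sinkhole list is the takedown angle from the card title: once the seed and algorithm are recovered from a sample, every future head is known in advance, so the domains can be registered by the defender before the botmaster does. Fast-flux is harder, because the name stays the same and only the IPs churn; the heuristic here (many distinct IPs, all with short TTLs) surfaces candidates but also catches legitimate CDNs, so it is a triage filter, not a verdict.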