Wednesday, August 21, 2013

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three

Over the years, I've been persistently highlighting the abuse of compromised hosts as either 'stepping stones', or as the primary facilitators for 'island hopping' campaigns, empowering those using them with the necessary non-attributable 'know-how' to not just anonymize their Internet activities, but also, engineer cyber warfare tensions.

The utilization of hacked/compromised hosts/PCs as 'island hopping' points, or as 'stepping stones', continues to take place in 2013, with more managed cybercrime-friendly services offering access to compromised hosts located virtually all over the World, access to which can be bought in a cost-effective manner, thanks to the available discounts or price discrimination schemes.

Catch up with previous research on the topic:

What has changed over the years? Is the once thought the be the future of anonymization for cybercrime-friendly activities, 'proxy chaining' -- think chaining of connections between multiple malware-infected hosts -- still relevant today? Or was the concept largely replaced by log and data retention free cybercrime-friendly VPN providers, that continue popping up on everyone's radar?

Since 2010, a HTTPS-supporting, DIY multiple gates application (proxy which can be a Socks 4/Socks 5 compromised host given it has been properly configured for the purpose) managing, Man-in-the-Middle "attack" performing -- in order to randomize for anonymization purposes -- cookie/headers modifying of the requests performed through the "chaining" of compromised hosts/servers, has been commercially available for cybercriminals to take advantage of.

Let's take a close look at this state of the art gate/proxy chaining cybercrime-friendly application.

Sample screenshots of the application's interface:

The application's author is also known to have been released custom builds for various cybercrime-friendly forums:

Some of its core features include:
[+] HTTPS support for php-gates, needs OpenSSL
[+] Ability to set a password on the gate.
[+] Ability to work with a gate, through any procs (HTTP (S), SOCKS4, SOCKS5).
[+] Working with gated exclusively via the method GET, which provides protection from detection by the log files on the server.
[+] Ability to set Cookies, transferred during handling to the gate. This is useful for hiding the code in the files of the site gate. Format: "cookie = value; cookie2 = ;"
[+] Processing of each compound is in a separate stream.
[+] Ability to unlimited downloads and uploads of large files (in case of inability to bypass restrictions set_time_limit () can download files in a few times, provided support to resume from the target server).
[+] Preprocessing mechanism optimizes queries under HTTP 1.0.
[+] The presence of an encryption key must be specified (purely symbolic encryption to hide traffic from prying eyes), and all data, including the password for the gate are transmitted in encrypted form. Enable / disable the encryption does not require editing the code gate.
[+] Ability to work with several gates. In this case, each assigned a specific gated User-Agent (assigned by chance) that does not allow the target site to link together the requests from different gates.
[+] Ability to add a request to the target site header X-Forwarded-For, X-Real-Ip and Via with random IP-addresses (in this case, sites that use mechanisms for determining the visitor's IP address on these titles or used mod_realip, will benefit from logging bogus addresses, as these headlines mislead the site administrator).
[+] Ability to select the interface to listen to.
[+] More statistics on network connections, there are different levels of profiling queries (and no logs are written to the file).
[+] Support chains gates.
[+]-Chain of 3 modes:
- Direct sequence (traffic passes through a series of gates that you clearly stated)
- Random chain (each request is passed through a randomly builds a chain of gates)
- Casual chain with specific output gate time (similar to the previous mode, except that the final gate remains constant.
[+] Ability to speed up surfing through the chain by local caching IP-addresses.
[+] Support for HTTPS gates are not independent of their number.
[+] Using a cascade encryption - the ability to use any number of gates with different encryption keys.
[+] Built-checker gates.
[+] You can check all the gates at once, or each gate individually when adding / editing.
[+] Built-in gates.
[+] Ability to insert code in the gate pre-generated table of permutations. This eliminates the need to store the encryption key directly to the Gate, and generate a table for each access to the gate.
[+] Automate the process of creating a masked gate with Cookies
[+] Ability to delete from the code perevodoa lines and tabs.
[+] Ability to set proivolnyh request headers.
[+] Ability to define hosts, which will be sent to a specific heading.
[+] Ability to temporarily activate / deactivate a specific heading.

[+] Gain Control key to 2048 bits (256 bytes) using md5
[+] Complete independence from each other bytes (including the order of the bytes and encrypted block length).
[+] The variable number of rounds of permutations, depending on the key.
[+] Partly salt as XOR'a-byte hash key.

With the ease of assessing a malware-infected host's bandwidth thanks to the overall availability of such an option among the most popular managed services offering access to such hosts, it shouldn't be surprising to consider that a potential cybercriminal using this application, would be in a perfect position to create -- in a DIY fashion -- a stable anonymous network, to further assist him on his way to achieve his fraudulent or purely malicious objectives.

The bottom line? What's the cost of anonymizing a cybercriminal's Internet activities? 1,900 rubles or $57.53 for the application, in this particular case.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.