Page 1: FBI Malware Overview - EDUs

UNCLASSIFIED

FBI Malware Overview - EDUs

Vincent J. Rowe, Intelligence Analyst

Andy Czyzewski, Intelligence Analyst

FBI Cyber Division

Washington, DC

Page 2

Overview

• FBI’s mission

• Intelligence initiatives

• Analysis objectives

• Cycle of malicious code

• Case Studies: FooNet, Mytob

• Implications for universities (“EDUs”)

• Questions

Page 3

FBI’s Priorities

1. Protect the US from terrorist attack.
2. Protect the US against foreign intelligence operations and espionage.
3. Protect the US against cyber-based attacks and high-technology crimes.
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational and national criminal organizations and enterprises.
7. Combat major white-collar crime.
8. Combat significant violent crime.
9. Support federal, state, county, municipal, and international partners.
10. Upgrade technology to successfully perform the FBI's mission.

Page 4

FBI Cyber Division Mission

• Stop those behind the most serious computer intrusions and the spread of malicious code

• Identify and thwart online sexual predators who use the Internet to meet and exploit children and to produce, share, or possess child pornography

• Counteract operations that target U.S. intellectual property

• Dismantle national and transnational organized criminal enterprises engaging in Internet fraud.

Page 5

Analysis Objectives

• What is the author’s skill level?

• What does the code do?

• What OSs are affected?

• When was it written?

• Who wrote the code?

• What is the purpose?

• What contacts does the subject have?

• What type of connection did he make?

Page 6

Cycle of Malicious Code

Harnessing

Execution

Harvesting

Page 7

Harvesting Phase

From January to April, over 75 pieces of malcode were released into the wild: MyDoom (15), Netsky (30), and Beagle (30)

• Mass-mailing worm arrives as an attachment

• Establishes listen threads on TCP ports

• Creates a notification thread that will contact a remote site

• Enables the intruder to download and execute arbitrary files

Page 8

Harnessing Phase

• The next phase is to herd the victimized systems into a botnet by gaining unauthorized access left behind by the worm infections

• Backdoor command and control software is then executed on the victimized system from the holes left behind by the worms

Page 9

Execution Phase

• The victimized boxes are herded into a botnet to launch DDoS attacks

• DDoS attacks are used to extort money from victim companies in exchange for keeping their access to the Internet

• Botnets can be used as a platform to launch next-generation malware

• Botnets can be sold to spammers
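As an added illustration (not part of the presentation), the Python sketch below maps the three phases above onto per-host connection records: a burst of outbound SMTP to distinct mail servers plus a new listening socket (harvesting), a later IRC connection consistent with command and control (harnessing), and a connection flood aimed at one destination (execution). The events, hostnames, addresses, ports and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed host events (not from the presentation): (t_sec, host, kind, port, peer).
# kind is "out" for an outbound connection or "listen" for a new listening socket.
EVENTS = [
    (0, "lab-pc-7", "out", 25, "mx1.example.net"),
    (2, "lab-pc-7", "out", 25, "mx2.example.org"),
    (3, "lab-pc-7", "out", 25, "mx3.example.com"),
    (4, "lab-pc-7", "out", 25, "mx4.example.edu"),
    (5, "lab-pc-7", "out", 25, "mx5.example.info"),
    (9, "lab-pc-7", "listen", 3127, "*"),           # new listen thread
    (10, "lab-pc-7", "out", 80, "198.51.100.7"),    # notification to a remote site
    (60, "lab-pc-7", "out", 6667, "198.51.100.7"),  # IRC command and control
    (0, "lab-pc-8", "out", 25, "smtp.campus.example"),
    (5, "lab-pc-8", "out", 443, "www.example.com"),
] + [(120 + i // 50, "lab-pc-7", "out", 80, "203.0.113.9") for i in range(300)]

MAIL_PEERS = 5     # distinct SMTP destinations before we call it mass mailing
WINDOW = 60        # seconds for the flood window
FLOOD_COUNT = 100  # outbound connections to one peer inside WINDOW
C2_PORTS = {6667}  # IRC, the control channel seen in the FooNet case

def phases_for_host(host, events=EVENTS):
    """Return the lifecycle phases whose indicators appear in one host's events."""
    evs = sorted(e for e in events if e[1] == host)
    found = []
    smtp_peers = {peer for _, _, kind, port, peer in evs if kind == "out" and port == 25}
    listens = [t for t, _, kind, _, _ in evs if kind == "listen"]
    # Harvesting: mass mailer plus a new listener for the intruder to return to.
    if len(smtp_peers) >= MAIL_PEERS and listens:
        found.append("harvesting")
    # Harnessing: a control-channel connection made after the listener appeared.
    if listens and any(kind == "out" and port in C2_PORTS and t > listens[0]
                       for t, _, kind, port, _ in evs):
        found.append("harnessing")
    # Execution: a connection flood to a single destination within WINDOW seconds.
    per_peer = defaultdict(list)
    for t, _, kind, _, peer in evs:
        if kind == "out":
            per_peer[peer].append(t)
    for times in per_peer.values():
        if any(sum(1 for u in times if start <= u <= start + WINDOW) >= FLOOD_COUNT
               for start in times):
            found.append("execution")
            break
    return found
```

The order of the returned list follows the slide sequence, so a host showing only "harvesting" is an early candidate for cleanup before it is herded into a botnet.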

Page 10

Case Study: FooNet

• In January 2003, an FBI investigation centered around a group of individuals launching DDoS attacks

• Forensic analysis of victims’ logs led the FBI to a UK subject using an IRC channel hosted by FooNet

• Individuals from this group launched numerous DDoS attacks, driving victims to FooNet for protection

Page 11

Case Study: FooNet (cont)

Page 12

Case Study: FooNet (cont)

Page 13

Case Study: FooNet (cont)

• FBIHQ coordinated with New Scotland Yard on the arrest and interview of the UK subject

• Implicated the owner of a webhosting provider in Columbus, OH

• UK subject commanded an army of 20,000-50,000 bots

• SDbot and Agobot

Page 14

Case Study: FooNet (cont)

• Columbus subject owned and operated a web hosting provider in his home, with some legitimate clients

• On February 14, 2004, “Cyber St. Valentine’s Day Massacre,” the FBI executed a search warrant on FooNet

• Over 299 systems were seized, the largest takedown in FBI cyber history

Page 15

Case Study: FooNet (cont)

Page 16

Case Study: FooNet (cont)

• Through forensic analysis and interviews with the subject, the FBI determined that FooNet administrators hired DDoS henchmen to knock entities off the Internet

• The group had about 20 members who designed, developed, and tested code

Page 17

Case Study: Mytob

• Computers affected: CNN, ABC News, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, DaimlerChrysler, U.S. Immigration and Customs Enforcement, and others

• Writer was paid to create malware

• Likely profit motive for deployment

Page 18

Case Study: Mytob (cont)

• Cooperation: FBI, law enforcement in Morocco and Turkey, and Microsoft

• Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0"

• Atilla Ekici, aka "Coder," a 21-year old resident of Turkey

• Local prosecutions

Page 19

Why Universities (EDUs)?

1. EDU networks are targeted in order to carry out further attacks (botnets, hosting phishing sites, testing malware, etc.)

– Large volume of networked computers

– Significant Internet presence (“wired”)

– High bandwidth

2. EDU networks hold large amounts of valuable data (SSNs) that can be trafficked

Page 20

EDUs/Law Enforcement Success

• A university experienced a DDoS attack

• Administrators and tech professionals gathered information

• They forwarded the information to their local FBI field office

Page 21

EDUs/LE Success (cont)

• FBI opened an investigation

• University provided information critical in locating the perpetrator

• Further investigation revealed that others were involved in the attack

• Other schools were also victimized

• Investigation continues

Page 22

What Can EDUs Do?

• Report intrusion incidents to your local FBI field office

• Participate in your local Infragard chapter

• Once established, maintain contact with your local FBI cyber personnel

• Be proactive

Page 23

Questions?

IA Vince Rowe

[email protected]

IA Andy Czyzewski

[email protected]