Modern Malware: Tactics & Countermeasures

Transcription

1 Modern Malware: Tactics & Countermeasures

2 General Agenda Tactics of modern malware Countermeasures with Next Generation FW Page Palo Alto Networks

3 Tactics of Modern Malware

4 Goal of the session Showing the different stages that take place during a modern malware infection Understanding the sophistication and dedication required to build up an APT (APT Advanced Persistent Threat) Learning the different mechanisms that the attackers use It s important to note that using this tactics against real sites or users may be punished by law Page Palo Alto Networks Slide 4

5 What has changed / What remains the same The attacker has changed - Nation-States - Criminal organizations - Political groups The strategy has evolved - Patient process, step by step - User compromise and future expansion The technique has evolved - New ways for sending malware - Communication hiding - Signatures evasion It s not the end of the world - It s not new, just more common - There are solutions - Don t believe it has been because of APT Page Palo Alto Networks

6 Cyber Threats: A National Topic "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. President Obama State of the Union Address February 2013 "But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers. Imagine the impact an attack like that would have on your company or your business. The collective result of these kinds of attacks could be a cyber Pearl Harbor. Leon Panetta - Former Director of the CIA, Current Secretary of Defense Page Palo Alto Networks. Proprietary and Confidential.

7 Recent Victim of a Malware Attack The attack followed an exposé on corruption and influence peddling in China s ruling Communist Party Attackers planted 45-pieces of malware on Times systems 44 of which were undetected by traditional desktop antivirus software Used university networks as a staging ground for the assault Source: Page Palo Alto Networks. Proprietary and Confidential.

8 The Strategic Role of Modern Malware Infection Escalation Remote Control Malware provides the internal foothold to control and expand a sustained attack

9 The challenges to traditional security Threats are using different techniques, but security remains segmented Exploits, malware, spyware, obfuscation Threats are using the weak points on security to avoid being discovered The most patient attacks need to go over the perimeter several times without being detected Targeted and customized malware is capable of evading traditional signatures Attacks with new malware, which has never seen before, are increasing Page Palo Alto Networks.

10 The Gaps in Traditional Antivirus Protection Modern malware is increasingly able to: - Avoid falling into traditional AV honey-pots - Evolve before protection can be delivered Targeted and custom malware Polymorphic malware Newly released malware Highly variable time to protection WildFire finds unique new malware samples undetectable by leading antivirus software every day. Page Palo Alto Networks. Proprietary and Confidential.

11 The Evolving Threat Landscape Hacktivism and Affiliates Low to medium sophistication, politically motivated sabotage and theft Examples: Anonymous, LulzSec, Pr0j3ct M4yh3m Organized Cybercrime Medium to high sophistication, large-scale theft of financial data, hack-for-profit Examples: Russian Business Network Nation-State Actors Highly sophisticated, persistent, and well funded intelligence gathering. Examples: Aurora, Titan Rain, Shady RAT, GhostNet

12 They have a complex structure usually Botnet kits authors Phising developer Spam senders drive-by experts Carders Page Palo Alto Networks

13 Lifecycle of a Modern Threat

14 Stages and processes in modern malware We will cover the technical aspects related to each of these stages Bait Exploit Download Back channel Steal Page Palo Alto Networks

15 Attack Stages of Modern Malware Targeted malicious sent to user Malicious website exploits client-side vulnerability User clicks on link to a malicious website Drive-by download of malicious payload Page Palo Alto Networks. Proprietary and Confidential.

16 Scope of the problem RSA case detailed CVE Fuentes: Page Palo Alto Networks Slide 16

17 Scope of the problem RSA case detailed Page Palo Alto Networks Slide 17

18 Baiting the user: content obfuscation

19 Content obfuscation Definition (Wikipedia): In software development, obfuscated code is the deliberate act of making source or machine code difficult to understand by humans. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code. Page Palo Alto Networks Slide 19

20 Content obfuscation Target: Deceive the user so that it will click over a URL or malicious file which doesn t look malicious. Evade pattern matching detection systems for malicious code. Actions: Build URLs that don t appear to be malign to the end user, using different mechanisms. Hide real file extensions, using others considered to be benign. Modify the Javascript code to make it unreadable, as an obfuscation tactic to evade pattern matching detection systems. Page Palo Alto Networks Slide 20

21 URLs obfuscation Use of strings that look good over IPs instead of names: Use of symbol. Everything on the left side is not used (detected by most modern browsers): Use of lengthy strings so that they don t fit in the browser address bar. URL coding using hex, dword or octal: ( Page Palo Alto Networks Slide 21

22 URLs obfuscation Use of similar domains, but not valid, hidden under false tags. (note the real link and the one that the attacker is trying to simulate Image mapping with malicious URLs. As soon as the victim clicks anywhere on the image is redirected to a false page, usually similar to the real one. Let s see an example with the following html code and its result: Page Palo Alto Networks Slide 22

23 Hiding of real file extensions The tactic is known since 2007 but it s now when a lot of activity has been detected in malware (starting specially in 2011). It s based upon the support that Unicode offers to multiple languages, include those where writing is done from right to left (like arabic or hebrew). Unicode has a variety of RTL (Right To Left) and LTR codes (Left To Right) so that after them the content is reversed. Furthermore the codes are invisible. All versions of Windows, starting with Vista, are vulnerable by default. Older versions require the installation of support for RTL languages. Page Palo Alto Networks Slide 23

24 Hiding of real file extensions: Example First we select the character U+202E with the Windows character map tool (RTL Right To Left): Page Palo Alto Networks Slide 24

25 Hiding of real file extensions: Example After we rename the file chosing the right name. In our example we will rename notepad.exe as notepad[u+202e]cod.exe : Note that in the Windows CLI the file is properly displayed, including a? character, representing the RTL one. Page Palo Alto Networks Slide 25

26 Hiding of real file extensions: Example On the other hand, and via the file explorer, the change works (modifying the icon would be trivial as well): These tecniques could be valid also for addresses or URLs, depending on the client program that the end user is utilizing. Page Palo Alto Networks Slide 26

27 Hiding of real file extensions: Example It s of course possible playing with more complex names, i.e.: [RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe, that will be displayed as nc1.executivesummary.doc in the Windows file explorer. Other O.S. like Ubuntu or MAC are also able to interpret RTL characters: Page Palo Alto Networks Slide 27

28 Searching for lambs: Scanning and abusing LFI & RFI

29 RFI Remote File Inclusion Definition (Wikipedia): Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to: Code execution on the web server Code execution on the client-side such as JavaScript... Denial of Service (DoS) Data Theft/Manipulation. Page Palo Alto Networks Slide 29

30 LFI & RFI attacks Target: Inject some local file in a server where we are not administrators (LFI), or doing it via a redirection to a remote one (RFI), with the goal of using it later as a landing site. Actions: Use LFI/RFI scanners. Search sites by hand. The sites built up using PHP are usually good candidates. Of course it s possible to use alternative tactics to LFI/RFI in order to get the control of the server (for instance all the ones that we reviewed in the event of web attacks). This is just another example on this area. Page Palo Alto Networks Slide 30

31 LFI+RFI: An example of PHP vulnerable code <html> <head> <title>vulnerable a LFI y RFI</title> </head> <body> <h1>bienvenido a este sitio</h1> <?php $Pagina = isset($_get[ Pagina'])? $_GET[ Pagina'] : 'index.html';?> <p>est&aacutes viendo la p&aacutegina: <?php echo"<a href='$pagina'>$pagina</a>";?></p> <?php include($pagina);?> </body> </html> Page Palo Alto Networks

32 Exploiting LFI vulnerabilities The page will read the file index.html if it doesn t receive any parameter over $pagina. Let s try now to inject another page into the system, creating a kind of Directory Traversal attack: Page Palo Alto Networks

33 Shell injection via RFI It s possible to exploit RFI vulnerabilities to get, among other stuff, a shell on the exploited server itself (this way we get a site that we can still use later to inject malware, for instance). For this purpose you can use shells encoded with html. There are many available with different features: b374k, c99, r57, locus, c100, All we need to do is exploit the same vulnerability, but as an RFI (Remote File Inclusion), including in the vulnerable parameter the path to a webshell code in another server. For instance: Page Palo Alto Networks

34 Exploiting RFI vulnerabilities - WebShell execution (locus) Page Palo Alto Networks

35 Exploiting RFI vulnerabilities - Getting a back shell Now we have many resources at our disposal. Each webshell offers its own integrated suite of tools. With locus we can for example get access to the system via CLI, through a reverse or back shell For this purpose we will use netcat in the attacker PC, listening in a TCP port where we will get the backshell. In this example we will use 6666: Then we launch the back connect in locus and we check what s going on in netcat Bingo!!! Now we could for instance try a privilege escalation, install a rootkit (later on in this PPT, in the client side),... Page Palo Alto Networks

36 Summary: Global flow The victim visits the URL and the drive-by download executes Hop Point Victim The victim downloads and installs the malware and becomes a part of the botnet The victim visits the site and is redirected to the malicious URL Popular websites(landing Site) Malware repository Attacker (y C&C) The attacker injects the URL, in a legitimate site preferably, under his control Page Palo Alto Networks

37 Countermeasures: Next Generation Firewall

38 Applications Get Through the Firewall Both internal and external applications are accessible through traditional firewalls... Page Palo Alto Networks.

39 Applications Get Through the Firewall and can carry inbound threats Page Palo Alto Networks.

40 Applications Get Through the Firewall and outbound risks Page Palo Alto Networks.

41 Applications Get Through the Firewall and are increasingly encrypted Page Palo Alto Networks.

42 Requirementes for a NGFW New requirements for the FW Identify the application Identify the users Scan the application Granular control and visibility Multi-Giga performance Page Palo Alto Networks.

43 Why Visibility & Control Must Be In The Firewall Application Control as an Add-on Traffic Firewall Port IPS Port-based FW + App Ctrl (IPS) = two policies Applications are threats; only block what you expressly look for Applications Implications Port Policy Decision App Ctrl Policy Decision Network access decision is made with no information Cannot safely enable applications NGFW Application Control Application control is in the firewall = single policy Visibility across all ports, for all traffic, all the time Implications Network access decision is made based on application identity Safely enable application usage Traffic Firewall Applications App Ctrl Policy Decision Application IPS Scan Application for Threats Page Palo Alto Networks.

44 Fighting Malware in the Cloud

45 The attacker has many opportunities Time needed to capture the first sample in the wild Time needed to create and verify the malware signature Total exposure time Time needed for updating the virus definitions With traditional signatures you can need weeks until the users are protected Page Palo Alto Networks.

46 Evolving Threats Require Intelligent Solutions An effective modern malware solution must provide: Visibility See files in all applications, protocols, and ports at all times See files inside SSL, compression, and encoding Visibility into mobile devices and users Detection & Reaction Sandbox-based behavioral analysis of new unknown files Rapid alerting of malware discovered on the network Complete forensics report of the activity of the malware Enforcement Automatic updates of signatures to block threats at the firewall True in-line blocking of infecting files and C&C traffic Stream-based malware blocking to preserve performance Page Palo Alto Networks.

47 Fighting Malware in the Cloud Centralized malware analysis in the cloud provides key advantages over on-premises solutions: All signatures are rapidly shared with devices globally No need to reprocess files already seen by other customer networks Rapid updating of detection logic (countering VM-aware malware) Cloud safely enables internet access to samples during analysis period No additional on-premises hardware required Page Palo Alto Networks. Proprietary and Confidential.

48 Architecture Uses two main technologies Virtual sandbox environment Malware signature generator Page Palo Alto Networks. Proprietary and Confidential.

49 Cloud Architecture File Submission Comparer Virtual Test Environment Cloud Automated Signature Generator Admin Web Portal Files Signatures Page Palo Alto Networks.

50 The Power of Combining Malware Protection and Application Control

51 Today s Focus: Evasive Traffic in Malware 1. Send malware or C2 traffic over commonly open ports - Use existing protocols in unexpected ways - Develop custom protocols that meet a specific need of the attacker 2. Use standard protocols over nonstandard ports to avoid signatures signatures Port 80 Port HTTP

52 Application Control for Malware Analysis Full stack visibility into all traffic Decodes and identifies traffic regardless of port or evasion Progressive analysis Decodes tunneled protocols and communications Identifies evasive techniques Encryption, proxies, anonymizers, circumventors Shows non-compliant or unknown traffic Not identified by decoders, signatures or heuristics

53 Evasive Traffic Observed in Malware Newly Detected Malware in Live Networks (April 2012) - Use of non-standard ports, dynamic DNS, use of proxies and custom traffic were most common techniques 16,497 Newly Discovered Malware Samples 66% 80% 59% Undetected by traditional AV vendors 13,256 samples generated Internet traffic Of those samples, 7,918 generated evasive traffic

54 Common Evasive Behaviors in Malware Surprisingly little use of IRC short h p headers unknown traffic ddns, fas lux domain fake h p nonstandard h p port irc on regular port irc on nonstandard port samples

55 Unknown traffic was both the most common and the most evasive x x samples (23%) generated unknown traffic or fake HTTP x x 2.3x 1.5x 3.0x 0 short h p headers unknown traffic ddns, fas lux domain fake h p nonstandard h p port irc on regular port irc on nonstandard port number of sessions number of samples

56 Opportunity to Manage the Unknowns Unknown traffic is found in significantly high rates in malware as opposed to valid network traffic 11% of malware sessions presented as unknown 0.6% of sessions of enterprise network traffic presents as unknown Based on data from Application Usage and Risk Report based on thousands of networks. Enterprises can progressively reduce the amount of unknown traffic Create custom App-IDs for internally developed or custom applications Shifts the odds in favor of IT over time Page 56

57 An Integrated Approach to Threat Prevention Applications Sources Known Threats Unknown Threats Visibility and control of all traffic, across all ports, all the time Control traffic sources and destinations based on risk Stop exploits, malware, spying tools, and dangerous files Automatically identify and block new and evolving threats R e d u c i n g R i s k Reduce the attack surface Control the threat vector Control the methods that threats use to hide Sites known to host malware Find traffic to command and control servers SSL decrypt high-risk sites Integrated threat prevention across exploits and malware Stream-based anti-malware based Control threats across any port Behavioral analysis of unknown files Visibility and automated management of unknown traffic Anomalous behaviors Page Palo Alto Networks.

58 References

59 References (some ) [1] OWASP Malicious file execution : [2] lionaneesh Understanding LFI & RFI attacks : [3] Pudja Mansyurin Web Shell (B374k, C99, R57) : r57.html [4] Wayne Huang Drivesploit: Circumventing Automated Detection of Browser Exploits (BlackHat USA 2010) [5] ESET Drive-by-Download: infección a través de sitios web [6] Microsoft Security Intelligence Report Volume 12 : [7] Lenguaje de programación AutoIT: Page Palo Alto Networks Slide 59

60 References (some ) [8] Satyamhax Practical RTLO Unicode Spoofing! : [9] BreakingPoint Javascript obfuscations : [10] F-Secure How we found the file that was used to hack RSA : [11] Wikipedia (Varios) [12] Symantec Zeus: King of crimeware toolkits : [13] Poison Ivy Remote Administration Tool : [14] Metasploit Penetration Testing Software : Page Palo Alto Networks Slide 60

61 Thanks for your attention!