BARRIER1 www.thebarriergroup.com
$5 - $20 Spent and you are NOT Secure
Network Security Must Cover Both
- Espionage: the act or practice of spying or of using spies to obtain secret information, as about another government or a business competitor.
- Sabotage: the deliberate destruction, disruption, or damage of equipment, a public service, etc., as by enemy agents, dissatisfied employees, etc.; any similar action or behavior.
Very Little Difference Other Than the Platform
- The process is the same; the targets might be different
- Zero-day virus targets: control systems? Control system malware; social media malware
Fundamentals Have NOT Changed - The Only Secure Process
- Inspect all 7 OSI layers
- Inspect all traffic and traffic types
- Analyze activities in total via intelligence
- React in real time
Fundamental Process for Exploiters/Cyber Criminals
1. Reconnaissance and knowledge of the enterprise (all platforms and infrastructure)
2. Initial intrusion into the network: social engineering
3. Establish a backdoor into the network
4. Obtain user credentials
5. Install hacking utilities
6. Privilege escalation, lateral movement, data exfiltration
7. Maintain presence (persistence) or clean up and exit
Myths
- I will check my logs and change rules
- I am protected with a firewall: a firewall does not inspect traffic, i.e. not all HTTP requests are valid, but they are accepted
- I am protected with IDS/IDP: it protects against signatures of known attacks (Barrier1 does detect anomalies in data traffic)
- I am protected with encryption/VPN: encryption only protects data while in transport, not stored data
- My anti-virus is up to date
- My OS is patched regularly
- Defense in depth means a box for each
- Deep packet inspection is not well defined
- I outsource my web site and use a cloud provider
Can Anyone tell me where the Virus is?
Name This Attack
Name This Attack - How Does It Work
- Program exploits a Microsoft vulnerability: MS08-067 (Server Service patch)
- Spreads over LAN, USB memory sticks, PC
- It copies itself into the ADMIN$\system32 folder
- 297 subroutines, propagated as a DLL
- PCs are turned into drones on a botnet
- Programmed to seek updates through a list of domains: 7750 domains on the list, ½ are active (3861-3889), resolving to only 42 unique IPs; 28 domains mostly up for sale by the registrar
- Obtains a second list of names on the user account using a series of weak passwords
- Uses a crafted RPC request
- Checks the Windows version and disables Windows Auto Update features: Windows Security Center, Windows Defender, Windows Error Reporting
- Sends a UPnP message to open local random high-order ports (back door)
- Will create a variant of an HTTP server and opens a random port 1024-10,000
- Goes out to a site for the external-facing IP address
- Searches in blocks of 250 domain names (operating systems can handle only 256 requests at one time)
- Goes to sleep but checks every 30 sec
- Using the same UTC clock, everyone converges on the registered domains at the exact same time and asks if an executable is available
- Sends a URL request on port 80; a Windows binary is returned and validated with a locally stored public key
- If not connected it will retry every 60 secs (HTTP request)
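The behaviour on the slide above (Conficker's; the deck names the worm on a later slide) leaves two traces a resolver log can show a defender: a host grinding through a block of generated names, almost all of which come back NXDOMAIN, and many hosts converging on one never-before-seen name in the same UTC minute. The script below is an added example, not code from the deck or from Barrier1; its log format, client addresses, domain names and thresholds are all constructed for illustration.

```python
"""Spot Conficker-style domain generation in DNS resolver logs.

Added example; not code from the Barrier Group deck. Log format,
addresses, names and thresholds are constructed for this example.
"""
import random
import string
from collections import defaultdict
from datetime import datetime, timedelta


def parse(log_text):
    """Constructed log format: '<ISO timestamp> <client ip> <qname> <rcode>'."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records


def nxdomain_bursts(records, window=timedelta(seconds=60), threshold=20):
    """Clients that receive at least `threshold` NXDOMAIN answers inside any
    `window`; returns {client: peak NXDOMAIN count seen in one window}."""
    per_client = defaultdict(list)
    for ts, client, _, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


def convergence(records, min_clients=3, known=frozenset()):
    """Names not in `known` that at least `min_clients` distinct clients
    query during the very minute in which the name is first seen."""
    first_minute = {}
    clients_in_minute = defaultdict(set)
    for ts, client, qname, _ in sorted(records):
        if qname in known:
            continue
        minute = ts.replace(second=0, microsecond=0)
        first_minute.setdefault(qname, minute)
        clients_in_minute[(qname, minute)].add(client)
    return {qname: len(clients)
            for (qname, minute), clients in clients_in_minute.items()
            if minute == first_minute[qname] and len(clients) >= min_clients}


def build_sample_log():
    """Constructed log: one browsing host, one host working through 30
    generated names in 30 seconds, and three hosts hitting one fresh name
    in the same minute."""
    rng = random.Random(2012)
    base = datetime(2012, 3, 1, 12, 0, 0)
    lines = ["2012-03-01T12:00:00 10.0.0.5 www.example.com NOERROR",
             "2012-03-01T12:00:07 10.0.0.5 mail.example.com NOERROR"]
    for i in range(30):
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 10.0.0.7 {name}.org NXDOMAIN")
    stamp = (base + timedelta(seconds=30)).isoformat()
    for host in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):
        lines.append(f"{stamp} {host} ckwbjtlr.info NOERROR")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("NXDOMAIN bursts:", nxdomain_bursts(recs))   # {'10.0.0.7': 30}
    print("convergence:", convergence(recs))           # {'ckwbjtlr.info': 3}
```

Both checks work on resolver logs alone, which is why the deck keeps returning to DNS: the NXDOMAIN burst needs no knowledge of the domain list, and the convergence check catches the shared-clock rendezvous even when the generated names are unknown, so long as a handful of infected hosts sit behind the same resolver.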
There are always clues or signals before the attack; APT is no different
Headlines in Wired Magazine
"Google Hack Attack Was Ultra Sophisticated, New Details Show", by Kim Zetter, Jan. 14, 2010. Categories: Breaches, Cybersecurity, Hacks and Cracks
Hackers seeking source code from Google, Adobe, Rackspace, Juniper, and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer.
What Are Advanced Persistent Threats
Wikipedia definition: usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]
Translated: long-term sophisticated attacks. Example: Stuxnet
Other Versions of an APT
- Stuxnet: designed to sabotage an industrial control system; 100 kb
- Flame: a universal attacking tool kit used mostly for cyber espionage
- Nitro: 20 Megs in size; it can record audio if a microphone is present, it can do screen captures and transmit visual data, and it can steal information from input boxes when they are hidden behind asterisks (password fields)
- Night Dragon: methodical and progressive intrusions into the targeted infrastructure; company extranet web servers compromised through SQL-injection techniques, allowing remote command execution; compromised web servers used as command and control (C&C) servers; using the RAT malware, they proceeded to connect to other machines
- Duqu: essentially the precursor to a future Stuxnet-like attack, designed to gain remote access capabilities; Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)
APT Will Force IT to Rethink Security
APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in networks on which the targeted, victimized organization had spent millions of dollars investing in technology.
Not Much Different Than Blended Threats
- Blended Threats vs Conficker vs Stuxnet vs APT
- Blended Threat was the first generation; APT is stealthier
- Originated in the Air Force but now has gone mainstream
- Victims include large, medium, and small organizations, including Google
- "But as IT security vendors take up APT, it turns out not everyone uses it the same way" (source: Network World, Ellen Messmer, editor, 2-01-2012)
- Then: polymorphic attacks
Basics of APTs
- Advanced: attackers have a full suite of intelligence-gathering tools to go after their target; they combine multiple target methods
- Persistent: slow and low approach to gathering information about their attack subject; constant monitoring
- Threat: individuals that carry these attacks out are very skilled, motivated, organized and have a specific objective
Timeline
APT Termed an Entire Threat Class
- Threat classes: insider fraud
- Threat vehicles: drive-by malware, industrial espionage, hacktivism, RAT (remote access tool), rootkits, DDoS, keylogger, modifications (file and/or registry)
- General operation turned against you: ARP requests, portable executables, injected threads (e.g. into the running explorer.exe process)
- Other aspects: malware, bot, backdoor, C&C (8 different communication methods)
Malware Makes Up Part of the APT
- You are being targeted right now
- Over 100,000+ malware samples are automatically sent out each day
- Anti-virus is not designed to stop malware
- Malware is a human issue
- Malware is not released until it gets PAST AV tools
- By the time vectors are hardened, the malware has mutated
Anatomy of an APT - Reconnaissance
- Attacker gains a foothold on the victim system
- Opens a shell prompt to see if the system is mapped to a network drive
- Victim system is connected to the network drive, prompting the attacker to initiate a port scan
- Attacker will thereby identify available ports and running services on other systems: AV databases, OS, apps
- Attacker moves on to targeting VIP victims
Anatomy - Moving In
- Entry: phishing email with attachment
- Dropper: files placed (msvcr.dll); key functions identified, subroutines are renamed (Win32/COSWid)
- Gets a code value from a PNG file (uses compression); can be packaged in HTML files
- System check (dg003.exe): checks to see if it is a command prompt, then checks which AV programs are running and from whom
- Enumerates the registry key at Software\Microsoft\Windows\CurrentVersion
- Creates another file name; marks its spot or presence
- This came from ZeuS
Anatomy - Now Inside
- Changes the MAC time of the newly created file
- Debugging process: patches for injecting msvcr.dll into explorer.exe
- Memory address redirected: volume 60 03 in explorer.exe to 8B 0E
- Generates a debugger message and then terminates itself
- Goal is changing file names while keeping the names close, so as not to be noticed, and then creating a mutex (mutual exclusion)
- Resolving DNS names: the injected msvcr.dll resolves and attempts to connect to a non-routable IP address
- Runs a loop and waits for instructions from the C&C
Anatomy - Various Roles (C&C Role)
- Collects hard disk information
- msvcr.dll jumps into the function at 0x100010 to 0x10001E9A
- Calls the APIs GetLogicalDrives, GetDriveTypeA, GetDiskFreeSpaceExA
- A script is written to decrypt msvcr.dll; it sends a standard HTTP request with the machine ID and receives a standard HTTP response
- Sends collected information through encrypted HTTP traffic to the C&C
- New binaries are downloaded and injected
- Only selected files are uploaded: files with the extensions *.dll and *.v2
Anatomy - Trojan Use in APT
- Trojan used for collection of email passwords: extracts information from the SAM file and generates a temp file with the prefix SAM; all passwords are written to temporary files, compressed and renamed; before termination, this process's files are renamed (avcwin32.exe to svcwin32.exe)
- Collection of file system details: scans all hard disks, CD-ROM and floppy diskettes for file names and MAC times; collected information is kept inside a file called "drive", compressed and injected into msvcr.dll
- Trojan used for capturing screens: aacvcwin32.exe takes screen captures in bitmap format every 1000 milliseconds; screens are compressed and renamed with the extension *.v2
DNS Role
- Scalability
- Virtual host support
- Evasion of common blacklists
- Where is myhacked.site.com? After searching it is located at 173.173.173.172, then cached for future inquiries
Lifecycle
- Malicious mail with an infected attachment or link
- RAT installation (remote access tool or remote administration tool): the user opens the infected attachment, or follows the link and malicious software is installed; outbound is perceived to be less hazardous. Example: POISONIVY RAT
- Control: the RAT communicates with the C&C server for orders
- Information gathering: the compromised host is used as a hop; the attacker sweeps the internal networks
Types of Communications Protocol (C&C) in APTs
- Lurk
- X-Shell C601 Communications
- Cookie Stealing
- Murcy Communications
- Oscar Protocol
- Protocol D
- Protocol QDigit
- Protocol Name Servers
How X-Shell C601 Works
- X-Shell RAT is commercial software
- Compromised computers communicated with path.alyac.org on port 443; this is not SSL traffic
- It was a command-line based Remote Administration Tool (RAT); "C" indicates it was not a free version but custom
- At byte 288 the name listed is svchost.exe
- The system registry was compromised; the RAT executes as a service by the trusted process svchost.exe
- Functionality depends on the version, release, etc. Common functionality: start a command shell; control processes and services; upload/download files; terminate TCP connections; create user accounts; retrieve system information; log user activity (via keylogger); modify timestamps on files; conduct process injection; conduct DDoS; shut down or restart the computer
X-Shell Continued
- RAT awareness: VM, proxy
- Can use a specified DNS server to resolve callback domains
- Some have rootkit functionality and avoid detection by antivirus software
- 3rd-party plugins can be developed and integrated: encrypted file search, SMS notification service
- Used as part of a botnet to send spam or DDoS
- The RAT and malware are generated by a control program, with options to digitally sign the malware, specify its connection mode, install the malware, recover the System Service Dispatch Table before installation, and abort installation if a VM is detected
- When X-Shell malware is generated the connect mode is selected: the malware is configured with a static C2 host and control port, or is set during generation to be notified of a new C2 host and port via a configuration webpage
- The malware communicates with a webpage and a C2 server at regular intervals between 30-3600 seconds
How It Works - Lurk Protocol
- Uses TCP port 80 via the Lurk Protocol: a 15-byte header followed by compressed data
- The header contained a protocol identifier, size, and compression information
- Decompressed data revealed the name, computer specifications, and OS of the compromised computer
- The domain windowpdate.org pointed to a S. Korean IP address
- Malware used to send communication to office.windowupdate.org was signed using a compromised code signing certificate belonging to YNK Japan Inc., a producer of online games; this same certificate has been used in attacks including the Hupigon malware
- The compromised code signing certificate was revoked on July 29, 2011; revocation was not active before July 29, 2011. THE CERTIFICATE continued to validate after the revocation
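The X-Shell and Lurk slides both describe C2 that borrows a well-known port without speaking that port's protocol: plaintext command traffic on 443, and a binary 15-byte header on 80. The cheapest network-side check is therefore whether the opening bytes of each flow match what the port implies, which is the "unrecognized traffic type on port 80" signal the deck's detection slide relies on. The classifier below is an added example, not code from the deck or from Barrier1. The HTTP and TLS byte layouts come from the public specifications; the flows, addresses and the "binary header" sample are constructed placeholders and are not the real Lurk or X-Shell formats.

```python
"""Flag port-80 / port-443 flows whose first bytes are not HTTP / TLS.

Added example, not code from the deck or from Barrier1. Sample flows,
addresses and the binary header below are constructed placeholders.
"""
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def looks_like_http(payload):
    # A request starts with a method token, a response with "HTTP/".
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")


def looks_like_tls(payload):
    # TLS record header: content type 0x16 (handshake), then a version of
    # 0x03 0x00 .. 0x03 0x03 (SSL 3.0 .. TLS 1.2; TLS 1.3 still puts 0x03 0x01
    # or 0x03 0x03 in the record layer), then a 2-byte length.
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03)


def classify_flow(dst_port, payload):
    """Verdict for the first client->server segment of a flow."""
    if dst_port == 80:
        return "http" if looks_like_http(payload) else "non-http-on-80"
    if dst_port == 443:
        return "tls" if looks_like_tls(payload) else "non-tls-on-443"
    return "other"


def audit(flows):
    """Return (src, dst, port, verdict) for every flow that misuses its port."""
    findings = []
    for src, dst, port, payload in flows:
        verdict = classify_flow(port, payload)
        if verdict.startswith("non-"):
            findings.append((src, dst, port, verdict))
    return findings


# Constructed flows: documentation address ranges, placeholder payloads.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "198.51.100.20", 443,
     bytes([0x16, 0x03, 0x01, 0x00, 0xc5, 0x01]) + b"\x00" * 20),  # start of a TLS ClientHello
    # placeholder 15-byte binary header followed by a compressed blob, on port 80
    ("10.0.0.7", "203.0.113.9", 80,
     b"\x4c\x4b\x01\x00\x00\x02\x10\x01" + b"\x00" * 7 + b"\x78\x9c\xcb\x48"),
    # plaintext beacon on port 443 (no SSL handshake)
    ("10.0.0.7", "203.0.113.9", 443, b"ID=WKSTN-07;OS=WinXP;VER=1\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

On a real sensor this check is applied to the first segment of each flow after reassembly; it says nothing about what a conforming HTTP or TLS flow carries, which is why the deck pairs it with DNS intelligence and destination reputation rather than relying on it alone.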
Anatomy Summary and Review
- Dropper: dg003.exe
- Droppee: msvcr.dll
- Trojan-spies: fvcwin32.exe, acvcwin32.exe, avcwin32.exe
- Uses a large number of Windows API calls to reduce its size
- Encrypted HTTP traffic to transmit collected information back to the C&C
- Emails used for reconnaissance, then sends spear-phishing email
How Did SK Communications Get Hacked?
- Communication: malware programmed to communicate with several callback domains; DNS was used for directions to the callback domain; DNS gives out the callback domain and IP location
- Malware communicates with the C2 server located at x.x.x.x to obtain C2 instructions or to send a response; the C2 server provides additional instructions to the malware
- The callback location was registered (for 1 yr) but very close to a legitimate company; the 1 yr registration was not renewed: office.windowupdate.org vs windowupdate.org
- The admin address and contact information listed in the DNS records is identical to that listed for the legitimate Microsoft domain
- 8 different types of C2 communications were observed to alyac.org subdomains; communications included update information
How to Catch Such an Attack
- Unrecognized or never-before-seen traffic type on port 80
- Web content filter updates all domains on a 24 hr basis; domains do not match up
- Outbound traffic to a S. Korean IP address was not authorized
- windowupdate.org and alyac.org were resolving to the same IP address
- IDS would identify unknown patterns
- Web content filtering and AARE would identify it
- Intelligence/algorithms would have identified, captured, and blocked it
- Geo-location to the C2 source: from Shaoxing, China, but botnets in Illinois, Texas, Taiwan
- If any of these were to mutate, the AARE engine and analytics would have caught it
- Honeypot detects and learns from entrance attempts
- Average size 121.85
- File names: Svchost.ext, Lexplore.exe, Iprinp.kll, Wiinzf21.dll
- Avoids outbound HTTP persistence: outbound uses TCP ports 80 and 443; several use other ports and mutate
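Two of the signals on the slide above are mechanical enough to script: names that sit one edit away from something trusted (office.windowupdate.org against the legitimate Microsoft domain on the SK Communications slide, and the file names Svchost.ext and Lexplore.exe listed here, like the avcwin32.exe / svcwin32.exe rename on the anatomy slides), and unrelated domains resolving to the same address (windowupdate.org and alyac.org sharing one IP). The code below is an added example, not the deck's or Barrier1's; the trusted lists, the resolution records and the IP addresses are constructed for illustration.

```python
"""Lookalike-name and shared-resolution checks over observed file and domain names.

Added example, not code from the deck or from Barrier1. Trusted lists,
resolutions and addresses are constructed.
"""
from collections import defaultdict


def edit_distance(a, b):
    """Levenshtein distance: insert, delete or substitute one character, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels of a name (adequate for .com/.org/.net in this example)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookalike_files(observed, trusted, max_distance=1):
    """(observed, trusted) pairs that differ but are within max_distance edits."""
    hits = []
    for name in (n.lower() for n in observed):
        for good in (g.lower() for g in trusted):
            if name != good and edit_distance(name, good) <= max_distance:
                hits.append((name, good))
    return hits


def lookalike_domains(observed, trusted, max_distance=1):
    """Observed names whose second-level label is within max_distance edits of
    a trusted domain's label while the registrable domain is different."""
    hits = []
    for domain in observed:
        label = registrable(domain).split(".")[0]
        for good in trusted:
            good_label = registrable(good).split(".")[0]
            if (registrable(domain) != registrable(good)
                    and edit_distance(label, good_label) <= max_distance):
                hits.append((domain, good))
    return hits


def shared_resolution(resolutions):
    """IPs that answer for more than one registrable domain: {ip: sorted domains}."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(registrable(domain))
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


# Constructed inputs: file names from the slide, domains from the SK Communications slide.
TRUSTED_FILES = ["svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe"]
OBSERVED_FILES = ["Svchost.ext", "Lexplore.exe", "Iprinp.kll", "Wiinzf21.dll", "svchost.exe"]
TRUSTED_DOMAINS = ["windowsupdate.com", "microsoft.com", "google.com"]
OBSERVED_DOMAINS = ["office.windowupdate.org", "path.alyac.org",
                    "www.google.com", "update.microsoft.com"]
RESOLUTIONS = [("office.windowupdate.org", "203.0.113.9"), ("path.alyac.org", "203.0.113.9"),
               ("www.google.com", "198.51.100.4"), ("update.microsoft.com", "198.51.100.8")]

if __name__ == "__main__":
    print(lookalike_files(OBSERVED_FILES, TRUSTED_FILES))
    print(lookalike_domains(OBSERVED_DOMAINS, TRUSTED_DOMAINS))
    print(shared_resolution(RESOLUTIONS))
```

The edit-distance threshold of 1 matches the examples on the page; raising it widens the net but starts pairing legitimate names with each other. Shared resolution is a weak signal on its own, since shared hosting and CDNs put many unrelated domains behind one address, which is why the slide pairs it with geo-location and the authorized-destination list.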
How Intelligence Catches Such an Attack (Barrier1)
- Global identification of malicious domains
- Look at DNS queries and responses
- Requestor diversity: are these machines local or do they have diversity?
- Requestor profile: is it from an ISP, a small business machine, a stand-alone PC? Human lookups have a different diurnal distribution than malware lookups
- Resolved IP address reputation
- Number of requestor IPs per CIDR
- Network baselining, network behavior analysis, layered algorithms
- Rule set, network behavioral analysis, and layered algorithms
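Two of the DNS-intelligence signals on the slide above can be computed straight from query logs: whether a requestor's lookups of a name look human (irregular gaps, clustered in working hours) or machine-like (a fixed interval running round the clock, as with the X-Shell beacon every 30-3600 seconds), and how diverse the requestors of a name are (distinct clients and distinct /24 networks). The script below is an added example and is not Barrier1's engine; the records, hosts, names and thresholds are constructed for illustration.

```python
"""Diurnal-profile and requestor-diversity checks over DNS query records.

Added example, not Barrier1's engine. Records, hosts, names and the
thresholds (max_cv, min_hours) are constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def interval_cv(times):
    """Coefficient of variation (stdev / mean) of the gaps between queries;
    near 0 means a fixed beacon interval. None if fewer than 3 queries."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def requestor_profiles(records, max_cv=0.1, min_hours=20):
    """Per (client, qname): query count, distinct hours of day seen, interval
    CV, and a machine_like verdict when the pattern is regular and runs
    through most of the day."""
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, qname)].append(ts)
    profiles = {}
    for key, times in by_pair.items():
        times.sort()
        cv = interval_cv(times)
        hours = len({t.hour for t in times})
        profiles[key] = {
            "queries": len(times),
            "hours_active": hours,
            "interval_cv": cv,
            "machine_like": cv is not None and cv < max_cv and hours >= min_hours,
        }
    return profiles


def requestor_diversity(records):
    """Per qname: (distinct client IPs, distinct /24 networks they sit in)."""
    clients = defaultdict(set)
    for _, client, qname in records:
        clients[qname].add(client)
    return {q: (len(ips), len({ip.rsplit(".", 1)[0] for ip in ips}))
            for q, ips in clients.items()}


def build_sample_records():
    """Constructed: one host beaconing every 600 s for a full day, one host
    browsing irregularly in office hours, one host in another /24."""
    day = datetime(2012, 3, 1)
    recs = [(day + timedelta(seconds=5 + 600 * i), "10.0.0.7", "path.alyac.org")
            for i in range(144)]
    for h, m, s in ((9, 2, 11), (9, 15, 40), (10, 47, 3), (11, 30, 55),
                    (13, 5, 17), (14, 12, 42), (16, 58, 9), (17, 40, 31)):
        recs.append((day.replace(hour=h, minute=m, second=s), "10.0.0.5", "www.example.com"))
    recs.append((day.replace(hour=12), "10.0.1.3", "www.example.com"))
    return recs


if __name__ == "__main__":
    recs = build_sample_records()
    for key, profile in requestor_profiles(recs).items():
        print(key, profile)
    print(requestor_diversity(recs))
```

A beacon that adds random jitter raises the CV, so the threshold has to be tuned against a baseline of the site's own traffic; the hours-active count is the more robust half of the verdict, because a workstation that resolves the same name in every hour of the night is unusual whatever the interval.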
Operation Aurora - Targeted APT
- Targets: Google, Juniper, Adobe, Rackspace, Grumman
- SCM (software configuration management) not locked down
- Anatomy: once infected, masked SSL to C&C located in Texas, Illinois, Taiwan; included compromised customers of Rackspace
- Shaoxing, China is the source of around 25% of the APT attacks
Conclusion
- APT is showing up beyond just the military
- APT mutates and already has several variants
- It takes more than just static stand-alone security components to identify and stop these attacks
- Barrier1 has identified and accurately blocked sophisticated attacks such as APT
BARRIER1 - Thank You - www.thebarriergroup.com