Barrier1
www.thebarriergroup.com
$5B - $20B Spent and you are NOT Secure
Network Security Must Cover Both
Espionage
– The act or practice of spying or of using spies to obtain secret information, as about another government or a business competitor.
Sabotage
– The deliberate destruction, disruption, or damage of equipment, a public service, etc., as by enemy agents, dissatisfied employees, etc.
– Any similar action or behavior
Very Little Difference Other than the Platform
The process is the same; the targets might be different
– Zero-Day Virus Targets Control Systems?
– Control System Malware
– Social Media Malware
Fundamentals Have NOT Changed
The Only Secure Process
– Inspect All 7 OSI Layers
– Inspect All Traffic and Traffic Types
– Analyze activities in Total via Intelligence
– React in Real Time
Fundamental Process for Exploiters/Cyber Criminals
1. Reconnaissance & Knowledge of Enterprise (all platforms and infrastructure)
2. Initial Intrusion into the Network - Social Engineering
3. Establish a Backdoor into the Network
4. Obtain User Credentials
5. Install Hacking Utilities
6. Privilege Escalation - Lateral Movement - Data Exfiltration
7. Maintain Presence (Persistence) or Cleanup and Exit
Myths
I will check my logs and change rules
I am protected with a Firewall
– Does not inspect traffic, i.e. not all HTTP requests are valid but they are accepted
I am protected with IDS/IDP
– Protects against signatures of known attacks
– Barrier1 does detect anomalies in data traffic
I am protected with Encryption
– VPN Encryption only protects data while in transport
– Stored Data
My Anti Virus is up to date
My OS is patched Regularly
Defense in Depth means a box for each
Deep Packet Inspection is not well defined
Can Anyone tell me where the Virus is?
Name This Attack
How Does it Work
– Program exploits a Microsoft Vulnerability: MS08-067 Server Service Patch
– Uses a crafted RPC request
– Checks for Windows Version and Disables:
  – Windows Auto Update Features
  – Windows Security Center
  – Windows Defender
  – Windows Error Reporting
– Spreads over LAN, USB Memory Sticks, PC; it copies itself into the ADMIN$\system32 folder
– 297 Subroutines
– Propagated as a DLL
– Sends UPnP Message to open local random high-order ports (back door)
– Will create a variant of an HTTP server and opens a random port 1024-10,000
– PCs are turned into drones on a Botnet programmed to seek updates through a list of domains
– 7750 Domains on the list; ½ are active (3861-3889)
– Resolve to only 42 unique IPs
– 28 domains, most up for sale by registrar
– Goes out to a site for its external facing IP address
– Searches in blocks of 250 domain names
  – Operating Systems can handle only 256 requests at one time
– Goes to sleep but checks every 30 sec
– Using the same UTC clock, everyone converges on the registered domains at the exact same time and asks if an executable is available.
– Sends URL request to port 80; a Windows binary is returned and validated with a locally stored public key
– If not connected it will try every 60 secs.
– Obtains a second list of names on the user account using a series of weak passwords
There are always clues or signals before the attack
APT is no different
Headlines in Wired Magazine
Google Hack Attack Was Ultra Sophisticated, New Details Show
By Kim Zetter, Jan. 14, 2010
Categories: Breaches, Cybersecurity, Hacks and Cracks
Hackers seeking source code from Google, Adobe, Rackspace, Juniper, and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer
What are Advanced Persistent Threats
Wikipedia definition
– usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]
Translated: Long Term sophisticated attacks
– Example:
Other versions of an APT
Stuxnet
– designed to sabotage an industrial control system
– 100 kb
Flame
– a universal attacking tool kit used mostly for cyber espionage
– 20 Megs in size
– It can record audio if a microphone is present
– It can do screen captures and transmit visual data.
– It can steal information from input boxes when it is hidden behind asterisks (password fields)
Nitro
Night Dragon
– methodical and progressive intrusions into the targeted infrastructure.
– Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution
– Compromised web servers used as command and control (C&C) servers
– Using the RAT malware, they proceeded to connect to other machines
Duqu
– "Duqu is essentially the precursor to a future Stuxnet-like attack."
– Designed to gain remote access capabilities.
– Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)
APT will Force IT to Rethink Security
APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in networks in which the targeted, victimized organization had spent millions of dollars investing in technology.
Not Much Different than Blended Threats
Blended Threats vs Conficker vs Stuxnet vs APT
– Blended Threat was the first generation
– Then Polymorphic Attacks
– APT is stealthier
Originated in the Air Force but now has gone mainstream
Victims include large, medium, and small organizations, including Google
But as IT security vendors take up APT, it turns out not everyone uses it the same way
Source: Network World, Ellen Messmer, editor, 2-01-2012
Basics of APTs
Advanced
– Attackers have a full suite of intelligence gathering tools to go after their target
– Combine multiple target methods
Persistent
– Slow and low approach to gathering information about their attack subject
– Constant Monitoring
Threat
– Individuals that carry these attacks out are very skilled, motivated, organized and have a specific objective
Timeline
APT Termed an Entire Threat Class
Threat Classes
– Insider Fraud
– Industrial espionage
– Hacktivism
Threat Vehicles
– Drive-by-Malware
– RAT (remote access tool)
– Rootkits
– DDoS
– Keylogger
– Modifications - File and/or Registry
General Operation turned Against you
– ARP requests
– Portable Executables
– Injected Threads, i.e. into the running process of explorer.exe
Other Aspects
– Malware
– Bot
– Backdoor
– C&C: 8 different communication methods
Malware makes up part of the APT
You are being targeted right now
Over 100,000 Malware samples are automatically sent out each day
Anti-Virus is not designed to stop Malware
– Malware is a human issue
– Malware is not released until it gets PAST AV tools
– By the time vectors are hardened, Malware has mutated
Anatomy of an APT
Reconnaissance
– Attacker gains foothold on victim system
– Opens a shell prompt to see if the system is mapped to a network drive
– Victim system is connected to the network drive, prompting attacker to initiate a port scan
– Attacker will thereby identify available ports running services on other systems
– AV Databases, OS, Apps
– Attacker moves to targeting VIP
Anatomy
Moving in
Entry
– Phishing email with attachment
Dropper
– Files placed (msvcr.dll)
– Key functions identified; subroutines are renamed – Win32/COSWid
– Gets Code Value from PNG File (uses compression)
– Can be packaged in HTML files
System Check (dg003.exe)
– Checks to see if it is a command prompt
– Then checks which AV programs are running and from whom
– Enumerates the registry key at "Software\Microsoft\Windows\CurrentVersion"
– Creates another file name
– Marks its spot or presence
– This came from ZeuS
Anatomy
Now inside
Changes MAC time of newly created file
Debugging Process
– Patches for injecting msvcr.dll into explorer.exe
– Memory address redirected: value "60 03" in explorer.exe changed to "B8 0E"
– Generates a debugger message and then terminates itself
– Goal is changing file names but keeping the names close so as not to be noticed, and then creating a mutex (mutual exclusion object)
Resolving DNS names
– Injected "msvcr.dll" resolves
– Attempts to connect to a non-routable IP address
– Runs a loop and waits for instructions
Anatomy
Various Roles
C&C Role
– Collects hard disk information
– Msvcr.dll jumps into function at 0x1000BB10 to 0x10001E9A
– Calls APIs: GetLogicalDrives, GetDriveTypeA, GetDiskFreeSpaceExA
– Script is written to decrypt
– "msvcr.dll" sends standard HTTP request with machine ID and receives standard HTTP response
– Sends collected information through encrypted HTTP traffic to C&C
– New binaries are downloaded and injected
– Only selected files are uploaded
– Files with extensions of *.dll and
Anatomy
Trojan Use in APT
Trojan Used for
– Collection of email Passwords
  – Extracts information from SAM file and generates a temp. file with prefix of "SAM"
  – All passwords are written to temporary files, compressed and renamed
  – Before termination this process's files are renamed: "avcwin32.exe" to "svcwin32.exe"
– Capturing Screens
  – "aacvcwin32.exe" screen captures in bitmap format every 1000 milliseconds
  – Screens are compressed and renamed with extension of "*.v2"
– Collection of File System Details
  – Scans all hard disks, CDROM and Floppy diskette
  – File names and MAC time
  – Collected information is kept inside a file called "drive", compressed and injected into "msvcr.dll"
DNS Role
– Scalability
– Virtual Host Support
– Evasion of Common Blacklist
Where is myhacked.site.com?
After searching it is located: 173.173.173.172
Then cached for future inquiries
Lifecycle
Malicious Mail with infected attachment or link
RAT Installation (remote access tool or remote administration tool)
– User opens infected attachment
– User follows the link and malicious software is installed
– Outbound perceived to be less hazardous
– Example: POISONIVY
RAT Control
– RAT communicates with C&C Server for orders
Information Gathering
– Compromised host used as a hop
– Attacker sweeps the Internal networks
Types of Communications Protocol (C&C) in APTs
– Lurk
– X-Shell C601 Communications
– Cookie Stealing
– Murcy Communications
– Oscar Protocol
– BB Protocol
– DB Protocol
– QDigit Protocol
– Name Servers
How X-Shell C601 works
– X-Shell RAT is commercial software
– Compromised computers communicated with "path.alyac.org" on port 443
– This is not SSL traffic
– It was a command-line based Remote Administration Tool (RAT)
– C indicates it was not a free version but custom
– At byte 288 the name listed is "svchost.exe"
– System registry was compromised; the RAT executes as a service under the trusted process "svchost.exe"
– Functionality depends on the version, release, etc.
Common Functionality
– Start a command shell
– Control processes and services, upload/download files
– Terminate TCP connections
– Create user accounts
– Retrieve system information
– Log user activity (via keylogger)
– Modify timestamps on files
– Conduct process injection
– Conduct DDoS
X-Shell continued
RAT Awareness
– VM
– Proxy
– Can use a specified DNS server to resolve callback domains
– Some have rootkit functionality and avoid detection by antivirus software
– 3rd party plugins can be developed and integrated
– Encrypted file search
– SMS notification service
– Used as a part of a botnet to send spam or DDoS
RAT and Malware are generated by a Control Program
– Options to digitally sign the malware, specify its connection mode, install malware, recover the System Service Dispatch Table before installation, and abort installation if a VM is detected
– When X-Shell malware is generated the connect mode is selected; the malware is configured with a static C2 host and control port
– During generation, the malware can be told of a new C2 host and port via a configuration webpage
– Malware communicates with a webpage and a C2 server at regular intervals between 30-3600 seconds
How it Works
Lurk Protocol
Uses TCP port 80 via the Lurk Protocol
– 15-byte header followed by compressed data
– Header contained Protocol identifier, size, and compression information
– Decompressed data revealed Name, Computer Specifications, and OS of the compromised Computer
Domain windowupdate.org pointed to a S. Korea IP address
Malware used to send communication to "office.windowupdate.org" was signed using a compromised code signing certificate belonging to YNK Japan Inc., a producer of on line games.
This same certificate has been used in attacks including Hupigon malware
Compromised code signing certificate was revoked on July 29, 2011; the revocation was not active before July 29, 2011.
Anatomy
Summary and Review
Dropper
– "dg003.exe"
Droppee
– "msvcr.dll"
Trojan-Spies
– "fvcwin32.exe"
– "acvcwin32.exe"
– "avcwin32.exe"
Uses a large number of Windows API calls to reduce its size
Encrypted HTTP traffic to transmit collected information back to the C&C
Emails used for reconnaissance
Then send spear-phishing email
How did SK Communications get Hacked?
Communication
– Malware programmed to communicate with several "Callback" Domains
– DNS was used for directions to the callback domain
– DNS gives out the callback domain and IP location
– Malware communicates with the C2 server located at x.x.x.x to obtain C2 instructions or to send a response
– C2 server provides additional instructions to the malware
– Callback location was registered (for 1 yr) but very close to a legitimate company
– The 1 yr. registration was not renewed
– "Office.windowupdate.org" vs "windowupdate.org"
– The adm. address and contact information listed in the DNS records is identical to that listed for the legitimate Microsoft domain
– 8 different types of C2 communications were observed to "alyac.org" subdomains
– Communications included Update information
How to Catch Such an Attack
– Unrecognized or never before seen traffic type on Port 80
– Web Content Filter updates all domains on a 24 hr. basis
– Average size 121.85
– File Names: Svchost.ext, Lexplore.exe, Iprinp.kll, Wiinzf21.dll
– Domains do not match up
– Outbound traffic to a S. Korean IP address was not authorized
– Windowupdate.org and alyac.org were resolving with the same IP address
– Avoids: Outbound HTTP, Persistence
– Outbound uses TCP port 80 and 443
  – Several use other ports and mutate
– IDS would identify unknown patterns
– Web Content Filtering and AARE would identify
– Intelligent Algorithms would have identified, captured, and blocked
– Geo Location: source from Shaoxing, China, but botnets in Illinois, Texas, Taiwan
– If any of these would mutate, the AARE engine and analytics would have identified, captured, and blocked them
– Honeypot detects and learns from entrance attempts
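The three network signs this deck keeps returning to (X-Shell on port 443 that "is not SSL traffic", Lurk's binary header on port 80, and two callback domains resolving to one IP) can be checked mechanically. The script below is an added example, not Barrier1's code or anything from the slides; the flows and DNS answers it inspects are constructed, and the TLS check relies only on the public TLS record format (handshake type 0x16, version byte 0x03).

```python
"""Added detection example (not from the deck or Barrier1): checks for the
three network signs the slides list. Sample flows and DNS answers are constructed."""
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def looks_like_http(first_bytes):
    """A client's first bytes on port 80 should be an HTTP request line."""
    return first_bytes.startswith(HTTP_METHODS)

def looks_like_tls(first_bytes):
    """A TLS/SSL session opens with a handshake record: content type 0x16,
    then the major version byte 0x03. The deck's X-Shell traffic on 443 did not."""
    return len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03

def flag_flow(dst_port, first_bytes):
    """Return why a flow is suspicious, or None if it matches its port's protocol."""
    if dst_port == 443 and not looks_like_tls(first_bytes):
        return "non-TLS traffic on 443"
    if dst_port == 80 and not looks_like_http(first_bytes):
        return "non-HTTP traffic on 80"
    return None

def shared_ip_domains(resolutions):
    """Group resolved names by IP; names that share one IP (as windowupdate.org
    and alyac.org did in the deck) are returned for analyst review."""
    by_ip = defaultdict(set)
    for name, ip in resolutions:
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}

# Constructed samples: (destination port, first payload bytes of the client's flow).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xf4\x01"),                # genuine TLS ClientHello record header
    (443, b"HELLO svchost.exe\x00"),                    # constructed cleartext RAT-style chatter
    (80, b"GET / HTTP/1.1\r\nHost: www.example\r\n"),   # ordinary HTTP request
    (80, bytes(range(15)) + b"\x78\x9c"),                # 15-byte binary header, then zlib data
]
# Constructed DNS answers using RFC 5737 documentation addresses.
SAMPLE_RESOLUTIONS = [
    ("www.example", "198.51.100.10"),
    ("windowupdate.org", "203.0.113.7"),
    ("alyac.org", "203.0.113.7"),
]

def run(flows=SAMPLE_FLOWS, resolutions=SAMPLE_RESOLUTIONS):
    """Apply both checks; returns (flow alerts, IPs shared by several names)."""
    alerts = [(port, flag_flow(port, b)) for port, b in flows if flag_flow(port, b)]
    return alerts, shared_ip_domains(resolutions)

if __name__ == "__main__":
    print(run())
```

A real deployment would feed `flag_flow` from a sensor's first-packet payload and `shared_ip_domains` from passive DNS, then correlate the hits with the geo and authorization checks the slide lists.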
How Intelligence Catches Such an Attack (Barrier1)
Global Identification of malicious domains
– Look at DNS queries and Responses
Network Baselining
Network Behavior Analysis
Requestor Diversity
– Are these machines local, or do they have diversity?
Requestor Profile
– Is it from an ISP, a Small Business Machine, or a Stand Alone PC?
– Human lookups have a different diurnal distribution than Malware lookups
Resolved IP address reputation
# of Requestor IPs per CIDR
Layered Algorithms
– Rule Set, Network Behavioral Analysis, and Layered Algorithms
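Three of the heuristics above (requestor diversity, requestor IPs per CIDR, and the diurnal distribution of lookups) can be scored from a plain DNS query log. The script below is an added example, not Barrier1's engine; the log lines are constructed, the /24 grouping and the 00:00-05:59 "night" window are assumptions chosen for illustration, and the thresholds are placeholders an analyst would tune against their own baseline.

```python
"""Added example (not Barrier1's code): rank queried names by who asks for them
and when, following the deck's DNS heuristics. Log entries are constructed."""
from collections import defaultdict
from ipaddress import ip_network

def cidr24(ip):
    """Collapse a requestor IP to its /24 so requestors per CIDR can be counted."""
    return str(ip_network(f"{ip}/24", strict=False))

def collect(log):
    """Per queried name: distinct requestors, requestors grouped by /24, lookups per hour."""
    stats = {}
    for hour, src, name in log:
        s = stats.setdefault(name, {"requestors": set(), "per_cidr": defaultdict(set), "hours": [0] * 24})
        s["requestors"].add(src)
        s["per_cidr"][cidr24(src)].add(src)
        s["hours"][hour] += 1
    return stats

def night_fraction(hours):
    """Share of lookups made 00:00-05:59 local time; beacons ignore office hours."""
    total = sum(hours)
    return sum(hours[:6]) / total if total else 0.0

def assess(name, s, night_limit=0.3, cluster_min=3):
    """Return the reasons a name looks like a callback domain (empty list = nothing odd)."""
    reasons = []
    cidrs = s["per_cidr"]
    largest = max(len(ips) for ips in cidrs.values())
    if len(cidrs) == 1 and largest >= cluster_min:
        reasons.append(f"{largest} requestors, all inside {next(iter(cidrs))}: no requestor diversity")
    nf = night_fraction(s["hours"])
    if nf >= night_limit:
        reasons.append(f"{nf:.0%} of lookups at night: not a human diurnal pattern")
    return reasons

# Constructed log: (hour of day, requestor IP, queried name), RFC 5737 addresses.
# A popular legitimate name is asked for by many /24s during the day; the callback
# name is asked for by a cluster of hosts in one /24 around the clock.
SAMPLE_LOG = (
    [(h, f"203.0.113.{i}", "www.legit.example") for i in range(1, 6) for h in (9, 11, 14, 16)]
    + [(h, f"198.51.100.{i}", "www.legit.example") for i in range(1, 4) for h in (10, 15)]
    + [(h, f"192.0.2.{i}", "office.windowupdate.org") for i in range(10, 14) for h in (1, 3, 5, 13, 21)]
)

def run(log=SAMPLE_LOG):
    """Map each queried name to its list of suspicion reasons."""
    return {name: assess(name, s) for name, s in collect(log).items()}

if __name__ == "__main__":
    for name, reasons in run().items():
        print(name, reasons or ["ok"])
```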
Operation Aurora
Targeted APT
–
– Juniper
– Adobe
– Rackspace
– Grumman
SCM (software configuration management) not locked down
Anatomy
– Once infected, masked SSL to C&C located in Texas, Illinois, Taiwan
– Included compromised customers of Rackspace