Executive Summary
APT Email Defense Platform and Android Market Apps Sanitization
Dr. Shiuhpyng Winston Shieh
IEEE Fellow & ACM Distinguished Scientist
IEEE Reliability Society Vice President Technical Activities, 2014 -
Director of Taiwan Information Security Center at NCTU (TWISC@NCTU)
Professor, CS Dept., NCTU

Executive Summary APT Email Defense Platform and Android ...download.icst.org.tw/attachfilearticles/APT Email... · Recent Attacks in Japan • “Cybersecurityin Japan: Key Issues


Page 1

Executive Summary

APT Email Defense Platform and Android Market Apps Sanitization
Dr. Shiuhpyng Winston Shieh
IEEE Fellow & ACM Distinguished Scientist
IEEE Reliability Society Vice President Technical Activities, 2014 -
Director of Taiwan Information Security Center at NCTU (TWISC@NCTU)
Professor, CS Dept., NCTU

Page 2

Outline

• A real APT (Advanced Persistent Threat) showcase
• APT email defense platform
  – mAnatomy
    • Email attachment extraction and containment system
    • Malware anatomy, detection and analysis Cloud with detonation chamber
    • CRAXapt: A New Exploitation and Post-Exploitation Framework for Generating APT Attacks
  – mTrace
    • Pathfinder: APT Potential Attack Path Finding System
    • dObserver: Abnormal DNS Traffic Detection System
  – DNSSEC-enabled webmail server

Page 3

Background:

• "Taiwan a 'testing ground' for Chinese cyber army" | Reuters (路透社), July 18, 2013, http://www.reuters.com/article/2013/07/19/net-us-taiwan-cyber-idUSBRE96H1C120130719

• Our government agencies are frequently hit by attacks of unknown origin. These "attacks targeting specific organizations and penetration attacks (APT)" follow no fixed pattern and are a new class of attack; commercial products such as antivirus software, firewalls and IDS (network intrusion detection systems) cannot defend against them effectively. The most common and hardest-to-stop APT attack today penetrates indirectly and step by step through email attachments from forged senders: a secondary organization is compromised first and then used to penetrate the primary target. This project therefore focuses on defending against APT attacks delivered by email.

Page 4

Recent Attacks in Japan

• “Cybersecurity in Japan: Key Issues and Recent Regulatory Developments,” Nir Kshetri, University of North Carolina at Greensboro (also a research fellow of Kobe University), submitted, IEEE Computer Magazine.

• Attacks on Mitsubishi Heavy Industries (50 types of viruses and malware found), IHI, Kawasaki

• Lower House Diet members' and secretaries' IDs and passwords were stolen – 480 lawmakers' documents and emails.

• According to the NPA, 90% of the accounts receiving fraudulent funds have Chinese names

Page 5

Current situation:

• The Executive Yuan has deployed email with identity authentication, but it cannot authenticate mail from local governments, the private sector or academic institutions, cannot read Gmail, and cannot analyze malicious attachments. Current antivirus software also cannot detect APT attachments.

Page 6

Goal:

• This project will develop new email malware forensics techniques and systems to complement (not replace) existing commercial products, for use in real operations.

Page 7

APT case study

Page 8

Social engineering

• The sender's real name and job title are correct

• The organization and contact details all genuinely exist

Page 9

Evading antivirus software

• The attachment is encrypted or compressed to evade antivirus scanning

• The attachment password is given in the message body, so antivirus scanners cannot easily decrypt it automatically for analysis

• The dropper itself contains no malicious behavior, so scanning it alone shows nothing

Page 10

Luring the user to open the file

• A disguised file name lures the user into opening it
  – the name is disguised as a PDF file
  – Windows treats the file as a screen saver (.scr), which is an ordinary executable
  – it is in fact an executable program
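As an added example (not code from the deck or from TWISC@NCTU), the tricks on this slide and the previous one (password-protected archive with the password in the body, a PE file named like a PDF, a .scr double extension) can be caught mechanically by an attachment extractor that trusts file signatures rather than names or declared MIME types. The message, sender, addresses and password below are constructed; the signature table, extension lists and password regex are the example's own assumptions, not the mAnatomy implementation.

```python
import email
import re
from email import policy

# Constructed sample message (not from the deck): a "PDF" that is really a
# Windows PE file with a double extension, plus an archive password quoted in
# the body. Sender name, addresses and password are invented.
SAMPLE_EML = b"""From: "Section Chief Chen" <chief@example-agency.gov.tw>
To: victim@example.gov.tw
Subject: Meeting minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Attached are the minutes. The archive password is: 2013q3
--b1
Content-Type: application/pdf; name="minutes.pdf.scr"
Content-Disposition: attachment; filename="minutes.pdf.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# File signatures identify the content independently of the file name (assumed table).
MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/OOXML",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)",
    b"Rar!": "RAR",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
ARCHIVE_TYPES = {"ZIP/OOXML", "RAR"}
# Matches "password is: 2013q3", "密碼：abc" and similar phrasings in the body.
PASSWORD_RE = re.compile(r"(?:password|passwd|密碼)\s*(?:is|為|是)?\s*[:：]?\s*(\S+)", re.I)


def sniff(data: bytes) -> str:
    """Type by magic bytes, never by extension or declared Content-Type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """'minutes.pdf.scr' -> ['.pdf', '.scr'], so double extensions stay visible."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(raw: bytes) -> dict:
    """Extract every attachment from a raw RFC 822 message and flag disguises."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    pw = PASSWORD_RE.search(text)
    report = {"password_in_body": pw.group(1) if pw else None, "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        exts = extensions(name)
        real = sniff(data)
        flags = []
        if len(exts) > 1 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
            flags.append("double extension " + "".join(exts[-2:]))
        if real == "PE executable":
            # .scr (screen saver) is an ordinary PE file; Windows runs it on double-click
            flags.append("PE executable content (extension %s)" % (exts[-1] if exts else "none"))
        declared = part.get_content_type()
        if declared == "application/pdf" and real != "PDF":
            flags.append("declared %s but content is %s" % (declared, real))
        if real in ARCHIVE_TYPES and report["password_in_body"]:
            flags.append("archive with password quoted in body (AV cannot scan inside)")
        report["attachments"].append({"name": name, "real_type": real, "flags": flags})
    report["verdict"] = "quarantine" if any(a["flags"] for a in report["attachments"]) else "pass"
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2, ensure_ascii=False))
```

A real extractor would also open archives with the recovered password and feed the inner files back through the same signature check, which is exactly the step a signature-only antivirus gateway skips.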

Page 11

Malware execution

• Registers itself to run automatically at boot
• Once running, it tries to connect to a remote server
  – the connection address belongs to 新世紀資通股份有限公司 (a Taiwanese network operator), suspected to be a relay hop

[Figure: autorun registration and location of the malicious program]

Page 12

Remote control and execution

• Creates a hidden file sonicedev.exe
• Keeps communicating with the remote server (dropper)
  – the traffic is encrypted, so ordinary IDS/IPS cannot analyze it

[Figure: encrypted messages]

Page 13

Extended attack – document-based malware

• Common document types into which attack code (shellcode) can be embedded:
  – PDF, e.g. CVE-2013-2730, CVE-2010-0188
  – PPT, e.g. CVE-2013-0077
  – DOC, e.g. CVE-2013-1331, CVE-2012-2539
  – EXCEL, e.g. CVE-2012-1885, CVE-2011-3403
  – MOV, e.g. CVE-2013-1017
  – AUDIO, e.g. OSVDB-75096
  – …

Page 14

Extended attack – malicious PDF documents

• Document-based malware can escape the application sandbox's permission controls and run arbitrary programs

• The attack exploits CVE-2010-0188
  – reversing the PDF reveals base64-encoded shellcode in the ImageField1 field
  – Adobe Reader has a buffer overflow when processing TIFF images, which lets the attacker execute arbitrary code

• The payload runs a backdoor and opens a decoy PDF
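The static check this slide implies (a base64 blob in an XFA field that decodes to a TIFF) is simple enough to automate. The following is an added example, not the deck's or TWISC's detector: it walks the PDF's stream objects, inflates FlateDecode streams, finds XML elements whose whole content is base64, and flags decoded TIFFs that contain a long run of one byte, the filler/sled shape typical of a shellcode carrier. The sample PDF and XFA packet are constructed here and carry no real exploit; the regexes and the 64-byte run threshold are assumptions.

```python
import base64
import re
import zlib

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# A PDF stream object: its dictionary (one level of nesting allowed) and body.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# An XML element whose entire content is a base64 run, e.g. <ImageField1 ...>AAAA...</ImageField1>
B64_FIELD_RE = re.compile(rb"<(\w+)[^>]*>([A-Za-z0-9+/=\r\n]{64,})</\1>")


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (a crude sled/filler detector)."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best


def decoded_streams(pdf: bytes):
    """Yield stream bodies, inflating FlateDecode streams; skip ones that do not inflate."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(2)
        if b"/FlateDecode" in m.group(1):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body


def scan_pdf(pdf: bytes) -> list:
    """Report every base64-valued XML field found in any stream, with TIFF/sled heuristics."""
    findings = []
    for stream in decoded_streams(pdf):
        for field, blob in B64_FIELD_RE.findall(stream):
            try:
                payload = base64.b64decode(re.sub(rb"\s", b"", blob))
            except ValueError:
                continue
            is_tiff = payload.startswith(TIFF_MAGICS)
            run = longest_run(payload)
            findings.append({
                "field": field.decode(),
                "type": "TIFF" if is_tiff else "other",
                "decoded_len": len(payload),
                "longest_run": run,
                # a TIFF inside an XFA image field with a long filler run is the CVE-2010-0188 shape
                "suspicious": is_tiff and run >= 64,
            })
    return findings


# Constructed sample: an XFA datasets packet whose ImageField1 holds a base64
# "TIFF" that is only a header followed by a 0x90 filler run (no real exploit).
FAKE_IMAGE = b"II*\x00\x08\x00\x00\x00" + b"\x90" * 200 + b"\xcc" * 16
SAMPLE_XFA = (
    b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"><xfa:data><form1>'
    b'<ImageField1 xfa:contentType="image/tif">' + base64.b64encode(FAKE_IMAGE) + b"</ImageField1>"
    b"</form1></xfa:data></xfa:datasets></xdp:xdp>"
)


def build_sample_pdf(xfa: bytes) -> bytes:
    """Minimal PDF wrapper placing the XFA packet in a FlateDecode stream (constructed)."""
    comp = zlib.compress(xfa)
    return (
        b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
        b"2 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + comp + b"\nendstream\nendobj\n%%EOF\n"
    )


if __name__ == "__main__":
    for f in scan_pdf(build_sample_pdf(SAMPLE_XFA)):
        print(f)
```

Real samples also use other filters (ASCIIHexDecode, LZW) and object streams, so a production scanner should decode those too; the point here is that the carrier is visible statically once the stream is inflated, even though the shellcode itself never runs.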

Page 15

Extended attack – system vulnerabilities

• Once inside, the malware uses system vulnerabilities to obtain administrator privileges and take control of the whole system

• Windows 7 UAC bypass
  – Win7 automatically grants administrator rights to certain whitelisted programs
  – malware can use DLL injection to force a whitelisted program to carry out malicious actions

[Figure: obtaining the administrator identity]

Page 16

Return Address Smashing

• The Unix fingerd daemon, which runs as root (it needs access to sensitive files), used to be vulnerable to a buffer overflow (the 1988 Morris worm exploited it)

• Write malicious code into the buffer and overwrite the return address so that it points to the malicious code

• When the function returns to that address, the malicious code runs with the full rights and privileges of root

1/27/2014 Buffer Overflow

    void fingerd(...) {
        char buf[80];
        ...
        gets(buf);   /* no length check: input longer than 80 bytes overwrites the saved return address */
        ...
    }

[Figure: stack layout before and after the attacker's input]

    Normal frame                                   Frame after attacker's input
    ------------------------------------------     ------------------------------------------
    previous frames                                previous frames
    f() arguments                                  f() arguments
    return address -> next location in caller      return address -> now points at the buffer (EIP)
    saved frame pointer / local variables          padding
    buffer (buf[80])                               malicious code (attacker's input)
    program code                                   program code
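An added example (not from the deck) that models the slide's diagram in Python rather than running a real overflow: it computes where the saved return address sits relative to buf[80] on a 32-bit frame, builds the classic payload (shellcode, filler, overwritten return address), and shows what gets() and a bounded fgets() each leave in the return-address slot of a simulated frame. The addresses 0x08048ABC and 0xBFFFF3A0 are hypothetical, and the layout (buffer, then a 4-byte saved frame pointer, then the return address) is the textbook assumption; a real target needs its measured offsets and a check of mitigations (stack canaries, NX, ASLR) that this model ignores.

```python
import struct

WORD = 4  # 32-bit frame, matching the slide's EIP / 4-byte return address


def ret_offset(buf_size: int, saved_fp: int = WORD) -> int:
    """Bytes from the start of buf to the saved return address:
    the buffer itself, then the saved frame pointer, then the return address."""
    return buf_size + saved_fp


def build_payload(shellcode: bytes, buf_size: int, ret_addr: int, filler: bytes = b"\x90") -> bytes:
    """Shellcode at the start of the buffer, filler up to the return-address slot,
    then the (assumed) address of the buffer so the overwritten return jumps into the shellcode."""
    off = ret_offset(buf_size)
    if len(shellcode) > off:
        raise ValueError("shellcode does not fit below the return address")
    return shellcode + filler * (off - len(shellcode)) + struct.pack("<I", ret_addr)


class Frame:
    """A model of fingerd's stack frame: buf[buf_size], saved EBP, return address."""

    def __init__(self, buf_size: int, ret_addr: int):
        self.buf_size = buf_size
        self.mem = bytearray(buf_size) + bytearray(WORD) + bytearray(struct.pack("<I", ret_addr))

    def gets(self, line: bytes) -> None:
        """gets() semantics: copy everything up to the newline with no bound check.
        Bytes beyond the frame spill into the caller's frame (the bytearray grows)."""
        data = line.split(b"\n", 1)[0] + b"\x00"
        self.mem[0:len(data)] = data

    def fgets(self, line: bytes) -> None:
        """fgets(buf, sizeof buf, stdin): at most buf_size-1 bytes plus the terminator."""
        data = line.split(b"\n", 1)[0][: self.buf_size - 1] + b"\x00"
        self.mem[0:len(data)] = data

    def saved_return_address(self) -> int:
        off = ret_offset(self.buf_size)
        return struct.unpack("<I", bytes(self.mem[off:off + WORD]))[0]


if __name__ == "__main__":
    RET_ORIGINAL, BUF_ADDR = 0x08048ABC, 0xBFFFF3A0  # hypothetical addresses
    payload = build_payload(b"\xcc" * 20, 80, BUF_ADDR)  # int3 stands in for shellcode
    for reader in ("gets", "fgets"):
        frame = Frame(80, RET_ORIGINAL)
        getattr(frame, reader)(payload + b"\n")
        print("%-5s -> return address 0x%08x" % (reader, frame.saved_return_address()))
```

With gets() the return-address slot ends up holding 0xBFFFF3A0, the buffer's assumed address, so the function "returns" into the attacker's bytes; with fgets() the copy stops at 79 bytes and the original return address survives, which is the whole fix for this bug class (together with the compiler and OS mitigations noted above).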

Page 17

TWISC@NCTU's past security technical capacity and R&D focus

Why Taiwan Information Security Center at NCTU (Why TWISC@NCTU)?
• The center has about 60 engineers and graduate students (5 full-time assistants) who are able to write and analyze attack code; several have won first place in the national hacking competition

• The project builds on the center's large malware sample database (over 300,000 Windows, Linux and Android samples so far) to develop malware analysis and detection mechanisms.

• cloudebug.cs.nctu.edu.tw: an online fine-grained malware behavior analyzer
• DNSSEC-Enabled Email System: compatible with existing SMTP mail systems (including Gmail); an identity-authenticating webmail server that integrates with DNSSEC servers, so users need only a browser to send and receive mail.

• The center was responsible for planning the first-phase (early-year) security exercise of the Executive Yuan's Information Security Office in 2013, and is planned to play the attacking side in the second-phase year-end exercise

• The center carried out the NSC National Program on Networking and Communications project "Heterogeneous Wireless Multi-network Security Testing Platform", which was unanimously praised by the reviewers and received the 2011 (ROC year 100) "Outstanding Research Project - Excellent Results Award" and the 2013 (ROC year 102) "NSC Cloud Computing and Information Security Outstanding Research Project Award"

• Systems developed by the center have been adopted by the National Security Bureau (國安局), the Investigation Bureau (調查局), NCSIST (中科院), ITRI (工研院), III (資策會), Chunghwa Telecom (中華電信), Trend Micro (趨勢科技), HTC (宏達電), Promise Technology (喬鼎資訊) and others

Page 18

APT email defense platform

  – mAnatomy
    • Email attachment extraction and containment system
    • Malware anatomy, detection and analysis Cloud
    • CRAXapt: A New Exploitation and Post-Exploitation Framework for Generating APT Attacks
  – mTrace
    • Pathfinder: APT Potential Attack Path Finding System
    • dObserver: Abnormal DNS Traffic Detection System
  – DNSSEC-enabled webmail server

Page 19

mAnatomy: malware detection and digital forensics system

• Malicious email attachment extraction and quarantine system: detaches malicious attachments from mail so they can be analyzed and judged.

• Malware gene database: study the latest attack techniques and build the basic components of attack software; malware gene discovery, sequencing, database construction and matching

• Malware detection and digital forensics system
  – Phase I: detection framework equipped with multiple commercial antivirus systems
  – Phase II: APT static malicious document detection system and dynamic malware analysis system

Page 20

Malware Behavior Analyzer – The Features

• MBA is a VM-based malware analyzer
  – MBA creates a VM and runs the target program inside it.
  – While the program executes, MBA collects the execution trace inside the VM.

• Dynamic Information Flow Tracking (DIFT)
  – DIFT traces the system's information flows at fine-grained byte level.

• Out-of-the-box monitor
  – Using VMI (Virtual Machine Introspection), MBA is implemented entirely at the VMM level.
  – The guest VM is not aware of MBA's existence.

Page 21

Malware Behavior Analyzer – The Applications (1/2)

• General-purpose malware analysis
  – With DIFT, MBA can trace the information flow among storage, memory, files and the network.

• Private data leakage detection
  – Given pre-defined private data, MBA can detect whether that data leaks to the Internet.

Page 22

Malware Behavior Analyzer – The Applications (2/2)

• Anti-debug malware analysis
  – Malware often uses anti-debugging techniques to evade analysis tools.
  – Because MBA is implemented with VMI, it is hard to detect MBA from inside the VM (the guest can still detect that it is running in a VM at all, e.g. through timing or CPUID checks; VMI hides the analyzer, not the hypervisor).

• Rootkit detection
  – By comparing the in-VM and out-of-VM views, MBA can discover rootkits that try to hide.

Page 23

Cloudebug – A Dynamic Debug/Analysis Utility by TWISC@NCTU

• Cloudebug is a dynamic analysis/debugging utility with a usable web interface.

• Cloudebug's features:
  – Virtual Machine Introspection
  – Dynamic malware analysis
  – Step-by-step software run-time debugging
  – Taint analysis
  – Reverse engineering combined with DIFT and API hooking
  – Online at cloudebug.cs.nctu.edu.tw

Page 24

ANDROID MARKET APPS SANITIZATION

Page 25

Mobile Apps Security Analysis

• The use of mobile apps is a growing trend.

• Malware targeting mobile devices is growing rapidly.

• The following research topics are ongoing:
  – Taint analysis on Android
  – Malware classification and genome extraction
  – Malicious behavior analysis

Page 26

Taint Analysis on Android

• Traces the data flow originating from a pre-defined taint source.

• Data locations influenced by the taint source are marked and added to the tracking list.

• Taint analysis contributes to the following areas:
  – Private data leakage detection
  – Malicious behavior analysis
  – Dynamic malware detection
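The byte-level DIFT described for MBA (pages 20 and 21) and the Android taint analysis on this page are the same mechanism: a label set travels with every byte from a source, through whatever the program does to it, to a sink. As an added illustration (not MBA's, Cloudebug's or TWISC's code), the constructed Python model below carries one label set per byte through concatenation, slicing, XOR obfuscation and base64 encoding, and reports at a simulated send() which sources reach the network and how many of the sent bytes are tainted. The IMEI, contact string and C2 address 203.0.113.7 are invented; real DIFT does this at the instruction level in the VMM or the Dalvik interpreter, not on a byte-string wrapper.

```python
import base64


class TaintedBytes:
    """Bytes carrying one taint-label set per byte (byte-granular DIFT model)."""

    def __init__(self, data: bytes, labels=None):
        self.data = bytes(data)
        self.labels = list(labels) if labels is not None else [frozenset()] * len(self.data)
        if len(self.labels) != len(self.data):
            raise ValueError("one label set per byte")

    @classmethod
    def from_source(cls, data: bytes, source: str) -> "TaintedBytes":
        """Taint source: every byte read from e.g. the IMEI or the contact list."""
        return cls(data, [frozenset({source})] * len(data))

    def __add__(self, other: "TaintedBytes") -> "TaintedBytes":
        # concatenation keeps each byte's own labels
        return TaintedBytes(self.data + other.data, self.labels + other.labels)

    def __getitem__(self, s: slice) -> "TaintedBytes":
        return TaintedBytes(self.data[s], self.labels[s])

    def xor(self, key: bytes) -> "TaintedBytes":
        """Byte-wise transform: output byte i depends only on input byte i, so label i is kept."""
        out = bytes(b ^ key[i % len(key)] for i, b in enumerate(self.data))
        return TaintedBytes(out, self.labels)

    def b64(self) -> "TaintedBytes":
        """Base64: each group of 4 output chars derives from 3 input bytes, so their labels merge."""
        enc = base64.b64encode(self.data)
        labels = [frozenset().union(*self.labels[(i // 4) * 3:(i // 4) * 3 + 3]) for i in range(len(enc))]
        return TaintedBytes(enc, labels)

    def sources(self) -> frozenset:
        return frozenset().union(*self.labels)


def network_send(dest: str, payload: TaintedBytes) -> dict:
    """Taint sink standing in for send(): report which sources reach the network."""
    return {
        "dest": dest,
        "leaked_sources": sorted(payload.sources()),
        "tainted_bytes": sum(1 for l in payload.labels if l),
        "total_bytes": len(payload.data),
    }


def run_sample_app() -> dict:
    """Constructed app behaviour: read the IMEI and contacts, wrap them in a request,
    XOR-obfuscate and base64-encode, then send to a hypothetical C2 host."""
    imei = TaintedBytes.from_source(b"353490", "IMEI")
    contacts = TaintedBytes.from_source(b"Alice:0912", "CONTACTS")
    req = TaintedBytes(b"id=") + imei + TaintedBytes(b"&c=") + contacts[:5]
    return network_send("203.0.113.7:443", req.xor(b"\x5a").b64())


if __name__ == "__main__":
    print(run_sample_app())
    print(network_send("203.0.113.7:443", TaintedBytes(b"ping")))
```

The encoding steps are why a string-matching leak detector fails and taint tracking does not: after XOR and base64 the IMEI is no longer visible in the traffic, but its labels are still attached to the bytes that hit the socket. Only the first and fourth base64 groups, which derive from the untainted "id=" and "&c=" fragments, remain label-free.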

Page 27

Mobile Apps – Malware Classification and Genome Extraction

• Malware classification is the first step; a malware genome database is the goal.

• An automatic sample-grabbing system is an important basis.

• Some of the malware classification techniques:
  – Repackage detection
  – Dalvik bytecode modeling
  – Data mining on code tree/code graph
  – Semantic model analysis

Page 28

Mobile Apps – Malicious Behavior Analysis

• Static analysis is efficient but has limitations, especially against polymorphic or encrypted malware.

• Dynamic analysis is powerful but too resource-intensive to run on the mobile devices themselves.

• Cloud computing can provide both static and dynamic analysis of mobile applications.

• The goal is to build a malware analysis cloud for the mobile application markets.

Page 29

Conclusion

• APT Email Defense Platform
• Android Market Apps Sanitization
• DNSSEC-enabled webmail server