Page 1

The role of threat intelligence in combating against targeted malware attacks

Boldizsár Bencsáth
Budapest University of Technology and Economics
Department of Telecommunications
Laboratory of Cryptography and System Security (CrySyS Lab)
www.crysys.hu

joint work with Levente Buttyán, Gábor Pék, and Márk Félegyházi

Page 2

Laboratory of Cryptography and System Security (CrySyS Adat- és Rendszerbiztonság Laboratórium), www.crysys.hu

CrySyS Lab - activities

09/2011 discovery, naming, and first analysis of Duqu malware

05/2012 published detailed technical analysis on Flame malware

02/2013 Together with Kaspersky Labs, we published information on the MiniDuke malware

03/2013 After the joint work with NSA HUN, we published results of investigations on the TeamSpy campaign

Page 3

Miniduke

FireEye found a document with a 0-day PDF exploit on 12/02/2013

PDF documents that use the same 0-day vulnerability but a different malware module were found

The documents were suspicious – we expected that the attackers use them against high-profile targets

~60 victim IP addresses found, many high-profile targets in governments and organizations, even NATO

Investigations were finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations

Not the malware but the attack campaign was of main interest

Page 4

TeamSpy

In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support to further work on an already identified attack

We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists

There are multiple waves of attack campaigns done by some group in the last 8 years

Two main malware technologies: one “standard” proprietary botnet client, one based on TeamViewer abuse

Main goal of the attackers: targeted attacks to steal information

Traces show that attackers were active from 2004

Some of their tools were already known for years by A/V companies, but the whole story was never identified (missing threat intelligence)

Page 5

Threat Intelligence

the process of discovering malicious activity – through internal monitoring tools or external services that publish information about detected incidents – before an attack succeeds
– situational awareness

to understand “what is going on”; technical analysis is just one point in that process

Information is needed from as many sources as possible

One finding might open the way for another (cyclic approach)

As long as the attack is not fully understood, the work done should not be exposed (too much) – don’t leak info towards the attackers

Page 6

Questions of threat intelligence

What is the threat we are facing?
– What tools are used by the attackers?
– What are the possible capabilities, resources of the attacker?
– What is the goal of the attacker?
– Attribution (“who is the attacker”) is just a way to understand it better

What is the risk at our side?
– What are our assets that need to be protected?
– What if the attack continues?

What should be the response?
– What is the most efficient way to handle the problem?
– How to notify others, what to share?
– What could happen after a response on the attack?

Page 7

Threat intelligence process - a model

(cycle diagram with the stages Analyze, Act, Decide, Dig, Collect Info, and the edge labels query, intelligence, command)

Page 8

Threat intelligence gathering - sources

internal monitoring tools
– AV (anti-virus) products
– IDSs (Intrusion Detection Systems) and SIEMs (Security Incident and Event Management systems)
– log analysis tools
– DNS monitoring
– honeypots

external services
– run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals
– public, closed, or commercial access
– examples: collection of malware samples, malicious domains, IP blacklists

Page 9

A case study for threat intelligence

5 Hungarian banks were attacked by a specific Zeus P2P botnet-based attack from Dec/2012

Started with a phishing email and an executable attachment

Main attack: modified browser behavior to transfer money from the bank account of the user

Main attack scripts and the botnet were updated multiple times

Page 10

First steps

Collect samples from victims

Run samples in a sandbox environment
– First within an isolated computer
– Network communication shows UDP traffic and later domain flux as a backup mechanism
– You can consider it P2P Zeus

At first glance VirusTotal gives something like 2/46, with “generic.Trojan” markers

After some hours it will give you something like 30/46 if the attack is wide-scale

If you still see 2/46 then you are in trouble: it can be a targeted attack (APT)

If you were the first to upload the sample to VT, you have revealed information

Page 11

Zeus P2P UDP traffic sample

01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125

01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176

01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76

01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202

01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159

01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180

01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140

Page 12

Domain flux sample

01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)

01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)

01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)

01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)

01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
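The two captures above (the UDP peer traffic on the previous slide and the domain-flux lookups on this one) are exactly the signals a sandbox operator wants to pull out automatically. The script below is an added example written for this page, not tooling from the CrySyS Lab. It parses constructed tcpdump-style lines in the same shape as the slides (the three long domain names are the ones shown above; the IP addresses are RFC 5737 documentation ranges, not the deck's), reports any source port fanning out to many distinct UDP peers, and scores queried names for DGA-like features (long label, few vowels, high character entropy). The thresholds are assumptions to tune against your own baseline traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines in the shape of the slides' captures. The IPs are
# documentation ranges (RFC 5737), not the addresses from the deck; the three long
# domain names are the ones shown on the domain-flux slide, plus one benign lookup.
SAMPLE_LINES = """\
01:16:13.254269 IPv4 (0x0800), length 167: 10.0.0.53.21969 > 198.51.100.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: 10.0.0.53.21969 > 203.0.113.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: 10.0.0.53.21969 > 192.0.2.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: 10.0.0.53.21969 > 198.51.100.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: 10.0.0.53.21969 > 203.0.113.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: 10.0.0.53.21969 > 192.0.2.190.15683: UDP, length 180
01:17:00.000000 IPv4 (0x0800), length 80: 10.0.0.53.1025 > 10.0.0.254.53: 1001+ A? www.example.com. (33)
01:18:55.362727 IPv4 (0x0800), length 87: 10.0.0.53.1025 > 10.0.0.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: 10.0.0.53.1025 > 10.0.0.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: 10.0.0.53.1025 > 10.0.0.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(rf"^(\S+) IPv4 .*?: {IP}\.(\d+) > {IP}\.(\d+): UDP, length (\d+)$")
DNS_RE = re.compile(rf"^(\S+) IPv4 .*?: {IP}\.(\d+) > {IP}\.53: \d+\+ A\? (\S+)\. \(\d+\)$")


def shannon_entropy(text):
    """Bits per character of the string; random-looking labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(domain, min_len=16, max_vowel_ratio=0.35, min_entropy=3.0):
    """Heuristic for algorithmically generated names (assumed thresholds):
    a long second-level label, few vowels, and high character entropy."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def udp_fanout(capture, min_peers=5):
    """Map each (src_ip, src_port) to the distinct UDP peers it contacted and keep
    the sources that talk to many peers, the P2P pattern seen on the UDP slide."""
    peers = defaultdict(set)
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            _, src, sport, dst, dport, _ = m.groups()
            peers[(src, int(sport))].add((dst, int(dport)))
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


def suspicious_dns(capture):
    """Return queried names that score as generated, in capture order."""
    return [m.group(5) for m in map(DNS_RE.match, capture.splitlines())
            if m and looks_generated(m.group(5))]


def triage(capture):
    """Combine both signals into one report for the analyst."""
    return {"p2p_sources": udp_fanout(capture), "dga_lookups": suspicious_dns(capture)}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for (src, port), plist in report["p2p_sources"].items():
        print(f"{src}:{port} contacted {len(plist)} distinct UDP peers")
    for name in report["dga_lookups"]:
        print(f"DGA-like lookup: {name}")
```

Feed it a real `tcpdump -n` capture from the isolated sandbox host and both functions keep working, since only the source host and the resolver address change; the DGA heuristic will false-positive on some CDN hostnames, which is why the domain list is a triage queue rather than a verdict.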

Page 13

Zeus contd.

It was found (and even published on blog sites) that the malware downloads updates from a hacked web page: www.felegond-jatektar.hu/lego-logo/biz.exe

The site was running for weeks and nobody took steps to remove the content

The malware installed some new versions; for some, only the configuration block was different (e.g. peers)

Page 14

Difference is only at the end of the file
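The observation on the last two slides, that successive versions share the whole binary and differ only in an appended configuration block, is easy to verify and to exploit for sample clustering. The Python below is an added example, not the lab's tooling: it finds the byte offset where two files diverge, carves the differing tails, fingerprints the shared body, and groups samples whose shared body covers most of the file. The samples are constructed placeholders (a fake "MZ" body plus a fake peer-list tail, with documentation-range addresses) and the 0.9 threshold is an assumption.

```python
import hashlib

# Constructed stand-ins for two versions of the dropped executable plus an unrelated
# file: a fake "MZ" body followed by a fake peer-list configuration tail.
BODY = b"MZ" + bytes(range(256)) * 4
SAMPLES = {
    "biz_v1.exe": BODY + b"CFG|peers=192.0.2.10:21969,192.0.2.11:21969|",
    "biz_v2.exe": BODY + b"CFG|peers=198.51.100.5:21969,198.51.100.6:21969|",
    "other.exe": b"MZ" + bytes(reversed(range(256))) * 4 + b"CFG|",
}


def common_prefix_len(a, b):
    """Number of leading bytes the two buffers share."""
    n = min(len(a), len(b))
    i = 0
    while i < n and a[i] == b[i]:
        i += 1
    return i


def tail_diff(a, b):
    """Where do two samples diverge, and what are the differing tails? A divergence
    point close to the end of the file with an identical body before it is the
    pattern on the slides: same code, different appended configuration."""
    split = common_prefix_len(a, b)
    return {
        "diverge_at": split,
        "shared_fraction": split / max(len(a), len(b)),
        "shared_md5": hashlib.md5(a[:split]).hexdigest(),  # fingerprint of the common body
        "tail_a": a[split:],
        "tail_b": b[split:],
    }


def cluster_by_body(samples, min_shared=0.9):
    """Greedy grouping: a sample joins the first cluster whose representative shares
    at least min_shared (assumed threshold) of the longer file with it."""
    clusters = []  # (representative name, member names)
    for name, data in samples.items():
        for rep, members in clusters:
            if tail_diff(samples[rep], data)["shared_fraction"] >= min_shared:
                members.append(name)
                break
        else:
            clusters.append((name, [name]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    d = tail_diff(SAMPLES["biz_v1.exe"], SAMPLES["biz_v2.exe"])
    print(f"diverge at byte {d['diverge_at']}, {d['shared_fraction']:.1%} shared")
    print("tail v1:", d["tail_a"])
    print("tail v2:", d["tail_b"])
    print("clusters:", cluster_by_body(SAMPLES))
```

With real samples the carved tails are what you hand to the config parser (peer lists, C&C addresses), and `shared_md5` gives a stable identifier for the code body even when every full-file hash is different, which is why the VirusTotal ratios for such versions can disagree.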

Page 15

Zeus Contd.

Later new malware components were installed to sandboxed computers

Some new modules try to communicate with two C&C servers, one in the Netherlands and one in Italy (95.141.32.214)

Page 16

Components

Main communication module is written in Delphi

It uses a standard remote access SDK, “RealThinClient”

The malware stores components (executable files!) in the registry, in binary and sometimes encrypted form
– Software\Google\Update\network\secure
– Software\Adobe\Adobe Acrobat
– Software\Google\Common\Rlz\Events

Uses VNC as a module

Uses a socks proxy to back-connect
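Components stashed as binary registry values are invisible to file-system scanning, so a defender checking endpoints for this behaviour wants to look at the values themselves. The Python below is an added example, not part of the presentation: it parses a regedit export offline (handling the backslash-wrapped hex lines regedit writes), decodes each REG_BINARY value, and flags values that start with a PE header, that are large and high-entropy (consistent with the "sometimes encrypted" components), or that sit under one of the three key paths named on the slide. The .reg text is constructed (the toy MZ header and the random-looking blob are made up; only the key paths come from the slide), and the size and entropy thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed regedit export used as the input here. Only the three key paths are
# taken from the slide; the values (a toy MZ header and a random-looking blob) are
# made up for the example.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat]
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\Google\Update\network\secure]
"blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,\
  00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Google\Common\Rlz\Events]
"C1"=hex:9f,3a,c2,71,0e,d8,55,b6,24,e9,7c,13,a8,60,f5,2d,4b,91,c7,06,3e,ba,58,\
  e2,17,8d,49,f0,a3,6c,d1,2b,95,7e,c8,30,64,fa,1d,b9,42,07,ee,53,a6,dc,19,88

[HKEY_CURRENT_USER\Software\Example\Normal]
"Small"=hex:01,02
"""

# Key paths named on the slide as places where the malware stored its components.
WATCHED_KEYS = (
    r"Software\Google\Update\network\secure",
    r"Software\Adobe\Adobe Acrobat",
    r"Software\Google\Common\Rlz\Events",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')


def parse_reg_export(text):
    """Return (key, value_name, data) for every REG_BINARY value in the export.
    regedit wraps long hex values with a trailing backslash; join those lines."""
    lines = [ln.strip() for ln in text.splitlines()]
    values, key, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = HEX_RE.match(line)
        if not m:
            continue
        name, hexpart = m.groups()
        while hexpart.endswith("\\") and i < len(lines):
            hexpart = hexpart[:-1] + lines[i]
            i += 1
        data = bytes(int(h, 16) for h in hexpart.split(",") if h)
        values.append((key, name, data))
    return values


def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(key, name, data, min_len=32, min_entropy=4.5):
    """Reasons a binary value deserves a look (thresholds are assumptions)."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("PE header (MZ) inside a registry value")
    if len(data) >= min_len and entropy(data) >= min_entropy:
        reasons.append("large high-entropy blob (possibly encrypted payload)")
    if len(data) >= min_len and any(key.endswith(w) for w in WATCHED_KEYS):
        reasons.append("binary value under a key used by the campaign")
    return reasons


def scan(text):
    """Apply assess() to every binary value and keep the ones with findings."""
    hits = []
    for key, name, data in parse_reg_export(text):
        reasons = assess(key, name, data)
        if reasons:
            hits.append((key, name, reasons))
    return hits


if __name__ == "__main__":
    for key, name, reasons in scan(REG_EXPORT):
        print(f"{key}\\{name}: " + "; ".join(reasons))
```

On a live host the same logic runs over `reg export HKCU\Software out.reg` (or the HKLM hive); the entropy rule catches the encrypted variants that the MZ check alone misses, while the key-path rule is the cheapest indicator but only for this campaign's known locations.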

Page 17

RCApp

For some reason, the RCApp receives a list of known victims from the C&C server

Communication is in encrypted form

Data reveals IP addresses and other information (Windows version, computer name, partial SID, etc.) on the victims

Data revealed that most victims are in Hungary, Sweden and Great Britain

Of course, related CERT organizations were notified

Page 18

RCApp module info about victim

name: infoUserName value: Tibor

name: infoIP value: 85.66.XXX.XXX

name: infoComputerName value: TIBOR-PC

name: infoClientVersion value: RCApp xxx

name: infoidgen value: HU-41-3XXXXXXXXX

name: infoIsHost value: true

name: infoisAv value: 1a

name: infoisX64 value: 0

name: infoisVer value: 1.0.7.5

name: infoisPcNetName value: TIBOR-PC

name: infoisPcUserName value: Tibor

name: infoisCountry value: HU

name: infoisJava value: 7

name: infoisbk value: 0

name: infoisKeyLog value: 0

name: infoisaccessadmin value: 0

name: infoisNote value: 0

name: infoisUptime value: Day: 0 Hour: 13 Min: 17

name: infouser value:

name: infopwd value: 2d53XXXXXXXXXXXXXXXXXXXz

name: infoid value: E80XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Windows version and patch level

Page 19

“Coropotaile” component victim distribution

Based on data extracted from the botnet

Number of known victims is small, ~500

Page 20

Umbrella data (based on OpenDNS)

Page 21

Momentsindividualists.biz – CC domain

Page 22

Coropotaile samples – from VirusTotal uploads

QqD Socks proxy module: bd619bcdacc94b586a0afbdbb7d886c5

RCApp loader: 994caf8a96a9608854eda97edf3ff434

RCApp xxx 1.7.5 from registry (maybe wrong): eee085bca6e2d0103211e7e8a0d21fc4

VNC module (vncdll.dll), 149504b: ba0e37dfb2b8432a0c0acc9dfc48bb8d

VNC module2: bb2ed55913b7edfdeeee82bb85fcf414

 

 

be20272439ea8e2d3052e39e57e931103a26b33da3b2d73b01c3637611027b369e3b3b5c427c28fab8b7c6bd955d1dcfafe79cd9ab043f01bb454af4d69c0c80 12dcc190f8911faebec4474c60cb301f7d2b506d1f1cccf38b98a2bf5d64c77071fa4058594b6ca86cc3989e1421f11d73ca3a02534bc907e28c0609aedbe390b230b621717fb6e1fd9c78a2a053a53a61acd7649a543b8de9ef47f6f1becdefdc7bd24ae60fdd61e20f499faf1c08bdad41f2afbc3a96615c24e32b3e207acb4819d04f42dab9dc6059e206961e46379322ffe4e6177d44a291df4b3770abc94d0cca53828702e96320e559fa836d352f856d675273f4601f0e867f51c8b434b70a1aefa1ab9d6f0278f3c4e86895e81ed064a0c2d69206876884d999775f9ac68dff9bcf2646560158db2c914f5e8a4996466b0e1bdb393f25ea11f6c20bafc79ab000caa3346ddf817454653ee4728dff9f8a9dfe7321cb1606600f983ecb14d9e1567f372c3626c92b21a259094bf8cffa6f466297f495af94048e33bf40b9bf4e272576a90026aa7862a12fc5b8ecdc60f8b3aae9545262f49f4bab1c78a5d1b278d2ad2025eefc603f3e7ddf7a73ca3a02534bc907e28c0609aedbe3902db3cf5b7a3ee572a5f048a8ecd766298636e0d634f035dfdedfd7791aaa6ee428e4599c4f3553562bf71027b14ebcb3


Page 23

Zeus - conclusions

It is not just “Zeus”, it’s a campaign

A new related campaign was discovered (RCApp)

New malware strain uncovered with new tricks

Several corresponding samples can be investigated

Hundreds of victims were identified

Lots of questions are still unanswered

Work in progress

Page 24

Conclusions – threat intelligence

Threat intelligence is more than finding and analyzing malware

Lots of information is available, but threat intelligence is still a hard task

Some tasks can be automated, but many cannot – scalability problems

Hard task to judge seriousness

Information sharing is highly needed

Threat intelligence is very important for the security of our networks

Page 25

Questions?

CrySyS Lab, Budapest

contact info: www.crysys.hu

www.crysysatm.com