thotcon 0x6: going kinetic on electronic crime networks

Post on 12-Aug-2015


Going Kinetic on Electronic Crime Networks

THOTCON 0x06

John Bambenek, Fidelis Cybersecurity

Introduction

•  Sr. Threat Researcher with Fidelis Cybersecurity

•  Faculty at the University of Illinois at Urbana-Champaign

•  Producer of open-source intelligence feeds

•  Run several takedown-oriented groups for various malware families

Problem Statement

•  Right now we are on the losing end of an arms race

•  The adversaries produce more malware than we can possibly analyze.

•  We have to operate in the open while they operate in secret.

•  Their core business is exploitation; for us, security is a cost center.

•  We operate in a global economy without an effective means of global law enforcement.

TL;DR

 

Bad News: We’re Doomed

Good News: Unlimited Job Security

What to do…

•  You could keep playing defense:

   •  Firewall Rules

   •  IDS/IPS Rules

   •  AV Signatures

   •  IoCs

   •  Etc etc etc

The problem of “sufficiency”

•  Once we “detect” a threat, work occurs until some “defense” is developed.

•  Once a threat is “blocked”, the work tends to stop.

•  The threat actor can operate with impunity and just has to tweak tactics occasionally.

•  Those in most need of security are least likely to have it / afford it.

What to do…

•  Or you can take the fight to the adversary and go kinetic?

•  Why kinetic?

   •  No, I’m not talking about predator drones…

   •  Or hacking back…

What is a takedown?

•  An attempt to disrupt an ongoing electronic crime operation with the intent of ending it entirely.

•  Successful takedowns: Operation Tovar, Conficker

•  Unsuccessful takedowns: Kelihos (all 4)

•  Complete disasters: No-IP

Aren’t takedowns just media ploys?

•  Right now there is far too much media pimping in our industry by <insert company name here>.

•  There have been plenty of takedowns for PR purposes. And white papers. And blog posts… etc.

•  That doesn’t mean we should stop trying to have an impact.

How to tell the difference?

•  Takedowns, like all security-related activity, require OPSEC.

•  What’s the first rule of OPSEC?

Do takedowns do any good?

•  Some argue that because crime doesn’t stop, takedowns don’t do any good.

   •  Sure, stupid takedowns don’t do much good.

•  But arrests haven’t stopped rape, murder and theft in a few thousand years either.

Do takedowns do any good?

•  Writing detection rules doesn’t stop criminals from adapting either.

•  Key is to do things in a thoughtful way to maximize impact and minimize risk.

•  Hopefully along the way an indictment can be had.

How to do takedowns…

•  Largely depends on the threat and its complexity.

   •  Can be as simple as asking a provider to shut someone down.

•  Can be as complicated as involving dozens of organizations, law enforcement across multiple countries.

The Easy Way

•  Getting things taken down for criminal activity can be time-consuming.

•  Getting things taken down for “brand damage” / DMCA is generally easy.

   •  Seriously, ICANN has minimal security rules for domains, but they are all over brand damage / impersonation.

The Easy Way

•  That only works for “small” threats… the kind of threats that come back easily anyway.

•  Most threats are too big for one organization to handle.

   •  There are shared threats and unique threats. Most are shared threats.

Building the Intel for Takedowns

•  Have to build the “what” before you can answer the “how”.

•  Almost all malware wants to talk “somewhere”.

•  Enumerate *ALL* avenues an adversary can use to contact an infected machine.

Example #1

•  Example #1: Domain Generation Algorithms

•  Based on some math, a pseudo-random but predictable list of domains is generated.

Example #1

•  If you can RE a DGA, you can use it to build intel.

   •  See Johannes Bader’s blog: johannesbader.ch

•  Create a domain list and use adns-tools to resolve large numbers of them on a routine basis: an instant SIGINT tool.
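As an added example (not code from the talk, and not the algorithm of CryptoLocker or any other real family), here is the workflow those bullets describe in Python: a toy day-seeded generator standing in for a reversed DGA, a window function that covers past and future days, and a bulk resolver that keeps only the names that answer. The generator, its seed, the TLD list and the stub DNS table are all assumptions made for the example; the one “registered” domain is parked on an RFC 5737 documentation address rather than a real C2.

```python
import hashlib
import re
from datetime import date, timedelta

# Illustrative DGA only: it is NOT the algorithm of CryptoLocker or any other
# real family. Each real DGA has its own seed, label length and TLD list
# (Johannes Bader's write-ups document many of them); the workflow around it
# (generate per day, resolve in bulk, keep what answers) is what carries over.
TLDS = ("com", "net", "biz", "ru", "org", "co.uk")
DOMAIN_RE = re.compile(r"^[a-z]{14}\.(com|net|biz|ru|org|co\.uk)$")


def toy_dga(day: date, count: int = 6, seed: bytes = b"illustrative-seed") -> list:
    """Return `count` reproducible pseudo-random domains for one calendar day.

    Anyone who knows the seed and the date regenerates the same list, which is
    exactly the property that turns a reversed DGA into a SIGINT source.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
        domains.append(f"{label}.{TLDS[digest[14] % len(TLDS)]}")
    return domains


def domains_for_window(anchor: date, days_ahead: int, days_back: int = 0) -> list:
    """Past days feed sinkhole/victim telemetry; future days are what a registrar
    suspension request or a court order (as in Operation Tovar) has to cover."""
    out = []
    for offset in range(-days_back, days_ahead + 1):
        out.extend(toy_dga(anchor + timedelta(days=offset)))
    return out


def resolve_all(domains, resolver) -> dict:
    """Bulk-resolve and keep only the names that answer.

    `resolver` is any callable domain -> IPv4 string or None. In production it
    would wrap adnshost output or dns.resolver; here it is a stub.
    """
    hits = {}
    for d in domains:
        ip = resolver(d)
        if ip:
            hits[d] = ip
    return hits


# Constructed "DNS" so the example runs offline: the adversary has registered
# the third domain the toy DGA yields for 11 May 2015 and parked it on an
# RFC 5737 documentation address (not a real C2).
ANCHOR_DAY = date(2015, 5, 11)
CONSTRUCTED_ZONE = {toy_dga(ANCHOR_DAY)[2]: "203.0.113.7"}


def constructed_resolver(domain: str):
    return CONSTRUCTED_ZONE.get(domain)


if __name__ == "__main__":
    candidates = domains_for_window(ANCHOR_DAY, days_ahead=2, days_back=1)
    for domain, ip in resolve_all(candidates, constructed_resolver).items():
        print(f"{domain} , resolves to {ip} (registered by the adversary)")
```

Run daily against the real generator and the hits are the feed lines the next slide shows; the misses for future days are the list to hand a registrar or a court.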

Example #1

tmabjkeyftudpk.com , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

eiavquoeipblqq.net , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

rvyqndcrbqsxqu.biz , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

fjccjegtytxxsh.ru , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

swbwgmthrupkju.org , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

gqfoopfpkaxjjf.co.uk , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

Example #1

•  You could use this list to find what resolves and where the adversary is sitting…

50.63.202.25 , IP used by matsnu C&C

54.228.194.98 , IP used by matsnu C&C

Example #1

•  Or you could take all the domains, current and future, in a legal action.

   •  If there is no other path to access, you have severed the adversary’s ability to control. (Operation Tovar did this.)

•  You could also buy all the domains…

   •  Expensive, unless you are a registrar, which is cheaper than you think to do.

   •  Or you could ask the registrar to suspend. Many will take action (some won’t).

   •  AlienSpy example

Example #2

•  Example 2

•  Mine malware for C2 information

•  https://github.com/kevthehermit/RATDecoders

•  Python scripts that will statically rip configurations out of 32 different flavors of RATs.

•  Disclaimer: I had nothing to do with the development of these tools; they just fit my need and Kevin Breen deserves mad props.

Sample DarkComet config

Key: CampaignID Value: Guest16
Key: Domains Value: ######.ddns.net:1234
Key: FTPHost Value:
Key: FTPKeyLogs Value:
Key: FTPPassword Value:
Key: FTPPort Value:
Key: FTPRoot Value:
Key: FTPSize Value:
Key: FTPUserName Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger Value: 1
Key: Password Value:
Key: Version Value: #KCMDDC51#

Sample njRat config

Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: #####.ddns.net
Key: Install Dir Value: UserProfile
Key: Install Flag Value: False
Key: Install Name Value: svchost.exe
Key: Network Separator Value: |'|'|
Key: Port Value: 1177
Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4

Processing DNS/IP Info

•  The config takes an FQDN or IP in a free-form field.

•  This is the only configuration item that gets any processing.

•  If RFC 1918 IP, then drop config.

•  If FQDN resolves to RFC1918 IP, keep it.

•  If it doesn’t resolve, keep it.
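An added example, not Kevin Breen’s code and not the author’s pipeline, of the two steps described above: pull the C2 field out of a decoded config and apply the RFC 1918 rule from this slide. The config dicts are constructed in the shape RATDecoders returns (DarkComet `Domains` as host:port, njRat `Domain` plus `Port`), the hostnames use the reserved .invalid TLD, the IPs are RFC 5737 documentation addresses and the resolver is a stub; the assumption that each field holds a single host is marked in the code. Note that the RFC 1918 test is written out explicitly because Python’s `is_private` also matches the documentation ranges and would drop a config the rule says to keep.

```python
import ipaddress
from typing import Callable, Optional

# The three RFC 1918 blocks, checked explicitly: ipaddress's is_private is
# broader (loopback, link-local, the RFC 5737 documentation nets, ...) and
# would drop configs the slide's rule says to keep.
RFC1918_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed configs in the dict shape RATDecoders returns, one per sample.
# .invalid hostnames and RFC 5737 addresses: none of these are real C2s.
CONSTRUCTED_CONFIGS = [
    {"sha1": "a" * 40, "family": "DarkComet", "Domains": "builder-a.invalid:1604", "Mutex": "DC_MUTEX-AAAAAAA"},
    {"sha1": "b" * 40, "family": "njRat", "Domain": "192.168.1.20", "Port": "1177"},      # LAN-only test build
    {"sha1": "c" * 40, "family": "njRat", "Domain": "builder-c.invalid", "Port": "1177"},  # DDNS name parked on a LAN address
    {"sha1": "d" * 40, "family": "DarkComet", "Domains": "198.51.100.9:90"},              # hard-coded public IP
    {"sha1": "e" * 40, "family": "njRat", "Domain": "", "Port": "1177"},                   # empty: nothing to act on
    {"sha1": "f" * 40, "family": "njRat", "Domain": "builder-f.invalid", "Port": "1177"},  # DDNS name currently dormant
]


def is_rfc1918(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so it is an FQDN
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def parse_c2(config: dict):
    """Pull (host, port) out of the free-form C2 field.

    Assumption: DarkComet's "Domains" holds one host:port and njRat's "Domain"
    holds a bare host with the port in "Port". Multi-entry fields and IPv6
    literals are not handled here.
    """
    raw = (config.get("Domains") or config.get("Domain") or "").strip()
    if not raw:
        return None, None
    host, sep, port = raw.rpartition(":")
    if not sep:
        host, port = raw, config.get("Port", "")
    return host, (int(port) if str(port).isdigit() else None)


def triage(config: dict, resolver: Callable[[str], Optional[str]]):
    """Apply the slide's rule. Returns a record to keep, or None to drop the config."""
    host, port = parse_c2(config)
    if not host:
        return None  # no C2 at all: nothing to take down
    if is_rfc1918(host):
        return None  # hard-coded LAN address: a test build, never reachable by victims
    record = {"sha1": config["sha1"], "family": config["family"], "host": host, "port": port}
    try:
        ipaddress.ip_address(host)
        record["ip"], record["status"] = host, "ip"
        return record  # public IP literal: the hosting provider is the contact point
    except ValueError:
        pass
    resolved = resolver(host)
    record["ip"] = resolved
    if resolved is None:
        record["status"] = "fqdn-unresolved"  # dormant DDNS name, still the actor's; keep and re-check
    elif is_rfc1918(resolved):
        record["status"] = "fqdn-private"  # name exists but points inward today; it will move
    else:
        record["status"] = "fqdn-resolves"
    return record


def process(configs, resolver):
    return [r for r in (triage(c, resolver) for c in configs) if r is not None]


# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_DNS = {"builder-a.invalid": "203.0.113.45", "builder-c.invalid": "10.0.0.5"}


def constructed_resolver(host: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(host)


if __name__ == "__main__":
    for r in process(CONSTRUCTED_CONFIGS, constructed_resolver):
        print(",".join(str(r[k]) for k in ("sha1", "family", "host", "ip", "port", "status")))
```

Keeping the unresolved and privately-resolving names is the point of the rule: a DDNS name is the actor’s handle, and it will point somewhere reachable the next time they go operational, so it belongs on the list handed to the DDNS provider even if it is useless for a block list today.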

Sample Output

0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,######.ddns.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR

0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,######.noip.me,,1604,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS

07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,######.no-ip.biz,204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N

07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,######.no-ip.biz,,1604,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC

07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A2xbJmSqvuc,DC_MUTEX-F54S21D

07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,######.ddns.net,31.132.106.94,1604,1.#######.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN

NOTE – Redacted entries are username and password for FTP drop for keylogs.

So you have data. Now what?

•  You have four options for takedown-related actions:

   •  Use the criminal justice system

   •  Use civil litigation

   •  Work with providers directly (AUP/ToS/contract enforcement)

   •  Other “less legal” means which we will not discuss here.

Criminal Justice System

•  The ideal result… someone gets arrested.

•  Generally, work for big online crime cases starts with private sector research.

•  Very time consuming but low cost.

•  LE in almost every country is willing to work with anyone who can help build cases.

   •  Yet cooperation between countries can be problematic.

Criminal Justice System

•  An important tool to motivate law enforcement is to enumerate harm.

•  Sinkhole domains (if possible) to build victim information.

•  Before LE will act they want to know how their citizens are impacted.

•  Possible to get cooperation even in “hostile” jurisdictions.
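An added example (not code from the talk) of the victim enumeration the sinkhole bullet points at: parse sinkhole web-server log lines, count unique check-in sources per day, then bucket them by jurisdiction so the harm can be stated per country. The log lines, the assumed check-in path `/gate.php` and the prefix-to-country table are constructed stand-ins; a real sinkhole would feed a GeoIP/ASN database instead of the table, and the source addresses here are RFC 5737 documentation ranges, not real victims.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole web log (combined log format). Sources are RFC 5737
# documentation addresses, so nothing here is a real victim.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [13/Feb/2015:10:01:02 +0000] "GET /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Feb/2015:10:06:10 +0000] "GET /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.77 - - [13/Feb/2015:10:07:44 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.9 - - [13/Feb/2015:10:09:00 +0000] "GET /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.200 - - [13/Feb/2015:11:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "masscan/1.0"
192.0.2.9 - - [14/Feb/2015:09:15:21 +0000] "GET /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# Assumed check-in path for the family being sinkholed; only hits on it count.
# Scanners, crawlers and other researchers poking the sinkhole must not be
# reported to LE as victims.
CHECKIN_PATH = "/gate.php"

# Stand-in for a GeoIP/ASN database. XA/XB are ISO 3166 user-assigned codes,
# i.e. deliberately not real countries.
CONSTRUCTED_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("192.0.2.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return {ip, day, path} for a combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "day": ts.date().isoformat(), "path": m.group("path")}


def country_of(ip: str, geo=CONSTRUCTED_GEO) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in geo.items():
        if addr in net:
            return cc
    return "??"


def victims_per_day(log_text: str) -> dict:
    """Unique check-in sources per calendar day: the first number LE asks for."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == CHECKIN_PATH:
            per_day[rec["day"]].add(rec["ip"])
    return {day: sorted(ips) for day, ips in sorted(per_day.items())}


def victims_by_country(per_day: dict) -> dict:
    """Collapse the window to unique sources, then bucket by jurisdiction."""
    seen = set().union(*per_day.values()) if per_day else set()
    counts = defaultdict(int)
    for ip in seen:
        counts[country_of(ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    per_day = victims_per_day(CONSTRUCTED_LOG)
    for day, ips in per_day.items():
        print(day, len(ips), "unique check-in sources")
    print("by country:", victims_by_country(per_day))
```

Two caveats belong next to any number produced this way: NAT hides many victims behind one address (undercount), and DHCP churn makes the same victim appear as several addresses across a multi-day window (overcount), so report per-day unique counts alongside the whole-window figure rather than either alone.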

Civil litigation

•  Involves an aggrieved party (or regulatory body) going to court for some remedy.

•  Generally not available to most people for lack of “standing”.

•  Can also lead to some collateral damage.

Work with providers directly

•  Some are more cooperative than others.

•  Many go from uncooperative to cooperative.

•  Takes time to build a relationship and trust.

•  Bypasses “foreign policy” issues and gets results.

   •  As an example, I’ve gotten cooperation inside Russia and China on security issues.

Risk assessment

•  Before any takedown action is taken, a “risk assessment” should be done.

   •  What collateral damage could be done?

   •  Is action being taken against a third party and not the target?

   •  Will less aggressive means accomplish the mission without resorting to heavy-handed tactics?

Post-Takedown activity

•  Just because you take down the C2 network, it doesn’t necessarily mean you have cleaned up infected machines.

•  Operation Tovar created a mechanism for people to recover files and to see if they were infected, to make private individuals “whole”.

•  This is the most neglected part of takedowns.

The Key to All of This…

•  Most threats are too big for one organization to tackle.

•  Many organizations have unique data or skillsets.

•  The key is to have a group of people across organizations, each contributing a reasonable amount toward the goal.

The Key to All of This…

•  Private working groups aren’t exclusive to big companies or security companies.

•  Takes willingness to contribute something to get something in return.

•  Added benefit is access to information to protect your organization you wouldn’t have otherwise.

Venues to participate in takedown activity

•  Microsoft CME (Coordinated Malware Eradication) Program

•  Private working groups (some are more open than others)

   •  I run 4.

The Upshot

•  There is more work than could possibly be done.

•  If you want to contribute effort, find a venue to do so.

   •  Reverse-engineering

   •  Tooling

   •  OSINT research

   •  Etc.

•  Much of the work is not as high-skill as you would think, just takes time, motivation and a willingness to learn.

Call to Action


Bottom Line

“The infosec industry doesn’t need another white paper.

What we need is bodies in the streets.”

This is here just because it amuses me

QUESTIONS? THANK YOU

John.bambenek@fidelissecurity.com / 217 493 0760

@bambenek
