thotcon 0x6: going kinetic on electronic crime networks
Posted on 12-Aug-2015
Going Kinetic on Electronic Crime Networks
THOTCON0x06
John Bambenek, Fidelis Cybersecurity
Introduction
• Sr. Threat Researcher with Fidelis Cybersecurity
• Faculty at the University of Illinois at Urbana-Champaign
• Producer of open-source intelligence feeds
• Run several takedown-oriented groups for various malware families
Problem Statement
• Right now we are on the losing end of an arms race
• The adversaries produce more malware than we can possibly analyze.
• We have to operate in the open while they operate in secret.
• Their core business is exploitation; security, for us, is a cost center.
• We operate in a global economy without an effective means of global law enforcement.
TL;DR
Bad News: We’re Doomed
Good News: Unlimited Job Security
What to do…
• You could keep playing defense:
  • Firewall rules
  • IDS/IPS rules
  • AV signatures
  • IoCs
  • Etc etc etc
The problem of “sufficiency”
• Once we “detect” a threat, work occurs until some “defense” is developed.
• Once a threat is “blocked”, the work tends to stop.
• The threat actor can operate with impunity and just has to tweak tactics occasionally.
• Those in most need of security are least likely to have it / afford it.
What to do…
• Or you can take the fight to the adversary and go kinetic?
• Why kinetic?
  • No, I’m not talking about predator drones…
  • Or hacking back…
What to do…
What is a takedown?
• An attempt to disrupt an ongoing electronic crime operation with the intent of ending it entirely.
• Successful takedowns: Operation Tovar, Conficker
• Unsuccessful takedowns: Kelihos (all 4)
• Complete disasters: No-IP
Aren’t takedowns just media ploys?
• Right now there is far too much media pimping in our industry by <insert company name here>.
• There have been plenty of takedowns for PR purposes. And white papers. And blog posts… etc.
• That doesn’t mean we should stop trying to have an impact.
How to tell the difference?
• Takedowns, like all security-related activity, require OPSEC.
• What’s the first rule of OPSEC?
Do takedowns do any good?
• Some argue that because crime doesn’t stop, takedowns don’t do any good.
  • Sure, stupid takedowns don’t do much good.
• But arrests haven’t stopped rape, murder and theft in a few thousand years either.
Do takedowns do any good?
• Writing detection rules doesn’t stop criminals from adapting either.
• Key is to do things in a thoughtful way to maximize impact and minimize risk.
• Hopefully along the way an indictment can be had.
How to do takedowns…
• Largely depends on the threat and the complexity.
  • Can be as simple as asking a provider to shut someone down.
• Can be as complicated as involving dozens of organizations, law enforcement across multiple countries.
The Easy Way
• Getting things taken down for criminal activity can be time-consuming.
• Getting things taken down for “brand damage” / DMCA is generally easy.
  • Seriously, ICANN has minimal security rules for domains, but they are all over brand damage / impersonation.
The Easy Way
• That only works for “small” threats… the kind of threats that easily come back anyway.
• Most threats are too big for one organization to handle.
  • There are shared threats and unique threats. Most are shared threats.
Building the Intel for Takedowns
• Have to build the “what” before you can answer the “how”.
• Almost all malware wants to talk “somewhere”.
• Enumerate *ALL* avenues an adversary can contact an infected machine.
Example #1
• Example #1: Domain Generation Algorithms
• Based on some math, a pseudo-random but predictable list of domains is generated.
Example #1
• If you can RE a DGA, you can use it to build intel.
  • See Johannes Bader’s blog: johannesbader.ch
• Create a domain list, use adns-tools to resolve large numbers of them on a routine basis: instant SIGINT tool.
Example #1
tmabjkeyftudpk.com , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
eiavquoeipblqq.net , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
rvyqndcrbqsxqu.biz , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
fjccjegtytxxsh.ru , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
swbwgmthrupkju.org , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
gqfoopfpkaxjjf.co.uk , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
Example #1
• You could use this list to find what resolves and where the adversary is sitting…
50.63.202.25 , IP used by matsnu C&C
54.228.194.98 , IP used by matsnu C&C
Example #1
• Or you could take all the domains, current and future, in a legal action.
  • If there is no other path to access, you have severed the adversary’s ability to control. (Operation Tovar did this.)
• You could also buy all the domains…
  • Expensive, unless you are a registrar, which is cheaper than you think to do.
  • Or you could ask the registrar to suspend. Many will take action (some won’t).
  • AlienSpy example
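The DGA-to-intel pipeline the slides describe (pre-compute the day’s domains, bulk-resolve them, see which ones actually resolve and where the adversary is sitting) as an added worked example. This is not code from the talk, and the `toy_dga` function is a hypothetical date-seeded generator, not the Cryptolocker or any real family’s algorithm; the resolver is injected and answered from a constructed table so the script runs offline, where in practice you would feed the list to adns-tools as the slide suggests.

```python
import datetime
import hashlib
from collections import defaultdict

# TLD rotation modeled on the feed sample in the slides (constructed choice, not a real family's list).
TLDS = ["com", "net", "biz", "ru", "org", "co.uk"]


def toy_dga(day, count=6, seed="hypothetical-family"):
    """Hypothetical DGA (NOT any real malware's algorithm). It has the one property the
    talk relies on: output is pseudo-random, but fully predictable for any date once the
    seed and the math are known, so a defender can pre-compute what the bots will ask for."""
    domains = []
    for i in range(count):
        material = "{}|{}|{}".format(seed, day.isoformat(), i).encode()
        digest = hashlib.sha256(material).digest()
        # 14 lowercase letters, like the labels in the feed sample above.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
        domains.append("{}.{}".format(label, TLDS[i % len(TLDS)]))
    return domains


def domains_for_date(year, month, day):
    return toy_dga(datetime.date(year, month, day))


def feed_lines(domains, family, day):
    """Emit the 'domain , Domain used by <family> DGA for <date>' lines seen in the slides."""
    return ["{} , Domain used by {} DGA for {:%d %b %Y}".format(d, family, day) for d in domains]


def infrastructure_map(domains, resolver):
    """Bulk-resolve and invert: IP -> list of DGA domains pointing at it.
    resolver(domain) returns a list of IPs, or [] for NXDOMAIN. Several predicted domains
    landing on one host is the signal that the host is the adversary's real C2."""
    by_ip = defaultdict(list)
    for domain in domains:
        for ip in resolver(domain):
            by_ip[ip].append(domain)
    return dict(by_ip)


def demo():
    day = datetime.date(2015, 5, 11)
    domains = toy_dga(day)
    # Constructed DNS answers (documentation-range IPs): two predicted domains registered by
    # the operator point at one host, a third at another, the rest are unregistered.
    answers = {
        domains[0]: ["198.51.100.7"],
        domains[2]: ["198.51.100.7"],
        domains[4]: ["203.0.113.9"],
    }
    return {
        "feed": feed_lines(domains, "Hypothetical-Family", day),
        "by_ip": infrastructure_map(domains, lambda d: answers.get(d, [])),
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["feed"]))
    for ip, names in result["by_ip"].items():
        print(ip, "<-", ", ".join(names))
```

Run daily with the real resolver and diff the `by_ip` output against the previous run; new IPs, or a known IP picking up additional predicted domains, are the events worth acting on (sinkhole request, provider notification).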
Example #2
• Example #2: Mine malware for C2 information
• https://github.com/kevthehermit/RATDecoders
• Python scripts that will statically rip configurations out of 32 different flavors of RATs.
• Disclaimer: I had nothing to do with the development of these tools; they just fit my need and Kevin Breen deserves mad props.
Sample DarkComet config
Key: CampaignID Value: Guest16
Key: Domains Value: ######.ddns.net:1234
Key: FTPHost Value:
Key: FTPKeyLogs Value:
Key: FTPPassword Value:
Key: FTPPort Value:
Key: FTPRoot Value:
Key: FTPSize Value:
Key: FTPUserName Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger Value: 1
Key: Password Value:
Key: Version Value: #KCMDDC51#
Sample njRat config
Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: #####.ddns.net
Key: Install Dir Value: UserProfile
Key: Install Flag Value: False
Key: Install Name Value: svchost.exe
Key: Network Separator Value: |'|'|
Key: Port Value: 1177
Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4
Processing DNS/IP Info
• Config takes FQDN or IP in free-form field.
• This is the only configuration item on which any processing is done.
• If it is an RFC 1918 IP, drop the config.
• If the FQDN resolves to an RFC 1918 IP, keep it.
• If it doesn’t resolve, keep it.
Sample Output
0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,######.ddns.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR
0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,######.noip.me,,1604,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS
07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,######.no-ip.biz,204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N
07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,######.no-ip.biz,,1604,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC
07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A2xbJmSqvuc,DC_MUTEX-F54S21D
07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,######.ddns.net,31.132.106.94,1604,1.#######.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN
NOTE – Redacted entries are the username and password for the FTP drop for keylogs.
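The two steps the last few slides describe, flattening a decoder’s “Key: … Value: …” dump into a structure and applying the RFC 1918 keep/drop rules to the free-form host field before emitting a row in the Sample Output format, as one added worked example. It is my code, not the RATDecoders project’s or the talk’s; the column order of the output row (SHA1, YYMMDD date, config type, campaign, domain, IP, port, FTP host, FTP user, FTP password, gencode, mutex) is my reading of the sample rows above and is an assumption, the sample configs are constructed with `.invalid` hostnames and documentation-range IPs, and DNS answers come from a constructed table so it runs offline.

```python
import csv
import io
import ipaddress
import re

# One "Key: <name> Value: <value>" pair. The next pair may follow the value with no separator
# at all (the dumps above read "...Guest16Key: Domains..."), hence the lazy value and lookahead.
CONFIG_PAIR = re.compile(r"Key:\s*(.+?)\s+Value:\s*(.*?)(?=\s*Key:|\s*\Z)", re.S)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flat_config(text):
    """Flattened decoder dump -> dict. Empty values are kept as '' so column positions survive."""
    return {key.strip(): value.strip() for key, value in CONFIG_PAIR.findall(text)}


def as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def split_host_port(field):
    """'host:1604' -> ('host', '1604'); a bare host or IP -> (host, '')."""
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return field, ""


def classify_c2(field, resolver):
    """The slides' rules for the free-form FQDN/IP field. Returns (keep, domain, ip, port).
    - bare RFC 1918 IP: drop the whole config (a LAN test build, no intel value)
    - bare public IP: keep, goes in the IP column
    - FQDN that does not resolve: keep, the name itself is the intel
    - FQDN resolving to RFC 1918: keep; I leave the IP column blank for a private answer
      (my choice, the slides only say to keep the record)
    resolver(host) returns a list of IP strings, [] for NXDOMAIN."""
    host, port = split_host_port(field.strip())
    ip = as_ip(host)
    if ip is not None:
        return (not is_rfc1918(ip), "", host, port)
    answers = [a for a in resolver(host) if as_ip(a) is not None]
    public = [a for a in answers if not is_rfc1918(as_ip(a))]
    return (True, host, public[0] if public else "", port)


def to_row(sha1, yymmdd, family, cfg, resolver):
    """Assumed column layout of the Sample Output rows. Returns None when the config is dropped."""
    host_field = cfg.get("Domains") or cfg.get("Domain", "")   # DarkComet vs njRat key names
    keep, domain, ip, port = classify_c2(host_field, resolver)
    if not keep:
        return None
    return [sha1, yymmdd, family,
            cfg.get("CampaignID") or cfg.get("Campaign ID", ""),
            domain, ip, port or cfg.get("Port", ""),
            cfg.get("FTPHost", ""), cfg.get("FTPUserName", ""), cfg.get("FTPPassword", ""),
            cfg.get("Gencode", ""), cfg.get("Mutex", "")]


def to_csv_line(row):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row)
    return buf.getvalue()


# Constructed samples modeled on the dumps in the slides (placeholder hashes, .invalid names).
SAMPLE_DARKCOMET = (
    "Key: CampaignID Value: Guest16Key: Domains Value: c2-example.ddns.invalid:1604"
    "Key: FTPHost Value: Key: FTPUserName Value: Key: FTPPassword Value: "
    "Key: Gencode Value: 3yHVnheK6eDmKey: Mutex Value: DC_MUTEX-EXAMPLE"
)
SAMPLE_LAN_ONLY = "Key: CampaignID Value: testKey: Domains Value: 192.168.1.20:1604Key: Mutex Value: DC_MUTEX-LAN"
CONSTRUCTED_DNS = {"c2-example.ddns.invalid": ["203.0.113.45"]}


def demo_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def demo():
    rows = []
    for sha1, text in (("0" * 39 + "1", SAMPLE_DARKCOMET), ("0" * 39 + "2", SAMPLE_LAN_ONLY)):
        row = to_row(sha1, "150213", "Dark Comet Config", parse_flat_config(text), demo_resolver)
        if row is not None:          # the RFC 1918-only sample is dropped here
            rows.append(to_csv_line(row))
    return rows


if __name__ == "__main__":
    print("\n".join(demo()))
```

Keeping a non-resolving FQDN is the important edge case: dynamic-DNS names in these configs are often parked until the operator comes online, so the first time one resolves is exactly the event a daily re-resolution of the kept rows will catch.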
So you have data. Now what?
• You have four options for takedown-related actions:
  • Use the criminal justice system
  • Use civil litigation
  • Work with providers directly (AUP/ToS/contract enforcement)
  • Other “less legal” means which we will not discuss here.
Criminal Justice System
• The ideal result… someone gets arrested.
• Generally, work for big online crime cases starts with private sector research.
• Very time consuming but low cost.
• LE in almost every country is willing to work with anyone who can help build cases.
  • Yet cooperation between countries can be problematic.
Criminal Justice System
• Important tool to motivate law enforcement is to enumerate harm.
• Sinkhole domains (if possible) to build victim information.
• Before LE will act they want to know how their citizens are impacted.
• Possible to get cooperation even in “hostile” jurisdictions.
Civil litigation
• Involves an aggrieved party (or regulatory body) going to court for some remedy.
• Generally not available to most people for lack of “standing”.
• Can also lead to some collateral damage.
Work with providers directly
• Some are more cooperative than others.
• Many go from uncooperative to cooperative.
• Takes time to build a relationship and trust.
• Bypasses “foreign policy” issues and gets results.
  • As an example, I’ve gotten cooperation inside Russia and China on security issues.
Risk assessment
• Before any takedown is undertaken, a “risk assessment” should be done.
  • What collateral damage could be done?
  • Is action being taken against a third party and not the target?
  • Will less aggressive means accomplish the mission without resorting to heavy-handed tactics?
Post-Takedown activity
• Just because you take down the C2 network, it doesn’t necessarily mean you have cleaned up infected machines.
• Operation Tovar created a mechanism for people to recover files and to see if they were infected, to make private individuals “whole”.
• This is the most neglected part of takedowns.
The Key to All of This…
• Most threats are too big for one organization to tackle.
• Many organizations have unique data or skillsets.
• Key is to have a group of people across organizations, each contributing a reasonable amount toward the goal.
The Key to All of This…
• Private working groups aren’t exclusive to big companies or security companies.
• Takes willingness to contribute something to get something in return.
• Added benefit is access to information to protect your organization you wouldn’t have otherwise.
Venues to participate in takedown activity
• Microsoft CME Program
• Private working groups (some are more open than others)
  • I run 4.
The Upshot
• There is more work than could possibly be done.
• If you want to contribute effort, find a venue to do so.
  • Reverse-engineering
  • Tooling
  • OSINT research
  • Etc.
• Much of the work is not as high-skill as you would think, just takes time, motivation and a willingness to learn.
Call to Action
Bottom Line
“The infosec industry doesn’t need another white paper.
What we need is bodies in the streets.”
This is here just because it amuses me
QUESTIONS? THANK YOU
John.bambenek@fidelissecurity.com / 217 493 0760
@bambenek