The role of threat intelligence in combating targeted malware attacks
Boldizsár Bencsáth
Budapest University of Technology and Economics, Department of Telecommunications
Laboratory of Cryptography and System Security (CrySyS Lab), www.crysys.hu
joint work with Levente Buttyán, Gábor Pék, and Márk Félegyházi
Laboratory of Cryptography and System Security / CrySyS Adat- és Rendszerbiztonság Laboratórium / www.crysys.hu
CrySyS Lab - activities
09/2011 discovery, naming, and first analysis of Duqu malware
05/2012 published detailed technical analysis on Flame malware
02/2013 Together with Kaspersky Labs, we published information on the MiniDuke malware
03/2013 After the joint work with NSA HUN, we published results of investigations on the TeamSpy campaign
Miniduke
FireEye found a document with a 0-day PDF exploit on 12/02/2013
PDF documents using the same 0-day vulnerability but a different malware module were found
The documents were suspicious; we expected the attackers to use them against high-profile targets
~60 victim IP addresses found, many of them high-profile targets in governments and organizations, even NATO
Investigations were finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations
The main interest was not the malware itself but the attack campaign
TeamSpy
In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support to further investigate an already identified attack
We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists
There were multiple waves of attack campaigns by the same group over the last 8 years
Two main malware technologies: one “standard” proprietary botnet client, one based on TeamViewer abuse
Main goal of the attackers: targeted attacks to steal information
Traces show that the attackers were active from 2004
Some of their tools were already known for years by A/V companies, but the whole story was never identified (missing threat intelligence)
Threat Intelligence
the process of discovering malicious activity – through internal monitoring tools or external services that publish information about detected incidents – before an attack succeeds: situational awareness
to understand „what is going on”; technical analysis is just one point in that process
Information is needed from as many sources as possible
One finding might open the way for another (cyclic approach)
As long as the attack is not fully understood, the work done should not be exposed (too much) – don’t leak info towards the attackers
Questions of threat intelligence
What is the threat we are facing?
– What tools are used by the attackers?
– What are the possible capabilities and resources of the attacker?
– What is the goal of the attacker?
– Attribution (“who is the attacker?”) is just a way to understand it better
What is the risk at our side?
– What are our assets that need to be protected?
– What if the attack continues?
What should be the response?
– What is the most efficient way to handle the problem?
– How to notify others, what to share?
– What could happen after a response to the attack?
Threat intelligence process - a model
[Diagram: a cyclic model with the stages Collect → Dig → Analyze → Decide → Act, the edges between them labelled “info”, “query”, “intelligence” and “command”]
Threat intelligence gathering - sources
internal monitoring tools
– AV (anti-virus) products
– IDSs (Intrusion Detection Systems) and SIEMs (Security Incident and Event Management systems)
– log analysis tools
– DNS monitoring
– honeypots
external services
– run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals
– public, closed, or commercial access
– examples: collections of malware samples, malicious domains, IP blacklists
A case study for threat intelligence
5 Hungarian banks were attacked by a specific Zeus P2P botnet based attack from Dec/2012
Started with a phishing email and an executable attachment
Main attack: modified browser behavior to transfer money from the user’s bank account
The main attack scripts and the botnet were updated multiple times
First steps
Collect samples from victims
Run samples in a sandbox environment
– First within an isolated computer
– Network communication shows UDP traffic and later domain flux as a backup mechanism
– You can consider it P2P Zeus
At first glance VirusTotal gives something like 2/46 with “generic.Trojan” markers
After some hours it will give you something like 30/46 if the attack is wide-scale
If you still see 2/46 then you are in trouble: it can be a targeted attack (APT)
If you were the first to upload the sample to VT, you revealed information
Zeus P2P UDP traffic sample
01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180
01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140
Domain flux sample
01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
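The two captures above carry the signals the “First steps” slide relies on: one host contacting many unrelated peers on unprivileged UDP ports, and A? queries for long, random-looking names. As an added example (not code from the slides or from CrySyS Lab), the following Python script parses exactly this tcpdump output, summarises the UDP peer set per source host to flag P2P-like behaviour, and scores each queried name for domain-generation (DGA) characteristics (label length, character entropy, vowel ratio). The seven UDP lines and five DNS lines are the ones from the slides, embedded as the sample input; the thresholds (five peers, label length 15, entropy 3.0 bits, vowel ratio 0.35) are assumptions chosen for this sample, not values from the slides.

```python
import math
import re
from collections import Counter, defaultdict

# Sample input: the tcpdump lines from the slides (victim host masked as X.X.X.53).
UDP_SAMPLE = """\
01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180
01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140
"""
DNS_SAMPLE = """\
01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
"""

# tcpdump prints "host.port"; the non-greedy host group stops at the last ".<digits>".
UDP_RE = re.compile(r"^(?P<ts>\S+) .*?: (?P<src>\S+?)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+?)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) .* A\? (?P<qname>\S+) \(\d+\)$")


def parse_udp(text):
    """Return one dict per UDP line: ts, src, sport, dst, dport, len."""
    flows = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            flows.append({"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                          "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])})
    return flows


def peer_summary(flows):
    """Per source host: flow count, distinct peer IPs, distinct peer ports, ports above 1024."""
    by_src = defaultdict(lambda: {"flows": 0, "peers": set(), "ports": set()})
    for f in flows:
        s = by_src[f["src"]]
        s["flows"] += 1
        s["peers"].add(f["dst"])
        s["ports"].add(f["dport"])
    return {src: {"flows": s["flows"], "distinct_peers": len(s["peers"]),
                  "distinct_ports": len(s["ports"]),
                  "high_ports": sum(p > 1024 for p in s["ports"])}
            for src, s in by_src.items()}


def looks_like_p2p(host_summary, min_peers=5):
    """Heuristic (assumed threshold): many distinct peers, each on its own unprivileged port."""
    return (host_summary["distinct_peers"] >= min_peers
            and host_summary["distinct_ports"] >= min_peers
            and host_summary["high_ports"] == host_summary["distinct_ports"])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def domain_features(qname):
    """Features of the registrable label (the one left of the TLD)."""
    labels = qname.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [ch for ch in sld if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    return {"sld": sld, "length": len(sld),
            "entropy": round(shannon_entropy(sld), 3), "vowel_ratio": round(vowel_ratio, 3)}


def looks_dga(qname, min_len=15, min_entropy=3.0, max_vowel_ratio=0.35):
    """Heuristic (assumed thresholds): long, high-entropy, consonant-heavy label."""
    f = domain_features(qname)
    return f["length"] >= min_len and f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio


def parse_dns_queries(text):
    """Return the queried names (trailing dot removed) from the A? lines."""
    return [m["qname"].rstrip(".") for m in map(DNS_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    for host, s in peer_summary(parse_udp(UDP_SAMPLE)).items():
        print(f"{host}: {s}  p2p-like={looks_like_p2p(s)}")
    for name in parse_dns_queries(DNS_SAMPLE):
        print(f"{name}: {domain_features(name)}  dga-like={looks_dga(name)}")
```

Run as a script it prints the per-host peer summary and the per-name features. The thresholds should be tuned against your own resolver and flow logs before use: legitimate CDN or tracking hostnames can also be long and consonant-heavy, and the peer heuristic only separates “many peers on random ports” from client-server traffic, which is enough to raise the P2P question but not to name the family.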
Zeus contd.
It was found (and even published on blog sites) that the malware downloads updates from a hacked web page:
www.felegond-jatektar.hu/lego-logo/biz.exe
The site was running for weeks and nobody took steps to remove the content
The malware installed some new versions; for some, only the configuration block was different (e.g. peers)
Difference is only at the end of the file
Zeus Contd.
Later, new malware components were installed on the sandboxed computers
Some new modules try to communicate with two C&C servers, one in the Netherlands and one in Italy (95.141.32.214)
Components
Main communication module is written in Delphi
It uses a standard remote access SDK, “RealThinClient”
The malware stores components (executable files!) in the registry, in binary and sometimes encrypted form
– Software\Google\Update\network\secure
– Software\Adobe\Adobe Acrobat
– Software\Google\Common\Rlz\Events
Uses VNC as a module
Uses a SOCKS proxy to back-connect
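The three registry locations above give a defender a concrete host-side check. As an added example (not code from the slides or from CrySyS Lab), the following Python script parses the text of a regedit / reg export file and flags binary values that start with an MZ header, that are large and high-entropy (the “sometimes encrypted” case), or that sit under one of the three subkeys listed above. The sample .reg text, the HKEY_CURRENT_USER hive, and the 512-byte / 7.0-bit thresholds are constructed assumptions; the slides give only the subkey paths.

```python
import math
import re

# Subkeys named on the slide as component storage (the HKCU hive is an assumption;
# the slides give only the subkey paths). Compared case-insensitively.
SUSPICIOUS_SUBKEYS = {
    r"software\google\update\network\secure",
    r"software\adobe\adobe acrobat",
    r"software\google\common\rlz\events",
}

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<rest>.*)$')
HEX_RE = re.compile(r"^hex(?:\(\d+\))?:(?P<payload>.*)$")


def _hex_bytes(parts):
    return bytes.fromhex("".join(parts).replace(",", ""))


def parse_reg_export(text):
    """Parse regedit / `reg export` text into {(key, value_name): value}: hex values
    become bytes, dword becomes int, quoted strings become str. Handles the trailing
    backslash continuation lines regedit uses for long hex values."""
    values, key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            name, parts = pending
            parts.append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                values[(key, name)] = _hex_bytes(parts)
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rest = m.group("name"), m.group("rest")
        h = HEX_RE.match(rest)
        if h:
            parts = [h.group("payload").rstrip("\\").strip()]
            if rest.endswith("\\"):
                pending = (name, parts)
            else:
                values[(key, name)] = _hex_bytes(parts)
        elif rest.startswith("dword:"):
            values[(key, name)] = int(rest[6:], 16)
        elif len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
            values[(key, name)] = re.sub(r"\\(.)", r"\1", rest[1:-1])   # unescape \\ and \"
    return values


def byte_entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniform)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_executables(values, min_blob=512, entropy_threshold=7.0):
    """Flag binary registry values that look like stored malware components."""
    hits = []
    for (key, name), val in values.items():
        if not isinstance(val, bytes):
            continue
        reasons = []
        if val[:2] == b"MZ":
            reasons.append("MZ header (PE image stored in registry)")
        if len(val) >= min_blob and byte_entropy(val) >= entropy_threshold:
            reasons.append("large high-entropy blob (possibly encrypted payload)")
        subkey = key.split("\\", 1)[1].lower() if "\\" in key else key.lower()
        if subkey in SUSPICIOUS_SUBKEYS and len(val) >= min_blob:
            reasons.append("binary data under a known component-storage subkey")
        if reasons:
            hits.append({"key": key, "value": name, "size": len(val), "reasons": reasons})
    return hits


def _reg_hex(data, per_line=25):
    """Render bytes the way regedit exports them (comma-separated hex, '\\' continuations)."""
    hx = [f"{b:02x}" for b in data]
    lines = [",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line)]
    return "hex:" + ",\\\n  ".join(lines)


# Constructed sample export: a PE-like stub, a stand-in "encrypted" blob, and benign values.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(256)) * 2
ENC_BLOB = bytes(range(256)) * 2          # 512 bytes, entropy exactly 8.0 bits/byte
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Google\Update\network\secure]",
    '"data"=' + _reg_hex(PE_STUB),
    "",
    r"[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat]",
    '"blob"=' + _reg_hex(ENC_BLOB),
    "",
    r"[HKEY_CURRENT_USER\Software\Example]",
    '"Flag"=dword:00000001',
    '"Path"="C:\\\\Program Files\\\\Example"',
    '"Small"=hex:01,00,00,00',
])

if __name__ == "__main__":
    for hit in find_embedded_executables(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

Against a real export, read the file with `encoding="utf-16"` (regedit writes UTF-16 with a BOM) before passing the text in; in the sample only the two values under the listed subkeys are reported, while the dword, string and four-byte value under the benign key stay quiet.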
RCApp
For some reason, the RCApp receives a list of known victims from the C&C server
Communication is in encrypted form
Data reveals IP addresses and other information (Windows version, computer name, partial SID, etc.) on the victims
Data revealed that most victims are in Hungary, Sweden and Great Britain
Of course, the related CERT organizations were notified
RCApp module info about victim
name: infoUserName value: Tibor
name: infoIP value: 85.66.XXX.XXX
name: infoComputerName value: TIBOR-PC
name: infoClientVersion value: RCApp xxx
name: infoidgen value: HU-41-3XXXXXXXXX
name: infoIsHost value: true
name: infoisAv value: 1a
name: infoisX64 value: 0
name: infoisVer value: 1.0.7.5
name: infoisPcNetName value: TIBOR-PC
name: infoisPcUserName value: Tibor
name: infoisCountry value: HU
name: infoisJava value: 7
name: infoisbk value: 0
name: infoisKeyLog value: 0
name: infoisaccessadmin value: 0
name: infoisNote value: 0
name: infoisUptime value: Day: 0 Hour: 13 Min: 17
name: infouser value:
name: infopwd value: 2d53XXXXXXXXXXXXXXXXXXXz
name: infoid value: E80XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(Slide annotation: Windows version and patch level)
“Coropotaile” component victim distribution
Based on data extracted from the botnet
Number of known victims is small, ~500
Umbrella data (based on OpenDNS)
Momentsindividualists.biz – C&C domain
Coropotaile samples – from VirusTotal uploads
QqD Socks proxy module bd619bcdacc94b586a0afbdbb7d886c5
RCApp loader 994caf8a96a9608854eda97edf3ff434
RCApp xxx 1.7.5 from registry – maybe wrong eee085bca6e2d0103211e7e8a0d21fc4
VNC module (vncdll.dll) 149504b ba0e37dfb2b8432a0c0acc9dfc48bb8d
VNC module2 bb2ed55913b7edfdeeee82bb85fcf414
Zeus - conclusions
It is not just “Zeus”, it’s a campaign
A new related campaign was discovered (RCApp)
New malware strain uncovered with new tricks
Several corresponding samples can be investigated
Hundreds of victims were identified
Lots of questions are still unanswered
Work in progress
Conclusions – threat intelligence
Threat intelligence is more than finding and analyzing malware
A lot of information is available, but threat intelligence is still a hard task
Some tasks can be automated, but many cannot – scalability problems
It is a hard task to judge seriousness
Information sharing is highly needed
Threat intelligence is very important for the security of our networks
Questions?
CrySyS Lab, Budapest
contact info: www.crysys.hu
www.crysysatm.com