Leviathan: Command and Control Communications on Planet Earth
Dr. Kenneth Geers and Kevin Thompson, FireEye
Copyright (c) 2013, FireEye, Inc. All rights reserved. 2
Leviathan
Worldwide malware ecosystem
C2 malware signatures
Tactics, techniques, and procedures
lv|'|'|2YLZgNin2KrZgNmEINmF2YDYo9is2YDZiNixXzQwMENENTEw|'|'|Remote PC|'|'|admin|'|'|2013-04-22|'|'|USA|'|'|Win XP Professional SP2 x86|'|'|No|'|'|0.5.0E|'|'|..|'|'|QzpcV0lORE9XU1xzeXN0ZW0zMlxjbWQuZXhl|'|'|[endof]
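As an added example, not taken from the slide deck, here is a small parser for the delimited callback format shown above: it splits on the `|'|'|` separator, requires the `[endof]` terminator, base64-decodes the fields that decode cleanly, and labels fields by position so a detection pipeline can log them. The positional field names are an assumption drawn from the visible values (the slide does not name them), the sample string is a copy of the one on the slide, and the identification of this layout as an njRAT-style registration beacon is mine, not the slide's.

```python
import base64
import binascii
import re

DELIM = "|'|'|"          # field separator used by the beacon
TERMINATOR = "[endof]"   # frame terminator

# Constructed copy of the registration beacon string shown on the slide.
SAMPLE_BEACON = (
    "lv|'|'|2YLZgNin2KrZgNmEINmF2YDYo9is2YDZiNixXzQwMENENTEw|'|'|Remote PC|'|'|admin"
    "|'|'|2013-04-22|'|'|USA|'|'|Win XP Professional SP2 x86|'|'|No|'|'|0.5.0E"
    "|'|'|..|'|'|QzpcV0lORE9XU1xzeXN0ZW0zMlxjbWQuZXhl|'|'|[endof]"
)

# Positional labels are an assumption drawn from the visible values; the slide does not name them.
FIELD_NAMES = ["command", "victim_id", "hostname", "username", "install_date", "country",
               "os", "flag", "version", "separator", "active_window"]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def maybe_b64_decode(field):
    """Decode a field as base64 UTF-8 text if it is a clean blob; otherwise return it unchanged."""
    if len(field) < 8 or len(field) % 4 or not B64_RE.match(field):
        return field
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return field


def parse_beacon(raw):
    """Return the beacon as a dict of labelled fields, or None if the frame is not terminated."""
    if not raw.endswith(DELIM + TERMINATOR):
        return None
    parts = raw[: -len(DELIM + TERMINATOR)].split(DELIM)
    # Any fields beyond the ones named above get numbered labels instead of being dropped.
    names = FIELD_NAMES + [f"field_{i}" for i in range(len(FIELD_NAMES), len(parts))]
    return {name: maybe_b64_decode(value) for name, value in zip(names, parts)}


def looks_like_callback(raw):
    """Signature-style check: separator, terminator, and a short alphabetic command prefix."""
    parsed = parse_beacon(raw)
    return parsed is not None and parsed["command"].isalpha() and len(parsed["command"]) <= 3
```

The two base64 fields in the sample decode to a victim label ending in a volume-serial-style suffix and to a `cmd.exe` path, which is the kind of detail worth indexing when correlating callbacks across victims.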
Every industry vertical owned
Callbacks: ebb and flow
Knock Knock
Hiding in Plain Site
• Vertical Analysis: Education
  • Library
  • CS department
  • School of Law
• Vertical Analysis: Government
  • Country to Country
  • Less talk, more rock:
    • For 2013 - APT 2.49, Non 5.92
    • For 2014 - APT 1.6, Non 12.10
Hiding in plain “site”
• Unique initial CnC communications:
  • 200+ variants of google (gooqle)
  • 200+ variants of firefox (firefoxupdata)
  • 50+ variants of Facebook (faceboak)
  • 100s of Microsoft-related variants (microsocft, windosw)
  • Spoofed security or AV sites
Semantic signatures
World C2 network map
World C2 network heatmap
Connectivity and malware
Callbacks by vertical / country
The king of malware
USA: the top callback destination
Callback destinations from South Korea
Overlap: investigative headache
USA: also a favorite target
Israel: traffic analysis
Geopolitical reflection: Ukraine crisis
RU-UA unique callbacks by country
[Chart: unique callbacks per destination country, February vs. March; y-axis 0 to 35; countries AE, AR, AT, AU, BE, BR, CH, CN, DE, DK, EG, ES, EU, FI, FR, HK, IL, IN, IT, JP, LT, LU, MX, NL, NO, PE, PR, QA, SA, SE, SG, TH, TR, TW, VN, ZA]
Geopolitical reflection: Israel-Gaza crisis
[Chart: monthly counts, January through July; x-axis 0 to 120]
Unique callbacks: CA to IL (2014)