we can do better - sector greg hoglund sector keynote...ghostnet: backdoor mzx90 upx! the dropped...
TRANSCRIPT
We can do better
bull IDS only works if you have the right patterns but how do you make those patterns smarter and more real-time
ndash Stop depending on the security vendor for DAT files and signature databases
bull Tune your IDS to detect the threats that are custom to your environment
ndash You need to extract amp leverage the evidence that already exists in your own enterprise
Threat Intelligence Cycle
Adverse Event
Compromise Detected
Reimage Machine
Get Threat Intel from the host
Update NIDS
More Compromise
Scan for IOCrsquos
Search Logs
Evolving Threat Landscape
Evolving Threat Landscape
bull Adversaries are funded and well equipped
bull The bad guys are entrenched
bull AV losing credibility
ndash Web-based attack has 10-45 chance of bypassing the AntiVirus protection (NSS Q3 2010)
ndash Exploit-based attack has 25-97 chance of bypassing the AntiVirus protection (NSS Q3 2010)
Social Networking
bull A new way to target individuals and workers within a specific industry group
bull Itrsquos easy to create a false digital identity
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Threat Intelligence Cycle
Adverse Event
Compromise Detected
Reimage Machine
Get Threat Intel from the host
Update NIDS
More Compromise
Scan for IOCrsquos
Search Logs
Evolving Threat Landscape
Evolving Threat Landscape
bull Adversaries are funded and well equipped
bull The bad guys are entrenched
bull AV losing credibility
ndash Web-based attack has 10-45 chance of bypassing the AntiVirus protection (NSS Q3 2010)
ndash Exploit-based attack has 25-97 chance of bypassing the AntiVirus protection (NSS Q3 2010)
Social Networking
bull A new way to target individuals and workers within a specific industry group
bull Itrsquos easy to create a false digital identity
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Evolving Threat Landscape
Evolving Threat Landscape
bull Adversaries are funded and well equipped
bull The bad guys are entrenched
bull AV losing credibility
ndash Web-based attack has 10-45 chance of bypassing the AntiVirus protection (NSS Q3 2010)
ndash Exploit-based attack has 25-97 chance of bypassing the AntiVirus protection (NSS Q3 2010)
Social Networking
bull A new way to target individuals and workers within a specific industry group
bull Itrsquos easy to create a false digital identity
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Evolving Threat Landscape
bull Adversaries are funded and well equipped
bull The bad guys are entrenched
bull AV losing credibility
ndash Web-based attack has 10-45 chance of bypassing the AntiVirus protection (NSS Q3 2010)
ndash Exploit-based attack has 25-97 chance of bypassing the AntiVirus protection (NSS Q3 2010)
Social Networking
bull A new way to target individuals and workers within a specific industry group
bull Itrsquos easy to create a false digital identity
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Social Networking
bull A new way to target individuals and workers within a specific industry group
bull Itrsquos easy to create a false digital identity
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attack Vectors
bull Spear-phishingndash Booby-trapped documents
ndash Fake-Links to drive-by websites
bull Trap postings on industry-focused social networksndash Forums Groups (clinician list-servs AMDIS web
forums)
bull SQL injections into web-based portalsndash Employee benefit portals external labs etc
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Boobytrapped Documents
bull Single most effective focused attack todaybull Human crafts text
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
you know they will click it
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Social Networking Space
Injected Java-script
bull Used heavily for large scale infectionsbull Focused Social network targeting is possible
Web-based attack
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
SQL Injection
wwwsomesitecomsomepagephp
SQL attack inserts IFRAME or script tags
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
The web-based portal is quite helpful
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Using SEO tracker
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Google Web Portal Search
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
My First Hit on allinurlrdquoexchangelogonasprdquo ndash I havenrsquot even started yethellip
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Perimeter-less Network
bull Excuse me while I disconnect from the corporate network I need to use my mobile hotspot to check facebookhellip
bull The host matters more than ever
ndash Regardless of the network data path the data ends up on the host
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Cyber Weapons Market
bull Foreign Intelligence Services Criminals and Terroristrsquos donrsquot need to have expert hackers they can just buy exploits for money
ndash Fully weaponized and ready to use
ndash Mostly developed out of the Eastern Bloc
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Selling Access to Your Network
bull Access to your networks is being auctioned
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
They will install for you
Minimum is 1000 installs ndash this would be about $100000 for US installs
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Recruiting All Exploiters
Pays per 1000 infections
httpwwwsecureworkscomresearchthreatsppi
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Custom Crimeware Programming Houses
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Eleonore (exploit pack)
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Tornado (exploit pack)
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Sources of Intelligence
bull Data at rest
bull Data in motion
bull Data in execution
ndash This is the gap and it exists only at the host
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
DISK FILE
MD5 Checksum is white listed
IN MEMORY IMAGE
OS
Load
er
Internet DocumentPDF Active X Flash
Office Document Video etchellip
Process is trusted
White listing on disk doesnrsquot prevent
malware from being in memory
White listed code does not mean secure code
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
DISK FILE
MD5 Checksum
reliable
MD5 Checksum
is not consistent
IN MEMORY IMAGE
Software Traits remain
consistent
100 dynamic
Copied in full
Copied in part
OS
Load
er
In memory traditional checksums
donrsquot work
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Starting Malware
PackedMalware
Packer 1
Packer 2
DecryptedOriginal
Physical memory tends to
get around the
lsquopackingrsquo
problem
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
DISK FILE
MD5 Checksumsall different
IN MEMORY IMAGE
Software Traits remain
consistent
OS
Load
er
Same malware
compiled in three
different
ways
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Humans
bull Attribution is about the human behind the malware not the specific malware variants
bull Focus must be on human-influenced factors
Binary Human
Move this way
We must move our aperture of visibility towards the human behind the malware
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Blacklists
Signatures
ATTRIBUTION-Derived
Intel Value WindowLifetime
IP Address
DNS name
Protocol Install
Hooks
Algorithms
Checksums
Minutes Hours Days Weeks Months Years
Developer Toolmarks
NIDS sansaddress
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Intelligence Spectrum
MD5 Checksum of a single malware sample
SSN amp Missile Coordinates of the Attacker
Blacklists
Nearly Useless Nearly Impossible
Developer Fingerprints
Social Cyberspace
DIGINT
Physical Surveillance
HUMINT
Sweet Spot
IDS signatures with long-term viability
Predict the attackerrsquos next moves
NetRecon
C2
TTP
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Developer Fingerprints
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
The Flow of Forensic Toolmarks
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Developer Fingerprints
NetRecon
C2
TTP
DNS C2 Protocol Encryption Method (high rate of change)
Exploit weaponization delivery vehicle
Shellcode
Installation + Deployment methodCommand + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)COMS (code level view as opposed to network sniff)
Defensive Antiforensics (usually a packer easily changed)
Actions Intent (attackerrsquos behavior as opposed to code)
Archaeology layer
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Rule 1
bull The human is lazy
ndash The use kits and systems to change checksums hide from AV and get around IDS
ndash They DONrsquoT rewrite their code every morning
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Rule 2
bull Most attackers are focused on rapid reaction to network-level filtering and black-holes
ndash Multiple DynDNS C2 servers multiple C2 protocols obfuscation of network traffic
bull They are not-so-focused on host level stealth
ndash Most malware is simple in nature and works great
ndash Enterprises rely on AV for host and AV doesnrsquot work and the attackers know this
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Rule 3
bull Physical memory is King
ndash Once executing in memory code has to be revealed data has to be decrypted
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution Example Paths
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Paths
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Example Gh0stNet
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
GhostNet
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
Embedded executableNOTE Packing is not fully effective here
UPX
Packer Signature
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
Resource Culture Code
0x0804
The embedded executable is tagged with Chinese PRC Culture code
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
GhostNet Dropper
parauumlyumlyumlUlsaquoigraveƒigraveSVW3yumlyuml
MZx90
This progRy y cannot be run in DOS mode
UPX
0x0804
The embedded executable is extracted to disk The extracted module is not packed PDB path reveals malware name E drive
MZx90 This program cannot be run in DOS mode
Egh0stServerRelease
installpdb
Embedded PDB Path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
PDB Path found within extracted EXE
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Link Analysisldquogh0strdquo
The web reveals Chinese hacker sites that reference the ldquogh0strdquo artifact
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
GhostNet Backdoor
MZx90
UPXThe dropped EXE is loaded as svchostexe on the victim It then drops another executable a device driver
MZx90 This program cannot be run in DOS mode
Egh0stServerRelea
seinstallpdb
Another embedded EXE
MZx90 MZx90
Another PDB path
egh0stserversysi
386RESSDTpdb
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Our defensehellip
Even if we had not known about the second executable our defense would have worked This is how moving towards the human offers
predicative capability
RawVolumeFileBinaryData
ldquogh0strdquo
Query ldquoFind Attackerrsquos PDB Pathrdquo
contains
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
What do we knowhellipi386 directory is common to device drivers Other clues1 sys directory2 lsquoSSDTrsquo in the name
Also embedded strings in the binary are known driver calls1 IoXXXX family2 KeServiceDescriptorTable3 ProbeForXXXX
SSDT means System Service Descriptor Table ndash this is a common place for rootkits and HIPS products to place hooks
KeServiceDescriptorTable is used when SSDT hooks are placed We know this is a hooker
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
What do we knowhellip
IofCompleteRequest IoCreateDevice IoCreateSymbolicLink and friends are used when the driver communicates to usermode This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver
When communication takes place between usermode amp kernelmode there will be a device path
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
For Immediate Defensehellip
Useless Human
MD5 of the Gh0stNet dropperEXE
Device Path of the kernel mode driver and the Symbolic Link name
PhysmemWindowsObjectName
ldquoRESSDTrdquo
Query ldquoFind Rootkit Device Path or Symlinkrdquo
contains
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Link Analysis
A readme file on Kasperkyrsquos site references a Ressdt rootkit
ldquoRESSDTrdquo
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
TMC
egh0stserversysi386RESSDTpdbejobgh0stReleaseLoaderpdbAVCgh0stDocAVCgh0stAppAVCgh0stViewCgh0stViewCgh0stDocejobgh0stReleasegh0stpdbCgh0st36_srcHACKERi386HACKEpdbgh0st36_srcServersysi386CHENQIpdb
Rootkit
Dropper
GUI (MFC)
DocView is usually MFC
Already at version 36
Rootkits
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
gh0st _RAT source code team and forum
wwwwolfexpnet
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Case Study Chinese APT
2004 20102005 20092007
SvcHostDLLlog
SvcHostDLLlog
SvcHostDLLlog ampldquobind cmd fristrdquo
Just ldquobind cmd fristrdquo
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution Example Timestamps
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Timestamps
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
IMAGE DEBUG DIRECTORY
PE TimestampsPE file
Image File Header
Optional Header
Module timestamptime_t (32 bit)
Debug timestamptime_t (32 bit)
This is not the same as NTFS file times which are 64 bit and stored in the NTFS file structures
This is present if an external PDB file is associated with the EXE
The lsquolmvrsquo command in WinDBG will show this value
e_lfanew
Image Data Directories
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Timestamp Formats
bull time_t ndash 32 bit seconds since Jan 1 1970 UTCndash 0x3DE03E0A usually start with lsquo3rsquo or lsquo4rsquo
bull lsquo3rsquo started in 1995 and lsquo4rsquo ends in 2012
ndash Use lsquoctimersquo function to convert
bull FILETIME ndash 64 bit 100-nanosecond intervals since Jan 1 1600 UTCndash 0x01C195C25100E190 usually start with lsquo01rsquo and a
letter bull 01A began in 1972 and 01F ends in 2057
ndash Use FileTimeToSystemTime() GetDateFormat() and GetTimeFormat() to convert
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Case Study Chinese APT
2004 20102005 2009
3XX2010 ndash XXXX AM3XX2010 ndash XXXX PM3XX2010 ndash XXXX PM
2007
12XX2007 ndash XXX AM
2XX2010 ndash XXXX AM11XX2009 ndash 9XX AM12XX2009 ndash 11XX PM
12XX2007 ndash XXX PM
XXXX2005 ndash XXXX PM
Compile times extracted from lsquosoysaucersquo backdoor program
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
For Immediate Defensehellip
Useless Human
Compile time
RawVolumeFileCompileTime
312010
Query ldquoFind Modules Created Within Attack Windowrdquo
gt
3312010lt
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution Example Sourcecode
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Source Code Clues
bull Bad guys keep re-using their same source code
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Source Code Trade
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Tracking Source Code
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Main Functions
bull Main
ndash Same argument parsing
ndash Init of global variables
ndash WSAStartup
bull DllMain
bull ServiceMain
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Service Routines
bull Install Uninstall Service
bull RunDll32
bull Service StartStop
bull ServiceMain
bull ControlService
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Skeleton of a service
DllMain()
store the HANDLE to the module in a global variable
ServiceMain()
RegisterServiceCtrlHandler amp store handle to service in global variable
call SetServiceStatus set PENDING then RUNNING call to main malware function(s)
ServiceCtrlHandler_Callback
handle various commands startstoppauseetc
Hard coded sleep( ) times
dwWaitHint
Sleep loop at end
Size of local buffer
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Skeleton of a service
Main_Malware_Function
do stuff
InstallService() OpenSCManager CreateService
UninstallService() OpenSCManager DeleteService
Service Name
Exception Handling
Registry Keys
Size of local buffer
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Filename Creation
bull Log files EXErsquos DLLrsquos
bull Subdirectories
bull Environment Variables
bull Random numbers
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Case Study Chinese APT
2004 20102005 2009
2005 posting of similar source code includes posterrsquos handle
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Case Study Chinese APTContinued searching will reveal many many references to the base source code of this malware
All malware samples for this attacker are derived from this basic framework but many additions amp modifications have been made
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
3rd Party SourceCode
Core lsquoBackbonersquo Sourcecode
3rd party Sourcecode
Tweaks amp Mods
3rd party libraries
Compiler
Runtime Libraries
Time
Paths
MAC address
Malware
Developer
Machine
Sample
Packing
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Format Strings
bull These are written by humans so they provide good uniqueness
httpsdd04d
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Searching for -ldquoUnable to determinerdquo amp-ldquoUnknown typerdquo
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material
Logging Strings
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Mutex Names
Mutex names remain consistent at least for one infection-push as they are designed to prevent multiple-infections for the same malware
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Link Analysis
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Search source code of the lsquoNet
Large grouping of constants
GhostNet Searching for sourcecode
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Further refine the search by including lsquoWAVE_FORMAT_GSM610rsquo in the search requirementshellip
Has something to do with audiohellip
GhostNet Refining Search
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
We discover a nearly perfect lsquocrsquo representation of the disassembled
function Clearly cut-and-paste
We can assume most of the audio functions are this implementation of
lsquoCAudiorsquo class ndash no need for any further low-level RE work
GhostNet Source Discovery
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution Example Command and Control
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Command amp Control
Communications Functions
Developer
Installation amp Deployment Method
Command amp Control Functions
Compiler Environment
Stealth amp Antiforensic Techniques
Malware
Sample
Packing
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Command and Control
bull Remote attackers must communicate with embedded access this is their primary weakness
bull We need to detection signatures for these COMS channels
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
API Usage
bull Once code is decrypted remote access behaviors are always the same ndash if you have host access this is a great way to detect compromise
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Command and Control
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN OS VERSION
Once installed the malware phones homehellip
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
CampC Hello Message
1) this queries the uptime of the machine
2) checks whether its a laptop or desktop machine
3) enumerates all the drives attached to the system including USB and network
4) gets the windows username and computername
5) gets the CPU info and finally
6) the version and build number of windows
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Command and Control Server
bull The CampC system may vary
ndash Custom protocol (Aurora-like)
ndash Plain Old URLrsquos
ndash IRC (not so common anymore)
ndash Stealth embedded in legitimate traffic
bull Machine identification
ndash Stored infections in a back end SQL database
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
A) Command is stored as a number not text It is checked here
B) Each individual command handler is clearly visible below the numerical check
C) After the command handler processes the command the result is sent back to the CampC server
Aurora CampC parser
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Attribution Example Algorithms
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Offset in screenshot
Len in bytes Datahellip
GhostNet Screen Capture Algorithm
Reads screenshot data creates a special DIFF buffer
Loops scanning every 50th line (cY) of the display
LOOP Compare new screenshot to previous 4 bytes at a time
If they differ enter secondary loop here writing a lsquodata runrsquo
for as long as there is no match
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
How to apply attribution
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Continuous Protection
bull The bad guys are going to get in Accept it
bull Because intruders are always present you need to have a continuous countering force to detect and remove them
bull Your continuous protection solution needs to get smarter over time ndash it must learn how the attackers work and get better at detecting them Security is an intelligence problem
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Continuous Protection
Adverse Event
Check AV Log
Breakdown 1
Check with AD
Compromise Detected
Reimage Machine Get Threat Intel
Breakdown 2
Inoculate Update NIDS
More Compromise
Scan for IOCrsquos
Breakdown 3
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
The Breakdowns
bull 1 ndash Trusting the AVndash AV doesnrsquot detect most malware even variants of
malware that itrsquos supposed to detect
bull 2 ndash Not using threat intelligencendash The only way to get better at detecting intrusion is
to learn how to detect them next time
bull 3 ndash Not preventing re-infectionndash If you donrsquot harden your network then you are
just throwing money away
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
The Intelligent Perimeter
bull Connect host-based intelligence back to the perimeter security devices
bull Extract any C2 DNS Protocol from physical memory and apply to NIDS
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Host System Analysis
bull Address all three of these
ndash Physical Memory
ndash Raw Disk (forensically sound)
ndash Live Operating System (for speed agentless)
bull Be able to extract artifacts from all three sources
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Timelines
bull Any timestamped event regardless of source
bull Make easy to extract in one step
ndash User registry
ndash Event log
ndash MFT
ndash Temporary internet files
ndash Prefetch
ndash Etchellip
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Malware Analysis
bull This needs to be easy
bull No more disassembly just show me the strings
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
The Solution
Adverse Event
Compromise Detected
Reimage Machine Get Threat Intel
Inoculate Update NIDS
More Compromise
Scan Hosts
Intelligent Perimeter
Host Analysis
Timelines
Malware Analysis
COMS
Artifacts
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom
Thank you
HBGary Incwwwhbgarycom
For copies of this slide deck contactKaren Burke
karenhbgarycom