Wrapping It Up - TAU

Tomer Teller

Posted on 11-Jan-2022

Page 1: Wrapping It Up - TAU

Tomer Teller

Page 2: Wrapping It Up - TAU

• Surprised and not surprised

• Do more harm than good

• But there is some good news..

Page 3: Wrapping It Up - TAU

Crypto Works

Trust the Math!

Page 4: Wrapping It Up - TAU

Implementation Is Broken

Trust No One!

Page 5: Wrapping It Up - TAU

• BSAFE crypto library

• BackDoor in Dual_EC_DRBG design

• $10 Million deal to set as default PRNG

• 2004-2013

Result: NSA can decrypt SSL/TLS Traffic

Page 6: Wrapping It Up - TAU

• Encrypted email service

• Founded in 2004

[email protected] – hmm..

• FBI: Court order to reveal metadata

• Owner: Refuse

Result: Operation shut down

Page 7: Wrapping It Up - TAU

• 29/05/2014

• Project developer warns about “unfixed security issues” in

• Website contains instructions to switch to Microsoft’s Bitlocker

?

Page 8: Wrapping It Up - TAU

“hacking” through backdoors is significantly more simple than trying to crack encryption.

Page 9: Wrapping It Up - TAU

The Bad Guys Are Winning!

Page 10: Wrapping It Up - TAU

[Restricted] ONLY for designated groups and individuals

Page 11: Wrapping It Up - TAU
Page 12: Wrapping It Up - TAU
Page 13: Wrapping It Up - TAU

#1 Information Security Crime Investigator/Forensics Expert

#2 System, Network, and/or Web Penetration Tester

#3 Forensic Analyst

#4 Incident Responder

#5 Security Architect

#6 Malware Analyst

#7 Network Security Engineer

#8 Security Analyst

#9 Computer Crime Investigator

#10 CISO/ISO or Director of Security

#11 Application Penetration Tester

#12 Security Operations Center Analyst

#13 Prosecutor Specializing in Information Security Crime

#14 Technical Director and Deputy CISO

#15 Intrusion Analyst

#16 Vulnerability Researcher/ Exploit Developer

#17 Security Auditor

#18 Security-savvy Software Developer

#19 Security Maven in an Application Developer Organization

#20 Disaster Recovery/Business Continuity Analyst/Manager

SRC: http://www.sans.org/20coolestcareers/

Page 14: Wrapping It Up - TAU

Step-By-Step, End-To-End, Target Attack Simulation

Understand attackers' techniques & methodologies

Discuss defense technologies and their limitations

Understand that there is no 100% security ..but we can still do something about it

Page 15: Wrapping It Up - TAU

• Step 1: Recon

• Step 2: Exploits & Delivery

• Step 3: Explore the network

• Step 4: Persistency

• Step 5: Exfiltrate

[Figure: progress bar of the five steps; source label: Wikipedia, "Targeted Attack"]

Page 16: Wrapping It Up - TAU
Page 17: Wrapping It Up - TAU

• Target Selection

• OSINT (Corporate/Individual)

• On-Site gathering

• HUMINT (Key employees, social engineering)

• Foot-printing (Port scanning, banner grabbing, etc..)

• Identify protection mechanisms (network/host/application/…)

http://www.pentest-standard.org/index.php/Intelligence_Gathering

Page 19: Wrapping It Up - TAU

• Cross-protocol profiling

• Application-leaked information

• Data correlation

• Weakest link and attack vector suggestion (Exploitation)

• Social engineering helper (categorization)

• MiTM with Automatic SSL Strip capabilities

• Supports multiple protocols:
  • HTTP (>100 web apps are supported)
  • SMTP, FTP, DHCP, …

• Open Source!

https://ae.rsaconference.com/US12/published/rsaus12/sessions/SPO1-303/SPO1-303.pdf

Page 20: Wrapping It Up - TAU

• “Internet Census of 2012” (Carna Botnet)

• Shodan Search Engine

• Google Dorks (Google Hacking)

http://internetcensus2012.bitbucket.org/paper.html

http://www.shodanhq.com/

Page 21: Wrapping It Up - TAU
Page 22: Wrapping It Up - TAU

• There are no rules when gathering information

• The more relevant data you collect, the better the attack can be

• Gather intelligence anonymously (e.g. TOR)

• Harvesting social information is not enough

• Attackers need technical information, too

Page 23: Wrapping It Up - TAU

Social Profile: Full Name, Address, Like, Location, Friends with.., Works at…, ..

Technical Profile: OS Version, Patch level, Browser usage, Installed plugins, AV Vendor, Firewall rules, ..

Page 25: Wrapping It Up - TAU

• Harvesting information on our victim

• Social Profile

• Technical Profile

• Organizing information with Maltego

• Generating actionable items:

• Locate the weakest link (Who?)

• Human / mobile device / server / …

• Define Time-Frames (When?)

• Engaging the target / Delivery Vector (How?)

Page 26: Wrapping It Up - TAU

• Once accurate information has been retrieved, one can move on to the next step…

• Writing specific and reliable exploits

• Preferably:

• No user interaction

• No crash / hang (continue in normal flow)

• No memory corruptions (less reliable)

Page 27: Wrapping It Up - TAU

• Oracle Java

• Adobe Acrobat Reader

• Adobe Flash

• Microsoft Internet Explorer

• Microsoft Word

• .

• .

“A Price List For Hackers Secret Software Exploits” Forbes

Page 28: Wrapping It Up - TAU

• Smashing the stack is so '90s

• Exploit writing is no longer generic

• Exploit mitigations make it more challenging

• DEP, HiASLR, /GS, SEHOP, vTable Guard, SandBox, EMET, ….

http://phrack.org/papers/shockwave_memory_disclosure.html

Page 29: Wrapping It Up - TAU

• ASLR randomizes key data areas (libraries, heap, stack,…)

• /DYNAMICBASE, PIE

• Cannot jump to fixed addresses anymore

• “Info-leak” era – Memory disclosure vulnerabilities

• Dynamic ROP based on image base address

• HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,..)

• VirtualAlloc(..,PAGE_EXECUTE_READWRITE) + CopyMemory()

• VirtualProtect(,.. PAGE_EXECUTE_READWRITE)

• SetProcessDEPPolicy(0)

• WriteProcessMemory(..)

• …

http://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Page 30: Wrapping It Up - TAU

• Separating running applications

• Lower the system privileges granted to the application

• Provides a tightly controlled set of resources for guest application

Adobe Sandbox Architecture

Chrome Sandbox Architecture

http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html

http://blog.azimuthsecurity.com/2010/05/chrome-sandbox-part-1-of-3-overview.html

Page 31: Wrapping It Up - TAU

• Mainly three types of vulnerabilities
  • Broker process
  • Kernel vulnerabilities
  • Through other user mode services (with higher privilege)

• Vulnerabilities in the kernel
  • A sandbox that relies on kernel security is as good as the kernel security
  • Exploiting unpatched kernel vulnerabilities can be used to break out
  • IE10 (CVE-2013-2551) - Vupen Pwn2own 2013
  • Chrome (CVE-2013-0912) – MWR Labs Pwn2Own 2013

• "+1 vuln" case
  • Depends on the sandbox
  • Less LOC == lowered attack surface

https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf

http://haxpo.nl/wp-content/uploads/2014/01/D1T1-Escaping-IE11-Enhanced-Protected-Mode.pdf

Page 32: Wrapping It Up - TAU

• Targets: IE 6-10, Windows XP-Windows8, 32/64 bit

• Vulnerability in Vector Markup Language (VML)

• Integer overflow vulnerability in undocumented function
  • Arbitrary Read/Write

• Disclose a pointer to bypass ASLR

• Technique to read an arbitrary string in memory **
  • #define MM_SHARED_USER_DATA_VA 0x7FFE0000

• Dynamic Return-Oriented-Programming (ROP)

• Use After Free Vulnerability

• Code Execution in the context of IE10 sandbox

• Kernel Vulnerability to escape the Sandbox


http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php

http://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf **

Page 33: Wrapping It Up - TAU
Page 34: Wrapping It Up - TAU

• Allocate buffer (and use it)

• Free Buffer (at some point)

• Use Buffer (reuse it)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char *c = malloc(10);      /* allocate buffer */
    strcpy(c, "hello");        /* and use it */
    printf("%s", c);
    free(c);                   /* free buffer (at some point) */
    *c = 0; // UAF             /* use after free: c still holds the old address */
    return 0;
}

Page 35: Wrapping It Up - TAU

• Allocate Object -> Free Object

• Overwrite the memory area with data (object/shellcode)

• Heap Spray techniques (popular but less reliable)

• Low Fragmentation Heap (LFH) manipulations

• Application specific techniques

• Trigger vulnerability (use object)

• Data will be interpreted as code

http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
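The slide above (page 34) shows the allocate / free / reuse pattern and page 35 shows why it matters: whatever lands in the recycled memory is what the dangling pointer dispatches through. The following is an added example, not code from the slides, showing the same pattern on an object with a function pointer (a stand-in for the vtable page 35 talks about) next to the two defensive habits that close the hole: clearing the caller's pointer at free time and refusing to dispatch through a non-live object. All type and function names here are constructed for the example.

```c
/* Added example (not from the slides): the allocate -> free -> reuse pattern
 * with the dangling-pointer hazard and two defensive habits that close it:
 * nulling the pointer at free time and refusing to dispatch through an
 * object that is no longer live. All names here are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A tiny object with a function pointer, standing in for the vtable that an
 * exploit overwrites after the free ("Data will be interpreted as code"). */
typedef struct widget {
    void (*on_event)(struct widget *self);
    char name[16];
} widget_t;

static void greet(widget_t *w) { printf("hello from %s\n", w->name); }

widget_t *widget_new(const char *name) {
    widget_t *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->on_event = greet;
    strncpy(w->name, name, sizeof w->name - 1);
    return w;
}

/* Unsafe shape (as on the slide): the caller still holds the old address. */
void widget_free_unsafe(widget_t *w) { free(w); }

/* Safer shape: take the address of the caller's pointer and clear it, so a
 * later use trips on NULL deterministically instead of on recycled memory. */
void widget_free(widget_t **pw) {
    if (pw && *pw) {
        memset(*pw, 0, sizeof **pw);   /* scrub the function pointer before release */
        free(*pw);
        *pw = NULL;
    }
}

/* Dispatch only through a live object. Returns 0 on success, -1 if refused. */
int widget_dispatch(widget_t *w) {
    if (w == NULL || w->on_event == NULL) return -1;
    w->on_event(w);
    return 0;
}

/* Returns 1 if widget_free cleared the caller's pointer, 0 otherwise. */
int demo_safe_free_clears_pointer(void) {
    widget_t *w = widget_new("demo");
    widget_free(&w);
    return w == NULL;
}

/* Returns the dispatch result after a safe free: -1 (refused), never a call
 * through whatever now occupies the freed chunk. */
int demo_dispatch_after_free_refused(void) {
    widget_t *w = widget_new("demo");
    widget_free(&w);
    return widget_dispatch(w);
}

int main(void) {
    widget_t *w = widget_new("live");
    widget_dispatch(w);                                        /* hello from live */
    widget_free(&w);
    printf("dispatch after free -> %d\n", widget_dispatch(w)); /* -1 */
    return 0;
}
```

The pointer-clearing free only helps for the pointer passed in; copies of the address held elsewhere (the usual situation in a browser object graph) stay dangling, which is why allocator hardening and vtable integrity checks exist on top of this discipline.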

Page 36: Wrapping It Up - TAU

• A technique, not an exploit

• Defeats ASLR

• Place sequence of bytes in predetermined location

• JavaScript, VBScript, ActionScript, Images, HTML5

Page 37: Wrapping It Up - TAU
Page 38: Wrapping It Up - TAU

• Exploit overwrites a vtable (stack/heap)

• Controlling EIP by calling a function pointer

• Fill the memory with NOPs (0x0c) + shellcode

• Memory at 0x0c0c0c0c will contain 0x0c0c0c0c

MOV EAX,DWORD PTR SS:[EBP+8]   // Pointer to object
MOV EDX,DWORD PTR DS:[EAX]     // Pointer to vtable
MOV EAX,[EDX+4]                // Pointer to vfunc_A2 (offset)
CALL EAX                       // Call vfunc_A2

https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf

Multiple pointer dereference:
EAX = 0x0c0c0c0c
[EAX] = 0x0c0c0c0c
[EDX+4] = 0x0c0c0c0c
CALL EAX                       // jump to 0x0c0c0c0c
0x0c0c (2-byte instruction) decodes as: OR AL, 0x0C

Page 39: Wrapping It Up - TAU

• Nozzle & BuBBle

• EMET

• Heap Locker

• Browser Memory Subversion Library - DEMO
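Page 38 describes the shape of a sprayed heap (long runs of one byte leading into the payload) and page 39 lists detectors such as Nozzle that look for exactly that shape at allocation time. The following is an added example, not code from the slides or from any of the tools named, of a simplified sled heuristic of that kind: it measures how much of a block is covered by long single-byte runs and flags the block above a threshold. The thresholds and sample blocks are constructed for illustration.

```c
/* Added example, not from the slides or the tools they cite: a simplified
 * sled heuristic of the kind allocation-time detectors apply. A sprayed block
 * is dominated by long runs of one repeated byte (0x0c on the slide) leading
 * into the payload; ordinary string data is not. Thresholds are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN       64     /* a run shorter than this is not sled-like     */
#define SLED_FRACTION 0.75   /* flag when sled bytes cover this much or more  */

typedef struct {
    size_t  sled_bytes;      /* bytes inside runs of length >= MIN_RUN        */
    size_t  longest_run;
    uint8_t dominant;        /* byte value of the longest run                 */
} sled_stats_t;

/* Single pass over the buffer counting maximal runs of identical bytes. */
sled_stats_t sled_scan(const uint8_t *buf, size_t len) {
    sled_stats_t st = {0, 0, 0};
    size_t i = 0;
    while (i < len) {
        size_t j = i + 1;
        while (j < len && buf[j] == buf[i]) j++;
        size_t run = j - i;
        if (run >= MIN_RUN) st.sled_bytes += run;
        if (run > st.longest_run) { st.longest_run = run; st.dominant = buf[i]; }
        i = j;
    }
    return st;
}

/* Returns 1 when the block looks like a spray sled, 0 otherwise. */
int looks_like_spray(const uint8_t *buf, size_t len) {
    if (len == 0) return 0;
    sled_stats_t st = sled_scan(buf, len);
    return (double)st.sled_bytes / (double)len >= SLED_FRACTION;
}

/* Constructed sample: a 0x0c sled followed by a short non-repeating tail,
 * the NOPs + payload shape the slide describes. The tail is arbitrary bytes. */
int sample_sprayed_block(void) {
    static uint8_t blk[4096];
    memset(blk, 0x0c, sizeof blk - 64);
    for (size_t i = sizeof blk - 64; i < sizeof blk; i++)
        blk[i] = (uint8_t)(i * 7 + 3);      /* varied filler, no long runs */
    return looks_like_spray(blk, sizeof blk);
}

/* Constructed benign sample: a JavaScript-looking string repeated to 4 KiB. */
int sample_benign_block(void) {
    static uint8_t blk[4096];
    const char *txt = "var items = document.getElementsByTagName('div'); ";
    size_t n = strlen(txt);
    for (size_t i = 0; i < sizeof blk; i++) blk[i] = (uint8_t)txt[i % n];
    return looks_like_spray(blk, sizeof blk);
}

int main(void) {
    printf("sprayed block flagged: %d\n", sample_sprayed_block());   /* 1 */
    printf("benign block flagged:  %d\n", sample_benign_block());    /* 0 */
    return 0;
}
```

A production detector also disassembles the run to confirm it executes as a sled (which is what makes 0x0c0c a usable NOP, as the slide's OR AL, 0x0C decoding shows) and tracks the ratio across the whole heap rather than per block, since an attacker can split the sled into many smaller allocations.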

Page 40: Wrapping It Up - TAU
Page 41: Wrapping It Up - TAU

• Email attachment
  • Send a malicious email attachment

• Browser Drive-By-Download
  • Host the malicious content on a website

• "Water-hole" technique
  • Compromise a website the victim is likely to visit

• USB
  • Brand the logo, and drop it next to a company HQ

• Social Engineering
  • Fool someone into doing it for you

• Mobile malware
  • Spread a malicious mobile application

Page 42: Wrapping It Up - TAU

• “WaterHole” vector

• Browser exploit (DEP/ASLR/Sandbox bypass)

• Result: Compromised machine in the network

Page 44: Wrapping It Up - TAU

• Attackers will keep moving laterally in the network

• Find more devices

• Gain more access

• Find interesting data

• Pass-The-Hash

• Ease the SSO process by caching users' credentials locally

• NTLM Uses password hashes in the challenge response

• Many available tools to dump the hashes: WCE, Pshtoolkit, …

Page 45: Wrapping It Up - TAU

[Figure: cycle of Gain Privileged Access → Dump admin password hash (Pshtoolkit, WCE,…) → Access Remote Computers → …]

http://media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_Slides.pdf

http://www.rsaconference.com/writable/presentations/file_upload/hta-w03-pass-the-hash-how-attackers-spread-and-how-to-stop-them.pdf

Page 46: Wrapping It Up - TAU

• Pass-The-Hash between nodes in the domain

• Gain more access in the network

• Maintain persistency

Page 47: Wrapping It Up - TAU

• Attacker needs to stay for the long term

• Users tend to:

• Reboot their computer

• Patch their systems

• Update their signature detection

• Attacker needs to deploy undetected software on victim machine

• Remote Administration Tools (RATs) are the most popular

• Poison Ivy, Dark Comet, Net Wire, ….

Page 48: Wrapping It Up - TAU

• Client/Server Architecture

• Allows a remote "operator" to control a system

• Taking screenshots

• File Management (downloading/uploading files)

• Shell control (execute commands)

• Key logging capabilities

Page 49: Wrapping It Up - TAU

• AV vendors will likely flag the RAT as malicious

• Need to create a variant of the same RAT

• Obfuscation

• Packers

• Cryptors

• The result is “Same Same… But different”

Page 50: Wrapping It Up - TAU

• Attackers test their software first

• Uploading to VirusTotal will notify the AV vendors

• There are some alternatives in the market

• e.g. Scan4You (VirusTotal for Criminals)

Page 51: Wrapping It Up - TAU

• Sysadmin might detect the malicious program running

• Need to hide the malicious activity using a rootkit

• A rootkit is stealthy software that hides the existence of certain processes/programs from normal methods of detection

• What can it hide?

• Network Communication

• Registry Values

• File-System

• Processes

• …

Page 52: Wrapping It Up - TAU

• Kernel-mode Rootkit (ring 0)

• DKOM = Direct Kernel Object Manipulation

• Loadable kernel module has access to kernel memory

• It can modify (manipulate) objects directly in memory

typedef struct _EPROCESS
{
    KPROCESS Pcb;
    ..
    ..
    LIST_ENTRY ActiveProcessLinks;     /* links this process into the active-process list */
    ULONGLONG ProcessQuotaUsage[2];
    ULONGLONG ProcessQuotaPeak[2];
    ULONGLONG CommitCharge;
    PETHREAD RotateInProgress;
    PETHREAD ForkInProgress;
    ..
    ..
    UCHAR ImageFileName[16];           /* process image name shown by task managers */
    ..
} EPROCESS, *PEPROCESS;

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY *Flink;         /* forward link */
    struct _LIST_ENTRY *Blink;         /* backward link */
} LIST_ENTRY, *PLIST_ENTRY;

Page 53: Wrapping It Up - TAU

• KPRCB -> ETHREAD -> KTHREAD -> EPROCESS

• EPROCESS contains LIST_ENTRY (ActiveProcessLinks)

• Traverse the list and look for the process to hide

• Connect the previous process to point to the next one (and vice versa)

Why does the process keep running?
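Pages 52 and 53 describe the DKOM trick and end on the question of why the unlinked process keeps running: the scheduler works from thread structures, not from ActiveProcessLinks, so the list is only a view. The defender's answer is to compare views. The following is an added example, not code from the slides, that models the list unlinking in user mode on simplified stand-ins for EPROCESS and LIST_ENTRY, and then applies cross-view detection: an object found by scanning the pool of process objects but missing from the list walk is reported as hidden, the same comparison memory-forensics tools make between a list-walking and a pool-scanning process view. Structure fields, the pool-tag flag and the process names are constructed for the example.

```c
/* Added example, not from the slides: a user-mode model of ActiveProcessLinks
 * unlinking, with the defender's response, cross-view detection (list walk
 * versus pool scan). Structures are simplified stand-ins for EPROCESS and
 * LIST_ENTRY; the pool-tag flag and process names are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

/* Simplified EPROCESS: only the fields the technique touches. */
typedef struct {
    unsigned   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
    int        pool_tag_valid;   /* stands in for the pool tag a pool scanner keys on */
} EPROCESS;

#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
#define MAX_PROCS 8

static EPROCESS   pool[MAX_PROCS];   /* the "nonpaged pool" the scanner sweeps */
static LIST_ENTRY head;              /* PsActiveProcessHead stand-in */

void init_process_list(void) {
    const char *names[] = {"System", "smss.exe", "explorer.exe", "rat.exe", "notepad.exe"};
    head.Flink = head.Blink = &head;
    memset(pool, 0, sizeof pool);
    for (unsigned i = 0; i < 5; i++) {
        EPROCESS *p = &pool[i];
        p->UniqueProcessId = 4 * (i + 1);
        strncpy(p->ImageFileName, names[i], sizeof p->ImageFileName - 1);
        p->pool_tag_valid = 1;
        /* append at the tail of the doubly linked list */
        p->ActiveProcessLinks.Flink = &head;
        p->ActiveProcessLinks.Blink = head.Blink;
        head.Blink->Flink = &p->ActiveProcessLinks;
        head.Blink = &p->ActiveProcessLinks;
    }
}

/* The DKOM step from the slide: previous entry points past the target and
 * vice versa. The EPROCESS itself is untouched, so scheduling continues. */
void dkom_unlink(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;     /* self-link so a later unlink stays safe */
}

/* View 1: walk the list, as a task manager would. */
int list_walk_contains(unsigned pid) {
    for (LIST_ENTRY *e = head.Flink; e != &head; e = e->Flink)
        if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid)
            return 1;
    return 0;
}

/* View 2: scan the pool for objects with a valid tag, ignoring the links. */
int pool_scan_contains(unsigned pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (pool[i].pool_tag_valid && pool[i].UniqueProcessId == pid) return 1;
    return 0;
}

/* Cross-view: present in the pool but absent from the list -> hidden.
 * Fills out (if non-NULL) with the hidden PIDs; returns how many were found. */
int find_hidden_processes(unsigned *out, int max_out) {
    int n = 0;
    for (int i = 0; i < MAX_PROCS; i++) {
        unsigned pid = pool[i].UniqueProcessId;
        if (pool[i].pool_tag_valid && !list_walk_contains(pid)) {
            if (out && n < max_out) out[n] = pid;
            n++;
        }
    }
    return n;
}

int main(void) {
    unsigned hidden[MAX_PROCS];
    init_process_list();
    dkom_unlink(&pool[3]);                          /* hide rat.exe (pid 16) */
    int n = find_hidden_processes(hidden, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %u\n", hidden[i]); /* hidden process: pid 16 */
    return 0;
}
```

On a real system the second view comes from a memory image or a kernel driver scanning pool allocations, and a third view (the thread lists the scheduler actually uses) can be added for the same comparison; the principle is that a rootkit must lie consistently to every view at once, and each extra view is cheap for the defender and expensive for the attacker.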

Page 54: Wrapping It Up - TAU

• Create a variant of a malicious software

• Test for detection

• Install it on the victim machine

• Hide the malicious process using a rootkit

Page 55: Wrapping It Up - TAU

• Exfiltration “an unauthorized release of data from within a computer system” Wikipedia

• Attacker needs to exfiltrate information from the network without getting detected

• Many ways to achieve that:

• Encrypted over SSL

• Blend in normal traffic over HTTP

• Picture, Social media posts, pastebin, HTML tags,…

• VoIP

• Removable Media

• .

• .

Page 56: Wrapping It Up - TAU

“Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message” Wikipedia

Page 57: Wrapping It Up - TAU

• Hiding secret information inside a cat (picture)

• Uploading the picture to a web service, blending inside normal traffic

[Picture caption: "Why me?"]
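Pages 56 and 57 name the technique but not the mechanism. The following is an added example, not code from the slides, of the simplest form of it, least-significant-bit embedding in an 8-bit grayscale carrier, with the extraction side, a capacity check and a measure of how little the carrier changes. For a defender the two numbers that matter are in this block: every pixel moves by at most 1 (so visual inspection never catches it, only LSB-plane statistics do), and a carrier holds roughly one eighth of its pixel count in bytes (so bulk exfiltration needs many uploads, which is a volume signal). The carrier image, the payload and the 2-byte length prefix format are constructed for the example.

```c
/* Added example, not from the slides: least-significant-bit embedding in a
 * constructed 8-bit grayscale image, with extraction and a capacity check.
 * The carrier, payload and 2-byte length prefix are all constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_W 64
#define IMG_H 64
#define IMG_PIXELS (IMG_W * IMG_H)

/* Payload bytes the carrier can hold: one bit per pixel, minus the 2-byte length prefix. */
size_t lsb_capacity_bytes(size_t pixels) {
    size_t bytes = pixels / 8;
    return bytes > 2 ? bytes - 2 : 0;
}

/* Embed: 16-bit big-endian length, then payload, one bit per pixel, MSB first.
 * Returns 0 on success, -1 if the payload does not fit. */
int lsb_embed(uint8_t *img, size_t pixels, const uint8_t *msg, size_t len) {
    if (len > lsb_capacity_bytes(pixels) || len > 0xFFFF) return -1;
    uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)(len & 0xFF) };
    size_t p = 0;
    for (size_t i = 0; i < len + 2; i++) {
        uint8_t byte = i < 2 ? hdr[i] : msg[i - 2];
        for (int b = 7; b >= 0; b--, p++)
            img[p] = (uint8_t)((img[p] & 0xFE) | ((byte >> b) & 1));
    }
    return 0;
}

/* Extract: read the length prefix, then the payload into out (up to out_cap).
 * Returns the number of bytes recovered, or -1 if the header is implausible. */
int lsb_extract(const uint8_t *img, size_t pixels, uint8_t *out, size_t out_cap) {
    size_t p = 0;
    uint8_t hdr[2];
    for (int i = 0; i < 2; i++) {
        hdr[i] = 0;
        for (int b = 0; b < 8; b++, p++) hdr[i] = (uint8_t)((hdr[i] << 1) | (img[p] & 1));
    }
    size_t len = ((size_t)hdr[0] << 8) | hdr[1];
    if (len > lsb_capacity_bytes(pixels) || len > out_cap) return -1;
    for (size_t i = 0; i < len; i++) {
        out[i] = 0;
        for (int b = 0; b < 8; b++, p++) out[i] = (uint8_t)((out[i] << 1) | (img[p] & 1));
    }
    return (int)len;
}

/* Largest absolute per-pixel change between carrier and stego image. */
int max_pixel_delta(const uint8_t *a, const uint8_t *b, size_t pixels) {
    int m = 0;
    for (size_t i = 0; i < pixels; i++) {
        int d = a[i] > b[i] ? a[i] - b[i] : b[i] - a[i];
        if (d > m) m = d;
    }
    return m;
}

/* Constructed carrier: a smooth diagonal gradient standing in for the cat. */
void make_carrier(uint8_t *img) {
    for (int y = 0; y < IMG_H; y++)
        for (int x = 0; x < IMG_W; x++)
            img[y * IMG_W + x] = (uint8_t)((x + y) * 2);
}

/* Round trip: returns 1 if the payload survives embedding and no pixel
 * changed by more than 1, 0 otherwise. */
int demo_roundtrip(void) {
    static uint8_t cover[IMG_PIXELS], stego[IMG_PIXELS], out[64];
    const uint8_t secret[] = "db-export-q3.csv";      /* constructed payload */
    make_carrier(cover);
    memcpy(stego, cover, sizeof cover);
    if (lsb_embed(stego, IMG_PIXELS, secret, sizeof secret) != 0) return 0;
    int n = lsb_extract(stego, IMG_PIXELS, out, sizeof out);
    return n == (int)sizeof secret && memcmp(out, secret, (size_t)n) == 0
        && max_pixel_delta(cover, stego, IMG_PIXELS) <= 1;
}

int main(void) {
    printf("capacity of a %dx%d carrier: %zu bytes\n",
           IMG_W, IMG_H, lsb_capacity_bytes(IMG_PIXELS));   /* 510 */
    printf("round trip ok: %d\n", demo_roundtrip());        /* 1 */
    return 0;
}
```

Real carriers are lossy-compressed (JPEG), which destroys raw pixel LSBs; practical tools embed in the DCT coefficients instead, but the capacity and statistical-footprint arguments carry over, and a lossy recompression step at an upload gateway is a cheap way to break this whole class of channel.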

Page 58: Wrapping It Up - TAU

• Information Gathering

• Reliable exploitation

• Target Selection/Delivery

• Persistency and Stealthiness

• Data Exfiltration

Page 59: Wrapping It Up - TAU

• "Kill Chain" concept (Lockheed Martin)

• An attacker only needs to win once (find one hole)

• Need to move the asymmetry from the attacker to the defender

The defender only needs to detect once

What can be detected?

• Recon "Dry Run"

• Delivery methods

• Exploit techniques (heapspray, ROP chaining,…)

• Shellcode structure

• Communication (C&C communication)

• ..

• ..

Page 60: Wrapping It Up - TAU

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

MD5 / SHA1 / SHA256

Fuzzy hashing

Pattern-based

PCRE/ Regex

Proprietary language

Malware classifiers (J48, J48 Graft, PART)

Anti-VM

Anti-debugging

Anti-disassembly

Obfuscation

Reverse engineering

Semantic-aware detectors

Extract dynamic trace

Transform into IR

Compare to pre-defined templates

Memory dump analysis (packers)

API call trace analysis

Network activities

Registry modifications

Process creation/injections

File activities

What you see is what you get!

Page 61: Wrapping It Up - TAU

[Figure: "The Sample Lifecycle" flowchart. Labels: Sample Arrives (Unknown); Static Analysis; # Flags < Threshold; Dynamic Analysis; # Flags < Threshold; Classification; Benign; Not Classified; Generic Threat; Family Threat; Classified; Manual Analysis; Malicious; Interesting]

Page 62: Wrapping It Up - TAU

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

Build variants (e.g. Zeus)

Append garbage

Encoding

“Stay compliant”

Packing

Obfuscation

Encryption

Anti-reversing techniques

Avoid using the same executable template

Metasploit AV-evasion

Reuse “trusted templates”

PowerShell

In-memory exploits

Detect analysis*

Detect emulation*

Detect security product*

Beat the clock (AV sandbox)

“Split the maliciousness”

*Could be detected during static analysis

Page 63: Wrapping It Up - TAU

• Based on Lockheed Martin "Cyber Kill Chain"

• Overview of offensive and defensive exploit technologies


http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 64: Wrapping It Up - TAU


Page 65: Wrapping It Up - TAU


Page 66: Wrapping It Up - TAU


TIME: Cannot analyze a program forever
• Slow down loops
• Sleep
• Time-consuming operations (Encryption/Packing)

SPACE: Cannot maintain unlimited states
• "Run out the clock"
• OpenProcess, VirtualAllocEx, WriteProcessMemory, LOOP .., CreateRemoteThread
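Page 60 sketches the hybrid approach (extract a dynamic trace, lift it to an intermediate form, compare against templates), page 62 lists the evasions aimed at it ("split the maliciousness", beat the clock), and the slide above names the concrete call sequence a sandbox has to recognise. The following is an added example, not code from the slides or from any vendor's engine, of that matching step in miniature: a constructed API call trace, in a simple "<pid> <api>(args)" line format assumed for the example, is checked against an ordered template for the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence. The matcher ignores unrelated calls between the steps and tolerates a repeated write loop, so padding the trace with sleeps or noise does not break it, while still requiring the order. The template name, trace lines and argument values are constructed.

```c
/* Added example, not from the slides or any vendor's engine: ordered
 * template matching over a constructed API call trace, the comparison step
 * of the hybrid approach. Trace line format "<pid> <api>(args)" is assumed
 * for this example; template name and trace contents are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 8

typedef struct {
    const char *name;
    const char *steps[MAX_STEPS];   /* ordered API names, NULL-terminated */
} template_t;

/* Template for remote-thread injection. A real engine would also require the
 * same process handle across steps; names only here, to keep it short. */
static const template_t injection_template = {
    "remote-thread-injection",
    { "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", NULL }
};

/* Extract the API name from a trace line "<pid> <api>(...)".
 * Returns the name length, or 0 if the line does not parse. */
static size_t api_name(const char *line, char *out, size_t cap) {
    const char *sp = strchr(line, ' ');
    if (!sp) return 0;
    const char *start = sp + 1;
    const char *end = strchr(start, '(');
    if (!end) return 0;
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= cap) return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return n;
}

/* Ordered-subsequence match: advance through the template as each step
 * appears in trace order; unrelated calls in between are ignored, and a
 * repeated step (a WriteProcessMemory loop) is harmless because the cursor
 * has already moved on. Returns 1 if the whole template was seen in order. */
int trace_matches_template(const char *const *trace, size_t n_lines, const template_t *t) {
    size_t step = 0;
    char name[64];
    for (size_t i = 0; i < n_lines && t->steps[step] != NULL; i++) {
        if (!api_name(trace[i], name, sizeof name)) continue;
        if (strcmp(name, t->steps[step]) == 0) step++;
    }
    return t->steps[step] == NULL;
}

/* Constructed trace: the injection sequence with noise and a write loop between steps. */
static const char *const trace_injection[] = {
    "1204 GetTickCount()",
    "1204 OpenProcess(0x1F0FFF, 0, 3380)",
    "1204 Sleep(5000)",                      /* beat-the-clock padding */
    "1204 VirtualAllocEx(0x5c, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)",
    "1204 WriteProcessMemory(0x5c, 0x2a0000, 0x1234, 0x400)",
    "1204 WriteProcessMemory(0x5c, 0x2a0400, 0x1634, 0x400)",
    "1204 RegQueryValueExW(0x88, 'ProxyEnable')",
    "1204 CreateRemoteThread(0x5c, 0, 0, 0x2a0000, 0, 0)",
};

/* Constructed trace: same APIs but out of order (thread created before the write). */
static const char *const trace_out_of_order[] = {
    "2210 OpenProcess(0x1F0FFF, 0, 3380)",
    "2210 CreateRemoteThread(0x5c, 0, 0, 0x2a0000, 0, 0)",
    "2210 VirtualAllocEx(0x5c, 0, 0x1000, MEM_COMMIT, PAGE_READWRITE)",
    "2210 WriteProcessMemory(0x5c, 0x2a0000, 0x1234, 0x400)",
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int demo_injection_detected(void) {
    return trace_matches_template(trace_injection, COUNT(trace_injection), &injection_template);
}
int demo_out_of_order_not_detected(void) {
    return trace_matches_template(trace_out_of_order, COUNT(trace_out_of_order), &injection_template);
}

int main(void) {
    printf("%s: %d\n", injection_template.name, demo_injection_detected());   /* 1 */
    printf("out-of-order trace: %d\n", demo_out_of_order_not_detected());     /* 0 */
    return 0;
}
```

The "split the maliciousness" evasion from page 62 spreads these steps across processes or runs; a matcher that keys on the target handle and stitches traces per target object, rather than per calling process, is the usual answer, and the time-bound evasions on the slide above are why sandboxes accelerate Sleep rather than wait it out.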

Page 67: Wrapping It Up - TAU

• Elevation of privilege to kernel mode
  • Bypassing security products

• Server-Side Memory Leaks
  • HeartBleed Attack

• Stolen certificate authorities
  • Breaking the trust

• Automatic static analysis is hard!
  • Packing / obfuscation / encryption

• Manual static analysis
  • Time consuming / not scalable

• Dynamic analysis
  • The malware problem!


Page 70: Wrapping It Up - TAU

• Attackers are 10 steps ahead

• Defenders need to raise attack complexity
  • Force mistakes
  • Raise cost
  • Set up traps

• Defense-In-Depth works for 99%
  • For the 1% we need to keep innovating
  • Exchange threat intelligence

• Don't forget the basics
  • Patching
  • Password re-use
  • …

Page 71: Wrapping It Up - TAU

?

Page 72: Wrapping It Up - TAU

• Original Security Research

• Whitepapers / Tools

• Company representation

• Conferences

Current Research:

• Automated Memory Analysis for Malware Detection

• Advanced Exploit mitigation techniques

• Malware Evasion Visualization

Page 73: Wrapping It Up - TAU

Tomer Teller

[email protected]

@djteller