Advanced Persistent Threat
APT – What is it?
Wake Up
Google cyber attacks a 'wake-up' call
- Director of National Intelligence Dennis Blair
http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-call-for-US-intel-chief-says
Anatomy of APT Malware (diagram labels):
• Survive Reboot
• Command and Control Server
• C&C Protocol
• Process Injection
• File Search
• Update
• Keylogger
• USB Stick
IP is Leaving The Network Right Now
YOU ARE ALREADY OWNED
They are STEALING right now, as you sit in that chair.
The Coming Age
Economy
Espionage
MI5 says the Chinese government “represents one of the most significant espionage threats”
http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece
Big Brother
Opennet.net
Cash is not the only motive
Why Enterprise Security Products DON'T WORK
The True Threat
The Scale
Over 100,000 malware are automatically generated and released daily. Signature based solutions are tightly coupled to individual malware samples, thus cannot scale.
http://www.avertlabs.com/research/blog/index.php/2009/03/10/avert-passes-milestone-20-million-malware-samples/
Surfaces
The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware
Not an antivirus problem
Annealing (diagram labels): Value Horizon; Continuum; Continuous area of attack; Area of attack; Technology Lifecycle
By the time all the surfaces in a given technology are hardened, the technology is obsolete
The Global Malware Economy
A Global Theatre
A Global Theatre (diagram labels and price points, in reading order):
• Exploit Pack Vendor ($500+); Exploit Developer ($1,000+); 0-day Vendor ($10,000+ for 0-day); Implant / Rootkit Developer ($1000+)
• Rogueware Developer; Back Office Developer; eGold; Wizard; Bot Vendor; Payment system; Country that doesn't co-op w/ LE
• ~4% of bank customers; Keep 10%; Small Transfers; Victims; ATM; Secondary
• A single operator here may recruit 100's of mules per week; $5,000 incrm.; Keep 50%
• $100.00 per 1000 infections; Affiliate; Endpoint Exploiters; PPI; Botmaster
• Drop Man; Account Buyer; ID Thief; Forger; Cashier / Mule; Bank Broker
• Sells accounts in country where bank account is physically located; bulk $5.00 per; $50; Keep 10%
Crimeware and the State
China
“There are the intelligence-oriented hackers inside the People's Liberation Army”
“There are hacker conferences, hacker training academies and magazines”
“Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military”
When asked whether hackers work for the government, or the military, [he] says "yes."
http://news.cnet.com/Hacking-for-fun-and-profit-in-Chinas-underworld/2100-1029_3-6250439.html
Crimeware Affiliate Networks
Pay-per-install.org
Earning4u
Pays per 1,000 infections
* http://www.secureworks.com/research/threats/ppi/
PPI Programs
Custom Crimeware
Programming Houses
Anatomy of an APT Operation
Malware Distribution Systems
Boobytrapped Documents
• Single most effective focused attack today
• Human crafts text
Web-based attack
Social Networking Space
Injected Java-script
• Used heavily for large scale infections
• Social network targeting is possible
Trap Postings I
www.somesite.com/somepage.php
Some text to be posted to… <script></script> the site ….
Trap Postings II
www.somesite.com/somepage.php
Some text to be posted to… <IFRAME src= style="display:none"></IFRAME> the site ….
SQL Injection
www.somesite.com/somepage.php
SQL attack, inserts IFRAME or script tags
'Reflected' injection
Link contains a URL variable w/ embedded script or IFRAME *
User clicks link, thus submitting the variable too
Trusted site, like .com, .gov, .edu
The site prints the contents of the variable back as regular HTML
*For an archive of examples, see xssed.com
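The defensive counterpart to the reflected case above, as an added example that is not part of the original slides: a minimal page-rendering function in its vulnerable form (prints the URL variable straight back as HTML) beside a hardened form that HTML-escapes the variable first, plus the check a reviewer or scanner would run on the response. The page template, the parameter name `q` and the link are constructed for illustration.

```python
# Added example (not from the slides): reflected injection, vulnerable vs hardened.
# The slide describes a trusted site that prints a URL variable straight back as
# HTML. Template, parameter name "q" and the sample link are assumptions.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template; {term} is where the URL variable lands.
PAGE = "<html><body><h1>Results for: {term}</h1></body></html>"

# Constructed link of the shape the slide describes: a trusted-looking site
# with a tag embedded in a URL variable.
LINK = "http://www.somesite.com/somepage.php?q=<script>alert(1)</script>"


def extract_param(url: str, name: str = "q") -> str:
    """Pull the URL variable out of the clicked link (what the server receives)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the variable verbatim: any markup the link carried becomes part
    of the trusted site's page, exactly the failure the slide describes."""
    return PAGE.format(term=extract_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the variable is HTML-escaped before insertion, so
    <script> / <IFRAME> arrive as inert text rather than as markup."""
    return PAGE.format(term=html.escape(extract_param(url), quote=True))


def reflects_markup(rendered: str) -> bool:
    """Cheap response check: did a raw script or frame tag from the input survive?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(LINK)))  # True
    print("hardened reflects markup:  ", reflects_markup(render_hardened(LINK)))    # False
```

Escaping at the point of output is the fix the slide's description calls for; the `reflects_markup` check is only a smoke test and would not catch every encoding context (attributes, JavaScript strings), which need their own encoders.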
A three step infection
Injected Java-script → Redirect → Exploit Server → Browser Exploit → Payload Server → Dropper
Eleonore (exploit pack)
Tornado (exploit pack)
Napoleon / Siberia (exploit pack)
Rogueware
*http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf
Rogueware
Payload Server
Command and Control
Once installed, the malware phones home…
Reported fields: TIMESTAMP, SOURCE COMPUTER, USERNAME, VICTIM IP, ADMIN?, OS VERSION, HD SERIAL NUMBER
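What a defender can do with the fact that the implant phones home on a schedule, as an added example that is not from the slides and goes a little beyond them: the check-in itself carries the fields listed above, but on the network side the tell is regularity, so this scores each (host, destination) pair in a proxy log by how evenly spaced its contacts are. The log format, host name and addresses are constructed for the example.

```python
# Added example (not from the slides): spotting the "phone home" in outbound logs.
# A timer-driven check-in from one host to one destination shows up as tightly
# regular gaps between contacts; a person browsing does not. The log format,
# host name and destination addresses below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <source host> <destination> <bytes>"
LOG_LINES = [
    "2010-02-04T09:00:00 ws17 203.0.113.5 412",
    "2010-02-04T09:05:00 ws17 203.0.113.5 410",
    "2010-02-04T09:10:01 ws17 203.0.113.5 413",
    "2010-02-04T09:15:00 ws17 203.0.113.5 411",
    "2010-02-04T09:20:00 ws17 203.0.113.5 412",
    "2010-02-04T09:01:12 ws17 198.51.100.7 8120",
    "2010-02-04T09:03:40 ws17 198.51.100.7 90233",
    "2010-02-04T09:17:05 ws17 198.51.100.7 1201",
    "2010-02-04T09:18:30 ws17 198.51.100.7 55000",
    "2010-02-04T09:30:00 ws17 198.51.100.7 3300",
]


def parse(lines):
    """Group contact timestamps by (source host, destination)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _size = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def gaps_seconds(timestamps):
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between contacts: near 0 means
    clockwork regularity. None when there are too few contacts to judge."""
    if len(timestamps) < 4:
        return None
    gaps = gaps_seconds(timestamps)
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(lines, max_cv=0.1):
    """Return (src, dst, mean gap in seconds) for pairs whose contact interval
    is regular enough to look like a scheduled check-in."""
    hits = []
    for (src, dst), stamps in parse(lines).items():
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(gaps_seconds(stamps)))))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(LOG_LINES):
        print(f"{src} -> {dst}: contacts every ~{gap}s")  # ws17 -> 203.0.113.5: ~300s
```

The threshold and the minimum of four contacts are tuning knobs; real implants add jitter, so in practice the score is combined with destination reputation, byte-count uniformity and the other check-in indicators the slide lists rather than used alone.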
Command and Control Server
Command and Control
These commands map to a foreign language keyboard.
IRC C&C
IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.
Triad (botnet)
ZeuS (botnet)
Fragus (botnet)
Implants
Poison Ivy (implant)
CRUM (protector)
Steal Credentials
Outlook Email Password
Generic stored passwords
Steal Files
All the file types that are exfiltrated
Staging Server
Drop Site
Drop-point is in Reston, VA in the AOL netblock
Part II: Countering the Threat
Malware Threat Attribution
Why Attribution?
Threat Intelligence
Enterprise Information Sources
Information Points
Intel Feeds
Forensic Marks left by Actors
Fingerprinting Actors within the Theatre
Digital Fingerprints
The developer != operator
DISK FILE vs IN MEMORY IMAGE (diagram):
• Same malware compiled in three different ways: on disk, the MD5 checksums are all different.
• After the OS Loader runs, the code idioms in the in-memory image remain consistent.
• Packer #1, Packer #2, Original: the decrypted in-memory image is the same. Starting analysis in memory tends to defeat packers, because the unpacked portions of the malware remain consistent.
• Toolkits and developer signatures can be detected: different malware authors using the same toolkit leave the same toolkit marks, which are detected even when the malware is packed.
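The disk-versus-memory point above, as an added example that is not from the slides or from HBGary's tooling: two toy packers (XOR with different keys behind different loader stubs) wrap one constructed payload. The three disk images hash to three different MD5s, but the payload each one leaves in memory is identical, so a fingerprint taken over the unpacked code idioms (API names and embedded strings) is the same for all three. The packers, the payload and the idiom regex are constructed stand-ins, not a real format.

```python
# Added example (not from the slides): why a disk hash is a poor fingerprint and an
# in-memory one is a better one. Two toy "packers" wrap the same constructed
# payload; disk MD5s differ, the unpacked image and its idiom fingerprint do not.
import hashlib
import re

# Constructed stand-in for a compiled payload. The "code idioms" an analyst would
# see after unpacking are the API names and embedded strings.
PAYLOAD = (
    b"push ebp; mov ebp,esp; call CreateRemoteThread; "
    b"str:/checkin.php; call SetWindowsHookEx; str:kbd_log; ret"
)


def pack(payload: bytes, key: int, stub: bytes) -> bytes:
    """Toy packer: a loader stub, a separator, then the XOR-obfuscated payload.
    Real packers differ in far more than this; the disk-vs-memory point holds."""
    return stub + b"|" + bytes(b ^ key for b in payload)


def unpack(image: bytes) -> bytes:
    """What the OS loader plus the packer's own stub leave resident: the stub
    runs, recovers its key, and the original payload is back in memory."""
    stub, body = image.split(b"|", 1)
    key = int(stub.split(b"=")[1])
    return bytes(b ^ key for b in body)


def disk_md5(image: bytes) -> str:
    """The signature-style identifier: hash of the file as it sits on disk."""
    return hashlib.md5(image).hexdigest()


def memory_fingerprint(unpacked: bytes) -> str:
    """Fingerprint over the in-memory code: the set of API calls and embedded
    strings, order-independent, hashed. Survives repacking because the
    payload itself does not change."""
    idioms = sorted(set(re.findall(rb"call \w+|str:[^;]+", unpacked)))
    return hashlib.sha256(b"\n".join(idioms)).hexdigest()


# Three disk images of the "same malware compiled three ways" (constructed).
PACKER_1 = pack(PAYLOAD, key=0x5A, stub=b"stub1 key=90")
PACKER_2 = pack(PAYLOAD, key=0x33, stub=b"stub2 key=51")
ORIGINAL = pack(PAYLOAD, key=0, stub=b"plain key=0")


def compare():
    """Return (disk hashes, memory fingerprints) keyed by image name."""
    images = {"packer1": PACKER_1, "packer2": PACKER_2, "original": ORIGINAL}
    disk = {name: disk_md5(img) for name, img in images.items()}
    mem = {name: memory_fingerprint(unpack(img)) for name, img in images.items()}
    return disk, mem


if __name__ == "__main__":
    disk, mem = compare()
    print("distinct disk MD5s:       ", len(set(disk.values())))  # 3
    print("distinct memory fingerprints:", len(set(mem.values())))  # 1
```

The idiom extractor is deliberately crude; the design point is that the fingerprint is computed over what the loader and the packer's stub produce, not over the bytes the packer chose to write to disk, which is why it survives a change of packer or compiler options.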
Country of Origin
C&C map from Shadowserver, C&C for 24 hour period
Language
Actor: Endpoint Exploiters
$100.00 per 1000 infections
URL artifact
Codenamed C&C
Botmaster Fingerprint
Unique Endpoints
Affiliate ID’s
Link Analysis
Actor: Bot Master
Actor: Account Buyer
Actor: Mules & Cashiers
Actor: Wizards
Actor: Developers
We want to find a connection here (diagram labels):
• C&C
• Botmaster Fingerprint
• URL artifact
• Affiliate ID
• Developer Protocol Fingerprint
• Endpoints
• Developer C&C products
Link Analysis
Softlinking into the Social Space
Software Author → Social Space
Link Analysis
Working back the timeline
Software Author → Social Space
i.e., Technical Support Query made AFTER version 1.4 Release
Use of timeline to differentiate links
Link Analysis
Actor: Vuln Researchers
Conclusion
Take Away
HBGary