Department of Managed Services

Active Defense Engagement Report

STRICTLY CONFIDENTIAL



Report ID DIS001_POC_001

Report Date



Customer

Name

Company



Street

City, State, Zip



Report Contact

Name



Company HBGary

Street 3604 Fair Oaks Blvd, Suite 250

City, State, Zip Sacramento, CA 95864

Report ID DIS001_POC_001

Report Date: October 21, 2010

Page 2 of 15



1. OVERVIEW ........ 3
2. SUMMARY ........ 3
3. RECOMMENDATIONS ........ 3
4. IMPLEMENTATION SUMMARY ........ 3
5. SCAN SUMMARY – AS OF ........ 3
6. HOST DETECTION & EXAMINATION SUMMARY ........ 4
   6.1. APT INFECTED HOSTS ........ 4
   6.2. HOSTS CONTAINING APT ARTIFACTS ........ 5
   6.3. NON-TARGETED INFECTED HOSTS ........ 5
7. MALWARE ANALYSIS ........ 6
   7.1. RASAUTO32.DLL ........ 6
8. HOST EXAMINATION DETAILS ........ 8
   8.1. EXFILTRATION HOSTS ........ 8
      8.1.1. JMONTAGNADT - 10.10.104.134 ........ 8
9. INDICATORS ........ 10
   9.1. FILE NAME IOCs ........ 10
   9.2. FILE BINARY IOCs ........ 11
   9.3. LIVE SYSTEM (MEMORY) IOCs ........ 11
   9.4. LIVE SYSTEM (REGISTRY) IOCs ........ 12
   9.5. NETWORK IOCs ........ 13
10. MANAGED HOSTS LIST ........ 13
11. GLOSSARY OF TERMS ........ 13
12. END OF REPORT ........ 15












1. Overview







2. Summary







3. Recommendations







4. Implementation Summary

Implementation Information

Active Defense Version: 1.1.0.271 (Server), 2.0.0.736 (Agent)
Deployment Type: HBGary Provided Server (HBAD)
Deployment Location:
IT Contact:
A/D Implementation Date:
Technician:
Notes:

















5. Scan Summary – As of




















Deployment Statistics

| Metric | Hosts |
|---|---|
| Total Hosts Managed | 1874 |
| Additional Hosts Pending | 32 |

Detection Summary

| Category | Hosts |
|---|---|
| Clean | 1790 |
| APT Malware | 18 |
| APT Artifacts | 7 |
| Non-Targeted Malware: TDSS (RAT) | 28 |



6. Host Detection & Examination Summary

6.1. APT Infected Hosts





Host Examination Summary – APT Infected Hosts



Hostname IP Alert/Detection Date Created File Path












6.2. Hosts Containing APT Artifacts





Host Examination Summary – APT Artifacts



Hostname IP Alert/Detection State Description









6.3. Non-Targeted Infected Hosts



Host Examination Summary – Non-Targeted Infected Hosts



Hostname IP Alert/Detection State Description


















7. Malware Analysis





The following section details the findings from reverse engineering recovered malware. HBGary focused mainly on

malware that appeared in the QNA environment during the timeframe covered in the scope of work.



7.1. Rasauto32.dll

Summary



The rasauto32.dll malware and its variants were the most commonly found APT malware in the QNA network. Rasauto32.dll provides complete access to a victim host through outbound communications to an attacker-controlled server over an HTTP communication channel. The IP address of the primary control server (72.167.34.54) was hardcoded and identical in all recovered samples. However, this malware can be used to fully control a victim machine or to specify an additional C&C server, thus allowing the gathering and exfiltration of data to any location of the attacker's choosing. The rasauto32.dll malware also supports an internally configured sleep command that forces the malware not to beacon out until a specified date and time.



File Details



The compile time of a binary is an embedded attribute that indicates when the binary was compiled. This value can be altered by an attacker but is still considered a relevant attribute to track. The date created is the date on which the binary appeared on the affected system.



| Filename | MD5 Hash | Compile Time | Date Created |
|---|---|---|---|
| rasauto32.dll | FC63A35A36B84B11470D025A1D885A6B | 2/9/2010 3:29:43 | 9/6/2010 22:40:22 |
| rasauto32.dll | 2502766AF38E3AFEBB10D16EA52800FD | 5/24/2010 22:50:41 | 9/6/2010 20:56:00 |
| reg32.exe | 0D6FBBEB9E2A750F7BA5E06406CC8582 | 6/25/2010 12:34:57 | 7/22/2010 1:44:00 |
| 111.exe (dropper) | 5E7EA7264E5FC7F447FC3BEC44145ABD | 5/24/2010 22:50:57 | 8/31/2010 7:33:00 |
| ctfmon.exe | 0D6FBBEB9E2A750F7BA5E06406CC8582 | 6/25/2010 12:34:57 | 7/22/2010 1:44:00 |



System Modifications



File System:

- The rasauto32.dll malware exists in the following location:
  - %SYSTEMROOT%\system32\rasauto32.dll
- The malware creates an alternate system command shell:
  - %USERPROFILE%\Local Setting\ati.exe

Registry:

- The 111.exe dropper alters the following registry values to allow for persistence across system reboots:
  - HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x00000011
  - HKLM\SYSTEM\ControlSet001\Services\RasAuto\Type: 0x00000110
  - HKLM\SYSTEM\ControlSet001\Services\RasAuto\Start: 0x00000002
  - HKLM\SYSTEM\ControlSet001\Services\RasAuto\Parameters\ServiceDll: "C:\WINDOWS\system32\rasauto32.dll"
  - HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000011
  - HKLM\SYSTEM\CurrentControlSet\Services\RasAuto\Type: 0x00000110
  - HKLM\SYSTEM\CurrentControlSet\Services\RasAuto\Start: 0x00000002
  - HKLM\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters\ServiceDll: "C:\WINDOWS\system32\rasauto32.dll"
- The rasauto32.dll malware checks the following registry key and values to obtain sleep instructions:
  - HKLM\SOFTWARE\TIME
  - HKLM\SOFTWARE\TIME\dwHighDateTime
  - HKLM\SOFTWARE\TIME\dwLowDateTime



Network Communications



Embedded C&C:

- Hard-coded IP address:
  - 72.167.34.54
- Session details:
  - TCP port 443
- Encryption:
  - OpenSSL is statically compiled into the malware.
  - A static DES key "!b=z&7?cc,MQ>" is compiled into the malware for an additional layer of encryption.
- Connection retries:
  - If a successful connection is made to the attacker-controlled server, the C&C logic follows.
  - If a connection cannot be made to the attacker's server, the malware sleeps for 60 seconds and then retries.



Detailed Analysis



Upon successful installation of rasauto32 the following tasks are performed:

- Expand the string "%USERPROFILE%\Local Settings", which generally resolves to "c:\Documents and Settings\NetworkService\Local Settings".
- Create the directory "c:\Documents and Settings\NetworkService\Local Settings\Temp" if it does not already exist. This directory serves as a "home directory" into which the malware downloads other software. The dynamically created copies of CMD.EXE named "ATI.EXE" have been observed at this location.
- Collect basic network/performance statistics on the machine via NETAPI32.DLL - NetStatisticsGet("LanmanServer").
- Set up a static symmetric DES key based upon the hardcoded passphrase "!b=z&7?cc,MQ>".
- Collect the machine name and volume information for the system volume.
- Dynamically resolve DNSAPI.dll!DnsFlushResolverCache() and URLMON!URLDownloadToCacheFile() via LoadLibrary/GetProcAddress.
- Collect some generic performance metrics from the compromised machine.



The rasauto32.dll malware has many embedded capabilities. It was clearly written to give an attacker flexibility,

persistent access, and security. The C&C functionality of the malware is detailed below.



- Create additional secure communication channels

  This feature allows an attacker to specify a new C&C server. Even though the malware was compiled with a static IP address, this can be changed dynamically by the attacker at a later date.

- Process manipulation

  The malware has the ability to list and kill existing processes and create new processes.

- List loaded modules in running processes

  The malware can list the loaded modules in running processes on the victim system. It can also read the memory space of other processes. This is usually a precursor to injecting code into a remote process.

- Service manipulation

  The malware can list, create, remove, start, stop, and reconfigure services on a victim system.

- List and upload files

  Rasauto32.dll has the ability to list files on a system and upload them through an SSL- and DES-encrypted network channel. This feature, combined with the ability to specify a new C&C server, allows the attacker to upload data to any location.

- Shellcode injection

  Shellcode can be injected into other processes and remote threads can be started within other processes. This allows an attacker to effectively hijack other processes on a victim system with very little forensic evidence left behind. Memory analysis of a system is normally required to identify the malicious code that has been injected.

- Sleep

  This is a very important feature of the malware. An attacker can configure rasauto32 not to beacon out to its C&C server for a specified period of time. This forces the malware to be dormant from a network perspective. An infected host must then be identified through host analysis due to the lack of network indicators. Use of this feature also demonstrates the attacker's intent to return to the QNA network.

- Interactive command shell

  The malware establishes an interactive system command shell through the use of the ATI.exe file. Rasauto32 will copy the default system command shell, make a slight binary alteration, and then place it in a user's temp folder. The binary alteration involves changing the binary string from "Microsoft Corp." to "superhard corp." It is believed that this is done only to alter the MD5 hash of the command shell. No other binary changes were detected.

- Shutdown or reboot

  A victim system can be shut down or rebooted using the malware.

- Self-destruct

  Rasauto32 can delete the service that hosts the malware. This is considered a self-destruct mechanism to prevent the malware from running again upon reboot.

- Create or delete files

  The malware has the ability to create and delete files on a victim system. An attacker could delete exfiltrated data or other tools on the system that they do not wish to have detected.







8. Host Examination Details

8.1. Exfiltration Hosts

8.1.1. JMONTAGNADT - 10.10.104.134

Alert/Detection: Exfiltration Point
Detection Date:
Detection Source: Customer Reported
Hostname: JMONTAGNADT
IP Address: 10.10.104.134
Host Type: Workstation
Host OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Host State: NTF/Not Infected
Examination Date: 9/14/2010
Root Cause (IPI): Unable to Identify
Occurrence (IPI): Unable to Identify
Finding Date:
Threat Classification: Direct/External
Remediation Recommendations: Possible Forensic Analysis (Data un-deletion and disk string searches)

Malicious File

No malicious files identified on this host

Examination Notes

Nothing notable identified in the MFT. Security logs did not go back far enough or did not contain data. The TIME key in the registry was not found.












9. Indicators



9.1. File Name IOCs





| Value | Malware | Notes |
|---|---|---|
| \rasauto32.dll | rasauto32.dll | The name rasauto32.dll is not legitimate. Look for any instance. |
| \windows\system\ctfmon.exe | rasauto32.dll | Ctfmon.exe is a renamed version of rasauto32.dll. The exact path must be used. There is a valid ctfmon.exe in the \windows\system32 directory. |
| \ati.exe | rasauto32.dll | Ati.exe is a subcomponent of rasauto32.dll. Look for any instance. |
| \reg32.exe | rasauto32.dll | Reg32.exe is a renamed version of rasauto32.dll. |
| \111.exe | rasauto32.dll | 111.exe is the dropper for rasauto32.dll. It can exist in any directory. |
| \iisstart[1].htm | rasauto.dll | This internet history artifact can indicate a system attempted to communicate to a command and control server. |
| \iprinp.dll | Iprinp.dll | The name iprinp.dll is not legitimate. Look for any instance. |
| \windows\ntshrui.dll | ntshrui.dll | The exact path to ntshrui.dll must be used. The path provides the persistence mechanism. |
| \windows\system32\update.exe | update.exe | The exact path for update.exe must be used. There are numerous valid update.exe files. |
| \erroinfo.sy | update.exe | This indicator also covers erroinfo.sys. Both files are artifacts created by update.exe. |
| \a.bat | update.exe | The a.bat file is a batch file that executes update.exe. It can exist in any directory. |
| mspoiscon | mspoiscon | Search for any file name containing mspoiscon. Limited success is expected due to mspoiscon's use of alternate data streams to hide its presence. |
| \r.exe | rar.exe | R.exe was a renamed version of rar.exe. It can exist in any directory. |
| \p.exe | pwdump | P.exe was a renamed pwdump tool. It can exist in any directory. |
| \gethash.exe | pwdump | Gethash.exe was a renamed pwdump tool. It can exist in any directory. |
| \w.exe | PTH Toolkit | W.exe was a renamed portion of the PTH Toolkit. It can exist in any directory. |
| \remcomsvc.exe | RemCom | Remcomsvc.exe is an artifact left on a system after the execution of the RemCom.exe software. This artifact will be present on a system even if remcom.exe had been renamed. |
| Svchost.exe | Anomalous svchost.exe | Discover any svchost.exe not in a standard path. |
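As an added example (not HBGary's tooling and not code from this report), the following Python triage helpers turn the RasAuto registry persistence and HKLM\SOFTWARE\TIME sleep values described in section 7.1, together with the file-name indicators in the table above, into checks a responder can run over a registry export and a file listing. The registry values and paths below are constructed sample input, and treating \windows\system32 as the only standard svchost.exe location is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(high: int, low: int) -> datetime:
    """Decode the dwHighDateTime/dwLowDateTime pair stored under HKLM\\SOFTWARE\\TIME."""
    ticks = (high << 32) | (low & 0xFFFFFFFF)
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def check_rasauto_registry(reg: dict) -> list:
    """Flag the RasAuto ServiceDll hijack and decode any sleep instruction.

    `reg` maps a key path to a {value name: data} dict, as a registry export
    would be loaded. Both control sets listed in section 7.1 are checked.
    """
    findings = []
    for control_set in ("ControlSet001", "CurrentControlSet"):
        svc_key = f"HKLM\\SYSTEM\\{control_set}\\Services\\RasAuto"
        dll = reg.get(svc_key + "\\Parameters", {}).get("ServiceDll", "")
        # Section 9.1: the name rasauto32.dll is never legitimate, so a RasAuto
        # service pointed at it is the persistence the 111.exe dropper installs.
        if dll.lower().endswith("rasauto32.dll"):
            svc = reg.get(svc_key, {})
            findings.append(f"{svc_key}: ServiceDll hijacked -> {dll} "
                            f"(Type={svc.get('Type', 0):#x}, Start={svc.get('Start', 0):#x})")
    sleep = reg.get("HKLM\\SOFTWARE\\TIME", {})
    if all(v in sleep for v in ("dwHighDateTime", "dwLowDateTime")):
        wake = filetime_to_datetime(sleep["dwHighDateTime"], sleep["dwLowDateTime"])
        findings.append(f"HKLM\\SOFTWARE\\TIME: sleep instruction present, "
                        f"no beaconing expected before {wake:%Y-%m-%d %H:%M:%S} UTC")
    return findings


# File-name indicators from section 9.1, grouped by the matching rule the table gives.
ANY_INSTANCE = {"rasauto32.dll", "ati.exe", "reg32.exe", "111.exe", "iisstart[1].htm",
                "iprinp.dll", "a.bat", "r.exe", "p.exe", "gethash.exe", "w.exe", "remcomsvc.exe"}
EXACT_PATH = {r"\windows\system\ctfmon.exe", r"\windows\ntshrui.dll",
              r"\windows\system32\update.exe"}
# Assumption: on these 32-bit XP hosts only \windows\system32 is a standard svchost.exe location.
STANDARD_SVCHOST_DIR = r"\windows\system32"


def _normalize(path: str) -> str:
    """Lower-case, backslash-separate and strip the drive letter so paths compare to the table."""
    return re.sub(r"^[a-z]:", "", path.replace("/", "\\").lower())


def match_filename_iocs(paths: list) -> list:
    """Return (original path, reason) for every path that matches a section 9.1 indicator."""
    hits = []
    for raw in paths:
        path = _normalize(raw)
        folder, _, name = path.rpartition("\\")
        if name in ANY_INSTANCE:
            hits.append((raw, f"{name}: any instance is an indicator"))
        elif path in EXACT_PATH:
            hits.append((raw, f"{name}: malicious only at this exact path"))
        elif "mspoiscon" in name or name.startswith("erroinfo.sy"):
            hits.append((raw, f"{name}: name fragment indicator"))
        elif name == "svchost.exe" and folder != STANDARD_SVCHOST_DIR:
            hits.append((raw, "svchost.exe outside its standard path"))
    return hits


# Constructed sample input (not data from the report): a registry export after the
# 111.exe dropper has run, with a sleep value that decodes to 2010-11-01 00:00:00 UTC.
SAMPLE_REG = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\RasAuto": {"Type": 0x110, "Start": 0x2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters":
        {"ServiceDll": r"C:\WINDOWS\system32\rasauto32.dll"},
    r"HKLM\SOFTWARE\TIME": {"dwHighDateTime": 30112087, "dwLowDateTime": 3120693248},
}
SAMPLE_PATHS = [  # constructed file listing mixing indicators with legitimate look-alikes
    r"C:\WINDOWS\system32\rasauto32.dll",
    r"C:\WINDOWS\system\ctfmon.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\NetworkService\Local Settings\Temp\ati.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\temp\svchost.exe",
    r"C:\WINDOWS\system32\update.exe",
    r"C:\Program Files\Vendor\update.exe",
]

if __name__ == "__main__":
    for line in check_rasauto_registry(SAMPLE_REG):
        print(line)
    for path, why in match_filename_iocs(SAMPLE_PATHS):
        print(f"{path}: {why}")
```

On a real host the dictionary would be populated from a registry export and the path list from an MFT or directory walk; decoding the TIME key is the host-side check that finds a sleeping implant when no network indicators exist.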










9.2. File Binary IOCs





| Value | Malware | Notes |
|---|---|---|
| macrosoft corp. | iprinp.dll | Some iprinp.dll variants create a patched system shell with this unique string embedded. |
| SvcHost.DLL.log | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| process-%d-stoped! | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| (PRI) Comment: | iprinp.dll | This string appears in output from an iprinp.dll network scan. |
| %s\%05d.dat | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| d0ta010@hotmail.com | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| lich123456@hotmail.com | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| 2j3c1k | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| 72.167.34.54 | rasauto32.dll | This IP address was hard-coded into many rasauto32.dll variants. |
| superhard corp. | rasauto32.dll | Some rasauto32.dll variants create a patched system shell with this unique string embedded. |
| Installed RAM: %ldMB | Various | String found in code from WinVNC and various APT malware. |
| lsremora64.dll | Pwdump | This string is found in pwdump variants. |
| 72.167.33.182 | Unknown | QNAO reported malicious IP address. |
| 67.152.57.55 | Unknown | QNAO reported malicious IP address. |
| 66.228.132.129 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132.130 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132. | unknown | QNAO reported netblock related to APT activity. |
| 65.54.165.179 | Unknown | This IP address is possibly related to APT malware that was using the Neil certificate. |
| 216.246.75.123 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 32.16.195.129 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 119.167.225.48 | mspoiscon | Command and control server for the mspoiscon malware. |
| happy.7766.org | mspoiscon | Command and control server for the mspoiscon malware. |
| 123.183.210.26 | msomsysdm | Command and control server for the msomsysdm malware. |
| xyrn998754.2288.org | msomsysdm | Command and control server for the msomsysdm malware. |
| nodns3.qipian.org | msomsysdm | Command and control server for the msomsysdm malware. |
| 208.73.210.85 | msomsysdm | Command and control server for the msomsysdm malware. |







9.3. Live System (Memory) IOCs








| Value | Malware | Notes |
|---|---|---|
| macrosoft corp. | iprinp.dll | Some iprinp.dll variants create a patched system shell with this unique string embedded. |
| SvcHost.DLL.log | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| process-%d-stoped! | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| (PRI) Comment: | iprinp.dll | This string appears in output from an iprinp.dll network scan. |
| %s\%05d.dat | iprinp.dll | This unique string is found in many iprinp.dll variants. |
| d0ta010@hotmail.com | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| lich123456@hotmail.com | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| 2j3c1k | iprinp.dll | Hard-coded credentials for the iprinp.dll MSN variant. |
| 72.167.34.54 | rasauto32.dll | This IP address was hard-coded into many rasauto32.dll variants. |
| superhard corp. | rasauto32.dll | Some rasauto32.dll variants create a patched system shell with this unique string embedded. |
| Installed RAM: %ldMB | Various | String found in code from WinVNC and various APT malware. |
| lsremora64.dll | Pwdump | This string is found in pwdump variants. |
| 72.167.33.182 | Unknown | QNAO reported malicious IP address. |
| 67.152.57.55 | Unknown | QNAO reported malicious IP address. |
| 66.228.132.129 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132.130 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132. | unknown | QNAO reported netblock related to APT activity. |
| 65.54.165.179 | Unknown | This IP address is possibly related to APT malware that was using the Neil certificate. |
| 216.246.75.123 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 32.16.195.129 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 119.167.225.48 | mspoiscon | Command and control server for the mspoiscon malware. |
| happy.7766.org | mspoiscon | Command and control server for the mspoiscon malware. |
| 123.183.210.26 | msomsysdm | Command and control server for the msomsysdm malware. |
| xyrn998754.2288.org | msomsysdm | Command and control server for the msomsysdm malware. |
| 208.73.210.85 | msomsysdm | Command and control server for the msomsysdm malware. |
| nodns3.qipian.org | msomsysdm | Command and control server for the msomsysdm malware. |





9.4. Live System (Registry) IOCs





| Value | Malware | Notes |
|---|---|---|
| Data Value = iprinp.dll | iprinp.dll | Any registry value containing this string. |
| Data Value = rasauto32.dll | Rasauto32.dll | Any registry value containing this string. |
| Key Path contains AA8341AE-87E5-0728-00B2-65B59DDD7BF7 | mspoiscon, msomsysdm | |









9.5. Network IOCs





| Value | Malware | Notes |
|---|---|---|
| 72.167.33.182 | Unknown | QNAO reported malicious IP address. |
| 67.152.57.55 | Unknown | QNAO reported malicious IP address. |
| 66.228.132.129 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132.130 | unknown | QNAO reported exfiltration destination IP address. |
| 66.228.132. | unknown | QNAO reported netblock related to APT activity. |
| 65.54.165.179 | Unknown | This IP address is possibly related to APT malware that was using the Neil certificate. |
| 216.246.75.123 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 32.16.195.129 | mspoiscon | This IP was found in the memory of a system infected with mspoiscon malware. |
| 119.167.225.48 | mspoiscon | Command and control server for the mspoiscon malware. |
| happy.7766.org | mspoiscon | Command and control server for the mspoiscon malware. |
| 123.183.210.26 | msomsysdm | Command and control server for the msomsysdm malware. |
| xyrn998754.2288.org | msomsysdm | Command and control server for the msomsysdm malware. |
| 208.73.210.85 | msomsysdm | Command and control server for the msomsysdm malware. |
| nodns3.qipian.org | msomsysdm | Command and control server for the msomsysdm malware. |









10. Managed Hosts List







11. Glossary of Terms

TTP - Tools, Techniques, and Procedures. These are the methods used by an attacker to compromise and remain persistent within a network. TTP is a broad term and covers all behavioral characteristics of an attacker, including methods used for lateral movement, exfiltration of data, scanning the network, preferences for tools, etc.



APT - Advanced Persistent Threat. This is a catch-all term for any targeted attack that involves one or more human attackers interacting with compromised hosts. In other words, APT and Hacker are synonymous. The term APT is not used when malware is the result of large-scale autonomous infection and there is no evidence of interaction with a host (that is, there is no human at the other end of the keyboard).



RAT - Remote Access Tool. These are malware programs designed to allow a remote attacker to execute

programs and move files to and from a compromised host. These programs typically connect outbound to a

server to get commands.



C2 - Command and Control. This refers to the mechanism used by a RAT to communicate with an external host and get commands. The C2 host is usually a compromised host that functions as a cut-out between the compromised network and the attacker. C2 servers are typically moved on a regular basis to overcome perimeter security such as NIDS or DNS blackholes.



FUD - Fully Undetectable. This term applies to malware that has been tested against a large set of known

security products and has been verified as undetectable. Most APT attackers use tools that are FUD. FUD

typically refers to AV products, but is sometimes used to refer to browser-sandbox technology (sandboxie, etc)

as well. For example, a FUD malware would score zero hits on a scan performed by virustotal.com.



AV - Anti Virus. Refers to anti-virus products and host-based firewalls.



NIDS - Network Intrusion Detection System.



DDNA - Digital DNA. This is HBGary's system to detect suspicious code based on behaviors.



IPI - Initial Point of Infection. This refers to how the machine was initially compromised by an attacker. This can be an autonomous malware infection, such as that caused by visiting a malicious website, or a targeted attack such as those caused by spear-phishing. IPI can also refer to lateral movement.



Lateral Movement. This refers to an attacker who has already compromised the network in one location, but is

attempting to gain access to additional machines. Typically this is done using stolen account credentials.



Exfil / Exfiltration. This term refers to the removal of data from the network, typically using some form of

covert communications designed to bypass filtering at the perimeter.



Packer / Cryptor. This term refers to a technology that can create many different variants of the same malware

in an automated way, easily bypassing MD5 checksum scans and many forms of AV scanning.



Spreader. This refers to a function within a malware that allows it to spread across the network in an automated way - for example by infecting USB keys or connecting over Windows network shares.



Downloader / Dropper / Sleeper. This refers to how a machine is initially exploited. The dropper is a small program that executes first, downloads a larger program (the payload), and executes that second program. Some downloaders can be configured with a sleep time and will not connect out for weeks or months. In this case, the downloader may be called a 'sleeper agent'.



PUP - Potentially Unwanted Program. These are programs that are suspicious by nature but are not actually malware. Examples are unsanctioned VPN bypass (LogMeIn, etc), invasive toolbar technology (Google Toolbar, etc), and security tools that are not tied to an attack (packet sniffers, etc). PUPs are typically whitelisted during an investigation, but are still reported to the customer for informational purposes.









12. End of Report








