Advanced Persistent Threat

        APT – What is it?
Wake Up
"Google cyber attacks a 'wake-up' call"
- Director of National Intelligence Dennis Blair
http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-call-for-US-intel-chief-says
Anatomy of APT Malware
Components shown in the diagram:
• Survive reboot
• C&C protocol to the Command and Control server
• Process injection
• File search
• Keylogger
• Update
• USB stick
IP (intellectual property) is Leaving The Network Right Now
YOU ARE ALREADY OWNED
They are STEALING right now, as you sit in that chair.
        The Coming Age
    Economy
Espionage
MI5 says the Chinese government "represents one of the most significant espionage threats"
http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece
              Big Brother




Opennet.net
        Cash is not the only motive
Why Enterprise Security Products DON'T WORK
        The True Threat
The Scale
Over 100,000 malware samples are automatically generated and released daily. Signature-based solutions are tightly coupled to individual malware samples and thus cannot scale.
http://www.avertlabs.com/research/blog/index.php/2009/03/10/avert-passes-milestone-20-million-malware-samples/
Surfaces
The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware
        Not an antivirus problem
Annealing
[Figure: value horizon plotted against the technology lifecycle; the region between them is the continuous area of attack]
By the time all the surfaces in a given technology are hardened, the technology is obsolete
The Global Malware Economy
A Global Theatre
[Figure: the malware economy drawn as a value chain. Labels recoverable from the diagram, grouped by proximity:]
• Developers and vendors: Exploit Developer ($10,000+ for 0-day), Rootkit Developer, Implant Vendor, Exploit Pack Vendor (price points next to them: $500+, $1,000+), Rogueware Developer, Back Office Developer, Payment system developer ($1000+), Bot Vendor
• Distribution: Affiliate Botmaster, PPI, Endpoint Exploiters ($100.00 per 1000 infections), Endpoints, Victims (~4% of bank customers)
• Accounts and cash: ID Thief, Account Buyer (sells accounts in bulk, $5.00 per; unit not legible), Bank Broker, Forger ($50), Drop Man, Cashier / Mule (in the country where the account is physically located), Secondary; small transfers in $5,000 increments; atm
• Cash-out: eGold, Wizard, in a country that doesn't co-op w/ LE
• Cuts shown along the chain: keep 10%, keep 50%, keep 10%
• A single operator here may recruit 100's of mules per week
Crimeware and the State
China
"There are the intelligence-oriented hackers inside the People's Liberation Army"
"There are hacker conferences, hacker training academies and magazines"
"Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military"
When asked whether hackers work for the government, or the military, [he] says "yes."
http://news.cnet.com/Hacking-for-fun-and-profit-in-Chinas-underworld/2100-1029_3-6250439.html
Crimeware Affiliate Networks
• Pay-per-install.org
• Earning4u
Pays per 1,000 infections
PPI Programs
* http://www.secureworks.com/research/threats/ppi/
Custom Crimeware Programming Houses
Anatomy of an APT Operation
Malware Distribution Systems
Boobytrapped Documents
• Single most effective focused attack today
• Human crafts text
Web-based attack
Social Networking Space: injected Java-script
• Used heavily for large scale infections
• Social network targeting is possible
Trap Postings I
www.somesite.com/somepage.php
  Some text to be posted to… <script> … </script> the site ….
Trap Postings II
www.somesite.com/somepage.php
  Some text to be posted to… <IFRAME src=… style="display:none"></IFRAME> the site ….
SQL Injection
www.somesite.com/somepage.php
SQL attack inserts IFRAME or script tags
'Reflected' injection
• Link contains a URL variable w/ embedded script or IFRAME *
• User clicks link, thus submitting the variable too
• The site prints the contents of the variable back as regular HTML
• Trusted site, like .com, .gov, .edu
*For an archive of examples, see xssed.com
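The four slides above describe two things a defender can act on: what an injected posting looks like (a <script> or a hidden <IFRAME> inside user-submitted text) and why a reflected link works (the page echoes the URL variable as raw HTML). The following is an added example, not code from the deck or from HBGary: a scanner for those trap patterns in posted markup, and the echoing page written both as the slide describes it and with the variable escaped. The host name, all sample HTML and the link are constructed for illustration.

```python
"""Added example (not part of the original deck): a scanner for the trap-posting
patterns above (injected <script>, hidden <IFRAME>) in user-submitted HTML, plus
the reflected-injection bug from 'somepage.php' beside a fixed version. The
host name and all sample HTML/URLs below are constructed for illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.somesite.com"  # assumed: the site whose postings we scan


class TrapFinder(HTMLParser):
    """Collects (kind, src) findings for script/iframe tags in a posting."""

    def __init__(self, site_host=SITE_HOST):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser lower-cases tag and attribute names
        src = a.get("src")
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            self.findings.append(("hidden-iframe" if hidden else "iframe", src))
        elif tag == "script":
            if src is None:
                self.findings.append(("inline-script", None))
            else:
                host = urlsplit(src).hostname
                kind = "foreign-script" if host and host != self.site_host else "script"
                self.findings.append((kind, src))


def scan_posting(markup, site_host=SITE_HOST):
    """Return the script/iframe findings in user-submitted markup. In a comment
    field none of these belong, so every hit is a trap."""
    finder = TrapFinder(site_host)
    finder.feed(markup)
    finder.close()
    return finder.findings


def render_vulnerable(url):
    """The 'somepage.php' behaviour from the slide: the URL variable is printed
    back as regular HTML, so script carried in the link runs on the trusted site."""
    term = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return "<p>You searched for: %s</p>" % term


def render_fixed(url):
    """Same page with the variable HTML-escaped before it is echoed."""
    term = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return "<p>You searched for: %s</p>" % html.escape(term, quote=True)


# Constructed samples: one trap posting of each kind and one reflected-injection link.
POSTING_IFRAME = ('Some text to be posted to '
                  '<IFRAME src="http://evil.example/t.php" style="display:none"></IFRAME> the site')
POSTING_SCRIPT = 'Some text to be posted to <script src="http://evil.example/a.js"></script> the site'
REFLECTED_LINK = "http://www.somesite.com/somepage.php?q=<script>alert(1)</script>"

if __name__ == "__main__":
    print(scan_posting(POSTING_IFRAME))
    print(scan_posting(POSTING_SCRIPT))
    print(scan_posting(render_vulnerable(REFLECTED_LINK)))   # the script comes back live
    print(scan_posting(render_fixed(REFLECTED_LINK)))        # nothing: escaped text only
```

The scanner keys on the parameter the slides point at (a hidden frame, a script from a host other than the site) rather than on any one payload, so it does not depend on a signature for a particular exploit pack; the fixed renderer shows that the reflected case is closed by escaping on output, not by filtering the link.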
A three step infection
1. Injected Java-script → Redirect → Exploit Server (browser exploit)
2. Exploit Server → Payload Server
3. Payload Server → Dropper
Exploit packs: Eleonore, Tornado, Napoleon / Siberia
Rogueware
*http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf
Payload Server
Command and Control
Once installed, the malware phones home… The check-in record carries:
• TIMESTAMP
• SOURCE COMPUTER
• USERNAME
• VICTIM IP
• ADMIN?
• OS VERSION
• HD SERIAL NUMBER
        Command and Control Server
Command and Control
These commands map to a foreign language keyboard.
IRC C&C
IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.
Triad (botnet), ZeuS (botnet), Fragus (botnet)
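The check-in record above and the note that C&C has moved to the web together give the defender two handles: the victim fields that travel in every check-in, and the heartbeat rhythm of the check-in itself. The following is an added example, not code from the deck or from HBGary, that pulls both out of a web proxy log. The query parameter names for the seven fields (h, u, a, os, hd) are an assumption, since the slide shows the fields but not the wire format; the log lines, hosts and addresses are constructed.

```python
"""Added example (not from the original deck): pick out the phone-home check-in
described above from web proxy logs. The check-in fields are carried as query
parameters under assumed names (h, u, a, os, hd for source computer, username,
admin flag, OS version, HD serial); the log lines, hosts and addresses are
constructed for illustration."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names for the check-in fields (the real protocol is not on the slide).
CHECKIN_FIELDS = {"h": "source_computer", "u": "username", "a": "admin",
                  "os": "os_version", "hd": "hd_serial"}

# Constructed proxy log: "<iso timestamp> <client ip> <url>"; one host checks in every ~10 min.
PROXY_LOG = """\
2010-02-04T09:00:00 10.1.1.7 http://update.example.net/chk.php?h=WS-042&u=jsmith&a=1&os=5.1.2600&hd=WD-WCAV3A1234
2010-02-04T09:00:15 10.1.1.7 http://www.somesite.com/index.html
2010-02-04T09:03:11 10.1.1.9 http://news.example.org/
2010-02-04T09:10:01 10.1.1.7 http://update.example.net/chk.php?h=WS-042&u=jsmith&a=1&os=5.1.2600&hd=WD-WCAV3A1234
2010-02-04T09:20:00 10.1.1.7 http://update.example.net/chk.php?h=WS-042&u=jsmith&a=1&os=5.1.2600&hd=WD-WCAV3A1234
2010-02-04T09:30:02 10.1.1.7 http://update.example.net/chk.php?h=WS-042&u=jsmith&a=1&os=5.1.2600&hd=WD-WCAV3A1234
2010-02-04T09:41:40 10.1.1.9 http://news.example.org/
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client ip, url)."""
    ts, ip, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, url


def checkin_fields(url, min_fields=3):
    """Return the victim fields if the query looks like the check-in above, else None.
    Matching on the parameter *set* survives changes of value (new victim, new serial)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    hit = set(query) & set(CHECKIN_FIELDS)
    if len(hit) < min_fields:
        return None
    return {CHECKIN_FIELDS[k]: query[k] for k in sorted(hit)}


def find_beacons(log, min_hits=3, max_cv=0.1):
    """Flag (client, host+path) pairs contacted at a near-constant interval: the
    phone-home heartbeat. max_cv bounds the jitter (stdev / mean of the gaps)."""
    times = defaultdict(list)
    victims = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, url = parse_line(line)
        u = urlsplit(url)
        key = (ip, u.hostname + u.path)
        times[key].append(ts)
        fields = checkin_fields(url)
        if fields:
            victims[key] = fields
    beacons = []
    for (ip, dst), seen in times.items():
        if len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append({"src": ip, "dst": dst, "hits": len(seen),
                            "period_s": mean, "victim": victims.get((ip, dst))})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(PROXY_LOG):
        print(beacon)
```

The periodicity test is the part that carries over to C&C whose field names you do not know: a workstation that talks to one URL at a fixed interval with almost no jitter is behaving like an implant, whatever the parameters say. The field match then tells you which record on the C&C server belongs to which victim.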
Implants
Poison Ivy (implant)
CRUM (protector)
Steal Credentials
• Outlook Email Password
• Generic stored passwords
Steal Files
All the file types that are exfiltrated
Staging Server
Drop Site
Drop-point is in Reston, VA in the AOL netblock
Part II
Countering the Threat
Malware Threat Attribution
Why Attribution?
Threat Intelligence
Enterprise Information Sources
Information Points
Intel Feeds
Forensic Marks left by Actors
Fingerprinting Actors within the Theatre
Digital Fingerprints
The developer != operator
DISK FILE vs. IN MEMORY IMAGE
[Figure: the same malware compiled in three different ways, each loaded by the OS loader]
• MD5 checksums: all different
• Code idioms: remain consistent
[Figure: packed malware (Packer #1, Packer #2) and the decrypted original, after the OS loader]
• Unpacked portions remain consistent
• In-memory analysis tends to defeat packers
[Figure: different malware authors using the same toolkit, packed, loaded by the OS loader]
• Toolkit marks detected
• Toolkits and developer signatures can be detected
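The three figures above make one argument: a file hash identifies a build, a code idiom identifies a developer, and a packer only hides the idiom until the OS loader has run. The following is an added example, not code from the deck or from HBGary, that shows each step on bytes. The IDIOM and EPILOGUE sequences, the three builds and the toy packer (magic "PK1" plus a one-byte XOR key) are all constructed stand-ins for a reused routine and a real packer.

```python
"""Added example (not from the original deck): why MD5 of the disk file fails
as a fingerprint while 'code idioms' survive, and why an in-memory image beats a
packer. The IDIOM bytes, the three builds and the toy packer (magic 'PK1',
one-byte XOR key) are all constructed; they stand in for a developer's reused
routine and a real packer, nothing more."""
import hashlib

# A byte sequence standing in for a routine the developer reuses in every build (constructed).
IDIOM = bytes.fromhex("558bec83ec105356578b7d0833db8a07")
EPILOGUE = bytes.fromhex("8bc35f5e5bc9c3")
PACKER_MAGIC = b"PK1"                            # toy packer header: magic + 1-byte XOR key
TOOLKIT_MARKS = {PACKER_MAGIC: "toy-packer-v1"}  # marks that identify a shared toolkit


def pack(image, key):
    """Toy packer: leaves a stub header and XORs the original image with key."""
    return PACKER_MAGIC + bytes([key]) + bytes(b ^ key for b in image)


def in_memory_image(blob):
    """What the OS loader plus the packer's own stub leave in memory: the
    decrypted original. Unpacked files are returned unchanged."""
    if blob.startswith(PACKER_MAGIC):
        key = blob[len(PACKER_MAGIC)]
        return bytes(b ^ key for b in blob[len(PACKER_MAGIC) + 1:])
    return blob


def md5(blob):
    return hashlib.md5(blob).hexdigest()


def has_idiom(image, idiom=IDIOM):
    """Signature on the code idiom rather than on the whole file."""
    return idiom in image


def ngrams(blob, n=4):
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def similarity(a, b, n=4):
    """Jaccard similarity of byte n-grams: a crude 'how much code is shared' score."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0


def toolkit_marks(blob):
    """Toolkit/packer marks found on disk, independent of who wrote the payload."""
    return [name for magic, name in TOOLKIT_MARKS.items() if magic in blob]


# Three 'builds' of the same malware (constructed): different padding and
# version strings, and one of them run through the toy packer.
BUILD_A = b"MZ" + b"\x90" * 8 + IDIOM + EPILOGUE + b"\x00" * 8 + b"v1.0"
BUILD_B = b"MZ" + b"\xcc" * 12 + IDIOM + EPILOGUE + b"v1.4"
BUILD_C = pack(BUILD_B, 0x5A)
UNRELATED = bytes(range(64))

if __name__ == "__main__":
    for name, blob in ("A", BUILD_A), ("B", BUILD_B), ("C", BUILD_C):
        mem = in_memory_image(blob)
        print(name, md5(blob)[:8], "idiom on disk:", has_idiom(blob),
              "idiom in memory:", has_idiom(mem), "marks:", toolkit_marks(blob))
    print("A~B in memory:", round(similarity(BUILD_A, in_memory_image(BUILD_B)), 2))
```

Three disk hashes, three different values; the packed build hides the idiom on disk and gives it back once the image is unpacked, at which point it hashes identically to the build it was made from. The packer magic is the toolkit mark: it says nothing about the author of the payload, which is the point of the last slide.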
Country of Origin
C&C map from Shadowserver, C&C for 24 hour period
Language
Actor: Endpoint Exploiter
Endpoint Exploiters: $100.00 per 1000 infections
[Figure, Link Analysis: a codenamed Botmaster linked to a C&C Fingerprint, Unique Affiliate ID's, a URL artifact, and Endpoints]
Actor: Bot Master
Actor: Account Buyer
Actor: Mules & Cashiers
Actor: Wizards
Actor: Developers
[Figure, Link Analysis: we want to find a connection here between the Botmaster and the Developer. Nodes: Botmaster, C&C Fingerprint, URL artifact, Affiliate ID, Endpoints, Developer, Protocol Fingerprint, C&C products]
Softlinking into the Social Space
[Figure, Link Analysis: Software linked to its Author, and the Author into the Social Space]
Working back the timeline
[Figure, Link Analysis: Software, Author, Social Space; i.e., Technical Support Query made AFTER version 1.4 Release]
Use of timeline to differentiate links
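The link-analysis slides from the Endpoint Exploiter onward describe one procedure: collect artifacts (C&C fingerprint, affiliate ID, URL artifact, protocol fingerprint, C&C product), walk the links between them to connect a botmaster to a developer, soft-link the developer into the social space, and use the timeline to discard links that cannot be real (a support query about version 1.4 made before 1.4 shipped). The following is an added example, not code from the deck or from HBGary, that runs that procedure over a constructed set of observations. Every node name, date, release and relation label is this example's own.

```python
"""Added example (not from the original deck): link analysis over the kinds of
artifacts named on the slides (C&C fingerprint, affiliate ID, URL artifact,
protocol fingerprint, a software release, a support query in the social space)
with the timeline rule applied: a support query only links a person to a
version that had already been released. Every node, date and observation below
is constructed; the relation names are this example's own."""
from collections import defaultdict, deque
from datetime import date

# Release dates of the C&C product's versions (constructed).
RELEASES = {"kit:X v1.4": date(2009, 10, 1)}

# Observations as (node, relation, node, date or None). Undated edges are static
# artifacts pulled from malware; dated edges are events seen in the social space.
OBSERVATIONS = [
    ("botmaster:A", "cc-fingerprint", "proto-fp:X-1.4", None),
    ("botmaster:B", "cc-fingerprint", "proto-fp:X-1.4", None),
    ("botmaster:A", "affiliate-id", "aff:77421", None),
    ("endpoint:10.1.1.7", "affiliate-id", "aff:77421", None),
    ("botmaster:B", "url-artifact", "url:/gate.php?bid=", None),
    ("proto-fp:X-1.4", "protocol-of", "kit:X v1.4", None),
    ("kit:X v1.4", "version-of", "kit:X", None),
    ("developer:x_author", "sells", "kit:X", None),
    ("forum:zed", "support-query", "kit:X v1.4", date(2009, 11, 20)),  # after the 1.4 release
    ("forum:yam", "support-query", "kit:X v1.4", date(2009, 8, 2)),    # before 1.4 existed
]


def edge_is_credible(src, rel, dst, when):
    """Timeline rule: a dated event that refers to a released version is only a
    link if it happened after that version's release."""
    if when is None or dst not in RELEASES:
        return True
    return when >= RELEASES[dst]


def build_graph(observations):
    """Undirected adjacency map over the credible observations."""
    graph = defaultdict(set)
    for src, rel, dst, when in observations:
        if edge_is_credible(src, rel, dst, when):
            graph[src].add(dst)
            graph[dst].add(src)
    return graph


def find_path(graph, start, goal):
    """Shortest chain of artifacts connecting two nodes (BFS), or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def shared_artifacts(graph, actor_prefix="botmaster:"):
    """Artifacts that tie two or more actors together: the pivot points."""
    out = {}
    for node, neighbours in graph.items():
        actors = sorted(n for n in neighbours if n.startswith(actor_prefix))
        if len(actors) > 1:
            out[node] = actors
    return out


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    print(find_path(g, "forum:zed", "botmaster:A"))
    print(find_path(g, "forum:yam", "botmaster:A"))   # None: dropped by the timeline rule
    print(find_path(g, "developer:x_author", "endpoint:10.1.1.7"))
    print(shared_artifacts(g))
```

The protocol fingerprint is what joins the two botmasters and what reaches back to the kit and its developer; the affiliate ID is what reaches forward to the endpoints. The second forum user is cut out before the walk starts, which is the practical form of "use of timeline to differentiate links".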
Actor: Vuln Researchers
Conclusion
Take Away
HBGary