The role of threat intelligence in combating targeted malware attacks

Nov 21, 2013

Boldizsár Bencsáth
Budapest University of Technology and Economics
Department of Telecommunications
Laboratory of Cryptography and System Security (CrySyS Lab)
www.crysys.hu

Joint work with Levente Buttyán, Gábor Pék, and Márk Félegyházi

Laboratory of Cryptography and System Security
CrySyS Adat- és Rendszerbiztonság Laboratórium
www.crysys.hu

CrySyS Lab - activities

- 09/2011: discovery, naming, and first analysis of the Duqu malware
- 05/2012: published a detailed technical analysis of the Flame malware
- 02/2013: together with Kaspersky Lab, published information on the MiniDuke malware
- 03/2013: after joint work with NSA HUN, published the results of the investigation into the TeamSpy campaign


MiniDuke

- FireEye found a document with a 0-day PDF exploit on 12/02/2013
- PDF documents using the same 0-day vulnerability but carrying a different malware module were found
- The documents were suspicious: we expected the attackers to use them against high-profile targets
- ~60 victim IP addresses found, many of them high-profile targets in governments and organizations, even NATO
- The investigation was finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations
- Not the malware but the attack campaign was of main interest


TeamSpy

- In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support to work further on an already identified attack
- We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists
- There were multiple waves of attack campaigns carried out by the same group over the last 8 years
- Two main malware technologies: one "standard" proprietary botnet client, one based on TeamViewer abuse
- Main goal of the attackers: targeted attacks to steal information
- Traces show that the attackers were active from 2004
- Some of their tools were already known for years by A/V companies, but the whole story was never identified (missing threat intelligence)



Threat intelligence

- The process of discovering malicious activity, through internal monitoring tools or external services that publish information about detected incidents, before an attack succeeds
- Situational awareness: to understand "what is going on"; technical analysis is just one point in that process
- Information is needed from as many sources as possible
- One finding might open the way for another (cyclic approach)
- As long as the attack is not fully understood, the work done should not be exposed (too much): don't leak information towards the attackers


Questions of threat intelligence

- What is the threat we are facing?
  - What tools are used by the attackers?
  - What are the possible capabilities and resources of the attacker?
  - What is the goal of the attacker?
  - Attribution ("who is the attacker?") is just a way to understand it better
- What is the risk on our side?
  - What are our assets that need to be protected?
  - What if the attack continues?
- What should be the response?
  - What is the most efficient way to handle the problem?
  - How to notify others, what to share?
  - What could happen after a response to the attack?


Threat intelligence process - a model

[Figure: a cycle of steps labelled Collect, Analyze, Decide, Act, Dig and Info query]


Threat intelligence gathering - sources

- Internal monitoring tools
  - AV (anti-virus) products
  - IDSs (Intrusion Detection Systems) and SIEMs (Security Information and Event Management systems)
  - Log analysis tools
  - DNS monitoring
  - Honeypots
- External services
  - Run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals
  - Public, closed, or commercial access
  - Examples: collections of malware samples, malicious domains, IP blacklists


A case study for threat intelligence

- 5 Hungarian banks were attacked in a specific Zeus P2P botnet based attack from Dec 2012
- Started with a phishing email and an attached executable
- Main attack: modified browser behavior to transfer money from the user's bank account
- Main attack scripts and the botnet were updated multiple times


First steps

- Collect samples from victims
- Run samples in a sandbox environment
  - First within an isolated computer
  - Network communication shows UDP traffic and later domain flux as a backup mechanism
  - You can consider it to be P2P Zeus
- At first glance VirusTotal gives something like 2/46, with two "generic.Trojan"-style markers
  - After some hours it will give you something like 30/46 if the attack is wide scale
  - If you still see 2/46 then you are in trouble: it can be a targeted attack (APT)
  - If you were the first to upload the sample to VT, you revealed information (query by hash rather than submitting the file)


Zeus P2P UDP traffic sample

01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180
01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140


Domain flux sample

01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
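The two traffic samples above are what a sandbox run produces; the detectors below, an added example written for this page and not part of the CrySyS slides, turn the two observations into checks over tcpdump-style lines: a host spraying UDP from one fixed source port to many peers on high ports (the P2P beaconing of the UDP sample) and a host resolving many long, high-entropy names spread over several TLDs (the domain flux sample). The log lines are constructed for the example (the X.X.X.53 lines copy the anonymised victim from the slides, the X.X.X.77 lines are benign filler); the regexes, thresholds and function names are assumptions, not anything from the talk.

```python
"""Added example, not part of the CrySyS slides: flag P2P fan-out and domain
flux in tcpdump-style output of the kind shown above. Thresholds are assumed."""
import math
import re
from collections import Counter, defaultdict

# tcpdump -n -e style lines as printed on the slides; the ".port" suffix is
# split off the address with a non-greedy match.
UDP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): UDP, length \d+$"
)
DNS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.53: \d+\+ A\? (?P<qname>\S+)\. \(\d+\)$"
)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def udp_fanout(lines, min_peers=5, window=60.0, min_port=1024):
    """Map (src, sport) -> sorted peer IPs for every source socket that reached
    at least `min_peers` distinct destinations on ports above `min_port`
    within some `window`-second span: one fixed source port talking to many
    unrelated high ports is the P2P Zeus pattern on the UDP sample slide."""
    flows = defaultdict(list)
    for line in lines:
        m = UDP_RE.match(line.strip())
        if m and int(m["dport"]) > min_port:
            flows[(m["src"], int(m["sport"]))].append((_seconds(m["ts"]), m["dst"]))
    hits = {}
    for sock, events in flows.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                hits[sock] = sorted(peers)
                break
    return hits


def _entropy(s) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(qname, min_len=12, min_entropy=3.0) -> bool:
    """Crude DGA test on the registrable label: long and high-entropy. Uses the
    label left of the last dot; a public-suffix list would be needed for
    names such as example.co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and _entropy(sld) >= min_entropy


def domain_flux(lines, min_domains=3, min_tlds=2):
    """Map src IP -> sorted generated-looking names for hosts that queried at
    least `min_domains` such names across at least `min_tlds` TLDs."""
    per_host = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and looks_generated(m["qname"]):
            per_host[m["src"]].add(m["qname"].lower())
    hits = {}
    for src, names in per_host.items():
        tlds = {n.rsplit(".", 1)[-1] for n in names}
        if len(names) >= min_domains and len(tlds) >= min_tlds:
            hits[src] = sorted(names)
    return hits


# Constructed capture: the X.X.X.53 lines copy the slides, X.X.X.77 is benign filler.
SAMPLE = """\
01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180
01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140
01:17:02.000000 IPv4 (0x0800), length 76: X.X.X.77.123 > 10.0.0.1.123: UDP, length 48
01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
01:19:05.000000 IPv4 (0x0800), length 73: X.X.X.77.1030 > X.X.X.254.53: 1234+ A? www.google.com. (32)
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for (src, sport), peers in udp_fanout(lines).items():
        print(f"P2P fan-out from {src}:{sport} to {len(peers)} peers: {', '.join(peers)}")
    for host, names in domain_flux(lines).items():
        print(f"domain flux from {host}: {', '.join(names)}")
```

Run against a real capture with `tcpdump -n -e -tt`-style output after adjusting the regexes; the entropy threshold is deliberately low because short DGA labels score lower, so tune it on the legitimate names of your own network before acting on hits.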


Zeus contd.

- It was found (and even published on blog sites) that the malware downloads updates from a hacked web page: www.felegond-jatektar.hu/lego-logo/biz.exe
- The site was running for weeks and nobody took steps to remove the content
- The malware installed several new versions; for some of them only the configuration block was different (e.g. peers)


Difference is only at the end of the file

[Figure: hex comparison of two versions of the sample; the bytes differ only at the end of the file]
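The comparison on this slide is the check worth automating when a campaign re-drops the same binary with a new configuration: find where two versions stop being identical and whether the difference runs to the end of the file. The code below is an added example, not from the slides or the lab; the two "samples" are constructed byte strings (a shared fake code part followed by a peer list that uses the addresses from the UDP traffic sample), and the function names are assumptions.

```python
"""Added example, not part of the CrySyS slides: locate the region that changed
between two versions of a sample and tell a tail-only (configuration block)
change from a change inside the code. The samples are constructed bytes."""
import hashlib


def common_prefix_len(a: bytes, b: bytes) -> int:
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def common_suffix_len(a: bytes, b: bytes, reserved: int) -> int:
    """Identical bytes at the end, never overlapping the first `reserved` bytes."""
    limit = min(len(a), len(b)) - reserved
    i = 0
    while i < limit and a[len(a) - 1 - i] == b[len(b) - 1 - i]:
        i += 1
    return i


def compare_samples(a: bytes, b: bytes) -> dict:
    p = common_prefix_len(a, b)
    s = common_suffix_len(a, b, p)
    return {
        "md5_a": hashlib.md5(a).hexdigest(),
        "md5_b": hashlib.md5(b).hexdigest(),
        # hash of the shared part: a version-independent fingerprint of the code
        "prefix_md5": hashlib.md5(a[:p]).hexdigest(),
        "identical_prefix": p,
        "identical_suffix": s,
        "changed_a": a[p:len(a) - s],
        "changed_b": b[p:len(b) - s],
        # the change starts at p and runs to the very end of the files
        "tail_only": s == 0 and (p < len(a) or p < len(b)),
    }


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{x:02x}" for x in chunk)
        text = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
        rows.append(f"{base + off:08x}  {hexs:<{width * 3}} {text}")
    return "\n".join(rows)


# Constructed stand-ins: an identical "code" part followed by a peer list the
# attackers rotate between drops (addresses taken from the UDP sample slide).
CODE = b"MZ" + bytes(range(256)) * 4
CONFIG_V1 = b"CFG\x00" + b"97.75.77.74:14103;94.68.44.62:25576;" + b"\x00"
CONFIG_V2 = b"CFG\x00" + b"71.43.217.3:11403;122.167.92.124:27481;108.83.233.190:15683;" + b"\x01"
SAMPLE_V1 = CODE + CONFIG_V1
SAMPLE_V2 = CODE + CONFIG_V2

if __name__ == "__main__":
    r = compare_samples(SAMPLE_V1, SAMPLE_V2)
    print(f"v1 {r['md5_a']}  v2 {r['md5_b']}  shared code {r['prefix_md5']}")
    print(f"identical up to offset 0x{r['identical_prefix']:x}, tail-only change: {r['tail_only']}")
    print(hexdump(r["changed_a"], base=r["identical_prefix"]))
    print(hexdump(r["changed_b"], base=r["identical_prefix"]))
```

The prefix hash is the useful by-product: when only the tail changes, the hash of the shared part stays constant across drops, which lets you cluster samples whose full-file MD5s (like the ones listed later in this deck) all differ.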


Zeus contd.

- Later, new malware components were installed on the sandboxed computers
- Some new modules try to communicate with two C&C servers, one in the Netherlands and one in Italy (95.141.32.214)


Components

- The main communication module is written in Delphi
- It uses a standard remote access SDK, "RealThinClient"
- The malware stores components (executable files!) in the registry
  - In binary and sometimes encrypted form
  - Software\Google\Update\network\secure
  - Software\Adobe\Adobe Acrobat
  - Software\Google\Common\Rlz\Events
- Uses VNC as a module
- Uses a SOCKS proxy to back-connect
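Executables parked in registry values are easy to miss with file-system sweeps but easy to find once exported: a PE image starts with the bytes "MZ", and an encrypted one shows up as a large blob with near-maximal byte entropy. The scanner below is an added example, not part of the slides or the lab's tooling: it parses a regedit 5.00 export and flags hex values of either kind, noting when they sit under one of the three key paths named on the slide. The export text is constructed for the example (the value names "cfg", "data" and "count" are invented; the "PE" is only a DOS-stub-shaped byte string and the "encrypted" blob is SHA-256 output), and the thresholds are assumptions.

```python
"""Added example, not part of the CrySyS slides: scan a regedit export for
binary values holding a PE image ("MZ") or a large high-entropy blob, the two
forms in which this campaign stores components. Export text is constructed."""
import hashlib
import math
import re
from collections import Counter

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=hex:4d,5a,... or "name"=hex(2):...; long values continue on following
# lines, each line that continues ending in a backslash.
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<data>.*)$')

# Key paths (below the hive) named on the slide as component stores.
CAMPAIGN_KEYS = (
    "software\\google\\update\\network\\secure",
    "software\\adobe\\adobe acrobat",
    "software\\google\\common\\rlz\\events",
)


def parse_reg_hex_values(text):
    """Return [(key, value_name, type_id, bytes)] for every hex-typed value.
    `text` is the decoded export (regedit writes UTF-16LE with a BOM, so open
    the file with encoding="utf-16" before calling this)."""
    out, key, name, kind, buf = [], None, None, None, []

    def flush():
        out.append((key, name, kind, bytes.fromhex("".join(buf).replace(",", ""))))

    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:                      # continuation of a hex value
            buf.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                flush()
                name, buf = None, []
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = HEX_RE.match(line)
        if m:
            name, kind = m["name"], int(m["kind"] or "3", 16)   # 3 = REG_BINARY
            buf = [m["data"].rstrip("\\")]
            if not m["data"].endswith("\\"):
                flush()
                name, buf = None, []
    return out


def _entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(key: str, data: bytes, min_blob=1024, min_entropy=7.0):
    """Reasons to look at this value; an empty list means nothing notable."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("PE image stored in registry value")
    if len(data) >= min_blob and _entropy(data) >= min_entropy:
        reasons.append(f"high-entropy blob of {len(data)} bytes, possibly an encrypted component")
    path = key.lower().split("\\", 1)[-1]
    if reasons and any(path.startswith(k) for k in CAMPAIGN_KEYS):
        reasons.append("under a key path used by this campaign")
    return reasons


def scan_reg_export(text):
    return [
        {"key": key, "value": name, "size": len(data), "reasons": reasons}
        for key, name, kind, data in parse_reg_hex_values(text)
        if (reasons := classify(key, data))
    ]


def _pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an
    encrypted component; no real key or cipher is involved."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _reg_hex(data: bytes, per_line: int = 25) -> str:
    """Encode bytes the way regedit does: comma separated, continued with a backslash."""
    pairs = [f"{x:02x}" for x in data]
    return ",\\\n  ".join(",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line))


FAKE_PE = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00" + bytes(200)   # DOS-stub shape only
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + (
    "[HKEY_CURRENT_USER\\Software\\Google\\Update\\network\\secure]\n"
    f'"cfg"=hex:{_reg_hex(FAKE_PE)}\n\n'
    "[HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat]\n"
    f'"data"=hex:{_reg_hex(_pseudo_random(2048))}\n\n'
    "[HKEY_CURRENT_USER\\Software\\Google\\Common\\Rlz\\Events]\n"
    '"count"=hex:01,00,00,00\n'
    '"Path"="C:\\\\Program Files\\\\Google\\\\Update"\n'
)

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f'{f["key"]}\\{f["value"]} ({f["size"]} bytes): ' + "; ".join(f["reasons"]))
```

Export the hives with `reg export HKCU hkcu.reg` (and HKLM\Software) on the suspect host and feed the decoded text to `scan_reg_export`; the entropy rule will also catch legitimately compressed or encrypted data, so treat hits outside the campaign paths as leads rather than verdicts.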


RCApp

- For some reason, the RCApp receives a list of known victims from the C&C server
- Communication is in encrypted form
- The data reveals IP addresses and other information (Windows version, computer name, partial SID, etc.) about the victims
- The data revealed that most victims are in Hungary, Sweden and Great Britain
- Of course, the related CERT organizations were notified


RCApp module info about a victim

infoUserName: Tibor
infoIP: 85.66.XXX.XXX
infoComputerName: TIBOR-PC
infoClientVersion: RCApp xxx
infoidgen: HU-41-3XXXXXXXXX
infoIsHost: true
infoisAv: 1a
infoisX64: 0
infoisVer: 1.0.7.5
infoisPcNetName: TIBOR-PC
infoisPcUserName: Tibor
infoisCountry: HU
infoisJava: 7
infoisbk: 0
infoisKeyLog: 0
infoisaccessadmin: 0
infoisNote: 0
infoisUptime: Day: 0 Hour: 13 Min: 17
infouser: (empty)
infopwd: 2d53XXXXXXXXXXXXXXXXXXXz
infoid: E80XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Slide annotation: Windows version and patch level)



"Coropotaile" component victim distribution

[Figure: distribution of victims by country]

- Based on data extracted from the botnet
- The number of known victims is small, ~500


Umbrella data (based on OpenDNS)

[Figure: Umbrella (OpenDNS) data]


Momentsindividualists.biz - C&C domain

[Figure: data on the C&C domain Momentsindividualists.biz]


Coropotaile samples

From VirusTotal uploads:

- QqD Socks proxy module: bd619bcdacc94b586a0afbdbb7d886c5
- RCApp loader: 994caf8a96a9608854eda97edf3ff434
- RCApp xxx 1.7.5 from registry (maybe wrong): eee085bca6e2d0103211e7e8a0d21fc4
- VNC module (vncdll.dll) 149504b: ba0e37dfb2b8432a0c0acc9dfc48bb8d
- VNC module2: bb2ed55913b7edfdeeee82bb85fcf414

Further sample hashes (MD5):

be20272439ea8e2d3052e39e57e93110

3a26b33da3b2d73b01c3637611027b36

9e3b3b5c427c28fab8b7c6bd955d1dcf

afe79cd9ab043f01bb454af4d69c0c80

12dcc190f8911faebec4474c60cb301f

7d2b506d1f1cccf38b98a2bf5d64c770

71fa4058594b6ca86cc3989e1421f11d

73ca3a02534bc907e28c0609aedbe390

b230b621717fb6e1fd9c78a2a053a53a

61acd7649a543b8de9ef47f6f1becdef

dc7bd24ae60fdd61e20f499faf1c08bd

ad41f2afbc3a96615c24e32b3e207acb

4819d04f42dab9dc6059e206961e4637

9322ffe4e6177d44a291df4b3770abc9

4d0cca53828702e96320e559fa836d35

2f856d675273f4601f0e867f51c8b434

b70a1aefa1ab9d6f0278f3c4e86895e8

1ed064a0c2d69206876884d999775f9a

c68dff9bcf2646560158db2c914f5e8a

4996466b0e1bdb393f25ea11f6c20baf

c79ab000caa3346ddf817454653ee472

8dff9f8a9dfe7321cb1606600f983ecb

14d9e1567f372c3626c92b21a259094b

f8cffa6f466297f495af94048e33bf40

b9bf4e272576a90026aa7862a12fc5b8

ecdc60f8b3aae9545262f49f4bab1c78

a5d1b278d2ad2025eefc603f3e7ddf7a

73ca3a02534bc907e28c0609aedbe390

2db3cf5b7a3ee572a5f048a8ecd76629

8636e0d634f035dfdedfd7791aaa6ee4

28e4599c4f3553562bf71027b14ebcb3

bf6f0c9090013898fe5aee36ca45a693

04f71b4a95d649eb393c903e6d059c08

6f1fcc096201d6cf39f3888b4a3a1801

43a50055a8508137f640a50f084e6ae4

6cdff4a6091a0b4089e97b3d13089a02

5e419ee12a4a3d029d7cfa91d23b1687

bd61b5e93174d9b163c342c4dbb2f76f

a5d1b278d2ad2025eefc603f3e7ddf7a

a870ff15482c093991cbac3149c492c4

0120e34a297d90672fc45d72cb68b078

789b2da29022bf692e0a2054f043ae1a

0ac50838152c6792b8ca9e8db5abdc6b

3caa529ddcf40ef5540bec29a08ba240

964b36bb6c15923d7d4ee92e32d67f9c

f8ccfc7e526db6655fe97bc0086ea0a2

cc7616be70b6c52949f0e8fc963b5a73

4c5f96380c85782a2a5c7ebf961e7f4f

9fe9bf82ac81ed7c82241002f85c63a1

69ad13451920ab9c6dd5efcac6e52a41

196205bc8dc9ce629b37f3e4ed76a01c

77aef1d1e719328344b4171661ea7e34

6e13a919c6d2f9f0da6bb07842d3979e

73b2d6b7f2214ff1d05c75eaf447d0fa

5611b116b9f353095a64bdfd37de5128

78fed89f965d5bd3e356d6a3b9616727

d3fcd87207ff1afc671f8a35e174b92e

2f110ca715783ea387cc7b1f91042a50

5c22ca13c6e32bd02612ff691229ea3a

5ce2d4864aba5a23625df32e73e6f863

c67cebdb2f2c6d956674b7ad3e0e9b60

3ae0c2eda6cdfb061b6f6f328b89937f


b7aa4a6f3398ef2f3f287f8b25af5170

bb92dcef94b0e079f9429483dba73609

27597092a59db7362cde2b88ee19b438

4e3eecbaf69e721c1366171a50e19546

662b1421bd29f790906f55c8679028dd

fa756c6763c1f44fe274c9f6041dd6e9

1eafd8a4a409b3735c3bc0a98f9087e3

403cd7c0c276af3159f565b03a24ec7c

af1cdb38feb51ef68d790dd63c0c020d

a68c44e60ad28e457bd4583c9a5b9ff7

65cb92dd823f789dd99cba8a7a108ddd

68d602fbd5151022add13268341ca292

deabc900df4f22e9f62d7c56ce35f9f2

0df7fbfd12c0478fa17a7b253f9e254f

edea0c629b68cddf1cd3f09abbde2d92

b4cf239d0b419d5cc56717d5836501d3

f7b16a76b6220125a61ecadb7df9d361

1f204343af2cb5dff7a40e2ea4dd8db5

b71d3d5eed6700a15c4ca0c24ceb3308

e1004aae8f165144cc0560784548531e

c212dbc1d3b1c605127177d2ba5f6cb4

1cb8d50d635578de30b317743a0e4554


Zeus - conclusions

- It is not just "Zeus", it's a campaign
- A new related campaign was discovered (RCApp)
- A new malware strain was uncovered, with new tricks
- Several corresponding samples can be investigated
- Hundreds of victims were identified
- Lots of questions are still unanswered
- Work in progress


Conclusions - threat intelligence

- Threat intelligence is more than finding and analyzing malware
- Lots of information is available, but threat intelligence is still a hard task
- Some tasks can be automated, but many cannot: scalability problems
- It is a hard task to judge seriousness
- Information sharing is highly needed
- Threat intelligence is very important for the security of our networks


Questions?

CrySyS Lab, Budapest

Contact info:
www.crysys.hu
www.crysysatm.com