
The role of threat intelligence in combating against targeted malware attacks

Boldizsár Bencsáth, Budapest University of Technology and Economics, Department of Telecommunications, Laboratory of Cryptography and System Security (CrySyS Lab), www.crysys.hu



  1. The role of threat intelligence in combating against targeted malware attacks. Boldizsár Bencsáth, Budapest University of Technology and Economics, Department of Telecommunications, Laboratory of Cryptography and System Security (CrySyS Lab), www.crysys.hu. Joint work with Levente Buttyán, Gábor Pék, and Márk Félegyházi

  2. CrySyS Lab - activities • 09/2011 discovery, naming, and first analysis of the Duqu malware • 05/2012 published a detailed technical analysis of the Flame malware • 02/2013 together with Kaspersky Lab, published information on the MiniDuke malware • 03/2013 after joint work with NSA HUN, published the results of the investigation of the TeamSpy campaign

  3. Miniduke • FireEye found a document with a 0-day PDF exploit on 12/02/2013 • Further PDF documents were found that used the same 0-day vulnerability but dropped a different malware module • The documents were suspicious: we expected the attackers to use them against high-profile targets • ~60 victim IP addresses found, many of them high-profile targets in governments and organizations, even NATO • The investigation was finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations • The main interest is not the malware itself but the attack campaign

  4. TeamSpy • In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support in further work on an already identified attack • We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists • There were multiple waves of attack campaigns by the same group over the last 8 years • Two main malware technologies: one "standard" proprietary botnet client, one based on abuse of TeamViewer • Main goal of the attackers: targeted attacks to steal information • Traces show that the attackers were active from 2004 • Some of their tools had been known for years by A/V companies, but the whole story was never pieced together (missing threat intelligence)

  5. Threat Intelligence • the process of discovering malicious activity, through internal monitoring tools or external services that publish information about detected incidents, before an attack succeeds • situational awareness • to understand "what is going on"; technical analysis is just one step in that process • Information is needed from as many sources as possible • One finding may open the way to another (cyclic approach) • As long as the attack is not fully understood, the work done should not be exposed (too much): don't leak information towards the attackers

  6. Questions of threat intelligence • What is the threat we are facing? • What tools are used by the attackers? • What are the possible capabilities, resources of the attacker? • What is the goal of the attacker? • Attribution “who is the attacker” is just a way to understand it better • What is the risk at our side? • What are our assets that need to be protected? • What if the attack continues? • What should be the response? • What is the most efficient way to handle the problem? • How to notify others, what to share? • What could happen after a response on the attack?

  7. Threat intelligence process - a model (diagram on the slide: the stages Collect, Analyze, Decide and Act, connected by arrows labelled dig, info, query, command and intelligence)

  8. Threat intelligence gathering - sources • internal monitoring tools • AV (anti-virus) products • IDSs (Intrusion Detection Systems) and SIEMs (Security Information and Event Management systems) • log analysis tools • DNS monitoring • honeypots • external services • run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals • public, closed, or commercial access • examples: collections of malware samples, malicious domains, IP blacklists

  9. A case study for threat intelligence • From Dec 2012, 5 Hungarian banks were attacked by a specific Zeus P2P botnet based campaign • It started with a phishing email carrying an executable attachment • Main attack: modified browser behavior (web injects) to transfer money out of the user's bank account • The main attack scripts and the botnet were updated multiple times

  10. First steps • Collect samples from victims • Run the samples in a sandbox environment • First on an isolated computer • Network communication shows UDP traffic and later domain flux as a backup mechanism • You can assume it is P2P Zeus • At first glance VirusTotal gives something like 2/46 with "generic.Trojan" markers • After some hours it will give you something like 30/46 if the attack is wide scale • If you still see 2/46 then you are in trouble: it can be a targeted attack (APT) • If you were the first to upload the sample to VT, you have revealed information

  11. Zeus P2P UDP traffic sample
  • 01:16:13.254269 IPv4 (0x0800), length 167: X.X.X.53.21969 > 97.75.77.74.14103: UDP, length 125
  • 01:16:20.129442 IPv4 (0x0800), length 218: X.X.X.53.21969 > 94.68.44.62.25576: UDP, length 176
  • 01:16:25.409926 IPv4 (0x0800), length 118: X.X.X.53.21969 > 71.43.217.3.11403: UDP, length 76
  • 01:16:33.222633 IPv4 (0x0800), length 244: X.X.X.53.21969 > 122.167.92.124.27481: UDP, length 202
  • 01:16:38.316845 IPv4 (0x0800), length 201: X.X.X.53.21969 > 76.69.128.171.24685: UDP, length 159
  • 01:16:46.160059 IPv4 (0x0800), length 222: X.X.X.53.21969 > 108.83.233.190.15683: UDP, length 180
  • 01:16:51.847481 IPv4 (0x0800), length 182: X.X.X.53.21969 > 108.211.64.46.23323: UDP, length 140

  12. Domain flux sample
  • 01:18:55.362727 IPv4 (0x0800), length 87: X.X.X.53.1025 > X.X.X.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
  • 01:18:56.879718 IPv4 (0x0800), length 92: X.X.X.53.1025 > X.X.X.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
  • 01:18:58.643930 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
  • 01:19:00.176469 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
  • 01:19:01.706529 IPv4 (0x0800), length 89: X.X.X.53.1025 > X.X.X.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
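The two captures above (slides 11 and 12) are exactly what an internal monitoring tool can alert on: one host sending UDP from a single fixed source port to many unrelated peers on high ports, then a burst of A queries for long, consonant-heavy names. The following script is an added example, not code from the CrySyS Lab or the deck; it parses tcpdump's text output and applies both heuristics. The victim address X.X.X.53 is written as 10.0.0.53 and the resolver X.X.X.254 as 10.0.0.254 (assumptions, since the slide anonymises them); the peers and queried names are the ones on the slides, and two benign lookups are added as controls.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's text format, modelled on slides 11 and 12.
# 10.0.0.53 stands in for the anonymised victim X.X.X.53 and 10.0.0.254 for
# the resolver X.X.X.254; the last two lines are benign controls.
CAPTURE = """\
01:16:13.254269 IPv4 (0x0800), length 167: 10.0.0.53.21969 > 97.75.77.74.14103: UDP, length 125
01:16:20.129442 IPv4 (0x0800), length 218: 10.0.0.53.21969 > 94.68.44.62.25576: UDP, length 176
01:16:25.409926 IPv4 (0x0800), length 118: 10.0.0.53.21969 > 71.43.217.3.11403: UDP, length 76
01:16:33.222633 IPv4 (0x0800), length 244: 10.0.0.53.21969 > 122.167.92.124.27481: UDP, length 202
01:16:38.316845 IPv4 (0x0800), length 201: 10.0.0.53.21969 > 76.69.128.171.24685: UDP, length 159
01:16:46.160059 IPv4 (0x0800), length 222: 10.0.0.53.21969 > 108.83.233.190.15683: UDP, length 180
01:16:51.847481 IPv4 (0x0800), length 182: 10.0.0.53.21969 > 108.211.64.46.23323: UDP, length 140
01:18:55.362727 IPv4 (0x0800), length 87: 10.0.0.53.1025 > 10.0.0.254.53: 20469+ A? phuozkvvouskzptvcxcicq.info. (45)
01:18:56.879718 IPv4 (0x0800), length 92: 10.0.0.53.1025 > 10.0.0.254.53: 50782+ A? pjibrcdipzxwmrkgysghuxeywkba.com. (50)
01:18:58.643930 IPv4 (0x0800), length 89: 10.0.0.53.1025 > 10.0.0.254.53: 50549+ A? gqvkeqroqgqorskhvcdilvfaxy.ru. (47)
01:19:00.176469 IPv4 (0x0800), length 89: 10.0.0.53.1025 > 10.0.0.254.53: 46761+ A? datpypjrnfrgipfhqfatsjkzd.biz. (47)
01:19:01.706529 IPv4 (0x0800), length 89: 10.0.0.53.1025 > 10.0.0.254.53: 7477+ A? ztijxchyldmpguizpbdyxsus.info. (47)
01:19:03.000000 IPv4 (0x0800), length 75: 10.0.0.53.1025 > 10.0.0.254.53: 1234+ A? www.microsoft.com. (35)
01:19:04.000000 IPv4 (0x0800), length 80: 10.0.0.53.1025 > 10.0.0.254.53: 1235+ A? windowsupdate.microsoft.com. (45)
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_RE = re.compile(r"^\d+\+ A\? (?P<qname>\S+)\. \(\d+\)$")


def parse(capture):
    """Split a tcpdump text capture into plain UDP flows and DNS A queries."""
    udp, dns = [], []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        q = DNS_RE.match(p["rest"])
        if p["dport"] == "53" and q:
            dns.append((p["src"], q.group("qname")))
        elif p["rest"].startswith("UDP"):
            udp.append((p["src"], int(p["sport"]), p["dst"], int(p["dport"])))
    return udp, dns


def p2p_candidates(udp, min_peers=5):
    """Hosts that send UDP from ONE fixed source port to many distinct remote
    IPs on distinct high ports: the fan-out pattern of the Zeus P2P slide.
    Returns {(src_ip, src_port): distinct_peer_count} for hosts over the bar."""
    peers = defaultdict(set)
    for src, sport, dst, dport in udp:
        if dport > 1024:
            peers[(src, sport)].add((dst, dport))
    return {k: len(v) for k, v in peers.items() if len(v) >= min_peers}


def dga_candidates(dns, min_len=15, max_vowel_ratio=0.30):
    """Flag queried names whose registrable label is long and nearly vowel-free,
    a cheap test for algorithmically generated (domain-flux) names.
    Simplification: labels[-2] is taken as the registrable label, so
    co.uk-style public suffixes are not handled."""
    flagged = []
    for _src, qname in dns:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        label = labels[-2]
        vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
        if len(label) >= min_len and vowel_ratio <= max_vowel_ratio:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    udp_flows, dns_queries = parse(CAPTURE)
    print("P2P fan-out:", p2p_candidates(udp_flows))
    print("DGA-like queries:", dga_candidates(dns_queries))
```

In a real deployment the domain-flux burst is even easier to spot on the resolver side, because almost all of the generated names return NXDOMAIN; the slide only shows the query side, so the example works from queries alone. Both thresholds are starting points to tune against your own baseline, not fixed detection rules.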

  13. Zeus contd. • It was found (and even published on blog sites) that the malware downloads updates from a compromised web page • www.felegond-jatektar.hu/lego-logo/biz.exe • The site was serving the file for weeks and nobody took steps to remove the content • The malware installed several new versions; for some of them only the configuration block was different (e.g. the peer list)

  14. Difference is only at the end of the file (hex comparison of two downloaded versions on the slide: the code body is identical, only the trailing configuration block differs)
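When a campaign pushes several versions of the same binary and only the trailing configuration block changes, comparing whole-file hashes tells you nothing, while comparing the shared body tells you which samples are the same build with a different config. The script below is an added example, not code from the deck or the lab: it clusters samples whose bytes agree for at least 90% of their common length, then cuts each cluster at the first offset where any two members differ, hashing the body and the tail separately. The samples are constructed (a fake body plus a readable peer list); in real Zeus P2P samples the configuration block is encrypted, so the tail is compared only as opaque bytes, which the code also does.

```python
import hashlib


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes on which a and b agree."""
    n = min(len(a), len(b))
    i = 0
    while i < n and a[i] == b[i]:
        i += 1
    return i


def cluster_same_build(samples: dict, min_ratio: float = 0.9) -> list:
    """Group samples that share a long common prefix (same code body).
    Greedy: each sample is compared with the first member of every cluster."""
    clusters = []
    for name, data in samples.items():
        for cl in clusters:
            rep = samples[cl[0]]
            if common_prefix_len(rep, data) >= min_ratio * min(len(rep), len(data)):
                cl.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def split_body_and_config(samples: dict) -> tuple:
    """For samples of ONE build, find the first offset where any pair differs
    and return (cut, {name: {body_md5, tail_md5, tail_len}}). Everything
    before the cut is the shared body; everything after is the per-build block."""
    names = list(samples)
    cut = min(len(d) for d in samples.values())
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            cut = min(cut, common_prefix_len(samples[a], samples[b]))
    parts = {}
    for name, data in samples.items():
        parts[name] = {
            "body_md5": hashlib.md5(data[:cut]).hexdigest(),
            "tail_md5": hashlib.md5(data[cut:]).hexdigest(),
            "tail_len": len(data) - cut,
        }
    return cut, parts


# Constructed samples (not real malware): a shared fake code body followed by
# a per-version peer list, mimicking "difference only at the end of the file".
BODY = b"MZ" + bytes(range(256)) * 4


def make_sample(peers):
    return BODY + b"CFG:" + b";".join(peers)


SAMPLES = {
    "biz.exe.v1": make_sample([b"97.75.77.74:14103", b"94.68.44.62:25576"]),
    "biz.exe.v2": make_sample([b"97.75.77.74:14103", b"71.43.217.3:11403"]),
    "biz.exe.v3": make_sample([b"122.167.92.124:27481"]),
    # a different build entirely: the body diverges right after the MZ header
    "other.exe": b"MZ" + bytes(range(255, -1, -1)) * 4 + b"CFG:x",
}


if __name__ == "__main__":
    for cl in cluster_same_build(SAMPLES):
        cut, parts = split_body_and_config({n: SAMPLES[n] for n in cl})
        print(f"cluster {cl}: shared body ends at offset {cut}")
        for name, p in parts.items():
            print(f"  {name}: body {p['body_md5']} tail {p['tail_md5']} ({p['tail_len']} bytes)")
```

The body hash is the value worth sharing with other teams: it survives every config-only repack, whereas the whole-file MD5s on slide 22 each match exactly one version.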

  15. Zeus Contd. • Later new malware components were installed to sandboxed computers • Some new modules try to communicate with two C&C servers, one in Netherlands and one in Italy (95.141.32.214)

  16. Components • The main communication module is written in Delphi • It uses a standard remote access SDK, "RealThinClient" • The malware stores components (executable files!) in the registry • In binary and sometimes encrypted form • Software\Google\Update\network\secure • Software\Adobe\Adobe Acrobat • Software\Google\Common\Rlz\Events • Uses VNC as a module • Uses a SOCKS proxy to connect back
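Executables parked in registry values are easy to miss with file-based AV, but they are cheap to hunt for once the registry is exported. The script below is an added example and not the lab's tooling: it parses a regedit-style `.reg` export (hex values wrap across lines with a trailing backslash, which the parser joins back together), then flags any binary value that either carries a PE image (MZ header and a valid e_lfanew pointing at "PE\0\0") or is large and high-entropy (the "sometimes encrypted" case), and notes whether the value sits under one of the three paths named on the slide. The registry data is constructed in the script itself; the value names and the non-slide key `Software\Microsoft\Example` are assumptions.

```python
import math
import re
import struct

# Paths named on slide 16 (matched as suffixes of the full key, case-insensitively)
SUSPECT_KEYS = (
    r"Software\Google\Update\network\secure",
    r"Software\Adobe\Adobe Acrobat",
    r"Software\Google\Common\Rlz\Events",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of encrypted blobs."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(blob: bytes) -> bool:
    """MZ header plus an e_lfanew (offset 0x3C) that points at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_reg_export(text):
    """Yield (key, value_name, bytes) for every hex-typed value in a .reg export."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # re-join wrapped hex lines
    key = None
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=hex(?:\(\d+\))?:([0-9a-fA-F,]*)$', line)
        if m and key:
            yield key, m.group(1), bytes.fromhex(m.group(2).replace(",", ""))


def hunt(text, min_blob=1024, min_entropy=7.5):
    """Return findings as dicts: key, name, reason, known_path."""
    findings = []
    for key, name, blob in parse_reg_export(text):
        known = any(key.lower().endswith(s.lower()) for s in SUSPECT_KEYS)
        if looks_like_pe(blob):
            reason = "PE image stored in registry"
        elif len(blob) >= min_blob and shannon_entropy(blob) >= min_entropy:
            reason = "large high-entropy blob (possibly encrypted payload)"
        else:
            continue
        findings.append({"key": key, "name": name, "reason": reason, "known_path": known})
    return findings


# ---- constructed test data (no real malware involved) ----
def to_reg_hex(blob, per_line=25):
    """Format bytes the way regedit exports them, wrapping with a trailing backslash."""
    chunks = [",".join(f"{b:02x}" for b in blob[i:i + per_line]) for i in range(0, len(blob), per_line)]
    return "hex:" + ",\\\n  ".join(chunks)


FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 1500
ENCRYPTED_LIKE = bytes(range(256)) * 8          # entropy exactly 8.0
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Google\\Update\\network\\secure]\n"
    '"data"=' + to_reg_hex(FAKE_PE) + "\n\n"
    "[HKEY_CURRENT_USER\\Software\\Google\\Common\\Rlz\\Events]\n"
    '"events"=' + to_reg_hex(ENCRYPTED_LIKE) + "\n\n"
    "[HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat]\n"
    '"lic"=hex:01,00,00,00\n\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Example]\n"
    '"cache"=' + to_reg_hex(b"A" * 2048) + "\n"
)

if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['reason']} (known path: {f['known_path']})")
```

A live hunt feeds `hunt()` with the output of `reg export HKCU\Software out.reg` (or the HKLM hive) from each host; the known-path flag ranks hits, but the PE and entropy tests are what catch the same technique under a key the attackers have since moved to.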

  17. RCApp • For some reason, RCApp receives the list of known victims from the C&C server • The communication is encrypted • The data reveals IP addresses and other information (Windows version, computer name, partial SID, etc.) about the victims • The data showed that most victims are in Hungary, Sweden and Great Britain • Of course, the relevant CERT organizations were notified

  18. RCApp module info about a victim (field name: value)
  • infoUserName: Tibor
  • infoIP: 85.66.XXX.XXX
  • infoComputerName: TIBOR-PC
  • infoClientVersion: RCApp xxx
  • infoidgen: HU-41-3XXXXXXXXX
  • infoIsHost: true
  • infoisAv: 1a
  • infoisX64: 0
  • infoisVer: 1.0.7.5
  • infoisPcNetName: TIBOR-PC
  • infoisPcUserName: Tibor
  • infoisCountry: HU
  • infoisJava: 7
  • infoisbk: 0
  • infoisKeyLog: 0
  • infoisaccessadmin: 0
  • infoisNote: 0
  • infoisUptime: Day: 0 Hour: 13 Min: 17
  • infouser: (empty)
  • infopwd: 2d53XXXXXXXXXXXXXXXXXXXz
  • infoid: E80XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  (callout on the slide: Windows version and patch level)

  19. “Coropotaile” component victim distribution • Based on data extracted from the botnet • Number of known victims is small, ~500

  20. Umbrella data (based on OpenDNS)

  21. Momentsindividualists.biz – CC domain

  22. Coropotaile samples - from VirusTotal uploads (MD5)
  • QqD Socks proxy module: bd619bcdacc94b586a0afbdbb7d886c5
  • RCApp loader: 994caf8a96a9608854eda97edf3ff434
  • RCApp xxx 1.7.5 from registry (maybe wrong): eee085bca6e2d0103211e7e8a0d21fc4
  • VNC module (vncdll.dll) 149504b: ba0e37dfb2b8432a0c0acc9dfc48bb8d
  • VNC module2: bb2ed55913b7edfdeeee82bb85fcf414
  • Other samples:
  be20272439ea8e2d3052e39e57e93110
  3a26b33da3b2d73b01c3637611027b36
  9e3b3b5c427c28fab8b7c6bd955d1dcf
  afe79cd9ab043f01bb454af4d69c0c80
  12dcc190f8911faebec4474c60cb301f
  7d2b506d1f1cccf38b98a2bf5d64c770
  71fa4058594b6ca86cc3989e1421f11d
  73ca3a02534bc907e28c0609aedbe390
  b230b621717fb6e1fd9c78a2a053a53a
  61acd7649a543b8de9ef47f6f1becdef
  dc7bd24ae60fdd61e20f499faf1c08bd
  ad41f2afbc3a96615c24e32b3e207acb
  4819d04f42dab9dc6059e206961e4637
  9322ffe4e6177d44a291df4b3770abc9
  4d0cca53828702e96320e559fa836d35
  2f856d675273f4601f0e867f51c8b434
  b70a1aefa1ab9d6f0278f3c4e86895e8
  1ed064a0c2d69206876884d999775f9a
  c68dff9bcf2646560158db2c914f5e8a
  4996466b0e1bdb393f25ea11f6c20baf
  c79ab000caa3346ddf817454653ee472
  8dff9f8a9dfe7321cb1606600f983ecb
  14d9e1567f372c3626c92b21a259094b
  f8cffa6f466297f495af94048e33bf40
  b9bf4e272576a90026aa7862a12fc5b8
  ecdc60f8b3aae9545262f49f4bab1c78
  a5d1b278d2ad2025eefc603f3e7ddf7a
  73ca3a02534bc907e28c0609aedbe390
  2db3cf5b7a3ee572a5f048a8ecd76629
  8636e0d634f035dfdedfd7791aaa6ee4
  28e4599c4f3553562bf71027b14ebcb3
  bf6f0c9090013898fe5aee36ca45a693
  04f71b4a95d649eb393c903e6d059c08
  6f1fcc096201d6cf39f3888b4a3a1801
  43a50055a8508137f640a50f084e6ae4
  6cdff4a6091a0b4089e97b3d13089a02
  5e419ee12a4a3d029d7cfa91d23b1687
  bd61b5e93174d9b163c342c4dbb2f76f
  a5d1b278d2ad2025eefc603f3e7ddf7a
  a870ff15482c093991cbac3149c492c4
  0120e34a297d90672fc45d72cb68b078
  789b2da29022bf692e0a2054f043ae1a
  0ac50838152c6792b8ca9e8db5abdc6b
  3caa529ddcf40ef5540bec29a08ba240
  964b36bb6c15923d7d4ee92e32d67f9c
  f8ccfc7e526db6655fe97bc0086ea0a2
  cc7616be70b6c52949f0e8fc963b5a73
  4c5f96380c85782a2a5c7ebf961e7f4f
  9fe9bf82ac81ed7c82241002f85c63a1
  69ad13451920ab9c6dd5efcac6e52a41
  196205bc8dc9ce629b37f3e4ed76a01c
  77aef1d1e719328344b4171661ea7e34
  6e13a919c6d2f9f0da6bb07842d3979e
  73b2d6b7f2214ff1d05c75eaf447d0fa
  5611b116b9f353095a64bdfd37de5128
  78fed89f965d5bd3e356d6a3b9616727
  d3fcd87207ff1afc671f8a35e174b92e
  2f110ca715783ea387cc7b1f91042a50
  5c22ca13c6e32bd02612ff691229ea3a
  5ce2d4864aba5a23625df32e73e6f863
  c67cebdb2f2c6d956674b7ad3e0e9b60
  3ae0c2eda6cdfb061b6f6f328b89937f
  b7aa4a6f3398ef2f3f287f8b25af5170
  bb92dcef94b0e079f9429483dba73609
  27597092a59db7362cde2b88ee19b438
  4e3eecbaf69e721c1366171a50e19546
  662b1421bd29f790906f55c8679028dd
  fa756c6763c1f44fe274c9f6041dd6e9
  1eafd8a4a409b3735c3bc0a98f9087e3
  403cd7c0c276af3159f565b03a24ec7c
  af1cdb38feb51ef68d790dd63c0c020d
  a68c44e60ad28e457bd4583c9a5b9ff7
  65cb92dd823f789dd99cba8a7a108ddd
  68d602fbd5151022add13268341ca292
  deabc900df4f22e9f62d7c56ce35f9f2
  0df7fbfd12c0478fa17a7b253f9e254f
  edea0c629b68cddf1cd3f09abbde2d92
  b4cf239d0b419d5cc56717d5836501d3
  f7b16a76b6220125a61ecadb7df9d361
  1f204343af2cb5dff7a40e2ea4dd8db5
  b71d3d5eed6700a15c4ca0c24ceb3308
  e1004aae8f165144cc0560784548531e
  c212dbc1d3b1c605127177d2ba5f6cb4
  1cb8d50d635578de30b317743a0e4554
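A hash list like the one above is only useful once it has been turned into a clean indicator set: the slide mixes labels, a file size ("149504b") and the hashes, and it lists two MD5s twice. The script below is an added example, not tooling from the lab or the deck. It validates every token (accepting exactly 32 hex characters, reporting hex-looking tokens of other lengths as likely copy errors, ignoring labels), reports duplicates, and then walks a directory tree matching file MD5s against the set. The sample list is a handful of entries copied from the slide plus one deliberately truncated hash; the offline demo adds the hash of a constructed file to the set, since no real file matching a slide hash is available.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed excerpt of slide 22, with one truncated hash added to exercise
# the rejection path. "149504b" is the file size that precedes the vncdll hash.
SLIDE_IOC_TEXT = """
RCApploader 994caf8a96a9608854eda97edf3ff434
VNC module (vncdll.dll) 149504b ba0e37dfb2b8432a0c0acc9dfc48bb8d
73ca3a02534bc907e28c0609aedbe390
a5d1b278d2ad2025eefc603f3e7ddf7a
73ca3a02534bc907e28c0609aedbe390
a5d1b278d2ad2025eefc603f3e7ddf7a
ba0e37dfb2b8432a0c0acc9dfc48bb
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def normalise_ioc_list(text):
    """Return (unique md5 set, {md5: count} for duplicates, rejected tokens).
    Hex-looking tokens that are not exactly 32 chars are reported, not silently
    dropped, so a truncated or fused hash is visible to the analyst."""
    seen = Counter()
    rejected = []
    for tok in text.split():
        t = tok.lower().strip(",;")
        if MD5_RE.fullmatch(t):
            seen[t] += 1
        elif re.fullmatch(r"[0-9a-f]{20,}", t):
            rejected.append(t)
    dups = {h: n for h, n in seen.items() if n > 1}
    return set(seen), dups, rejected


def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(path, md5)] for files whose MD5 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable (locked, permission): skip, keep scanning
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo():
    """Offline run: one constructed 'known bad' file (its hash is added to the
    set because no file matching a real slide hash exists here) and one clean file."""
    iocs, dups, rejected = normalise_ioc_list(SLIDE_IOC_TEXT)
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "biz.exe")
        with open(bad, "wb") as f:
            f.write(b"MZ constructed sample, not real malware")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("hello")
        hits = scan_tree(root, iocs | {md5_of_file(bad)})
    return sorted(os.path.basename(p) for p, _ in hits), dups, rejected


if __name__ == "__main__":
    print(demo())
```

MD5 is what the slide publishes, so MD5 is what you match on; when you share your own findings onward, add SHA-256 alongside, because MD5 collisions are practical and a matched list should not be the only evidence you keep.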

  23. Zeus - conclusions • It is not just "Zeus", it is a campaign • A new related campaign was discovered (RCApp) • A new malware strain with new tricks was uncovered • Several corresponding samples can be investigated • Hundreds of victims were identified • Many questions are still unanswered • Work in progress

  24. Conclusions - threat intelligence • Threat intelligence is more than finding and analyzing malware • A lot of information is available, but threat intelligence is still a hard task • Some tasks can be automated, but many cannot: scalability problems • It is hard to judge the seriousness of a finding • Information sharing is badly needed • Threat intelligence is very important for the security of our networks

  25. Questions? CrySyS Lab, Budapest contact info: www.crysys.hu www.crysysatm.com
