A Broad View of the Ecosystem of Socially Engineered Exploit Documents
Stevens Le Blond, Cédric Gilbert, Utkarsh Upadhyay, Manuel Gomez Rodriguez and David Choffnes
Challenges with measuring targeted attacks
• Low-volume, socially engineered messages that convince specific victims to install malware
• Three studies published at Usenix Security '14
• Tibet (Hardy et al.), Middle East (Marczak et al.), and Uyghur (Le Blond et al.)
Measuring targeted attacks is a long and difficult process
Can Anti-Virus Aggregators (VirusTotal) help?
VirusTotal Statistics (one week)
VirusTotal as a vantage point to measure targeted attacks
Research questions
• Do targeted groups upload exploit documents to VirusTotal?
• Can we scale our analysis to hundreds of thousands of samples?
• How do attacks faced by different groups compare with each other?
• Is VirusTotal used by other actors such as attackers and researchers?
Outline
1) Methodology
2) Analysis of exploit documents
3) Future work
Exploit document infection process
[Figure: infection stages Exploit → Decoy → Malware]
Data acquisition and processing workflow
Can we scale our analysis to hundreds of thousands of samples? Acquisition
[Figure: samples acquired: 257,635 documents, plus 143 WUC ground-truth documents]
Can we scale our analysis to hundreds of thousands of samples? Detection
[Figure: detection with EMET. Readers tested: Office w/ EMET (2003, 2007, 2010; SP0, SP1, SP2, SP3) and Acrobat w/ EMET (VII, VIII, IX, X, XI; 0.0, 1.0, 2.0, 3.0, 4.0, 5.0). Detected: 257,635 − 219,794 = 37,841 documents; WUC: 143 − 29 = 114.]
How many versions of readers do we have to test?
[Figure: CDF of # affected versions]
Few exploits are portable across all reader versions
Can we scale our analysis to hundreds of thousands of samples? Extraction
[Figure: extraction with a driver. Readers tested: Office w/ driver (2003, 2007, 2010; SP0, SP1, SP2, SP3) and Acrobat w/ driver (VII, VIII, IX, X, XI; 0.0, 1.0, 2.0, 3.0, 4.0, 5.0). Extracted: 37,841 − 34,026 = 3,815 documents; WUC: 114 − 11 = 103.]
Can we scale our analysis to hundreds of thousands of samples? Analysis
[Figure: analysis stage fed by the 3,815 extracted documents (103 WUC): translators (2,447) and malware sandboxes (3,705)]
Outline
1) Methodology
2) Analysis of exploit documents
3) Future work
Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys)
VirusTotal gives visibility into attacks targeting numerous groups
How do attacks faced by different groups compare with each other? Languages of decoys
[Figure: languages of decoys per group (y-axis: Fraction)]
Decoys tend to use the official language of the groups they target
How do attacks faced by different groups compare with each other? Malware targeting
From our dataset, malware families tend to target one or two countries
Targeted regions
• Chinese influence: Tibet, Uyghur, Taiwan
• Asia Pacific: Myanmar, the Philippines, Thailand, and Vietnam
• Asia Pacific, G20: India, Indonesia, Japan, and South Korea
• Russia and USA
How do attacks faced by different groups compare with each other? Malware targeting (cont.)
[Figure: countries per malware family (y-axis: Fraction)]
Malware found in multiple countries tends to target a confined region
Outline
1) Methodology
2) Analysis of exploit documents
3) Future work
Future work
• Monitoring operator behavior of targeted malware
• Analysis of evasion techniques, attackers' operations, and other attack vectors
• Deploy on-premises and cloud-based services for analysis of email attachments
Take home messages
• Complementary methodology to measure targeted attacks at scale
• At-risk groups upload exploit documents to VirusTotal
• Groups tend to be targeted with tailored decoys and malware families
• Preliminary impact
  • Service deployed at email provider with 100,000+ users
  • Dataset and academic service available at https://slingshot.dedis.ch
Frequently Asked Questions
• What are the observational biases of using VirusTotal?
• What are the common types of malicious documents that you filtered out?
• Why did you focus on exploit documents?
• What precautions did you take to reduce false negatives?
• Did you find indications of successful compromises?
What are the observational biases of using VirusTotal?
• Coverage of targeted attacks is limited to those users and organizations who upload suspicious files
• VirusTotal's visibility is likely skewed towards users who work with non-classified material
• The VirusTotal dataset offers a partial coverage of attacks where individuals and NGOs are likely over-represented
What are the most common malicious documents that you filtered out?
Why did you focus on exploit documents?
• Exploit documents are the most common vector of targeted attacks identified by related work
• Macros require additional user approval and can be forcibly disabled by system administrators
• Used against a range of targets including NGOs, news agencies, and military, governmental and intelligence agencies
What precautions did you take to reduce false negatives?
• Reducing detection FNs
  • Cross-validated EMET detection results with ground truth from the WUC dataset
  • 29/143 WUC documents were not detected by EMET, none of them FNs (16 Mac OS X, 9 wrong reader version, 2 password, and 2 without exploit)
• Reducing extraction FNs
  • Manually inspected EMET detections that didn't write files to disk
  • 29/4,259 documents detected by EMET did not write any files to disk, none of them FNs (6 crashes, 4 experimental, and 19 dysfunctional)
• None of our analyses depends on the lack of evasion techniques in the malware embedded in exploit documents
Did you find indication of successful compromises?
• Coded decoys based on their languages, the countries they refer to, ethnic groups and dates, and whether they targeted specific individuals or organizations
• Native speakers independently coded the documents written in Russian, Traditional Chinese, Uyghur, and Vietnamese
• Identified documents likely exfiltrated from compromised systems and used as decoys in exploit documents targeting new, related victims
Did you find indication of successful compromises (cont.)?
[Figure: replayed decoys per group (y-axis: Fraction)]
Most groups were targeted with replayed decoys
Did you find evidence of zero-day vulnerabilities?
• We collaborated with a large AV vendor to determine the CVE tags of the exploited reader vulnerabilities
• The vendor scanned all the exploit documents that we detected and compared the resulting CVE with the majority of VirusTotal tags
  • If the two CVEs matched, no further action was taken
  • Otherwise, the sample was analyzed manually
• Samples for which the CVE release date was after the date of upload on VirusTotal were examined manually to determine the CVE's correctness
• Based on this methodology, we didn't find evidence of zero-day vulnerabilities
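The zero-day triage described in this FAQ, written out as an added example (not code from the authors or the Slingshot service): a sample is sent to manual analysis when the vendor's CVE disagrees with the majority VirusTotal tag, or when the CVE was published after the sample's first upload. The CVE identifiers, publication dates and samples are constructed placeholders, and the `Sample` fields are assumptions about what such a record would hold.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed CVE publication dates: the identifiers are placeholders, not
# real CVEs, and the dates are invented for this example.
CVE_PUBLISHED = {
    "CVE-YYYY-0001": date(2014, 3, 1),
    "CVE-YYYY-0002": date(2015, 6, 15),
}

@dataclass
class Sample:
    label: str             # constructed sample name (no real hashes)
    vt_first_upload: date  # date the document was first uploaded to VirusTotal
    vt_cve_tags: list      # CVE tags reported by the VirusTotal engines
    vendor_cve: str        # CVE assigned by the partner AV vendor's scan

def majority_cve(tags):
    """CVE named by the most VirusTotal engines, or None if no engine tagged one."""
    if not tags:
        return None
    cve, _count = Counter(tags).most_common(1)[0]
    return cve

def triage(sample):
    """Reasons the sample needs manual analysis (empty list = no action): the vendor
    CVE must match the majority VirusTotal tag, and a CVE published after the
    VirusTotal upload date is a zero-day candidate to be checked by hand."""
    reasons = []
    if majority_cve(sample.vt_cve_tags) != sample.vendor_cve:
        reasons.append("cve_disagreement")
    published = CVE_PUBLISHED.get(sample.vendor_cve)
    if published is None:
        reasons.append("unknown_cve_date")
    elif published > sample.vt_first_upload:
        reasons.append("upload_predates_cve")
    return reasons

# Constructed samples, one per outcome: agreement, disagreement, date anomaly.
SAMPLES = [
    Sample("doc-A", date(2014, 5, 2), ["CVE-YYYY-0001"] * 5 + ["CVE-YYYY-0002"], "CVE-YYYY-0001"),
    Sample("doc-B", date(2014, 5, 2), ["CVE-YYYY-0002"] * 3, "CVE-YYYY-0001"),
    Sample("doc-C", date(2015, 1, 10), ["CVE-YYYY-0002"] * 4, "CVE-YYYY-0002"),
]

def triage_all(samples):
    return {s.label: triage(s) for s in samples}
```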
Can you estimate the dates of the decoys?
• We coded decoys according to their languages, the countries they refer to, ethnic groups and dates, and whether they targeted specific individuals or organizations
• Native speakers independently coded the documents written in Russian, Traditional Chinese, Uyghur, and Vietnamese
Can you estimate the dates of the decoys (cont.)?
[Figure: years referred to by decoys, per group (y-axis: Fraction)]
All groups exhibited decoys referring to at least one year in 2013-2015