Hacking Exposed 7 Network Security Secrets & Solutions

Page 1: Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7: Network Security Secrets & Solutions

Chapter 6: Cybercrime and Advanced Persistent Threats

Page 2

Cybercrime and Advanced Persistent Threats

• What is an APT?
  – Operation Aurora
  – Anonymous
  – RBN
• What APTs are not
• Examples of popular APT tools and techniques
• Common APT indicators

Page 3

What is an APT?

• APT: US Air Force term, 2006
• Advanced: capable of crafting custom exploits and tools for selected targets
• Persistent: long-term objective without being detected
  – Low-profile, without interrupting normal operation
• Threat: organized, funded, and motivated
• Examples:
  – Spear-phishing email
    • Includes malware to exploit the user's computer
    • Or refers the user to a server delivering custom malware
    • Email systems and exploit malware (Trojan droppers): leased or pay-per-install
  – Other techniques: SQL injection, meta-exploits, phishing, social networking

Page 4

Multiple Phases of APTs

• Targeting
  – Collect info about the target and test: vulnerability scanning, social engineering, spear-phishing
• Access/compromise
  – Gain access: ascertain host info, collect credentials for additional compromises, obfuscate intention by malware
• Reconnaissance
  – Enumerate networks and systems
• Lateral movement
  – Move through the network to other hosts
• Data collection and exfiltration
  – Establish collection points and exfiltrate via proxy
• Administration and maintenance
  – Maintain access over time

Page 5

Operation Aurora

• Code-named by investigators
• Google, Juniper, Adobe, and at least 29 others
  – Lost trade secrets and competitive info in 6 months
• Gaining access to victims' networks
  – By targeted spear-phishing emails to employees with a link to a Taiwanese website hosting malicious JavaScript, which exploits an IE vulnerability for remote code execution
  – Malicious JavaScript: CRC routine of 16 constants, undetected by virus scanners
• IE vulnerability
  – Allows Trojan downloaders to download and install a backdoor Trojan RAT (remote administration tool) with SSL-encrypted communications
• Follow-up steps: network reconnaissance, compromise Active Directory, access computers for trade secrets, exfiltrate info
• From China?
  – CRC code published in simplified Chinese
  – 6 command-and-control IP addresses in Taiwan, traced to 2 schools in China
• Other APT campaigns with similar patterns: Night Dragon in 2010, RSA Breach and Shady RAT in 2011

Page 6

Anonymous

• From 2011, a loosely affiliated group or collection of groups, aiming to expose sensitive info to the public or interrupt services (DoS)
• A variety of hacking techniques
  – SQL injection, cross-site scripting, web service vulnerability exploits, social engineering (targeted spear-phishing, imitating employees such as help desk personnel)

Page 7

RBN (Russian Business Network)

• From St. Petersburg to international cybercrime
• Operates several botnets for spamming, phishing, malware distribution
  – Identity or financial theft
  – Very sophisticated malware tools to remain persistent
  – A platform for subscribers to conduct activities
• Hosts pornographic subscription websites

Page 8

What APTs Are Not

• Not "hacks of opportunity"
• Neither a single piece of malware, a collection of malware, nor a single activity
• Coordinated and extended campaigns with a purpose, whether competitive, financial, reputational, or otherwise

Page 9

Examples of Popular APT Tools and Techniques

• Malicious email
• Gh0st attack
• Memory capture
• File/process capture
• Lost Linux host
• Indicators of compromise

Page 10

Malicious E-mail

• Phishing email with a URL to click
• To trace it back, use tools
  – WHOIS
  – Robtex Swiss Army Knife Internet Tool
  – PhishTank
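Before a link is traced back with WHOIS or PhishTank it first has to be pulled out of the message and compared with what the recipient was shown. The following is an added example (not code from the book or its authors) that parses a raw message with the Python standard library, extracts every anchor from the HTML body, and flags links whose real destination differs from the displayed text or lies outside the sender's domain. The message, the `example.com` sender and the `renew-portal.test` hostname are constructed placeholders; the "same organization" test is a plain suffix match with no public-suffix handling.

```python
"""Triage the links in a suspected phishing email (added example, not from the book)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text says login.example.com, the href does not.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Renew it at
<a href="http://login.example.com.renew-portal.test/account">https://login.example.com/renew</a>
and reply to this message if you have trouble.</p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def _text_host(text):
    """Host the anchor text *claims* to point at, if the text itself looks like a URL."""
    if "://" in text:
        return _host(text)
    if text.startswith("www."):
        return _host("http://" + text)
    return None


def _same_org(host, domain):
    """True if host is the domain or a subdomain of it (assumption: no public-suffix list)."""
    return host == domain or host.endswith("." + domain)


def triage_links(raw_message):
    """Return one finding dict per link in the message body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else None
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    extractor = _LinkExtractor()
    extractor.feed(content)
    findings = []
    for href, text in extractor.links:
        href_host = _host(href)
        claimed = _text_host(text)
        reasons = []
        if claimed and href_host and claimed != href_host:
            reasons.append("anchor text shows %s but link goes to %s" % (claimed, href_host))
        if sender_domain and href_host and not _same_org(href_host, sender_domain):
            reasons.append("link host %s is outside sender domain %s" % (href_host, sender_domain))
        if href_host and href_host.replace(".", "").isdigit():
            reasons.append("link uses a raw IP address instead of a hostname")
        findings.append({"href": href, "host": href_host, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["href"], "; ".join(f["reasons"]))
```

The hostnames this produces are what you then feed to WHOIS and the other lookup tools on the slide; the mismatch between displayed and actual destination is usually the quickest tell in a spear-phishing message.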

Page 11

Gh0st Attack

• Gh0st RAT (Remote Administration Tool)
• From China: 2008–2010, used against the office of the Dalai Lama
• Gh0st RAT features
  – Existing rootkit removal, file manager, screen control, process explorer, keystroke logger, remote terminal, webcam eavesdropping, voice monitoring, dial-up profile cracking, remote screen blanking, remote input blocking, session management, remote file downloads, custom gh0st server creation

Page 12

Indicators of Compromise

• For malware to survive a reboot
  – Using various "Run" registry keys
  – Creating a service
  – Hooking into an existing service
  – Using a scheduled task
  – Disguising communications as valid traffic
  – Overwriting the master boot record
  – Overwriting the system's BIOS
• Forensics techniques and incident response procedures documented in RFC 3227, in the order of volatility
  – Memory
  – Page or swap file
  – Running process info
  – Network data such as listening ports or connections
  – System registry
  – System or application log files
  – Forensic image of disk
  – Backup media
• Toolkit on CD-ROM
  – AccessData FTK Imager
  – Sysinternals Autoruns
  – Sysinternals Process Explorer
  – Sysinternals Process Monitor
  – WinMerge
  – CurrPorts
  – Sysinternals VMMap

Page 13

Memory Capture

• Memory dump to an external mass-storage device, then analyze the malware
  – Hacking tools use process injection and obfuscation
• Memory dump: FTK Imager
• Memory analysis: HBGary, FDPro, Responder Pro, Mandiant Memoryze, Volatility Framework
  – Extract process-related info, threads, strings, dependencies, communications, Windows OS files (Pagefile.sys – page file, Hiberfil.sys – swap file; right-click to export the files)
  – The Sandman Project: approach to analyze memory files
  – Steps in Volatility Framework: image identification → retrieve processes → check connections of processes → look into a process with its PID → dump DLLs from this process → check the content of a DLL with the strings command → Volatility plug-ins to check for traces of malware (e.g. malfind plug-in: detect hidden or injected processes) → upload result files to VirusTotal

Page 14

File/Process Capture (1/2)

• Master File Table (MFT): metadata (filename, timestamp, file size, etc.); the timeline is important
• Network/process/registry: netstat to find connections and the process PID
• Hosts file: check for any changes
• CurrPorts: look into a currently open port and its DLL
• Process Explorer: look up a process, its DLL references, and cmd.exe shell executions
• Process Monitor: look up process–kernel interactions → understand how malware modifies a compromised system and provide indicators for detection tools
• VMMap: show the virtual/physical memory map, check DLL strings → malware strings that imply a RAT
• DNS cache: find other possibly infected hosts
• Registry query: reg query to check for suspicious Registry entries under the Run keys
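The Run-key check on this slide, and the "Run registry keys" persistence method on the Indicators of Compromise slide, come down to reading `reg query` output and asking where each autostart executable lives. The following is an added example (not code from the book or its authors) that parses the text layout `reg query` prints (a key line followed by indented "name type data" rows) and flags entries whose image sits in a temp directory or reuses the name of a Windows system binary from outside the Windows directory, the pattern the Common APT Indicators slide describes for cmd.exe copied as svchost.exe into TEMP. The sample output, the environment-variable expansions and the list of system binary names are constructed assumptions.

```python
"""Review autostart entries from `reg query` output (added example, not from the book)."""
import ntpath
import re

# Constructed sample in the layout reg query uses (4-space indent, columns
# separated by runs of spaces). The "Updater" row is the planted finding.
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe -k netsvcs

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
"""

# Assumed expansions for environment variables commonly seen in Run values.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}

# Assumed list: names of Windows system binaries that get reused for copies
# of other tools (the slide's example is cmd.exe stored as svchost.exe in TEMP).
SYSTEM_BINARIES = {"svchost.exe", "cmd.exe", "lsass.exe", "csrss.exe",
                   "explorer.exe", "rundll32.exe"}

# Path fragments that should never host an autostart executable.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

ROW_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Yield (key, name, type, data) for each value row in reg query output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = ROW_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def executable_path(data):
    """Image path from a Run value: the quoted token if quoted, else the first token."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def expand(path):
    """Lower-case the path and expand the variables in ENV so comparisons are uniform."""
    lowered = path.lower()
    for var, value in ENV.items():
        lowered = lowered.replace(var, value)
    return lowered


def review_run_keys(text):
    """Return one finding dict per Run/RunOnce value that trips a heuristic."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        path = expand(executable_path(data))
        base = ntpath.basename(path)
        reasons = []
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("executable in a temp directory")
        if base in SYSTEM_BINARIES and not path.startswith("c:\\windows\\"):
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_run_keys(SAMPLE_REG_QUERY):
        print(f["key"], f["name"], f["path"], "; ".join(f["reasons"]))
```

On a live case the input is the saved output of `reg query` for the HKLM and HKCU Run keys; Sysinternals Autoruns from the toolkit slide covers the other persistence locations (services, scheduled tasks) that this text parser does not.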

Page 15

File/Process Capture (2/2)

• Scheduled tasks: at to find scheduled tasks
• Event logs: psloglist to retrieve the System and Security event logs → commands issued by attackers
• Prefetch directory: last 128 unique programs executed
• Collecting interesting files: ntuser.dat (user profile), index.dat (requested URLs), .rdp files (remote desktop session info), .bmc files (RDP bitmap cache), antivirus log files (virus alerts)
• Analyzing RDP files: servers accessed, login info, etc. in XML → attackers use RDP to connect to other servers
• Analyzing BMC files: cached bitmap images kept for performance → BMC Viewer to find the attacker's access to applications, files, network, credentials
• Investigating the System32 directory for anomalies: diff the system32 directory with the cache directory to find files changed since installation (.dll, .bat, .rar, .txt)
• Antivirus logs: check configurations that exclude detection of certain PUPs (Potentially Unwanted Programs), e.g. netcat/nc
• Network: analyze traffic between the compromised host and the C&C server or other targeted hosts → signatures for IDS

Page 16

Summary of Gh0st Attack

• Phishing email
• Backdoor placed when the malicious link is clicked
• Backdoor hides itself to survive a reboot
• Connection to C&C
• Check internal domain, create accounts, use Terminal Server to hop to other hosts (Event Logs)
• Add/modify some files (diff \System32)
• Look for documents and zip them for exfiltration
• Create a 2nd backdoor using netcat
• Create a user account and execute FTP (Windows Security Event Log)
• Schedule a new job to clean logs every day

Page 17

Linux APT Attack

• Scenario: Apache Tomcat server with weak credentials
• Metasploit Framework to penetrate and get a shell
  – Connect to Tomcat, find shadow.bak, crack passwords
  – With the root account, sudo su - to run all commands
  – Upload a PHP backdoor, create a SUID root shell for getting root back in case a password gets changed
  – Use the host to pivot to other hosts: leave little on the host
• To diagnose the host
  – Block access by firewall
  – Check root account history, check added/modified files, check logs for sudo su - commands
  – Check listening ports and connections with netstat and lsof
  – Check hidden files in RAM drives, drive slack space, /dev, hard-to-see files or directories like ".. " (dot-dot-space), /tmp and /var/tmp

Page 18

Summary of Linux APT Attack

• Root access through a Tomcat server with weak credentials
• Evidence of scripts and SUID shell binaries
  – Several ways to get back in: accounts, PHP shell, SUID shell, etc.
• Attackers explore the environment and look for other targets
• With Metasploit Framework, the compromised host is used as a pivot host (without tools installed)
• Run shells like Meterpreter in memory without disk writes

Page 19

Poison Ivy RAT

• A ubiquitous tool used by many APT campaigns (Operation Aurora, RSA Attacks, Nitro)
  – Similar to Gh0st RAT
  – Source code available for custom-purposed Trojans
  – Deployable by phishing email with a Trojan dropper suffixed with a self-executing "7zip" extension
  – Detected by Malicious Software Removal Tool (MSRT)
  – Often seen on "snatch-and-grab" compromises of computers
• A tool itself is not an APT; the persistent campaign is!

Page 20

TDSS Malware

• A botnet of hosts compromised by TDSS
  – "Malware as a service" for subscribers
    • DDoS attacks, click fraud for advertising revenue, backdoor installation and execution, etc.
  – Subscription through websites such as AWMProxy.net
  – Targeted at compromised networks of hosts in selected companies
  – Utilized in more APT campaigns since 2011
• TDSS
  – A rootkit with encrypted files and communications; C&C communications over compromised hosts, proxies, and P2P networks
  – Numerous infection vectors
    • Application and server zero-day exploits, Blackhole exploit kit, spear-phishing emails, viral worms via P2P/IM/NetBIOS, rogue DHCP servers, etc.

Page 21

Common APT Indicators

• Indicators
  – Network communications utilizing SSL or private encryption methods, or sending/receiving base64-encoded strings
  – Services registered to Windows NETSVCS keys in the SYSTEM folder with DLL or EXE extensions
  – Copies of cmd.exe as svchost.exe or other file names in the TEMP folder
  – LNK files referencing executables that no longer exist
  – RDP files referencing external IP addresses
  – Windows Security Event Log entries with external IP addresses or computer names that do not match organizational naming conventions
  – Windows Application Event Log entries of antivirus and firewall stop and restart
  – Etc.
• Recent APT procedures: 14 steps (expanded from the previous steps)
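Three of the indicators above (external IP addresses in RDP files and Security Event Log entries, computer names outside the naming convention, and base64-encoded strings in traffic) can be checked mechanically over collected text artifacts. The following is an added example (not code from the book or its authors) that runs those three checks over a Security log export, an .rdp file and a proxy log. The artifacts are constructed; the organization's internal ranges (RFC 1918) and the `CORP-xxxx` hostname convention are assumptions you would replace with your own, and the "external" addresses use the 203.0.113.0/24 documentation range as placeholders.

```python
"""Scan text artifacts for the network indicators on this slide (added example, not from the book)."""
import base64
import ipaddress
import re

# Assumption: the organization's own address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: approved workstation names look like CORP-WS0412.
HOSTNAME_RE = re.compile(r"^CORP-[A-Z0-9]{3,}$")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WORKSTATION_RE = re.compile(r"Workstation(?: Name)?:\s*(\S+)")
B64_RE = re.compile(
    r"(?<![A-Za-z0-9+/])"                          # not glued to a preceding base64 char
    r"(?:[A-Za-z0-9+/]{4}){6,}"                     # at least 24 base64 characters
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"   # optional padding
    r"(?![A-Za-z0-9+/=])")

# Constructed artifacts. The second and third Security log lines, the rdp
# "full address" and the second proxy line are the planted findings.
ARTIFACTS = {
    "security.log": """\
4624 Logon  Account: bob  Workstation: CORP-WS0412  Source Network Address: 10.0.4.22
4624 Logon  Account: svc_backup  Workstation: CORP-SRV07  Source Network Address: 203.0.113.5
4624 Logon  Account: admin  Workstation: MYPC  Source Network Address: 10.0.9.3
""",
    "Default.rdp": """\
screen mode id:i:2
full address:s:203.0.113.77
username:s:admin
""",
    "proxy.log": """\
10.0.4.22 GET http://www.example.com/ 200
10.0.9.3 GET http://sync.example.test/api?d=VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ== 200
""",
}


def is_external(ip_text):
    """True for a routable address outside INTERNAL_NETS (loopback etc. excluded)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def decode_text(blob):
    """Decoded text if the blob is valid base64 for printable ASCII, else None."""
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if data.isascii() and data.decode("ascii").isprintable():
        return data.decode("ascii")
    return None


def scan(artifacts):
    """Return one (artifact, indicator, value, line) tuple per indicator hit."""
    findings = []
    for name, text in artifacts.items():
        for line in text.splitlines():
            for ip in IPV4_RE.findall(line):
                if is_external(ip):
                    findings.append((name, "external-ip", ip, line))
            m = WORKSTATION_RE.search(line)
            if m and not HOSTNAME_RE.match(m.group(1)):
                findings.append((name, "naming-convention", m.group(1), line))
            for blob in B64_RE.findall(line):
                kind = "base64-text" if decode_text(blob) is not None else "base64-blob"
                findings.append((name, kind, blob, line))
    return findings


if __name__ == "__main__":
    for artifact, indicator, value, line in scan(ARTIFACTS):
        print("%-13s %-18s %s" % (artifact, indicator, value))
```

The base64 check distinguishes blobs that decode to printable text (encoded commands or beacons) from opaque ones; long session tokens also match the pattern, so the "base64-blob" hits are a review list rather than a verdict.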

Page 22

APT Detection

• Administrative procedures
  – Create a file system index to audit changes
    • A simple diff analysis of index files
  – Alert on admin logons
  – Firewall or IDS to monitor inbound RDP/VNC/cmd.exe
• Products
  – Endpoint security products (AV, HIPS, file system integrity checking)
    • Sandbox-based or reverse-engineering-based anti-APT products
  – File system auditing products for change control and auditing
  – Network intelligence/defense products (IDS/IPS)
  – Network monitoring products (tcpdump)
  – Security information/event management products with correlation and reporting databases
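The "file system index plus simple diff" procedure on this slide is the same operation as the System32-versus-cache comparison on the File/Process Capture slide, generalized to any directory tree. The following is an added example (not code from the book or its authors) that records the relative path, size and SHA-256 of every regular file under a root, saves the index as JSON, and diffs a baseline index against a current one to list added, removed and modified files. `demo()` builds a throwaway tree in a temporary directory, so every file name in it is constructed.

```python
"""File system index and diff for change auditing (added example, not from the book)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(root):
    """Map relative path (forward slashes) -> {"size", "sha256"} for every regular file."""
    index = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return index


def save_index(index, path):
    """Write the index as JSON; the baseline belongs on read-only media, not on the host."""
    with open(path, "w") as f:
        json.dump(index, f, indent=1, sort_keys=True)


def load_index(path):
    with open(path) as f:
        return json.load(f)


def diff_index(baseline, current):
    """Sorted lists of added, removed and content-modified paths between two indexes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tree, alter it the way an intrusion would, diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/service.exe", b"original service")
        _write(root, "bin/helper.dll", b"helper v1")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "log/audit.log", b"baseline entries\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_index(build_index(root), baseline_file)

        # Changes to detect: a new binary, a replaced DLL, a deleted log.
        _write(root, "bin/dropped.exe", b"unexpected binary")
        _write(root, "bin/helper.dll", b"helper v1 plus patch")
        os.remove(os.path.join(root, "log", "audit.log"))

        return diff_index(load_index(baseline_file), build_index(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Indexing by content hash rather than timestamps matters here because timestamps are trivially reset, while a changed hash on a file the vendor never updated is exactly the System32 anomaly the earlier slide looks for.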

