Date posted: 20-May-2015
© 2012 CrowdStrike, Inc. All rights reserved.

George Kurtz, President & CEO, CrowdStrike
Georg Wicherski, Senior Security Researcher, CrowdStrike
Alex Radocea, Senior Security Researcher, CrowdStrike
BEFORE WE GET STARTED…
• Questions
– Via GoToWebinar in the Questions tab
– All ?’s will be addressed at the end of the session
– Via Twitter – Engage real-time: @CrowdStrike #hackingexposed7
A LITTLE ABOUT US
GEORGE KURTZ, President & CEO, CrowdStrike
• In security for ~20 years
• Former CTO, McAfee
• Former CEO, Foundstone
• Co-Author, Hacking Exposed
• Twitter: @George_Kurtz
• Blog: www.securitybattlefield.com
A LITTLE ABOUT US
GEORG WICHERSKI, Senior Security Researcher, CrowdStrike
• Focuses on analyzing advanced threats
• Likes to put himself in the attackers’ shoes
• Loves working low level on bytecode
• New interest in ARM architecture
• Twitter: @ochsff
A LITTLE ABOUT US
ALEX RADOCEA, Senior Engineer, CrowdStrike
• Application Security Assessment at Matasano
• Product Security Team at Apple
• Dabbles in hardware reverse engineering
• Upcoming talk: Ekoparty 2012
• Twitter: @defendtheworld
THREAT EVOLUTION AND OUTLINE
Commercial RATs
• Manually installed
• “Spy on your girlfriend”
Targeted RATs
• Observed Real World Attacks
• Simple, regular Apps
Advanced Threats
• Demo of Browser based compromise
• What are we just not seeing?
WHAT IS A RAT?
• Remote Access Tools, better known as RATs
• Post-exploitation tool
• Allows administrative controls over the compromised system
• Adversaries have been targeting conventional computing platforms (PC) for many years
RAT FUNCTIONALITY
• Backdoor functionality and a host of other nefarious features
– Activate video cameras and microphones
– Take pictures of remote systems
– Exfiltration - send back files
– Run remote commands
– Log keystrokes
DAWN OF A NEW ERA: Mobile RATs
• Mobile RATs
• Smartphones are PCs that fit in the palm of your hand
• Perfect tool to:
– Intercept calls
– Intercept TXTs
– Intercept emails
– Capture remote video
– Listen to sensitive conversations
– Track location via GPS
COMMERCIAL RAT DELIVERY
• Usually require physical access to target device
• The attacker must know the target’s password or the device must be unlocked
• Manual installation via web page or 3rd party market
• iOS devices require a jailbreak
FlexiSPY
• Emerged in 2006 timeframe as a consumer-marketed cell phone spying software
• Capabilities include:
– Monitoring email
– Monitoring SMS/MMS
– Monitoring chat/Facebook/WhatsApp
– Number flagging
– Call intercept (only live calls)
– Hot Mic
– SMS C2
TARGETED RATs
• Android: Mostly regular Apps
– Written in Java using the Android SDK and compiled to Dalvik code
– Often not even obfuscated (original names retained)
– There are public SDK tools to conceal at least names of non-exported classes and members
– Easy process to reverse to Java code (.dex → .class → .java)
– Visibility issue or principle of least effort required?
• iOS targeted RAT ecosystem largely unexplored
– But commercial RATs well-known and documented
– Happening for sure but just no good visibility
CASE STUDY: LUCKY CAT (background)
• Targeted Espionage-Type Operation
– Engineering and Research targets
– Political activists
• Windows Malware Attributed to Chinese developers
– Likely government sponsored civil hacktivism
– First seen in June 2011
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
• Android malware LuckyCat.A found on C2 servers
LUCKYCAT.A ANALYSIS
• Simple Service based App that registers for BOOTUP intent
– Starts automatically when phone is turned on
• Reports general information (phone number, IMEI, …) on connect
• Can read and write arbitrary files and list directories
– Linux is Unix, “Anything is a file”
– All logic and parsing on C2 (client) side, not exposed to analysis
• Utilizes custom “encryption” / obfuscation algorithm
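A manifest triage check for the LuckyCat.A shape described on this slide (auto-start on boot, a background service, phone number / IMEI beaconing, file read/write), added here as an example and not code from the deck or from the malware. It assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool); the manifest below is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # the android:name attribute, namespaced
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permission -> what it enables in the LuckyCat.A behaviour the deck describes
PROFILE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts on boot",
    "android.permission.READ_PHONE_STATE": "can read IMEI / phone number",
    "android.permission.INTERNET": "can reach a C2 server",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can read/write files on storage",
}

# Constructed manifest for this example, not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".BeaconService"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return boot-persistence / identity / file-access indicators from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # Components (receiver or service) whose intent-filter fires on BOOT_COMPLETED
    boot_entry = [
        c.get(NAME) for tag in ("receiver", "service") for c in root.iter(tag)
        if any(a.get(NAME) == BOOT_ACTION for a in c.iter("action"))
    ]
    services = [s.get(NAME) for s in root.iter("service")]
    findings = [why for perm, why in PROFILE_PERMS.items() if perm in perms]
    # LuckyCat.A shape: auto-start entry point + background service + identity beacon over the network
    matches = bool(boot_entry) and bool(services) and {
        "android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= perms
    return {"boot_entry": boot_entry, "services": services,
            "findings": findings, "matches_profile": matches}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Many legitimate apps also start on boot, so a profile match is a triage lead for closer analysis of the service, not a verdict.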
LUCKYCAT.A BEACON INFORMATION
• Obtains current phone number
– Chinese error / status message
• Beacons
– Phone number as MAC
– Current IP
– Per-incident identifier
LUCKYCAT.A FILE COMMANDS
• Only supports file based commands
– Directory content listing
– Download / upload file from / to phone
• Any interaction with system must be done with this simple mechanism
FINSPY MOBILE FOR IOS
• Commercial mobile RAT sold to governments
– “Enterprise” Software development
– Proper encryption, communication protocol, ...
• Analyzed iOS sample stolen demo binary
– Courtesy of CitizenLab.org
• Capabilities similar to previous commercial RATs
• iOS variant requires jailbroken device or LPE exploit
FINSPY MOBILE FOR IOS INSTALLATION
• One initial dropper, install_manager.app
• Ad-Hoc distribution with hardcoded UDIDs to run on
• Certificate registered to Gamma International, Inc.
• Drops the four FinSpy binaries to suid’able directories
– installer, manages persistence in system
– logind.app, daemon wrapper invoked by launchd on boot
– trampoline.app, a broken no-op in our sample
– SyncData.app, the main backdoor that calls home
FINSPY LPE MISSING LINK
• installer.app copies binaries to /Application and /System
• On a non-jailbroken device prohibited by sandbox
• installer.app requests root privilege with seteuid(0)
• Typical for a program started with suid bit
• install_manager.app searches suid’able partitions
FINSPY LPE MISSING LINK CONT.
• trampoline.app a no-op in our binary
– Invoked by install_manager.app with path to installer
– Includes snippets that build paths from arguments
– Apparently cut-off / sanitized at source level
• Placeholder to disable sandbox and suid installer to infect non-jailbroken devices?
– Given trampoline.app not an exploit itself
– Checked all entry points and loader behavior
UDID LEAK IMPACT
• 1,000,000 UDIDs leaked
• UDID, APNs tokens, device name leaked from unknown source
• Ad-hoc distribution profile requires UDID, each profile has up to 100 devices
– User-interaction required for installation
– Code still sandboxed
• Device information reportedly leaked from Blue Toad
FEASIBILITY STUDY RATIONALE
• Mobile exploits being actively bought on the “market”
– iOS, BlackBerry, Android (loosely ordered by price)
– Remote: Baseband, Browser and SMS Apps
– Local: Really anything that gets you elevated privileges
• Development of payload up to the customer
– FinSpy Mobile looks like good fit for LPE trampoline.app
• We know these attacks are out there yet we do not have conclusive evidence.
• “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”
ANDROID 4.0.1 BROWSER EXPLOIT
• Vulnerability in Webkit (fixed in 4.0.2, public since Nov 2011)
– No CVE assigned, just a bug leading to degraded user experience…
• Circumvents XN & partial ASLR on Android 4.0.1
– Android ≥ 2.3 activates XN, comparable to x86 NX bit
– Requires hardware support but most phones do support it
– Android ≥ 4.0 adds partial ASLR
– Heap, stack and dynamic linker still at predictable address
– Android ≥ 4.1 adds full ASLR
• Use ROP in the dynamic linker to circumvent 4.0 mitigations
FEASIBILITY FOR NATIVE RAT FOR ANDROID
• Native stand-alone executables are easily built using the NDK
– Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC
• Huge amount of new “App Analysis (Dalvik) Experts”
– Has anyone of those ever analyzed native ARM code?
– Can anyone of those handle a simple UPX packed binary?
• No Rootkit required, people barely look at native processes
– Native processes do not show up in Android or 3rd party Task Managers
– Potentially visible in ps but trivially obfuscated
– strcpy(argv[0], “…”)
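A defender-side cross-check for the argv[0] trick on this slide, added here as an example and not part of the deck: ps and task managers display /proc/<pid>/cmdline, which the process itself can overwrite, whereas /proc/<pid>/comm is set by the kernel from the execve() filename and is untouched by a strcpy into argv[0]. It assumes a Linux or Android procfs; prctl(PR_SET_NAME) can also rewrite comm, so an agreeing pair is a weaker signal than a disagreeing one.

```python
import os
from typing import Optional

TASK_COMM_LEN = 15  # Linux keeps at most 15 bytes of a task name in comm

def argv0_mismatch(cmdline: bytes, comm: str, exe: str) -> Optional[dict]:
    """Compare the user-writable argv[0] with the kernel-held task name.

    cmdline: raw /proc/<pid>/cmdline (NUL separated); comm: /proc/<pid>/comm;
    exe: readlink() of /proc/<pid>/exe.  None when they agree, else the details.
    """
    if not cmdline:   # kernel threads have an empty cmdline; nothing to compare
        return None
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    # strcpy(argv[0], "...") rewrites the process's own argv area, which is what
    # /proc/<pid>/cmdline reads back.  comm was set by the kernel at execve() time
    # and is not affected by that write, so the two stop agreeing.
    if os.path.basename(argv0)[:TASK_COMM_LEN] == comm.strip():
        return None
    return {"argv0": argv0, "comm": comm.strip(), "exe": exe}

def scan_proc(proc: str = "/proc") -> dict:
    """Walk procfs directly (not a task manager) and return {pid: mismatch}."""
    findings = {}
    try:
        entries = os.listdir(proc)
    except OSError:
        return findings
    for entry in entries:
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:   # process exited, or /proc/<pid>/exe needs root to read
            continue
        hit = argv0_mismatch(cmdline, comm, exe)
        if hit:           # known legitimate argv[0] rewriters (sshd, nginx, postgres) will show up too
            findings[int(entry)] = hit
    return findings

if __name__ == "__main__":
    for pid, hit in sorted(scan_proc().items()):
        print(pid, hit)
```

Run it as root (or via adb shell with root on a test device) so that /proc/<pid>/exe is readable for every process, and baseline the known rewriters before treating a hit as suspicious.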
HTTP://WWW.HACKINGEXPOSED7.COM
• Quarterly webcasts: Industry leaders presenting cutting-edge topics
• Blogs, whitepapers, and other industry resources
• Webcast archives for on-demand viewing
CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services, Intelligence, and Technology.
For Incident Response services: http://www.crowdstrike.com/services.html
For Intelligence as a Service: Email us at [email protected]
Technology (Coming soon): If you have interest in being a beta customer send your request to [email protected]
Website: www.crowdstrike.com
@CrowdStrike
Blog: http://blog.crowdstrike.com
facebook.com/crowdstrike
youtube.com/crowdstrike

Q & A