Offensive Technologies, Fall 2016
Lecture 1: Introduction
Fabio Massacci
9/19/16 Fabio Massacci - Offensive Technologies 1
Question
• Will offensive technologies be there to stay?
  – Hacking techniques "expire", ... ideas "stay"
• Well, old things are still there...
  – Attacker style is important for defense
  – If there is something that can be abused → it will be abused
• Motivation is important: the cost has to be feasible (an engineering problem)
  – The same applies to protection mechanisms
Do you trust these organisations?
• S-TRUST Authentication and Encryption Root
  – Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
• NetLock Kozjegyzoi Tanusitvanykiado
  – Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
• TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  – Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., ANKARA, Turkey
• CA 沃通根
  – WoSign CA Limited, China
• ... to guarantee that a website is really what it claims to be?
So, what's that?
• It is just some websites without any trouble
• Just pictures, videos, and text
What's this?
• ONE web page
  – Plenty of ads
• Process
  – We DON'T look at the ads
  – Only click on mail
• And download the program of the infosec conference
What's this?
• ONE PDF file, essentially an image
• What happens if we open it?
  – Nothing
  – Acrobat Reader shows the image on the monitor
What's this?
• A photocopier
• A printer
• You send a file, and it prints

What really is this? Just like that!
• Xerox computer to just print a file: Intel Celeron, 733 MHz, 128 MB
• NASA computer to land Apollo 16 on the Moon: AGC, 1 MHz, 4 KB RAM
What really is this?
• That's a program containing
  – at least 1682 instructions
• What happens when we open it?
  – All instructions are executed
  – It is not necessarily true that the result is displayed
• The PDF language is Turing complete (the reader executes actions and embedded JavaScript, not just drawing operators)
  – ANY function can be written in PDF language
  – Opening a PDF file can seamlessly display an image and simultaneously solve Fermat's little theorem
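The two PDF slides make one point: "opening" a document means executing it. The script below is an added example, not code from the lecture. It constructs three small PDFs from scratch (one that only draws an empty page, one whose catalog carries an /OpenAction that runs JavaScript under a hex-escaped name, and one that hides a /Launch action inside a FlateDecode stream) and a scanner that inflates streams and normalises names before matching. The keyword set is a constructed heuristic; a plain `grep /JavaScript` misses both the escaped and the compressed case.

```python
"""Added example (not from the lecture): does this 'image' PDF carry code to run?"""
import re
import zlib

# Names a reader acts on when the document is opened. Constructed heuristic list;
# any of them in a file that is supposed to be "just a picture" deserves a look.
SUSPICIOUS_NAMES = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/SubmitForm"}

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_name(raw: bytes) -> str:
    """Undo #xx hex escapes in a PDF name, e.g. /Java#53cript -> /JavaScript.
    Evasive samples use the escape to defeat a plain text search."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and inside every stream that
    inflates as zlib. Returns {name: count}; an empty dict means nothing
    action-like was found, which is not proof the file is harmless."""
    bodies = [data]
    for m in _STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass            # not a zlib stream, or not one we can inflate
    found = {}
    for body in bodies:
        for raw in _NAME_RE.findall(body):
            name = normalise_name(raw)
            if name in SUSPICIOUS_NAMES:
                found[name] = found.get(name, 0) + 1
    return found


def build_pdf(mode: str = "clean") -> bytes:
    """Construct a minimal PDF for the demo. 'clean' draws one empty page;
    'js' adds an OpenAction that runs JavaScript, with a #-escaped name;
    'flate' hides a /Launch action inside a compressed stream."""
    catalog_extra = b""
    extra_obj = b""
    if mode == "js":
        catalog_extra = b" /OpenAction << /S /Java#53cript /JS (app.alert(1)) >>"
    elif mode == "flate":
        hidden = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
        extra_obj = (b"4 0 obj << /Length " + str(len(hidden)).encode()
                     + b" /Filter /FlateDecode >>\nstream\n" + hidden
                     + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R" + catalog_extra + b" >>\nendobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>\nendobj\n"
            + extra_obj +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for mode in ("clean", "js", "flate"):
        print(f"{mode:6s} -> {scan_pdf(build_pdf(mode))}")
```

The scanner is a triage tool, not a verdict: object streams, other filters (LZW, ASCIIHex) and incremental updates are not handled here, so a clean result only says that the easy hiding places are empty.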
What really is this?
• When we type www.libero.it in the browser, YOUR computer will:
• Execute
  – 186 local functions
  – 15 functions from external sites
• Aggregate static contents from
  – 676 websites, of which
  – 370 external websites
  – 193 may be just images
• Aggregate dynamic content from
  – 8 advertisers (at least)
• Are all of these actions "good" ones?
Cyber life is never what it seems - UK
• What it REALLY is
• It is ONE website without any trouble, just pictures and text
• 12 web trackers for advertising
• 72 javascript snippets executed by your browser while you load it
• More than 100 references to different sites, some of them executing code
  – http://player.ooyala.com
  – http://widget.cloud.opta.net
  – Some of them dynamically created on the fly, e.g. by b.scorecardresearch.com
• >100 errors/warnings in processing
• How can you tell what's good, what's bad?
Cyber life is never what it seems - US
• What it REALLY is
• It is ONE website without any trouble, just pictures and text
• 8 web trackers for advertising
• 122 javascript snippets executed by your browser before you see anything
• More than 500 references to external sites, many executing code
  – Garretn-cdn.com
  – Brightcove.com
  – tags.tiqcdn.com
• >164 errors/warnings processing the web page
• How can you tell good from bad?
• And I didn't load Flash, sorry...
Cyber life is never what it seems - NL
• What it REALLY is
• It is ONE website without any trouble, just pictures and text
• 13 web trackers for advertising
• 207 javascript snippets executed by your browser before you see anything!
• >200 references to different sites, some of them executing code
  – Easypoll
  – Hotjar
  – Tiq
• >100 errors/warnings in processing the web page
• How can you tell good vs bad?
• And they wanted me to disable the adblocker! Sorry mates...
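The libero.it slide and the three "Cyber life is never what it seems" slides all report the same kind of inventory: how many scripts a page makes the browser run and how many hosts it pulls from. The script below is an added example, not the tooling the lecturer used, showing how such counts are produced from the static HTML with the standard library alone. The page host and the sample HTML are constructed; the third-party hostnames in it are the ones the slides name.

```python
"""Added example (not from the lecture): inventory what one page makes a browser do."""
from html.parser import HTMLParser
from urllib.parse import urlparse

RESOURCE_TAGS = {"img", "iframe", "link", "source", "video", "audio",
                 "embed", "object", "track"}


class PageInventory(HTMLParser):
    """Count inline scripts, external scripts and the hosts a page pulls from,
    split into first-party and third-party relative to page_host."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.inline_scripts = 0
        self.external_scripts = []
        self.resource_hosts = {}        # host -> number of references
        self._inline_pending = False

    def _note(self, url: str) -> None:
        # relative and scheme-relative URLs resolve against the page's own host
        host = urlparse(url).netloc.split(":")[0].lower() or self.page_host
        self.resource_hosts[host] = self.resource_hosts.get(host, 0) + 1

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
                self._note(a["src"])
            else:
                self._inline_pending = True     # body is counted in handle_data
        elif tag in RESOURCE_TAGS:
            url = a.get("src") or a.get("data") or (a.get("href") if tag == "link" else None)
            if url:
                self._note(url)

    def handle_data(self, data):
        if self._inline_pending and data.strip():
            self.inline_scripts += 1
            self._inline_pending = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_pending = False

    def third_party_hosts(self):
        return sorted(h for h in self.resource_hosts
                      if h != self.page_host and not h.endswith("." + self.page_host))


def inventory(html: str, page_host: str) -> dict:
    p = PageInventory(page_host)
    p.feed(html)
    p.close()
    return {"inline_scripts": p.inline_scripts,
            "external_scripts": len(p.external_scripts),
            "hosts": p.resource_hosts,
            "third_party": p.third_party_hosts()}


# Constructed page: what a "just pictures and text" news front page tends to look like.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="//player.ooyala.com/static/v4/core.min.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://widget.cloud.opta.net/loader.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="https://b.scorecardresearch.com/p?c1=2&amp;c2=1234" width="1" height="1">
<iframe src="https://static.hotjar.com/embed.html"></iframe>
<script>
  var s = document.createElement('script');
  s.src = 'https://b.scorecardresearch.com/beacon.js';   // loaded on the fly
  document.head.appendChild(s);
</script>
<p>Just pictures and text.</p>
</body></html>"""

if __name__ == "__main__":
    r = inventory(SAMPLE_HTML, "example-news.co.uk")
    print(f"{r['inline_scripts']} inline scripts, {r['external_scripts']} external scripts")
    print("third-party hosts:", ", ".join(r["third_party"]))
```

Note what the static count cannot see: the beacon.js that the last inline script injects at run time never appears in the hosts list. That is exactly the "dynamically created on the fly" case on the UK slide, and the reason the slides count what an instrumented browser actually executed rather than what the HTML declares.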
Who trusts these? Everybody.
• S-TRUST Authentication and Encryption Root
  – Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
• NetLock Kozjegyzoi Tanusitvanykiado
  – Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
• TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  – Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., ANKARA, Turkey
• 沃通根
  – WoSign CA Limited, China
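The question is asked twice (slide 3 asks whether you trust these roots, slide 14 answers that everybody does). The first concrete check is whether your own machine already does. The script below is an added example, not from the lecture: it reads the roots the Python `ssl` module loads by default and matches their subject names against strings taken from the slide. The watch list and the sample certificate records are constructed; the parsed-certificate layout (a `subject` tuple of RDN tuples) is what `SSLContext.get_ca_certs()` returns.

```python
"""Added example (not from the lecture): which of the roots on the slide does this host trust?"""
import ssl

# Substrings of the subject names listed on the slide (constructed watch list).
WATCHLIST = ("Deutscher Sparkassen Verlag", "NetLock", "TÜRKTRUST", "WoSign")


def subject_field(cert: dict, field: str) -> str:
    """Read one attribute from the tuple-of-tuples 'subject' that
    ssl.SSLContext.get_ca_certs() returns for each loaded certificate."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""


def matching_roots(certs, watchlist=WATCHLIST):
    """(pattern, organizationName, commonName, notAfter) for every certificate
    whose O or CN contains a watched string, case-insensitively."""
    hits = []
    for cert in certs:
        org = subject_field(cert, "organizationName")
        cn = subject_field(cert, "commonName")
        for pat in watchlist:
            if pat.lower() in org.lower() or pat.lower() in cn.lower():
                hits.append((pat, org, cn, cert.get("notAfter", "")))
                break
    return hits


def local_trusted_roots():
    """Roots the default ssl context trusts on this machine. Caveat: on builds
    where OpenSSL reads a hashed CA directory, get_ca_certs() can be empty
    because certificates are loaded lazily, so 'no match' may only mean
    'not loaded yet', not 'not trusted'."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed records in the get_ca_certs() layout, used for the demo and tests.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "DE"),),
                 (("organizationName", "Deutscher Sparkassen Verlag GmbH"),),
                 (("commonName", "S-TRUST Authentication and Encryption Root"),)),
     "notAfter": "Jun 21 23:59:59 2030 GMT"},
    {"subject": ((("countryName", "CN"),),
                 (("organizationName", "WoSign CA Limited"),),
                 (("commonName", "CA 沃通根"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA"),))},
]

if __name__ == "__main__":
    roots = local_trusted_roots() or SAMPLE_CERTS
    print(f"{len(roots)} roots inspected")
    for pat, org, cn, exp in matching_roots(roots):
        print(f"  trusted: {cn} ({org}) expires {exp}")
```

The browser's trust store is a separate list from the OS and Python stores, so the same check has to be repeated against the browser you actually use; that a root is present in one store says nothing about the others.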
Are they reliable?
• Read
  – Axel Arnbak, Hadi Asghari, Michel Van Eeten, and Nico Van Eijk. "Security Collapse in the HTTPS Market". Communications of the ACM 57, no. 10 (2014): 47-55.
  – http://queue.acm.org/detail.cfm?id=2673311
• Or listen to
  – https://www.youtube.com/watch?v=uTWqV47QZZw#action=share
Question - discussion
• Even with the basic assumption
  – What's from inside is trusted
  – What's from outside is untrusted
• BUT in today's Internet this is not true
  – Comes from inside → Goes out → Comes back
  – Visualising a web page = HTTP GET
    • HTTP GET = go out, deliver what you find, and what you find is an executable (for convenience)
  – E-mails come from outside, etc. etc.
• We have too many powerful things that make our life nice, too powerful to control and lock them down and lock them out
Attack delivery
• The type of infection is a function of the attacker's goal:
  – Botnet creation → simple form of control for limited functionalities
  – Virus/keylogger → credential theft/spoofing/spam/remote control
  – Full-fledged backdoors → monitoring/remote control
  – Ransomware → direct monetisation & low profile
• Regardless of what the attacker wants to do, he/she must have some level of access to the machine
  – Remote control = long term avenue for the attacker to "valorize" the infection
How does the infection happen?
• Human vector (social engineering) → user vulnerability
  – The attacker convinces the user to do something for him/her (e.g. install a virus masked as an anti-virus → fake AV)
• Technological vector → software vulnerability
  – The principal cause is that most systems are not capable of distinguishing "legitimate" input from "rogue" input (e.g. as provided by the attacker)
  – The system executes whatever is in memory.
  – Virtually any software has bugs that the attacker can exploit to deviate the execution of the software towards actions on his own agenda.
• Mixed: e.g. a link on a social network, a link clicked by a user in a document, opening an email with malware, an IP-connected camera with pre-loaded malware, etc.
Human vector: social engineering
• The attacker convinces the user to install a virus masked as a legitimate application
• The example here is a fake anti-virus product called "Win 8 Security System"
  – The user thinks it's actual AV
  – In reality it infects the system

Example of attempted infection
Technological vector
• The attack usually exploits some vulnerability in software
• The system is fed with computationally valid code as input to a vulnerable software → the code is executed
• Several types of vulnerabilities
  – XSS
  – Buffer overflow
  – SQLi
  – Privilege escalation
  – ...
• More exercises and details in
  – Network Security Course
  – Security Testing Course

Vulnerability examples
Not all vulnerabilities are equal
• Publicly disclosed vulnerabilities → knowledge about the vuln is in the public domain
  – Responsible disclosure
    • Vuln disclosed first to the vendor
    • Vendor releases a patch
    • Vulnerability is disclosed
  – "Not responsible" disclosure
    • Vuln is disclosed
    • Vendor gets to know it (word-of-mouth, security researcher..)
    • Vendor (eventually) patches
• Privately disclosed vulnerabilities
  – Somebody found the vuln
  – keeps the info for him/herself
  – OR sells it to a few customers
• Privately disclosed vulns are also called "0-day"
  – A 0-day exploit is "defined as computer language code written to take advantage of a particular vulnerability, which has been discovered but is not publicly known."
  – First definition in the academic literature by Arkin in 2002.
Public vs private
• Two separate markets
  – Public vulns → vendor pays researcher for finding it
  – Private vulns → rich player pays researcher to own exclusive information
• Vulnerabilities are information
  – In theory: once the info is out, the vuln is "replicable"
    • Private vuln → no value if disclosed
    • Public vuln → no value after publication
  – Not really true, but disclosure still changes the game
    • Engineering exploits is difficult → black market tools only use a handful of disclosed vulns
    • High profile victims might be alerted by security → low profile victims may remain vulnerable
Alleged (1st time) price list for 0-days
• http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

Who buys into these markets?
• Allegedly (2nd time), mostly governments
• Ok, but from whom?
• Allegedly (3rd time), from private agencies that sell malware and exploits to governments
  – Which governments?
  – Mostly oppressive ones (yes, allegedly, 4th time)
• Sample of agency names
  – VUPEN (used to be in France)
  – Gamma International (UK/Germany)
  – Hacking Team (Italy)
Research on "private" tech
• Security "hacktivists" conducted research on "phishy" activities by these agencies
• Most research done by Citizen Lab
  – 2015 EFF (Electronic Frontier Foundation) Pioneer Award
• An example is FinFisher by Gamma International
  – https://www.gammagroup.com
  – Headquarters in the UK (Gamma Group) / Munich (Gamma GmbH)
Gamma International GmbH
• FinFisher is a line of software products
  – remote intrusion
  – surveillance
  – Typical "beachhead" diffused through an email campaign
• Sold exclusively to law enforcement and governments
  – "Official" use
    • surveillance of criminals / prevention
  – Actual deployment (instance of)
    • surveillance of political dissidents in Bahrain
Gamma International (GmbH)
• FinSpy gathers information from the infected computer
  – passwords
  – screenshots
  – Skype calls
• Sends the information to a FinSpy command & control server.
  – A researcher at Rapid7 traced the C&C fingerprint
  – Binary analysis of malware samples → all belong to the same family
  – https://www.virustotal.com/en/file/cc3b65a0f559fa5e6bf4e60eef3bffe8d568a93dbb850f78bdd3560f38218b5c/analysis/
FinSpy
• Disguises itself as a picture
• The filename has the Unicode Right-to-Left Override character (U+202E)
  – Real name: gpj.1bajaR.exe
  – Displayed name: exe.Rajab1.jpg
• An executable disguised as a picture
• Different pictures for different samples
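The trick works because the file manager renders the name while the OS parses it: everything after U+202E is drawn right-to-left, so the bytes `gpj.1bajaR.exe` appear as `exe.Rajab1.jpg` while the real extension stays `.exe`. The script below is an added example, not from the lecture: it flags names carrying bidi control characters, models the override to show what the user would have seen, and reports the extension the OS will actually act on. The model covers the override/pop pair only, not full Unicode bidi resolution, which is enough for the extension swap and is marked as such in the code; the second sample name is constructed.

```python
"""Added example (not from the lecture): detect and undo the RLO filename trick."""
import os

# Unicode bidi controls that can change how a filename is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}


def has_bidi_control(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after a U+202E (RLO) is
    drawn reversed until a U+202C (PDF) or the end of the string. Other controls
    draw nothing. This is a model of the override only, not the full bidi
    algorithm; it is exact for the plain ASCII names the trick uses."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """The extension the OS acts on: strip the invisible controls, then split."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def triage(name: str) -> dict:
    """Compare what the user sees with what will execute."""
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    return {"shown_as": shown, "shown_ext": shown_ext, "real_ext": real_ext,
            "suspicious": has_bidi_control(name) and shown_ext != real_ext}


if __name__ == "__main__":
    # First name is the slide's sample; the second is a constructed variant.
    for n in ("\u202egpj.1bajaR.exe", "photo\u202egnp.exe", "report.pdf"):
        t = triage(n)
        print(f"shown {t['shown_as']!r:24} really {t['real_ext']:5} suspicious={t['suspicious']}")
```

A mail gateway or endpoint agent can run the same check on attachment names; the cheap first rule is "any bidi control in a filename is worth a look", since legitimate right-to-left filenames almost never need an explicit override to render correctly.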
FinSpy - delivery
FinSpy – Execution (1)
• Creates a random dir name
  – C:\DOCUME~1\User\LOCALS~1\Temp\\TMP44D8C9F9
• Drops a copy of itself and launches
  – C:\DOCUME~1\User\LOCALS~1\Temp\\driverw.sys
  – Driver already seen in other samples of FinFisher malware
    • Functionality unknown
  – New random dir to store screenshots, logs, etc. to send to C&C
FinSpy – Execution (2)
• Actual malware functionality upon reboot
• Injects itself into winlogon
  – Spawns legitimate processes and then replaces the code image with a malicious one (process hollowing)
  – Hooks several system functions
  – Catches the calls and sends the data to C&C
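The two execution slides describe behaviours rather than signatures: a driver dropped under the user's Temp directory, a program launched from there, a legitimate process spawned and then overwritten (hollowing), and a write into winlogon. The script below is an added example, not from the lecture, that turns those four behaviours into detection rules over a stream of endpoint events. The event schema is hypothetical (loosely modelled on Sysmon's file-create, process-create and process-access records) and the event sequence is constructed; the access-right constants are the Windows values used for injection.

```python
"""Added example (not from the lecture): FinSpy behaviours as detection rules over
constructed endpoint events. Event schema is hypothetical, loosely Sysmon-like."""
import re

PROCESS_CREATE_THREAD = 0x0002      # Windows process access rights seen in injection
PROCESS_VM_WRITE = 0x0020
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)


def detect(events):
    """Return (rule_name, detail) tuples for a list of event dicts, in arrival order."""
    alerts = []
    suspended = {}      # pid of a process created suspended -> pid of its creator
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["path"]
            # a .sys written under Temp: drivers have no business in a user temp dir
            if TEMP_DIR_RE.search(path) and path.lower().endswith(".sys"):
                alerts.append(("driver_dropped_in_temp", path))
        elif kind == "process_create":
            if TEMP_DIR_RE.search(ev["image"]):
                alerts.append(("exec_from_temp", ev["image"]))
            if ev.get("suspended"):
                suspended[ev["pid"]] = ev["parent_pid"]
        elif kind == "process_access":
            access = ev["granted_access"]
            target = ev["target_image"].lower()
            if target.endswith("\\winlogon.exe") and access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
                alerts.append(("winlogon_injection", f"{ev['source_image']} -> winlogon.exe"))
            # hollowing: the parent that spawned a suspended child writes into its memory
            if suspended.get(ev["target_pid"]) == ev["source_pid"] and access & PROCESS_VM_WRITE:
                alerts.append(("possible_process_hollowing",
                               f"{ev['source_image']} -> {ev['target_image']}"))
    return alerts


DROPPER = r"C:\DOCUME~1\User\LOCALS~1\Temp\TMP44D8C9F9\sample.exe"   # constructed name
SAMPLE_EVENTS = [  # constructed sequence mirroring the slides
    {"type": "file_create", "pid": 1201,
     "path": r"C:\DOCUME~1\User\LOCALS~1\Temp\TMP44D8C9F9\driverw.sys"},
    {"type": "process_create", "pid": 1340, "parent_pid": 1201, "image": DROPPER},
    {"type": "process_create", "pid": 1400, "parent_pid": 1340, "suspended": True,
     "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"type": "process_access", "source_pid": 1340, "source_image": DROPPER,
     "target_pid": 1400, "target_image": r"C:\WINDOWS\system32\svchost.exe",
     "granted_access": 0x1FFFFF},
    {"type": "process_access", "source_pid": 1340, "source_image": DROPPER,
     "target_pid": 648, "target_image": r"C:\WINDOWS\system32\winlogon.exe",
     "granted_access": PROCESS_VM_WRITE | PROCESS_CREATE_THREAD},
    {"type": "process_access", "source_pid": 900,      # benign: query-only access
     "source_image": r"C:\Program Files\AV\scanner.exe",
     "target_pid": 648, "target_image": r"C:\WINDOWS\system32\winlogon.exe",
     "granted_access": 0x0400},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

Each rule alone is noisy: installers run from Temp, debuggers create suspended processes, and security products open winlogon with broad rights. The value is in the sequence from one source process within a short window, which is why the hollowing rule keys on the creator of the suspended child rather than on any write into any process.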
Some C&C IPs
Disclaimer
• Malware attribution is a very complicated problem
• It can be based solely on
  – Binary features
  – Behavioral analysis / implementation of techniques
• Hence the "allegedly this", "allegedly that".
• Problem → malware analysis is hard because malware is made to be understood by computers
  – What if we had something made to be understood by humans?
The Hacking Team (HT) case
• The Italian group Hacking Team exposed
  – Significant player in the market
  – Main product: Galileo RCS
    • remote control system
  – 400 GB of exfiltrated data
    • Malware samples (a computer can parse)
    • Source code in GIT repos (a human can sort of parse)
    • Billing and emails (a human can fully parse)
• Key question:
  – what technology were they using, and to whom were they selling it?
  – Is the technology any good really?
Governmental malware: is it that sophisticated?
• FinSpy malware is not particularly complex
  – No polymorphism
  – Delivery mechanism == email attachment
• What is the actual sophistication of the technology developed and deployed by these players?
• From the HT dump:
• "Good" guy distracts the victim while the other guy whitelists the malware
  – ..Lame
  – Is this really the nature of the game, or is there more to it?
Additional Readings
• First academic paper mentioning 0-days (that I know of)
  – O. Arkin. "Tracing Hackers: Part 1." Computers and Security, 2002.
• Insight in the market
  – C. Miller. "The Legitimate Vulnerability Market." Workshop on Economics of Information Security, 2007.
  – Axel Arnbak, Hadi Asghari, Michel Van Eeten, and Nico Van Eijk. "Security Collapse in the HTTPS Market". Communications of the ACM 57, no. 10 (2014): 47-55.
• Some different perspectives on cybercrime
  – Nick Nykodym et al. "Criminal profiling and insider cyber crime." Digital Investigation, 2005.
  – D. Florencio et al. "Sex, Lies and Cybercrime Surveys". Workshop on Economics of Information Security, 2011.
  – J. Franklin et al. "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". ACM Conference on Computer and Communications Security, 2007.
• A tutorial on the difficulty of attribution
  – M. Marquis-Boire. "Big Game Hunting: The Peculiarities of Nation-State Malware Research." Black Hat USA, 2015.