6/22/2010 Kris Harms Kris Harms Peter Silberman Peter Silberman INTRUSION RESPONSE INTRUSION RESPONSE REALITY CHECK USA USA vs vs Slovenia Slovenia 2 Score Update Score Update 1
6/22/2010 MANDIANT MANDIANT 3 APT and CDT experts APT and CDT experts VISA Qualified Incident VISA Qualified Incident Response Assessor (QIRA) Response Assessor (QIRA) Located in Located in − Washington Washington − New York New York − Los Angeles Los Angeles Los Angeles Los Angeles − San Francisco San Francisco Services, software, and Services, software, and education education MANDIANT Intelligent Response MANDIANT Intelligent Response 4 (MIR) (MIR) Collect indicators Collect indicators f f from thousands of from thousands of th th d d f f agents agents Index and search the Index and search the results results Live IR on thousands Live IR on thousands of systems at once of systems at once of systems at once of systems at once From disk images to From disk images to registry keys to live registry keys to live memory forensics memory forensics 2
6/22/2010 Introductions Introductions 5 Kris Harms Kris Harms − IR Engagement Lead Instructor IR Engagement Lead, Instructor IR Engagement Lead, Instructor IR Engagement Lead Instructor Peter Peter Silberman Silberman − Researcher / Researcher / Engineer, Co Engineer, Co- - Author Author of of Memoryze and Audit Viewer, Malware Memoryze and Audit Viewer, Malware Analysis Team Analysis Team Important note Important note 6 All information All information is derived is derived from MANDIANT observations from MANDIANT observations in non in non- -classified environments. classified environments. Some information has been sanitized Some information has been sanitized Some information has been sanitized Some information has been sanitized to protect our clients’ interests. to protect our clients’ interests. 3
6/22/2010 Agenda Agenda 7 Why Most Defenders Lose Why Most Defenders Lose A Few Malware Samples and Attacker A Few Malware Samples and Attacker A Few Malware Samples and Attacker A Few Malware Samples and Attacker Techniques Techniques How to Win How to Win A Few Investigation Techniques That Work A Few Investigation Techniques That Work Today Today Why Defenders Lose Why Defenders Lose 8 VS VS Your Company L Logo Here H 4
6/22/2010 Why Defenders Lose Why Defenders Lose 9 Why Defenders Lose Why Defenders Lose 10 5
6/22/2010 Why Defenders Lose Why Defenders Lose 11 VS GENERAL WINDOWS GENERAL WINDOWS YOUR NETWORK YOUR NETWORK KNOWLEDGE KNOWLEDGE CONFIGURATION CONFIGURATION Choose Your Theater Why Defenders Lose Why Defenders Lose 12 Porn Sites Porn Sites (sorry no pictures) 6
6/22/2010 Well…It Depends Well…It Depends 15 Sample A Sample A − Obfuscated Obfuscated shellcode shellcode − Built in Built in Keylogger Keylogger functionality functionality Ability to download functionality Ability to download functionality Unknown functionality Unknown functionality − Compromised accounts? Compromised accounts? Compromised accounts? Compromised accounts? − Exploit component? Exploit component? − Pivot component? Pivot component? Hiding in plain sight Hiding in plain sight 16 7
6/22/2010 Persistence Mechanism Persistence Mechanism 18 Of the APT backdoor Of the APT backdoor samples we have samples we have collected, 60% were collected, 60% were , 3% 3% persistent on the persistent on the 27% targeted system. targeted system. Interestingly, of the Interestingly, of the 70% non non- -persistent persistent samples, almost a samples, almost a third used process third used process injection to injection to injection to injection to masquerade their masquerade their network traffic as network traffic as legitimate legitimate communication. communication. HKLM Run key Service Other Persistence Persistence 19 sens.dll sens.dll – – 5 byte persistence FTW 5 byte persistence FTW services exe services exe – bringing services.exe services.exe bringing cron bringing bringing cron cron back cron back back back 8
6/22/2010 The Legitimate The Legitimate DllMain DllMain() Function () Function 20 The code in the The code in the DllMain () function calls two library function calls two library DllMain() functions: functions: DisableThreadLibraryCalls () and and DisableThreadLibraryCalls() GetProcessHeap GetProcessHeap() GetProcessHeap GetProcessHeap() () () 722D12B9 ; int __stdcall _DllMain (struct HINSTANCE__ *, unsigned long, void *) 722D12B9 mov edi, edi 722D12BB push ebp 722D12BC mov ebp, esp 722D12BE mov eax, [ebp+fdwReason] 722D12C1 dec eax 722D12C2 jnz short loc_722D12D8 722D12C4 push [ebp+hLibModule] 722D12C7 call ds:__imp__ DisableThreadLibraryCalls @4 ds:__imp__ GetProcessHeap @0 GetProcessHeap @0 722D12CD 722D12CD call ll d i 722D12D3 mov ?ghSensHeap@@3PAXA, eax 722D12D8 loc_722D12D8: 722D12D8 xor eax, eax 722D12DA inc eax 722D12DB pop ebp 722D12DC retn 0Ch 722D12DC DllEntryPoint endp The Trojanized DllMain() Function The Trojanized DllMain() Function 21 Now code in the DllMain() only GetProcessHeap() gets called. The Call to DisableThreadLibraryCalls() has been y () replaced by a mysterious jmp instruction. 722D12B9 ; 722D12B9 ; int int __ __stdcall stdcall _DllMain DllMain (struct struct HINSTANCE__ *, unsigned long, void *) HINSTANCE__ *, unsigned long, void *) 722D12B9 722D12B9 mov mov edi edi, , edi edi 722D12BB 722D12BB push push ebp ebp 722D12BC 722D12BC mov mov ebp ebp, , esp esp 722D12BE 722D12BE mov mov eax eax, [ , [ebp+ ebp+fdwReason fdwReason] ] 722D12C1 722D12C1 dec dec eax eax 722D12C2 722D12C2 jnz jnz short loc_722D12D8 short loc_722D12D8 722D12C4 722D12C4 push [ push [ebp+ ebp+hinstDLL hinstDLL] ] jmp jmp loc_722D822D loc_722D822D 722D12C7 722D12C7 722D12C7 722D12C7 ; ; ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 722D12CC 722D12CC db 88h db 88h 722D12CD 722D12CD ; ; ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ 722D12CD loc_722D12CD: 722D12CD loc_722D12CD: ds:__imp__ GetProcessHeap GetProcessHeap @0 722D12CD 722D12CD call call ds:__imp__ @0 722D12D3 722D12D3 mov mov ? ?ghSensHeap ghSensHeap@@3PAXA, @@3PAXA, eax eax 722D12D8 722D12D8 loc_722D12D8: loc_722D12D8: 722D12D8 722D12D8 xor xor eax, eax , eax eax 722D12DA 722D12DA inc inc eax eax 722D12DB 722D12DB pop pop ebp ebp 722D12DC 722D12DC retn retn 0Ch 0Ch 722D12DC DllEntryPoint 722D12DC DllEntryPoint endp endp 9
6/22/2010 Would you know its bad? Would you know its bad? 22 Entry Location Description Publisher Image Path HKLM\System\CurrentC HKLM\System\CurrentC (Not verified) Internet (Not verified) Internet c:\program files\iss\proventia c:\program files\iss\proventia ontrolSet\Services VPatch Security Systems, Inc. desktop\vpatch.exe HKLM\System\CurrentC (Not verified) Internet c:\windows\system32\drivers\makon ontrolSet\Services MakoNT Security Systems, Inc. t.sys HKLM\System\CurrentC (Not verified) Internet c:\windows\system32\drivers\rapdrv. ontrolSet\Services rap Security Systems, Inc. sys HKLM\System\CurrentC (Not verified) Microsoft ontrolSet\Services SENS Corporation c:\windows\system32\sens.dll HKLM\Software\Microsof t\Windows\CurrentVersio n\Shell \S e Directory ecto y ( e (Verified) Microsoft ed) c oso t Extensions\Approved Service Find Windows Publisher c:\windows\system32\dsquery.dll HKLM\Software\Microsof t\Windows\CurrentVersio Directory n\Shell Service (Verified) Microsoft Extensions\Approved Common UI Windows Publisher c:\windows\system32\dsuiext.dll HKLM\Software\Microsof t\Windows\CurrentVersio Directory n\Shell Service (Verified) Microsoft Extensions\Approved Common UI Windows Publisher c:\windows\system32\dsuiext.dll Abusing services.exe Abusing services.exe 23 MODIFIED MODIFIED UNMODIFIED UNMODIFIED 10
Recommend
More recommend
