stuxnet redux malware attribution lessons learned
play

Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat - PowerPoint PPT Presentation

May 28, 2023 •595 likes •1.33k views

Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net Media & Cyber War Love Affair WSJ Wide Cyber Attack Is Linked to

  1. Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net

  2. Media & “Cyber War” Love Affair  WSJ “Wide Cyber Attack Is Linked to China”  60 Minutes “Sabotaging the System”  Google/Adobe “Aurora Incident”  Most Recently Targeted SCADA Malware

  3. Cyber Conflict Lexicon  Cyber War  Adversary / Actor  Attribution  APT?  Stuxnet an APT?

  4. A T P

  7. Attribution – Why do we care?  LE/Actor Deterrents  Actor Intelligence  Profiling Adversarial Technical Capabilities  Insight into State Sponsored Programs  Creating Linkage Between Actor Groups  Tracking the Supply Chain  Differentiating Between Actors  State Sponsored or Crimeware?

  8. Attribution: What are we looking for?  The obvious – An individual or group of individuals name(s), street address, social networking page etc..  However..  We often don’t care about this..  Doesn’t generally help develop countermeasures  Attributing to the actor/group level is often enough for profiling efforts

  9. Attribution Continued..  Attribution at actor group level  Differentiation between groups  Identification of group geography  Indications of sponsorship  Nation State (China, Russia or Korea?)  Organized Crime (RBN et al?)  Activist Group  Where worlds collide  Code sharing between groups

  10. Conventional Analysis Data Sources  Static and Runtime Binary Analysis  Memory Forensics  Vulnerability Exploitation & Payload Analysis  Command & Control  Post-Exploitation Forensics

  11. Automated Analysis Today  Anti Virus:  Known Signature  Virus-Like Characteristics  Sandbox / Runtime Analysis  What does the code do?

  12. Analysis Today Continued..  What Happened?  How did they get in?  What did they exploit to get in?  What was done once on the system?  Are they still there?  How can this be prevented in the future?

  13. Analysis Today Continued..  Lots of R&D Associated with Modern AV/Analysis Technologies.  Typically Designed to Provide End User with a one or a zero, and no exposure to any shades of grey.  LOTS of useful metadata processed under the hood that we can make better use of.

  14. Existing Attribution Research  2000 RAND Conference  Numerous CARC working group meetings  2004 Syngress Publication  Focus on:  Theoretical attack profiling  Who do we have to care about?  Post event/forensic approach  Forensic actor profile

  15. Adversary attack fingerprints  Key Attack Meta Data  Attack sources  Other Relevant Packet Data  Attack tools and their origins  Attack methodology  Planning  Execution  Follow through

  16. Attack tool meta data: Origins  All attack tools have their origins..  These can be put into two broad categories:  Public  Often simply prove a concept  Often not ‘robust’  Many contain backdoors  Private  Frequently more robust than public counterparts  Generally better written  May be based on private attack API’s

  17. Attack tool meta data: Use  How easy is it to use a given attack tool  Prior technical knowledge required to use tool  Prior target knowledge required to use tool  Was it an appropriate tool to use for a given task?

  18. Example Attack Scoring Matrix Web Application Flaws Public Private Proprietary Application Penetration:   SQL Injection 3 5 Open Source Application Penetration:  SQL Injection 3 5  Proprietary Application Penetration:   Arbitrary Code Injection 2 4 Open Source Application Penetration:   Arbitrary Code Injection 2 4 Proprietary Application Penetration:   OS command execution using MSSQL Injection 3 5 Proprietary Application Penetration:   OS command execution using SyBase SQL Injection 3 5 Proprietary Application Penetration:  SQL Injection only (MS SQL) 4 6  Proprietary Application Penetration:   SQL Injection only (IBM DB2) 6 8 Proprietary Application Penetration:   SQL Injection only (Oracle) 6 8

  19. Furthering the Toolset  Large Bodies of RE/Analysis Research  Almost all geared around traditional IR  In most cases; not appropriate for attribution  Clear Need for Reduction in Guesswork  Less art, more science  Use of Common Attribution Models

  20. Adversary Profiling Today  Lots of science behind criminal profiling  Linguistics & Behavioral Analysis  Warm Touch

  21. Application of Current Tool Set To Attribution Doctrine  Can be possible through..  Exploit /Payload Analysis  Known Tooling/Markings  Normally Requires Manual Effort to Identify  Binary Image Meta Data  Email Addresses  User Names  Etc..

  22. Exploit Analysis  Exploits often re-worked for malware  Improved Reliability  Specific host type/OS level targeting  Possible to automate coloration with knowledge base of public exploits  ANI Exploit – Re-worked in malware to avoid IPS signatures for previous exploit

  23. Exploit Reliability & Performance  Crashes & Loose Lips Sink Ships  Improved Performance  Advanced / Improved Shellcode  Re-patching Memory  Repairing Corrupted Heaps  Less Overhead  No Large Heap Sprays  Or Excessive CPU Overhead  Continued Target Process Execution

  24. Exploit Failure  Where possible – failure may be silent  Exploit Self Clean-Up:  Java hs_err log files  System / Application Log files  *NIX Core files

  25. Exploit Applicability  Reconnaissance Performed  Execution based on SW (browser) version?  Operating System  Less likely to function on ASLR / DEP

  26. Exploit Selection  Lots of Attention Toward 0day  1+Day != Low End Adversary?  Old Attacks Often Re-Worked  Bypass IDS/IPS Signatures  Improved Payloads Demonstrate Capability

  28. Code Isomorphism  Lots of Investment from Anti-Code Theft World  Small Prime Product  Create Large Prime # Per Function  Unique Prime # / Each Opcode  Resistant to Reordering  API Call Structure Analysis Prog1.Func Prog2.Func  Function Checksums  Variables / Constant Tracking RegSetValueEx RegSetValueEx MessageBox RegCreateKeyEx RegCreateKeyEx

  29. Code Isomorphism Cont..  Seokwoo Choi, Heewan Park et al A Static Birthmark of Binary Executables Based on API Call Structure   Halvar Flake BinDiff & VxClass   Others..

  30. Function Level Code Isomorphism Based Attribution  Reuse of Code Functions  Useful for closed-source projects  Good for tracking malware ‘genomes’  However..  Most malware based off of ‘kits’  In most cases - doesn't tell us much (or anything) about authors

  31. Code Quality  Nested Statements  Compiler Optimization May Interfere  Unclosed File Handles  Memory Leaks  Unused Variables  Function Redundancy  Debug Strings Present

  32. Nested Conditionals

  33. Debug Symbols  Can indicate developer knowledge  Aware of tool markings assoc with compiler  PDB Locations may provide details of:  User Names  Operating System (Users VS Docume~1)

  34. Stuxnet PDB References  Likely Forged  However…

  35. Stuxnet PDB Contiued  b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb  Myrtaceae Family:  Myrtle  Clove  Guava  Stuxnet / mrxnet.sys  Feijoa  Allspice  Eucalyptus

  36. Future Automation  Automation Vital for Scale  Too much badness, not enough analysts  Analyst time better spent on edge cases  LOTS of repetition in most current efforts; ex:  Isomorphic analysis  Cataloguing and identification of tool markings

  37. BlackAxon  Designed as Proof of Concept  Utilizes int3 debugger breakpoints  Yes – you’re malware can detect me  User Sets the Rules  No preconceived notion of ‘badness’  XML Model Defines Functions of Interest  Identification of API call context  Defines weighting of API calls

  38. Stuxnet (Dropper) Example

  39. Nest Analysis 8000 7000 6000 5000 4000 3000 2000 1000 0 calc.exe nest test netcat stuxnet firefox Nuwar.R Nimda conficker dropper

  40. API Call Hit/Context Tracing: Persistence CreateToolhelp32Snapshot Process32First OpenProcess CreateProcess VirtualAllocEx WriteProcessMemory (CREATE_SUSPENDED)

  41. API Call Hit/Context Tracing: Persistence URLDownloadToFile Read & Xor CreateProcess UrlDownloadToFile CreateProcess

  42. Further Development..  DETOURS Hooks  Kernel Hooks

  43. Digital Evidence Forgery  Always a Possibility  Requires Knowledge of ‘What’ to Forge  Cost of Forgery May Outweigh ROI

  44. When code analysis #fails  Code Analysis Can be Inconclusive  Out of Band Data Useful to Support Hypothesis  C&C Channel Hosts Correlation  Check-In Server Identification  Post-Incident Artifacts  Auxiliary Tools / Code Utilized  Data Exfiltrated  Secondary Targets Attacked

  45. When code analysis #fails  Some automation available  Meta Data Link Analysis:  Maltego  Palantir  Analysts Desktop  Alternate data sources include..  Social Networking / Chat  Whois databases  Website Archives (archive.org)  DNS record archives (dnshistory.org)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Protg 2006, July 26th, Stanford I R I S A C 1 R E C Saint-Cyr Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From Ontology Ontology Design Design Ontology Ontology Design Design Jean Andr B

371 views • 12 slides
Lessons Learned In Smart Grid Cybersecurity Chris Blask Chair ICS-ISAC TCIPG Workshop, October

Lessons Learned In Smart Grid Cybersecurity Chris Blask Chair ICS-ISAC TCIPG Workshop, October

Lessons Learned In Smart Grid Cybersecurity Chris Blask Chair ICS-ISAC TCIPG Workshop, October 30, 2012 Cyberwar Hits Energy Firms Escalating from Interruption to Destruction Iranian nuclear program: Stuxnet destroys 1,000+

253 views • 12 slides
1 8 Months of Redux March 4, 2017 Yuri Takhteyev CTO + 19 Ranglers Redux at Rangle

1 8 Months of Redux March 4, 2017 Yuri Takhteyev CTO + 19 Ranglers Redux at Rangle

1 8 Months of Redux March 4, 2017 Yuri Takhteyev CTO + 19 Ranglers Redux at Rangle Weve been actively using Redux for a bit over 18 months. This is a good opportunity to re fl ect on what weve De fi ne learned. Prepare

545 views • 33 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
Lessons from the Dakota Access Pipeline Redux New Orleans 18 October 2018 WindHorse

Lessons from the Dakota Access Pipeline Redux New Orleans 18 October 2018 WindHorse

What Does Better Engagement Look Like from Various Public Stakeholders? Lessons from the Dakota Access Pipeline Redux New Orleans 18 October 2018 WindHorse Strategic Initiatives, LLC Legal Disclaimer : This presentation,

554 views • 41 slides
Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background

Institutionalizing Lessons Learned October 25, 2006 Loren Plisco Region II Background SEP 2002 Davis-Besse Lessons Learned Task Force AUG 2004 - Effectiveness Review Lessons Learned Task Force JAN 2005 - EDO Charters

269 views • 22 slides
OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned Jobsite Safety and Health Inspections/Audits better known as; PAPER WORK You hate it, Your safety director requires it, OSHA loves it, Does it

926 views • 35 slides
3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the Spanish Registry: Lessons Learned from the Registries o Is It possible (and worthy) to do a national registry? Lessons learned from the o

1.16k views • 43 slides
DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD

DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD

DEBUGGING LESSONS LEARNED WHILE DEBUGGING LESSONS LEARNED WHILE FIXING NETBSD FIXING NETBSD ABOUT ME ABOUT ME maya@NetBSD.org coypu@sdf.org NetBSD/pkgsrc for the last 3 years THIS TALK THIS TALK Mix of a bunch of bugs Not solo work

695 views • 31 slides
Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda Introduction What are Lessons Learned? Value to the Project Process and Organization Keanes Approach to Lessons Learned Keys to

261 views • 24 slides
Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Rome, May 31, 2011 Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1 speaker Jonathan

223 views • 21 slides
Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted

Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted

Four Major Events in Our History and the Lessons Learned Coleen Reiswig, Isobel McDonald, Ted Pincock, Carolyn Bouchard Joanne Archer Outline: 1) Common Themes 2) The Event and lessons learned: Spanish Influenza 1918 SARS

417 views • 38 slides
Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss

Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss

Beijing International Finance Forum Chairman Junichi Ujiie 2004/05/19 Lessons Learned from Japans NPL Experience Ladies and gentlemen, today I would like to discuss the lessons to be learned from Japans NPL problems: first, the disposal

344 views • 3 slides
Malware Datasets Aleieldin Salem and Alexander Pretschner Technische Universitt Mnchen

Malware Datasets Aleieldin Salem and Alexander Pretschner Technische Universitt Mnchen

Poking the Bear: Lessons Learned from Probing Three Android Malware Datasets Aleieldin Salem and Alexander Pretschner Technische Universitt Mnchen Garching bei Mnchen {salem, pretschn @in.tum.de} Montpellier, 04.09.2018 Abstract

590 views • 34 slides
Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill

Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill

Some lessons learned from Team Science Some lessons learned from Team Science Lewis Cantley Weill Cornell Medical College, New York Presbyterian Hospital Past participation in Team Science Period Period Type of grant Type of grant Role in Grant

380 views • 20 slides
Director, Integrated Care Portfolio eHealth NSW Strategic Partnership in Support of Childrens

Director, Integrated Care Portfolio eHealth NSW Strategic Partnership in Support of Childrens

Steve Badham Director, Integrated Care Portfolio eHealth NSW Strategic Partnership in Support of Childrens Health and Wellbeing Federal and Jurisdictional Partners The Collaborative Vision Harnessing the power of digital technology

403 views • 17 slides
Modeling System Structure and System Behavior Mark Austin E-mail: austin@isr.umd.edu Institute

Modeling System Structure and System Behavior Mark Austin E-mail: austin@isr.umd.edu Institute

ENES 489P Hands-On Systems Engineering Projects Modeling System Structure and System Behavior Mark Austin E-mail: austin@isr.umd.edu Institute for Systems Research, University of Maryland, College Park p. 1/40 System Structure and System

1.16k views • 40 slides
2:00 p.m. Eastern Dial In: 888.863.0985 Conference ID: 49390169 Slide 1 Speakers LaToshia

2:00 p.m. Eastern Dial In: 888.863.0985 Conference ID: 49390169 Slide 1 Speakers LaToshia

Tuesday, October 17, 2017 2:00 p.m. Eastern Dial In: 888.863.0985 Conference ID: 49390169 Slide 1 Speakers LaToshia Rouse Alliance for Innovation of Maternal Health Patient Partner Perinatal Quality Collaborative of North Carolina Arthur

530 views • 22 slides
Precipitous Delivery Review the basic equipment needed for a successful emergency department

Precipitous Delivery Review the basic equipment needed for a successful emergency department

Objectives Review the physiology of labor & delivery Precipitous Delivery Review the basic equipment needed for a successful emergency department delivery Are you prepared? Manage complications associated with antepartum and

650 views • 22 slides
Introduction to data display Useful questions to ask when considering how to display information

Introduction to data display Useful questions to ask when considering how to display information

Introduction to data display Useful questions to ask when considering how to display information What do you want to show? What methods are available for this? Is the method chosen the best? Would another have been better?

1.55k views • 115 slides
+ Disclosures I have nothing to disclose Twins: Timing and Management of Delivery Mari-Paule

+ Disclosures I have nothing to disclose Twins: Timing and Management of Delivery Mari-Paule

+ + Disclosures I have nothing to disclose Twins: Timing and Management of Delivery Mari-Paule Thiet, MD Director, Division of Maternal-Fetal Medicine Vice-Chair of Patient Safety and Quality Assurance Department of Obstetrics, Gynecology

475 views • 9 slides
Preventing the First Cesarean Robyn Lamar, MD, MPH Assistant Professor of OB GYN, UCSF Outline

Preventing the First Cesarean Robyn Lamar, MD, MPH Assistant Professor of OB GYN, UCSF Outline

10/18/2018 Disclosures: none, but a debt of gratitude . . . Preventing the First Cesarean Robyn Lamar, MD, MPH Assistant Professor of OB GYN, UCSF Outline Why It Matters Why it matters Cesareans can be lifesaving

695 views • 16 slides
Pregel A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, et. al.

Pregel A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, et. al.

Pregel A System for Large-Scale Graph Processing Grzegorz Malewicz, Matthew H. Austern, et. al. Google, Inc. 2010 ACM SIGMOD Conference Presented By: Ezequiel Aguilar Gonzalez Computer Science and Engineering The University of Texas at

1.13k views • 44 slides

More recommend