t argeted attacks from being a victim to counter attacking
play

T argeted attacks: from being a victim to counter attacking - PowerPoint PPT Presentation

Aug 19, 2022 •483 likes •1.02k views

T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz <at> signal11.eu www.signal11.eu Motivation Are we able to counteratack ? Different possibilities: Traditional network scan and attack

  1. T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz <at> signal11.eu www.signal11.eu

  2. Motivation • Are we able to counteratack ? • Different possibilities: • Traditional network scan and attack known open ports • Running honeypot with infected documents to steal • Discovering new vulnerability in the backdoor program intruders use

  3. Outline • Intro • Scenario • Analysis of an infected document • RAT (Remote Administration T ool) • Closer look at Poison Ivy RAT • Unobfuscating the code • The vulnerability • The exploit (demo) • The intellingence from the field

  4. Intro: targeted attacks • Highly focused on particular organisations (or organisation type) • Making less noize than the « non-targeted » malware • The most popular attack vector is an e-mail with an infected document or link to a web page with an exploit • T ools used to maintain the control and infiltrate the target are more individual-oriented (designed for managing less machines, but you can do more with a single machine) • Main focus on stealing documents (amongst other things ...)

  5. Intro: targeted attacks (2) • Different attackers from different countries with different skills • Simplest attacks: only social engineering « here is your unpaid bill: http://badness.com/bad.exe » • More advanced attacks: infected DOC/PPT/PDF or link to a web page • The most advanced: 0-day vulnerability exploited in MS/Adobe products

  6. Scenario • Our scenario starts here: an e-mail with the PDF attached was sent to a pharmaceutical company • The PDF, when opened, makes the Adobe Reader disappear for a second, and then reappers with an « analysis of the future of the drug market » • Closer analysis and Internet search reveals that the article was copied from the news • The analysis of the PDF file reveals that it exploits a vulnerability in Collab.collectEmailInfo in Adobe Reader up to 8.1.1 (CVE-2007-5659)

  7. Scenario (2) • Althought this was not 0-day at this time, the system was not patched (quite common with Adobe products until recently) • The security products (the AntiVirus and the IDS system) failed to block the threat becasue the JavaScript in the PDF was obfuscated (see http://www.signal11.eu/en/research/articles/m on how easy is to fool the AV)

  8. Static analysis: Malicious JavaScript • Static analysis: the PDFTK (PDF toolkit) or the pdf-parser.py • After uncompressing, the following code is visible:

  9. Static analysis: shellcode analysis Malicious JavaScript contains shellcode: We discontinue the static analysis because it's too time consuming – let's move on to dynamic analysis

  10. Dynamic analysis: Network footprint Network footprint: 256 bytes sent right after a successful TCP handshake. These bytes appear random; they are different with each run:

  11. Dynamic analysis: Behavioral analysis • This is to give the overall picture what's going on in the system: Process Monitor can be used, or some publicly available sandboxing services: Sunbelt CWSandbox, ThreatExpert, Anubis • Using these tools it is easy to see that the code injects remote threads to other processes and creates new processes as well • T o get to the final code we need to follow all these hops • This will serve as a base for the third element of dynamic analysis: code debugging

  12. Dynamic analysis: Debugging code • First, the code calls CreateRemoteThread() in the explorer.exe process • We can attach a second copy of the debugger to explorer.exe and break exactly where the new remote thread starts

  13. Dynamic analysis: Debugging code (2) • The hopping is not over; the injected explorer.exe thread calls CreateProcess() on iexplore.exe in the suspended state,injects code and resumes the process • We can use the good old method; find the injeced code in the injecting process, and modify its frist bytes to jump-to-itself. The thread in iexplore.exe process will wait for us in the infinite loop

  14. Dynamic analysis: Debugging code (3) This seems to be a right payload: • Position independent code: CALL ESI + n, where ESI is a base register

  15. Dynamic analysis: code walk-through

  16. Remote Administration T ool: Introducing the term RAT • Now we now something about the code, let’s check if it’s not something that we can grab from the Internet • According to Wikipedia: A Remote Administration Tool (known more commonly on the Internet as a RAT ) is used to remotely connect and manage a single or multiple computers with a variety of tools, such as: • Screen/camera capture or control • File management (download/upload/execute/etc.) • Shell control (usually piped from command prompt) • Computer control (power off/on/log off) • Registry management (query/add/delete/modify) • Other product-specific function • Watch out for terminology: server is the remote part, client is the GUI C&C part

  17. Remote Administration T ool: Four candidates • Searching on Remote Access T ool gives some results. After analysis, I chosed four that seem most popular and can be publicly downloaded: – Nuclear RAT – Gh0st RAT – Bifrost Remote Controller – Poison Ivy • Let’s analyse each of them to check if some of them match to what we already know about our sample

  18. RAT: Remote Access T ool Nuclear RAT • Traffic characteristics does not match our case; data is sent in clear

  19. Remote Administration T ool Gh0st RAT • Infamous one, played main role in the GhostNet report • The network footprint of this one does not match either because, even if it’s encrypted, it starts the transmission with the string « Gh0st », which is not our case

  20. Remote Administration T ool Bifrost Remote Controller • This one seems close to what we are observing, at first glance • Data is encrypted, but it is 9 bytes more than 256 • If looked at closely, we can see that the first four bytes desribe the length of the encrypted part • Not our case either

  21. Remote Administration T ool Poison Ivy RAT • The traffic characteristic is a 100% match; 256 random bytes • The code from the generated server matches as well • That means: WE’VE FOUND THE RIGHT ONE !

  22. Closer look at Poison Ivy: Introduction • Free for download at its home site: www.poisonivy-rat.com • The license says you can order special, undetected version • It also says that updating to new version is very easy because the remote part does not need to be updated

  23. Closer look at Poison Ivy: The architecture • In the Poison Ivy naming convention (other RAT s as well), the client is the GUI console and the server is the remote agent siting in the infected computer

  24. Closer look at Poison Ivy: The server • Generated from within the client with user supplied options (IP to connect, password etc.) • Very small: around 6 kb of code (position independent), all the rest sent on-demand from the client • Hides very well in the system: I’ve seen behavioral tools failing to detect it because they couldn’t reconginze the API calls • Generate options include: – Password when authenticating with the client – IP address to connect to – Is starting at boot or no – Where to drop the EXE – Whether to perform the code injection, etc, etc.

  25. Closer look at Poision Ivy: The client

  26. Closer look at Poison Ivy: The client Its capabilities include: File manager • File shredder • Registry manipulator • Process viewer and manipulator • Services and driver viewer • TCP/IP relay proxy • Active connection and port lister • Remote cmd.exe shell • Password dumper • Key logger • Screen and audio capture • Inernet camera capture • Has plugin architecture that allows writing more •

  27. Closer look at Poison Ivy: The comms • Site says it uses Camelia Encryption • Challenge-response authentication: first 256 random bytes is a chalenge, the client sends the response and the server verifies if the client knows the password • The encryption is not well implemented; re- seeding the crypto with each trasmission

  28. Closer look at Poison Ivy: The comms (2) • The encryption routines can be spotted by seeing a lot of arithmetic operations • By tracing how these function work, we can locate the password – very important

  29. Unobfuscating the code • Distributed obfuscated by ExeStealth v2.7x, as identified by DiE.exe (Detect-It-Easy), PEiD failed to detect it • The code is written in Borland Delphi • The packer performs antidebugging tricks such as spaghetti jumps, jumping to the middle of instruction, checking « BeingDebugged » flags, calculating the CRC over its own code • There is an easy trick to unpack this: after the first Access Violation exception, place the breakpoint on the CODE section – the next break will be OEP • We need to hide the debugger; PhantOm for Olly is ok! • The final step is to use Import Reconstructor with the appropiate plugin to rebuild the exe

  30. Unobfuscating the code (2)

  31. The vulnerability: Process stalking • After making sure the program works after rebuilding it, we are ready to have closer look at it • It contains loads of code, so we probably have to figure out which part we are interested in • Let’s employ Process Stalking technique and use the PaiMei by Pedram Amini – an excellent debugging framework writen in Python

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim. Require the victim to do work per packet. Classic: TCP SYN floods (2000pps sufficient) ICMP floods Victim has insufficient

382 views • 6 slides
Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Agenda Network ID Systems Architecture, Problems Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c Normalization Priyank Porwal Active Mapping COMP 290 Network Intrusion Detection

397 views • 11 slides
VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance

VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance

VICTIM A ASSISTANCE SSISTANCE VICTIM IN ALBANIA IN ALBANIA Presented by Victim Assistance Officer Albanian Mine Action Executive, (AMAE) Mine/UXO Victim Assistance Components Access Legislation Data and Public Collection Awareness

166 views • 5 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond &amp; Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Attacking AUTOSAR using Software and Hardware Attacks Pascal al Nasahl Graz University of

Attacking AUTOSAR using Software and Hardware Attacks Pascal al Nasahl Graz University of

Attacking AUTOSAR using Software and Hardware Attacks Pascal al Nasahl Graz University of Technology Niek Timmer mers Riscure 1 Introduction 2 Introduction Niek Timmers Principal Security Analyst @ Riscure 3 Introduction

1.34k views • 115 slides
Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the

Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the

Victim Impact Statement Implementing the EU Directive: The voice of the victim in court; the victim impact statement in the Netherlands Alex Sas Policy advisor VSE Seminar Procedural Rights: Victim November 2014 Impact Statement Victim

393 views • 35 slides
Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks

Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks

Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks Claude Carlet LAGA, Universities of Paris 8 and Paris 13, CNRS, France and University of Bergen, Norway Work in common with Xi Chen Outline

498 views • 45 slides
M AKING THE R ACE F AIR FOR Y OUNG C HILDREN AT R ISK : A T ARGETED P REVENTION A PPROACH TO

M AKING THE R ACE F AIR FOR Y OUNG C HILDREN AT R ISK : A T ARGETED P REVENTION A PPROACH TO

M AKING THE R ACE F AIR FOR Y OUNG C HILDREN AT R ISK : A T ARGETED P REVENTION A PPROACH TO R EDUCING C HILD E MOTIONAL AND B EHAVIOUR P ROBLEMS Terry Bennett, MD, FRCPC, PhD D EDICATION Growing Up in Canada is like race. I dont

169 views • 14 slides
COMPUTER INTRUSION INVESTIGATIONS Investigative Challenges Victim preparedness and response

COMPUTER INTRUSION INVESTIGATIONS Investigative Challenges Victim preparedness and response

John Chesson Special Agent InfraGard Coordinator FBI San Francisco Division Counter Intelligence Computer Intrusion COMPUTER INTRUSION INVESTIGATIONS Investigative Challenges Victim preparedness and response capabilities Volatility of

404 views • 15 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses &amp; worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

647 views • 42 slides
DNS: Victim or Attacker Paul Ebersman Paul_Ebersman@cable.comcast.com, @paul_ipv6 ICANN49, 24

DNS: Victim or Attacker Paul Ebersman Paul_Ebersman@cable.comcast.com, @paul_ipv6 ICANN49, 24

DNS: Victim or Attacker Paul Ebersman Paul_Ebersman@cable.comcast.com, @paul_ipv6 ICANN49, 24 Mar 2014, Singapore 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive 2) Nonrecursive query recursive for

577 views • 36 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein

METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein

METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein *Equal Contribution ^Speaker University of Maryland NeurIPS MetaLearn 2019 DATA POISONING Training data Testing example Plane Frog Base

251 views • 11 slides
Causal Theory of Intention Phil 255 David Armstrong Armstrong begins with some meta - philosophy:

Causal Theory of Intention Phil 255 David Armstrong Armstrong begins with some meta - philosophy:

Causal Theory of Intention Phil 255 David Armstrong Armstrong begins with some meta - philosophy: Logical positivists generated a crisis in philosophy: Wittgenstein: role for philosophy was to clarify problems Ryle: philosophers were to perform

273 views • 14 slides
Poison centres: why notify now? a Brexit special Caroline Raine | Principal regulatory

Poison centres: why notify now? a Brexit special Caroline Raine | Principal regulatory

Poison centres: why notify now? a Brexit special Caroline Raine | Principal regulatory consultant www.the-ncec/poisoncentres Agenda Introduction to poison centres Annex VIII to CLP What is it? How will it affect businesses?

652 views • 38 slides
New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th the ti time me ha has come

New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th the ti time me ha has come

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th the ti time me ha has come s come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013 About us Bar Ilan University

463 views • 32 slides
The Tobacco Industry, Tobacco Control &amp; Media 2.0: Same Poison, New Bottle Stan Shatenstein

The Tobacco Industry, Tobacco Control &amp; Media 2.0: Same Poison, New Bottle Stan Shatenstein

The Tobacco Industry, Tobacco Control &amp; Media 2.0: Same Poison, New Bottle Stan Shatenstein Editor &amp; Publisher, STAN Bulletin Smoking &amp; Tobacco Abstracts &amp; News shatensteins@sympatico.ca TI Marketing: Media 1.0 TI Marketing:

789 views • 30 slides
A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny

A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny

A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Soheil Feizi, Tudor Dumitras OVERVIEW Why is optimization so easy on neural nets? What are

860 views • 84 slides
The Limitations of Federated Learning in Sybil Settings Clement Fung*, Chris J.M. Yoon + , Ivan

The Limitations of Federated Learning in Sybil Settings Clement Fung*, Chris J.M. Yoon + , Ivan

The Limitations of Federated Learning in Sybil Settings Clement Fung*, Chris J.M. Yoon + , Ivan Beschastnikh + * Carnegie Mellon University + University of British Columbia The evolution of machine learning at scale Machine learning (ML) is a

723 views • 55 slides
CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January

CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January

CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January 18, 2018 Content This lecture covers the following concepts: Demo setting up specific lab environments in VirtualBox Utilizing

393 views • 11 slides

More recommend