A Hacker's Method to Your Madness - Dave Russell, from the 2011 Computer Forensics Show


Description

Dave Russell, a consultant and GIAC Certified Forensic Analyst (GCFA) at 403 Labs, presented "A Hacker's Method to Your Madness" at the 2011 Computer Forensics Show in San Francisco, CA. The talk examined the motives of today’s hackers, as well as the strategies, tactics and tools they employ as they try to get into your network, do what they want, and leave with as few traces as possible. Dave also drew from his real-world experience working side-by-side with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) to detail how hacking incidents actually affect people’s lives. The presentation is meant to give companies a better understanding of how predatory hackers work, so they can improve their security posture and implement practices that help them avoid becoming the prey.

Transcript of A Hacker's Method to Your Madness - Dave Russell, from the 2011 Computer Forensics Show

Page 1: A Hacker's Method to Your Madness - Dave Russell, from the 2011 Computer Forensics Show

A Hacker’s Method to Your Madness

Dave Russell

403 Labs

Drussell[at]403labs[dot]com

Page 2

What Am I About?

• Consultant at 403 Labs, working largely in Payment Card Industry (PCI) space

• Worked on building the 403 Labs PCI Forensic Investigator (PFI) program
  – One of only nine U.S. companies certified

• Specialize in reverse engineering and unusual circumstances like custom malware

Page 3

More Background

• Have worked with local, state and federal agencies on cases
  – Largely criminal
  – One involved an 18+ month investigation of corporate sabotage: we’ll talk about this one in depth

• Provided application training classes to a state Department of Justice

• Spoken at numerous conferences, including Toorcon two weeks ago, and Infragard earlier this year

Page 4

A Brief Overview

• The “hacker” mentality
  – Not all hackers are created equal

• Finding evidence and how they got in

• Case studies

Page 5

Not All Hackers Are Created Equal

The common misconception: All hackers are out to destroy things and steal money

Page 6

Page 7

Not All Hackers Are Created Equal

• The truth is a “gray” area
  – While there are many criminal hackers, a number are actually “Grayhats”
    • Kevin Mitnick is arguably the most famous

• Most hackers begin with a basic curiosity and a “how far can I go” attitude without ever delving into the criminal
  – This is not necessarily bad; a lot of security initiatives have spawned from this mentality

Page 8

Hacker Taxonomy

• Organized criminals
  – Often report to “bosses” like other more conventional organized crime
  – Highly structured and striated
  – Goal is almost always, ultimately, money
  – Covers a lot of territory from payment card theft to child pornography
  – Example: the Russian Business Network (RBN)

Page 9

Hacker Taxonomy

• Loosely affiliated bands of criminals
  – Motives vary, but money is often at the center
  – Organizations team up
  – Damage is more focused (for example, targeting specific companies), but can still be devastating
  – Example: Albert Gonzalez and the TJX/Heartland compromises

Page 10

Hacker Taxonomy

• Hacktivists
  – Looking to make a personal or political statement
  – Money is very often *not* the motivator, embarrassment or attention is
  – Can form groups like criminal organizations
  – Examples: LulzSec, Anonymous

Page 11

Hacker Taxonomy

• Grayhats
  – Usually motivated by a desire to learn and “push the envelope”
  – Not always destructive (at least not deliberately), and often use appropriate channels for reporting flaws, though theft can still result
  – Often the target of hate and harassment from all sides
  – Examples: Kevin Mitnick

Page 12

Hacker Taxonomy

• Whitehats
  – No criminal motivation
  – Only release discovered vulnerabilities through appropriate channels
  – Often involved in the infosec industry
  – Examples: a lot

Page 13

Hacker Taxonomy

• “Skr1pt kiddies”
  – The lowest on the hacker totem pole
  – “Joyriders”
  – Often tricked into doing really stupid things
  – “Hacking” often involves finding weak passwords or other obvious flaws for which someone else wrote a tool to exploit (hence the name)
  – The threat is low, but damage can be just as high
  – Fortunately, easy to catch
  – Example: David Kernell, the Palin email “hacker”

Page 14

With This In Mind…

• What are attackers after?
  – Biggest thing: ease of entry - would you rather rob the locked house or the unlocked one?
    • Grayhats/whitehats can be an exception
  – Money
    • Two major classifications: direct and indirect
    – Direct: going after bank accounts, payment card numbers, etc.
    – Indirect: infecting machines for profit, personally-identifiable information (PII), information reselling
  – Disruption, though often not a primary motivator

Page 15

The Almighty Dollar

• If the goal is money, maintaining your presence in the victim’s machine is critical
  – They won’t advertise their presence
  – That said, stealth is expensive

• Target identification is easy: find someone who takes payments

• Large groups of people take payments the same way

Page 16

So Who Would You Target?

• Hacking banks is hard, and you are likely to get caught

• Hacking poor merchants is much easier – their security is often lousy

• You won’t get as many payment cards
  – A lot of merchants run similar software
  – Can blanket large groups of merchants

• Even if you only get a few dozen cards at a time, multiply that by a few hundred merchants

Page 17

Which Gets Back to Ease of Access

• How many merchants have *you* visited that have wireless access?

• How many have undefended terminals you could plug a USB drive in to?

• Plenty need reporting and such from home and other locations – holes often exist

• Just steal a piece of equipment from one!
  – Vendors often use lousy credentials for logins across more than one merchant

Page 18

Getting In

• Drive-by downloads are still the easiest
  – Porn and gambling sites are still king!
  – Rates of mutation of malware make it possible to stay ahead of antivirus

• Phishing/spear-phishing attacks

• Install the software yourself
  – Might require more manual effort
  – If you are exploiting a hole in common software (like a POS), it might be feasible

• OS exploits getting rare

Page 19

So How Does This Work?

• Often, the “base” malware is simply a gathering point for other malware: the “dropper”

• Calls out to external websites and other locations to pull down its friends that do the heavy lifting

• All malware can be highly polymorphic; two programs can do the same thing but have different signatures

Page 20

What Is Malware Doing These Days?

• A lot of similar things to what it always has

• Scanning for account and payment card numbers, both in files AND in memory!
  – Bad news for poorly-written software that doesn’t clean up after itself

• Exfiltrating this and other system data: web, email and FTP are three common routes

• Establish backchannel to gain access again
  – More likely to lead to detection, however
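The card-number scanning described above is the same pattern an investigator can run against a merchant's own files or a memory image to measure how much cardholder data is sitting in the clear. The script below is an added example, not code from the talk or from 403 Labs; `find_pans`, the sample buffer (built from public test card numbers) and the brand prefix table are constructed for illustration.

```python
"""Scan a byte buffer (a file or a memory dump) for candidate payment card
numbers (PANs), keeping only those that pass the Luhn mod-10 check. Added
example for this page, not a 403 Labs tool; all sample data is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, with no
# digit immediately before or after (so a 20-digit run is not a candidate).
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading-digit hints for a few brands; enough for triage, not authoritative.
BRANDS = (("4", "Visa"), ("34", "Amex"), ("37", "Amex"), ("51", "Mastercard"),
          ("52", "Mastercard"), ("53", "Mastercard"), ("54", "Mastercard"),
          ("55", "Mastercard"), ("6011", "Discover"))

# Constructed sample resembling a POS memory region: two valid test cards,
# an Amex test card, a 16-digit order id that fails Luhn and a mistyped PAN.
SAMPLE = (b"\x00\x00POS swipe buffer\x00Track2: 4111111111111111=1512\x00"
          b"log: card 5555 5555 5555 4444 approved\x00"
          b"order-id 1234567890123456 (not a card)\x00"
          b"amex 378282246310005\x00typo 4111111111111112\x00")

def luhn_ok(digits: str) -> bool:
    """True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits: str) -> str:
    for prefix, name in BRANDS:
        if digits.startswith(prefix):
            return name
    return "unknown"

def mask(digits: str) -> str:
    """PCI DSS style masking: first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(buf: bytes):
    """Return [(offset, masked_pan, brand)] for every Luhn-valid candidate."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits), brand_of(digits)))
    return hits
```

`find_pans(SAMPLE)` returns three masked hits with their byte offsets; the order id and the mistyped number are rejected by the Luhn check rather than by the regex.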

Page 21

The Good News

• A lot of malware these days stinks
  – Relies on large libraries and existing non-malware software like “grep”
  – Not at all stealthy
    • Not packed, no attempts to avoid detection in process lists, etc.
  – Easily reverse engineered to discover the destination of data and thus, provide a lead on who is involved

Page 22

Example of Exfiltration Locations

Page 23

The Bad News

• These guys are FAST
  – Websites, email addresses, etc. change constantly
  – Recompiled variants of malware stay ahead of antivirus signatures

• There are “point-and-click” toolkits for doing a lot of this

• Tons of “companies” willing to help
  – Some provide 24x7 support!

• Information is highly accessible

Page 24

Detection Methods

• Conventional preventative tools becoming less effective, particularly antivirus
  – Often no prior indication there was something wrong

• Currently, we in the security industry seem to be playing catch-up

• Traditional investigative techniques work to find the evidence
  – … but it’s becoming harder to figure out WHAT has occurred

Page 25

What Gets Left Behind

• “Unusual” executables
  – Still showing up in the usual places: C:\Windows and its subdirectories
  – Memory analysis often shows running services and executables

• Locating the files is most easily done using timeline analysis
  – Registry keys are also useful

• Clean-up of collected data seems to be quite good in many cases

Page 26

Case Study 1: Merchant Breach

• Merchant lost dozens of payment card numbers and was informed by customers before the banks found out

• Investigation revealed numerous custom malware installations not previously seen in the wild

• Reverse-engineering revealed that they were repackages of known functionality

• Watched for card numbers in files and memory

• Data exfiltrated to Poland via web and email

Page 27

Case Study 2: Merchant Breach

• Loss of payment card numbers reported by the card brands

• Investigation did not reveal malware, but did reveal poor infrastructure architecture

• Vendor maintaining the systems used a terrible login for administrative access (login name equal to password)

• Numerous remote access mechanisms

• Those credentials probably were in use on other systems at other merchants

Page 28

Case Study 3: Internal Corporate Attack

• Began with destruction of data on corporate servers; company could not determine how it was happening

• Engaged our company to get to the bottom of it
  – Initially, no clear path to access was found
  – Suggested the usual remediation measures

• Another attack occurred and left a few remnants behind

Page 29

Case Study 3: Internal Corporate Attack

• Developed custom tools to watch “dropper” location identified in the earlier attack

• After a few weeks, a new attack occurred
  – Copies made of all the malware that was used

• Reverse engineering showed an unusually high amount of knowledge about the company, such as file share mappings

• Likely that a present or former employee or contractor was involved

Page 30

Case Study 3: Internal Corporate Attack

• Next attack popped messages up on many user workstations and caused a fair amount of alarm:
  – “Can you say ‘Al Got Rhythm’ three times fast? A surprise is coming :)”

• Had information on the machine involved and knew it was transient

• Set up a trap to catch it popping on the network

Page 31

Case Study 3: Internal Corporate Attack

• Next attack (months later) got us a network drop – it was internal; FBI was called.

• FBI retrieved and obtained an image of the disk from the employee’s desk

• Employee was fired a few days later – caught with a CD containing source code for the malware used in attacks, as well as salary spreadsheets

• Pleaded guilty to a class F felony (became a State charge)

Page 32

Common Themes

• Access was trivial
  – Case 1: unclear, likely web browser
  – Case 2: weak accounts and remote access technology available
  – Case 3: deep knowledge of environment, easy to maintain persistent access

• Motivations were clear
  – Money for cases 1 and 2
  – “Axe to grind” for case 3

Page 33

More Themes

• Plenty of evidence left behind
  – Cases 1 and 3 required a good amount of effort to find it though

• Basic investigation techniques were effective
  – Timeline analysis, profiling, simple reverse engineering

• For payment card theft cases, definite evidence of carder groups that LEOs have expressed an interest in reviewing

Page 34

Summary

• Understanding motivations can help track down evidence

• Look for the usual evidence, but be prepared to spend extra effort decoding it

• Realize that the simple things like poor passwords and infrastructure are just as often to blame as malware

Page 35

Useful Tools

• IDA Pro
• PE Explorer
• RegRipper
• Memoryze
• EnCase/FTK
• Hex editors
• Excel (!)

Page 36

Questions?

Thank you!

Dave Russell
403 Labs

drussell[at]403labs[dot]com
(877) 403-LABS