Advanced Persistent Threats and Chip Level Security

Posted 19-Oct-2014 (category: Technology)

Description: Dave Marcus, Director of Security Research and Communications, McAfee

Transcript of Advanced Persistent Threats and Chip Level Security

Page 1: Advanced Persistent Threats and Chip Level Security

DIRECTOR OF SECURITY RESEARCH AND COMMUNICATIONS, MCAFEE

DAVE MARCUS

Page 2

Demystifying the Mighty APT

Dave Marcus

Director, Advanced Research and Threat Intelligence

McAfee Labs

Page 3

Agenda

• A Brief History

• Spot The APT

• Rootkits and Stealth

• A New Methodology

Page 4

Historic Stages of Cyber Attacks

(Timeline chart; stages: for fun or activism, for profit, for espionage; tick marks: mid-1980s, 2003, 2005, today)

Page 5

A Loose Classification of Attackers

(Chart with Threat Sophistication on one axis and Capability for Damage on the other)

• Cybercriminals

• Hacktivists/Terrorists

• Cyberespionage

• Nation-State Coordinated Kinetic/Cyber Operations

Page 6

But which one is an APT??

Page 7

Is it an APT or is it “just” good malware?

Page 8

What does malware ACTUALLY do?

Activities (risk levels)

• Attempts to write to a memory location of a Windows system process

• Attempts to write to a memory location where winlogon resides

• Attempts to load and execute remote code in a previously loaded process

• Attempts to write to a memory location of a previously loaded process

• Adds or modifies the winlogon Userinit registry value (could be used to launch a program on startup)

• Modifies winlogon configuration settings in the registry

• Enumerates the process list

• No digital signature is present

The following files were analyzed: B025A4E813.ex

The following files have been added to the system:

• %WINDIR%\SYSTEM32\twain32\user.ds

• %WINDIR%\SYSTEM32\twain32\local.ds

• %WINDIR%\SYSTEM32\twex.exe

The following registry elements have been changed:

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT = %WINDIR%\SYSTEM32\userinit.exe,%WINDIR%\SYSTEM32\twex.exe

File Properties (property: value)

McAfee Detection: PWS-Zbot.gen.i

Length: 70144 bytes

MD5: b025a4e81336caedcccdec336811f461

SHA1: 772e79026bef86044e308d290d4d4fdf1167091c
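The registry change in that report is the persistence mechanism: Winlogon runs every program listed in the Userinit value at logon, so appending twex.exe after the default userinit.exe entry relaunches the bot with every session. The C program below is an added example, not code from the deck or from McAfee, showing how an endpoint check can audit that value: it splits the REG_SZ on commas, accepts only userinit.exe from a system32 directory as the default, and reports everything else. The sample values are constructed from the slide; reading the live value (RegQueryValueEx on the Winlogon key) is left out so the check runs anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ENTRY 260       /* MAX_PATH-sized buffer for one Userinit entry */
#define MAX_EXTRA 4

typedef struct {
    int  default_present;             /* genuine system32\userinit.exe seen? */
    int  extra_count;                 /* entries that are not that default */
    char extra[MAX_EXTRA][MAX_ENTRY]; /* the first MAX_EXTRA of them */
} userinit_report;

/* Case-insensitive string equality; registry paths are case-insensitive. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* The only entry Windows itself puts in Userinit is userinit.exe from the
 * system32 directory, written expanded or via %WINDIR%. Anything else,
 * including a userinit.exe from another directory, is not the default. */
static int is_default_userinit(const char *entry)
{
    static const char sys32[] = "system32";
    const size_t n = sizeof sys32 - 1;
    const char *slash = strrchr(entry, '\\');
    size_t dirlen, i;

    if (!slash || !str_ieq(slash + 1, "userinit.exe"))
        return 0;
    dirlen = (size_t)(slash - entry);             /* length of "...\SYSTEM32" */
    if (dirlen < n + 1 || entry[dirlen - n - 1] != '\\')
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)entry[dirlen - n + i]) != sys32[i])
            return 0;
    return 1;
}

/* Split the REG_SZ value on commas (Windows tolerates a trailing comma and
 * surrounding blanks) and classify every entry. */
void audit_userinit(const char *value, userinit_report *r)
{
    const char *p = value;
    memset(r, 0, sizeof *r);
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const char *s = p;
        while (len && (*s == ' ' || *s == '\t')) { s++; len--; }
        while (len && (s[len - 1] == ' ' || s[len - 1] == '\t')) len--;
        if (len && len < MAX_ENTRY) {
            char entry[MAX_ENTRY];
            memcpy(entry, s, len);
            entry[len] = '\0';
            if (is_default_userinit(entry)) {
                r->default_present = 1;
            } else {
                if (r->extra_count < MAX_EXTRA)
                    strcpy(r->extra[r->extra_count], entry);
                r->extra_count++;
            }
        }
        if (!comma)
            break;
        p = comma + 1;
    }
}

/* One-question wrappers for callers (and tests). */
int userinit_extra_count(const char *value)
{ userinit_report r; audit_userinit(value, &r); return r.extra_count; }
int userinit_default_present(const char *value)
{ userinit_report r; audit_userinit(value, &r); return r.default_present; }
const char *userinit_first_extra(const char *value)
{ static userinit_report r; audit_userinit(value, &r); return r.extra_count ? r.extra[0] : ""; }

/* Constructed samples: the value from the slide's Zbot report, a clean
 * Windows 7 default (note the trailing comma), and a full replacement. */
static const char *const SAMPLES[] = {
    "%WINDIR%\\SYSTEM32\\userinit.exe,%WINDIR%\\SYSTEM32\\twex.exe",
    "C:\\Windows\\system32\\userinit.exe,",
    "C:\\Users\\Public\\userinit.exe",
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        userinit_report r;
        int k;
        audit_userinit(SAMPLES[i], &r);
        printf("%s\n  default present: %d, extra entries: %d\n",
               SAMPLES[i], r.default_present, r.extra_count);
        for (k = 0; k < r.extra_count && k < MAX_EXTRA; k++)
            printf("  SUSPICIOUS: %s\n", r.extra[k]);
    }
    return 0;
}
```

A missing default (the third sample) is as interesting as an extra entry: a bot that replaces userinit.exe outright and chains to the real one gets the same logon foothold, so the check reports both conditions separately.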

Page 9

Why malware works…

(Stack diagram: CPU, BIOS, Virtual Machine, Operating System with AV and HIPS, Applications/RDBMS; device layer: I/O, Memory, Disk, Network, Display)

• Traditional attacks, and defenses, focused primarily on the application layer

• Infect the OS with malware, resulting in threats hidden from security products

• Attack and disable security products, and hence all protection

• Compromise the virtual machine, and hence all guest machines within it

• Rogue peripherals and firmware bypassing all other security measures

• "Ultimate malware": compromise devices below the OS, either before or after shipment

Page 10

Zeus/SpyEye Pre-Execution

Casper: blocks IPs from known malicious senders.

CVE-2008-2992: Adobe Reader 8.1.2 and earlier, input validation issue in a JavaScript method that could potentially lead to remote code execution.

Page 11

Zeus/SpyEye Post-Execution

Page 12

"APT" Pre-Execution

Casper: blocks IPs from known malicious senders.

• IP/URL filtering blocks access to the exploit URL. More likely to block in this case, as this page hosts the actual malware code.

• Legacy AV has limited capability to detect some of the most obfuscated URLs; typically not detected with AV.

• IP/URL filtering is known to block access to some "infected" URLs. For example, a forum may be clean, and the post itself may be OK, but a link or a shortened URL may point to the actually bad site. Likely thousands of posts to blogs, etc.

• Legacy AV is more and more challenged by the inherent limitations of the "known threat detection" model.

Page 13

"APT" Post-Execution

• Common yet effective evasion techniques to maintain persistence

• Common self-preservation techniques, oftentimes using multiple techniques together

• New processes need to be monitored

• Need for IP/URL monitoring

• Need for monitoring of malicious processes and their behaviors

Page 14

I Can Has Rootkit?

Page 15

Subversion and Rootkit Techniques

(Diagram split into kernel memory and user memory)

Kernel-mode families shown: TDSS, Spam-Mailbot (aka Rustock), Apropos, Bombat

Kernel-mode hook points, each redirected with a jmp into "rootkit.sys":

• SysEnter/Int2E (MSR)

• Index of IDT

• Index of IRP table of a device driver

• Index of SSDT in ntoskrnl.exe

• Exported function (NtQuerySystemInfo) of a legitimate device driver

User-mode example: Hacker Defender inline hook of FindNextFile

Process (before hook): the code section calls FindNextFile through the import data section; the import entry FindNextFile: 0x12345678 points at the FindNextFile code in Kernel32.dll.

Process (after hook): the first five bytes of the FindNextFile code at 0x12345678 are replaced with jmp 0x70034622, so every call lands in the rootkit's MyFindNextFile at 0x70034622.
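Hacker Defender's user-mode hook above is the classic inline detour: the first five bytes of FindNextFile are overwritten with a relative jmp, and the scanner's job is to notice that the function no longer begins where the module says it does. Below is an added C example, not from the deck or from McAfee (the 0x12345678 and 0x70034622 addresses are the slide's; the kernel32.dll address range and the clean prologue bytes are assumed), that first encodes such a jmp the way the rootkit does and then plays the scanner: it decodes the first instruction of a 32-bit function, follows jmp rel32, jmp rel8, push/ret and jmp [mem] redirections, flags any that leave the owning module, and compares the in-memory prologue with the bytes expected from disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    int         hooked;   /* 1: the first instruction leaves the owning module */
    uint32_t    target;   /* decoded destination (0 if the prologue is ordinary) */
    const char *kind;     /* what was seen */
} prologue_verdict;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What an inline-hooking rootkit writes: "jmp to" at address "from"
 * (E9 + rel32, rel32 measured from the end of the 5-byte instruction). */
void make_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel = to - (from + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;         out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16); out[4] = (uint8_t)(rel >> 24);
}

/* Decode the first instruction of a 32-bit function at func_va and decide
 * whether it transfers control outside [module_lo, module_hi), the range of
 * the module that legitimately owns the function. */
prologue_verdict check_prologue(uint32_t func_va, const uint8_t *code, size_t len,
                                uint32_t module_lo, uint32_t module_hi)
{
    prologue_verdict v = { 0, 0, "ordinary prologue" };
    int redirect = 0;

    if (len >= 5 && code[0] == 0xE9) {                           /* jmp rel32 */
        v.target = func_va + 5 + rd32(code + 1);
        v.kind = "jmp rel32"; redirect = 1;
    } else if (len >= 2 && code[0] == 0xEB) {                    /* jmp rel8 */
        v.target = func_va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
        v.kind = "jmp rel8"; redirect = 1;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        v.target = rd32(code + 1);
        v.kind = "push/ret"; redirect = 1;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* jmp [disp32] */
        v.target = rd32(code + 2);                               /* address of the pointer */
        v.kind = "jmp [mem]"; redirect = 1;
    }
    if (redirect) {
        int inside = v.target >= module_lo && v.target < module_hi;
        v.hooked = !inside;
        if (inside)
            v.kind = "in-module jump (tail call or hotpatch stub, not a hook)";
    }
    return v;
}

/* The "detect detour" check: compare the in-memory prologue with the bytes
 * from the file on disk (after relocations). Returns 1 on mismatch. */
int prologue_differs(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    return memcmp(mem, disk, n) != 0;
}

/* Constructed data. Addresses are the slide's: FindNextFile at 0x12345678 in
 * kernel32.dll, rootkit code at 0x70034622. The kernel32 range is assumed. */
#define FINDNEXTFILE_VA 0x12345678u
#define ROOTKIT_VA      0x70034622u
#define KERNEL32_LO     0x12340000u
#define KERNEL32_HI     0x12400000u
static const uint8_t CLEAN_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t PUSHRET_HOOK[6]   = { 0x68, 0x22, 0x46, 0x03, 0x70, 0xC3 }; /* push 0x70034622; ret */
static const uint8_t INMODULE_JMP[5]   = { 0xE9, 0x00, 0x01, 0x00, 0x00 };       /* jmp +0x100 */

/* Overwrite the first five bytes the way the slide describes; return them. */
const uint8_t *install_slide_hook(void)
{
    static uint8_t hooked[5];
    make_jmp_rel32(FINDNEXTFILE_VA, ROOTKIT_VA, hooked);
    return hooked;
}

static void report(const char *name, prologue_verdict v)
{
    printf("%-14s %-55s target 0x%08x %s\n", name, v.kind, v.target,
           v.hooked ? "[HOOKED]" : "");
}

int main(void)
{
    report("clean",         check_prologue(FINDNEXTFILE_VA, CLEAN_PROLOGUE, 5, KERNEL32_LO, KERNEL32_HI));
    report("jmp hook",      check_prologue(FINDNEXTFILE_VA, install_slide_hook(), 5, KERNEL32_LO, KERNEL32_HI));
    report("push/ret hook", check_prologue(FINDNEXTFILE_VA, PUSHRET_HOOK, 6, KERNEL32_LO, KERNEL32_HI));
    report("in-module jmp", check_prologue(FINDNEXTFILE_VA, INMODULE_JMP, 5, KERNEL32_LO, KERNEL32_HI));
    printf("memory differs from disk: %d\n",
           prologue_differs(install_slide_hook(), CLEAN_PROLOGUE, 5));
    return 0;
}
```

The in-module case matters in practice: Windows system DLLs begin many exports with a two-byte mov edi,edi so that hotpatching can plant a short jmp there, and compilers emit tail-call jumps, so "first instruction is a jmp" alone is not evidence; "first instruction leaves the module" or "bytes differ from disk" is.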

Page 16

Host-Based kernel rootkit detection strategy

(Diagram split into kernel memory and user memory)

• Traditional AV initiates rootkit scanning; code is sent to the scanner for scanning

• Kernel module of VirusScan: detect detours

• Hook points inspected: SysEnter/Int2E (MSR), index of IDT, index of IRP table of a device driver, index of SSDT in ntoskrnl.exe, exported function (NtQuerySystemInfo) of a legitimate device driver, each with its jmp into "rootkit.sys" (Rootkit.sys)

• Families shown: TDSS, Spam-Mailbot (aka Rustock), Apropos, Bombat

Page 17

A New Methodology

Page 18

Moving Beyond The Operating System with Silicon

Technology by McAfee and Intel

Industry’s First Hardware Assisted Security Platform

New Vantage Point on Security—Operates Beyond the OS

Technology Foundation to Deliver Future Products

Page 19

Deep Defender - Stopping a Stealthy Rootkit

(Boot-order diagram labels: Intel i3/i5/i7 CPU (BIOS VT-x enabled); OS Loader; DeepSAFE Loader/Agent; OS Initialization with boot drivers, a rootkit driver, an AV driver and other drivers; Services and Applications with the Deep Defender agent and applications)

DeepSAFE Loaded Beyond the OS: McAfee DeepSAFE loads between the CPU and the OS loader, before the boot drivers, so a rootkit driver that loads later is seen from underneath.

• Real-time kernel-level monitor of memory

• Identifies kernel-mode rootkits in real time

• Prevents the drivers from loading

• DeepSAFE Technology loads before the OS

• DeepSAFE technology informs Deep Defender of suspicious behavior

Page 20

Silicon-enabled kernel rootkit prevention strategy

(Diagram: Intel CPU at the bottom, the VT-x layer above it, then the operating system's kernel memory and user memory; one scan path is labelled Optional)

• Kernel module of Deep Defender, in the VT-x layer: initiate memory monitoring and protection; detect other kernel anomalies

• Traditional AV, kernel module of VirusScan: initiate on-demand rootkit scanning; code is sent to the scanner for scanning

• Hook points protected: SysEnter/Int2E (MSR), index of IDT, index of IRP table of a device driver, index of SSDT in ntoskrnl.exe, exported function (NtQuerySystemInfo) of a legitimate device driver, each with its jmp into "rootkit.sys" (Rootkit.sys)

• Families shown: TDSS, Rustock, Apropos, Bombat

Page 21

Deep Defender Architecture In-Depth

(Architecture diagram, bottom to top)

McAfee DeepSAFE Hardware: CPU (with VT-x), Chipset, Firmware

McAfee DeepSAFE (ring 0p, vmx-root): VM Framework, VMExit Handler, DeepSAFE API; traps Register Access, Memory Access and Privileged Instructions

Operating System (vmx-non-root):

• Drivers (ring 0d)

• DeepSAFE Agent (ring 0d), with the DeepSAFE API Lib

• Applications (ring 3)

• Deep Defender/Casper (ring 3): Event Monitoring and Event Blocking

Management and cloud: Update Servers, GTI Cloud Servers, ePolicy Orchestrator

Page 22

Deep Defender Protection Tiers

Top 20 prevalent families targeted for remediation (initial top 20; new families added over time):

1. Adware-BDSearch
2. Backdoor-AWQ
3. TDSS
4. Almanahe
5. Generic rootkit.d
6. Backdoor-DoQ
7. Generic Backdoor.u
8. Spy-Agent.bw
9. Backdoor-CKB
10. LDPINCH
11. StealthMBR.c
12. Puper
13. Lando
14. Spam-Mailbot.l (Slenfbot)
15. Hidden Process.a
16. PigSearch
17. Generic rootkit.g
18. Generic rootkit.ec
19. W32/Routrobot.worm
20. DNSChanger

Enhanced Self/System Protection

• DeepSAFE is first to load

• Driver self-protection

Protection areas

• Kernel_IDT, Kernel_SSDT

• Kernel_SysEnter

• Kernel_DKOM

• Kernel_inline

• Kernel_IAT, Kernel_EAT

• Kernel_DispRoutine

• Kernel_IRP

• + additional areas specified by content

Additional Event Tracking

• Driver Install Watch

8 April, 2011
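The vmx-root layer of the two slides above (Register Access, Memory Access and Privileged Instruction Trapping; protection areas Kernel_IDT, Kernel_SSDT, Kernel_SysEnter, Kernel_inline) comes down to a policy evaluated in the VMExit handler: the hypervisor write-protects the guest pages holding the IDT, the SSDT and the kernel's code, and makes WRMSR to the syscall-entry MSRs exit, then decides per exit whether to let the write through. The C below is an added example of such a policy, not DeepSAFE code or its API: it models those two exit kinds and returns ALLOW or BLOCK with a reason. The address ranges, the MSR-bitmap and EPT setup it presumes, and the "only ntoskrnl may maintain its own tables" rule are assumptions for illustration; a real agent learns the layout from the guest at boot (IDTR, the ntoskrnl image range and KeServiceDescriptorTable).

```c
#include <stdint.h>
#include <stdio.h>

/* Two kinds of VM exit the monitor cares about: a write that hits a page the
 * hypervisor write-protected (EPT violation) and a WRMSR that the MSR bitmap
 * makes exit. Assumed shape; a real handler reads these from the VMCS. */
typedef enum { EV_MEM_WRITE, EV_WRMSR } ev_type;

typedef struct {
    ev_type  type;
    uint64_t addr;    /* EV_MEM_WRITE: first byte written */
    uint64_t len;     /* EV_MEM_WRITE: bytes written */
    uint32_t msr;     /* EV_WRMSR: MSR index */
    uint64_t value;   /* EV_WRMSR: new value */
    uint64_t rip;     /* guest instruction that caused the exit */
} vmexit_event;

typedef enum { ALLOW = 0, BLOCK = 1 } verdict;

typedef struct { const char *name; uint64_t lo, hi; } region;

/* Constructed layout for the example (32-bit Windows 7 style addresses). */
static const region NTOSKRNL_TEXT = { "ntoskrnl.exe .text", 0x82800000, 0x82a00000 };
static const region PROTECTED[] = {
    { "Kernel_IDT",    0x80b95400, 0x80b95c00 },   /* 256 gates x 8 bytes */
    { "Kernel_SSDT",   0x82930000, 0x82930800 },   /* service table */
    { "Kernel_inline", 0x82800000, 0x82a00000 },   /* the kernel's own code */
};
#define IA32_SYSENTER_EIP 0x176u        /* 32-bit fast-syscall entry point */
#define IA32_LSTAR        0xC0000082u   /* 64-bit SYSCALL entry point */

static int overlaps(const region *r, uint64_t lo, uint64_t hi)
{
    return lo < r->hi && hi > r->lo;
}

/* Policy evaluated in vmx-root for each exit; reason receives a short label. */
verdict vmexit_policy(const vmexit_event *e, const char **reason)
{
    size_t i;
    switch (e->type) {
    case EV_WRMSR:
        if (e->msr == IA32_SYSENTER_EIP || e->msr == IA32_LSTAR) {
            if (overlaps(&NTOSKRNL_TEXT, e->value, e->value + 1)) {
                *reason = "Kernel_SysEnter: entry point stays inside ntoskrnl";
                return ALLOW;
            }
            *reason = "Kernel_SysEnter: syscall entry redirected outside ntoskrnl";
            return BLOCK;
        }
        *reason = "MSR not monitored";
        return ALLOW;
    case EV_MEM_WRITE:
        for (i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++) {
            if (!overlaps(&PROTECTED[i], e->addr, e->addr + e->len))
                continue;
            /* The kernel maintaining its own tables is allowed; a third-party
             * driver (or anything else) writing them is not. */
            *reason = PROTECTED[i].name;
            return overlaps(&NTOSKRNL_TEXT, e->rip, e->rip + 1) ? ALLOW : BLOCK;
        }
        *reason = "unprotected memory";
        return ALLOW;
    }
    *reason = "unknown exit";
    return BLOCK;
}

/* One-question wrappers (also what the tests call). */
verdict check_msr_write(uint32_t msr, uint64_t value, uint64_t rip)
{
    vmexit_event e = { EV_WRMSR, 0, 0, msr, value, rip };
    const char *why;
    return vmexit_policy(&e, &why);
}
verdict check_mem_write(uint64_t addr, uint64_t len, uint64_t rip)
{
    vmexit_event e = { EV_MEM_WRITE, addr, len, 0, 0, rip };
    const char *why;
    return vmexit_policy(&e, &why);
}

int main(void)
{
    /* Constructed exits: a TDSS-style sysenter redirect, the same MSR set by the
     * kernel, an SSDT patch from a third-party driver at 0x9a001200, the same
     * write issued from ntoskrnl, and a write to memory nobody protects. */
    const vmexit_event exits[] = {
        { EV_WRMSR,     0, 0, IA32_SYSENTER_EIP, 0x9a001000, 0x9a001200 },
        { EV_WRMSR,     0, 0, IA32_SYSENTER_EIP, 0x82851230, 0x82810000 },
        { EV_MEM_WRITE, 0x82930040, 4, 0, 0, 0x9a001200 },
        { EV_MEM_WRITE, 0x82930040, 4, 0, 0, 0x82810000 },
        { EV_MEM_WRITE, 0x90000000, 4, 0, 0, 0x9a001200 },
    };
    size_t i;
    for (i = 0; i < sizeof exits / sizeof exits[0]; i++) {
        const char *why;
        verdict v = vmexit_policy(&exits[i], &why);
        printf("exit %u from rip 0x%llx: %s (%s)\n", (unsigned)i,
               (unsigned long long)exits[i].rip, v == BLOCK ? "BLOCK" : "ALLOW", why);
    }
    return 0;
}
```

The allow rule keyed on the faulting RIP is the weak spot a practitioner should notice: a rootkit that reaches the protected table through a kernel helper (memmove exported by ntoskrnl, or a DMA-capable device) has a RIP inside ntoskrnl, so a shipping monitor pairs this with per-region rules (the SSDT is never written after boot at all) and with the driver-install tracking the slide lists rather than trusting the return address alone.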

Page 23

Deep Defender Details

• Supported Intel chipsets: Intel® Core™ i3, i5, i7 processors; utilizes Intel Virtualization Technology (VT)

• Supports Windows 7, 32 & 64 bit

• Managed by ePO 4.5 and 4.6

• Supports VSE 8.7 and 8.8

• Integrates with McAfee's GTI cloud

• Available Q1 2012

Page 24