Analysis of APT attacks (Análisis de ataques APT)

Transcript of the slides

Page 1

Analysis of APT attacks

Understanding targeted attacks

Saturday, February 4, 2012

Page 2

Who am I?

• Jaime Blasco

• AlienVault Labs Manager

Page 3

What are we talking about?

• A group of sophisticated, coordinated attackers with political, financial or military motivation.

• The intruders can use publicly known vulnerabilities, but they are also skilled and well funded enough to research and exploit new (zero-day) ones.

• The attacker is pursuing a mission, and the operation can extend over months.

Page 4

Agenda

• cat /dev/urandom

Page 5

Example: Kalachakra

• Lure document: Camp information at Bodhgaya.doc

• Exploits CVE-2010-3333 (RTF pFragments stack buffer overflow in Microsoft Word, MS10-087)

Page 6

Spear Phishing

Page 7

Shellcode

Staged XOR Loader

Page 8

Shellcode

• Resolves imports by hash rather than by name, so no API strings appear in the shellcode

• The hash is built with a rotate-right loop (ror ebx, 7); the rotation count is the detail to match when labelling the hash constants
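The hashing scheme on this slide, as an added example (not code from the talk): it reproduces the ror-7 hash the resolver computes over each export name and shows both sides of the technique, the run-time lookup the shellcode performs and the hash table an analyst precomputes to label the constants found in the disassembly. The initial hash value of 0, byte-for-byte hashing of the bare export name (no DLL name mixed in, no case folding) and the export list are assumptions of this example.

```python
"""ROR-based API hashing as used by shellcode import resolvers.
Added example; not the talk's code. Assumptions: hash starts at 0 and
each export name is hashed byte-for-byte as exported; the export table
below is a constructed stand-in for kernel32's export name table."""

MASK = 0xFFFFFFFF

def ror32(value: int, n: int) -> int:
    """x86 `ror` on a 32-bit register."""
    n %= 32
    return ((value >> n) | (value << (32 - n))) & MASK

def api_hash(name: str, rot: int = 7) -> int:
    """The `ror ebx, 7` / `add ebx, al` loop over the export name.
    rot=13 is the rotation used by Metasploit-style resolvers (which also
    fold in the module name), so one routine labels both families."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rot) + b) & MASK
    return h

# Constructed export name table (assumption: order and contents).
EXPORTS = ["CloseHandle", "CreateFileA", "GetProcAddress", "LoadLibraryA",
           "VirtualAlloc", "WriteFile", "ExitProcess"]

def resolve_by_hash(wanted: int, rot: int = 7):
    """What the shellcode does at run time: walk the export names, hash
    each one and stop at the first match; None if nothing matches."""
    for name in EXPORTS:
        if api_hash(name, rot) == wanted:
            return name
    return None

def hash_table(rot: int = 7) -> dict:
    """What the analyst does: precompute hash -> name so the 32-bit
    constants found in the shellcode can be renamed in the disassembler."""
    return {api_hash(name, rot): name for name in EXPORTS}

if __name__ == "__main__":
    for h, name in sorted(hash_table().items()):
        print(f"0x{h:08x}  {name}")
    print("resolves to:", resolve_by_hash(api_hash("LoadLibraryA")))
```

To match a sample whose loop rotates by a different count, change `rot`; the table for the wrong rotation will simply not contain the constants seen in the shellcode.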

Page 9

Shellcode

Page 10

Dropped EXE

Page 11

Dropped EXE

• Language of the compilation system: Chinese

• Dropped files:

• C:\Documents and Settings\Administrator\7240672406.dat

• C:\Documents and Settings\Administrator\temp.dat

• Marks its presence on the system:

Page 12

7240672406.dat

Page 13

Injection

Page 14

Obfuscation

Page 15

Injected Code

• User Mode Process Dumper

• WinDbg to the rescue:

Page 16

C&C Traffic

GET / HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
Connection: Keep-Alive

The beacon dresses itself up as a Windows Update check, but the Host header carries a path and query string (a Host value is only hostname[:port]), the User-Agent claims two MSIE versions at once, and the request is sent to the C&C server rather than to Microsoft.
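The request on this slide run through a small detector, as an added example that is not from the talk: it parses a raw HTTP request and flags the three anomalies an analyst would turn into a network signature, a Host header that is not a bare hostname, a User-Agent with more than one MSIE version, and an Accept-Language that does not match the victim's locale. The benign comparison request and the `victim_languages` parameter are constructed for this example.

```python
"""Heuristic detection for the spoofed Windows Update beacon on this slide.
Added example, not the talk's code. SAMPLE_BEACON is the request as shown
on the slide; SAMPLE_BENIGN and the victim locale are constructed."""
import re

SAMPLE_BEACON = (
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed: what a real IE7 Windows Update request looks like in shape.
SAMPLE_BENIGN = (
    "GET /windowsupdate/v7/default.aspx?ln=en-us HTTP/1.1\r\n"
    "Host: update.microsoft.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "Accept-Language: en-us\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Host is hostname[:port] only; anything else means the client is lying.
HOST_OK = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")

def parse_request(raw: str):
    """Split a raw request into (method, target, version, headers).
    Header names are lower-cased; only the head (before the blank line) is read."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def beacon_findings(raw: str, victim_languages=("en-us",)) -> list:
    """Return the list of anomalies found in one request (empty if none)."""
    _method, _target, _version, headers = parse_request(raw)
    findings = []
    if not HOST_OK.match(headers.get("host", "")):
        findings.append("host-header-not-a-hostname")
    if len(re.findall(r"MSIE \d", headers.get("user-agent", ""))) > 1:
        findings.append("user-agent-multiple-msie-versions")
    lang = headers.get("accept-language")
    if lang is not None and lang.lower() not in victim_languages:
        findings.append("accept-language-mismatch")
    return findings

if __name__ == "__main__":
    print("beacon:", beacon_findings(SAMPLE_BEACON))
    print("benign:", beacon_findings(SAMPLE_BENIGN))
```

The Host check is the strongest of the three: a browser never puts a path into Host, so a single match is enough to alert on, whereas the locale check needs tuning per environment.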

Page 17

kalachakra32.doc

Page 18

Dropped EXE

• Created Files:

• Antivirus engines listed on the slide: AhnLab-V3, DrWeb, Jiangmin

Page 19

Embedded Resource

Page 20

Debug Info

Debug strings left in the binary (source file, function, line number, message) give away the installer flow, the service name and the C&C host and port:

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConfigDataSize = [40]

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!

.\install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!

.\install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]

.\install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!

.\install.cpp-InstallSrvPlugin-295: StartServiceEx!

.\SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]

.\SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread

.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]

.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]

Page 21

Create Service

Sandbox API log record of the service installation (the call was logged as a FAILURE in this run):

"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START","lpBinaryPathName->C:\WINDOWS\system32\rundll32.exe "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll",ServiceEntry"

dwServiceType 0x110 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, and the service binary is rundll32.exe loading the dropped 5a1bcffe.dll and calling its ServiceEntry export, with auto start for persistence.

Page 22

AV Aware

• Check for kisknl.sys (Kingsoft Antivirus)

• Look for KSafeTray.exe and disable it: OpenThread -> SuspendThread

• Check for TmComm.sys (Trend Micro)

• Check for HookPort.sys (Qihoo 360)

• Depending on which AV is present, install the service through the native API or through the following method:

• FindWindowA("CabinetWClass", WindowName);

• FindWindowExA(v15, 0, "WorkerW", 0); (v15 is the decompiler's name for the CabinetWClass handle)

• SendMessageA, RegOpenKeyExA, SYSTEM\\CurrentControlSet\\Services\\

Page 23

WTF!

Page 24

Real World

Page 25

Sykipot

Page 26

Exploits

Page 27

Samples

Page 28

Features

Page 29

C&C Servers

Page 30

Certificate Access

Page 31

Smartcard Access

Page 32

OpenIOC

• Indicators of Compromise

• XML format to describe:

• File attributes

• Registry entries

• Process attributes

• Network attributes

• ...

• http://openioc.org/
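An OpenIOC document built from the indicators on the earlier Kalachakra slides (the dropped 7240672406.dat, the 5a1bcffe service started through rundll32 from the Triedit directory, and the 218.106.193.184:81 C&C endpoint), together with an evaluator that applies the nested AND/OR logic to a host snapshot. This is an added example, not AlienVault's or Mandiant's tooling; the search terms follow OpenIOC 1.0 naming, and the snapshot layout (a dict of term to observed values that a collector would fill in) and both snapshots are constructed assumptions.

```python
"""OpenIOC 1.0 document for the Kalachakra indicators plus a matcher.
Added example, not the talk's code. Assumptions: OpenIOC 1.0 term names,
and a host snapshot shaped as {search_term: [observed values]}."""
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)  # serialise with a default xmlns like real IOC files

def _q(tag: str) -> str:
    return f"{{{NS}}}{tag}"

def _item(parent, document, search, content, condition="is"):
    """One IndicatorItem: <Context> names the artefact, <Content> the value."""
    item = ET.SubElement(parent, _q("IndicatorItem"),
                         id=str(uuid.uuid4()), condition=condition)
    ET.SubElement(item, _q("Context"), document=document, search=search, type="mir")
    ET.SubElement(item, _q("Content"), type="string").text = content
    return item

def build_ioc() -> str:
    """OR of three branches: dropped file, rundll32 service (name AND
    path), and C&C endpoint (IP AND port). Requiring both halves of each
    AND keeps a reused service name or a shared IP from alerting alone."""
    ioc = ET.Element(_q("ioc"), id=str(uuid.uuid4()),
                     last_modified="2012-02-04T00:00:00")
    ET.SubElement(ioc, _q("short_description")).text = "Kalachakra dropper / SrvPlugin service"
    top = ET.SubElement(ET.SubElement(ioc, _q("definition")), _q("Indicator"),
                        operator="OR", id=str(uuid.uuid4()))
    _item(top, "FileItem", "FileItem/FileName", "7240672406.dat")
    svc = ET.SubElement(top, _q("Indicator"), operator="AND", id=str(uuid.uuid4()))
    _item(svc, "ServiceItem", "ServiceItem/name", "5a1bcffe")
    _item(svc, "ServiceItem", "ServiceItem/path", "Triedit\\5a1bcffe.dll", "contains")
    net = ET.SubElement(top, _q("Indicator"), operator="AND", id=str(uuid.uuid4()))
    _item(net, "PortItem", "PortItem/remoteIP", "218.106.193.184")
    _item(net, "PortItem", "PortItem/remotePort", "81")
    return ET.tostring(ioc, encoding="unicode")

def _match(item, snapshot) -> bool:
    search = item.find(_q("Context")).get("search")
    wanted = item.find(_q("Content")).text
    observed = snapshot.get(search, [])
    cond = item.get("condition")
    if cond == "is":
        return any(v == wanted for v in observed)
    if cond == "contains":
        return any(wanted in v for v in observed)
    raise ValueError(f"unsupported condition: {cond}")

def _evaluate(indicator, snapshot) -> bool:
    """Recursive AND/OR over child Indicators and IndicatorItems."""
    results = []
    for child in indicator:
        if child.tag == _q("IndicatorItem"):
            results.append(_match(child, snapshot))
        elif child.tag == _q("Indicator"):
            results.append(_evaluate(child, snapshot))
    return any(results) if indicator.get("operator") == "OR" else all(results)

def scan(ioc_xml: str, snapshot: dict) -> bool:
    """True if the host snapshot satisfies the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    return _evaluate(root.find(f"{_q('definition')}/{_q('Indicator')}"), snapshot)

# Constructed host snapshots (not real collector output).
INFECTED = {
    "FileItem/FileName": ["temp.dat", "notepad.exe"],
    "ServiceItem/name": ["Dhcp", "5a1bcffe"],
    "ServiceItem/path": [
        r"C:\WINDOWS\system32\svchost.exe -k NetworkService",
        r'C:\WINDOWS\system32\rundll32.exe "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll",ServiceEntry',
    ],
    "PortItem/remoteIP": ["10.0.0.5"],
    "PortItem/remotePort": ["445"],
}
CLEAN = {
    "FileItem/FileName": ["temp.dat", "notepad.exe"],
    "ServiceItem/name": ["Dhcp", "5a1bcffe"],  # same name, different binary
    "ServiceItem/path": [r"C:\WINDOWS\system32\svchost.exe -k NetworkService"],
    "PortItem/remoteIP": ["218.106.193.184"],  # the IP alone is not enough
    "PortItem/remotePort": ["443"],
}

if __name__ == "__main__":
    ioc = build_ioc()
    print(ioc)
    print("infected:", scan(ioc, INFECTED), " clean:", scan(ioc, CLEAN))
```

The evaluator only implements the `is` and `contains` conditions that this IOC uses; a production matcher needs the rest of the OpenIOC condition set and case-insensitive matching for Windows paths.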

Page 33

Example

Page 34

Example

Page 35

Thank you

• Follow me on Twitter: jaimeblascob
