Malware Attribution ROUGH DRAFT OUTLINE

Evolution of Cybercrime Dominant criminal problem globally Russians make more money per year than Columbians Chinese are crawling all over DoD networks A malware-industry has emerged The largest distributed software system in the world is Conficker, with 600 million nodesNEED CORRECT STATS Current models for defense are not working

Payment system developer $500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $100.00 per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

Intelligence Spectrum Blacklists Developer Fingerprints Social Cyberspace DIGINT Physical Surveillance HUMINT  Nearly Useless Nearly Impossible  SSN & Missile Coordinates of the Attacker MD5 Checksum of a single malware sample Sweet Spot IDS signatures with long-term viability Predict the attacker’s next moves

Humans Attribution is about the human behind the malware, not the specific malware variants Focus must be on human-influenced factors Move this way   Binary Human  We must move our aperture of visibility towards the human behind the malware

Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years Blacklists ATTRIBUTION-Derived Developer Toolmarks Signatures Algorithms NIDS sans address Hooks Protocol Install DNS name IP Address Checksums

Rule #1 The human is lazy The use kits and systems to change checksums, hide from A/V, and get around IDS They DON’T rewrite their code every morning

Rule #2 Most attackers are focused on rapid reaction to network-level filtering and black-holes Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic They are not-so-focused on host level stealth Most malware is simple in nature, and works great Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

Rule #3 Physical memory is King Once executing in memory, code has to be revealed, data has to be decrypted

Attribution is Not Hard If you can read a packet sniffer, you can attribute malware Yes, this means more people in your organization can do this Focus on strings and human-readable data within a malware program In most cases, code-level reverse engineering is not required

The Flow of Forensic Toolmarks Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

Developer Fingerprints Communications Functions Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques

Toolkit Fingerprints Machine PPI Affiliate Packed Malware Toolkit

Core ‘Backbone’ Sourcecode Paths Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

Example: Gh0stNet

NOTE: Packing is not fully effective here GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Packer Signature MZx90 This progRy. y cannot be run in DOS mode Embedded executable NOTE: Packing is not fully effective here

GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Resource Culture Code 0x0804 MZx90 The embedded executable is tagged with Chinese PRC Culture code This progRy. y cannot be run in DOS mode

GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive. 0x0804 MZx90 MZx90 This program cannot be run in DOS mode This progRy. y cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb Embedded PDB Path

For Immediate Defense…  Useless Human  MD5 of the Gh0stNet dropper.EXE Query: “Find Attacker’s PDB Path” PDB Path found within extracted EXE RawVolume.File.BinaryData contains “gh0st\”

GhostNet: Backdoor The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver. UPX! MZx90 MZx90 This program cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb MZx90 MZx90 e:\gh0st\server\sys\i386\RESSDT.pdb Another embedded EXE Another PDB path

Our defense… Query: “Find Attacker’s PDB Path” RawVolume.File.BinaryData contains “gh0st\” Even if we had not known about the second executable, our defense would have worked. This is how moving towards the human offers predicative capability.

GhostNet: Embedded Drivers i386 directory is common to device drivers. Other clues: sys directory ‘SSDT’ in the name Also, embedded strings in the binary are known driver calls: IoXXXX family KeServiceDescriptorTable ProbeForXXXX

Core ‘Backbone’ Sourcecode Timestamps Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

PE Timestamps The ‘lmv’ command in WinDBG will show this value.. PE file Module timestamp* time_t (32 bit) The ‘lmv’ command in WinDBG will show this value.. Debug timestamp time_t (32 bit) This is present if an external PDB file is associated with the EXE *This is not the same as NTFS file times, which are 64 bit and stored in the NTFS file structures.

Timestamp Formats time_t – 32 bit, seconds since Jan. 1 1970 UTC 0x3DE03E0A  usually start with ‘3’ or ‘4’ ‘3’ started in 1995 and ‘4’ ends in 2012 Use ‘ctime’ function to convert FILETIME – 64 bit, 100-nanosecond intervals since Jan. 1 1600 UTC 0x01C195C2.5100E190  usually start with ‘01’ and a letter 01A began in 1972 and 01F ends in 2057 Use FileTimeToSystemTime(), GetDateFormat(), and GetTimeFormat() to convert

Core ‘Backbone’ Sourcecode Compiler Version Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

Visual Studio Static or dynamic linked runtime library? Single-threaded or multi-threaded? Use of STL? Use of older iostream libraries?* See: * support.microsoft.com/kb/154753

Visual Studio – Static Linking Version Libraries linked with Type Compiler flag VC++ .NET 2003 and earlier LIBC.LIB, LIBCP.LIB Single Threaded Static /ML LIBCD.LIB, LIBCPD.LIB /MLd All LIBCMT.LIB, LIBCPMT.LIB Multi-threaded Static /MT LIBCMTD.LIB, LIBCPMTD.LIB /MTd Visual Studio – Dynamic Linking Version DLL Linked with VC++ 4.2 MSVCRT.DLL/MSVCRTD.DLL VC++ 5.0 MSVCR50.DLL VC++ 6.0 MSVCR60.DLL VC++ .NET 2002 MSVCR70.DLL VC++ .NET 2003 MSVCR71.DLL VC++ .NET 2005 MSVCR80.DLL VC++ .NET 2008 MSVCR90.DLL

Debug Symbols Debug timestamp (time_t – seconds since 01.01.1970) Version of the PDB file NB09 - Codeview 4.10 NB11 - Codeview 5.0 NB10 - PDB 2.0 RSDS - PDB 7.0 Age – number of times the malware has been compiled

Coms Communications Functions Installation & Deployment Method Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques

Command and Control Once installed, the malware phones home… TIMESTAMP SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

Command and Control Server The C&C system may vary Custom protocol (Aurora-like) Plain Old URL’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database

‘SoySauce’ C&C Hello Message this queries the uptime of the machine.. checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

SLIDES PAST THIS POINT ARE SCRATCH AREA

How a program looks in memory Physical Memory Virtual Memory PE Header Tables Data Code More data

OS Loader In memory, traditional checksums don’t work DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Software Traits remain consistent MD5 Checksum reliable

OS Loader Physical memory tends to get around the ‘packing’ problem IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Physical memory tends to get around the ‘packing’ problem As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Starting Malware Packed Malware Software Traits remain consistent

Same malware compiled in three different ways OS Loader DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Software Traits remain consistent

Toolkits can be detected Toolkit traits are apparent IN MEMORY IMAGE OS Loader Toolkits can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit traits are apparent Packed

Source Code Core that the developer keeps re-using 3rd party sources ‘Hello World’ equivalent for malware Service, Driver, Dropper, Browser Helper Object, etc. 3rd party sources Functions that are cut-and-paste into the malware Encryption, communications, enumeration, etc.

Programming Language C C++ Delphi ECX is used as the *this pointer in function calls Delphi Apparent in ASCII strings that are embedded

Name Mangling TODO

3rd Party Libraries Static or dynamic linking Compression / Encryption OpenSSL gzip

Tweaks and Mods Especially good for detecting a developer May change often, evolve over time

Compiler & Machine Version of compiler Machine-data leakage GUID V1 leaks MAC address Compile time

Custom Crimeware Programming Houses These guys are going to resell the same code 500 times with different icons…

Pay-per-install.org

Rogueware 35 million computers infected every month with rogueware. Some eastern European groups are making over $34 million dollars a month on this scam alone. “The Business of Rogueware.pdf” – Panda Security

Packing UPX VMProtect Themida ASProtect

Country of Origin ZeuS C&C server source code. Written in PHP Specific “Hello” response (note, can be queried from remote to fingerprint server) Clearly written in Russian In many cases, the authors make no attempt to hide…. You can purchase ZeuS and just read the source code…

User Language Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality Be aware some technologies have multiple language support Resource-culture-codes for embedded resources in the EXE

These commands map to a foreign language keyboard.

The embedded executable is tagged with Chinese PRC Culture code

Embedded Manifest TODO