Analyzing Malware Behavior The Secret to a More Secure World Greg Hoglund

Malware The Tip of the Spear

Malware is the single greatest threat to Enterprise security today Fact Malware is the single greatest threat to Enterprise security today Existing security isn’t stopping it Over 80% of corporate intellectual property is stored online, digitally

Google cyber attacks a 'wake-up' call -Director of National Intelligence Dennis Blair http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-call-for-US-intel-chief-says

IP is Leaving The Network Right Now Everybody in this room who manages an Enterprise with more than 10,000 nodes: They are STEALING right now, as you sit in that chair.

Scale Over 100,000 malware are released daily Automated malware infrastructure Signature-based security solutions simply can’t keep up The peculiar thing about signatures is that they are strongly coupled to an individual malware sample More malware was released in the last year than all malware combined previous http://www.avertlabs.com/research/blog/index.php/2009/03/10/avert-passes-milestone-20-million-malware-samples/

Economy Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

35 million computers infected every month with “rogueware” Example: Rogueware 35 million computers infected every month with “rogueware” Many are fake anti-virus scanners Victims pay for these programs, $50+, and stats show that some Eastern Europeans are making upwards of $34 million dollars a month with this scam *http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf

Rogueware

Cash is not the only motive State sponsored economic power Stealing of state secrets intelligence & advantage Stealing of IP competitive / strategic advantage – longer term Infrastructure & SCADA wartime strike capable Info on people (not economic) i.e., Political dissidents

Espionage

MI5 says the Chinese government “represents one of the most significant espionage threats” http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece

Big Brother Opennet.net

Why Malware is Not Going Away

Not an antivirus problem Malware isn’t released until it bypasses all the AV products Testing against AV is part of the QA process AV doesn’t address the actual threat – the human who is targeting you AV has been shown as nearly useless in stopping the threat AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

Malware is a human issue Evolving Threat Malware is a human issue If you detect a malware that is part of an targeted operation and you remove it from the computer, the risk has not been eliminated – the bad guys are still operating “Malware is only a vehicle for intent, tomorrow the bad guy will be back again”

Attack Surface Over Time Value Horizon Hardness of Windows remote RPC Use of Windows remote RPC overflows

Continuous Area of Attack Value Horizon Continuous area of attack Windows remote RPC GDI Image Bugs Flash Overflows IIS Server overflows

Technology Lifecycle Value Horizon Area of attack

Continuous Area of Attack By the time all the surfaces in a given technology are hardened, the technology is obsolete Value Horizon Continuous area of attack We secured java, but now we have flash We secure the web, but now we have Second Life Technology Lifecycle

The Global Malware Economy

This “malware ecosystem” supports both Crimeware and e-Espionage A Global Theatre There are thousands of actors involved in the theft of information, from technology developers to money launderers Over the last decade, an underground economy has grown to support espionage and fraud This “malware ecosystem” supports both Crimeware and e-Espionage

Payment system developer $500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $100.00 per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

Crimeware and the State Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack There is no custom code that can be fingerprinted

China “There are the intelligence-oriented hackers inside the People's Liberation Army” “There are hacker conferences, hacker training academies and magazines” “Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military” When asked whether hackers work for the government, or the military, [he] says "yes." http://news.cnet.com/Hacking-for-fun-and-profit-in-Chinas-underworld/2100-1029_3-6250439.html

C&C map from Shadowserver, C&C for 24 hour period

Crimeware and Terrorism Consider that terrorist groups, often thought to be unsophisticated in the area of cyber attack, can just purchase fully capable exploitation kits for $1,000

Crimeware Affiliate Networks Grown out of older adware business models

Pay-per-install.org

Pays per 1,000 infections Earning4u * http://www.secureworks.com/research/threats/ppi/

PPI Programs * http://www.secureworks.com/research/threats/ppi/

Custom Crimeware Programming Houses

Malware Attribution

Digital fingerprints left by compiler tools Developer code idioms Forensic Toolmarks Digital fingerprints left by compiler tools Developer code idioms Major technology components that can be fingerprinted: Distribution system Exploitation capability Command and Control Payload (what does it do once its in)

Reverse Engineering Focus Areas Compiler version Paths unique to the developer workstation i.e., .pdb paths Language codes, keyboard layouts Unique variations of algorithms obfuscation, compression C&C Protocol design Even spelling mistakes!

Same malware compiled in three different ways DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Code idioms remains consistent

In-memory analysis tends to defeat packers IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader In-memory analysis tends to defeat packers Starting Malware Packed Malware Unpacked portions remains consistent

Toolkits and developer signatures can be detected IN MEMORY IMAGE OS Loader Toolkits and developer signatures can be detected Malware Toolkit Different Malware Authors Using Same Toolkit Toolkit Marks Detected Packed

Country of Origin Country of origin Is the bot designed for use by certain nationality? Geolocation of IP is NOT a strong indicator However, there are notable examples Is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation C&C map from Shadowserver, C&C for 24 hour period

Language codes in resources Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality Be aware some technologies have multiple language support Language codes in resources

Command and Control These commands map to a foreign language keyboard.

ZeuS (botnet)

ZeuS C&C server source code. Written in PHP Specific “Hello” response (note, can be queried from remote to fingerprint server) Clearly written in Russian In many cases, the authors make no attempt to hide…. You can purchase ZeuS and just read the source code…

A GIF file included in the ZeuS C&C server package.

Caution: The developer != operator The developer may not have any relation to those who operate the malware The operation is what’s important Ideally, we want to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

Stage I: Exploitation

Malware Distribution Systems Large scale systems to deploy malware Browser component attacks Precise spearphising attacks Contain boobytrapped documents Backdoored physical media USB, Camera, CD’s left in parking lot, ‘gifts’

Attack Vector: Boobytrapped Documents This is the current trend Single most effective focused attack today Human crafts text

Example: PDF Boobytrap Exploit is chosen based on version of Acrobat Reader™ Malicious PDF Analysis: http://www.hbgary.com/community/phils-blog/

Attack Vector: Web based attack Social Networking Space Injected Java-script Used heavily for large scale infections Social network targeting is possible

Example: Trap Postings I www.somesite.com/somepage.php <script> </script> Some text to be posted to… the site ….

Example: Trap Postings II www.somesite.com/somepage.php <IFRAME src= style=“display:none”></IFRAME> Some text to be posted to… the site ….

Example: SQL Injection www.somesite.com/somepage.php SQL attack, inserts IFRAME or script tags

Example: ‘Reflected’ injection Link contains a URL variable w/ embedded script or IFRAME * User clicks link, thus submitting the variable too Trusted site, like .com, .gov, .edu The site prints the contents of the variable back as regular HTML *For an archive of examples, see xssed.com

Actor: Vuln Researchers Paid well into the five figures for a good, reliable exploit $20,000 or more for a dependable IE exploit on latest version Injection vector & activation point can be fingerprinted Method for heap grooming, etc Delivery vehicle

Actor: Endpoint Exploiter Endpoint Exploiters $100.00 per 1000 infections The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects Newcomers can learns various attack methods from their PPI affiliate site (mini-training) These are generally recruited hackers from forums (social space) The malware will have an affiliate ID “somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

Link Analysis Using Link Analysis URL artifact Unique Affiliate ID’s Codenamed Botmaster C&C Fingerprint Endpoints Link Analysis

Fingerprinting Exploit Packs Common methods in shellcode Heap grooming/spray techniques Methods to located shellcode in memory Methods to load function pointers from kernel32.dll, etc Web Server version Backend technology – cgi, PHP, etc. HTTP variable names, number formats, etc.

Eleonore (exploit pack)

Tornado (exploit pack)

Napoleon / Siberia (exploit pack)

Exploitation Complete: A three step infection Injected Java-script Exploit Server Redirect 1010101010 Browser Exploit Payload Server Dropper

Stage II: Droppers

Fingerprinting Droppers Use of certain packer version Compiler and settings used Delphi? C++ classes? Stack pointer omission, etc. How are embedded resources used? Language codes? Compressed? Dropper-webserver type / version Brute-force URL’s to find all the downloadable exe’s

CRUM (protector)

‘Dropper’ or Payload Server A machine that has the actual malware dropper ready for download. The exploit server will redirect the victim to download a binary from this location

malwaredomainlist.com abuse.ch spamcop.net team-cymru.org Intelligence Feeds malwaredomainlist.com abuse.ch spamcop.net team-cymru.org shadowserver.org

NOTE: Packing is not fully effective here GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Packer Signature MZx90 This program cannot be run in DOS mode Embedded executable NOTE: Packing is not fully effective here

GhostNet: Resource Culture Codes The embedded executable is tagged with Chinese PRC Culture code

PDB path reveals malware name GhostNet: PDB Paths UPX! The embedded executable is extracted to disk. The extracted module is NOT PACKED. MZx90 MZx90 E:\gh0st\Server\Release\install.pdb PDB path reveals malware name

Actionable Intelligence Information obtained via droppers that you can use for immediate defense: File and Registry Paths used for the installation Enterprise tools can scan for these to detect other infections

Stage III: Implants

The ‘persistent’ backdoor program Hide in plain sight strategy Implants The ‘persistent’ backdoor program Hide in plain sight strategy General purpose hacking tool Stealth capabilities In-field update capabilities Has command-and-control system

Poison Ivy (implant)

A device driver is embedded in the executable GhostNet Implant A device driver is embedded in the executable Dropped as a svchost.exe DLL: MZx90 MZx90

GhostNet: Embedded Drivers i386 directory is common to device drivers. Other clues: sys directory ‘SSDT’ in the name Also, embedded strings in the binary are known driver calls: IoXXXX family KeServiceDescriptorTable ProbeForXXXX

Command and Control Once installed, the malware phones home… TIMESTAMP SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

Command and Control Server The C&C system may vary Custom protocol (Aurora-like) Plain Old URL’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database

‘SoySauce’ C&C Hello Message this queries the uptime of the machine.. checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

Aurora C&C parser Command is stored as a number, not text. It is checked here. Each individual command handler is clearly visible below the numerical check After the command handler processes the command, the result is sent back to the C&C server

Triad (botnet)

ZeuS (botnet)

Fragus (botnet)

Actionable Intelligence Information obtained via implants that you can use for immediate defense: IP and URL’s used for command and control can be used for NIDS, egress filtering, and searches against archived netflow data

Intellectual Property Threats

Soysauce: Steal Credentials Outlook Email Password Generic stored passwords

All the file types that are exfiltrated Soysauce: Steal Files All the file types that are exfiltrated

A place to store all the stolen goods before it gets ‘exfiltrated’ Staging Server A place to store all the stolen goods before it gets ‘exfiltrated’ Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior

Drop Site Sometimes the stolen data is moved to a tertiary system, not the same as the C&C

Drop-point is in Reston, VA in the AOL netblock

Actionable Intelligence Information obtained via staging server that you can use for immediate defense: Drive forensics will reveal what has already been stolen

Advanced Fingerprinting

GhostNet: Screen Capture Algorithm Loops, scanning every 50th line (cY) of the display. Reads screenshot data, creates a special DIFF buffer LOOP: Compare new screenshot to previous, 4 bytes at a time If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match. Offset in screenshot Len in bytes Data….

GhostNet: Searching for sourcecode Large grouping of constants Search source code of the ‘Net

GhostNet: Refining Search Has something to do with audio… Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…

GhostNet: Source Discovery We discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste. We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.

Sell bot systems for four figures Actor: Developers Sell bot systems for four figures $4,000 - $8,000 with complete C&C and SQL backend Sell advanced rootkits for low five figures Possibly integrated into a bot system Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this All of this development is strongly fingerprinted in the malware chain

Link Analysis Link Analysis We want to find a connection here C&C Fingerprint Botmaster URL artifact Affiliate ID Developer Protocol Fingerprint Endpoints Developer C&C products Link Analysis

Softlinking into the Social Space Where is it sold, does that location have a social space? If it has a social space, then this can be targeted Forum, IRC, instant messaging Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space Slightly harder link if the two have communicated directly If someone asks for tech support, indicates they have purchased If someone queries price, etc, then possibly they have purchased

Link Analysis Link Analysis Software Author Software Author Social Space Social Space Link Analysis

Example: Link Analysis with Palantir™ Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor

Working back the timeline Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products

Link Analysis with Timeline Software Author Social Space i.e., Technical Support Query made AFTER version 1.4 Release Use of timeline to differentiate links Link Analysis

Conclusion

Existing security doesn’t stop ‘bad guys’ Takeaways Actionable intelligence can be obtained from malware infections for immediate defense: File, Registry, and IP/URL information Existing security doesn’t stop ‘bad guys’ Go ‘beyond the checkbox’ Adversaries have intent and funding Need to focus on the criminal, not malware Attribution is possible thru forensic toolmarking combined with open and closed source intelligence

Solutions for Enterprises About HBGary www.hbgary.com Solutions for Enterprises Digital DNA™ - codified tracking of malware authors Integrated into several Enterprise products: McAfee ePO Guidance EnCase Enterprise, more to be announced Responder™ – malware analysis and physical memory forensics