1. Tracking Cyber Spies & Digital Criminals Greg Hoglund HBGary, Inc
Malware Attribution
Tracking Cyber Spies & Digital Criminals
Greg Hoglund
HBGary, Inc
Blackhat Vegas 2010

2. The Bad Guys are Winning
Cybercrime & espionage is the dominant criminal problem globally, surpassing the drug trade
Russians made more money last year in banking fraud than the Columbians made selling cocaine
Chinese are crawling all over commercial & government networks
The largest computing cloud in the world is controlled by Conficker
6.4 million computer systems*
230 countries
230 top level domains globally
18 million+ CPUs
28 terabits per second of bandwidth *

3. Humans
Attribution is about the human behind the malware, not the specific malware variants
Focus must be on human-influenced factors
Move this way 
 Binary
Human 
We must move our aperture of visibility towards the human behind the malware

4. Payment system developer
$500+
Implant Vendor
$1,000+
Exploit Pack Vendor
$10,000+ for 0-day
Exploit Developer
$10,000+ for 0-day
Rootkit Developer
Rogueware Developer
Back Office Developer
$1000+
Wizard
Bot Vendor
eGold
~4% of bank customers
Payment system developer
Country that doesn’t co-op w/ LE
Secondary
atm
Keep 10%
Victims
Small Transfers
A single operator here may recruit 100’s of mules per week
$5,000 incrm.
Drop Man
Account
Buyer
Affiliate Botmaster
ID Thief
Endpoint Exploiters
Keep 50%
$ per 1000 infections
PPI
Forger
Cashier / Mule
Bank Broker
Sells accounts in bulk
Country where account is physically located
$5.00 per
$50
Keep 10%

5. Installs Marketplace

6. Intelligence Spectrum
Blacklists
Net
Recon C2
Developer Fingerprints
TTP
Social Cyberspace DIGINT
Physical Surveillance HUMINT
 Nearly Useless
Nearly Impossible 
SSN & Missile
Coordinates of the Attacker
MD5 Checksum of a single malware sample
Sweet Spot
IDS signatures with long-term viability
Predict the attacker’s next moves

7. Developer Fingerprints
Archaeology layer
Net
Recon C2
Developer Fingerprints
TTP
Actions / Intent (attacker’s behavior, as opposed to code)
Installation + Deployment method
Command + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)
COMS (code level view, as opposed to network sniff)
Defensive / Antiforensics (usually a packer, easily changed)
Exploit weaponization / delivery vehicle
Shellcode
DNS, C2 Protocol, Encryption Method (high rate of change)

8. Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists
ATTRIBUTION-Derived
Developer Toolmarks
Signatures
Algorithms
NIDS sans address
Hooks
Protocol
Install
DNS name
IP Address
Checksums

9. Rule #1
The human is lazy
The use kits and systems to change checksums, hide from A/V, and get around IDS
They DON’T rewrite their code every morning

10. Rule #2
Most attackers are focused on rapid reaction to network-level filtering and black-holes
Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic
They are not-so-focused on host level stealth
Most malware is simple in nature, and works great
Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

11. Rule #3 Physical memory is King
Once executing in memory, code has to be revealed, data has to be decrypted

12. OS Loader In memory, traditional checksums don’t work
DISK FILE
IN MEMORY IMAGE
100% dynamic
Copied in full
Copied in part
OS Loader
In memory, traditional checksums don’t work
MD5 Checksum
is not consistent
Software Traits remain consistent
MD5 Checksum
reliable

13. OS Loader Physical memory tends to get around the ‘packing’ problem
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
Physical memory tends to get around the ‘packing’ problem
Starting Malware
As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.
Packed
Malware
Software Traits remain consistent

14. Same malware compiled in three different ways OS Loader
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors.
MD5 Checksums
all different
Software Traits remain consistent

15. Attribution is Not Hard
If you can read a packet sniffer, you can attribute malware
Yes, this means more people in your organization can do this
Focus on strings and human-readable data within a malware program
In most cases, code-level reverse engineering is not required

16. The Flow of Forensic Toolmarks
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

17. Developer Fingerprints
Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

18. Toolkit Fingerprints
Machine
PPI Affiliate
Packed
Malware
Toolkit

19. Toolkits can be detected Toolkit traits are apparent
IN MEMORY IMAGE
OS Loader
Toolkits can be detected
Malware
Tookit
Different
Malware
Authors
Using
Same Toolkit
Toolkit traits are apparent
Packed

20. Core ‘Backbone’ Sourcecode
Paths
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

21. Example: Gh0stNet

22. GhostNet

23. NOTE: Packing is not fully effective here
GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
Packer Signature
MZx90
This progRy. y cannot be run in DOS mode
Embedded executable
NOTE: Packing is not fully effective here

24. GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
Resource Culture Code
0x0804
MZx90
The embedded executable is tagged with Chinese PRC Culture code
This progRy. y cannot be run in DOS mode

25. GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive.
0x0804
MZx90
MZx90
This program cannot be run in DOS mode
This progRy. y cannot be run in DOS mode
E:\gh0st\Server\Release\install.pdb
Embedded PDB Path

26. For Immediate Defense…
 Useless
Human 
MD5 of the Gh0stNet dropper.EXE
Query: “Find Attacker’s PDB Path”
PDB Path found within extracted EXE
RawVolume.File.BinaryData
contains
“gh0st\”

27. Link Analysis
“gh0st\”
The web reveals Chinese hacker sites that reference the “gh0st\” artifact

28. GhostNet: Backdoor
The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver.
UPX!
MZx90
MZx90
This program cannot be run in DOS mode
E:\gh0st\Server\Release\install.pdb
MZx90
MZx90
e:\gh0st\server\sys\i386\RESSDT.pdb
Another embedded EXE
Another PDB path

29. Our defense…
Query: “Find Attacker’s PDB Path”
RawVolume.File.BinaryData
contains
“gh0st\”
Even if we had not known about the second executable, our defense would have worked. This is how moving towards the human offers predicative capability.

30. What do we know…
i386 directory is common to device drivers. Other clues:
sys directory
‘SSDT’ in the name
SSDT means System Service Descriptor Table – this is a common place for rootkits and HIPS products to place hooks.
Also, embedded strings in the binary are known driver calls:
IoXXXX family
KeServiceDescriptorTable
ProbeForXXXX
KeServiceDescriptorTable is used when SSDT hooks are placed. We know this is a hooker.

31. What do we know…
IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, and friends are used when the driver communicates to usermode. This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver.
When communication takes place between usermode & kernelmode, there will be a device path.

32. For Immediate Defense…
MD5 of the Gh0stNet dropper.EXE
Device Path of the kernel mode driver and the Symbolic Link name
 Useless
Human 
Query: “Find Rootkit Device Path or Symlink”
Physmem.WindowsObject.Name
contains
“RESSDT”

33. Link Analysis
“RESSDT”
A readme file on Kasperky’s site references a Ressdt rootkit.

34. Doc/View is usually MFC
TMC
Rootkit
e:\gh0st\server\sys\i386\RESSDT.pdb
e:\job\gh0st\Release\Loader.pdb
Cgh0stView
Cgh0stDoc
e:\job\gh0st\Release\gh0st.pdb
C:\gh0st3.6_src\HACKER\i386\HACKE.pdb
\gh0st3.6_src\Server\sys\i386\CHENQI.pdb
Dropper
GUI (MFC)
Doc/View is usually MFC
Rootkits
Already at version 3.6

35. gh0st _RAT, source code, team, and forum

36. Case Study: Chinese APT
2004
2005
2007
2009
2010
SvcHost.DLL.log
SvcHost.DLL.log &
“bind cmd frist!”
SvcHost.DLL.log
Just “bind cmd frist!”

37. Core ‘Backbone’ Sourcecode
Timestamps
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

38. Image Data Directories
PE Timestamps
PE file
Module timestamp*
time_t (32 bit)
e_lfanew
The ‘lmv’ command in WinDBG will show this value..
Image File Header
Optional Header
Image Data Directories
IMAGE DEBUG DIRECTORY
Debug timestamp
time_t (32 bit)
This is present if an external PDB file is associated with the EXE
*This is not the same as NTFS file times, which are 64 bit and stored in the NTFS file structures.

39. Timestamp Formats time_t – 32 bit, seconds since Jan. 1 1970 UTC
0x3DE03E0A  usually start with ‘3’ or ‘4’
‘3’ started in 1995 and ‘4’ ends in 2012
Use ‘ctime’ function to convert
FILETIME – 64 bit, 100-nanosecond intervals since Jan UTC
0x01C195C2.5100E190  usually start with ‘01’ and a letter
01A began in 1972 and 01F ends in 2057
Use FileTimeToSystemTime(), GetDateFormat(), and GetTimeFormat() to convert

40. Case Study: Chinese APT
2004
2005
2007
2009
2010
XX/XX/2005 – XX:XX PM
12/XX/2007 – X:XX AM
12/XX/2007 – X:XX PM
11/XX/2009 – 9:XX AM
2/XX/2010 – XX:XX AM
12/XX/2009 – 11:XX PM
3/XX/2010 – XX:XX AM
3/XX/2010 – XX:XX PM
Compile times extracted from ‘soysauce’ backdoor program.
3/XX/2010 – XX:XX PM

41. For Immediate Defense…
Compile time
 Useless
Human 
Query: “Find Modules Created Within Attack Window”
RawVolume.File.CompileTime
>
3/1/2010
<
3/31/2010

42. Core ‘Backbone’ Sourcecode
MAC Address
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

43. This technique was used to track the author of the Melissa virus
GUID V1
The OSF specified algorithm for GUID V1 uses the MAC address of the network card for the last 48 bits of the 128 bit GUID
This was deprecated on Windows 2000 and greater, so this has limited value
{21EC2020-3AEA-1069-A2DD-08002B30309D}
V1 GUIDS have a 1 in this position
This is the MAC of the machine
This technique was used to track the author of the Melissa virus

44. Core ‘Backbone’ Sourcecode
Compiler Version
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

45. Visual Studio Static or dynamic linked runtime library?
Single-threaded or multi-threaded?
Use of STL?
Use of older iostream libraries?*
See: * support.microsoft.com/kb/154753

46. Visual Studio – Static Linking
Version
Libraries linked with
Type
Compiler flag
VC++ .NET 2003 and earlier
LIBC.LIB, LIBCP.LIB
Single Threaded Static
/ML
LIBCD.LIB, LIBCPD.LIB
/MLd
All
LIBCMT.LIB, LIBCPMT.LIB
Multi-threaded Static
/MT
LIBCMTD.LIB, LIBCPMTD.LIB
/MTd
Visual Studio – Dynamic Linking
Version
DLL Linked with
VC++ 4.2
MSVCRT.DLL/MSVCRTD.DLL
VC++ 5.0
MSVCR50.DLL
VC++ 6.0
MSVCR60.DLL
VC++ .NET 2002
MSVCR70.DLL
VC++ .NET 2003
MSVCR71.DLL
VC++ .NET 2005
MSVCR80.DLL
VC++ .NET 2008
MSVCR90.DLL

47. MFC
"^MFC(?<type>(|O|D|N|S))(?<version>[0-9]+)(?<debug>(|U|D|UD))\\.DLL"
O:"Microsoft Foundation Classes (MFC) for Active Technologies, version: " + version;
D:"Microsoft Foundation Classes (MFC) for database, version: " + version;
N:"Microsoft Foundation Classes (MFC) for network (sockets), version: " + version;
S: "Microsoft Foundation Classes (MFC) statically linked code, version: " + version;
default: "Microsoft Foundation Classes (MFC) standard, version: " + version;
D:"ANSI Debug";
UD:"Unicode Debug";
U: "Unicode Release";
default: "ANSI Release";

48. Static Linking
C runtime library strings will be embedded in the EXE itself, as opposed to being in an external DLL
DOMAIN error
TLOSS error
SING error
R6027
Other libraries can also be detected in same manner (MFC, OpenSSL, etc)

49. Debug Symbols Debug timestamp (time_t – seconds since 01.01.1970)
Version of the PDB file
NB09 - Codeview 4.10
NB11 - Codeview 5.0
NB10 - PDB 2.0
RSDS - PDB 7.0
Age – number of times the malware has been compiled

50. Debug Information Format
Types:
Standard Program Database
Program Database for Edit and Continue (/ZI)
C7 Compatible

51. Name Mangling

52. Undecorate Visual C++ demangle: DWORD WINAPI UnDecorateSymbolName(
__in PCTSTR DecoratedName,
__out PTSTR UnDecoratedName,
__in DWORD UndecoratedLength,
__in DWORD Flags );
Also, see source to winedbg
GNU C++ demangle
see libiberty/cplus-dem.c and include/demangle.h

53. Delphi Give-away strings: SOFTWARE\Borland\Delphi\RTL
This program must be run under Win32
- Borland’s tlink32 linker

54. Delphi Uses specific function names – easy to identify
Language is derived from Pascal
78 hits for pascal, only 2 for c++

55. DOS stubs MZ\x50 MX\x90 “This program cannot be run in DOS mode”
VC, gcc, MASM
“This program requires Microsoft Windows”
“This program must be run under win32”

56. Embedded Manifest Contains name, description, platform
Contains list of dependent modules + versions
May contain key tokens that identify specific dependent modules (aka strongly named)
May contain public key that is tied to the developer if assembly itself is strongly named
not likely!
Public/private key pair (sn.exe)

57. Manifest
assemblyIdentity version=.+\\<description\\>(?<description>.+)\\</description\\>
assemblyIdentity version=\\\"(?<version>[0-9\\.]+)\\\"
processorArchitecture=\\\"(?<proc>.+)\\\" name=\\\"(?<asm_name>.+)\\\" type
\\<dependentAssembly\\>\\<assemblyIdentity .+ name=\\\"(?<asm_name>.+)\\\“
version=\\\"(?<version>[0-9\\.]+)\\\" processorArchitecture=\\\"(?<proc>.+)\\\“
publicKeyToken=\\\"(?<token>[0-9a-fA-F]+)\\\"
I hope you like Regex

58. Choice of string handling functions
UNICODE, ASCII, MultiByte
“wprintf” – wide
“f_sprintf” – safe
“(n|w)printf” – length check
“_v” - var-arg
“_f” - file output

59. Compiler Options Optimize for Size / Speed Inline Function Expansion
Intrinsic Functions
Fast code over small code

60. Frame Pointer Omission
Look for a certain & of [esp] variable initializations
Example: C mov dword ptr [esp+0x8],0x0
Don’t need a disassembler, this can be byte pattern based

61. Exception Handling Structured (SEH) Vectored
“__except_handler3” or “__local_unwind3” – VS < 8.0
“__except_handler4” or “__local_unwind4” or “_XcptFilter” – VS 8.0+
64 ff push dword fs:[0] (SEH save)
mov fs:[0], esp (SEH init)
Vectored
“AddVectoredExceptionHandler” or
“RemoveVectoredExceptionHandler”

62. Buffer Security Checks
F 8B 4D FC mov ecx,dword ptr [ebp-0x4]
CD xor ecx,ebp
E8 05 FC FF FF call 0x E▲ // sub_ E
AddPattern(theList, "Buffer Security Checks", "8B 4D FC 33 CD E8", 1, 0, null);

63. Runtime Type Information (RTTI)
"Run-Time Check Failure #%d"

64. Calling Convention
__cdelc
__stdcall
__fastcall

65. C versus C++ Pattern is apparent when C++ objects are used
Call thru vtable

66. UAC asInvoker highestAvailable requireAdministrator
“Bypass” UI Protection

67. Core ‘Backbone’ Sourcecode
Tracking Source Code
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

68. Main Functions Main DllMain ServiceMain Same argument parsing
Init of global variables
WSAStartup
DllMain
ServiceMain

69. Service Routines Install / Uninstall Service RunDll32
Service Start/Stop
ServiceMain
ControlService

70. Hard coded sleep( ) times
Skeleton of a service
Sleep loop at end
DllMain() {
// store the HANDLE to the module in a global variable }
ServiceMain()
// RegisterServiceCtrlHandler & store handle to service in global variable
// call SetServiceStatus, set PENDING, then RUNNING
// call to main malware function(s)
ServiceCtrlHandler_Callback
// handle various commands, start/stop/pause/etc
dwWaitHint
Size of local buffer
Hard coded sleep( ) times

71. Skeleton of a service Size of local buffer Service Name
Main_Malware_Function {
// do stuff }
InstallService()
// OpenSCManager
// CreateService
UninstallService()
// DeleteService
Size of local buffer
Service Name
Exception Handling
Registry Keys

72. Filename Creation Log files, EXE’s, DLL’s Subdirectories
Environment Variables
Random numbers

73. Case Study: Chinese APT
2004
2005
2009
2010
2005 posting of similar source code, includes poster’s handle.

74. Case Study: Chinese APT
Continued searching will reveal many, many references to the base source code of this malware.
All malware samples for this attacker are derived from this basic framework, but many additions & modifications have been made.

75. Core ‘Backbone’ Sourcecode
3rd Party SourceCode
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

76. Format Strings
These are written by humans, so they provide good uniqueness

77. Logging Strings Searching for: “Unable to determine” & “Unknown type!”
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material.

79. Mutex Names
Mutex names remain consistent at least for one infection-push, as they are designed to prevent multiple-infections for the same malware.

80. Link Analysis

81. Core ‘Backbone’ Sourcecode
3rd Party Libraries
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

82. Copyright & Version Strings
OpenSSL/0.9.6
RAND part of OpenSSL 0.9.8e 23 Feb 2007
MD5 part of OpenSSL 0.9.8k 25 Mar 2009
libdes part of OpenSSL 0.9.7b 10 Apr 2003
inflate Copyright Mark Adler
inflate Copyright Mark Adler
inflate Copyright Mark Adler
inflate Copyright Mark Adler
inflate Copyright Mark Adler
inflate Copyright Mark Adler
inflate Copyright Mark Adler

83. zlib Fingerprinting
Every new version of zlib has a unique pattern of bits in the data tables – these are modified for each version specifically
This pattern is a data constant and can be used even if the copyright notices have been removed

84. inflate library patterns
Not as specific as zlib patterns but can be used to detect the inflate decompressor

85. Installation & Deployment
Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

86. Case Study: Chinese APT
2004
2005
2009
2010
Alters the DLL value of an existing service named “RemoteRegistry”:
Original ServiceDll value: regsvc.dll
Trojan ServiceDll value: regsvr.dll
Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe
Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe

87. Method used to find base of kernel32
FindKernel32:
pushad
and esi, 0FFFF0000h
mov ecx, 100h
FK32_Loop:
call TryAddress
jnc FK32_Success
sub esi, h
loop FK32_Loop
FK32_Hardcodes:
mov esi, KERNEL32_WIN9X
mov esi, KERNEL32_WINNT
mov esi, KERNEL32_WIN2K
mov esi, KERNEL32_WINME
FK32_Fail:
popad
stc
ret
FK32_Success:
mov [ebp + Kernel32], esi
clc
Mask off ESI to a page boundary
Load ECX w/ a length to scan backwards from
Subtract, try again
Try a bunch of hard coded offsets if the scan fails

88. Command & Control Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

89. Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME
VICTIM IP
ADMIN?
OS VERSION
HD SERIAL NUMBER

90. C&C Hello Message this queries the uptime of the machine..
checks whether it's a laptop or desktop machine...
enumerates all the drives attached to the system, including USB and network...
gets the windows username and computername...
gets the CPU info... and finally,
the version and build number of windows.

91. Command and Control Server
The C&C system may vary
Custom protocol (Aurora-like)
Plain Old URL’s
IRC (not so common anymore)
Stealth / embedded in legitimate traffic
Machine identification
Stored infections in a back end SQL database

92. Aurora C&C parser
Command is stored as a number, not text. It is checked here.
Each individual command handler is clearly visible below the numerical check
After the command handler processes the command, the result is sent back to the C&C server

93. Command & Control Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Technique vds

94. Antidebugging Place SEH handler Divide by zero error DetectDebuggers:
pushad
PUT_SEH_HANDLER FD_Continue ; Use SEH to kill debuggers
xor eax, eax ; Generate a exception (divide by 0)
div eax ;
RESTORE_SEH_HANDLER ; Here some abnormal occured
jmp FD_Debugger_Found ; So lets quit
FD_Continue: ; Execution should resume at this pnt
RESTORE_SEH_HANDLER ; Remove handler
mov eax, fs:[20h] ; Detect application-level debugger
test eax, eax ; Is present?
jnz FD_Debugger_Found ; Quit!
popad ; No debuggers found, so restore
clc ; registers, clear carry flag and
ret ; return!
FD_Debugger_Found:
popad
stc
ret
Divide by zero error

95. Debugger Detection Call IsDebuggerPresent
Or, read offset 2 from the PEB structure
mov eax, fs:[30h] mov eax, byte ptr [eax+2] test eax, eax jnz __found_debugger
Check the Heap Manipulation Flags in NtGlobalFlags
FLG_HEAP_ENABLE_TAIL_CHECK,
FLG_HEAP_ENABLE_FREE_CHECK,
FLG_HEAP_VALIDATE_PARAMETERS
mov eax, fs:[30h]
mov eax, [eax+68h]
and eax, 0x70
test eax, eax
jnz __found_debugger

96. Debugger Detection
Heap Flags, not the same as NtGlobalFlags but affected by the use of FLG_HEAP_*
mov eax, fs:[30h]
mov eax, [eax+18h]  process heap
// EAX now points to the first heap header…
mov eax, [eax+10h]  heap flags member in the header
// EAX can now be tested for any heap flags that may be enabled
test eax, eax
jnz __found_debugger

97. Debugger Detection NtQueryInformationProcess
Called with a ProcessInformationClass of 7 (ProcessDebugPort), will set ProcessInformation pointer to 0xFFFFFFFF if process is being debugged

98. Debugger Detection CheckRemoteDebuggerPresent
This just wraps NtQueryInformationProcess, but in this case the OUT DWORD is set to 1 (TRUE) if a debugger is present

99. Debugger Detection TRAP_FLAG Checking to see if it’s set
Or, setting it with an exception handler
The debugger would process the single step and the exception handler would not be called if a debugger were present

100. Debugger Detection ZwClose
If a program is being debugged, calling ZwClose with an invalid handle will generate an exception STATUS_INVALID_HANDLE (0xC )

101. Debugger Detection SetUnhandledExceptionFilter
Will not be called if a debugger is attached
If a debugger is attached, the program will terminate due to the unhandled exception

102. Debugging and Timers Calling QueryPerformanceCounter
Calling GetTickCount
RDTSC instruction

103. Hiding a Thread from a Debugger
Call NtSetInformationThread with a ThreadInformationClass of 0x11 (ThreadHideFromDebugger) – the thread will be detached from any debuggers

104. Advanced Fingerprinting

105. GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display.
Reads screenshot data, creates a special DIFF buffer
LOOP: Compare new screenshot to previous, 4 bytes at a time
If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match.
Offset in screenshot
Len in bytes
Data….

106. GhostNet: Searching for sourcecode
Large grouping of constants
Search source code of the ‘Net

107. GhostNet: Refining Search
Has something to do with audio…
Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…

108. GhostNet: Source Discovery
We discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste.
We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.

109. On link analysis…

110. Example: Link Analysis with Palantir™
Implant
Forensic Toolmark specific to Implant
Searching the ‘Net reveals source code that leads to Actor
Actor is supplying a backdoor
Group of people asking for technical support on their copies of the backdoor

111. Keylogger (link analysis)

112. Working back the timeline
Who sells it, when did that capability first emerge?
Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
Requires budget for acquisition of emerging malware products

113. Penetrating Cyberspaces
Maintaining and building digital cover
Non-attrib pop on ‘net
Multiple identities
Contribution for bonafides

114. carders.cc
Final

115. Defining Threat Groups
Smallest atomic unit: the individual
Largest cloud unit: the scam
Fraud, IP-theft, access reseller
A.B.C  narrowing cloudspace to individual
Developers
Less than number of malware (with malware defined before MD5 created aka pre-packing)
Users
Larger than number of developers

116. Fingerprint.exe

117. Fingerprint Utility
Developer Fingerprint Utility, Copyright 2010 HBGary, INC
File: 1228ad2e39befa e98d8ed2890.livebin
Original project name: RESSDT
Developer's project directory: e:\gh0st\server\sys\i386
Compiler: Microsoft Visual C release
User interface: Windows GDI/Common Controls
Media: Windows multimedia API
Media: Microsoft VfW (Video for Windows)
Compression: Inflate Library version: 1.1.4
Networking: Windows sockets (TCP/IP)
Networking: Windows Internet API
Source directory: e:\gh0st\server\sys\i386

118. Sample compiled at 5:50:13 AM compared against DB
“Smars” malware
Sample compiled at 5:50:13 AM compared against DB
All samples have different MD5 checksums, may have been packed in
various ways. All but one score in 90%+ range.

119. The set of Mark Russinovich’s free system tools
The set of Mark Russinovich’s free system tools. You can see which ones are just variants of the same source base, or were compiled on the same platform in or around the same time.

120. Clustering a malware collection
Large number of samples
Need to group self-similar items into “clusters”
Like a “strange attractor”
From the cluster, perform link analysis into social cyberspaces to find “participants”
Some participants may “resolve” into a developer, user, or other archetype

121. system32 directory – Windows 7 64 bit Professional
Old-school DOS command EXE’s
These were very small binaries with almost no fingerprint data
More old school, but these have extra cmd-parsing features
Hypigon
Rebel Base
Virut
Autorun infecting
sysinternals
Language support binaries (NLS)
tskill, tsdiscon, logoff, changelogon, etc
Vobfus
1/41 on virtualtotal
Azero
YahLover
Rungbu

122. HBGary, Inc.

123. HBGary, Inc.

124. HBGary, Inc.

125. Conclusion

126. Takeaways
Actionable intelligence can be obtained from malware infections for immediate defense:
File, Registry, and IP/URL information
Existing security doesn’t stop ‘bad guys’
Go ‘beyond the checkbox’
Adversaries have intent and funding
Need to focus on the criminal, not malware
Attribution is possible thru forensic toolmarking combined with open and closed source intelligence

127. Continued Work
Will be performing large-scale fingerprint analysis over 400gigs+ of malware captured by the U.S. Intelligence Community
HBGary is interested in processing as many malware collections as possible, both targeted/APT and non-targeted, both classified and unclassified, commercial or govt/govt contractor

128. Fingerprint Download Get fingerprint from www.hbgary.com -- or --
Stop by the HBGary booth to get a CD

129. Thank You HBGary, Inc. (www.hbgary.com)
HBGary Federal (