Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Attribution ROUGH DRAFT OUTLINE.

Published byMargery Richard Modified over 7 years ago

Similar presentations

Presentation on theme: "Malware Attribution ROUGH DRAFT OUTLINE."— Presentation transcript:

1 Malware Attribution ROUGH DRAFT OUTLINE

2 Evolution of Cybercrime
Dominant criminal problem globally Russians make more money per year than Columbians Chinese are crawling all over DoD networks A malware-industry has emerged The largest distributed software system in the world is Conficker, with 600 million nodesNEED CORRECT STATS Current models for defense are not working

3 Payment system developer
$500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $ per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

4 Intelligence Spectrum
Blacklists Developer Fingerprints Social Cyberspace DIGINT Physical Surveillance HUMINT  Nearly Useless Nearly Impossible  SSN & Missile Coordinates of the Attacker MD5 Checksum of a single malware sample Sweet Spot IDS signatures with long-term viability Predict the attacker’s next moves

5 Humans Attribution is about the human behind the malware, not the specific malware variants Focus must be on human-influenced factors Move this way   Binary Human  We must move our aperture of visibility towards the human behind the malware

6 Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists ATTRIBUTION-Derived Developer Toolmarks Signatures Algorithms NIDS sans address Hooks Protocol Install DNS name IP Address Checksums

7 Rule #1 The human is lazy The use kits and systems to change checksums, hide from A/V, and get around IDS They DON’T rewrite their code every morning

8 Rule #2 Most attackers are focused on rapid reaction to network-level filtering and black-holes Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic They are not-so-focused on host level stealth Most malware is simple in nature, and works great Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

9 Rule #3 Physical memory is King
Once executing in memory, code has to be revealed, data has to be decrypted

10 Attribution is Not Hard
If you can read a packet sniffer, you can attribute malware Yes, this means more people in your organization can do this Focus on strings and human-readable data within a malware program In most cases, code-level reverse engineering is not required

11 The Flow of Forensic Toolmarks
Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

12 Developer Fingerprints
Communications Functions Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques

13 Toolkit Fingerprints Machine PPI Affiliate Packed Malware Toolkit

14 Core ‘Backbone’ Sourcecode
Paths Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

15 Example: Gh0stNet

16 NOTE: Packing is not fully effective here
GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Packer Signature MZx90 This progRy. y cannot be run in DOS mode Embedded executable NOTE: Packing is not fully effective here

17 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Resource Culture Code 0x0804 MZx90 The embedded executable is tagged with Chinese PRC Culture code This progRy. y cannot be run in DOS mode

18 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive. 0x0804 MZx90 MZx90 This program cannot be run in DOS mode This progRy. y cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb Embedded PDB Path

19 For Immediate Defense…
 Useless Human  MD5 of the Gh0stNet dropper.EXE Query: “Find Attacker’s PDB Path” PDB Path found within extracted EXE RawVolume.File.BinaryData contains “gh0st\”

20 GhostNet: Backdoor The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver. UPX! MZx90 MZx90 This program cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb MZx90 MZx90 e:\gh0st\server\sys\i386\RESSDT.pdb Another embedded EXE Another PDB path

21 Our defense… Query: “Find Attacker’s PDB Path” RawVolume.File.BinaryData contains “gh0st\” Even if we had not known about the second executable, our defense would have worked. This is how moving towards the human offers predicative capability.

22 GhostNet: Embedded Drivers
i386 directory is common to device drivers. Other clues: sys directory ‘SSDT’ in the name Also, embedded strings in the binary are known driver calls: IoXXXX family KeServiceDescriptorTable ProbeForXXXX

23 Core ‘Backbone’ Sourcecode
Timestamps Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

24 PE Timestamps The ‘lmv’ command in WinDBG will show this value..
PE file Module timestamp* time_t (32 bit) The ‘lmv’ command in WinDBG will show this value.. Debug timestamp time_t (32 bit) This is present if an external PDB file is associated with the EXE *This is not the same as NTFS file times, which are 64 bit and stored in the NTFS file structures.

25 Timestamp Formats time_t – 32 bit, seconds since Jan. 1 1970 UTC
0x3DE03E0A  usually start with ‘3’ or ‘4’ ‘3’ started in 1995 and ‘4’ ends in 2012 Use ‘ctime’ function to convert FILETIME – 64 bit, 100-nanosecond intervals since Jan UTC 0x01C195C2.5100E190  usually start with ‘01’ and a letter 01A began in 1972 and 01F ends in 2057 Use FileTimeToSystemTime(), GetDateFormat(), and GetTimeFormat() to convert

26 Core ‘Backbone’ Sourcecode
Compiler Version Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

27 Visual Studio Static or dynamic linked runtime library?
Single-threaded or multi-threaded? Use of STL? Use of older iostream libraries?* See: * support.microsoft.com/kb/154753

28 Visual Studio – Static Linking
Version Libraries linked with Type Compiler flag VC++ .NET 2003 and earlier LIBC.LIB, LIBCP.LIB Single Threaded Static /ML LIBCD.LIB, LIBCPD.LIB /MLd All LIBCMT.LIB, LIBCPMT.LIB Multi-threaded Static /MT LIBCMTD.LIB, LIBCPMTD.LIB /MTd Visual Studio – Dynamic Linking Version DLL Linked with VC++ 4.2 MSVCRT.DLL/MSVCRTD.DLL VC++ 5.0 MSVCR50.DLL VC++ 6.0 MSVCR60.DLL VC++ .NET 2002 MSVCR70.DLL VC++ .NET 2003 MSVCR71.DLL VC++ .NET 2005 MSVCR80.DLL VC++ .NET 2008 MSVCR90.DLL

29 Debug Symbols Debug timestamp (time_t – seconds since 01.01.1970)
Version of the PDB file NB09 - Codeview 4.10 NB11 - Codeview 5.0 NB10 - PDB 2.0 RSDS - PDB 7.0 Age – number of times the malware has been compiled

30

31 Coms Communications Functions Installation & Deployment Method
Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques

32 Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

33 Command and Control Server
The C&C system may vary Custom protocol (Aurora-like) Plain Old URL’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database

34 ‘SoySauce’ C&C Hello Message
this queries the uptime of the machine.. checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

35

36 SLIDES PAST THIS POINT ARE SCRATCH AREA

37 How a program looks in memory
Physical Memory Virtual Memory PE Header Tables Data Code More data

38 OS Loader In memory, traditional checksums don’t work
DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Software Traits remain consistent MD5 Checksum reliable

39 OS Loader Physical memory tends to get around the ‘packing’ problem
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Physical memory tends to get around the ‘packing’ problem As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Starting Malware Packed Malware Software Traits remain consistent

40 Same malware compiled in three different ways OS Loader
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Software Traits remain consistent

41 Toolkits can be detected Toolkit traits are apparent
IN MEMORY IMAGE OS Loader Toolkits can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit traits are apparent Packed

42 Source Code Core that the developer keeps re-using 3rd party sources
‘Hello World’ equivalent for malware Service, Driver, Dropper, Browser Helper Object, etc. 3rd party sources Functions that are cut-and-paste into the malware Encryption, communications, enumeration, etc.

43 Programming Language C C++ Delphi
ECX is used as the *this pointer in function calls Delphi Apparent in ASCII strings that are embedded

44 Name Mangling TODO

45 3rd Party Libraries Static or dynamic linking Compression / Encryption
OpenSSL gzip

46 Tweaks and Mods Especially good for detecting a developer
May change often, evolve over time

47 Compiler & Machine Version of compiler Machine-data leakage
GUID V1 leaks MAC address Compile time

48 Custom Crimeware Programming Houses
These guys are going to resell the same code 500 times with different icons…

49

50 Pay-per-install.org

51 Rogueware 35 million computers infected every month with rogueware.
Some eastern European groups are making over $34 million dollars a month on this scam alone. “The Business of Rogueware.pdf” – Panda Security

52 Packing UPX VMProtect Themida ASProtect

53

54 Country of Origin ZeuS C&C server source code. Written in PHP Specific “Hello” response (note, can be queried from remote to fingerprint server) Clearly written in Russian In many cases, the authors make no attempt to hide…. You can purchase ZeuS and just read the source code…

55 User Language Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality Be aware some technologies have multiple language support Resource-culture-codes for embedded resources in the EXE

56 These commands map to a foreign language keyboard.

57 The embedded executable is tagged with Chinese PRC Culture code

58 Embedded Manifest TODO

Download ppt "Malware Attribution ROUGH DRAFT OUTLINE."

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Portability CPSC 315 – Programming Studio Spring 2008 Material from The Practice of Programming, by Pike and Kernighan.

Portability CPSC 315 – Programming Studio Spring 2008 Material from The Practice of Programming, by Pike and Kernighan.
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
CIS 330 -.NET Applications1 Chapter 2 –.NET Component- Oriented Programming Essentials.

CIS NET Applications1 Chapter 2 –.NET Component- Oriented Programming Essentials.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.

Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
© Janice Regan, CMPT 300, May 2007 0 CMPT 300 Introduction to Operating Systems Memory: Relocation.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Dealing with Malware By: Brandon Payne Image source: TechTips.com.

Dealing with Malware By: Brandon Payne Image source: TechTips.com.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Module: Software Engineering of Web Applications Chapter 2: Technologies 1.

Module: Software Engineering of Web Applications Chapter 2: Technologies 1.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Chapter 1 Real World Incidents Spring 2016 - Incident Response & Computer Forensics.

Chapter 1 Real World Incidents Spring Incident Response & Computer Forensics.

Similar presentations

Ads by Google