1. Attribution for Intrusion Detection
Greg Hoglund
CEO, HBGary, Inc.

2. We can do better
IDS only works if you have the right patterns, but how do you make those patterns smarter and more real-time?
Stop depending on the security vendor for DAT files and signature databases
Tune your IDS to detect the threats that are custom to your environment
You need to extract & leverage the evidence that already exists in your own enterprise

3. Threat Intelligence Cycle
Update NIDS
Search Logs
Adverse Event
More Compromise
Compromise Detected
Scan for IOC’s
Get Threat Intel from the host
Reimage Machine

4. Evolving Threat Landscape

5. Evolving Threat Landscape
Adversaries are funded and well equipped
The bad guys are entrenched
AV losing credibility
Web-based attack has 10%-45% chance of bypassing the AntiVirus protection (NSS, Q3 2010)
Exploit-based attack has 25%-97% chance of bypassing the AntiVirus protection (NSS, Q3 2010)

6. Social Networking
A new way to target individuals and workers within a specific industry group
It’s easy to create a false digital identity

7. Attack Vectors Spear-phishing
Booby-trapped documents
Fake-Links to drive-by websites
Trap postings on industry-focused social networks
Forums, Groups (clinician list-servs, AMDIS, web forums)
SQL injections into web-based portals
Employee benefit portals, external labs, etc.

8. Boobytrapped Documents
This is the current trend
Single most effective focused attack today
Human crafts text

9. you know they will click it

10. Social Networking Space
Web-based attack
Social Networking Space
Injected Java-script
Used heavily for large scale infections
Focused, Social network targeting is possible

11. SQL attack, inserts IFRAME or script tags
SQL Injection
SQL attack, inserts IFRAME or script tags

12. The web-based portal is quite helpful

13. Using SEO tracker

14. Google Web Portal Search

15. My First Hit on allinurl:”exchange/logon
My First Hit on allinurl:”exchange/logon.asp” – I haven’t even started yet…

16. Perimeter-less Network
Excuse me while I disconnect from the corporate network, I need to use my mobile hotspot to check facebook…
The host matters more than ever
Regardless of the network data path, the data ends up on the host

17. Cyber Weapons Market
Foreign Intelligence Services, Criminals, and Terrorist’s don’t need to have expert hackers, they can just buy exploits for money
Fully weaponized and ready to use
Mostly developed out of the Eastern Bloc

18. Selling Access to Your Network
Access to your networks is being auctioned

19. They will install for you
Minimum is 1,000 installs – this would be about $100,000 for US installs.

20. Recruiting All Exploiters
Pays per 1,000 infections *

21. Custom Crimeware Programming Houses

22. Eleonore (exploit pack)

23. Tornado (exploit pack)

24. Attribution

25. Sources of Intelligence
Data at rest
Data in motion
Data in execution
This is the gap, and it exists only at the host

26. White listing on disk doesn’t prevent malware from being in memory
Internet Document
PDF, Active X, Flash
Office Document, Video, etc…
DISK FILE
IN MEMORY IMAGE
Public Attack-kits have used memory-only injection for
over 6 years
OS Loader
White listing on disk doesn’t prevent malware from being in memory
Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code.
MD5 Checksum
is white listed
White listed code does not mean secure code
Process is trusted

27. OS Loader In memory, traditional checksums don’t work
DISK FILE
IN MEMORY IMAGE
100% dynamic
Copied in full
Copied in part
OS Loader
In memory, traditional checksums don’t work
MD5 Checksum
is not consistent
Software Traits remain consistent
MD5 Checksum
reliable

28. OS Loader Physical memory tends to get around the ‘packing’ problem
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
Physical memory tends to get around the ‘packing’ problem
As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.
Starting Malware
Packed
Malware
Software Traits remain consistent

29. Same malware compiled in three different ways OS Loader
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors.
MD5 Checksums
all different
Software Traits remain consistent

30. Humans
Attribution is about the human behind the malware, not the specific malware variants
Focus must be on human-influenced factors
Move this way 
 Binary
Human 
We must move our aperture of visibility towards the human behind the malware

31. Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists
ATTRIBUTION-Derived
Developer Toolmarks
Signatures
Algorithms
NIDS sans address
Hooks
Protocol
Install
DNS name
IP Address
Checksums

32. Intelligence Spectrum
Blacklists
Net
Recon C2
Developer Fingerprints
TTP
Social Cyberspace DIGINT
Physical Surveillance HUMINT
 Nearly Useless
Nearly Impossible 
SSN & Missile
Coordinates of the Attacker
MD5 Checksum of a single malware sample
Sweet Spot
IDS signatures with long-term viability
Predict the attacker’s next moves

33. Developer Fingerprints
Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

34. The Flow of Forensic Toolmarks
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

35. Developer Fingerprints
Archaeology layer
Net
Recon C2
Developer Fingerprints
TTP
Actions / Intent (attacker’s behavior, as opposed to code)
Installation + Deployment method
Command + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)
COMS (code level view, as opposed to network sniff)
Defensive / Antiforensics (usually a packer, easily changed)
Exploit weaponization / delivery vehicle
Shellcode
DNS, C2 Protocol, Encryption Method (high rate of change)

36. Rule #1
The human is lazy
The use kits and systems to change checksums, hide from A/V, and get around IDS
They DON’T rewrite their code every morning

37. Rule #2
Most attackers are focused on rapid reaction to network-level filtering and black-holes
Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic
They are not-so-focused on host level stealth
Most malware is simple in nature, and works great
Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

38. Rule #3 Physical memory is King
Once executing in memory, code has to be revealed, data has to be decrypted

39. Attribution Example: Paths

40. Core ‘Backbone’ Sourcecode
Paths
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

41. Example: Gh0stNet

42. GhostNet

43. NOTE: Packing is not fully effective here
GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
Packer Signature
MZx90
This progRy. y cannot be run in DOS mode
Embedded executable
NOTE: Packing is not fully effective here

44. GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
Resource Culture Code
0x0804
MZx90
The embedded executable is tagged with Chinese PRC Culture code
This progRy. y cannot be run in DOS mode

45. GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive.
0x0804
MZx90
MZx90
This program cannot be run in DOS mode
This progRy. y cannot be run in DOS mode
E:\gh0st\Server\Release\install.pdb
Embedded PDB Path

46. For Immediate Defense…
 Useless
Human 
MD5 of the Gh0stNet dropper.EXE
Query: “Find Attacker’s PDB Path”
PDB Path found within extracted EXE
RawVolume.File.BinaryData
contains
“gh0st\”

47. Link Analysis
“gh0st\”
The web reveals Chinese hacker sites that reference the “gh0st\” artifact

48. GhostNet: Backdoor
The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver.
UPX!
MZx90
MZx90
This program cannot be run in DOS mode
E:\gh0st\Server\Release\install.pdb
MZx90
MZx90
e:\gh0st\server\sys\i386\RESSDT.pdb
Another embedded EXE
Another PDB path

49. Our defense…
Query: “Find Attacker’s PDB Path”
RawVolume.File.BinaryData
contains
“gh0st\”
Even if we had not known about the second executable, our defense would have worked. This is how moving towards the human offers predicative capability.

50. What do we know…
i386 directory is common to device drivers. Other clues:
sys directory
‘SSDT’ in the name
SSDT means System Service Descriptor Table – this is a common place for rootkits and HIPS products to place hooks.
Also, embedded strings in the binary are known driver calls:
IoXXXX family
KeServiceDescriptorTable
ProbeForXXXX
KeServiceDescriptorTable is used when SSDT hooks are placed. We know this is a hooker.

51. What do we know…
IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, and friends are used when the driver communicates to usermode. This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver.
When communication takes place between usermode & kernelmode, there will be a device path.

52. For Immediate Defense…
MD5 of the Gh0stNet dropper.EXE
Device Path of the kernel mode driver and the Symbolic Link name
 Useless
Human 
Query: “Find Rootkit Device Path or Symlink”
Physmem.WindowsObject.Name
contains
“RESSDT”

53. Link Analysis
“RESSDT”
A readme file on Kasperky’s site references a Ressdt rootkit.

54. Doc/View is usually MFC
TMC
Rootkit
e:\gh0st\server\sys\i386\RESSDT.pdb
e:\job\gh0st\Release\Loader.pdb
Cgh0stView
Cgh0stDoc
e:\job\gh0st\Release\gh0st.pdb
C:\gh0st3.6_src\HACKER\i386\HACKE.pdb
\gh0st3.6_src\Server\sys\i386\CHENQI.pdb
Dropper
GUI (MFC)
Doc/View is usually MFC
Rootkits
Already at version 3.6

55. gh0st _RAT, source code, team, and forum

56. Case Study: Chinese APT
2004
2005
2007
2009
2010
SvcHost.DLL.log
SvcHost.DLL.log &
“bind cmd frist!”
SvcHost.DLL.log
Just “bind cmd frist!”

57. Attribution Example: Timestamps

58. Core ‘Backbone’ Sourcecode
Timestamps
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

59. Image Data Directories
PE Timestamps
PE file
Module timestamp*
time_t (32 bit)
e_lfanew
The ‘lmv’ command in WinDBG will show this value..
Image File Header
Optional Header
Image Data Directories
IMAGE DEBUG DIRECTORY
Debug timestamp
time_t (32 bit)
This is present if an external PDB file is associated with the EXE
*This is not the same as NTFS file times, which are 64 bit and stored in the NTFS file structures.

60. Timestamp Formats time_t – 32 bit, seconds since Jan. 1 1970 UTC
0x3DE03E0A  usually start with ‘3’ or ‘4’
‘3’ started in 1995 and ‘4’ ends in 2012
Use ‘ctime’ function to convert
FILETIME – 64 bit, 100-nanosecond intervals since Jan UTC
0x01C195C2.5100E190  usually start with ‘01’ and a letter
01A began in 1972 and 01F ends in 2057
Use FileTimeToSystemTime(), GetDateFormat(), and GetTimeFormat() to convert

61. Case Study: Chinese APT
2004
2005
2007
2009
2010
XX/XX/2005 – XX:XX PM
12/XX/2007 – X:XX AM
12/XX/2007 – X:XX PM
11/XX/2009 – 9:XX AM
2/XX/2010 – XX:XX AM
12/XX/2009 – 11:XX PM
3/XX/2010 – XX:XX AM
3/XX/2010 – XX:XX PM
Compile times extracted from ‘soysauce’ backdoor program.
3/XX/2010 – XX:XX PM

62. For Immediate Defense…
Compile time
 Useless
Human 
Query: “Find Modules Created Within Attack Window”
RawVolume.File.CompileTime
>
3/1/2010
<
3/31/2010

63. Attribution Example: Sourcecode

64. Source Code Clues
Bad guys keep re-using their same source code

65. Source Code Trade!

66. Core ‘Backbone’ Sourcecode
Tracking Source Code
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

67. Main Functions Main DllMain ServiceMain Same argument parsing
Init of global variables
WSAStartup
DllMain
ServiceMain

68. Service Routines Install / Uninstall Service RunDll32
Service Start/Stop
ServiceMain
ControlService

69. Hard coded sleep( ) times
Skeleton of a service
Sleep loop at end
DllMain() {
// store the HANDLE to the module in a global variable }
ServiceMain()
// RegisterServiceCtrlHandler & store handle to service in global variable
// call SetServiceStatus, set PENDING, then RUNNING
// call to main malware function(s)
ServiceCtrlHandler_Callback
// handle various commands, start/stop/pause/etc
dwWaitHint
Size of local buffer
Hard coded sleep( ) times

70. Skeleton of a service Size of local buffer Service Name
Main_Malware_Function {
// do stuff }
InstallService()
// OpenSCManager
// CreateService
UninstallService()
// DeleteService
Size of local buffer
Service Name
Exception Handling
Registry Keys

71. Filename Creation Log files, EXE’s, DLL’s Subdirectories
Environment Variables
Random numbers

72. Case Study: Chinese APT
2004
2005
2009
2010
2005 posting of similar source code, includes poster’s handle.

73. Case Study: Chinese APT
Continued searching will reveal many, many references to the base source code of this malware.
All malware samples for this attacker are derived from this basic framework, but many additions & modifications have been made.

74. Core ‘Backbone’ Sourcecode
3rd Party SourceCode
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

75. Format Strings
These are written by humans, so they provide good uniqueness

76. Logging Strings Searching for: “Unable to determine” & “Unknown type!”
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material.

78. Mutex Names
Mutex names remain consistent at least for one infection-push, as they are designed to prevent multiple-infections for the same malware.

79. Link Analysis

80. GhostNet: Searching for sourcecode
Large grouping of constants
Search source code of the ‘Net

81. GhostNet: Refining Search
Has something to do with audio…
Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…

82. GhostNet: Source Discovery
We discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste.
We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.

83. Attribution Example: Command and Control

84. Command & Control Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

85. Command and Control
Remote attackers must communicate with embedded access, this is their primary weakness
We need to detection signatures for these COMS channels

86. API Usage
Once code is decrypted, remote access behaviors are always the same – if you have host access this is a great way to detect compromise

87. Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME
VICTIM IP
ADMIN?
OS VERSION
HD SERIAL NUMBER

88. C&C Hello Message this queries the uptime of the machine..
checks whether it's a laptop or desktop machine...
enumerates all the drives attached to the system, including USB and network...
gets the windows username and computername...
gets the CPU info... and finally,
the version and build number of windows.

89. Command and Control Server
The C&C system may vary
Custom protocol (Aurora-like)
Plain Old URL’s
IRC (not so common anymore)
Stealth / embedded in legitimate traffic
Machine identification
Stored infections in a back end SQL database

90. Aurora C&C parser
Command is stored as a number, not text. It is checked here.
Each individual command handler is clearly visible below the numerical check
After the command handler processes the command, the result is sent back to the C&C server

91. Attribution Example: Algorithms

92. GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display.
Reads screenshot data, creates a special DIFF buffer
LOOP: Compare new screenshot to previous, 4 bytes at a time
If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match.
Offset in screenshot
Len in bytes
Data….

93. How to apply attribution

94. Continuous Protection
The bad guys are going to get in. Accept it.
Because intruders are always present, you need to have a continuous countering force to detect and remove them.
Your continuous protection solution needs to get smarter over time – it must learn how the attackers work and get better at detecting them. Security is an intelligence problem.

95. Continuous Protection
Inoculate
Update NIDS
Adverse Event
Breakdown #3
Check AV Log
Breakdown #1
More Compromise
Check with AD
Scan for IOC’s
Breakdown #2
Compromise Detected
Reimage Machine
Get Threat Intel

96. The Breakdowns #1 – Trusting the AV #2 – Not using threat intelligence
AV doesn’t detect most malware, even variants of malware that it’s supposed to detect
#2 – Not using threat intelligence
The only way to get better at detecting intrusion is to learn how to detect them next time
#3 – Not preventing re-infection
If you don’t harden your network then you are just throwing money away

97. The Intelligent Perimeter
Connect host-based intelligence back to the perimeter security devices
Extract any C2 / DNS / Protocol from physical memory and apply to NIDS

98. Host System Analysis Address all three of these:
Physical Memory
Raw Disk (forensically sound)
Live Operating System (for speed, agentless)
Be able to extract artifacts from all three sources

99. Timelines Any timestamped event, regardless of source
Make easy to extract in one step
User registry
Event log
MFT
Temporary internet files
Prefetch
Etc…

100. Malware Analysis This needs to be easy
No more disassembly, just show me the strings!

101. Intelligent Perimeter
The Solution
Inoculate
Update NIDS
Intelligent Perimeter
COMS
Adverse Event
More Compromise
Compromise Detected
Scan Hosts
Artifacts
Malware Analysis
Timelines
Host Analysis
Reimage Machine
Get Threat Intel

102. For copies of this slide deck contact
Thank you
HBGary, Inc.
For copies of this slide deck contact
Karen Burke