Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gh0st.

Published byDamon Potter Modified over 6 years ago

Similar presentations

Presentation on theme: "Gh0st."— Presentation transcript:

1 gh0st

2 Example: Gh0stNet

3 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Resource Culture Code 0x0804 MZx90 The embedded executable is tagged with Chinese PRC Culture code This progRy. y cannot be run in DOS mode

4 Link Analysis “gh0st\” The web reveals Chinese hacker sites that reference the “gh0st\” artifact

5 Link Analysis “RESSDT” A readme file on Kasperky’s site references a Ressdt rootkit.

6 Doc/View is usually MFC
TMC Rootkit e:\gh0st\server\sys\i386\RESSDT.pdb e:\job\gh0st\Release\Loader.pdb Cgh0stView Cgh0stDoc e:\job\gh0st\Release\gh0st.pdb C:\gh0st3.6_src\HACKER\i386\HACKE.pdb \gh0st3.6_src\Server\sys\i386\CHENQI.pdb Dropper GUI (MFC) Doc/View is usually MFC Rootkits Already at version 3.6

7 gh0st _RAT, source code, team, and forum

8 soysauce

9 Case Study: Chinese APT
2004 2005 2007 2009 2010 SvcHost.DLL.log SvcHost.DLL.log & “bind cmd frist!” SvcHost.DLL.log Just “bind cmd frist!”

10 Case Study: Chinese APT
2004 2005 2007 2009 2010 XX/XX/2005 – XX:XX PM 12/XX/2007 – X:XX AM 12/XX/2007 – X:XX PM 11/XX/2009 – 9:XX AM 2/XX/2010 – XX:XX AM 12/XX/2009 – 11:XX PM 3/XX/2010 – XX:XX AM 3/XX/2010 – XX:XX PM Compile times extracted from ‘soysauce’ backdoor program. 3/XX/2010 – XX:XX PM

11 Case Study: Chinese APT
2004 2005 2009 2010 Alters the DLL value of an existing service named “RemoteRegistry”: Original ServiceDll value: regsvc.dll Trojan ServiceDll value: regsvr.dll Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe

12 keylogger

13 Keylogger (link analysis)

14 HBGary’s fingerprint tool

15 The set of Mark Russinovich’s free system tools
The set of Mark Russinovich’s free system tools. You can see which ones are just variants of the same source base, or were compiled on the same platform in or around the same time.

16 system32 directory – Windows 7 64 bit Professional
Old-school DOS command EXE’s These were very small binaries with almost no fingerprint data More old school, but these have extra cmd-parsing features Hypigon Rebel Base Virut Autorun infecting sysinternals Language support binaries (NLS) tskill, tsdiscon, logoff, changelogon, etc Vobfus 1/41 on virtualtotal Azero YahLover Rungbu

17 HBGary, Inc.

18 HBGary, Inc.

19 HBGary, Inc.

Download ppt "Gh0st."

Similar presentations

In Review JAVA C++ GUIs - Windows Webopedia.com.

In Review JAVA C++ GUIs - Windows Webopedia.com.
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.

3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.

1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.

2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
The Basic Java Tools A text editor to write Java program source code. A compiler to translate source code into bytecode. An interpreter to translate.

The Basic Java Tools A text editor to write Java program source code. A compiler to translate source code into bytecode. An interpreter to translate.
WHAT IS PHP PHP is an HTML-embedded scripting language primarily used for dynamic Web applications.

WHAT IS PHP PHP is an HTML-embedded scripting language primarily used for dynamic Web applications.
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Parts of a Computer Why Use Binary Numbers? Source Code - Assembly - Machine Code.

Parts of a Computer Why Use Binary Numbers? Source Code - Assembly - Machine Code.
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,
By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.
How To Fix Common Computer Errors m.

How To Fix Common Computer Errors m.
Importing outside DLLs into.Net platform and using them By Anupama Atmakur.

Importing outside DLLs into.Net platform and using them By Anupama Atmakur.
Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.

Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.
SharePoint 2010 Development Environment A Guide to Setup SharePoint 2010 Development Environment on Windows 7 Machine.

SharePoint 2010 Development Environment A Guide to Setup SharePoint 2010 Development Environment on Windows 7 Machine.
Software Engineering in Robotics Packaging and Deployment of Systems Henrik I. Christensen –

Software Engineering in Robotics Packaging and Deployment of Systems Henrik I. Christensen –
Tutorial 121 Creating a New Web Forms Page You will find that creating Web Forms is similar to creating traditional Windows applications in Visual Basic.

Tutorial 121 Creating a New Web Forms Page You will find that creating Web Forms is similar to creating traditional Windows applications in Visual Basic.

Similar presentations

Ads by Google