1 Tracking Cyber Spies & Digital Criminals Greg Hoglund HBGary, IncMalware Attribution Tracking Cyber Spies & Digital Criminals Greg Hoglund HBGary, Inc Blackhat Vegas 2010
2 The Bad Guys are WinningCybercrime & espionage is the dominant criminal problem globally, surpassing the drug trade Russians made more money last year in banking fraud than the Columbians made selling cocaine Chinese are crawling all over commercial & government networks The largest computing cloud in the world is controlled by Conficker 6.4 million computer systems* 230 countries 230 top level domains globally 18 million+ CPUs 28 terabits per second of bandwidth *http://www.readwriteweb.com/cloud/2010/04/the-largest-cloud-in-the-world.php
3 Humans Attribution is about the human behind the malware, not the specific malware variants Focus must be on human-influenced factors Move this way Binary Human We must move our aperture of visibility towards the human behind the malware
4 Payment system developer$500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $ per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%
5 Installs Marketplace
6 Intelligence SpectrumBlacklists Net Recon C2 Developer Fingerprints TTP Social Cyberspace DIGINT Physical Surveillance HUMINT Nearly Useless Nearly Impossible SSN & Missile Coordinates of the Attacker MD5 Checksum of a single malware sample Sweet Spot IDS signatures with long-term viability Predict the attacker’s next moves
7 Developer FingerprintsArchaeology layer Net Recon C2 Developer Fingerprints TTP Actions / Intent (attacker’s behavior, as opposed to code) Installation + Deployment method Command + Control (primary outer loops) CNA (spreader) CNE (search and exfil tools) COMS (code level view, as opposed to network sniff) Defensive / Antiforensics (usually a packer, easily changed) Exploit weaponization / delivery vehicle Shellcode DNS, C2 Protocol, Encryption Method (high rate of change)
8 Intel Value Window Lifetime Minutes Hours Days Weeks Months YearsBlacklists ATTRIBUTION-Derived Developer Toolmarks Signatures Algorithms NIDS sans address Hooks Protocol Install DNS name IP Address Checksums
9 Rule #1 The human is lazy The use kits and systems to change checksums, hide from A/V, and get around IDS They DON’T rewrite their code every morning
10 Rule #2 Most attackers are focused on rapid reaction to network-level filtering and black-holes Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic They are not-so-focused on host level stealth Most malware is simple in nature, and works great Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this
11 Rule #3 Physical memory is KingOnce executing in memory, code has to be revealed, data has to be decrypted
12 OS Loader In memory, traditional checksums don’t workDISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Software Traits remain consistent MD5 Checksum reliable
13 OS Loader Physical memory tends to get around the ‘packing’ problemIN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Physical memory tends to get around the ‘packing’ problem Starting Malware As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Packed Malware Software Traits remain consistent
14 Same malware compiled in three different ways OS LoaderDISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Software Traits remain consistent
15 Attribution is Not HardIf you can read a packet sniffer, you can attribute malware Yes, this means more people in your organization can do this Focus on strings and human-readable data within a malware program In most cases, code-level reverse engineering is not required
16 The Flow of Forensic ToolmarksMachine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
17 Developer FingerprintsCommunications Functions Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques
18 Toolkit Fingerprints Machine PPI Affiliate Packed Malware Toolkit
19 Toolkits can be detected Toolkit traits are apparentIN MEMORY IMAGE OS Loader Toolkits can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit traits are apparent Packed
20 Core ‘Backbone’ SourcecodePaths Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
21 Example: Gh0stNet
22 GhostNet
23 NOTE: Packing is not fully effective hereGhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Packer Signature MZx90 This progRy. y cannot be run in DOS mode Embedded executable NOTE: Packing is not fully effective here
24 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Resource Culture Code 0x0804 MZx90 The embedded executable is tagged with Chinese PRC Culture code This progRy. y cannot be run in DOS mode
25 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive. 0x0804 MZx90 MZx90 This program cannot be run in DOS mode This progRy. y cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb Embedded PDB Path
26 For Immediate Defense… Useless Human MD5 of the Gh0stNet dropper.EXE Query: “Find Attacker’s PDB Path” PDB Path found within extracted EXE RawVolume.File.BinaryData contains “gh0st\” { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://slideplayer.com/12265938/72/images/26/For+Immediate+Defense%E2%80%A6.jpg", "name": "For Immediate Defense…", "description": " Useless. Human MD5 of the Gh0stNet dropper.EXE. Query: Find Attacker’s PDB Path PDB Path found within extracted EXE. RawVolume.File.BinaryData. contains. gh0st\", "width": "1024" }
28 GhostNet: Backdoor The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver. UPX! MZx90 MZx90 This program cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb MZx90 MZx90 e:\gh0st\server\sys\i386\RESSDT.pdb Another embedded EXE Another PDB path
30 What do we know… i386 directory is common to device drivers. Other clues: sys directory ‘SSDT’ in the name SSDT means System Service Descriptor Table – this is a common place for rootkits and HIPS products to place hooks. Also, embedded strings in the binary are known driver calls: IoXXXX family KeServiceDescriptorTable ProbeForXXXX KeServiceDescriptorTable is used when SSDT hooks are placed. We know this is a hooker.
31 What do we know… IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, and friends are used when the driver communicates to usermode. This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver. When communication takes place between usermode & kernelmode, there will be a device path.
32 For Immediate Defense…MD5 of the Gh0stNet dropper.EXE Device Path of the kernel mode driver and the Symbolic Link name Useless Human Query: “Find Rootkit Device Path or Symlink” Physmem.WindowsObject.Name contains “RESSDT”
33 Link Analysis “RESSDT” A readme file on Kasperky’s site references a Ressdt rootkit.
34 Doc/View is usually MFCTMC Rootkit e:\gh0st\server\sys\i386\RESSDT.pdb e:\job\gh0st\Release\Loader.pdb Cgh0stView Cgh0stDoc e:\job\gh0st\Release\gh0st.pdb C:\gh0st3.6_src\HACKER\i386\HACKE.pdb \gh0st3.6_src\Server\sys\i386\CHENQI.pdb Dropper GUI (MFC) Doc/View is usually MFC Rootkits Already at version 3.6
35 gh0st _RAT, source code, team, and forum
36 Case Study: Chinese APT2004 2005 2007 2009 2010 SvcHost.DLL.log SvcHost.DLL.log & “bind cmd frist!” SvcHost.DLL.log Just “bind cmd frist!”
37 Core ‘Backbone’ SourcecodeTimestamps Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
38 Image Data DirectoriesPE Timestamps PE file Module timestamp* time_t (32 bit) e_lfanew The ‘lmv’ command in WinDBG will show this value.. Image File Header Optional Header Image Data Directories IMAGE DEBUG DIRECTORY Debug timestamp time_t (32 bit) This is present if an external PDB file is associated with the EXE *This is not the same as NTFS file times, which are 64 bit and stored in the NTFS file structures.
39 Timestamp Formats time_t – 32 bit, seconds since Jan. 1 1970 UTC0x3DE03E0A usually start with ‘3’ or ‘4’ ‘3’ started in 1995 and ‘4’ ends in 2012 Use ‘ctime’ function to convert FILETIME – 64 bit, 100-nanosecond intervals since Jan UTC 0x01C195C2.5100E190 usually start with ‘01’ and a letter 01A began in 1972 and 01F ends in 2057 Use FileTimeToSystemTime(), GetDateFormat(), and GetTimeFormat() to convert
40 Case Study: Chinese APT2004 2005 2007 2009 2010 XX/XX/2005 – XX:XX PM 12/XX/2007 – X:XX AM 12/XX/2007 – X:XX PM 11/XX/2009 – 9:XX AM 2/XX/2010 – XX:XX AM 12/XX/2009 – 11:XX PM 3/XX/2010 – XX:XX AM 3/XX/2010 – XX:XX PM Compile times extracted from ‘soysauce’ backdoor program. 3/XX/2010 – XX:XX PM
41 For Immediate Defense…Compile time Useless Human Query: “Find Modules Created Within Attack Window” RawVolume.File.CompileTime > 3/1/2010 < 3/31/2010
42 Core ‘Backbone’ SourcecodeMAC Address Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
43 This technique was used to track the author of the Melissa virusGUID V1 The OSF specified algorithm for GUID V1 uses the MAC address of the network card for the last 48 bits of the 128 bit GUID This was deprecated on Windows 2000 and greater, so this has limited value {21EC2020-3AEA-1069-A2DD-08002B30309D} V1 GUIDS have a 1 in this position This is the MAC of the machine This technique was used to track the author of the Melissa virus
44 Core ‘Backbone’ SourcecodeCompiler Version Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
45 Visual Studio Static or dynamic linked runtime library?Single-threaded or multi-threaded? Use of STL? Use of older iostream libraries?* See: * support.microsoft.com/kb/154753
46 Visual Studio – Static LinkingVersion Libraries linked with Type Compiler flag VC++ .NET 2003 and earlier LIBC.LIB, LIBCP.LIB Single Threaded Static /ML LIBCD.LIB, LIBCPD.LIB /MLd All LIBCMT.LIB, LIBCPMT.LIB Multi-threaded Static /MT LIBCMTD.LIB, LIBCPMTD.LIB /MTd Visual Studio – Dynamic Linking Version DLL Linked with VC++ 4.2 MSVCRT.DLL/MSVCRTD.DLL VC++ 5.0 MSVCR50.DLL VC++ 6.0 MSVCR60.DLL VC++ .NET 2002 MSVCR70.DLL VC++ .NET 2003 MSVCR71.DLL VC++ .NET 2005 MSVCR80.DLL VC++ .NET 2008 MSVCR90.DLL
47 MFC "^MFC(?
48 Static Linking C runtime library strings will be embedded in the EXE itself, as opposed to being in an external DLL DOMAIN error TLOSS error SING error R6027 Other libraries can also be detected in same manner (MFC, OpenSSL, etc)
49 Debug Symbols Debug timestamp (time_t – seconds since 01.01.1970)Version of the PDB file NB09 - Codeview 4.10 NB11 - Codeview 5.0 NB10 - PDB 2.0 RSDS - PDB 7.0 Age – number of times the malware has been compiled
50 Debug Information FormatTypes: Standard Program Database Program Database for Edit and Continue (/ZI) C7 Compatible
51 Name Mangling
52 Undecorate Visual C++ demangle: DWORD WINAPI UnDecorateSymbolName(__in PCTSTR DecoratedName, __out PTSTR UnDecoratedName, __in DWORD UndecoratedLength, __in DWORD Flags ); Also, see source to winedbg GNU C++ demangle see libiberty/cplus-dem.c and include/demangle.h
53 Delphi Give-away strings: SOFTWARE\Borland\Delphi\RTLThis program must be run under Win32 - Borland’s tlink32 linker
54 Delphi Uses specific function names – easy to identifyLanguage is derived from Pascal 78 hits for pascal, only 2 for c++
55 DOS stubs MZ\x50 MX\x90 “This program cannot be run in DOS mode”VC, gcc, MASM “This program requires Microsoft Windows” “This program must be run under win32”
56 Embedded Manifest Contains name, description, platformContains list of dependent modules + versions May contain key tokens that identify specific dependent modules (aka strongly named) May contain public key that is tied to the developer if assembly itself is strongly named not likely! Public/private key pair (sn.exe)
.+)\\\ name=\\\ ( .+)\\\ type. \\\\
58 Choice of string handling functionsUNICODE, ASCII, MultiByte “wprintf” – wide “f_sprintf” – safe “(n|w)printf” – length check “_v” - var-arg “_f” - file output
59 Compiler Options Optimize for Size / Speed Inline Function ExpansionIntrinsic Functions Fast code over small code
60 Frame Pointer OmissionLook for a certain & of [esp] variable initializations Example: C mov dword ptr [esp+0x8],0x0 Don’t need a disassembler, this can be byte pattern based
61 Exception Handling Structured (SEH) Vectored“__except_handler3” or “__local_unwind3” – VS < 8.0 “__except_handler4” or “__local_unwind4” or “_XcptFilter” – VS 8.0+ 64 ff push dword fs:[0] (SEH save) mov fs:[0], esp (SEH init) Vectored “AddVectoredExceptionHandler” or “RemoveVectoredExceptionHandler”
62 Buffer Security ChecksF 8B 4D FC mov ecx,dword ptr [ebp-0x4] CD xor ecx,ebp E8 05 FC FF FF call 0x E▲ // sub_ E AddPattern(theList, "Buffer Security Checks", "8B 4D FC 33 CD E8", 1, 0, null);
63 Runtime Type Information (RTTI)"Run-Time Check Failure #%d"
64 Calling Convention __cdelc __stdcall __fastcall
65 C versus C++ Pattern is apparent when C++ objects are usedCall thru vtable
66 UAC asInvoker highestAvailable requireAdministrator“Bypass” UI Protection
67 Core ‘Backbone’ SourcecodeTracking Source Code Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
68 Main Functions Main DllMain ServiceMain Same argument parsingInit of global variables WSAStartup DllMain ServiceMain
69 Service Routines Install / Uninstall Service RunDll32Service Start/Stop ServiceMain ControlService
70 Hard coded sleep( ) timesSkeleton of a service Sleep loop at end DllMain() { // store the HANDLE to the module in a global variable } ServiceMain() // RegisterServiceCtrlHandler & store handle to service in global variable // call SetServiceStatus, set PENDING, then RUNNING // call to main malware function(s) ServiceCtrlHandler_Callback // handle various commands, start/stop/pause/etc dwWaitHint Size of local buffer Hard coded sleep( ) times
71 Skeleton of a service Size of local buffer Service NameMain_Malware_Function { // do stuff } InstallService() // OpenSCManager // CreateService UninstallService() // DeleteService Size of local buffer Service Name Exception Handling Registry Keys
72 Filename Creation Log files, EXE’s, DLL’s SubdirectoriesEnvironment Variables Random numbers
73 Case Study: Chinese APT2004 2005 2009 2010 2005 posting of similar source code, includes poster’s handle.
74 Case Study: Chinese APTContinued searching will reveal many, many references to the base source code of this malware. All malware samples for this attacker are derived from this basic framework, but many additions & modifications have been made.
75 Core ‘Backbone’ Sourcecode3rd Party SourceCode Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
76 Format Strings These are written by humans, so they provide good uniqueness
77 Logging Strings Searching for: “Unable to determine” & “Unknown type!”Reveals that the attacker is using the source-code of BO2k for cut-and-paste material.
78
79 Mutex Names Mutex names remain consistent at least for one infection-push, as they are designed to prevent multiple-infections for the same malware.
80 Link Analysis
81 Core ‘Backbone’ Sourcecode3rd Party Libraries Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries
82 Copyright & Version StringsOpenSSL/0.9.6 RAND part of OpenSSL 0.9.8e 23 Feb 2007 MD5 part of OpenSSL 0.9.8k 25 Mar 2009 libdes part of OpenSSL 0.9.7b 10 Apr 2003 inflate Copyright Mark Adler inflate Copyright Mark Adler inflate Copyright Mark Adler inflate Copyright Mark Adler inflate Copyright Mark Adler inflate Copyright Mark Adler inflate Copyright Mark Adler
83 zlib Fingerprinting Every new version of zlib has a unique pattern of bits in the data tables – these are modified for each version specifically This pattern is a data constant and can be used even if the copyright notices have been removed
84 inflate library patternsNot as specific as zlib patterns but can be used to detect the inflate decompressor
85 Installation & DeploymentCommunications Functions Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques
86 Case Study: Chinese APT2004 2005 2009 2010 Alters the DLL value of an existing service named “RemoteRegistry”: Original ServiceDll value: regsvc.dll Trojan ServiceDll value: regsvr.dll Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe Registers a service named “IPRIP” which operates as a DLL loaded under svchost.exe
87 Method used to find base of kernel32FindKernel32: pushad and esi, 0FFFF0000h mov ecx, 100h FK32_Loop: call TryAddress jnc FK32_Success sub esi, h loop FK32_Loop FK32_Hardcodes: mov esi, KERNEL32_WIN9X mov esi, KERNEL32_WINNT mov esi, KERNEL32_WIN2K mov esi, KERNEL32_WINME FK32_Fail: popad stc ret FK32_Success: mov [ebp + Kernel32], esi clc Mask off ESI to a page boundary Load ECX w/ a length to scan backwards from Subtract, try again Try a bunch of hard coded offsets if the scan fails
88 Command & Control Communications FunctionsDeveloper Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques
89 Command and Control Once installed, the malware phones home… TIMESTAMPSOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER
90 C&C Hello Message this queries the uptime of the machine..checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.
91 Command and Control ServerThe C&C system may vary Custom protocol (Aurora-like) Plain Old URL’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database
92 Aurora C&C parser Command is stored as a number, not text. It is checked here. Each individual command handler is clearly visible below the numerical check After the command handler processes the command, the result is sent back to the C&C server
93 Command & Control Communications FunctionsDeveloper Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Technique vds
94 Antidebugging Place SEH handler Divide by zero error DetectDebuggers:pushad PUT_SEH_HANDLER FD_Continue ; Use SEH to kill debuggers xor eax, eax ; Generate a exception (divide by 0) div eax ; RESTORE_SEH_HANDLER ; Here some abnormal occured jmp FD_Debugger_Found ; So lets quit FD_Continue: ; Execution should resume at this pnt RESTORE_SEH_HANDLER ; Remove handler mov eax, fs:[20h] ; Detect application-level debugger test eax, eax ; Is present? jnz FD_Debugger_Found ; Quit! popad ; No debuggers found, so restore clc ; registers, clear carry flag and ret ; return! FD_Debugger_Found: popad stc ret Divide by zero error
95 Debugger Detection Call IsDebuggerPresentOr, read offset 2 from the PEB structure mov eax, fs:[30h] mov eax, byte ptr [eax+2] test eax, eax jnz __found_debugger Check the Heap Manipulation Flags in NtGlobalFlags FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, FLG_HEAP_VALIDATE_PARAMETERS mov eax, fs:[30h] mov eax, [eax+68h] and eax, 0x70 test eax, eax jnz __found_debugger
96 Debugger Detection Heap Flags, not the same as NtGlobalFlags but affected by the use of FLG_HEAP_* mov eax, fs:[30h] mov eax, [eax+18h] process heap // EAX now points to the first heap header… mov eax, [eax+10h] heap flags member in the header // EAX can now be tested for any heap flags that may be enabled test eax, eax jnz __found_debugger
97 Debugger Detection NtQueryInformationProcessCalled with a ProcessInformationClass of 7 (ProcessDebugPort), will set ProcessInformation pointer to 0xFFFFFFFF if process is being debugged
98 Debugger Detection CheckRemoteDebuggerPresentThis just wraps NtQueryInformationProcess, but in this case the OUT DWORD is set to 1 (TRUE) if a debugger is present
99 Debugger Detection TRAP_FLAG Checking to see if it’s setOr, setting it with an exception handler The debugger would process the single step and the exception handler would not be called if a debugger were present
100 Debugger Detection ZwCloseIf a program is being debugged, calling ZwClose with an invalid handle will generate an exception STATUS_INVALID_HANDLE (0xC )
101 Debugger Detection SetUnhandledExceptionFilterWill not be called if a debugger is attached If a debugger is attached, the program will terminate due to the unhandled exception
102 Debugging and Timers Calling QueryPerformanceCounterCalling GetTickCount RDTSC instruction
103 Hiding a Thread from a DebuggerCall NtSetInformationThread with a ThreadInformationClass of 0x11 (ThreadHideFromDebugger) – the thread will be detached from any debuggers
104 Advanced Fingerprinting
105 GhostNet: Screen Capture AlgorithmLoops, scanning every 50th line (cY) of the display. Reads screenshot data, creates a special DIFF buffer LOOP: Compare new screenshot to previous, 4 bytes at a time If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match. Offset in screenshot Len in bytes Data….
106 GhostNet: Searching for sourcecodeLarge grouping of constants Search source code of the ‘Net
107 GhostNet: Refining SearchHas something to do with audio… Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…
108 GhostNet: Source DiscoveryWe discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste. We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.
109 On link analysis…
110 Example: Link Analysis with Palantir™Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor
111 Keylogger (link analysis)
112 Working back the timelineWho sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products
113 Penetrating CyberspacesMaintaining and building digital cover Non-attrib pop on ‘net Multiple identities Contribution for bonafides
114 carders.cc Final
115 Defining Threat GroupsSmallest atomic unit: the individual Largest cloud unit: the scam Fraud, IP-theft, access reseller A.B.C narrowing cloudspace to individual Developers Less than number of malware (with malware defined before MD5 created aka pre-packing) Users Larger than number of developers
116 Fingerprint.exe
117 Fingerprint Utility Developer Fingerprint Utility, Copyright 2010 HBGary, INC File: 1228ad2e39befa e98d8ed2890.livebin Original project name: RESSDT Developer's project directory: e:\gh0st\server\sys\i386 Compiler: Microsoft Visual C release User interface: Windows GDI/Common Controls Media: Windows multimedia API Media: Microsoft VfW (Video for Windows) Compression: Inflate Library version: 1.1.4 Networking: Windows sockets (TCP/IP) Networking: Windows Internet API Source directory: e:\gh0st\server\sys\i386
118 Sample compiled at 5:50:13 AM compared against DB“Smars” malware Sample compiled at 5:50:13 AM compared against DB All samples have different MD5 checksums, may have been packed in various ways. All but one score in 90%+ range.
119 The set of Mark Russinovich’s free system toolsThe set of Mark Russinovich’s free system tools. You can see which ones are just variants of the same source base, or were compiled on the same platform in or around the same time.
120 Clustering a malware collectionLarge number of samples Need to group self-similar items into “clusters” Like a “strange attractor” From the cluster, perform link analysis into social cyberspaces to find “participants” Some participants may “resolve” into a developer, user, or other archetype
121 system32 directory – Windows 7 64 bit ProfessionalOld-school DOS command EXE’s These were very small binaries with almost no fingerprint data More old school, but these have extra cmd-parsing features Hypigon Rebel Base Virut Autorun infecting sysinternals Language support binaries (NLS) tskill, tsdiscon, logoff, changelogon, etc Vobfus 1/41 on virtualtotal Azero YahLover Rungbu
122 HBGary, Inc.
123 HBGary, Inc.
124 HBGary, Inc.
125 Conclusion
126 Takeaways Actionable intelligence can be obtained from malware infections for immediate defense: File, Registry, and IP/URL information Existing security doesn’t stop ‘bad guys’ Go ‘beyond the checkbox’ Adversaries have intent and funding Need to focus on the criminal, not malware Attribution is possible thru forensic toolmarking combined with open and closed source intelligence
127 Continued Work Will be performing large-scale fingerprint analysis over 400gigs+ of malware captured by the U.S. Intelligence Community HBGary is interested in processing as many malware collections as possible, both targeted/APT and non-targeted, both classified and unclassified, commercial or govt/govt contractor
128 Fingerprint Download Get fingerprint from www.hbgary.com -- or --Stop by the HBGary booth to get a CD
129 Thank You HBGary, Inc. (www.hbgary.com)HBGary Federal (www.hbgaryfederal.com)