Analysis of APT attacks
Transcript

  • 1. Understanding targeted attacks
    • Saturday, February 4, 2012
  • 2. Who am I?
    • Jaime Blasco
    • AlienVault Labs Manager
  • 3. What are we talking about?
    • A group of sophisticated, coordinated attackers with political, financial or military motives.
    • The intruder can exploit publicly known vulnerabilities, but the attackers are also highly skilled and well funded and can research and exploit new vulnerabilities.
    • The attacker wants to accomplish a mission that can take place over months.
  • 4. Agenda
    • cat /dev/urandom
  • 5. Example: Kalachakra
    • Camp information at Bodhgaya.doc
    • CVE-2010-3333
  • 6. Spear phishing
  • 7. Shellcode: staged XOR loader
  • 8. Shellcode
    • Resolves imports by hashes
    • ROR used to generate the hashes (ror ebx, 7)
  • 9. Shellcode
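The import-by-hash resolution on slide 8 can be reproduced offline: hash every export name the same way the stub does and look up the constants lifted from the disassembly. The block below is an added example, not code from the deck. It assumes the hash is `h = ror32(h, 7) + byte` over the ASCII export name (the slide's `ror ebx, 7`); whether the terminating NUL is also fed in varies between loaders, so the function exposes that as a switch. The export list is a constructed sample, not a real kernel32 export table.

```python
"""ROR-7 import hashing as described on the shellcode slides (added example)."""

MASK32 = 0xFFFFFFFF

# Constructed sample of export names; a real lookup walks the export table of
# the module the stub resolves against (kernel32.dll for the usual loader).
SAMPLE_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "WinExec",
    "ExitProcess",
]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits, matching x86 ROR."""
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror7_hash(name: str, include_nul: bool = False) -> int:
    """Hash an export name as the stub does: h = ror32(h, 7) + byte.

    include_nul=True also feeds the terminating 0x00, a variant some loaders
    use (assumption); it changes the constant, so try both if a lookup fails.
    """
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for byte in data:
        h = (ror32(h, 7) + byte) & MASK32
    return h


def build_hash_table(exports, include_nul: bool = False) -> dict:
    """Precompute hash -> name so constants lifted from the stub can be looked up."""
    table = {}
    for name in exports:
        h = ror7_hash(name, include_nul)
        # A 32-bit hash can collide; keep the first hit instead of silently
        # overwriting it so a collision stays visible during analysis.
        table.setdefault(h, name)
    return table


def resolve_hashes(hashes, exports=SAMPLE_EXPORTS, include_nul: bool = False) -> dict:
    """Map hash constants found in the shellcode to export names (None if unknown)."""
    table = build_hash_table(exports, include_nul)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constants the way an analyst would pull them out of the disassembly.
    wanted = [ror7_hash("LoadLibraryA"), ror7_hash("GetProcAddress"), 0xDEADBEEF]
    for h, name in resolve_hashes(wanted).items():
        print(f"0x{h:08x} -> {name}")
```

Run it against the real export list of the module the stub walks (kernel32.dll first, since that is where LoadLibraryA/GetProcAddress live); an unresolved constant usually means the stub hashes a different byte sequence (NUL included, uppercase, or module name prepended) rather than a different rotation.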
  • 10. Dropped EXE
  • 11. Dropped EXE
    • Language of the compilation system: Chinese
    • Dropped files:
      • C:\Documents and Settings\Administrator\7240672406.dat
      • C:\Documents and Settings\Administrator\temp.dat
    • Marks its presence on the system:
  • 12. 7240672406.dat
  • 13. Injection
  • 14. Obfuscation
  • 15. Injected code
    • User Mode Process Dumper
    • WinDbg to the rescue:
  • 16. C&C traffic
      GET / HTTP/1.0
      Accept: */*
      Accept-Language: zh-cn
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
      Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
      Connection: Keep-Alive
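The beacon on slide 16 is recognisable without knowing the C&C address: the Host header carries a full path and query string (Host may only contain host[:port]; the Windows Update URL is placed there so the line looks harmless in a proxy log), and the User-Agent claims two MSIE versions at once. The block below is an added example, not code from the deck: it parses request heads and reports which of those two rules each one trips. BEACON is the request from slide 16; BENIGN is a constructed request showing what a client that really fetched that URL would send.

```python
"""Triage the slide-16 beacon by structural HTTP anomalies (added example)."""

import re

# Request as printed on slide 16.
BEACON = (
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed for contrast: path in the request line, hostname only in Host.
BENIGN = (
    "GET /windowsupdate/v7/default.aspx?ln=en-us HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Simplified Host grammar: hostname or IPv4 literal, optional port, nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
MSIE_RE = re.compile(r"MSIE \d+(\.\d+)?")


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request head into method, target, version and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a junk line rather than drop the whole request
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def score_request(raw: str) -> list:
    """Return the names of the anomaly rules the request trips (empty if none)."""
    req = parse_request(raw)
    hdr = req["headers"]
    findings = []
    host = hdr.get("host", "")
    # A missing Host is legal for HTTP/1.0, so only judge a Host that is present.
    if host and not HOST_RE.match(host):
        findings.append("host_header_contains_path")
    if len(MSIE_RE.findall(hdr.get("user-agent", ""))) > 1:
        findings.append("user_agent_multiple_msie")
    return findings


def is_beacon(raw: str) -> bool:
    """Verdict: any tripped rule marks the request for analyst review."""
    return bool(score_request(raw))


if __name__ == "__main__":
    for label, raw in (("beacon", BEACON), ("benign", BENIGN)):
        print(label, score_request(raw))
```

Both rules are header-syntax checks, so they keep working when the operator moves the C&C server; pair them with the IP-based indicators for the current sample rather than replacing them.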
  • 17. kalachakra32.doc
  • 18. Dropped EXE
    • Created files: AhnLab-V3, DrWeb, Jiangmin
  • 19. Embedded resource
  • 20. Debug info
      .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!
      .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConfigDataSize = [40]
      .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!
      .install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!
      .install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]
      .install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!
      .install.cpp-InstallSrvPlugin-295: StartServiceEx!
      .SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]
      .SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread
      .SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
      .SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
  • 21. Create service
      "20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START","lpBinaryPathName->C:\WINDOWS\system32\rundll32.exe "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll",ServiceEntry"
  • 22. AV aware
    • Checks for kisknl.sys (Kingsoft Antivirus)
    • Looks for KSafeTray.exe and disables it: OpenThread -> SuspendThread
    • Checks for TmComm.sys (Trend Micro)
    • Checks for HookPort.sys (QQ 360)
    • Depending on the AV present, uses the native API to install the service or the following method:
      • FindWindowA("CabinetWClass", WindowName);
      • FindWindowExA(v15, 0, "WorkerW", 0);
      • SendMessageA, RegOpenKeyExA, SYSTEM\CurrentControlSet\Services
  • 23. WTF!
  • 24. Real world
  • 25. Sykipot
  • 26. Exploits
  • 27. Samples
  • 28. Features
  • 29. C&C servers
  • 30. Certificate access
  • 31. Smartcard access
  • 32. OpenIOC
    • Indicators of Compromise
    • XML format to describe:
      • File attributes
      • Registry entries
      • Process attributes
      • Network attributes
      • ...
    • http://openioc.org/
  • 33. Example
  • 34. Example
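Slides 32 to 34 introduce OpenIOC as the way to package what the earlier slides found. The block below is an added example, not code from the deck or from openioc.org: a small OpenIOC 1.0 evaluator plus an IOC document built from the Kalachakra artefacts on the slides (the dropped file 7240672406.dat, the service name 5a1bcffe, and the C&C host 218.106.193.184 on port 81). The IOC id is a placeholder rather than a real GUID, the term names (FileItem/FileName, ServiceItem/name, PortItem/remoteIP, PortItem/remotePort) follow the OpenIOC 1.0 term list as I know it and should be checked against your tool's list, and the host snapshots it is evaluated against are constructed. The point it shows beyond the slides is the AND semantics: two PortItem terms under one AND must be satisfied by the same connection, not by two different ones.

```python
"""Minimal OpenIOC 1.0 evaluator for the Kalachakra indicators (added example)."""

import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed IOC: placeholder id, values taken from the slides.
KALACHAKRA_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2012-02-04T00:00:00">
  <short_description>Kalachakra dropper (constructed example)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">7240672406.dat</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
        <Content type="string">5a1bcffe</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">218.106.193.184</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">81</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots: one record per collected object, keyed by term name.
INFECTED_HOST = [
    {"FileItem/FileName": "7240672406.dat"},
    {"ServiceItem/name": "5a1bcffe"},
    {"PortItem/remoteIP": "218.106.193.184", "PortItem/remotePort": 81},
]
CLEAN_HOST = [
    {"FileItem/FileName": "notes.txt"},
    {"ServiceItem/name": "wuauserv"},
    {"PortItem/remoteIP": "93.184.216.34", "PortItem/remotePort": 443},
]
# Talks to the C&C address on another port, and to some other host on 81:
# no single connection satisfies the AND, so the IOC must not fire.
PARTIAL_HOST = [
    {"PortItem/remoteIP": "218.106.193.184", "PortItem/remotePort": 443},
    {"PortItem/remoteIP": "10.0.0.5", "PortItem/remotePort": 81},
]


def _item_matches(item, record) -> bool:
    """Evaluate one IndicatorItem against one observed record."""
    term = item.find(NS + "Context").get("search")
    expected = (item.find(NS + "Content").text or "").strip().lower()
    observed = record.get(term)
    if observed is None:
        return False
    observed = str(observed).lower()  # assumption: comparisons are case-insensitive
    cond = item.get("condition", "is")
    if cond == "is":
        return observed == expected
    if cond == "contains":
        return expected in observed
    raise ValueError(f"unsupported condition {cond!r}")


def _evaluate(node, records) -> bool:
    if node.tag == NS + "IndicatorItem":
        return any(_item_matches(node, r) for r in records)
    if node.tag != NS + "Indicator":
        raise ValueError(f"unexpected element {node.tag}")
    children = list(node)
    op = node.get("operator", "OR").upper()
    if op == "OR":
        return any(_evaluate(c, records) for c in children)
    if op == "AND":
        items = [c for c in children if c.tag == NS + "IndicatorItem"]
        docs = {c.find(NS + "Context").get("document") for c in items}
        if len(items) == len(children) and len(docs) == 1:
            # AND over items of one document type: the SAME object must satisfy
            # all of them (one connection with that IP and that port).
            return any(all(_item_matches(i, r) for i in items) for r in records)
        return all(_evaluate(c, records) for c in children)
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_ioc(ioc_xml: str, records) -> bool:
    """True if the host snapshot `records` matches the IOC definition."""
    root = ET.fromstring(ioc_xml)
    top = root.find(NS + "definition").find(NS + "Indicator")
    return _evaluate(top, records)
```

Only the `is` and `contains` conditions are implemented; a production evaluator also needs the other OpenIOC conditions and the `preserve-case` / `negate` attributes, and it should read the records from an actual collector rather than the dictionaries embedded here.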
  • 35. Thank you
    • Follow me on twitter: jaimeblascob