The document discusses targeted attacks from sophisticated, coordinated groups. These attackers are highly skilled, well-funded and can research and exploit new vulnerabilities to accomplish missions over months. Specific examples discussed include the Kalachakra attack and details on its spearphishing techniques, dropped executables, and command and control traffic. Methods of antivirus evasion, real world samples, exploit techniques and command and control servers used by advanced persistent threat groups are also covered.
2. Who am I?
• Jaime Blasco
• Alienvault Labs Manager
Saturday, February 4, 2012
3. What are we talking about?
• A group of sophisticated, coordinated attackers with political, financial or military motivation.
• The intruder can exploit publicly known vulnerabilities, but the attackers are also highly skilled and well funded and can research and exploit new vulnerabilities.
• The attacker wants to accomplish a mission that can take place over months.
4. Agenda
• cat /dev/urandom
5. Example: Kalachakra
• Camp information at Bodhgaya.doc
• CVE-2010-3333
11. Dropped EXE
• Language of compilation system: Chinese
• Dropped files:
• C:\Documents and Settings\Administrator\7240672406.dat
• C:\Documents and Settings\Administrator\temp.dat
• Mark the presence on the system:
22. AV Aware
• Check for kisknl.sys (Kingsoft Antivirus)
• Look for KSafeTray.exe and disable it: OpenThread -> SuspendThread
• Check for TmComm.sys (TrendMicro)
• Check for HookPort.sys (QQ 360)
• Depending on the AV present, use the native API to install the service, or the following method:
• FindWindowA("CabinetWClass", WindowName);
• FindWindowExA(v15, 0, "WorkerW", 0);
• SendMessageA, RegOpenKeyExA, SYSTEM\CurrentControlSet\Services
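As an added example (not part of the talk), a small Python triage rule that checks a sample's extracted strings for the combination of indicators this slide lists; the driver names, KSafeTray.exe, the window classes, the API names and the Services key are the slide's own, while the combination rule, the verdict thresholds and the two sample string lists are constructed here. Opening the Services key is normal for any service installer, so it only counts alongside the AV-specific probes.

```python
# Indicators from the "AV Aware" slide. The driver-to-product mapping is the
# talk's own; the combination rule and verdict thresholds are constructed here.
AV_DRIVERS = {
    "kisknl.sys": "Kingsoft Antivirus",
    "tmcomm.sys": "TrendMicro",
    "hookport.sys": "QQ 360",
}
THREAD_SUSPEND_APIS = {"OpenThread", "SuspendThread"}
EXPLORER_APIS = {"FindWindowA", "FindWindowExA", "SendMessageA"}
EXPLORER_CLASSES = {"CabinetWClass", "WorkerW"}
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def classify(strings):
    """Score one sample's extracted strings (e.g. `strings -a` output or an
    import-table dump) against the slide's indicators.
    Returns (verdict, findings); verdict is "clean", "weak" or "match"."""
    s = set(strings)
    lower = {x.lower() for x in s}
    findings = {}
    products = sorted(name for drv, name in AV_DRIVERS.items() if drv in lower)
    if products:
        findings["av_driver_probes"] = products
    # Thread suspension only counts when paired with the Kingsoft tray process.
    if THREAD_SUSPEND_APIS <= s and "KSafeTray.exe" in s:
        findings["tray_suspend"] = "KSafeTray.exe"
    # Explorer window lookup (CabinetWClass -> WorkerW) plus SendMessageA.
    if EXPLORER_APIS <= s and EXPLORER_CLASSES <= s:
        findings["explorer_window_path"] = True
    # Opening the Services key is common to any service installer, so on its
    # own it yields only a "weak" verdict.
    if "RegOpenKeyExA" in s and SERVICES_KEY in s:
        findings["services_key"] = SERVICES_KEY
    verdict = "match" if len(findings) >= 2 else "weak" if findings else "clean"
    return verdict, findings


# Constructed samples: what `strings` might show for a dropper with the
# slide's logic, and for a benign installer that merely registers a service.
SUSPICIOUS = [
    "kisknl.sys", "KSafeTray.exe", "OpenThread", "SuspendThread", "TmComm.sys",
    "HookPort.sys", "FindWindowA", "FindWindowExA", "CabinetWClass", "WorkerW",
    "SendMessageA", "RegOpenKeyExA", SERVICES_KEY,
]
BENIGN = ["RegOpenKeyExA", SERVICES_KEY, "CreateServiceA", "StartServiceA"]

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, *classify(sample))
```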