A Hacker's Method to Your Madness - Dave Russell, from the 2011 Computer Forensics Show
Dave Russell, a consultant and GIAC Certified Forensic Analyst (GCFA) at 403 Labs, presented "A Hacker's Method to Your Madness" at the 2011 Computer Forensics Show in San Francisco, CA.

The talk examined the motives of today’s hackers, as well as the strategies, tactics and tools they employ as they try to get into your network, do what they want, and leave with as few traces as possible. Dave also drew from his real-world experiences in working side-by-side with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) to detail how hacking incidents actually affect people’s lives.

The presentation is meant to provide companies with a better understanding of how predatory hackers work, so they can improve their security posture and implement practices to help them avoid becoming the prey.

Slide 1: A Hacker's Method to Your Madness
Dave Russell, 403 Labs
drussell[at]403labs[dot]com

Slide 2: What Am I About?
• Consultant at 403 Labs, working largely in the Payment Card Industry (PCI) space
• Worked on building the 403 Labs PCI Forensic Investigator (PFI) program
  – One of only nine U.S. companies certified
• Specialize in reverse engineering and unusual circumstances like custom malware

Slide 3: More Background
• Have worked with local, state and federal agencies on cases
  – Largely criminal
  – One involved an 18+ month investigation of corporate sabotage: we'll talk about this one in depth
• Provided application training classes to a state Department of Justice
• Spoken at numerous conferences, including ToorCon two weeks ago and InfraGard earlier this year

Slide 4: A Brief Overview
• The "hacker" mentality
  – Not all hackers are created equal
• Finding evidence and how they got in
• Case studies

Slide 5: Not All Hackers Are Created Equal
The common misconception: all hackers are out to destroy things and steal money

Slide 6: Not All Hackers Are Created Equal
• The truth is a "gray" area
  – While there are many criminal hackers, a number are actually "Grayhats"
    • Kevin Mitnick is arguably the most famous
• Most hackers begin with a basic curiosity and a "how far can I go" attitude without ever delving into the criminal
  – This is not necessarily bad; a lot of security initiatives have spawned from this mentality

Slide 7: Hacker Taxonomy
• Organized criminals
  – Often report to "bosses" like other, more conventional organized crime
  – Highly structured and striated
  – Goal is almost always, ultimately, money
  – Covers a lot of territory, from payment card theft to child pornography
  – Example: the Russian Business Network (RBN)

Slide 8: Hacker Taxonomy
• Loosely affiliated bands of criminals
  – Motives vary, but money is often at the center
  – Organizations team up
  – Damage is more focused (for example, targeting specific companies), but can still be devastating
  – Example: Albert Gonzalez and the TJX/Heartland compromises

Slide 9: Hacker Taxonomy
• Hacktivists
  – Looking to make a personal or political statement
  – Money is very often *not* the motivator; embarrassment or attention is
  – Can form groups like criminal organizations
  – Examples: LulzSec, Anonymous

Slide 10: Hacker Taxonomy
• Grayhats
  – Usually motivated by a desire to learn and "push the envelope"
  – Not always destructive (at least not deliberately), and often use appropriate channels for reporting flaws, though theft can still result
  – Often the target of hate and harassment from all sides
  – Example: Kevin Mitnick

Slide 11: Hacker Taxonomy
• Whitehats
  – No criminal motivation
  – Only release discovered vulnerabilities through appropriate channels
  – Often involved in the infosec industry
  – Examples: a lot

Slide 12: Hacker Taxonomy
• "Skr1pt kiddies"
  – The lowest on the hacker totem pole
  – "Joyriders"
  – Often tricked into doing really stupid things
  – "Hacking" often involves finding weak passwords or other obvious flaws for which someone else wrote a tool to exploit (hence the name)
  – The threat is low, but damage can be just as high
  – Fortunately, easy to catch
  – Example: David Kernell, the Palin email "hacker"

Slide 13: With This In Mind…
• What are attackers after?
  – Biggest thing: ease of entry. Would you rather rob the locked house or the unlocked one?
    • Grayhats/whitehats can be an exception
  – Money
    • Two major classifications: direct and indirect
      – Direct: going after bank accounts, payment card numbers, etc.
      – Indirect: infecting machines for profit, personally identifiable information (PII), information reselling
  – Disruption, though often not a primary motivator

Slide 14: The Almighty Dollar
• If the goal is money, maintaining your presence in the victim's machine is critical
  – They won't advertise their presence
  – That said, stealth is expensive
• Target identification is easy: find someone who takes payments
• Large groups of people take payments the same way

Slide 15: So Who Would You Target?
• Hacking banks is hard, and you are likely to get caught
• Hacking poor merchants is much easier – their security is often lousy
• You won't get as many payment cards
  – A lot of merchants run similar software
  – Can blanket large groups of merchants
    • Even if you only get a few dozen cards at a time, multiply that by a few hundred merchants

Slide 16: Which Gets Back to Ease of Access
• How many merchants have *you* visited that have wireless access?
• How many have undefended terminals you could plug a USB drive into?
• Plenty need reporting and such from home and other locations – holes often exist
• Just steal a piece of equipment from one!
  – Vendors often use lousy credentials for logins across more than one merchant

Slide 17: Getting In
• Drive-by downloads are still the easiest
  – Porn and gambling sites are still king!
  – Rates of mutation of malware make it possible to stay ahead of antivirus
• Phishing/spear-phishing attacks
• Install the software yourself
  – Might require more manual effort
  – If you are exploiting a hole in common software (like a POS), it might be feasible
• OS exploits getting rare

Slide 18: So How Does This Work?
• Often, the "base" malware is simply a gathering point for other malware: the "dropper"
• Calls out to external websites and other locations to pull down its friends that do the heavy lifting
• All malware can be highly polymorphic; two programs can do the same thing but have different signatures

Slide 19: What Is Malware Doing These Days?
• A lot of similar things to what it always has
• Scanning for account and payment card numbers, both in files AND in memory!
  – Bad news for poorly written software that doesn't clean up after itself
• Exfiltrating this and other system data: web, email and FTP are three common routes
• Establishing a backchannel to gain access again
  – More likely to lead to detection, however
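The card-number sweep that slide 19 describes is also what an investigator runs to find where a sloppy POS application has left card data lying around in files or process memory. The following is an added example, not code from the talk or from 403 Labs: it finds Luhn-valid 13 to 19 digit runs in a buffer (a carved process dump or a log file) and reports them masked; the sample buffer and its offsets are constructed.

```python
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run.
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First 6 and last 4 digits only, so findings can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid 13-19 digit run in a buffer.
    Greedy matching: a digit run that fails Luhn is not re-tried at shorter lengths."""
    hits = []
    for m in _CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits

# Constructed sample buffer standing in for a carved process dump or a POS log file.
SAMPLE = (
    b"Track data cleared\x00"
    b"cust=J. Doe card=4111111111111111 exp=12/14\x00"  # well-known Luhn-valid test number
    b"cust=A. Roe card=4111-1111-1111-1112\x00"         # fails Luhn: not a card number
    b"phone=4145551234567 ref=1234567890123\x00"        # digit runs that are not cards
)

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"offset 0x{offset:x}: {masked}")
```

Run against a memory image, the offsets tell you which process (or which log file) is retaining clear-text card data, which is the lead the talk says investigators are looking for.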
Slide 20: The Good News
• A lot of malware these days stinks
  – Relies on large libraries and existing non-malware software like "grep"
  – Not at all stealthy
    • Not packed, no attempts to avoid detection in process lists, etc.
  – Easily reverse engineered to discover the destination of data and thus provide a lead on who is involved

Slide 21: Example of Exfiltration Locations
(no text captured for this slide)

Slide 22: The Bad News
• These guys are FAST
  – Websites, email addresses, etc. change constantly
  – Recompiled variants of malware stay ahead of antivirus signatures
• There are "point-and-click" toolkits for doing a lot of this
• Tons of "companies" willing to help
  – Some provide 24x7 support!
• Information is highly accessible

Slide 23: Detection Methods
• Conventional preventative tools are becoming less effective, particularly antivirus
  – Often no prior indication there was something wrong
• Currently, we in the security industry seem to be playing catch-up
• Traditional investigative techniques work to find the evidence
  – … but it's becoming harder to figure out WHAT has occurred

Slide 24: What Gets Left Behind
• "Unusual" executables
  – Still showing up in the usual places: C:\Windows and its subdirectories
  – Memory analysis often shows running services and executables
• Locating the files is most easily done using timeline analysis
  – Registry keys are also useful
• Clean-up of collected data seems to be quite good in many cases
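Slide 24's timeline analysis, as an added example that is not from the talk or from 403 Labs: it builds a modification-time timeline over a directory tree and flags executables whose timestamps cluster around a pivot time, such as the first fraudulent transaction or the timestamp of a known dropper. The directory tree, file names and times are constructed stand-ins for C:\Windows on an imaged disk.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Tuple

EXEC_EXTS = {".exe", ".dll", ".sys", ".bat", ".vbs"}
DEFAULT_WINDOW = timedelta(hours=6)

def build_timeline(root: str) -> List[Tuple[datetime, str]]:
    """Walk a tree and return (mtime, path relative to root) pairs, oldest first.
    In practice root is the Windows directory of a mounted forensic image."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((datetime.fromtimestamp(os.stat(full).st_mtime), rel))
    return sorted(entries)

def executables_near(timeline: List[Tuple[datetime, str]], pivot: datetime,
                     window: timedelta = DEFAULT_WINDOW) -> List[str]:
    """Executables whose mtime lies within +/- window of the pivot time."""
    return [rel for ts, rel in timeline
            if Path(rel).suffix.lower() in EXEC_EXTS and abs(ts - pivot) <= window]

def make_sample_tree() -> Tuple[str, datetime]:
    """Constructed stand-in for C:\\Windows on an imaged disk; returns (root, pivot)."""
    root = tempfile.mkdtemp()
    pivot = datetime(2011, 10, 1, 12, 0, 0)
    sample = {  # relative path -> mtime offset from the pivot
        "system32/kernel32.dll": timedelta(days=-400),  # old OS file, expected
        "system32/svchost.exe": timedelta(days=-400),
        "Temp/report.txt": timedelta(minutes=5),        # recent but not executable
        "system32/msupd.exe": timedelta(minutes=3),     # new binary beside the incident
        "Temp/grab.dll": timedelta(hours=-2),
    }
    for rel, delta in sample.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")                            # placeholder content
        t = (pivot + delta).timestamp()
        os.utime(p, (t, t))                             # back-date atime and mtime
    return root, pivot

if __name__ == "__main__":
    root, pivot = make_sample_tree()
    for rel in executables_near(build_timeline(root), pivot):
        print(rel)
```

Timestomping defeats a pure mtime view, so on a real case the same pass should be repeated with MFT creation times and the registry keys the slide mentions.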
Slide 25: Case Study 1: Merchant Breach
• Merchant lost dozens of payment card numbers and was informed by customers before the banks found out
• Investigation revealed numerous custom malware installations not previously seen in the wild
• Reverse engineering revealed that they were repackages of known functionality
• Watched for card numbers in files and memory
• Data exfiltrated to Poland via web and email

Slide 26: Case Study 2: Merchant Breach
• Loss of payment card numbers reported by the card brands
• Investigation did not reveal malware, but did reveal poor infrastructure architecture
• Vendor maintaining the systems used a terrible login for administrative access (login name equal to password)
• Numerous remote access mechanisms
• Those credentials probably were in use on other systems at other merchants

Slide 27: Case Study 3: Internal Corporate Attack
• Began with destruction of data on corporate servers; company could not determine how it was happening
• Engaged our company to get to the bottom of it
  – Initially, no clear path to access was found
  – Suggested the usual remediation measures
• Another attack occurred and left a few remnants behind

Slide 28: Case Study 3: Internal Corporate Attack
• Developed custom tools to watch the "dropper" location identified in the earlier attack
• After a few weeks, a new attack occurred
  – Copies made of all the malware that was used
• Reverse engineering showed an unusually high amount of knowledge about the company, such as file share mappings
• Likely that a present or former employee or contractor was involved

Slide 29: Case Study 3: Internal Corporate Attack
• Next attack popped messages up on many user workstations and caused a fair amount of alarm:
  – "Can you say 'Al Got Rhythm' three times fast? A surprise is coming :)"
• Had information on the machine involved and knew it was transient
• Set up a trap to catch it popping up on the network

Slide 30: Case Study 3: Internal Corporate Attack
• Next attack (months later) got us a network drop – it was internal; FBI was called
• FBI retrieved and obtained an image of the disk from the employee's desk
• Employee was fired a few days later – caught with a CD containing source code for the malware used in the attacks, as well as salary spreadsheets
• Pleaded guilty to a class F felony (became a state charge)

Slide 31: Common Themes
• Access was trivial
  – Case 1: unclear, likely web browser
  – Case 2: weak accounts and remote access technology available
  – Case 3: deep knowledge of the environment, easy to maintain persistent access
• Motivations were clear
  – Money for cases 1 and 2
  – "Axe to grind" for case 3

Slide 32: More Themes
• Plenty of evidence left behind
  – Cases 1 and 3 required a good amount of effort to find it, though
• Basic investigation techniques were effective
  – Timeline analysis, profiling, simple reverse engineering
• For payment card theft cases, definite evidence of carder groups that LEOs have expressed an interest in reviewing

Slide 33: Summary
• Understanding motivations can help track down evidence
• Look for the usual evidence, but be prepared to spend extra effort decoding it
• Realize that simple things like poor passwords and infrastructure are just as often to blame as malware

Slide 34: Useful Tools
• IDA Pro
• PE Explorer
• RegRipper
• Memoryze
• EnCase/FTK
• Hex editors
• Excel (!)

Slide 35: Questions?
Thank you!
Dave Russell, 403 Labs
drussell[at]403labs[dot]com
(877) 403-LABS
