Cybercrime in nowadays businesses - A real case study of targeted attack

Through a real case study, we will explore the complexity of such attacks which endanger today's businesses.
All: https://www.htbridge.ch/publications/cybercrime_in_nowadays_businesses_a_real_case_study_of_targeted_attack.html

  1. Hashdays 2011. Cybercrime in nowadays businesses: A real case study of targeted attack. Frédéric BOURLA, Head of Ethical Hacking Department. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch
  2. 0x00 - #whoami. Frédéric BOURLA, Head of Ethical Hacking Department, High-Tech Bridge SA. ~12 years experience in Information Security. LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT; CHFI, GCFA & GREM in progress; RHCE, RHCT, MCP. frederic.bourla@htbridge.ch
  3. 0x01 - #readelf prez. Cyber attacks have evolved: they became more sophisticated, they are often targeted, and it is not uncommon anymore to observe attacks managed by specialized groups and initiated by unfair competitors. This talk is an example of such threats. It is based on a post-incident investigation which took place in October 2010. To preserve the client’s anonymity, let’s call him Fedor-Trading. 1 round of 50’. To save time, please keep your questions until the end.
  4. Table of contents: 0x00 - About me; 0x01 - About this conference; 0x02 - Project’s context; 0x03 - Mail analysis; 0x04 - Client’s Website analysis; 0x05 - Malware analysis; 0x06 - Conclusion
  5. 0x02 - Project’s context. Last year, the CTO of a well known financial institution contacted us. Fedor-Trading thought about a kind of Phishing attempt, and the CTO expected us to help him reassure the CEO that everything was fine and that no real attack had occurred. The initial project was a quick investigation driven by political reasons, and it began with an analysis of the emails that they received in one of their administrative mailboxes.
  7. 0x02 - Mail analysis. They received several emails which appeared to have been sent from Fedor-Trading:
  8. 0x02 - Mail analysis. At a first glance, all suspicious emails received didn’t look like Phishing: there were no multiple spelling mistakes per line; the content itself sounded sophisticated; all emails dealt with real matters and enticed Forex users to open a PDF. Instead, all those emails sounded like targeted attacks.
  9. 0x02 - Mail analysis. SMTP headers reveal the sending domain:
  10. 0x02 - Mail analysis. The FQDN matches IP address 67.227.134.84. The hosting server is located in the US.
  11. 0x02 - Mail analysis. The parent domain neonrain-vps.com has belonged to Neon Rain Interactive since 26 March 2008.
  12. 0x02 - Mail analysis. The remote system hosted an out-of-date Apache engine and was weakly configured: talkative banners, some indexed directories, lots of information disclosure, a publicly available cPanel interface, some outdated components.
  13. 0x02 - Mail analysis. A reverse DNS lookup showed that the IP address 67.227.134.84 was used to host multiple websites. At least 82 domains were hosted on the same server. The combination of these factors gave us a strong likelihood that the malicious emails were sent from a compromised Web server, thus concealing the identity of the attackers.
  14. 0x02 - Mail analysis. The domain host.neonrain-vps.com had an MX record for this host. This configuration permitted bypassing most antispam protections, and all Fedor-Trading’s clients who did not rely on a deeper SMTP analysis have probably received those suspicious emails. A quick analysis of the received emails consequently led us to think about a targeted attack, and not a blind one… We definitely needed to get more information and asked for FTP access to Fedor-Trading’s website.
  16. 0x04 - Client’s Website analysis. The frontal website was hosted externally, on Infomaniak Network. The first thing we noticed is that the website hosted a talkative «robots.txt» file:
  17. 0x04 - Client’s Website analysis. The passwd file revealed several forgotten accounts, but no trace of a potential compromise. The website contained a huge amount of logs. We downloaded them to carry out local inspection.
  18. 0x04 - Client’s Website analysis. Fedor-Trading’s website was often under automated attacks.
  19. 0x04 - Client’s Website analysis. In parallel with attack pattern queries in those huge logs (quite slow, as there was no timeframe for this hypothetical attack), we looked furtively at the website security level. Although a kind of Web Application Firewall successfully prevented our first attacks, the website sounded vulnerable to SQLi.
  20. 0x04 - Client’s Website analysis. We parsed the logs for usual SQL injection signatures, and lots of occurrences were identified.
  21. 0x04 - Client’s Website analysis. Quite evolved injections were attempted. The first identified attacks were unsuccessful and only relied on automated exploitation tools. For example, the banner & hexadecimal constant used while trying to determine the number of fields in the SQL query indicated the Havij tool.
  22. 0x04 - Client’s Website analysis. The next step therefore consisted in simulating such automated attacks to assess the level of information which could have been collected by hackers. Indeed, we used the current 1.12 version of Havij against Fedor-Trading. This tool proved inefficient in this specific case.
  23. 0x04 - Client’s Website analysis. Nevertheless it permitted confirming the SQLi attack vector, as the name of the database was successfully dumped.
  24. 0x04 - Client’s Website analysis. In order to efficiently identify successful SQLi exploitation in the huge web server logs, we asked the client for temporary credentials on their Infomaniak web administration page. This offered us the best view of operational structures, and therefore permitted fine-tuning our queries with keywords which had a high probability of occurrence in case of successful SQLi exploitation.
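Log triage of the kind described on slides 20 and 24, as an added example that is not the talk’s own tooling: generic SQLi signatures over URL-decoded Apache log lines, then the application-specific names that separate a blind automated probe from a manual request by someone who already knows the schema. jos_users, TAibs_c and USERS are the talk’s table names; the column names, the sample log lines and the "likely successful" heuristic are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache combined/common log line: client IP, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQL injection signatures, matched on the URL-decoded request path and query.
GENERIC_SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
    "long_hex_literal": re.compile(r"0x[0-9a-f]{8,}", re.I),  # typical of automated tools
}

# Application-specific names, the "fine-tuned keywords" step: a request that names real
# tables or columns only makes sense to someone who has already read the schema.
# jos_users, TAibs_c and USERS are the talk's table names; the column names are assumed.
APP_NAMES = re.compile(
    r"\b(jos_users|taibs_c|users|schema_name|table_name|column_name|username|password)\b", re.I
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["url"])
    return rec


def classify(rec):
    """Return (generic signature names, application names) found in the decoded request."""
    generic = [name for name, rx in GENERIC_SIGNATURES.items() if rx.search(rec["decoded"])]
    app = sorted({n.lower() for n in APP_NAMES.findall(rec["decoded"])})
    return generic, app


def triage(lines):
    """Keep only requests carrying injection indicators and grade each one.

    'likely_successful' is an assumed heuristic: the application answered 200 to a
    request that names real schema objects, so the WAF did not block it and the query
    most probably ran."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        generic, app = classify(rec)
        if not generic and not app:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "generic": generic,
            "app_names": app,
            "likely_successful": rec["status"] == "200" and bool(app),
            "request": rec["decoded"],
        })
    return findings


def summarize_by_ip(findings):
    """Per source IP: how many suspicious requests, how many likely succeeded, which names."""
    summary = defaultdict(lambda: {"requests": 0, "likely_successful": 0, "app_names": set()})
    for f in findings:
        s = summary[f["ip"]]
        s["requests"] += 1
        s["likely_successful"] += int(f["likely_successful"])
        s["app_names"].update(f["app_names"])
    return dict(summary)


# Constructed sample log: a benign hit, an automated probe stopped by the WAF (403),
# and two manual requests in the style of the talk's union-based enumeration.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2010:09:14:02 +0200] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5123
203.0.113.9 - - [11/Oct/2010:09:15:47 +0200] "GET /index.php?id=3+and+1=1 HTTP/1.1" 200 5123
203.0.113.9 - - [11/Oct/2010:09:15:49 +0200] "GET /index.php?id=3+union+select+0x4141414141414141,2,3-- HTTP/1.1" 403 212
198.51.100.7 - - [12/Oct/2010:23:41:10 +0200] "GET /index.php?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1-- HTTP/1.1" 200 4098
198.51.100.7 - - [12/Oct/2010:23:52:31 +0200] "GET /index.php?id=3-9999+union+SELECT%20concat(username,0x3a,password)%20FROM%20jos_users%20limit%200,1-- HTTP/1.1" 200 4171
"""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["status"], f["generic"], f["app_names"], "SUCCESS?" if f["likely_successful"] else "")
    print(summarize_by_ip(found))
```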
  25. 0x04 - Client’s Website analysis. This was much faster. New attacks were quickly identified. More pernicious, those attacks clearly showed that Fedor-Trading’s website was compromised, and that nearly the whole backend database was stolen.
  26. 0x04 - Client’s Website analysis. Indeed, most tables were remotely dumped by hackers, and the email addresses of our client’s customers were stolen. The source IP address 89.165.79.237 was located in Iran and didn’t host any publicly available service. It was most probably a bot intended to hide the attackers’ identity.
  27. 0x04 - Client’s Website analysis. The impacted web application consisted of self-made code as well as the Joomla open source CMS and several commercial plugins. The exploited vulnerability resided in a Joomla commercial plugin named Sh404Sef. The latter security module provides SEO, analytics and URL Rewriting. It is also supposed to prevent XSS, flooding and other malicious page requests… But unfortunately it allowed hackers to inject SQL code. In that particular case, the security module brought insecurity.
  28. 0x04 - Client’s Website analysis. The SQLi vulnerability was a little bit tricky, and none of the leading automated tools was able to exploit it. Most of them didn’t even detect any security problem on Fedor-Trading’s website. Facts are that only a slow and manual attack could have permitted its exploitation.
  29. 0x04 - Client’s Website analysis. As a PoC, we demonstrated that the following parameters in GET requests permitted remotely dumping all sensitive information from the backend database:
  30. 0x04 - Client’s Website analysis. In this attack, the information leakage occurred in the title bar of the Internet browser’s window. The 1st request simply permits identifying the PHP engine version.
  31. 0x04 - Client’s Website analysis. Requests 2 and 3 permit getting the username and the database name.
  32. 0x04 - Client’s Website analysis. Requests 4 to 6 permit listing the databases.
  33. 0x04 - Client’s Website analysis. GSDB only hosts 3 databases, as there is no result for the 7th GET request: ?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1--
  34. 0x04 - Client’s Website analysis. Requests 8 and 9 permit getting the schema and the tables.
  35. 0x04 - Client’s Website analysis. The 10th request permits enumerating the tables from the main database. Request 11 enumerates the columns from the jos_users table.
  36. 0x04 - Client’s Website analysis. And finally the 12th request permits collecting names, emails and password hashes from the jos_users table. With a small automation script, it was possible to remotely dump all sensitive tables, such as personal data related to Forex accounts from the TAibs_c table and the trading platform administrators’ password hash from the USERS table.
  37. 0x04 - Client’s Website analysis. After version 1.5, Joomla relied on a random salt in its password hashing function. This approach permits efficiently disturbing Time-Memory Trade-Off attacks: $hash=md5($pass.$salt). Since then, Rainbow Table attacks against accounts gathered from compromised Joomla websites remain inefficient.
  38. Nevertheless, one of the administrators’ accounts had no salt. The password was therefore stored as a weak MD5 hash. It was most probably an old account created with a previous version of the web application, which remained unchanged since the migration. The vulnerable account belonged to an external consultant. Anonymised:Anonymised:anonymised@anonymised.com:c2e285cb33cecdbeb83d2189e983a8c0
  39. 0x04 - Client’s Website analysis. It was possible to break it in a few seconds. Hackers never logged in with this account. Fortunately, a noisy defacing would have been out of scope and totally counterproductive.
  40. 0x04 - Client’s Website analysis. Internal admin accounts were salted and strong enough to resist most dictionary attacks.
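The two storage formats compared on slides 37 to 40, as an added example that is not Joomla’s code: md5(pass.salt) stored as hash:salt beside a legacy bare MD5, with a small precomputed table standing in for a rainbow table to show why the unsalted consultant account fell in seconds while a salted account with the very same password did not. The salt length, the sample accounts and the wordlist are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def joomla_hash(password, salt=None):
    """Salted storage as the talk states it: md5(password . salt), kept as "hash:salt".
    The 32-character salt length is an assumption; hex is used here as the charset."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def is_unsalted(stored):
    """Legacy entries are a bare 32-hex-character MD5 with no ':salt' part."""
    return ":" not in stored and len(stored) == 32


def verify_password(password, stored):
    """Check a candidate password against either storage format (constant-time compare)."""
    if is_unsalted(stored):
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, stored)
    digest, salt = stored.split(":", 1)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def build_precomputed_table(wordlist):
    """A tiny stand-in for a rainbow table: unsalted MD5 of every word, computed once."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def audit_users(rows, precomputed):
    """rows: (username, email, stored_hash) as dumped from a jos_users-style table.

    Flags legacy unsalted entries and shows the practical consequence: one table lookup
    recovers an unsalted password, while the digest of a salted entry for the same
    password is not in the table, so it would need a per-account brute force."""
    report = []
    for username, email, stored in rows:
        digest = stored.split(":", 1)[0]
        report.append({
            "username": username,
            "email": email,
            "unsalted": is_unsalted(stored),
            "recovered_by_lookup": precomputed.get(digest),
        })
    return report


# Constructed sample rows (no real accounts): a salted admin, a salted editor sharing the
# consultant's weak password, and a legacy external consultant with a bare MD5.
SAMPLE_ROWS = [
    ("admin", "admin@example.invalid", joomla_hash("Forex2010!Strong", "d3b07384d113edec49eaa6238ad5ff00")),
    ("editor", "editor@example.invalid", joomla_hash("trading", "c157a79031e1c40f85931829bc5fc552")),
    ("consultant", "consultant@example.invalid", hashlib.md5(b"trading").hexdigest()),
]

WORDLIST = ["password", "123456", "forex", "trading", "letmein"]


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    for entry in audit_users(SAMPLE_ROWS, table):
        print(entry)
```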
  42. 0x05 - Malware analysis. After having stolen the MySQL databases through an SQL Injection on the trading platform, hackers ran into a Social Engineering phase which targeted Forex users. Most of them received a credible fake email which enticed them into opening an embedded PDF file. Therefore, the last part of the attack which required a deep analysis dealt with the PDF files attached to the fake emails. Several emails were sent, but all of them included a renamed version of the same PDF.
  43. 0x05 - Malware analysis. PDF is one of the most prevalent methods for remote exploitation: victims can easily be sent targeted, socially engineered emails with such attachments; PDF links are common on websites and may permit drive-by exploitation; this file format is widely spread among companies and most often authorized by perimeter protections; it is still quite hard for antivirus to detect malicious content.
  44. 0x05 - Malware analysis. On the 9th October 2010, only 4 antivirus engines out of 43 detected a threat in this PDF, which is a 9.3% detection rate: AntiVir, Emsisoft, Ikarus, Microsoft. One year later, on the 13th October 2011, only 16 antivirus engines out of 43 efficiently detect a threat. This is still a low detection rate of 37.2%.
  45. 0x05 - Malware analysis. Indeed, PDF supports different compression formats which help hiding code: FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode. It also supports encryption: 40+128 bits RC4, 128 bits AES.
  46. 0x05 - Malware analysis. And the PDF format also natively supports Unicode, Hex as well as fromCharCode. All of them are widely used for obfuscation purposes. Internal logical streams can embed other objects which support further client side scripting, such as Flash’s ActionScript. It offers an efficient way to carry out Heap Spraying and Egg Hunting. For all those reasons, PDF is an attack vector of choice for hackers.
  47. 0x05 - Malware analysis. In our case, the maliciously crafted PDF file exploited a critical vulnerability which affected all Adobe Reader applications prior to version 9.4 on multiple OS (CVE-2010-2883). Opening this file within Adobe Reader v9.3.4 or any older version could alter its execution flow and run arbitrary code. This vulnerability was actively exploited on the Internet when the attack occurred. Since Adobe Reader v9.4 was publicly available on 5th October 2010, this attack implied a 0-day with a high rate of successful compromise.
  48. 0x05 - Malware analysis. A quick search for risky keywords with PDFID revealed client-side code. Quite unusual in a malicious PDF: an Action automatically executed on form load.
  49. 0x05 - Malware analysis. The proportion of randomness in the file can also tell us more about this PDF. The total entropy and the entropy of bytes inside stream objects are close to the maximum of 8, which suggests a normal PDF document.
  50. 0x05 - Malware analysis. Nevertheless, the entropy outside stream objects is also quite high. In a normal PDF, it is usually between 4 and 5. This may lead us to think about a malformed PDF document, where data is added without stream objects. We can also notice that there is only one %%EOF in the document, despite there being lots of bytes after the last %%EOF, which also suggests that data has been added.
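The PDFID-style checks from slides 48 to 50, as an added example rather than pdfid or Origami themselves: keyword counts (with #xx name escapes undone), entropy inside versus outside stream objects, and bytes after the last %%EOF, run over a constructed PDF in both a clean and an altered form. The thresholds are assumptions derived from the talk’s figures; the sample file is not the talk’s attachment.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

# pdfid-style keywords: names whose presence is worth a look in an attachment.
KEYWORDS = [b"/JS", b"/JavaScript", b"/AcroForm", b"/OpenAction", b"/AA",
            b"/Launch", b"/EmbeddedFile", b"/ObjStm", b"/RichMedia"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Thresholds are assumptions derived from the talk's figures (normal outside-stream
# entropy between 4 and 5; only a few line-ending bytes normally follow the last %%EOF).
OUTSIDE_ENTROPY_LIMIT = 5.5
TRAILING_BYTES_LIMIT = 16


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def normalize_names(data):
    """Undo #xx hex escapes in PDF names, so /Java#53cript counts as /JavaScript."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", norm)) for kw in KEYWORDS}


def split_streams(data):
    """Return (bytes inside stream...endstream bodies, everything else)."""
    inside = b"".join(m.group(1) for m in STREAM_RE.finditer(data))
    outside = STREAM_RE.sub(b"", data)
    return inside, outside


def triage(data):
    keywords = count_keywords(data)
    inside, outside = split_streams(data)
    last_eof = data.rfind(b"%%EOF")
    trailing = len(data) - (last_eof + len(b"%%EOF")) if last_eof >= 0 else len(data)
    report = {
        "keywords": keywords,
        "entropy_total": shannon_entropy(data),
        "entropy_inside_streams": shannon_entropy(inside),
        "entropy_outside_streams": shannon_entropy(outside),
        "eof_count": data.count(b"%%EOF"),
        "bytes_after_last_eof": trailing,
        "indicators": [],
    }
    if keywords["/JS"] or keywords["/JavaScript"]:
        report["indicators"].append("javascript")
    if keywords["/OpenAction"] or keywords["/AA"]:
        report["indicators"].append("automatic_action")
    if report["entropy_outside_streams"] > OUTSIDE_ENTROPY_LIMIT:
        report["indicators"].append("high_entropy_outside_streams")
    if trailing > TRAILING_BYTES_LIMIT:
        report["indicators"].append("data_after_eof")
    return report


def build_sample_pdf(append_data, obfuscate):
    """Constructed sample, not the talk's file: a tiny PDF with an /OpenAction running
    JavaScript and one Flate stream; optionally hex-escaped names and a blob of
    high-entropy bytes appended after %%EOF, the two anomalies the talk describes."""
    body = zlib.compress(b"BT /F1 12 Tf 72 712 Td (Forex regulation update) Tj ET")
    objs = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(body) + body + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    pdf = b"".join(objs)
    if obfuscate:
        pdf = pdf.replace(b"/JavaScript", b"/Java#53cript").replace(b"/JS", b"/J#53")
    if append_data:
        # deterministic pseudo-random bytes standing in for an appended encrypted payload
        pdf += b"".join(hashlib.sha256(b"constructed-junk-%d" % i).digest() for i in range(64))
    return pdf


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pdf(False, False)), ("suspect", build_sample_pdf(True, True))):
        r = triage(sample)
        print(label, r["indicators"], "outside-stream entropy %.2f" % r["entropy_outside_streams"],
              "bytes after last %%EOF:", r["bytes_after_last_eof"])
```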
  51. 0x05 - Malware analysis. So a good idea should be to dig a little bit further through Origami. Unfortunately the Walker GUI was tricked into errors.
  52. 0x05 - Malware analysis. Command line extraction also got problems, but at least confirmed some results.
  53. 0x05 - Malware analysis. In fact, even Adobe thought it was damaged. Unfortunately it managed to read it.
  54. 0x05 - Malware analysis. The logical flaw remained easy to identify.
  55. 0x05 - Malware analysis. Nevertheless, we were still not able to extract the embedded JavaScript code.
  56. 0x05 - Malware analysis. Object 3 contains the string “/JavaScript” and was configured to execute code from object 7. Object 30 also contained the string “/JS” and holds code.
  57. 0x05 - Malware analysis. Nevertheless, the payload was quite heavily obfuscated.
  58. 0x05 - Malware analysis. Most crafted PDFs rely on a simple XOR with a single byte long key, or use ROL/ROR operations for obfuscation purposes… But not there. As a consequence, tools like XorSearch didn’t get any result. The only solution seemed to be the reverse engineering approach.
  59. 0x05 - Malware analysis. Indeed, the interesting content was encrypted with a 4 bytes XOR operation.
  60. 0x05 - Malware analysis. After the identification of the 4 bytes key 0x4114D345, we were able to extract the “mea.dll” file embedded in the malicious PDF. This one was not encrypted, and revealed the final URL which hosted the ultimate payload, as confirmed by the following analysis.
  61. 0x05 - Malware analysis. Opening CoolType.dll in Adobe Reader with IDA revealed the abused “strcat”. The “uniqueName” field from the SING table structure was being used in that function.
  62. 0x05 - Malware analysis. The exploit relied on /AcroForm JavaScript to detect the version of Adobe Reader and switch to the appropriate payload. Then a heap spray was used to put ROP data into memory at a guessable address. This heap spray followed a huge RET sled, which acted as a more classical NOP string while transitioning between the stack Buffer Overflow and the ROP payload. Gadgets used in the ROP payload come from the module “icucnv36.dll”, which was not compiled with ASLR, as discussed soon.
  63. 0x05 - Malware analysis. Attackers used ROP techniques. Instead of redirecting the execution flow to the heap, it jumps to a Code section in a DLL which indeed has Execute rights. This is achieved by overwriting the Saved EIP on the stack, and by chaining calls into this DLL at specific places through a RET sled crafted on the stack.
  64. 0x05 - Malware analysis. The exploit created an empty iso88591 file and mapped it to memory in order to get an executable space where shellcode could be copied and executed.
  65. 0x05 - Malware analysis. The AcroRd32.exe process was also abused to load the icucnv34.dll module, a DLL which was not compiled with ASLR and is therefore always loaded at the same address in memory. It is then possible to use its own IAT to get the address of ASLRed Kernel32 APIs.
  66. 0x05 - Malware analysis. As a consequence, both DEP & ASLR were bypassed! Finally, the exploit also worked on Vista and 7, as it didn’t use hardcoded XP syscalls. So basically it was already the end of the game…
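Two analysis steps from slides 59, 60 and 65 combined into one added example (not the talk’s own scripts): recovering a repeating 4-byte XOR key from the known DOS header of an embedded PE, decoding it whatever its offset in the carrier, and then reading the decoded module’s DllCharacteristics to tell whether it opted into ASLR and DEP, the property that made the icucnv module usable for ROP. The sample carrier, the minimal PE and the byte order of the key 0x4114D345 are assumptions.

```python
import struct

# PE optional-header DllCharacteristics flags (public PE/COFF constants).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linked with /NXCOMPAT (DEP opt-in)

# The 4-byte XOR key reported in the talk. Treating it as big-endian bytes is an assumption.
TALK_KEY = (0x4114D345).to_bytes(4, "big")


def build_minimal_pe(dll_characteristics):
    """Constructed sample: a minimal PE32 header (DOS header and stub, PE signature,
    COFF header, optional header) carrying the requested DllCharacteristics.
    It is not loadable; it only has enough structure for header parsing."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 60)       # e_cblp = 0x90 as the MS linker writes it
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # offset of the PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$"
    header = bytes(dos) + stub
    header += b"\x00" * (e_lfanew - len(header))
    # COFF header: i386, 1 section, no symbols, 224-byte optional header, DLL|EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)           # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return header + b"PE\x00\x00" + coff + bytes(opt)


def xor_decode(blob, key):
    """Repeating-key XOR with the key phase aligned to blob offset 0 (symmetric, so it also encodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(blob, offset, known=b"MZ\x90\x00"):
    """Known-plaintext recovery of a 4-byte repeating XOR key.

    Assumes an encrypted PE starts at `offset` in `blob`, so its first four bytes
    decrypt to the DOS header `known`. The returned key is phase-aligned to blob
    offset 0, so xor_decode(blob, key) is correct whatever `offset` mod 4 is."""
    raw = bytes(c ^ p for c, p in zip(blob[offset:offset + 4], known))
    # raw[j] == key[(offset + j) % 4]  =>  key[k] == raw[(k - offset) % 4]
    return bytes(raw[(k - offset) % 4] for k in range(4))


def pe_mitigations(image):
    """Read DllCharacteristics from a PE image and report the ASLR/DEP opt-in flags."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at optional-header offset 70 for both PE32 and PE32+.
    flags = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def key_rotations(key):
    """All phase shifts of a repeating key; two keys that differ only by phase decode alike."""
    return {key[i:] + key[:i] for i in range(len(key))}


def analyse_container(container, offset):
    """Recover the key, decrypt from `offset` onwards and report the DLL's mitigation flags."""
    key = recover_xor_key(container, offset)
    dll = xor_decode(container, key)[offset:]
    return {"key": key, "mitigations": pe_mitigations(dll), "dll": dll}


def build_sample_container():
    """Constructed sample: a carrier with a XOR-encrypted DLL (no ASLR, no DEP) embedded at
    an offset that is not a multiple of 4, to exercise the key-phase handling."""
    dll = build_minimal_pe(0)
    prefix = b"%PDF-1.4\n%junk\n"                                  # 15 bytes, 15 mod 4 == 3
    container = prefix + xor_decode(dll, TALK_KEY) + b"\n%%EOF\n"
    return container, len(prefix), dll


if __name__ == "__main__":
    container, offset, original = build_sample_container()
    result = analyse_container(container, offset)
    print("recovered key (phase 0): %s" % result["key"].hex())
    print("matches the talk's key up to rotation:", TALK_KEY in key_rotations(result["key"]))
    print("mitigations:", result["mitigations"])
```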
  67. 0x05 - Malware analysis. The malware also used some tricks to prevent its analysis. For example, each time we used a Memory BP, we arrived in a long loop which always ended with an exception. After having dropped another binary from itself, “mea.dll” overwrites part of its own Text section to prevent memory dumps. The malware also skipped part of its code while running within Immunity Debugger. For example, the “adobe1.exe” file was not dropped, even when the hidedebug plugin was used.
  68. 0x05 - Malware analysis. Another trick was to parse process names. When Process Monitor was running, we didn’t see anything… We had far more results by just renaming the tool: we showed the creation of a new binary. File access monitoring confirmed the creation of the new “adobe1.exe” binary.
  69. This new binary was an unencrypted dropper.
  70. 0x05 - Malware analysis. This was also confirmed through a behaviour analysis. Here we simply used a rogue DNS service to redirect traffic to an analysis server.
  71. 0x05 - Malware analysis. This process downloaded the “update2.exe” binary from www.bringithomedude.com.
  72. 0x05 - Malware analysis. And here we are! The final aim of hackers was to silently get and execute a banking Trojan derived from SpyEyes code. So let’s summarize what happened here.
  73. 0x05 - Malware analysis (slides 73 to 79 are image-only summary diagrams of the attack; no text to recover)
  80. 0x05 - Malware analysis. The file adobe1.exe is a simple loader of 2’560 bytes. It was not encrypted. On the other hand, the final update2.exe malware was a C# based binary of 668 Kb which included several protections aimed at preventing its reverse engineering. Disassembly revealed BASE64 encoding for raw data as well as encryption algorithms based on MD5 (System.Security.Cryptography.MD5CryptoServiceProvider), 3DES (System.Security.Cryptography.TripleDESCryptoServiceProvider) and AES (System.Security.Cryptography.RijndaelManaged).
  81. 0x05 - Malware analysis. When this attack occurred, those files were undetected by most antivirus. A few European antivirus detected a potential threat, but all Eastern solutions such as Kaspersky, NOD32, DrWeb32 or VBA32 didn’t detect anything. It is therefore possible that the Russian market was the initial target of our malware writers.
  82. 0x05 - Malware analysis. On the 8th October 2010, 16 antivirus engines out of 43 detected a potential threat in the final binary. The detection rate was about 37%. On the 15th October 2010, 19 antivirus engines out of 43 were efficient. The detection rate is about 44%. Around 8 months later, on the 2nd June 2011, 34 antivirus engines out of 43 detected a potential threat. This is a detection rate of 79%. Kaspersky, McAfee, Sophos and Microsoft were the most reactive.
  83. 0x05 - Malware analysis. Panda, Gdata and Sophos were the next ones. ClamAV, eSafe, F-Secure, Fortinet & PrevX have proven far less effective. The final payload behaved like Zbot. It was based on a mutation of SpyEyes. It is a Trojan aimed at the financial sector, and it is able to disable the Windows Firewall and steal financial data, such as credit card numbers, eBanking information or trading credentials. Common Trojan features were also available, such as screen capture, additional malware download or remote administration capabilities.
  84. 0x05 - Malware analysis. Upon execution, the Trojan creates a folder named svhostxxup.exe on the c: drive. Then it creates the files config.bin and svhostxxup.exe in that folder. The latter binary is then called. It is responsible for creating new memory pages in several system applications’ address space, and therefore permits attackers to inject their malicious code into privileged programs.
  85. 0x05 - Malware analysis. The Trojan then modifies a few registry keys and becomes persistent.
  86. 0x05 - Malware analysis. The Reverse-Trojan also verifies the path from which it was run, and it checks whether the file “C:\Documents.exe”, “C:\Documents and Settings\user\Desktop.exe” or “C:\Documents and Settings\user\Desktop\update2.exe” exists in order to authorize or deny its own execution. It also checks for the registry key “HKEY_CLASSES_ROOT\AppID\update2.exe”. These are common practices among malware writers to help disturbing Reverse Engineers.
  87. 0x05 - Malware analysis. The Trojan then gets the compromised computer name by querying LSA and lists the C: drive before doing a recursive search of living files within its parent directory. Getting computer and user names is also a common practice for Trojans, as they most often need to declare unique zombies on their C&C server to permit accurate communication with Bot Herders.
  88. 0x05 - Malware analysis. The Trojan tried to send HTTP packets to 2 different servers. After having redirected those IP addresses with ARP Poisoning and simulating an HTTP service, we can see the Trojan saying a kind of “Hello, I’m here” to those web applications.
  89. 0x05 - Malware analysis. The first server was probably aimed at offering an alternate route in case the second one was taken down. It actually forwarded its packets to greenchina.com.
  90. 0x05 - Malware analysis. The involved domains have existed for quite a long time. The serv.com and greenchina.com domains were respectively registered in November 1994 and April 2001. The IP addresses which received the suspicious GET requests, 211.119.134.197 and 218.145.65.200, respectively hosted 1644 and 11 websites. Despite its parameters, the URL http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 did not look so dangerous...
  91. 0x05 - Malware analysis. It visually reached a standard webpage… But there was hidden information.
  93. 0x06 - Conclusion. Finally, the target of this complex attack was not directly our client, but his own customers. For sure, it has also impacted Fedor-Trading. Once the website was compromised, everything happened really fast. Attacks were initiated by an unfair competitor who afforded the services of the underground market. Both financial companies are present in Switzerland and abroad.
  94. 0x06 - Conclusion. So globally the attack implied: Malware Code Writing (dropper, downloader, Banking Trojan); 0-day Uncovering (Adobe Reader stack buffer overflow); Social Engineering (Forex Regulation); Web Attacks (Sh404Sef SQL Injection); and most probably money transfer. In fact, we are typically in a modern scenario of underground skills renting.
  95. 0x06 - Conclusion (image-only slide; no text to recover)
  96. 0x06 - Conclusion. This offers many business opportunities.
  97. 0x06 - Conclusion. Organised cybercrime exists in lots of countries, and a sophisticated underground economy has rapidly flourished these last years. But the huge majority of attacks involved China, Russia and Brazil.
  98. 0x06 - Conclusion. There is much less Hacking For Fun, and much more Hacking For Profit. Cybercrime has therefore become an enterprise with a thriving underground economy. New cybercriminals don’t have to develop their own code… They can rent botnets and even purchase licensed malware that comes with its own tech support. Cybercrime is now developing and spreading faster than ever. So welcome to the World Wild Web… And happy Forensics! :)
  99. xC29900: RETN 99. Your questions are always welcome! frederic.bourla@htbridge.ch
