Advanced Persistent Threats – Myth or Reality?
Rahul Mohandas, Research Manager, McAfee
October 20, 2011
Speaker notes

• Source for the exploit price figures (slide 6): http://www.darkreading.com/security/security-management/208803924/bucks-for-bugs.html
• RSA was breached in March 2011 through an Adobe Flash vulnerability, CVE-2011-0609, which was discovered as a zero-day that same month. The carrier Flash file was embedded inside an Excel file. When the Excel file is opened on a machine with a vulnerable Flash Player, the exploit is triggered: it loads shellcode into memory, performs heap spraying, and loads a second Flash byte stream from memory to exploit the vulnerability. Once the exploit succeeds, a backdoor (Poison Ivy) is installed on the machine.
• getproperty: get the named property of the given target object. coerce: convert a value to the type given by the name argument; this implements the ES4 implicit conversion.
• Stuxnet:
  – Discovered in July 2010 by VirusBlokAda, Minsk, Belarus
  – Affecting 14 plants to date in Iran, Indonesia, India, UK, North America, Korea
  – Targets Siemens WinCC and SIMATIC Process Control System (PCS 7)
  – Triggered when a user opens a folder that contains the crafted .lnk files (.pif files are also vulnerable)
  – Rootkit drivers signed with valid certificates (Realtek and JMicron)
  – UPX packed, XOR encoded everywhere
  – Once loaded, queries the Siemens database using a known default password
  – Connects to C&C servers, sending sensitive data
  – Manipulates the database to control the HMI output and manipulates the PLCs
• Uses four 0-day vulnerabilities plus MS08-067, the flaw Conficker also exploited:
  – Shortcut icon vulnerability (CVE-2010-2568 / MS10-046), affecting every version of Windows since Windows 2000 (even Win95); patched Aug. 2
  – Design flaw in the Print Spooler (MS10-061 / CVE-2010-2729); patched on Patch Tuesday
  – Two privilege escalation exploits (win32k.sys keyboard layout, MS10-073, and Task Scheduler, MS10-092); unpatched at the time of discovery
• Stuxnet capabilities:
  – Decrypt the configuration data used by the threat
  – Drop two .sys files and install them as a kernel-level rootkit
  – Access files created by the Siemens Step 7 software package
  – Update itself
  – Drop more .dll and .dat files
  – Infect removable drives with custom .lnk files
  – Inject into the lsass.exe process and execute custom code
  – Inject into the iexplore.exe process
  – Check if certain antivirus applications are running
  – Scan the network for servers
  – Remove itself
  – Communicate with the C&C server

Slides
Agenda
• Threat Landscape – Past, Present & Future
• Advanced Persistent Threats
  – The definition
  – Phases
  – Threat vectors
  – Associated costs
• Recent APT Attacks Demystified
  – RSA Hack & Adobe Flash zero-day
  – Stuxnet: A step closer to hardware
• Simulating a Real World Attack (DEMO)

The information in this presentation is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

Advanced Persistent Threats – The definition
• Actors – state sponsored / activists / members of organized crime
• Motives – economic and political gain
• Targets – IP-rich organizations
• Goals – steal sensitive data, monitor communication or disrupt operations
(slide footer date: January 2, 2012)

Advanced Persistent Threats – Phases
• Step 1: Reconnaissance
• Step 2: Establish a backdoor
• Step 3: Steal user credentials
• Step 4: Data exfiltration
• Step 5: Maintain persistence

Advanced Persistent Threats – Threat vectors
• Social-engineering attacks
  – Spear phishing
  – Drive-by downloads
  – Email attachments
• Physical device infections
  – Infected memory sticks / storage devices
  – Tampered equipment
• Internet infections
  – SQL injection
  – Application / network vulnerabilities
  – DNS poisoning
Advanced Persistent Threats – Associated costs
• APTs are not constrained by cost or revenue.
• 0-day cost ~ $100k

  Vulnerability/Exploit     Value                 Source
  "Some exploits"           $200,000 - $250,000   Various industry sources
  A "real good" exploit     over $100,000         Official from SNOsoft research
  Vista exploit             $50,000               Raimund Genes, Trend Micro
  "Weaponized exploit"      $20,000 - $30,000     David Maynor, SecureWorks

• APT cost – Stuxnet utilized four 0-day exploits. Including development and weaponization costs, the attack was worth well over half a million dollars.
RSA Hack & Adobe Flash zero-day

Advanced Persistent Threats – RSA attack
(slide contains only a diagram of the attack)
Advanced Persistent Threats – History of Flash exploits

  Detection       Description                                                         First reported
  CVE-2007-0071   Vulnerability in DefineSceneAndFrameLabelData tag                   June 2008
  CVE-2010-1297   Vulnerability in AVM2 New Function()                                June 2010
  CVE-2010-2884   Vulnerability in ActionScript Virtual Machine 2                     September 2010
  CVE-2010-3654   Vulnerability in AVM2 MultiName button class                        October 2010
  CVE-2011-0609   Vulnerability in AVM2 verifier while handling branch instructions   March 2011
  CVE-2011-0611   Vulnerability in AVM1 bytecode                                      July 2011
Advanced Persistent Threats – CVE-2011-0609 vulnerability

  Clean                                     Malicious
  4CC4  10 07 00 00   jump loc_4CCF         3EA1  10 29 00 00   jump loc_3ECE
  ...                                       ...
  4CCF  80 2C         coerce                3ECE  66 D6 02      getproperty <name>

0x10 is the unconditional branch opcode; in the malicious file the branch offset is altered so that control lands on a different instruction.
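The following Python is an added example, not code from the slides or from the RSA sample: it decodes the two AVM2 `jump` instructions shown above and the instruction each one transfers control to, so the difference between the clean and the altered branch can be checked mechanically. Opcode numbers (jump 0x10, coerce 0x80, getproperty 0x66) and the s24/u30 field encodings are those of the AVM2 specification; the bytes between each jump and its target, which the slide shows as "...", are assumed to be nop (0x02) here.

```python
# Added example, not from the slides: decode an AVM2 `jump` and show where the
# CVE-2011-0609 sample's altered branch lands. Opcode numbers and the s24/u30
# encodings are from the AVM2 specification; the filler bytes between the jump
# and its target (shown as "..." on the slide) are assumed to be nop (0x02).

OPCODES = {0x02: "nop", 0x10: "jump", 0x66: "getproperty", 0x80: "coerce"}

def read_s24(code, pos):
    """AVM2 s24: little-endian signed 24-bit integer, used for branch offsets."""
    if pos + 3 > len(code):
        raise ValueError("truncated s24 at %d" % pos)
    val = code[pos] | (code[pos + 1] << 8) | (code[pos + 2] << 16)
    return val - 0x1000000 if val & 0x800000 else val

def read_u30(code, pos):
    """AVM2 u30: 7-bit groups, low group first, high bit set on all but the last.
    Returns (value, position after the field)."""
    val, shift = 0, 0
    while True:
        b = code[pos]
        pos += 1
        val |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80) or shift > 28:
            return val & 0x3FFFFFFF, pos

def jump_target(code, pos, base):
    """Target of the jump at `pos`: the offset is relative to the end of the
    4-byte instruction, so target = base + pos + 4 + s24."""
    if code[pos] != 0x10:
        raise ValueError("not a jump at 0x%X" % (base + pos))
    return base + pos + 4 + read_s24(code, pos + 1)

def disasm_one(code, pos, base):
    """Disassemble the single instruction at `pos` (only the opcodes above)."""
    op = code[pos]
    name = OPCODES.get(op, "op_%02x" % op)
    if op == 0x10:
        return "%s loc_%X" % (name, jump_target(code, pos, base))
    if op in (0x66, 0x80):
        index, _ = read_u30(code, pos + 1)   # multiname index into the constant pool
        return "%s <multiname 0x%X>" % (name, index)
    return name

def follow_jump(code, base):
    """Decode the jump at the start of `code` and the instruction it transfers
    control to. Returns (target address, disassembly at the target)."""
    target = jump_target(code, 0, base)
    return target, disasm_one(code, target - base, base)

# Byte sequences from the slide, with assumed nop filler between jump and target.
CLEAN = bytes([0x10, 0x07, 0x00, 0x00]) + b"\x02" * 7 + bytes([0x80, 0x2C])
MALICIOUS = bytes([0x10, 0x29, 0x00, 0x00]) + b"\x02" * 0x29 + bytes([0x66, 0xD6, 0x02])

if __name__ == "__main__":
    for label, code, base in (("clean", CLEAN, 0x4CC4), ("malicious", MALICIOUS, 0x3EA1)):
        target, insn = follow_jump(code, base)
        print("%-9s %s  ->  %04X: %s" % (label, disasm_one(code, 0, base), target, insn))
```

Running it prints that the clean jump lands on `coerce <multiname 0x2C>` at 0x4CCF while the malicious jump lands on `getproperty <multiname 0x156>` at 0x3ECE; the same target arithmetic (end of instruction plus signed 24-bit offset) is what the AVM2 verifier has to apply when it checks branch targets, which is the code path the slide's table names for this CVE.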
Advanced Persistent Threats – Poison Ivy backdoor, decrypted
(slide contains only a screenshot of the decrypted backdoor)

Advanced Persistent Threats – Signature evasion techniques
• public function loadBytes(bytes:ByteArray, context:LoaderContext = null):void
• Loads from binary data stored in a ByteArray object
• bytes:ByteArray – A ByteArray object. The contents of the ByteArray can be any of the file formats supported by the Loader class: SWF, GIF, JPEG, or PNG.
• Diagram: the exploit keeps the Flash file XOR'ed with a key inside the ByteArray; the real file header only appears after the XOR is undone at runtime, so a signature looking for the SWF header in the carrier file does not match.
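As an added example (not code from the slides or from the RSA sample), the following Python does on the analyst side what the ActionScript does at runtime: it finds a single-byte-XOR'ed SWF inside a byte blob by known plaintext against the SWF magic ("FWS"/"CWS") instead of brute force, undoes the XOR, and parses the recovered header. The blob, the key 0x5A, the junk bytes around the file and the SWF body are all constructed here; the accepted version range is an assumption.

```python
# Added example, not from the slides: recover a Flash file that an exploit kept
# as a XOR'ed ByteArray and decoded at runtime before calling
# Loader.loadBytes(). The key is recovered by known plaintext against the SWF
# magic ("FWS"/"CWS"), not by brute force. The blob, the key 0x5A and the
# SWF body are constructed here; they are not from the RSA sample.
import zlib

SWF_MAGICS = (b"FWS", b"CWS")   # uncompressed and zlib-compressed SWF

def xor_bytes(data, key):
    """Single-byte XOR, the same loop the ActionScript runs before loadBytes()."""
    return bytes(b ^ key for b in data)

def find_xored_swf(blob):
    """Look for a single-byte-XOR'ed SWF header anywhere in `blob`.
    Returns (offset, key, blob[offset:] decoded) or None.
    The first magic byte yields a candidate key; the other two magic bytes and
    a plausible version byte confirm it."""
    for off in range(len(blob) - 8):
        for magic in SWF_MAGICS:
            key = blob[off] ^ magic[0]
            if bytes(b ^ key for b in blob[off:off + 3]) != magic:
                continue
            version = blob[off + 3] ^ key
            if not 1 <= version <= 40:      # plausible SWF version range (assumption)
                continue
            return off, key, xor_bytes(blob[off:], key)
    return None

def parse_swf_header(swf):
    """Return (magic, version, declared_len, body, trailing). `declared_len`
    covers the whole uncompressed file including the 8-byte header; CWS bodies
    are inflated, and bytes left after the zlib stream are reported separately."""
    magic, version = swf[:3], swf[3]
    declared_len = int.from_bytes(swf[4:8], "little")
    body, trailing = swf[8:], b""
    if magic == b"CWS":
        d = zlib.decompressobj()
        body = d.decompress(swf[8:])
        trailing = d.unused_data
    return magic, version, declared_len, body, trailing

def recover(blob):
    """Full pipeline: locate, decode and sanity-check the embedded SWF."""
    hit = find_xored_swf(blob)
    if hit is None:
        return None
    off, key, decoded = hit
    magic, version, declared_len, body, trailing = parse_swf_header(decoded)
    return {"offset": off, "key": key, "magic": magic, "version": version,
            "declared_len": declared_len, "body_len": len(body),
            "length_ok": declared_len == 8 + len(body), "trailing": len(trailing)}

def build_sample_blob(key=0x5A):
    """Constructed input: a tiny CWS file with a made-up body, XOR'ed with `key`
    and surrounded by junk, as the ByteArray literal in an exploit might be."""
    body = bytes(range(29))                      # arbitrary bytes, not real SWF tags
    swf = b"CWS" + bytes([10]) + (8 + len(body)).to_bytes(4, "little") + zlib.compress(body)
    return b"\x00\x11\x22\x33" + xor_bytes(swf, key) + b"\x44\x55"

if __name__ == "__main__":
    print(recover(build_sample_blob()))
```

The same known-plaintext trick works for the other Loader formats on the slide (GIF, JPEG, PNG all have fixed magic bytes), and the header checks (magic, version, declared length versus inflated length) are what separate a real hit from a chance three-byte collision in a large blob.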
Stuxnet – A step closer to the hardware

Advanced Persistent Threat – Stuxnet overview
• Initial delivery: online or via USB drive
• Propagation: exploits FOUR new, unknown vulnerabilities
• Actual target: specific nuclear enrichment controllers (Siemens PLCs driving nuclear enrichment centrifuges)

Advanced Persistent Threat – Stuxnet under the hood
Components of the Stuxnet worm (diagram):
• Exploits – MS10-046, MS10-061, MS08-067, MS10-073, MS10-092, CVE-2010-2772
• Rootkit
• Anti-AV
• Covert digital certificate
• Propagation – USB drives, P2P, network
• Controller (the PLC)
Advanced Persistent Threat – Stuxnet working (cont.)
• When the folder is opened in Explorer.exe, the .lnk files exploit the 0-day vulnerability to silently load the first file, ~WTR4141.tmp (a DLL), into memory and pass control to it (execute it) in the Explorer.exe address space.
  – Once running, the worm's rootkit features hide all file names ending in .lnk and starting with ~wtr (including the above files) by hooking the following APIs:
    • FindFirstFileW
    • FindNextFileW
    • FindFirstFileExW
    • NtQueryDirectoryFile
    • ZwQueryDirectoryFile
• It then loads the second .tmp file, ~WTR4132.tmp (a .CPL file).

Advanced Persistent Threat – Stuxnet MRxCls.sys & MRxNet.sys
MRxCls.sys (sample hash 0xF8153747BAE8B4AE48837EE17172151E)
• Injects malicious code into existing processes (services.exe, svchost.exe, lsass.exe)
• Creates the HKLM\System\CurrentControlSet\Services\MRxCls registry key
MRxNet.sys (sample hash 0xCC1DB5360109DE3B857654297D262CA1)
• Monitors system events and activities (e.g. new program loading); hides *.tmp files
• Creates the HKLM\System\CurrentControlSet\Services\MRxNet registry key

Stuxnet – Command and Control (C&C/C2)
• Stuxnet attempts to access the following C&C servers:
  – www.mypremierfutbol.com
  – www.todaysfutbol.com
• The data is encrypted and sent:
  – http://mypremierfutbol.com/index.php?data=66a96e2888c9bb53f503e334d5d775e99b7905ac6e541529e2dadd4640fa3f995391d36ff2a7c058a21d699d2fb4a875ec1ce7a0f9e7dd11b6bfa1fe5377d602c39621b7f329
• The malware uses an RPC protocol for requesting a service from the client (compromised machine) over the network.
• The following actions may be executed in response to RPC calls:
  – create process, terminate process, read file, write file, delete file, set file attribute, inject file into a system process
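The three slides above (removable-drive payloads, the two driver services, and the C&C beacons) each describe an observable a responder can check for. The Python below is an added example, not code from the slides or from McAfee: it turns those observables into three small checks run over constructed sample data. The ~WTR file pattern, hooked API names, service names and C&C hosts are the ones the slides list; the directory listing, service table, driver paths, client addresses and proxy log lines are constructed, and the log layout (timestamp, client, method, URL) is an assumption.

```python
# Added example, not from the slides: simple checks for the Stuxnet behaviours
# on slides 16 to 18. File name patterns, hooked APIs, service names and C&C
# hosts are the ones the slides list; the directory listing, service table and
# proxy log lines are constructed sample input, and the log layout
# (timestamp client method url) is an assumption.
import re
from urllib.parse import urlparse, parse_qs

# Slide 16: .lnk files plus two ~WTRnnnn.tmp payloads (a DLL and a .CPL) on the
# removable drive; the rootkit hides both name patterns from directory listings.
WTR_RE = re.compile(r"^~wtr\d{4}\.tmp$", re.IGNORECASE)
# Slide 17: driver services registered under HKLM\System\CurrentControlSet\Services.
ROOTKIT_SERVICES = {"MRxCls", "MRxNet"}
# Slide 18: C&C hosts; the beacon is an HTTP GET carrying a hex `data` parameter.
C2_HOSTS = {"www.mypremierfutbol.com", "mypremierfutbol.com",
            "www.todaysfutbol.com", "todaysfutbol.com"}
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

def scan_drive_listing(names):
    """Flag the .lnk + ~WTR*.tmp pairing. `names` must come from a source the
    rootkit cannot filter (a forensic image, or a clean host reading the drive):
    on an infected host the hooked FindFirstFileW/NtQueryDirectoryFile calls
    would omit the ~wtr files and the .lnk files."""
    lnks = [n for n in names if n.lower().endswith(".lnk")]
    tmps = [n for n in names if WTR_RE.match(n)]
    return {"suspicious": bool(lnks) and len(tmps) >= 2, "lnk": lnks, "tmp": tmps}

def scan_services(services):
    """`services` maps service name -> image path, e.g. an export of the
    Services key. Returns the Stuxnet driver services that are present."""
    return sorted(name for name in services if name in ROOTKIT_SERVICES)

def scan_proxy_log(lines):
    """One finding per request to a Stuxnet C&C host: client, host, and the
    decoded length of the `data` parameter (None if it is not clean hex)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        u = urlparse(url)
        if u.hostname not in C2_HOSTS:
            continue
        data = parse_qs(u.query).get("data", [""])[0]
        findings.append({"time": ts, "client": client, "host": u.hostname,
                         "data_bytes": len(data) // 2 if HEX_RE.match(data) else None})
    return findings

# Constructed sample input (names, paths and addresses are illustrative).
SAMPLE_LISTING = ["shortcut1.lnk", "shortcut2.lnk", "~WTR4141.tmp",
                  "~WTR4132.tmp", "report.pdf"]
SAMPLE_SERVICES = {"MRxSmb": r"\SystemRoot\system32\DRIVERS\mrxsmb.sys",
                   "MRxCls": r"\??\C:\WINDOWS\system32\Drivers\mrxcls.sys",
                   "MRxNet": r"\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"}
SAMPLE_LOG = [
    "2010-07-14T09:12:01Z 10.0.5.23 GET http://www.example.com/index.html",
    "2010-07-14T09:12:07Z 10.0.5.23 GET http://www.mypremierfutbol.com/index.php?data=66a96e2888c9bb53",
    "2010-07-14T09:13:40Z 10.0.5.41 GET http://www.todaysfutbol.com/index.php?data=not-hex",
]

if __name__ == "__main__":
    print(scan_drive_listing(SAMPLE_LISTING))
    print(scan_services(SAMPLE_SERVICES))
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f)
```

The drive check is deliberately fed a listing rather than a live directory walk: because the rootkit hooks the very APIs a directory walk uses, a listing taken on the infected host would come back clean, which is the caveat the API list on slide 16 carries. The proxy check only reports that a beacon occurred and how much data it carried; decrypting the `data` blob is outside what the slides describe.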
Simulating a Real World Attack (DEMO)

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright © 2011 McAfee, Inc.
