SlideShare une entreprise Scribd logo

Careto: Unmasking a New Level in APT-ware

Télécharger en tant que PPTX, PDF
Lumension
Lumension
Technologie
1  sur  15
Sponsored by Careto:Unmasking a New Level inAPT-ware © 2014 Monterey Technology Group Inc.
Thanks to DanTeal, Sr. Architect © 2014 Monterey Technology Group Inc. www.Lumension.com
Preview of Key Points  Installation  Backdoor components  Use of certificates  Exploit sites  Communication  Command and control servers  Exploits used © 2014 Monterey Technology Group Inc.
Overview  Used many sources for my research but in particular the 65 page Kaspersky report  380 victims in 31 countries  Targets  Government  Energy, oil and gas  Private companies  Research institutions  Financial  Activists  32 and 64 bitWindows  Linux, Mac and Android  2 main components  Careto  User level, collects system info, runs arbitrary code  SGH  Kernel mode  Rootkit  Intercepts system calls  Steals files  Extensible  Skype, encryption keys, WiFi traffic,keystrokes, screen capture… © 2014 Monterey Technology Group Inc.
Initial attack  Began with spear fishing attacks  Videos related to political subjects  Food recipes  Links to malicious server using disguised URLs  After infection redirected to actual resource user expecting © 2014 Monterey Technology Group Inc.
Exploit server  Victim first hits java code to profile their endpoint  Browser  Plugins  OS  Version of Office  Java version  Then depending on profile redirected to appropriate subdirectory for their PC profile  Exploits  Java  Signed applets via CVE-2011-3544  Flash  Plugins for Chrome and Firefox  Windows, linux and OS X © 2014 Monterey Technology Group Inc.
Exploit to Install  Java exploit 1  Redirected to html file that tries to load run signed java applet  Jar file uses CVE-2011-3544  Pulls an exe out of icon.jpg from the Jar file  Java exploit 2  Uses JNLP files  Claims to be Oracle Java update and ask for permission to install  Another Java exploit apparently tailored for Macs  Flash exploit  Leverages CVE-2012-0773  Originally developed byVUPEN to win the pwn2own contest  First known exploit to defeat Chrome sandbox  Chrome plugin  Relied on users to clickContinue on the Chrome “may harm your computer” warning. © 2014 Monterey Technology Group Inc.
Installer  Windows standalone executable installer  Valid signature: TecSystem Ltd., Sofia, BG  Expired 2013.06.28  Extracts the appropriate DLL that hosts the persistent backdoor  32/64 bit named objframe.dll  Saves to either %system% or %appdata% depending on Windows version  Uses or eschews admin authority depending on UAC  Changes file meta data to match kernel.dll  Replaces a COM object in the registry © 2014 Monterey Technology Group Inc.
Backdoor persisitence  Objframe.dll activated in every application that uses the hijacked COM object  Primary targetWindows Explorer – perfect  Loads in the hijacked class DLL  Erases itself from the processes module list  Loads another system DLL not used by current process  Then overwrites contents off that DLL in memory with itself  But leaves the module list alone  Disguising its presence  Would have to compare actual memory contents of library to the file on disk © 2014 Monterey Technology Group Inc.
Communication withC&C Servers  Now watches for calls to start IE, Chrome or Firefox  Injects itself into the browser  AllC&C communication through the browser  Evade local firewalls  Communicates with C&C servers via http/https GET and POST verbs  C&C server sends back commands  Upload  Execute  System report  Etc © 2014 Monterey Technology Group Inc.
SGH module  Even more sophisticated  Careto and SGH can install each other  SGH runs in Kernel mode  Extensible modules include  Skype  Keylogger  File content  Network traffic  Skype  Screenshots  Email messages © 2014 Monterey Technology Group Inc.
How could Careto have been defeated? Spearfishing email Malicious URL Java/Flash Exploit Malware executables installed DLL injected Phone home Awareness training Spearfishing Clicking yes on updatesand warnings Web filtering Patching Application Control Memory protection Next Gen Network Protection © 2014 Monterey Technology Group Inc.
How do you prevent malware like this?
Additional Information Free Security Scanner Tools  Application Scanner – discover all the apps being used in your network  Device Scanner – discover all the devices being used in your network https://www.lumension.com/resources/ premium-security-tools.aspx Reports  Whitepaper “The State of APT Preparedness” from UBM Tech at https://www.lumension.com/resources/ WhitePapers/The-State-of-APT-Preparedness  On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at https://www.lumension.com/resources/ Webcasts/Top-9-Mistakes-of-APT-Victims Free Trial (virtual or download) http://www.lumension.com/endpoint- management-security-suite/free-trial.aspx
Additional Information www.lumension.com/endpoint-management-security-suite/buy-now.aspx

Recommandé

Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardeninganupriti
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesBunmi Sowande
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 

Recommandé

Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android system security
Android system securityAndroid system security
Android system securityChong-Kuan Chen
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardeninganupriti
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesBunmi Sowande
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Remote File Inclusion
Remote File InclusionRemote File Inclusion
Remote File InclusionImperva
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
Network security
Network securityNetwork security
Network securityAkhilesh Jain
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresAlexander Benoit
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-securityVamsee Krishna Kiran
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Network Security Risk
Network Security RiskNetwork Security Risk
Network Security RiskDedi Dwianto
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMfaraz hussain
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Network security
Network securityNetwork security
Network securityسودان وب لأمن المعلومات
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 
Privacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendancePrivacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendanceDario Musolino
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 

Contenu connexe

Tendances

Remote File Inclusion
Remote File InclusionRemote File Inclusion
Remote File InclusionImperva
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresAlexander Benoit
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Network Security Risk
Network Security RiskNetwork Security Risk
Network Security RiskDedi Dwianto
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMfaraz hussain
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 

Tendances (20)

Remote File Inclusion
Remote File InclusionRemote File Inclusion
Remote File Inclusion
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
Network security
Network securityNetwork security
Network security
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Android security
Android securityAndroid security
Android security
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included features
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Network Security Risk
Network Security RiskNetwork Security Risk
Network Security Risk
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
COMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEMCOMPUTER SECURITY AND OPERATING SYSTEM
COMPUTER SECURITY AND OPERATING SYSTEM
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Network security
Network securityNetwork security
Network security
 
Android Security
Android SecurityAndroid Security
Android Security
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.
 

En vedette

Privacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendancePrivacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendanceDario Musolino
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
O briens2010
O briens2010O briens2010
O briens2010Praxiom
 
Managing performance
Managing performanceManaging performance
Managing performancePraxiom
 
Twas the day before renewal[1]
Twas the day before renewal[1]Twas the day before renewal[1]
Twas the day before renewal[1]Praxiom
 
Peo administrative cost calculator
Peo administrative cost calculatorPeo administrative cost calculator
Peo administrative cost calculatorPraxiom
 
Managing performance
Managing performanceManaging performance
Managing performancePraxiom
 
Corporate risk management
Corporate risk managementCorporate risk management
Corporate risk managementPraxiom
 

En vedette (8)

Privacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendancePrivacy and data-treatment certificate of attendance
Privacy and data-treatment certificate of attendance
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
O briens2010
O briens2010O briens2010
O briens2010
 
Managing performance
Managing performanceManaging performance
Managing performance
 
Twas the day before renewal[1]
Twas the day before renewal[1]Twas the day before renewal[1]
Twas the day before renewal[1]
 
Peo administrative cost calculator
Peo administrative cost calculatorPeo administrative cost calculator
Peo administrative cost calculator
 
Managing performance
Managing performanceManaging performance
Managing performance
 
Corporate risk management
Corporate risk managementCorporate risk management
Corporate risk management
 

Similaire à Careto: Unmasking a New Level in APT-ware

Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
AI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAlex G. Lee, Ph.D. Esq. CLP
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 

Similaire à Careto: Unmasking a New Level in APT-ware (20)

Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
Code protection
Code protectionCode protection
Code protection
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
AI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from Patents
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
UNIT-4.docx
UNIT-4.docxUNIT-4.docx
UNIT-4.docx
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
Ransomware
RansomwareRansomware
Ransomware
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 

Plus de Lumension

Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Using SCCM 2012 r2 to Patch Linux, UNIX and MacsUsing SCCM 2012 r2 to Patch Linux, UNIX and Macs
Using SCCM 2012 r2 to Patch Linux, UNIX and MacsLumension
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers GuideLumension
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationTop 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationLumension
 
2014 BYOD and Mobile Security Survey Preliminary Results
2014 BYOD and Mobile Security Survey Preliminary Results2014 BYOD and Mobile Security Survey Preliminary Results
2014 BYOD and Mobile Security Survey Preliminary ResultsLumension
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension
 
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
Securing Your Point of Sale Systems: Stopping Malware and Data TheftSecuring Your Point of Sale Systems: Stopping Malware and Data Theft
Securing Your Point of Sale Systems: Stopping Malware and Data TheftLumension
 
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...Lumension
 
2014 Data Protection Maturity Survey: Results and Analysis
2014 Data Protection Maturity Survey: Results and Analysis2014 Data Protection Maturity Survey: Results and Analysis
2014 Data Protection Maturity Survey: Results and AnalysisLumension
 
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Greatest It Security Risks of 2014: 5th Annual State of Endpoint RiskGreatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Greatest It Security Risks of 2014: 5th Annual State of Endpoint RiskLumension
 
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
Windows XP is Coming to an End: How to Stay Secure Before You MigrateWindows XP is Coming to an End: How to Stay Secure Before You Migrate
Windows XP is Coming to an End: How to Stay Secure Before You MigrateLumension
 
Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Lumension
 
Real World Defense Strategies for Targeted Endpoint Threats
Real World Defense Strategies for Targeted Endpoint Threats Real World Defense Strategies for Targeted Endpoint Threats
Real World Defense Strategies for Targeted Endpoint Threats Lumension
 
APTs: The State of Server Side Risk and Steps to Minimize Risk
APTs: The State of Server Side Risk and Steps to Minimize RiskAPTs: The State of Server Side Risk and Steps to Minimize Risk
APTs: The State of Server Side Risk and Steps to Minimize RiskLumension
 
2014 Ultimate Buyers Guide to Endpoint Security Solutions
2014 Ultimate Buyers Guide to Endpoint Security Solutions2014 Ultimate Buyers Guide to Endpoint Security Solutions
2014 Ultimate Buyers Guide to Endpoint Security SolutionsLumension
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Lumension
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesLumension
 
BYOD & Mobile Security: How to Respond to the Security Risks
BYOD & Mobile Security: How to Respond to the Security RisksBYOD & Mobile Security: How to Respond to the Security Risks
BYOD & Mobile Security: How to Respond to the Security RisksLumension
 
3 Executive Strategies to Reduce Your IT Risk
3 Executive Strategies to Reduce Your IT Risk3 Executive Strategies to Reduce Your IT Risk
3 Executive Strategies to Reduce Your IT RiskLumension
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...Lumension
 
Defending Your Corporate Endpoints How to Go Beyond Anti-Virus
Defending Your Corporate Endpoints How to Go Beyond Anti-VirusDefending Your Corporate Endpoints How to Go Beyond Anti-Virus
Defending Your Corporate Endpoints How to Go Beyond Anti-VirusLumension
 

Plus de Lumension (20)

Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
Using SCCM 2012 r2 to Patch Linux, UNIX and MacsUsing SCCM 2012 r2 to Patch Linux, UNIX and Macs
Using SCCM 2012 r2 to Patch Linux, UNIX and Macs
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide
 
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate InformationTop 10 Things to Secure on iOS and Android to Protect Corporate Information
Top 10 Things to Secure on iOS and Android to Protect Corporate Information
 
2014 BYOD and Mobile Security Survey Preliminary Results
2014 BYOD and Mobile Security Survey Preliminary Results2014 BYOD and Mobile Security Survey Preliminary Results
2014 BYOD and Mobile Security Survey Preliminary Results
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
 
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
Securing Your Point of Sale Systems: Stopping Malware and Data TheftSecuring Your Point of Sale Systems: Stopping Malware and Data Theft
Securing Your Point of Sale Systems: Stopping Malware and Data Theft
 
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
2014 Security Trends: SIEM, Endpoint Security, Data Loss, Mobile Devices and ...
 
2014 Data Protection Maturity Survey: Results and Analysis
2014 Data Protection Maturity Survey: Results and Analysis2014 Data Protection Maturity Survey: Results and Analysis
2014 Data Protection Maturity Survey: Results and Analysis
 
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Greatest It Security Risks of 2014: 5th Annual State of Endpoint RiskGreatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
Greatest It Security Risks of 2014: 5th Annual State of Endpoint Risk
 
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
Windows XP is Coming to an End: How to Stay Secure Before You MigrateWindows XP is Coming to an End: How to Stay Secure Before You Migrate
Windows XP is Coming to an End: How to Stay Secure Before You Migrate
 
Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You?
 
Real World Defense Strategies for Targeted Endpoint Threats
Real World Defense Strategies for Targeted Endpoint Threats Real World Defense Strategies for Targeted Endpoint Threats
Real World Defense Strategies for Targeted Endpoint Threats
 
APTs: The State of Server Side Risk and Steps to Minimize Risk
APTs: The State of Server Side Risk and Steps to Minimize RiskAPTs: The State of Server Side Risk and Steps to Minimize Risk
APTs: The State of Server Side Risk and Steps to Minimize Risk
 
2014 Ultimate Buyers Guide to Endpoint Security Solutions
2014 Ultimate Buyers Guide to Endpoint Security Solutions2014 Ultimate Buyers Guide to Endpoint Security Solutions
2014 Ultimate Buyers Guide to Endpoint Security Solutions
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
BYOD & Mobile Security: How to Respond to the Security Risks
BYOD & Mobile Security: How to Respond to the Security RisksBYOD & Mobile Security: How to Respond to the Security Risks
BYOD & Mobile Security: How to Respond to the Security Risks
 
3 Executive Strategies to Reduce Your IT Risk
3 Executive Strategies to Reduce Your IT Risk3 Executive Strategies to Reduce Your IT Risk
3 Executive Strategies to Reduce Your IT Risk
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
 
Defending Your Corporate Endpoints How to Go Beyond Anti-Virus
Defending Your Corporate Endpoints How to Go Beyond Anti-VirusDefending Your Corporate Endpoints How to Go Beyond Anti-Virus
Defending Your Corporate Endpoints How to Go Beyond Anti-Virus
 

Dernier

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Dernier (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Careto: Unmasking a New Level in APT-ware

  • 1. Sponsored by Careto:Unmasking a New Level inAPT-ware © 2014 Monterey Technology Group Inc.
  • 2. Thanks to DanTeal, Sr. Architect © 2014 Monterey Technology Group Inc. www.Lumension.com
  • 3. Preview of Key Points  Installation  Backdoor components  Use of certificates  Exploit sites  Communication  Command and control servers  Exploits used © 2014 Monterey Technology Group Inc.
  • 4. Overview  Used many sources for my research but in particular the 65 page Kaspersky report  380 victims in 31 countries  Targets  Government  Energy, oil and gas  Private companies  Research institutions  Financial  Activists  32 and 64 bitWindows  Linux, Mac and Android  2 main components  Careto  User level, collects system info, runs arbitrary code  SGH  Kernel mode  Rootkit  Intercepts system calls  Steals files  Extensible  Skype, encryption keys, WiFi traffic,keystrokes, screen capture… © 2014 Monterey Technology Group Inc.
  • 5. Initial attack  Began with spear fishing attacks  Videos related to political subjects  Food recipes  Links to malicious server using disguised URLs  After infection redirected to actual resource user expecting © 2014 Monterey Technology Group Inc.
  • 6. Exploit server  Victim first hits java code to profile their endpoint  Browser  Plugins  OS  Version of Office  Java version  Then depending on profile redirected to appropriate subdirectory for their PC profile  Exploits  Java  Signed applets via CVE-2011-3544  Flash  Plugins for Chrome and Firefox  Windows, linux and OS X © 2014 Monterey Technology Group Inc.
  • 7. Exploit to Install  Java exploit 1  Redirected to html file that tries to load run signed java applet  Jar file uses CVE-2011-3544  Pulls an exe out of icon.jpg from the Jar file  Java exploit 2  Uses JNLP files  Claims to be Oracle Java update and ask for permission to install  Another Java exploit apparently tailored for Macs  Flash exploit  Leverages CVE-2012-0773  Originally developed byVUPEN to win the pwn2own contest  First known exploit to defeat Chrome sandbox  Chrome plugin  Relied on users to clickContinue on the Chrome “may harm your computer” warning. © 2014 Monterey Technology Group Inc.
  • 8. Installer  Windows standalone executable installer  Valid signature: TecSystem Ltd., Sofia, BG  Expired 2013.06.28  Extracts the appropriate DLL that hosts the persistent backdoor  32/64 bit named objframe.dll  Saves to either %system% or %appdata% depending on Windows version  Uses or eschews admin authority depending on UAC  Changes file meta data to match kernel.dll  Replaces a COM object in the registry © 2014 Monterey Technology Group Inc.
  • 9. Backdoor persisitence  Objframe.dll activated in every application that uses the hijacked COM object  Primary targetWindows Explorer – perfect  Loads in the hijacked class DLL  Erases itself from the processes module list  Loads another system DLL not used by current process  Then overwrites contents off that DLL in memory with itself  But leaves the module list alone  Disguising its presence  Would have to compare actual memory contents of library to the file on disk © 2014 Monterey Technology Group Inc.
  • 10. Communication withC&C Servers  Now watches for calls to start IE, Chrome or Firefox  Injects itself into the browser  AllC&C communication through the browser  Evade local firewalls  Communicates with C&C servers via http/https GET and POST verbs  C&C server sends back commands  Upload  Execute  System report  Etc © 2014 Monterey Technology Group Inc.
  • 11. SGH module  Even more sophisticated  Careto and SGH can install each other  SGH runs in Kernel mode  Extensible modules include  Skype  Keylogger  File content  Network traffic  Skype  Screenshots  Email messages © 2014 Monterey Technology Group Inc.
  • 12. How could Careto have been defeated? Spearfishing email Malicious URL Java/Flash Exploit Malware executables installed DLL injected Phone home Awareness training Spearfishing Clicking yes on updatesand warnings Web filtering Patching Application Control Memory protection Next Gen Network Protection © 2014 Monterey Technology Group Inc.
  • 14. Additional Information Free Security Scanner Tools  Application Scanner – discover all the apps being used in your network  Device Scanner – discover all the devices being used in your network https://www.lumension.com/resources/ premium-security-tools.aspx Reports  Whitepaper “The State of APT Preparedness” from UBM Tech at https://www.lumension.com/resources/ WhitePapers/The-State-of-APT-Preparedness  On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at https://www.lumension.com/resources/ Webcasts/Top-9-Mistakes-of-APT-Victims Free Trial (virtual or download) http://www.lumension.com/endpoint- management-security-suite/free-trial.aspx

Notes de l'éditeur

  1. Notes …Know your enemyOther resources = DHS, CERT, POS vendors,Infosec vendors, Bank / ACH / etc.Restrict internet access from POS systemsRemote POS hacksTarget market cap impact …~63 in late-Dec~55 at low point (early Feb)~57 nowAbout Remote POS Hacks (http://blog.icorps.com/bid/137975/New-Trend-The-Point-of-Sale-System-Hack) … There are many vulnerabilities within a PoS system - if a system is not properly protected, anyone with an inside knowledge of how the systems work can carry out a hack without much difficulty. Hackers are becoming more skilled, therefore PoS systems that used to be seen as a challenge are not as daunting as before. Because many PoS devices come pre-loaded with an operating system, the inner workings and weaknesses of that system are known to hackers. All they need to do is find an unsecured IP address or hack into a secure Wi-Fi connection if proper protections have not been put in place. A well-known weakness of PoS devices is their Internet printing protocol, which many businesses use for remote printing. Protecting your business against PoS Hacks:There are some simple and straightforward steps you can take to make your system less accessible to hackers, for example:Ensure all Wi-Fi connections on your network are secureAvoid using a Wi-Fi network name that is associated with your businessImplement a lockout system for failed login attemptsAlways change the default password for softwareFollow best practices on secure password creationUpdate your systems as often as possible – manufacturers are usually quick to respond to known vulnerabilities by releasing patches and software updatesHowever, no matter how many precautions you take, there is still likely to be one or more vulnerabilities that you are unaware of. Invest in the future of your business by hiring a reputable IT company to assess your system and identify your existing security risks.