The document discusses targeted attacks from sophisticated, coordinated groups. These attackers are highly skilled, well-funded and can research and exploit new vulnerabilities to accomplish missions over months. Specific examples discussed include the Kalachakra attack and details on its spearphishing techniques, dropped executables, and command and control traffic. Methods of antivirus evasion, real world samples, exploit techniques and command and control servers used by advanced persistent threat groups are also covered.

1. Understanding targeted
attacks
Saturday, February 4, 2012

2. Who am I?
• Jaime Blasco
• Alienvault Labs Manager
Saturday, February 4, 2012

3. What are we talking
about?
• Group of sophisticated, coordinated and
political/financial/military motivated
attackers .
• The intruder can exploit publicly known
vulnerabilities but the attackers also are
highly skilled and well funded and can
research and exploit new vulnerabilities.
• The attacker wants to accomplish a mission
that can take place over months.
Saturday, February 4, 2012

4. Agenda
• cat /dev/urandom
Saturday, February 4, 2012

5. Example: Kalachakra
• Camp information at Bodhgaya.doc
• CVE 2010-3333
Saturday, February 4, 2012

6. SpearPhishing
Saturday, February 4, 2012

7. Shellcode
Staged XOR Loader
Saturday, February 4, 2012

8. Shellcode
• Resolves imports by hashes
• Ror to generate hashes (ror ebx 7)
Saturday, February 4, 2012

9. Shellcode
Saturday, February 4, 2012

10. Dropped EXE
Saturday, February 4, 2012

11. Dropped EXE
• Language of compilation system: Chinese
• Dropped Files:
• C:Documents and SettingsAdministrator7240672406.dat
• C:Documents and SettingsAdministratortemp.dat
• Mark the presence on the system:
Saturday, February 4, 2012

12. 7240672406.dat
Saturday, February 4, 2012

13. Injection
Saturday, February 4, 2012

14. Obfuscation
Saturday, February 4, 2012

15. Injected Code
• User Mode Process Dumper
• WinDBG to the rescue:
Saturday, February 4, 2012

16. C&C Traffic
GET / HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
Connection: Keep-Alive
Saturday, February 4, 2012

17. kalachakra32.doc
Saturday, February 4, 2012

18. Dropped EXE
• Created Files:
AhnLab-V3, DrWeb, Jiangmin
Saturday, February 4, 2012

19. Embedded Resource
Saturday, February 4, 2012

20. Debug Info
.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!
.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConfigDataSize = [40]
.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!
.install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!
.install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]
.install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!
.install.cpp-InstallSrvPlugin-295: StartServiceEx!
.SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]
.SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread
.SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
.SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
Saturday, February 4, 2012

21. Create Service
"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAIL
URE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType-
>SERV
ICE_AUTO_START","lpBinaryPathName->C:WINDOWSsystem32rundll32.exe "C:Archivos de
programaArchivos comunesMicrosoft SharedTriedit5a1bcffe.dll",ServiceEntry"
Saturday, February 4, 2012

22. Av Aware
• Check for kisknl.sys (Kingsoft Antivirus)
• Look for KSafeTray.exe and disable it: OpenThread ->
SuspendThread
• Check for TmComm.sys (TrendMicro)
• Check for HookPort.sys (QQ 360)
• Depending of the AV present use the native API to install the
service or the following method:
• FindWindowA("CabinetWClass", WindowName);
• FindWindowExA(v15, 0, "WorkerW", 0);
• SendMessageA, RegOpenKeyExA, SYSTEM
CurrentControlSetServices
Saturday, February 4, 2012

23. WTF!
Saturday, February 4, 2012

24. Real World
Saturday, February 4, 2012

25. Sykipot
Saturday, February 4, 2012

26. Exploits
Saturday, February 4, 2012

27. Samples
Saturday, February 4, 2012

28. Features
Saturday, February 4, 2012

29. C&C Servers
Saturday, February 4, 2012

30. Certificate Access
Saturday, February 4, 2012

31. Smartcard Access
Saturday, February 4, 2012

32. OpenIOC
• Indicators Of Compromise
• XML format to describe:
• File Attributes
• Registry entries
• Process attributes
• Network Attributes
• ...
• http://openioc.org/
Saturday, February 4, 2012

33. Example
Saturday, February 4, 2012

34. Example
Saturday, February 4, 2012

35. Thank you
• Follow me on twitter:
jaimeblascob
Saturday, February 4, 2012