RAT-a-tat-tat
Taking the fight to the RAT controllers
Who Am I
• Jeremy du Bruyn
– twitter: @herebepanda, irc: panda

• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password
cracking
• Currently doing an MSc at Rhodes
What's this about
• I've done some research on two prolific RATs that
I'd like to share with y'all
– I am not a malware researcher, I'm just an ex-network-pentester / consultant / infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the
server binaries

• Ways to search for these RATs on the greater
internet
– With an example
Background story
• Malware.lu report on Mandiant APT1
– Python code for finding Poison Ivy C2s

• Are there any Poison Ivy C2s in ZA?
– Writing robust network code is hard
– Rather leverage off of NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(

• I really want to play with this, where can I get
some samples?
credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)
My collection
• VirusTotal provides researchers with access to its Private API, which
allows searching for and downloading samples
• After speaking with some malware folks I got a list of the most
popular RATs being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)

• Started collecting in August 2013
• Samples downloaded
– Searched for “Poison.*” and “Fynloski.*”
– Total 34 GB of samples

• For sure a cheap VPS would hold the few 100 MBs of samples I'd
download
link (https://www.virustotal.com/en/documentation/private-api/)
RAT infrastructure

credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Poison Ivy
• Been around for many years
– Oldest version on the website is from 2006, first
released in 2005
– Latest public version is 2.3.2 released in 2008
– Private versions still being released, including a Vista+
patch
– Free to download off the author's website

• Apparently very popular amongst Chinese
attackers
– Recently used by Mandiant APT1 groups
– Used in RSA hack
Poison Ivy
• Samples
– 12,133 downloaded
– 5,004 analysed
• Too much pondering/figuring in the beginning

• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months

• Analysis conducted using a mixture of the
VirusTotal behavioural analysis results and local
cuckoo sandbox instance
VT Behavioural Analysis
• They use a “cluster” of cuckoo sandbox
machines to perform the analysis and provide
data via JSON
• VirusTotal behavioural analysis not conducted
on all samples
– Like 1 in 10
– Not allowed to share samples with 3rd parties
Cuckoo sandbox
• Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes

• Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver

• Tweaked to report all traffic, even SYN
– modules/processing/network.py (host down, not reported)
– Malwr.com has the same problem

• api.py is super useful
– Submit jobs, get analysis reports in JSON

• At the end able to process a couple hundred samples a day
Analysis system
• System is postgres driven
• Extracted info from the samples put into DB:
– C2 / proxy IP
– Port

• Scripts would pick up unprocessed samples
and perform liveness testing of C2 and extract
the Camellia key
– Again writing to the DB
Poison Ivy
• Camellia key used to authenticate server and
encrypt communication
– Crypto hashing algorithm
– Used for all servers
– Can be extracted from server traffic :)

link (https://en.wikipedia.org/wiki/Camellia_(cipher))
Poison Ivy

• JtR module available for brute-forcing (malware.lu)
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat
Vulnerabilities
• Metasploit module for Buffer Overflow bug in
Poison Ivy 2.3.2
– Think meterpreter 
– All you need is the C2 IP, port and clear-text Camellia
password
– Malware.lu guys used this to great effect

• FireEye “PIVY memory-decoding tool” for
Immunity debugger can also extract this info
Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof)
(http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet and NSE script to extract Camellia key
from server traffic
DarkComet
• Very popular around the world
• Development abandoned by the author after
Syrian government use
– Crippled version available on author website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 “Legacy”

• Fairly good collection available via .torrent
Link (http://darkcomet-rat.com/)
(https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)
DarkComet
• Samples
– 33,592 downloaded (32GB)
– 12,133 analysed
• 4408 successfully

• 40 live
• Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)
DarkComet
• Encrypted server configuration information contained within the
binary
– C2 IP, port, password
– FTP host, port, username, password, path

• Server configuration encrypted using static keys:
– V5.1+: #KCMDDC51#-890
– V5.0: #KCMDDC5#-890
– V4.2F: #KCMDDC42F#-890
– V4.2: #KCMDDC42#-890
– V4.1: #KCMDDC4#-890
– V2.x + 3.x: #KCMDDC2#-890

• Static key and password (“PWD”) used to authenticate and encrypt
communications
credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)
DarkComet
[Chart: share of key + password values seen in the analysed DarkComet samples. Labels: #KCMDDC51#-890, #KCMDDC51#-8900123456789, Other. Values: 90.22, 8.62, 1.16 (label-to-value pairing not recoverable from the extracted slide)]
DarkComet

• All this is encrypted using the static key +
'PWD'
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)
Vulnerabilities
• Makes use of SQLite DB (comet.db)
– Contains information on all connected servers
– SQLi

• Arbitrary File Download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that C2 initiated connection

credit (http://www.matasano.com/research/PEST-CONTROL.pdf)
My contribution
• NMAP service probes to detect C2’s across the
Internet
– DarkComet
• Receives “IDTYPE” encrypted with default (and most
popular) password

– Xtreme RAT
• Sends "myversion|3.6 Public\r\n"
• Receives
– Bytes 1-3 "\x58\x0d\x0a"
– Bytes 4 – 12 "\xd2\x02\x96\x49\x00\x00\x00\x00"
My contribution

• Updated DarkComet configuration extraction
script, for v5.1+
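The three DarkComet slides above (static keys per version, the "IDTYPE" probe, the v5.1+ config extraction script) and the Xtreme RAT probe all come down to one piece of logic: try the known static key, plus the controller password, on whatever you pulled out of the binary or received on the wire, and see if a known string falls out. The block below is an added example, not the speaker's scripts or the nmap probes themselves. It assumes the scheme documented in the Arbor "Crypto-DarkComet" report cited on the key slide: RC4 keyed by static key + password, output hex-encoded. The sample config blob is constructed here with that same routine, not taken from a real sample, and the Xtreme RAT matcher simply checks the response bytes printed on the slide.

```python
"""Added example (not the talk's tooling): DarkComet static keys, config decoding,
and the two C2 response checks from the 'My contribution' slide.
Assumption (per the Arbor 'Crypto-DarkComet' report cited on the slides): RC4 keyed
by STATIC_KEY + PASSWORD, hex-encoded, for both config strings and 'IDTYPE'."""

# Per-version static keys, exactly as listed on the slide.
STATIC_KEYS = {
    "V5.1+": "#KCMDDC51#-890",
    "V5.0": "#KCMDDC5#-890",
    "V4.2F": "#KCMDDC42F#-890",
    "V4.2": "#KCMDDC42#-890",
    "V4.1": "#KCMDDC4#-890",
    "V2.x/3.x": "#KCMDDC2#-890",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dc_key(version: str, password: str = "") -> bytes:
    """Static key plus the controller password ('PWD'); empty password is the default."""
    return (STATIC_KEYS[version] + password).encode("latin-1")


def dc_encrypt(text: str, version: str, password: str = "") -> str:
    """Encrypt a string the way DarkComet stores/sends it: RC4, then uppercase hex."""
    return rc4(dc_key(version, password), text.encode("latin-1")).hex().upper()


def dc_decrypt(hexblob: str, version: str, password: str = "") -> str:
    return rc4(dc_key(version, password), bytes.fromhex(hexblob)).decode("latin-1")


def is_printable(text: str) -> bool:
    return bool(text) and all(32 <= ord(c) < 127 for c in text)


def decode_config(config_text: str, password: str = "") -> dict:
    """Decode KEY=HEX lines pulled from a server binary. The version is unknown up
    front, so every static key is tried; the first yielding printable ASCII wins."""
    found = {}
    for line in config_text.splitlines():
        if "=" not in line:
            continue
        name, blob = (part.strip() for part in line.split("=", 1))
        for version in STATIC_KEYS:
            try:
                value = dc_decrypt(blob, version, password)
            except ValueError:  # not hex at all: skip this line
                break
            if is_printable(value):
                found[name] = (version, value)
                break
    return found


def darkcomet_version_from_handshake(first_msg: bytes, passwords=("",)):
    """The nmap probe check: the controller's first message, decrypted with a
    candidate static key + password, must read 'IDTYPE'. Returns (version, password)."""
    try:
        blob = first_msg.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    for version in STATIC_KEYS:
        for pwd in passwords:
            try:
                if dc_decrypt(blob, version, pwd) == "IDTYPE":
                    return version, pwd
            except ValueError:  # not hex: no key will help
                return None
    return None


XTREME_PROBE = b"myversion|3.6 Public\r\n"  # what the probe sends, per the slide


def looks_like_xtreme_rat(response: bytes) -> bool:
    """Xtreme RAT controller reply from the slide: 58 0D 0A then D2 02 96 49 00 00 00 00."""
    return response.startswith(b"\x58\x0d\x0a\xd2\x02\x96\x49\x00\x00\x00\x00")


# Constructed sample (not a real sample): a v5.1+ config with the default empty password.
SAMPLE_CONFIG = "\n".join(
    f"{k}={dc_encrypt(v, 'V5.1+')}"
    for k, v in [("MUTEX", "DC_MUTEX-EXAMPLE"),
                 ("NETDATA", "c2.example.invalid:1604"),
                 ("FTPHOST", "ftp.example.invalid")]
)
```

Because RC4 is a stream cipher, a wrong key still "decrypts" to something; the printable-ASCII filter is what separates the right static key from the rest, and for the handshake the six-byte string must match exactly. When the controller uses a non-default password the probe with an empty password fails, which is why the slide qualifies its hit rate with "default (and most popular) password".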
menuPass Campaign
• One of my samples had the filename
“Strategy_Meeting.exe” and a Google search gave me the FireEye
report “Poison Ivy: Assessing Damage and Extracting
Intelligence”
– menuPass campaign launched in 2009 targeting defense
contractors
– Main industries targeted were
• Defense, Consulting / Engineering, ISP, Aerospace, Heavy
Industry, Government

• Spear-phishing used as initial attack vector
– Weaponised .doc and .zip

• Using Pentest footprinting techniques I uncovered a bit
about their infrastructure
Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
menuPass Campaign

credit (http://www.paterva.com/web6/products/casefile.php)
menuPass Campaign
• “The IP 60.10.1.120 hosted the domain
apple.cmdnetview.com”
• This hostname appeared in my analysis but with
an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com
(112.213.118.33) and tw.2012yearleft.com
(50.2.160.125) as C2’s
– tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in the
FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key “ketcxsAWfeAxiQ64ndURvA==”
menuPass Campaign
• New hostnames found using
“ketcxsAWfeAxiQ64ndURvA==” from my samples:
– banana.cmdnetview.com
– drives.methoder.com
– muller.exprenum.com

• New hostnames in 50.2.160.0/24 from samples:
– kmd.crabdance.com 50.2.160.104
– banana.cmdnetview.com 50.2.160.146
– drives.methoder.com 50.2.160.125
– muller.exprenum.com 50.2.160.125
menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found
additional C2's in 50.2.160.0/24:
– 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 50.2.160.84:80/443 (daddy.gostudyantivirus.com) AoFSY4Fi5u8sX3Bo7To86w==
– 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w==
– 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==
menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from
50.2.160.104):
– ux.niushenghuo.info 142.4.121.144
– for.ddns.mobi 142.4.121.144

• Hostnames from samples in 142.4.121.0/24:
– gold.polopurple.com 142.4.121.138

• Additional PI C2 in 142.4.121.0/24 using NMAP:
– 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w==
– 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==
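The menuPass slides above do the pivoting by hand: a Camellia key recovered from one C2 turns up on other hosts, hostnames from samples resolve into the same /24s, and the two netblocks end up tied together. The block below is an added example, not the speaker's analysis system, that performs those pivots over exactly the hosts, ports, keys and hostname-to-IP pairs printed on the slides (the keys are kept as the base64 strings shown; nothing is decrypted). The grouping functions and their names are mine; the data is the deck's.

```python
"""Added example (not from the talk): pivot on shared Poison Ivy Camellia keys and
shared netblocks using only the values printed on the menuPass slides."""
import ipaddress
from collections import defaultdict

# (ip, ports, camellia_key) for every Poison Ivy C2 the nmap sweep slides list.
C2_SERVERS = [
    ("50.2.160.42", (80, 443), "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("50.2.160.84", (80, 443), "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("50.2.160.104", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.125", (80, 443), "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.146", (443,), "ketcxsAWfeAxiQ64ndURvA=="),
    ("50.2.160.179", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.193", (443,), "tG3Sl8fQtuyKj/jh97O67w=="),
    ("50.2.160.226", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("50.2.160.241", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.137", (80, 443), "3ntLjgUGgQUYeKl3ncWgeQ=="),
    ("142.4.121.139", (80, 443), "AoFSY4Fi5u8sX3Bo7To86w=="),
    ("142.4.121.140", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.141", (80,), "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.142", (443,), "ketcxsAWfeAxiQ64ndURvA=="),
    ("142.4.121.144", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.181", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
    ("142.4.121.203", (443,), "gdWSvDcDqmZFC5/qvQiwhQ=="),
]

# Hostname -> IP pairs taken from the samples and the FireEye cross-check, as on the slides.
HOSTNAMES = {
    "kmd.crabdance.com": "50.2.160.104",
    "banana.cmdnetview.com": "50.2.160.146",
    "drives.methoder.com": "50.2.160.125",
    "muller.exprenum.com": "50.2.160.125",
    "document.methoder.com": "50.2.160.125",
    "mocha.100fanwen.com": "50.2.160.125",
    "scrlk.exprenum.com": "50.2.160.125",
    "zone.demoones.com": "50.2.160.125",
    "tw.2012yearleft.com": "50.2.160.125",
    "daddy.gostudyantivirus.com": "50.2.160.84",
    "ux.niushenghuo.info": "142.4.121.144",
    "for.ddns.mobi": "142.4.121.144",
    "gold.polopurple.com": "142.4.121.138",
    "hk.2012yearleft.com": "112.213.118.33",
    "apple.cmdnetview.com": "112.213.118.34",
}


def ips_by_key(servers=C2_SERVERS) -> dict:
    """Group C2 IPs by the Camellia key they answered the handshake with."""
    groups = defaultdict(set)
    for ip, _ports, key in servers:
        groups[key].add(ip)
    return dict(groups)


def netblock(ip: str, prefix: int = 24) -> str:
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def keys_spanning_netblocks(servers=C2_SERVERS) -> dict:
    """Keys reused in more than one /24: an operator who redeploys the same
    password on a new netblock links the two for the analyst."""
    nets = defaultdict(set)
    for ip, _ports, key in servers:
        nets[key].add(netblock(ip))
    return {key: sorted(n) for key, n in nets.items() if len(n) > 1}


def hostnames_for_key(key: str, servers=C2_SERVERS, hostnames=HOSTNAMES) -> set:
    """Join a key cluster with the hostname -> IP pairs (passive-DNS style pivot)."""
    ips = ips_by_key(servers).get(key, set())
    return {host for host, ip in hostnames.items() if ip in ips}


def unexplained_hosts(servers=C2_SERVERS, hostnames=HOSTNAMES) -> set:
    """Hostnames whose IP never answered a Poison Ivy probe: candidates for a
    re-scan, a moved C2, or a different RAT family."""
    scanned = {ip for ip, _p, _k in servers}
    return {host for host, ip in hostnames.items() if ip not in scanned}


if __name__ == "__main__":
    for key, ips in sorted(ips_by_key().items(), key=lambda kv: -len(kv[1])):
        print(f"{key}  {len(ips):2d} C2s  hosts={sorted(hostnames_for_key(key))}")
    print("keys spanning netblocks:", keys_spanning_netblocks())
    print("hostnames not yet seen as PI C2:", sorted(unexplained_hosts()))
```

Run stand-alone it prints the key clusters largest first; the gdWSvDcDqmZFC5/qvQiwhQ== key alone ties eight C2s across both /24s, which is the observation the slides build the campaign picture on. Feeding the same functions the rows your own sandbox and liveness scripts write to the database is the obvious next step.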
menuPass Campaign
• zhengyanbin8@gmail.com registered:
– 2012yearleft.com
– cmdnetview.com
– gostudyantivirus.com
– 100fanwen.com

• DomainTools reports that this email address
has been used to register 157 domains
– So still a lot of research to be done
Conclusion
• Those with an interest in amateur malware
analysis
– I utilised my pentesting skillset to work on this stuff

• Defenders looking for more ways to defend
– Using these methods you can start investigating
attacks on your organisation and start moving up the
kill-chain

• Greyhats wanting to increase the cost for attackers
running these RATs
Thank You
• If there’s time for questions, shoot.
• Otherwise catch me at lunch

COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 

Dernier (20)

COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 

Rat a-tat-tat

1. RAT-a-tat-tat
Taking the fight to the RAT controllers

2. Who Am I
• Jeremy du Bruyn
– twitter: @herebepanda, irc: panda
• Pentester / Consultant at SensePost
• Spoken at a previous ZaCon about password cracking
• Currently doing MSc. at Rhodes

3. What's this about
• I've done some research on two prolific RATs that I'd like to share with y'all
– I am not a malware researcher, I'm just an ex-network-pentester-consultant-infosec guy
– Some dynamic analysis using cuckoo sandbox
– Some static analysis using scripts to pick apart the server binaries
• Ways to search for these RATs on the greater internet
– With an example

4. Background story
• Malware.lu report on Mandiant APT1
– Python code for finding Poison Ivy C2s
• Are there any Poison Ivy C2s in ZA?
– Writing robust network code is hard
– Rather leverage off of NMAP
• I didn't find any Poison Ivy C2s in ZA :) / :(
• I really want to play with this, where can I get some samples?
credit (http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf)

5. My collection
• VirusTotal provides researchers with access to their Private API, which allows for searching and downloading of samples
• After speaking with some malware folks I got a list of the most popular RATs being used in attacks
– (@vlad_o, @undeadsecurity, @bobmcardle)
• Started collecting in August 2013
• Samples downloaded
– Searched for "Poison.*" and "Fynloski.*"
– Total 34 GB of samples
• For sure a cheap VPS would hold the few 100 MBs of samples I'd download
link (https://www.virustotal.com/en/documentation/private-api/)

7. Poison Ivy
• Been around for many years
– Oldest version on the website is from 2006, first released in 2005
– Latest public version is 2.3.2, released in 2008
– Private versions still being released, including a Vista+ patch
– Free to download off the author's website
• Apparently very popular amongst Chinese attackers
– Recently used by Mandiant APT1 groups
– Used in RSA hack
8. Poison Ivy
• Samples
– 12,133 downloaded
– 5,004 analysed
• Too much pondering/figuring in the beginning
• 26 live
• Not a lot I know, but they provide some interesting insights
• Average PI C2 lifespan is 3 months
• Analysis conducted using a mixture of the VirusTotal behavioural analysis results and a local cuckoo sandbox instance

9. VT Behavioural Analysis
• They use a "cluster" of cuckoo sandbox machines to perform the analysis and provide data via JSON
• VirusTotal behavioural analysis not conducted on all samples
– Like 1 in 10
– Not allowed to share samples with 3rd parties

10. Cuckoo sandbox
• Cuckoo sandbox used for the majority of the samples
– 5 WinXP SP2 virtual machine guests
– Timeout of 2 minutes
• Only allowed DNS traffic to cuckoo host
– Unbound DNS resolver
• Tweaked to report all traffic, even SYN
– modules/processing/network.py (host down, not reported)
– Malwr.com has the same problem
• api.py is super useful
– Submit jobs, get analysis reports in JSON
• At the end able to process a couple hundred samples a day

11. Analysis system
• System is postgres driven
• Extracted info from the samples put into DB:
– C2 / proxy IP
– Port
• Scripts would pick up unprocessed samples, perform liveness testing of the C2 and extract the Camellia key
– Again writing to the DB

12. Poison Ivy
• Camellia key used to authenticate server and encrypt communication
– Crypto hashing algorithm
– Used for all servers
– Can be extracted from server traffic :)
link (https://en.wikipedia.org/wiki/Camellia_(cipher))

13. Poison Ivy
• JtR module available for brute-forcing (malware.lu)
– I've asked for its inclusion into hashcat
– @atom, if you are reading this, *cough* oclhashcat

14. Vulnerabilities
• Metasploit module for Buffer Overflow bug in Poison Ivy 2.3.2
– Think meterpreter
– All you need is the C2 IP, port and clear-text Camellia password
– Malware.lu guys used this to great effect
• FireEye "PIVY memory-decoding tool" for Immunity debugger can also extract this info
Link (http://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof) (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)

15. My contribution
• NMAP service probes to detect C2s across the Internet and NSE script to extract Camellia key from server traffic
16. DarkComet
• Very popular around the world
• Development abandoned by the author after Syrian government use
– Crippled version available on author's website
– Current public full version is 5.3.1
– Current public crippled version 5.4.1 "Legacy"
• Fairly good collection available via .torrent
Link (http://darkcomet-rat.com/) (https://thepiratebay.sx/torrent/7420705/DarkComet_RAT_Collection)

17. DarkComet
• Samples
– 33,592 downloaded (32GB)
– 12,133 analysed
• 4408 successfully
• 40 live
• Analysis script inspired by AlienVault Labs
– Only worked on V5, updated to work on V5.1+
credit (https://code.google.com/p/alienvault-labs-garage/downloads/list)

18. DarkComet
• Encrypted server configuration information contained within the binary
– C2 IP, port, password
– FTP host, port, username, password, path
• Server configuration encrypted using static keys:
– V5.1+ : #KCMDDC51#-890
– V5.0 : #KCMDDC5#-890
– V4.2F : #KCMDDC42F#-890
– V4.2 : #KCMDDC42#-890
– V4.1 : #KCMDDC4#-890
– V2.x + 3.x : #KCMDDC2#-890
• Static key and password ("PWD") used to authenticate and encrypt communications
credit (http://www.arbornetworks.com/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report1.pdf)

20. DarkComet
• All this is encrypted using the static key + 'PWD'
credit (http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/)

21. Vulnerabilities
• Makes use of SQLite DB (comet.db)
– SQLi
– Contains information on all connected servers
• Arbitrary File Download vulnerability
– RAT allows controller to overwrite files
– Doesn't check that C2 initiated connection
credit (http://www.matasano.com/research/PEST-CONTROL.pdf)

22. My contribution
• NMAP service probes to detect C2s across the Internet
– DarkComet
• Receives "IDTYPE" encrypted with default (and most popular) password
– Xtreme RAT
• Sends "myversion|3.6 Public\r\n"
• Receives
– Bytes 1-3 "\x58\x0d\x0a"
– Bytes 4 – 12 "\xd2\x02\x96\x49\x00\x00\x00\x00"

23. My contribution
• Updated DarkComet configuration extraction script, for v5.1+
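The static-key table (slide 18) and the configuration extraction script (slide 23) describe the same analyst task: recover the C2 host, port and password from a DarkComet server binary without knowing its version up front. The following is an added example, not the speaker's script or any AlienVault code, assuming RC4 as the cipher under those static keys (a known detail not stated on the slide) and NAME={value} entries stored as hex strings; the sample ciphertext is constructed inline by encrypting a made-up config.

```python
"""Version-agnostic DarkComet-style config extraction: try each static key
from the slide until one yields a well-formed NAME={value} entry."""
import binascii
import re
import string

# Static keys per version, as listed on the slide.
STATIC_KEYS = {
    "V5.1+": "#KCMDDC51#-890",
    "V5.0": "#KCMDDC5#-890",
    "V4.2F": "#KCMDDC42F#-890",
    "V4.2": "#KCMDDC42#-890",
    "V4.1": "#KCMDDC4#-890",
    "V2.x/3.x": "#KCMDDC2#-890",
}

# Assumption: a decrypted entry looks like NETDATA={host:port}; this is the
# plausibility check that tells a correct key apart from a wrong one.
ENTRY_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$", re.S)
PRINTABLE = set(string.printable)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it also builds the sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_entry(hex_blob: str):
    """Return (version, name, value) for the first static key that gives a
    printable NAME={value} plaintext, or None if no key fits."""
    ct = binascii.unhexlify(hex_blob)
    for version, key in STATIC_KEYS.items():
        pt = rc4(key.encode(), ct)
        try:
            text = pt.decode("ascii")
        except UnicodeDecodeError:
            continue
        if not set(text) <= PRINTABLE:
            continue
        m = ENTRY_RE.match(text)
        if m:
            return version, m.group(1), m.group(2)
    return None


def extract_c2(entries: dict) -> dict:
    """Decrypt every {resource_name: hex_ciphertext} entry; the result keyed
    by field name is what an analyst would write to the C2 database."""
    found = {}
    for blob in entries.values():
        hit = decrypt_entry(blob)
        if hit:
            found[hit[1]] = {"version": hit[0], "value": hit[2]}
    return found


def make_sample() -> dict:
    """Constructed sample: a made-up V5.1+ config, not from a real binary."""
    key = STATIC_KEYS["V5.1+"].encode()
    plain = {"NETDATA": "NETDATA={c2.example.invalid:1604}",
             "PWD": "PWD={examplepass}",
             "MUTEX": "MUTEX={DC_MUTEX-EXAMPLE}"}
    return {k: binascii.hexlify(rc4(key, v.encode())).decode().upper()
            for k, v in plain.items()}


if __name__ == "__main__":
    for field, info in extract_c2(make_sample()).items():
        print(field, info)
```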
24. menuPass Campaign
• One of my samples had the filename "Strategy_Meeting.exe" and a Google search gave me the FireEye report "Poison Ivy: Assessing Damage and Extracting Intelligence"
– menuPass campaign launched in 2009 targeting defense contractors
– Main industries targeted were
• Defense, Consulting / Engineering, ISP, Aerospace, Heavy Industry, Government
• Spear-phishing used as initial attack vector
– Weaponised .doc and .zip
• Using pentest footprinting techniques I uncovered a bit about their infrastructure
Link (http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)

26. menuPass Campaign
• "The IP 60.10.1.120 hosted the domain apple.cmdnetview.com"
• This hostname appeared in my analysis but with an IP of 112.213.118.34
• One of my samples has hk.2012yearleft.com (112.213.118.33) and tw.2012yearleft.com (50.2.160.125) as C2s
– tw.2012yearleft.com was 60.10.1.114, 60.1.1.114 in FireEye report
– 5 live samples using this C2 in my collection
– All used Camellia key "ketcxsAWfeAxiQ64ndURvA=="

27. menuPass Campaign
• New hostnames found using "ketcxsAWfeAxiQ64ndURvA==" from my samples:
– banana.cmdnetview.com
– drives.methoder.com
– muller.exprenum.com
• New hostnames in 50.2.160.0/24 from samples:
– kmd.crabdance.com 50.2.160.104
– banana.cmdnetview.com 50.2.160.146
– drives.methoder.com 50.2.160.125
– muller.exprenum.com 50.2.160.125

28. menuPass Campaign
• Using my NMAP poison-ivy.nse and nmap-service-probes.pi I found additional C2s in 50.2.160.0/24:
– 50.2.160.42:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 50.2.160.84:80/443 (daddy.gostudyantivirus.com) (AoFSY4Fi5u8sX3Bo7To86w==)
– 50.2.160.104:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.125:80/443 (document.methoder.com, drives.methoder.com, mocha.100fanwen.com, scrlk.exprenum.com, zone.demoones.com) (ketcxsAWfeAxiQ64ndURvA==)
– 50.2.160.146:443 ketcxsAWfeAxiQ64ndURvA==
– 50.2.160.179:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.193:443 tG3Sl8fQtuyKj/jh97O67w==
– 50.2.160.226:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 50.2.160.241:443 gdWSvDcDqmZFC5/qvQiwhQ==

29. menuPass Campaign
• Same key (gdWSvDcDqmZFC5/qvQiwhQ==) as kmd.crabdance.com (from 50.2.160.104):
– ux.niushenghuo.info 142.4.121.144
– for.ddns.mobi 142.4.121.144
• Hostnames from samples in 142.4.121.0/24:
– gold.polopurple.com 142.4.121.138
• Additional PI C2 in 142.4.121.0/24 using NMAP:
– 142.4.121.137:80/443 3ntLjgUGgQUYeKl3ncWgeQ==
– 142.4.121.139:80/443 AoFSY4Fi5u8sX3Bo7To86w==
– 142.4.121.140:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.141:80 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.142:443 ketcxsAWfeAxiQ64ndURvA==
– 142.4.121.144:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.181:443 gdWSvDcDqmZFC5/qvQiwhQ==
– 142.4.121.203:443 gdWSvDcDqmZFC5/qvQiwhQ==

30. menuPass Campaign
• zhengyanbin8@gmail.com registered:
– 2012yearleft.com
– cmdnetview.com
– gostudyantivirus.com
– 100fanwen.com
• DomainTools reports that this email address has been used to register 157 domains
– So still a lot of research to be done

31. Conclusion
• Those with an interest in amateur malware analysis
– I utilised my pentesting skillset to work on this stuff
• Defenders looking for more ways to defend
– Using these methods you can start investigating attacks on your organisation and start moving up the kill-chain
• Greyhats wanting to increase the cost for attackers running these RATs

32. Thank You
• If there's time for questions, shoot.
• Otherwise catch me at lunch