Advanced Persistent Threats and Chip-Level Security
Posted on 19-Oct-2014
DESCRIPTION
Dave Marcus, Director of Security Research and Communications, McAfee
TRANSCRIPT
Demystifying the Mighty APT
Dave Marcus
Director, Advanced Research and Threat Intelligence
McAfee Labs
Agenda
• A Brief History
• Spot The APT
• Rootkits and Stealth
• A New Methodology
Historic Stages of Cyber Attacks
[Timeline slide: mid-1980s, 2003, 2005, today; attacker motives labelled For Fun or Activism, For Profit, For Espionage]
A Loose Classification of Attackers
[Chart: horizontal axis Threat Sophistication, vertical axis Capability for Damage; groups plotted: Cybercriminals, Hacktivists/Terrorists, Cyberespionage, Nation-State Coordinated Kinetic/Cyber Operations]
But which one is an APT??
Is it an APT or is it “just” good malware?
Activities / Risk Levels
• Attempts to write to a memory location of a Windows system process
• Attempts to write to a memory location where winlogon resides
• Attempts to load and execute remote code in a previously loaded process
• Attempts to write to a memory location of a previously loaded process
• Adds or modifies the winlogon Userinit registry value (could be used to launch a program on startup)
• Modifies winlogon configuration settings in the registry
• Enumerates the process list
• No digital signature is present
The following files were analyzed: B025A4E813.ex
The following files have been added to the system:
• %WINDIR%\SYSTEM32\twain32\user.ds
• %WINDIR%\SYSTEM32\twain32\local.ds
• %WINDIR%\SYSTEM32\twex.exe
The following registry elements have been changed:
• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT = %WINDIR%\SYSTEM32\userinit.exe,%WINDIR%\SYSTEM32\twex.exe
File Properties
Property          Value
McAfee Detection  PWS-Zbot.gen.i
Length            70144 bytes
MD5               b025a4e81336caedcccdec336811f461
SHA1              772e79026bef86044e308d290d4d4fdf1167091c
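The report above is a behavioral verdict, not a signature: the sample appended its own executable to the Winlogon Userinit value so that it starts at every logon. The following is an added example (not McAfee's code and not part of the presentation) of the check a responder would run over that value. It parses the comma-separated launcher list, flags anything other than the legitimate userinit.exe/explorer.exe, also flags a correctly named binary living outside system32, and correlates a hit with the files the sandbox saw the sample drop. The registry strings and file lists are constructed from the report; the clean Windows 7 defaults are assumed values.

```python
"""Winlogon Userinit/Shell persistence check (added example, constructed data)."""
import re

# Only the real logon helper and shell should be launched by Winlogon.
EXPECTED_LAUNCHERS = {
    "Userinit": {"userinit.exe"},
    "Shell": {"explorer.exe"},
}
SYSTEM32 = "system32"   # the expected binaries live only here


def parse_launch_list(value):
    """Winlogon values are comma-separated; the default Userinit keeps a trailing comma."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def split_path(entry):
    """Return (directory, filename), case folded; a bare name has an empty directory."""
    parts = re.split(r"[\\/]", entry.strip().strip('"').lower())
    return ("\\".join(parts[:-1]), parts[-1])


def audit_winlogon(values):
    """values: {value_name: raw registry string}. Returns [(value_name, entry, reason)]."""
    findings = []
    for name, allowed in EXPECTED_LAUNCHERS.items():
        if name not in values:
            continue
        for entry in parse_launch_list(values[name]):
            directory, filename = split_path(entry)
            if filename not in allowed:
                findings.append((name, entry, "unexpected launcher"))
            elif directory and not directory.endswith(SYSTEM32):
                # Legitimate file name, wrong directory: a masquerading copy.
                findings.append((name, entry, "expected name outside system32"))
    return findings


def correlate_with_dropped_files(findings, added_files):
    """Keep only the findings whose launcher is one of the files the sample wrote."""
    dropped = {split_path(path)[1] for path in added_files}
    return [finding for finding in findings if split_path(finding[1])[1] in dropped]


# Constructed from the sandbox report of the Zbot sample above.
SAMPLE_REGISTRY = {
    "Userinit": r"%WINDIR%\SYSTEM32\userinit.exe,%WINDIR%\SYSTEM32\twex.exe",
}
SAMPLE_ADDED_FILES = [
    r"%WINDIR%\SYSTEM32\twain32\user.ds",
    r"%WINDIR%\SYSTEM32\twain32\local.ds",
    r"%WINDIR%\SYSTEM32\twex.exe",
]
# Assumed clean Windows 7 defaults, for comparison.
CLEAN_REGISTRY = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}

if __name__ == "__main__":
    hits = correlate_with_dropped_files(audit_winlogon(SAMPLE_REGISTRY), SAMPLE_ADDED_FILES)
    for name, entry, reason in hits:
        print(f"{name}: {entry} ({reason}; dropped by the sample)")
    print("clean system findings:", audit_winlogon(CLEAN_REGISTRY))
```

On a live host the two strings come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (for example via PowerShell's Get-ItemProperty on that key) and are fed to audit_winlogon unchanged; the trailing comma on the default Userinit value is why the parser drops empty entries rather than treating them as a finding.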
What does malware ACTUALLY do??
[Stack diagram: CPU, BIOS, Virtual Machine, Operating System, Applications/RDBMS; resources I/O, Memory, Disk, Network, Display; AV and HIPS sit at the OS and application layers]
• Traditional attacks, and defenses, focused primarily on the application layer
• Infect the OS with malware, resulting in threats hidden from security products
• Attack and disable security products and hence all protection
• Compromise the virtual machine and hence all guest machines within it
• Rogue peripherals and firmware bypass all other security measures
• “Ultimate Malware”: compromise devices below the OS, either before or after shipment
Why malware works…
Zeus/SpyEye, pre-execution:
• Casper: blocks IPs from known malicious senders.
• CVE-2008-2992: Adobe Reader 8.1.2 and earlier, input validation issue in a JavaScript method that could potentially lead to remote code execution.
Zeus/SpyEye, post-execution:
• Casper: blocks IPs from known malicious senders.
“APT”, pre-execution:
• IP/URL filtering blocks access to the exploit URL. More likely to block in this case, as this page hosts the actual malware code.
• Legacy AV has limited capability to detect some of the most obfuscated URLs. Typically not detected with AV.
• IP/URL filtering is known to block access to some “infected” URLs. For example, a forum may be clean, and the post itself may be fine, but a link or a shortened URL may point to the actually bad site. Likely thousands of posts to blogs, etc.
• Legacy AV is more and more challenged by the inherent limitations of the “known threat detection” model.
“APT”, post-execution:
• Common yet effective evasion techniques to maintain persistence
• Common self-preservation techniques, oftentimes using multiple techniques at once
• New processes need to be monitored
• Need for IP/URL monitoring
• Need for monitoring of malicious processes and their behaviors
I Can Has Rootkit?
Subversion and Rootkit Techniques
[Diagram, kernel memory vs user memory. Kernel-mode hook points, with the families that used them (TDSS, Spam-Mailbot aka Rustock, Apropos, Bombat): SysEnter/Int2E (MSR), an index of the IDT, an index of the IRP table of a legitimate device driver, an index of the SSDT in NtosKrnl.exe, an exported function (NtQuerySystemInfo); each is redirected by a jmp into “rootkit.sys”.]
[User-mode inline hook, Hacker Defender style. Process before hook: headers, code section containing “call FindNextFile”, import data section with FindNextFile = 0x12345678; Kernel32.dll at 0x12345678 holds the FindNextFile code. Process after hook: the first five bytes of FindNextFile are replaced with “jmp 0x70034622”, and 0x70034622 holds the rootkit's MyFindNextFile code.]
Host-Based kernel rootkit detection strategy
[Same diagram, kernel memory vs user memory. Traditional AV, through the kernel module of VirusScan, initiates rootkit scanning; code is sent to the scanner for scanning, and the scanner's task is to detect the detour at each hook point (SysEnter/Int2E MSR, IDT index, IRP table index of a legitimate device driver, SSDT index in NtosKrnl.exe, exported function NtQuerySystemInfo) that jumps into rootkit.sys, for families such as TDSS, Spam-Mailbot aka Rustock, Apropos and Bombat.]
A New Methodology
Moving Beyond The Operating System with Silicon
Technology by McAfee and Intel
• Industry's first hardware-assisted security platform
• New vantage point on security: operates beyond the OS
• Technology foundation to deliver future products
[Boot-order diagram: Intel i3/i5/i7 CPU (BIOS VT-x enabled) → OS Loader → DeepSAFE Loader/Agent, loaded beyond the OS before OS initialization → boot drivers and other drivers (including the AV driver and a rootkit loading as a boot driver) → services and applications. The Deep Defender agent and driver run inside the OS; McAfee DeepSAFE sits beneath it and sees the rootkit load.]
Deep Defender - Stopping a Stealthy Rootkit
• Real-time kernel-level monitor of memory
• Identifies kernel-mode rootkits in real time
• Prevents the drivers from loading
• DeepSAFE technology loads before the OS
• DeepSAFE technology informs Deep Defender of suspicious behavior
Silicon-enabled kernel rootkit prevention strategy
[Same diagram, now with the VT-x layer between the Intel CPU and the operating system. The kernel module of Deep Defender initiates memory monitoring and protection from the VT-x layer, covering the same hook points (SysEnter/Int2E MSR, IDT index, IRP table index of a legitimate device driver, SSDT index in NtosKrnl.exe, exported function NtQuerySystemInfo, jmp into rootkit.sys) and the families TDSS, Rustock, Apropos and Bombat. Traditional AV, through the kernel module of VirusScan, still initiates on-demand rootkit scanning (code sent to the scanner) and detects other kernel anomalies; that on-demand scan is marked optional.]
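The three slides above (the subversion techniques, the host-based detection strategy, and the silicon-enabled prevention strategy) all turn on the same small checks. The block below is an added example in plain C, not McAfee's or Intel's code: it encodes the five-byte detour from the Hacker Defender slide and detects it (the “Detect Detour” step), checks whether SSDT/IRP-table slots or the SYSENTER MSR point outside the image that should own them (the pointer-table hooks), and models the decision a vmx-root monitor makes when a trapped write lands on a protected table (the prevention step; on real hardware that decision runs in the VM-exit handler, here it is an ordinary function). The addresses 0x12345678 and 0x70034622 come from the slide; the image bounds, table contents and protected ranges are constructed.

```c
/* Added example (not McAfee's code): detour detection, pointer-table
 * ownership checks and a write-trap policy, with constructed addresses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JMP_REL32 0xE9
#define JMP_LEN   5

/* What a detour writer does: "jmp rel32" placed at `from`, landing on `to`. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_LEN]) {
    uint32_t rel = to - (from + JMP_LEN);      /* wraps modulo 2^32, as the CPU does */
    out[0] = JMP_REL32;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian displacement */
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 and *target set if the bytes at `addr` begin with an inline detour
 * (E9 rel32, or 68 imm32 / C3 "push; ret"); 0 if the prologue looks untouched. */
int detect_detour(uint32_t addr, const uint8_t *code, size_t len, uint32_t *target) {
    if (len >= JMP_LEN && code[0] == JMP_REL32) {
        *target = addr + JMP_LEN + read_le32(code + 1);
        return 1;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = read_le32(code + 1);
        return 1;
    }
    return 0;
}

/* A loaded image allowed to own dispatch pointers (ntoskrnl, a real driver). */
struct image { const char *name; uint32_t base; uint32_t size; };

static int in_trusted(uint32_t addr, const struct image *trusted, size_t n) {
    for (size_t j = 0; j < n; j++)
        if (addr >= trusted[j].base && addr - trusted[j].base < trusted[j].size)
            return 1;
    return 0;
}

/* Count table slots (SSDT entries, an IRP major-function table, the value read
 * from IA32_SYSENTER_EIP, ...) that point outside every trusted image. */
size_t count_foreign_entries(const uint32_t *table, size_t n, const struct image *trusted,
                             size_t ntrusted, uint32_t *foreign, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_trusted(table[i], trusted, ntrusted)) continue;
        if (found < max_out) foreign[found] = table[i];
        found++;
    }
    return found;
}

/* Prevention: a vmx-root monitor trapping a guest write sees the writer's
 * instruction pointer. Block the write if it targets a protected range and the
 * writer is not inside a trusted image. `ranges` holds base,size pairs. */
int should_block_write(uint32_t writer_ip, uint32_t dest, const uint32_t *ranges,
                       size_t npairs, const struct image *trusted, size_t ntrusted) {
    for (size_t i = 0; i < npairs; i++)
        if (dest >= ranges[2 * i] && dest - ranges[2 * i] < ranges[2 * i + 1])
            return !in_trusted(writer_ip, trusted, ntrusted);
    return 0;   /* not a protected location: let it through */
}

/* Constructed scenario: image bounds are invented; the rogue code sits at 0x70034622. */
static const struct image TRUSTED[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "kernel32.dll", 0x12340000u, 0x00100000u },
};
static const uint8_t HOTPATCH_PROLOGUE[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint32_t SSDT_PAGE[] = { 0x80410000u, 0x1000u };

uint32_t demo_detour_target(void) {            /* FindNextFile hooked as on the slide */
    uint8_t prologue[JMP_LEN];
    uint32_t target = 0;
    encode_jmp_rel32(0x12345678u, 0x70034622u, prologue);
    detect_detour(0x12345678u, prologue, sizeof prologue, &target);
    return target;
}

int demo_clean_prologue_flagged(void) {        /* untouched prologue must not be flagged */
    uint32_t target = 0;
    return detect_detour(0x12345678u, HOTPATCH_PROLOGUE, sizeof HOTPATCH_PROLOGUE, &target);
}

size_t demo_foreign_ssdt_slots(void) {         /* two slots in ntoskrnl, one hooked */
    const uint32_t ssdt[] = { 0x80410000u, 0x70034622u, 0x805F0000u };
    uint32_t foreign[3];
    return count_foreign_entries(ssdt, 3, TRUSTED, 2, foreign, 3);
}

int demo_block_write(uint32_t writer_ip, uint32_t dest) {
    return should_block_write(writer_ip, dest, SSDT_PAGE, 1, TRUSTED, 2);
}

int main(void) {
    printf("detour target: 0x%08x\n", demo_detour_target());
    printf("foreign SSDT slots: %zu\n", demo_foreign_ssdt_slots());
    printf("block rootkit write to SSDT: %d\n", demo_block_write(0x70034622u, 0x80410010u));
    printf("block ntoskrnl write to SSDT: %d\n", demo_block_write(0x80450000u, 0x80410010u));
    return 0;
}
```

The host-based strategy runs the first two checks from a kernel driver that reads the same memory the rootkit controls, so a rootkit that filters reads of its own hook can hide the detour; the silicon-enabled strategy runs should_block_write at the moment of the write, from vmx-root, where the guest kernel cannot intercept it. The five-byte hot-patch prologue used as the clean sample is the Microsoft pattern that inline hooks overwrite.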
Deep Defender Architecture In-Depth
[Layered diagram]
Management and content: Update Servers, GTI Cloud Servers, ePolicy Orchestrator
Operating System (vmx-non-root): Applications (ring 3), Deep Defender/Casper (ring 3), Drivers (ring 0d), DeepSAFE Agent (ring 0d) with the DeepSAFE API Lib; event monitoring and event blocking flow between Deep Defender and the DeepSAFE Agent
McAfee DeepSAFE (ring 0p, vmx-root): VM Framework, DeepSAFE API, VMExit Handler; traps register access, memory access and privileged instructions
McAfee DeepSAFE™ Hardware: CPU (with VT-x), Chipset, Firmware
Deep Defender Protection Tiers
Initial Top 20 Families
1 Adware-BDSearch
2 Backdoor-AWQ
3 TDSS
4 Almanahe
5 Generic rootkit.d
6 Backdoor-DoQ
7 Generic Backdoor.u
8 Spy-Agent.bw
9 Backdoor-CKB
10 LDPINCH
11 StealthMBR.c
12 Puper
13 Lando
14 Spam-Mailbot.l (Slenfbot)
15 Hidden Process.a
16 PigSearch
17 Generic rootkit.g
18 Generic rootkit.ec
19 W32/Routrobot.worm
20 DNSChanger
Enhanced Self/System Protection
• DeepSAFE is first to load
• Driver self-protection
Protection areas
• Kernel_IDT, Kernel_SSDT
• Kernel_SysEnter
• Kernel_DKOM
• Kernel_inline
• Kernel_IAT, Kernel_EAT
• Kernel_DispRoutine
• Kernel_IRP
• + additional areas specified by content
Additional Event Tracking
• Driver Install Watch
Top 20 prevalent families targeted for remediation
• New families added over time
8 April 2011
Deep Defender Details
• Supported Intel chipsets: Intel® Core™ i3, i5, i7 processors; utilizes Intel Virtualization Technology (VT)
• Supports Windows 7, 32 and 64 bit
• Managed by ePO 4.5 and 4.6
• Supports VSE 8.7 and 8.8
• Integrates with McAfee's GTI cloud
• Available Q1 2012