Análisis de ataques APT (Analysis of APT attacks)
![Page 1: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/1.jpg)
Understanding targeted attacks
Saturday, February 4, 2012
![Page 2: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/2.jpg)
Who am I?
• Jaime Blasco
• AlienVault Labs Manager
![Page 3: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/3.jpg)
What are we talking about?
• A group of sophisticated, coordinated attackers with political, financial or military motivation.
• The intruder can exploit publicly known vulnerabilities, but these attackers are also highly skilled and well funded and can research and exploit new, previously unknown vulnerabilities.
• The attacker wants to accomplish a mission, and the intrusion can take place over months.
![Page 4: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/4.jpg)
Agenda
• cat /dev/urandom
![Page 5: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/5.jpg)
Example: Kalachakra
• Camp information at Bodhgaya.doc
• CVE-2010-3333 (the RTF pFragments stack buffer overflow in Microsoft Office, MS10-087)
![Page 6: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/6.jpg)
Spear phishing
![Page 7: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/7.jpg)
Shellcode
Staged XOR Loader
![Page 8: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/8.jpg)
Shellcode
• Resolves imports by hash
• Uses ROR to generate the hashes (ror ebx, 7)
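How an analyst turns the hash constants found in this shellcode back into API names, as an added example (this is not the shellcode's code nor code from the presentation). It recreates the scheme the slide names, a running 32-bit value rotated right by 7 and then added to each character of the export name, and goes one step beyond the slide with a brute-force over the rotate count for shellcode where the count is not obvious. Whether the rotate happens before or after the add, whether the terminating NUL byte is folded in, and whether names are upper-cased all vary between shellcode families, so the loop below ("rotate, then add, no NUL") is an assumption to be confirmed against the disassembly; the seeded export list is also this example's own.

```python
"""ROR-based API hash resolver (added example; assumptions noted in comments)."""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`, as the x86 ROR instruction does."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str, bits: int = 7, include_nul: bool = False) -> int:
    """h = ror(h, bits) + c over the export name.

    Assumed loop shape: rotate first, then add the byte; the slide only shows
    `ror ebx, 7`, so verify this order and the NUL handling in the disassembly.
    """
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for c in data:
        h = (ror32(h, bits) + c) & MASK32
    return h


# Names to seed the lookup with (this example's list); in a real case, dump the
# export tables of kernel32.dll, ntdll.dll, ws2_32.dll, urlmon.dll, etc.
COMMON_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "ReadFile", "WriteFile", "CloseHandle", "GetTempPathA",
    "WinExec", "CreateProcessA", "ExitProcess", "GetFileSize", "SetFilePointer",
    "URLDownloadToFileA", "ExitThread", "GetModuleHandleA",
]


def build_table(names=COMMON_EXPORTS, bits: int = 7, include_nul: bool = False) -> dict:
    """Map hash constant -> export name for every seeded name."""
    return {api_hash(n, bits, include_nul): n for n in names}


def resolve(constants, bits: int = 7, names=COMMON_EXPORTS, include_nul: bool = False) -> dict:
    """Map each constant lifted from the shellcode to an export name, or None if unknown."""
    table = build_table(names, bits, include_nul)
    return {c: table.get(c) for c in constants}


def brute_force_rotation(constant: int, names=COMMON_EXPORTS):
    """When the rotate count is not obvious, try every ROR count and both NUL
    conventions; return (bits, include_nul, name) for the first hit, else None."""
    for bits in range(1, 32):
        for include_nul in (False, True):
            hit = build_table(names, bits, include_nul).get(constant)
            if hit:
                return bits, include_nul, hit
    return None


if __name__ == "__main__":
    # Constructed input: constants an analyst might pull from the shellcode.
    sample = [api_hash("LoadLibraryA"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for const, name in resolve(sample).items():
        print(f"0x{const:08x} -> {name or '?'}")
```

Unresolved constants usually mean the name is not in the seed list or the loop shape differs; check the NUL and rotate order before enlarging the list.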
![Page 9: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/9.jpg)
Shellcode
![Page 10: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/10.jpg)
Dropped EXE
![Page 11: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/11.jpg)
Dropped EXE
• Language of the compilation system: Chinese
• Dropped files:
  • C:\Documents and Settings\Administrator\7240672406.dat
  • C:\Documents and Settings\Administrator\temp.dat
• Marks its presence on the system:
![Page 12: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/12.jpg)
7240672406.dat
![Page 13: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/13.jpg)
Injection
![Page 14: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/14.jpg)
Obfuscation
![Page 15: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/15.jpg)
Injected Code
• User Mode Process Dumper (Microsoft's userdump.exe) to dump the injected process
• WinDbg to the rescue:
![Page 16: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/16.jpg)
C&C Traffic
```
GET / HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
Connection: Keep-Alive
```
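Detection logic for the beacon on this slide, as an added example that is not part of the presentation. The request has three tells a real browser never produces together: a full URL path and query string inside the Host header, an Accept-Language of zh-cn, and two contradictory MSIE version tokens in one User-Agent. The code parses a raw request and reports which of those it sees. The beacon text is the one transcribed from the slide (CRLF line endings added), the "clean" request and the set of expected languages are constructed assumptions for contrast, and the regexes and finding names are this example's own.

```python
"""Header-anomaly checks for the Kalachakra C&C beacon (added example)."""
import re

# The request transcribed from the slide, with CRLF line endings added.
SAMPLE_BEACON = (
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed benign request to the same site, for contrast.
SAMPLE_CLEAN = (
    "GET /windowsupdate/v7/default.aspx?ln=en-us HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# A Host header is a hostname or IP with an optional port, never a path or query.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
MSIE_TOKEN_RE = re.compile(r"MSIE \d+(?:\.\d+)?")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, version, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def beacon_indicators(raw: str, expected_langs=("en-us", "en", "es-es", "es")) -> list:
    """Return the anomalies that make a request resemble the slide's beacon (empty list = none).

    expected_langs is an assumption: the Accept-Language values normal on your network.
    """
    _method, _target, _version, h = parse_request(raw)
    findings = []
    if not HOSTNAME_RE.match(h.get("host", "")):
        findings.append("host-header-contains-path-or-query")
    if len(MSIE_TOKEN_RE.findall(h.get("user-agent", ""))) > 1:
        findings.append("multiple-msie-version-tokens")
    lang = h.get("accept-language", "").split(",")[0].split(";")[0].strip().lower()
    if lang and lang not in expected_langs:
        findings.append(f"unexpected-accept-language:{lang}")
    return findings


def scan(requests) -> dict:
    """Map each request's first line to its findings, for a batch of captured requests."""
    return {r.split("\r\n", 1)[0]: beacon_indicators(r) for r in requests}


if __name__ == "__main__":
    for first_line, hits in scan([SAMPLE_BEACON, SAMPLE_CLEAN]).items():
        print(first_line, "->", hits or "clean")
```

The Host check is the strongest of the three: a path in Host is malformed on its own, while the language and User-Agent tells depend on what is normal for the environment.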
![Page 17: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/17.jpg)
kalachakra32.doc
![Page 18: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/18.jpg)
Dropped EXE
• Created files:
• AhnLab-V3, DrWeb, Jiangmin
![Page 19: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/19.jpg)
Embedded Resource
![Page 20: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/20.jpg)
Debug Info
```
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConfigDataSize = [40]
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!
.\install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!
.\install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]
.\install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!
.\install.cpp-InstallSrvPlugin-295: StartServiceEx!
.\SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]
.\SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread
.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
```
![Page 21: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/21.jpg)
Create Service
```
"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START","lpBinaryPathName->C:\WINDOWS\system32\rundll32.exe "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll",ServiceEntry"
```
(dwServiceType 0x110 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; the service binary path makes rundll32.exe call the DLL's ServiceEntry export.)
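Triage of this sandbox record for service-based persistence, as an added example (not part of the presentation, and not the sandbox's own tooling). The CreateServiceA line is one record of a comma-separated API trace whose fields are wrapped in double quotes and whose parameters are written as name->value; because the DLL path inside lpBinaryPathName carries unescaped quotes, the parser splits on the quote-comma-quote separator rather than using a CSV reader. It then applies rules that would have flagged the 5a1bcffe service: a DLL hosted by rundll32.exe, a DLL outside the Windows directory, the SERVICE_INTERACTIVE_PROCESS bit, an auto-start type, and a hex-looking service name. The field order, rule names and the Windows directory are this example's assumptions; the trace line is the slide's record joined back onto one line.

```python
"""Service-persistence rules over an API-trace record (added example)."""
import re

# The slide's CreateServiceA record, joined onto one line.
SAMPLE_TRACE = (
    '"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe",'
    '"CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe",'
    '"dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START",'
    '"lpBinaryPathName->C:\\WINDOWS\\system32\\rundll32.exe '
    '"C:\\Archivos de programa\\Archivos comunes\\Microsoft Shared\\Triedit\\5a1bcffe.dll",ServiceEntry"'
)

# Service type bits from winsvc.h.
SERVICE_WIN32_OWN_PROCESS = 0x00000010
SERVICE_WIN32_SHARE_PROCESS = 0x00000020
SERVICE_INTERACTIVE_PROCESS = 0x00000100


def parse_trace_line(line: str) -> dict:
    """Split one record. Assumed field order: timestamp, pid, process, api, result,
    return address, then name->value parameters. Splitting on the quote-comma-quote
    separator keeps the unescaped quotes inside lpBinaryPathName intact."""
    fields = line.strip().strip('"').split('","')
    rec = dict(zip(["timestamp", "pid", "process", "api", "result", "retaddr"], fields[:6]))
    rec["params"] = {}
    for f in fields[6:]:
        name, sep, value = f.partition("->")
        if sep:
            rec["params"][name] = value
    return rec


def split_binary_path(bin_path: str):
    """Return (image, hosted_dll) for lpBinaryPathName. The DLL is the argument
    rundll32 receives (quoted or bare, before the ',Export' suffix); None otherwise."""
    image = bin_path.split(" ", 1)[0]
    dll = None
    if image.lower().endswith("rundll32.exe"):
        m = re.search(r'"([^"]+\.dll)"', bin_path, re.IGNORECASE)
        if m:
            dll = m.group(1)
        else:
            rest = bin_path.split(" ", 1)[1] if " " in bin_path else ""
            dll = rest.split(",", 1)[0].strip() or None
    return image, dll


def persistence_findings(rec: dict, windir: str = "C:\\WINDOWS") -> list:
    """Rules over a CreateService record; an empty list means nothing suspicious.
    The attempt is flagged even when the call failed, as it did on the slide."""
    if rec.get("api") not in ("CreateServiceA", "CreateServiceW"):
        return []
    p = rec["params"]
    findings = []
    _image, dll = split_binary_path(p.get("lpBinaryPathName", ""))
    if dll:
        findings.append("dll-hosted-by-rundll32")
        if not dll.lower().startswith(windir.lower() + "\\"):
            findings.append("service-dll-outside-windows-dir")
    svc_type = int(p.get("dwServiceType", "0"), 16)
    if svc_type & SERVICE_INTERACTIVE_PROCESS:
        findings.append("interactive-service")
    if p.get("dwStartType") == "SERVICE_AUTO_START":
        findings.append("auto-start")
    if re.fullmatch(r"[0-9a-f]{8}", p.get("lpServiceName", "")):
        findings.append("hex-looking-service-name")
    return findings


if __name__ == "__main__":
    rec = parse_trace_line(SAMPLE_TRACE)
    print(rec["params"]["lpServiceName"], rec["result"], persistence_findings(rec))
```

An auto-start flag on its own is normal for legitimate services; it is the combination with a rundll32-hosted DLL under Common Files and a random-looking name that makes this record worth a closer look.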
![Page 22: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/22.jpg)
AV Aware
• Checks for kisknl.sys (Kingsoft Antivirus)
• Looks for KSafeTray.exe and disables it: OpenThread -> SuspendThread
• Checks for TmComm.sys (Trend Micro)
• Checks for HookPort.sys (Qihoo 360)
• Depending on which AV is present, either installs the service through the native API or uses the following method (CabinetWClass is the Windows Explorer window class):
  • FindWindowA("CabinetWClass", WindowName);
  • FindWindowExA(v15, 0, "WorkerW", 0);
  • SendMessageA, RegOpenKeyExA, SYSTEM\\CurrentControlSet\\Services\\
![Page 23: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/23.jpg)
WTF!
![Page 24: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/24.jpg)
Real World
![Page 25: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/25.jpg)
Sykipot
![Page 26: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/26.jpg)
Exploits
![Page 27: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/27.jpg)
Samples
![Page 28: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/28.jpg)
Features
![Page 29: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/29.jpg)
C&C Servers
![Page 30: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/30.jpg)
Certificate Access
![Page 31: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/31.jpg)
Smartcard Access
![Page 32: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/32.jpg)
OpenIOC
• Indicators Of Compromise
• XML format to describe:
  • File attributes
  • Registry entries
  • Process attributes
  • Network attributes
  • ...
• http://openioc.org/
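The indicators from the Kalachakra slides written as an OpenIOC document and matched against a host, as an added example (this is not from the presentation or from openioc.org). It builds an OpenIOC 1.0 `<ioc>` whose definition ORs the artefacts shown earlier in the deck (the 5a1bcffe service and DLL, the 7240672406.dat drop, and the 218.106.193.184:81 connection as an AND of two items), serialises it, parses it back and evaluates the Indicator/IndicatorItem tree against a constructed host snapshot. The Context search terms use the Mandiant term names (FileItem/FileName, ServiceItem/name, PortItem/remoteIP, PortItem/remotePort), but the snapshot layout, the IOC id and dates, and the evaluator (including its rule that an AND over items of one document must hit the same record) are this example's own assumptions; a production evaluation would use a tool that knows the full term vocabulary.

```python
"""Build and evaluate an OpenIOC 1.0 document (added example)."""
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)


def _q(tag: str) -> str:
    """Namespace-qualify an OpenIOC tag for ElementTree."""
    return f"{{{NS}}}{tag}"


def add_item(parent, search: str, value: str, item_id: str, condition: str = "is"):
    """Append one IndicatorItem; search is the term path, e.g. FileItem/FileName."""
    item = ET.SubElement(parent, _q("IndicatorItem"), id=item_id, condition=condition)
    ET.SubElement(item, _q("Context"), document=search.split("/")[0], search=search, type="mir")
    ET.SubElement(item, _q("Content"), type="string").text = value
    return item


def build_kalachakra_ioc() -> ET.Element:
    """OR of the artefacts on the slides; the C&C connection is an AND of IP and port.
    The id and dates are this example's placeholders."""
    ioc = ET.Element(_q("ioc"), id="example-kalachakra-0001", **{"last-modified": "2012-02-04T00:00:00"})
    ET.SubElement(ioc, _q("short_description")).text = "Kalachakra dropper persistence (example IOC)"
    ET.SubElement(ioc, _q("authored_date")).text = "2012-02-04T00:00:00"
    root = ET.SubElement(ET.SubElement(ioc, _q("definition")), _q("Indicator"), operator="OR", id="ind-root")
    add_item(root, "FileItem/FileName", "5a1bcffe.dll", "item-dll")
    add_item(root, "FileItem/FileName", "7240672406.dat", "item-dat")
    add_item(root, "ServiceItem/name", "5a1bcffe", "item-svc")
    conn = ET.SubElement(root, _q("Indicator"), operator="AND", id="ind-c2")
    add_item(conn, "PortItem/remoteIP", "218.106.193.184", "item-ip")
    add_item(conn, "PortItem/remotePort", "81", "item-port")
    return ioc


def to_xml(ioc: ET.Element) -> str:
    return ET.tostring(ioc, encoding="unicode")


# Constructed host snapshots (assumed layout): document name -> records of term -> value.
HOST_INFECTED = {
    "FileItem": [{"FileName": "notepad.exe"}, {"FileName": "7240672406.dat"}],
    "ServiceItem": [{"name": "Spooler"}, {"name": "5a1bcffe"}],
    "PortItem": [{"remoteIP": "218.106.193.184", "remotePort": "81"}],
}
HOST_CLEAN = {
    "FileItem": [{"FileName": "notepad.exe"}],
    "ServiceItem": [{"name": "Spooler"}],
    "PortItem": [{"remoteIP": "218.106.193.184", "remotePort": "443"}],
}


def item_matches(item, host: dict, record: dict = None) -> bool:
    """Does an IndicatorItem hit any record (or the one given) of its document?"""
    doc, term = item.find(_q("Context")).get("search").split("/", 1)
    value = item.find(_q("Content")).text
    cond = item.get("condition", "is")
    for rec in ([record] if record is not None else host.get(doc, [])):
        v = rec.get(term)
        if v is None:
            continue
        if (cond == "is" and v == value) or (cond == "contains" and value in v):
            return True
    return False


def evaluate(node, host: dict, record: dict = None) -> bool:
    """Recursively evaluate an Indicator (AND/OR) or IndicatorItem."""
    if node.tag == _q("IndicatorItem"):
        return item_matches(node, host, record)
    children = [c for c in node if c.tag in (_q("Indicator"), _q("IndicatorItem"))]
    if node.get("operator", "OR").upper() == "AND":
        # When every child is an item on one document, all of them must hit the
        # SAME record (the same connection), not one record each.
        docs = {c.find(_q("Context")).get("document") for c in children if c.tag == _q("IndicatorItem")}
        if record is None and len(docs) == 1 and all(c.tag == _q("IndicatorItem") for c in children):
            doc = next(iter(docs))
            return any(all(item_matches(c, host, rec) for c in children) for rec in host.get(doc, []))
        return all(evaluate(c, host, record) for c in children)
    return any(evaluate(c, host, record) for c in children)


def matches(ioc_xml: str, host: dict) -> bool:
    """Parse an OpenIOC document and evaluate its top-level Indicator against a host."""
    root = ET.fromstring(ioc_xml).find(_q("definition")).find(_q("Indicator"))
    return evaluate(root, host)


if __name__ == "__main__":
    xml = to_xml(build_kalachakra_ioc())
    print(xml)
    print("infected:", matches(xml, HOST_INFECTED), "clean:", matches(xml, HOST_CLEAN))
```

The same-record rule matters for network indicators: without it, a host that talked to 218.106.193.184 on 443 and to some other address on 81 would satisfy the AND and produce a false positive.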
![Page 33: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/33.jpg)
Example
![Page 34: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/34.jpg)
Example
![Page 35: Análisis de ataques APT](https://reader031.vdocuments.net/reader031/viewer/2022020207/555a4245d8b42ae1398b4f5b/html5/thumbnails/35.jpg)
Thank you
• Follow me on Twitter: jaimeblascob