Holger Unterbrink
Security Researcher
Agenda
• Who Is Talos ?
• Threats Talos has investigated recently
Who is Talos
• Cisco’s threat intelligence organization
• Threat hunting
• Malware analysis
• 5 groups collaborating to produce threat intel
• Reputation feeds, signatures, IOC
• Security engines and tools
• Threat reports and blogs
• Who is behind Talos
• Cisco, Ironport, Sourcefire, ScanSafe,…
• RevEng, data scientists, spam, web, DNS and BGP experts, …
THREAT DATA CYCLE
TALOS PRODUCTS & INTELLIGENCE
Talos develops the threat intelligence detection that goes into all Cisco Security products and services.
[Figure: Talos products and detection services matrix]
Product columns: Open Source, Endpoint, Cloud, Web, Network, Services, Email, Intelligence
Products: ESA, SpamCop, SenderBase, Snort Rules, ClamAV Sigs, AMP, ClamAV, CWS, OpenDNS, WSA, FirePower, ATA, IR, ThreatGrid
Detection services: Email Reputation, Malware Protection, URL/Domain/IP Reputation, IP Reputation, Phishing Protection, Vulnerability Protection, Custom Protection, Network Protection, Policy & Control, AVC, Cloud & Endpoint IOCs
250+ full-time threat intel researchers
Millions of telemetry agents
4 global data centers
1100 threat traps
Over 100 threat intelligence partners
THREAT INTEL
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Global honeypot network
• Open source communities: Spamcop, OpenDNS, Senderbase
• Vulnerability discovery (internal)
• 3.4 billion AMP requests (telemetry)
• ThreatGrid community
INTEL SHARING
• Aspis, Crete
• AEGIS
• 3rd party programs (MAPP)
• ISACs
TALOS INTEL BREAKDOWN
INTELLIGENCE COMMUNITIES
Project Aspis – collaboration between Talos and host providers
• Talos provides expertise and resources to identify major threat actors
• Providers potentially save significant costs in fraudulent charges
• Talos gains real world insight into threats on a global scale, helping us improve detection and prevention, making the internet safer for everyone
AEGIS – information exchange between Talos and participating members of the security industry
• Open to partners, customers, and members of the security industry
• Collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats
Talos Homepage
Threats Investigated by Talos
Ransomware
Ransomware Information
TeslaCrypt 3 – Tales from the Crypt(o): http://blog.talosintel.com/2016/03/teslacrypt-301-tales-from-crypto.html
• TeslaCrypt details
• Elliptic Curve Cryptography basics
TeslaCrypt – The Battle is over: http://blog.talosintel.com/2016/06/teslacrypt-decryptor.html
More Ransomware Information
Cryptowall 4: http://blog.talosintel.com/2015/12/cryptowall-4.html
• Localized docs
• Eastern Europe regions excluded
SamSam: http://blog.talosintel.com/2016/03/samsam-ransomware.html
• Manually installed ransomware
Qbot Banking Trojan
Overview
• Around since 2008
• Recently experienced a large surge in development and deployments
• Infection via browser-based exploit kits
• Targets sensitive banking credentials and FTP credentials
Qbot Banking Trojan
Packer diagram: the original executable (header + code, e.g. Trojan.exe) is packed into an executable consisting of header + stub code + packed original code; at run time the stub unpacks the original code in memory and jumps into it (unpacked executable in memory).
Malware packer: the (un)packer is changed frequently, the payload (unpacked malware) much less frequently.
Qbot packer: 618 different packed samples unpack to 73 different payloads.
Qbot Dropper
Dropper path: %appdata%\Microsoft\[RandomName]\[RandomName].exe
The random names come from a PRNG seeded with {ProductId, Computer Name, Harddrive Serial Number}
RC4 encrypted log file
• Script to decrypt logs for enhanced IR analysis
• This will print out configuration information including initial infection time and FTP exfil server information.
• RC4 key generated by converting the folder name to lowercase, then taking the SHA1 hash of the resulting string
e.g. %appdata%\Microsoft\oykyjxjx\oykyjxj.dll
Updater
http[:]//<maliciousdomain.com>/viewtopic.php
• First 20 bytes are the RC4 key
• 20-byte SHA1 hash
• Updated version of Qbot
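Added example (not Talos' decryption script and not Qbot code): the two RC4 artefacts from the dropper and updater slides in one small IR helper. The log-file key derivation (lowercase folder name, then SHA1) is as stated above; that the raw 20-byte digest rather than its hex string is used as the RC4 key is an assumption. For the updater blob the slide only gives the layout (20-byte RC4 key, 20-byte SHA1, payload); that the SHA1 covers the decrypted payload is an assumption, and the sample blob and log below are constructed, not real samples.

```python
# Added example (not Talos code): Qbot log-file key derivation and updater blob
# layout as described on the slides, with RC4 implemented in the stdlib only.
import hashlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def log_key_from_folder(folder_name: str) -> bytes:
    """Key derivation from the slide: lowercase folder name -> SHA1.
    Assumption: the raw 20-byte digest (not its hex string) is the RC4 key."""
    return hashlib.sha1(folder_name.lower().encode("ascii")).digest()


def decrypt_log(folder_name: str, encrypted_log: bytes) -> bytes:
    """Decrypt the dropper's RC4 log given the folder it was installed in."""
    return rc4(log_key_from_folder(folder_name), encrypted_log)


def unwrap_update(blob: bytes) -> Optional[bytes]:
    """Updater response layout from the slide: 20-byte RC4 key | 20-byte SHA1 | payload.
    Assumption: the SHA1 covers the decrypted payload; None if the hash does not match."""
    if len(blob) < 40:
        return None
    key, digest, body = blob[:20], blob[20:40], blob[40:]
    payload = rc4(key, body)
    if hashlib.sha1(payload).digest() != digest:
        return None
    return payload


# Constructed sample artefacts (not real Qbot data) so the helpers can be exercised offline.
SAMPLE_FOLDER = "oykyjxjx"  # folder name from the slide's example path
SAMPLE_LOG_PLAINTEXT = b"install_time=1450458170\nftp_host=ftp.example.invalid\n"
SAMPLE_ENCRYPTED_LOG = rc4(log_key_from_folder(SAMPLE_FOLDER), SAMPLE_LOG_PLAINTEXT)

SAMPLE_UPDATE_PAYLOAD = b"MZ-placeholder-updated-bot"
_update_key = hashlib.sha1(b"constructed-update-key").digest()
SAMPLE_UPDATE_BLOB = (_update_key
                      + hashlib.sha1(SAMPLE_UPDATE_PAYLOAD).digest()
                      + rc4(_update_key, SAMPLE_UPDATE_PAYLOAD))

if __name__ == "__main__":
    print(decrypt_log(SAMPLE_FOLDER, SAMPLE_ENCRYPTED_LOG).decode())
    print(unwrap_update(SAMPLE_UPDATE_BLOB))
```

On a real case the folder name is read from the install path found on disk and the encrypted log bytes are passed to `decrypt_log`; the hash check in `unwrap_update` is what tells you whether your guess about which bytes the SHA1 covers was right.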
Domain Generation Algorithms (DGA)
Get the date by sending an innocent-looking GET request to Google and parsing the HTTP 301 response for the date.
Generate a date-based string, e.g. 2.mar.2016.00000001
• First digit is the tens digit of the day of the month (though 2 is also used for days 30 and 31), e.g. 16 March 2016 = 1, 22 March 2016 = 2, 30 March 2016 = 2
• The trailing 00000001 is a constant
…and use it as seed for the Mersenne Twister PRNG, which produces the domain name, e.g. llrbprhssvbsmmfrpsojzjct.org
• TLD Array[n]: .info .com .org .net …
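Added example (not Qbot's algorithm): the date-seeded DGA pattern described above, written generically so a defender can pre-compute a day's candidate domains and match them against DNS logs. The seed-string rule (tens digit of the day, 2 also for days 30 and 31, month, year, constant 00000001), the Mersenne Twister and the TLD array are from the slides; how the string is turned into a 32-bit PRNG seed, the label length (24, matching the slide's example domain), the number of domains per day and the lowercase English month names are assumptions. The HTTP reply is constructed, not captured traffic.

```python
# Added example (not Qbot code): date -> seed string -> MT19937 -> candidate domains.
import hashlib
import random
import re
from datetime import date
from email.utils import parsedate_to_datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]
TLDS = [".info", ".com", ".org", ".net"]  # TLD array from the slide
CONSTANT = "00000001"                     # constant suffix from the slide


def date_from_http_response(raw_response: bytes) -> date:
    """The slide: the date comes from the Date header of an HTTP 301 reply.
    Only the header block is examined; the body is ignored."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).date()
    raise ValueError("no Date header in response")


def seed_string(d: date) -> str:
    """'<tens digit of day>.<mon>.<year>.<constant>', with 2 also used for days 30 and 31."""
    tens = min(d.day // 10, 2)
    return f"{tens}.{MONTHS[d.month - 1]}.{d.year}.{CONSTANT}"


def mt_seed(s: str) -> int:
    """Assumption: the slide does not say how the string becomes a PRNG seed;
    here the first 4 bytes of SHA1(string) are used as a 32-bit seed."""
    return int.from_bytes(hashlib.sha1(s.encode()).digest()[:4], "little")


def generate_domains(d: date, count: int = 5, length: int = 24) -> list:
    """random.Random is MT19937, the Mersenne Twister named on the slide.
    Assumptions: 24-character labels (as in the slide's example) and 5 domains per seed."""
    rng = random.Random(mt_seed(seed_string(d)))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
        domains.append(label + rng.choice(TLDS))  # TLD picked by PRNG index into the array
    return domains


DOMAIN_RE = re.compile(r"^[a-z]{24}\.(info|com|org|net)$")

# Constructed sample HTTP reply (not captured traffic) carrying the date used on the slide.
SAMPLE_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: http://www.google.com/\r\n"
                   b"Date: Wed, 16 Mar 2016 10:15:00 GMT\r\n"
                   b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    day = date_from_http_response(SAMPLE_RESPONSE)
    print(seed_string(day))
    for domain in generate_domains(day):
        print(domain)
```

Because the seed string only changes with the tens digit of the day, the same candidate list stays valid for roughly ten days (and days 30 and 31 share the list for days 20 to 29), which is why a blocklist built from such a generator needs refreshing only at those boundaries. With the real seed conversion substituted for `mt_seed`, the same structure yields the actual domains.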
Webinjects – Fake Log Off
“set_url https://*.<BankDomain>.com/*logoff* GPR http://<MaliciousSite>/fakes/onlineserv_cm_logoff.html”
Sign out
FTP Exfil
Content: "ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%s] domain=[%s] is_admin=[%s] os=[%s] qbot_version=[%s] install_time= %s] exe=[%s]" …
FTP to a list of servers hardcoded in its config file.
Archive name, e.g. “article_covezh618946_1450458170.zip”: “article” string | random value | seconds since the Unix epoch | .zip
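Added example (not Talos code): a detector for the exfil archive naming scheme just described, run over FTP server log lines. The name pattern and the example filename are from the slide; the log lines themselves are constructed, and the timestamp decoding shows that the epoch field gives the upload time to the second.

```python
# Added example (not Talos code): flag uploads whose name matches
# "article" | random value | seconds since the Unix epoch | .zip
import re
from datetime import datetime, timezone

EXFIL_NAME_RE = re.compile(r"\barticle_([a-z0-9]+)_(\d{9,10})\.zip\b")


def parse_exfil_name(text: str):
    """Return (random_value, upload_time_utc) for the first matching name in text, else None."""
    m = EXFIL_NAME_RE.search(text)
    if not m:
        return None
    upload_time = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1), upload_time


def flag_ftp_log(lines):
    """Keep only log lines carrying a matching archive name, paired with the decoded time."""
    hits = []
    for line in lines:
        parsed = parse_exfil_name(line)
        if parsed:
            hits.append((line, parsed[1]))
    return hits


# Constructed log lines (not real server logs); the first filename is the one on the slide.
SAMPLE_FTP_LOG = [
    "2015-12-18 17:03:01 203.0.113.7 STOR article_covezh618946_1450458170.zip 226 OK",
    "2015-12-18 17:05:44 203.0.113.9 STOR quarterly_report.zip 226 OK",
    "2015-12-18 17:06:10 203.0.113.7 STOR article_x9q1kz_1450458400.zip 226 OK",
]

if __name__ == "__main__":
    for line, when in flag_ftp_log(SAMPLE_FTP_LOG):
        print(when.isoformat(), line)
```

The epoch field in the slide's example (1450458170) decodes to 2015-12-18 17:02:50 UTC, which is a useful cross-check against the FTP server's own timestamps when reconstructing an incident timeline.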
[Chart] Compilation by Day (Sun-Sat)
[Chart] Compile Time – Working Hours?
MS Rich Headers (undocumented)
Embedded compiler and linker version
MS Visual Studio executables
Rich Headers – Unpacked binaries
• 154 unpacked binaries contained only 6 unique Rich Headers
• Some of which were almost identical
• Likely caused by minor compiler updates on the same computer
These headers suggest the unpacked binaries were compiled in 3 unique environments
Rich Headers – Packed binaries
• The packed binaries contained 44 unique Rich Headers
• 35 of which seemed to be slight variants of the others
• None of which matched the 3 Rich Headers from the unpacked binaries
The packed binaries appear to be compiled from 9 unique environments
The Group?
Coder team: 3 group members, 6AM-8PM GMT, Mo-Fr* (Su)
Packer team: 9 group members, ~10AM-10:30PM GMT, Mo-Sa* (Su)
Developing and maintaining malware and a malicious infrastructure is a full time job !
More Information
Qbot on the rise: http://blog.talosintel.com/2016/04/qbot-on-the-rise.html
ShadowGate Takedown
What is a Gate?
Flow: victim → web server (compromised or malvertising) → redirect iframes → gate → proxy → exploit kit server (EK); profiling and exploitation happen behind the gate.
What is ShadowGate?
• Large scale malvertising-based EK gate
• Moved from Angler to Neutrino EK
• Long lasting periods of inactivity
• Very picky: only 0.1% are finally sent to an EK
• Large scale malvertising campaign: US/Canada/Middle East/China/New Zealand
• Delivered various payloads including ransomware and trojans
• Other gates: Darkleech, Pseudo Darkleech, EITest
Campaign Details
Action taken:
• Shadowed domains registered through GoDaddy
• Worked with GoDaddy to get the domains shut down
• After the first shutdown the gate pivoted
• Found second server/campaign, also shut down by GoDaddy
Domain shadowing: <attacker registered sub domain>.<legit domain>, e.g. hasdsakdal.merrybrycemas.com
More Information
Shadow Gate Campaign Takedown (blog post): http://blog.talosintel.com/2016/09/shadowgate-takedown.html
Shadow Gate in action (video): http://blog.talosintel.com/2016/09/shadowgate-takedown.html
Closing
http://www.talosintelligence.com/
@talossecurity
Aegis Program: [email protected] Program: [email protected]
Angler Exploit Kit
Victims View Demo
Exploit Details
• “Hacking Team” Adobe Flash 0days: CVE-2015-5119, CVE-2015-5122
• IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419
• IE OLE Vulnerability: CVE-2014-6332
• No JAVA! Targets: Adobe Flash, IE (CVE-2014-6332), Silverlight
Analysis
• Extremely innovative in evading or bypassing security devices
• Infrastructure
• One landing page serving 90,000 victims a day
• 10% served with an exploit
• 40% success rate
• Hosting information
• Found 60%+ of Angler activity for the month at two providers: Limestone Networks and Hetzner
• $10,000 in cost and lost revenue each month for Limestone due to use of stolen credit cards
Angler Back-End Archi tecture Exposed
Redirect to Proxy Server
Overview
• Ransomware first seen at the beginning of 2015
• First ransomware targeting gamers
• Distributed via exploit kits and phishing emails
• Fast evolution, but…
• A history of cryptographic flaws
TeslaCrypt
Simplified Encryption Algorithm
Scan logical volumes, e.g. directory listing:
15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
Temp. AES256 key → AES encryption of 1.jpg → encrypted 1.jpg
Public-key encryption of the temp. AES256 key → encrypted AES256 key
Encrypted file (replacing the original file; extension .XXX, .TTT, .MICRO, others*): metadata + encrypted AES256 key + encrypted 1.jpg
• Elliptic Curve Cryptography
• Encrypted temporary AES key can only be decrypted with the private key
• The public key is embedded in the malware dropper
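Added example (not TeslaCrypt's code and not from the Talos blog): a model of the hybrid scheme on the slide, with a fresh AES-256 key per file, the file encrypted under it, and that key wrapped with an elliptic-curve public key, the only key the dropper carries. The talk states only that the temporary AES key is encrypted with the embedded EC public key; the ECIES-style wrap used here (ephemeral ECDH on P-256, HKDF, AES-GCM), the `TCX1` metadata tag and the field layout are assumptions of the example. It uses the third-party `cryptography` package. The point it demonstrates is the one the slide makes: without the private key the wrapped file key, and therefore the file, cannot be recovered.

```python
# Added example (not TeslaCrypt code): per-file AES-256 key, wrapped under an
# EC public key; decryption needs the matching private key.
import os
import struct
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()
MAGIC = b"TCX1"  # constructed metadata tag, not the real file format
ENCODING = serialization.Encoding.X962
POINT_FMT = serialization.PublicFormat.UncompressedPoint  # 65 bytes on P-256


def make_keypair():
    """The private key stays with the operator; only the public bytes go into the dropper."""
    priv = ec.generate_private_key(CURVE)
    return priv, priv.public_key().public_bytes(ENCODING, POINT_FMT)


def _kek(shared_secret: bytes) -> bytes:
    """Key-encryption key derived from the ECDH shared secret (assumed construction)."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"file-key-wrap").derive(shared_secret)


def wrap_file_key(file_key: bytes, recipient_pub: bytes) -> bytes:
    """Ephemeral ECDH against the embedded public key, then AES-GCM over the file key.
    Output: ephemeral public point (65) | nonce (12) | wrapped key + tag (48) = 125 bytes."""
    eph = ec.generate_private_key(CURVE)
    peer = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, recipient_pub)
    kek = _kek(eph.exchange(ec.ECDH(), peer))
    nonce = os.urandom(12)
    eph_pub = eph.public_key().public_bytes(ENCODING, POINT_FMT)
    return eph_pub + nonce + AESGCM(kek).encrypt(nonce, file_key, None)


def encrypt_file(plaintext: bytes, recipient_pub: bytes) -> bytes:
    """Temporary AES-256 key per file; metadata = magic | wrapped-key length | wrapped key | nonce."""
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(file_key).encrypt(nonce, plaintext, None)
    wrapped = wrap_file_key(file_key, recipient_pub)
    return MAGIC + struct.pack(">H", len(wrapped)) + wrapped + nonce + body


def decrypt_file(blob: bytes, private_key) -> Optional[bytes]:
    """Only the holder of the private key can unwrap the file key; anyone else gets None."""
    if not blob.startswith(MAGIC) or len(blob) < 6:
        return None
    (wlen,) = struct.unpack(">H", blob[4:6])
    wrapped = blob[6:6 + wlen]
    nonce = blob[6 + wlen:18 + wlen]
    body = blob[18 + wlen:]
    eph_pub, wnonce, wkey = wrapped[:65], wrapped[65:77], wrapped[77:]
    try:
        peer = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub)
        file_key = AESGCM(_kek(private_key.exchange(ec.ECDH(), peer))).decrypt(wnonce, wkey, None)
        return AESGCM(file_key).decrypt(nonce, body, None)
    except (InvalidTag, ValueError):
        return None


if __name__ == "__main__":
    priv, pub = make_keypair()              # pub would be embedded in the dropper
    blob = encrypt_file(b"constructed 1.jpg bytes", pub)
    print(len(blob), decrypt_file(blob, priv))
    print(decrypt_file(blob, make_keypair()[0]))  # wrong private key -> None
```

Recovery tools such as the decryptor linked in the "Battle is over" post exist because of flaws in how a given family handles its keys, not because this structure is weak: when the scheme is implemented as above, the wrapped key is only as recoverable as the operator's private key.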
They are lying, can you believe it?