Post on 18-Jul-2015
Using Massively Distributed Malware in APT-Style Attacks
Dana Tamir
IBM Trusteer Dir. Enterprise Security
© 2014 IBM Corporation
IBM Security
3
FlameStuxnet
Security
Virus
Trojan
RAT
Threat
Data Credentials
Malware Internet
Wild
Cyber
WAR
DiscoveryAlert!
Breach
Dangerous Detection
Research
$$$
© 2014 IBM Corporation
IBM Security
4
Stuxnet* Designed to attack Siemens industrial systems
* Caused fast-spinning centrifuges to tear themselves apart
* Exploited four zero-day vulnerabilities
Duqu* Looks for info to target industrial control systems
* Not destructive
* Uses jpeg files and encrypted dummy files as containers to exfiltrate data to C&C
Gauss
* A complex Cyber-espionage toolkit
* Steals various kinds of data from infected machines
* Includes an encrypted payload which is activated on certain specific system configs
APTs => Highly Targeted Malware
Flame• A sophisticated
cyber-espionage
malware
• Infected target
machines in
Middle Eastern
countries
• Receives
instructions via
C&C servers
© 2014 IBM Corporation
IBM Security
6
6
Trojans Used in
Financial Fraud
Trojans Used in
APT-Style Attacks
• Targets Consumers
• Used for stealing
• Bank account credentials
• Personal information
• Sophisticated
• Targets Employees
• Used for stealing
• Corporate credentials
• Business and operational
data
• Sophisticated
© 2014 IBM Corporation
IBM Security
7
Typical functions available with these malware families
Capability Description
Keylogging Captures user keystrokes and sends data to attacker
Screenshot capturing record browser session, including data displayed to user
Video capturing record a video stream of a browser session
Form grabbing (HTTP
POST grabbing)
method used to capture user input from a web data
form.
HTML injection a method used for injecting HTML content into legitimate
web pages in order to modify it.
Remote execution of
command line
instructions
enables the operator to collect data and change settings
on one or more remote computers.
Remote control of the
infected machine
allows complete control over the PC and full access to
the corporate network.
Evasion techniques designed to evade anti-virus and other security controls.
Anti-research
techniques
a variety of sophisticated features designed to prevent
researchers from analyzing the malware
7
© 2014 IBM Corporation
IBM Security
8
Using Massive Distribution Campaigns
8
Not Targeted!
Infecting Millions of Machines!
© 2014 IBM Corporation
IBM Security
9 9
Massively Distributed Malware
Massive Distribution Campaigns use techniques like Spear-Phishing, Drive-By Downloads, Malvertising, Watering hole attacks…
© 2014 IBM Corporation
IBM Security
10 10
Massively Distributed Malware
Command and Control ServerRegistration
Configuration file
© 2014 IBM Corporation
IBM Security
11 11
The Configuration Files
• Provided by the Command and Control Server
• Contain operational information, like:
• Targets and Operational Triggers
• Information requested
• Alternative Command and Controls
• Can be Updated!
• New operational triggers and targets
• New information requested
• Alternative Command and Controls
• Software upgrades
© 2014 IBM Corporation
IBM Security
14
Available for sale on the Russian Underground
New version offers “classic” Zeus and new capabilities
Enables the attacker to run shell commands off the infected device
Can map the network on which the infected device is
Obviously not added for financial fraud…
Built-in VNC (the VNCfox)
is a valuable tool
“Crowd-sourcing”
Will not work on devices
that use a Cyrillic keyboard
layout (do not wish to target
Russian or Ukrainian systems)
14
© 2014 IBM Corporation
IBM Security
17
From The Citadel Configuration File
Instructed to look for user access to certain URL addresses
Form Grabbing/ “HTTP POST”: grab all the information submitted by the user
The relevant section from the configuration file (shown in a Trusteer proprietary format)
17
© 2014 IBM Corporation
IBM Security
18
Grabbing webmail login credentials
http://mail.target-company.com/*
18
© 2014 IBM Corporation
IBM Security
20
Citadel triggered by specific processes
Citadel instructed to start keylogging (capturing user keystrokes) when specific processes
are running.
The relevant part of the configuration is shown below (in IBM Trusteer’s proprietary format):
20
© 2014 IBM Corporation
IBM Security
21
Examples of Citadel Evasion Techniques
Designed to evade anti-virus and
other traditional security controls
Anti-research techniques: won’t
execute if env settings are set to
‘debug’ mode
Using “AutoCMD” functionality (run
shell commands on infected device):
– The variant creates a new user on the
infected device
– New user added to native windows
remote desktop protocol (RDP) group.
– So, if the malware is removed from the
infected device, the operator still has a
backdoor into it using Windows RDP.
21
© 2014 IBM Corporation
IBM Security
22
AlienSpy RAT used to deliver the popular Citadel Trojan
Similar to other RATs, AlienSpy RAT provides the attacker with full
control over the compromised system.
Network traffic encryption is performed to obfuscate the malicious
network traffic with the command and control server (CnC)
AlienSpy receives commands to download and execute a file in the victim
system
– At least one variant received commands to infect the victim system with Citadel
C&C
AlienSpy
(PayslipDetails.jar)
Citadel
C&C
Dropper
© 2014 IBM Corporation
IBM Security
23
Using Trojans to Massively Distribute Trojans
…so far managed to infect over 770,000 machines
around the world.
…designed primarily to disseminate other kinds of
malware and has been operating since at least
2012 somewhat under the radar of researchers…
© 2014 IBM Corporation
IBM Security
24
The Dyre Trojan
First appeared in June 2014
Distributed through massive spear-phishing campaigns
Initially targeted customers of large financial institutions
Targets include: Bank of America, Citigroup, and Royal Bank
of Scotland Group Plc, and JP Morgan Chase customers.
Undergone many changes in a very short period
Uses some noteworthy propagation
and evasion techniques.
24
© 2014 IBM Corporation
IBM Security
26
Dyre compromises MS-Outlook to spread out
26
Spear-phishing email with
weaponized attachmentUptare
downloaderC&C
Dyre Trojan
C&C
WORM_MAILSPAM.XDPHijacks MS-Outlook Client to send
out more spear-phising emails Worm deletes itself so no
evidence is left
© 2014 IBM Corporation
IBM Security
27
Dyre Evasion Techniques
Fast evolution: a new binary code version can be released every three
days.
Uses Secure Socket Layers (SSL) to protect C&C communications
Has a mechanism that enables the Trojan to find an alternate C&C (in
case the hard coded C&Cs aren’t available)
– Uses a domain generation algorithm (DGA) to generate URLs on various top-
level domains (cc, ws, to, in, hk, cn, tk, and so)
– Similar to the mechanism used by Downad/Conficker malware.
27
© 2014 IBM Corporation
IBM Security
30
The Carbanak Malware
Distributed through drive-by downloads and spear-phishing
Designed for espionage, data exfiltration and providing remote access
Once the system is infected, Carbanak logs keystrokes and takes
screenshots every 20 seconds (intercepts ResumeThread call)
Can install additional malware like the Ammyy RAT
30
© 2014 IBM Corporation
IBM Security
31
Carbanak Evasion Techniques
Carbanak copies itself into
“%system32%\com” with the name
“svchost.exe” and then deletes the original
exploit payload
Carbanak injects its code into svchost.exe.
Most of the actions described below happen
within this process.
To communicate with the C&C it uses the
HTTP protocol with RC2+Base64
encryption, adding characters not included
in Base64.
Latest Carbanak samples are digitally
signed (seem trusted)
© 2014 IBM Corporation
IBM Security
34
Recommendations
Traditional security controls aren’t effective
• > New approach needed!
There is no silver bullet!
Multi-layered protection required
– Employee Endpoints
– Servers
– Networks
Security Intelligence
Emergency Response Services
34
© 2014 IBM Corporation
IBM Security
35
IBM is uniquely positioned to offer integrated protection
35
A dynamic, integrated system to disrupt the lifecycle of advanced attacks
and prevent loss
Open Integrations Global Threat Intelligence
Ready for IBM Security
Intelligence Ecosystem
IBM Security Network
Protection XGS
Smarter Prevention Security Intelligence
IBM Emergency
Response Services
Continuous Response
IBM X-Force
Threat Intelligence
• Leverage threat intelligencefrom multiple expert sources
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications
• Discover and prioritize vulnerabilities
• Correlate enterprise-wide threats and detect suspicious behavior
• Retrace full attack activity, Search for breach indicators and guide defense hardening
• Assess impact and plan strategically and leverage experts to analyze data and contain threats
• Share security context across multiple products
• 100+ vendors, 400+ products
Trusteer Apex Endpoint
Malware Protection
IBM Security QRadar
Security Intelligence
IBM Security QRadar
Incident Forensics
IBM Guardium Data
Activity Monitoring
• Prevent remote network exploits and limit the use of risky web applications
IBM Endpoint Manager• Automate and manage continuous
security configuration policy compliance
© 2014 IBM Corporation
IBM Security
36
Trusteer Apex Advanced Malware Protection
Multi-layered protection against advanced malware and credentials theft
36
Threat and Risk ReportingVulnerability Mapping and Critical Event Reporting
Advanced Threat Analysis and Turnkey Service
CredentialProtection
Exploit Chain Disruption
Advanced Malware
Detection and Mitigation
Malicious Communication
Prevention
Lockdownfor Java
Global Threat Research and IntelligenceGlobal threat intelligence delivered in near-real time from the cloud
• Alert and prevent
phishing and
reuse on non-
corporate sites
• Prevent infections
via exploits
• Zero-day defense
by controlling
exploit-chain
choke point
• Mitigates mass-
distributed
advanced malware
infections
• Cloud based file
inspection for
legacy threats
• Block malware
communication
• Disrupt C&C
control
• Prevent data
exfiltration
• Prevent high-risk
actions by
malicious Java
applications
© 2014 IBM Corporation
IBM Security
37 37
No
. o
f T
yp
es
Attack Progression
Data exfiltrationExploit
Deliveryof weaponized
content
Exploitationof app vulnerability
Malwaredelivery
Malware persistency
Execution and malicious access
to content
Establish communication
channels
Dataexfiltration
Breaking the Threat LifeCycle
Pre-exploit
0011100101110100001011110001100011001101
Strategic Chokepoint
Strategic Chokepoint
Strategic Chokepoint
Advanced Malware
Prevention
Endpoint Vulnerability
Reporting
CredentialProtection
Destinations (C&C traffic detection)
Endless
Unpatchedand zero-day vulnerabilities
(patching)
ManyWeaponized
content(IPS, sandbox)
Endless
Maliciousfiles
(antivirus, whitelisting)
Endless
Many
Maliciousbehavioractivities
(HIPs)
Exploit Chain Disruption
Lockdown for Java
Malicious Communication
Blocking
© 2013 IBM Corporation
IBM Security Systems
38
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.