Transcript of Advanced High-tech Security: Clampi

Page 1

Advanced High-tech Security
http://www.cyanline.com

Clampi

Steven Branigan, President

steveb@cyanline.com

Author of…

Page 2

Copyright (c) 2009, CyanLine LLC. All rights reserved.

2

Who am I?

• Former…
  – Bell Labs Researcher, Bellcore Engineer, Cop

• Author of High Tech Crimes Revealed.
  – Observed that insiders are more dangerous than outsiders.

• My company, CyanLine, handles
  – Wireless security products.
  – Network auditing and consulting.
  – Devising new tools for technical investigations.

Page 3


The glossary for today

• 3G: The term used to describe the next generation of mobile network infrastructure that supports high-speed, high-bandwidth wireless services for advanced applications.
• 802.11: A family of wireless Local Area Network specifications also known as "Wi-Fi." The three main standards are 802.11a, 802.11b and 802.11g.
• 802.11a: 5 GHz; 5 times faster than 802.11b; fewer interference issues because of the 5 GHz spectrum; not backwards compatible; 54 Mbps max link rate; 8 radio channels.
• 802.11b: 2.4 GHz; transfers data at 11 Mbps up to 300 ft; shares spectrum with cordless phones and microwaves; 11 Mbps max link rate; 3 radio channels.
• 802.11g: 2.4 GHz; 5 times faster than 802.11b; more secure; backwards compatible with 802.11b; 54 Mbps max link rate; 3 radio channels.
• AMPS (Advanced Mobile Phone Service): The analog cellular air interface standard used in the United States and other countries.
• AES (Advanced Encryption Standard): Federal information-coding protocol that ensures privacy via 128-, 192-, and 256-bit keys. AES is part of the forthcoming 802.11i specification.
• AP (Access Point): A hardware device or a computer's software that acts as a communication hub for users of a wireless device to connect to a wired LAN.
• Bluetooth: A short-range wireless networking technology with a range of about 30 feet and a raw data transmission rate of 1 Mbps. It's designed primarily as a cable replacement.
• Bluetooth SIG (Special Interest Group): A trade association comprised of industry leaders and some volunteers who are promoting the development of Bluetooth-enabled products.
• Broadband: Using a wide-bandwidth channel for voice, data and/or video services.
• Backhaul: Getting data to a point from which it can be distributed over a network.
• CDMA (Code Division Multiple Access): A technology used to send digital transmissions between a mobile phone and a radio base station. It allows for multiple transmissions to be carried simultaneously on a single wireless channel.
• CDPD (Cellular Digital Packet Data): A technology that allows telecommunications companies to transfer data over existing cellular networks to users.
• Cell site: The location where the wireless antenna and network communications equipment is placed.
• DMZ (Demilitarized Zone): A small network inserted as a neutral area between a company's private network and the outside public network. It provides indirect access to internal resources.
• DHCP (Dynamic Host Configuration Protocol): A standard that enables individual computers on an IP network to retrieve their IP addresses and other settings from a server on demand.
• Decibel: A unit used to express relative difference in power or intensity, usually between two acoustic or electric signals, equal to ten times the common logarithm of the ratio of the two levels.
• EDGE (Enhanced Data for GSM Evolution): A faster technology for GSM and TDMA networks that may offer transfer rates up to 384 Kbps.
• Fresnel Zone: The area around the visual line-of-sight that radio waves spread out into after they leave the antenna. This area must be clear or else signal strength will weaken.
• Full-Duplex: The radio term applied to transmissions such as telephone calls or wireless data that allow talking and listening at the same time by using two frequencies to create one channel. Each frequency is used solely for either transmitting or receiving.
• GPRS (General Packet Radio Service): A 2.5G technology being implemented in GSM networks. It is an "always on" technology with data transfer speeds up to 114 Kbps.
• GSM (Global Systems for Mobile Communication): A digital cellular or PCS standard for how data is coded and transferred through the wireless spectrum. It is the 2G wireless standard throughout the world, except in the United States. GSM is an alternative to CDMA.
• GHz (Gigahertz): One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
• GPS (Global Positioning System): A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense.
• Hot Spots: Wireless access points that are found in public places such as airports, convention centers, hotels and coffee shops.
• Hz (Hertz): A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
• ISP (Internet Service Provider): Company which resells internet access.
• LAN (Local Area Network): A system that links together electronic office equipment, such as computers and word processors, and forms a network within an office or building.
• MMS (Multimedia Messaging Service): A method for transmitting graphics, video clips, sound files and short text messages over wireless networks using the WAP protocol.
• MHz (Megahertz): One million radio waves, or cycles, per second. Equal to one thousand kilohertz.
• MAC (Media-Access Control): A hard-coded or permanent address applied to hardware at the factory.
• NAT (Network Address Translation): A security technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address.
• Ping (Packet Information Groper): A protocol that sends a message to another computer and waits for acknowledgment, often used to check if another computer on a network is reachable.
• Point-to-Point: Method of transporting IP packets over a serial link between the user and the ISP.
• Point-to-Multipoint: A communications network that provides a path from one location to multiple locations (from one to many).
• RFID (Radio Frequency Identification): An analog-to-digital conversion technology that uses radio frequency waves to transfer data between a moveable item and a reader to identify, track or locate that item.
• SID (System Identification): A five-digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their service area.
• SSID (Service Set Identifier): A unique 32-character password that is assigned to every WLAN device and detected when one device sends data packets to another.
• TDMA (Time Division Multiple Access): A wireless technology that allows for digital transmission of radio signals between a mobile device and a fixed radio base station. It allows for increased bandwidth over digital cellular networks.
• TCP/IP (Transmission Control Protocol / Internet Protocol): Internet protocol suite developed by the US Department of Defense in the 1970s. TCP governs the exchange of sequential data. IP routes outgoing and recognizes incoming messages.
• VoIP (Voice over Internet Protocol): Any technology providing voice telephony services over IP, including CODECs, streaming protocols and session control.
• VHF (Very High Frequency): Referring to radio channels in the 30 to 300 MHz band.
• WAP (Wireless Application Protocol): A technology for wideband digital radio communications in Internet, multimedia, video and other capacity-demanding applications. It provides a data rate of 2 Mbps.
• WEP (Wired Equivalent Privacy): A feature used to encrypt and decrypt data signals transmitted between WLAN devices.
• Wi-Fi: Short for wireless fidelity; used generically when referring to any type of 802.11 network, including 802.11b, 802.11a, 802.11g.
• WAN (Wide Area Network): A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.
• WISP (Wireless Internet Service Provider): See ISP.
• Zulu Time: Synonymous with Greenwich Meridian Time, a time designation used in satellite systems.

Page 4

The start

• Bank called CFO to advise that $80K was about to be transferred via ACH to 9 clients.
  – Average transfer of just under $10k/person.
  – The transfers were created through the CFO's ids.
  – The transfers were approved by a second id.


Page 5

Indicators of potential fraud

• #1 – The IP address was not the usual IP address for the transactions.
  – However, it was geographically similar.
  – The IP address came back to a home system.

• #2 – The ACH transfers were intended for individuals.
  – All near, but not exceeding, the $10K SAR threshold.
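The two indicators above can be checked mechanically before a batch is released. The script below is an added example, not tooling from the talk: it runs both checks over a constructed ACH batch (documentation-range IP addresses, invented amounts that total $80K) and assumes that "just under" means within 15% below the threshold and that three or more such transfers are worth flagging.

```python
import ipaddress

# Constructed sample: an ACH batch shaped like the one in the talk, nine transfers to
# individuals totalling $80,000, all submitted from one unfamiliar address.
# Addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_BATCH = [
    {"id": f"ach-{i}", "amount": amt, "payee_type": "individual", "src_ip": "203.0.113.7"}
    for i, amt in enumerate([9200.0, 8700.0, 9100.0, 8800.0, 8900.0,
                             9000.0, 8600.0, 8850.0, 8850.0], start=1)
]
# Constructed baseline: addresses this account normally transacts from.
KNOWN_IPS = {"198.51.100.10", "198.51.100.11"}

THRESHOLD = 10_000.0   # the $10K reporting threshold the slide refers to
BAND = 0.15            # assumption: "just under" means within 15% below the threshold

def flag_batch(batch, known_ips, threshold=THRESHOLD, band=BAND, min_hits=3):
    """Return the indicator strings raised by an ACH batch (empty list if none)."""
    indicators = []
    # Indicator #1: source IP is not one the account usually transacts from.
    unknown = {t["src_ip"] for t in batch if t["src_ip"] not in known_ips}
    for ip in sorted(unknown):
        ipaddress.ip_address(ip)  # reject malformed input instead of silently passing it
        indicators.append(f"unusual source IP {ip}")
    # Indicator #2: several payments to individuals clustered just below the threshold.
    near = [t for t in batch
            if t["payee_type"] == "individual"
            and threshold * (1 - band) <= t["amount"] < threshold]
    if len(near) >= min_hits:
        total = sum(t["amount"] for t in near)
        indicators.append(f"{len(near)} transfers to individuals just under "
                          f"${threshold:,.0f} (total ${total:,.2f})")
    return indicators

if __name__ == "__main__":
    for line in flag_batch(SAMPLE_BATCH, KNOWN_IPS):
        print("FLAG:", line)
```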


Page 6

What happened?

• Were the IDs stolen or was this an inside job?

• Investigation started by imaging the CFO's and the assistant's systems.


Page 7

First Analysis showed

• Nothing suspicious in the IE history on either.

• Both systems had current AV software.


Page 8

Follow-up analysis

• Examined the Windows startup


Page 9

Suspicious

• Startup files in the Application Data directory?
  – Not normal.

• Ran this program through a different virus scanner, which reported "clampi".


Page 10

The gateslist


Page 11

The gateslist (explained)

• The gateslist is a hex-encoded list of URLs of the malware controller.

• Sample URLs:
  – 61.153.3.48/OcOLWIskOXxqvMHA
  – 64.18.143.52/MldLsmdK1Lsdn5Ka
  – 66.128.55.82/3kbLJ2Aghp5Tw4Vk
  – 66.199.237.139/IvhNAd2Vellpa8eQ
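Recovering the controller list from a hex-encoded value is the step that turns the registry finding into network indicators. The decoder below is an added example, not code from the talk or from the Symantec analysis; it assumes the decoded URLs are newline-separated (the slide only says the list is hex-encoded) and builds its sample blob from the four URLs quoted above.

```python
import binascii
import ipaddress

# Constructed sample: the four controller URLs quoted on this slide, newline-joined and
# hex-encoded the way decode_gateslist() expects. The separator is an assumption.
SAMPLE_URLS = [
    "61.153.3.48/OcOLWIskOXxqvMHA",
    "64.18.143.52/MldLsmdK1Lsdn5Ka",
    "66.128.55.82/3kbLJ2Aghp5Tw4Vk",
    "66.199.237.139/IvhNAd2Vellpa8eQ",
]
SAMPLE_GATESLIST_HEX = "\n".join(SAMPLE_URLS).encode("ascii").hex()

def decode_gateslist(hex_blob):
    """Hex-decode a gateslist value and return (host, path) tuples, skipping junk lines."""
    try:
        raw = binascii.unhexlify(hex_blob.strip())
    except (binascii.Error, ValueError) as exc:   # odd length or non-hex characters
        raise ValueError(f"not a hex-encoded gateslist: {exc}") from exc
    entries = []
    for line in raw.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if not line or "/" not in line:           # tolerate padding or trailing garbage
            continue
        host, _, path = line.partition("/")
        entries.append((host, "/" + path))
    return entries

def gateslist_to_iocs(hex_blob):
    """Turn a decoded gateslist into blocklist-ready records, noting whether each gate is a
    bare IP (the next slide explains the gates are compromised home systems) or a name."""
    iocs = []
    for host, path in decode_gateslist(hex_blob):
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        iocs.append({"host": host, "path": path, "kind": kind})
    return iocs

if __name__ == "__main__":
    for ioc in gateslist_to_iocs(SAMPLE_GATESLIST_HEX):
        print(f"{ioc['kind']:6} {ioc['host']}{ioc['path']}")
```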


Page 12

Using URLs?

• Using URLs makes clampi communications difficult to detect.

• The IP addresses are of compromised home systems.


Page 13

Modules

• The registry keys hold, with limited exception, the malware programs.
  – This confuses virus scanners, as the file being read is the registry, not a virus file.

• Most of the programs are encrypted.
  – Except PSEXEC, a program that copies the malware from one system to another.


Page 14

Summary

• Intercepts banking credentials.
• Communicates out via port 80.
• The software is not completely stored on disk as a file.
• The software has encrypted components, which have slowed analysis.
• The software has the ability to copy itself to other computers in the network.


Page 15

Recommendation

• Manual inspection of registry entries.
• Use dedicated computers for banking transactions.
• When surfing, use tools like DropMyRights or Sandboxie.
• If found on one system in the network:
  – Change passwords on banking credentials from safe systems at once.
  – Eradicate from network.
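Pages 9, 13 and 15 together describe what to look for when inspecting the registry by hand: startup entries launched from the Application Data directory, and values whose data is a whole (encrypted) program rather than a setting. The script below is an added example, not the talk's own tooling; it runs those two checks over a constructed .reg export, in which the key names, paths and blob are invented, and the 4096-byte threshold for "this value is really a program" is an assumption.

```python
import re

# Constructed .reg-style export, not from a real infection: one ordinary Run entry, one Run
# entry launching from Application Data (page 9), and one value whose data is a large binary
# blob, the pattern described on page 13. Key names, paths and contents are invented.
_BLOB = "hex:" + ",".join(["90"] * 6000)
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\cfo\\Application Data\\svchost.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Module0"={_BLOB}
"Flag"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Return (key, name, data) triples from a .reg export, joining wrapped hex: lines."""
    text = re.sub(r"\\\r?\n\s*", "", text)      # undo regedit's line wrapping of hex data
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            entries.append((key, m["name"], m["data"]))
    return entries

def suspicious_entries(text, blob_bytes=4096):
    """Flag Run entries started from Application Data and registry values holding big blobs."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower().endswith(r"\currentversion\run") and "application data" in data.lower():
            findings.append(f"startup entry '{name}' runs from Application Data: {data}")
        elif data.lower().startswith("hex"):
            # hex:, hex(2):, hex(7): ... count bytes (comma-separated), not characters
            size = len(data.split(":", 1)[1].split(","))
            if size >= blob_bytes:
                findings.append(f"{key}\\{name} holds a {size}-byte binary value")
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_REG):
        print("SUSPICIOUS:", finding)
```

A real export from regedit wraps long hex values across lines ending in a backslash; parse_reg() joins those before matching, so the byte count is correct on real input too.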


Page 16

More information

• Inside the Jaws of Clampi, by Nicolas Falliere with Patrick Fitzgerald and Eric Chien (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf)
