Advanced Persistent Threats CS461/ECE422 Spring 2012.
Advanced Persistent Threats
CS461/ECE422 Spring 2012
Traditional Malware
• Infect as many machines as possible
  – Non-discriminating
• Goal is the machine resources
  – Less so the information on the machine
• Use CPU resources
  – Sell DDoS abilities
  – Sell SPAM abilities
• Use machines for storage
  – Stash stolen or illicit information on the infected machine
• Use network resources
  – Launch attacks directly or indirectly through infected machines
• Even where information is the goal, the specific owner of the information is not important
  – Gather credit card numbers
  – Perform extra bank transactions
Advanced Persistent Threat (APT)
• Has been there all along; just has gotten more attention recently
• Attacker is concerned with the specific target
  – Discriminating, narrow, focused attack
  – E.g., attacker wants to find specific information from a specific organization
• May perform some more generic infection techniques, but the ultimate goal is very specific
Successful APT
• Lower volume
  – Unlikely to be part of a standard virus scanner/IDS signature base
  – Generally the ones that are discovered are not particularly interesting
• Evolving
  – Perhaps changing on each campaign
• Focused
  – Just being more secure than your neighbors may not be good enough
Tibet GhostNet
• http://en.wikipedia.org/wiki/GhostNet
• Discovered March 2009
• Infection initiated via targeted infected emails
  – Infected attachment installs a Trojan
  – Trojan contacts a control server and waits for commands
• One command installed Gh0st RAT, which allows complete control of a Windows system
Shady RAT
• RAT = Remote Access Trojan
• Report released by McAfee in August 2011
  – www.mcafee.com/us/resources/white.../wp-operation-shady-rat.pdf
  – Reviewed the logs of one CNC botnet starting from 2006
• The botnet infiltrated many government and commercial organizations
  – Claimed sophisticated attack and targeted information gathering
  – Concretely identified 71 infiltrated organizations
How is the target computer infected?
• Send emails to people at the target organization
  – Infected attachments, e.g. MS Word, Excel, PDF, PowerPoint
  – Victim opens the infected attachment. Results in extra code executing, which installs a Trojan
• Trojan attempts to contact some hard-coded sites
  – Generally HTML or JPEG, which don't arouse much attention from the firewall or other network defenses
  – Commands are encrypted in the comments of the HTML file or embedded in the JPEG using steganographic techniques
  – Example commands
    • Run:{URL/Filename} – Download and execute file
    • Sleep:{number} – Sleep for the specified time
• Info from Symantec review
  – http://www.symantec.com/connect/blogs/truth-behind-shady-rat
Using the machine once it's infected
• Using the {IP Address}:{port} command the Trojan connects to the remote server
  – Copies cmd.exe to svchost.exe and launches the new copy of the cmd shell to listen on the port
    • Lots of instances of svchost run on a Windows machine, so one more is not conspicuous
  – This gives the attacker almost complete freedom to launch their attack from the infected machine
• Does not use very sophisticated techniques
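The svchost.exe masquerade above is cheap to pull off but also cheap to spot: a genuine svchost.exe lives in System32, is started by services.exe, and does not sit on a listening socket. The following is an added example (not from the slides or from any vendor report) that applies those three checks to a constructed process listing; the Proc records, paths and port number are made up for illustration, and treating only System32 as legitimate is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a Windows process listing (not real data):
# name, image path, parent process name, and any listening ports.
@dataclass
class Proc:
    pid: int
    name: str
    image: str
    parent: str
    listen_ports: tuple = ()

# Assumption for this example: only the System32 copy counts as legitimate.
LEGIT_SVCHOST = re.compile(r"^c:\\windows\\system32\\svchost\.exe$", re.I)

def svchost_findings(procs):
    """Return (pid, reason) pairs for svchost.exe instances that look like a
    renamed cmd.exe: wrong image path, wrong parent, or a listening socket."""
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if not LEGIT_SVCHOST.match(p.image):
            reasons.append("image outside System32")
        if p.parent.lower() != "services.exe":
            reasons.append(f"parent is {p.parent}, not services.exe")
        if p.listen_ports:
            reasons.append(f"listening on {sorted(p.listen_ports)}")
        findings.extend((p.pid, r) for r in reasons)
    return findings

# Constructed sample: two normal service hosts, one renamed cmd.exe dropped
# from a document viewer, and one unrelated process.
SAMPLE = [
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(2044, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
         "winword.exe", (1234,)),
    Proc(3100, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
]

if __name__ == "__main__":
    for pid, reason in svchost_findings(SAMPLE):
        print(f"pid {pid}: {reason}")
```

On a live host the same checks map onto the process image path, parent PID and netstat/listening-socket data that EDR or Sysmon already collects.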
Stuxnet
• Came to public attention June 2010 but in hindsight appeared in November 2008
  – Symantec analysis
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• Truly more sophisticated
  – Replicates via removable drives (jumping the air gap)
  – Also leverages SMB and printer spooling vulnerabilities, plus much more
  – Sophisticated binary hiding and execution
• Targets a specific industrial control system (a Siemens PLC). Ultimately rootkits that PLC.
  – Supposedly the code altered the behavior of centrifuges in a subtle way: enough to alter the results of the centrifuging, but not enough that the operator would notice right away
W32.Duqu
• Probable evolution of the Stuxnet code base
• Reports released around October 2011
  – Symantec report http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
• Still figuring out the original infection vectors
  – One appears to be a zero-day issue in MS Word documents
    http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
• Infected execution starts through a registered device driver
  – Device driver loaded on system boot
  – Device driver is signed with a legitimately issued certificate, so it does not raise attention
  – The driver injects a main DLL into services.exe
  – The main DLL is encrypted on disk; the key is stored in the registry
Duqu loading
• Performs basic anti-debugging checks
  – Are debugging types of processes running?
  – Uninstalls itself if it has been running for 36 days
• The next phase is loaded from an encrypted resource in the main DLL
  – The resource is decrypted into memory
  – The new DLL is injected into a standard process such as explorer.exe
• The newly injected code is a payload loader
  – It gets information from CNC
  – It uses rootkit techniques to execute the payload bytes (load library) without ever writing the bytes to disk
• Ultimately, it appears that the malware installs infostealing software
  – Appears to exchange data via information embedded in JPEG files