Advanced Persistent Threats CS461/ECE422 Spring 2012

Page 1

Advanced Persistent Threats

CS461/ECE422, Spring 2012

Page 2

Traditional Malware

• Infect as many machines as possible
  – Non-discriminating
• Goal is the machine's resources
  – Less so the information on the machine
• Use CPU resources
  – Sell DDoS abilities
  – Sell SPAM abilities
• Use machines for storage
  – Stash stolen or illicit information on the infected machine
• Use network resources
  – Launch attacks from, or route them through, infected machines
• Even where information is the goal, the specific owner of the information is not important
  – Gather credit card numbers
  – Perform extra bank transactions

Page 3

Advanced Persistent Threat (APT)

• Has been there all along. Just has gotten more attention recently
• Attacker is concerned with the specific target
  – Discriminating, narrow, focused attack
  – E.g., attacker wants to find specific information from a specific organization
• May perform some more generic infection techniques, but the ultimate goal is very specific

Page 4

Successful APT

• Lower volume
  – Unlikely to be part of the standard virus scanner/IDS signature base
  – Generally the ones that are discovered are not particularly interesting
• Evolving
  – Perhaps changing on each campaign
• Focused
  – Just being more secure than your neighbors may not be good enough

Page 5

Tibet GhostNet

• http://en.wikipedia.org/wiki/GhostNet
• Discovered March 2009
• Infection initiated via targeted infected emails
  – Infected attachment installs Trojan
  – Trojan contacts control server and waits for commands
• One command installed Gh0st RAT, which allows complete control of a Windows system

Page 6

Shady RAT

• RAT = Remote Access Trojan
• Report released by McAfee in August 2011
  – www.mcafee.com/us/resources/white.../wp-operation-shady-rat.pdf
  – Reviewed the logs of one CNC botnet starting from 2006
• The botnet infiltrated many government and commercial organizations
  – Claimed sophisticated attack and targeted information gathering
  – Concretely identified 71 infiltrated organizations

Page 7

How is the target computer infected?

• Send emails to people at the target organization
  – Infected attachments, e.g. MS Word, Excel, PDF, PowerPoint
  – Victim opens the infected attachment. Results in extra code executing, which installs a Trojan
• Trojan attempts to contact some hard-coded sites
  – Generally HTML or JPEG, which don't arouse much attention from the firewall or other network defenses
  – Commands are encrypted in the comments of the HTML file or embedded in the JPEG using steganographic techniques
  – Example commands
    • Run: {URL/Filename} – Download and execute file
    • Sleep: {number} – Sleep for the specified time
• Info from Symantec review
  – http://www.symantec.com/connect/blogs/truth-behind-shady-rat
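The slide above describes a command channel hidden in the comments of otherwise ordinary HTML pages. As an added example (not from the slides and not from any published Shady RAT analysis), the following Python script pulls every comment out of a fetched HTML document and flags the ones that look like encoded blobs rather than developer notes. The sample page and the base64 "blob" in it are constructed for the demonstration, and the length and entropy thresholds are arbitrary starting points a defender would tune against their own traffic.

```python
"""Flag HTML comments that look like encoded payloads rather than developer
notes. Added example with constructed input; not code from the slides."""
import base64
import math
import re
from html.parser import HTMLParser


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def shannon_entropy(s: str) -> float:
    """Bits per character; English prose sits around 4, base64 near 6."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# One unbroken run of base64-alphabet characters, at least 32 long.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")


def is_suspicious(comment: str, min_len: int = 32, min_entropy: float = 4.5) -> bool:
    """Heuristic: long, space-free, base64-looking or high-entropy comments are
    flagged; short or wordy comments are treated as ordinary developer notes.
    Thresholds are arbitrary starting points, not measured from real traffic."""
    compact = "".join(comment.split())
    if len(compact) < min_len:
        return False
    if ENCODED_RE.match(compact):
        return True
    # Few "words" but many distinct symbols: not something a human typed.
    return len(comment.split()) <= 2 and shannon_entropy(compact) >= min_entropy


def scan_html(html: str) -> list:
    """Return the comments in `html` that is_suspicious() flags."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if is_suspicious(c)]


# Constructed stand-in for an encrypted command blob: base64 of a harmless
# sentence, so the shape matches but there is nothing to decrypt.
FAKE_BLOB = base64.b64encode(b"constructed placeholder, not real C2 traffic!!").decode()

# Constructed page: two ordinary developer comments and one hidden blob.
SAMPLE_HTML = f"""<html><head><title>Welcome</title></head>
<body>
<!-- main navigation starts here -->
<p>Our products</p>
<!-- Copyright 2012 Example Corp. All rights reserved. Do not copy. -->
<!-- {FAKE_BLOB} -->
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print("suspicious comment:", hit[:40], "...")
```

Running the script over the sample prints only the constructed blob; the two human-written comments fall under the length threshold or contain too many words to be mistaken for an encoded string. In a proxy or IDS this check is cheap enough to run on every HTML response, with hits correlated against which internal hosts fetched the page.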

Page 8

Using the machine once it's infected

• Using the {IP Address}:{port} command, the Trojan connects to the remote server
  – Copies cmd.exe to svchost.exe and launches the new copy of the cmd shell to listen on the port
• Lots of instances of svchost run on a Windows machine
  – This gives the attacker almost complete freedom to launch their attack from the infected machine
• Does not use very sophisticated techniques
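The slide above notes that the Trojan hides as svchost.exe because many genuine copies run on any Windows host. As an added example (not from the slides), the following Python check runs over a constructed process snapshot and reports any svchost.exe whose image path, parent process or file hash does not match what the real service host always has. The field names, hash strings, user name and port numbers are made up for the demonstration.

```python
"""Flag svchost.exe processes that do not look like the real service host.
Added example with a constructed process snapshot; not code from the slides."""
from dataclasses import dataclass, field
from typing import List, Tuple

SYSTEM32 = r"c:\windows\system32"
EXPECTED_PARENT = "services.exe"


@dataclass
class Proc:
    """One row of a process snapshot (constructed fields, not real telemetry)."""
    pid: int
    name: str
    path: str       # image path on disk
    parent: str     # parent process image name
    sha256: str     # hash of the image file
    listening: List[int] = field(default_factory=list)  # TCP ports it listens on


def svchost_findings(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every svchost.exe that violates what the real
    one always satisfies: image in System32, parent services.exe, and an image
    hash different from cmd.exe. Listening ports are reported as context only,
    because genuine service hosts listen too."""
    by_name = {}
    for p in procs:
        by_name.setdefault(p.name.lower(), []).append(p)
    cmd_hashes = {p.sha256 for p in by_name.get("cmd.exe", [])}

    findings = []
    for p in by_name.get("svchost.exe", []):
        reasons = []
        directory = p.path.lower().rsplit("\\", 1)[0]
        if directory != SYSTEM32:
            reasons.append(f"image outside System32: {p.path}")
        if p.parent.lower() != EXPECTED_PARENT:
            reasons.append(f"unexpected parent {p.parent}")
        if p.sha256 in cmd_hashes:
            reasons.append("image hash matches cmd.exe on this host")
        if reasons and p.listening:
            reasons.append(f"listening on ports {p.listening}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed snapshot: one genuine svchost, one renamed cmd.exe posing as it.
SNAPSHOT = [
    Proc(720, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe", "hash-services"),
    Proc(904, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "hash-svchost", [135]),
    Proc(1520, "cmd.exe", r"C:\Windows\System32\cmd.exe", "explorer.exe", "hash-cmd"),
    Proc(2216, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "update.exe", "hash-cmd", [8443]),
]

if __name__ == "__main__":
    for pid, reasons in svchost_findings(SNAPSHOT):
        print(f"pid {pid}:")
        for r in reasons:
            print("  -", r)
```

The hash comparison is the point the slide makes concrete: a copy of cmd.exe renamed to svchost.exe keeps cmd.exe's file hash, so comparing image hashes across process names catches the masquerade even when the path and parent happen to look plausible.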

Page 9

Stuxnet

• Came to public attention June 2010 but in hindsight appeared in November 2008
  – Symantec analysis: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• Truly more sophisticated
  – Replicates via removable drives (jumping the air gap)
  – Also leverages SMB and printer spooling vulnerabilities plus much more
  – Sophisticated binary hiding and execution
• Targeting a specific industrial control system (a Siemens PLC). Ultimately rootkits that PLC.
  – Supposedly the code altered behavior of centrifuges in a subtle way. Enough to alter the results of the centrifuging, but not enough so the operator would notice right away.

Page 10

W32.Duqu

• Probable evolution of the Stuxnet code base
• Reports released around October 2011
  – Symantec report: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
• Still figuring out the original infection vectors
  – One appears to be a zero-day issue in MS Word documents: http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
• Infected execution starts through a registered device driver
  – Device driver loaded on system boot
  – Device driver is signed with a legitimate certificate, so it does not raise attention
  – The driver injects a main DLL into services.exe
  – The main DLL is encrypted on disk. The key is stored in the registry

Page 11

Duqu loading

• Performs basic anti-debugging checks
  – Are debugging types of processes running?
  – Uninstall if it has been running for 36 days
• The next phase is loaded from an encrypted resource in the main DLL
  – The resource is decrypted into memory
  – The new DLL is injected into a standard process such as explorer.exe
• The newly injected code is a payload loader
  – It gets information from CNC
  – It uses rootkit techniques to execute the payload bytes (load library) without ever writing the bytes to disk
• Ultimately, it appears that the malware installs infostealing software
  – Appears to exchange data via information embedded in JPEG files
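Both the Shady RAT slides (commands embedded in JPEGs) and the Duqu slide above (data exchanged inside JPEG files) point at the same defensive question: where in a JPEG can foreign data ride along without breaking the image? As an added example (not from the slides or from either vendor's analysis), the following Python script walks a JPEG's marker segments and reports two cheap indicators: comment (COM) segments that are binary or unusually long, and bytes appended after the end-of-image marker, which every viewer silently ignores. The sample files are constructed skeletons with fake scan data, and the 256-byte comment threshold is an arbitrary choice. True steganography in the pixel data itself is not detected by this check, which is why a detection pipeline pairs it with baselining of which hosts fetch images from which sites.

```python
"""Inspect a JPEG for the places out-of-band data can hide: COM segments and
bytes appended after the EOI marker. Added example with constructed sample
bytes; not code from the slides or from any malware analysis."""
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0


def parse_jpeg(data: bytes):
    """Walk the marker segments up to SOS, then locate EOI.

    Returns (segments, trailing): segments is a list of (marker, payload) for
    everything before the scan data, trailing is whatever follows EOI.
    Stuffed 0xFF00 bytes and RSTn markers inside the scan never equal 0xFFD9,
    so the first 0xFFD9 after the scan starts is the end of image."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        if marker == SOS:
            i = pos + 2 + length
            while i + 1 < len(data):
                if data[i] == 0xFF and data[i + 1] == EOI:
                    return segments, data[i + 2:]
                i += 1
            raise ValueError("no EOI marker found")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated before SOS")


def is_text(payload: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in payload)


def inspect(data: bytes, max_comment: int = 256) -> dict:
    """Summarise comment segments and trailing data; mark the file suspicious
    when a comment is binary or longer than max_comment (arbitrary threshold)
    or when any bytes follow EOI. Encoders write short text comments (if any)
    and nothing after EOI."""
    segments, trailing = parse_jpeg(data)
    report = {"comments": [], "trailing_bytes": len(trailing), "suspicious": False}
    for marker, payload in segments:
        if marker == COM:
            text = is_text(payload)
            report["comments"].append((len(payload), text))
            if not text or len(payload) > max_comment:
                report["suspicious"] = True
    if trailing:
        report["suspicious"] = True
    return report


def build_sample(comment: bytes, trailing: bytes) -> bytes:
    """Constructed minimal JPEG skeleton: SOI, APP0, COM, SOS with a few fake
    scan bytes (including a stuffed FF00), EOI, then `trailing`. Not a real
    decodable image; just enough structure to exercise the parser."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    jfif = seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
    return bytes([0xFF, SOI]) + jfif + seg(COM, comment) + sos + bytes([0xFF, EOI]) + trailing


CLEAN = build_sample(b"CREATOR: gd-jpeg v1.0", b"")
# Constructed: a binary 300-byte comment plus data glued on after EOI.
TAMPERED = build_sample(b"\x8b\x00\x13" * 100, b"constructed appended payload")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, inspect(blob))
```

The parser deliberately stops interpreting structure at SOS and only searches for EOI from there, so it tolerates progressive files and never needs to decode pixel data; that keeps it safe to run on untrusted images inline at a proxy.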