Análisis de ataques APT (Analysis of APT attacks)
Understanding targeted attacks
Saturday, February 4, 2012
Who am I?
• Jaime Blasco
• Alienvault Labs Manager
What are we talking about?
• A group of sophisticated, coordinated attackers with political, financial or military motivation.
• The intruder may exploit publicly known vulnerabilities, but these attackers are also highly skilled and well funded, and can research and exploit new vulnerabilities themselves.
• The attacker wants to accomplish a mission that can take place over months.
Agenda
• cat /dev/urandom
Example: Kalachakra
• Camp information at Bodhgaya.doc
• CVE-2010-3333
Spear Phishing
Shellcode
Staged XOR Loader
Shellcode
• Resolves imports by hashes
• Hashes are generated with a rotate-right loop (ror ebx, 7), so the API names never appear in the shellcode
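An added example (not from the slides) of the analyst side of this technique: since the shellcode only carries hash constants, the usual way to read it is to hash every export name of the DLLs it loads with the same routine and look the constants up. The deck only says "ror ebx 7", so the seed (0), the mixing step (xor) and the casing are assumptions and are left as parameters so the xor and add variants can both be tried.

```python
# Added example, not from the slides: build a hash -> name table so that the
# ROR-based API hashes seen in a disassembly can be resolved to names.
# Assumption: h = ror32(h, 7) ^ byte over the ASCII export name, seeded with 0.
# The deck only states "ror ebx 7"; the combine step, seed and casing are
# assumptions, so they are parameters here.

from typing import Callable, Dict, Iterable

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rot: int = 7, seed: int = 0,
             combine: Callable[[int, int], int] = lambda h, c: h ^ c) -> int:
    """Hash an export name the way a rotate-based resolver does: rotate the
    running value, then mix in the next byte of the name."""
    h = seed
    for byte in name.encode("ascii"):
        h = combine(ror32(h, rot), byte) & MASK32
    return h


def build_table(names: Iterable[str], **kwargs) -> Dict[int, str]:
    """Map hash -> name for every export in `names` (normally a DLL export list)."""
    return {api_hash(n, **kwargs): n for n in names}


def resolve(hash_value: int, table: Dict[int, str]) -> str:
    """Look a constant from the shellcode up in the table."""
    return table.get(hash_value & MASK32, "<unknown>")


# Constructed sample export list; a real run would take the export table of
# kernel32.dll (and the other DLLs the loader resolves) as input.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WinExec"]

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    for h, n in sorted(table.items()):
        print(f"{h:#010x}  {n}")
    # Try the additive variant as well when the xor table gives no hits:
    add_table = build_table(SAMPLE_EXPORTS, combine=lambda h, c: h + c)
    print(len(add_table), "entries in the add-variant table")
```

If a constant from the sample does not resolve, the first things to vary are the rotate count, the xor/add step and whether the name was hashed with a trailing NUL; each is a one-argument change here.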
Dropped EXE
• Language of the compilation system: Chinese
• Dropped files:
  • C:\Documents and Settings\Administrator\7240672406.dat
  • C:\Documents and Settings\Administrator\temp.dat
• Marks its presence on the system:
7240672406.dat
Injection
Obfuscation
Injected Code
• User Mode Process Dumper
• WinDbg to the rescue:
C&C Traffic
GET / HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
Connection: Keep-Alive
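An added example (not from the slides) of turning this beacon into detection logic: a real Host header carries only host[:port], so a Host value holding a path and query string is a strong signal, and so is a User-Agent claiming two MSIE versions at once. The sample request below is reconstructed from the slide; the rule names and the benign comparison request are my own.

```python
# Added example, not from the slides: score a raw HTTP request for the traits
# visible in the C&C beacon on the slide. The sample request is reconstructed
# from the deck; the rule names and the benign request are constructed here.

import re
from typing import Dict, List, Tuple

# Constructed from the request shown on the slide.
SAMPLE_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)\r\n"
    "Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Connection: close\r\n\r\n"
)

# A well-formed Host header: hostname with an optional port, nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Return (method, target, version, headers); header names are lower-cased
    and repeated headers are joined with a comma."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else f"{headers[name]}, {value}"
    return method, target, version, headers


def beacon_anomalies(raw: str) -> List[str]:
    """Names of the rules that fire for one request (empty list = nothing odd)."""
    _method, target, _version, headers = parse_request(raw)
    findings: List[str] = []
    host = headers.get("host", "")
    if not HOST_RE.match(host):
        findings.append("host-header-not-a-hostname")
    # The real request target is "/" while the "path" was pushed into Host.
    if ("/" in host or "?" in host) and target == "/":
        findings.append("path-hidden-in-host-header")
    if len(re.findall(r"MSIE \d", headers.get("user-agent", ""))) > 1:
        findings.append("user-agent-multiple-msie-versions")
    return findings


if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, beacon_anomalies(req))
```

The same checks translate directly to proxy-log fields (host, request URI, user agent), which is where they are usually run at scale; the point of the Host rule is that it does not depend on the specific update.microsoft.com string and keeps firing when the operators change the lure domain.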
kalachakra32.doc
Dropped EXE
• Created Files:
AhnLab-V3, DrWeb, Jiangmin
Embedded Resource
Debug Info
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConfigDataSize = [40]
.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!
.\install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!
.\install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]
.\install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!
.\install.cpp-InstallSrvPlugin-295: StartServiceEx!
.\SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]
.\SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread
.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
.\SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]
Create Service
"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START","lpBinaryPathName->C:\WINDOWS\system32\rundll32.exe "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll",ServiceEntry"
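An added example (not from the slides) that parses the sandbox API-call record above and scores the service creation. The field layout ("timestamp","pid","process","api","result","return address", then "param->value" fields) is inferred from that single line, and the three hunting rules (random-looking hex service name, rundll32-hosted service, service DLL outside the system directories) are my own.

```python
# Added example, not from the slides: parse the sandbox API log line shown on
# the slide and flag the CreateServiceA call. Field layout is inferred from
# that one line; the scoring rules are my own hunting heuristics.

import re
from typing import Dict, List

# Reconstructed from the slide (the embedded quotes are part of the record).
SAMPLE_LOG = (
    '"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe",'
    '"CreateServiceA","FAILURE","0x00466f40","lpServiceName->5a1bcffe",'
    '"dwServiceType->0x00000110","dwStartType->SERVICE_AUTO_START",'
    '"lpBinaryPathName->C:\\WINDOWS\\system32\\rundll32.exe '
    '"C:\\Archivos de programa\\Archivos comunes\\Microsoft Shared\\Triedit\\5a1bcffe.dll",ServiceEntry"'
)

# rundll32.exe <dll>,<export>; the DLL path may be quoted and contain spaces.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_api_log_line(line: str) -> Dict[str, object]:
    """Split one record on the '","' field boundaries (the csv module trips over
    the unescaped quotes inside the last field) and unpack name->value params."""
    line = line.strip()
    if not (line.startswith('"') and line.endswith('"')):
        raise ValueError("unexpected log line framing")
    fields = line[1:-1].split('","')
    if len(fields) < 6:
        raise ValueError("too few fields")
    ts, pid, process, api, result, ret = fields[:6]
    params: Dict[str, str] = {}
    for field in fields[6:]:
        name, sep, value = field.partition("->")
        if sep:
            params[name] = value
    return {"timestamp": ts, "pid": int(pid), "process": process, "api": api,
            "result": result, "return_address": ret, "params": params}


def service_findings(event: Dict[str, object]) -> List[str]:
    """Rule names that fire for a CreateService* event (empty = nothing odd)."""
    findings: List[str] = []
    if event["api"] not in ("CreateServiceA", "CreateServiceW"):
        return findings
    params = event["params"]
    name = str(params.get("lpServiceName", ""))
    if re.fullmatch(r"[0-9a-f]{8}", name):
        findings.append("service-name-looks-random-hex")
    match = RUNDLL_RE.search(str(params.get("lpBinaryPathName", "")))
    if match:
        findings.append("rundll32-hosted-service")
        if not match.group("dll").lower().startswith(TRUSTED_DIRS):
            findings.append("service-dll-outside-system-dirs")
    return findings


if __name__ == "__main__":
    event = parse_api_log_line(SAMPLE_LOG)
    print(event["api"], event["result"], event["params"]["lpServiceName"])
    print(service_findings(event))
```

Note that the record's result field is FAILURE: the call was attempted and refused, which is exactly the case the next slide explains, so a detection built on this log should fire on the attempt rather than only on a successfully created service.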
AV Aware
• Check for kisknl.sys (Kingsoft Antivirus)
• Look for KSafeTray.exe and disable it: OpenThread -> SuspendThread
• Check for TmComm.sys (TrendMicro)
• Check for HookPort.sys (QQ 360)
• Depending on the AV present, use the native API to install the service or the following method:
  • FindWindowA("CabinetWClass", WindowName);
  • FindWindowExA(v15, 0, "WorkerW", 0);
  • SendMessageA, RegOpenKeyExA, SYSTEM\\CurrentControlSet\\Services\\
WTF!
Real World
Sykipot
Exploits
Samples
Features
C&C Servers
Certificate Access
Smartcard Access
OpenIOC
• Indicators Of Compromise
• XML format to describe:
• File Attributes
• Registry entries
• Process attributes
• Network Attributes
• ...
• http://openioc.org/
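An added example (not from the slides and not the openioc.org tooling) that writes the indicators collected earlier in the deck (the dropped .dat file, the service name and DLL, the C&C address from the debug strings) as an OpenIOC document and evaluates it against a constructed host snapshot. The element names (ioc, definition, Indicator, IndicatorItem, Context, Content) follow the OpenIOC 1.0 schema as I know it, and the search terms FileItem/FileName, ServiceItem/name and PortItem/remoteIP are assumptions; the matcher supports only the "is" and "contains" conditions with OR/AND operators.

```python
# Added example, not from the slides: emit OpenIOC 1.0-style XML for the
# indicators in this deck and evaluate it against a host snapshot.
# Assumptions: element names per OpenIOC 1.0 as I know it; the search terms
# (FileItem/FileName, ServiceItem/name, PortItem/remoteIP) and the snapshot
# format (search term -> list of observed values) are mine.

import uuid
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = "http://schemas.mandiant.com/2010/ioc"


def q(tag: str) -> str:
    """Namespace-qualify an element name."""
    return f"{{{NS}}}{tag}"


def build_ioc(short_desc: str, items: List[Dict[str, str]], operator: str = "OR") -> ET.Element:
    """Build an <ioc> with one top-level Indicator holding one IndicatorItem per entry."""
    ET.register_namespace("", NS)
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": "2012-02-04T00:00:00"})
    ET.SubElement(ioc, q("short_description")).text = short_desc
    ET.SubElement(ioc, q("authored_date")).text = "2012-02-04T00:00:00"
    top = ET.SubElement(ET.SubElement(ioc, q("definition")), q("Indicator"),
                        {"operator": operator, "id": str(uuid.uuid4())})
    for it in items:
        item = ET.SubElement(top, q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": it.get("condition", "is")})
        ET.SubElement(item, q("Context"), {"document": it["search"].split("/")[0],
                                           "search": it["search"], "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": "string"}).text = it["content"]
    return ioc


def evaluate(node: ET.Element, host: Dict[str, List[str]]) -> bool:
    """Recursively evaluate an Indicator/IndicatorItem tree against the snapshot."""
    tag = node.tag.split("}")[-1]
    if tag == "IndicatorItem":
        ctx, content = node.find(q("Context")), node.find(q("Content"))
        observed = host.get(ctx.get("search"), [])
        want, cond = content.text or "", node.get("condition")
        if cond == "is":
            return any(v == want for v in observed)
        if cond == "contains":
            return any(want in v for v in observed)
        raise ValueError(f"unsupported condition {cond}")
    if tag == "Indicator":
        results = [evaluate(child, host) for child in node]
        return any(results) if node.get("operator", "OR").upper() == "OR" else all(results)
    raise ValueError(f"unexpected element {tag}")


def ioc_matches(ioc: ET.Element, host: Dict[str, List[str]]) -> bool:
    return evaluate(ioc.find(f"{q('definition')}/{q('Indicator')}"), host)


# Indicators taken from earlier slides in this deck.
KALACHAKRA_ITEMS = [
    {"search": "FileItem/FileName", "content": "7240672406.dat"},
    {"search": "FileItem/FileName", "content": "5a1bcffe.dll"},
    {"search": "ServiceItem/name", "content": "5a1bcffe"},
    {"search": "PortItem/remoteIP", "content": "218.106.193.184"},
]

# Constructed host snapshots: what a collector would report per search term.
HOST_CLEAN = {"FileItem/FileName": ["notepad.exe"], "ServiceItem/name": ["Spooler"],
              "PortItem/remoteIP": ["93.184.216.34"]}
HOST_INFECTED = {"FileItem/FileName": ["notepad.exe", "7240672406.dat"],
                 "ServiceItem/name": ["Spooler", "5a1bcffe"], "PortItem/remoteIP": ["218.106.193.184"]}

if __name__ == "__main__":
    ioc = build_ioc("Kalachakra dropper and service", KALACHAKRA_ITEMS)
    print(ET.tostring(ioc, encoding="unicode"))
    print("clean:", ioc_matches(ioc, HOST_CLEAN), "infected:", ioc_matches(ioc, HOST_INFECTED))
```

The OR operator is the right default for a triage IOC (any one artefact is worth a look); switching the top-level Indicator to AND turns the same items into a high-confidence "this exact implant" rule.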
Example
Thank you
• Follow me on Twitter: jaimeblascob