TS/NOFORN
-
Upload
pinkflawd -
Category
Engineering
-
view
755 -
download
4
description
Transcript of TS/NOFORN
![Page 2: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/2.jpg)
Welcome to the keynote circuit – I thought that‘s where old people like me go to die? ;)
- Halvar Flake, Oct.14 2014
![Page 3: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/3.jpg)
www.desktopextreme.com
![Page 4: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/4.jpg)
http://www.mirror.co.uk/
OFFENDERS
![Page 5: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/5.jpg)
http://www.moviepilot.com
DEFENDERS
![Page 6: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/6.jpg)
http://www.screenrant.com/
SOPHISTICATED
WEAPONRY
![Page 7: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/7.jpg)
http://www.fanpop.com/
SOPHISTICATED
WEAPONRY
WITH
SUPERPOWERS
![Page 8: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/8.jpg)
http://tasteofawesome.com
![Page 9: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/9.jpg)
• YOU DON‘T SEE YOUR ADVERSARY
• YOU DON‘T KNOW WHOSE DEATH STAR IT IS THERE ON YOUR MACHINE
• YOU PROBABLY WON‘T EVEN FIND THE DEATH STAR ON YOUR MACHINE
http://glee.wikia.com
![Page 10: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/10.jpg)
• INTELLECTUAL PROPERTY BEING STOLEN
• POLITICAL OPPONENTS PUT TO JAIL
• INTERNET COMMUNICATION BEING BLOCKED
• VENDOR FINDING A NEW EXPLOIT
• SAME TIME, HACKER WRITES 5 MORE
• CONTROL OF MEDIA
• ENTERPRISES LOOSING CUSTOMER DATA
• NATION STATES SPYING ON THEIR CITIZENS
• NATION STATES BEING HACKED
• LITTLE PAUL LOOSING HIS HOMEWORK
![Page 11: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/11.jpg)
FAIRYTALEhttp://www.playbuzz.com/
![Page 12: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/12.jpg)
SUSPECT #1
• FILESIZE:192512
• COMPILETIME: 2010:05:06
• C&C: CALLIENTEFEVER.INFO
• HTTP ACCEPT-LANGUAGE: FR
![Page 13: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/13.jpg)
SUSPECT #1
• DYNAMIC API LOADING
BY NAME HASH
![Page 14: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/14.jpg)
PING
EXEC
HTTPF
ASPFLOOD
TCPFLOOD
WEBFLOOD
POSTFLOOD
ATCLEAR
STATISTICS
KILL
SET
UPLOAD
UPDATE
PLUGIN
SUSPECT #1F
LO
OD
IN
G A
LL
TH
E T
HIN
GS
![Page 15: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/15.jpg)
SUSPECT #1
![Page 16: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/16.jpg)
OMG!!
![Page 17: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/17.jpg)
SUSPECTS #[2-4]
• FILESIZE: 184320
• CODESIZE: 139264
• COMPILETIME: 2010:02:16 18:05:54+01:00
• FILESIZE: 184320
• CODESIZE: 139264
• COMPILETIME: 2010:03:11 17:55:03+01:00
• FILESIZE: 792064
• CODESIZE: 583680
• COMPILETIME: 2011:10:2520:28:39+01:00
![Page 18: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/18.jpg)
SUSPECT #4
• FILESIZE: 792064
• COMPILETIME: 2011:10:25 20:28:39+01:00
• API NAME HASHING KEY AB34CD77H
• HTTP://1.9.32.11/BUNNY/TEST.PHP?REC=NVISTA
ANTI-ANALYSIS | THREADS & FILES | CPU DATA | C&C COMMANDS | LUA
![Page 19: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/19.jpg)
Not funny.
![Page 20: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/20.jpg)
AV PRODUCT ENUMERATION
FIREWALL PRODUCT ENUMERATION
SANDBOX CHECK "KLAVME", "MYAPP", "TESTAPP",
"AFYJEVMV.EXE“, TIMING CONDITION
SUSPECT #4
SELECT * FROM ANTIVIRUSPRODUCT
SELECT * FROM FIREWALLPRODUCT
![Page 21: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/21.jpg)
SUSPECT #4
Big Boss
Worker2
Worker1
Worker0
Worker3
MainThread
PerfMon
CommandParsing
ScriptExecution
Manage
Worker
Threads
FileMan/Inet
![Page 22: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/22.jpg)
• CONFIG STORED IN HKLM\SOFTWARE\MICROSOFT\IPSEC
• HTTP://LE-PROGRES.NET/IMAGES/PHP/TEST.PHP?REC=11206-01
• HTTP://GHATREH.COM/SKINS/PHP/TEST.PHP?REC=11206-01
• HTTP://WWW.USTHB-DZ.ORG/INCLUDES/PHP/TEST.PHP?REC=11206-01
SUSPECT #4
![Page 23: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/23.jpg)
LUA Thread
Cmd
Parsing
Execute
Command
Start
LUA Thread
SUSPECT #4
Advanced
Command
and Script
Parsing
![Page 24: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/24.jpg)
SUSPECT #4
Advanced
Command
and Script
Parsing
4 WORKER THREADS
EXECUTING LUA SCRIPTS
LUA 5.1 + C/INVOKE CODE
CALLBACK FROM LUA TO C++
![Page 25: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/25.jpg)
SUSPECT #4
GETCONFIG
FTPPUT
FTPGET
SENDFILE
GETFILE
UNINSTALL
RESTARTHEARER
RESTART
CLEANHEARER
CRONTASKA
CRONTASKR
CRONTASKL
MAXPOSTDATA
SETURL
STOP
SETCPULIMIT
TIMEOUT
WAITFOR
UPDATEDIETIME
![Page 26: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/26.jpg)
Vulnerability Summary
for CVE-2011-4369
Original release date: 12/16/2011
Last revised: 01/29/2013
Source: US-CERT/NIST
http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/
![Page 27: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/27.jpg)
SUSPECT #5
• FILESIZE: 966144
• CODESIZE: 128512
• COMPILETIME: 2011:10:25 19:28:00+01:00
• DROPPER FOR SUSPECT #4
• SAME C&CS AS SUSPECT #4
![Page 28: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/28.jpg)
ACRORD32INFO.EXE
Location Remote Host Port Number
Oakville, Canada 69.90.160.65 80
Montréal, Canada 70.38.107.13 80
Montréal, Canada 70.38.12.10 80
http://www.threatexpert.com/report.aspx?md5=c40e3ee23cf95d992b7cd0b7c01b8599
SUSPECT #5
![Page 29: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/29.jpg)
SRSLY?
![Page 30: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/30.jpg)
http://bunny-shooter-best-free-game.en.softonic.com/
v 2.3.2
![Page 31: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/31.jpg)
• DROPS PAYLOAD IN %WINDIR%\MSAPPS\NETMGR.EXE
• STORES CONFIGURATION IN REGISTRY
• CREATES ENTRY IN
HKLM\..\CURRENTVERSION\RUN FOR NETMGR.EXE
• REACHES OUT TO REMOTE SERVERS
SUSPECT #5
![Page 32: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/32.jpg)
SWISS CHEESE ATTRIBUTION
• PROJECT NAMED BUNNY, VERSION 2.3.2
• DDOS BOTNET OPERATORS
• ACCEPT-LANGUAGE: FR
• C&C SERVERS HOSTED IN CANADA
• C&C DOMAINS RESEMBLE FRENCH/IRANIAN WEBSITES
• AUTHOR NO ENGLISH NATIVE-SPEAKER ...
• LUA? MUST BE FLAME
![Page 33: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/33.jpg)
Wars not make
one great.
![Page 34: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/34.jpg)
https://whispersystems.org/
![Page 35: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/35.jpg)
http://www.theverge.com
![Page 36: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/36.jpg)
SUBGRAPH OShttps://subgraph.com/
![Page 37: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/37.jpg)
![Page 38: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/38.jpg)
HTTP://WWW.WOODMANN.COM/COLLABORATIVE/TOOLS/INDEX.PHP/CATEGORY:RCE_TOOLS
HTTP://WWW.WOODMANN.COM/COLLABORATIVE/KNOWLEDGE/INDEX.PHP/CATEGORY:RCE_KNOWLEDGE
![Page 39: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/39.jpg)
Viper is a binary management and analysis framework
dedicated to malware and exploit researchers.
http://viper.li/
![Page 40: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/40.jpg)
ACKNOWLEDGEMENTS
• MR. WHITE, MR. ORANGE, MR. BLONDE & MR. PINK
• MORGAN MARQUIS-BOIRE
• INBAR RAZ
• NICOLAS BRULEZ
• @EMERGENCYKITTENS
![Page 42: TS/NOFORN](https://reader036.fdocuments.us/reader036/viewer/2022081413/547e52b2b379596a2b8b5454/html5/thumbnails/42.jpg)
ANALYZE IT
• 2A64D331964DBDEC8141F16585F392BA
• 40E0F0681C79D70AC0329E68A94294CB
• 8132EE00F64856CF10930FD72505CEBE
• E8A333A726481A72B267EC6109939B0D
• 3BBB59AFDF9BDA4FFDC644D9D51C53E7
• C40E3EE23CF95D992B7CD0B7C01B8599