
© 2013 The MITRE Corporation. All rights reserved.

Wesley Shields & Murad Khan

Approved for Public Release; Distribution Unlimited. 13-0108

Does This Sound Familiar?

• You’re responding to an incident

• You find malware that talks on a network

• What happened?

– Who said what?

– Any information stolen?

– Additional malware uploaded?

– Any unknown C2?


You Need Data!

• Collect data from the hosts

– Scale problems (lots of hosts, what data?)

– Compromised hosts can not be trusted

• Collect data from the network

– Less scale problems (still lots of data)

– Chokepoints make things manageable

– Unless you’re Travis Goodspeed et al., packets don’t lie (ground truth)

• We like network data!


Command and Control Analysis

• Malware protocols change

• Protocols hide in plain sight

– So much HTTP based malware!

• Need to understand layer 7

– Existing tools for this: tcpdump, wireshark, vortex, commercial tools, etc.

– All have various tradeoffs


Introducing ChopShop

• Protocol analysis/decoding framework

• Python

• Open source

• Modular & extensible


WAT?

12 copies of the same function in 12 different files.

WAT?

WAT?

Yes, someone™ actually concatenated a bunch of payloads into a string!

“So I have this decoder for network traffic, except it doesn’t read PCAP files.”

Stop The Insanity!


One base64 implementation

Multiple packet_time formats

Common timestamp printing function.

Likely won’t need packet_time family.

• Share common code in libraries!

ChopShop Design Goals

• Stop reinventing the wheel

• Modular

• Standardize

• Simple to use

• Simple to write

• Share the core

– The secret sauce is in the modules


Increase Adoption

Sadly, C is a bit newbie unfriendly. Need to use something else…

Python sounds perfectly reasonable (and arbitrary)…


https://twitter.com/codinghorror/statuses/904415232

Libnids (pynids)


Framework?

Core:

• Load modules

• Reassemble streams

• Hand streams to modules

• Process module position in stream

• Handle bookkeeping

Modules:

• Process data

• …

• Profit!

The Anatomy of a Module

• moduleName

• Required Functions:

– init(module_data)

– taste(tcp_data)

– handleStream(tcp_data)

• Optional Functions:

– module_info()

– teardown(tcp_data)

– shutdown(module_data)

Data Structures

AKA: Bookkeeping (TCP Data Object)

• The core of the core of chopshop!

• From a module author’s perspective. ☺

• Important stuff it contains:

– addr – Quadtuple (src, sport, dst, dport)

– timestamp of the packet being processed

– Information about the client

– Information about the server

– Information relative to the stream as seen by a specific module

– Information about a specific module

• Functions it contains:

– discard() – How many bytes in the buffer this module has processed

– stop() – This module no longer cares about this stream

Client and Server Objects?

• Things they contain you should care about:

– data: array of stream contents reassembled so far

– count: amount of data reassembled

– offset: where in the stream you currently are

– count_new: amount of data new in this call

The Life of a Module

• Initialization (Required)

– Process your arguments

– Setup module_data?

• Process data

– taste() (Required)

– handleStream() (Required)

– teardown()

• Shutdown

– Flush buffers, print statistics, etc.

Stop Reinventing The Wheel

Make it easy to write

Understanding RATs

• You can understand what a RAT can do by RE’ing it

• You can understand what an operator of a RAT did by decoding the protocol

• Don’t confuse actions taken by an operator with actions taken automatically by the malware!

What Is This?


Gh0st

• Leaked source malware

• 33,400 results for “gh0st rat” on Google

• AV companies write about it a lot

• Attributed to Chinese hacking group

• Great example for this talk

– If your malware is on Wikipedia it isn’t a secret!

• The VOHO Campaign: An In Depth Analysis (RSA)

• Know Your Digital Enemy: Anatomy of a Gh0st RAT (McAfee)

• The Many Faces of Gh0st Rat (Norman ASA)


Gh0st Protocol

• Flag: Usually 5 bytes (Gh0st, LURK0, Heart …)

– Usually human-readable, doesn’t have to be!

• DWORD: Compressed message length

• DWORD: Uncompressed message length

• WORD: zlib header

• Data


Decoding Gh0st

• Goal: Figure out the size of the message.

• Search every DWORD in the first N bytes of a stream.

• If the DWORD matches the packet length, jump past the next DWORD and look for \x78\x9c

• If the zlib header exists, go back to the length DWORD: everything before it is the flag.

Decoding Gh0st

• Buffer up the entire message

• Decompress it

• Parse the token/command

• Profit…

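The Gh0st header layout (flag, two DWORDs, zlib data) and the decoding procedure on the two slides above, as an added example that is not ChopShop's Gh0st module. It scans the DWORDs in the first N bytes of the first packet for one that equals the packet length, confirms the \x78\x9c header past the next DWORD, takes everything before the length DWORD as the flag, then buffers each message, decompresses it and reads the token. Two assumptions are made here and marked in the code: the first DWORD counts the whole on-wire message (flag + DWORDs + compressed body), and the token is the first decompressed byte. `build_message` only manufactures sample traffic for the demo; the flags and payloads are constructed.

```python
"""Find and decode Gh0st-style messages in a reassembled TCP stream.

Added example, not ChopShop's Gh0st module. Assumptions: the first DWORD is
the total on-wire length of the message (flag + two DWORDs + compressed
body) and the token/command is the first byte of the decompressed data.
"""
import struct
import zlib

ZLIB_HEADER = b"\x78\x9c"    # header of a default-compression zlib stream
SEARCH_WINDOW = 32           # N: how deep into the stream to look for the length DWORD
HEADER_DWORDS = 8            # two little-endian DWORDs follow the flag


def build_message(flag: bytes, token: int, body: bytes) -> bytes:
    """Constructed encoder, used only to make sample traffic for this example."""
    plain = bytes([token]) + body
    packed = zlib.compress(plain)              # default level -> 78 9c header
    total = len(flag) + HEADER_DWORDS + len(packed)
    return flag + struct.pack("<II", total, len(plain)) + packed


def find_header(packet: bytes, window: int = SEARCH_WINDOW):
    """Locate the flag and the two length fields in the first packet of a stream.

    Returns (flag, total_len, plain_len), or None if nothing in the window
    looks like a Gh0st header (e.g. a variant that dropped zlib)."""
    last = min(window, len(packet) - HEADER_DWORDS - len(ZLIB_HEADER))
    for i in range(0, last + 1):
        total, plain_len = struct.unpack_from("<II", packet, i)
        if total != len(packet):                   # the DWORD must equal the packet length
            continue
        after = packet[i + HEADER_DWORDS:i + HEADER_DWORDS + len(ZLIB_HEADER)]
        if after != ZLIB_HEADER:                   # no zlib header past the next DWORD
            continue
        return packet[:i], total, plain_len        # everything before the DWORD is the flag
    return None


def decode_message(buf: bytes, flag_len: int):
    """Once buf holds a whole message return (token, body, bytes_consumed);
    return None while more data must be buffered; raise on a corrupt body."""
    hdr_len = flag_len + HEADER_DWORDS
    if len(buf) < hdr_len:
        return None
    total, plain_len = struct.unpack_from("<II", buf, flag_len)
    if len(buf) < total:
        return None                                # keep buffering
    plain = zlib.decompress(buf[hdr_len:total])
    if len(plain) != plain_len:
        raise ValueError("uncompressed length does not match header")
    return plain[0], plain[1:], total


def decode_stream(packets, window: int = SEARCH_WINDOW):
    """Learn the flag from the first packet, then pull every complete message
    out of the reassembled stream. Returns (flag, [(token, body), ...]) or
    None when the first packet does not look like Gh0st."""
    packets = list(packets)
    if not packets:
        return None
    header = find_header(packets[0], window)
    if header is None:
        return None
    flag = header[0]
    buf, messages = b"", []
    for pkt in packets:
        buf += pkt
        while True:                                # a segment may complete several messages
            got = decode_message(buf, len(flag))
            if got is None:
                break
            token, body, used = got
            messages.append((token, body))
            buf = buf[used:]
    return flag, messages


if __name__ == "__main__":
    # Constructed traffic: a short first message, then one split across segments.
    first = build_message(b"LURK0", 1, b"hello")
    second = build_message(b"LURK0", 2, b"x" * 100)
    print(decode_stream([first, second[:7], second[7:20], second[20:]]))
```

Nothing here hardcodes the flag, which is why the LURK0 variant decodes without changes; the flag search is what absorbs the "leaked source = variants" problem. What it does not absorb is a variant that skips zlib: `find_header` returns None for it, and at that point the slide's advice stands, you still have to RE the sample.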

Problems With Decoding Gh0st

• Available source = Variants

• zlib technically not required

• New tokens and commands throw off the enum

• Your mileage may vary in the wild

– Still need to RE malware!

Demo Time

Diagram: Client* (Evil Operator) and Server* (Victim Laptop) talking through a Tap, with ChopShop attached to the tap.

Tri-part Design

Diagram: ChopShop (front end), Library (ChopLib) holding the Modules, and UI (ChopUi) with stdout, gui and json outputs, connected by a Queue.

Why ChopShop?

• Standard API, input and output, common libraries

• Streaming not buffering

• Easier than writing wireshark plugins or dissectors

• Rapid development

• Be as open about your decoders as you want

Open Source

• https://github.com/MITRECND/chopshop

• http://www.mitre.org/work/cybersecurity/

• Create your decoders (modules)

• Contribute them back if you want

• Share them with your peers


Questions?

rot13(ChopShop)


http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf

http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
