140 likes | 333 Vues
Advanced Persistent Threats. CS461/ECE422 Spring 2012. Traditional Malware. Infect as many machines as possible Non-discriminating Goal is the machine resources. Less the information on the machine Use CPU resources Sell DDoS abilities Sell SPAM abilities Use machines for storage
E N D
Advanced Persistent Threats CS461/ECE422 Spring 2012
Traditional Malware • Infect as many machines as possible • Non-discriminating • Goal is the machine resources. • Less the information on the machine • Use CPU resources • Sell DDoS abilities • Sell SPAM abilities • Use machines for storage • Stash stolen or illicit information on infected machine • Use network resources • Launch attacks or indirect through infected machines • Even where information is the goal, the specific owner of the information is not important • Gather credit card numbers • Perform extra bank transactions
Advanced Persistent Threat (APT) • Has been there all along. Just has gotten more attention recently • Attacker is concerned with the specific target • Discriminating, narrow, focused attack • E.g., attacker wants to find specific information from a specific organization • May perform some more generic infection techniques, but the ultimate goal is very specific
Successful APT • Lower volume • Unlikely to be part of standard virus scanner/IDS signature base • Generally the ones that are discovered are not particularly interesting • Evolving • Perhaps changing on each campaign • Focused • Just being more secure than your neighbors may not be good enough
Tibet Ghostnet • http://en.wikipedia.org/wiki/GhostNet • Discovered March 2009 • Infection initiated via targeted infected emails • Infected attachment installs Trojan • Trojan contacts control server and ways for commands • One command installed Gh0st Rat which allows complete control on windows system
Shady RAT • RAT = Remote Access Trojan • Report released by McAffee in August 2011 • www.mcafee.com/us/resources/white.../wp-operation-shady-rat.pdf • Reviewed the logs of one CNC botnet staring from 2006 • The botnet infiltrated many government and commercial organizations • Claimed sophisticated attack and targeted information gathering • Concretely identified 71 infiltrated organizations
How is the target computer infected? • Send emails to people at the target organization • Infected attachments, e.g. MS word, Excel, PDF, powerpoint • Victim opens infected attachment. Results extra code executing which installs a Trojan • Trojan attempts to contact some hard codes sites • Generally html or jpeg which don’t arouse much attention from the firewall or other network defenses • Commands are encrypted in the comments of the html file or embedding in the jpeg using steganographic techniques. • Example commands • Run: {URL/Filename} – Download and execute file • Sleep:{number} – Sleep for specified time • Info from Symantec review • http://www.symantec.com/connect/blogs/truth-behind-shady-rat
Using the machine once it’s infected • Using the {IP Address}:{port} command the Trojan connects to the remote server • Copies cmd.exe to svchost.exe and launchs the new version of cmd shell to listen on the port • Lots of instances of svchost run on a windows machine • This gives the attacker almost complete freedom to launch their attack from the infected machine • Does not use very sophisticated techniques
Stuxnet • Came to public attention June 2010 but in hindsight appeared in November 2008 • Symantec analysis http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf • Truly more sophisticated • Replicates via removable drives (jumping the air gap) • Also leverages SMB and printer spooling vulnerabilities plus much more • Sophisticated binary hiding and execution • Targeting a specific industrial control system (a Siemens PLC). Ultimately rootkits that PLC. • Supposedly the code altered behavior of centrifuges in a subtle way. Enough to alter the results of the centrifuging, but not enough so the operator would notice right away.
W32.Duqu • Probable evolution of the Stuxnet code base • Reports released around October 2011 • Symantec report http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf • Still figuring out the original infection vectors • One appears to be a zero-day MS doc issue http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit • Infected execution starts through a registered device driver • Device driver loaded on system boot • Device driver is signed with a legitimately signed certificate, so it does not raise attention • The driver injects a main dll into services.exe • The main dll is encrypted on disk. The key is stored in the registry
Duqu loading • Performs basic anti-debugging checks • Are debugging types of processes running? • Uninstall if it has been running for 36 days • The next phase is loaded from an encrypted resource in the main dll • The resource is decrypted into memory • The new DLL is injected into a standard process such as explorer.exe • The newly injected code is a payload loader • It gets information from CNC • It uses rootkit techniques to execute the payload bytes (load library) without ever writing the bytes to disk • Ultimately, it appears that the malware installs infostealing software • Appears to exchange data via information embedded in jpeg files.