Análisis de ataques APT

•

2 gostaram•1,118 visualizações

The document discusses targeted attacks from sophisticated, coordinated groups. These attackers are highly skilled, well-funded and can research and exploit new vulnerabilities to accomplish missions over months. Specific examples discussed include the Kalachakra attack and details on its spearphishing techniques, dropped executables, and command and control traffic. Methods of antivirus evasion, real world samples, exploit techniques and command and control servers used by advanced persistent threat groups are also covered.

Tecnologia

Understanding targeted
attacks

Saturday, February 4, 2012

Who am I?

• Jaime Blasco
• Alienvault Labs Manager

Saturday, February 4, 2012

What are we talking
about?
• Group of sophisticated, coordinated and
political/ﬁnancial/military motivated
attackers .
• The intruder can exploit publicly known
vulnerabilities but the attackers also are
highly skilled and well funded and can
research and exploit new vulnerabilities.
• The attacker wants to accomplish a mission
that can take place over months.
Saturday, February 4, 2012

Agenda

• cat /dev/urandom

Saturday, February 4, 2012

Example: Kalachakra

• Camp information at Bodhgaya.doc
• CVE 2010-3333

Saturday, February 4, 2012

SpearPhishing

Saturday, February 4, 2012

Shellcode

Staged XOR Loader

Saturday, February 4, 2012

Shellcode

• Resolves imports by hashes
• Ror to generate hashes (ror ebx 7)

Saturday, February 4, 2012

Dropped EXE

• Language of compilation system: Chinese
• Dropped Files:
• C:Documents and SettingsAdministrator7240672406.dat

• C:Documents and SettingsAdministratortemp.dat

• Mark the presence on the system:

Saturday, February 4, 2012

7240672406.dat

Saturday, February 4, 2012

Injected Code
• User Mode Process Dumper
• WinDBG to the rescue:

Saturday, February 4, 2012

C&C Trafﬁc

GET / HTTP/1.0
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)
Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn
Connection: Keep-Alive

Saturday, February 4, 2012

kalachakra32.doc

Saturday, February 4, 2012

Dropped EXE
• Created Files:

AhnLab-V3, DrWeb, Jiangmin
Saturday, February 4, 2012

Embedded Resource

Saturday, February 4, 2012

Debug Info
.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello!

.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConﬁgDataSize = [40]

.InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done!

.install.cpp-InstallSrvPlugin-51: InstallSrvPlugin!

.install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81]

.install.cpp-InstallSrvPlugin-261: Install Service by WinAPI!

.install.cpp-InstallSrvPlugin-295: StartServiceEx!

.SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe]

.SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread

.SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]

.SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81]

Saturday, February 4, 2012

Create Service
"20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAIL
URE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType-
>SERV
ICE_AUTO_START","lpBinaryPathName->C:WINDOWSsystem32rundll32.exe "C:Archivos de
programaArchivos comunesMicrosoft SharedTriedit5a1bcffe.dll",ServiceEntry"

Saturday, February 4, 2012

Av Aware
• Check for kisknl.sys (Kingsoft Antivirus)

• Look for KSafeTray.exe and disable it: OpenThread ->
SuspendThread

• Check for TmComm.sys (TrendMicro)

• Check for HookPort.sys (QQ 360)

• Depending of the AV present use the native API to install the
service or the following method:

• FindWindowA("CabinetWClass", WindowName);

• FindWindowExA(v15, 0, "WorkerW", 0);

• SendMessageA, RegOpenKeyExA, SYSTEM
CurrentControlSetServices

Saturday, February 4, 2012

Certiﬁcate Access

Saturday, February 4, 2012

Smartcard Access

Saturday, February 4, 2012

OpenIOC
• Indicators Of Compromise

• XML format to describe:

• File Attributes

• Registry entries

• Process attributes

• Network Attributes

• ...

• http://openioc.org/

Saturday, February 4, 2012

Thank you

• Follow me on twitter:
jaimeblascob

Saturday, February 4, 2012

Mais conteúdo relacionado

Semelhante a Análisis de ataques APT

Web Page Test - Beyond the BasicsAndy Davies

On non existent 0-days, stable binary exploits andAlisa Esage Шевченко

doing_it_right() with WordPressryanduff

How to guarantee your change is integrated to Moodle coreDan Poltawski

Unit Test for ZF SlideShare ComponentDiego Delon

Esage on non-existent 0-days, stable binary exploits and user interactionDefconRussia

How To Use Selenium SuccessfullyDave Haeffner

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services

Hacking on WildFly 9Virtual JBoss User Group

tut0000021-heverytutorialsruby

Mastering Test Automation: How to Use Selenium Successfully Applitools

Introduce iRedMail Open Source Mail Server SolutionZhangHuangbin

How To Use Selenium Successfully (Java Edition)Sauce Labs

Rapid Android Application Security TestingNutan Kumar Panda

Semelhante a Análisis de ataques APT (20)

Web Page Test - Beyond the Basics

On non existent 0-days, stable binary exploits and

doing_it_right() with WordPress

How to guarantee your change is integrated to Moodle core

Unit Test for ZF SlideShare Component

Esage on non-existent 0-days, stable binary exploits and user interaction

How To Use Selenium Successfully

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Hacking on WildFly 9

tut0000021-hevery

Mastering Test Automation: How to Use Selenium Successfully

Introduce iRedMail Open Source Mail Server Solution

How To Use Selenium Successfully (Java Edition)

Rapid Android Application Security Testing

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Finology Group – Insurtech Innovation Award 2024The Digital Insurer

08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls

Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge

Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal

What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

A Domino Admins Adventures (Engage 2024)Gabriella Davis

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls

08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG

Partners Life - Insurer Innovation Award 2024The Digital Insurer

GenCyber Cyber Security Day PresentationMichael W. Hawkins

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia

Análisis de ataques APT

1. Understanding targeted attacks Saturday, February 4, 2012

2. Who am I? • Jaime Blasco • Alienvault Labs Manager Saturday, February 4, 2012

3. What are we talking about? • Group of sophisticated, coordinated and political/ﬁnancial/military motivated attackers . • The intruder can exploit publicly known vulnerabilities but the attackers also are highly skilled and well funded and can research and exploit new vulnerabilities. • The attacker wants to accomplish a mission that can take place over months. Saturday, February 4, 2012

4. Agenda • cat /dev/urandom Saturday, February 4, 2012

5. Example: Kalachakra • Camp information at Bodhgaya.doc • CVE 2010-3333 Saturday, February 4, 2012

6. SpearPhishing Saturday, February 4, 2012

7. Shellcode Staged XOR Loader Saturday, February 4, 2012

8. Shellcode • Resolves imports by hashes • Ror to generate hashes (ror ebx 7) Saturday, February 4, 2012

9. Shellcode Saturday, February 4, 2012

10. Dropped EXE Saturday, February 4, 2012

11. Dropped EXE • Language of compilation system: Chinese • Dropped Files: • C:Documents and SettingsAdministrator7240672406.dat • C:Documents and SettingsAdministratortemp.dat • Mark the presence on the system: Saturday, February 4, 2012

12. 7240672406.dat Saturday, February 4, 2012

13. Injection Saturday, February 4, 2012

14. Obfuscation Saturday, February 4, 2012

15. Injected Code • User Mode Process Dumper • WinDBG to the rescue: Saturday, February 4, 2012

16. C&C Trafﬁc GET / HTTP/1.0 Accept: */* Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0) Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn Connection: Keep-Alive Saturday, February 4, 2012

17. kalachakra32.doc Saturday, February 4, 2012

18. Dropped EXE • Created Files: AhnLab-V3, DrWeb, Jiangmin Saturday, February 4, 2012

19. Embedded Resource Saturday, February 4, 2012

20. Debug Info .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56: Installer Hello! .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75: dwConﬁgDataSize = [40] .InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171: ReleaseResource done! .install.cpp-InstallSrvPlugin-51: InstallSrvPlugin! .install.cpp-InstallSrvPlugin-125: szHost = [218.106.193.184] szPort = [81] .install.cpp-InstallSrvPlugin-261: Install Service by WinAPI! .install.cpp-InstallSrvPlugin-295: StartServiceEx! .SrvPlugin.cpp-ServiceMain-291: g_szServiceName = [5a1bcffe] .SrvPlugin.cpp-ConnectClientThread-528: ConnectClientThread .SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81] .SrvPlugin.cpp-ConnectClientThread-638: szHost = [218.106.193.184] szPort = [81] Saturday, February 4, 2012

21. Create Service "20120131205652.906","2020","82799b64ca7f2e8cd218223da9d146c3.exe","CreateServiceA","FAIL URE","0x00466f40","lpServiceName->5a1bcffe","dwServiceType->0x00000110","dwStartType- >SERV ICE_AUTO_START","lpBinaryPathName->C:WINDOWSsystem32rundll32.exe "C:Archivos de programaArchivos comunesMicrosoft SharedTriedit5a1bcffe.dll",ServiceEntry" Saturday, February 4, 2012

22. Av Aware • Check for kisknl.sys (Kingsoft Antivirus) • Look for KSafeTray.exe and disable it: OpenThread -> SuspendThread • Check for TmComm.sys (TrendMicro) • Check for HookPort.sys (QQ 360) • Depending of the AV present use the native API to install the service or the following method: • FindWindowA("CabinetWClass", WindowName); • FindWindowExA(v15, 0, "WorkerW", 0); • SendMessageA, RegOpenKeyExA, SYSTEM CurrentControlSetServices Saturday, February 4, 2012

23. WTF! Saturday, February 4, 2012

24. Real World Saturday, February 4, 2012

25. Sykipot Saturday, February 4, 2012

26. Exploits Saturday, February 4, 2012

27. Samples Saturday, February 4, 2012

28. Features Saturday, February 4, 2012

29. C&C Servers Saturday, February 4, 2012

30. Certiﬁcate Access Saturday, February 4, 2012

31. Smartcard Access Saturday, February 4, 2012

32. OpenIOC • Indicators Of Compromise • XML format to describe: • File Attributes • Registry entries • Process attributes • Network Attributes • ... • http://openioc.org/ Saturday, February 4, 2012

33. Example Saturday, February 4, 2012

34. Example Saturday, February 4, 2012

35. Thank you • Follow me on twitter: jaimeblascob Saturday, February 4, 2012

Análisis de ataques APT

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Análisis de ataques APT

Semelhante a Análisis de ataques APT (20)

Último

Último (20)

Análisis de ataques APT