
THOTCON 0x6: Going Kinetic on Electronic Crime Networks


Page 1: THOTCON 0x6: Going Kinetic on Electronic Crime Networks

Going Kinetic on Electronic Crime Networks

THOTCON 0x06

John Bambenek, Fidelis Cybersecurity

Introduction

•  Sr. Threat Researcher with Fidelis Cybersecurity

•  Faculty at the University of Illinois at Urbana-Champaign

•  Producer of open-source intelligence feeds

•  Run several takedown-oriented groups for various malware families

Problem Statement

•  Right now we are on the losing end of an arms race

•  The adversaries produce more malware than we can possibly analyze.

•  We have to operate in the open while they operate in secret.

•  Their core business is exploitation; for us, security is a cost center.

•  We operate in a global economy without an effective means of global law enforcement.

TL;DR

Bad News: We’re Doomed

Good News: Unlimited Job Security

What to do…

•  You could keep playing defense:

    •  Firewall Rules

    •  IDS/IPS Rules

    •  AV Signatures

    •  IoCs

    •  Etc etc etc

The problem of “sufficiency”

•  Once we “detect” a threat, work occurs until some “defense” is developed.

•  Once a threat is “blocked”, the work tends to stop.

•  The threat actor can operate with impunity and just has to tweak tactics occasionally.

•  Those in most need of security are least likely to have it / afford it.

What to do…

•  Or you can take the fight to the adversary and go kinetic?

•  Why kinetic?

    •  No, I’m not talking about Predator drones…

    •  Or hacking back…

What to do…

What is a takedown?

•  An attempt to disrupt an ongoing electronic crime operation with the intent of ending it entirely.

•  Successful takedowns: Operation Tovar, Conficker

•  Unsuccessful takedowns: Kelihos (all 4)

•  Complete disasters: No-IP

Aren’t takedowns just media ploys?

Aren’t takedowns just media ploys?

•  Right now there is far too much media pimping in our industry by <insert company name here>.

•  There have been plenty of takedowns for PR purposes. And white papers. And blog posts… etc.

•  That doesn’t mean we should stop trying to have an impact.

How to tell the difference?

•  Takedowns, like all security-related activity, require OPSEC.

•  What’s the first rule of OPSEC?

Do takedowns do any good?

•  Some argue that because crime doesn’t stop, takedowns don’t do any good.

    •  Sure, stupid takedowns don’t do much good.

•  But arrests haven’t stopped rape, murder and theft in a few thousand years either.

Do takedowns do any good?

•  Writing detection rules doesn’t stop criminals from adapting either.

•  Key is to do things in a thoughtful way to maximize impact and minimize risk.

•  Hopefully along the way an indictment can be had.

How to do takedowns…

•  Largely depends on the threat and the complexity.

    •  Can be as simple as asking a provider to shut someone down.

•  Can be as complicated as involving dozens of organizations, law enforcement across multiple countries.

The Easy Way

•  Getting things taken down for criminal activity can be time-consuming.

•  Getting things taken down for “brand damage” / DMCA is generally easy.

    •  Seriously, ICANN has minimal security rules for domains, but they are all over brand damage / impersonation.

The Easy Way

•  That only works for “small” threats… the kind that can easily come back anyway.

•  Most threats are too big for one organization to handle.

    •  There are shared threats and unique threats. Most are shared threats.

Building the Intel for Takedowns

•  Have to build the “what” before you can answer the “how”.

•  Almost all malware wants to talk “somewhere”.

•  Enumerate *ALL* avenues an adversary can contact an infected machine.

Example #1

•  Example #1: Domain Generation Algorithms

•  Based on some math, a pseudo-random but predictable list of domains is generated.

Example #1

•  If you can RE a DGA, you can use it to build intel.

    •  See Johannes Bader’s blog: johannesbader.ch

•  Create a domain list, use adns-tools to resolve large numbers of them on a routine basis: instant SIGINT tool.

Example #1

tmabjkeyftudpk.com , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
eiavquoeipblqq.net , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
rvyqndcrbqsxqu.biz , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
fjccjegtytxxsh.ru , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
swbwgmthrupkju.org , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
gqfoopfpkaxjjf.co.uk , Domain used by Cryptolocker - Flashback DGA for 11 May 2015

Example #1

•  You could use this list to find what resolves and where the adversary is sitting…

50.63.202.25 , IP used by matsnu C&C
54.228.194.98 , IP used by matsnu C&C
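Added example, not the speaker's code: a small Python pipeline that turns a reversed DGA into a daily feed in the layout of the two slides above (domain lines for the day, plus an IP line for whatever currently resolves). The generator is a made-up placeholder that hashes a seed, the date and an index; it is not the CryptoLocker/Flashback algorithm, which would be plugged in from the reversing work. The resolver is a plain function so the system resolver can be swapped for a constructed lookup (the slide's adns-tools would do the bulk resolution at scale). The family name, the seed and the 203.0.113.5 address are assumptions.

```python
"""Toy DGA-to-intel pipeline (added example; not the speaker's code)."""
import hashlib
import socket
from datetime import date
from typing import Callable, Dict, List, Optional

# TLDs taken from the slide's sample list.
TLDS = ["com", "net", "biz", "ru", "org", "co.uk"]

# Date used by the stand-alone demo (matches the slide's feed date).
DEMO_DAY = date(2015, 5, 11)

Resolver = Callable[[str], Optional[str]]


def toy_dga(day: date, count: int = 5, seed: bytes = b"example-family") -> List[str]:
    """Hypothetical DGA: a deterministic list of `count` domains for `day`.

    Each domain comes from SHA-256(seed || date || index): the first 14 bytes
    pick letters, byte 14 picks the TLD. Same inputs always give the same list,
    which is exactly the property that makes a reversed DGA usable as intel.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
        domains.append(f"{label}.{TLDS[digest[14] % len(TLDS)]}")
    return domains


def resolve_default(name: str) -> Optional[str]:
    """Resolve one name with the system resolver; None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_all(domains: List[str], resolver: Resolver = resolve_default) -> Dict[str, Optional[str]]:
    """Map every generated domain to the IP it currently resolves to (or None)."""
    return {d: resolver(d) for d in domains}


def feed_lines(day: date, family: str, resolver: Resolver = resolve_default, count: int = 5) -> List[str]:
    """Render the day's intel in the 'value , description' layout of the slide.

    Every domain is listed (it is an indicator whether or not it resolves);
    an IP line is added only for domains that do resolve, i.e. where the
    adversary is currently sitting.
    """
    lines = []
    for domain, ip in resolve_all(toy_dga(day, count), resolver).items():
        lines.append(f"{domain} , Domain used by {family} DGA for {day:%d %b %Y}")
        if ip is not None:
            lines.append(f"{ip} , IP used by {family} C&C")
    return lines


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline: only the first domain "resolves".
    first = toy_dga(DEMO_DAY)[0]
    demo_resolver = {first: "203.0.113.5"}.get  # 203.0.113.0/24 is documentation space
    print("\n".join(feed_lines(DEMO_DAY, "Toy", resolver=demo_resolver)))
```

Run it as-is for the offline demo, or pass `resolver=resolve_default` to query real DNS. The design point is the split between generation and resolution: the generated list is a stable, shareable blocklist on its own, while the resolution pass is what has to be repeated routinely to track where the infrastructure moves.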

Example #1

•  Or you could take all the domains, current and future, in a legal action.

    •  If there is no other path to access, you have severed the adversary’s ability to control. (Operation Tovar did this.)

•  You could also buy all the domains…

    •  Expensive, unless you are a registrar, which is cheaper than you think to do.

    •  Or you could ask the registrar to suspend. Many will take action (some won’t).

    •  AlienSpy example

Example #2

•  Example 2

•  Mine malware for C2 information

•  https://github.com/kevthehermit/RATDecoders

•  Python scripts that will statically rip configurations out of 32 different flavors of RATs.

•  Disclaimer: I had nothing to do with the development of these tools; they just fit my need and Kevin Breen deserves mad props.

Sample DarkComet config

Key: CampaignID Value: Guest16
Key: Domains Value: ######.ddns.net:1234
Key: FTPHost Value:
Key: FTPKeyLogs Value:
Key: FTPPassword Value:
Key: FTPPort Value:
Key: FTPRoot Value:
Key: FTPSize Value:
Key: FTPUserName Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger Value: 1
Key: Password Value:
Key: Version Value: #KCMDDC51#

Sample njRat config

Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: #####.ddns.net
Key: Install Dir Value: UserProfile
Key: Install Flag Value: False
Key: Install Name Value: svchost.exe
Key: Network Separator Value: |'|'|
Key: Port Value: 1177
Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4

Processing DNS/IP Info

•  Config takes FQDN or IP in free-form field.

•  This is the only configuration item that any processing is done on.

•  If RFC 1918 IP, then drop config.

•  If FQDN resolves to RFC1918 IP, keep it.

•  If it doesn’t resolve, keep it.

Sample Output

0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,######.ddns.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR

0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,######.noip.me,,1604,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS

07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,######.no-ip.biz,204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N

07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,######.no-ip.biz,,1604,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC

07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A2xbJmSqvuc,DC_MUTEX-F54S21D

07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,######.ddns.net,31.132.106.94,1604,1.#######.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN

NOTE – Redacted entries are username and password for FTP drop for keylogs.
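Added example, not the speaker's code and not part of RATDecoders: the DNS/IP rule from the "Processing DNS/IP Info" slide applied to decoded DarkComet-style configs, with the surviving configs written out in the column order of the sample output above (sha1, yymmdd, type, campaign, domain, ip, port, FTP host, FTP user, FTP password, gencode, mutex). The `host:port` splitting, the choice to leave the IP column blank when an FQDN resolves to a private address, the placeholder hashes, the `.invalid` names, the documentation-range IPs and the offline DNS stand-in are all assumptions made for the demo.

```python
"""C2-field processing and feed rows (added example; not the speaker's code)."""
import csv
import io
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def as_ip(text: str) -> Optional[str]:
    """Return the normalised literal if `text` is an IP address, else None."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def split_host_port(field: str) -> Tuple[str, str]:
    """'host:1234' -> ('host', '1234'); a bare host or IPv4 literal gets port ''.
    IPv6 literals are not expected in these RAT configs and are not handled."""
    field = field.strip()
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return field, ""


def resolve_default(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def process_c2_field(field: str, resolver: Resolver = resolve_default) -> Optional[Tuple[str, str, str]]:
    """Slide rule: an RFC 1918 literal drops the config (None); an FQDN is kept
    even if it resolves privately or not at all. Returns (domain, ip, port)."""
    host, port = split_host_port(field)
    if not host:
        return ("", "", port)
    literal = as_ip(host)
    if literal is not None:
        if is_rfc1918(literal):
            return None  # LAN/lab build with no reachable C2: drop the whole config
        return ("", literal, port)
    resolved = resolver(host)
    # Assumption: a private or failed resolution is not recorded as an IP
    # indicator; the FQDN itself is the durable indicator and is kept.
    if resolved is None or is_rfc1918(resolved):
        resolved = ""
    return (host, resolved, port)


def config_to_row(sha1: str, yymmdd: str, cfg: Dict[str, str],
                  resolver: Resolver = resolve_default) -> Optional[List[str]]:
    """One feed row in the slide's column order, or None if the config is dropped."""
    c2 = process_c2_field(cfg.get("Domains", ""), resolver)
    if c2 is None:
        return None
    domain, ip, port = c2
    return [sha1, yymmdd, "Dark Comet Config", cfg.get("CampaignID", ""), domain, ip, port,
            cfg.get("FTPHost", ""), cfg.get("FTPUserName", ""), cfg.get("FTPPassword", ""),
            cfg.get("Gencode", ""), cfg.get("Mutex", "")]


def render_rows(samples, resolver: Resolver = resolve_default) -> str:
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for sha1, yymmdd, cfg in samples:
        row = config_to_row(sha1, yymmdd, cfg, resolver)
        if row is not None:
            writer.writerow(row)
    return out.getvalue()


# Constructed samples: placeholder hashes, .invalid names, documentation IPs.
SAMPLE_CONFIGS = [
    ("0" * 40, "150213", {"CampaignID": "Guest16", "Domains": "c2.ddns.invalid:1604",
                          "Gencode": "EXAMPLEGEN01", "Mutex": "DC_MUTEX-EXAMPLE1"}),
    ("1" * 40, "150213", {"CampaignID": "test1", "Domains": "192.168.1.10:90",  # dropped
                          "Gencode": "EXAMPLEGEN02", "Mutex": "DC_MUTEX-EXAMPLE2"}),
    ("2" * 40, "150213", {"CampaignID": "test2", "Domains": "203.0.113.7:1604",
                          "Gencode": "EXAMPLEGEN03", "Mutex": "DC_MUTEX-EXAMPLE3"}),
]

# Constructed stand-in for DNS so the demo runs offline.
DEMO_RESOLVER = {"c2.ddns.invalid": "198.51.100.9", "lan.ddns.invalid": "10.1.1.1"}.get

if __name__ == "__main__":
    print(render_rows(SAMPLE_CONFIGS, DEMO_RESOLVER), end="")
```

The asymmetry in the rule is the point worth noticing: a hard-coded private IP says the sample was built for a LAN or a lab and will never reach the internet, so it is noise, whereas a dynamic-DNS name that happens to resolve privately (or not at all) today is still the attacker's rendezvous point and may come back tomorrow.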

So you have data. Now what?

•  You have four options for takedown-related actions:

    •  Use the criminal justice system

    •  Use civil litigation

    •  Work with providers directly (AUP/ToS/Contract enforcement)

    •  Other “less legal” means which we will not discuss here.

Criminal Justice System

•  The ideal result… someone gets arrested.

•  Generally, work for big online crime cases starts with private sector research.

•  Very time consuming but low cost.

•  LE in almost every country is willing to work with anyone who can help build cases.

    •  Yet cooperation between countries can be problematic.

Criminal Justice System

•  An important tool to motivate law enforcement is to enumerate harm.

•  Sinkhole domains (if possible) to build victim information.

•  Before LE will act they want to know how their citizens are impacted.

•  Possible to get cooperation even in “hostile” jurisdictions.
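Added example, not the speaker's code: a Python sketch of the harm enumeration described on this slide, turning sinkhole query logs into the figures law enforcement asks for (distinct victims per day, and distinct victims per jurisdiction). The log, its `timestamp client-ip queried-name` layout and the IP-to-country mapping are constructed for the demo; the queried names are the DGA domains from the earlier slide and the client IPs are documentation ranges. A real deployment would parse the sinkhole's own log format and use a GeoIP/ASN database for the lookup.

```python
"""Sinkhole victim enumeration (added example; not the speaker's code)."""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterator, Set, Tuple

# Constructed log: "<ISO-8601 timestamp> <client ip> <queried name>".
SINKHOLE_LOG = """\
2015-05-11T00:03:12Z 198.51.100.23 tmabjkeyftudpk.com
2015-05-11T00:03:15Z 198.51.100.23 eiavquoeipblqq.net
2015-05-11T01:10:44Z 203.0.113.77 tmabjkeyftudpk.com
2015-05-11T02:30:00Z 192.0.2.5 rvyqndcrbqsxqu.biz
2015-05-11T02:30:01Z 192.0.2.5 rvyqndcrbqsxqu.biz
2015-05-12T00:00:09Z 198.51.100.23 tmabjkeyftudpk.com
2015-05-12T09:45:31Z 192.0.2.9 fjccjegtytxxsh.ru
malformed line that must be skipped
"""

# Constructed stand-in for a GeoIP lookup (assumed country codes).
DEMO_COUNTRY = {"198.51.100.23": "US", "203.0.113.77": "DE", "192.0.2.5": "US", "192.0.2.9": "BR"}

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)$")


def parse_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (day, client_ip, queried_name); lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def unique_victims_per_day(text: str) -> Dict[str, int]:
    """Count distinct client IPs per day (repeat queries are not new victims).
    Caveat: NAT hides many hosts behind one IP, so this is a lower bound."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for day, ip, _ in parse_log(text):
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def victims_by_country(text: str, lookup: Callable[[str], str]) -> Dict[str, int]:
    """Distinct victim IPs per country over the whole log: the 'how are your
    citizens impacted' number for a given jurisdiction."""
    by_country: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, _ in parse_log(text):
        by_country[lookup(ip)].add(ip)
    return {c: len(ips) for c, ips in sorted(by_country.items())}


if __name__ == "__main__":
    print(unique_victims_per_day(SINKHOLE_LOG))
    print(victims_by_country(SINKHOLE_LOG, lambda ip: DEMO_COUNTRY.get(ip, "??")))
```

Deduplicating on client IP rather than counting hits is what keeps the figure honest when presenting it to LE: a single infected host beaconing every few minutes would otherwise inflate the count by orders of magnitude.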

Civil litigation

•  Involves an aggrieved party (or regulatory body) going to court for some remedy.

•  Generally not available to most people for lack of “standing”.

•  Can also lead to some collateral damage.

Work with providers directly

•  Some are more cooperative than others.

•  Many go from uncooperative to cooperative.

•  Takes time to build a relationship and trust.

•  Bypasses “foreign policy” issues and gets results.

    •  As an example, I’ve gotten cooperation inside Russia and China on security issues.

Risk assessment

•  Before any takedown action is taken, a “risk assessment” should be done.

    •  What collateral damage could be done?

    •  Is action being taken against a third party and not the target?

    •  Will less aggressive means accomplish the mission without resorting to heavy-handed tactics?

Post-Takedown activity

•  Just because you take down the C2 network, it doesn’t necessarily mean you have cleaned up infected machines.

•  Operation Tovar created a mechanism for people to recover files and to see if they were infected, to make private individuals “whole”.

•  This is the most neglected part of takedowns.

The Key to All of This…

•  Most threats are too big for one organization to tackle.

•  Many organizations have unique data or skillsets.

•  The key is to have a group of people across organizations, each contributing a reasonable amount toward the goal.

The Key to All of This…

•  Private working groups aren’t exclusive to big companies or security companies.

•  Takes willingness to contribute something to get something in return.

•  Added benefit is access to information to protect your organization you wouldn’t have otherwise.

Venues to participate in takedown activity

•  Microsoft CME Program

•  Private working groups (some are more open than others)

    •  I run 4.

The Upshot

•  There is more work than could possibly be done.

•  If you want to contribute effort, find a venue to do so.

    •  Reverse-engineering

    •  Tooling

    •  OSINT research

    •  Etc.

•  Much of the work is not as high-skill as you would think, just takes time, motivation and a willingness to learn.

Call to Action


Bottom Line

“The infosec industry doesn’t need another white paper.

What we need is bodies in the streets.”

This is here just because it amuses me

QUESTIONS? THANK YOU

[email protected] / 217 493 0760

@bambenek