Posts Tagged ‘APT’

Revisiting the Advanced Persistent Threat

Friday, May 14th, 2010

Ever since the Google hack disclosures back in January this year, the term “Advanced Persistent Threat” (or “APT” if you prefer to use TLAs) has been tossed about in various forums and associated with security, hacking, terrorism, state-sponsored attacks, botnets, advanced malware, next-generation malware, etc. – the net result is that the term means quite different things to different people.

Depending upon how much of a security purist you are, your perspective of what an APT encompasses could be pretty broad or downright specific. For example, there is a clutch of security purists who, being mostly former US military, strongly associate the term with traditional state-sponsored attacks against US infrastructure. Therefore, for something to be labeled an APT, it requires the threat to be backed or endorsed by a hostile political regime and requires tools, tactics and technologies outside the normal threat spectrum (and not within everyday reach of criminals).

On the other hand, you’ll find another clutch of security purists that take the term “Advanced Persistent Threat” precisely as you’d expect to interpret each word in the English dictionary.

There are of course all sorts of problems. For example, what precisely constitutes “advanced”? To the average corporate security defender, “spear phishing” may be sufficiently different from all the bulk spam their company gets each day to meet the criteria for “advanced”. Meanwhile, for a system administrator only partially familiar with the network worms of the early 2000s, the current batch of Brazilian banker Trojans would be more than “advanced”. And, for the CEO of some large company, the prospect of being hacked and backdoored over their WiFi connection during the flight between Atlanta and San Francisco would likely lie somewhere between “advanced” and downright magical.

The point is, depending upon your experience with cyber threats and your ability to validate their technical capabilities, one man’s APT may be another’s script-kiddie hack or yesterday’s news. I think that Arthur C. Clarke said it best – “Any sufficiently advanced technology is indistinguishable from magic” (or in this case “advanced”).

To date, the term APT has been thrown about so often and used in so many different ways that it’s probably impossible to revert it back to what most security purists would like (or insist upon). This obviously isn’t a new problem for the community. Another term that has been subjected to precisely the same social and media stresses is “Hacker”. You can check out the history of what “hacker” means – but today’s interpretation is completely different from what was intended – and yet people still use the term in various ways with different audiences.

There’s a problem though: just as the term “hacker” can have negative and positive connotations depending upon who you’re talking to, “APT” may be a door opener or a door closer (for example, with close security friends and colleagues, we’re hackers – with prospective customers we’re Penetration Testers and Security Consultants – if we’re responding to press attention we’re whitehat or ethical hackers – and, in other places we’ll use the context of bug hunters and reverse engineers – all depending upon how you think the person you’re speaking to will react to the word “hacker”). This is becoming more pronounced of late. For example, here are some (paraphrased) quotes I’ve heard lately:

  • “I don’t need any more IPS – I’ve got tonnes of the stuff. I need to prevent APTs.”
  • “I’ve already got anti-virus, now I need Advanced Malware detection capabilities.”
  • “I have an incident response team that covers APTs. I need protection against NG Malware.”
  • “I need to stop the malware from China. Get me an anti-APT gateway!”
  • “APTs only affect the government and Google. No foreign government would be interested in us.”
  • “APTs? I’ve got a dozen of them squirming in my network. How do I block them?”

There are several more laughable quotes and a bundle of R-rated ones that I’ll refrain from posting here. The point is that the term APT means different things to different people – and will continue to do so – regardless of any purists’ intentions to clarify what the term means. On a related note though, trying to clarify things by dividing the various interpretations of APT into separate sub-definitions (each with its own TLA) is inevitably doomed to failure. As someone once mentioned to me, “the problem with standards is that everyone wants their own”.

– Gunter Ollmann, VP Research

“Preemptive Protection” Isn’t – If You’re Battling APTs

Thursday, January 21st, 2010

There’s been no shortage of press covering Advanced Persistent Threats (APTs) this week. While there have been plenty of post-hack discussions over the past few years following the big public breaches, this one’s different – there’s almost a kind of relief that this one’s made it out in the open. I can liken it to the relief and revelations that followed that first major tobacco manufacturer’s decision to admit that smoking actually probably wasn’t so good for you after all…

Unfortunately, the revelation of several dozen major organizations being the victim of this particular APT example has just about every security vendor on the planet clamoring to extol and position their latest nicotine patch equivalent. Or, perhaps more appropriately, a lock-box to prevent you from reaching for another cigarette.

In the hustle-bustle of vendors claiming “First” or “Preemptive”, there’s a lot of weighted wordage flying about. But if that’s all true, if a particular vendor was “First” in its discovery, why didn’t they stop the threat or protect the currently known victims? Didn’t they understand the significance of what they had already discovered? Did they choose to keep the information to themselves for competitive advantage? I can’t answer those questions – and frankly any answers I’d likely receive in return from these “First” vendors would probably be carefully word-smithed by a gaggle of marketing folks.

What about “Preemptive”? I like that word – it’s important. Having developed and invented many security technologies that fall into that bucket over the last decade, I can categorically state that “Preemptive” is good. But (and you knew there’d be a “but”), it’s not good enough…

Those nicotine patch equivalent vendors are going on about how they could/would/will/have/might preemptively…

  • …detect the fact that the user is visiting a URL that’s probably dangerous
  • …detect the malicious JavaScript or HTML that delivered the exploit
  • …detect the exploit shellcode
  • …detect the buffer overflow
  • …detect the memory manipulation of the exploit
  • …detect the malicious payload
  • …detect the malware component
  • …detect the malicious behaviors of the compromised application
  • …detect the inappropriate behaviors of the compromised host
  • …detect the malicious network behaviors

…and by “detecting” the APT, they’d have been able to protect against it (or an aspect of it). But at the end of the day, all those technologies, for one reason or another, failed to protect these organizations from being a (very public) victim of the APT.

Why? Because APTs aren’t like average-Joe malware, botnets, script-kiddies, hackers, fraud artists and cybercriminal attacks. The thing that makes APT attacks different from the other forms of cyber-attack can best be summed up with the mantra “if at first you don’t succeed – try, try and try again.”

The vast majority of Internet attacks – especially mass Internet botnets – are opportunistic attacks. The bad guys have a broad objective in mind along with a number of tools they specialize in, and have a ceiling to the amount of effort they’re willing to expend. They will optimize a particular attack vector, select the preferred delivery method, and pound the Internet (and everyone on it) with that toolset until they’ve acquired enough victims. So, while many of the attacks may appear to be “targeted” (e.g. Spear Phishing), their objectives are rather limited (e.g. immediate financial fraud), and if they don’t succeed against the currently highlighted target they’ll simply move on to the next.

APTs don’t follow this model. If a particular attack vector, tool, technology or exploit didn’t (or is unlikely to) work, they switch to another – never changing targets nor focus.

What does that mean in practice? Regardless of the perimeter or host security technology you deploy, and how “preemptive” it is, it isn’t going to stop an APT. Sure, each “preemptive” technology worked just fine – stopping each and every attack vector, malicious payload or strange behavior it was supposed to – but the criminal operators targeting your organization just move on to the next tool or vector until they find one that works. And let’s not forget (or kid ourselves), this probing of network defenses and “preemptive” protection doesn’t happen as an overnight barrage of simultaneous attacks from a small cluster of IP addresses tracked down to the Chinese Army. No, this is low and slow stuff spread over many days, weeks or months, routed via a variety of sources and proxies from around the world – or even through your business partners.

So, can all of these nicotine patch sellers protect your organization against APTs? No, of course not. They can protect against many of the vectors that may be tried and probably identify the particular exploit or malware the attackers end up using, but at the end of the day APTs will win.

Which brings me to my final point. I don’t care how you got infected or became the latest APT victim – because you will be – so get over it and do something already. If a criminal operations team is willing to spend the time, effort and monies to target your organization, they will win! So, how do you defeat APTs? Simple: you detect their presence as fast as you possibly can and remediate the victims almost as fast.

OK, so “preemptive” protection is important – but being able to know when that “preemptive” protection has failed is even more important!

FailSafe

Let me put on my Damballa hat for the moment. I’ve been getting a bunch of queries about whether the Damballa FailSafe solution detects the “Google APT thing in the news”. The answer is Yes, and many of the other APTs that you haven’t heard about (and are unlikely to hear about). You see, from our technology perspective, we don’t care how you became a victim either (you can debate whether that’s my influence or cynicism leaking through). Lying at the heart of our technology is the ability to identify the suspicious and unauthorised remote control of systems within the enterprise. All this is done at the network level, and an APT’s command and control (CnC) is generally no different from that of a successful mass-Internet botnet, an insider threat or even a remote access trojan hand-placed by a criminal operative. The motivations behind a botnet, insider threat and APT may be wildly different – but the CnC communications are not.

It gets a little tougher distinguishing between a brand new targeted botnet, an insider threat or an APT purely from their CnC traffic. But in reality the trick is to identify those threats that have already navigated your layers of corporate defenses and shut them down. Deciding whether a particular threat was politically, financially or ethically motivated comes afterwards.

Was this “Google APT thing in the news” the first APT to place Google in its cross-hairs? No. Is it the only APT targeting Google? No. Will it be the last APT to target Google? No. Will targeted enterprises be able to prevent APTs from getting in? No. Is it possible to detect when an APT has successfully bypassed all your “preemptive” protection technologies and compromised your systems? Yes.

– Gunter Ollmann, VP Research

Corporate Espionage and Tethered Criminal Actions

Wednesday, January 13th, 2010

The media is buzzing with the latest news concerning Google and Adobe and the targeted attacks directed at their corporate systems. While it’s news, it’s important to understand that this isn’t something that’s only just happened – rather it’s something that both these organizations (and dozens more) have been subjected to for quite some time; it’s just become public, and they’re admitting to being the victims. But this is important.

I’ve been providing security consultancy advice for a couple of decades. I’ve been pulled in to do post-attack forensics along with specialized pentesting, bug-hunting and reverse engineering for the majority of the Fortune 500 companies, and in all that time, unless they were required to by law, not one has gone public about the attacks they were subjected to and the losses they have incurred. That’s why this Google/Adobe/etc. news is so significant – some Fortune 500 companies are actually saying “hey, enough already, we’re under constant attack – we need to do something collectively about this!”

What’s the primary vehicle for these (ongoing) attacks? You’ll hear plenty of discussion portraying viruses and malware as being the problem, and plenty of implications that the Chinese government lies behind the attack(s). But let’s be clear – that’s a fantastically simplistic view of the threat. Implying that the threat lies with targeted malware and China is like saying that drunk-driving deaths are due to poor car design, and that the underlying cause is a particular beer brewery.

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

The methods for getting a malware agent into an organization and onto key/critical hosts are incredibly diverse but, most importantly, can best be described as “trivial”. If someone wants to infect systems within a targeted organization and is willing to spend more than a few thousand dollars worth of effort to do so, it’ll happen – simple as that. Just as importantly, the malware being distributed and used in these kinds of attacks can be thought of as a Swiss Army knife with Klingon cloaking capabilities.

I jest only in part about the Klingon cloaking – but it actually works well as a visual metaphor. Just as the Klingon Warbirds must decloak in order to launch their attack with photon torpedoes etc., APTs and botnets must decloak themselves at the network level in order to maintain their CnC connections and be successful in harvesting espionage data. While APTs are more surreptitious when it comes to CnC connectivity, their weakness lies in their network communications. At the host level, the probability of detecting an installation prior to actual financial/legal damage lies largely in the realm of dragons and mermaids.

Looking at the botnets we identify and track at Damballa that target enterprise networks, many of them fall into the classification realm of APTs. The malware component is under constant change – often being updated on a daily basis. Meanwhile the low-and-slow stealthy CnC traffic navigates the corporate network, weaves its way through fast-fluxing networks and stratified levels of command relays, and makes it back to the team that’s really in control of the compromised assets – a bunch of contracted criminals located somewhere safe and far away. I use the term “team” on purpose because this is an organized collective of professional operators – each with their own skills and specialties.

I see a lot of discussions about preventing systems from being compromised – in fact most of the security business today is exclusively focused on threat prevention. But, you know what, every year (for the last two decades at least) as antivirus vendors release their annual threat reports, the percentage of hosts known (or suspected) of being a victim and running malware has increased. As we launch into 2010, I think the percentage most industry experts and veterans would throw about would be 35-40 percent of all Internet-connected systems being compromised and currently running malware. Despite the terrific advances in detection, mitigation and cleanup – the numbers continue to go up. Despite the new detection technologies, the bad guys retain their lead. APT-related malware lies in a particular niche, but it isn’t being prevented from getting into a targeted organization. Let’s just face facts – if someone wants in on your organization and is willing to invest time and resources to do so, the probability that they will be successful certainly favors them.

Detecting and mitigating the CnC – breaking that tether of control – lies at the heart of dealing with this threat. By blocking those CnC channels, the bad guys can’t remotely control your enterprise systems, and they can’t extract the secret data they want. Tracing back who lies at the end of the CnC communication ultimately leads to the contracted criminals running the operation. The fact that those criminals happen to be located in a particular country is only part of identifying the instigators of the threat – but it’s probably as far as we’ll get.

Like I said earlier, I’ve had to deal with many of these threats before. In the UK, it appeared that many of the corporate espionage attacks were masterminded by French or US entities. In Taiwan it appeared to be China and South Korea. In China it appeared to be Taiwan and Australia. In Greece it appeared to be Turkey and Egypt. And so on… but those are only my specific experiences. [unfortunately, not a single corporate victim ever went public about the attacks they fell victim to - and probably never will... sigh]

With regards to the APTs and botnets that Damballa tracks, detects and mitigates… well, those CnCs are spread all over the world and most likely reflect the locations of the professional teams that contract out their services, rather than the location of their ultimate customers.

My advice to organizations being targeted with APTs, botnets and unauthorized remote control of corporate resources? Focus on the network CnC – and mitigate there. By all means protect your perimeter and clean up your hosts – that’ll keep the unsophisticated script-kiddies and riff-raff off your systems – but it means very little to the pros. Success in dealing with this threat – the threat that Google, Adobe, and most global businesses (and governments) face constantly – is to identify which assets are currently compromised and “nuke-and-pave” them ASAP. I.e. identify systems that are trying to connect to their remote CnC, immediately cut that tether, and rapidly rebuild that system from a known good state (which is increasingly looking like a bare-metal state). If you can get that notification-to-rebuilt process down to 20 minutes or less, you’ll be in a good position to deal with this class of threat long term. Until then, you’re just messing around at playing detective.

– Gunter Ollmann, VP Research
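The second and third posts above both come down to the same operational point: you will not stop the intrusion at the perimeter, so the detection that matters is spotting the compromised host by its low-and-slow CnC tether and cutting it. The following is an added example, not code from the original posts nor from Damballa's FailSafe product, that shows one concrete way to do that at the network level: it scans outbound-connection records for host/destination pairs that talk at regular intervals, with little data, over a long span, which is the signature of a beaconing implant rather than of a human. The log format, the IP addresses, the hostnames (`cnc.example.invalid`, `www.example.com`, `mirror.example.org`) and the thresholds are all constructed for the example.

```python
"""Beacon detection over outbound-connection logs (constructed example).

Idea: a remotely controlled host must periodically "decloak" to reach its
CnC. Grouped per (source, destination), those check-ins show a near-constant
inter-arrival time, a long overall span and small payloads. Human-driven
traffic to the same destination is bursty, so its interval spread is large.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: int          # epoch seconds
    src: str         # internal host
    dst: str         # remote destination (hostname or IP)
    out_bytes: int   # bytes sent by the internal host


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<epoch> <src> <dst> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return Conn(int(ts), src, dst, int(nbytes))


def build_sample_log() -> list[str]:
    """Constructed sample log: one beaconing host, one browsing host, one download."""
    lines: list[str] = []
    t0 = 1_263_340_800  # 2010-01-13 00:00:00 UTC (constructed base time)

    # Host A: hourly beacon with deterministic +/-60 s jitter, ~200 bytes each,
    # 25 check-ins spread over roughly 24 hours.
    t = t0
    for i in range(25):
        lines.append(f"{t} 10.1.1.23 cnc.example.invalid {180 + (i % 3)}")
        t += 3600 + ((i * 37) % 120) - 60

    # Host B: bursty human browsing to a popular site, 24 connections in ~9 hours.
    t = t0
    gaps = [5, 2, 900, 30, 4000, 10, 15, 20000, 3, 7, 600, 1,
            2, 3, 8000, 5, 4, 9, 2, 300, 1, 1, 7, 50]
    for gap in gaps:
        lines.append(f"{t} 10.1.1.45 www.example.com {4096 * (gap % 5 + 1)}")
        t += gap

    # Host C: a single large download; too few events to measure periodicity.
    lines.append(f"{t0 + 500} 10.1.1.99 mirror.example.org 52428800")

    lines.sort(key=lambda line: int(line.split()[0]))
    return lines


@dataclass
class Beacon:
    src: str
    dst: str
    count: int
    mean_interval: float   # seconds between check-ins
    cv: float              # std/mean of the intervals; near 0 means clockwork
    span_hours: float


def find_beacons(lines: list[str], min_events: int = 8,
                 min_span_s: int = 6 * 3600, max_cv: float = 0.2) -> list[Beacon]:
    """Return (src, dst) pairs whose connection timing looks like a beacon."""
    groups: dict[tuple[str, str], list[Conn]] = defaultdict(list)
    for line in lines:
        c = parse_line(line)
        groups[(c.src, c.dst)].append(c)

    hits: list[Beacon] = []
    for (src, dst), conns in groups.items():
        if len(conns) < min_events:          # not enough samples to judge
            continue
        conns.sort(key=lambda c: c.ts)
        span = conns[-1].ts - conns[0].ts
        if span < min_span_s:                # persistence is part of the signal
            continue
        intervals = [b.ts - a.ts for a, b in zip(conns, conns[1:])]
        mu = mean(intervals)
        if mu <= 0:
            continue
        cv = pstdev(intervals) / mu          # coefficient of variation
        if cv <= max_cv:
            hits.append(Beacon(src, dst, len(conns), mu, cv, span / 3600))
    hits.sort(key=lambda b: b.cv)
    return hits


if __name__ == "__main__":
    for b in find_beacons(build_sample_log()):
        print(f"BEACON {b.src} -> {b.dst}: {b.count} check-ins, "
              f"every {b.mean_interval:.0f}s (cv={b.cv:.3f}), over {b.span_hours:.1f}h")
```

Only host A is reported; the browsing host talks to its destination just as often but with a coefficient of variation far above the threshold, and the one-off download never reaches the minimum event count. Two caveats a practitioner should carry into production: an implant that randomizes its sleep widely, or that hides behind a destination many legitimate hosts also use, pushes the CV up and needs additional features (payload size consistency, destination reputation, number of internal hosts sharing the destination); and legitimate clockwork traffic such as NTP, update checks and monitoring agents produces exactly this low-CV pattern, so an allowlist of known pollers is required before a hit triggers the nuke-and-pave workflow the post recommends.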