Cybercrime in today's businesses: a real case study of a targeted attack
DESCRIPTION
Through a real case study, we will explore the complexity of the attacks which endanger today's businesses.
All: https://www.htbridge.ch/publications/cybercrime_in_nowadays_businesses_a_real_case_study_of_targeted_attack.html
TRANSCRIPT
ORIGINAL SWISS ETHICAL HACKING
©2011 High-Tech Bridge SA – www.htbridge.ch
Hashdays 2011
Cybercrime in today's businesses:
A real case study of a targeted attack
Frédéric BOURLA
Head of Ethical Hacking Department
0x00 - #whoami
Frédéric BOURLA
Head of Ethical Hacking Department
High-Tech Bridge SA
~12 years of experience in Information Security
LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT
CHFI, GCFA & GREM in progress
RHCE, RHCT, MCP
0x01 - #readelf prez
• Cyber attacks have evolved:
  • They have become more sophisticated
  • They are often targeted
  • It is not uncommon anymore to observe attacks run by specialized groups and initiated by unfair competitors
• This talk is an example of such threats. It is based on a post-incident investigation which took place in October 2010. To preserve the client's anonymity, let's call them Fedor-Trading.
• One round of 50'. To save time, please keep your questions until the end.
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Project’s context
0x03 - Mail analysis
0x04 - Client’s Website analysis
0x05 - Malware analysis
0x06 - Conclusion
0x02 - Project's context
• Last year, the CTO of a well-known financial institution contacted us.
• Fedor-Trading thought they were facing some kind of phishing attempt, and the CTO expected us to help him reassure the CEO that everything was fine and that no real attack had occurred.
• The initial project was a quick investigation driven by political reasons, and it began with an analysis of the emails received in one of their administrative mailboxes.
0x03 - Mail analysis
• They received several emails which appeared to have been sent from Fedor-Trading:
0x03 - Mail analysis
• At first glance, the suspicious emails did not look like phishing:
  • No multiple spelling mistakes per line
  • The content itself sounds sophisticated
  • All emails dealt with real matters and enticed Forex users to open a PDF
• Instead, all those emails looked like targeted attacks.
0x03 - Mail analysis
• The SMTP headers reveal the sending domain:
0x03 - Mail analysis
• The FQDN resolves to IP address 67.227.134.84.
• The hosting server is located in the US.
0x03 - Mail analysis
• The parent domain neonrain-vps.com has belonged to Neon Rain Interactive since 26 March 2008.
0x03 - Mail analysis
• The remote system hosted an out-of-date Apache engine and was weakly configured:
  • Talkative banners
  • Some indexed directories
  • Lots of information disclosure
  • Publicly available cPanel interface
  • Some outdated components
0x03 - Mail analysis
• A reverse DNS lookup showed that IP address 67.227.134.84 was used to host multiple websites.
• At least 82 domains were hosted on the same server.
• The combination of these factors gave us a strong likelihood that the malicious emails were sent from a compromised web server, thus concealing the identity of the attackers.
0x03 - Mail analysis
• The domain host.neonrain-vps.com had an MX record for this host.
• This made the sender look legitimate to basic checks and was enough to bypass most anti-spam protections; all Fedor-Trading clients who did not rely on a deeper SMTP analysis have probably received those suspicious emails.
• A quick analysis of the received emails consequently led us to think of a targeted attack rather than a blind one. We definitely needed more information, and asked for FTP access to Fedor-Trading's website.
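The "deeper SMTP analysis" mentioned above boils down to reading the Received chain bottom-up and comparing the first public relay with the domain shown in From:. The following is an added example, not code from the talk: the hostname and IP are the ones named on the slides, but the header block itself is constructed, and the domain comparison uses a simplistic "last two labels" rule rather than a public-suffix list.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration only: the relay name and IP are those
# named in the slides, but this header block was not taken from the real emails.
SAMPLE_MAIL = """\
Return-Path: <newsletter@fedor-trading.example>
Received: from mx.fedor-trading.example (mx.fedor-trading.example [192.0.2.10])
\tby mail.fedor-trading.example with ESMTP id 7C1; Fri, 8 Oct 2010 10:01:02 +0200
Received: from host.neonrain-vps.com (host.neonrain-vps.com [67.227.134.84])
\tby mx.fedor-trading.example with ESMTP id 6B0; Fri, 8 Oct 2010 10:01:01 +0200
Received: from localhost (localhost [127.0.0.1])
\tby host.neonrain-vps.com (Postfix) with ESMTP id 5A9; Fri, 8 Oct 2010 10:00:59 +0200
From: Fedor-Trading Research <research@fedor-trading.example>
To: client@example.org
Subject: EUR/USD outlook - please review the attached report
Content-Type: text/plain

See attached PDF.
"""

# "from <helo> (<rdns> [<ip>])" as written by most MTAs; rdns is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F:.]+)\]\)",
    re.I,
)


def parse_hops(msg):
    """Received headers are prepended by each relay, so reverse them to get oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def originating_hop(hops):
    """First hop whose source IP is globally routable: the host that handed the mail to the victim."""
    for hop in hops:
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue
        if ip.is_global:
            return hop
    return None


def registered_domain(host):
    """Last two labels; fine for the .com / .ch names here (no public-suffix list, an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse(raw):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    origin = originating_hop(hops)
    from_domain = registered_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    origin_domain = registered_domain(origin["rdns"] or origin["helo"]) if origin else None
    return {
        "hops": len(hops),
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin_domain,
        # the tell from the slides: the visible sender and the injecting relay disagree
        "sender_mismatch": origin_domain is not None and origin_domain != from_domain,
    }
```

A mismatch alone is not proof of spoofing (newsletters sent via third-party relays look the same), which is why the talk goes on to look at the relay itself; the check simply tells you which host to look at.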
0x04 - Client's Website analysis
• The front-end website was hosted externally, at Infomaniak Network.
• The first thing we noticed is that the website hosted a talkative «robots.txt» file:
0x04 - Client's Website analysis
• The passwd file revealed several forgotten accounts, but no trace of a potential compromise.
• The website contained a huge amount of logs. We downloaded them to carry out a local inspection.
0x04 - Client's Website analysis
• Fedor-Trading's website was often under automated attacks.
0x04 - Client's Website analysis
• In parallel with attack-pattern queries over those huge logs (quite slow, as there was no timeframe for this hypothetical attack), we took a quick look at the website's security level.
• Although a kind of Web Application Firewall successfully prevented our first attacks, the website appeared vulnerable to SQLi.
0x04 - Client's Website analysis
• We parsed the logs for the usual SQL injection signatures, and lots of occurrences were identified.
0x04 - Client's Website analysis
• Quite evolved injections were attempted.
• The first identified attacks were unsuccessful and relied only on automated exploitation tools.
• For example, the banner and the hexadecimal constant used while trying to determine the number of fields in the SQL query pointed to the Havij tool.
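The two previous slides describe a log triage in two passes: generic SQLi signatures first, then tool fingerprints. The following added example (not the script used in the investigation) does both over Apache combined-format lines. The log lines are constructed; the Havij fingerprint it looks for is the tool's well-known column-count probe constant 0x31303235343830303536 (the string "1025480056") and the "Havij" token in its default User-Agent.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not taken from the client's real logs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2010:09:14:02 +0200] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2010:09:14:05 +0200] "GET /index.php?option=com_content&id=3%27 HTTP/1.1" 500 611 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2010:09:20:31 +0200] "GET /index.php?id=999999.9+union+all+select+0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"
203.0.113.9 - - [12/Oct/2010:09:20:32 +0200] "GET /index.php?id=999999.9+union+all+select+0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 5140 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"
192.0.2.44 - - [13/Oct/2010:22:01:10 +0200] "GET /index.php?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%200,1-- HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Oct/2010:22:01:14 +0200] "GET /index.php?id=3-9999+union+SELECT%20concat(username,0x3a,password)%20FROM%20jos_users%20limit%200,1-- HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic SQLi signatures, applied to the URL-decoded request line (so %27 and + are visible).
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,20}?\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "concat_dump": re.compile(r"\b(group_)?concat\s*\(", re.I),
    "comment_terminator": re.compile(r"(--|/\*|#)\s*$"),
    "quote_probe": re.compile(r"'(\s|$)"),
}

# Havij's public fingerprint: it probes the column count with this hex constant
# and, by default, announces itself in the User-Agent.
HAVIJ_HEX = "0x31303235343830303536"


def classify(line):
    """Return a finding for one log line, or None when nothing SQLi-like is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])
    tags = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]
    if not tags:
        return None
    tool = "Havij" if HAVIJ_HEX in decoded.lower() or "havij" in m["ua"].lower() else None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "tags": tags,
        "tool": tool,
        # each repetition of the constant is one column the tool is testing for
        "columns_probed": decoded.lower().count(HAVIJ_HEX) or None,
        "query": decoded,
    }


def scan(log_text):
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def suspect_ips(findings):
    """Group hits by source so the manual, hand-crafted campaign stands out from the scanners."""
    return Counter(f["ip"] for f in findings)
```

Running `scan(SAMPLE_LOG)` flags five of the six lines: the quote probe that produced a 500, two Havij column-count probes (2 then 3 columns), and two hand-written information_schema / concat() requests from a third address, which is the kind of pattern the next slides follow up on.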
0x04 - Client's Website analysis
• The next step therefore consisted in simulating such automated attacks to assess the level of information which could have been collected by the attackers.
• Indeed, we used the then-current version 1.12 of Havij against Fedor-Trading.
• This tool proved inefficient in this specific case.
0x04 - Client's Website analysis
• Nevertheless it permitted to confirm the SQLi attack vector, as the name of the database was successfully dumped.
0x04 - Client's Website analysis
• In order to efficiently identify successful SQLi exploitation in the huge web server logs, we asked the client for temporary credentials on their Infomaniak web administration page.
• This offered us the best view of the operational structures, and therefore permitted to fine-tune our queries with keywords which had a high probability of occurrence in case of successful SQLi exploitation.
0x04 - Client's Website analysis
• This was much faster.
• New attacks were quickly identified.
• More pernicious, those attacks clearly showed that Fedor-Trading's website was compromised, and that nearly the whole backend database had been stolen.
0x04 - Client's Website analysis
• Indeed, most tables were remotely dumped by the attackers, and the email addresses of our client's customers were stolen.
• The source IP address 89.165.79.237 was located in Iran and did not host any publicly available service. It was most probably a bot intended to hide the attackers' identity.
0x04 - Client's Website analysis
• The impacted web application consisted of self-made code as well as the Joomla open source CMS and several commercial plugins.
• The exploited vulnerability resided in a commercial Joomla plugin named Sh404Sef. This security module provides SEO, analytics and URL rewriting. It is also supposed to prevent XSS, flooding and other malicious page requests… But unfortunately it allowed the attackers to inject SQL code. In that particular case, the security module brought insecurity.
0x04 - Client's Website analysis
• The SQL injection vulnerability was a little bit tricky, and none of the leading automated tools was able to exploit it.
• Most of them did not even detect any security problem on Fedor-Trading's website.
• The fact is that only a slow and manual attack could have permitted its exploitation.
0x04 - Client's Website analysis
• As a PoC, we demonstrated that the following parameters in GET requests permitted to remotely dump all sensitive information from the backend database:
0x04 - Client's Website analysis
• In this attack, the information leakage occurred in the title bar of the browser window.
• The 1st request simply permits to identify the PHP engine version.
0x04 - Client's Website analysis
• Requests 2 and 3 permit to get the username and the database name.
0x04 - Client's Website analysis
• Requests 4 to 6 permit to list the databases.
0x04 - Client's Website analysis
• GSDB only hosts 3 databases, as there is no result for the 7th GET request (offset 3, i.e. a 4th row, in information_schema.schemata):
?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1--
0x04 - Client's Website analysis
• Requests 8 and 9 permit to get the schema and the tables.
0x04 - Client's Website analysis
• The 10th request permits to enumerate the tables of the main database.
• Request 11 enumerates the columns of the jos_users table.
0x04 - Client's Website analysis
• And finally the 12th request permits to collect names, emails and password hashes from the jos_users table.
• With a small automation script, it was possible to remotely dump all sensitive tables, such as the personal data related to Forex accounts from the TAibs_c table and the trading platform administrators' password hashes from the USERS table.
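Requests 7 to 12 above all follow one pattern: make the original WHERE clause match nothing (`3-9999`), UNION in one value from a metadata table, and walk `limit N,1` until the page comes back empty. The following added example (not the "small automation script" from the investigation) replays that walk against an in-memory SQLite database standing in for the Joomla backend, with the vulnerable concatenation next to its parameterised fix. The schema and rows are invented; SQLite has no information_schema, so sqlite_master and pragma_table_info() play that role, and it accepts the same MySQL-style `limit offset,count` form used on the slides.

```python
import sqlite3
from urllib.parse import quote, unquote_plus


def build_db():
    """Constructed schema and rows standing in for the Joomla backend (all values invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jos_content(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO jos_content VALUES (1, 'Market outlook'), (2, 'EUR/USD weekly'), (3, 'Gold forecast');
        CREATE TABLE jos_users(id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT);
        INSERT INTO jos_users VALUES (62, 'Administrator', 'admin@example.test',
            '8f14e45fceea167a5a36dedd4bea2543:NnM6gHU1c0wTq2Ln6dvxZqS1c4QyYe9P');
    """)
    return con


def title_vulnerable(con, raw_id):
    """Vulnerable code path: the decoded id is concatenated straight into the query.
    The selected value becomes the page title, which is where the slides saw the leak."""
    sql = "SELECT title FROM jos_content WHERE id=" + unquote_plus(raw_id)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def title_fixed(con, raw_id):
    """Hardened version: cast to the expected type, then bind the value as a parameter."""
    try:
        item_id = int(unquote_plus(raw_id))
    except ValueError:
        return None
    row = con.execute("SELECT title FROM jos_content WHERE id=?", (item_id,)).fetchone()
    return row[0] if row else None


def union_walk(con, inner_select, fetch=title_vulnerable):
    """Replay the slides' 'limit N,1' enumeration: bump the offset until the page
    comes back empty (the 7th request on the slide), collecting one value per request."""
    values = []
    offset = 0
    while True:
        payload = f"3-9999 union SELECT {inner_select} limit {offset},1--"
        value = fetch(con, quote(payload))  # URL-encode the way a browser would
        if value is None:
            return values
        values.append(value)
        offset += 1


# SQLite equivalents of the information_schema queries on the slides.
TABLES = "name FROM sqlite_master WHERE type='table'"
COLUMNS = "name FROM pragma_table_info('jos_users')"
DUMP = "name||':'||email||':'||password FROM jos_users"
```

Against `title_vulnerable`, `union_walk(con, TABLES)` returns both table names, `union_walk(con, COLUMNS)` the four jos_users columns and `union_walk(con, DUMP)` the admin record; against `title_fixed` every walk returns an empty list, because the payload never survives the `int()` cast and the value is bound, not spliced.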
0x04 - Client's Website analysis
• Since version 1.5, Joomla has relied on a random per-user salt in its password hashing function.
• This approach efficiently defeats time-memory trade-off attacks:
$hash = md5($pass . $salt)
• Since then, rainbow table attacks against accounts gathered from compromised Joomla websites have remained ineffective.
0x04 - Client's Website analysis
• Nevertheless, one of the administrators' accounts had no salt. The password was therefore stored as a weak, unsalted MD5 hash. It was most probably an old account created with a previous version of the web application, which remained unchanged since the migration.
• The vulnerable account belonged to an external consultant.
Anonymised:Anonymised:anonymised@anonymised.com:c2e285cb33cecdbeb83d2189e983a8c0
0x04 - Client's Website analysis
• It was possible to break it in a few seconds.
• The attackers never logged in with this account.
• Fortunately for them, a noisy defacement would have been out of scope and totally counterproductive.
0x04 - Client's Website analysis
• Internal admin accounts were salted and strong enough to resist most dictionary attacks.
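The three previous slides make a point worth seeing in code: the same password stored as bare MD5 falls to a precomputed table instantly, while the salted form forces a per-account guess. The following is an added example, not code from the talk or from Joomla: it reproduces the `md5(pass . salt):salt` storage form, a triage step that lists unsalted records, and both attack styles. Passwords, salt and wordlist are invented, and the dictionary stands in for a real precomputed table.

```python
import hashlib

# Invented 32-character salt in the style Joomla 1.5 generates per user.
SALT = "fYc9Vq3TzLmR2sXo8WkBjH5Pd1uGeNa7"


def joomla_hash(password, salt=None):
    """Joomla storage form: bare md5 for pre-1.5 accounts, 'md5(pass+salt):salt' afterwards."""
    if salt is None:
        return hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


# Constructed records: a legacy account that survived the migration unsalted,
# and a migrated admin that happens to use the same password.
ACCOUNTS = {
    "consultant": joomla_hash("Forex2010"),
    "admin": joomla_hash("Forex2010", SALT),
}

WORDLIST = ["password", "123456", "Forex2010", "fedor", "trading", "letmein"]


def check_password(password, stored):
    """Verify against either storage form, the way the CMS does at login."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        return hashlib.md5((password + salt).encode()).hexdigest() == digest
    return hashlib.md5(password.encode()).hexdigest() == stored


def unsalted_accounts(accounts):
    """Triage from the slides: any record without ':' is plain MD5 and will crack in seconds."""
    return sorted(name for name, stored in accounts.items() if ":" not in stored)


def rainbow_table(words):
    """Stand-in for a precomputed table: digest -> plaintext, built once, reused for every dump."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, stored):
    """Precomputed-table attack: constant time per hash, but only bare MD5 can ever be in the table."""
    return table.get(stored.split(":", 1)[0])


def targeted_guess(words, stored):
    """Per-account brute force: the salt makes every candidate a fresh hash for every user."""
    return next((w for w in words if check_password(w, stored)), None)
```

`lookup()` recovers the consultant's password from the table and misses the admin's, even though the passwords are identical; only `targeted_guess()`, which rehashes each candidate with that user's salt, gets the admin. That is the whole effect of the salt: it does not make one weak password stronger, it removes the precomputation.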
0x05 - Malware analysis
• After having stolen the MySQL databases through an SQL injection on the trading platform, the attackers moved to a social engineering phase which targeted Forex users. Most of them received a credible fake email which enticed them into opening an attached PDF file.
• Therefore, the last part of the attack which required a deep analysis dealt with the PDF files attached to the fake emails.
• Several emails were sent, but all of them included a renamed version of the same PDF.
0x05 - Malware analysis
• PDF is one of the most prevalent methods for remote exploitation:
  • Victims can easily be sent targeted, socially engineered emails with such attachments
  • PDF links are common on websites and may permit drive-by exploitation
  • This file format is widespread among companies and most often authorized by perimeter protections
  • It is still quite hard for antivirus to detect malicious content
0x05 - Malware analysis
• On 9 October 2010, only 4 antivirus engines out of 43 detected a threat in this PDF, which is a 9.3% detection rate:
  • AntiVir
  • Emsisoft
  • Ikarus
  • Microsoft
• One year later, on 13 October 2011, only 16 antivirus engines out of 43 detect a threat. This is still a low detection rate of 37.2%.
0x05 - Malware analysis
• Indeed, PDF supports different compression formats which help hiding code:
  • FlateDecode
  • ASCIIHexDecode
  • LZWDecode
  • ASCII85Decode
  • RunLengthDecode
• It also supports encryption:
  • 40 and 128-bit RC4
  • 128-bit AES
0x05 - Malware analysis
• The PDF format also natively supports Unicode and hex escapes, and its JavaScript exposes fromCharCode. All of them are widely used for obfuscation purposes.
• Internal logical streams can embed other objects which support further client-side scripting, such as Flash ActionScript.
• It offers an efficient way to carry out heap spraying and egg hunting.
• For all those reasons, PDF is an attack vector of choice for hackers.
0x05 - Malware analysis
• In our case, the maliciously crafted PDF file exploited a critical vulnerability which affected all Adobe Reader versions prior to 9.4 on multiple OS (CVE-2010-2883).
• Opening this file in Adobe Reader v9.3.4 or any older version could alter its execution flow and run arbitrary code.
• This vulnerability was being actively exploited on the Internet when the attack occurred. Since Adobe Reader v9.4 only became publicly available on 5 October 2010, this attack relied on a 0-day with a high rate of successful compromise.
0x05 - Malware analysis
• A quick search for risky keywords with PDFiD revealed client-side code.
  (Annotations from the PDFiD screenshot: "Quite unusual in a malicious PDF", "Action automatically performed", "executed on form load".)
0x05 - Malware analysis
• The proportion of randomness in the file can also tell us more about this PDF.
• The total entropy and the entropy of the bytes inside stream objects are close to the maximum of 8, which suggests a normal PDF document.
0x05 - Malware analysis
• Nevertheless, the entropy outside stream objects is also quite high. In a normal PDF, it is usually between 4 and 5. This may lead us to think of a malformed PDF document, where data has been added outside stream objects.
• We can also notice that there is only one %%EOF in the document, even though there are lots of bytes after the last %%EOF, which also suggests that data has been appended.
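The three triage signals used on the previous slides (PDFiD-style keyword counts, entropy inside versus outside stream objects, and data after the last %%EOF) are simple enough to compute by hand. The following added example is not PDFiD or the tool used in the talk: it builds a constructed one-page PDF with an /OpenAction JavaScript object (its name hex-escaped as /J#61vaScript to show why name-escapes must be undone before counting), then appends high-entropy junk after %%EOF to reproduce the tell from the slide. The 5.5 outside-stream threshold is a heuristic taken from the "usually between 4 and 5" remark, not a standard.

```python
import math
import random
import re
import zlib
from collections import Counter

KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
            b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
            b"/AcroForm", b"/Launch", b"/EmbeddedFile", b"/RichMedia"]

# stream bodies; the lookbehind keeps "endstream\n" from being taken as a new start
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def build_sample_pdf():
    """Constructed minimal PDF (no xref table) with an /OpenAction JavaScript object
    whose name is hex-escaped. Not the sample analysed in the talk."""
    js = zlib.compress(b"app.alert('constructed sample');" * 8)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /AcroForm << /Fields [] >> >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Action /S /J#61vaScript /JS 7 0 R >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    body = b"%PDF-1.4\n"
    for n, o in zip([1, 2, 3, 4, 7], objects):
        body += b"%d 0 obj\n" % n + o + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_streams(data):
    """Bytes inside stream...endstream bodies versus everything else."""
    inside = b"".join(STREAM_RE.findall(data))
    outside = STREAM_RE.sub(b"stream\nendstream", data)
    return inside, outside


def keyword_counts(data):
    """PDFiD-style counts, after undoing /Name#xx hex escapes so obfuscated names still count."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return {kw.decode(): len(re.findall(rb"(?<![A-Za-z0-9])" + re.escape(kw) + rb"(?![A-Za-z0-9])", plain))
            for kw in KEYWORDS}


def eof_stats(data):
    """Count %%EOF markers and measure non-whitespace data after the last one."""
    marks = [m.start() for m in re.finditer(rb"%%EOF", data)]
    trailing = len(data[marks[-1] + 5:].strip()) if marks else len(data)
    return {"eof_count": len(marks), "bytes_after_last_eof": trailing}


def triage(data):
    inside, outside = split_streams(data)
    report = {
        "total_entropy": round(shannon_entropy(data), 2),
        "stream_entropy": round(shannon_entropy(inside), 2),
        "outside_stream_entropy": round(shannon_entropy(outside), 2),
        **eof_stats(data),
        "keywords": keyword_counts(data),
    }
    k = report["keywords"]
    report["suspicious"] = bool(
        ((k["/JS"] or k["/JavaScript"]) and (k["/OpenAction"] or k["/AA"] or k["/AcroForm"]))
        or report["bytes_after_last_eof"] > 0
        or report["outside_stream_entropy"] > 5.5   # heuristic: normal syntax sits around 4-5
    )
    return report


def append_junk(pdf, n=4096, seed=1):
    """Model the tell from the slides: high-entropy data appended after the only %%EOF."""
    rng = random.Random(seed)
    return pdf + bytes(rng.getrandbits(8) for _ in range(n))
```

On the clean sample `triage()` reports one %%EOF, nothing after it and an outside-stream entropy around 5; after `append_junk()` the %%EOF count is still one but thousands of bytes follow it and the outside-stream entropy jumps, which is exactly the combination the slide describes.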
0x05 - Malware analysis
• So a good idea was to dig a little bit further with Origami. Unfortunately the Walker GUI was tricked into errors.
0x05 - Malware analysis
• Command-line extraction also ran into problems, but at least confirmed some results.
0x05 - Malware analysis
• In fact, even Adobe Reader thought the file was damaged. Unfortunately, it still managed to read it.
0x05 - Malware analysis
• The logical flaw nevertheless remained easy to identify.
0x05 - Malware analysis
• Nevertheless, we were still not able to extract the embedded JavaScript code.
0x05 - Malware analysis
• Object 3 contains the string "/JavaScript" and was configured to execute code from object 7. Object 30 also contained the string "/JS" and holds code.
0x05 - Malware analysis
• Nevertheless, the payload was quite heavily obfuscated.
0x05 - Malware analysis
• Most crafted PDFs rely on a simple XOR with a single-byte key, or use ROL/ROR operations, for obfuscation purposes…
• But not here. As a consequence, tools like XorSearch did not get any result.
• The only solution seemed to be the reverse engineering approach.
0x05 - Malware analysis
• Indeed, the interesting content was encrypted with a 4-byte XOR operation.
• After identifying the 4-byte key 0x4114D345, we were able to extract the “mea.dll” file embedded in the malicious PDF.
• This one was not encrypted, and revealed the final URL which hosted the ultimate payload, as confirmed by the following analysis.
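Why single-byte tools such as XorSearch fail on a 4-byte key, and how the key is still recoverable, shown as an added Python example (not the presenter's tooling): a known-plaintext search using the DOS stub string every PE carries. The embedded DLL is a constructed stand-in, not mea.dll, and the byte order of the key is an assumption since the slides give only the 32-bit value.

```python
import struct

# Key reported in the talk. Byte order within the key is an assumption:
# the slides give only the 32-bit value.
KEY_BYTES = struct.pack(">I", 0x4114D345)
# Known plaintext present in practically every PE file, used as the crib.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_repeating(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with a repeating key; offset = position of data[0] in the key stream."""
    n = len(key)
    return bytes(b ^ key[(i + offset) % n] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, crib: bytes, key_len: int = 4) -> list:
    """Known-plaintext search for a repeating key of key_len bytes.

    Slides the crib over the blob. At each position the first key_len bytes
    imply a key; the remainder of the crib must agree with that key, which is
    the multi-byte check a single-byte XOR scanner never performs.
    Returns [(offset, key)] with the key rotated to align with blob[0].
    """
    hits = []
    for pos in range(len(blob) - len(crib) + 1):
        window = blob[pos:pos + len(crib)]
        implied = bytes(w ^ c for w, c in zip(window[:key_len], crib[:key_len]))
        if all(window[i] ^ crib[i] == implied[i % key_len] for i in range(len(crib))):
            shift = pos % key_len  # key index 0 sits 'shift' bytes before pos
            aligned = implied[-shift:] + implied[:-shift] if shift else implied
            hits.append((pos, aligned))
    return hits


def extract_embedded_pe(blob: bytes):
    """Recover the key from the DOS stub and return the decrypted blob if it is a PE."""
    for _pos, key in recover_xor_key(blob, DOS_STUB):
        plain = xor_repeating(blob, key)
        if plain[:2] == b"MZ":
            return plain
    return None


# Constructed stand-in for the embedded DLL (not the real mea.dll): a PE-like
# MZ header, an unaligned gap so the key rotation is exercised, the DOS stub,
# then filler. Encrypted with the talk's key to produce the analysis input.
FAKE_DLL = (b"MZ\x90\x00" + b"\x00" * 61 + DOS_STUB + b".\r\n$"
            + bytes(range(256)) * 2)
ENCRYPTED = xor_repeating(FAKE_DLL, KEY_BYTES)

if __name__ == "__main__":
    for pos, key in recover_xor_key(ENCRYPTED, DOS_STUB):
        print(f"crib at offset {pos}, key 0x{key.hex().upper()}")
    print("PE recovered:", extract_embedded_pe(ENCRYPTED) == FAKE_DLL)
```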
• Opening Adobe Reader’s CoolType.dll in IDA revealed the abused “strcat”. The “uniqueName” field from the SING table structure was being used in that function.
• The exploit relied on /AcroForm JavaScript to detect the version of Adobe Reader and switch to the appropriate payload.
• Then the heap spray was used to put ROP data into memory at a guessable address. This heap spray followed a huge RET sled, which acted as a more classical NOP sled while transitioning between the stack buffer overflow and the ROP payload.
• Gadgets used in the ROP payload come from the module “icucnv36.dll”, which was not compiled with ASLR, as discussed soon.
• Attackers used ROP techniques. Instead of redirecting the execution flow to the heap, it jumps to a code section in a DLL which indeed has execute rights. This is achieved by overwriting the saved EIP on the stack, and by chaining calls into this DLL at specific places through a RET sled crafted on the stack.
• The exploit created an empty iso88591 file and mapped it to memory in order to get an executable space, where shellcode could be copied and executed.
• The AcroRd32.exe process was also abused to load the icucnv34.dll module, a DLL which was not compiled with ASLR and is therefore always loaded at the same address in memory. It is then possible to use its own IAT to get the addresses of ASLR-randomised Kernel32 APIs.
• As a consequence, both DEP & ASLR were bypassed!
• Finally, the exploit also worked on Vista and 7, as it didn’t use hardcoded XP syscalls.
• So basically it was already the end of the game…
• The malware also used some tricks to prevent its analysis. For example, each time we used a memory BP, we arrived in a long loop which always ended with an exception.
• After having dropped another binary from itself, the “mea.dll” overwrites part of its own Text section to prevent memory dumps.
• The malware also skipped part of its code while running within Immunity Debugger. For example, the “adobe1.exe” file was not dropped, even if the hidedebug plugin was used.
• Another trick was to parse process names. When Process Monitor was running, we didn’t see anything… We had far more results by just renaming the tool: we then saw the creation of a new binary.
• File access monitoring confirmed the creation of the new “adobe1.exe” binary.
• This new binary was an unencrypted dropper.
• This was also confirmed through a behaviour analysis.
• Here we simply used a rogue DNS service to redirect traffic to an analysis server.
• This process downloaded the “update2.exe” binary from www.bringithomedude.com.
• And here we are! The final aim of the hackers was to silently get and execute a banking Trojan derived from SpyEye’s code.
• So let’s summarize what happened here.
• The file adobe1.exe is a simple loader of 2’560 bytes. It was not encrypted.
• On the other hand, the final update2.exe malware was a C# based binary of 668 Kb which included several protections aimed at preventing its reverse engineering. Disassembly revealed BASE64 encoding for raw data as well as encryption algorithms based on MD5 (System.Security.Cryptography.MD5CryptoServiceProvider), 3DES (System.Security.Cryptography.TripleDESCryptoServiceProvider) and AES (System.Security.Cryptography.RijndaelManaged).
• When this attack occurred, those files were undetected by most antivirus products.
• A few European antivirus products detected a potential threat, but all Eastern solutions such as Kaspersky, NOD32, DrWeb32 or VBA32 didn’t detect anything.
• It is therefore possible that the Russian market was the initial target of our malware writers.
• On the 8th October 2010, 16 antivirus engines out of 43 detected a potential threat in the final binary. The detection rate was about 37%.
• On the 15th October 2010, 19 out of 43 were efficient. The detection rate was about 44%.
• Around 8 months later, on the 2nd June 2011, 34 out of 43 detected a potential threat. This is a detection rate of 79%.
• Kaspersky, McAfee, Sophos and Microsoft were the most reactive.
• Gdata, Panda and Sophos were the next ones.
• ClamAV, eSafe, F-Secure, Fortinet & PrevX have proven far less effective.
• The final payload behaved like Zbot. It was based on a mutation of SpyEye. It is a Trojan aimed at the financial sector, and it is able to disable the Windows Firewall and steal financial data, such as credit card numbers, eBanking information or trading credentials. Common Trojan features were also available, such as screen capture, additional malware download or remote administration capabilities.
• Upon execution, the Trojan creates a folder named svhostxxup.exe in the C:\ drive. Then it creates the files config.bin and svhostxxup.exe in that folder.
• The latter binary is then called. It is responsible for creating new memory pages in several system applications’ address space, and therefore permits attackers to inject their malicious code into privileged programs.
• The Trojan then modifies a few registry keys and becomes persistent.
• The Reverse-Trojan also verifies the path from which it was run, and it checks whether the file “C:\Documents.exe”, “C:\Documents and Settings\user\Desktop.exe” or “C:\Documents and Settings\user\Desktop\update2.exe” exists in order to authorize or deny its own execution.
• It also checks for the registry key “HKEY_CLASSES_ROOT\AppID\update2.exe”.
• These are common practices among malware writers to help disturb reverse engineers.
• The Trojan then gets the compromised computer name by querying LSA and lists the C:\ drive before doing a recursive search of living files within its parent directory.
• Getting computer and user names is also a common practice for Trojans, as they most often need to declare unique zombies on their C&C server to permit accurate communication with bot herders.
• The Trojan tried to send HTTP packets to 2 different servers:
• After having redirected those IP addresses with ARP poisoning and simulating an HTTP service, we can see the Trojan saying a kind of “Hello, I’m here” to those web applications.
• The first server was probably aimed to offer an alternate route in case the second one was taken down. It actually forwarded its packets to greenchina.com.
• The involved domains have existed for quite a long time.
• The serv.com and greenchina.com domains were respectively registered in November 1994 and April 2001. The IP addresses which received the suspicious GET requests, 211.119.134.197 and 218.145.65.200, respectively hosted 1’644 and 11 websites.
• Despite its parameters, the URL http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 did not look so dangerous...
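The check-in above has a recognisable shape (user!computer!8 hex digits) that survives a change of C&C domain. As an added Python example (not tooling from the investigation), a small proxy-log filter that flags GET requests whose guid parameter has that shape and pivots the hits by C&C host to scope the incident; the log lines, their column layout and the client addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shape of the check-in seen in the investigation: guid=<user>!<computer>!<8 hex>
BEACON_RE = re.compile(r"^([^!\s]+)!([^!\s]+)!([0-9A-Fa-f]{8})$")

# Constructed proxy log lines in a simple "epoch client method url status"
# layout (format and client addresses are assumptions, not captured traffic).
LOG_LINES = [
    "1286496001 10.0.0.12 GET http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 200",
    "1286496002 10.0.0.12 GET http://www.greenchina.com/index.html 200",
    "1286496003 10.0.0.33 GET http://intranet.example/?guid=550e8400-e29b-41d4-a716-446655440000 200",
    "1286496004 10.0.0.45 GET http://serv.com/?guid=jdoe!WS-0451!1F2E3D4C 404",
]


def parse_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    return {"ts": int(ts), "client": client, "method": method, "url": url, "status": int(status)}


def beacon_fields(url: str):
    """Return (user, computer, tag) if any guid= value matches the beacon shape, else None."""
    for value in parse_qs(urlsplit(url).query).get("guid", []):
        m = BEACON_RE.match(value)
        if m:
            return m.groups()
    return None


def find_beacons(lines) -> list:
    """Flag check-ins, keeping the internal client and the C&C host for pivoting."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        fields = beacon_fields(rec["url"])
        if fields is None:
            continue  # ordinary GUID-style parameters (third line) do not match
        user, computer, tag = fields
        hits.append({"client": rec["client"], "c2": urlsplit(rec["url"]).hostname,
                     "user": user, "computer": computer, "tag": tag})
    return hits


def clients_by_c2(hits) -> dict:
    """Pivot: which internal clients talked to which C&C host."""
    pivot = {}
    for h in hits:
        pivot.setdefault(h["c2"], set()).add(h["client"])
    return pivot


if __name__ == "__main__":
    found = find_beacons(LOG_LINES)
    for h in found:
        print(f"{h['client']} -> {h['c2']} as {h['user']}@{h['computer']} ({h['tag']})")
    print(clients_by_c2(found))
```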
• It visually reached a standard webpage…
• But there was hidden information.
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Project’s context
0x03 - Mail analysis
0x04 - Client’s Website analysis
0x05 - Malware analysis
0x06 - Conclusion
0x06 - Conclusion
• Finally, the target of this complex attack was not directly our client, but his own customers.
• For sure, it has also impacted Fedor-Trading.
• Once the website was compromised, everything happened really fast.
• Attacks were initiated by an unfair competitor who afforded the services of the underground market.
• Both financial companies are present in Switzerland and abroad.
• So globally the attack implied:
  • Malware Code Writing (dropper, downloader, Banking Trojan)
  • 0-day Uncovering (Adobe Reader stack buffer overflow)
  • Social Engineering (Forex Regulation)
  • Web Attacks (Sh404Sef SQL Injection)
  • And most probably money transfer
• In fact, we are typically in a modern scenario of underground skills renting.
• This offers many business opportunities.
• Organised cybercrime exists in lots of countries, and a sophisticated underground economy has rapidly flourished these last years. But the huge majority of attacks involved China, Russia and Brazil.
• There is much less Hacking For Fun, and much more Hacking For Profit. Cybercrime has therefore become an enterprise with a thriving underground economy.
• New cybercriminals don’t have to develop their own code… They can rent botnets and even purchase licensed malware that comes with its own tech support.
• Cybercrime is now developing and spreading faster than ever.
• So welcome to the World Wild Web… And happy Forensics! :)
\xC29900: RETN 99
Your questions are always welcome!