Hacking Exposed 7 Network Security Secrets & Solutions

Chapter 6 Cybercrime and Advanced Persistent Threats
1
Cybercrime and Advanced Persistent Threats
• What is an APT?
– Operation Aurora
– Anonymous
– RBN
• What APTs are not
• Examples of popular APT tools and techniques
• Common APT indicators
2
What is an APT?
• APT: term from the US Air Force, 2006
• Advanced: capable of crafting custom exploits and tools for selected targets
• Persistent: long-term objective without being detected
– Low-profile, without interrupting normal operation
• Threat: organized, funded, and motivated
• Examples:
– Spear-phishing email
• Includes malware to exploit the user’s computer
• Or refers the user to a server delivering custom malware
• Email systems and exploit malware (Trojan droppers): leased or pay-per-install
– Other techniques: SQL injection, meta-exploits, phishing, social networking
3
Multiple Phases of APTs
• Targeting
– Collect info about the target and test it: vulnerability scanning, social engineering, spear-phishing
• Access/compromise
– Gain access: ascertain host info, collect credentials for additional compromises, obfuscate intention with malware
• Reconnaissance
– Enumerate networks and systems
• Lateral movement
– Move through the network to other hosts
• Data collection and exfiltration
– Establish collection points and exfiltrate via proxy
• Administration and maintenance
– Maintain access over time
4
Operation Aurora
• Code-named by investigators
• Google, Juniper, Adobe, and at least 29 others
– Lost trade secrets and competitive info over 6 months
• Gaining access to the victims’ networks
– Targeted spear-phishing emails to employees with a link to a Taiwanese website hosting malicious JavaScript that exploits an IE vulnerability for remote code execution
– Malicious JavaScript with a CRC routine of 16 constants, undetected by virus scanners
• IE vulnerability
– Allows Trojan downloaders to download and install a backdoor Trojan RAT (remote administration tool) with SSL-encrypted communications
• Follow-up steps: network reconnaissance, compromise Active Directory, access computers for trade secrets, exfiltrate info
• From China?
– CRC code published in simplified Chinese
– 6 command-and-control IP addresses in Taiwan, traced to 2 schools in China
• Other APT campaigns with similar patterns: Night Dragon in 2010, RSA Breach and Shady RAT in 2011
5
Anonymous
• From 2011, a loosely affiliated group or collection of groups, aiming to expose sensitive info to the public or interrupt services (DoS)
• A variety of hacking techniques
– SQL injection, cross-site scripting, web service vulnerability exploits, social engineering (targeted spear-phishing, imitating employees such as help desk personnel)
6
RBN (Russian Business Network)
• From St. Petersburg to international cybercrime
• Operates several botnets for spamming, phishing, and malware distribution
– Identity or financial theft
– Very sophisticated malware tools to remain persistent
– A platform for subscribers to conduct their activities
• Hosts pornographic subscription websites
7
What APTs Are Not
• Not “hacks of opportunity”
• Neither a single piece of malware, a collection of malware, nor a single activity
• Rather, coordinated and extended campaigns with a purpose – whether competitive, financial, reputational, or otherwise
8
Examples of Popular APT Tools and Techniques
• Malicious email
• Gh0st attack
• Memory capture
• File/process capture
• Lost Linux host
• Indicators of compromise
9
Malicious E-mail
• Phishing email with a URL to click
• To trace it back, use tools such as
– WHOIS
– Robtex Swiss Army Knife Internet Tool
– PhishTank
10
Gh0st Attack
• Gh0st RAT (Remote Administration Tool)
• From China: used 2008-2010 against the office of the Dalai Lama
• Gh0st RAT capabilities
– Existing rootkit removal, file manager, screen control, process explorer, keystroke logger, remote terminal, webcam eavesdropping, voice monitoring, dial-up profile cracking, remote screen blanking, remote input blocking, session management, remote file downloads, custom gh0st server creation
11
Indicators of Compromise
• For malware to survive a reboot
– Using various “Run” registry keys
– Creating a service
– Hooking into an existing service
– Using a scheduled task
– Disguising communications as valid traffic
– Overwriting the master boot record
– Overwriting the system’s BIOS
• Forensic techniques and incident response procedures documented in RFC 3227, in the order of volatility
– Memory
– Page or swap file
– Running process info
– Network data such as listening ports or connections
– System registry
– System or application log files
– Forensic image of disk
– Backup media
• Toolkit on CD-ROM
– AccessData FTK Imager
– Sysinternals Autoruns
– Sysinternals Process Explorer
– Sysinternals Process Monitor
– WinMerge
– Currports
– Sysinternals Vmmap
12
Memory Capture
• Dump memory to an external mass-storage device and analyze the malware
– Hacking tools use process injection and obfuscation
• Memory dump: FTK Imager
• Memory analysis: HBGary, FDPro, Responder Pro, Mandiant Memoryze, Volatility Framework
– Extract process-related info, threads, strings, dependencies, communications, Windows OS files (Pagefile.sys – page file, Hiberfil.sys – swap file; right-click to export the files)
– The Sandman Project: an approach to analyzing memory files
– Steps in the Volatility Framework: image identification → retrieve processes → check connections of processes → look into a process by PID → dump DLLs from this process → check DLL content with the strings command → Volatility plug-ins to check for traces of malware (e.g. the malfind plug-in detects hidden or injected processes) → upload result files to VirusTotal
13
File/Process Capture (1/2)
• Master File Table (MFT): metadata (filename, timestamps, file size, etc.); the timeline is important
• Network/process/registry: netstat to find connections and the owning process PID
• Hosts file: check for any changes
• Currports: look into a currently open port and its DLL
• Process Explorer: look up a process, its DLL references, and cmd.exe shell executions
• Process Monitor: look up process-kernel interactions → understand how malware modifies a compromised system and provide indicators for detection tools
• VMMap: show the virtual/physical memory map, check DLL strings → malware strings that imply a RAT
• DNS cache: find other possibly infected hosts
• Registry query: reg query to check for suspicious Registry entries under the Run keys
14
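As an added example (not from the book or these slides), a Python parser for `reg query` output over the Run keys that flags the indicators the slides name: an executable living in a TEMP folder, or a copy of cmd.exe/svchost.exe outside System32. The registry output below is constructed sample text, not captured from a real host.

```python
import re

# Constructed sample in the shape of `reg query <key>` output (not from any real host)
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\bob\AppData\Local\Temp\svchost.exe -k netsvcs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    helper    REG_SZ    C:\Windows\Temp\cmd.exe /c start C:\Windows\Temp\r.bat
"""
SYSTEM_NAMES = {"cmd.exe", "svchost.exe"}   # system binaries attackers copy elsewhere

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value line of reg query output."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):        # key paths are printed unindented
            key = raw.strip()
            continue
        parts = re.split(r"\s{4}", raw.strip(), maxsplit=2)  # name, type, data
        if key and len(parts) == 3:
            yield key, parts[0], parts[2]

def image_path(data):
    """Return the executable path from a command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]

def suspicious_run_entries(text):
    """Flag Run-key values that match the slides' indicators of compromise."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = image_path(data)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\temp\\" in low:
            reasons.append("executable lives in a TEMP folder")
        if base in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append(f"{base} outside System32")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings
```

Feed it the real output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKCU and RunOnce keys) to get the same triage list for a live host.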
File/Process Capture (2/2)
• Scheduled tasks: at to find scheduled tasks
• Event logs: psloglist to retrieve the System and Security event logs → commands issued by attackers
• Prefetch directory: last 128 unique programs executed
• Collecting interesting files: ntuser.dat (user profile), index.dat (requested URLs), .rdp files (remote desktop session info), .bmc files (bitmap cache to clients), antivirus log files (virus alerts)
• Analyzing RDP files: servers accessed, login info, etc. in XML → attackers use RDP to connect to other servers
• Analyzing BMC files: cached bitmap images for performance → BMC Viewer to find the attacker’s access to applications, files, network, credentials
• Investigating the System32 directory for anomalies: diff the system32 directory against the cache directory to find files changed since installation → .dll, .bat, .rar, .txt
• Antivirus logs: check for configurations that exclude detection of certain PUPs (Potentially Unwanted Programs), e.g. netcat/nc
• Network: analyze traffic between the compromised host and the C&C server → other targeted hosts → signatures for IDS
15
Summary of Gh0st Attack
• Phishing email
• Backdoor placed when the malicious link is clicked
• Backdoor hides itself to survive a reboot
• Connection to C&C
• Check internal domain, create accounts, use Terminal Server to hop to other hosts (Event Logs)
• Add/modify some files (diff \System32)
• Look for documents and zip them for exfiltration
• Create a 2nd backdoor using netcat
• Create a user account and execute FTP (Windows Security Event Log)
• Schedule a new job to clean logs every day
16
Linux APT Attack
• Scenario: Apache Tomcat server with weak credentials
• Metasploit Framework to penetrate and get a shell
– Connect to Tomcat, find shadow.bak, crack passwords
– With a root account, sudo su - to run all commands
– Upload a PHP backdoor, create a SUID root shell for getting root back in case a password gets changed
– Use the host to pivot to other hosts: leave little on the host
• To diagnose the host
– Block access with a firewall
– Check root account history, check added/modified files, check logs for sudo su - commands
– Check listening ports and connections with netstat and lsof
– Check for hidden files in RAM drives, drive slack space, /dev, hard-to-see file or directory names like “.. ” (dot-dot-space), /tmp and /var/tmp
17
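An added example, not from the book: a Python scan over a directory tree for two of the diagnosis points above, hard-to-see names such as “.. ” or “...” and setuid executables. The tree it scans is constructed in a temporary directory so the script runs offline; point `scan_tree` at /tmp, /var/tmp or /dev on a host under investigation instead.

```python
import os
import stat
import tempfile

def odd_name(name):
    """Hard-to-see names: leading/trailing whitespace, or dots only, such as '.. ' and '...'."""
    return name != name.strip() or (name.strip(".") == "" and name not in (".", ".."))

def scan_tree(root):
    """Walk root and report hard-to-see names and setuid executables as (relpath, reasons)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            reasons = []
            if odd_name(name):
                reasons.append("hard-to-see name")
            st = os.lstat(full)                       # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                reasons.append("setuid bit set (owner uid %d)" % st.st_uid)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def build_demo_tree():
    """Constructed tree imitating the hiding spots on the slide; returns its root path."""
    root = tempfile.mkdtemp(prefix="linux-apt-demo-")
    hidden = os.path.join(root, "tmp", ".. ")          # dot-dot-space directory
    os.makedirs(hidden)
    shell = os.path.join(hidden, "sh")
    with open(shell, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/sh\n")
    os.chmod(shell, 0o4755)                             # setuid bits like a planted root shell
    os.makedirs(os.path.join(root, "var", "tmp"))
    with open(os.path.join(root, "var", "tmp", "notes.txt"), "w") as f:
        f.write("harmless file\n")
    with open(os.path.join(root, "var", "tmp", "..."), "w") as f:
        f.write("dots-only name\n")
    return root

if __name__ == "__main__":
    for rel, why in scan_tree(build_demo_tree()):
        print(repr(rel), ", ".join(why))
```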
Summary of Linux APT Attack
• Root access through a Tomcat server with weak credentials
• Evidence of scripts and SUID shell binaries
– Several ways to get back in: accounts, PHP shell, SUID shell, etc.
• Attackers explore the environment and look for other targets
• With the Metasploit Framework, the compromised host is used as a pivot host (without tools installed)
• Run shells like Meterpreter in memory without disk writes
18
Poison Ivy RAT
• A ubiquitous tool used by many APT campaigns (Operation Aurora, RSA attacks, Nitro)
– Similar to Gh0st RAT
– Source code available for custom-purposed Trojans
– Deployable by phishing email with a Trojan dropper suffixed with a self-executing “7zip” extension
– Detected by the Malicious Software Removal Tool (MSRT)
– Often seen in “snatch-and-grab” compromises of computers
• A tool itself is not an APT; the persistent campaign is!
19
TDSS Malware
• A botnet of hosts compromised by TDSS
– “Malware as a service” for subscribers
• DDoS attacks, click fraud for advertising revenue, backdoor installation and execution, etc.
• Subscription through websites such as AWMProxy.net
• Targeted at compromised networks of hosts in selected companies
• Utilized in more APT campaigns since 2011
• TDSS
– A rootkit with encrypted files and communications; C&C communications over compromised hosts, proxies, and P2P networks
– Numerous infection vectors
• Application and server zero-day exploits, Black Hole exploit kit, spear-phishing emails, viral worms via P2P/IM/NetBIOS, rogue DHCP servers, etc.
20
Common APT Indicators
• Indicators
– Network communications utilizing SSL or private encryption methods, or sending/receiving base64-encoded strings
– Services registered to Windows NETSVCS keys in the SYSTEM folder with DLL or EXE extensions
– Copies of cmd.exe as svchost.exe or other file names in the TEMP folder
– LNK files referencing executables that no longer exist
– RDP files referencing external IP addresses
– Windows Security Event Log entries with external IP addresses or computer names that do not match organizational naming conventions
– Windows Application Event Log entries of antivirus and firewall stop and restart
– Etc.
• Recent APT procedures: 14 steps (expanded from the previous steps)
21
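An added example, not part of the slides: a Python review of Security Event Log logon records that flags the two indicators above, an external source address and a computer name outside the organization's naming convention. The convention CORP-WS####/CORP-SRV#### is a placeholder assumption, and the records are constructed sample data in the shape of exported event fields.

```python
import ipaddress
import re

# Assumed organizational naming convention (placeholder): CORP-WS0042, CORP-SRV0007
ORG_HOST_RE = re.compile(r"^CORP-(WS|SRV)\d{4}$", re.IGNORECASE)

# Address ranges that count as internal for this check (RFC 1918, loopback, link-local)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]

# Constructed records in the shape of exported Security log fields (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",
     "WorkstationName": "CORP-WS0042", "IpAddress": "10.1.2.42"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "backup",
     "WorkstationName": "WIN-7K2PQ3", "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "administrator",
     "WorkstationName": "CORP-SRV0007", "IpAddress": "198.51.100.9"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob",
     "WorkstationName": "CORP-WS0101", "IpAddress": "-"},
    {"EventID": 4672, "LogonType": 0, "TargetUserName": "SYSTEM",
     "WorkstationName": "-", "IpAddress": "::1"},
]

def is_external(ip_text):
    """True for a routable source address; '-' (no address) and internal ranges are not."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # Windows writes '-' when no network address applies
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def review_logon_events(events):
    """Return (user, reasons) for logon events (4624 success, 4625 failure) worth a look."""
    findings = []
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        reasons = []
        if is_external(e["IpAddress"]):
            reasons.append(f"source {e['IpAddress']} is outside internal ranges")
        ws = e["WorkstationName"]
        if ws != "-" and not ORG_HOST_RE.match(ws):
            reasons.append(f"workstation name {ws} breaks naming convention")
        if reasons and e["EventID"] == 4624 and e["LogonType"] == 10:
            reasons.append("successful RDP logon (logon type 10)")
        if reasons:
            findings.append((e["TargetUserName"], reasons))
    return findings
```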
APT Detection
• Administrative procedures
– Create a file system index to audit changes
• A simple diff analysis of index files
– Alert on admin logons
– Firewall or IDS to monitor inbound RDP/VNC/cmd.exe
• Products
– Endpoint security products (AV, HIPS, file system integrity checking)
• Sandbox-based or reverse-engineering-based anti-APT products
– File system auditing products for change control and auditing
– Network intelligence/defense products (IDS/IPS)
– Network monitoring products (tcpdump)
– Security information/event management products with correlation and reporting databases
22
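An added example, not from the book: a Python file system index and the “simple diff analysis of index files” above, which is also the System32-against-baseline diff from slide 15. The audited tree is constructed in a temporary directory, with a baseline taken before a simulated intruder modifies, drops and deletes files.

```python
import hashlib
import json
import os
import tempfile

def build_index(root):
    """Map relative path -> [sha256, size] for every regular file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            index[os.path.relpath(full, root)] = [h.hexdigest(), os.path.getsize(full)]
    return index

def save_index(index, path):
    with open(path, "w") as f:
        json.dump(index, f, sort_keys=True)      # keep this file off the audited host

def load_index(path):
    with open(path) as f:
        return json.load(f)

def diff_index(baseline, current):
    """Return (added, removed, modified) relative paths between two index snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: index a fake System32, then re-index after tampering."""
    root = tempfile.mkdtemp(prefix="fsindex-")
    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f: f.write(data)
    put("System32/kernel32.dll", b"original library")
    put("System32/notepad.exe", b"original editor")
    put("System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
    save_index(build_index(root), root + ".json")     # baseline taken at install time
    put("System32/drivers/etc/hosts", b"127.0.0.1 localhost\n10.9.8.7 update-server\n")
    put("System32/svchost.bat", b"@echo off\r\n")     # dropped file with a .bat extension
    os.remove(os.path.join(root, "System32", "notepad.exe"))
    return diff_index(load_index(root + ".json"), build_index(root))
```

`demo()` returns the three lists an admin would review: the dropped .bat file as added, notepad.exe as removed, and the hosts file as modified.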