Monday, December 13, 2010
There are several ways to maintain persistent access without having an executable-in-waiting on the filesystem. Memory-only based injection is an old concept. It has the advantage of defeating disk-based security. One common observation is that such malware doesn't survive reboot. That is true in the sense that the malware is not a service or a driver - but this doesn't mean the malware will go away. Stated differently, the malware can still be persistent even without a registry key to survive reboot. This applies to the problem of re-infection after re-imaging (a serious and expensive problem today in the Enterprise) and it also applies to the future of cloud computing (where desktop reset is considered a way to combat malware persistence).
The most common method for persistence without reboot is re-infecting the system from a neighboring, already infected system. It has sometimes been called the "Hack Finn" model - two or more malware programs that know about each other. Unless you kill both of them simultaneously the one will re-create the other. In today's world, the neighbor doesn't need to be physically nearby - it can be anything that has some access path to the other machine. This neighbor could be a social networking peer, a shared desktop (think exploited .ini), or a machine with lateral domain credentials.
Another way to maintain access is to store crafted (exploit) data in a commonly used document - think PDF exploit but for google docs. User's in a cloud based environment are going to have persistent data storage, whether this is up in the cloud or down on a USB stick. When the execution environment is constantly reset, as it might in a desktop cloud, the attacker can move method of persistence to the data itself. The malicious code must obtain execution cycles - think of the cloud based desktop simply as an execution space. The user opens said boobytrapped document every day as part of their work, and the malicious code activates. Or it can be delivered via a system used on a daily basis, such as an exploited image on an ad-banner, or the little calendar program in the corner of your timecard system.
For the window of time the user is interacting with the desktop, the code has execution cycles. This is when data is most at risk - this is when other documents are open, other social network contacts are online, and the user's access token is live and can be used to access other resources.
Remember, the attackers always adapt to new environments. The cloud just provides new ways for our adversaries to attack us.
Thursday, August 19, 2010
Sunday, July 18, 2010
Friday, May 14, 2010
I also applaud Josh’s note that APT uses existing tools. Other experts seems to think this is not the case, or that they don’t use packed malware, or that APT don't use botnets. Why wouldn’t they? It seems the more that someone tells me what APT isn't, the more it becomes clear they have no idea what APT really is. If APT use existing malware, which I’ve always maintained, then packing is par for the course, because it's a cheap way to defeat signature based detection definitions at the gateway and host alike. Perhaps the APT did some recon into the network and learned that using XYZ packer would defeat the AV solution at the desktop. The US government created the term APT to characterize a class of threats originating from Chinese and Russian state sponsored and criminal elements, not to classify a type of malware.
Since the government coined the term "APT" it has always been about Russian and Chinese attackers, BOTH criminal and state sponsored. For the government, it's very difficult to draw a line between the two. If you understand information operations, then you know that APT will use any and all means at their disposal to achieve the mission objective. If this means use of packers, so be it. The same applies to _any_ rule or definition someone puts in my face telling me what APT is and is not. An IO campaign will include a full spectrum of capabilities. In the context of cyber, each attack on a government facility, contractor, or commercial entity could be a single operation that is part of a larger campaign. Operations could be designed to assume false personas such as impersonating college students in a dorm room, or even a false-flag - impersonating the intelligence service of another foreign country. If you truly know what APT is about, you know that you can't start boxing it up and packaging it.
As Josh pointed out, the adversaries are constantly evolving and adapting. The old models are being defeated. The government has known about APT for a while and that new approaches to enterprise security had to emerge. This is one of the reasons that the USAF and DHS both funded HBGary to address this evolving threat. Our company and our technology are pushing the envelope forward.
Friday, April 30, 2010
When we talk about cyber threats, we need to conceptualize the relationship between the person and the software entity. Cyber threats are not just about malware, nor just about a human actor. You can't separate the two. It doesn't make sense to talk about human threats that don't manifest in cyberspace. And, malware that isn't backed by human intent would cease to be a threat. Our job is to explore this relationship between a human and his manifestation in cyberspace. The very word 'cyber threat' implies this relationship. It's direct and basic.
Monday, April 5, 2010
I first presented active reversing in 2007 at the Blackhat show in Vegas. At that time, the concepts were mostly theory, backed by a few prototypes I demo'd during the talk. It's taken us three years but I am very proud to say we have stayed the course and delivered something that is a true game changer for reverse engineers. It works so well that it's cheating.
Active reversing is when you obtain program understanding via runtime instrumentation, data collection, and statistics. Active reversing puts the focus on volatile runtime behavior as opposed to static disassembly. This transforms the tradecraft of reversing in many ways. For one thing, it promotes reversing to a larger professional audience. People who are already comfortable reading packet sniffer logs can now reverse engineer software. The data collected from a point in memory resembles the kind of data collected by a packet sniffer, the only difference being the data structure of the packet is actually an internal structure within a software program. Observing just a string can reveal what a function is responsible for.
Active reversing empowers you to reverse engineer by exercising a software program's capabilities and features. Consider that runtime code coverage reveals which functions are executing and when. This allows you to simply observe which functions execute in response to an action you have taken with the software. For example, if you want to find the password handling function, just review which functions executed after you typed in the login information. Filtering can be used to remove code that has executed more than once, or code that has already executed in response to another action. This so-called background noise may represent utility functions and general purpose packet handling. Once filtered, you are left with only the newly executed password handler functions. This approach can identify functions when searching for data might be difficult - for example if the data is numeric and not easily predicted. More than anything, this approach is fast. In just a few minutes you can have most of the major features of a program mapped to code.
HBGary just published a very technical whitepaper on software exploitation using REcon, with lots of screenshots and step-by-step how-to. Check it out: Software Exploitation with HBGary's REcon.
Friday, March 12, 2010
Monday, February 8, 2010
For fun, here are some sneak peeks of Responder 2.0
Above is the REcon recorded execution timeline from a particularly nasty APT malware that plagues the DoD by constantly hopping from NIPRNet to SIPRNet and vice versa, primarily through the dreaded USB stick.
The above diagram is a second malware. This malware puts the capital 'P' in APT. We were first introduced to this one back in 2005 during a DoD infection. The above sample we obtained just a few weeks ago, and clearly it's a variant of the original - that's almost 5 years and still going strong! The diagram shows the code and dataflow for a function that enumerates machine-specific data after an infection drops, this is then sent via the C&C channel when the malware reports in. This kind of behavior is very common in persistent malware, as the bad guys need to keep track of their machine-infection inventory. A little story goes like this: location 1) this queries the uptime of the machine.. 2) checks whether it's a laptop or desktop machine... 3) enumerates all the drives attached to the system, including USB and network... 4) gets the windows username and computername... 5) gets the CPU info... and finally, 6) the version and build number of windows. Quite thorough eh?
In a nutshell, Responder 2.0 cuts through APT like butter. More Info.
Thursday, February 4, 2010
Tuesday, February 2, 2010
Many of us have been analyzing malware for years and functionally the malware today is just the same as it was three years ago, but back then we didn't call it APT. In general, this got me wondering why people change the terms used to describe something (for anything in life)? For this malware and APT thing the best I could come up with is that many existing security companies adopted the term 'malware' many years ago, and thus their product offerings become tightly associated with the word 'malware'. Over the last few years or so, as people within the DoD and elsewhere realized that existing security investment wasn't adequate to protect their network, instead of calling the investment a failure for missing the malware, they instead decided to call the missed malware by a new name. Think: "This isn't malware; it's something new, so of course the millions we've spent doesn't address it!". A stretch?
The fact is this - malware has always had the ability to be updated in the field, it has always been able to be remote controlled, and it has always had the ability to spawn a remote shell to a live attacker. And, it has always had the ability to scan the file-system for files like source-code and CAD drawings, and it has always had the ability to exfiltrate those files. At all times and without exception, these malware programs have been operated by real and persistent humans at the other end. The malware doesn't operate itself, it's not an automaton. For the last 365 days, I just called that malware.
Thursday, January 28, 2010
Post-execution debugging is a paradigm shift from traditional interactive live debugging. Traditional debugging is cumbersome and requires micromanagement to collect data. The traditional debugging environment is designed for CONTROL of the execution, as opposed to OBSERVATION ONLY. Typically, the malware analyst does not need to control the execution of a binary at this level, and instead only needs observe the behavior. HBGary's REcon approach to debugging is far superior because the analyst can see and query so much more relevant data at one time without having to get into the bits and bytes of single-stepping instructions and using breakpoints. It's like having a breakpoint on every basic block 100% of the time, without having to micromanage breakpoints.
Tuesday, January 26, 2010
Monday, January 25, 2010
One of the challenges we face at HBGary while developing Responder is the sheer volume of information available in physical memory. We have to reverse engineer a large volume of underlying data structures within the Windows operating system, not just for one operating system but for every single version of Windows (that includes service packs). In other words, a lot of time spent in windbg. One of the more interesting information sources available from the kernel is the handle table. Handle tables are extremely powerful and allow you to determine, for example, what files and registry keys are open by a given application.
Consider the way malware drops and installs itself. Many times, malware will inject itself into other processes as part of its "installation and deployment". At HBGary, we divide all the various behaviors of malware into categories we call "malware development factors". One of those malware development factors is called "installation and deployment" and it's all the stuff that malware does to survive reboot. In our Digital DNA(tm) we have well over 400 rules to detect just this kind of behavior. For example, malware may install itself as an extension to Internet Explorer and sniff online banking credentials. There are many ways to detect the presence of these capabilities. File handles can be used to detect when malware has been injected into secondary processes.
Malware injected into Internet Explorer opens a suspicious log file. This data is obtained from the kernel handle table.
Another anomaly that you can look for is a strange file path or executable name. Simply compare all the paths that are available in all the modules. In Responder, you can double click the drivers folder,m or the 'All Modules' folder, to view all drivers or modules along with their paths, respectively. Most modules are in consistent locations. When you examine all the module paths together in a single view, the anomalies will stand out. You don't really notice this until you see it in reference to all the other paths on the system. Seeing everything at once helps you detect an outlier quite quickly. This is just one of the types of things you can do when you have all the information at your fingertips.
Executables that are located in a suspicious temp directory. Also, one of executables has a non-standard file extension (.tmp).
A very suspicious kernel-mode device driver. This driver has no path, just an odd name with no file extension. This is a rootkit that was later identified as a variant of the "Black Energy" rootkit family. Notice that Digital DNA has automatically identified this driver as highly suspicious.
Executables that are running in a process that don't have a corresponding module name or path. These are very suspicious and we determined these were injected DLL's that were unlinked from the module list. Notice that Digital DNA has automatically identified these as highly suspicious.
One thing I really like about Responder is that you can sort the information in columns alphabetically and bring the outliers right to the top. Another thing that I like about Responder is that you can also write plug-ins that extend the functionality of the user interface at any point. For example, I could write a regular expression that would search all the file handles for certain patterns and that could include executables used in multi-stage installation, such as CMD.EXE or RUNDLL32.EXE, or files that appear to be in suspicious paths.
Regex r = new Regex(".*\\\\temp\\\\.*\\.exe$", RegexOptions.IgnoreCase);
Match m = r.Match(stringData.Name);
if (true == m.Success)
// add an item to the report, associated with the DLL
IReportObject wo = theDLLPackage.CreateReportObject(
"suspicious exe in temp path",
"This path looks suspicious, examine further");
Responder scripts are written in C#.
I could even automatically add those to my report. The upcoming 2.0 release of Responder has an interactive report where you basically just drag and drop any specific data item to your report and drop it where you want the report item to appear. The dropped data actually just appears right there in the report at that location, including a description of what it is. Of course, this is editable by you, and you can expand upon it, but it makes it very easy for you to assemble a collection of those things that you find important in the memory snapshot. In summary, the report is a way to export and print the data I care about. I guess it also gives me a way to come back and reference those report items later (if you find yourself re-exploring old memory images). This is a short summary of some things you can do using the handles and the paths that are available to you in a physical memory snapshot.