Comparing the incomparables
Formal Metadata
Part Number | 17
Number of Parts | 29
License | CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/18838 (DOI)
Hacktivity 2015, part 17 / 29
Transcript: English (auto-generated)
00:00
Now I could ask you how was the party last night, but I can't see the casualties, so I could be gentle with you. I could make this presentation light and entertaining for you, but I'm not a nice person, so I won't make it easy. So let's just try to jump right into this. What am I going to do? Who are these incomparables in the landscape where we are moving?
00:25
Meaning the malware authors, the malware-writing groups, and the malware protection programs, especially APT protection programs. Every major constituent is thoroughly tested and
00:42
their qualities are measured. The antivirus protection products are regularly tested by third-party testers. Even the special APT protection devices, which otherwise claim themselves to be untestable, already are and
01:02
can be tested; you could hear about it in yesterday's presentation by Zoltan Balazs, or later today by Baldi, in a little more detail about how to test these APT defenses. Even the tests themselves are measured against objective criteria by the Anti-Malware Testing Standards Organization.
01:22
There is one single player who is never tested, and those are the malware authors, and that's not fair. We should be aware of their capabilities, not only for fun but also because there is an actual war going on between them and us, and the first
01:42
rule of war is that you have to know your enemy. If you don't know your enemy, your defenses will be inadequate. If you underestimate them, they are going to get you. If you overestimate their capabilities, then
02:01
your efforts in protection will be misplaced, and you will waste your efforts in areas where you shouldn't, and you should concentrate your efforts elsewhere. Just as an example: if you have a house which is full of valuable stuff and gadgets, and
02:23
you want to protect it and you're afraid of the burglars in the neighborhood, there are a couple of options you can choose. You can build a wall around your house, a three meter high wall, electric fence on the top; that would effectively stop the ninjas who have, as we all know, only
02:42
a 2.5 meter vertical leap. But that's a bit expensive. It also blocks your view to the outside. It also has devastating effects on the vegetation around the wall. So if you would happen to know
03:00
that the typical burglars in your neighborhood are just cat burglars who are really good at lock-picking, because yesterday they attended the lock-picking workshop here at Hacktivity, then you would know that the wall is useless. It's not necessary;
03:21
you should strengthen your locks and windows and doors. That would be an adequate measure for you, much cheaper, and you would still be protected. Now, it still wouldn't defend you against nation-state sponsored
03:41
attackers like the NSA and the likes, but chances are, before the NSA would attack you, there will be about five Russian cybercrime groups, three Chinese APT groups, maybe one Israeli and one French APT group attacking you. So you have to prepare for the vast majority of the attacks. For that
04:02
you have to know the capabilities of the attackers, and that's the point of evaluating all these malware authors, the APT groups and the common cybercrime groups, and that's the point of my presentation. Now,
04:21
how do you evaluate these groups, how do you measure their skill set? There are a couple of problems with testing them. First of all, the test subjects, these malware author groups, work on different principles. They have different purposes: some of them want your
04:44
banking access information so that they could steal your money from the bank; others want some sensitive documents from your hard drives; while others want to just destroy your nuclear facilities physically. So they have different purposes. They have different targets. Some are targeting home users, others large corporations,
05:08
yet other APT groups are targeting non-governmental organizations. So the target range is also wide, and because of that they have to defeat different defenses. For home users
05:23
there is probably only a free antivirus solution; for large corporate users, all sorts of in-depth defenses are in place, even some advanced protection devices. And for that the attackers use
05:42
very different approaches and tools. Some are very happy just sending a phishing email with the text: "Hey, here is some nice content, click here and you'll be fine." Others are using common exploits, yet others are using zero-day exploits. There is a wide range of tools that they are using,
06:07
so the task is how to measure and qualify players who work on a very wide range of activities, and
06:24
the solution is something like professors are doing in university classes, where they have a lot of students with a wide range of capabilities. They are going to give them a problem to solve, and based on the level of their
06:45
understanding of the problem and the skill they show in the solution, they are going to rate these students. That's what I'm going to do: I'm impersonating a teacher, APT groups are going to be the students. Now, for that test to work,
07:02
the problem has to be solvable; if it is not solvable, there is no point in the test. It also has to be difficult enough: if anyone scores perfect on the test, then it is not a good comparative test. Also the test problem has to be granular enough to differentiate between a wide range of skill sets, and
07:27
lastly, every student in the classroom has to be motivated to solve the problem. If it is a problem that only 10% of them are interested in solving, then the test results will not be
07:44
usable for our purpose of measuring a large number of these malware authors. So what is going to be the test problem? The test problem is going to be a Word vulnerability. It was discovered last year. It's a Rich Text Format file format vulnerability
08:06
that leads to a memory corruption. Now, if you attended yesterday's presentation by Zoltan Emmet, a lot of the terms and methods I'm going to talk about should be familiar to you. That was a
08:25
very extensive and good overview of the general principles, and this is going to be a practical implementation. And this is what I referred to in the introduction, that I'm going to be tough with you, because in order to understand the results of the test you have to understand the methodology of the test, and the methodology of the test
08:47
relies on you understanding how this exploitation works. Now, this vulnerability has the unsexy name of CVE-2014-1761. I'm going to refer to this vulnerability as... yes, 1761. I estimated it; you saved me 35 seconds of presentation time overall.
09:07
Anyhow, this is a new Word vulnerability and exploit, and every possible malware author group is just very happy to get their hands on a new Word
09:22
vulnerability and exploit, so they are very much motivated in using it, because it is a powerful tool in infecting users. So if you read the original Microsoft description of this vulnerability, it will say that it affects all possible
09:43
Word versions that were out there at the time. So all of them which are listed on this list are vulnerable and possibly exploitable by this vulnerability. Now, we all know that in theory there is no difference between theory and practice;
10:04
however, in practice there is a huge difference. So if you would guess, what would be your guess: how many of these Word versions were actually affected by this vulnerability?
10:21
The silence I take as zero. It was slightly more than that: actually one version was ever affected by this vulnerability, and it was the Office 2010 Service Pack 2 32-bit version. And the reason is that even though all the other versions were
10:42
exploitable and could have been exploited successfully, the practical implementation of the exploit heavily relied on absolute memory offsets taken from a particular Windows component, MSCOMCTL.OCX, a particular version of it,
11:00
and that one was only installed by default by this Office 2010 Service Pack 2. It would have been a straightforward process to port this vulnerability to all of the other Office versions. It didn't happen.
11:21
Why, you will probably understand around the middle of this presentation. So let's talk a little bit about the exploitation process itself. From a very rough overview, there is a
11:43
Rich Text Format exploited document, the vulnerability triggers, a shellcode gets executed, and at the end a payload is dropped onto the system, some sort of Trojan. Now, there is one slight problem in this chain, and that slight problem is called Data Execution Prevention,
12:10
which means that it is relatively easy to fool Word into writing shellcode into a memory area
12:26
on the heap; it is quite easy also to convince it to jump into that memory area. However, what is difficult, and not possible with DEP present, is to actually execute that code,
12:41
because these data areas, either on the stack or on the heap, are declared, at least on contemporary Windows operating systems, as non-executable. You can inject your code there; you cannot execute that. So before you can execute your shellcode that would drop and execute the final Trojan on the system,
13:04
you will have to make sure that the shellcode is executable; it's not in an executable page. So the whole exploitation starts with a bootloader component. That bootloader component allocates a new memory block,
13:20
makes that an executable memory block, just copies the shellcode and executes from there. That's pretty easy. There is one slight problem: in order to make this allocation, you have to execute the bootloader code. How do you execute code if you cannot execute code because of Data Execution Prevention? And
13:41
here comes the concept of ROP exploitation, return oriented programming, which means that you cannot execute the code that you placed in memory, but you can execute code that is already placed in memory by the system libraries at the time the exploitation
14:01
occurs. There are dozens of Windows system libraries already loaded into memory for your convenience. This means there are tens of megabytes of code lying in memory that you can use. Now all that the attacker has to do is to pick small
14:24
snippets of this code, think about them as puzzle pieces, get these puzzle pieces from Windows system libraries and just chain them together so that they would accomplish the functionality that you will need. So during the exploitation,
14:44
when the memory corruption occurs, you just divert the normal execution of Word to jump to the first puzzle piece of your code, and Word gets so disoriented that it will jump from puzzle piece to puzzle piece. If they are chained together very carefully,
15:05
then they will accomplish the task you want. These puzzle pieces are of a very limited capability set, so you will need a lot of puzzle pieces to accomplish even the smallest task that you need.
15:22
There is another problem, which is ASLR, Address Space Layout Randomization, which means that if you want to use these puzzle pieces you have to know where they are in memory. 99% of the Windows libraries are placed randomly in memory; there are only a few of them which have a fixed load offset, and
15:45
these libraries are of extreme value for the exploiters and attackers, and MSCOMCTL.OCX, that is used by the vulnerability, is one of those libraries. So the exploitation starts with confusing Word, making it detour, diverting its execution, and then starts the ROP chain,
16:08
which would allocate executable memory for the shellcode and execute it. There is another slight problem in this particular case, which means that
16:24
when Word first gets diverted, it gets diverted to a small memory region, and the small memory region cannot host an entire ROP chain. There is another memory region that the attackers can control which can host a large chunk of data,
16:41
but it is not where the execution first gets diverted to. So the bootloader of this exploitation process is further divided into two parts. There is a bootloader of the bootloader, the initial ROP chain, which will make sure that the execution gets diverted to that larger buffer,
17:02
which is already hosting the entire ROP chain. That ROP chain then allocates an executable memory range, copies the shellcode; the shellcode executes in one or two stages, locates the payload, decrypts it, drops it, executes it, and
17:21
there we are with an installed Trojan. Now, it is a good test problem for the malware authors because it is granular. Modifying the final payload is an everyday task for these malware authors;
17:41
modifying the shellcode, it's not every day, but they do it on a regular basis; touching the ROP chains, now that's a highly skilled operation, and not many of them are able to do that. So here we have a granular
18:00
problem for the malware authors to solve. If we are looking a bit in detail into the exploit itself: it is a memory corruption vulnerability. A vtable, a pointer to a function table, gets overwritten during the exploitation.
18:23
The way it happens: RTF documents can contain list override tables, which have several different parameters for lists embedded in the text of the document. Now, the data in these list override tables is stored in
18:44
buffers in memory, I mean structures in memory, and the addresses of these structures are stored in a pre-allocated memory region. Now, if there would happen to be somewhat more of these
19:02
override structures than Word expects, then it will stretch over the boundary of the pre-allocated memory area and it will overwrite whatever comes after that, and that's the memory corruption that leads to the execution. In particular,
19:21
at a certain memory address there is a pointer to a vtable in MSO.DLL. It's a pretty meaningless, at least for me, function table, not too fancy functions. And in the process of
19:42
parsing the malformed RTF document, the addresses of the list override tables stretch over the allocated region and overwrite this function table address. So at some unrelated point later in the code execution of Word, a call would be made into this function table,
20:06
but instead of taking the appropriate function from MSO.DLL, this call would take the address from one of the list override tables, and this address would be an absolute memory location inside MSCOMCTL.OCX.
20:28
Yes, and the initial ROP chain, as I said, does nothing but transfer the execution to a larger buffer which is controlled by the attacker. I mean,
20:43
inside the list override structure there is this level text buffer, which can hold a large chunk of binary data. This large chunk is going to be the main ROP chain and the shellcode, the first shellcode. Now,
21:02
the list override table contains the address of this buffer. So really the initial ROP chain has nothing to do but execute this single call into the list override, into the level text buffer. Like I said, the ROP
21:25
gadgets, or the puzzle pieces that you can use from the preloaded system libraries, are of very limited capabilities. So for this single call, a single assembly instruction,
21:40
you need six different puzzle pieces to execute this code. And just as an illustration of the complexity of the task: the address of the first ROP gadget is stored in a list override table, but within the RTF file
22:00
it's actually stored in four different places; it's combined from four different places. For example, the first byte, e8, is the value of the \levelnfcn tag in the RTF: 232 decimal equals e8 in hexadecimal. The next byte, 48, is actually a bit field, and
22:24
several of the tags within the RTF combine into it. For example, this \leveljc, \leveljcn0, \levelnorestart and \levelold; this \levelnorestart is setting 40, the other setting 8 in this bit field. That's how it is combined together.
22:45
Finally, the last two bytes are in the \levelnumbers tag within the RTF file: this \'5a. Note the hexadecimal value of 5a; the following apostrophe is the ASCII character
23:05
27, which follows there. So in order to control one single address in the ROP chain, you will have to modify at least four different places, four distinct places, in the RTF file.
23:21
To use this exploitation, you can imagine, requires an intimate knowledge of the RTF structure representation. So in effect, at this address in MSCOMCTL.OCX you will find a small code fragment; this is going to be the first puzzle piece in solving the
23:43
code transfer. After that, execution goes on to the larger level text buffer, the real ROP chain that is stored there, which does the memory allocation. Now, that one is a bit longer, and as I said,
24:02
the attackers have no absolute control over the code within the ROP gadgets. So they do what they want, and they do a bit more than that in some cases: apart from doing whatever the attackers want to do, they perform some pops from the stack, which are not needed for the actual execution,
24:26
but because there is a pop and it's not avoidable, there has to be something on the stack that is popped into a register, which is never used. So during the ROP chain there are a few unused bytes,
24:41
which have no significance for the exploitation; they have to be there so that something could be meaninglessly popped into a register. So these bytes are not used; it could be anything right there. The main ROP chain, the main logic, is very simple: it allocates new memory, copies the shellcode there and jumps there.
25:03
But because the ROP gadgets are of limited capabilities, it requires about 10 to 12 building blocks to accomplish this task. If you look from the RTF perspective into this, the exploit RTF file starts with some sort of header, followed by some sort of irrelevant information,
25:27
the exploit trigger. The initial ROP chain is scattered throughout the text of the RTF file. The first stage ROP chain is stored in the level text buffer along with the first stage shellcode; the second stage shellcode and the payload are usually
25:45
appended as some binary chunk at the end of the RTF file. Now from the attacker's point, I mean from the test point of view, it adds an additional granularity to the test. Like, every decent malware author could modify the appended binary shellcode and the payload; that's not a problem.
26:06
The first stage shellcode is easily recognizable, relatively easily recognizable, in the level text buffer. I mean, it looks like a buffer of bytes that a decent
26:23
malware writer can comprehend and modify. The initial ROP chain, for that you have to really, really deeply understand the RTF structure. So apart from the granularity in the exploitation itself, there is a granularity in understanding the RTF
26:43
structure itself. So it is a well-defined and granular test task for the attackers, and people are going to live with it. So we are going to rank the attackers on the skill set they are showing to us.
27:02
So starting from zero knowledge: zero knowledge means that they are buying a generator in the underground marketplaces and they are going to generate a sample with it. A basic skill set involves replacing the payload in an existing sample. Intermediate knowledge:
27:23
attackers can already modify the shellcode. Skilled ones try to make some trivial modification in the ROP chain itself. Advanced attackers can make significant modifications in the ROP chain
27:41
or the exploit trigger, and the real good ones can control every single aspect of the exploitation. That is going to be the scale on which I will place the APT authors. So the first version of this research was published in February
28:03
on our blog. I'm not going to touch all of the families and groups mentioned in that, because that would be an even longer presentation. You can go there and check that, but I'm going to mention a few additional ones which were not known at the time
28:23
of writing that paper. So let's start with suspect zero, the first ever sample that we could identify using this vulnerability. This is going to be the base point of comparison; as it turned out, all of the further samples were derived from this one.
28:42
There was no independent development going on in this exploit. This was a destructive Trojan Appeared last April and it dispelled a decoy with some Mayor partners seeking advertisement
29:07
Clearly Because of this kind of decoy and a destructive payload It was not used in a targeted attack as you would expect from from an APT player who?
29:21
Would deploy a zero day. I think it was deliberately released a little before Microsoft patch this full novelty the reason is unknown perhaps the But perhaps the cover tracks because if there is only one single entity who knows and uses this one and ability every every
29:45
evidence points in their direction. If others start using it, it will get scattered. Anyway, in this case the document starts with a large chunk, several kilobytes, of really junk content, not used,
30:01
not displayed, but it is very convenient for identifying everyone else who was copying this content. Clearly, whoever developed it was a highly skilled one. There were some rebirths. One week after the initial sample was released, a couple of targeted attacks were
30:27
performed using this vulnerability, mainly by the Dukes group, which was recently blogged about by F-Secure, a great overview by them.
30:43
It was targeted against diplomatic targets and they made very significant modifications to the exploited document. For example, they cut all of the junk that was at the beginning of the file. They stripped it down
31:02
nearly to the minimum of the RTF content and also changed memory locations within the ROP chain. So they made very significant changes in the exploited documents. I'm not saying it is not possible to do all that in a week,
31:22
but it's very unlikely that happened. My guess would be that they had prior knowledge of this exploit before they started working on it. If I had to guess, I would say that this is the group that is most closely connected to the source of the exploit.
31:42
Now the Dukes have a reputation of being supported by the Russian government. They have huge financial resources and they have a history of using zero-day exploits. So it is not an unreasonable assumption that they were the first ones to use this exploit, but there is no
32:02
strict evidence pointing in that direction. Anyhow, because of the changes they made to the ROP chain, clearly dangerous and pro criminals. There are some direct descendants that were using the original sample and they didn't do anything else
32:22
but swap the exploit's payload, the binary Trojan at the end. That's clearly a very basic modification. These samples appeared about one week or a month after the original release, and they were used by the Pitty Tiger
32:41
APT group. When I said they didn't change anything, that's not entirely true: they changed the author name from "is my is my" to "is my", which is something you could do in two seconds in a text editor. So that doesn't constitute a major skill anyway.
33:03
But this group showed the very basic skills of exploitation ability, and then comes an interesting strain, which is Metasploit and direct descendants from it. Metasploit is a great tool for researchers, for
33:21
penetration testing, for understanding the exploit, and so it is also a great tool for malware authors, and they are using it extensively to generate new samples freely. In the cases I'm going to show you, the Metasploit module appeared about a week after the original release of the first
33:45
document, and clearly whoever created that module understood some of the ROP exploitation, at least to the level that, as I mentioned, in the main ROP chain there are some unused
34:01
filler bytes which are there only to be popped into meaningless registers. Now these were filled in the original sample with 41 hex bytes; in the Metasploit module they were filled with random values.
34:21
These bytes could make it possible to identify whoever was ripping Metasploit for samples. Anyway, whoever developed the Metasploit module was a skilled exploiter. One of the direct
34:42
descendants from Metasploit was the Havex malware, which was also mentioned yesterday in a presentation as targeting the energy sector, looking for industrial control systems. But when I created these slides, I didn't know that it was going to happen. So I picked another example, and that was the Inception
35:05
group. It was reported by Blue Coat and later on by Kaspersky under the name Cloud Atlas, and they directly connected that with the famous Red October campaign. Anyhow, they generated a sample by Metasploit, then swapped the shellcode and the payload; they just replaced it.
35:27
Plus, additionally, in the case of Inception, they prepended another exploit block at the beginning, exploiting an older vulnerability. However, doing that, they messed up the RTF structure. This is a very delicate
35:41
vulnerability: if you mess up the RTF structure, you break the exploit, and that happened in the case of the Inception group. They generated about thirteen documents with this exploit and still in eleven of them the exploit was actually broken. So they generated a
36:01
sample with Metasploit just to use this vulnerability and they broke it in about 90% of the cases. On one hand they are skilled, because they touched the shellcode and the payload; on the other hand it is shadowed a little by the fact that whatever they created was not working.
36:23
Anyhow, there is a huge group of samples using this exploit that were using some sort of sample generator. One could argue that Metasploit is also a generator, but here I'm talking about commercial tools
36:41
released in the underground circles. One of them, I don't know what the generator is, I don't know the name for it, it has not been reported yet. We just see that hundreds of samples are generated by it, a lot of common banking Trojan families are being distributed, and it is right now dominating the exploitation
37:04
scene. So the largest chunk of exploited documents that we are seeing right now on a daily basis are generated by this tool. It has, apart from the main exploit block, that was the ROP chain and the shellcode, an additional
37:25
two blocks that have the same filler value all over them. It is not used, it is pointless, but it can be used as a watermark to point out all the samples that were created by this toolkit. Anyhow,
37:44
because they did touch a little bit of the exploit structures and the exploitation stuff, it is sort of an intermediate skill set that whoever was writing this generator has. Another one:
38:02
Microsoft Word Intruder. It was blogged about by FireEye, and later this year, just a few weeks ago, we released the white paper about this one. That's the other large chunk of exploited samples using this vulnerability.
38:22
Also hundreds of documents were created with it. It's very interesting and I don't have the time to go into details on it anyway. It has very distinctive characteristics, and it is
38:43
one of the very few cases when the malware authors actually touched the ROP chain and built an alternative ROP chain instead of the original one.
39:00
So it is performing the same task. It requires two more building blocks; it is a bit of an alternative route. But documents generated by this toolkit exploit three different vulnerabilities within the same RTF file, and
39:22
also dozens of mostly banking Trojans were distributed by documents generated by this toolkit. Anyhow, the level of skills that the author of this kit showed, because they actually had to touch the ROP chain,
39:42
it's really someone who understands exploitation at a high level. A very interesting case was the Rotten Tomato case. Now, I'm a physicist by education. I'm a lousy programmer.
40:03
When I have to do programming I do it as a physicist: I take an example program, modify it to my needs and beat it with a stick until it works. It was surprising to see that an APT group, a Chinese APT group, followed just about the same path of
40:21
development, except for the "until it works" part. So what they did: they wanted to use this exploit in their campaigns, so they took a sample generated by Word Intruder, which was mentioned just one slide before, and there was a third
40:41
exploit block at the end. They just got rid of it; perhaps it was too complicated to modify that in place for them. They replaced the first exploit block, appended their own payload and started to use it in a campaign. Now the problem with this picture: it exploits two
41:00
vulnerabilities. If the first one is activated, then the APT Trojan by this group, some PlugX backdoor, gets executed. If the other one is triggered, then the original Zbot sample from the original sample that they ripped from Word Intruder gets executed.
41:22
So depending on the condition, it's either an APT or a cybercrime. It's really an unwanted situation for this group, mostly because they grabbed the sample so that they could actually use the exploit. So what they did: they grabbed another sample where this
41:43
761 exploit worked and they cut out the original one from Word Intruder and copied into it the block from that other example, and there goes one problem, like I mentioned, the "until it works" part.
42:01
Word Intruder has a slight problem: at least in half of the samples the exploit doesn't work. So this Chinese APT group didn't get lucky; they picked a sample, but the exploit actually didn't work. But when they copied the block from this other example,
42:21
they did overwrite the non-working exploit with a working one, and they broke it immediately, because in this case this shellcode looks for the payload at a fixed file offset, and then they copied it into their own document.
42:41
There was this unused encrypted Zbot executable at the beginning, another exploit block, so this fixed file offset was shifted within the file, but these Chinese authors never corrected the shellcode for this offset. So they created samples and they used them in targeted attacks where this exploit never ever actually worked,
43:04
and they were using it for months in different targeted attacks. They started using it in Russia, distributing PlugX, and then they moved their operation against Indian and Pakistani targets.
43:22
Anyhow, they show a really basic set of exploitation understanding, and I'm being very generous to them with this classification. Anyhow, there was one case of successful integration. I don't think it was used by the same group; it was deployed in
43:42
Arabic countries, when they actually fixed the shellcode offset and it actually dropped a Zbot. Anyhow, let's switch to the evolution part. So in this table I just blindly copied all the malware families that I have seen
44:06
using this exploit, and just by looking at the samples I was placing them into the skill set matrix. However, here comes the fun part. If you're a university professor, you can do nasty things.
44:24
One of the nasty things is to see if they actually work. Like I said, in many cases, in fact in the case of this exploit in over half of the cases, the exploit actually didn't work.
44:41
I mentioned it with Inception, I mentioned it with Word Intruder: the generated or used samples just contained broken versions of this exploit, and the supposedly highly skilled cybercriminals just failed to realize this fact. So that just
45:04
takes back a little value from the evaluation. And the other thing is the relations, really. One of my university professors had this really bad habit: after a test, he started to create these dependency
45:22
graphs of who was copying from whom, and modified the marks accordingly. So I'm doing the same with these malware authors. For example, a large chunk of samples, or a large chunk of cybercrime groups, although the samples they are using show
45:42
a greater understanding of the exploit, it's not their merit; it's because they are using Word Intruder or some other generator. So the merit goes to whoever created those tools. They are the actual users of the exploited documents; their skill set
46:04
extends only to the point of executing a generator and using whatever is spit out of it. So in this picture you can identify a couple of high-profile
46:20
APT groups, for example the Pitty Tiger group, the Energetic Bear group, which I mentioned, Numbered Panda or Nightshade Panda, who were responsible for the Rotten Tomato cases, the Hangover team also showed their mark here in this table, Karma Panda, and the Dukes, which I mentioned earlier.
46:44
So really this is the evaluation part of the test, and this places all of the groups in their appropriate places. So here is this dividing line: anyone on the left in the table
47:02
understands whatever happens after the exploit happened, so they can deploy their malware, they can modify the payloads, but they really don't understand the exploitation itself. They don't have in-house expertise in exploitation.
47:20
Whoever is on the right side in this table, those are the really dangerous players. Those are the ones who understand exploitation, file formats, and they apparently have in-house expertise. Now what this table doesn't show are the numbers: the vast majority of the incidents that we can see,
47:44
99.9-point-whatever percent, belong in this region, used by players who show little to no understanding of the exploitation, and only a few incidents belong to the really dangerous guys, and even these are shadowed by the fact
48:05
that even though in solving the problem they show high skills, whatever they created was not working. So they may be
48:22
good programmers, they may seem to be good at exploitation, but they clearly lack the capabilities of determining whether whatever they created was actually working or not. So the conclusion is that all the authors in general, even the highest profile
48:44
APT or cybercrime groups, are clearly lacking in QA. They are not checking whether whatever they are using in actual attacks is working, or, if these are multi-exploit samples, whether every individual exploit is working in those samples.
49:04
The common cybercrime groups who are deploying banking Trojans have a better supply chain, because someone is doing the generators for them and they are buying it. But even though, however skilled these groups are, they don't show enough
49:24
knowledge and skills to port this vulnerability to other Office versions, so there is a certain limit in their capabilities. But they are very eager to use any new vulnerability that is available, and
49:42
immediately as they can get their hands on it they are going to use it in attacks, or try to use it in attacks. So, a final warning for you: even though they are not really the ninjas you should be afraid of, just cat burglars, once they get into your house they show very high capabilities and skills in
50:07
emptying out your house and cleaning out all your assets. So they may not be good at exploiting, but once they get a foothold in your organization, they are very talented and resourceful. So be aware, but
50:24
you should know that if you keep up with the exploit information, they are not really much ahead of you. And that... oh, I have some final slides. I thought it was going to be a test.
50:42
So, let's see if it is really a test, and here are the objective criteria by AMTSO. So I don't have a testing standards organization, so I'm just going through some of the criteria. I don't think I'd endanger the public by this test. I'm certainly not biased towards any of these groups; in fact, I'm equally biased against all of them.
51:05
I think the test was reasonably transparent, the testing methodology, I mean, I spent the first 25 minutes explaining the testing methodology to you. So I was pretty clear about that.
51:20
And finally the test should have an active contact point, which in that case should be me, I guess. So that concludes my presentation. I think, as I look around, I don't see too many people sleeping, so I guess I
51:42
reached my goal and kept you awake. Take it as an accomplishment. Thank you.