Visiting The Bear Den

Video in TIB AV-Portal: Visiting The Bear Den

Formal Metadata

Title: Visiting The Bear Den
License: CC Attribution 4.0 International
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem, composed of tens of different components, and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
Transcript
So, welcome back from lunch. I'd like to introduce the next talk, called "Visiting the Bear Den", by Joan Calvet, Jessy Campos and Thomas Dupuy from ESET. Thank you.

Hi everyone, I'm Thomas, I'm a researcher at ESET, an IT security company, and here with me are my two colleagues, Jessy and Joan. We are here to talk about a group of attackers we have been tracking for the past two years. We call this group the Sednit group, but depending on the researchers it goes by other names like APT28, Tsar Team, Strontium or Sofacy. The Sednit group has been active since at least 2006, and its interest is mainly geopolitics. In this presentation we will first give some context on the group, then we present the case of one of their operations, during which we will dig into the malware. After that Jessy is going to present different and strange operations run by this group over the last few years, and finally we conclude with some lessons and open questions.

So let's start with some context around Sednit. What kind of people are they after? For once we know some of their targets very precisely, due to a mistake they made in their phishing campaigns: the Bitly URL shortener was used to shorten their phishing URLs, but the Bitly account was public. So we got access to around 4,410 URLs over six months in 2015. Here is an example of such a URL: it contains the e-mail address of the target and its name, so in some cases it was easy to identify the target. There are embassies and ministries of more than 40 countries, military and NATO-related institutions, and finally a lot of individuals in Eastern Europe: political critics, journalists, activists and so on. To infect their targets they pull out 0-day exploits. Here is a timeline of the 0-day exploits used in 2015. Of course all of these vulnerabilities have been patched since then, and here we are not even talking about the non-0-day exploits they use, which are many, as we are going to see.

Sednit is also the kind of group that deployed many pieces of software over the past ten years, from a bootkit to an encryption proxy tool, including different types of backdoors. The thing is, they develop a lot. But before going further we want to mention a few disclaimers. First, even if we tracked the group closely during the last two years, our visibility is of course limited and we are missing part of the picture: as malware researchers, we call it a group based on the malware we see, but they may actually be divided into several teams. And finally, we are not competent to do any attribution, but our research provides evidence that may be useful for that. So, that's our journey.
Now let's meet Serge.

Serge is actually a good name for a victim. He works for a government and has access to sensitive information. The chain of events and the findings we are going to present with Serge are in line with real cases we investigated in recent years, and we use Serge as a pretext to present the different pieces of Sednit's arsenal. So, it's Monday, 9:30. Serge arrives at work, grabs a cup of coffee and opens a new e-mail. This e-mail supposedly comes from Stratfor, a so-called intelligence company which provides regular reports, and it contains a URL. If we look closely at

the URL, we notice that the domain is a look-alike of the Stratfor domain, and also that the URI is the same as the one on the real Stratfor site, except that an ID was inserted in the middle, probably to identify the target. So Serge

clicks on the URL, and that means that Sedkit, the Sednit exploit kit, is used. It is used only for targeted URLs, as we just saw: almost all of its entry points are URIs sent to targets through phishing e-mails, but we also saw iframe redirections to the kit from compromised websites. We found this kit in September 2014 for the first time, and it is still in use.
As in a classic exploit kit, when you visit you receive a landing page that does reconnaissance on the machine. The landing page contains around 200 lines of JavaScript, and the code has stayed the same over the last year. You can see a beautified extract of the page. First it retrieves the time zone, then it enumerates the properties of the JavaScript objects navigator, document and screen, which provide information on the browser and on the user's screen, and finally it enumerates the plugins installed in the browser. As you can see there is a special case for Internet Explorer, where Java and Flash are detected by a special method, and notice the comments here left by the developer. To give you an idea, here is a

report from Serge's computer in its JSON representation. It contains a lot of information, so the server can select targets very precisely, not only on their software but also on the language, time zone, and so on. However, we

don't know very precisely what the operators are looking for. We crawled the exploit kit with various configurations and from different IP addresses: sometimes it works, sometimes it doesn't, and right now we don't really know why. So let's say

that Serge is selected to be exploited. Here are

the exploits we saw in Sedkit since its beginning. As you can see, three of them were 0-day exploits at the time they were used, two of them come from another exploit kit, made by a group from Ukraine and probably used mainly by people from Eastern Europe, and the others are revamped exploits. We are going to describe one of them that we recently found, because as far as we know the 0-day exploits have been well described by other researchers.
This exploit targets CVE-2014-6332, an integer overflow in the VBScript engine of Internet Explorer that gives arbitrary read/write in memory. It is a classic: the proof of concept has been public since late 2014, and Sedkit started using it in 2015. In the first version we saw, they just reused the public proof of concept to disable VBScript Safe Mode and load the next-stage binary. But recently we found a very different version of this exploit, more complex, which was used in February 2016. This version does not disable Safe Mode; it directly executes a ROP chain. The code is around 400 lines of VBScript and, interestingly, we didn't find any similar code on the internet.

Here is the beautified code of the function that builds the ROP chain. We are not going to dig into the exploit itself, as we are still finalizing its analysis, but there is something striking here: the code contains a lot of helper functions. It actually looks like a framework for exploitation in VBScript. For

example, you can see a function to retrieve the address of a section of a DLL on Windows 7. As you can see it's a lot of VBScript, so please do not try to read it. To summarize, it

looks like an exploitation framework, and the function names are the ones you would expect to find in an exploitation framework somewhere on the internet, but there is no sign of them. So, if you have ever seen this, please let us know.

Back to Serge. The exploit downloads onto his computer the Seduploader dropper. Seduploader consists of two binaries, a dropper and its payload, and it is usually the first component deployed on victims. We dated the first Seduploader dropper to March 2015. Its workflow is quite straightforward, but it contains some interesting features. The first one is an anti-analysis trick, shown in this snippet
extracted from the dropper. First it allocates a 10-byte buffer and sets the last byte to the value 42. Second, it creates a temporary file. Then it writes one million times into this file, reads it one million times, and finally checks that the last byte of the buffer still contains 42. If that is not the case, the dropper terminates its execution. This looks strange, and we believe it is a kind of anti-emulation trick: the read and write operations are repeated so many times that an emulator reimplementing memory management may fail to maintain the buffer's state, and the check detects that. The next step is the writing of the

payload on disk. These operations are implemented in a class named Dropper by the developer. The next

class is a group of local privilege escalation exploits: depending on the version, one of two CVEs can be exploited. The first one was a 0-day at the time it was used, and the second one is another gift from the Hacking Team leak. Finally the program makes the payload persistent on the system. Interestingly, we saw many different techniques used over the past months, some of them only used when the dropper runs with system privileges, and here you can see a few of them, like Windows COM hijacking. Notably, these last two techniques were first seen in crimeware and then integrated into the Seduploader dropper, so seeking inspiration in crimeware is something usual for Sednit.

So at this moment the Seduploader payload is running on Serge's computer. It is a kind of reconnaissance malware, and you can see its workflow here. The first part is establishing a connection to the C&C server. This is the most remarkable part of the payload, because it changed several times in the last few months. The basic version tries to contact the C&C server and, if it works, just moves on. However, if it doesn't work, it reads the proxy settings of Firefox: it looks for the profile file, parses it and, if it succeeds, contacts the C&C through the proxy using these credentials. Last but not least, if all previous techniques didn't work, it waits for the user to open Internet Explorer and injects itself into it. The next step is

to send the first-stage report to the C&C server. This report begins with an ID generated from information about the computer, then process and disk information and the version number of the binary, and it is all sent encrypted through the connection previously established. As you can see it's a small report, probably to keep it hidden from security researchers. The final step is

retrieving commands from the C&C server. Here are the different values handled by the last version of the Seduploader payload. The command names are quite explicit, but the main purpose here is to download a specific file from the C&C and execute it, with different alternatives. To conclude,

just a quick anecdote: in some versions of the dropper, the developers log each API call into a file. Here is the beginning of such a file; it is a kind of API execution trace where each line corresponds to one Windows API call and begins with a number indicating which type of API call was made. So this is Seduploader; Jessy will now continue.
So, back to our chain of events. Serge's computer is now infected with Seduploader, and the operators decide that Serge is interesting, so they deploy Sedreco. Sedreco is a modular backdoor: it comes with a set of basic commands and has the ability to extend its features by loading external plugins. It is usually deployed after a successful first infection, like in Serge's case. This component might be old, but we know for a fact that it is still active and in use nowadays. Usually Sedreco arrives on the computer inside a dropper, and the dropper installs the payload and its configuration in different locations: first it writes the configuration into a file, and then it also writes the exact same data into the Windows registry. Since the configuration is installed by the dropper, if you only find the payload you won't be able to determine which configuration was used with it. So let's talk a

bit about this configuration. The configuration is stored encrypted and comes with a small header. A 6-byte key is located at the beginning of the configuration and is randomly generated by the dropper. Following the key there are 20 bytes, and each byte represents the size of one of the fields in the data. Everything else is the encrypted data. Here is the representation of the extracted fields. Some values are just constants set by the dropper, which I won't describe because they are not very interesting. Here we have the C&C domains: the first C&C is the main one, and the second one is a fallback. Here we have what we believe to be the operation name, and here the version. As mentioned before, Sedreco has the ability to use a proxy. At the end of the configuration we have the path where plugins will be stored; it is empty right now because the dropper doesn't come with any plugin. So let's talk about the payload that uses this

configuration. The initial payload usually comes with 26 commands, plus a variable number of commands registered by plugins through an exported function that registers new commands. Here you can see the registration flow for a few of them. Sedreco's capabilities are numerous: it can read and write files on the system, it can list all running processes, it can manipulate the registry, and more interestingly it can also enumerate network resources, update its configuration, and load or unload plugins. So,

speaking of plugins: they are loaded in the same address space as the payload and, thanks to that, they are able to use the functions of the main payload. This picture shows what happens when the payload initializes a plugin. It calls the plugin's init export and passes a structure to the plugin. This structure provides the addresses of payload functions, including the address of the function handling the registration of new commands, so the plugin can register various commands. Here is an example of a plugin we

found. This one was just registering one command, which opens a shell and executes a command. We can see that not every argument is used, and we can also see what kind of capability such a plugin mechanism can add. Finally, when Sedreco unloads a plugin, it calls another export of the plugin, and in this case that export only unregisters the command. So
let's go back to a chain of events yesterday 1 cynical was deployed for 2 minutes after the initial infection may the expected 4 hours later search meets exigent which was number that buys set up for the exactly like recall so X agent is a modular backdoor pretending super sparse and for which there exists at least the Windows Linux and I recession the exigencies really reflection but the of they use it in most of our operations Israeli after reconnaissance phase like in the case of certainty here but also sometimes as a 1st stage malware we dated the operation of fix agent in the lumber to funds and 12 and it is still in use so at this point in this plantation you're going to expect some reverse engineering unsuppressed was binaries except that you to a mistake from the operators we
recently got access to the source code of extinction so that we to some suppose this code various Indian there is an extract of the fires we found
itself we working suppose this project of the Linux version of X agent and it was combined into lighter for 15 which we know because there is a been for data with a binary from this data inside the project contains around 18 K lines of code in 59 classes so it's pretty big and we believe this Linux so Scott derives from the Windows version of its agent because at several places in the code the developers commanded out some the wing 42 API costs and replace them with some unique specific API court like in this case for pretending nation finally there are several national fix agents and the source code is major version to wider trenty distributed binaries are version 3 but the source code the much is the quality of aggression free binary as you would expect in such a big project there are this was could easily commanded and the comments of basically a mix of badly written English with some Russian and some ASCII art to describe a data structure so that being said let's dig into a code the logic of fixated on starting a function got stop agent located in Maine that's a be and you can see here an extract we've the main steps 1st on agent can an object is associated by the execution manager of exigent the canon on and I jumped at channel object is instantiated that's the means of communication since server and as you can see in the project to China's when using the HTTP protocol called http channel and 1 using the mayor's scholar made China but as you can see that they repress commented out the mentioned association it will exigent is completely covered to manage both of them at the same time 3rd to idea jump module object I stated in those modules implement the functionalities of effects remote shipper like the share access to the operators while FS module is a wrapper for file system operations and as you can see the developers commented out that you go module associations then there are some cost to economy toddlers touch on and register moderate and we're at the 
kernel is in charge of managing both modules and channels, and as you can see the developers commented out the registration of the MailChannel. Finally there is a call to AgentKernel::StartWork, which creates execution threads for each module and channel.

Something I would like to point out here is that this strategy of commenting out certain modules and channels is something we previously observed in the binaries: Xagent samples come with a combination of modules and channels specifically chosen for a target, and the operators can later on, during the operation, deploy new modules and new channels by sending a specific command to the kernel, and the objects they want to deploy register as a module or as a channel. So you get an idea about the design of Xagent, which is quite elegant.

Now let's focus on the communications with the C&C server. Here is a simplified view of the communication workflow. At the center, on the Xagent-infected computer, there is the kernel object, which runs in an infinite loop. First it fetches messages from the modules (note that the kernel itself is a module); the message is then encrypted and serialized by the kernel and given to the channel controller, which is the interface to the C&C server, and the channel controller uses the channel implementation to send the message to the server. In the other direction, the channel controller regularly asks the C&C server for encrypted messages for a specific module, then gives the message to the kernel, which deserializes and decrypts it and gives it to the module. What is beautiful in this simple design is that the channel controller is completely unaware of the actual channel implementation, which as I said before can be over HTTP or over email; the channel controller uses both transparently, and in fact it will automatically switch to a different implementation if the current one is not working anymore, provided it has two implementations at its disposal. Speaking of channels, let's focus on the email one: how is it working?
The principle is simple. When the channel controller has a message for the C&C server, it sends an email with the message as an attachment to a mailbox, and this mailbox can be a free mail address, a dedicated address or even a hacked email address; this one is just an example of course. Then the C&C server reads the mailbox and processes the attachment from the inbox. In the other direction, when the C&C server has a message for Xagent, it sends an email with the message as an attachment to a different mailbox, and Xagent reads the email and processes the attachment. That sounds easy, right? But the thing is, when you are using email to build a command and control channel, first you need a way to distinguish your C&C emails from unrelated emails that could be in the inbox, like spam, and secondly you need a way to get past the spam filters that could be on your way to the inbox, on the SMTP servers. To do so, the Sednit developers implemented what they call the P2 scheme, which they describe as an email protocol, and this protocol defines how Xagent emails look.

Here you can see an email matching the protocol. The subject of the email is the base64 encoding of a value following this format: it begins with a 5-byte random key, then a value XORed with the key, then the agent ID XORed with the key. The value here is known by both the C&C server and Xagent, and that's how they distinguish their emails from unrelated emails: they decode the subject and check if the value is there. In practice, in most Xagent samples we've seen, the value is a 7-byte string. The protocol also defines the body of the email and the attachment name, because remember the message is in the attachment, and those are simply the base64 encodings of some random values. So that's the P2 scheme, but actually in our Linux source code the developers commented out the P2 scheme and replaced it with some hardcoded values, and those values are words in the Georgian language: the subject of the email is set to a phrase which refers to a Georgian national ID number, the body of the email is set to "gamarjoba", which means "hello" in Georgian, and the attachment name starts with a word meaning "details" in Georgian, followed by a timestamp. Those values were probably chosen to not look out of place in the Georgian infrastructure they were targeting, the emails going through a hacked Georgian mailbox.

That being said, to conclude on Linux Xagent I just want to say a few words on its C&C infrastructure, because once again we got access to some source code.
The source code in question was left in an open directory on the C&C server, which for some reason was indexed by Google, so just by doing some search queries for the P2 scheme strings I just described we found the source code hosted there. It is a proxy server for the back-end C&C server of Xagent. As you can see from the files, it is developed in Python, and it was used between April and June 2015, which we know because there are some log files with timestamps inside. The code contains around 12K lines, because it's actually more than a simple relay of communication: what it does is translate the email protocol, the P2 scheme I just described, from Xagent-infected computers into HTTP requests for the back-end C&C server, and these requests follow a protocol they called P3. By the way, we believe they use the exact same kind of setup for agents using the HTTP channel.
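To make the subject layout of the P2 scheme concrete from the defender's side, here is an added example (not code from the talk, the paper, or any Sednit sample) that decodes a subject, strips the 5-byte key, checks the shared value and recovers the agent ID, so that a mail filter can separate scheme-conformant subjects from ordinary mail. The 7-byte marker value, the agent IDs and the sample inbox are all constructed placeholders; the real marker value is not reproduced here.

```python
import base64
import binascii
import os

# Constructed placeholder for the 7-byte marker value that agent and
# server share; the real value from the samples is not reproduced here.
KNOWN_VALUE = b"MARKER7"
KEY_LEN = 5


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_subject(agent_id: bytes, key: bytes = None, value: bytes = KNOWN_VALUE) -> str:
    """Lay out a subject the way the scheme is described:
    base64(random 5-byte key || value XOR key || agent_id XOR key).
    Used here only to construct test messages."""
    if key is None:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    raw = key + _xor(value, key) + _xor(agent_id, key)
    return base64.b64encode(raw).decode("ascii")


def parse_subject(subject: str, value: bytes = KNOWN_VALUE):
    """Return the agent ID (bytes) if the subject follows the scheme and
    carries the known value, or None for any other subject."""
    try:
        raw = base64.b64decode(subject, validate=True)
    except (binascii.Error, ValueError):
        return None                      # not even valid base64
    if len(raw) < KEY_LEN + len(value):
        return None                      # too short to hold key + value
    key = raw[:KEY_LEN]
    if _xor(raw[KEY_LEN:KEY_LEN + len(value)], key) != value:
        return None                      # valid base64, but not the scheme
    return _xor(raw[KEY_LEN + len(value):], key)


def triage(subjects, value: bytes = KNOWN_VALUE):
    """Split subjects into scheme matches (with the agent ID they carry)
    and everything else."""
    matched, unrelated = [], []
    for s in subjects:
        agent = parse_subject(s, value)
        if agent is None:
            unrelated.append(s)
        else:
            matched.append((s, agent))
    return matched, unrelated


# Constructed inbox: two scheme-conformant subjects among ordinary mail.
SAMPLE_INBOX = [
    "Invoice for April",
    build_subject(b"agent-01", key=b"\x01\x02\x03\x04\x05"),
    base64.b64encode(b"just a base64 subject").decode("ascii"),
    build_subject(b"agent-02", key=b"\xaa\xbb\xcc\xdd\xee"),
]

if __name__ == "__main__":
    hits, rest = triage(SAMPLE_INBOX)
    for subject, agent in hits:
        print("scheme match: agent id %r in subject %s" % (agent, subject))
    print("%d unrelated subject(s)" % len(rest))
```

The check is deliberately strict about base64 validity and length before it touches the marker, so an arbitrary base64-looking subject (the third one in the constructed inbox) is not flagged; a deployment would read the marker value from the samples it is hunting for rather than the placeholder above.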
That being said, enough with Xagent; let's go back to the chain of events. On day one, after the initial infection, Seduploader was deployed, then 4 hours later Xagent was deployed, so at this point Sednit has two spying backdoors on the target computer, such that if one of them is detected they don't lose access to the computer. The next days are going to be about information gathering and lateral movement in the target's network.

During the next 3 days, first Sednit is going to drop some password extraction tools, and very often they use a set of tools called SecurityXploded, which are freely available on the Internet; those tools are able to extract passwords from a variety of software, including browsers and email clients. The thing is, they are well known, so usually detected by antivirus software as hacktools or something similar, so Sednit developed their own set of custom tools to extract passwords, and in particular there was one for Windows Live Mail passwords that is dropped on the target computer, and this particular binary is compiled specifically for the target, as it searches for passwords in the paths that exist on that computer. Of course the operators also want to extract Windows passwords from the target computer; for that they use a custom tool to dump passwords from the registry hives, and of course, no surprise, they use Mimikatz, and very often the output of Mimikatz used by Sednit is put in a file with a fixed name. Local privilege escalation exploits are also deployed, depending on the target. Sednit also deploys the screenshotter, a custom Sednit tool to take screenshots on the computer: when it is executed it takes 15 screenshots in rapid succession each time the mouse moves, and it does that 50 times in a row. And finally Sednit deploys Xtunnel, which is a
custom network proxy tool to reach machines normally not reachable from the Internet, using the infected computer as a pivot. The development of Xtunnel appeared in May 2013, and it is still in use. So here is the initial situation: the Sednit C&C server is on the Internet; the target computer, in its organization's network, is infected with Xtunnel; computers A and B are in the same network as the target computer, they are not under the control of Sednit and not reachable from the Internet, but they are reachable from the target computer.

The first thing Xtunnel does is an encryption handshake with the C&C server. The purpose of the handshake is to share an RC4 key to encrypt the communication between the two of them. To do so, both Xtunnel and the C&C server have a copy of a big table filled with random-looking values; let's name it T. Xtunnel randomly picks an offset O in the table T, and the 32-byte value starting at this offset in the table is the RC4 key that Xtunnel wants to share with the C&C server. But of course it does not send the key: it sends the offset in the table, and also a proof that Xtunnel really knows the table T, which is the encryption with the chosen key of a row of T located at a fixed offset. The C&C server then checks the proof, and if it's correct, that is if the decrypted value is the expected one, it answers OK and sets its own key to the 32-byte value starting at offset O. From this point all the data exchanged between Xtunnel and the C&C server is encrypted with the chosen key. Note that sending the offset and not the key, of course, complicates decryption of the traffic by eavesdroppers. Starting in mid-2014, the encrypted link was encapsulated into TLS, which is nothing special except that Xtunnel does not verify the certificate sent by the C&C server.

Now, the next step: once this encrypted link has been established, the C&C server can order Xtunnel to open a tunnel with a target computer, using its IP address or domain name plus a TCP port number, and Xtunnel then opens a TCP connection with the target computer, that's computer A, and starts relaying all the data between computer A and the C&C server in both directions. Notice that the link between Xtunnel and computer A is not encrypted, and any kind of TCP data can be forwarded in the tunnel. We don't know exactly what kind of traffic Sednit routes through it in practice, but it has been reported that the operators often use PsExec or PsExec-like tools, affecting Windows systems, to execute commands on a remote Windows system without having an agent running on it. Finally, each tunnel is identified by an ID, and using this ID Xtunnel can actually manage several tunnels at the same time, so a further tunnel with a different ID can be opened with computer B, and Xtunnel will take care of routing the traffic into the right tunnel.
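The handshake just described, as an added model (not code from the talk, the paper, or Xtunnel itself) with both sides' steps written out: the agent picks an offset, derives the 32-byte key from the table, and sends the offset plus a proof; the server re-derives the key from the offset and accepts only if the proof decrypts to the expected row. It also shows why the scheme only protects the traffic as long as the table stays secret: an analyst holding a copy of T recovered from a sample gets the session key from the offset seen on the wire. The table contents, its size, the fixed proof row and the sample payload are constructed assumptions; RC4 is used because the talk names it as the cipher.

```python
import hashlib
import secrets

KEY_LEN = 32
PROOF_ROW = 0        # assumed: fixed offset of the row used as the proof
TABLE_SIZE = 4096    # assumed size; the real table's size is not given here


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_table(seed: bytes, size: int = TABLE_SIZE) -> bytes:
    """Constructed stand-in for the shared table T: random-looking but
    reproducible, derived from a seed with SHA-256."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def client_hello(table: bytes, offset: int = None):
    """Agent side: choose an offset, derive the key, build the proof.
    Returns (key kept locally, (offset, proof) sent on the wire)."""
    if offset is None:
        offset = secrets.randbelow(len(table) - KEY_LEN + 1)
    key = table[offset:offset + KEY_LEN]
    proof = rc4(key, table[PROOF_ROW:PROOF_ROW + KEY_LEN])
    return key, (offset, proof)


def server_accept(table: bytes, offset: int, proof: bytes):
    """Server side: derive the key from the offset and check that the
    proof decrypts to the fixed row. Returns the key, or None to refuse."""
    if offset < 0 or offset + KEY_LEN > len(table):
        return None
    key = table[offset:offset + KEY_LEN]
    if rc4(key, proof) != table[PROOF_ROW:PROOF_ROW + KEY_LEN]:
        return None
    return key


def eavesdropper_decrypt(captured_table: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Analyst side: with the offset observed on the wire and a copy of T
    recovered from a sample, the session key follows directly."""
    key = captured_table[offset:offset + KEY_LEN]
    return rc4(key, ciphertext)


def demo():
    T = make_table(b"constructed-shared-table")
    key, (offset, proof) = client_hello(T, offset=100)
    server_key = server_accept(T, offset, proof)
    ct = rc4(key, b"tunnel payload")          # constructed sample traffic
    return {
        "handshake_ok": server_key == key,
        "wrong_table_rejected": server_accept(make_table(b"other"), offset, proof) is None,
        "recovered": eavesdropper_decrypt(T, offset, ct),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the proof authenticates nothing beyond "this peer holds T", so a server with a different table refuses the handshake but any party with T passes it; and because the key is a slice of T chosen by a 16-bit-sized offset rather than fresh key material, a captured offset plus a table extracted from a sample is enough to decrypt a recorded session. The TLS wrapper added in 2014 would have closed that avenue, except that, as noted above, Xtunnel does not verify the server certificate.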
Interestingly, starting in July 2015, Xtunnel became obfuscated, and Xtunnel is, as far as we know, the only Sednit component that was obfuscated. July 2015 is 2 months after the attack of Sednit against the German parliament, the attack where Xtunnel was found and then publicly exposed. So broadly what happened is that the detection ratios of Xtunnel increased a lot after the exposure, and they decided to apply some obfuscation to make detection harder. The obfuscation in question is a mix of classic techniques like junk code insertion and opaque predicates; to give you an idea, here is the control flow graph of a small Xtunnel function before the obfuscation and then after the obfuscation. By the way, if you are building some automatic deobfuscation tool, Xtunnel might be a good example, because we have some pre-obfuscation samples and then obfuscated ones with the exact same behavior. We don't know which tool they used to implement the obfuscation, but knowing Sednit it may be something completely custom. So enough with Xtunnel, let's go
back to the chain of events. We just had 3 days of information gathering and lateral movement; the last action from the operators during this first week will be to set up an additional persistence method on the target computer for long-term monitoring, on Friday around 11 AM. This long-term persistence consists of a special Xagent binary which is copied into the Microsoft Office folder under the name msi.dll. The copy operation is done by a binary dropped on the machine; this binary needs administrative rights in order to write into the Microsoft Office folder, so for that they use a local privilege escalation exploit, and then the binary copies the agent msi.dll into the Microsoft Office folder. What happens next? First you need to know that there is a legitimate Windows DLL named msi.dll, stored in System32 and used in particular by Office applications, and also you need to know that the agent msi.dll exports the exact same function names as the legitimate msi.dll. So you have guessed what happens next: the next time the victim starts an Office application, the agent msi.dll gets loaded, because it is in the Microsoft Office folder and this folder comes before the System32 folder in the DLL search order. When it loads, it loads the legitimate msi.dll from System32 and fixes its own export table with the addresses of the functions in the legitimate DLL, such that any call to its exported functions actually goes to the legitimate ones; the application works normally, and then the agent runs its logic. So it's a simple search order hijacking that relies on the fact that they can write into the Microsoft Office folder. By the way, we have recently seen the same technique used with an Xagent named linkinfo.dll dropped in the Windows folder. That concludes the story of the target computer, a textbook case of what happens to Sednit targets during the first days of infection.
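A defender's counterpart to the msi.dll hijack just described, as an added example (not from the talk or the paper): inventory an application folder for DLLs whose file name also exists in System32, since any such file wins the search order for that application, and compare each one against the system copy by hash. The directory layout it runs on is constructed in a temporary directory so the check works offline; on a real host you would point `find_shadowing_dlls` at the Office installation folder and `C:\Windows\System32`.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_dir: str, system_dir: str):
    """List DLLs in app_dir whose name also exists in system_dir. Such a
    file is loaded instead of the system copy by processes started from
    app_dir, so each hit is compared by hash against the system copy."""
    system = {}
    for name in os.listdir(system_dir):
        if name.lower().endswith(".dll"):
            system[name.lower()] = os.path.join(system_dir, name)
    findings = []
    for name in sorted(os.listdir(app_dir)):
        if not name.lower().endswith(".dll"):
            continue
        sys_path = system.get(name.lower())
        if sys_path is None:
            continue                      # no system DLL of that name: not a shadow
        app_path = os.path.join(app_dir, name)
        findings.append({
            "name": name,
            "app_path": app_path,
            "system_path": sys_path,
            "same_content": sha256_of(app_path) == sha256_of(sys_path),
        })
    return findings


def demo():
    """Constructed layout standing in for System32 and an Office folder:
    one shadowing DLL with different content, one identical copy, one
    application-only DLL and one non-DLL file."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "System32")
        app_dir = os.path.join(root, "Office")
        os.makedirs(sys_dir)
        os.makedirs(app_dir)
        files = {
            (sys_dir, "msi.dll"): b"legitimate msi.dll contents",
            (app_dir, "msi.dll"): b"something else entirely",
            (sys_dir, "ole32.dll"): b"identical",
            (app_dir, "ole32.dll"): b"identical",
            (app_dir, "officeonly.dll"): b"no system copy",
            (app_dir, "readme.txt"): b"not a dll",
        }
        for (d, name), content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return find_shadowing_dlls(app_dir, sys_dir)


if __name__ == "__main__":
    for hit in demo():
        status = "identical to system copy" if hit["same_content"] else "DIFFERS from system copy"
        print("%s: %s (%s)" % (hit["name"], hit["app_path"], status))
```

A shadowing DLL that differs from the system copy is the case to investigate first, but an identical copy is still worth a look, since nothing legitimate normally needs a second msi.dll beside the application. The check is by name and hash only; it does not inspect export tables, so a proxy DLL that forwards to the real one, as the agent msi.dll does, is caught by the name collision, not by anything it exports.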
And now for something quite different: Downdelph. Now that we have a pretty good overview of what the Sednit ecosystem looks like, I want to talk about one of its lesser-known pieces. A couple of years ago we had a sample that came with a decoy document, a legitimate-looking file about a conference, a document that is actually commonly available on the Internet, so there wasn't anything that looked related to Sednit at first, but we decided to dig deeper.

Sadly, it was a simple downloader. It was written in Delphi, hence the name we gave it: Downdelph. The workflow is pretty simple: the downloader fetches a configuration file and, based on this configuration, it downloads and executes a payload. The persistence method used is the very classic Run registry key, so nothing really exciting so far. But it looked like an undocumented piece of malware, so we started looking for more samples, and we found another Downdelph deployment, this time from 2013. This deployment of Downdelph came with the same dropper, but this time with a small helper and a bootkit. Even if this bootkit only infects BIOS-based systems, it has the ability to infect multiple versions of Windows running on x86, on both 32- and 64-bit architectures. So finally we had something that had never been documented, which is quite unusual. Things
started to become more and more interesting at this point, so let's have a look at the installation process of this bootkit. Here you have what the hard drive looks like before infection: you have the original MBR and the system partition, and here is what the same drive looks like after infection. In the first sector you have the malicious MBR; then you have the original MBR, XORed with a one-byte key; after that, starting from the following sector, you have the bootkit code, also XORed with a one-byte key; and after that you have an RC4-encrypted driver. The bootkit also installs two drivers hidden in the registry, but I'll talk about them later.

Here is a very simplified version of the Windows 7 64-bit boot process. First the original MBR is executed and it looks for the bootable partition; once the partition is found, the VBR is executed, and its role is to load bootmgr; bootmgr switches to protected mode and loads winload; winload then does some integrity checks on the kernel and the drivers, loads the kernel and the boot drivers into memory, and then the system starts. Now with the bootkit: first the malicious MBR is executed, and
it hooks interrupt 13h, and thus all the read operations on the disk, and by doing that the bootkit is able to intercept every byte read from the disk. Thanks to that hook it searches the memory for some specific bytes; those bytes belong to bootmgr, which is the next boot stage, and at this point the bootkit patches them to get control of the execution back. It then searches the memory again for specific bytes, this time belonging to a function of winload, which is the next stage, and as its name suggests this function calls the kernel entry point, so this is where the bootkit gets control again, right before the kernel is executed.

At this point the kernel is mapped into memory and all the integrity checks have already been performed. What the bootkit does now is patch a kernel function: it replaces its entry with some code which loads the driver stored in the resource section, makes that section writable and executable, and then calls the original entry point of the patched function. The bootkit also has to save the original bytes it overwrote so it can restore them, and it saves them in the kernel image. So in the picture you have the bootkit code, the patched function with the hook, and the original code of the function and its entry point. Now the driver will be loaded during the kernel initialization, and the hook hides itself: the driver hidden in the resource section is read by the original entry point, then the hook maps the driver into kernel address space, calls its entry point, and after that it will be able to find the other hidden drivers. So there are three components
involved at this point. First there is the driver, which drops two other drivers hidden in the registry; this driver is called by the bootkit and is the root component. Then there is the user-mode component that is manually mapped into the explorer.exe process memory, and then this component loads Downdelph, which is bundled with it and also injected into explorer. But something is odd with this flow: they use a generic injection into explorer.exe, and we found evidence that Downdelph was not intended to be used with this bootkit. More precisely, first, the driver expects an export from the payload, and this export doesn't exist in any Downdelph sample, so we believe the original payload was different. Also, we believe this driver is related to the BlackEnergy family, because we found similarities between the two families: for instance, when the user-mode component is manually mapped into the explorer process memory, there is a specific pattern for resolving imports and fixing relocations, and all this code is shared between the Downdelph samples and the BlackEnergy samples. Another point is that the user-mode component injected into explorer relies on 3 exports of the payload, and you can find them in the BlackEnergy samples and in the Downdelph samples, implemented in the exact same way. This might indicate that the developers had access to the BlackEnergy source code. But enough with the bootkit; let's go back to Downdelph. We looked for more samples, and we found another
deployment, this time with a rootkit, and at this point Downdelph became even more interesting than we thought. Let's talk about this rootkit. Its main purpose is to ensure the persistence of Downdelph on the system, and to do so the rootkit injects Downdelph into explorer.exe, once again using the same injection mechanism, and it hides everything related to Downdelph from the user and the system: you cannot see its files on the disk or its registry keys. Thanks to the debug messages they left in the samples, here is the exact output during the rootkit loading, and you can see the virtual device it creates, the registry keys it hides, as well as the files it hides and the path of the file to inject into explorer.

We found two implementations of this rootkit. The first one was targeting Windows XP kernels and was doing some classic hooking, while the other one was a minifilter driver targeting more recent versions of Windows, and it is based on an open-source example made by Microsoft. Let's have a look at one of the functionalities of this rootkit; I won't dive into the details, I just want to give an example of how the rootkit works. So here is a diagram of what happens when a file is accessed by an application: the request reaches the minifilter, which intercepts it; it then checks if the file name or path matches one of its rules, and if it matches the rootkit simply returns an error to the application, so that the file is hidden. Once again, we believe this rootkit has never been documented. We also found a 64-bit sample of this rootkit, but sadly we are missing the dropper, so we don't really know how it manages to bypass the driver signing policy, and interestingly it looks like this sample was targeting a computer running a specific security product.

To summarize, we found only a few samples of Downdelph, and they were used during the past 3 years. This is not a lot of samples, so Sednit is very careful with it and used it to target only a few specific victims. The bootkit and the rootkit were active during quite a long time, on Windows XP and Windows Server, and they also used them on the same versions of the operating system to ensure long-term persistence, which is unusual in such cases. So why would they work so hard to hide such a simple component, and why was none of this documented before? Finally, we know that Downdelph was used in the past to download Xagent, as we mentioned earlier. So it's now time to conclude
with some speculative musings, because after looking at so many Sednit binaries over the last 2 years, the temptation is big to try to draw some general conclusions. I'm not talking about attribution; I'm talking about the software and the way they work. So the first question: as we tried to show in this presentation, the diversity of Sednit software is quite impressive if you think about it. There is a kernel-mode bootkit and rootkit, a modular backdoor, an exploit kit with a bunch of custom exploits, and the list goes on. This diversity is of course good for them, because it makes detection and tracking harder for the defenders. So the question is, how did they come up with such a vast software ecosystem, and do they have a development team dedicated to their tools? We have a few insights on these questions.

First, Sednit binaries are often compiled specifically for a target, after the target has been infected. The perfect example of that is an Xagent containing built-in passwords of employees of the Ministry of Internal Affairs of Georgia, used by the mail channel of Xagent, so this sample was made specifically to be run inside this organization. Also, Sednit malware is in constant evolution: Xagent, Xtunnel and Seduploader all changed a lot since their first versions. In other words, the developers are part of the team; they are not outsiders paid for a one-time job. Also, among the variety of Sednit software there are some shared techniques, like building a URL by concatenating a hardcoded value with randomly generated values, or using specific tokens in the network protocol. These are just two examples of techniques present in several Sednit software but developed in different languages, so it's not copy-pasted code, it's the implementation of the same idea, and this may indicate that the same people are behind the software.

Another remark on the development process of Sednit is that Sednit software contains some basic programming mistakes. Here is one in the Xagent code, where a thread termination does not match the condition just before it, as you can see from that condition and from the commented-out Windows code: a wrong copy-paste from the Windows version. Another obvious one is in Xtunnel, where a report message is built for the C&C server when a tunnel has been opened with the target computer: the address of the target computer and the port number are written into a 6-byte buffer, except that the memory pointer is not incremented between the two writes, so the port overwrites the first 2 bytes of the IP address. We can assume the C&C server does not check the report, and that's how the mistake went unnoticed. These are just two quick examples of basic mistakes you can find in Sednit code, and there are more, so clearly the developers do not have a code review process.

Also, Sednit software often relies on ideas that come from crimeware: for example Seduploader reuses a technique that was first found in crimeware and shares parts of its code with a known crimeware family, and, as explained earlier, Downdelph with its bootkit bears some similarities with BlackEnergy. So we may be tempted to conclude that the developers are connected in some way with the traditional crimeware community. Finally, the Sednit developers use funny names for functions, and Sednit also used the name of a famous soccer player, in case you don't know, as the file name of a binary downloaded from an exploit kit. So we can guess that if they're able to use such names in production code, they are not working in a very formal environment, to say the least.

To summarize this speculation, we believe that this group is something like a set of skilled developers working with little or no supervision, and some of them have ties with the crime underground. We would be very happy to discuss it if you disagree. Enough speculation; to conclude: Sednit activity increased a lot during the last 2 years. They are doing targeted attacks, but they got a lot of targets; by the way, if you have heard about the DNC hack in the US last week, Sednit was supposedly involved in it. Also, their toolset is in constant evolution, so there is certainly more fun to come for researchers. Thank you very much for your
attention. If you have questions, feel free to contact us; there will be a white paper published with all this content and more, hopefully this summer. So thank you guys, take care. Any questions?

Thanks. You mean the timeline of the target's infection? So it's based on several real cases we investigated, where we did some forensics on some computers that were attacked by Sednit, and so we had the precise timings of what happened during the attacks, and we kind of merged several cases to build this idea of a typical case. But maybe we should mention that we don't have visibility on the real traffic, the traffic exchanged between the malware and the C&C servers, so what we have is binaries dropped at certain times on the computer, and we merged cases. Thanks.