examples of recent apt persistence mechanisms - SANS Computer ...
EXAMPLES OF RECENT APT PERSISTENCE MECHANISMS
Christopher Glyer, Manager
Introductions
CHRISTOPHER GLYER
IR engagement manager at Mandiant
5 APT investigations in the last year
Largest investigation:
− ~250 compromised systems
− ~150 unique malware samples
− 5 APT groups
− Compromised for > 3 years
Let's Start with the "Fun" Stuff
Identify a legitimate service that runs on many systems (e.g. 100 hosts with an "SAP Agent" service)
− On the newly compromised system, create a service whose attributes are identical to the legitimate one:
  Description
  ImagePath
  ServiceDLL
  File size
  Strings in the binary, matching those of the legitimate exe or dll
Malware installed as a Microsoft Office Add-in
− When MS Word starts, the malware is executed
Place malware in %SystemRoot% with a file name identical to a DLL in %SystemRoot%\System32
− Assumption: the malware's file name is not a "Known DLL" (names on the KnownDLLs list are resolved from the registry-backed list before any directory is searched, so the trick fails for them)
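The look-alike service described above copies every attribute a service listing shows, so a listing alone cannot tell the impostor from the real thing. The following is an added example (not code from the original slides): it stacks service records across hosts and flags the host whose binary hash disagrees with the fleet majority, which is the one attribute the attacker cannot copy. The inventory, host names, paths and hash strings are constructed placeholders, not real indicators.

```python
"""Stack service attributes across a fleet to expose a look-alike service.

Name, description, ImagePath, file size and strings are cheap to imitate;
the file's hash is not.  Group records by (name, ImagePath) and flag hosts
whose hash is not the majority hash for that service.
"""
from collections import Counter, defaultdict

# Constructed records, one per (host, service).  In practice they come from
# a service inventory (sc query / WMI / an IR agent) plus a hash of each
# binary on disk.  Hash values here are placeholders.
INVENTORY = [
    {"host": "ws01", "name": "SAP Agent", "image": r"C:\Program Files\SAP\sapagent.exe", "size": 184320, "sha256": "aaaa1111"},
    {"host": "ws02", "name": "SAP Agent", "image": r"C:\Program Files\SAP\sapagent.exe", "size": 184320, "sha256": "aaaa1111"},
    {"host": "ws03", "name": "SAP Agent", "image": r"C:\Program Files\SAP\sapagent.exe", "size": 184320, "sha256": "aaaa1111"},
    # Same name, path and size as the real service, different bytes.
    {"host": "ws04", "name": "SAP Agent", "image": r"C:\Program Files\SAP\sapagent.exe", "size": 184320, "sha256": "deadbeef"},
    # A service seen on too few hosts to form a majority.
    {"host": "ws01", "name": "Print Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "size": 65536, "sha256": "bbbb2222"},
    {"host": "ws02", "name": "Print Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "size": 65536, "sha256": "bbbb3333"},
]


def stack_services(records):
    """Group records by (service name, ImagePath), counting distinct hashes."""
    groups = defaultdict(Counter)
    for r in records:
        groups[(r["name"].lower(), r["image"].lower())][r["sha256"]] += 1
    return groups


def find_impostors(records, min_hosts=3):
    """Return (host, service name, sha256) for every record whose hash is not
    the majority hash of a service present on at least min_hosts hosts.

    The threshold skips services seen on only a couple of hosts, where there
    is no majority to compare against.
    """
    majority = {}
    for key, hashes in stack_services(records).items():
        if sum(hashes.values()) >= min_hosts:
            majority[key] = hashes.most_common(1)[0][0]
    hits = []
    for r in records:
        key = (r["name"].lower(), r["image"].lower())
        if key in majority and r["sha256"] != majority[key]:
            hits.append((r["host"], r["name"], r["sha256"]))
    return sorted(hits)


def size_only_comparison(records):
    """The check the attacker is defeating: compare file sizes only.
    Returns service names whose size differs anywhere in the fleet."""
    sizes = defaultdict(set)
    for r in records:
        sizes[(r["name"].lower(), r["image"].lower())].add(r["size"])
    return sorted(name for (name, _), s in sizes.items() if len(s) > 1)


if __name__ == "__main__":
    print("size-only comparison flags:", size_only_comparison(INVENTORY))
    for host, name, digest in find_impostors(INVENTORY):
        print(f"{host}: {name!r} hash {digest} differs from the fleet majority")
```

With the constructed inventory the size comparison flags nothing, while the hash stacking isolates ws04. Lowering `min_hosts` trades false positives (two hosts with legitimately different versions) for coverage of rare services.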
Why does %SystemRoot% Malware work?
When an executable loads a DLL, Windows looks for it in this order (simplified; the full search order is in the reference below):
1. Known DLLs (listed in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs; the list exists for load-time speed, not as a security control)
2. The directory the executable was loaded from
3. %SystemRoot%\System32
Ref: http://msdn.microsoft.com/en-us/library/7d83bc18(VS.80).aspx
A user logs in, Explorer.exe (which lives in %SystemRoot%) starts and loads its DLLs.
For each DLL Windows checks:
− 1. Known DLLs = not found (the planted name is not on the list)
− 2. Directory of the executable (%SystemRoot%) = found: the planted copy
The malware executes and then loads the legitimate DLL from %SystemRoot%\System32, so Explorer keeps working and nothing looks broken.
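The search order above can be turned directly into a check. The following is an added example (not from the original slides): a small model of the simplified loader order, then a scan that lists DLLs in %SystemRoot% that a %SystemRoot% executable such as explorer.exe would load in place of the System32 copy. The directory listings and the KnownDLLs set are constructed for the example; on a live host they would come from `os.listdir()` and from the value names under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.

```python
"""Find DLLs planted in %SystemRoot% that shadow a %SystemRoot%\System32 DLL.

Model of the simplified search order from the slide:
  1. KnownDLLs (never loaded from a directory search)
  2. the directory the executable was loaded from
  3. %SystemRoot%\System32
"""
import os

# Constructed: a handful of names from the KnownDLLs list.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "shell32.dll"}

# Constructed listing of %SystemRoot%: explorer.exe plus two planted DLLs.
SYSTEMROOT_FILES = ["explorer.exe", "regedit.exe", "win.ini",
                    "shell32.dll",   # planted, but a KnownDLL: never loaded from here
                    "ntshrui.dll"]   # planted, not a KnownDLL: wins the search
# Constructed listing of %SystemRoot%\System32.
SYSTEM32_FILES = ["kernel32.dll", "user32.dll", "shell32.dll", "ntshrui.dll", "cmd.exe"]


def resolve(dll, app_dir_files, system32_files, known_dlls=KNOWN_DLLS):
    """Report where `dll` would be loaded from for an executable living in the
    directory listed by app_dir_files.
    Returns 'KnownDLLs', 'app_dir', 'System32' or None (not found)."""
    name = dll.lower()
    if name in {k.lower() for k in known_dlls}:
        return "KnownDLLs"
    if name in {f.lower() for f in app_dir_files}:
        return "app_dir"
    if name in {f.lower() for f in system32_files}:
        return "System32"
    return None


def shadowed_dlls(systemroot_files, system32_files, known_dlls=KNOWN_DLLS):
    """DLLs in %SystemRoot% that a %SystemRoot% executable (explorer.exe)
    would load instead of the same-named DLL in System32."""
    sys32 = {f.lower() for f in system32_files}
    hits = []
    for f in systemroot_files:
        name = f.lower()
        if not name.endswith(".dll") or name not in sys32:
            continue
        if resolve(name, systemroot_files, system32_files, known_dlls) == "app_dir":
            hits.append(name)
    return sorted(hits)


def scan_live_host():
    """Run the same check against the real directories of a Windows host.
    KNOWN_DLLS is still the constructed list; read the registry key named in
    the lead-in to use the real one."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return shadowed_dlls(os.listdir(root), os.listdir(os.path.join(root, "System32")))


if __name__ == "__main__":
    print("shadowed:", shadowed_dlls(SYSTEMROOT_FILES, SYSTEM32_FILES))
```

A hit from `shadowed_dlls` is not proof of compromise (a few DLLs legitimately exist in both places), but any DLL in %SystemRoot% whose name matches a System32 DLL and is not a KnownDLL deserves a hash comparison against the System32 copy.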
More Difficult to Find
Create a new service with a plausible-sounding name
− Example:
  Service Name = Genuine Installer Service
  ImagePath or ServiceDLL = malware.exe or malware.dll
Add an "Installed Components" (Active Setup) registry entry
− Example:
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random Variable]\StubPath = malware.exe
  (the subkey is normally a GUID; StubPath commands run at logon for each user who has not yet run that component)
Modify the ImagePath or ServiceDLL of an unused service
− Example:
  Service Name = Distributed Link Tracking Client
  ImagePath or ServiceDLL = malware.exe or malware.dll
Simple Stuff
Malware in the user's Startup folder
− Used in phishing attacks
− Works when the user is not an administrator (no elevated rights needed)
Modify "Run" regkeys
− Over a dozen possible regkeys (Run, RunOnce and their variants under HKLM and HKCU)
Modify the "Userinit" regkey
− Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Userinit
− Normal data: userinit.exe, (a single entry with a trailing comma); modified: userinit.exe, malware.exe
Contact Information
christopher.glyer@mandiant.com
Mandiant Oktoberfest User Conference
− Alexandria, Va. October 12-13
− www.mandiant.com/oktoberfest
More MANDIANT info
− www.mandiant.com
− blog.mandiant.com
− mandiant.com/products/free_software
  Indicator of Compromise Editor (IOCe)
  Memoryze
  Highlighter
  Web Historian