examples of recent apt persistence mechanisms - SANS Computer ...

computer.forensics.sans.org


Christopher Glyer, Manager

EXAMPLES OF RECENT APT PERSISTENCE MECHANISMS



Introductions

CHRISTOPHER GLYER
IR engagement manager at Mandiant
5 APT investigations in the last year
Largest investigation:
− ~250 compromised systems
− ~150 unique malware
− 5 APT groups
− Compromised > 3 years



Let’s Start with the “Fun” Stuff

Identify a legitimate service present on 100 systems, e.g. “SAP Agent”
− On the newly compromised system, create a service with an identical Description, ImagePath, ServiceDLL, file size and strings in the binary as the legitimate exe or DLL

Malware installed as a Microsoft Office add-in
− When MS Word starts, the malware is executed

Place malware in %SystemRoot% with a name identical to a DLL in %SystemRoot%\System32
− Assumption: the malware file name != a “Known DLL”
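The cloned-service trick on this slide copies every descriptive field (name, description, ImagePath, ServiceDLL, file size, strings), so the one thing a defender can still compare across the fleet is the content hash. The following is an added example, not code from the presentation or from Mandiant: it takes constructed per-host service records (host names, path and hash values are made up) and flags the host whose copy of the service has a minority SHA-256 while every descriptive field matches the majority.

```python
"""Fleet-wide comparison of one service's binary.

Added example, not from the slides. The records are constructed to model
what an IR team collects per host for a service: name, description,
ImagePath, file size and SHA-256. A cloned service copies every descriptive
field, so the content hash is the field that still separates it.
"""
from collections import Counter

# Constructed inventory: the same service on four hosts; host names, path and
# hash values are made up (hashes shortened to 8 hex digits for readability).
SERVICE_INVENTORY = [
    {"host": "WS001", "service": "SAP Agent", "description": "SAP Host Agent",
     "image_path": r"C:\Program Files\SAP\hostctrl\exe\saphostexec.exe",
     "size": 1048576, "sha256": "0a1b2c3d"},
    {"host": "WS002", "service": "SAP Agent", "description": "SAP Host Agent",
     "image_path": r"C:\Program Files\SAP\hostctrl\exe\saphostexec.exe",
     "size": 1048576, "sha256": "0a1b2c3d"},
    {"host": "WS003", "service": "SAP Agent", "description": "SAP Host Agent",
     "image_path": r"C:\Program Files\SAP\hostctrl\exe\saphostexec.exe",
     "size": 1048576, "sha256": "0a1b2c3d"},
    # Same name, description, path and size, different content.
    {"host": "WS042", "service": "SAP Agent", "description": "SAP Host Agent",
     "image_path": r"C:\Program Files\SAP\hostctrl\exe\saphostexec.exe",
     "size": 1048576, "sha256": "deadbeef"},
]

DESCRIPTIVE_FIELDS = ("description", "image_path", "size")


def group_by_service(records):
    """Bucket inventory records by service name."""
    groups = {}
    for record in records:
        groups.setdefault(record["service"], []).append(record)
    return groups


def hash_outliers(records):
    """Hosts whose copy of a service has a minority SHA-256 for that service.

    Majority vote assumes fewer than half the hosts carry the clone; with a
    known-good vendor hash available, compare against that instead.
    """
    outliers = []
    for service, group in group_by_service(records).items():
        if len(group) < 2:
            continue
        majority_hash = Counter(r["sha256"] for r in group).most_common(1)[0][0]
        reference = next(r for r in group if r["sha256"] == majority_hash)
        for record in group:
            if record["sha256"] == majority_hash:
                continue
            outliers.append({
                "host": record["host"],
                "service": service,
                "sha256": record["sha256"],
                "majority_sha256": majority_hash,
                # Which descriptive fields the clone copied: all of them here.
                "fields_matching_majority": [
                    f for f in DESCRIPTIVE_FIELDS if record[f] == reference[f]],
            })
    return outliers
```

The `fields_matching_majority` list is the point of the output: when it contains every descriptive field and only the hash differs, the record looks exactly like the cloning technique on this slide rather than a stale or mis-installed binary.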



Why does %SystemRoot% Malware work?

When a DLL is loaded, Windows checks for the DLL in:
1. Known DLLs (listed in the registry – for speed, not security)
2. Current directory of the executable
3. %SystemRoot%\System32
Ref: http://msdn.microsoft.com/en-us/library/7d83bc18(VS.80).aspx

User logs in to the system, Explorer.exe executes and calls DLLs
Windows will check for the called DLL in:
− 1. Known DLLs = not found
− 2. Current directory (%SystemRoot%) = found
Malware executes and then calls the legitimate DLL in %SystemRoot%\System32
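To make the search order on this slide concrete, here is an added example (not code from the presentation) that walks the three-step order over a constructed file listing and, separately, lists the condition a defender can sweep for: a file directly in %SystemRoot% that shares its name with a System32 DLL and is not protected by the Known DLLs list. The Known DLLs subset, the listing and the planted file name `sample.dll` are all made up for the example; the real Known DLLs list lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

```python
"""DLL search-order walk and %SystemRoot% shadow sweep.

Added example, not from the slides. Follows the slide's simplified order
(Known DLLs, executable's directory, System32) over a constructed listing.
"""
import ntpath  # Windows path semantics regardless of the host OS

# Constructed subset of the Known DLLs list (the real one is in the registry
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "shell32.dll", "advapi32.dll"}

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = r"C:\Windows\System32"

# Constructed file listing: a small System32 plus one planted copy of the
# made-up "sample.dll" directly in %SystemRoot%, next to explorer.exe.
FILESYSTEM = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\shell32.dll",
    r"C:\Windows\System32\sample.dll",
    r"C:\Windows\System32\other.dll",
    r"C:\Windows\sample.dll",
}


def _exists(path, filesystem):
    """Case-insensitive membership test, as NTFS names are case-insensitive."""
    return path.lower() in {p.lower() for p in filesystem}


def resolve_dll(dll_name, exe_path, filesystem, known_dlls=KNOWN_DLLS):
    """Path Windows would load for dll_name under the slide's search order.

    1. Known DLLs always resolve to System32, regardless of other copies.
    2. Otherwise the directory of the executable is searched first.
    3. Then System32.
    """
    name = dll_name.lower()
    if name in known_dlls:
        return ntpath.join(SYSTEM32, name)
    for directory in (ntpath.dirname(exe_path), SYSTEM32):
        candidate = ntpath.join(directory, name)
        if _exists(candidate, filesystem):
            return candidate
    return None


def shadowed_dlls(filesystem, known_dlls=KNOWN_DLLS):
    """Files directly in %SystemRoot% that share a name with a System32 DLL
    and are not Known DLLs: exactly the files step 2 would load instead of
    the legitimate copy for anything started out of %SystemRoot%."""
    system32_names = {ntpath.basename(p).lower() for p in filesystem
                      if ntpath.dirname(p).lower() == SYSTEM32.lower()}
    hits = []
    for path in sorted(filesystem):
        if ntpath.dirname(path).lower() != SYSTEM_ROOT.lower():
            continue
        name = ntpath.basename(path).lower()
        if name.endswith(".dll") and name in system32_names and name not in known_dlls:
            hits.append(path)
    return hits
```

Run against a real host, `shadowed_dlls` would take a directory listing of %SystemRoot% and System32 and the Known DLLs values read from the registry; each hit is a file to hash and compare against its System32 namesake.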



More Difficult to Find

Create new service that sounds normal
− Example:
  Service Name = Genuine Installer Service
  ImagePath or ServiceDLL = malware.exe or dll

Modify “Installed Components” regkey
− Example:
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random Variable]\StubPath\malware.exe

Modify ImagePath or ServiceDLL of unused service
− Example:
  Service Name = Distributed Link Tracking Client
  ImagePath or ServiceDLL = malware.exe or dll



Simple Stuff

Malware in user’s startup folder
− Used in phishing attacks
− user != administrator

Modify “Run” regkeys
− Over a dozen possible regkeys

Modify “Userinit” regkey
− HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit\userinit.exe, malware.exe
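The registry locations on this slide and the previous one (service ImagePath/ServiceDLL, Active Setup StubPath, the Run keys, Userinit) can all be triaged from a single registry export. The following is an added example, not code from the presentation or from Mandiant: a minimal parser for `.reg`-style text plus checks that flag a Userinit value with anything beyond userinit.exe, and StubPath, Run and service binaries that live outside the usual system and program directories. The export text, GUIDs, service name `GenuineInstaller` and every path in it are constructed; note that a real `.reg` export writes REG_EXPAND_SZ values (such as most ImagePaths) as `hex(2):`, which this parser does not decode.

```python
"""Triage of Windows autostart locations from a registry export.
Added example, not from the slides; the .reg text below is constructed."""
import ntpath

# Constructed .reg-style export. Real exports encode REG_EXPAND_SZ values as
# hex(2):..., which this minimal parser does not decode, so every value here
# is written as a plain string. GUIDs, paths and the service name are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\svchost.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22222222-0000-0000-0000-000000000002}]
"StubPath"="C:\\ProgramData\\svc\\update.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\updater.exe\" -q"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GenuineInstaller]
"DisplayName"="Genuine Installer Service"
"ImagePath"="C:\\ProgramData\\gis\\gis.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"DisplayName"="Distributed Link Tracking Client"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k LocalSystemNetworkRestricted"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters]
"ServiceDll"="C:\\Windows\\Temp\\trkwks.dll"
"""

# Heuristic only: slide 3 shows malware dropped into %SystemRoot% itself, so a
# trusted-looking path still needs a hash or signature check.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def _unescape(value):
    """Undo .reg string escaping: a backslash protects the next character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_reg_export(text):
    """Map each key path to a dict of its quoted string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, _, value = line.partition('"=')
            if value.startswith('"') and value.endswith('"'):
                keys[current][name[1:]] = _unescape(value[1:-1])
    return keys


def expand_env(path):
    """Lower-case and expand the two variables that appear in autostart paths."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split()[0] if command else ""


def in_trusted_dir(command):
    return expand_env(executable_of(command)).startswith(TRUSTED_PREFIXES)


def audit(keys):
    """Return (check, key, value_name, data) findings for the autostart
    locations the slides name: Userinit, Active Setup, Run keys, services."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon") and "Userinit" in values:
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            for entry in values["Userinit"].split(","):
                entry = entry.strip()
                if entry and ntpath.basename(expand_env(entry)) != "userinit.exe":
                    findings.append(("userinit-extra", key, "Userinit", entry))
        elif "\\active setup\\installed components\\" in k and "StubPath" in values:
            if not in_trusted_dir(values["StubPath"]):
                findings.append(("activesetup-untrusted", key, "StubPath", values["StubPath"]))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, cmd in values.items():
                if not in_trusted_dir(cmd):
                    findings.append(("run-untrusted", key, name, cmd))
        elif "\\currentcontrolset\\services\\" in k:
            for name, data in values.items():
                if name.lower() in ("imagepath", "servicedll") and not in_trusted_dir(data):
                    findings.append(("service-untrusted", key, name, data))
    return findings
```

On the constructed export, `audit(parse_reg_export(SAMPLE_EXPORT))` yields five findings: the extra Userinit entry, the Active Setup StubPath under ProgramData, the Run value under Users\Public, the new service's ImagePath, and the ServiceDll of the existing Distributed Link Tracking Client service, which has been pointed at a file in %SystemRoot%\Temp. The benign entries (the regsvr32 StubPath, the SecurityHealth Run value, the TrkWks svchost ImagePath) pass. Because the check is a directory-prefix heuristic, treat each finding as a lead to hash and review, not as a verdict.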



Contact Information

christopher.glyer@mandiant.com

Mandiant Oktoberfest User Conference
− Alexandria, Va. October 12-13
− www.mandiant.com/oktoberfest

More MANDIANT info
− www.mandiant.com
− blog.mandiant.com
− mandiant.com/products/free_software
  Indicator of Compromise Editor (IOCe)
  Memoryze
  Highlighter
  Web Historian
