examples of recent apt persistence mechanisms - SANS Computer ...

Christopher Glyer, Manager

EXAMPLES OF RECENT APT PERSISTENCE MECHANISMS


2

Introductions

CHRISTOPHER GLYER
IR engagement manager at Mandiant
5 APT investigations in the last year
Largest investigation:
− ~250 compromised systems
− ~150 unique malware
− 5 APT groups
− Compromised > 3 years


3

Let’s Start with the “Fun” Stuff

Identify legit service on 100 systems: e.g. “SAP Agent”
− On new system create service with identical:
  Description
  ImagePath
  ServiceDLL
  File size
  Strings in binary as the legitimate exe or dll
Malware installed as Microsoft Office Add-in
− When MS Word starts, malware executed
Place malware in %SystemRoot% named identical to DLL in %SystemRoot%\System32
− Assumption: Malware file name != “Known DLL”


4

Why does %SystemRoot% Malware work?

When a DLL is called, Windows checks for DLL in:
1. Known DLLs (listed in registry – for speed, not security)
2. Current directory of executable
3. %SystemRoot%\System32
Ref: http://msdn.microsoft.com/en-us/library/7d83bc18(VS.80).aspx
User logs in to system, Explorer.exe executes, calls DLLs
Windows will check for called DLL in:
− 1. Known DLLs = not found
− 2. Current directory (%SystemRoot%) = found
Malware executes and then calls the legit DLL in %SystemRoot%\System32


5

More Difficult to Find

Create new service that sounds normal
− Example:
  Service Name = Genuine Installer Service
  ImagePath or ServiceDLL = malware.exe or dll
Modify “Installed Components” regkey
− Example:
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random Variable]\StubPath\malware.exe
Modify ImagePath or ServiceDLL of unused service
− Example:
  Service Name = Distributed Link Tracking Client
  ImagePath or ServiceDLL = malware.exe or dll


6

Simple Stuff

Malware in user’s startup folder
− Used in phishing attacks
− user != administrator
Modify “Run” regkeys
− Over a dozen possible regkeys
Modify “Userinit” regkey
− HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit\userinit.exe,malware.exe
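A defender-side check for two of the mechanisms in these slides, the %SystemRoot% DLL shadowing of slides 3 and 4 and the Userinit append of slide 6, added here as an example that is not part of the original talk. It reads the KnownDLLs list and the Userinit value from their standard registry locations (the Winlogon key lives under "Windows NT" on current Windows versions); the file lists and Userinit strings used in the tests are constructed.

```python
"""Hunt for two persistence mechanisms from these slides: a DLL dropped in
%SystemRoot% that shadows a System32 DLL, and an extra executable appended
to the Winlogon Userinit value."""
import ntpath
import os
import sys


def find_shadowing_dlls(systemroot_files, system32_files, known_dlls):
    """DLL names sitting directly in %SystemRoot% that also exist in System32
    and are not KnownDLLs (KnownDLLs resolve from System32 before the current
    directory is searched, so they cannot be shadowed this way)."""
    known = {k.lower() for k in known_dlls}
    s32 = {f.lower() for f in system32_files if f.lower().endswith(".dll")}
    return sorted(f for f in systemroot_files
                  if f.lower() in s32 and f.lower() not in known)


def parse_userinit(value):
    """Entries of a comma-separated Userinit value other than userinit.exe,
    e.g. 'userinit.exe,malware.exe' -> ['malware.exe']."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    # ntpath handles backslash paths even when run on a non-Windows analyst box
    return [e for e in entries
            if ntpath.basename(e).lower() != "userinit.exe"]


def live_scan():
    """Run both checks against the local Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    root = os.environ["SystemRoot"]
    hklm = winreg.HKEY_LOCAL_MACHINE
    # KnownDLLs value data is the file name (e.g. "kernel32.dll"); the
    # DllDirectory values hold a path instead and are skipped.
    known = []
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs") as k:
        for i in range(winreg.QueryInfoKey(k)[1]):
            data = winreg.EnumValue(k, i)[1]
            if str(data).lower().endswith(".dll"):
                known.append(str(data))
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    return {
        "shadowing_dlls": find_shadowing_dlls(
            os.listdir(root), os.listdir(os.path.join(root, "System32")), known),
        "extra_userinit": parse_userinit(userinit),
    }
```

Call `live_scan()` from a 64-bit Python on a 64-bit host, since a 32-bit interpreter has its System32 listing redirected to SysWOW64; any name returned under `shadowing_dlls` deserves a hash comparison against the System32 copy before being treated as benign.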


7

Contact Information

christopher.glyer@mandiant.com
Mandiant Oktoberfest User Conference
− Alexandria, Va. October 12-13
− www.mandiant.com/oktoberfest
More MANDIANT info
− www.mandiant.com
− blog.mandiant.com
− mandiant.com/products/free_software
  Indicator of Compromise Editor (IOCe)
  Memoryze
  Highlighter
  Web Historian
