<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>M-unition &#187; APT</title>
	<atom:link href="http://blog.mandiant.com/archives/tag/apt/feed" rel="self" type="application/rss+xml" />
	<link>https://blog.mandiant.com</link>
	<description>The Ammunition You Need to Find Evil and Solve Crime</description>
	<lastBuildDate>Tue, 07 Feb 2012 15:49:28 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>DoD Cyber Crime Conference Presentation: Recipes for Remediation</title>
		<link>https://blog.mandiant.com/archives/2246?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dod-cyber-crime-conference-presentation-recipes-remediation</link>
		<comments>https://blog.mandiant.com/archives/2246#comments</comments>
		<pubDate>Tue, 07 Feb 2012 15:45:39 +0000</pubDate>
		<dc:creator>Jim Aldridge</dc:creator>
				<category><![CDATA[The Whiteboard]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[attack lifecycle]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DC3]]></category>
		<category><![CDATA[DOD Cyber Crime Conference]]></category>
		<category><![CDATA[host-based firewalls]]></category>
		<category><![CDATA[MANDIANT]]></category>
		<category><![CDATA[remediation]]></category>
		<category><![CDATA[spear phishing attacks]]></category>

		<guid isPermaLink="false">https://blog.mandiant.com/?p=2246</guid>
<description><![CDATA[<p>Wendi Rafferty and I presented at the <a href="http://dc3.mil/dc3/dc3About.php">DoD Cyber Crime conference</a> in Atlanta, GA. Our presentation, “Recipes for Remediation: Key Ingredients for Building a More Resilient Security Program,” has been posted to the MANDIANT Archive Presentations page <a href="http://www.mandiant.com/presentations/key_ingredients_for_building_a_more_resilient_security_program">here</a>.</p>
<p>During our presentation we covered the lifecycle common to many Advanced Persistent Threat (APT) attacks and then outlined several case studies to illustrate countermeasures organizations have successfully deployed to combat the APT. The following items were key points we covered during the workshop:</p>
<p><strong>1.</strong> “This can happen to you!” The time to begin preparing for these activities is now, prior to an incident. <a href="https://blog.mandiant.com/archives/2246" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>Wendi Rafferty and I presented at the <a href="http://dc3.mil/dc3/dc3About.php">DoD Cyber Crime conference</a> in Atlanta, GA. Our presentation, “Recipes for Remediation: Key Ingredients for Building a More Resilient Security Program,” has been posted to the MANDIANT Archive Presentations page <a href="http://www.mandiant.com/presentations/key_ingredients_for_building_a_more_resilient_security_program">here</a>.</p>
<p>During our presentation we covered the lifecycle common to many Advanced Persistent Threat (APT) attacks and then outlined several case studies to illustrate countermeasures organizations have successfully deployed to combat the APT. The following items were key points we covered during the workshop:</p>
<p><strong>1.</strong> “This can happen to you!” The time to begin preparing for these activities is now, prior to an incident.</p>
<p><strong>2.</strong> Organizations should define remediation success as removing today’s attackers from the environment and improving visibility so that subsequent attacks will be detected more quickly. It is not reasonable to define success as eliminating the APT threat, or as preventing the APT from re-compromising systems in the environment.</p>
<p><strong>3.</strong> Developing a remediation plan is not a one-size-fits-all process. Among other items, successful plans need to consider the attacker’s techniques and capabilities, the organization’s current visibility across its networks and systems, and resource constraints. Organizations can help prioritize remediation activities, given limited time and resources, by considering how each proposed activity helps detect, contain, or respond to the various stages of the attack lifecycle.</p>
<p><strong>4.</strong> MANDIANT has seen numerous organizations succeed at remediating APT intrusions by planning for and executing a remediation event, during which the organization isolates the environment and simultaneously implements several eradication, recovery, and hardening activities. This approach generally increases the chance of successful remediation.</p>
<ul>
<li>Not following this approach in response to an APT intrusion generally increases the risk that the incident response effort will decline into a “whack-a-mole” situation. In this type of situation, responders engage in a losing battle of remediating compromised assets as they are identified, while the attacker continues to compromise additional systems with different malware variants. Many organizations begin responding to APT compromises in this manner, which does not ultimately lead to success.</li>
<li>This approach may not be appropriate in all situations or for other threat actors; however, we have generally seen it executed successfully to remediate APT compromises.</li>
</ul>
<p><strong>5.</strong> The following activities tend to be critical remediation event activities; organizations should prepare to execute them prior to an incident.</p>
<ul>
<li>Isolating the WAN from the Internet.</li>
<li>Blocking attackers’ known command-and-control domain names and IP addresses.</li>
<li>Resetting passwords enterprise-wide (including all Active Directory infrastructure and any compromised accounts on other platforms).</li>
<li>Rebuilding compromised systems.</li>
</ul>
<p>These activities have formed the core of remediation event plans successfully executed by numerous MANDIANT clients.</p>
<p><strong>6.</strong> A few of the most critical hardening countermeasures include:</p>
<ul>
<li>Ensuring Windows local administrator accounts are disabled or their passwords set to unique values on every system.</li>
<li>Near-term, implementing application whitelisting on critical systems from which attackers can harvest password hashes en masse (e.g. domain controllers, mail servers, file servers).</li>
<li>Blocking workstation-to-workstation communications using host-based firewalls.</li>
<li>Patching third-party desktop applications that constitute the attack surface for spear-phishing attacks.</li>
</ul>
<p>I hope you find the slides useful. If you have any questions regarding my post or from our presentation, please comment below.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/2246/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat Europe, State Of Malware: Family Ties</title>
		<link>https://blog.mandiant.com/archives/934?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=blackhat-europe-state-malware-family-ties</link>
		<comments>https://blog.mandiant.com/archives/934#comments</comments>
		<pubDate>Mon, 12 Apr 2010 20:56:19 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Whiteboard]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[MANDIANT]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=934</guid>
<description><![CDATA[<p>Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called <a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Silberman">State of Malware: Family Ties</a>. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, <em>State of Malware: Explosion of the Axis of Evil</em>. <a href="https://blog.mandiant.com/archives/934" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called <a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Silberman">State of Malware: Family Ties</a>. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, <em>State of Malware: Explosion of the Axis of Evil</em>, and decided to look at malware families.</p>
<p>There’s a lot to gather from malware families, from a mass-malware perspective looking at Conficker, Bagle, Waledac, Storm Worm, Rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families, and each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOCs) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated, because we know that group and its actors are there solely to move information out. A lot can be extracted from the families we track, and that is why clustering malware into families from a targeted perspective is so important.</p>
<p>Ero and I wonder about a few things:</p>
<ul>
<li>Do mass malware families share enough common attributes across families? For example, does Conficker share code with Waledac? If so, is it enough that we could consider them members of a sub-family, and perhaps even prove they were written by the same author(s) or group of authors?</li>
<li>Do mass malware families share code with APT samples? For example, this could mean that we find samples of SubSeven that match some of our APT backdoors (again, just an example).</li>
</ul>
<p>These two questions alone are very interesting because the results could indicate that some author of a mass malware sample is also authoring malware for targeted attacks.</p>
<p>But we didn&#8217;t stop there. We also wondered:</p>
<ul>
<li>Do rootkits from rootkit.com show very high similarity to rootkits found by MANDIANT and in the wild?</li>
<li>Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.</li>
</ul>
<p>These are all interesting questions, but we had a lot of disappointments when doing the research, and some aha moments where we thought through theories and realized why some wouldn&#8217;t be true. We also had some finds that surprised us, specifically regarding APT. We&#8217;ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screenshots, and a great video that Ero made.</p>
<p>If you can&#8217;t make it to Barcelona, we will be posting our slides and a follow-up blog post. Stay tuned! I also have recently updated the slides for <a href="http://bit.ly/cn8Pca">Advanced Memory Forensics in Incident Response</a> for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/934/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Malware Behaving Badly: Preview</title>
		<link>https://blog.mandiant.com/archives/810?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=malware-behaving-badly-preview</link>
		<comments>https://blog.mandiant.com/archives/810#comments</comments>
		<pubDate>Fri, 12 Feb 2010 15:29:11 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Audit Viewer]]></category>
		<category><![CDATA[CanSecWest]]></category>
		<category><![CDATA[Fresh Prints Malware Behaving Badly]]></category>
		<category><![CDATA[Malware Behaving Badly]]></category>
		<category><![CDATA[Malware Rating Index]]></category>
		<category><![CDATA[Memoryze]]></category>
		<category><![CDATA[MRI]]></category>
		<category><![CDATA[webinar]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=810</guid>
<description><![CDATA[<p>Hope everyone on the northern east coast is staying warm during snowpocalypse. Since I can’t go anywhere, I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.</p>
<p>The webinar, entitled <em>Malware Behaving Badly</em>, is on Thursday, February 18, at 2:00 p.m. <a href="https://blog.mandiant.com/archives/810" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>Hope everyone on the northern east coast is staying warm during snowpocalypse. Since I can’t go anywhere, I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.</p>
<p>The webinar, entitled <em>Malware Behaving Badly</em>, is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a cute play on my DOD Cyber Crime (DC3) <a href="http://www.mandiant.com/uploads/presentations/DoD_2010_PS.pdf">talk</a>, where I first introduced the Malware Rating Index (MRI) in <a href="http://www.mandiant.com/products/research/mandiant_audit_viewer/">Audit Viewer</a> (which is available for download).</p>
<p>If you saw my DC3 talk or viewed the slides and are wondering, “hey, is this the same talk?” the answer is&#8230;well, a little bit. The webinar will build off of a lot of the behaviors and theories I discussed at DC3. We will be addressing new behaviors as well as looking at APT vs. mass malware behaviors. I’ve added two new configurable behaviors to MRI and did enough research to scrap a third. I’ll share those as well as give more real-world examples of how malware exposes itself in memory.</p>
<p>For example, the listing below shows the keylogger, the process, and the file handle that process holds. The file handle is actually the log file the keylogger is writing to.</p>
<table style="height: 158px;" border="0" cellspacing="0" cellpadding="0" width="667">
<col span="3" width="256"></col>
<tbody>
<tr>
<td width="256" height="39">Keylogger Name</td>
<td width="256">Process</td>
<td width="256">Log File</td>
</tr>
<tr>
<td width="256" height="39">Klog</td>
<td width="256">System</td>
<td width="256">\Klog.txt</td>
</tr>
<tr>
<td width="256" height="39">Advanced Keylogger</td>
<td width="256">Explorer</td>
<td width="256">\WINDOWS\Help\dsclientsock.hlp</td>
</tr>
<tr>
<td width="256" height="39">Spector Pro</td>
<td width="256">Explorer</td>
<td width="256">\WINDOWS\system32\avoxnot\BEC7CA9645B2AF87DEEACD53B38B223FEE1C605C.zup</td>
</tr>
</tbody>
</table>
<p>If you didn’t catch my DC3 talk and didn’t understand the slides, this is a good time to get an updated version of the talk. I&#8217;m going to focus on malware behavior: what it does when it&#8217;s installed that makes it stand out in memory. We will cover APT and mass malware, and specifically where we see their behaviors intersect. Some of these behaviors are horribly simple, i.e. flag svchost launched from directories other than \windows\system32. Some are just as simple but may not be as obvious; for example, flag svchost or iexplore if they have a process handle to cmd.exe. These are rules that should never be true.</p>
<p>When discussing rules, I use that term loosely. Basically, in Audit Viewer you now have the option to configure all this information. If you go to Operations -&gt; Configure Malware Rating Index you can configure all these things and a few more not mentioned in this post but covered in the webinar. We will wrap up the webinar, like always, with a live demo. Live demos are the most fun, really; it’s like NASCAR, except it&#8217;s just reputation, not lives, on the line.</p>
<p>I hope you can <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=wh0b6ijw44nk">join us</a>; it should be fun.</p>
<p>If you would like to learn more in depth about how physical memory analysis works, use <a href="http://www.mandiant.com/products/free_software/memoryze/">Memoryze</a> and Audit Viewer, understand MRI, or write your own malware rules, join Jamie and me at the <a href="http://cansecwest.com/dojomemory.html">CanSecWest training</a>. CanSecWest specializes in technical, hands-on classes with an extremely low student-teacher ratio.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/810/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Combat the APT by Sharing Indicators of Compromise</title>
		<link>https://blog.mandiant.com/archives/766?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=combat-apt-sharing-indicators-compromise</link>
		<comments>https://blog.mandiant.com/archives/766#comments</comments>
		<pubDate>Tue, 26 Jan 2010 14:03:27 +0000</pubDate>
		<dc:creator>mfrazier</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[humint]]></category>
		<category><![CDATA[MIR]]></category>
		<category><![CDATA[sizzle]]></category>
		<category><![CDATA[xml]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=766</guid>
<description><![CDATA[<p>At MANDIANT, we value human intelligence &#8211; ground truth, intelligent decision-making and adapting to your enemy&#8217;s tactics. Since expert humans can&#8217;t be everywhere, we&#8217;ve built a means to exchange enough ground truth and decision-making that security experts can spend more energy applying expertise and less time parsing and pruning stale datasets, and can leverage their expertise across organizations and between compromises. <a href="https://blog.mandiant.com/archives/766" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>At MANDIANT, we value human intelligence &#8211; ground truth, intelligent decision-making and adapting to your enemy&#8217;s tactics. Since expert humans can&#8217;t be everywhere, we&#8217;ve built a means to exchange enough ground truth and decision-making that security experts can spend more energy applying expertise and less time parsing and pruning stale datasets, and can leverage their expertise across organizations and between compromises.</p>
<p>Historically, compromise data has been exchanged in CSVs or PDFs laden with tables of &#8220;known bad&#8221; malware information &#8211; name, size, MD5 hash values and paragraphs of imprecise descriptions, supplemented by ad-hoc exchanges between targets.</p>
<p>MANDIANT, inspired by field pressures, operation after operation, imagined a way to exchange not only indicators of specific compromises but structures that formalize the human intelligence of decision-making, rules, exceptions, and ongoing adaptability. Our Indicators of Compromise (IOCs) were shaped operationally, detecting real-world threats. We help our clients detect the APT right now, and they&#8217;re exchanging information about it using IOCs.</p>
<p>Conventional compromise datasets consist of table after table of immediately stale data capturing few, if any, relationships. An Indicator of Compromise (IOC), however, is a Boolean decision tree that discriminates an indicator from a false positive, theory from ground truth. What&#8217;s more, when you discover an exception or extension to a well-known IOC, you can describe it concisely and proactively, authenticate its source, and re-evaluate your existing data to detect new instances of old compromises. This way, as a threat group adapts to your detections, you retain an IOC&#8217;s identity and maintain the value of intelligence shared with other targets over time.</p>
<p><a href="http://blog.mandiant.com/wp-content/ammo/whats-an-indicator-copy_11.png"><img class="aligncenter size-full wp-image-799" title="whats-an-indicator copy_1" src="http://blog.mandiant.com/wp-content/ammo/whats-an-indicator-copy_11.png" alt="" width="480" height="360" /></a></p>
<p>Importantly, IOC is industry-standard XML so you already have tools and a community of experts who can comprehend, transform, and leverage new data immediately. Unlike many XML standards however, it&#8217;s simple &#8211; developed operationally with an eye toward staying adaptable, transformable, and scalable. IOC describes relationships which indicate compromise &#8211; this makes the format resilient to new data formats, data sources and decision engines.</p>
<p>At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We&#8217;ll have full coverage of the release on M-unition &#8211; stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/766/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>DOD Cyber Crime: New Audit Viewer/Memoryze</title>
		<link>https://blog.mandiant.com/archives/741?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dod-cyber-crime-audit-viewermemoryzetalks</link>
		<comments>https://blog.mandiant.com/archives/741#comments</comments>
		<pubDate>Fri, 22 Jan 2010 02:23:15 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Whiteboard]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Audit Viewer]]></category>
		<category><![CDATA[DC3]]></category>
		<category><![CDATA[DOD Cyber Crime]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Malware Rating Index]]></category>
		<category><![CDATA[MANDIANT]]></category>
		<category><![CDATA[Memoryze]]></category>
		<category><![CDATA[MRI]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=741</guid>
		<description><![CDATA[<p>MANDIANT is going to be at DOD Cyber Crime this year. Jamie and I have both been heads down for many weeks now working on some pretty cool stuff. We are starting to come up for air and what that means for you is updates to Memoryze and Audit Viewer. <a href="https://blog.mandiant.com/archives/741" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>MANDIANT is going to be at DOD Cyber Crime this year. Jamie and I have both been heads down for many weeks now working on some pretty cool stuff. We are starting to come up for air, and what that means for you is updates to Memoryze and Audit Viewer. We will be releasing new versions of each that coincide with DC3. I, along with many of my co-workers, will be presenting and attending. My talk abstract is very ambiguous, so I thought I’d take a brief second to discuss both the talk and the changes to Audit Viewer and Memoryze.</p>
<p>The talk is going to be interactive. And dammit I don’t care if you don’t want to interact with me. I&#8217;m both very convincing, persistent and well&#8230;charming! You will feel compelled to join in on this talk. I promise. I know this because I&#8217;m bringing bribes… And yes, I&#8217;m bringing what you are thinking.</p>
<p>This talk will contain a brief intro to memory analysis, a FAQ, etc. We are not going to waste much time on the nitty gritty, since most people are not interested in how we chop off the last 12 bits to get a physical offset from a virtual address. I know, you just fell asleep a little. During this talk I will make a case for why memory analysis is important. I will pull from previous APT investigations where disk analysis failed and had to be used in conjunction with memory analysis. Finally, we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I&#8217;ll walk through the investigation of a system infected by the APT.</p>
<p>Now, a little more about MRI. MRI is a huge update to Audit Viewer. Instead of going after a fish (malware) with a hook (signatures), I&#8217;m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First, it is going to help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst&#8217;s way. Second, it is designed to make APT detection easier. A lot of work went into looking at our samples and how they behave, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:</p>
<ul>
<li>Process Path Verification – allows users to define which processes should be launched from which directories. This triggers on malware that copies and names itself after svchost or other system processes into subdirectories within system folders. For example, a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else, we flag the process.</li>
<li>Process User Verification – allows users to define which processes should be running under which users. This triggers on malware spawning svchost for purposes of unmapping image bases or hiding DLLs within the spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as Local Service, Network Service, or System. When Audit Viewer sees svchost running as Administrator, it gets flagged.</li>
<li>Process Handle Inspection – allows you to define specific rules pertaining to particular malware or to generic behavior. For example, a default rule is to flag svchost or iexplore any time it has a process handle to cmd.exe. There is just no good reason for this to <em>ever</em> happen. You can also define rules based on specific malware; for example, if the a3c mutant is present, flag the process as being infected with Sality.</li>
</ul>
<p>All of these features are configurable from the UI by going to operations -&gt; Configure MANDIANT MRI.</p>
<p>The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on, Memoryze performs a “digital signature check” on all loaded modules. This can only be enabled for live memory analysis. The digital signature check verifies that the module on disk is digitally signed. We do a bunch of math and use our Least Frequency of Occurrence to trust modules that aren&#8217;t signed but occur in more than X% of processes, where X is defined by the user. We won&#8217;t flag or catch modified binaries in memory, so if a rootkit is doing userland hooking (it should be ashamed), we won&#8217;t know about it, because we are checking disk to determine if it is digitally signed. There are a lot of reasons why we can’t verify in-memory digital signatures; it might make an interesting blog post to detail them all. With that said, this new feature gives us a good working idea of how much of the loaded modules in the process address space are signed and therefore trusted. It&#8217;s had fantastic results thus far. I’ve been using it on old incidents to see if we could have sped up results using these new methods. The answer seems to be yes in a lot of cases.</p>
<p>After DC3 I’ll have more blog posts detailing how you can use and write better rules for MRI. But for now there will be a default distribution that you can use and modify. Again, like always, Audit Viewer is open source and free, which means you can see the logic and rules behind MRI. Memoryze is and will stay free.</p>
<p>If you are going to be at DC3 and want to grab a beer I will be there from Sun (night)-Weds. Unfortunately I&#8217;m going to be missing all the great talks on Thurs so I can leave to compete in the <a href="http://www.toughguy.co.uk">Tough Guy Challenge</a>. You are more than welcome to join at this race in Northern England. As I understand it there are still some open slots! See everyone at DC3!</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/741/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>M-Trends: Advanced Persistent Threat Malware</title>
		<link>https://blog.mandiant.com/archives/730?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=m-trends-advanced-persistent-threat-malware</link>
		<comments>https://blog.mandiant.com/archives/730#comments</comments>
		<pubDate>Fri, 15 Jan 2010 18:44:29 +0000</pubDate>
		<dc:creator>wendi</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[M-Trends]]></category>
		<category><![CDATA[malware analysis]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=730</guid>
<description><![CDATA[<p>There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, its capabilities, and how the attackers leverage a variety of malware throughout a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques. <a href="https://blog.mandiant.com/archives/730" class="read_more">Read the rest</a></p>]]></description>
<content:encoded><![CDATA[<p>There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, its capabilities, and how the attackers leverage a variety of malware throughout a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques.</p>
<p>The most significant commonality of APT malware is that it hides in plain sight. It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware's outbound beaconing attempts.</p>
<p>A few of the most telling statistics about APT malware are listed below:</p>
<p>APT Malware:</p>
<ul>
<li>Average File Size: 121.85 KB</li>
</ul>
<p>Most Common APT Filenames:</p>
<ul>
<li>svchost.exe (most common)</li>
<li>iexplore.exe</li>
<li>iprinp.dll</li>
<li>wiinzf32.dll</li>
</ul>
<p>APT Malware avoids anomaly detection through:</p>
<ul>
<li>Outbound HTTP connections</li>
<li>Process injection</li>
<li>Service persistence</li>
</ul>
<p>APT Malware Communication:</p>
<ul>
<li>100% of APT backdoors made only outbound connections
<ul>
<li>83% used TCP port 80 or 443</li>
<li>17% used another port</li>
</ul>
</li>
</ul>
<p>Because APT malware is custom-written and blends in as described above, simple indicators such as MD5 hashes, filenames, and traditional anti-virus signatures usually yield a low rate of true positives.  M-Trends will provide detailed information about how exactly organizations can posture themselves for success when fighting attackers with such specialized and sophisticated capabilities.</p>
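<p>The filename list above and the point about filename signatures both come down to the same check an analyst applies to a process listing or memory audit: is the image in the directory the real binary lives in, does it have the parent the real binary has (services.exe for svchost.exe), and does any loaded module carry one of the DLL names from the list, which have no legitimate counterpart. The code below is an added example of that check; it is not from the post and not Memoryze or Audit Viewer code. The process records are constructed sample data. The expected directory and parent for svchost.exe and the directory for iexplore.exe are standard Windows facts; the iexplore.exe parent is deliberately left unchecked because it is started in more than one legitimate way.</p>

```python
"""Flag processes that borrow legitimate Windows binary names.

Added example; not from the post and not Memoryze/Audit Viewer code.
The process records are constructed sample data (assumption); the expected
directory and parent for svchost.exe and the directory for iexplore.exe are
standard Windows facts.
"""
import ntpath

# Where the real binary lives and who is expected to start it.
# parent=None means "do not check": iexplore.exe has several legitimate parents.
EXPECTED = {
    "svchost.exe": {"dir": r"c:\windows\system32", "parent": "services.exe"},
    "iexplore.exe": {"dir": r"c:\program files\internet explorer", "parent": None},
}

# DLL names from the post that have no legitimate counterpart: any hit is
# worth a look on its own.
KNOWN_BAD_NAMES = {"iprinp.dll", "wiinzf32.dll"}

# Constructed sample process listing (assumption), as a memory audit or a
# process dump would supply it: name, parent name, image path, loaded modules.
SAMPLE_PROCESSES = [
    {"pid": 880, "name": "svchost.exe", "parent": "services.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll"]},
    {"pid": 1412, "name": "svchost.exe", "parent": "explorer.exe",
     "path": r"C:\Windows\Temp\svchost.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll"]},
    {"pid": 2044, "name": "iexplore.exe", "parent": "explorer.exe",
     "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll",
                 r"C:\Windows\System32\iprinp.dll"]},
    {"pid": 3108, "name": "svchost.exe", "parent": "cmd.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "modules": []},
]


def check_process(proc):
    """Return a list of findings for one process record (empty = looks normal).

    Comparisons are case-insensitive because NTFS paths and process names are.
    ntpath is used so the backslash paths parse the same way on any platform.
    """
    findings = []
    name = proc["name"].lower()
    path = proc["path"].lower()
    parent = proc["parent"].lower() if proc["parent"] else None

    expected = EXPECTED.get(name)
    if expected:
        if ntpath.dirname(path) != expected["dir"]:
            findings.append(f"{name} running from unexpected directory {proc['path']}")
        if expected["parent"] and parent != expected["parent"]:
            findings.append(f"{name} started by {proc['parent']}, expected {expected['parent']}")

    for module in proc["modules"]:
        if ntpath.basename(module).lower() in KNOWN_BAD_NAMES:
            findings.append(f"known-bad module name loaded: {module}")
    return findings


def audit(processes):
    """Map pid -> findings for every process that has at least one finding."""
    report = {}
    for proc in processes:
        findings = check_process(proc)
        if findings:
            report[proc["pid"]] = findings
    return report


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_PROCESSES).items():
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

<p>On the sample, pid 880 passes, pid 1412 is flagged twice (wrong directory and wrong parent), pid 2044 is flagged for the iprinp.dll module, and pid 3108 is flagged because a real svchost.exe image was started by cmd.exe rather than services.exe. The path and parent tests catch the dropped-file case; they do not catch injection into a legitimate process, which is why the module-name test, and in practice a memory audit of injected code, still matters.</p>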
<p>If you’d like to register for a copy of “M-Trends,” drop us a note at info(at)mandiant(dot)com; otherwise, keep your eyes peeled to our blog and <a href="http://www.mandiant.com/" target="_blank">http://www.mandiant.com</a> for the official release of “M-Trends.”</p>
<p>Special Thanks to Peter Silberman, the MANDIANT malware analysis team, and product engineers for their work in developing this information.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/730/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>M-Trends: The Advance of the Persistent Threat</title>
		<link>https://blog.mandiant.com/archives/720?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=m-trends-the-advance-of-the-persistent-threat</link>
		<comments>https://blog.mandiant.com/archives/720#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:38:54 +0000</pubDate>
		<dc:creator>wendi</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[M-Trends]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=720</guid>
		<description><![CDATA[<p>The Advanced Persistent Threat (APT) is an advanced persistent reality!   It’s all over the news.  Everyone seems to be either talking about it or affected by it.  MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. <a href="https://blog.mandiant.com/archives/720" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Advanced Persistent Threat (APT) is an advanced persistent reality!   It’s all over the news.  Everyone seems to be either talking about it or affected by it.  MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years.  The vast majority of APT activity observed by MANDIANT has been linked to China.</p>
<p>MANDIANT has over seven years experience conducting Advanced Persistent Threat (APT) intrusion investigations for the U.S. government, the defense industrial base and commercial organizations.  During that time, we’ve learned many things, and we want to share our lessons learned with the security community.  A team of our APT experts has been working diligently on a report that we call “M-Trends.”   M-Trends focuses on what the APT attackers do and how they do it.</p>
<p>Some highlights from “M-Trends” include:</p>
<ul>
<li>The APT isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem.</li>
<li>No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.</li>
<li>Classic “prevent and detect” techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on their target’s own hosts and exfiltrating data in its own network traffic.   A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.</li>
<li>The APT’s goals are twofold:
<ul>
<li>to steal information to achieve economic, political and strategic advantage.</li>
<li>to establish and maintain an occupying force in their target’s environment, a force they can call on at any time. When the APT wants additional data from a target, they don’t need to re-establish a presence. They simply call on their existing assets, locate, steal and exfiltrate the data they need.</li>
</ul>
</li>
</ul>
<p>We will introduce “M-Trends” at a launch party during the 2010 DoD Cyber Crime conference in St. Louis, MO.  The report authors will be there to answer your questions and share their knowledge.  If you’ll be in St. Louis, stop by and see us on Wednesday, January 27 from 6 to 9 in the Crystal Ballroom at the Renaissance Grand.</p>
<p><a href="http://www.mandiant.com/products/services/m-trends">Register for a copy of “M-Trends”</a> and keep your eyes peeled to our blog and <a href="http://www.mandiant.com" target="_blank">http://www.mandiant.com</a> for the official release of “M-Trends.”</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/720/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Join us for The Fresh Prints of Mal-Ware Webinar Series: Explosion of the Axis of Evil!</title>
		<link>https://blog.mandiant.com/archives/669?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=join-us-for-the-fresh-prints-of-mal-ware-webinar-series-explosion-of-the-axis-of-evil</link>
		<comments>https://blog.mandiant.com/archives/669#comments</comments>
		<pubDate>Mon, 26 Oct 2009 13:52:01 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Whiteboard]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Ero Carrera]]></category>
		<category><![CDATA[Fresh Prints of Mal-Ware]]></category>
		<category><![CDATA[MANDIANT]]></category>
		<category><![CDATA[virus total]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=669</guid>
		<description><![CDATA[<p>In September I had the chance to speak at <a href="http://www.sourceconference.com/index.php">Source </a>Barcelona with <a href="http://dkbza.org/">Ero Carrera</a>. We gave a talk entitled <a href="http://www.mandiant.com/Presentations/stateofmalware_sourcebarcelona.pdf"><em>State Of Malware: Explosion of the Axis of Evil</em></a>. Both Ero and I really enjoyed giving this talk and the content is so new, we’ve decided to give it again as a free <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=dncxz4u5wfkm">webinar</a> on Nov 5<sup>th</sup> at 2pm. <a href="https://blog.mandiant.com/archives/669" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>In September I had the chance to speak at <a href="http://www.sourceconference.com/index.php">Source </a>Barcelona with <a href="http://dkbza.org/">Ero Carrera</a>. We gave a talk entitled <a href="http://www.mandiant.com/Presentations/stateofmalware_sourcebarcelona.pdf"><em>State Of Malware: Explosion of the Axis of Evil</em></a>. Both Ero and I really enjoyed giving this talk and the content is so new, we’ve decided to give it again as a free <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=dncxz4u5wfkm">webinar</a> on Nov 5<sup>th</sup> at 2pm. You’ll get the same content, and Ero and I will be speaking. You’ll also get the added bonus of getting to ask us questions.</p>
<p>I know you’re wondering,  ‘Should I be interested in this talk?’ The answer is unequivocally yes. First, you get to hear my and Ero’s angelic voices, which alone is worth the price of admission (free).</p>
<p>Second, this talk runs the gamut of information. Ero will discuss volume, how much VirusTotal sees on a day-to-day basis. He will also cover popular families (I bet you can’t guess which is the most popular, and no it doesn’t start with <em>my</em> and end in <em>doom</em>). Ero will also discuss obfuscation, what trends Virus Total is seeing, what kinds of packers, etc.</p>
<p>I will discuss the Advanced Persistent Threat, specifically speaking about the malware these attackers leave behind. I will discuss how the malware commonly behaves, what it can look like, and why it’s so hard to catch these guys.</p>
<p>You will get interesting statistics like what percent of APT backdoors are detected by any engine VirusTotal supports. You might also see a statistic like what percent of APT uses encryption when communicating.</p>
<p>We’ll cover information that can be interesting to a network administrator trying to protect his company, a CSO who wants to understand the threat landscape better, forensicators who are trying to catch these guys, malware analysts who are curious about behavior, and those who just want to hear our voices!</p>
<p>Hope you guys can join us for a good time, I know Ero and I really enjoyed giving this talk at Source Barcelona and are looking forward to doing it again.</p>
<p>You can sign up for the webinar <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=dncxz4u5wfkm">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/669/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>State Of Malware: Explosion of the Axis of Evil, slides etc</title>
		<link>https://blog.mandiant.com/archives/618?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=state-of-malware-explosion-of-the-axis-of-evil-slides-etc</link>
		<comments>https://blog.mandiant.com/archives/618#comments</comments>
		<pubDate>Mon, 05 Oct 2009 16:17:28 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MANDIANT]]></category>
		<category><![CDATA[source]]></category>
		<category><![CDATA[source barcelona]]></category>
		<category><![CDATA[virus total]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=618</guid>
		<description><![CDATA[<p>Last week Ero Carrera and I spoke at <a href="http://www.sourceconference.com/index.php/source-barcelona-2009">Source Barcelona</a>. As I mentioned <a href="http://blog.mandiant.com/archives/592">previously </a>on this blog we were both very excited to give this talk. The talk went very well!  We could not have asked for a better audience. <a href="https://blog.mandiant.com/archives/618" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>Last week Ero Carrera and I spoke at <a href="http://www.sourceconference.com/index.php/source-barcelona-2009">Source Barcelona</a>. As I mentioned <a href="http://blog.mandiant.com/archives/592">previously </a>on this blog we were both very excited to give this talk. The talk went very well!  We could not have asked for a better audience. The conference itself was also a blast, and I recommend Barcelona to anyone and everyone.</p>
<p>We’ve gotten around to uploading the <a href="http://www.mandiant.com/Presentations/launch.htm">slides</a>.  They include all the statistics we came up with for this talk. When you review the slides, take a look at slide 16, “Complexity of Mydoom,” and slide 17, “Complexity of Kraken.” These two slides depict control flow graphs of the popular malware families Kraken and MyDoom.  Notice how much functionality is crammed into these binaries. For an anti-virus company, that is a lot of data and bytes to work with when generating a signature.</p>
<p>Now look at slide 44, “Sample BA,” which is the control flow graph of an APT sample. Notice some differences? The contrast is the point: the less functionality a binary carries, the less an anti-virus signature has to latch onto. Our hope is that this talk gets people thinking about the different kinds of threat that different malware families pose to organizations, as well as the clear differences between APT and mass malware.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/618/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Source Barcelona: State Of Malware: Explosion of the Axis of Evil</title>
		<link>https://blog.mandiant.com/archives/592?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=source-bareclona-state-of-malware-explosion-of-the-axis-of-evil</link>
		<comments>https://blog.mandiant.com/archives/592#comments</comments>
		<pubDate>Thu, 17 Sep 2009 12:28:39 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[source bareclona]]></category>
		<category><![CDATA[virus total]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=592</guid>
		<description><![CDATA[<p>On Tuesday, September 22nd <a href="http://dkbza.org/">Ero Carrera </a>and I will be giving a talk at  <a href="http://www.sourceconference.com/index.php">Source Barcelona </a>entitled <em>State Of Malware: Explosion of the Axis of Evil</em>. I am very excited to give this talk for a number of reasons. First, I’ve only heard amazing things about the Source conference. <a href="https://blog.mandiant.com/archives/592" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>On Tuesday, September 22nd <a href="http://dkbza.org/">Ero Carrera </a>and I will be giving a talk at  <a href="http://www.sourceconference.com/index.php">Source Barcelona </a>entitled <em>State Of Malware: Explosion of the Axis of Evil</em>. I am very excited to give this talk for a number of reasons. First, I’ve only heard amazing things about the Source conference. Second, well it&#8217;s Barcelona. Finally, this talk is one of a kind. I promise you this type of talk has never been given before.</p>
<p>The talk is made up of two completely different perspectives in the battle against malware. Ero is the CRO at  <a href="http://www.virustotal.com">Virus Total</a> (also a researcher with Zynamics). Virus Total processes tens of thousands of pieces of malware a day. Virus Total’s perspective is very unique; few if any companies process the amount of malware Virus Total processes. Ero will give you statistics on what Virus Total is seeing, such as the trends in packing, how many samples it processes and information about families it is tracking. This will be the first time these statistics will be made public.</p>
<p>I will be speaking from MANDIANT’s perspective. Our perspective differs from Virus Total in that we only deal with very high value targets and very specific custom written malware. It is no secret that MANDIANT is on the forefront of fighting the <a href="http://www.mandiant.com/Presentations/20090514-soh-apt.htm">Advanced Persistent Threat (APT)</a>. Daily we are collecting and analyzing malware that has never seen the light of day. We have never given out details about the individual pieces of malware we’ve collected, and furthermore we’ve never given out statistics on how our overall collection of APT malware behaves. In this talk, you will receive all kinds of good information, such as what percentage of APT outbound communication is encrypted vs. plain text, or what percentage of APT is actually persistent on the host vs. run once. Some of the statistics I’ll be releasing may be very surprising, but also very enlightening.</p>
<p>Our talk will conclude with Ero and me doing our best  <a href="http://www.blaccuweather.com/img/ollie.png">Ollie the Weatherman</a> impression of where we think malware will evolve over the next year or two, and what we can do about it. I’m excited to give this talk because it’s a step away from what Ero and I usually present, and the content is so unique. If you&#8217;re unable to attend the conference look for the slides on our <a href="http://www.mandiant.com">website</a>. Hope to see you there! If you want to meet up for a beer, e-mail me peter.silberman@mandiant.com.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/592/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MANDIANT Breaking News Analysis:   Disruption in the Pacific Rim</title>
		<link>https://blog.mandiant.com/archives/423?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mandiant-breaking-news-analysis-disruption-in-the-pacific-rim</link>
		<comments>https://blog.mandiant.com/archives/423#comments</comments>
		<pubDate>Sat, 11 Jul 2009 13:57:35 +0000</pubDate>
		<dc:creator>MANDIANT</dc:creator>
				<category><![CDATA[The Suite Spot]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[news]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=423</guid>
		<description><![CDATA[<p>Recent hack attacks denying access to a number of South Korean and U.S. government agency web sites and financial institution web sites, provide an opportunity to examine the fundamental differences between disruptive, attention-grabbing attacks and state-sponsored cyber attacks.</p>
<p>In our always-on, breaking news culture, jumping the gun on the intent and origins of an attack can put geopolitical relationships at risk. <a href="https://blog.mandiant.com/archives/423" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>Recent hack attacks denying access to a number of South Korean and U.S. government agency web sites and financial institution web sites, provide an opportunity to examine the fundamental differences between disruptive, attention-grabbing attacks and state-sponsored cyber attacks.</p>
<p>In our always-on, breaking news culture, jumping the gun on the intent and origins of an attack can put geopolitical relationships at risk. The job of the media is to deliver facts that can be verified, and support its news content with insight, expertise and speculation from industry sources on what transpired and who might be responsible.</p>
<p>In the case of the U.S. and South Korean web site denial of service attacks, it took less than 24 hours for the world media to examine, and largely dispel, reports that this particular spate of attacks was ‘state-sponsored’ by the North Korean government or its sympathizers, after reports to the contrary had dominated the headlines in Asia the preceding night.</p>
<p>In an interview with Reuters, MANDIANT Executive Vice President Michael Malin outlined the following differentiators between spot attacks committed to disrupt and gain attention, and state-sponsored cyber-attacks conducted with deeper scale and intent. Malin’s view was corroborated by other industry research and opinions:</p>
<p>1.) Sophistication<br />
Low-tech attacks, Distributed Denial of Service (DDoS) for example, were more commonplace in the late nineties. They feature less sophistication, greater disruption and are designed to make a point, grab attention or feed into a hacker’s notoriety and ego.</p>
<p>State-sponsored attacks, commonly known in government circles as the Advanced Persistent Threat (APT), are far more sophisticated and perpetual in nature. These attacks are intricate, complex and involve a consistent attack stream using a marked increase in human and technology resources to keep its enemy constantly in a reactive position.</p>
<p>2.) Anonymity<br />
Home-grown, low-tech cyber-crime is more likely to be detected eventually and unearthed through traditional criminal investigation and forensic analysis. In many instances, these hackers operate in small clusters or individually, and enjoy the limelight of their acts, including being brought to justice.</p>
<p>State-sponsored cyber-crime is more mysterious, typically conducted under the mainstream radar, highly covert, and targeted at government, energy, financial services or other critical infrastructure. These conspirators are backed by governments or regimes, and identified more as state-sponsored organizations rather than individuals.</p>
<p>3.) Sensitivity<br />
Very simply, applying the same characteristics and profile types to our serial cyber-offenders: was the crime specifically aimed at compromising classified or confidential information, or was it focused more on creating spot havoc and high-profile disruption?</p>
<p>The MANDIANT view:<br />
This attack appeared to be more of a denial of service attack rather than the traditional state-sponsored act. In our experience, state-sponsored actors fly under the radar to either gain access or steal information versus denying or degrading a service.</p>
<p>By better understanding the scope, profile and motives of cyber criminals, we can more effectively identify, anticipate and remediate the crimes they commit.</p>
<p>MANDIANT continues to address the Advanced Persistent Threat, finding evil and solving crime for some of the most critical government organizations and high-value commercial enterprises.</p>
<p>For more in-depth coverage on the South Korea/US web site denial of service attacks, including commentary from MANDIANT Executive Vice President Michael Malin, access the following story from Reuters: <a href="http://www.reuters.com/article/newsOne/idUSTRE5680CC20090709" target="_blank">http://www.reuters.com/article/newsOne/idUSTRE5680CC20090709</a></p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/423/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flex your Memory Forensic skills at CEIC!!!</title>
		<link>https://blog.mandiant.com/archives/318?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=flex-your-memory-forensic-skills-at-ceic</link>
		<comments>https://blog.mandiant.com/archives/318#comments</comments>
		<pubDate>Mon, 11 May 2009 16:15:57 +0000</pubDate>
		<dc:creator>Peter Silberman</dc:creator>
				<category><![CDATA[The Whiteboard]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Audit Viewer]]></category>
		<category><![CDATA[Encase]]></category>
		<category><![CDATA[malware analysis]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=318</guid>
		<description><![CDATA[<p>MANDIANT will be at this year’s Computer Enterprise Investigation Conference (CEIC). I will be there as well running a contest for incident responders. The contest is designed to test your ability to identify malware in memory. We have all heard of the Advanced Persistent Threat, we know the acronym APT.  If you’re not familiar with APT or want to become more familiar check out <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7" target="_blank">https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7</a>. <a href="https://blog.mandiant.com/archives/318" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[<p>MANDIANT will be at this year’s Computer Enterprise Investigation Conference (CEIC). I will be there as well running a contest for incident responders. The contest is designed to test your ability to identify malware in memory. We have all heard of the Advanced Persistent Threat, we know the acronym APT.  If you’re not familiar with APT or want to become more familiar check out <a href="https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7" target="_blank">https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7</a>.</p>
<p>But how many of us have seen these cute cuddly creatures on live systems or in dead memory? This is your opportunity to come see if you can find the malware of an actual APT incident as well as some other incident of my own creation.</p>
<p>The contest will run two days and kick off Monday, May 18 at 9:45 a.m.  The contest will work as follows:  you will be given access to a virtual machine (VM). This VM will be pre-loaded with Audit Viewer and Memoryze. Audit Viewer will already have the audits needed to solve the incident loaded, which will cut down on the time needed at the station. You will have 10 minutes to go through the results of the audit and answer a set of four to five questions. At minutes 4, 6, and 8 you can ask for hints. If you answer three or more of the questions on the first day you are eligible to compete on the second day. The second day will work the same. One of these two days will contain actual APT malware taken from an incident we responded to. The contest is designed to simulate what we see on a daily basis and to help attendees learn more about finding malware in memory. The prize will be an iLive IP908B 9&#8243; Portable DVD Player With iPod® Dock And Swivel Screen.</p>
<p>If you are wondering how to prepare for the contest, we recommend you read the Audit Viewer user guide included in <a href="http://www.mandiant.com/software/mav.htm">Audit Viewer</a>. You should understand the data displayed by Audit Viewer and how to navigate/search Audit Viewer results. You will not have to run Memoryze, as all the data you need to solve the case will be preloaded into Audit Viewer. We will have an Audit Viewer training slide deck running at the contest so you can, if you&#8217;d like, cram prior to the competition, but as one of my college professors might have said, &#8220;cramming is not recommended.&#8221;</p>
<p>You may say, &#8220;well I don’t have much memory analysis experience.&#8221; That does not matter! Stop by the booth, I will be there to walk through how to do memory forensics on 15 or so unique memory images. Each memory image is a different type of malware or scenario. All our demonstrations will utilize <a href="http://blog.mandiant.com/archives/80">MemScript</a>, which is a FREE EnCase script written by Kelcey Tietjen that integrates memory analysis into EnCase. This is a great chance to come and learn something new. And, as always, if you have questions about previous talks we’ve given or upcoming research you’ve read about, I’ll be more than happy to chat about those as well. So stop by, watch others compete, come and see the big red box, talk memory, APT, fluffy bunnies and more.</p>
<p>Hope to see you there!</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/318/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>APT Forensics M-unition Pack</title>
		<link>https://blog.mandiant.com/archives/202?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=apt-forensics-m-unition-pack</link>
		<comments>https://blog.mandiant.com/archives/202#comments</comments>
		<pubDate>Fri, 13 Feb 2009 13:25:44 +0000</pubDate>
		<dc:creator>tk_lane</dc:creator>
				<category><![CDATA[The Armory]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[DoD CyberCrime]]></category>
		<category><![CDATA[Encase]]></category>
		<category><![CDATA[forensics]]></category>

		<guid isPermaLink="false">http://blog.mandiant.com/?p=202</guid>
		<description><![CDATA[
<p>I recently spoke at the DoD cybercrime conference on Advanced Persistent Threat (APT) forensics.  During the presentation I talked about several ways you can use forensics to answer difficult questions that arise once an APT incident is identified.  Some of these questions are:</p>
<ul>
<li>What was the initial vector?</li>
</ul>
<p><a href="https://blog.mandiant.com/archives/202" class="read_more">Read the rest</a></p>]]></description>
			<content:encoded><![CDATA[
<p>I recently spoke at the DoD cybercrime conference on Advanced Persistent Threat (APT) forensics.  During the presentation I talked about several ways you can use forensics to answer difficult questions that arise once an APT incident is identified.  Some of these questions are:</p>
<ul>
<li>What was the initial vector?</li>
<li>What did the attackers do exactly?</li>
<li>Was any sensitive data exposed or exfiltrated?</li>
<li>How do we successfully respond to the incident?</li>
</ul>
<p>These questions can usually be answered easily if the response team has the right tools and methodology.  This is where the APT M-unition pack will help.  In this package are templates for forensic methodology, EnScripts to help with analysis, and the presentation given at DoD cybercrime. The forensic methodology template can be opened with NoteCase. NoteCase is available at the following link:</p>
<p><a title="NoteCase" href="http://notecase.sourceforge.net/" target="_blank">NoteCase</a></p>
<p>If anyone has questions on the use of the EnScripts or steps in the methodology feel free to contact me by email at kelcey.tietjen@mandiant.com. The APT M-unition pack can be acquired from below:</p>
<p><a href="http://fred.mandiant.com/APTM-unitionPack.zip">APT M-unition Pack</a></p>
<p>Kelcey</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.mandiant.com/archives/202/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

