Sunday, August 16, 2015

Big Game Hunting: The Peculiarities of Nation-State Malware Research

This was yet another Black Hat talk I saw; it was given by Ms. Marion Marschalek (left) and Mr. Morgan Marquis-Boire (right). Claudio Guarnieri was supposed to present too, but was absent. In early 2010 Google announced it had been hacked by China. Silicon Valley has been hacked by China. Everyone has been hacked by China. Big countries are using hacking as a form of espionage, and small countries wish they could. Malware has become a threat to the intelligence industry. Intruders now go into networks and observe them rather than act maliciously and get out right away. Ways the bad can get in include:

  1. threat intelligence (analysis on existing exposed data which reveals something new)
  2. telemetry data (data collected from infected endpoints which have been hacked)
  3. leaked documents (think Edward Snowden)
  4. infected machines
  5. gossip

The talk was basically about using reverse engineering to work out which party (which nation?) might be responsible for an attack. The example used was Babar, a piece of malware the government of France introduced in Canada to spy on individuals there. In the case of Babar, its binary tied into other binaries (sometimes indirectly, by way of a daisy-chaining effect) which had reared their ugly heads before in malicious circumstances. If one looked at those other pieces of malware and where they had been used before, the finger of blame pointed to France. In short, how you hack says a lot about who you are. You may be signing your name without realizing it. Things investigators may look at to deduce a "signature" for a setup include:

  1. String constants: error messages, string formatting style, English grammar mistakes, C&C commands, timestamp formatting.
  2. Implementation traits: memory allocation habits, use of global variables, multi-threading model, software architecture and design, constructor design, dynamic API loading technique, exception handling, usage of public source code, programming language and compiler, compilation time stamps and time zones.
  3. Custom features: obfuscation techniques, stealth and evasion techniques, use of encryption and compression algorithms, encryption keys, re-used source code, malware-specific features, system infiltration, propagation mechanisms, artifact naming schemes and algorithms, data exfiltration techniques, system / OS version determination technique, C&C command parsing implementation.
  4. Infrastructure: C&C servers, countries and languages used for domain hosting and naming, beaconing style, communication protocol and port, communication intervals.

What do some of these terms mean? C&C stands for command and control; in the malware space it refers to infrastructure, such as virtual or physical servers, used to direct and facilitate attacks. Data exfiltration is the transfer (stealing) of sensitive data. When traffic exits a network at regular intervals it makes a "beacon" (or heartbeat). Artifacts are evidence of the hack that lingers after the fact. A binary is a file, maybe an executable, maybe a .dll, but not a human-readable text file.
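To make the "signature" idea concrete, here is an added example (not code from the talk or from the speakers) that pulls a few of the traits listed above out of a sample: the COFF compile timestamp from a PE header, printable string constants classified by formatting habit (printf-style versus .NET-style formatting, day-first versus ISO timestamps, error-message wording), a working-hours estimate of the author's UTC offset from a family of sibling builds, and the regularity of C&C beaconing from a list of connection times. The PE-shaped blob, the strings, the compile times and the connection times are all constructed for the example; the trait patterns and the office-hours heuristic are my own simplifications, not the speakers' methodology.

```python
import re
import struct
from datetime import datetime, timezone
from statistics import mean, pstdev

# --- Constructed sample data (not from any real malware family) -------------

def build_fake_pe(timestamp: int, strings: list) -> bytes:
    """Assemble a minimal PE-shaped blob: DOS header with e_lfanew, the PE signature,
    a 20-byte COFF header carrying TimeDateStamp, then string data separated by junk bytes."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp; remaining COFF fields zeroed
    coff = struct.pack("<HHI", 0x14C, 1, timestamp) + b"\x00" * 12
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x01\x02\xff".join(strings)

CONSTRUCTED_STRINGS = [
    b"ERROR: conection to server failed",  # misspelling is a deliberate grammar trait
    b"GET /%s?id=%d HTTP/1.1",             # printf-style formatting
    b"%d/%m/%Y %H:%M:%S",                  # day-first timestamp format
    b"cmd=upload&file=",                   # C&C command vocabulary
]
# Compile times of five constructed "sibling" builds, given in UTC.
CONSTRUCTED_COMPILE_TIMES_UTC = [
    datetime(2014, 3, 3, 8, 12, tzinfo=timezone.utc),
    datetime(2014, 3, 5, 9, 40, tzinfo=timezone.utc),
    datetime(2014, 4, 1, 11, 5, tzinfo=timezone.utc),
    datetime(2014, 4, 9, 14, 30, tzinfo=timezone.utc),
    datetime(2014, 5, 2, 16, 55, tzinfo=timezone.utc),
]
# Constructed C&C connection times (seconds since capture start) from a network sensor.
CONSTRUCTED_CONNECTION_TIMES = [0, 300, 601, 899, 1200, 1502]

# --- Trait extraction -------------------------------------------------------

def compile_timestamp(blob: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if the blob is not PE-shaped."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\x00\x00" or len(blob) < pe_off + 12:
        return None
    ts = struct.unpack_from("<I", blob, pe_off + 8)[0]  # after Machine(2) + NumberOfSections(2)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def extract_strings(blob: bytes, min_len: int = 5) -> list:
    """Pull printable ASCII runs, the raw material for string-constant traits."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

TRAIT_PATTERNS = {
    "printf_style_format": re.compile(r"%[-0-9.]*[sdiuxX]"),
    "dotnet_style_format": re.compile(r"\{\d+\}"),
    "day_first_timestamp": re.compile(r"%d[/.-]%m[/.-]%Y"),
    "iso_timestamp": re.compile(r"%Y-%m-%d"),
    "error_message": re.compile(r"\b(error|fail(ed)?|cannot)\b", re.IGNORECASE),
}

def string_traits(strings: list) -> dict:
    """Group strings by the formatting or wording habit they reveal; empty groups are dropped."""
    found = {name: [s for s in strings if pat.search(s)] for name, pat in TRAIT_PATTERNS.items()}
    return {name: hits for name, hits in found.items() if hits}

def infer_utc_offset(compile_times: list) -> int:
    """Whole-hour UTC offset under which the most builds land in a 09:00-17:59 local working day.
    Ties resolve to the smallest offset; on its own this is a weak signal and is weighed with the rest."""
    def in_office_hours(offset):
        return sum(9 <= (t.hour + offset) % 24 < 18 for t in compile_times)
    return max(range(-12, 15), key=in_office_hours)

def beacon_profile(connection_times: list) -> dict:
    """Mean interval and jitter (coefficient of variation) between consecutive C&C contacts."""
    gaps = [b - a for a, b in zip(connection_times, connection_times[1:])]
    if len(gaps) < 2:
        return {"mean_interval_s": None, "jitter_cv": None, "regular_beacon": False}
    m = mean(gaps)
    cv = pstdev(gaps) / m
    return {"mean_interval_s": round(m, 1), "jitter_cv": round(cv, 3), "regular_beacon": cv < 0.15}

def profile_sample(blob: bytes, sibling_blobs: list, connection_times: list) -> dict:
    """Combine the traits for one sample plus its siblings into a single attribution profile."""
    stamps = [s for s in (compile_timestamp(b) for b in [blob] + sibling_blobs) if s is not None]
    return {
        "compile_time_utc": compile_timestamp(blob),
        "string_traits": string_traits(extract_strings(blob)),
        "likely_utc_offset": infer_utc_offset(stamps),
        "beacon": beacon_profile(connection_times),
    }

def demo() -> dict:
    """Run the profiler over the constructed sample family and return the profile."""
    blobs = [build_fake_pe(int(t.timestamp()), CONSTRUCTED_STRINGS) for t in CONSTRUCTED_COMPILE_TIMES_UTC]
    return profile_sample(blobs[0], blobs[1:], CONSTRUCTED_CONNECTION_TIMES)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

None of these traits identifies a nation on its own; the point of the talk is that they accumulate, and that the same habits recurring across otherwise unrelated binaries (the daisy-chaining described above) is what lets an analyst tie samples together. Note that a compile timestamp is a writable field, so the offset inference is only meaningful across many builds that agree.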
