CARO workshop 2013

What can we tell about the targets of targeted attacks?

Mikko Hypponen, F-Secure

When we look at the ways targeted attacks are launched, in many cases we can figure out quite a bit about the organization that was targeted by those attacks. This is especially relevant for samples of targeted attacks that are received through anonymized sample feeds, including services like Google's VirusTotal or Jotti.

The vast majority of targeted attacks are launched with trojanised document files, and many of the exploits launched from those files show a decoy document to the victim. If that decoy is highly specific to a particular organization, that organization is most likely the target of the attack, or at least related to the target of the attack.
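As an added illustration of the point above (this is not code from the talk or from F-Secure): a small triage helper that pulls the origin-related metadata out of an OOXML decoy document. Office metadata frequently names the company, template or last editor the decoy was produced with, which is exactly the kind of organization-specific detail that points at the target. The document it runs on is constructed in memory; the field names are the standard OOXML core and extended property elements. Metadata can be edited by whoever built the decoy, so treat the output as a lead to corroborate, not as proof.

```python
"""Added example (not from the talk): extract origin metadata from an OOXML decoy document.

Standard library only. The sample document at the bottom is constructed for the
demonstration and contains only the two metadata parts this helper reads.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_FIELDS = (("dc:title", "title"), ("dc:creator", "creator"),
               ("cp:lastModifiedBy", "last_modified_by"),
               ("dcterms:created", "created"), ("dcterms:modified", "modified"))
APP_FIELDS = (("ep:Application", "application"), ("ep:Company", "company"),
              ("ep:Template", "template"))


def _read_fields(xml_bytes: bytes, wanted) -> dict:
    """Read the listed elements from one properties part; empty elements are skipped."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for tag, key in wanted:
        el = root.find(tag, NS)
        if el is not None and el.text and el.text.strip():
            out[key] = el.text.strip()
    return out


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return the origin-related properties of an OOXML (.docx/.xlsx/.pptx) package.
    Parts that are absent are skipped; a non-zip input raises zipfile.BadZipFile."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            fields.update(_read_fields(zf.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            fields.update(_read_fields(zf.read("docProps/app.xml"), APP_FIELDS))
    return fields


def organization_hints(fields: dict) -> list:
    """Pick out the fields that tend to name an organization or its internal systems:
    company, template name, title and the last-editor account, in that order."""
    return [(k, fields[k]) for k in ("company", "template", "title", "last_modified_by")
            if k in fields]


# --- constructed sample document (placeholder names, not a real decoy) -----------

SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Q3 budget review - internal</dc:title>
 <dc:creator>j.doe</dc:creator>
 <cp:lastModifiedBy>finance-ws07</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2012-11-02T09:14:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2012-11-05T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties
 xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <Company>Example Holdings Ltd</Company>
 <Template>ExampleHoldings-Letterhead.dotx</Template>
</Properties>"""


def build_sample_docx() -> bytes:
    """Minimal constructed package holding only the metadata parts (a real .docx
    also carries [Content_Types].xml, _rels/ and word/document.xml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    for key, value in organization_hints(meta):
        print(f"{key:17s} {value}")
```

On a real feed sample, run `extract_ooxml_metadata` over the file bytes and compare the company and template values across samples: decoys built from the same internal template are a strong hint that the same organization is being targeted repeatedly.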

This presentation will analyse a series of real-world targeted attack cases and look at who is really being targeted.

Recent APT Campaigns and Their Relationships

Timo Steffens and Thomas Hungenberg, CERT-Bund

In this presentation, we will show relationships between several APT campaigns that were either discussed publicly in security blogs or were reported to CERT-Bund. The identified relationships are based on technical data and are categorized into three levels of confidence. A link between two APT campaigns is considered strong if command-and-control servers are shared or hash sums of involved malware binaries are identical. If the same (rare) malware family is used, a link is considered to be of medium confidence. Other commonalities are considered as weak links.
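The three confidence levels described above, worked through in code. This is an added example and not CERT-Bund's tooling; the campaign dataset is constructed with placeholder names, hosts and hashes, and "rare" (which the abstract does not define) is taken here to mean a family used by at most two campaigns in the dataset. It also goes one step beyond the abstract by joining the graded links into clusters, which is the combined picture the second paragraph describes.

```python
"""Added example (not CERT-Bund's code): grade links between APT campaigns.

Implements the three confidence levels from the abstract over a constructed
campaign dataset: strong = shared C2 server or identical sample hash,
medium = same rare malware family, weak = any other shared trait.
"Rare" is not defined on the page; here it is a family used by at most
RARE_FAMILY_MAX_CAMPAIGNS campaigns in the dataset (an assumption).
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

RARE_FAMILY_MAX_CAMPAIGNS = 2  # assumption, see module docstring


@dataclass(frozen=True)
class Campaign:
    name: str
    c2_servers: frozenset = frozenset()
    sample_hashes: frozenset = frozenset()
    malware_families: frozenset = frozenset()
    other_traits: frozenset = frozenset()  # lure themes, packers, timezones, ...


def family_usage(campaigns) -> Counter:
    """How many campaigns use each malware family; drives the rarity test."""
    counts = Counter()
    for c in campaigns:
        counts.update(c.malware_families)
    return counts


def link_confidence(a: Campaign, b: Campaign, usage: Counter):
    """Return (level, evidence) for the pair, or None when nothing is shared.
    Levels are checked strongest first so a pair gets its best-supported grade."""
    shared_c2 = a.c2_servers & b.c2_servers
    shared_hash = a.sample_hashes & b.sample_hashes
    if shared_c2 or shared_hash:
        return "strong", sorted(shared_c2) + sorted(shared_hash)
    rare_shared = sorted(f for f in a.malware_families & b.malware_families
                         if usage[f] <= RARE_FAMILY_MAX_CAMPAIGNS)
    if rare_shared:
        return "medium", rare_shared
    shared_traits = a.other_traits & b.other_traits
    if shared_traits:
        return "weak", sorted(shared_traits)
    return None


def link_campaigns(campaigns) -> dict:
    """Grade every pair; result maps (name_a, name_b) -> (level, evidence)."""
    usage = family_usage(campaigns)
    links = {}
    for a, b in combinations(campaigns, 2):
        graded = link_confidence(a, b, usage)
        if graded:
            links[(a.name, b.name)] = graded
    return links


def clusters(campaigns, min_level: str = "medium") -> list:
    """Connected components over links at or above min_level (union-find): the
    comprehensive picture obtained by combining many individually small links."""
    rank = {"weak": 0, "medium": 1, "strong": 2}
    parent = {c.name: c.name for c in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), (level, _) in link_campaigns(campaigns).items():
        if rank[level] >= rank[min_level]:
            parent[find(a)] = find(b)
    groups = {}
    for c in campaigns:
        groups.setdefault(find(c.name), set()).add(c.name)
    return sorted(groups.values(), key=lambda g: sorted(g))


# Constructed dataset: names, hosts and hashes are placeholders, not real IoCs.
CAMPAIGNS = [
    Campaign("C1", frozenset({"c2-a.invalid", "c2-b.invalid"}), frozenset({"h1", "h2"}),
             frozenset({"FamX"}), frozenset({"lure:energy"})),
    Campaign("C2", frozenset({"c2-b.invalid"}), frozenset({"h3"}),
             frozenset({"FamY", "FamCommon"}), frozenset({"lure:defense"})),
    Campaign("C3", frozenset({"c2-z.invalid"}), frozenset({"h4"}),
             frozenset({"FamX"}), frozenset({"lure:energy"})),
    Campaign("C4", frozenset({"c2-q.invalid"}), frozenset({"h5"}),
             frozenset({"FamCommon"}), frozenset({"lure:defense"})),
    Campaign("C5", frozenset({"c2-r.invalid"}), frozenset({"h6"}),
             frozenset({"FamCommon"}), frozenset({"packer:custom"})),
]

if __name__ == "__main__":
    for pair, (level, evidence) in link_campaigns(CAMPAIGNS).items():
        print(f"{pair[0]}-{pair[1]}: {level:6s} via {evidence}")
    print("clusters (medium or better):", clusters(CAMPAIGNS))
```

With the constructed data, C1 and C2 share a C2 host (strong), C1 and C3 share a family seen in only two campaigns (medium), and C2 and C4 share nothing but a lure theme (weak); the family used by three campaigns contributes no link on its own, which is the point of the rarity condition.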

Analyses published on APT campaigns usually focus on the activities of one group of actors only. Some researchers, for example, track the domain names used by the Comment Crew. In our presentation, we provide a more abstract view and look at relationships between different APT campaigns. While some relationships between campaigns, such as Aurora and Elderwood or HTran and the Comment Crew, have been discussed in blogs already, combining information on many additional small links results in a much more comprehensive picture.

Are You Going to “Scarborough Fair”

Chun Feng, Microsoft

Firewalls and Network Address Translation (NAT) have been widely deployed and are commonly used by organizations as part of their network infrastructure. To some extent, this mitigates attacks from outside the organization, because the addresses and ports behind the firewall or NAT are not reachable from outside. For a specific targeted attack, the attackers may need to take the firewall / NAT into account to accomplish the attack from outside. In November 2012, we discovered a new, mysterious breed of malware which has been used to target a global organization. This malware, named Exforel, has been designed to penetrate the firewall / NAT under certain circumstances.

Exforel includes a rootkit component which works at the Network Driver Interface Specification (NDIS) level. This rootkit component has been designed specifically to accomplish the attack in the following scenarios:

  • Opening a backdoor which can be accessed over the network on the affected machine, while not using any TCP / UDP ports.
  • Rerouting TCP packets so that they are redirected to the final targeted destination (Scarborough Fair): a different port on the same host or a different port on a different host.

This presentation will explain the technical details about Exforel and how NDIS level hooks and private TCP / IP stacks are used to accomplish the attack from the outside.  Additional attack scenarios will also be discussed.

System and method of generically detecting the presence of emulated environments

Dr. Richard Ford, Florida Institute of Technology

A method of determining that protected software is running in a virtualized environment includes obtaining a set of baseline measurements of system call timings in native operating system environments. Statistical thresholds are established based on the baseline measurements such that there is a predetermined probability that protected software running in a native environment will experience system call durations that exceed the thresholds. The protected software is analyzed and instructions are incorporated within the software such that particular system calls, demonstrated to be differentiating using the set of baseline measurements and the threshold analysis, are executed during the normal running of the protected software. The incorporated instructions are used to estimate the parameter values that are to be compared with the established statistical thresholds. Repeated comparisons of the estimates obtained during the normal running of the protected software are executed to determine whether the software is running in a virtualized environment.

Breaking the Bank:  An Analysis of the 2012/2013 'Triple Crown' Financial Industry DDoS attacks.

Roland Dobbins, Arbor Networks

This presentation will provide an analysis of the high-profile 'Triple Crown' DDoS attacks launched against major US financial institutions in 2012/2013. Covered topics will include details of the attack methodology; attack success factors; comparison/contrast of these attacks with previous and current DDoS attack trends and methodologies; and successful attack mitigation strategies.

Safenet - A New APT Threat

Nart Villeneuve and Kyle Wilhoit, Trend Micro

Whether you prefer to call it “Advanced Persistent Threat” or “malware-based espionage”, you cannot ignore the fact that there are successful and long-term compromises of high-value organizations and enterprises around the world by a consistent set of campaigns. As the “noisier” campaigns become increasingly well known within the security community, numerous new, smaller campaigns have begun to emerge.

As Threat Researchers in Trend Micro’s Future Threat Research team, Nart Villeneuve and Kyle Wilhoit discovered and disassembled a new APT threat, termed Safenet. This threat has not been identified or discussed in public, and is a new, active APT threat. There are varying levels of visibility across the phases of an APT campaign; however, over time we can assemble various pieces from multiple attacks to gain a broader understanding of a campaign. This information is used to monitor the activities of the attacker over time, and to take advantage of any mistakes they make along the way to gain a deeper understanding of their operations.

This talk will cover from start to finish how the threat was initially identified, distribution techniques (including targeted emails and malicious documents exploiting CVE-2012-0158), persistence techniques, network communications and C2 infrastructure (industry verticals of the victims we were able to identify, the data exfiltration techniques used and a characterization of the stolen data we were able to recover), reverse engineering techniques, and source code (Yes, source code!) of the malware and tools that were used by the Safenet actors. In addition, this talk will demonstrate how the threat actors used the tools to create their malware.

  • Collecting technical and contextual indicators over time in order to cluster seemingly singular events into “campaigns”.
  • Mapping command and control infrastructure and locating “leakages” that expose additional information.
  • Analysis of the network communications between a compromised host and a command and control server (as well as between a malicious operator and the command and control server).
  • In depth analysis and discussion of source code of malware and tools used by Safenet including an assessment of the level of professionalization, the crypto used as well as the stealth and evasion techniques used.

Attacking the Hypervisor

Peter Szor and Deepak Gupta, McAfee, and Xiaoning Li, Intel

Recent advances in processor technology allow the implementation of hypervisor-based security, which can be utilized by security products and virtualization technology, but also by newly evolved threats. As hypervisor-based systems become more common, and security technology evolves further to utilize them for threat prevention, attacks will continue to co-evolve. The presentation will introduce the basics of hypervisor-based technology and its use, and show possible new attacks against such systems.

Advanced Evasion Techniques by Win32/Gapz

Aleksandr Matrosov and Eugene Rodionov, ESET

This presentation will be focused on the advanced evasion techniques employed by complex threats as well as by advanced persistent threats targeting the Microsoft Windows platform, with the intention of staying unnoticed by security software. In this talk the authors will review their analysis of the Win32/Gapz bootkit as a prominent example of malware implementing rich rootkit functionality, and will discuss whether bootkits are applicable in targeted attacks.

There are several features that make Win32/Gapz remarkable, and these are correspondingly reflected in the presentation. First of all, its original dropper, which incorporates functionality that allows it to bypass HIPS systems and elevate local privileges by exploiting several vulnerabilities (CVE-2011-3402, CVE-2010-4398) in the kernel of Microsoft Windows OS versions. Another notable feature of Win32/Gapz is the way it infects the system. It employs a brand new bootkit technique that modifies only 4 bytes of data in the VBR (Volume Boot Record) of the active partition, which makes it difficult to spot the presence of the infection in the system. And, finally, it has rootkit functionality implemented in the module loaded by the bootkit. This module, with notably rich functionality, has an intricate layout and provides the malware with a covert channel by which to communicate with a C&C server, a self-defense mechanism, a hooking engine and so on. All these features are interesting due to their original low-level implementation and make Win32/Gapz an advanced threat which deserves proper attention.
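A defender-side check suggested by the "only 4 bytes in the VBR" detail, as an added example that is not ESET's code. The abstract does not say which 4 bytes are changed; this example assumes they are the 4-byte HiddenSectors field of the NTFS BIOS Parameter Block at VBR offset 0x1C, which on a healthy disk equals the partition's starting LBA recorded in the MBR partition table, so a disagreement between the two is a cheap consistency check to run during triage. The disk images are constructed in memory and contain no real boot code.

```python
"""Added example (not ESET's code): cross-check the active partition's VBR against the MBR.

Assumption for this example: the modified field is the NTFS BPB HiddenSectors
DWORD (VBR offset 0x1C), which should equal the partition's start LBA in the MBR.
The disk images built below are constructed and carry no boot code.
"""
import struct

SECTOR = 512
MBR_PART_TABLE = 0x1BE
BPB_HIDDEN_SECTORS = 0x1C  # DWORD in the NTFS/FAT BIOS Parameter Block


def parse_mbr_partitions(mbr: bytes) -> list:
    """Parse the four primary partition entries; empty entries (type 0) are skipped."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or signature)")
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": size})
    return parts


def vbr_hidden_sectors(vbr: bytes) -> int:
    """Read the BPB HiddenSectors field of a volume boot record."""
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid VBR (bad length or signature)")
    return struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]


def check_active_vbr(disk: bytes) -> list:
    """One finding per active partition whose VBR HiddenSectors differs from its
    MBR start LBA. An empty list means the two sources agree."""
    findings = []
    for p in parse_mbr_partitions(disk[:SECTOR]):
        if not p["bootable"]:
            continue
        start = p["lba_start"] * SECTOR
        hidden = vbr_hidden_sectors(disk[start:start + SECTOR])
        if hidden != p["lba_start"]:
            findings.append({"partition": p["index"], "mbr_lba_start": p["lba_start"],
                             "vbr_hidden_sectors": hidden,
                             "delta_sectors": hidden - p["lba_start"]})
    return findings


def build_disk_image(lba_start: int, hidden_sectors: int, total_sectors: int = 128) -> bytes:
    """Constructed disk: one active NTFS partition whose VBR carries the given
    HiddenSectors value (equal to lba_start for a consistent disk)."""
    img = bytearray(SECTOR * total_sectors)
    # MBR: entry 0 active (0x80), type 0x07 (NTFS), CHS fields left zero
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        lba_start, total_sectors - lba_start)
    img[MBR_PART_TABLE:MBR_PART_TABLE + 16] = entry
    img[510:512] = b"\x55\xaa"
    # VBR: jump + OEM id, a couple of BPB fields, HiddenSectors, signature
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, SECTOR, 8)  # bytes/sector, sectors/cluster
    struct.pack_into("<I", vbr, BPB_HIDDEN_SECTORS, hidden_sectors)
    vbr[510:512] = b"\x55\xaa"
    off = lba_start * SECTOR
    img[off:off + SECTOR] = vbr
    return bytes(img)


if __name__ == "__main__":
    print("consistent:", check_active_vbr(build_disk_image(63, 63)))
    print("modified  :", check_active_vbr(build_disk_image(63, 71)))
```

A mismatch is an indicator, not a verdict: some cloning and imaging tools also leave the two values out of step, so a hit should be followed by inspecting the VBR code and the sectors it points to rather than treated as a confirmed infection on its own.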

The rest of the talk will be devoted to discussing whether bootkits may be employed in targeted attacks. The authors will offer reasons why most of the recently discovered malware samples involved in targeted attacks do without bootkits and rootkits operating in kernel mode.

Financial Malware: Overview of Attack and Defense Techniques

Alexey Monastyrsky and Denis Nazarov, Kaspersky

Banking trojans have always been considered one of the most dangerous malware threats because they directly affect people’s wealth. And even if some of them don’t try to directly steal money, as is possibly the case with one of the recently discovered nation-state cyber-espionage campaigns, they can monitor the finance/funding sources of their targets. Until recently the only type of protection against this kind of malware offered by security companies was traditional anti-virus. But now users can choose between the old approach and some newer technologies offered by both specialized products and anti-malware software.

In this presentation we are going to review the techniques used by the online banking malware and at least one component of a recently discovered APT threat to perform Man-in-the-Browser attacks against modern browsers. We will show that only a small number of browser injection methods are currently utilized by malware to steal banking related information, and that new protection technologies used in modern security software can prevent these attacks and provide the user with a clean browsing environment.

We will also demonstrate that there is no “silver bullet” in this confrontation since those protection technologies are not invulnerable and can be bypassed by the future generations of the online banking malware.

Microsoft's War on Malware – Applying Automation and Measuring Its Success

Dennis Batchelder, Microsoft

In 2002, Bill Gates sent an email to all Microsoft employees that put in motion a pivotal change in the way Microsoft thinks about security. In 2012, Microsoft shipped Windows 8 with built-in antimalware to drive up coverage and disrupt the Windows malware ecosystem.  But during this decade, the bad guys fought back with a Denial of Service, overwhelming us all with too many attacks for our human researchers to handle.

Enter automation. We’ve coped by building tools to keep our customers fully updated with our latest and greatest signatures.  We’re chasing the dream that our researchers will be free to move on to newer and more challenging puzzles and tasks.

But what is the effectiveness of this automation? Is it making a difference? These days our researchers mostly focus on more efficient generic signatures.  How are they doing, and how do they compare?

This session will discuss Microsoft’s automation strategy and show how we measure success. We will compare the effectiveness of automated signatures against researcher-generated signatures. We will discuss the role of researchers in the further development and upkeep of automated processes, and what we think are the most promising areas of investment, present and future.  How should we best balance the use of humans and machines?  Come hear about Microsoft’s experience and what we’ve learned along the way.

Dissecting Operation High Roller: Case Study of Targeted Attacks on Businesses World Wide

Ryan Sherstobitoff, McAfee Labs

How the high-tech mantra of “automation and innovation” helps a multi-tiered global fraud ring target high net worth businesses and individuals. Building on established Zeus and SpyEye tactics, this ring adds many breakthroughs: bypasses for physical multi-factor authentication, automated mule account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 ($130,000 USD). Where Europe has been the primary target for this and other financial fraud rings in the past, our research found the thefts spreading outside Europe, including to the United States and Colombia.

Unlike standard SpyEye and Zeus attacks, which typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation. The fraudsters’ objective in these attacks is to siphon large amounts from high-balance accounts, hence the name chosen for this research: Operation High Roller.

With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term “organized crime.” This study found 60 servers processing thousands of attempted thefts from high-value commercial accounts and some high net worth individuals. As the attack shifted emphasis from consumers to businesses, mule business accounts allowed attempted transfers averaging in the thousands of Euros, with some transfers as high as €100,000 (US$130,000). Three distinct attack strategies have emerged as the targets have expanded from the European Union, to Latin America, to the United States. Debunking the popular wisdom that only big banks are affected, the research documents attacks at every class of financial institution: credit union, large global bank, and regional bank. So far, we estimate the criminals have attempted at least €60 million (US$78 million) in fraudulent transfers from accounts at 60 or more financial institutions (FIs). If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as €2 billion.

In this presentation we will cover:

  • Why was Operation High Roller successful? How did they get in? What was their motivation?
  • Overview of the technical strategies used in Operation High Roller to penetrate finance departments of businesses worldwide.
  • A review of the complex web injection system used in conjunction with remote transaction servers used by the Zeus and SpyEye malware families.
  • Techniques and methods using memory and traffic analysis to identify targeted campaigns like High Roller. Includes demonstration of POC memory analysis system used in aiding the investigation into these campaigns that ultimately resulted in the discovery of Operation High Roller. 

Malware Regional Threat Profile

Steve Santorelli, Team Cymru

Public abstract will follow…

Targeted Attack Case Study: Signed Binaries in South Asia

Jean-Ian Boutin, ESET

In late 2012, we analyzed a malicious binary that was delivered through spear phishing using the infamous CVE-2012-0158 exploit. Upon further analysis, we discovered that this binary was part of a targeted attack and was digitally signed. Looking through our collection revealed that the same certificate was used to sign various malicious binaries containing functionality to transfer sensitive information from compromised systems to the attacker’s C&C infrastructure. These binaries were used in targeted campaigns, mostly against users in South Asia. The certificate, now revoked, was used to sign almost exclusively malicious binaries from late November 2011 until September 2012.

In this presentation, we will go over this campaign, detail the inner workings of the binaries we found, how they were installed on the victim’s system, as well as the C&C infrastructure used. Some of the techniques used to make analysis of the binaries harder will also be reviewed. With the signing date in each binary, it is possible to track the evolution of the binaries, the C&C infrastructure and the different campaigns in which the binaries were used. We will also explain who the victims were and what the timeline of this campaign is. Finally, we will also spend some time discussing the relevance of signing malicious files and how this technique fits into the overall targeted attacks scene.

Operation “Red October”

Costin Raiu and Vitaly Kamluk, Kaspersky

During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

Kaspersky Lab's researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

This presentation will cover:

  • earliest variants of the malware (2007)
  • victims profiles
  • C&C domains and servers
  • mobile malware components: known and unknown
  • an overview of +1000 malware plugins discovered during the research
  • possible links with other campaigns

The use of embedded Flash exploits in targeted attacks

Timo Hirvonen, F-Secure

Microsoft Office document files with embedded Flash exploits have been common in targeted attacks in the past years. This presentation is a technical analysis of such Flash exploits targeting two different vulnerabilities, CVE-2011-0609 and CVE-2012-1535. The first one was used in the RSA breach in 2011; the exploit was delivered inside an Excel file. The second vulnerability was exploited in August 2012 using many different kinds of emails with Microsoft Word and Microsoft Excel attachments.

Each case starts by analyzing the email (when available) that was used in the attack. The focus, however, is on analyzing the attached malicious documents and the exploit techniques used. For CVE-2012-1535 we compare the shellcode found in different documents and try to identify both similarities and differences between the shellcodes. One of the key outcomes of this analysis is a set of recommendations on how to mitigate such attacks. Analyzing the shellcode in detail will also reveal interesting details about what kind of systems and defences the attacker expects the victim to have: Windows XP vs. Windows 7, limited user vs. administrator, Office 2003 vs. Office 2010, etc. As F-Secure was the first to discover the email used in the RSA attack, we will also recommend practical methods and tools for identifying similar attacks among large collections of samples.
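The "compare the shellcode found in different documents" step above, as an added example that is not F-Secure's tooling: Jaccard similarity over sliding byte n-grams ranks which extracted blobs share code, the n-gram set difference isolates what is specific to one variant, and a longest-common-substring pass recovers the shared stage itself. The three inputs are constructed byte sequences standing in for shellcode extracted from three documents; they are not real payloads.

```python
"""Added example (not F-Secure's tooling): compare extracted shellcode blobs by byte n-grams.

The samples at the bottom are constructed byte sequences (a shared "stage" plus
per-sample head/tail bytes), not real shellcode.
"""
from itertools import combinations


def byte_ngrams(blob: bytes, n: int = 4) -> set:
    """All distinct length-n byte windows of the blob."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def jaccard_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """|A ∩ B| / |A ∪ B| over the n-gram sets; 0.0 when both are empty."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def rank_pairs(samples: dict, n: int = 4) -> list:
    """(name_a, name_b, similarity) for every pair, most similar first."""
    scored = [(x, y, jaccard_similarity(samples[x], samples[y], n))
              for x, y in combinations(sorted(samples), 2)]
    return sorted(scored, key=lambda t: -t[2])


def unique_to(samples: dict, name: str, n: int = 4) -> set:
    """n-grams present in `name` and in none of the other samples: the candidate
    variant-specific code (a different API hash, offset or URL fragment)."""
    others = set().union(*(byte_ngrams(samples[k], n) for k in samples if k != name))
    return byte_ngrams(samples[name], n) - others


def longest_common_run(a: bytes, b: bytes) -> bytes:
    """Longest byte substring shared by a and b (dynamic programming, O(|a|*|b|))."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


# Constructed stand-ins: doc_a and doc_b share SHARED_STAGE, doc_c shares nothing.
SHARED_STAGE = bytes(range(0x10, 0x40))
SAMPLES = {
    "doc_a.xls": SHARED_STAGE + bytes(range(0x80, 0x90)),
    "doc_b.doc": bytes(range(0x90, 0xA0)) + SHARED_STAGE,
    "doc_c.doc": bytes(range(0xC0, 0xF0)),
}

if __name__ == "__main__":
    for x, y, s in rank_pairs(SAMPLES):
        print(f"{x} vs {y}: {s:.3f}")
    print("n-grams unique to doc_a.xls:", len(unique_to(SAMPLES, "doc_a.xls")))
    print("shared run a/b:", longest_common_run(SAMPLES["doc_a.xls"], SAMPLES["doc_b.doc"]).hex())
```

Byte n-grams are deliberately crude: two shellcodes that differ only by a re-encoded layer or a relocated block will score low even when the decoded stage is identical, so run the comparison on the decoded payload when a decoder is present.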

Common Traits for Advanced Persistent Threat

Bjarne Roe and Frode Hommedal, Norwegian National Security Authority (NSM) NorCERT

Targeted attacks have come to be the main focus of NSM NorCERT's analysis team. This development is based on NSM NorCERT's increasing involvement in handling targeted attacks. The targeted attacks vary from the vacuuming campaigns of the so-called "Comment crew" to vastly more advanced operations.

We share the view that targeted attacks are about the attacker and not the malware, however we strongly believe it is also very much about the targets. We believe it is as simple as this: If you have high value assets you will attract attackers.

We will present some common traits for advanced persistent threat (APT) campaigns, with the intent of giving some ideas how to separate APT campaigns from other campaigns. We will present how we view the threats, with regards to why single source analysis is not enough for attacker identification.

Our presentation will include insight into why we deal with countering APT and why it is a prioritized objective. We will introduce how we handle APT, and offer some insight into the difference between our event driven handling and our long term studies of attacks.

We will present a case study which consists of several attacks against a specific sector in the Norwegian industry. The attacks are highly correlated to other attacks we are familiar with, which have previously struck several European countries. We will share some technical details from these attacks.

Hypervisor-Based, Hardware-Assisted System Monitoring

Carsten Willems and Ralf Hund, Ruhr-University Bochum

In the last few years, many different techniques were introduced to analyze malicious binary executables. Most of these techniques take advantage of Virtual Machine Introspection (VMI), the process of analyzing the state of a virtual machine from the outside. On the one hand, many approaches are based on system emulators which enable a tight control over the program execution. Unfortunately, such approaches typically induce a huge performance overhead. On the other hand, there are approaches based on hypervisors. Early implementations were hampered by the missing virtualizability of the x86 instruction set architecture: since the memory management unit (MMU) itself was not virtualized, memory separation needed to be enforced in software with the help of so-called shadow page tables, an approach that again induced performance overhead.

However, processor vendors have recently added hardware support for MMU virtualization and modern CPUs offer so called Two-Dimensional Paging to overcome such performance bottlenecks.

In our presentation we demonstrate how this processor feature can be utilized to implement a binary analysis framework. More specifically, we introduce an approach to monitor code execution based on the concept of Currently eXecutable Pages (CXP), i.e., we precisely control which memory pages are currently executable to enable the interception of intermodular function calls and their corresponding returns. When an interception occurs, we apply VMI to deduce runtime information such as function parameters. To demonstrate the practical feasibility of the proposed approach, we implemented VMMInspector, a framework for binary analysis on 64-bit machines and Windows 7. In several case studies we present different usage scenarios for that framework.

Amongst other applications, we demonstrate how the kernel rootkit TDSS/TDL4 can be analyzed in an automated way.

Post factum investigation of a targeted attack

Jakub Kaminski, Microsoft

Investigating a compromised system some time after the intrusion or the initial attack occurred introduces a new set of problems. In addition, an investigator is not always the first person to examine the machine, and therefore not the first person to inspect the exploited system and suspect files.

When the need for secrecy is high and there’s no full disclosure of who has been involved, there’s no way of knowing how many parties have conducted the research and what they’ve done so far; thus, it’s easy to create a situation where one investigation interferes with another, and the final results of one investigation are distorted by earlier works.

This presentation will provide a real-world example of a targeted-attack investigation and the problems encountered. A discussion of files discovered, tricks used, malware involved and potential entry point will follow. 

jEoPardized by Targeted Attacks

Gregory Panakkal, K7

Targeted attacks and APTs have been actively exploiting Elevation of Privilege (EoP) vulnerabilities in the modern editions of Microsoft Windows. Full administrative rights are sought to deploy components that can stealth and root themselves deeply into the host.

EoP vulnerabilities, when exploited, give elevated access to arbitrary code, allowing significant changes to protected areas of the system which would otherwise have been restricted. Starting from Windows Vista, through the use of UAC, less sophisticated malware has been denied access to make changes to key portions of the operating system. This makes post-infection detection and removal trivial. However, detection and removal of APT malware is far from straightforward, precisely due to its ability to circumvent UAC and other security features to install core low-level, deep-rooted binaries.

The infamous Stuxnet exploited two different EoP vulnerabilities that affected Windows XP and Windows 7. Duqu, believed to be a close cousin of Stuxnet, made use of a font parsing bug allowing arbitrary code to be run in kernel mode. Interestingly, less sophisticated yet advanced and persistent malware such as ZeroAccess tries to elevate its privileges through social engineering during the initial stages of the infection process.

A recent targeted attack discovered at the end of 2012, exploiting an IE 0-day, made use of an EoP vulnerability in Windows 7 that allows auto-elevation with default UAC settings. This method, albeit discovered in 2009, remains open to exploitation and works reliably on both the x86 and x64 versions of the Windows OS.

This presentation explores the key EoP exploitation methods used by recent strains of targeted attack and APT malware. Most of these vulnerabilities have been fixed, however some remain unresolved and open to attack. How Windows 8 stacks up against these unaddressed vulnerabilities is also explored.

In addition, this presentation discusses a potential attack PoC (with demo) using the INF (Microsoft Information File) format to bypass default UAC settings in Windows 7 and Windows 8 to silently gain admin privileges. 

Targeted attacks on Russian banks

Dmitriy Volkov, Group-IB

Qhost has been used for the last 3 years in attacks on clients of 2 Russian banks. We will describe the working scheme of this cybercrime group and show the revenue from this primitive trojan.

Carberp on Android was the first bank trojan on Google Play, targeting 2 Russian banks. How did this happen and who is behind this? Furthermore, we will show a real-life example: a direct attack on the Internet Banking System Administrator, manipulating the client's data. Finally, we will describe how Russian bank trojans are changing their attack vectors. Their next target: Broker Systems.