CryptoMalware: The persistent, ubiquitous threat - Aaron Lancaster

ameritech links he's going to be talking about for Joe Marler how's everyone doing this morning so I got I got asked to speak last minute about crypto malware I guess mr. gamblin couldn't make it today so hence my somewhat humorous but informative slide with the line through letting folks know that there's been a little bit of a change in the schedule even as of this morning so I hope you guys are all doing well did do we finally get the the talk across the street the hacking automotive security going over there did was anybody over there this morning okay good was it was it good I'm going to have to watch it later because I didn't

get a chance to get over there so well hey guys I want to keep this a little bit interactive this morning so please you know as I'm going through this if you guys have questions or comments or heckling remarks as Kevin Thomas tends to have you know just go ahead and shout those out and there might even be something in it for you so a little bit about myself I'm the info SEC team lead at tech links a little company here in town do managed services and value-added reseller I have around 15 years and information security experience co-founded the East Tennessee Issa chapter here in Knoxville to help try to bring the information security community

together increase knowledge sharing and to help improve the the market here in Knoxville for information security professionals as well as raise security practices here so at tech links I assess and advise companies of security best practices and I had in my slides yesterday best in quotation marks because a friend of mine Slade Griffin shoutout to Slade says that you know best is up for discussion it's really more like common practice and so you know the the best practice that we all say you know best practices we hear that industry Mont mantra is is really debatable right what is best for us so some of wort what we're here to talk about today is the practices that we see

and and so I've started using the term common practice because I think there's always room for growth and it's a continual improvement process you know that that we have to continually get can continually keep getting better at what we do so that being said I've done work here locally and nationally for companies like Oak Ridge National Lab US Army a company up in ohio called reynolds and reynolds a software development company for automotive dealer management systems also you know my free time I'm a worship leader I like to keep an eye on the the threat trends and I'm married celebrating ten years this year to my wife Kristen and we we have three daughters that we love dearly

so you know some of that threat trend analysis is really what precipitated this talk and so happy to share with you guys today a collection of knowledge from a lot of resources that are smattered across the internet as well as some of my own analysis that i've done so without further ado let's move on I want to just make mention I made mention here a minute ago about is a SI East Tennessee chapter here's some information for you guys if you're wanting more info on that check us out on Twitter or at our website etn Issa org and the reason that i have this up here is because one of the great benefits of the information systems

security association is this little publication that's put on by members called the ISS a journal and it's a monthly publication and in april actually the feature article was on cryptolocker and so one of the things that you guys can do is scan this completely benign and totally honest a QR barcode right here if you like and read this article for free I promise that it's not a malicious QR code you can come find me later and beat me up if it is so these slides will be available you know on SlideShare with the links as well as I have a resource page I published on my blog that go along with these slides so I really encourage you

guys to check out the ISS a journal and this article is really really good pretty much he pretty much stole my entire talk so I'm put in a journal article so before we have a chance to read that I'm going to go ahead and finish the talk up so last June you know the FBI put out an advisory through ic3 about crypto wall and just stating that you know crypto wall and its variants have been used actively to target us victims since april 2014 and the financial impact of victims goes well beyond the ransom fee itself which is you know typically 202 $10,000 I've heard numbers as high as twenty twenty-five thousand dollars depending on the organization and what the

the malware developers are able to determine from the infection who they're dealing with and then then you know inflate those fees and so you know as we're considering the reasons for this particular type of malware I think it's really this is a really insightful advisory to kind of keep in mind so how many folks here have this is maybe your first time here and about cryptolocker I really hope that's not the case anybody okay does anybody care to maybe tell us a little bit about things that they know about cryptolocker share a few things anybody know you're gonna let me you know let me fly solo today all right so you know cryptolocker is a crypto

malware it's ransomware and encrypts your files holds them for ransom you know which is by nature extortion that an act of extortion initially released September 2013 targets all versions of Windows encrypts files by file type we'll get into a list a little bit later but it's it's essentially everything useful when the encryption action is complete you're presented with a ransom note that that may include heckling of various forms in the the most recent versions and demands of payments you from you know in older versions two hundred dollars now on average is more around five to nine hundred dollars depending on the value of Bitcoin or whatever currency that is being demanded and then that can range up quite high as

as I had mentioned previously you're given a timed period you know a time window where we're in you need to pay that ransom in order to be giving your data back if you don't pay the ransom the malware threatens to delete your data for good and most of these you know different various versions of crypto malware are demanding payment by money pack or Bitcoin I've pretty even heard of some recent versions now asking for amazon gift cards or iTunes gift cards and some of these things you know they seem so bizarre and off the wall but it's basically anything that you know these developers malware developers can use anonymously to make money right we're going to get into a little bit

more of the the making money in a minute cryptolocker encrypts everything useful essentially even now going after a company intellectual property in most recent versions AutoCAD drawings as well as other types of you know business specific documents have been included in this and here's a little bit of a you know a consultant statement on and I'll just read it to you hear this thing hit pretty much all the file extensions that are usable for mp3s to Microsoft Word documents about the only thing it didn't touch were system files and exe s encrypting almost everything else with twenty forty forty eight bit RSA keys that would take like a quadrillion years to decrypt once the infection happens it can even spread

from someone on a home pc using a VPN to access their work network and for me that's the most scary part and interestingly enough crypto wall for and other more recent variants are now used have now even increase their key length to a 4000 bit key length so these developers are continually making improvements continually getting smarter they know that we're trying to defend against these kinds of threats and so the advances are are continuing and so one of the things that one of the takeaways I'd like to have for you guys you know during this presentation is what are some of the more recent developments and how do we protect against some of those so looking at the

numbers for some of these you know in 2014 cryptolocker was infecting over 50,000 computers a month peak the u.s. is the number one targeted country statistically and in the US over 3,300 36,000 computers have been recorded as being infected and you know one of the things that's really interesting is you know how metadata can be used to determine what what's happening with infections like this and one of the things that is is out there is google search numbers right so search results for cryptolocker alone are over 210,000 per month and it's on the rise and you know that's a really good indicator of how how big of an issue this is for people you don't

just go out and you know and I've were many people just go out and search for cryptolocker on Google unless they're looking for an answer to some kind of problem so which brings us to another related issue and that's Mel vertising how many folks the term malvert izing is new to you it's okay you know if you're not vulnerable enough to stick your hand up for some of these questions let me just tell you that yesterday I made a bunch of changes to my presentation and then I'd closed it without saving so so there now that we're all sharing openly so Mel vertising is a malicious al advertisement that's injected through through an advertisement stream and you

know one of the things that you may be aware of but may not have a you know occurred to you in light of how these threats are propagated is that many websites today don't control their advertising stream those ads are served rendered through a third party service through an external service and then displayed through an iframe or a script of some sort on their website and they really have next to no control over what is being displayed there that has become an excellent vector for infection an excellent way to serve up our our malicious software the developers have identified that and are using that and so this has really become somewhat of an Internet pandemic I put on this slide

you know before I forgot to save my changes the real cyber pandemic because one of the other things I've been following recently is the FBI vs apple case so who's also watching FBI vs apple and the things that are you know coming in the wake of that and I just found it kind of comical that you know one of the things that we we had had heard was we need to unlock the iPhone because it may it may contain a cyber pathogen so so I had put on here you know the real cyber pathogen because it was found later that you know even that that the the iphone didn't really in question didn't really contain

a cyber pathogen you know so these types of things are you know the severity of this threat is has led to FBI advisory has led to other things like you know fortune 500 companies investing highly in protection against cryptolocker I find it interesting that sixty-nine percent of Fortune 500 websites use external javascript to render portions of their websites you know we talked about malvert izing and how JavaScript can play into that sixty-four percent of them of those sites running outdated web apps I think you know one of the apps that comes to mind you know is WordPress there's there's a there's a cold fusion there's a there's a long list you know of those types of things but I feel like

you know we we've got some so big issues to handle in advising companies with this type of capital of how to implement just common practices keeping those applications up to date and and filtering external content so we've done some case studies through through you know of our customers at tech links one of the things that we've seen is that we're still seeing among our customers one infection per month and on average over the past year or more over five cases in 2015 alone and healthcare comprised forty forty six percent of those which may look as you know a disproportionately high number of infections but of the customers that we serve that's actually a representative number of even across every vertical so

it's not one particular vertical that's being affected most by this it's every vertical every industry is being affected equally it just so happens that it tech links we have more health care customers than other customers so if you're in health care you're just as likely as any other industry and vice versa to to be targeted for cryptolocker alright so you know we talked about the motivation earlier it's mainly financial these these developers are looking for money through Bitcoin moneypak a single instance could make over 250 thousand dollars in a month within a corporation and crypto wall has resulted in over a million dollars paid out and ransoms and you know they're after the information they're after the money but most of all

it's it's just been easy for these developers to continue doing this despite law enforcement action against these developers so here's a little history about cryptolocker you know it's gone by many names so we kind of started with just plain cryptolocker moved on to the F family in 2014 we saw the crit Ronnie variants the revit on variants crowd II otherwise referred to as crypto wall three last fall saw we saw crypto wall for come with a major major change in the splash screen change in functionality and then last fall we also saw the first Linux variant come with Linux encoder one so you know the the linux unix platforms are no longer safe from this some more recent trends

that we've seen is ransomware using rdp to spread android ransomware communicating over XMPP tour switchers to help decentralize traffic in you know obfuscate the origin of the attack and anonymize protect the developer and the command and control network from discovery and isolation we've seen browser mobile and eunuch linux variants and i think you know the biggest thing is i have extortion on this slide but i had to come up with a little bit more of a specific terminology to discuss this because you know ransom you know demanding a ransom is extortion and so that's not really very very specific and so one of the trends that I expect us to see is what i'm calling leak where and

and what i'm expecting for us to see in this in leak where is that if you choose if you're infected and you choose not to pay the ransom that your data will be leaked in a WikiLeaks kind of fashion or similar to you know the threats that we've seen through big breaches like the sony breach you know we're going to splatter you all over pay spin if you don't pay whatever we demand from you and a couple of my peers have pointed out that X filtration is an issue so you know well what about X filtration and and I think that that's a valid point however if you were not able to protect defend against this threat and you

weren't able to remediate it before the encryption action was complete I question highly your ability to limit port 80 or 443 exfiltration of this data so does anybody have a comment on that I will give you a teacher if you say something so that I can take a drink of water nothing okay

so crypto wall three you know encrypts files displays ransom or a lock screen and here are some of as a long list of signatures by various vendors talking about their particular signature for that for the for crypto wall three as you can see you know most vendors are doing something in this area some are doing more and we're going to talk about that a little bit more later in the presentation but there are some really more advanced than just an anti virus signature ways that some vendors are developing to try to combat this which i think is great because we have to do something as a matter of fact several big firewall vendors teamed up last year

to do a great deal of threat research around crypto wall and they came out with a report in q4 called the the crypto wall report threat report and of that they came out with some pretty staggering statistics maybe even more staggering than what we've talked about so far and among those are an estimated 325 million dollar dollars in damages 839 or more command and control URLs five second-tier IP addresses used for command and control 49 campaign code identifies unique campaigns or run four hundred and six thousand or more attempted infections of version 3 alone and over four thousand unique samples and then after all that research we saw version 4 come come into the wild and

with that we saw some some interesting changes encrypting file names and the type which was new because previously one of the remediation techniques was to identify the types of the files that you that had been encrypted to to kind of tabulate what damage had been done now even the extensions had been encrypted which made it much more difficult to remediate the threat and an HTML ransom note re couching the the way that the threat had encrypted that information in a you need to help your files o kind of message and it also included generally taunting and arrogant kind of message so congratulations you've been you become part of a large community crypto wall so not the kind of congratulations that I

really want to receive on a friday afternoon at 4pm Linux encoder one we know to be written in C using the polar SSI library you know requires admin privileges runs as a daemon and deletes itself starts by encrypting the home directory then traverses the filesystem recursively and is only looking at directory starting with these extensions obviously going after people's hosted content their server infrastructure and only included a limited file extension list which was you know I kind of look at this as like a beta roll out no the developers is very early on there they're going after low-hanging fruit and trying to hit people where it's going to hurt them the most so I just

want to make a quick pitch for my buddy Russ he's talking this afternoon on power cell for cyber warriors who's planning on attending Power Cell for cyber warriors no it's got actually got to be on your sched like to raise your hand ok ok ok good good okay and one of the things that r us is going to talk about is a module that can be used in powershell to test distribution of crypto malware and so you guys will want to check that out I was talking with them a little bit earlier in the back and I said well you know Russ you might want to you know say a couple more words so if you're at this talk and you show

up there Russ might have some some goodies for you something delicious information or something maybe even more so how can you get this you know the cyber threat Alliance report revealed that sixty-seven percent of infections were the result of phishing attacks and thirty percent were the result of exploit kits so obviously we've got a lot more work to be done in the area of what user education you should have got a shirt earlier because you raised your hand earlier so there you go user education basics right I mean we come back to the very first weakness that you know we've identified over and over again you can't fix stupid right so we've got a lot more work to do in user education

and fishing awareness and and you know I'll i recant my statement a little bit by saying that these fishing campaigns are incredibly incredibly smart almost indistinguishable from the genuine article and it takes a keen keen eye to identify you know when this is being used and so if you maybe you've been the root you know the victim of a fishing campaign the resulted in cryptolocker it's okay come see me later I'll give you a hug so here's a little kind of chart showing what the phishing email you know kind of process or chain would look like I'm sorry for you folks in the back that this is you know that's probably hard for you to see I tried to

make it bigger but I couldn't you know the victim you know through vulnerable browser and redirection is you know is presented with a malicious server then redirected again to an angler or other compromised server they're going to get the exploit kit page which is going to then check for virtual machine and security products so you know in the most recent versions these the software is sandbox aware right so anybody go into bypassing sandboxing later this afternoon okay so also related and then if the sandbox is detected we're exiting to a JavaScript exception exception error if not then serving the ex lloyds of malicious payloads leading to the compromise of the system which is which is pretty smart so these you know

the developers are finding ways to keep their code from even being examined in a sandbox environment exploit kits here's kind of a list of of some of the identified campaigns their corresponding exploit kits additional you know in addition to angler magnitude neutrino and rig we've seen VIP and fiesta as well so earlier I talked a little bit about malvert Iseman and how that kind of tides in here and that is really you know what is feeding the drive-by download mechanism and here's a little bit of a chart from Microsoft talking about drive-by downloads in detail and you know this is where the iframe or JavaScript that's hosting that that malvert Iseman would become the mechanism within the drive-by download

for that software to be served up or that script to be run so this relates you know to the previous page where as kind of an additional layer of serving up this and then directing the user's browser toward that command and control Network

I put this at slide in because a lot of times when we r you know online the best of us you know we can get in this in this mode of clicking through material and that can very quickly lead to this drive-by download situation you end up you know oh that article looks interesting but it's served up by a third party that is not completely trustworthy and doesn't really screen their content very well and then all of a sudden you end up on a website you shouldn't end up on and there's there's kind of a little bit of an additional piece of information in this meme that I'm going to get back to in a little bit

but here's the iframe teardown j aj company inc com may be hacked let's check it out so we go and look at that and we can see here the iframe to the angler exploit kit that you know shows us that the site's still hacked just like google told us you know because of this malvert izing is a silent killer doesn't really require any type of user interaction to propagate the the malware just browsing to that website viewing the ads having you know JavaScript enabled on your critical domain controller that you don't have another one of causes it to become infected and you're running as admin domain admin not using enhanced security controls nobody does that so you know essentially web

browsing it is now you know a big big issue as it relates to this and one of the problems it's led to this is just our advertising economy right so it's a complex economy buying selling of advertisements many websites are sponsored you know by wet by advertisement you know we've known for a long time that Google's main business is advertisement not search you know and so anybody here from google I heard there's someone here from Google today but yeah we wish we were all raising our hands right and then you know this but one of the things that Google does do a good job of is screening advertisements whereas other websites may not do that

type of diligence you know so what we really need is industry partners that work closely together to detect these kinds of threats and keep them out of our you know Internet economy keep them out of our web browsers and so hopefully we can see some of that come as time goes on but probably not yes okay

we do have a lot of third-party advertising and this is a big concern for us do you have any recommendations that we could all use to do a better job keeping bad mal were tossing off um I don't happy to get back to you on that that's talking more about that yeah so thank you for your comment yes sir so if I understand what you're saying correctly the mal vertising is actually being hosted through legitimate advertising companies it's not like somebody's hacking the site and sending it off into someplace we already it's just they place an ad they happen to stick the link in there to the X plate know if you go right wow so of the you

know 336,000 I made on my last campaign I reinvest 20,000 in an advertising campaign that's malicious and now all of a sudden I've served up you know an additional you know 1.5 million malicious ads that's not I mean that's money well that's money well spent right for the developer so this is you know as as Robin pointed out is something that we'd all like to do something about its question of how we do that and so it requires you know an industry coming together and talking about that so and I will get back to you Robin on so yeah file system mods cryptolocker is saving itself with a random file name which makes it hard to detect creating

autostart entries in the system configuration these work even in safe mode hijacking exe extensions to delete shadow volume copies and the linchpin of the shadow valium copies is on your desk tops this is what allows you to do a system restore so if you don't have your shadow volume copies available you're basically going to get a message that says oh can't do a system restore and how many people are backing up desktops with a third-party backup system backup system where you can restore very few very few probably a good idea for your critical desktops if you have a desktop that's like the gonna end business as you know it then maybe a good idea your computer all right so for

us techies how it works we download the encryption keys encrypt the files and then demand the ransom here's a pink cap of of that action

you can see the proxies in work as well as the the tour switchers being used to to kind of redirect that traffic we get our encryption keys and establish connection through a domain generation algorithm this is what one of the things that's making it very difficult to block cryptolocker through that that most relied upon NSA top 15 information assurance mechanism domain whitelisting were reputation filtering like Open DNS you know maybe a checkpoint or other services that are out there it's now not effective where as effective because of the domain generation algorithm component the malware connects and downloads a public key to the windows system configuration and then the private key is saved to the command and

control server and this is of course the reason why we can't find the key we need to decrypt from the local system it's just not there here's a list of file extensions that cryptolocker is looking for I know this is really hard to read so you can check it out later when it's done encrypting these files is when you're presented with the the ransom note so you may not even know the encryption is going on aside from indicators like high cpu load high memory utilization exactly yeah so resource monitoring it then becomes an early indicator as well as your network ID s so as mentioned earlier draw files are now target and interestingly enough even as of this

week cryptolocker is now going after map drives first so there may not even be an indicator on the desktop of this happening it's it's really those map drives which which says to me we're going after corporate information even more aggressively than in previous versions so detecting preventing and remediation quickly i'm going to move through these because i'm running out of time most people the first time they they find out about this is when they get the screen some people are discovering this through their sim products are out there with signatures talking that that will help you detect the traffic initially and then they're finding that their local files are inaccessible or their server files are

inaccessible and you know in the case of that map drive information being targeted first that's really our first indication is oh there's all these weird file extensions on my my map drive on the server and now i can't access any of that information so staying map to network drives all the time is an additional vector that we open up for for cryptolocker to propagate through the enterprise here's some external threat policies that are helpful in discussing or and detecting the the check in via sim you can see the IP dash address es check in as well as the HTTP requests on the unusual port and then a signature that's been tailored to the crypto wall which

calling you know a trojan here's the screen nothing new here not not much new information on this slide just to say you know here's the ransom in an average amount it's timed the private key will be destroyed and again this is really the first indication a lot of people have that they've they've got an issue log management can be used to detect this monitoring correlation services are useful as far as you know things like high disk utilization your memory and CPU load and and other things so phone home is kind of hit or miss because again we're routing these things through a number of different mechanisms that make it much more difficult to detect local ransom note files are also an

indicator here are some frequently left behind extensions and file names these can be searched using scripts to alert detect an alert and even shut down the system but the developers have you know identified that this is how one of the ways that we're detecting this and so they're dropping these files at the end which then decreases our time to react talked about the scanning using PowerShell script file screen management with audit rules can be useful and it's important to note that all these things work in combination to bring your detection time down you know some detection have gone over five days you know or more so how many people do backups more fine days yeah most people are doing

backups more often than five days so that means that if you do a backup every 20 every two days you would have rolled encrypted files to your backups twice during that time period at least right yeah in our Chi 1 per month for a year exactly on you stop exactly yeah so but rolling to backup is no bueno so here we you know come back to this user awareness training is key not running as local admin does provide some protection user account controls doesn't really apply your path app data so you know this is where a software restriction policy is really important who who's using software restriction policies in their in their business today highly

recommend software restriction policy or app Locker in you know it's newer newer form so you know check that out it's worth your time especially on terminal servers and citrix servers yeah those things we are really easy to run you brought him every day sealy recent domain have been registered that maybe somewhere years cool whatever civil j yeah awesome lee Baird's discover scripts awesome thanks Kevin alright so you know Microsoft is not recommending you pay the ransom the FBI has kind of flip flopped on this pay the ransom don't pay the ransom pay the ransom don't pay the ransom paying the ransom is always a way to continue you know this this industry to feed this

industry so I'll leave it at that running antivirus and malware protection with with a full scan not just your quick scan mechanism preventing spam you know additional things to do can't you know what we were saying common security practices run up to date software latest software updates understanding how these how this malware works turning on your firewall limiting user privileges obviously you know attending a talk like this helps raise all of our understanding of how this works and so hopefully it's been helpful for you yeah yeah ad blockers or pop-up blockers are also a really great way you know to mitigate against the mal vertising drive drive-by download malicious iframe component as a matter of fact on here

there are some some tools that you can use these are all in my my my resources page which I'm going to show for you guys in just a minute and you know one of those that I just want to kind of come back to is is twofold well really two things opendns or another web reputation filtering mechanism is key and two products that use application control as a part of antivirus are a big win because companies like kaspersky and others are researching these threats keeping a pulse on them and then updating the through a behavior signature system a behavior signature stream malicious application signatures so at runtime watching the system detecting these and then also even in it

even providing a rollback feature for application actions in some some cases you know obviously a professional remediation is key here restoring from incremental backup we talked a little bit about that using utilities and regaining access to your files I have a list of utilities I'm going to provide you guys with as part of my resources that I've talked about retrieving keys online these you know these networks are being taken down by law enforcement all the time keys are constantly being published and so there is hope even you know down the road of recovering from an infection like this even if there weren't incremental backups available even if you didn't pay the ransom for those desktops that aren't built aren't

backed up rebuilding from gold image wipe the machine it's not just cryptolocker that we're talking about cryptolocker comes with other things like Blackshades remote access tool and other trojan downloaders that can be very very difficult to identify and remove and you know because of that early reaction is really essential in earlier versions disconnecting from the net work was shown to stop the encryption algorithm process it's no longer the case really a hard shutdown is what's needed pull that drive and mounted externally and then attempt to decrypt and salvage what is possible in an isolated environment reimage a restore our files is is the way to go here so as I mentioned earlier save that what can't

be decrypted to offline storage in case the keys are you know later published out and I mentioned how law enforcement is taken down these networks on an ongoing basis so with that questions you know how smart the algorithm for cryptolocker is for example could I do something like make a samba share and do like a link to itself and then it'll go after the samba share sort of a honey pot black hole yeah and it'll just recurse itself to death in his trap it yeah so that has been shown to be an effective mechanism in slowing down the process and you know at freaknic last fall I heard a really interesting talk called analog security there's a book

out about it and the whole premise is security is time-based and an increasingly complex virtualized high performance environment we have now become so fast that we exceed our ability to react to that and so what you're talking about is a way of slowing down the infection long enough maybe long enough to give yourself by yourself some more time it dislike to notice yeah yeah it's not yet smart enough to know that it's been given a honey directory or whatever you want to call it so a micro honey pot of some sort to the best of my knowledge okay cool thank you here's my resources again clean QR codes so you guys I'm serious about that the slides will be up

on SlideShare yes one of my buddies ran across one of their sites and one of their clients ended up with one that it actually was already seeing the shares even though they weren't mapped so it actually was running through picking up the shares live on the network and hunting for them and this client had made a mistake and the person who God had had more privileges than he should have so it ate up a whole bunch of stuff but she didn't have a map map shares to it so the mappings becoming less of a problem it's learning how to go find its own okay great thanks for sharing that I'm going to be updating this so you

guys want to check back every once in a while here's my contact information and again encourage you to link up with us at East Tennessee Issa and share the wealth of information that's out there so i'll leave this slide up for you guys that want to connect with the organization so thanks for coming I appreciate your attention guys