
Case Study in Using Bad Malware Design Against Attackers

BSidesSF 2016 · 27:09 · Published 2016-04
Speakers: John Bambenek, Hardik Modi (Fidelis Cybersecurity)
Category: Technical
Style: Talk
About this talk
Software developers have provided unlimited job security for the infosec industry. Likewise, malware authors also have a history of making bad design choices that give defenders opportunities to use those mistakes against them. From failed crypto implementations in ransomware to "license verification" of commercial malware tools, even malware software developers suck. This talk will focus on several case studies, one being AlienSpy/JSocket and the design decisions made by the author that can be used to great effect to disable the malware world-wide. The earlier version, AlienSpy, was knocked out worldwide, forcing the developer to create an entirely new version of the malware and have all his customers reinstall (potentially losing their victims). Others will be added for interesting current events.
Transcript (en)

Hey everybody, ready for another talk? Once again, want to thank our sponsors. Feedback again, biz.com feedback; if you have session feedback, go on the schedule, there's a feedback survey button. There is still a raffle left at the end of the day for a $150 Amazon gift card courtesy of Jamalo, so please put your name on that. There may or may not be any t-shirts left; you can go check and see. Otherwise, this is John Bambenek and Hardik Modi of Fidelis Cybersecurity, going to present our next talk.

All right, thank you. Thank you. All right, we'll go ahead and get started. It's like the second-to-last talk of the conference, so I know many of you are tired or whatever, so I thought we'd do something really technical that might get you all kind of engaged, and talk about writing device drivers with JavaScript. It's a really good idea. How many people actually believe this is my topic? Right, okay, there's one person. Just a sense of humor check here. So our talk is about sucker-punching malware, specifically using malware design flaws or design decisions as both defense and offense against attackers. We're going into one particular case study with JSocket and some stuff that we've done in the past. So a

little bit about who we are. My name is John Bambenek; I manage the threat systems team at Fidelis Cybersecurity. Hardik here is my boss, vice president of threat research. It sounds impressive, right? But he's made two bad decisions since I've known him: one, he hired me, and two, he promoted me, so maybe not so impressive after all. So why sucker-punching malware? For those of you who get the reference: show me your cyber war face. There's something satisfying about doing something more than detecting threats. It comes down to this: the deck is stacked against us defenders. The

attackers have more tools, the economics favor them, and the time for us to respond is much higher than the time it takes for them to respond and adapt. We detect, we write rules, deploy those technologies, watch for telemetry; that is a time-consuming process, versus putting a new binary in the field, which is a very short process. Takedowns and prosecutions are time-consuming endeavors. For the two prosecutions I've done in the last two years, it averages about 8 months from me getting involved to somebody being arrested, and there is no way to scale that response. So again, the deck is stacked against us. But really what

gets fun is getting inside the action cycle of the adversary, getting inside their head and treating it like a frat house. So, a little bit about OODA loops; the Cymmetria talk yesterday talked a little bit about that. It's observe, orient, decide, act, and it's the mental cycle people go through in adversarial situations. They see something, a new data point, a new adversary, somebody engaging in a new behavior; they orient themselves to that reality, decide on a course of action, and then act. If you can get inside that loop, that mental process, it creates a destabilizing factor for your adversary. So the key

is to act in a way that's faster than those adversaries. So we talk about sucker punching, and this has been collapsed a little bit from a longer talk because we only got 30 minutes. But ultimately, in terms of sucker punching, you could block IP addresses, take domain names, simple stuff: level one. Level two, you've got peer-to-peer networks for command and control, which attackers like because it gives them resiliency, but they lose authentication, so if you can poison a peer-to-peer command and control network you could take over or disable a botnet. Compromised websites, for instance: Dridex, three weeks ago, somebody took

over a compromised website that was used by Dridex to deliver Avira antivirus instead of malware. That's a good little disruptive tactic, not very persistent, but that's level two. Level three, which we'll be talking about in our case study, is figuring out those things that really matter to an adversary: what is their single point of weakness, pain, pressure, whatever, and use that against them, finding some other way to flip the tables on them. Ultimately, like I said, the goal is to live rent-free inside their head and treat it like a frat

house. So a lot of this is just like the exploitation process for legitimate software that many of us here end up creating. Malware, finally, is just software, based on something that a human being has created, and it ends up with design flaws. There are objectives for the author of the malware that they're trying to meet that then leave them exposed. Okay, we did the JavaScript kind of case, and of course that developer needs help, but even for somebody writing malware, especially in the remote access Trojan, RAT, scenarios that we're talking about,

there's a lot of corners that have to be cut, or are often cut, that then open up opportunities for people like us. Any product managers here? I'm sure there are lots of software developers here, and I'm sure there are lots of software developers who worked with product managers, and you've got to hate those [expletive] product managers. I used to be one not too long ago, so I speak from experience. But at the end of the day, what is somebody doing when they're writing software? They're building requirements, the developers are writing the software,

they're testing the software, hopefully, they're deploying it, eventually they get to that stage, they get feedback, they do support. All of this process that your average software developer follows in a software development house is what the malware developer ends up doing, and so this is where we get opportunities to observe what they are actually trying to do, and then how we end up getting in the middle of that. So we're going to talk a little bit about AlienSpy. This is just an iteration of a multi-generation RAT tool. We're going

to then talk about JSocket, some of the stuff that's happened recently. AlienSpy in some form or the other has been around since at least 2012, originally with Adwind and Frutas RAT. With those earlier incarnations there were some fairly significant compromises in the Middle East that had been reported using those tools, and the tools originally were essentially distributed for free. A special characteristic of these tools is that they're all JAR, they're all Java-based tools, and so what happened was a lot of people realized fairly early on

that your classic spam filter knows to look for executable files, for binary files, but not necessarily for JAR files, and so this became this really neat way of just bypassing a lot of email protection to get to a user, and then of course the hapless user that installs the malware is then owned. Now, along the way they realized that there was a lot going on, a lot of people were profiting, and they wanted to be in on that value capture, and so it went commercial somewhere along the way. Our first engagement with AlienSpy, with this, sorry, this kind of

succession of RATs, was in 2014, and that was when we wrote a paper on something called UNRECOM RAT, a successor to Adwind and Frutas, and just within a few weeks of our publishing that paper, alienspy.net was registered, and that's really where our story begins, the story that we want to tell you about today. So then, if you just step back and think about the challenges of selling RATs: you're selling RATs, eventually, to people with malicious intent. These aren't like your average users of software, where the average user of software, many of us will

attest to them doing kind of stupid stuff and malicious stuff, but in this case you are absolutely selling your package to somebody who has essentially criminal intent. So they're scoundrels. If they bought the package from you, they can install it on multiple systems, they're going to provide it to their friends, some number of them might actually just go ahead and post it to a forum, share it with lots of different people. Okay, even if you ignore all that, just selling a RAT means you're always doing updates. You find that on lots of systems it doesn't install, on certain

systems it doesn't work as well as elsewhere, so you're updating your software, you're providing support, you might be running chat forums. Some people are known to run entire, fairly elaborate forums on Facebook providing support to users of RATs. And also along the way other people show up who are just like value-added resellers; they're essentially just taking the package that you're distributing and making it available on their site for what could be a significant markup, again something that, as an author, you'd be asking: why is somebody else capturing that value? And then finally us on the defense side: we figure out how

to detect command and control, we write signatures, and we go catch campaigns in action. So if you were the author, what would you do? You do what pretty much every software development shop ends up doing: some amount of licensing control, some amount of installation control, and where you can, you use TLS. And this is something I really want to emphasize: doing this then opens up these exposures that we later got to exploit. So then we think of AlienSpy in particular as a RAT net, and this is totally akin to a botnet. There's

the person who is writing the software, who is publishing new malware, who is making it available on a site, in this case alienspy.net. Eventually there are lots of people buying the package and using it for their purposes, and what they're essentially buying is the panel, and the panel is what they get to install on their systems; that's where they generate malware. The package that is the malware that is generated, they try to deliver to victims, get them to install, and eventually one might assume that every buyer of the software is going to have multiple victims. There's a lot

of TLS. Well, mainly we observed in AlienSpy, between the victim and the panel, all of that was like a self-signed certificate; John will talk a little bit about that. So then you look at this whole network and you observe, maybe there is a single point of failure, and this is essentially what happened. Last year we got to take part in this: AlienSpy was taken down in one swoop, and I'll explain how we got to that. We published our paper on AlienSpy the 8th of April 2015. I have to tell you guys,

we were General Dynamics Fidelis Cybersecurity Systems at that time, and General Dynamics does not like doing this stuff, doesn't like getting involved, doesn't like getting their name in the paper. So all we did was publish a paper; there was no action that we took on our part. But somebody at GoDaddy happened to read the paper and decided, you know what, this domain doesn't really belong with the malware creators, and so they suspended the domain essentially two days later. And the effect of this, as soon as they did that, was that now that the domain is gone,

they couldn't sell new panels. All of the chat rooms were hosted at alienspy.net, so at that point all these users who were either talking to each other or talking to the author, asking questions, discussing best practices, I'm sure, all of them suddenly had nowhere to talk about these things and had to go find other ways to regroup. But more importantly, everybody who had a panel was connecting back to alienspy.net for authentication and licensing, so every panel went down, and as a result they could not generate any new malware, and every existing campaign, because the panel was down: if you were a victim

and you were connecting back to somebody who was running a panel, well, that guy's panel is down, your network is down, you're no longer under their control. So with this network, taking down alienspy.net had this fairly large impact, just like that. Now, along the way, the AlienSpy story got a little bit richer, well, got richer for those of us on the research side. It turned out that there was an Argentinian prosecutor, Alberto Nisman, who had been about to, or was in the process of, filing

a case against the Argentinian government related to the alleged cover-up of a bombing in Buenos Aires that happened in 1992, again allegedly Hezbollah that did it. And there's this really murky story around Alberto Nisman and his death, essentially, I think it was like January 2015, so before we got around to publishing what we did. And then later in the summer it was revealed that at the time of his death he had AlienSpy installed on what was originally said to be his mobile phone, but in later analysis was more likely to have been his

laptop. Again, this is potentially complete coincidence, but Citizen Lab and a few others felt that there was a fairly significant kind of connection here. So this emerged later; of course, by the time we found this out AlienSpy was gone. So you might ask, is that the end of the story? And the answer is, not really. So here's the part where we get to have a little bit of, well, at least I got to have a little bit of fun. We write our detection rules; we're a

security vendor, we detect things. But old rules never really die, they kind of just sit around for a while. There's zero traffic, and all of a sudden we start seeing traffic on AlienSpy again. It's like, this is gone, what's going on? Because he carried over some of the artifacts that we'll talk about, that made him vulnerable the first time, and it was used to much greater effect the second time. So roughly two, two and a half months after the AlienSpy takedown, jsocket.org is registered. Same kind of mechanism: you've got a subscription server where you download the C2, you pay over Bitcoin or the

various web money and underground payment systems. But most of the code stayed the same, and most of the artifacts we'll talk about in great detail: still Java-based, multiplatform, has an Android component. It had one in AlienSpy, and the unfortunate reality of the AlienSpy takedown is I was about to start doing the research on the Android component and then everything went dark and I couldn't do any research, so I was kind of bummed about that. But JSocket kind of provided a component to say, all right, now I've got some time to actually research the Android part of this, and we'll talk a little bit about

that in a second. Kaspersky estimates that this author has made about $200,000 in about a year and a half of operation, so not a bad living of putatively tax-free money, so certainly a fair market for these kinds of tools, and it did provide a good niche: multiplatform, Mac, Linux, Windows, the functions were tailored for the underlying operating system. So it certainly provided a good tool for use in criminal stuff; we saw actors using it with criminal motivation to load financial malware, script kiddies may have used it, and certainly higher-level intelligence-agency-related organizations. The binary itself is kind of

highly obfuscated, using Allatori and some encryption, and they used SSL/TLS in a way that made interception of the traffic difficult. As was mentioned, this project with this author started more as a freeware tool; he kind of gave it away and then realized, hey, I could be making cash money with this, why am I giving it away? That was what he started with Adwind, which was three or four iterations back. Well, somebody had cracked it and then started distributing it for free, and that became the psychological motivation he used to start enforcing a subscription system to make sure he kept

capturing that money. That was an intentional design choice he made which undermined him in both AlienSpy and JSocket, and we'll talk about that in a second. And just as a bit of human intelligence, the author tends to frequent a Spanish-speaking forum, indetectables.net, I think I'm pronouncing that right, so not really great opsec on his part, to enumerate his actual identity and see the organization he had, which is relatively flat. So, to talk a little bit about the architecture: we saw it on the earlier slide with AlienSpy, that graphic. You had a subscription server that basically

provided encryption keys and file structure and other information. There was a routine heartbeat of all the C2 panels saying, hey, am I still valid? Yes, you are. If that ever failed for any reason, the panel would close; that's it, you can't communicate with your victims. But they did something interesting, which is that they were doing certificate pinning, where the actual certificate of jsocket.org and the IP address of the DNS name were hardcoded into the builders, so if there were any changes whatsoever the builder would fail to start or it would close. Again, he wants to verify he's getting the money, but he also wants to limit the amount of

surveillance that we can do. So some of my usual tricks of getting around that, system call tracing, don't work in Java, so I couldn't easily get into the cycle to see exactly how the API worked, because he really wants to avoid people creating cracked versions. Okay, the certificate details in the builder itself were interesting. This was something that was created as part of JSocket: he also did certificate pinning between the C2 panel and the victim, so if there was something in the middle between the victim and the C2, it would also fail; the malware would fail to launch. And you can see the

certificate details behind me. Oddly specific things: from an intelligence perspective, I love free-form text fields, because it is very, very hard to put anything in a free-form text field that I can't model and attribute. So just doing a quick, rudimentary Google search, I find this page, which probably doesn't show up particularly well, but assylias.wordpress.com has instructions on how to create a Java keystore and a certificate. He basically followed these things step by step: I'm going to do this with this CN, with this country code. He even used the same Java keystore password in AlienSpy, storath, which means you can manipulate

the keystore and defeat his mechanisms. He did learn a little bit about encryption, to change that password, as time went on, but now I know he doesn't really know much about encryption or SSL; he's just following instructions that he finds on the web, which lets me know something a little bit more about him: he wants to focus on his Java, not on his security. So the implications of this: no SSL man-in-the-middle works; you can't get in the middle of the traffic. But on the flip side, if there's something in the middle, just a web proxy that breaks SSL, the

malware would never fire, so it's a built-in defense, and he didn't really care that he had fewer victims, because he was really focused on, one, preventing us from detecting and monitoring him and, two, preventing people from creating cracked versions of his software. So, identical copy-pasted steps from that last website that he used, which lets me know how he built it and how you could technically defeat it. Now a little bit about Android too, because I was able to sit there and get into Android. Similar thing with APKs: you need to sign an Android application with a signing certificate, and the builder uses the same signing

certificate across all versions, which again provides that detection mechanism across versions, across families, that allows us to detect them over time. So when he came back on the radar we were able to see them. So this made these APKs very easy to find if you were doing certificate-based looking for particular attributes, even if they were being uploaded to the Play Store. Usually the model for malicious APKs is some kind of social engineering to get somebody to install this, change the settings on their phone, but there was a small window in which to get this into the Play Store.

All right, so there will be some more forms of this. As builders for APK malware happen, managing the certificates will be a very difficult thing for the attacker to do, but looking for those attributes certainly will make it easier to detect malicious APKs, so something to keep track of, more than just in this narrow case of Java. So, as an official saying: I'm not saying there were any JSocket APKs actually in the Google Play Store, except that there were, and they were removed. So, based on indications of finding, people are using these known certs to sign

the things, upload it to the Play Store, so now there's a little bit more knowledge to prevent that kind of mechanism from happening. The last mental, psychological aspect I want to talk about is that the author himself really didn't like a whole lot of attention. He was aggravated about our AlienSpy post; he's been aggravated about several things that are keeping track of him. If you look at that forum, indetectables, you will see him using the account, the username adwind, to say, hey, I'm no longer involved with this and this is some cracked version, kind of creating some rudimentary plausible deniability. He didn't like the attention

that he was under, and this was creating some difficulties for him, and hopefully will create some more difficulties going forward. But one aspect of that attention is that there is an individual, Kevin Breen, out of the United Kingdom. He creates a lot of open source malware decoders that let you just statically rip configuration items out of malware. It is a great tool set; I encourage you all, if you're interested in these things, take a look at it. But this particular actor knew that Kevin Breen was doing this, and he started rotating encryption keys in the actual dropped binaries that were provided by jsocket.org. Many iterations of those were actually homophobic slurs

addressed at Kevin Breen, so he knew who Kevin Breen was, was mocking him by name, and doing steps to try to get around the decoding process. But the reality is that he created some difficulties for himself: that central server controlled everything, so we had a little bit of fun with him. jsocket.org originally was on a shared hosting box. Okay, well, what could go wrong in a shared hosting environment is that I was simply able to pay the hosting provider a premium: give me an account on that box. And in one of my papers I put in a reference to Operation Biscuit Eater, a very directed message to him,

that if you went to operationbiscuiteater.org or .com you'd see this message. Once he figured out the reference, which was in about 24 to 36 hours, he immediately moved from that shared hosting box to a dedicated box, but had to reship all of his binaries because the IP address was hardcoded in there, so that none of the builders would work; he would have to redistribute again, and that poor user experience was creating downward pressure on his economics. So fast forward to today: two weeks ago at Kaspersky SAS, some researchers posted a great deal more about jsocket.org and the malware behind it, and not really being happy with the increasing level of what was going on,

he had burned down jsocket.org, his server, everything, and just went to ground. So you probably can't see this, but this is again the thread on indetectables.net from two days ago talking about, hey, where did this guy go? Some people say he went to Brazil, on the beach, he's enjoying his 200 grand, whatever he's doing, but it's very clear that this guy disappeared very, very quickly. So what did we learn of how to do this? This TLS pinning creates a mechanism to authenticate the server: I know I'm talking to the server because the certificate matches, it was signed, great, nothing can be manipulated there, except

that if you do SSL man-in-the-middle, in a proper environment you would be doing that, no victims will be talking. But if you created any pressure on jsocket.org, it would also take it all down with you. So focusing on that subscription server allowed us to kill all C2s with one particular shot, and knowing his paranoia let me get inside of his head and have a little bit of fun. It takes a long time to prosecute somebody, but you can troll somebody fairly quickly. So, final note: I do run a lot of private intel sharing groups on specific threats, exploit kits, DDoS, and so on, with people all over the industry. You

know, if you're interested in participating in some of these operations, let me know. We all work for our own companies, but I don't really care about that; I care about people with talent looking to tackle the problem. So if you're interested in joining, find us, more of our research at threatgeek.com, find us on Twitter. Any questions? Someone's got a question? Come on, come on, it's the second-to-last talk, somebody's still here with a pulse. We can take questions offline if we need to. Yeah, so we want to thank the speakers again, appreciate them, and again on behalf of
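The two certificate mechanisms the talk describes, the hardcoded pin that made the builders fail closed whenever the server changed, and the reused signing certificate with its free-form subject fields that let defenders cluster and attribute samples across versions, as an added example. This is not code from the talk, from Fidelis, or from the JSocket builder; it uses only Go's standard library, generates its own self-signed certificate, and the subject values (the CN "c2.example", country "XX") and the signer profile are constructed placeholders, not the real certificate fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SignerProfile holds the free-form subject fields a defender has modelled
// from a known sample family. Values used below are constructed placeholders.
type SignerProfile struct {
	CommonName string
	Country    string
}

// selfSigned builds a self-signed certificate with the given subject, the
// kind of certificate a keytool tutorial followed step by step produces.
func selfSigned(cn, country string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Country: []string{country}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is SHA-256 over the whole DER certificate: the value a builder
// that pins the server certificate would hardcode, and the key defenders
// cluster samples on.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Pinned reports whether a presented certificate matches the hardcoded pin.
// A reissued certificate, a rehosted server, or an interception proxy all
// change the DER bytes, so the check fails closed. That is why every panel
// and builder stopped working whenever the subscription server changed.
func Pinned(presented *x509.Certificate, pin string) bool {
	return Fingerprint(presented) == pin
}

// MatchesProfile compares the subject's free-form fields against a modelled
// signer profile. Because the same certificate is reused across builds, the
// CN and country are a durable attribute for detection and attribution.
func MatchesProfile(c *x509.Certificate, p SignerProfile) bool {
	if c.Subject.CommonName != p.CommonName {
		return false
	}
	for _, country := range c.Subject.Country {
		if country == p.Country {
			return true
		}
	}
	return false
}

// ClusterBySigner groups samples (keyed by a sample name) by the fingerprint
// of the certificate they were signed with, the APK-style clustering the
// talk describes.
func ClusterBySigner(samples map[string]*x509.Certificate) map[string][]string {
	out := make(map[string][]string)
	for name, c := range samples {
		fp := Fingerprint(c)
		out[fp] = append(out[fp], name)
	}
	return out
}

func main() {
	server, err := selfSigned("c2.example", "XX") // constructed subject
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(server)
	reissued, _ := selfSigned("c2.example", "XX") // same subject, new key
	fmt.Println("original matches pin:", Pinned(server, pin))
	fmt.Println("reissued matches pin:", Pinned(reissued, pin))
	profile := SignerProfile{CommonName: "c2.example", Country: "XX"}
	fmt.Println("reissued matches profile:", MatchesProfile(reissued, profile))
	clusters := ClusterBySigner(map[string]*x509.Certificate{
		"sample-a": server, "sample-b": server, "sample-c": reissued,
	})
	fmt.Println("samples sharing the pinned signer:", len(clusters[pin]))
}
```

The two checks deliberately pull in opposite directions: the pin is fragile on purpose (any change breaks it, which hurt the operator far more than it hurt analysts), while the profile match survives re-keying because the author kept typing the same CN and country from the same tutorial.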