Let's get started. So my name is Brad Woodberg, I'm a product manager with Emerging Threats at Proofpoint, and today we're going to be talking about command and control channels. So just a quick rundown of what we're going to be covering: a few minutes on the intro, then we're going to go heavy into some malware techniques, we're going to talk about actual malware, case studies, what we're seeing, predictions and trends for the malware. Sorry, we're having an issue on that; I think I have an older version of the rev on here, but we're just going to plow through it. We're going to talk about defense, and then we'll wrap this all up in 45 minutes so that we can go get some beer and have some fun tonight. So why command and control? Why is this topic so interesting? Because so much of the information that we talk about and see in the security industry, blogs, articles, etc., focuses on vulnerabilities, exploits and the actual malware. And these are all great topics, all very interesting, but one of the big challenges for anyone who's operated an IDS, actually dealing with this on the front lines, is we know that trying to detect vulnerabilities, the whole CVE game, different types of exploits, is very noisy, it's not very high fidelity. You oftentimes will have alerts that trigger when an asset wasn't actually breached. But when you look at command and control, that's actually the point where you can say, hey, with high confidence I know that this asset has been compromised, when you see that control channel reaching out. It's kind of like Rasheed Wallace of my Detroit Pistons once said: the ball don't lie. When you see that command and control channel, you know that something's going on.
But probably the other thing that's really interesting about command and control is that this is actually the point where you go from being on the front lines, on pure defense, to the tables being turned on the attacker. You're getting hounded all day long, attacked from every which way, but now the tables are turned. Where you had to get it right every single time and they only had to get it right once, now it's the other way around: in order for them to maintain that connection, to maintain that control over that asset, they have to be right all the time. And so that's why I think this is interesting and why we should talk about it today.
So just a minute or two on how this whole thing gets started. The way I see it, there are really two primary ways that assets are being compromised. You have executable content: this is your traditional malware, scripts, macros embedded in Word documents and other Office file formats, et cetera. There's actually not an exploit happening here; oftentimes now it's just social engineering, get someone to open a doc, and then there's malware that now runs on the machine. The other way is the exploit-driven approach, which is obviously ever so popular with the exploit kits, and this is where you're actually taking advantage of a vulnerability to be able to gain execution control on an endpoint. But really it doesn't matter how it happened; all that matters is that it's been compromised.
So, a word or two on why malware even needs command and control channels. What's happening here? Oftentimes when an asset is breached it's not under the best of scenarios. It may happen on an asset that really isn't the ultimate target, the ultimate goal; it doesn't have the information that an attacker is looking for. There might not be sufficient privileges. Especially when you're dealing with exploits, you have a very small buffer or window in which to fit the actual payload, so you have to deliver it in pieces. And oftentimes a lot of malware, especially if you're dealing with crimeware and not so much targeted attacks, is basically shipped bare-bones and needs to get more information before it can pull off whatever it's trying to do. So that's where command and control comes in. Basically the command and control channel is going to be used for a lot of different things: for pushing the actual configuration, for escalating the breach as I mentioned, and this is where it's going to be reaching out to command and control infrastructure. Another aspect of command and control infrastructure is exfiltration: getting the information, the intellectual property that's on an endpoint, on an asset, out into the attacker's hands. So if we look at something like Locky, maybe it's going through and cataloging all the files on the endpoint, figuring out what's interesting and encrypting them. If we look at something like ZBot, this one is actually using a DNS channel for command and control. So they didn't even have to use anything special to customize, or even direct for that matter. With DNS you can just send a query and it's going to find its way home, essentially all the way to the server and back.
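The DNS channel described above, as an added example by the editor (this is not code from the talk and not ZBot's implementation). The bot encodes its data into base32 labels under an attacker-controlled zone so that the victim's own recursive resolver carries every query to the attacker's authoritative server; the C2 side reassembles them, and a defender-side heuristic flags zones receiving many long, high-entropy subdomains. The zone name c2.example.invalid, the bot-ID framing and the detection thresholds are assumptions:

```python
"""DNS as a C2 channel: client-side encoding, C2-side decoding, and a
defender-side heuristic. Added illustration, not code from the talk or
from ZBot; the zone name, framing and thresholds are assumptions."""
import base64
import math
from collections import defaultdict

C2_DOMAIN = "c2.example.invalid"   # assumed attacker-controlled zone
MAX_LABEL = 63                     # RFC 1035 label length limit
MAX_NAME = 253                     # RFC 1035 name length limit


def encode_queries(bot_id: str, data: bytes) -> list[str]:
    """Split data into DNS names the victim's resolver will forward.

    Layout: <seq>.<bot_id>.<base32 chunk labels>.<C2_DOMAIN>
    Base32 is used because DNS names are case-insensitive."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    # budget per query: name length minus fixed parts, in 63-byte labels
    fixed = len(f"0000.{bot_id}.") + len(C2_DOMAIN) + 1
    per_query = (MAX_NAME - fixed) // (MAX_LABEL + 1) * MAX_LABEL
    names = []
    for seq, i in enumerate(range(0, len(b32), per_query)):
        chunk = b32[i:i + per_query]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        names.append(f"{seq:04d}.{bot_id}." + ".".join(labels) + f".{C2_DOMAIN}")
    return names


def decode_queries(names: list[str]) -> dict[str, bytes]:
    """C2 side: reassemble per-bot payloads from the queried names,
    tolerating out-of-order arrival via the sequence label."""
    parts: dict[str, dict[int, str]] = defaultdict(dict)
    suffix = "." + C2_DOMAIN
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        seq, bot_id, payload = int(labels[0]), labels[1], "".join(labels[2:])
        parts[bot_id][seq] = payload
    out = {}
    for bot_id, chunks in parts.items():
        b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
        b32 += "=" * (-len(b32) % 8)          # restore base32 padding
        out[bot_id] = base64.b32decode(b32)
    return out


def shannon_entropy(s: str) -> float:
    freq: dict[str, int] = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in freq.values())


def suspicious_zones(queries: list[str], min_unique: int = 20,
                     min_entropy: float = 3.5) -> list[str]:
    """Defender side: zones receiving many distinct, long, high-entropy
    subdomains look like tunnels. Thresholds are assumptions; the zone
    split is a naive last-two-labels cut (real code would use a PSL)."""
    per_zone: dict[str, set[str]] = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        if len(sub) >= 30 and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            per_zone[zone].add(sub)
    return sorted(z for z, subs in per_zone.items() if len(subs) >= min_unique)
```

The defender never sees the attacker's server directly; the only observable is the query stream at the internal resolver, which is why the heuristic keys on volume and entropy per zone rather than on any fixed string.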
So in this case it's actually exchanging commands and information for the malware to take advantage of. So let's just take a quick look at an ever-popular vector, the Angler exploit kit, may it rest in peace. I chose this because it's really interesting, it's been so prolific in the last few years. I even saw that a bakery down the street from my house had their website popped and it was serving up an Angler redirector. And that's really the interesting thing: the signs aren't always so obvious leading up to an infection. It's not like the site was defaced or something like that. There was just a little iframe shoved in there, and if you weren't running some security software you would never know. But anyhow, we digress. So looking at the Angler exploit kit, first, typically you're going to hit some sort of a redirector, in this case our poor bakery, and that is going to redirect you to a traffic distribution system. This is basically going to evaluate your endpoint. It's going to say, hey, they're running Microsoft Windows 7 and Flash this version, okay, we're going to custom-tailor an exploit to that endpoint. And then finally an exploit and payload will be delivered, oftentimes by different infrastructure. Now here's the really interesting thing about this: up until this point, you really don't have confidence that an asset has actually been compromised.
And all the while you're probably chasing down a million alerts from your IDS and all sorts of other endpoint systems, because they're saying, hey, we saw this Angler redirector, and there's this exploit, and it checked what version of Flash. But there's really no high-fidelity indication that this has actually been fully compromised until you see that command and control. And once you see that, then you know for sure that the system has been overtaken. Now just a quick word: a lot of times people get lateral infections confused with actual command and control. With lateral infections, typically what you're talking about is how malware is going to spread within an organization. One thing that I think is a big differentiator is that typically lateral infections will leverage native enterprise protocols to spread, not exclusively, but that's a lot of what we see, whereas command and control may be anything from a traditional channel to HTTP, HTTPS, and maybe a custom protocol. We'll talk about some of the different trends in just a little bit. But effectively, the internal lateral stuff, if we take Locky as a perfect example, and all the hospitals that made a lot of news when they got breached and all their files were encrypted and the whole place shut down, and they had to pay a $17,000 ransom, which is really quite a steal in my opinion for full operations of the hospital, but I'm glad it wasn't more. In that case, basically it was just an endpoint that got compromised.
It wasn't like the file server got breached and then actually encrypted the files. It was an endpoint that had access to the file server using SMB, and it encrypted the files. So you actually do see a lot of that, just leveraging the native protocols that are within the network itself, whereas for command and control a far richer, more exotic and interesting set of protocols is used. Now before we get into the meat, I'd like to talk about how the cat-and-mouse game has evolved. Because like many things, the attackers kind of operate on an economic scale, right? Especially when you're talking about crimeware, they don't want to take more effort than they need to, spend more money and more time to make their infrastructure more robust. So they're going to play along with the vendors and what is actually being effective, to the point where it's not, and then they up the game. A lot of the very early malware was just leveraging very simple, high-range TCP and UDP ports that could really easily be filtered out on a router or on a firewall, easy as that.
Then it evolved into leveraging other applications like IRC for command and control, and then of course as some organizations started to tamp down more and more and restrict firewall access and outbound proxy access, a lot of them, and the funny thing is that at the exact same time I feel like a lot of the peer-to-peer applications, the file sharing apps, BitTorrent and so forth, converged a lot along with the malware, because they realized that, hey, these ports are almost always open, so we can leverage them. Malware also shifted over to port 80 and port 443. Then you had the NGFWs come out that could identify, hey, this isn't HTTP, this is some binary protocol that we've never seen, so we can block it. And all that isn't very interesting, but what's starting to get more interesting is how a lot of the malware is leveraging different types of cloud apps, and it's actually doing steganography, encoding messages in files and in various other metadata; we'll go through some examples in a bit. And this is where I think a lot of the future is, but essentially the malware has gotten to a point where it's really getting sophisticated in command and control channels. Now at the same time it's important to look at how command and control systems are being hosted. This isn't categorically a precise drop-off at any point in time for when things change over, but we actually do see a progression, especially with some of the more sophisticated actors in malware. At the very beginning everything was kind of statically hosted.
You had IPs that were hard-coded into malware and the malware wasn't really changing. Today we still see IPs that are hard-coded into malware, but back then you would have these C2 hosts that are up for years, and it would take a long time for that to filter into various lists and so on and so forth. I think things have evolved quite a bit since those days. It shifted to leveraging DNS, but again you still had a single point of failure, a name. Even though the IP could change and you could route the traffic elsewhere, you still had to cope with the fact that if that DNS name was discovered and blacklisted and wasn't changed, and again we're talking over a long period of time, not like what we have today, which can be hours or days, basically the malware could be shut down.
Config updates, where the malware actually goes out and updates itself, again not particularly sophisticated. But where things start to really get interesting in my mind is around the time of the Gameover botnet with the Zeus malware, because it certainly wasn't the very first, but we saw organizations really had a very hard time for several years, almost eight years or something, trying to control this malware, because it leveraged more advanced techniques: domain generation algorithms, peer-to-peer C2 infrastructure. So you really got rid of that centralized model, in the same way that BitTorrent and Skype and other types of peer-to-peer networking protocols and applications would work. And perhaps the most interesting is that now we're seeing more and more of the malware starting to leverage cloud services as C2, so basically you don't even have to operate anything yourself. We'll get into the list a little bit, but you can use Twitter, you can use Amazon, you can use the comment section. It's kind of the classic Cold War spy dead drop, where you bring the briefcase into the park and you drop it and leave, and someone else comes and picks it up. It's the same approach, and the beauty of it is it requires almost no investment. We'll save more for that in just a bit.
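A domain generation algorithm of the kind mentioned above, as an added example by the editor. This is a constructed toy, not Gameover Zeus's actual DGA, which is a different and more involved algorithm; the seed, TLD list and per-day domain count are assumptions. The point it shows is the asymmetry the talk describes: the bot and the operator derive the same daily list and the operator registers only a few, so a single blacklisted name no longer kills the botnet, while a defender who recovers the algorithm and seed from a sample can precompute and sinkhole the whole window:

```python
"""Toy date-seeded DGA and the defender's precomputation. Added illustration;
NOT Gameover Zeus's real DGA. SEED, TLDS and PER_DAY are assumptions."""
import datetime
import hashlib

SEED = b"assumed-campaign-seed"                 # assumption, recovered from a sample
TLDS = ["com", "net", "org", "biz", "info"]     # assumption
PER_DAY = 50                                    # assumption


def generate_domains(day: str, seed: bytes = SEED, count: int = PER_DAY) -> list[str]:
    """Derive `count` domains for an ISO date ("2016-08-05") from a
    SHA-256 chain. Bot and operator run the same function; the operator
    registers only one or two of the day's names, the bot tries them all."""
    date = datetime.date.fromisoformat(day)
    state = hashlib.sha256(seed + date.isoformat().encode()).digest()
    domains = []
    for i in range(count):
        state = hashlib.sha256(state + i.to_bytes(2, "big")).digest()
        length = 10 + state[0] % 7                      # 10..16 letters
        name = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{name}.{TLDS[state[-1] % len(TLDS)]}")
    return domains


def blocklist_for_window(start: str, days: int, seed: bytes = SEED) -> set[str]:
    """Defender side: once algorithm and seed are known, precompute every
    domain for a window so they can be blocked or sinkholed ahead of time."""
    first = datetime.date.fromisoformat(start)
    out: set[str] = set()
    for d in range(days):
        out.update(generate_domains((first + datetime.timedelta(days=d)).isoformat(), seed))
    return out


def is_dga_hit(fqdn: str, blocklist: set[str]) -> bool:
    """Match a resolved name against the precomputed list
    (case-insensitive, trailing dot tolerated)."""
    return fqdn.lower().rstrip(".") in blocklist
```

Note that the defender's precomputation only works because the seed is static; a DGA whose seed is itself fetched over the channel (or derived from something the defender cannot predict) pushes the problem back to the bot's first contact.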
So one of the things that I found most interesting is steganography, and what's kind of happening and some of the potential. We've seen hints of this certainly in a bunch of different malware, and I think it's probably one of the most powerful ways to be able to exchange information in a covert channel. Basically this is hiding information in plain sight. It's not anything new; it's been used for centuries. If you guys have ever seen the video of, I think it was Army or Naval Captain Jeremiah Denton, who was captured in Vietnam, he actually blinked in Morse code. They were doing one of those captive videos where they interview and ask all those questions, and he blinked "torture" in Morse code, and of course they put out the video. I'm not sure they knew that type of thing was going on, but it was very powerful, because obviously the Vietnamese Army didn't know, and it made it through. So I think a lot of similar techniques can be used in actual malware for covert channels, and when you look at it there's actually a wealth of potential opportunities and places that you can hide this data: everything from protocol headers at the network layer, to metadata and files, to all different types of encodings, audio, video, etc. We'll go into some of this. It just makes for an excellent place to hide your data and have plausible deniability, and of course you can layer other techniques on top of it, so you can leverage encryption plus stego to hide things in plain sight, if you will.
Let's take a look at a few examples. This is actually an APT malware sample that we saw, and I obviously anonymized the IP addresses, but basically what was happening here was that the machine that was compromised, we think it was kind of like a Chinese APT, was sending TCP packets with no flags, which is obviously interesting, and a zero window, and it was never really a problem, so it was actually just establishing a session. So it was actually communicating with a C2 just by sending these packets, just by leveraging the fields in the headers. And this can really be done with a number of different protocols; it's not anything that's restricted to TCP. Another example, when it comes to images, is that we're seeing malware like Vawtrak and others that will actually embed configuration in an image. In this case what I did was I used a tool called OpenPuff and I took the DEF CON 24 logo; one logo is just the original and the other has an encoded message, and as you can see, you can't see, right? There's nothing that our eyes can distinguish. What's actually happening here is it's using the least significant bit and encoding the message, or the file, you can do anything, in that least significant bit. So the color palette is tweaked by just one tiny value in each pixel, and that's enough that another party could come across it, grab it and extract the message if they know what to look for. But not only to the human eye but even to other computers it would be very hard to detect this type of technique.
So let's talk about another set: besides just trying to hide, what are attackers trying to do to ensure that their command and control channels are not compromised? There are a number of different counter-offensive techniques that they're taking. One technique is to actually filter who can connect back, and this is used in other cases too; it may be used not just for C2 but in the case of actual malware infections, especially targeted phishing. They want to make sure that vendors, and also non-target assets when they're dealing with targeted attacks, aren't going to be potentially compromised, because of course they don't want vendors learning the secrets and so on and so forth. With crimeware they might care a little bit less and cast a wider net over what they're trying to compromise, so you might not see that quite as much, but we do actually see a lot of filtering by IP address space, not only countries but even down to individual organizations if they're targeting an actual organization. Another thing that can be leveraged is hidden messages in handshakes. Poison Ivy is a really interesting, long-standing piece of malware that does that. It actually encodes a handshake in the initial connection, and so even on that first data packet it'll know, hey, this is a legit system or not, so we can just filter that out if there's some other type of asset trying to reach out. And of course encryption, especially leveraging pre-loaded SSL certs. It's interesting, we'll talk about Let's Encrypt because it has some implications here, but essentially if you just pre-load a trusted SSL relationship, the public key or symmetric key, into the actual malware, it can make a connection out immediately, and so they can basically ensure that only malware that is the actual target malware can reach out, at least until that certificate has been compromised, and so other types of SSL snooping tools that are trying to grab information wouldn't be able to have success there.
And just anecdotally, in terms of some of the things that we're seeing, there's actually been a pretty strong push to a lot of anti-sandboxing techniques by the attackers. I won't get into a lot of specifics, but we're seeing that it's getting harder and harder. If any of you guys use open source tools like Cuckoo and other rigs, the attackers are definitely trying to get wise and prevent sandbox analysis of their malware, in a major way. This is not a new thing, but we're seeing that the stakes are really ramping up on malware that's trying to fly below the radar, so it's not just from a C2 perspective; there are a lot of things, all the way from the exploit to the command and control, where this type of thing is happening.
Just a word: there are obviously different types of families, right? Crimeware is just going to be casting a huge wide net. Typically these are pretty chatty, but we will see that they'll go to a little bit greater lengths in a lot of cases to avoid detection. A lot of the targeted attacks, you'd be surprised, a lot of them are still just leveraging off-the-shelf remote access tools and other commercial tools. They are targeted in that the actual actor is targeting a particular party, a particular organization, but they're not terribly sophisticated, all the way up to the targeted espionage, where the sky's the limit. In some cases they may lack C2 altogether, but if you think about the Stuxnets and the Flames and the Duqus, there can be some pretty sophisticated command and control that can happen, and even insider threats to basically make those work.
So we covered a little bit about some of the evolution we've seen historically over time and some of the different components of malware. Let's actually dive into a bunch of different case studies and look at how different pieces of malware are communicating with command and control. So Gh0st RAT is probably one of the most simple examples, and again, this is out there; there still is a lot of Gh0st RAT infection that we see, because it's just such a prevalent tool that anyone can use. At least the commodity versions, and obviously anyone can modify any of these things, are actually going to have a string in the actual payload, so it's really easy for, say, an IDS to be able to identify it, because it's just there, it's not really obfuscated. It's kind of like if you look at the evolution of BitTorrent: it started running on random ports, then they switched to port 80, but then, not exclusively, they would say "BitTorrent" in the actual protocol, and then they got to the point where they're using very advanced, I'm forgetting the name, Kademlia, distributed hash table functions, to ensure that there wasn't such an easy way to match specific bits because everything was being dynamically generated on the fly.
Poison Ivy we talked about a little bit earlier, where basically this is leveraging a handshake. It's trying to identify who's connecting to me: is it a target asset, or could it potentially be a researcher? Typically there'll be some malware delivered, it'll have a password in it, and that is used in the challenge authentication, so that even if you have different strains of Poison Ivy, an individual actor can differentiate and make sure that only the correct target is talking to them. Again that can be important, because if you just allow anything wide open, it means that the viability of this malware, of this actual compromise, is not going to be as long-lived, because it'll be too easy to identify, too easy to take down. NanoLocker, this one came out last year, is a really interesting JavaScript ransomware. Ransomware has just been absolutely blowing up, but one of the things that I found really interesting is, again, it's not necessarily leveraging HTTP or a TCP-based protocol but actually leveraging the network itself. [unintelligible] protocols have a lot of great hiding spots.
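The password-gated handshake the talk attributes to Poison Ivy, as an added example by the editor. It is not Poison Ivy's actual wire protocol (which uses its own construction); the HMAC-SHA256 challenge/response, the baked-in password and the framing are assumptions. What it shows is the filtering property described above: the server decides on the very first data packet, a researcher's scanner that does not know the embedded password is dropped, and a recorded response cannot be replayed because the challenge is fresh per connection:

```python
"""Password-gated C2 handshake in the style the talk attributes to Poison
Ivy. Added illustration, not Poison Ivy's real protocol; the HMAC
construction, framing and PASSWORD value are assumptions."""
import hashlib
import hmac
import os

PASSWORD = b"admin"   # assumption: the password compiled into the implant


class C2Server:
    """Server side: challenge every new connection, admit only peers that
    prove knowledge of the password before any command is exchanged."""

    def __init__(self, password: bytes):
        self._key = hashlib.sha256(password).digest()

    def new_challenge(self) -> bytes:
        return os.urandom(32)          # fresh nonce per connection, defeats replay

    def check(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Implant:
    """Bot side: answers the challenge with the embedded password."""

    def __init__(self, password: bytes):
        self._key = hashlib.sha256(password).digest()

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ResearcherProbe:
    """A scanner or sandbox without the password; here it just echoes."""

    def respond(self, challenge: bytes) -> bytes:
        return challenge


class ReplayProbe:
    """An observer who captured a genuine response and replays it."""

    def __init__(self, recorded: bytes):
        self._recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


def run_handshake(server: C2Server, peer) -> bool:
    """One connection: server challenges, peer answers, server decides.
    Returns True only if the peer is admitted."""
    challenge = server.new_challenge()
    return server.check(challenge, peer.respond(challenge))
```

For a defender the consequence is the one the talk draws: you cannot confirm or fingerprint the C2 by connecting to it yourself, so detection has to come from the implant's own traffic (the client-side handshake shape, timing, destination reputation) rather than from probing the server.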
I mean, if you look at the difference between IPv4 and IPv6, now granted IPv6 has all the next headers and there could be some interesting things that you could do there, but there's a lot of space where, at the time, in the days of yore, they didn't know precisely that this whole internet thing was going to blow up, so they put lots of padding and other potential areas where you could hide things in. And as prevalent as these protocols still are today, it makes a really great channel for attackers. So Gameover Zeus, we talked about this a little bit earlier, where basically they want to avoid having the fixed-string centralized model and make it hard for IDSs to identify. So actually what they do is a combination of techniques, but basically they will XOR information in the packet payloads, [unintelligible] from the packet payload, so it's always changing, and it's very difficult to leverage signature-based technologies with traditional IDSs to be able to identify this malware, because basically it is always changing. Now that doesn't mean there aren't other ways to do it, but your traditional tools of the trade, if you will, need not apply. Now Dridex, a banking Trojan, took the whole enterprise sector by storm for quite a long time. And who would have thought that in 2015 through 2016 macro-based malware would be so pervasive and successful? But the fact of the matter is that it is, and it was.
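The header-only covert channel described earlier (the APT sample sending TCP segments with no flags and a zero window) and the "great hiding spots" in the IPv4/TCP headers just mentioned, as one added example by the editor. This is not the sample's code; the choice of the sequence-number field as the carrier and the 4-bytes-per-packet framing are assumptions. It builds the segments, shows how the C2 side reads the message straight out of the header without any session, and shows the cheap high-fidelity check a defender can apply: a segment with none of the TCP flags set is never produced by a conforming stack, so payload inspection is unnecessary.

```python
"""TCP header fields as a covert channel, and the detection check.
Added illustration based on the talk's description; not the APT sample's
code. Carrier field (sequence number) and framing are assumptions."""
import struct

# sport, dport, seq, ack, data-offset byte, flags byte, window, checksum, urgent
TCP_HDR = "!HHIIBBHHH"
TCP_LEN = struct.calcsize(TCP_HDR)   # 20 bytes, no options
DATA_OFFSET_5 = 5 << 4               # 5 x 32-bit words, NS bit clear


def build_covert_packets(message: bytes, sport: int = 40000, dport: int = 443) -> list[bytes]:
    """Carry 4 message bytes per segment inside the sequence number.
    flags=0 and window=0 mirror what the talk described: no handshake,
    no payload, the receiver only ever reads header fields."""
    padded = message + b"\x00" * (-len(message) % 4)
    pkts = []
    for i in range(0, len(padded), 4):
        seq = int.from_bytes(padded[i:i + 4], "big")
        pkts.append(struct.pack(TCP_HDR, sport, dport, seq, 0, DATA_OFFSET_5, 0, 0, 0, 0))
    return pkts


def build_segment(flags: int, window: int = 65535, sport: int = 50000, dport: int = 80) -> bytes:
    """A normal-looking header for comparison (SYN=0x02, ACK=0x10, ...)."""
    return struct.pack(TCP_HDR, sport, dport, 1, 0, DATA_OFFSET_5, flags, window, 0, 0)


def parse_tcp(pkt: bytes) -> dict:
    f = struct.unpack(TCP_HDR, pkt[:TCP_LEN])
    return {"sport": f[0], "dport": f[1], "seq": f[2], "ack": f[3],
            "flags": f[5], "window": f[6]}


def is_null_packet(pkt: bytes) -> bool:
    """Detection: no FIN/SYN/RST/PSH/ACK/URG/ECE/CWR bit set. A conforming
    stack never emits this, so it is a high-fidelity alert (the same idea
    as a Snort/Suricata `flags:0` rule); a zero window on it is a bonus."""
    return parse_tcp(pkt)["flags"] == 0


def extract_covert(pkts: list[bytes]) -> bytes:
    """C2-side reassembly: read the sequence field of every null segment.
    Real framing would carry a length; here trailing NULs are stripped."""
    data = b"".join(parse_tcp(p)["seq"].to_bytes(4, "big")
                    for p in pkts if is_null_packet(p))
    return data.rstrip(b"\x00")
```

Because nothing is in the payload, a rule that inspects content sees an empty segment; the detection point is protocol conformance (flags, window, and the absence of any preceding SYN) and the count of such segments per source host over time.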
And, you know, even to this day, you know, there still is, you know, a great deal of malware that's leveraging these, you know, age-old techniques from, you know, the days of Windows 95 or whatever. Particularly interesting is, you know, one shift that we've kind of seen is, you know, it's getting harder and harder to attack the machine, right? Because of, you know, different types of security protections that are built in. And so attackers are, you know, kind of saying, ah, forget about that, we're just going to attack the human. And so I think like Drydex is a great example of that where, you know, someone will, you know, get a document delivered it'll, you know, one really cool example that I loved was the document would actually be blurred. And so it would be an invoice dock, it would be blurred, but there would be a message that says, you know, click enable content so that the message will be, you know, visible. You know, this may, this payload may be, you know, corrupted if you, you know, click enable content, it'll be visible. And that's exactly what it did. Unbeknownst to the user, it also reached out, grabbed a payload, and, you know, popped the machine. And, you know, it didn't, and any virus, traditional AV, couldn't keep up with that because they would send, you know, a new hash of those documents. They would send millions and millions, you know, hundreds of millions even on some days. And so tremendously successful even to this day. And obviously there's a lot of different, you know, flavors, if you will, of the different malwares because they may be done by different actors. 
But, you know, in this case, in this one, you know, they're actually, again, leveraging the kind of the blind, the dead end, you know, the head drop, just like I kind of talked about with, like, Twitter, Amazon, you know, using Microsoft comments to be able to essentially, you know, deliver command and control information that can be, you know, exchanged between this endpoint and the actual server in a covert fashion. Now Tor, you know, obviously Tor is near and dear. It has, you know, some very important real world applications, you know, especially in certain countries and regimes and for journalists. So certainly not trying to knock on Tor. But, you know, for the same reasons why it's great for the, you know, the aforementioned use cases, it's actually becoming quite a problem for a lot of the research community because it doesn't even really require any type of, you know, client. You know, you can literally use, like, Tor to web and do this whole thing client-less. So whether it's Vaultrack or Delexis or, you know, there's a whole number. We'll look at some trends that I've seen in a minute. You know, Tor really is a, you know, a great way to essentially bridge that gap between the endpoint and the command and control channel. You know, just kind of, you don't have to worry about anything once you establish that tunnel. Oh, yeah. So basically, quick animation here. So, you know, just showing here, we got the initial compromise where, you know, the payload is delivered as exchange. You know, the endpoint is probing for Tor information, Tor nodes doing DNS resolution. And then, finally, it's making its connection to Tor to web. And so it can exchange this information covertly. Now, AirViper, this was one, you know, we did some research on at Proofpoint. This is obviously a targeted APT attack, you know, against, you know, the parties in the Middle East, we'll say. Israeli. And basically, you know, it was just leveraging simple HTTP. 
So even though this is kind of a sophisticated targeted attack, you can see that sometimes it's easier to blend in and remain obscured, if you will, than to go completely out of your way to evade detection. So we talked about a few different types of malware. Let's look at some trends. One of the first things that we did was look at SSL, and that's really interesting. Again, just like Tor, SSL is a critical, fundamental component of our lives, and justly so. We basically went in the last couple of years from about 30% of internet traffic to right around 70% today leveraging SSL. And so what does that mean when it comes to command and control? In and of itself, it didn't mean that much. But one thing that was a huge game changer is Let's Encrypt. Again, an excellent project, basically allowing anyone to get SSL certificates without the security poverty line. The browsers would trust them, so on and so forth, so you could secure your applications. But now the attackers are leveraging that too, right? Because they say, hey, I can now, in an automated fashion, get legit SSL certs, certs that the client is going to trust, for free, and I can just burn them, just like a domain name, just rifle through them. So while I don't think that this will have much of an impact on, like, the state-sponsored malware, I think that, especially for crimeware, it's like, why wouldn't you throw it in an encrypted tunnel and just make it that much harder for organizations to find this information?
Now, IPv6 is really interesting because we don't see quite as much of it as one would expect, and even in the case of malware today it's not as prevalent as we probably would have predicted five years ago, even with basically all the IPv4 netblocks being exhausted. But it actually represents a pretty big challenge for us in the security community. You can get your own /48 from Hurricane Electric, which is 65,000 netblocks, each with, I don't even know what that number is, trillions, whatever, of hosts for yourself, right? And so some of the traditional things that we could do, where we could say, hey, we can blacklist individual IPs or even kind of pseudo-netblocks, how do you do that when anyone can get access to such a massive number of IP addresses? I definitely think that sooner or later IPv6 is going to start to make a big splash. It's just once we hit that tipping point of availability to endpoints, and I think we're starting to get there very soon. And the other interesting thing about IPv6 is a lot of security technology actually still doesn't support it, surprisingly enough, or it does, but you're running an ancient version of whatever firmware from a vendor, and it doesn't support it.
Or, one of the interesting things with IPv6 is there are all the different tunneling capabilities. So even today you can do IPv6 over IPv4 tunneling in a number of different protocols. IP protocol 41 is a good example of that, but you can do it over GRE and so on and so forth. And because you can take that approach, if security technology can't strip off those layers, can't recognize it, then it's a perfect path, right? Because it can just send it right on through. Where it may detect it in an unencapsulated format, it'll be totally blind to it, totally miss it, when it comes to just slapping a header on it. Tor, as I mentioned, so this is from some of the internal data I have access to, but we've definitely seen an increase of the malware samples using Tor over time. It's a little bit lumpy in some cases, but it certainly isn't going down, and I think it's just a matter of time on the threat landscape: if people start blocking other mechanisms but don't really do anything to address Tor, then more and more authors will just go with that. Now, leveraging actual cloud apps for command and control, again, this is so attractive, and here's the thing: I talked about some of the names that you would know, right?
The Twitters, the Amazons, the Microsofts, how they're using, like, Net or something to encode messages, but really I'm actually a lot less worried about the name-brand cloud apps than I am about other types of systems. Just like how my bakery got popped with Angler, there are so many mom-and-pop shops or other organizations, other applications that are out there, that won't have such a sophisticated team with incredible research staff that'll be able to identify that, hey, something is going on here, because now there are all these thousands of hosts that are connecting and there are some shenanigans afoot, right? They might notice eventually when everything totally crashes, but it might take a long time before they get to that point. And again, it's just such an attractive target because you don't have to host anything. You give up a little bit of control, but if you can do it right, it's kind of prime for the picking.
And along those lines, there are so many different ways that you can leverage a cloud app to hide that information, whether it's an application like Dropbox where you can upload files, or Snapchat or Instagram, where you can upload an image and have the information literally encoded in that image and have people grabbing it, and all of a sudden you're trending on Instagram or whatever, but it's really because all this malware is phoning home and grabbing this information. It really creates an infinite set of possibilities. So I expect in future years, and really we could dedicate a whole talk to all this tech, maybe there'll be some coverage in a future talk, but in my view, as soon as the cat-and-mouse game, the arms race, kicks off and attackers say, okay, some of these traditional methods aren't working, I think you'll definitely see more and more that take advantage of such a prime target. Another thing is layered evasion.
So we see this with, I would say, more like the APT-style actors, because rather than being crimeware and massively triggering a lot of activity, if you're doing some IP fragmentation with TCP segments, evasions on top of that, maybe throw in SSL above that, HTTP (there's obviously a lot that you can do within the HTTP protocol to hide information), and of course, as I've gone into at some length, there's a lot that you can do in the actual embedded content itself, then you're starting to leverage these techniques in concert, right? Because really it's a way that you can catch some security vendors off guard that, even in 2016, might be blind to either the individual mechanisms or some combination of the mechanisms. It's definitely a real concern, and then you can keep on looping all these evasions, then you tunnel all the traffic. It's kind of up to the mind's eye, in terms of imagination, how sophisticated the evasions could get. And as I've been saying a whole bunch, steganography, the possibilities there are so limitless. So I would definitely expect to see more and more actors. And I guess the really scary thing about steg is that, when done right, it's so incredibly difficult to identify, as we saw earlier with the mirrored images, right?
So what concerns me is more the unknown-unknown aspect of attackers that could leverage this type of technique, because unlike some of the traditional mechanisms that we can use to identify individual patterns, identifying steganography is incredibly difficult in a lot of cases, both for a human and even for a machine. So how do you do that when the amount of bandwidth that we're sending is ever increasing and it's getting more and more expensive to cope with that? How do you even identify when this type of technique is being used? It's a very good problem. So we talked a little bit about the different trends and predictions. Let's talk about defense, right? What are some of the things that you can do, take away from this talk, to defend your network, your assets, your infrastructure? Let's start with the really obvious, but shockingly, even in 2016, it still isn't that widely used. So basically I took a ton of malware samples, millions of malware samples that we had, and looked specifically at the command and control port, what ports they were using. And about 17% of the malware was using high-range TCP ports for command and control. So I'm not even talking about other aspects of the malware; I'm talking specifically about the command and control. And they do that because, of course, most people leave those wide open. And that's kind of a bad idea. I totally get why, and it can be an administrative nightmare, but you can eliminate a lot of low-hanging fruit when it comes to command and control.
And basically, with a lot of these pieces of malware, you might be able to totally break it if it can't phone home, right? If it can't get that extra payload, if it can't share that encryption key or whatever, you can prevent this attack from being successful with the click of a mouse. Another big thing is making sure that you don't have applications that you wouldn't expect or wouldn't desire on your network running on your network. So if you're an enterprise and there's no real reason for you to be running Tor on your network, you probably shouldn't allow Tor out, because the malware will definitely take advantage of that. Even unknown binary streams, I should say: basically, some malware on occasion will just run some sort of odd encrypted protocol. If you can do deep packet inspection and do encryption entropy, which is something that a lot of modern IDSs and NGFWs do, you can potentially identify unknown types of malware just because, again, it's not matching a traditional protocol. It's actually not leveraging steganography; it's kind of standing out like a sore thumb. The next thing is to fingerprint known malware. And I definitely want to give a shout-out and plug to ET Open, which is free to anyone. We maintain and curate it, but it's free to anyone in the community.
And that's something that we focus heavily on, because rather than just trying to only fingerprint all the CVEs and play the whole CVE game with 15-year-old German help desk software or whatever, we focus on, hey, we see this malware in the wild right now and we're going to specifically identify it, so if you see this trigger, you really know that this is bad. And again, a lot of people talk about the security poverty line, and that's true to some extent, but there are a lot of great open source tools. You don't have to break an arm and a leg to get your hands on them, and this is a great example, because by fingerprinting the known malware you can introduce a very good signal-to-noise ratio and basically identify the known bad. Now SSL, again, is kind of a mixed blessing, right? Because there are just a lot of blind spots nowadays, especially if you're off of an SSL tap. And so there are a few different things that you can do when it comes to SSL. There are a lot of new systems that are supporting SSL man-in-the-middle. Again, there's controversy there; you can't always use it, for good reason, but if your situation dictates and you can break it open for some traffic, for instance, let's say any SSL site that isn't categorized by, say, a web filter or something like that, you could break it open and inspect it. You'd be able to identify a potential command and control infection and so on and so forth within that SSL stream. But the good news is you actually don't have to do that in all cases.
And again, ET Open, and abuse.ch is another great source, have not only signatures but also publish blacklists, certificate blacklists. So you can actually just view what is a known bad certificate; you never have to crack open the stream. You can just fingerprint it and say, okay, this machine has been popped because it's reaching back using a known bad SSL certificate, let's say Dridex, so it's going to a known bad site, and it doesn't require you to actually crack open the stream to figure that out. Heuristic anomaly detection: normally these things drive us all crazy because they're so chatty and kind of unreliable. But as you probably saw in a bunch of the samples, especially on some of the targeted attacks, when leveraged in the right context they can really light up like a Christmas tree, because you will find some of the different types of techniques and these layered evasion techniques; it's a great way to defeat them. Again, it doesn't require a commercial solution. There's tons of off-the-shelf stuff that you can leverage to detect these types of techniques. And really, at the end of the day, it's just giving a shit, right? A lot of people just don't, right? And I was told there are kind of three types of organizations: you have the compliant, you have the security conscious, and you have the security sensitive. So the compliant is just like, I don't care, I just need to buy this so I can check off this PCI checklist, just tell me how much it is, go away.
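As an added illustration of the three defensive checks the talk describes (egress to unexpected high ports, high-entropy streams that match no known protocol, and known-bad certificate fingerprints matched without decrypting), here is a small triage script. It is example code, not anything from the talk or from Emerging Threats; the port allowlist, the known-protocol prefixes, the entropy threshold, the certificate bytes and the blacklist entries are all constructed assumptions.

```python
"""Triage flows for the C2 signals discussed in the talk: non-allowlisted egress
ports, high-entropy unknown protocols, and blacklisted TLS certificates.
Added example; every sample value below is constructed, not real."""
import hashlib
import math
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed enterprise egress allowlist; anything else counts as "high range".
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443, 587, 993}
# Bits per byte above which a stream looks encrypted or compressed (assumed).
ENTROPY_THRESHOLD = 7.0
# Leading bytes of protocols an IDS would already dissect (assumed, partial list).
KNOWN_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"\x16\x03", b"SSH-", b"EHLO ", b"HELO ")


@dataclass
class Flow:
    dst_port: int
    payload: bytes                    # first bytes sent by the client
    cert_sha1: Optional[str] = None   # server certificate fingerprint, if TLS


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def matches_known_protocol(payload: bytes) -> bool:
    return payload.startswith(KNOWN_PREFIXES)


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the form certificate blacklists publish."""
    return hashlib.sha1(der).hexdigest()


def load_blacklist(csv_text: str) -> Set[str]:
    """Parse 'date,sha1,reason' lines (SSLBL-style CSV) into a fingerprint set."""
    fps = set()
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) >= 2:
            fps.add(parts[1].strip().lower())
    return fps


def triage(flow: Flow, blacklist: Set[str]) -> List[str]:
    """Return the reasons a flow deserves attention; an empty list means nothing seen."""
    reasons = []
    if flow.dst_port not in ALLOWED_EGRESS_PORTS:
        reasons.append("egress to non-allowlisted port %d" % flow.dst_port)
    if flow.cert_sha1 and flow.cert_sha1.lower() in blacklist:
        reasons.append("server certificate on blacklist")
    if not matches_known_protocol(flow.payload) and shannon_entropy(flow.payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy stream matching no known protocol")
    return reasons


# Constructed blacklist and sample flows (placeholder DER bytes, not a real cert).
BAD_CERT_DER = b"constructed-der-bytes-standing-in-for-a-real-certificate"
BLACKLIST_CSV = "# Listingdate,SHA1,Listingreason\n2016-08-01 00:00:00,%s,example C&C\n" % cert_fingerprint(BAD_CERT_DER)
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00", cert_fingerprint(BAD_CERT_DER)),  # TLS to listed cert
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),                 # ordinary HTTP
    Flow(49152, bytes(range(256)) * 4),                                              # opaque high-port stream
]

if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_CSV)
    for f in SAMPLE_FLOWS:
        print(f.dst_port, triage(f, bl) or ["clean"])
```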
And you have the security conscious, who are like, hey, we want to do the right thing, we don't have a whole team of experts, and they're definitely a perfect audience for this, because, again, even without having to spend an arm and a leg, you can get solutions that can help you if you actually care. The security sensitive kind of have a whole practice going on, and I'm less worried about them; they know what to do. But perhaps most important is to get involved, right? And I don't mean in a spend-money, donate kind of way. If you find command and control channels, interesting samples, in your own environment, it's really easy to get them into the broader community. ET Open's a great way, Snort VRT as well. There are other foundations. If you're a coder, you can help develop some of the engines that can detect this stuff: Suricata, Snort, Bro, Moloch. There's a whole bunch of different ways that you can get involved. So, just to wrap this up, because I know it's beer o'clock and we definitely don't want to impose on that: basically, the trends speak for themselves. I don't have to speak in hyperbole. Everyone knows how serious the actual malware and compromise problems are, and it's only getting worse. It's really not gotten to a point where it's better. The attack surface is so massive. There are so many different ways that we can get breached.
But we can leverage our strengths, in this case detecting command and control channels, which is really, really important. And we can leverage our attackers' weakness, in a lot of cases, to both prevent infections and counteract them when they do happen, respond quickly. And basically, as we up our game, they're going to up their game. We've got to have a line of sight to where things are going in the future. But as long as we stay in touch, in tune with the community, reviewing our logs, our information, our infrastructure, what it has to tell us, that's really the thought that we have on mitigating this stuff. And, yeah, basically that's what I've got. And I want to say a few thank-yous. Thank you all. Thank DEF CON for accepting this talk. Let me get up here on the soapbox. And thanks to everyone for attending, coming all the way over here from Bally's. Missed out on Mr. Robot. I saw them all in the green room. It was really funny. I was like, oh my God, I'm not worthy. And basically the whole Emerging Threats team at Proofpoint, there are too many people to name, but thanks, everyone.