This is the fourth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.
Continuing from the third part of our paper…
Security Solutions Bypass
The next layer of defense that an attacker confronts is the end point security provided by third party vendors. Host Intrusion Prevention Systems (HIPS) for example, detect ROP exploitation and prevent shell code execution by injecting their modules into commonly exploited applications and placing hooks at various operating system APIs. However, these inline hooks meant to monitor suspicious activities and detect exploitation attempts are placed under the same privilege as the rest of the code in the process, thereby undermining the security solution’s ability to maintain and intercept all the required APIs.
This technique involves the attackers executing standard function prologues of intercepted APIs within self and then transferring control just past the JMP instruction intended to intercept the call.
Fig.10: Control flow depicting bypass of JMP instruction in a hooked API
The DeputyDog campaign  which exploited the CVE-2013-0389 vulnerability, employed the above technique to bypass the interception of WinExec() API calls by security software.
Direct SYS Calls
These are a sequence of CPU instructions that transfer control to the kernel directly from the application code instead of using the OS provided user mode APIs.
Payload Delivery via Documents or Sparse Encrypted Fetches
Shell code used as part of the exploitation chain may need to execute a larger payload to establish a backdoor on the machine. To prevent this payload from being detected by security scanners, the attackers can:
- Embed the payload in popular document formats like PDF, DOC, etc. The shell code when run, locates this payload in the document by scanning for specific magic markers, extracts it and executes it, or
- Download smaller encrypted chunks of the larger payload stealthily onto the victim’s machine. These chunks are later reassembled and executed on the victim’s machine.
The attackers use custom cryptors to encrypt their malicious code and attempt to defeat traditional signature based Anti-Virus scanners. At times, these files are digitally signed using trusted stolen certificates to appear legitimate and to circumvent local system policies.
The notorious Stuxnet malware for instance used malicious kernel drivers signed with valid stolen digital certificates to bypass Anti-Virus scanners.
Equipped with information about the security solutions installed in the organization’s end point, these payloads are often tested for detection by the vendor’s security scanner before they are deployed onto the victim’s machine.
The attackers execute their malicious payloads directly on the victim’s machine without ever writing the file on the machine’s disk. Traditional security solutions that scan only files on the disk in real-time cannot see these malicious payloads that are directly written and executed in memory. Behavioral analysis systems do not intercept these operations either fearing additional performance overheads.
In the BaneChant APT campaign , the shell code downloaded an innocuous XOR encoded binary as the first level payload. This binary in turn downloaded a second level payload which was an executable impersonating an image file meant to bypass security scanners. Once downloaded, this binary was executed directly in memory.
Indicators of Compromise
The initial compromise stage of an APT represents an attacker’s attempts to gain entry into the target organization’s network. In an environment defended by multiple layers of logging and security, it becomes quite a challenge for an attacker to be successful without leaving behind digital footprints. Provided below are some symptoms that could indicate a compromise in an organization’s network:
Suspicious System Changes
The presence of unauthorized applications that start from uncommon auto-start locations could indicate a compromise. Files names that resemble popular/operating system files like svchost.exe, acrord32.exe, etc. and dwell in unusual locations should also raise suspicion levels.
Fig.11: System file name present in an unusual auto-startup location
Hidden instances of popular applications like Internet Explorer, code-injection attempts into trusted operating system related processes, installation of unauthorized software, loading of driver files without an entry in the Service Control Manager, etc. could also indicate compromise.
Unusual Disk Activity
Exploitation attempts using heap spray techniques tend to use significant amounts of memory.
At times this can lead to high disk activity due to frequent page-file access. Attempts to sweep a user’s profile area for personal or confidential data could also result in increased disk activity, which could indicate compromise.
Compromised Security Components
Partially enabled security features or completely disabled security solutions on endpoints, even for a brief period of time, could indicate that something is wrong.
Loading of Unsigned Drivers in x64 Systems
x64-based Microsoft Windows verifies and allows only digitally signed driver binaries to load during system boot-up. Unsigned malware that want to load early on during the boot process will have to disable this verification process.
Boot kits for instance, tend to bypass the driver signing policy by making persistent system wide changes. Successful loading of a custom unsigned “test” driver on a machine infected with such a boot kit could indicate a compromise.
Fig.12: Windows alerting on loading an unsigned driver
Since human behaviour is manipulated to the attacker’s advantage during this stage of an APT, training programs should be conducted at regular intervals to educate the users on the latest intrusion techniques. These programs should aim at explaining the importance of security along with adequate examples, as well as changing user behaviour such that they follow security policies correctly.
Pen test emails mimicking a spear phishing attack could be used to improve the employees’ resilience towards such attacks .
Email applications and web browsers could be run in a virtualized environment that is automatically reverted during startup.
Malicious email attachments and drive by downloads would be contained within this environment and reboot resilient code would not survive a revert-to-clean-snapshot assuming that the malware cannot escape the guest VM and infect the host.
Intent to View
Suspicious or unknown email attachments should explicitly be stripped by security solutions.
These attachments should be released to a user only if he/she explicitly requests them.
Detecting Bypassing Attempts
Evasion techniques such as hook-hopping can be identified by breaking some basic assumptions made by the attacker. The security solution can replace the random number of instructions from the function prologue with its own code sequence. This way, shell code that attempts to bypass the initial JMP instruction would still land on the code sequence controlled by the security solution.
Few security solutions use multiple int 0×3 instructions past the initial JMP instruction to trigger a debug exception when executed, breaking the flow of execution.
Hook bypass attempts using direct system calls from user-mode processes can be flagged using a kernel module, if this user-mode to kernel-mode transition does not originate from the native layer.
K7 Threat Control Lab
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: