Transcript clampi-2010

http://www.cyanline.com
Advanced High-tech Security
Clampi
Author of…
Steven Branigan, President
[email protected]
Who am I?
• Former…
– Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
– Observed that insiders are more dangerous than
outsiders.
• My company, CyanLine, handles
– Wireless security products.
– Network auditing and consulting.
– Devising new tools for technical investigations.
Copyright (c) 2009, CyanLine LLC. All rights reserved.
The glossary for today
GSM (Global System for Mobile Communications) A digital cellular standard defining how voice and data are coded and transferred over the radio spectrum. It became the dominant 2G standard in most of the world; CDMA was the main competing standard, particularly in the United States.
GHz (Gigahertz) One billion cycles per second. Equal to 1,000 megahertz.
GPS (Global Positioning System) A satellite-based navigation system built on a nominal constellation of 24 satellites placed in orbit by the U.S. Department of Defense.
Hot Spots Wireless access points found in public places such as airports, convention centers, hotels and coffee shops.
Hz (Hertz) A unit of frequency: one cycle per second, or one radio wave passing a point in one second.
ISP (Internet Service Provider) A company that provides Internet access.
LAN (Local Area Network) A network that links computers and other office equipment within an office or building.
MMS (Multimedia Messaging Service) A method for transmitting graphics, video clips, sound files and short text messages over wireless networks, carried over WAP.
MHz (Megahertz) One million cycles per second. Equal to 1,000 kilohertz.
MAC (Media Access Control) address A hardware address assigned to a network interface at the factory. It is only nominally permanent: most drivers let it be changed in software, so MAC filtering is not an authentication control.
NAT (Network Address Translation) An address-mapping technique, generally applied by a router, that makes many different IP addresses on an internal network appear to the Internet as a single address. It is often described as a security feature, but hiding internal hosts is a side effect, not a substitute for a firewall policy.
Ping Not actually an acronym (the name comes from sonar), though often back-formed as "Packet Internet Groper". A utility that sends an ICMP Echo Request to another host and waits for the Echo Reply, commonly used to check whether a host on a network is reachable.
Point-to-Point (PPP) A method of transporting IP packets over a serial link, typically between the user and the ISP.
Point-to-Multipoint A communications network that provides a path from one location to multiple locations (one to many).
RFID (Radio Frequency Identification) A technology that uses radio waves to transfer data between a tag on a movable item and a reader in order to identify, track or locate that item.
SID (System Identification) A five-digit number that identifies a cellular carrier's service area; the phone compares it with its programmed SID to tell home service from roaming. Most carriers have one SID assigned per service area.
SSID (Service Set Identifier) The name of a wireless LAN, up to 32 bytes long, shared by every station on that WLAN and sent in the clear in beacon and probe frames. It is not a password and provides no security by itself.
TDMA (Time Division Multiple Access) A digital cellular technique that divides one radio channel into time slots so that several mobile devices can share it with a fixed base station, giving more capacity than analog cellular.
TCP/IP (Transmission Control Protocol / Internet Protocol) The Internet protocol suite, developed with U.S. Department of Defense (DARPA) funding in the 1970s. TCP provides reliable, ordered delivery of a byte stream between applications; IP addresses and routes the individual packets between hosts.
VoIP (Voice over Internet Protocol) Any technology providing voice telephony over IP, including codecs, streaming protocols and session control.
VHF (Very High Frequency) Radio channels in the 30 to 300 MHz band.
WAP (Wireless Application Protocol) A protocol suite for delivering Internet content and services to mobile handsets over cellular data links. It is an application-layer standard, not a radio technology, and does not itself define a data rate.
WEP (Wired Equivalent Privacy) The original 802.11 encryption for traffic between WLAN devices. Its RC4 key scheduling and 24-bit IV are broken; keys can be recovered from captured traffic in minutes, so it should be replaced by WPA2.
Wi-Fi A brand name of the Wi-Fi Alliance, used generically for any type of 802.11 network, including 802.11b, 802.11a and 802.11g. Despite the common expansion, it is not an abbreviation of "wireless fidelity".
WAN (Wide Area Network) A communications network that uses telephone lines, satellite links or radio to span a larger geographic area than a LAN can cover.
WISP (Wireless Internet Service Provider) An ISP whose last-mile access is wireless. See ISP.
Zulu Time Synonymous with Greenwich Mean Time (GMT), and for practical purposes UTC; the time designation used in satellite and military systems.
The start
• The bank called the CFO to advise that $80K
was about to be transferred via ACH to 9
recipients.
– Average transfer of just under $10K per person.
– The transfers were created under the CFO's IDs.
– They were approved by a second ID.
Indicators of potential fraud
• #1 – The IP address was not the usual IP
address for the transactions.
– However, it was in the same geographic area.
– The IP address resolved to a home system (residential ISP).
• #2 – The ACH transfers were intended for
individuals.
– All just under the $10K Bank Secrecy Act reporting
threshold; structuring amounts to stay beneath it is itself a red flag.
What happened?
• Were the IDs stolen, or was this an
inside job?
• The investigation started by imaging the
CFO's and the assistant's systems.
First Analysis showed
• Nothing suspicious in the IE history on
either system.
• Both systems had current AV software, and it had raised no alerts.
Follow-up analysis
• Examined the Windows startup locations (Run registry keys and the Startup folder).
Suspicious
• Startup entries pointing to executables in the Application Data
directory?
– Not normal: installed programs autostart from Program Files or
system32, not from a user-writable profile directory.
• Ran this program through a different
virus scanner, which reported "clampi".
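The check behind this slide, turned into a script, as an added example that is not code from the talk. It parses a `reg export` of a user's Run key, extracts the program path from each command line (quoted or not, with `%APPDATA%`-style variables expanded from the imaged profile rather than the analyst's own machine), and flags any autostart whose executable sits in a directory an unprivileged user can write to. The registry export, the value names and the profile paths are all constructed for the example.

```python
"""Flag Windows autostart entries whose executable lives in a user-writable
profile directory such as Application Data.

Added example (not from the presentation). Input is a constructed `reg export`
of a user's Run key; every value name, path and the profile layout are made up
to resemble an XP-era workstation.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export of HKCU\...\Run (XP-era paths).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"svchost"="\"C:\\Documents and Settings\\cfo\\Application Data\\svchost.exe\""
"Updater"="%APPDATA%\\Updater\\upd.exe -s"
'''

# Environment of the imaged user profile (assumed values). Taken from the image,
# not from the analyst's machine, so paths expand the way the victim saw them.
PROFILE_ENV = {
    "APPDATA": r"C:\Documents and Settings\cfo\Application Data",
    "USERPROFILE": r"C:\Documents and Settings\cfo",
    "TEMP": r"C:\Documents and Settings\cfo\Local Settings\Temp",
}

# Directory fragments a logged-in user can write to without admin rights.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\appdata\\", "\\local settings\\temp\\", "\\temp\\",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(reg_string: str) -> str:
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", reg_string)


def parse_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) for each string value in the export."""
    entries, current_key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = _VALUE_RE.match(line)
        if value and current_key:
            entries.append((current_key, value.group(1), _unescape(value.group(2))))
    return entries


def executable_path(command: str, env: Dict[str, str]) -> str:
    """Extract the program path from a Run-key command line and expand %VARS%."""
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return re.sub(r"%([^%]+)%", lambda v: env.get(v.group(1).upper(), v.group(0)), path)


def is_user_writable_location(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_suspicious_autostarts(reg_text: str, env: Dict[str, str] = PROFILE_ENV) -> List[Dict[str, str]]:
    """Autostart entries whose executable sits where an unprivileged user could have dropped it."""
    findings = []
    for key, name, data in parse_run_values(reg_text):
        path = executable_path(data, env)
        if is_user_writable_location(path):
            findings.append({"key": key, "name": name, "path": path,
                             "reason": "autostart from user-writable directory"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f"{f['name']}: {f['path']}  <- {f['reason']}")
```

Run against a real export, the two entries it flags here (`svchost` masquerading in Application Data, and the `%APPDATA%` updater) are exactly the shape of finding the slide describes; a name that mimics a system binary but resolves outside system32 deserves a second scanner, as the talk did.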
The gateslist
The gateslist (explained)
• The gateslist is a hex-encoded list of
URLs of the malware's controllers (the gates).
• Sample URLs:
– 61.153.3.48/OcOLWIskOXxqvMHA
– 64.18.143.52/MldLsmdK1Lsdn5Ka
– 66.128.55.82/3kbLJ2Aghp5Tw4Vk
– 66.199.237.139/IvhNAd2Vellpa8eQ
Using URLs?
• Using plain URLs over HTTP makes clampi
communications hard to distinguish from ordinary web traffic.
• The IP addresses belong to compromised
home systems, so blocking individual IPs is short-lived.
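What an analyst can do with the decoded list, covering both the gateslist slide and this one, as an added example that is not code from the talk or from the Symantec paper. It decodes a hex blob into the four sample gates shown on the slide, matches them against proxy-log lines (so the port-80 traffic becomes visible in the one place it is logged), and emits Snort rules keyed on the path token rather than the IP, since the IPs are compromised home machines and change. The storage format is an assumption: the slide only says "hex encoded list of URLs", so this treats the value as hex of NUL-separated `host/path` strings; the real Clampi list is additionally encrypted, which this does not handle. The proxy log lines and the rule SIDs are constructed placeholders.

```python
"""Decode a hex-encoded gate list and turn it into detection artifacts: a
proxy-log matcher and Snort rules.

Added example, not code from the talk or from the Symantec paper. The storage
format is an ASSUMPTION: the slide only says "hex encoded list of URLs", so this
treats the value as the hex of NUL-separated "host/path" strings. Real Clampi
gate lists are additionally encrypted (see the Symantec whitepaper); that layer
is not handled here. The proxy log lines are constructed.
"""
from typing import List, Sequence, Tuple

# The four sample gates shown on the slide.
GATES = [
    "61.153.3.48/OcOLWIskOXxqvMHA",
    "64.18.143.52/MldLsmdK1Lsdn5Ka",
    "66.128.55.82/3kbLJ2Aghp5Tw4Vk",
    "66.199.237.139/IvhNAd2Vellpa8eQ",
]

# Constructed Squid-style access.log lines (fields: time elapsed client
# code/status bytes method URL rfc931 peer type).
SAMPLE_PROXY_LOG = """\
1262736000.123    210 10.0.0.23 TCP_MISS/200 512 POST http://64.18.143.52/MldLsmdK1Lsdn5Ka - DIRECT/64.18.143.52 application/octet-stream
1262736001.456     80 10.0.0.23 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
1262736002.789    190 10.0.0.41 TCP_MISS/200 600 POST http://66.128.55.82/3kbLJ2Aghp5Tw4Vk - DIRECT/66.128.55.82 application/octet-stream
1262736003.000     95 10.0.0.41 TCP_MISS/404 300 GET http://66.128.55.82/favicon.ico - DIRECT/66.128.55.82 text/html
"""


def encode_gateslist(gates: Sequence[str]) -> str:
    """Build a registry-style hex blob from gate strings (assumed NUL-separated)."""
    return "\x00".join(gates).encode("ascii").hex().upper()


def decode_gateslist(hex_blob: str) -> List[str]:
    """Inverse of encode_gateslist: hex -> bytes -> NUL-separated host/path list."""
    raw = bytes.fromhex(hex_blob)
    return [part.decode("ascii") for part in raw.split(b"\x00") if part]


def split_gate(gate: str) -> Tuple[str, str]:
    host, _, path = gate.partition("/")
    return host, "/" + path


def find_gate_hits(log_lines: Sequence[str], gates: Sequence[str]) -> List[Tuple[str, str]]:
    """(client_ip, url) for every proxied request whose host/path is a known gate.

    Matching on the exact host/path keeps the check precise: the favicon request
    to a gate IP in the sample is not reported, only the gate URL itself.
    """
    wanted = set(gates)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        _, _, hostpath = url.partition("://")
        if hostpath in wanted:
            hits.append((client, url))
    return hits


def snort_rule(gate: str, sid: int) -> str:
    """Snort 2.x rule for an outbound request to one gate (sid is a local placeholder)."""
    host, path = split_gate(gate)
    return (f'alert tcp $HOME_NET any -> {host} 80 (msg:"Clampi gate contact {host}"; '
            f'flow:to_server,established; content:"{path}"; http_uri; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    blob = encode_gateslist(GATES)
    print("gate list decodes to", decode_gateslist(blob))
    for client, url in find_gate_hits(SAMPLE_PROXY_LOG.splitlines(), GATES):
        print(f"HIT client={client} url={url}")
    for i, g in enumerate(GATES):
        print(snort_rule(g, 1000001 + i))
```

The `content:"/…"; http_uri;` match is what survives a change of gate IP; when the list is re-decoded after a new sample, regenerate the rules rather than editing addresses by hand.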
Modules
• The registry values are, with limited
exception, the malware's program modules.
– This defeats file-based virus scanners: what is being read is the
registry hive, not an executable file on disk.
• Most of the modules are stored encrypted.
– Except PSEXEC, the Sysinternals remote-execution tool, which the
malware uses to copy itself from one system to another.
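A way to triage the registry values this slide describes, as an added example that is not code from the talk: encrypted modules show up as large high-entropy blobs, while an unencrypted tool like PSEXEC is recognisable by its PE header (`MZ` at offset 0 and `e_lfanew` at 0x3C pointing at `PE\0\0`). The value names and contents are constructed stand-ins; the "ciphertext" is seeded pseudo-random bytes and the clear blob is a minimal fake PE header, and Clampi's real value names are not used.

```python
"""Triage binary registry values the way the Modules slide describes: encrypted
modules show up as high-entropy blobs, while an unencrypted tool such as PSEXEC
is recognisable by its PE header.

Added example, not from the presentation. The value names and contents are
constructed: the "encrypted" blob is seeded pseudo-random bytes standing in for
ciphertext, the clear one is a minimal fake PE header, and Clampi's real value
names are not used.
"""
import math
import random
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform random (what good ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """True when the DOS 'MZ' header points (via e_lfanew) at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_blob(data: bytes, min_size: int = 256, high: float = 7.0) -> str:
    """pe-cleartext | high-entropy | other, checked in that order."""
    if looks_like_pe(data):
        return "pe-cleartext"
    if len(data) >= min_size and shannon_entropy(data) >= high:
        return "high-entropy"
    return "other"


def triage_values(values: Dict[str, bytes]) -> Dict[str, str]:
    return {name: classify_blob(blob) for name, blob in values.items()}


def _fake_pe(body_len: int = 200) -> bytes:
    # 'MZ' + padding up to e_lfanew at 0x3C, which points at 'PE\0\0' at 0x40.
    return (b"MZ" + b"\x90" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * body_len)


def _fake_ciphertext(length: int = 4096, seed: int = 1234) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed stand-ins for values found under the malware's registry key.
SAMPLE_VALUES = {
    "Module0": _fake_ciphertext(),
    "PsExecCopy": _fake_pe(),
    "Settings": b"http://update.example.invalid/check?" * 10,
}

if __name__ == "__main__":
    for name, verdict in triage_values(SAMPLE_VALUES).items():
        blob = SAMPLE_VALUES[name]
        print(f"{name:12} {len(blob):6d} bytes  H={shannon_entropy(blob):.2f}  {verdict}")
```

On a real hive, walk the suspect key with a registry parser, feed each REG_BINARY value through `classify_blob`, and carve out anything tagged `pe-cleartext` for hashing; the `high-entropy` ones are the modules whose encryption slowed the analysis in the talk.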
Summary
• Intercepts banking credentials.
• Communicates out via port 80 (HTTP).
• The software is not stored entirely on disk as files;
its modules live in the registry.
• Encrypted components have slowed analysis.
• The software can copy itself to other
computers on the network.
Recommendation
• Manual inspection of registry entries (autostart keys and
unexpectedly large binary values).
• Use dedicated computers for banking
transactions.
• When surfing, use tools like DropMyRights or
Sandboxie to run the browser with reduced privileges.
• If found on one system in the network:
– Change banking credentials from known-clean
systems at once.
– Eradicate it from the whole network; it copies itself
to other machines, so cleaning one host is not enough.
More information
• Inside the Jaws of Trojan.Clampi, by Nicolas Falliere with Patrick
Fitzgerald and Eric Chien (Symantec whitepaper):
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf