Transcript clampi-2010
http://www.cyanline.com
Advanced High-tech Security
Clampi
Author of…
Steven Branigan, President
[email protected]
Advanced High-tech Security
http://www.cyanline.com
Who am I?
• Former…
– Bell Labs Researcher, Bellcore Engineer, Cop
• Author of High Tech Crimes Revealed.
– Observed that insiders are more dangerous than
outsiders.
• My company, CyanLine handles
– Wireless security products.
– Network auditing and consulting.
– Devising new tools for technical investigations.
Copyright (c) 2009, CyanLine LLC. All rights reserved.
2
•
•
•
•
•
•
•
http://www.cyanline.com
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
GSM(Global Systems for Mobile Communication) A digital cellular or PCS standard for how data is coded and transferred through the wireless
spectrum. It is the 2G wireless standard throughout the world - except in the United States. GSM is an alternative to CDMA.
GHz(Gigahertz) One billion radio waves, or cycles, per second. Equal to 1,000 megahertz.
GPS(Global Positioning System) A satellite-based navigation system made up of a network of 24 satellites placed into orbit by the U.S.
Department of Defense.
Hot Spots Wireless access points that are found in public places such as airports, conventions centers, hotels and coffee shops
Hz(Hertz) A unit of measurement of one cycle per second, or one radio wave passing one point in one second of time.
ISP(Internet Service Provider) Company which resells internet access
LAN(Local Area Network) A system that links together electronic office equipment, such as computers and word processors, and forms a
network within an office or building.
MMS(Multimedia Messaging Service) A method for transmitting graphics, video clips, sound files and short text messages over wireless
networks using the WAP protocol.
MHz(Megahertz) One million radio waves, or cycles, per second. Equal to one thousand Kilohertz.
MAC(Media-Access Control) A hard-coded or permanent address applied to hardware at the factory.
NAT(Network Address Translation) A security technique—generally applied by a router—that makes many different IP addresses on an internal
network appear to the Internet as a single address
Ping(Packet Information Groper) A protocol that sends a message to another computer and waits for acknowledgment, often used to check if
another computer on a network is reachable.
Point-to-Point Method of transporting IP packets over a serial link between the user and the ISP.
Point-to-Multipoint A communications network that provides a path from one location to multiple locations (from one to many).
RFID(Radio Frequency Identification) An analog-to-digital conversion technology that uses radio frequency waves to transfer data between a
moveable item and a reader to identify, track or locate that item.
SID(System Identification) A five digit number that indicates which service area the phone is in. Most carriers have one SID assigned to their
service area.
SSID(Service Set Identifier) A unique 32-character password that is assigned to every WLAN device and detected when one device sends data
packets to another.
TDMA(Time Division Multiple Access) A wireless technology that allows for digital transmission of radio signals between a mobile device and a
fixed radio base station. It allows for increased bandwidth over digital cellular networks.
TCP/IP(Transmission Control Protocol / Internet Protocol) Internet protocol suite developed by the US Department of Defense in the 1970s.
TCP governs the exchange of sequential data. IP routes outgoing and recognizes incoming messages.
VoIP(Voice over Internet Protocol) Any technology providing voice telephony services over IP, including CODECs, streaming protocols and
session control.
VHG(Very High Frequency) Referring to radio channels in the 30 to 300 MHz band
WAP(Wireless Application Protocol) A technology for wideband digital radio communications in Internet, multimedia, video and other capacitydemanding applications. It provides a data rate of 2Mbps
WEP(Wired Equivalent Privacy) A feature used to encrypt and decrypt data signals transmitted between WLAN devices
Wi-Fi Short for wireless fidelity -- used generically when referring of any type of 802.11 network, including 802.11b, 802.11a, 802.11g
WAN(Wide Area Network) A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a
larger geographic area than can be covered by a LAN
WISP(Wireless Internet Service Provider) See ISP
Zulu Time Synonymous with Greenwich Meridian Time, a time designation used in satellite systems
Advanced High-tech Security
The glossary for today
Copyright (c) 2008, CyanLine LLC. All rights reserved.
3
Advanced High-tech Security
http://www.cyanline.com
The start
• Bank called CFO to advise that $80K
was about to transferred via ACH to 9
clients.
– Average transfer of just under $10k/person
– Were created through the CFO’s ids.
– Were approved by a second id.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
4
Advanced High-tech Security
http://www.cyanline.com
Indicators of potential fraud
• #1 – The IP address was not the usual IP
address for the transactions.
– However, it was geographically similar
– The IP address came back to a home system.
• #2 – The ACH transfers were intended for
individuals.
– All near, but not exceeding, the $10K SAR
threshold
Copyright (c) 2010, CyanLine LLC. All rights reserved.
5
Advanced High-tech Security
http://www.cyanline.com
What happened?
• Were the IDs stolen or was this an
inside job?
• Investigation started by imaging the
CFO and the assistant’s systems.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
6
Advanced High-tech Security
http://www.cyanline.com
First Analysis showed
• Nothing suspicious in the IE history on
either.
• Both systems had current AV software.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
7
Advanced High-tech Security
http://www.cyanline.com
Follow-up analysis
• Examined the Windows startup
Copyright (c) 2010, CyanLine LLC. All rights reserved.
8
Advanced High-tech Security
http://www.cyanline.com
Suspicious
• Startup files in the Application Data
directory?
– Not normal
• Ran this program through a different
virus scanner, which reported “clampi”.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
9
Advanced High-tech Security
http://www.cyanline.com
The gateslist
Copyright (c) 2010, CyanLine LLC. All rights reserved.
10
Advanced High-tech Security
http://www.cyanline.com
The gatelisted (explained)
• The Gateslist is a hex encoded list of
URLs of the malware controller.
• Sample URLs:
– 61.153.3.48/OcOLWIskOXxqvMHA
– 64.18.143.52/MldLsmdK1Lsdn5Ka
– 66.128.55.82/3kbLJ2Aghp5Tw4Vk
– 66.199.237.139/IvhNAd2Vellpa8eQ
Copyright (c) 2010, CyanLine LLC. All rights reserved.
11
Advanced High-tech Security
http://www.cyanline.com
Using URLs?
• Using URLs make clampi
communications difficult to detect.
• The IP addresses are of compromised
home systems.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
12
Advanced High-tech Security
http://www.cyanline.com
Modules
• The registry keys are, with limited
exception, malware programs.
– This confuses virus scanners, as the file
being read is the registry, not a virus file.
• Most of the programs are encrypted.
– Except PSEXEC, a program that copies
the malware from one system to another.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
13
Advanced High-tech Security
http://www.cyanline.com
Summary
• Intercepts banking credentials.
• Communicated out via port 80.
• The software is not completely stored
on disk as a file.
• The software has encrypted
components have slowed analysis.
• The software has the ability to copy
itself to other computers in the network.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
14
Advanced High-tech Security
http://www.cyanline.com
Recommendation
• Manual inspection of registry entries.
• Use dedicated computers for banking
transactions.
• When surfing, use tools like DropMyRights or
Sandboxie
• If found on one system in the network:
– Change passwords on banking credentials from
safe systems at once.
– Eradicate from network.
Copyright (c) 2010, CyanLine LLC. All rights reserved.
15
Advanced High-tech Security
http://www.cyanline.com
More information
• Inside the jaws of clampi by Nicolas
Falliere with Patrick Fitzgerald and Eric
Chien
(http://www.symantec.com/content/en/us/enterprise/media/security_re
sponse/whitepapers/inside_trojan_clampi.pdf)
Copyright (c) 2010, CyanLine LLC. All rights reserved.
16