This document discusses targeted cyber attacks in 2011 and beyond. It describes how attackers have invested in developing tools and techniques to infiltrate systems using exploits, malware, and social engineering. Specific examples from 2011 are provided, including exploits of Adobe Flash and Reader. The document also discusses how attacks may evolve in a post-Windows environment as mobile devices and tablets become more prominent targets. It suggests attackers may increasingly focus on platforms like Android and iOS, and looks at early research into exploiting HTML5 features.

1. 2011 Wintel Targeted Attacks and a Post-
Windows Environment APT Toolset
Extending the APT infiltration into new technologies
SAS 2012
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com

2. The Infiltration
2011 and Prior
Targeted attacks and subsets
“The APT” v “APT” v “APTs”? „It‟s a “who”, not a “how”‟
General targeted attack activity, the APT and targets
2011 attack details and IoC
Post windows world?
Attacks 2012 and beyond

3. The APT Infiltration
2011 and Prior
Timelines!
Corporate organizations are now defending themselves against nation
states?
Note – chart leaves out NGO‟s like Tibet‟s Government in Exile, the Falun
Gong, various political and non-profit orgs, etc
"State of the Hack: It‟s the End of the Year as We Know It 2011", Mandiant,
http://www.mandiant.com/presentations/state_of_the_hack_its_the_end_of_the_year_as_we_know_it_-_2011/

4. The Infiltration
2011 – Persistent? Relentless

5. The Infiltration
2011 Offensive Security R&D Investment
Indications of Attack Investment
Flash – simple fuzzing, one bit adjustment (fairly low)
Mitsubishi Heavy Industries – low
RSA – medium (0day along with Poison Ivy?)
Lockheed Martin – medium (another 0day + RAT?)
Google – fairly low (IEPeers 0day)
Tibetans, Uyghurs – low
Undisclosed law firms – low
Beltway think tanks – low
Massive Fortune 50 Energy Firms – low
Various overseas political groups – low
Human rights groups – low
Setting up, rotating, maintaining thousands of C2 – fair effort
Email automation – low
Translators/social engineers and schemers – fair effort

6. Targeted Attacks and Infiltration
Email as a Vector of Attack – Schemes, Automation
• Phishing with better bait – themes of relevant geographical, timely
conference discussions, familiar interests, urgenct geopolitical
interests, shared financial interests
• Automated schemes and changing work hours to fit targets

7. Targeted Attacks - “Steal Everything”
Exploitation – Examining the attackers’ work
2011 Exploitation – Adobe Flash, Adobe Reader, Mozilla Firefox, Microsoft
Office documents and Windows system components
Let‟s discuss one of their favorites from this past year (CVE-2011-0611)
Malicious pdf
???
PdfStreamDumper
http://sandsprite.com/blogs/index.php?uid=7&pid=57
Flash Player Debugger (Flash Player Projector content debugger)
http://www.adobe.com/support/flashplayer/downloads.html
Fdb.exe Flex SDK
http://opensource.adobe.com/wiki/display/flexsdk/Downloads
SWFTools with SWFDump, although a Flash Decompiler might help
Olly and patience – there is no crash
Xvi32 or another hexeditor, .AS structures will be obfuscated and mangled
Note – Adobe code can be a lot like Microsoft code - unexpected structures
result in unexpected runtime behaviors

8. Targeted Attacks - “Steal Everything”
Exploitation – Examining the attackers’ work
Laying out the 2 Actionscripts with static and dynamic analysis
replaceString on obfuscated code strings
call hexToBin on the concatenated strings
8.swf/Mainline.as calls loadBytes on the *de-obfuscated* “ddd.swf” and loads it
to run, it is this badly mangled file that triggers the exploit for CVE-2011-0611
ddd.swf attacks authplay.dll with its own actionscript custom function called on
a confused object type
Object type confusion is the name of the game, failure in authplay flow
verification
Heap spray and a chunked multi-stage shellcode deobfuscation stub, kernel32
decomposed api call hash resolution and use (_lcreat, _lwrite, _lread, _lseek)
provides ROP with over 50 links, drops dll from pdf content to %temp%,
LoadLibrary(AdobeARM.dll) writes out rudll.dll, registers it as 6to4 Servicedll,
loads into svchost.exe
http://www.fortiguard.com/sites/default/files/CanSecWest2011_Flash_ActionScript.pdf

9. Targeted Attacks - “Steal Everything”
Post Exploitation - Data Collection, Lateral Movement, Exfiltration
365day and folks that don‟t update  “anyone who has an interest in security
has already updated” Really?
Effective but stale exploitation vs
0day and “original research” or the “author”
RATs, backdoors, spyware
Data thievery
Communications - encrypted?
Comments Crew – Shady?
Low investment - Pass-the-Hash utils, WCE
New Active Directory vulnerability
Archivers (rar), 7z, available source
POSTs, FTP, outbound obfuscated communications

10. Targeted Attacks - “Steal Everything”
Post Exploitation – Why “these” tools?
2011 Backdoors – Poison Ivy, Agent, Agent, Agent2…
Why Poison Ivy? Where is it from?
ChaseNET хакер “forums” founded by previous Evil Eye Software Th3ChaS3r
Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot
Roast II because of mistaken C2 config file update)…
ShapeLeSS joined ChaseNET as 18 year old Swedish kid in late October
2005, coded Poison Ivy
Codius assumes the project years later, continues to distribute it for free
SDK allows for new plugins and development, max size 7kb
Connections? No. Continued development today? No.
Stable, available, and FREE builder? Yes. Free SDK? Yes. Free crypters? Yes.
Quantifiable tool? Reliable? Yes. Low investment? Yes.

11. Targeted Attacks – Identifying Details
Indicators of Compromise
Indicators of Compromise – indicators? artifacts?
OpenIOC open source project
IoC Editor
IoC Finder
Isn‟t that what AV provides?
Only it is based on XML format without
the performance considerations?
http://openioc.org/

12. Targeted Attacks – Identifying Details
OpenIOC?
IoC examples
~
Stuxnet

13. A Post Windows Environment Toolset
Tablets are everywhere

14. Targeted Attacks in a Post-Windows World
Abused Platforms
Android and iOS dominate the market
Smartphones and tablets
Blackberry(?)
Windows Phone(?)
Starting with the .mil space…
2011 – DISA STIG Android v2.2 Dell Mobile
Good Technology “Secure Browser” includes encryption capabilities with a
fallback to Safari
Webkit Dell Native Browser
Attacks start with .gov/.mil? Sign of the times…

15. Targeted Attacks in a Post-Windows World
Originating research
Offensive security and “original research”?
Increased investment…
HTML5 features and native support in browsers
Increased attack surface
Cache poisoning, clickjacking, data leakage
Attacking remote client-side BoF?
http://www.slideshare.net/seguridadapple/attacking-the-webkit-heap-or-how-to-
write-safari-exploits
Flash for mobile replaced with HTML5 and AIR

16. Thank You
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com