Cyber Side-Effects - Cloud Databases and Modern Malware

Cyber Side-Effects:
Cloud Databases and Modern Malware
Amichai Shulman, CTO, Imperva

1

© 2014 Imperva, Inc. All rights reserved.

Agenda
§  Introduction
§  The story of a malware and a database
§  DAMP – Database as a malware platform J
§  Reflections on malware and DB access
§  Reflections on DBaaS and DB vulnerabilities
§  Summary and conclusion
§  Q&A

2


Amichai Shulman, CTO, Imperva
§  Speaker at Industry Events
•  RSA, Appsec, Info Security UK, Black Hat

§  Lecturer on Information Security
•  Technion - Israel Institute of Technology

§  Former security consultant to banks & financial services
firms
§  Leads the Application Defense Center (ADC)
•  Discovered over 20 commercial application vulnerabilities
§  Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

3


HII Reports
§  Hacker Intelligence Initiative (HII) is focused at
understanding how attackers are operating in practice
•  A different approach from vulnerability research

§  Data set composition
•  ~350 real world applications
•  Anonymous proxies

§  More than 30 months of data
§  Powerful analysis system
•  Combines analytic tools with drill down capabilities

4


Confidential

The Story of a Malware and a Database

5


Malware Sample
§  Obtained sample in June 2013
•  Phishing email

§  Made in Brazil
§  Uses popular hosting service for Drop and C&C
•  C&C stores functional code and bot management information
•  Drop server stores stolen information

§  Uses local SQLOLEDB provider for database
communication

6


Malware Sample – Infection Flow
§  Starts with a phishing email
•  Notice of debt from known bank in Brazil
•  “E-mail verified by windows live anti-spam”
•  Link to alleged pdf file (detailing the debt)

7


§  Starts with a phishing email
•  Notice of debt from known bank in Brazil
•  “E-mail verified by windows live anti-spam”
•  Link to alleged pdf file (detailing the debt)

8


§  Link leads to a screen saver file
§  Practically an executable

9


Follow the Rabbit

10


Follow the Rabbit
§  MIM “attack” between payload and hosted database
•  Capture negotiation packet
•  Switch from encrypted to plain text
•  Connect with plaintext credentials to hosted DB

11


Follow the Rabbit
§  MIM “attack” between payload and hosted database
•  Capture negotiation packet
•  Switch from encrypted to plain text
•  Connect with plaintext credentials to hosted DB

12


Follow the Rabbit
§  After connection is established to DB
•  Malware stub invokes stored procedure “retorna_dados”
(retrieve data)

•  Retrieves 3 binary payloads from table “carrega” (payload)
•  Stub selects one (according to column number)
§  Saves it in %AppData%
§  Names it govision.dll

13


Follow the Rabbit
§  VirusTotal results for original binary: 30/46
•  Categorized as “banker”

§  Other 2 binaries less “notorious” achieving 4/47 and
10/47

14


Follow the Rabbit
§  VirusTotal results for original binary: 30/46
•  Categorized as “banker”

§  Other 2 binaries less “notorious” achieving 4/47 and
10/47

15


Follow the Rabbit
§  2nd stored procedure called “add_avs”
•  Registers new bot agent in the C&C database

16


Follow the Rabbit
§  2nd stored procedure called “add_avs”
•  Registers new bot agent in the C&C database
•  Identifier (C volume), version, Windows OS, browsers (Explorer
and FireFox), date and some more ambiguous info “ins###”

17


Jumping Into the Rabbit Hole

18


§  Connecting to the DB and collaborating with the service
provider revealed:
•  5 C&C databases and 2 Drop servers
•  C&C grouped by different binaries in “carrega”
§  CC1.db1, CC1.db2, CC1.db3
§  CC2.db1, CC2.db2

•  Drop servers
§  Drop1 – compromised mail accounts
•  Correlated machines from CC1&2 with data in Drop1

§  Drop2 – stolen banking activity information
•  From the same bank in initial phishing email

19



20


C&C Servers
§  Similarities
•  Same table structure
•  Same set of stored procedures
•  Some agents found in multiple tables
§  Due to multiple infections / test machines

•  Binaries (divided to 2 groups)

§  Differences
•  Mostly disjointed sets of agents
•  Names
•  Differences in format of stored data
§  Hyphen instead of parenthesis
§  Version number
21


C&C Servers

Same machine in all tables

22


C&C Servers
§  Overall ~350 machines infected between Feb-June 2013

23


C&C Servers
§  95% of infections occurred between June 3 – June 10
•  Earlier infection perhaps QA tests
•  Attacker ran small simultaneous campaigns – wasn't detected by
anti-spam mechanism

24


C&C Servers
§  OS distribution
•  54% use old XP OS
•  65.5% enterprise editions

25


C&C Servers
§  OS distribution
•  54% use old XP OS
•  65.5% enterprise editions

26


Drop Servers
§  DROP 1
•  Compromised email accounts
•  SMTP & POP3 servers
•  Contact lists

§  Extracted from Outlook or Outlook express
§  Some “hand picked” accounts were found to be blocked
due to spam
§  From April 10 - June 10, 2013
§  ~600 infected machines & 767 compromised accounts
§  Thousands of stolen contacts

27


Drop Servers
§  DROP 1
•  Compromised email accounts
•  SMTP & POP3 servers
•  Contact lists

§  Extracted from Outlook or Outlook express
§  Some “hand picked” accounts were found to be blocked
due to spam
§  From April 10 - June 10, 2013
§  ~600 infected machines & 767 compromised accounts
§  Thousands of stolen contacts

28


Drop Servers
§  Drop1 had (only) 7 agents correlated to C&C servers
•  Strengthens the hypothesis that these servers are from the same
family
•  Size of unknown operation much bigger than we had access to
•  Much more C&C servers than Drop servers
§  Infection achieved by multiple small campaigns rather than single large
one
§  Botnet army more resilient to server “takedowns”

29


Drop Servers
§  Drop 1 email accounts gives visibility to geographical
distribution
§  Top: Brazil, USA, Argentina, Spain

30


Drop Servers

31


Drop Servers
§  Drop2 contains stolen banking activity
§  Same banking application that was targeted by the
phishing campaign
§  Each record contains
•  Serial number
•  Machine ID
•  Unstructured data
•  Timestamp

§  No machines were correlated with entries in other
databases
§  Over 400 entries from 12 different machines
32


Drop Servers
§  Attackers targeted corporate accounts
•  Offer greater financial rewards
•  Bank is dedicated to corporate accounts
•  The bank itself was not breached

§  Timeline between May 17 - June 15, 2013

33


Drop Servers
§  Attackers targeted corporate accounts
•  Offer greater financial rewards
•  Bank is dedicated to corporate accounts
•  The bank itself was not breached

§  Timeline between May 17 - June 15, 2013

34


Drop Servers
§  Drop2 entries come from 5 different malware versions:
•  118, 126, 127, 128, 129
•  Only one machine “evolved” from 128 to 129

35


Drop Servers

§  Version entries by date
36


Drop Servers
§  Entries in same timeframe contain the same
“CONTROLE” (session) value
§  Entries are a form of stripped HTML pages sent to the
drop server by the malware
§  All accounts are business accounts of small organizations
in Brazil

37


Drop Servers
in Brazil

38


Drop Servers
in Brazil

39


DBaaS as a Malware Service

40


Database as a Service
§  For legitimate users
•  Easy to setup
•  No maintenance needed

§  For criminals
•  C&C and Drop servers
•  Jeopardize “neighbors”

41


Database as a Malware Service
§  Cheap and safe playground for hackers
•  Easy to setup
•  Anonymous
•  Affordable

§  Hiding in plain sight
•  Hacker activity is masked with normal activity
•  Difficult to pick up the specific DB used by hacker

§  Resilient
•  Certainly impossible to take down the entire DB machine
•  Impossible to “hijack” C&C DNS
•  IP blacklisting is not possible
42


Reflections on Malware & DB Access

43


DB Access by Malware
§  Embedded Code (TrendMICRO report)
§  Packaging DB drivers into modern malware modules
§  Malware access C&C databases
§  Stuxnet manipulating internal database

44


DB Access by Malware
§  Stuxnet

§  Narilam
•  Updates MSSQL accessible by OLEDB & tamper stored data

§  Kulouz

45


Reflections on DB Vulnerabilities

46


DB Vulnerabilities
§  DB vulnerabilities pose small risk to enterprises
§  None of the breaches of past decade involving internal
DB were attributed to vulnerabilities
§  Internal breaches usually carried out by non technical
perpetrators
BUT
§  Hosted databases are exposed to the web
§  “Sitting duck” for criminal hackers

47


Protocol Layer Vulnerabilities
§  DB protocols are a mess
•  Proprietary, ill documented (to say the least)
•  Designed for internal network use

§  In DBaaS they become web protocols used over public
networks
§  CVE-2013-1899 open source PostgreSQL DB
•  Sample exploit: psql --host 10.1.1.1 --dbname=”-rpg_hab.conf” –
user=”aaaaaaa”
•  DoS of the entire server
•  Catastrophic results in shared environment

48


Knock Knock Jokes
§  CVSS 2.0 is the standard for computing risk score of a
vulnerability
§  Authentication requirement accounts for 1 point out of 10
§  In a shared DB hosting environment everyone can
authenticate to the DB
§  CVE-2012-5611 MySQL vulnerability
•  Sample exploit: GRANT select ON
MYSQssssssssssssssssssssssssssssssssssssssssssssssssssss
sssssssssssssssssLqqqqaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.* TO ‘user11’@’%’
•  DoS of the entire server

49


Who Stole My Cheese?

50


Summary & Conclusion

51


Summary
§  Attackers continue to show creativity
•  Using cloud DB offering as an alternative to traditional C&C / Drop
servers
•  Harder detection and takedown

§  Commercial malware is gradually becoming more
“database aware”
•  Attackers have the tools to pry into your database
•  Next step: autonomous malware targeting internal databases

§  Shared DB hosting platforms imply higher risk
•  Exposure to protocol layer vulnerabilities
•  Actual vulnerability score is at least 1 point higher

52


Recommendations
§  It’s all about the data, stupid!
§  While “network” and “end point” hygiene is important,
attackers are ultimately looking for your data
•  In large, modern, enterprise networks – infection is inevitable

§  Enterprise must invest in security layers closer to their
data assets
§  DB service providers (and their customers) must re-asses
risks and invest in virtual patching

53


Webinar Materials
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…
Post-Webinar
Discussions

Webinar
Recording Link

54

Answers to
Attendee
Questions

Join Group


www.imperva.com

55


Cyber Side-Effects - Cloud Databases and Modern Malware

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (20)

Similar to Cyber Side-Effects - Cloud Databases and Modern Malware

Similar to Cyber Side-Effects - Cloud Databases and Modern Malware (20)

More from Imperva

More from Imperva (20)

Recently uploaded

Recently uploaded (20)

Cyber Side-Effects - Cloud Databases and Modern Malware