
[Network Security Officer] An attack technique you need to understand: highly hidden, highly persistent threats

2022-06-22 09:04:00 InfoQ

I. Introduction

This article discusses Windows Rootkits from four angles: their lifetime, the results they can achieve, the feasibility of using this technique in attacks, and the current state of Windows Rootkit activity. Combined with historical attacks, it analyzes the target groups that APT organizations mastering this technique care about and the impact they can have, and finally summarizes the position of Rootkits in attack activities of different levels.

II. The "low-profile" Windows Rootkit

When you hear the word Rootkit, what is your first reaction: high difficulty, high concealment? Yes. In recent years, as Windows security mechanisms have kept improving, the technical threshold for implanting a Rootkit into a Windows system has also risen. But even though Rootkits make up a very small proportion of the malware detected by security products, that does not mean the threat they bring can be ignored. On the contrary, the high threshold of Rootkits means they are used more in higher-quality attack activities; from this point of view, every Rootkit that appears in a customer environment may have a long-term attack behind it.
For the attacker, high investment also means high return. Developing a Rootkit is not easy, but finding one is not simple either. The lifetime of an ordinary malicious sample may end as soon as it is put into use, while a Rootkit can survive for several years, or even longer.
Starting with Vista, Windows performs signature verification on loaded drivers, which raises the attacker's implantation cost, and PatchGuard further raises the cost of tampering with the system kernel. Because of this, talk about Windows Rootkits seems to have become much quieter, and our attention to them has also declined. But can the threat they bring really be ignored? Or should it rather be understood as "low voice, high threat"?
As the figure below shows, however quiet the discussion of Windows Rootkits has become, they never disappeared.

[figure]

III. Windows Rootkits in terms of survival time

Let's simplify the stages of an APT attack. In the initial foothold stage, an attacker may use vulnerability exploitation or phishing; without doubt, phishing attacks have also become popular in recent years.
Take document phishing as an example. A phishing email received might look like this:

[figure]
Of course, we may also receive a PE file disguised as a document:

[figure]
Or it may look like this:

[figure]

[figure]
Although the forms are quite diverse, a careful reader will have noticed that they all have more or less recognizable features. After being burned by phishing repeatedly, some people even upload every email directly to VT (which is not good practice, after all, since mistakenly uploading sensitive documents is a serious matter in itself). These characteristics make attack activities very easy to expose.
Now assume the attack has reached the persistence stage; we would also check for situations like the following:

[figure]

[figure]
Of course, this seems a little too direct. An attacker may use more sophisticated techniques, such as DLL hijacking, which on the one hand avoids obvious persistence traces and on the other hand achieves a certain degree of detection evasion. But we can still observe it:

[figure]
As you can see, finding an anomaly is not too difficult, because the attacker leaves some trace, more or less, at every link. Whichever link we catch the threat at, we can trace forward and backward and restore the attack chain. But because real environments are complex enough, and not all personnel have security knowledge and security awareness, attacks can usually succeed, and even go undiscovered for a long time. At least, though, once you perceive that there may be a threat, it is relatively easy to find.
So such a threat can still be called a threat "placed in the open": you only need to look for it more patiently and carefully. As the construction of security systems gradually matures and the security awareness of all staff keeps improving, the lifetime of such attacks will also be shortened.
Now let's return to Windows Rootkits. Historically, the APT organization Strider used a malware called Remsec to carry out long-term monitoring, for five years, of systems in multiple countries, including government agencies.

[figure]
In fact, a word is missing here: "at least". This Rootkit helped the attacker carry out attack activities for at least five years, during which government agencies, scientific research centers, military organizations, telecommunications providers and financial institutions in many countries, including Russia, Iran, Rwanda, China, Sweden and Belgium, were infected. And this Rootkit is very functional, with password theft, keylogging, backdoor control and other capabilities. Imagine such a malware monitoring the above targets for at least five years; is that enough to alarm people?
When Remsec was discovered, the researchers' evaluation of it was "a malware that is almost impossible to detect", and this matches everyone's long-standing understanding of Rootkits. This is worth deep thought: have Windows Rootkits slowly disappeared, or is the detection rate so low, and the survival time so long, because our detection ability is insufficient?

In fact, for the attacker there are many initial foothold techniques; they do not have to choose techniques that leave obvious marks, like phishing. For those who use unknown techniques, or even 0day attacks, it is unlikely that we can capture them at the initial foothold stage. In this case, capturing the attacker through the traces left in stages such as backdoor placement and persistence, and backtracking from there to restore the attack chain, would be a good choice. A Rootkit, however, hides all these traces and increases the difficulty of our hunting. The figure below shows the number of 0days in recent years.

[figure]

IV. Windows Rootkits in terms of achievable results

So what kind of effect can a Rootkit achieve? Take a Rootkit with a graphical interface as an example: it hides calc.exe from the task manager.

[figure]
In other words, a Rootkit can hide the attack traces the attacker doesn't want you to find. For example, during process anomaly troubleshooting, we focus on processes with abnormal communication or suspicious module loading.
Take white-plus-black technique as an example (a legitimate, signed "white" program loading a malicious "black" DLL). Although this technique achieves good results in detection evasion, if a process shows both abnormal communication and a suspicious module (an unsigned dll), we can still easily locate the outlier.
And with some simple tricks, the maliciously used black dll in a white-plus-black pair can be hidden to a certain extent:

[figure]
The hiding effect a Rootkit can achieve is much better than the situation above. When a Rootkit completely hides these outliers from the analysis tools, can you still quickly determine that there is a problem with the process? Of course, only the abnormal module is filtered out here, which is just a small part of what a Rootkit can do. Beyond that, services, ports and traffic can also be manipulated through a Rootkit, so whatever you want to see, the attacker can show you. The threat "placed in the open" becomes a threat "hidden in the dark", and it becomes extremely difficult to find anomalies on the host.
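One defender-side response to process hiding is a cross-view check: enumerate processes through several independent paths and report any PID the views disagree on. The PowerShell below is an added example, not code from the original article; Get-ProcessCrossView is a hypothetical helper name, and the three views it compares are Get-Process, the Win32_Process CIM class, and the owning PIDs of live TCP endpoints.

```powershell
# Added example (not from the original article): cross-view check for hidden
# processes. Three independent views of "which PIDs exist" are compared and any
# PID missing from a view that should show it is reported. Run in an elevated shell.

function Get-ProcessCrossView {
    # View 1: the same enumeration path Task Manager uses
    $viaApi = @{}
    Get-Process | ForEach-Object { $viaApi[[int]$_.Id] = $_.ProcessName }

    # View 2: the CIM/WMI provider, an independent enumeration path
    $viaCim = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $viaCim[[int]$_.ProcessId] = $_.Name }

    # View 3: owners of live TCP endpoints. A PID that owns a socket but is
    # absent from the process list is a classic hidden-process symptom.
    $viaNet = @{}
    Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
        $viaNet[[int]$_.OwningProcess] = "$($_.LocalAddress):$($_.LocalPort) ($($_.State))"
    }

    $allPids = (@($viaApi.Keys) + @($viaCim.Keys) + @($viaNet.Keys)) | Sort-Object -Unique
    foreach ($p in $allPids) {
        if ($p -eq 0) { continue }                 # PID 0 (System Idle) is not a real process object
        $inApi = $viaApi.ContainsKey($p)
        $inCim = $viaCim.ContainsKey($p)
        $inNet = $viaNet.ContainsKey($p)
        if ($inApi -and $inCim) { continue }       # all views agree; nothing to report

        $name = if ($inApi) { $viaApi[$p] } elseif ($inCim) { $viaCim[$p] } else { '<not enumerated>' }
        [pscustomobject]@{
            Pid      = $p
            Name     = $name
            InApi    = $inApi
            InCim    = $inCim
            Endpoint = if ($inNet) { $viaNet[$p] } else { '' }
        }
    }
}

Get-ProcessCrossView | Format-Table -AutoSize
```

Processes that exit between the three snapshots produce transient mismatches, so confirm a hit by running the check again. A kernel Rootkit that filters the shared enumeration primitive will fool all three views, which is why a comparison against an out-of-band view (network sensor, hypervisor, offline disk image) is still needed.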

V. Windows Rootkits in terms of feasibility

As mentioned above, Windows introduced two security mechanisms to counter Rootkits: signature verification and PatchGuard. We discuss these two points separately.
1. Signature verification
On this part, foreign security researcher Bill Demirkapi gave the answer in his Black Hat 2021 talk "Demystifying Modern Windows Rootkits". The corresponding approaches are purchasing a certificate directly, abusing a leaked certificate, and looking for a "0day" driver.
1.1 Purchasing a certificate
There is not much to say about this approach. The only things an attacker needs to consider are whether the purchase channel is reliable enough and whether there is a risk of identity exposure.
1.2 Abusing a leaked certificate
In terms of feasibility, Windows does not care whether the certificate has expired or been revoked; with a leaked certificate, an attacker can generate driver signatures that are valid on all Windows versions.

[figure]
Since there is no need to buy a certificate, this reduces cost while also avoiding the risk of identity exposure through an unreliable purchase channel. Besides, there are few preconditions for implantation in this way, and compared with mining a "0day" driver the technical difficulty is much lower. Of course, once information about the leaked certificate becomes known, security vendors can target Rootkits of this kind for detection and blocking.

[figure]
The figure below shows some historical leaked certificates that have been collected; from it we can see that leaks are not uncommon.

[figure]
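Because kernel-mode loading does not consult certificate expiry or revocation, a user-mode chain check with online revocation is a cheap hunting pass over the drivers actually running on a host. The PowerShell below is an added example, not code from the original article or the talk it cites; Test-DriverSignatures is a hypothetical helper name, and it relies on Get-AuthenticodeSignature plus a .NET X509Chain built with RevocationMode set to Online.

```powershell
# Added example (not from the original article): flag running kernel drivers whose
# signing certificate is expired (without a timestamp) or fails an online
# revocation check. Run in an elevated shell.

function Test-DriverSignatures {
    $now = Get-Date
    foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
        # PathName arrives as \??\C:\..., \SystemRoot\..., or a relative system32\... path
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $path
        $cert    = $sig.SignerCertificate
        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "status=$($sig.Status)" }
        if ($cert) {
            # Expiry is acceptable only when a timestamp proves signing happened while the cert was valid
            if ($cert.NotAfter -lt $now -and -not $sig.TimeStamperCertificate) { $reasons += 'expired without timestamp' }
            # Build the chain with online revocation checking; expiry was already handled above
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode    = 'Online'
            $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
            if (-not $chain.Build($cert)) {
                $reasons += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            }
        }
        if ($reasons.Count -gt 0) {
            $signer = if ($cert) { $cert.Subject } else { '<none>' }
            [pscustomobject]@{ Driver = $drv.Name; Path = $path; Signer = $signer; Reasons = ($reasons -join '; ') }
        }
    }
}

Test-DriverSignatures | Format-Table -AutoSize
```

Catalog-signed Microsoft drivers resolve through the system catalogs and should not appear; hosts without Internet access will report RevocationStatusUnknown for everything, so treat that status as "unverified" rather than "revoked".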
1.3 "0day" driver exploitation
In terms of feasibility, exploitable "0day" drivers certainly exist, and historically a well-known APT organization used a driver with a legitimate signature to load a malicious driver: the Russian APT group Turla, whose legitimate driver of choice was VirtualBox's. The following describes the exploitation process.

[figure]
2. PatchGuard
The Internet contains many open-source projects covering win7 and win10; an attacker can integrate these projects to bypass PatchGuard, implant malicious code into the kernel, and realize Rootkit functions.

[figure]

VI. Windows Rootkits in terms of the current situation

When we try hunting on VT, we find that the use of invalid certificates is very common.

[figure]
In fact, even encountering a Rootkit with a legitimate signature is nothing new.

[figure]
Looking back at 2021, Windows Rootkit attacks were concentrated in the game industry (I think this is one reason they were exposed relatively quickly: as the volume of distribution increased, they also received more attention). But when Rootkits turn their guns toward higher-value targets, when their purpose is no longer simply profit, when they make less noise and their hiding is more targeted, are we ready to deal with them? After all, from a technical point of view, what reason does an APT organization have to refuse Rootkits?
It is worth noting that when an APT organization picks up the Rootkit as a weapon, its guns will be aimed at important organizations including the government and the military. Its purpose will no longer be simply profit but long-term monitoring of the target and theft of important information. This is not hard to see in historical APT attacks that used Rootkits.

VII. Summary

Although attacks based on a combination of social engineering and phishing can take a target at lower cost, the obvious marks they leave behind sharply reduce their lifetime, and they are easily exposed at the initial foothold stage. After gaining a foothold through other, unknown channels, an attacker may complete malicious activities with the help of legitimate processes and mechanisms (such as Lazarus's use of Get-MpPreference), or use white-plus-black methods (such as dll hijacking or LOLBINS) for backdoor placement and persistence. Although these work well for detection evasion, they cannot hide the attack traces well.
Rootkits correspond more to the backdoor placement and persistence stages. Attackers who master this technique also have a higher technical level, and they may prefer advanced initial foothold techniques to reduce the possibility of being captured at each link. Of course, the higher the value, the more investment it attracts, and the harder it is for us to deal with it calmly. As a matter of fact, whether an APT organization is using this technique to carry out attack activities right now is unknown.
Original site
Copyright notice: this article was created by InfoQ; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202220522201701.html