
Advanced Persistent Threats

Brace yourselves! Winter is coming


Hossein Ghannad
Mohammad Rasoul Safarkhani
Mehran Fallah
What is it?
Continuous and chained
Creative uses and inventions
Not like ordinary malware
Targeted
Stealthy
Targets
Wait!
To name a few
A Simple Sample!
The PiuPiu oversharing site allows users to create PiuPiu accounts
and post 140-character messages. The federal government wants
PiuPiu to surveil user activity on the site, by archiving any posts that
match certain patterns outlined in a national security letter. Subject
to the nondisclosure constraints of the letter, PiuPiu may not inform
anyone of the surveillance request.
Data Structure
Goal
Write code to scan incoming Pius before they are posted, to see if
they match any patterns requested in a national security letter.
The current system has a function int preprocess(piu *entry) that
determines whether a Piu is suitable for display, or alters it if
necessary; before it returns, it calls a function the programmer
will write, void surveil(piu *entry).
Goal (cont'd)
A surveillance request is an array of N user-Piu patterns.
If the input Piu matches one of these patterns, archive (fwrite) the
Piu to the FILE handle.
The Good (Or Evil?) Part
Write surveil() so that the act of surveillance is subtly leaked to
the user or to the outside world, such that an informed outsider can
tell if someone is being archived.
Codes
Uses *m += 1 in place of m += 1 or *m++.
Assigns p->piu_length if the user record matched a surveillance request.
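As an added example (not code from the deck or from the contest entry it describes), here is a straightforward surveil() for the task above, the version a reviewer would expect to see before looking for anything hidden. The piu record, the pattern format and the request contents are all constructed here, since the deck's data-structure slide does not survive; the names matches_request, surveil_to and increment_forms are this example's own. The last function isolates the *m += 1 versus *m++ distinction the Codes slide refers to, which is exactly the kind of precedence detail worth checking during review when behaviour does not match what the code appears to say.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Piu record (the deck's "Data Structure" slide
 * did not survive extraction, so these fields are assumptions). */
typedef struct {
    char user[32];
    char text[141];      /* 140-character message plus terminator */
    int  piu_length;     /* length of text, maintained by the caller */
} piu;

/* One user-Piu pattern of a surveillance request (assumed form):
 * an empty string means "match anything" for that field. */
typedef struct {
    const char *user;
    const char *substr;
} pattern;

/* Constructed request of N patterns standing in for a national security letter. */
static const pattern request[] = {
    { "mallory", "" },
    { "",        "blueprint" },
};
#define N_PATTERNS (sizeof request / sizeof request[0])   /* the deck's N */

/* 1 if entry matches at least one pattern, else 0. */
int matches_request(const piu *entry)
{
    for (size_t i = 0; i < N_PATTERNS; i++) {
        int user_ok = request[i].user[0] == '\0'
                   || strcmp(entry->user, request[i].user) == 0;
        int text_ok = request[i].substr[0] == '\0'
                   || strstr(entry->text, request[i].substr) != NULL;
        if (user_ok && text_ok)
            return 1;
    }
    return 0;
}

/* Archive a matching Piu with fwrite. Nothing the caller or the user can see
 * depends on whether a match occurred: the record is never modified, and the
 * return value exists only so a test can check what happened.
 * Returns 1 if archived, 0 if not, -1 on a write error. */
int surveil_to(const piu *entry, FILE *archive)
{
    if (!matches_request(entry))
        return 0;
    return fwrite(entry, sizeof *entry, 1, archive) == 1 ? 1 : -1;
}

/* The void surveil(piu *) hook named in the deck, bound to a file-scope handle. */
static FILE *archive_file;
void surveil(piu *entry)
{
    if (archive_file)
        (void)surveil_to(entry, archive_file);
}

/* The precedence point behind the deck's "*m += 1 vs *m++" note: the first two
 * forms increment the integer m points at, the third advances the pointer and
 * leaves the integer alone. out[0] and out[1] receive the counter's value after
 * each of the first two forms, out[2] how far the pointer moved after the third. */
void increment_forms(int out[3])
{
    int a[2] = { 0, 0 };
    int *m = a;
    *m += 1;          out[0] = a[0];     /* pointee: a[0] == 1 */
    m = a; (*m)++;    out[1] = a[0];     /* pointee: a[0] == 2 */
    m = a; (void)*m++;                   /* pointer: m now at a[1], a[0] still 2 */
    out[2] = (int)(m - a);               /* 1 */
}

int main(void)
{
    piu p = { "mallory", "lunch at noon", 13 };   /* constructed sample */
    FILE *f = tmpfile();
    if (!f)
        return 1;
    printf("archived: %d\n", surveil_to(&p, f));
    fclose(f);
    return 0;
}
```

Because the deck's `*m += 1` note is about what a line does versus what it looks like it does, the useful review habit is to ask of every increment through a pointer which object actually changes; increment_forms() makes the three answers concrete.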
The Winner!
APT Lifecycle
Case Studies
The Infamous Stuxnet
Flame
Regin
Duqu
Sony Attack
Facts: Stuxnet
Activity start: 2009, discovered: 2012.
Can inject code into PLCs.
Spreads via USB and 4 different 0-day exploits.
Updated itself across the LAN.
Manages to remain hidden by mutating itself.
58.85% rate of critical infrastructure infection.
Used a hardcoded
Manipulated sensor reports.
Facts: Flame
Very large: over 20 MB in size, 23 modules.
So many variants.
Records audio, logs keystrokes, takes screenshots, attacks Bluetooth devices.
80 C&C servers across Asia.
1,000-5,000 infected machines.
Facts: Regin
Many spread vectors: USB devices, browser exploits, etc.
Multiple targets: ISPs, telecoms, energy, research, airlines, hospitality, etc.
Five stages of attack.
Self-mutating, customizable modules.
Distributed.
Facts: Duqu
12 completely different variants.
Sophisticated track-covering mechanisms.
Exploited a font (Dexter Regular).
Stayed silent until you walked away! (That's my boy ;) )
Used disposable C&C.
P2P architecture. (That's innovative!)
Facts: Sony
Malware unknown; possibly deleted itself.
Wiped all the data after doing its job.
Heavily manipulated monitoring systems.
Not convinced?
Here's more
Thanks for attending.

Q&A
