Welcome to duststar theory
- random, casual, stray thoughts -
"Only a life lived for others is a life worth while." - Albert Einstein
Attack on Google Part 2: An insider coordinated attack?
Author: duststar
Continuing from this post.
Google suspects it was an insider leak that provided the attackers with their targets.
Read more here: http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack
And we had more revelations on the trojan that was used in the recent attack.
The trojan was named Hydraq by the anti-virus vendors.
Symantec has released a summary and a technical write-up on it:
http://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
ThreatExpert has analysed the binaries; its technical report is provided in 2 parts:
http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html
Some interesting observations:
Part 1 (http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html)
1. It runs as a service hosted by svchost.exe. This method generally “hides” the trojan, because no separate trojan process shows up in the task list.
Firstly, the trojan registers itself as a system service RaS[4 random characters] by creating registry entries under the newly created key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
The “ImagePath” value of its service registry key is set to start svchost.exe, as shown below:
“ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs
2. It copies itself into %TEMP%. This is a common place for malware to reside, because almost every other application also uses this environment variable for file processing.
For instance, the trojan can create a copy of itself under a random filename in the %TEMP% directory, or it may create a copy of itself under the name %TEMP%\c_1758.nls.
Part 2 (http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html)
1. Hinders reverse-engineering efforts by increasing code complexity: more complexity means more time required to trace the program's execution flow.
It is also worth noting that the trojan’s code is very fragmented – it is deliberately split into small chunks with the size of a few instructions each, connected with the calls and jumps into a large maze: the code of Trojan.Hydraq contains 1,748 jumps and 922 calls – tracing it requires quite a bit of patience.
2. Uses encryption to protect the C&C connection details, to defeat static-analysis string searches.
The trojan carries its C&C connection details (server, name, port, retry delay, etc.) inside the internal resource (name is 100, type is 243). The resource is 344 bytes in size, and it is encrypted.
3. Uses an alternative DNS server to resolve the C&C server IP address, to defeat DNS “sink-hole” defences.
It starts doing so by trying to resolve its host name first. If this attempt fails, the trojan makes a DNS query by crafting a TCP packet on port 53 of an alternative (legitimate) DNS server, also specified in its resource, in order to resolve the same host name. For example, the analysed sample has alternative DNS server 168.95.1.1 – this is dns.hinet.net server located in Taiwan.
4. Evades network detection by encoding its network packet through inverting its bytes.
If the connection to remote host on port 443 succeeds, the malware prepares a packet to send – it is 20 bytes in size:
00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00
The packet is encoded by inverting its bytes:
FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF
5. Evades network detection by XOR-encrypting the response packet from the server: a network transport protection mechanism.
As soon as the packet is submitted to the live C&C server, it receives the response packet that is also 20 bytes in size. It is encrypted with the XOR 0xCC.
6. Self-updates to survive.
It may be assumed that upon successful connection to the remote C&C server (sl1.homelinux.org), the trojan was designed to be able to update itself. A new copy may have a different C&C server specified in its resource (e.g. yahooo.8866.org, 360.homeunix.com or as in the last seen sample – blog1.servebeer.com) in order to survive the shutdown of the old servers.
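Observations 4 and 5 (the inverted 20-byte beacon and the XOR 0xCC reply) are enough to write a small network-side check. The following is an added example of mine, not code from the post or from ThreatExpert; it copies the byte values quoted above, assumes every beacon shares that exact layout, and adds a "non-TLS traffic on port 443" heuristic that the write-up does not mention.

```python
# Byte values copied from the ThreatExpert write-up quoted in the post.
BEACON_PLAIN = bytes.fromhex("00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00")
BEACON_WIRE = bytes.fromhex("FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF")
REPLY_XOR_KEY = 0xCC

def invert_bytes(data: bytes) -> bytes:
    # "Inverting" is a bitwise NOT of each byte (0x01 -> 0xFE, 0x77 -> 0x88);
    # applying it twice restores the input, so it both encodes and decodes.
    return bytes((~b) & 0xFF for b in data)

def xor_bytes(data: bytes, key: int = REPLY_XOR_KEY) -> bytes:
    # Single-byte XOR used on the 20-byte server reply; also self-inverse.
    return bytes(b ^ key for b in data)

def is_hydraq_beacon(payload: bytes) -> bool:
    # Assumption (not stated in the write-up): every beacon uses this exact layout.
    return len(payload) >= 20 and invert_bytes(payload[:20]) == BEACON_PLAIN

def looks_like_tls(payload: bytes) -> bool:
    # A TLS handshake record starts 0x16 0x03 0x0X; the Hydraq beacon on 443 does not.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def scan_flows(flows):
    # flows: list of (dst_port, first client payload bytes).
    # Returns (flow index, reason) for every flow that deserves an alert.
    alerts = []
    for i, (port, first) in enumerate(flows):
        if port != 443:
            continue
        if is_hydraq_beacon(first):
            alerts.append((i, "hydraq-beacon"))
        elif not looks_like_tls(first):
            alerts.append((i, "non-tls-on-443"))
    return alerts

# Constructed sample flows: a TLS ClientHello prefix, the Hydraq beacon as seen
# on the wire, plain HTTP sent to 443, and an ordinary port-80 request.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")),
    (443, BEACON_WIRE),
    (443, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(scan_flows(SAMPLE_FLOWS))  # the beacon flow and the plain-HTTP flow
    print(xor_bytes(xor_bytes(b"\x00" * 20)) == b"\x00" * 20)  # XOR round trip
```

A reply captured from the server can be decoded with the same `xor_bytes` call, since the write-up gives only the key and not the reply's structure.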
Recommended protection and detection strategy against 0-days of a similar “style”
1. System lock-down with minimal user privileges.
2. Deploy a host-based intrusion detection system that monitors for:
- Changes to the registry, especially service modifications, startup entries, etc.
- Creation of new services
- Creation of a new child process with Internet Explorer as the parent process (for this incident, the trojan was installed through a remote code execution vulnerability in Internet Explorer).
3. Deploy a firewall at the network perimeter to block outgoing DNS access from client networks.
4. Deploy a desktop firewall on clients and implement tight control over network access provisioning.
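For point 2, the service-creation trick from Part 1 gives a concrete rule a HIDS can apply to the Services registry hive. This is an added example of mine, not code from the post or from ThreatExpert: the RaS[4 chars] name and the svchost.exe -k netsvcs ImagePath come from the write-up, the Parameters\ServiceDll value is general Windows knowledge about how svchost locates a service's DLL, and the snapshots, the service name RaSxk2q and the use of %TEMP%\c_1758.nls as that DLL are constructed.

```python
import re

# Name and ImagePath patterns from the ThreatExpert write-up.
NAME_RE = re.compile(r"^ras[a-z0-9]{4}$", re.IGNORECASE)   # RaS + 4 random characters
NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs", re.IGNORECASE)

def in_system32(path: str) -> bool:
    # Simplification: only these two spellings count as the real System32.
    p = path.lower().replace("/", "\\")
    return p.startswith(("%systemroot%\\system32\\", "c:\\windows\\system32\\"))

def hydraq_style_services(services: dict) -> list:
    # services: {name: {"ImagePath": ..., "ServiceDll": ...}} as read from
    # HKLM\SYSTEM\CurrentControlSet\Services (ServiceDll sits under Parameters).
    # Legitimate services such as RasAuto also match the RaS???? name and run in
    # netsvcs, so the DLL location is what separates them from a dropped one.
    flagged = []
    for name, vals in services.items():
        image, dll = vals.get("ImagePath", ""), vals.get("ServiceDll", "")
        reasons = []
        if NETSVCS_RE.search(image) and NAME_RE.match(name) and not in_system32(dll):
            reasons.append("RaS???? netsvcs service with DLL outside System32")
        if "%temp%" in dll.lower():
            reasons.append("ServiceDll under %TEMP%")
        if reasons:
            flagged.append((name, reasons))
    return flagged

def new_services(baseline: dict, current: dict) -> list:
    # "Creation of new services": names present now but absent from the baseline.
    return sorted(set(current) - set(baseline))

SVCHOST = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
# Constructed snapshots: a clean baseline and the same host after infection.
BASELINE = {
    "RasAuto": {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\rasauto.dll"},
    "Dhcp": {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\dhcpcsvc.dll"},
}
CURRENT = dict(BASELINE)
CURRENT["RaSxk2q"] = {"ImagePath": SVCHOST, "ServiceDll": r"%TEMP%\c_1758.nls"}  # constructed

if __name__ == "__main__":
    print(new_services(BASELINE, CURRENT))       # ['RaSxk2q']
    print(hydraq_style_services(CURRENT))        # RaSxk2q flagged for both reasons
```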
.duststar
January 19, 2010 - Cyber Security