This is a quick post to splainz the methodology behind how we were
able to make fingerprints for the Hacking Team and Equation Group
C&C infrastructure allowing remote identification of their servers,
as shown in
The Italian Job and
Equation Smasher releases on Github.
Myself and
March, the rootkit
wizard, have been at this kind of thing for quite some time, and have
had a great deal of success in enumerating and identifying C&C
infrastructure based on various oddities in how they present themselves.
A fine example of this was in our
Hunting Red October work prior (which resulted in the “asdic.pl” and “sonar.py” scripts).
Basically, here is a TL;DR on how you, too, can hunt down shitbag spies and other such nasties.
Step 1: Get samples of the malware and/or IP’s of some still active C&C servers.
This is often trivial. Once someone publishes a report, or you get
some nasty malware, identify the C&C server (run it in a sandbox or
whatever and sniff those sweet, sweet pacotes).
Step 2: Muck about with the C&C server.
Next up, do a portscan of the C&C server(s). Of particular
interest is the callback port. You want to fiddle with that port/service
a bit and see if it returns a “weird” or unique banner or response,
that you can chuck into
shodan and try identify similar servers.
The third step is fairly simple. Once you have a list of hosts that
also act in the same fashion and “smell” the same (much of this is based
on scientific jiggerypokery and general faffing about with them), you
portscan those and look for further similarities. Most oftentimes,
C&C infrastructure is “cloned” across hosts, so they all will be set
up in the same fashion.
Optional Step 4: Scan the Planet
Optionally, here you can scan the entire planet with masscan or zmap
looking for similar hosts that Shodan’s crawler might not have hit yet.
This gives you a nice list of IP’s to compare against netflow logs and
also to bang into online sandboxes/AV things to see if theres other
samples out there calling back, so you can gather more information and
link samples/campaigns together.
Optional Step 5: Hack the Planet
I have NOT engaged in this hypothetical step, and cannot legally advocate for it, however others such as
Malware.lu in the case of APT-1
(warning: PDF link) have done so. Somehow procure a copy of the C&C
software in question, fuzz the shit out of it, find some bugs, and own
the spying bastards, preferably uninfecting their victims and burning
their infrastructure to the ground. I include this step for completeness
only, and to point out that there is some recourse to be had.
Good sources of ~~DDoS numbers~~ IP addresses/C&C hosts to initially target for, er, interrogation are reports from
Citizen Lab
and AV vendors on the latest and lamest surveillance campaigns. Also,
because some espionage campaigns are cheapskates, obtaining copies of
widely (ab)used RAT software sold/used by ~~APT’s~~ script kiddies (such
as Poison Ivy/BlackShades/DarkComet) and analysing those examples is
also a fine way to find new, exciting fingerprints (and
vulnerabilities…) to go forth and ruin some attackers days.
Further note: If the malware uses a web based (say, written in PHP)
web panel, you might be able to fingerprint on HTTP titles or figure out
a google-dork or other way of identifying the panel. Think of web
panels as vulnerable webapps and apply the same thinking to locating and
finding vulnerabilities in them. Quite often the bit of the web panel
(the “gate”) that the implant calls back to fails miserably at
sanitizing inputs to databases or file outputs, so there are often some
gloriously exploitable bugs there. See the
Herpesnet teardown/ownage by malware.lu for some ideas on that :)
Have fun, and be safe. Remember kids - when fucking with C&C’s/malware, practice safe hex and wear your balaclavas!
I'd say that I am an eclectic amalgamation of many seemingly paradoxical
things. This can be exemplified in both my seemingly endless
persistence on many topics and arguments, as well as my careful
cautiousness on other topics and arguments. This is largely due to how
astute I am of the topic: more knowledge, more persistent; less
knowledge, obviously more cautious.
