State Sponsored Malware Identification/Detection Project

Introduction: State sponsored malware is among the top growing threats to electronic privacy we face. Each year, elements within the state national security apparatus release an assortment of invasive applications known commonly as malware - but this stuff is anything except common. It can steal your passwords, documents and even record your keystrokes. In certain instances, such as Stuxnet (a joint US-Israeli venture) destroy physical property.

Goals:
1) Create an easily adaptable (possibly using XML) database of known SSMW samples.
2) Catalog entries according to their origin, deployment, use, etc.
3) Create some process by which these can be identified with open source software that well create and release. We can do this by scanning for known checksums, files, processes and so on.

I think we especially, as enquirers into alternative topics, need a way to ensure we aren't victimized by illegal malware.

Any volunteers for this project? It is sure to be a research and effort intensive project, but one that could likely benefit many people in the long term.

At first, I didn't realize the scope of this problem! I feel that its best to use a standard-ish type method to document them. For those joining me in this project, feel free to use your own template if you'd like!

Name of malware: (ex. Flame, stuxnet, warriorpride)

Type: (Virus, Trojan, worm, composite, etc)

Attack Vector: (download, USB drive, worm, etc)

Mechanism of action:

Duration of action:

Known infections:

Origin:

Associated footprint: (checksum, files, etc)

Removal technique:

I think this is a decent format, at least to start with. If anyone has a better way, I'm all ears!

a reply to: JBurns

State Sponsored Malware Database Entry #1

Name: STUXNET

Type: Worm/zero day exploit (x4)

Attack Vector: Worm, USB Drive

Mechanism of action: Targets WIN OS/Siemens Step 7 software to affect programmable logic controllers. These controls, among other things, are used to regulate centrifuges that separate Uranium-235 from the common U-238 isotope - in a process known as enrichment. STUXNET literally caused 20% of Iran's centrifuges to rip themselves apart.

Duration of action: unlimited potential, as Stuxnet has a root kit module allowing it to hide its files and processes from detection.

Known infections: Iran nuclear enrichment facilities

Origin: US/Israel

Footprint: (going to compile its source and run a few tests on my Dev machine)

Detection removal: (no current precise method, our project will climate in open source software for detection and removal)

The first weapon made entirely of code.
-vimeo.com/25118844

I am currently setting up a "nuke this server" type set up for this project.

It will allow us to test these malware applications in a VM sandbox. I'm working on a way to give remote access to the VMware for other researchers to conduct tests/review findings.

Just wanted to welcome Jamiros and Fossilera to the project! We'll be posting regular updates in here. Please stay tuned for what's sure to be a great project.

Special thanks to Springer and ladyinwaiting!

JB

a reply to: JBurns

Finally made it in on the project! Can't wait to lend some expertise as an Engineer into the mix.

First off, I will second the idea on using an XML-based database to start. Eventually, as this project theoretically grows, we may want to consider another method of storing the data, but for now this will do fine.

-foss

Foss,

Hopefully that offer is still open!

So I made some progress here, and using some of the recently leaked archived/resources from TestMyAV.com I set up a test server in an isolated VM environment for studying samples. If anyone participating in this project would like SSH access to the Hyper-V server, send me a U2U and I'll send you connection information.

The hypervisor itself has a VM remote desktop connection application that will allow you to securely work with samples. The host OS also has a myriad of tools (like wireshark) and a VM running security onion for additional testing/observation.

I could also set up a server running MySQL/Apache for maintaining a database, or we could utilize XML + a .NET application.

Hopefully we can get together and make some progress here!

In May of this year, a piece of malware known as "WannaCry" infected hundreds of thousands of computers around the world. This specific worm functioned by encrypting certain files on a victim's PC and demanding a ransom be paid to unlock them. Although the attack wasn't orchestrated by a Government entity, it made use of an attack vector known and suppressed by NSA in order to facilitate their own offensive exploitation.

The "Cryptoworm" made use of an exploit in Windows' SMB (server message block) protocol known as ETERNALBLUE, which is believed to be the actual exploit used by NSA, as leaked by the Shadow Brokers in April of this year. This particular strain was interesting, because it included a "Kill switch" that could be activated by simply registering a certain domain name (such as: www.stopmyvirus.com - not the real kill switch, just an example). Although this kill switch significantly slowed the spread of this worm, later mutations had the kill switch removed. It is speculated that the author may have intended this functionality to determine whether or not the malware was being executed in a sandbox, or a live target's machine (by attempting connection to an arbitrary URL, and halting/proceeding based on the result of that attempt). In this instance it is likely the author wanted to make their malware more difficult to detect and analyze (stealth).

Name of malware: WannaCry

Type: Cryptographic Ransomware Worm

Attack Vector: Worm, NSA exploit ETERNALBLUE (CVE-2017-0147)

Mechanism of action: Buffer overflow into SMBv1 buffer leading to privileged code execution

Duration of action: 7 days to pay ransom, or files remain encrypted indefinitely

Known infections: Hundreds of thousands of affected systems (at least 200k)

Origin: Unknown creator of malware, exploit enabling this functionality was developed by NSA

Associated footprint: Worm does not hide infection, and displays ransom message to victim. Additionally:

SHA-256 Hashes:
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9 76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844 f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494 fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

File name: @[email protected]

Removal technique: Once infected, the only current possibility is obtaining the decryption key from the hijackers. In the future, these private keys could be discovered and potentially released to victims, through prosecution/legal means. Although the mathematical constructs of public key infrastructure is very secure, there may still be some unknown vulnerability in the attacker's implementation of the cryptographic algorithms - if so this would potentially enable recovery of the key. If not infected, you can apply Microsoft Security Bulletin MS17-010 or immediately run Windows Update to patch your PC against this attack.

This isn't a specimen report, but is a recent release by the EFF (10/30/17) regarding government malware. It is a good read for anyone interested in this topic, as well as those who just want a better understanding of state sponsored malware.

www.eff.org...

North Korea's FALLCHILL malware

According to DHS & FBI sources, North Korea has been using malware code named "FALLCHILL" since 2016. This malware targeted aerospace, telecom and financial industries according to an alert issued today (11/14/17).

The alert -- issued jointly by the FBI and the US Computer Emergency Readiness Team (US-CERT), which is part of the Department of Homeland Security (DHS) -- identifies IP addresses that North Korean actors are suspected of using to maintain a presence on victims' networks. The agencies warned of "severe impacts" from successful intrusions, including the loss of proprietary information and operational disruptions.

FALLCHILL, the alert said, is issued from a command and control (C2) server to a victim's system using multiple proxies to obfuscate network traffic. It uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption.

The malware typically infects a system as a file dropped by other North Korean malware or as a file unknowingly downloaded from a compromised site. It collects basic information such as OS version information and system name, and it allows for remote operations including searching, reading, writing, moving and executing files.

Article: www.zdnet.com...

It would appear one of North Korea's (code named HIDDEN COBRA) cyber espionage capabilities has been exposed, and it will be interesting to learn what kind of impact it had on defense contractors.

This threat is rated as severe by the agencies, and according to The Guardian, is still active on U.S. networks.

www.theguardian.com...

I will create a separate specimen report when technical details become available. I will also keep an eye out for samples to run in a sandbox for a deeper analysis.