阿碼外傳 - Armorize Technologies Unofficial Chinese Blog: 2013/3/4

March 4, 2013

Armorize Launches APT Detection and Forensics API at RSA


Hello everyone, it has been a while! Our team has just finished this year's RSA Conference exhibition in San Francisco; looking back, we have now exhibited for seven consecutive years! We would like to take this opportunity to report on what Armorize has been working on lately. We have not written a blog post in 16 months. We have been too busy: many new customers to support, many new threats to research, many new technologies to develop... all of which made spending time on the blog an unjustifiable luxury. It may be several more months before we blog again, but we want to give a brief report here first.

Over the past 16 months, we have focused on the following:


  1. Expanding our technical team, and stimulating and raising the team's skills through courses and examinations.
  2. Completing and launching the HackAlert V5 API, and developing the V6 API; the V6 API will launch in Q3 this year.
  3. Adding targeted attack (APT) detection to the HackAlert V5 API, covering a range of document formats (PDF, Word, Excel, PowerPoint, Access, Project, EXE, web pages, ads), and producing forensics reports in the AFRM (Armorize Forensics Reporting Methodology) format.
  4. Partnering with the world's largest email security vendor to launch an email service with multiple layers of security scanning, designed in particular for defence against targeted attacks (APT) and for requirements such as the personal data protection law.
  5. Developing and completing CodeSecure V5, and beginning development of CodeSecure V6.

On 1) Expanding our technical team

Here we congratulate the 35 colleagues who passed the EC-Council Certified Ethical Hacker (CEH) certification over the past six months: Adam Wei (ECC974360), Ain Chang (ECC974345), Alex Ruan (ECC974342), Allan Ku (ECC971799), Angus Wei (ECC974359), Aryan Chen (ECC974344), Carol Ru (ECC974341), Cyndi Wei (ECC974340), Eddie Chou (ECC974362), Eric Liu (ECC971746), Fred Tai (ECC971717), Hsuan Wang (ECC974346), Hyman Pan (ECC971733), Jasmine Chen (ECC974343), Jason Yang (ECC971702), Jeff Lee (ECC971815), Jimmy Huang (ECC974354), Joe Chang (ECC974361), Jordan Forssman, Lance Chang (ECC971730), In-Yee Lee (ECC971736), Mars Fu (ECC971756), Martin Chen (ECC971707), Matt Huang (ECC974356), Max Hsu (ECC974353), Michelle Juan (ECC974363), Paul Chen (ECC974358), Robin Huang (ECC971724), Roger Wang (ECC971813), Susan Chiu (ECC974347), Tom Kao (ECC971805), Van Cheng (ECC974357), Wayne Huang (ECC971814), and Wilson Chiou (ECC971812). Congratulations to them!

For us, continuous learning and on-the-job training are the key to staying at the top technically. We will keep strengthening this area.

On 2) The launch of the HackAlert V5 API

We launched the HackAlert V3 API in 2009, and by now the V3 API has become very mature and stable. Building on the experience of the V3 API and adopting new cloud and big-data technologies, we have developed three generations of the HackAlert API. Among the technologies we used:
  1. Non-relational, elastic storage
  2. Map reduce
  3. Big data technologies
  4. Message queues
  5. Elastic load balancers
  6. Virtualization and dynamic provisioning
  7. Distributed shared memory
  8. Distributed caching

We launched the HackAlert V4 API in 2010, focused mainly on scanning malicious advertisements. Last week, at RSA 2013, we launched the HackAlert V5 API, focused mainly on scanning email and targeted attacks (APT), and on providing forensics reports in AFRM format.

The design of the HackAlert V5 API also focuses on improvements for very high scan volumes, with enough scalability and stability to sustain Google-scale scanning loads.

For both the malicious-ad detection and the email-content detection mentioned above, Armorize has been fortunate to start with a win: the first customer signed for each application is the world's largest vendor in that field!

HackAlert V3 and V4 have therefore reached the end of their product life cycle. Since November 2012, new customers can no longer obtain V3 or V4, and we are helping all existing customers migrate to the HackAlert V5 API.

The HackAlert V6 API rewrites every existing component, including the underlying detection components, entirely from scratch. The HackAlert V6 API is expected to launch in Q3 this year to serve all our customers.

On 4) Partnering with the email security leader

Following on from the above, as soon as the HackAlert V5 API launched it attracted the industry's leading email security vendor as a user, bringing Armorize's technology into a new field. Working with this leading vendor, we came to realise that, beyond APT detection, a complete email security solution should include:
  1. DLP: the content and attachments of email should be searched and analysed in depth to find any documents containing personal or confidential data, and controlled according to the policies the company defines. Policies need a good UI for defining and organising them.
  2. Flexible notification: when an outgoing email violates company rules, the notification process is sensitive, so not every incident should be reported uniformly to the IT manager. For example, when the HR department sends out a résumé containing personal data, who should be notified? Or when the R&D department sends out a document containing confidential data, who should be notified then? Which actions should cause the mail to be bounced outright, which may be released after review, and which must be reported as violations? If a senior manager's email to a subordinate contains indecent or harassing language, who should be notified?
  3. Rules must be definable in depth. For example, a PDF used in an APT attack may be hard to extract and scan if it sits inside a password-protected archive. So does the company allow password-protected archives to be received? What about outgoing ones?
  4. Through email attachments, one can learn how many files the company actually has internally, and track their versions. Combined with network drive (SMB) and SharePoint plug-ins, all of the company's internal files can gradually be tracked, preserved and accounted for: which versions of which files have been shared with whom? Now that the personal data protection law has taken effect, these functions are especially important.
  5. Attack maps and reports. Even a targeted attack may have multiple targets. For a given attack incident, it should be shown clearly who received the attack, who opened the file, who clicked the link, what the malware did, and where it connected back to. This information should be generated as automatically as possible so that it helps IT staff from the very first moment.

Based on the above, we entered a mutual partnership with this email leader: the URLs and attachments of their global customers are scanned for safety by the Armorize HackAlert V5 API, while we obtained sales rights for Asia, allowing us to offer their solution to our Asian customers. This cross-licensing gives our customers the highest-quality technology and service: for APT targeted attacks, Armorize's world-leading scanning engine, and for other aspects of email security, the world's most advanced and complete platform, with Armorize providing local service.

On 3) Targeted attack (APT) detection and AFRM forensics reports

This section has too many technical terms and does not seem to translate easily into Chinese, so we are keeping the original English text for now. The key point of this section is that we invented the AFRM forensics report, which lets users understand, simply and clearly, everything that happened during an attack and the full causal story of every behaviour.

AFRM-based reporting is an important new feature of the HackAlert V5 API. For every scan you submit to the HackAlert service (e.g., online ad, URL, malware, document exploit), you will get a detailed, aggregated forensics report, laid out according to the Armorize Forensics Reporting Methodology (AFRM). AFRM enables you to easily comprehend the returned forensics data, and to use it for your own further analysis. AFRM reports include:
  1. Scene details (e.g., URL, ad tag, PDF document).
  2. Aggregated interpretations (e.g., "malicious", "blacklisted").
  3. Aggregated proofs (e.g., "drive-by download", "registry modification", "process injection"). Proofs provide support for interpretations.
  4. Aggregated exhibits (e.g., code snippet of shellcode, code snippet of exploit code, code snippet of HTTP responses, parameters of API calls, sections of binary files). Exhibits are sections of evidence that provide support for proofs.
  5. Aggregated evidence (e.g., HTTP response, API calls, binary files).
  6. Evidence correlations (e.g., JavaScript 1 (Exhibit A) --> document.write (Exhibit B) --> JavaScript 2 (Exhibit C) --> Load iframe 3 (Exhibit D)).

You will know exactly what a target is made up of, what it tries to do, where the attack is coming from, and the causality relationships between the collected pieces of evidence.

Exploit-Based Malware Infections

To explain AFRM, we first take a look at the exploit-based malware infection (EBMI) process, which is a widely used attack vector in Advanced Persistent Threats (APT). In EBMI, the victim is infected via opening a malicious document, often referred to as a document exploit. Common document exploit formats used in EBMI include Web pages, PDF files, Word files, Powerpoint files, Excel files, and Flash files embedded inside one of the previous types.

Phase 1: Exploit delivery and shellcode execution

During EBMI phase 1, the victim opens a document via a (document) renderer, defined as a software program that displays the document. Common (document, renderer) pairs include: (Web page, Web browser), (Web page containing Flash, Web browser with Flash support or plug-in), (Web page containing Java applets, Web browser with applet support / JRE), (PDF document, PDF reader), (Word document, MS Word), (Excel document, MS Excel), (PowerPoint document, MS PowerPoint), etc.

The document here, being malicious, is referred to as a document exploit. It contains mechanisms to exploit vulnerabilities either directly inside the renderer itself, or inside one of the renderer's installed plug-ins (e.g., Flash, Java applet, RealPlayer, etc.). If the exploited vulnerability is unknown to the renderer provider (vendor), then it is called a 0-day exploit.

This exploitation code (the exploit) is often implemented using scripting languages (e.g., JavaScript, ActionScript, VBScript, VBA). Two key factors make scripting languages extremely useful for this purpose: a) they provide the functionality needed to exploit the targeted vulnerability, and b) being interpreted languages, it is very easy to obfuscate the exploitation code, thus making detection difficult.

Common (renderer, scripting language) pairs include (Web browsers, JavaScript), (Flash, ActionScript), (PDF, JScript), (Office documents, VBA macros). Note that JavaScript, ActionScript, and JScript are all ECMA-based scripting languages.

The following attacks leverage an EBMI process: a) drive-by download attacks, b) malvertising attacks, c) URL-based email attacks, and d) attachment-based email attacks. In (a) (b) and (c), the browser ultimately loads a Web page served by an exploit pack, which serves polymorphic Web-page exploits. The server that hosts the exploit pack is called the exploit server, and the involved URLs are called the exploit URLs.

Phase 2: Malware execution

When a document exploit is opened and exploitation succeeds, a dropper is often created on disk and executed. The dropper can either be the actual malware, or it can be just a tiny executable whose sole job is to download the actual malware over the Internet.

In order to permanently infect the compromised system, the malware will often a) move itself to permanent disk locations and b) modify system configuration (e.g., registry settings) so as to be executed automatically upon every system startup. In order to hide itself from security checkers and users, the malware will often a) rename itself to seemingly legitimate filenames or b) arrange for alternative, less detectable and higher-privileged methods of execution, for example using process injection.

Once permanently installed, the malware will typically start to a) connect back home to the command-and-control (CNC) server, or to b) send the collected information back to the attacker.

Using the HackAlert V5 API, you will not only be able to detect EBMI, but also receive detailed forensics reports on exactly what happened during the two EBMI phases.
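The AFRM layering described in section 3 (interpretation supported by proofs, proofs supported by exhibits, exhibits cut from evidence, plus a correlation chain) and the two EBMI phases above can be tied together in one place. The following is an added example, not Armorize code and not the HackAlert API's actual report format: it extracts proofs from constructed sandbox evidence, tags each with the EBMI phase it belongs to, assembles the AFRM layers, and checks that the support chain is complete. The rule table, the verdict policy and the sample evidence are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Proof:          # AFRM proof: one observed behaviour, backed by exhibits
    name: str
    phase: int        # EBMI phase 1 (exploit/shellcode) or 2 (malware execution)
    exhibits: list    # (evidence_id, snippet): the sections of evidence that support it

# Constructed rule table for this example: marker seen in evidence -> (proof name, EBMI phase).
RULES = [
    ("document.write", "drive-by download", 1),
    ("unescape(", "obfuscated script", 1),
    ("RegSetValueExW", "registry modification", 2),
    ("CreateRemoteThread", "process injection", 2),
    ("connect(", "CNC connection", 2),
]

def extract_proofs(evidence):
    """evidence: list of (id, kind, lines) in capture order. Every rule hit becomes an exhibit."""
    proofs = {}
    for eid, _kind, lines in evidence:
        for line in lines:
            for marker, name, phase in RULES:
                if marker in line:
                    proofs.setdefault(name, Proof(name, phase, [])).exhibits.append((eid, line.strip()))
    return proofs

def build_report(scene, evidence):
    """Assemble the AFRM layers: scene, interpretation, proofs (with exhibits), evidence, correlation."""
    proofs = extract_proofs(evidence)
    phases = {p.phase for p in proofs.values()}
    # Constructed verdict policy: phase-2 behaviour means malicious; exploit-only means suspicious.
    verdict = "malicious" if 2 in phases else "suspicious" if 1 in phases else "clean"
    # Correlation: proofs in capture order (the dict keeps first-hit order) form the causal chain.
    return {"scene": scene, "interpretation": verdict, "proofs": proofs,
            "evidence": {eid: kind for eid, kind, _ in evidence},
            "correlation": " --> ".join(proofs)}

def validate(report):
    """AFRM support chain: a non-clean verdict needs proofs; each proof needs exhibits on known evidence."""
    if report["interpretation"] != "clean" and not report["proofs"]:
        return False
    return all(p.exhibits and all(eid in report["evidence"] for eid, _ in p.exhibits)
               for p in report["proofs"].values())

SAMPLE_EVIDENCE = [  # constructed: one HTTP response plus a sandbox API-call trace (RFC 5737 test IP)
    ("E1", "http_response", ["<script>document.write(unescape('%3Ciframe%20src%3D...'))</script>"]),
    ("E2", "api_calls", ["RegSetValueExW(HKCU\\...\\CurrentVersion\\Run, svc)",
                         "CreateRemoteThread(explorer.exe)", "connect(198.51.100.7:443)"]),
]
```

Running `build_report("https://ad.example/tag.html", SAMPLE_EVIDENCE)` yields a "malicious" verdict with five proofs whose chain runs from the phase-1 script behaviour to the phase-2 persistence, injection and CNC behaviours, and `validate` confirms every proof is anchored in listed evidence.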

On 5) The launch of CodeSecure V5

CodeSecure V4 was our first purely software-based CodeSecure. Compared with CodeSecure V3, CodeSecure V4 is more flexible and more portable. However, much like going from Apple, which controls both hardware and software, to Google, which controls only the Android software, running CodeSecure V4 on unfamiliar platforms outside our control brought some difficulties we had never faced before.

CodeSecure V5 fixes many of these problems and also makes major breakthroughs in speed and coverage. Last year I successfully persuaded six of my National Chiao Tung University classmates and roommates to give up their excellent jobs and join Armorize. One of them is Martin Chen; from organising the cake club and the Buddhist camp back in university until now, we have worked together with great rapport for a long time. He is the new person at the helm of CodeSecure and has written his own separate blog post. I will leave the introduction of this exciting CodeSecure V5 launch to him.
