Equation APT analysis using Security Data Science platform: BinSecSweeper

As many readers already know, at VULNEX we have been working on our BinSecSweeper project, whose development began in 2013 thanks to an award from US DARPA under its Cyber Fast Track (CFT) pilot program; we were the only Spanish startup to win a research award. In May 2014 I was invited to The Pentagon by DARPA to present my project, together with the other CFT participants. It was a unique and awesome experience!

Since then BinSecSweeper has changed in every way possible thanks to a strong engineering effort. With the rise of so many APTs, I thought it would be interesting to use Data Science techniques to analyze a recent APT that has gained a lot of media coverage: the Equation APT group.

For this analysis I have obtained 419 Windows executables attributed to this APT, which we will examine with BinSecSweeper. Let’s look at the results!

In Fig. 1 we have the project dashboard, where we can see a summary of the analysis. BinSecSweeper has identified malware and high-risk vulnerabilities, establishing a Severe threat level alert (based on the US Homeland Security system). It draws our attention to different characteristics of the executables such as packers, Personally Identifiable Information and binary similarities.

Fig. 1. Project dashboard.

In the metrics view (Fig. 2) we see more details of the analysis; the metric that most interests us, or at least me, is the risks identified and the number of affected files. BinSecSweeper has identified interesting risks in this APT.

Fig. 2. Metrics.

In BinSecSweeper we can deepen the analysis of one, several or all files, but for this high-level analysis our current objective is to obtain the big picture. So let’s look at the analytics data, a very powerful tool (see Fig. 3).

Fig. 3. Analytics data.

BinSecSweeper offers stunning graphics that help us to understand data very quickly and visually. In Fig. 4 we see a visualization of the entropy of the binaries. Most binaries are around 0.80 with some binaries in the 0.65 and 1.00 ranges.

Fig. 4. Entropy of the binaries.

In Fig. 5 we can see the different types of binaries. It should catch our attention that most files are DLLs and that there is also one driver, no doubt a file we should analyze in more detail.

Fig. 5. Types of binaries.

In Fig. 6 we see a very interesting metric, the section names of the executables, which helps us identify suspicious sections and packers.

Fig. 6. Section names.

Fig. 7 is related to the previous metric; in this case we have the number of sections per executable. One file has 10 sections.

Fig. 7. Number of sections.

In the next metric (Fig. 8) we have the number of libraries imported by the executables.

Fig. 8. Number of imported libraries.

The functions imported by the executables help us understand their functionality. Fig. 9 shows this metric, specifically the top 15 functions.

Fig. 9. Top 15 imported functions.

We can also see the exported functions (Fig. 10).

Fig. 10. Exported functions.

In Fig. 11 we see the identified compilers. It is interesting to understand the tools used by the APT authors.

Fig. 11. Identified compilers.

The last metric that we are going to look at is the compilation timestamp of the executables, organized by year. Clearly the authors were very busy in 2008.

Fig. 12. Compilation timestamps by year.
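The metrics walked through in Figs. 4 to 12 are all header-level PE features, so here is an added example (my own code for this post, not BinSecSweeper's and not part of the original analysis) that extracts normalized entropy, binary type (DLL, driver or EXE), section names and count, and compile year from each file and then rolls them up across a corpus the way the charts above do. The PE images it parses are constructed inside the script and are not Equation samples.

```python
import datetime, math, struct
from collections import Counter
IMAGE_FILE_DLL = 0x2000      # Characteristics flag: image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1   # Subsystem value used by kernel-mode drivers

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled to 0..1; values near 1.0 suggest packed or encrypted content."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values()) / 8.0

def pe_metrics(data: bytes) -> dict:
    """Header-level features of one file: binary type, section names and count, compile year, entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew: offset of the PE header
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]         # same offset in PE32 and PE32+
    names = [struct.unpack_from("8s", data, opt + opt_size + 40 * i)[0].rstrip(b"\0").decode("latin-1")
             for i in range(nsec)]
    kind = "driver" if subsystem == IMAGE_SUBSYSTEM_NATIVE else "dll" if chars & IMAGE_FILE_DLL else "exe"
    # TimeDateStamp is attacker-controlled and easily forged: treat the year as a hint, not a fact.
    year = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc).year
    return {"kind": kind, "sections": names, "section_count": nsec, "year": year,
            "entropy": round(normalized_entropy(data), 2)}

def build_sample_pe(sections, stamp, chars, subsystem, payload=b"") -> bytes:
    """Constructed header-only PE32 image for the demo (not a real Equation sample)."""
    dos = bytearray(64); dos[:2] = b"MZ"; dos[0x3C:0x40] = struct.pack("<I", 64)   # PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 224, chars)
    opt = bytearray(224); opt[0:2] = struct.pack("<H", 0x10B); opt[68:70] = struct.pack("<H", subsystem)
    table = b"".join(struct.pack("40s", s.encode()) for s in sections)   # 40-byte section headers
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload

# Constructed corpus: a DLL, a kernel driver and a UPX-style packed executable carrying random-looking data.
SAMPLES = {
    "a.dll": build_sample_pe([".text", ".rdata", ".data", ".rsrc"], 1_200_000_000, 0x2102, 2),
    "b.sys": build_sample_pe([".text", "INIT", ".rsrc"], 1_230_000_000, 0x0102, 1),
    "c.exe": build_sample_pe(["UPX0", "UPX1", ".rsrc"], 1_300_000_000, 0x0102, 2, bytes(range(256)) * 16),
}
def corpus_summary(samples: dict) -> dict:
    """Roll per-file metrics up into the corpus-level counts the charts above display."""
    per_file = {name: pe_metrics(blob) for name, blob in samples.items()}
    return {"kinds": Counter(m["kind"] for m in per_file.values()),
            "years": Counter(m["year"] for m in per_file.values()),
            "sections": Counter(s for m in per_file.values() for s in m["sections"]),
            "max_sections": max(m["section_count"] for m in per_file.values()),
            "high_entropy": sorted(n for n, m in per_file.items() if m["entropy"] >= 0.9)}
```

Pointing `SAMPLES` at real files read from disk gives the same counts the dashboard charts plot; the 0.9 entropy threshold is my own cut-off for flagging likely packed files.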

Very quickly and easily we have obtained a good understanding of this APT without entering into complex or costly analysis or reverse engineering, which would be our next step.

Today, with millions of malware circulating and the complexity of software, it is necessary to have in our arsenal powerful analysis tools such as BinSecSweeper, which uses advanced Data Science techniques to analyze the security and privacy of software.

Perhaps it would be interesting to analyze all antivirus with BinSecSweeper ;)

Hasta la vista Baby, I’ll be back soon with more analysis 

For more information about BinSecSweeper you can contact us at BinSecSweeper@vulnex.com

Does your organization use Security Data Science? What would you like to analyze?

— Simon Roses Femerling / @simonroses


A Security Breach Can Hurt You, More Than You Think!

Week after week we read about security breaches at top websites around the world, where millions of users’ data are exposed and the company does not even reply with an apology. Until now nobody in management (your typical C-level) assumed any responsibility for the breach, many times caused by a lack of security, but this tendency is starting to change.

Some CEOs have stepped down due to high-profile security breaches, such as Target in 2014 and the infamous Ashley Madison breach just recently, in July 2015. Management needs to start speaking cybersecurity and assuming responsibility for security breaches.

A security breach can really hurt you; take for example the Ashley Madison attack: 36 million users’ data exposed. Let’s be honest, many of these users were fake profiles, but many real users were still affected by the breach. The problem for Ashley Madison is not the attack itself but what has been revealed: the company had plans to go public, but by examining the data it looks like it was a scam. Ouch.

Another recent high-profile security breach has been Hacking Team, a security company that develops offensive solutions for law enforcement agencies (LEA) and has been selling its products to oppressive regimes worldwide. Hacking Team had been suspected of such activities for a while, but nothing was confirmed until a security breach revealed 400 gigabytes of its data containing product source code, client contracts, emails and much more: the dark side of this company. Really ouch!

MBA schools need to start including cybersecurity awareness in their courses so that management understands the problems and how to deal with them. It is not enough to have a good CSO/CISO these days; management needs to be 100% involved. If not, a security breach could hurt your company.

Should high management be involved in cybersecurity matters?

— Simon Roses Femerling – @simonroses


Race to 0day in Nation State Operating Systems

Operating System change is coming…

We all know that Windows still dominates the desktop arena, with Linux and MacOS trying to catch up, and that Android dominates the mobile space, with iOS and Windows Phone trying to catch up as well. What many of these OSs have in common is that they are developed by US companies (hello NSA!).

With the silent (or not so silent :) cyber guerrilla war going on on the Internet between the West and the East, it is not surprising that many Nation States are developing their own operating systems to cut their dependency on US software vendors.

The Sony cyber attack by North Korea (supposedly; not proven yet) has caught a lot of media attention (even President Obama has spoken about the need to increase cybersecurity), and to make things more interesting the operating system used by the North Korean government was leaked on the Internet and is currently being analyzed by many security companies and intelligence agencies looking for 0days.

Several Nation States have announced the development of their own “secure (cough)” operating systems; these are the ones I know of:

  • Red Star OS: Linux based (Red Hat) with a Windows XP look & feel, used by North Korea.
  • China: Several custom OSs.
    • COS: China Operating System, based on Linux, for mobile devices.
    • Kylin: The first version was based on FreeBSD, but the current version is based on Ubuntu.
  • Russia: Several custom OSs.
    • RoMOS: A customized Android OS for mobile devices (this OS doesn’t send any information to Google).
    • Linux: The Russian government announced switching to Linux as the national OS this year.
  • France: Not really their own operating system, but the French military switched to Linux Ubuntu (allegedly to save money).
  • India: Also announced their own secure OSs (not many details published).
  • United States of America: Several custom OSs.
    • The Defense Information Systems Agency (DISA) is developing a secure version of Android to be used on mobile devices across the government.
    • Plan X: An OS developed by DARPA to be used by the military for cyber warfare operations in real time.

The fact that Nation States are developing their own customized OSs for defensive purposes forces adversaries to obtain copies of these OSs to find 0days if they want to perform offensive actions, so we can expect the 0day market for exploits and rootkits in all of these Nation State OSs to grow in the coming years.

There is a good chance that Nation State counterintelligence will publish fake OSs and software pretending to be the real thing, so that adversaries waste resources trying to obtain copies and time analyzing the software, or, why not, plant offensive software inside the OS to attack the systems used to analyze it and compromise the network.

For sure, security companies and intelligence agencies from both sides (West and East) must keep an eye on the technologies used by their adversaries and keep ready a bunch of 0days for these OSs, as the standard Windows, Android and Linux versions will probably go away.

Nation States that do not put enough resources into developing their offensive capabilities will be unable to take any action against adversaries that use custom OSs in the future.

Reader: if you know of any more Nation State OSs, please let me know, and if you have copies of any of them, please send them my way!! (I already have Red Star OS, thanks.)

What do you think of Nation States developing their own OSs?

— Simon Roses Femerling | @simonroses
