APT BISCUIT

Via: Cryptome

As a 30 second background; years ago, circa 2005-2007 I worked for a FLA (four letter acronym) on this exact subject and recognize a lot of the tools in question. Amusingly, I tried to give a talk that was essentially a sanitized appendix of their report at 25C3 (‘we got owned by the (rhymes-with-unease) and didn’t even get a lessons learned’) and was visited by the FBI who ‘encouraged’ me to not perform the talk.

At any rate, a new age has dawned and another page has turned and we’re apparently far more open on this subject these days. In particular, I note one of the tools that Mandiant identifies as “BISCUIT”; I worked on what appears to be earlier variants of this tool. There are *a lot* of variants as it morphed over the years. Initially it operated as a DLL named “wauserv.dll”, which was supposed to look like the Windows Update DLL “wuauserv.dll” (windows update automatic update server dll). They would change a registry key and point the DLL loaded by Windows Update to their DLL and effectively hijack the Windows Update service (+1 point, clever).

The backdoor traffic at the time would contact C&C servers via domains that were hardcoded into the DLL, although over time this changed and remote updating functionality was included. Every X minutes (random timeframe that was something like mod 10 minutes) the service would do a DNS lookup of the C&C domain name and most of the time it would receive a reply that resolved to a loopback IP address (something in the 127.0.0.0/8 subnet; the TTL for the DNS records were low, like 1 minute IIRC). Whenever the intruders were ready to access the backdoors, they would switch the DNS records to make it resolve to a new IP.

This is a tactic that I imagine still occurs to this day, and so SOCs (security operation centers) and similar might find IPS (intrusion prevention system) rules that detect DNS replies resolving to loopback IPs with low-TTLs; from memory, this had some false positives that needed to be worked out in particular this sort of DNS reply sometime although semi-rarely legitimately occurs and rules written too loosely on the TTLs will flag on many many public DNS servers.

Read more: here

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s