<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Support</title>
	<atom:link href="http://blogs.mcafee.com/enterprise/support/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 22:07:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>NCCDC 2013 &#8211; Red Team Recap</title>
		<link>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap</link>
		<comments>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap#comments</comments>
		<pubDate>Wed, 08 May 2013 03:34:22 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[labs]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[NCCDC]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Risk and Compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24545</guid>
		<description><![CDATA[This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9th NCCDC competition.   It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011).  McAfee is actually a perpetual <a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/nccdc" rel="attachment wp-att-24552"><br />
<img class="size-full wp-image-24552 alignright" alt="nccdc" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/nccdc.gif" width="300" height="133" /></a></p>
<p>This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9<sup>th</sup> <a title="http://www.nationalccdc.org/" href="http://www.nationalccdc.org/" target="_blank">NCCDC competition</a>.   It was actually my 2<sup>nd</sup> year on the Red Team and 4<sup>th</sup> year to attend in total (I judged in 2010 and 2011).  McAfee is actually a perpetual sponsor of this event.  That being said, I have my own selfish agenda when I attend.</p>
<p>Joining in as part of the Red Team is, by far, one of the most educational experiences I could possibly put myself in.   Not only are you tossed into a room w/ folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule and from the time that the competition starts it’s heated and non-stop.</p>
<p>The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.</p>
<p><div id="attachment_24547" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_darkcomet_console1" rel="attachment wp-att-24547"><img class="size-medium wp-image-24547" alt="DarkComet Client Console" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_DarkComet_Console1-300x183.png" width="300" height="183" /></a><p class="wp-caption-text">DarkComet Client Console</p></div></p>
<p><strong>And . . . .. . It worked!</strong></p>
<p>Different individuals on the Red Team had their unique tools and methods to gain and retain access and upset the teams’ activities.   As the McAfee guy, I chose to rely on some old, tried and true (and very accessible) RATs.  Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.</p>
<p><div id="attachment_24550" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_remote_view_1" rel="attachment wp-att-24550"><img class="size-medium wp-image-24550 " alt="RAT Remote Process View" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_remote_view_1-300x195.png" width="300" height="195" /></a><p class="wp-caption-text">RAT Remote Process View</p></div></p>
<p>My philosophy was driven by two primary goals.   First, I know these things work realllllllllly well.  And with these RATs on the box, I can control and own everything.  Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions.   This is especially intriguing because, as a sponsor, McAfee provided the competition with our software.   I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated.   I know that McAfee (and just about all other) vendors DID detect these things.  Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike btw).</p>
<p>When the competition was over, I chatted with a few competitors, and mentioned this fact.  I immediately saw the gears start turning.  I could tell they had a real “Ahhhh we should have done that” moment.  Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs.  Those could have been curtailed as well.</p>
<p>Each year, the teams have to set up, maintain, and safeguard an environment for a faux company/entity.  This year the teams were tasked with the environment of a Correctional Institute.   This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more.  From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams.   For example if you kill/mangle/destroy the database for tracking prisoners and personnel, that’s one of the high point items.   After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc.   Other hot items include public web site defacement and acquisition of PII (personally identifiable information).  For added fun, many of us defaced the web sites by posting the company’s PII for all to see.</p>
<p><div id="attachment_24548" class="wp-caption alignleft" style="width: 727px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_defaced_team_9_1" rel="attachment wp-att-24548"><img class=" wp-image-24548 " alt="Defaced with PII" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_defaced_team_9_1-1024x608.png" width="717" height="426" /></a><p class="wp-caption-text">Defaced with PII</p></div></p>
<p>All in all it was a fantastic experience.   I look forward to future activities with this competition.</p>
<p>UTSA shot a documentary this year.  I’ll post details on that once it’s released.    However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event.   It features great interviews and ‘behind the scenes’ Red Team action.   I’m not interviewed, but you can see the top of my head in a couple shots!!</p>
<p><div id="attachment_24551" class="wp-caption alignleft" style="width: 1034px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jimhead" rel="attachment wp-att-24551"><img class="size-large wp-image-24551" alt="Hak5 Doc - Jim's Head" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/jimhead-1024x632.jpg" width="1024" height="632" /></a><p class="wp-caption-text">Hak5 Doc &#8211; Jim&#8217;s Head</p></div></p>
<p><a title="Hak5 NCCDC Documentary" href="http://hak5.org/episodes/hak5-1118" target="_blank">2012 Hak5 Documentary</a></p>
<p>Additional Blogs on NCCDC 2013</p>
<ul>
<li>David Cowen - <a id="resultURL" href="http://mcaf.ee/wid10" target="_blank">http://mcaf.ee/wid10</a></li>
<li>Raphael Mudge - <a id="resultURL" href="http://mcaf.ee/ageor">http://mcaf.ee/ageor</a></li>
<li>Alex Levinson - <a id="resultURL" href="http://mcaf.ee/limh1">http://mcaf.ee/limh1</a></li>
</ul>
<p>NCCDC 2013 Red Team Brief - <a id="resultURL" href="http://mcaf.ee/uodvk">http://mcaf.ee/uodvk</a></p>
<p><b>Bonus</b>:   We recently did our 2<sup>nd</sup> AudioParasitics episode with the great Raphael Mudge.   This time we have a full and glorious video demo of Cobalt Strike in action.  We actually walk through scenarios and give you details on how some of these Red Team activities actually occur.</p>
<p>AudioParasitics Episode 141 (video) - <a id="resultURL" href="http://mcaf.ee/gep69">http://mcaf.ee/gep69</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tool Talk: Cracking the Code on XtremeRAT</title>
		<link>http://blogs.mcafee.com/cto/tool-talk-unleashing-validedge-on-xtremerat</link>
		<comments>http://blogs.mcafee.com/cto/tool-talk-unleashing-validedge-on-xtremerat#comments</comments>
		<pubDate>Wed, 31 Oct 2012 21:06:20 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Partner]]></category>
		<category><![CDATA[Risk Compliance]]></category>
		<category><![CDATA[Security Perspectives]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[Cyber Security Mom]]></category>
		<category><![CDATA[Endpoint Protection]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[Israel]]></category>
		<category><![CDATA[labs]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[ValidEdge]]></category>
		<category><![CDATA[web protection]]></category>
		<category><![CDATA[XtremeRAT]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=19826</guid>
		<description><![CDATA[Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack.  The entry vector was described as a phishing campaign sent from Benny Gantz (head of the Israeli Defense Forces).  Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, <a href="http://blogs.mcafee.com/cto/tool-talk-unleashing-validedge-on-xtremerat">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack.  The entry vector was described as a phishing campaign sent from Benny Gantz (head of the Israeli Defense Forces).  Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, little was known that could assist in any sort of investigation. After nearly 24 hours from the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.</p>
<p><div id="attachment_19828" class="wp-caption alignleft" style="width: 516px"><img class="size-full wp-image-19828 " title="Generic Dropper.p (XtremeRAT)" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_israel_troj_ex.jpg" alt="Generic Dropper.p (Xtrat)" width="506" height="595" /><p class="wp-caption-text">Generic Dropper.p (XtremeRAT)</p></div></p>
<p>This is where, from the research side, things begin to get fun.</p>
<p>Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it&#8217;s all done in a safe environment, with extremely robust reporting.</p>
<p>To fully illustrate, let&#8217;s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as <a title="Generic Dropper.p" href="http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1563118" target="_blank">Generic Dropper.p</a>.</p>
<p>To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it&#8217;s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:</p>
<p><a href="http://blogs.mcafee.com/?attachment_id=19836"><img class="alignleft size-full wp-image-19836" title="Sample Data" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_sample_data.png" alt="Sample Data" width="482" height="107" /></a></p>
<p>The result sets are organized as a specific directory structure.</p>
<p><div id="attachment_19839" class="wp-caption aligncenter" style="width: 838px"><a href="http://blogs.mcafee.com/?attachment_id=19839"><img class="size-full wp-image-19839" title="Analysis Report sample" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_report1.png" alt="Analysis Report sample" width="828" height="689" /></a><p class="wp-caption-text">Analysis report sample</p></div></p>
<p>This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:</p>
<table id="Sample Analysis Data">
<tbody>
<tr>
<td>
<p><div id="attachment_19845" class="wp-caption alignleft" style="width: 160px"><a href="http://blogs.mcafee.com/?attachment_id=19845"><img class="size-thumbnail wp-image-19845" title="Sample Data" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_sample_data_5-150x150.png" alt="Sample Data" width="150" height="150" /></a><p class="wp-caption-text">Sample Data</p></div></td>
<td>
<p><div id="attachment_19842" class="wp-caption alignleft" style="width: 160px"><a href="http://blogs.mcafee.com/?attachment_id=19842"><img class="size-thumbnail wp-image-19842" title="Sample Data 2" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_sample_data_2-150x150.png" alt="Sample Data 2" width="150" height="150" /></a><p class="wp-caption-text">Sample Data 2</p></div></td>
</tr>
<tr>
<td>
<p><div id="attachment_19843" class="wp-caption alignleft" style="width: 160px"><a href="http://blogs.mcafee.com/?attachment_id=19843"><img class="size-thumbnail wp-image-19843" title="Sample Data 3" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_sample_data_3-150x150.png" alt="Sample Data 3" width="150" height="150" /></a><p class="wp-caption-text">Sample Data 3</p></div></td>
<td>
<p><div id="attachment_19844" class="wp-caption alignleft" style="width: 160px"><a href="http://blogs.mcafee.com/?attachment_id=19844"><img class="size-thumbnail wp-image-19844" title="Sample Data 4" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_sampledata_4-150x150.png" alt="Sample Data 4" width="150" height="150" /></a><p class="wp-caption-text">Sample Data 4</p></div></td>
</tr>
</tbody>
</table>
<p>From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.</p>
<p><div id="attachment_19854" class="wp-caption aligncenter" style="width: 638px"><a href="http://blogs.mcafee.com/?attachment_id=19854"><img class="size-full wp-image-19854" title="MemDumps" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/From-Clipboard.png" alt="MemDumps" width="628" height="164" /></a><p class="wp-caption-text">Memory dumps</p></div></p>
<p><div id="attachment_19856" class="wp-caption aligncenter" style="width: 310px"><a href="http://blogs.mcafee.com/?attachment_id=19856"><img class="size-medium wp-image-19856" title="PCAPs" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_netdata1-300x161.png" alt="PCAPs" width="300" height="161" /></a><p class="wp-caption-text">PCAPs</p></div></p>
<p>All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.</p>
<p><div id="attachment_19865" class="wp-caption alignnone" style="width: 310px"><a href="http://blogs.mcafee.com/?attachment_id=19865"><img class="size-medium wp-image-19865" title="Dropped Files" src="http://blogs.mcafee.com/wp-content/uploads/2012/10/web_drops_md5-300x234.png" alt="Dropped Files" width="300" height="234" /></a><p class="wp-caption-text">Dropped files</p></div></p>
<p>Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.</p>
<p>Example:</p>
<p>Name: word.exe<br />
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211<br />
Detection: Artemis!2BFE41D7FDB6</p>
<p>At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.</p>
<p>If you would like to learn more, you can read the following sources:</p>
<ul>
<li><a title="http://www.opswat.com/partners/technology-partners" href="http://www.opswat.com/partners/technology-partners" target="_blank">http://www.opswat.com/partners/technology-partners</a></li>
<li><a title="http://www.mcafee.com/us/products/network-threat-response.aspx" href="http://www.mcafee.com/us/products/network-threat-response.aspx" target="_blank">http://www.mcafee.com/us/products/network-threat-response.aspx</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/tool-talk-unleashing-validedge-on-xtremerat/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome to FOCUS 10</title>
		<link>http://blogs.mcafee.com/support/welcome-to-focus-10</link>
		<comments>http://blogs.mcafee.com/support/welcome-to-focus-10#comments</comments>
		<pubDate>Wed, 06 Oct 2010 02:16:39 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=4201</guid>
		<description><![CDATA[FOCUS 10 is just a week away and we’re so excited to gather with our best customers and partners for McAfee’s third annual security conference (Oct. 12-14). Over 2,200 delegates are expected to attend — making FOCUS 10 our largest gathering ever! FOCUS truly is a unique opportunity for the McAfee community to come together <a href="http://blogs.mcafee.com/support/welcome-to-focus-10">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.mcafee.com/focus10">FOCUS 10</a> is just a week away and we’re so excited to gather with our best customers and partners for McAfee’s third annual security conference (Oct. 12-14). Over 2,200 delegates are expected to attend — making FOCUS 10 our largest gathering ever!</p>
<p>FOCUS truly is a unique opportunity for the McAfee community to come together and share perspectives on today’s most important security issues. It is where we as McAfee get to show off our trusted advisor status in many presentations and discussions with customers and partners. Attendees can find out how companies are using the latest technologies to thwart attacks and reduce risk. In turn, we get to hear from our customers and partners and gain valuable feedback that we can use to improve our future offerings.</p>
<p>The agenda will feature world-class keynote presenters, including McAfee President and CEO Dave DeWalt, Worldwide CTO George Kurtz and Global Threat Intelligence CTO Mike Gallagher. President Bill Clinton is also a featured speaker. We’ll have 70+ breakout sessions covering network security, data protection, risk &amp; compliance, emerging threats, endpoint security and more. Other highlights will include a Sponsor Expo with 40+ McAfee partners, targeted networking activities, unforgettable special events, and much more.</p>
<p>See you next week in Las Vegas!</p>
<p>Barry</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/welcome-to-focus-10/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Letter to McAfee Customers  (by Dave DeWalt)</title>
		<link>http://blogs.mcafee.com/support/open-letter-to-mcafee-customers</link>
		<comments>http://blogs.mcafee.com/support/open-letter-to-mcafee-customers#comments</comments>
		<pubDate>Fri, 23 Apr 2010 19:23:20 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[Dave DeWalt]]></category>
		<category><![CDATA[dewalt]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=2689</guid>
		<description><![CDATA[As many of you know all too well, last Wednesday, April 21, while responding to a new global threat to Windows PCs that attacks critical operating system components, a system error—specifically, the release of a faulty DAT file—caused some of our customers’ computers to shut down until they could be repaired and rebooted. We deeply <a href="http://blogs.mcafee.com/support/open-letter-to-mcafee-customers">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As many of you know all too well, last Wednesday, April 21, while responding to a new global threat to Windows PCs that attacks critical operating system components, a system error—specifically, the <a href="http://www.mcafee.com/us/about/false_positive_response.html">release of a faulty DAT file</a>—caused some of our customers’ computers to shut down until they could be repaired and rebooted.</p>
<p>We deeply regret the impact this may have had on you.  In some cases, the outages were lengthy.  Even among the vast majority of customers who did not experience operating disruptions, the mere possibility created an unwelcome distraction and reason for concern.</p>
<p>Our first priority was and continues to be helping all of our customers get back to business as usual reliably, confidently, and securely. The nearly 7,000 employees of McAfee quickly dedicated themselves to that effort, working literally around the clock and around the world to identify the error, remove the file that caused the problems from our servers, develop and release a corrected file, and provide our customers with hands-on support to repair impacted systems.  The vast majority of affected users were back up and running smoothly within hours, and we are continuing to work diligently until we are sure that every last user node among each and every one of our customers is back in action.  Again we offer our sincere apologies.</p>
<p>As that effort comes to a conclusion, our next and equally important priority is to review our processes to make sure this never happens again. We are implementing additional QA protocols for any releases that directly impact critical system files.  We are also rolling out additional capabilities in Artemis that will provide another level of protection against false positives by leveraging an expansive whitelist of critical system files and their associated cryptographic hashes.</p>
<p>McAfee’s business is protecting you, our customers, from threats and harm.  We pride ourselves on our record of doing so, and we sincerely apologize for this incident.  We will work hard to restore and continue earning your full confidence in our company, our products and our brand.</p>
<p>Sincerely,</p>
<p>David DeWalt<br />
President and Chief Executive Officer</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/open-letter-to-mcafee-customers/feed</wfw:commentRss>
		<slash:comments>57</slash:comments>
		</item>
		<item>
		<title>An Update on False Positive Remediation</title>
		<link>http://blogs.mcafee.com/support/an-update-on-false-positive-remediation</link>
		<comments>http://blogs.mcafee.com/support/an-update-on-false-positive-remediation#comments</comments>
		<pubDate>Fri, 23 Apr 2010 04:04:07 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=2684</guid>
		<description><![CDATA[As you know, McAfee on Wednesday released a faulty signature update file (DAT file) that caused problems for a number of our customers. First off, I want to apologize on behalf of McAfee and say that we’re extremely sorry for any impact the faulty signature update file may have caused you and your organizations. I <a href="http://blogs.mcafee.com/support/an-update-on-false-positive-remediation">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As you know, McAfee on Wednesday <a href="http://blogs.mcafee.com/support/mcafee-response-on-current-false-positive-issue/">released a faulty signature update file</a> (DAT file) that caused problems for a number of our customers.</p>
<p>First off, I want to apologize on behalf of McAfee and say that we’re extremely sorry for any impact the faulty signature update file may have caused you and your organizations.</p>
<p>I want to give you a brief update on what has happened since we first became aware of the false detection. McAfee team members have been working around the clock to fix the problem and work with impacted customers. We estimate that the majority of the affected systems are back up and running at this time and more systems are coming back online quickly.</p>
<p>Early Thursday morning (at around 1 AM PT) we published a SuperDAT Remediation Tool to help customers fix affected systems. The tool suppresses the driver causing the false positive by applying an Extra.dat file in folder. It then restores the “svchost.exe” Windows file, the file quarantined as a result of the false detection.</p>
<p>The tool has been successful at remediating the problem caused by the faulty DAT update for multiple customers. The tool itself and more details on how it works are available <a href="https://kc.mcafee.com/corporate/index?page=content&#038;id=KB68780">in our knowledge base</a>. Additionally, we have support team members onsite and on the phone to assist impacted customers.</p>
<p>Of course many of you are asking how the faulty DAT made it past our quality assurance checks. The problem arose during the testing process for this DAT file. We recently made a change to our QA environment that resulted in a faulty DAT making its way out of our test environment and onto customer systems.</p>
<p>To prevent this from happening again, we are implementing additional QA protocols for any releases that directly impact critical system files. In addition, we plan to add capabilities to our cloud-based Artemis system that will provide an additional level of protection against false positives by leveraging an expansive whitelist of critical system files. (More details <a href="https://kc.mcafee.com/corporate/index?page=content&#038;id=KB68787">are available in an FAQ</a> that was published Thursday night.)</p>
<p>Again, on behalf of McAfee, I’m very sorry for how you may have been impacted by the faulty DAT file update and thank you for your continued support and cooperation as we work to remediate the situation.</p>
<p>Barry</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/an-update-on-false-positive-remediation/feed</wfw:commentRss>
		<slash:comments>128</slash:comments>
		</item>
		<item>
		<title>A Long Day at McAfee</title>
		<link>http://blogs.mcafee.com/support/a-long-day-at-mcafee</link>
		<comments>http://blogs.mcafee.com/support/a-long-day-at-mcafee#comments</comments>
		<pubDate>Thu, 22 Apr 2010 04:14:11 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=2655</guid>
		<description><![CDATA[As I approach my 14th straight hour on the phone with my worldwide support team, and a number of them logging a similar number of hours, I can assure you that we are still working because I and the rest of the McAfee team are taking the issues raised in your comments to my previous <a href="http://blogs.mcafee.com/support/a-long-day-at-mcafee">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As I approach my 14th straight hour on the phone with my worldwide support team, and a number of them logging a similar number of hours, I can assure you that we are still working because I and the rest of the McAfee team are taking the issues raised in your comments to my previous blog, in our support forums, on the phone with us and elsewhere very seriously.</p>
<p>In our ongoing efforts to protect our customers from a seemingly endlessly multiplying variety and volume of attacks, today we released an update file that clearly did more harm than good. There was a legitimate threat and we wanted to protect our customers, as we have done successfully thousands and thousands of times before. But in trying to do so, we created negative and unintended consequences for some very important people. Many of you.</p>
<p>Having talked to literally hundreds of my colleagues around the world and emailed thousands to try and find the best way to correct these issues, let me say this has not been my favorite day. Not for me, or for McAfee. Not by a long shot.</p>
<p>Mistakes happen. No excuses. The nearly 7,000 employees of McAfee are focused right now on two things, in this order. First, help our customers who have been affected by this issue get back to business as usual.  And second, once that is done, make sure we put the processes in place so this never happens again.</p>
<p>If you are an enterprise/corporate account and you have an issue, these entries in our virus <a href="http://vil.nai.com/vil/5958_false.htm">information library</a> and the <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68780">knowledge base</a> provide workarounds for this issue. If you are a consumer and have an issue, this support page provides information for <a href="http://home.mcafee.com/root/campaign.aspx?cid=77151">impacted consumers</a> or call +1 866 622 3911. We have teams of people standing by to help. (To contact McAfee by phone in your region, go to the <a href="http://www.mcafee.com/us/about/contact/index.html">&#8220;Contact Us&#8221; page</a> on our Web site and select your country for the correct number.)</p>
<p>I also recommend customers sign up for our Support Notification Service to get real critical product information via e-mail. Go to the <a href="http://my.mcafee.com/content/SNS_Subscription_Center/">SNS Subscription Preference Center</a> to subscribe. For more information, view the <a href="https://kc.mcafee.com/corporate/index?page=content&#038;id=KB67828">SNS KnowledgeBase article and FAQ</a>.</p>
<p>Barry</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/a-long-day-at-mcafee/feed</wfw:commentRss>
		<slash:comments>313</slash:comments>
		</item>
		<item>
		<title>McAfee Response To Current False Positive Issue</title>
		<link>http://blogs.mcafee.com/support/mcafee-response-on-current-false-positive-issue</link>
		<comments>http://blogs.mcafee.com/support/mcafee-response-on-current-false-positive-issue#comments</comments>
		<pubDate>Wed, 21 Apr 2010 21:29:02 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=2637</guid>
		<description><![CDATA[McAfee is aware that a number of customers have incurred a false positive error due to a faulty virus definition file release.]]></description>
				<content:encoded><![CDATA[<p>In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Our researchers worked to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.</p>
<p>The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.</p>
<p>McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base&#8211;<a href="http://home.mcafee.com/Store/Default.aspx">home users</a> of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you&#8217;re one of those impacted, this is a significant event for you. We understand that and we&#8217;re very sorry.</p>
<p>Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running a scan.</p>
<p>The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.</p>
<p>McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing customers detailed guidance on how to repair any impacted systems.</p>
<p><strong>Corporate Customers</strong><br />
- This entry in our virus <a href="http://vil.nai.com/vil/5958_false.htm">information library</a> provides workarounds<br />
- Our knowledge base has two articles, one specific for <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68780">VirusScan Enterprise users</a> and one for <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68790">Total Protection Service</a> users<br />
- Customers are discussing the issue in our <a href="http://community.mcafee.com/thread/24056?start=0&#038;tstart=0">online support community</a><br />
- More details <a href="https://kc.mcafee.com/corporate/index?page=content&#038;id=KB68787">on this topic are available in an FAQ</a>.</p>
<p><strong>Consumers</strong><br />
- This support page provides information for <a href="http://home.mcafee.com/root/campaign.aspx?cid=77151">impacted consumers</a><br />
- Consumers are also discussing the topic in the <a href="http://community.mcafee.com/message/125925">online community</a></p>
<p>To contact McAfee by phone in your region, go to the <a href="http://www.mcafee.com/us/about/contact/index.html">&#8220;Contact Us&#8221; page</a> on our Web site and select your country for the correct number.</p>
<p>Early morning on Thursday night (at around 1 AM PT) we published a SuperDAT Remediation Tool to help customers fix affected systems. The tool suppresses the driver causing the false positive by applying an Extra.dat file in folder. It then restores the “svchost.exe” Windows file. The tool has been successful at remediating the problem caused by the faulty DAT update for multiple customers. The tool itself and more details on how it works are available <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68780">in our knowledge base</a>.</p>
<p>We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.</p>
<p>We sincerely apologize for the inconvenience this has caused our customers and will update this blog posting as more details become available.</p>
<p>Barry</p>
<p>PS: I just <a href="http://blogs.mcafee.com/support/a-long-day-at-mcafee/">published another blog</a> in response to some of your comments below.</p>
<p><em><br />
(Updated at 3.35 PM PT to include statement on number of customers impacted.)<br />
(Updated at 3.50 PM PT with a link to details for consumers who were impacted.)<br />
(Updated at 5.13 PM PT with link to knowledge base.)<br />
(Updated at 5.44 PM PT to correct the number of impacted consumers.)<br />
(Updated at 8.20 PM PT removing detail on 5959 DAT capabilities.)<br />
(Updated at 9.27 PM PT to provide additional detail on customer impact and add a link to the new blog post.)<br />
(Updated at 10.01 PM PT to add a link to the support community.)<br />
(Updated at 11.58 AM PT on Thursday to add additional KB article links.)<br />
(Updated at 1.10 PM PT on Thursday to add mention of remediation tool.)<br />
(Updated at 2.45 PM PT on Thursday to restate number of customers impacted.)<br />
(Updated at 12.53 PM PT on Friday to add a link to the FAQ.)</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/mcafee-response-on-current-false-positive-issue/feed</wfw:commentRss>
		<slash:comments>419</slash:comments>
		</item>
		<item>
		<title>McAfee Online Support Community Live</title>
		<link>http://blogs.mcafee.com/support/mcafee-online-support-community-live</link>
		<comments>http://blogs.mcafee.com/support/mcafee-online-support-community-live#comments</comments>
		<pubDate>Thu, 05 Nov 2009 00:12:11 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Support]]></category>
		<category><![CDATA[Consumer]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=1387</guid>
		<description><![CDATA[Today the McAfee Online Support Community went live, giving you a way to interact with McAfee business users, ask questions and share best practices. Additionally, you’ll be able to talk with McAfee professionals about McAfee products, security awareness issues, and emerging trends — plus give us feedback on product and service enhancements. The new community <a href="http://blogs.mcafee.com/support/mcafee-online-support-community-live">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Today the <a href="http://community.mcafee.com/" target="_blank">McAfee Online Support Community</a> went live, giving you a way to interact with McAfee business users, ask questions and share best practices. Additionally, you’ll be able to talk with McAfee professionals about McAfee products, security awareness issues, and emerging trends — plus give us feedback on product and service enhancements.</p>
<p>The new community has spaces for business users, home/home office users, security awareness, and community help. Through discussions, blogs, wikis, profiles, polls, and special interest groups, you&#8217;ll find the McAfee Online Support Community a great place to be.</p>
<p>Go to   to explore, join, and participate today.</p>
<p>Barry</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/support/mcafee-online-support-community-live/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
	</channel>
</rss>
