Abstract

Friday 2 October 11:00 - 11:30, Green room

Chun Feng (Microsoft)
Michael Cherny (Microsoft)
Tal Be'ery (Microsoft)
Stewart McIntyre (Dell SecureWorks)

download slides (PDF)

Bian Lian (face changing) is an ancient Chinese dramatic art that stems from Sichuan opera, where performers can change their face masks almost instantaneously.

Interestingly, this 'face-changing' trick is not only used in Sichuan opera; it can also be adopted in the digital world by malware. A new breed of advanced persistent threat (APT) discovered by Dell SecureWorks, known as 'Skeleton Key', is using this 'face-changing' trick.

When the 'Skeleton Key' malware is installed on the domain controller (DC), the attacker can play the face-changing trick on the domain by logging in as any user it chooses and performing any number of actions on the system including, but not limited to, sending/receiving emails, accessing private files etc.

This paper analyses the technical details of the 'Skeleton Key' malware. It unveils the tricks used by Skeleton Key to tamper with NT LAN Manager (NTLM) and Kerberos/Active Directory authentication. In particular, it details the tricks used by the malware to downgrade the encryption algorithm used by Kerberos, from AES to RC4-HMAC (NTLM).

The Skeleton Key malware can be removed from the system after a successful infection, while leaving the compromised authentication in place. This can pose a challenge for anti-malware engines to detect the compromise. This paper also discusses how on-the-wire detection and in-memory detection can be used to address some of these challenges.
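One observable the abstract points at is the Kerberos encryption downgrade: an account that normally receives AES-encrypted tickets suddenly obtaining RC4-HMAC ones. The script below is an added illustration of that detection idea and is not code from the paper or from Dell SecureWorks. It runs over constructed, simplified event lines (modelled loosely on the "Ticket Encryption Type" field of Windows Kerberos event 4768; the line format here is an assumption for the example), builds a per-account baseline of AES use, and flags accounts that later present RC4. Accounts that only ever use RC4 (legacy or service accounts without AES keys) stay below the threshold and are not alerted on, which keeps noise down; the encryption type numbers are the standard Kerberos etype values (0x11/0x12 for AES, 0x17 for RC4-HMAC).

```python
import re
from collections import defaultdict

# Kerberos encryption type identifiers as used in the "Ticket Encryption Type"
# field of Windows events 4768/4769 (values from the Kerberos etype registry).
ETYPE_NAMES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
AES_ETYPES = {0x11, 0x12}
RC4_ETYPES = {0x17, 0x18}

# Constructed sample events (not real logs). Format is an assumption for this
# example: <event id> account=<user> ip=<client> etype=<hex etype>.
SAMPLE_EVENTS = """\
4768 account=alice ip=10.0.0.5 etype=0x12
4768 account=bob ip=10.0.0.7 etype=0x12
4768 account=svc-backup ip=10.0.0.9 etype=0x17
4768 account=alice ip=10.0.0.5 etype=0x12
4768 account=alice ip=10.0.0.44 etype=0x17
4768 account=bob ip=10.0.0.7 etype=0x12
4768 account=bob ip=10.0.0.80 etype=0x17
"""

EVENT_RE = re.compile(
    r"^(?P<eid>\d+)\s+account=(?P<acct>\S+)\s+ip=(?P<ip>\S+)\s+etype=(?P<etype>0x[0-9a-fA-F]+)$"
)


def parse_event(line):
    """Parse one constructed event line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "eid": int(m.group("eid")),
        "account": m.group("acct"),
        "ip": m.group("ip"),
        "etype": int(m.group("etype"), 16),
    }


def find_etype_downgrades(lines, min_aes_seen=1):
    """Flag accounts that obtained AES TGTs before and then obtain an RC4 TGT.

    min_aes_seen is how many prior AES tickets establish the baseline; accounts
    that have only ever used RC4 are treated as legacy and not alerted on.
    """
    aes_seen = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != 4768:  # only TGT requests
            continue
        acct = ev["account"]
        if ev["etype"] in AES_ETYPES:
            aes_seen[acct] += 1
        elif ev["etype"] in RC4_ETYPES and aes_seen[acct] >= min_aes_seen:
            alerts.append({
                "account": acct,
                "ip": ev["ip"],
                "etype": ETYPE_NAMES.get(ev["etype"], hex(ev["etype"])),
                "prior_aes_tickets": aes_seen[acct],
            })
    return alerts


if __name__ == "__main__":
    for a in find_etype_downgrades(SAMPLE_EVENTS.splitlines()):
        print(f"DOWNGRADE {a['account']} from {a['ip']}: {a['etype']} "
              f"after {a['prior_aes_tickets']} AES ticket(s)")
```

Because the malware patches authentication on the DC itself, logs emitted by that DC are not a trusted record; this is why the abstract pairs on-the-wire detection (observing etype negotiation from a network tap) with in-memory inspection of the DC. Running the same baseline logic over captured AS-REQ/AS-REP exchanges rather than DC-written events avoids relying on the compromised host.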
