Digital 'Bian Lian' (face changing): the skeleton key malware

Friday 2 October 11:00 - 11:30, Green room

Chun Feng (Microsoft)
Michael Cherny (Microsoft)
Tal Be'ery (Microsoft)
Stewart McIntyre (Dell SecureWorks)

  download slides (PDF)

Bian Lian (face changing) is an ancient Chinese dramatic art that stems from Sichuan opera where performers can change their face masks almost instantaneously.

Interestingly, this 'face-changing' trick is not only used in Sichuan opera, it can also be adopted in the digital world by malware. A new breed of advanced persistent threat (APT) discovered by Dell SecureWorks known as 'Skeleton Key', is using this 'face-changing' trick.

When the 'Skeleton Key' malware is installed on the domain controller (DC), the attacker can play the face-changing trick on the domain by logging in as any user it chooses and perform any number of actions on the system including, but not limited to, sending/receiving emails, accessing private files etc.

This paper analyses the technical details of the 'Skeleton Key' malware. It unveils the tricks used by Skeleton Key to tamper with NT LAM Manager (NTLM) and Kerberos/Active Directory authentication. In particular, it details the tricks used by the malware to downgrade the encryption algorithm used by Kerberos, from AES to RC4-HMAC (NTLM).

The Skeleton Key malware can be removed from the system after a successful infection, while leaving the compromised authentication in place. This can pose a challenge for anti-malware engines to detect the compromise. This paper also discusses how on-the-wire detection and in-memory detection can be used to address some of these challenges.

Click here for more details about the conference.

Chun Feng

Chun Feng

Chun Feng was born in China in 1977. He graduated from Southeast University, China with a Master's degree in computer engineering. He joined Microsoft Australia as a virus analyst in early 2008, having previously worked for Computer Associates for about two years in the same capacity. His research interest focuses on malware originating from China. In his spare time, he plays around with magic tricks and enjoys photography.

Tal Be'ery

Tal Be'ery

Tal Be'ery is a Senior Security Research Manager in Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), protecting organizations through entity behaviour. Previously, Tal managed various security project teams in several companies. Tal holds B.Sc and M.Sc degrees in electrical engineering and computer science and is a Certified Information Systems Security Professional (CISSP). Tal is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, BlackHat and AusCERT and was included by Facebook in their whitehat security researchers list. Tal is a columnist for the securityweek.com magazine.

@TalBeerySec

Stewart McIntyre

Stewart McIntyre

Stewart is a Senior Analyst in the Dell SecureWorks Counter Threat Unit Special Operations team, where he provides customers with threat actor hunting and incident response services, and researches threat actor activities and capabilities. Stewart was a key member of the team involved in the discovery and analysis of the 'Skeleton Key' malware and is the main author of the subsequent public Dell SecureWorks malware analysis. Stewart holds a B.Sc. degree in computer science and artificial intelligence, from the University of Edinburgh. He has a widespread technical consultancy background, including penetration testing, reverse engineering, secure development lifecycle, and Identity and Access Management (IAM) development.