Transcript of 2016 HITCON Malware is In the Memory · Cuckoo Sandbox - Malware Automatic Analysis System -...
ⓒ Copyright 2016, blackfort security all rights reserved.
Malware is In the Memory: Real Time Malware Memory Analysis System
2016 HITCON
YoungJin Sim / BLACKFORT Security / Senior Researcher<[email protected]>
YoungHak Lee / BLACKFORT Security / Senior Researcher
Who we are
ⓒ Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com
YoungJin Sim, YoungHak Lee
New malware per day
Reference: http://www.redsocks.nl/blog-2/malware-statistics-march-2016/
- Average of 425,531 new samples per day
- Average analyst time per sample: 1 hour
- Working day: 8 hours
- 425,531 / 8 = 53,191 analysts would be needed just to keep up at one sample per analyst-hour
Cuckoo Sandbox
- Malware automatic analysis system
- Windows, OS X, Linux and Android guests supported
- Traces API calls by user-level API hooking (the Cuckoo Monitor DLL is injected into the analyzed process)
- Rootkit analysis is impossible: kernel-mode code is never hooked (example: ZeroAccess)
- Vulnerable to anti-VM checks (example: Citadel)
- Reference: http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture
Why Memory Analysis?
- All programs are loaded in memory
- Bypasses malware protectors (packing, anti-debugging): the unpacked code has to exist in memory in order to run
- Advanced malware operates solely in memory
- Identifies system activity and the overall machine state
- Memory reliability is very important: the analysis is only as good as the memory it reads
- Examples of existing systems: Memory Analysis, Drakvuf, Memminer
Memory Analysis (djteller)
- Black Hat USA 2014 Arsenal release
- Depends on Cuckoo Sandbox
- Interval-based memory dump: too many dumps are inefficient in analysis time and disk space
- Trigger-based memory dump: an API that has not been hooked cannot trigger a dump, so its activity is never analyzed
[Figure: interval-based memory dump vs. trigger-based memory dump]
- Reference: https://github.com/djteller/MemoryAnalysis
Drakvuf
- 2014 Hacktivity release
- Copy-on-write disk and memory clones of the analysis VM
- Extra resources are allocated only when used; VLAN isolation between clones
- Detects when a new process is scheduled, syscalls are executed, files are accessed/created/deleted, etc.
[Figure: Drakvuf structure]
- Reference: http://drakvuf.com/
  http://www.slideshare.net/tklengyel/drakvuf?next_slideshow=1
[Figure: Drakvuf malware analysis result]
Memminer
- CanSecWest 2015 release
- Agentless (no component inside the guest)
- Built on Rekall & LibVMI
- Operating-system data is described with the CybOX object model
- Reference: http://cyboxproject.github.io/documentation/object-relationships/#Created
New Malware Analysis System: Malware Analyst
[Figure: Malware Analyst structure]
Memory Analysis Engine (uses LibVMI & Volatility)
- Command Analysis
- Process Analysis
- Thread Analysis
- Network Analysis
- Service Analysis
- MBR Analysis
- Rootkit Analysis
Why use LibVMI & Volatility?
- LibVMI (Library for Virtual Machine Introspection)
  - Memory dumps are not necessary: too many dumps are inefficient in analysis time and disk space
  - Direct access to the guest's memory from the hypervisor side
  - Reliable memory view: the guest, and the malware running in it, cannot tamper with what the hypervisor reads, so the analysis results are reliable
- Volatility
  - Can analyze the memory exposed through LibVMI (via the Volatility address space plugin that LibVMI ships), without a dump file
  - Open source
  - Focused on forensics, incident response and malware
Command Analysis
- Cmdscan: scans for _COMMAND_HISTORY structures to recover the commands typed into cmd.exe
- Consoles: scans for _CONSOLE_INFORMATION / _SCREEN_INFORMATION to recover console I/O data (the screen buffer, i.e. both commands and their output)
- Shellbags: parses the ShellBag keys of the cached NTUSER.DAT & UsrClass.dat hives to recover the folders the user browsed, timestamps, installer activity, etc.
Process Analysis - Privs
- Malware must hold, and enable, the privileges its malicious behavior needs; a dangerous privilege that is enabled but not enabled by default is a strong signal
Dangerous Privileges
- SeBackupPrivilege: malware can leverage this privilege to copy locked files
- SeDebugPrivilege: practically all malware that performs code injection from user mode relies on enabling this privilege
- SeLoadDriverPrivilege: malware can load or unload kernel drivers (rootkit loading)
- SeChangeNotifyPrivilege: malware can use this to learn immediately when one of its configuration or executable files is removed by antivirus or by a user
- SeShutdownPrivilege: a bootkit that modifies the Master Boot Record (MBR) does not activate until the next time the system boots, so it uses this privilege to force a reboot
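The check behind the table above, as an added example that is not part of the slides or of Malware Analyst: it decodes the three 64-bit bitmasks (Present, Enabled, EnabledByDefault) of a Vista-and-later _SEP_TOKEN_PRIVILEGES structure the way Volatility's privs plugin does, using the standard privilege LUID values, and reports dangerous privileges that were enabled at runtime rather than by default. The token bytes are constructed for the example.

```python
"""Added example (not from the BLACKFORT slides): decode a Vista+ token's
_SEP_TOKEN_PRIVILEGES bitmasks and flag dangerous privileges a process
enabled itself (Enabled set, EnabledByDefault clear)."""
import struct

# Standard LUID low parts; bit n of each mask stands for privilege LUID n.
PRIVILEGES = {
    7: "SeTcbPrivilege",
    10: "SeLoadDriverPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    23: "SeChangeNotifyPrivilege",
    29: "SeImpersonatePrivilege",
}
# The privileges the slide lists as dangerous in the hands of malware.
DANGEROUS = {"SeBackupPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
             "SeChangeNotifyPrivilege", "SeShutdownPrivilege"}


def parse_sep_token_privileges(blob):
    """_SEP_TOKEN_PRIVILEGES (Vista+): three consecutive little-endian
    64-bit masks: Present, Enabled, EnabledByDefault."""
    return struct.unpack("<QQQ", blob[:24])


def decode_privileges(blob):
    """One row per privilege present in the token, with its attributes."""
    present, enabled, default = parse_sep_token_privileges(blob)
    rows = []
    for luid, name in sorted(PRIVILEGES.items()):
        bit = 1 << luid
        if present & bit:
            rows.append({"name": name, "enabled": bool(enabled & bit),
                         "default": bool(default & bit)})
    return rows


def suspicious_privileges(blob):
    """Dangerous privileges that are Enabled but not EnabledByDefault: the
    process (or whoever injected into it) called AdjustTokenPrivileges."""
    return [r["name"] for r in decode_privileges(blob)
            if r["name"] in DANGEROUS and r["enabled"] and not r["default"]]


def make_token_blob(present, enabled, default):
    """Constructed sample: build the 24-byte structure from LUID lists."""
    to_mask = lambda luids: sum(1 << luid for luid in luids)
    return struct.pack("<QQQ", to_mask(present), to_mask(enabled), to_mask(default))


# Constructed sample: a user process that enabled SeLoadDriverPrivilege and
# SeDebugPrivilege at runtime; SeChangeNotify/SeImpersonate are default-on.
SAMPLE = make_token_blob(
    present=[10, 17, 19, 20, 23, 29],
    enabled=[10, 20, 23, 29],
    default=[23, 29],
)

if __name__ == "__main__":
    for r in decode_privileges(SAMPLE):
        print(f"{r['name']:<26} enabled={r['enabled']!s:<5} default={r['default']}")
    print("suspicious:", suspicious_privileges(SAMPLE))
```

SeChangeNotifyPrivilege is enabled by default in almost every token, which is why the check keys on the Enabled-but-not-Default state rather than on mere presence; a process that merely holds SeDebugPrivilege (any administrator) is not interesting, one that turned it on is.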
Process Analysis - Auditpol, Pstree, Psscan, Procdump
- Auditpol: reads the global audit policy, so the analyst knows which events the system would have logged
- Pstree: walks the doubly linked list of _EPROCESS objects and prints the parent/child tree
- Psscan: scans kernel memory for _EPROCESS objects (pool tag and sanity checks) instead of relying on the linked list, so it also finds terminated processes and processes hidden by unlinking them from the list
- Procdump: locates the PE header at the process's image base and rebuilds the executable from memory, which yields the unpacked binary
[Figure: Malware Analyst process tree]
Process Analysis - Procdump
[Figure: Citadel malware original binary vs. unpacked binary (dumped with Malware Analyst)]
[Figure: Tesla ransomware original binary vs. unpacked binary (dumped with Malware Analyst)]
Thread Analysis - Threads
- Find orphan threads
  - Walk the doubly linked list of loaded kernel modules and record each module's base address and size
  - A system thread is an orphan when its _ETHREAD.StartAddress is NOT within the range of any loaded module: the driver that started it was unloaded or unlinked from the module list
- Many rootkits use orphan threads
  - Examples: Tigger, Mebroot
[Figure: Tigger sample showing an orphan thread]
Network Analysis - Sockets & Connections
- Windows XP/2003
  - Sockets are _ADDRESS_OBJECT and connections are _TCPT_OBJECT structures inside tcpip.sys
  - The structures are undocumented by Microsoft, but many hackers have reverse-engineered them in the past
  - List walk vs. scan: the list plugins follow the tables, the scan plugins carve the objects by pool tag and therefore also find closed sockets and connections
              Socket search        Connection search
    Table     _AddrObjTable        _TCBTable
    Object    _ADDRESS_OBJECT      _TCPT_OBJECT
    Plugin    sockets / sockscan   connections / connscan
- Netscan
  - Windows Vista and later
  - Finds _TCP_ENDPOINT
  - Finds _TCP_LISTENER
  - Finds _UDP_ENDPOINT
Service Analysis - Svcscan
- Scans the memory of services.exe for the "sErv" (XP/2003) and "serH" (Vista and later) tags
- The tags are embedded in members of each _SERVICE_RECORD
- Finds all instances of the structures even if they have been unlinked from the list
- Compare the entries found by scanning with the ones found via list walking to determine exactly which services have been maliciously unlinked
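The scan-versus-list cross-view used by svcscan here, and by psscan against pstree in the Process Analysis section, as an added example that is not part of the slides or of Malware Analyst. It builds a constructed toy memory image (a simplified record layout with a tag, Flink, Blink, pid and name; not the real _EPROCESS or _SERVICE_RECORD layout) in which one record is unlinked DKOM-style but left in memory, then shows that the list walk misses it while the tag scan does not.

```python
"""Added example (not from the BLACKFORT slides or Malware Analyst): the
scan-versus-list cross-view behind psscan/pstree and svcscan, run over a
constructed toy memory image."""
import struct

BASE = 0x1000                    # address of the list head (constructed)
TAG = b"Proc"                    # stands in for the object's pool tag
REC = "<4sIII16s"                # tag, Flink, Blink, pid, name (toy layout)
REC_SIZE = struct.calcsize(REC)  # 32 bytes


def build_image(procs, hidden_pids):
    """Constructed image: an 8-byte list head at BASE, then one record per
    process. Records whose pid is in hidden_pids stay in memory but are
    unlinked from the list, the way a DKOM rootkit hides an object."""
    img = bytearray(0x20 + len(procs) * REC_SIZE)
    addr = {pid: BASE + 0x20 + i * REC_SIZE for i, (pid, _) in enumerate(procs)}
    chain = [BASE] + [addr[p] for p, _ in procs if p not in hidden_pids] + [BASE]
    flink = {chain[i]: chain[i + 1] for i in range(len(chain) - 1)}
    blink = {chain[i + 1]: chain[i] for i in range(len(chain) - 1)}
    struct.pack_into("<II", img, 0, flink[BASE], blink[BASE])
    for pid, name in procs:
        a = addr[pid]
        # An unlinked record keeps self-pointing links, which is what a
        # rootkit typically leaves behind after removing it from the list.
        struct.pack_into(REC, img, a - BASE, TAG, flink.get(a, a), blink.get(a, a),
                         pid, name.encode().ljust(16, b"\0"))
    return bytes(img)


def read_record(img, addr):
    _, flink, _, pid, name = struct.unpack_from(REC, img, addr - BASE)
    return flink, (pid, name.rstrip(b"\0").decode())


def walk_list(img):
    """pslist/pstree view: follow Flink from the head until it wraps around.
    A record that was unlinked is invisible here."""
    found, seen = [], set()
    cur = struct.unpack_from("<I", img, 0)[0]
    while cur != BASE and cur not in seen:   # seen-set guards against loops
        seen.add(cur)
        cur, rec = read_record(img, cur)
        found.append(rec)
    return found


def scan_tags(img):
    """psscan/svcscan view: carve every record by its tag whether or not it
    is still linked (this also catches terminated objects whose memory
    has not been reused yet)."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        if pos + REC_SIZE <= len(img):
            found.append(read_record(img, BASE + pos)[1])
        pos = img.find(TAG, pos + 1)
    return found


def hidden_records(img):
    """Cross-view: present in the scan but absent from the list walk."""
    return sorted(set(scan_tags(img)) - set(walk_list(img)))


# Constructed sample: four processes, one of them unlinked by a rootkit.
PROCS = [(4, "System"), (600, "services.exe"), (824, "svchost.exe"), (1337, "rootkit.exe")]
SAMPLE = build_image(PROCS, hidden_pids={1337})

if __name__ == "__main__":
    print("list walk:", walk_list(SAMPLE))
    print("tag scan :", scan_tags(SAMPLE))
    print("hidden   :", hidden_records(SAMPLE))
```

On a real image the difference set also contains objects that simply exited (psscan shows their exit time), so an entry in the scan-only set is a lead, and the exit time and the object's own sanity fields decide between "terminated" and "hidden".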
MBR Analysis - Mbrparser
- Scans kernel memory for candidate MBRs: 512-byte blocks that end with the boot signature \x55\xaa (at offset 510)
- Compares the partition table and boot code of each scanned copy with the real MBR; a bootkit keeps the partition table intact and replaces only the boot code
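The MBR carving and comparison described above, as an added example that is not part of the slides or of Malware Analyst: it parses the partition table of a 512-byte sector, carves every plausible MBR copy out of a memory buffer by its 0x55AA signature the way mbrparser does, and flags copies that share the disk's partition table but carry different boot code. The clean MBR, the infected copy and the memory buffer are all constructed for the example, and the partition entries use zeroed CHS fields.

```python
"""Added example (not from the BLACKFORT slides or Malware Analyst): parse an
MBR, carve MBR copies out of memory by the 0x55AA signature, and flag copies
whose boot code differs from the disk's (bootkit signature)."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIG_OFF = 510            # boot signature 0x55 0xAA
SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Boot-code hash and non-empty partition entries of a 512-byte sector;
    raises ValueError if the sector cannot be an MBR."""
    if len(sector) != MBR_SIZE or sector[SIG_OFF:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY, sector[off:off + 16])
        if status not in (0x00, 0x80):
            raise ValueError("invalid partition status byte")
        if ptype:
            if sectors == 0:
                raise ValueError("typed partition with zero length")
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
            "partitions": parts}


def scan_for_mbrs(mem):
    """mbrparser style: every 512-byte window ending in 0x55AA that carries a
    valid, non-empty partition table is a candidate. Returns (offset, info)."""
    hits, pos = [], mem.find(SIGNATURE, SIG_OFF)
    while pos != -1:
        start = pos - SIG_OFF
        try:
            info = parse_mbr(mem[start:start + MBR_SIZE])
            if info["partitions"]:
                hits.append((start, info))
        except ValueError:
            pass                       # random 0x55AA, not an MBR
        pos = mem.find(SIGNATURE, pos + 1)
    return hits


def find_tampered(disk_mbr, mem):
    """Offsets of in-memory copies that have the disk's partition table but
    different boot code: a bootkit keeps the partitions and swaps the loader."""
    ref = parse_mbr(disk_mbr)
    return [off for off, info in scan_for_mbrs(mem)
            if info["partitions"] == ref["partitions"]
            and info["bootcode_sha256"] != ref["bootcode_sha256"]]


def build_mbr(bootcode, partitions):
    """Constructed MBR: boot code padded to 446 bytes, then up to four
    (bootable, type, lba_start, sectors) entries with zeroed CHS fields."""
    table = b"".join(struct.pack(ENTRY, 0x80 if bootable else 0, ptype, start, sectors)
                     for bootable, ptype, start, sectors in partitions)
    return (bootcode[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\0")
            + table.ljust(64, b"\0") + SIGNATURE)


# Constructed samples: a clean MBR with one bootable NTFS partition, and a copy
# whose first 16 bytes of boot code were replaced by a jump into bootkit code.
CLEAN_MBR = build_mbr((bytes(range(256)) * 2)[:PART_TABLE_OFF], [(True, 0x07, 2048, 1_000_000)])
INFECTED_MBR = b"\xeb\x10" + b"\x90" * 14 + CLEAN_MBR[16:]
MEM = b"\0" * 0x300 + CLEAN_MBR + b"\0" * 0x1000 + INFECTED_MBR + b"\0" * 0x100

if __name__ == "__main__":
    for off, info in scan_for_mbrs(MEM):
        print(f"MBR copy at {off:#x}: {info['partitions']} bootcode={info['bootcode_sha256'][:16]}")
    print("tampered copies:", [hex(o) for o in find_tampered(CLEAN_MBR, MEM)])
```

The partition-table match is what separates "a different disk's MBR cached in memory" from "my disk's MBR with patched boot code"; only the second is evidence of a bootkit, and the boot-code hash is what you then compare against a known-good loader.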
Rootkit Analysis - Driverirp
- Finds _DRIVER_OBJECT structures in kernel memory
- Reads the 28 entries of the MajorFunction array and determines which module each one points to
- A rootkit driver can hook entries in another driver's IRP function table
- For example, by overwriting IRP_MJ_CREATE in a driver's IRP table a rootkit can inspect (and filter) every create/open request sent to that driver, such as file creates sent to a file system driver
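The module-range check that both the orphan-thread test (Thread Analysis) and the IRP hook test above rely on, as one added example that is not part of the slides or of Malware Analyst. It uses a constructed loaded-module list with made-up addresses, reads DriverStart and the 28-entry MajorFunction array from a constructed 32-bit _DRIVER_OBJECT (offsets 0x0C and 0x38, the x86 layout this example assumes), and treats an entry as hooked when it points neither into the owning driver nor into the kernel (unused entries legitimately point at nt!IopInvalidDeviceRequest, whose address here is hypothetical).

```python
"""Added example (not from the BLACKFORT slides or Malware Analyst): the
"is this address inside a loaded module?" check shared by the orphan-thread
test (threads plugin) and the IRP hook test (driverirp plugin)."""
import struct

# Constructed module list, as a walk of the loaded-module list would return
# it: (name, base, size). All addresses are made up for this example.
MODULES = [
    ("ntoskrnl.exe", 0x80400000, 0x21A000),
    ("tcpip.sys",    0xF7A00000, 0x0B0000),
    ("driver.sys",   0xF8100000, 0x010000),
]


def module_for(addr, modules=MODULES):
    """Name of the module whose image contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def find_orphan_threads(threads, modules=MODULES):
    """threads: (tid, _ETHREAD.StartAddress) pairs of system threads. A start
    address outside every loaded module means the owning driver was unloaded
    or unlinked from the module list: an orphan thread."""
    return [(tid, hex(start)) for tid, start in threads
            if module_for(start, modules) is None]


# 32-bit _DRIVER_OBJECT offsets assumed here: DriverStart at 0x0C,
# DriverSize at 0x10, MajorFunction[28] at 0x38, structure size 0xA8.
DRV_START_OFF, DRV_MAJOR_OFF, DRV_SIZE = 0x0C, 0x38, 0xA8
IRP_MJ_COUNT = 28            # IRP_MJ_MAXIMUM_FUNCTION (0x1B) + 1
IRP_MJ_NAMES = {0x00: "IRP_MJ_CREATE", 0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE",
                0x0E: "IRP_MJ_DEVICE_CONTROL", 0x12: "IRP_MJ_CLEANUP"}


def find_irp_hooks(driver_obj, modules=MODULES):
    """driverirp style: every MajorFunction entry should point into the owning
    driver or into the kernel (unused entries point at IopInvalidDeviceRequest).
    Returns (IRP name, target address, module containing the target or None)."""
    driver_start, _ = struct.unpack_from("<II", driver_obj, DRV_START_OFF)
    owner = module_for(driver_start, modules)
    hooks = []
    entries = struct.unpack_from(f"<{IRP_MJ_COUNT}I", driver_obj, DRV_MAJOR_OFF)
    for idx, fn in enumerate(entries):
        target = module_for(fn, modules)
        if target not in (owner, "ntoskrnl.exe"):
            hooks.append((IRP_MJ_NAMES.get(idx, f"IRP_MJ_{idx:#04x}"), hex(fn), target))
    return hooks


def make_driver_object(driver_start, driver_size, major_functions):
    """Constructed _DRIVER_OBJECT carrying only the fields the check reads."""
    blob = bytearray(DRV_SIZE)
    struct.pack_into("<II", blob, DRV_START_OFF, driver_start, driver_size)
    struct.pack_into(f"<{IRP_MJ_COUNT}I", blob, DRV_MAJOR_OFF, *major_functions)
    return bytes(blob)


# Constructed samples. Thread 999 starts in memory no module backs; the
# tcpip.sys driver object has two entries redirected, one into driver.sys and
# one into an unlinked region. 0x804E3AC0 plays nt!IopInvalidDeviceRequest.
THREADS = [(100, 0x80412000), (312, 0xF7A05000), (999, 0xFA000100)]
_major = [0x804E3AC0] * IRP_MJ_COUNT
_major[0x00], _major[0x03] = 0xF7A01000, 0xF7A02000   # legitimate, inside tcpip.sys
_major[0x0E], _major[0x12] = 0xF8100500, 0xFA000000   # hooked
DRIVER_OBJECT = make_driver_object(0xF7A00000, 0x0B0000, _major)

if __name__ == "__main__":
    print("orphan threads:", find_orphan_threads(THREADS))
    for irp, target, mod in find_irp_hooks(DRIVER_OBJECT):
        print(f"hooked {irp:<22} -> {target} ({mod or 'no loaded module'})")
```

A hook that lands inside a legitimately loaded third-party driver (driver.sys here) is just as suspicious as one landing in unbacked memory; the second case is what a rootkit that unlinked itself from the module list looks like. Inline patches of a driver's own dispatch code keep every pointer inside the owner and are not caught by this check.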
Rootkit Analysis - Devicetree
- Windows uses a layered architecture for handling I/O requests
- Multiple drivers can handle the same IRP
- Instead of hooking a target driver's IRP function as described above, a rootkit can simply insert (attach) its own device into the target device's stack; devicetree prints the stacks so the extra device stands out
Rootkit Analysis - Drivermodule
- Correlates the _DRIVER_OBJECT data found in kernel memory with the loaded module list
- Gets the driver name and the driver's display (module) name
- Driver modules newly found this way are then dumped for further analysis
Rootkit Analysis - Callbacks
Callback types used by rootkits:
- Process creation: PsSetCreateProcessNotifyRoutine
- Thread creation: PsSetCreateThreadNotifyRoutine (used by BlackEnergy)
- Image load: PsSetLoadImageNotifyRoutine (used by Stuxnet)
- Registry modification: CmRegisterCallback (XP), CmRegisterCallbackEx (Vista and later) (used by Ascesso)
- Bugchecks: KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback
- Callback types rootkits rarely use: shutdown, debug print, file system and PnP callbacks
[Figure: Malware Analyst structure - Mamon]
Mamon
- Detects process changes, file changes and registry changes
- Monitors API function arguments
- Operating-system data is described with the CybOX object model (registry, process, file, ...)
- Why kernel-level hooking?
  - Anti-VM bypass (VM hardening): there is no user-mode hook or agent DLL in the process for the malware to detect
  - Rootkit analysis: kernel activity is visible, unlike with user-level API hooks
- Registry monitoring uses CmRegisterCallback (XP) / CmRegisterCallbackEx (Vista and later)
- Built with the Windows Driver Kit
- Mamon runs inside the analysis virtual machine
[Figure: Malware Analyst structure - network analysis]
Network Analyze - MITM Proxy & TCPDump
- Why use MITM Proxy
  - Decrypts SSL/HTTPS traffic
  - Classifies the protocol of each packet
MITM Proxy structure (transparent HTTPS):
1. Connection: the client opens a TCP connection, believing it is talking to the server
2. Redirection: the connection is transparently redirected to the proxy
3. The client initiates the SSL handshake with SNI
4. The proxy initiates its own SSL handshake, with the same SNI, to the real server
5. The proxy reads the CN & SANs from the server's certificate and generates a matching certificate
6. The proxy completes the SSL handshake with the client using the generated certificate
7. The client sends its request
8. The proxy forwards the request to the server
[Figure: MITM proxy example data (https://www.google.com)]
Reference: http://docs.mitmproxy.org/en/stable/howmitmproxy.html#transparent-https
Network Analyze
- HTTP replay
- Downloads the files the malware fetched (images, Flash, sound, ...)
- Draws the network flow
[Figure: Citadel network analysis result; Citadel network flow]
Demo: Citadel, memory-hacking rootkit malware, Tesla ransomware
Limitations of Malware Analyst
- Only 32-bit Windows guests are supported
- Anti-memory-forensics techniques
- Other anti-VM techniques
- Malware that detects hooking
- Etc.
Benefits of Malware Analyst
- Unpacked binaries
- Decrypted network packet data (HTTPS, TLS, ...)
- Timeline of the malware's runtime behavior
- Rootkit analysis
Future: Threat Insight & Malware Analyst
- Future
  - Support for x64 Windows, plus anti-VM and anti-memory-forensics research
  - Support for generating IOC pattern files
- Threat Insight
  - Web site threat detection system
  - Malware Analyst and Threat Insight will cooperate
  - New malware database platform
Thank you
Reference: The Art of Memory Forensics (Ligh, Case, Levy, Walters; Wiley, 2014)