Going gets tough
Marta Janus, Malware Researcher
Going gets tough: A tale of encounters with novel evasive malware
# whoami
• reverse engineering adept & enthusiast
• malware researcher @ KL since 2009
• linux user since 2006
• baldur's gate player since 1999
Are rootkits on the decline?
Tough times for rootkits
• kernel-space no longer safe for malware
• bootkits easily detected
• hypervisor-level stealth too complex
→ shift in malware strategy
Hiding vs. evasion: the goals
• hide from admin?
• bypass detection
• protect C&C infrastructure
• protect the payload
Case 1: Baldur
"When the going gets tough, someone hold my rodent!"
# Trojan.Win32.Baldur
• set of classical anti-vm / anti-dbg checks
• heavily based on a0rtega's pafish
• overly exciting? not really, but...
• ...a textbook case :)
# classic_checks
# environmental_checks
WinSpy?
MBAM?
???
# environmental_checks
# drive_size_check
# game_over
Case 2: CVE-0158 & Gimemo
"Evil 'round every corner. Careful not to step in any."
# armed-to-the-teeth
• http://www.securelist.com/en/analysis/204792298/The_curious_case_of_a_CVE_2012_0158_exploit
• multilayered OLE objects, lots of obfuscation
• multi-stage shellcode:
~ stage_1: ROP chain
~ stage_2: decryptor of stage_3
~ stage_3: egg-hunter
~ stage_4: dropper
# execute_payload
# payload: decrypt_loader
# skip_all_checks
# trigger_exception
# dummy_code
# seh_routine
# anti_hook, anti_bp
# anti_hook, anti_bp
# anti_hook, anti_bp: trampoline
# the dropper & the bot
Case 3: PSW & more SEH
"No effect?! I need a bigger sword!"
# Trojan-PSW.Win32.Multi
• also spread via hardened CVE-0158 exploit
• also lots of anti-* techniques
• code flow of the loader fully based on exception handling blocks
• payload saved as a registry value
• overwrites fxsst.dll to assure persistence
# malware_main; seh chain
# exception_1
# exception_handler
# dormant_phase
# check_trend_micro
# exception_4
# decrypt_inject
Case 4: hardened Zeus
"Fool me once, shame on you; fool me twice, watch it! I'm huge!"
# Trojan.Win32.Zbot
• samples from period of March – May 2014
• use of windows messaging system
• use of SEH
• multiple downloaders
~ each with the same set of anti-* techniques
# load_cursor
# process_wndmsg
# seh_anti_debug
# seh_anti_debug
# enum_windows
Case 5: even more hardened Zeus
"Boo says 'WHAT?'"
# ZeuS p2p aka Game Over
• works only on Windows 7
• anti-emulation based on default values in the CPU registers
• drops Necurs rootkit (!)
• bypasses driver signing by setting the TESTSIGNING option via bcdedit
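A defender-side check for two host indicators the deck names, the fxsst.dll overwrite used for persistence in Case 3 and bcdedit enabling TESTSIGNING in Case 5, as an added example that is not from the talk. The event records are constructed for the example and their field names (type, image, cmdline, path) are an assumed simplified shape, not any real telemetry schema.

```python
import re

# Constructed sample events (not from the talk). Field names are an
# assumed, simplified shape of process-creation / file-write telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} TESTSIGNING on"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                      # benign: only lists the BCD store
    {"type": "file_write", "image": r"C:\Users\user\AppData\Local\Temp\drop.exe",
     "path": r"C:\Windows\System32\fxsst.dll"},
    {"type": "file_write", "image": r"C:\Program Files\App\setup.exe",
     "path": r"C:\Program Files\App\fxsst.dll"},       # same name, not a system dir
]

# bcdedit accepts /set or -set, an optional {identifier}, and boolean
# spellings on/yes/true/1 for TESTSIGNING. Case-insensitive on purpose.
_TESTSIGNING_ON = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*[-/]set\b.*\btestsigning\b\s+(?:on|yes|true|1)\b",
    re.IGNORECASE)

# fxsst.dll is a legitimate fax-service DLL; a write to it under the system
# directories (System32 / SysWOW64) is the persistence indicator from Case 3.
_SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def check_event(event):
    """Return an alert string if the event matches a rule, otherwise None."""
    if event["type"] == "process" and _TESTSIGNING_ON.search(event["cmdline"]):
        return "bcdedit enabling TESTSIGNING (driver-signing bypass)"
    if event["type"] == "file_write":
        path = event["path"].lower()
        if path.endswith("\\fxsst.dll") and any(d in path for d in _SYSTEM_DIRS):
            return "fxsst.dll overwritten in a system directory (persistence)"
    return None


def scan(events):
    """Run every rule over the event list; returns (index, alert) pairs."""
    hits = []
    for idx, event in enumerate(events):
        alert = check_event(event)
        if alert is not None:
            hits.append((idx, alert))
    return hits


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert} <- {SAMPLE_EVENTS[idx]['image']}")
```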
# init_dialog
# obfuscated_win7_check
# obfuscated_win7_check
# call_malware_main; step_17
Novel malware architecture
the goals / the aid:
• bypass detection: anti-emu, anti-heur
• protect C&C infrastructure: multiple downloaders, waterholed websites
• protect the payload: anti-re, anti-dbg, anti-vm, encryption, obfuscation, etc...
loader
• packed, layered encryption, lots of anti-*
• injects and executes the dropper code
dropper
• some encryption, some anti-*
• decrypts and executes the downloader/bot code
bot
• small & simple, shellcode-like
• used only to get/decrypt/run the payload(s)
payload
• downloaded from water-holed websites / pushed by C2
• not stored on the disk, short-lived, controlled by C2
Known evasion techniques
• time or condition based triggers:
~ specified timeframes
~ specified settings
~ specified system events (e.g. reboot, mouse click, etc.)
• environmental checks:
~ files on disk, running processes, loaded DLLs, opened windows, mutexes, devices, registry settings...
• checking initial values in CPU registers at EP
~ fingerprinting the OS
Known evasion techniques
• overrunning sandbox/emulator:
~ dormant phase (e.g. sleep loops)
~ junk instructions, slower inside VMs (MMX, FPU, etc.)
~ benign code (legitimate looking syscalls)
~ stalling code (without the use of syscalls)
• using window messaging, APC procedures, etc.
• using chained Exception Handling mechanisms
Countermeasures
• stealth analysis: leave no artifacts
• full emulation: trace all instructions
• full exploration: follow multiple execution paths
• bypass stalling loops: detect & skip passive code
Thank You!
"We are all heroes: You and Boo and I"
marta.janus [at] kaspersky.com
@mvjanus