$kernel->infect(): Creating a cryptovirus for Symfony2 apps

MALICIOUS CRYPTOGRAPHY IN SYMFONY APPS

Raul Fraile@raulfraile

• PHP/Symfony2 developer at

• PHP 5.3 Zend Certified Engineer

• Symfony Certified Developer

• BS in Computer Science. Ms(Res) student in Computing Technologies.

• Open source: LadybugPHP

ABOUT $ME

STUFF WE’LL TALK ABOUT

• Cryptovirology studies how to use cryptography to design malicious software.

• Closely related to ransomware and private information retrieval.

• A fundamental twist in cryptography.

CRYPTOVIROLOGY

CRYPTOVIROLOGY

Public Key Cryptography

Symfony Internals

Hiding Strategies

Protection Strategies

CREATING OUR OWN CRYPTOVIRUS

…for fun and profit!

WARNING• This is not a real virus, just a

proof of concept. • Symfony is not more

vulnerable than other frameworks, this talk takes Symfony just as an example.

• We assume that the virus is already in the target computer.

KEEP CALM

OUR CRYPTOVIRUS#1 Get public key from the hacker server

GET public_key

Hacker serverApp server

OUR CRYPTOVIRUS#2 Infect the Symfony 2.x app

app[_dev].php

bootstrap.php.cache

Kernel events

OUR CRYPTOVIRUS#3 (a) Use the public key to encrypt data

app[_dev].php

bootstrap.php.cache

Kernel events

Database

User uploads

Logs

…

OUR CRYPTOVIRUS#4 (a) Pay to get the private key to decrypt data

GET private_key


OUR CRYPTOVIRUS#3 (b) Intercept user/passwords and save them encrypted

app[_dev].php

bootstrap.php.cache

Kernel events

raul

Submit

User

*****Password

OUR CRYPTOVIRUS#4 (b) Get user/password pairs using a backdoor

GET users


PUBLIC KEY CRYPTOGRAPHY

• Public key (asymmetric) cryptography requires two different keys: public and private.

• Based on one-way functions (trapdoors), which are easy to compute in one direction, but believed to be difficult to find its inverse.

• Most used one-way functions: integer factorization, discrete logarithm and elliptic curves.



WANT SEND image.jpg

AliceA A

BobB B

B

image.jpg

101101001011001 Chuck

p = 115307171677547 q = 190761112638809 n = p * q = 21996124364443030184426121523

Having p and q, calculate n Having n, calculate p and q

Multiplication Factorization


SlowFastnot in Polinomial time

n = 21996124364443030184426121523 = p * q = … = 115307171677547 * 190761112638809

• Open Source toolkit for SSL/TLS, as well as a full-strength general purpose cryptography library.

• PHP extension: php-openssl.

OPENSSL

$config = array( "digest_alg" => "sha512", "private_key_bits" => 4096, "private_key_type" => OPENSSL_KEYTYPE_RSA, ); !// Create the private and public key $resource = openssl_pkey_new($config); !// Extract the private key openssl_pkey_export($resource, $privKey); !// Extract the public key $pubKey = openssl_pkey_get_details($res); $pubKey = $pubKey[“key"];

PHP + OPENSSL

PHP + OPENSSL

-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5gclOxvP9AyrUkk01b+b aa3TQSclpol0B/2bU8e54DfJkCermqN8aHQFhscWtDQeQjZMBMa3LPjql/QW0cgw knXrG0Ns+pk8960v8y1TBUK/AeOTfYJJ00A4Od6g7fA5oMOeI8IMaCD1eSJC5Fzi bhVUygxMzc4ctqqvnJGDd7BPKo8Dg8pFHPnNF6hj7rb/JogWq9qiKZEXFRwMnJSg … -----END PUBLIC KEY-----

-----BEGIN PRIVATE KEY----- YungQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDmByU7G8/0DKtS oTTVv5tprdNBJyWmiXQH/ZtTx7ngN8mQJ6uao3xodAWGxxa0NB5CNkwExrcs+OqX uBbRyDCSdesbQ2z6mTz3rS/zLVMFQr8B45N9gknTQDg53qDt8Dmgw54jwgxoIPV5 nkLkXOJuFVTKDEzNzhy2qq+ckYN3sE8qjwODykUc+c0XqGPutv8miBar2qIpkRcV gAyclKCPdhrW9OZiWX7IbhM95BwNJ3JZtPhWNA42IBlwv1tPMbiKnRcLC0FEL0qK Iv7z1uPMaCYo+HioCcECUXj6b2nuDbdNIpXHQr98fC+vjxJWmd6zfcXG98h0eBrp nbXU9SvNdX1fzHmDRrAl+NselZK5SHgyYY5aUb4gyyxQ+dVCWTaZQ1MmYZxiu4g4 a20tJHHYqkFV7ogS8u+Kfq4h/SlJ2wHeEhE4An1hXlEJXIZpK/z0+quScgKiqx9t oBhkG44f4KIVfpqg9RKgrg9yFaavFjWJSIbXh+ciuLDDI/150as5pFKAtENuVXjS xmrbpbbxeamKHNSD6O+wFbOaOw/r4NEWd1/p0AZ+qBRNl4fgCMCxRWDui6txjKGK oiFVf6Brf3xg/69KoCTS3svJ4Kmm0TB8tloXKRW/qXhFkQJpn12wCwuazPE98nep xApa2zTc7xcLt4ISJYHNCRX+n3puFwIDAQABAoICAB/K6QhsZaeTgLJUz+qjGvXW … -----END PRIVATE KEY-----

$data = “Creating a cryptovirus for Symfony2 apps”; !// Encrypt the data openssl_public_encrypt($data, $encrypted, $pubKey); !// Decrypt the encrypted data openssl_private_decrypt($encrypted, $decrypted, $privKey);

PHP + OPENSSL

SYMFONY INTERNALS

kernel.request

Request

Response

kernel.controller

kernel.view kernel.response

kernel.terminate

kern

el.e

xcep

tion

KERNEL EVENTS

• kernel.request is dispatched as soon as the request arrives. Listeners can return a Response and “end” the execution.

• kernel.controller is dispatched once the controller has been resolved. Listeners can manipulate the Controller callable.

KERNEL EVENTS

• kernel.view is dispatched only if the Controller does not return a Response object.

• kernel.response allows to modify or replace the Response object after its creation.

KERNEL EVENTS

• kernel.exception is dispatched if there is an uncaught exception. Last chance to convert an Exception object into a Response object.

• kernel.terminate is dispatched once the response has been sent. Allows to run expensive post-response jobs.

KERNEL EVENTS

• The bootstrap.php.cache file is created to improve performance, reducing IO operations.

• Just a copy&paste of common classes and interfaces that will be used for sure.

BOOTSTRAP FILE

BOOTSTRAP FILE

{ "name": "symfony/framework-standard-edition", "scripts": { "post-install-cmd": [ ..., “Sensio\\Bundle\\DistributionBundle\\Composer \\ScriptHandler::buildBootstrap", ... ], "post-update-cmd": [ ..., “Sensio\\Bundle\\DistributionBundle\\Composer \\ScriptHandler::buildBootstrap", ... ] } }

HIDING THE VIRUS

• Virus definitions. Antivirus software scans files to find matches. Useful for known malware (up-to-date antivirus).

• Heuristics allow antivirus software to identify new or modified malware, even without virus definition files. Based on system calls, network packets, kernel events…

ANTIVIRUS

unlink(__FILE__);

REMOVING ITSELF

$originalCode = "phpinfo();"; !// encode with base65 n times $encoded = $originalCode; $times = 5; for ($i=0; $i<$times;$i++) { $encoded = base64_encode($encoded); } !// generate hidden code $code = sprintf('eval(%s"%s"%s);', str_repeat('base64_decode(', $times), $encoded, str_repeat(')', $times) ); $code = gzdeflate($code); !var_dump($code); // K-K??HJ,N53...

GZIP + BASE64

eval(gzinflate($code));

GZIP + BASE64

• Polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact.

• Makes it difficult for antivirus software to recognise the code as it constantly changes.

• Emulation (sandbox) may be used.

POLYMORPHIC CODE

echo 'Hello world!'; !echo 'Hello' . ' ' . 'world!'; !printf('Hello world!'); !file_put_contents('php://stdout', 'Hello world!'); printf('%c%c%c%c%c%c%c%c%c%c%c%c', 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x21 );

POLYMORPHIC CODE

All of them print “Hello world!”, but using different code which generate different AST/opcodes.

POLYMORPHIC CODE

POLYMORPHIC CODE

Op Operands1 ECHO Hello+world%21'

2CONCAT Hello', '+'CONCAT ~0, 'world%21'

ECHO ~1

3SEND_VAL Hello+world%21'DO_FCALL printf'

4SEND_VAL php%3A%2F%2Fstdout'SEND_VAL Hello+world%21'DO_FCALL file_put_contents'

5

SEND_VAL %25c%25c%25c…%25c%25c’SEND_VAL 72SEND_VAL …101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 33DO_FCALL printf'

• The goal would be to create a polymorphic engine that generates different code in each infection randomly.

• Really difficult to get random numbers in computers, as they usually can be predictable.

POLYMORPHIC CODE

rand() mt_rand()

RANDOM NUMBERS

• Computational methods are not considered true random number generators. In practice, they are sufficient for most tasks.

• Physical methods use physical phenomenon expected to be random. For example, atmospheric noise (random.org), radioactive decay, radio noise or even a coin flipping.

RANDOM NUMBERS

http://random.org

RANDOM NUMBERS

1 2 3 4 5 6 7 8 9 10

Human brain

RANDOM NUMBERS

1 2 3 4 5 6 7 8 9 10

Ideal PRNG

PROTECTING US

PROTECTING US

• Before the infection: security measures, restrictive permissions, disable php-openssl if we don’t need it, allow_url_fopen, virus inoculation…

• Once the app has been infected, we want to know it as soon as possible, checking its integrity.

Hash functions create a fixed-length digest from data of arbitrary length.

HASH FUNCTIONS

Easy to compute.

Infeasible to generate a message that has a given hash.

Infeasible to modify a message without changing the hash.

Infeasible to find two different messages with the same hash.

Tiny changes in source generate (with high probability) big changes in the digest.

HASH FUNCTIONS

• md5() is not collision resistant. It is possible to create two files that share the same checksum.

• We can include the checksum of the whole project in the build process and check it regularly.

HASH FUNCTIONS

use Symfony\Component\Finder\Finder; !$finder = new Finder(); $finder->in(__DIR__ . ‘/project') ->files() ->name('*.php'); !$hash = hash_init('sha512'); foreach ($finder as $file) { hash_update($hash, $file->getContents()); } !// hash of the whole project $hash = hash_final($hash);

HASH FUNCTIONS

• The PHAR extension provides a way to put entire PHP applications into a single file.

• Equivalent to Java JAR files.

• PHAR files can contain a signature (checksum) of the included files.

PHAR SIGNATURES

Stub

Manifest

File contents

Signature

Actual contents of the files

Describes the contents of the files: filename, size, timestamp, CRC32…

Phar Signature in MD5, SHA1, SHA256, SHA512 or OpenSSL (key pair)

__HALT_COMPILER();Usually contains loader functionality

PHAR SIGNATURES

LET’S SEE IT IN ACTION!

THANK YOU!

https://www.flickr.com/photos/sanofi-pasteur/7413644106 https://www.flickr.com/photos/robbie73/8280822928

https://github.com/raulfraile/cryptosymfony

https://www.flickr.com/photos/sanofi-pasteur/7413644106

https://www.flickr.com/photos/robbie73/8280822928

$kernel->infect(): Creating a cryptovirus for Symfony2 apps

Technology

Transcript of $kernel->infect(): Creating a cryptovirus for Symfony2 apps