Malware: The Good, the Bad and the Ugly
Pete Arzamendi
403 Labs, LLC
About Me
• Consultant and forensic investigator at 403 Labs
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Certified Information Systems Security Professional (CISSP)
  – GIAC Reverse Engineering Malware (GREM)
About Me
• Former packet monkey, with more than 10 years of experience in the IT field
• Worked with small/medium businesses, and local and state authorities on computer forensic cases and security assessments
• Hobbies include malware analysis, vulnerability research and hiking
About 403 Labs, LLC
• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco
• Experts in the Payment Card Industry (PCI)
  – PCI Forensic Investigator (PFI)
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Approved Scanning Vendor (ASV)
  – Qualified Security Assessor, Point-to-Point Encryption (QSA (P2PE))
  – Payment Application Qualified Security Assessor, Point-to-Point Encryption (PA-QSA (P2PE))
About 403 Labs, LLC
• Compliance assessments (HIPAA, GLBA, SOX, etc.)
• Computer forensic investigations
• Penetration testing, including web application testing and social engineering
• Vulnerability scanning
• Code reviews
• IT audits
• Risk assessments
• Policies & procedures
Agenda
• Overview of malware
• Analysis approaches
• User versus kernel space
• Establishing persistence
• Memory analysis
• Examples
• Tools for analysis
• Resources
• Questions
Malware
• Wikipedia definition:
  – Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
Malware Types
• Data-stealing
  – User credentials
  – Credit card numbers
  – Transferring funds
  – Confidential information
• Remote access
  – Bots
• Profit-based
  – Ransom/extortion
  – Advertisements
Analysis Approaches
• Static analysis
  – Review PE headers
  – Search for clear-text strings
  – Static code review
• Behavioral analysis
  – Registry monitoring
  – File system monitoring
  – Network monitoring
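The "search for clear-text strings" step above is normally done with Strings from the Sysinternals suite. As an added example that is not from the deck, the Python below does the same job on a constructed byte blob, pulling out both ASCII and UTF-16LE runs (Windows binaries carry many of the latter, which a plain ASCII search misses) and then tagging the ones an analyst reads first: keylogging and service APIs, autorun registry paths, URLs, IP and email addresses. The blob, the IP address and the URL are made up for the example.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a suspicious executable: printable runs mixed with
# binary filler. Not a real sample; the IP and URL are documentation values.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 16
    + b"GetAsyncKeyState\x00"
    + b"\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00ab\xff\xfe"          # "ab" is too short to count as a string
    + b"http://203.0.113.7/upload.php\x00"
)

# Strings worth a second look, keyed by why. The API names and the registry
# path are the ones the deck's user-space and persistence slides mention.
INTERESTING = {
    "keylogging API": re.compile(r"^(GetAsyncKeyState|GetKeyState)$"),
    "service install API": re.compile(r"^(CreateService|StartService)[AW]?$"),
    "autorun registry path": re.compile(r"CurrentVersion\\Run(Once)?", re.I),
    "URL": re.compile(r"^(https?|ftp)://", re.I),
    "IPv4 address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both ASCII and UTF-16LE, sorted by offset."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def triage(strings: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Tag each extracted string with every INTERESTING category it matches."""
    hits = []
    for offset, _enc, text in strings:
        for label, pat in INTERESTING.items():
            if pat.search(text):
                hits.append((offset, label, text))
    return hits


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#08x} {enc:8s} {text}")
    print("-- triage --")
    for offset, label, text in triage(extract_strings(SAMPLE_BLOB)):
        print(f"{offset:#08x} {label:22s} {text}")
```

Run it against a file with `extract_strings(open(path, "rb").read())`. Strings found this way are only leads: packed or encoded samples show few of them, which is itself a finding, and the encoded-configuration case later in the deck is the reason to also look at the data files the sample touches.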
Analysis Approaches
• Which is better?
  – Up to you and your comfort level
• People with a light programming background may choose to start with behavioral analysis
  – I prefer to start with static analysis
    • If stuck, I move to behavioral to fill in the pieces
User Versus Kernel Space Malware
• User space
  – Runs as a normal user, no special privileges
• Keyloggers
  – Use the Windows APIs GetAsyncKeyState and GetKeyState to read keystrokes
• Process scraping for data
  – Accesses each process the user is running, looking for data
• Attempts to blend into the background
  – Renames the executable to match a known Windows executable
• Easier to write and more stable than rootkits
User Versus Kernel Space Malware
• Kernel space
  – Requires and runs under elevated privileges
• Rootkits
  – Difficult to get right
  – Attempt to cloak the malware
    » System Service Descriptor Table (SSDT) hooking: changing Nt* function pointers in the SSDT to point to the malware
    » Interrupt Descriptor Table (IDT) hooking: modifying an interrupt service routine to point to the malware
User Versus Kernel Space Malware
• Modify the forward and back links (Flink/Blink) of the LIST_ENTRY in the EPROCESS structure so the process is unlinked from the active process list and hidden from anything that walks it
Achieving Persistence
• Now that the malware is installed, how do we achieve persistence?
• Several ways to achieve persistence
  – Registry settings
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – Install the malware as a service
    • Windows CreateService API
Memory Analysis
• Forensicswiki.org definition:
  – Memory analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer.
• Pete’s definition:
  – Looking at the man behind the curtain and getting intimate with the operating system.
What is Memory Analysis?
• Why is memory analysis useful?
  – Memory contains a wealth of information
• Process information
  – What applications are running
  – Who is running the applications
  – What data the process is working with
  – Ability to recreate the process executable
• Network information
  – Active connection information
  – Listing of open ports
• Account information
  – Usernames
  – Passwords
• Encryption keys
  – Full disk encryption keys
Analyzing Memory
• What are we looking for?
  – Malicious “stuff”
    • API hooks
    • DLL injections
    • Hidden processes
    • Active listeners
  – Non-malicious “stuff”
    • Encryption keys
    • User account information
Analyzing Memory
• So how do we find the goods?
  – Old-school way (very time consuming)
    • Strings
    • Manually rebuild each process’s structures
  – New methods (let the tools do the heavy lifting)
    • Mandiant Audit Viewer/Redline
    • Volatility
    • EnCase/FTK
    • Several others
Analyzing Memory
• Mandiant
  – Audit Viewer
    • Requires Memoryze
    • Enumerates processes and drivers, with DLL hooking detection
    • Easy to use but clunky
    • Windows only
Audit Viewer
Analyzing Memory
• Mandiant
  – Redline
    • Easier to use than Audit Viewer
    • Support for other tools (IOCs)
    • Nice graph view of what’s going on
    • Customizable audits
    • Windows only
Redline
Analyzing Memory
• Volatility (awesome!)
  – Cross-platform, written in Python
  – Modular design
  – Open source
  – Large development community (very smart people writing modules)
  – Command line
  – Volatility from here on out!
  – Now supports 64-bit
Volatility
Find the Hidden Process
• Compare the difference between psscan and pslist output
• Easier way: psdiff
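The kernel-space slide names the trick (unlinking the EPROCESS from its doubly linked list) and this slide names the detection (psscan versus pslist). As an added example, not taken from the deck or from Volatility, the Python below models both on a toy process list: `pslist` walks the Flink pointers the way the kernel and Volatility's pslist do, `psscan` returns every allocated block the way Volatility's psscan finds _EPROCESS allocations by carving memory, and `psdiff` reports what only the scan sees. The process names and PIDs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Eprocess:
    """Toy stand-in for a kernel _EPROCESS block: name, PID and the two
    ActiveProcessLinks pointers (Flink forward, Blink back) that chain all
    running processes into a circular doubly linked list."""
    pid: int
    name: str
    flink: Optional["Eprocess"] = None
    blink: Optional["Eprocess"] = None


def build_process_list(entries: List[Tuple[int, str]]) -> Tuple[Eprocess, List[Eprocess]]:
    """Allocate one block per process and link them behind a list head (the
    role PsActiveProcessHead plays). Returns the head and the 'pool' of all
    allocations, which is what a memory scanner can still see."""
    head = Eprocess(pid=-1, name="<list head>")
    head.flink = head.blink = head
    pool: List[Eprocess] = []
    for pid, name in entries:
        node = Eprocess(pid, name)
        last = head.blink
        node.blink, node.flink = last, head
        last.flink = node
        head.blink = node
        pool.append(node)
    return head, pool


def unlink(node: Eprocess) -> None:
    """The list manipulation the kernel-space slide describes: the neighbours
    are pointed past this block. The block itself stays in memory untouched."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink


def pslist(head: Eprocess) -> List[int]:
    """Walk Flink from the head, as the kernel (and Volatility's pslist) does."""
    pids, cur = [], head.flink
    while cur is not head:
        pids.append(cur.pid)
        cur = cur.flink
    return pids


def psscan(pool: List[Eprocess]) -> List[int]:
    """Report every block in the pool regardless of links, as a scanner that
    carves _EPROCESS allocations out of physical memory does."""
    return [p.pid for p in pool]


def psdiff(head: Eprocess, pool: List[Eprocess]) -> List[int]:
    """PIDs the scan sees but the list walk does not: hidden (or exited)."""
    return sorted(set(psscan(pool)) - set(pslist(head)))


def demo() -> List[int]:
    head, pool = build_process_list([
        (4, "System"), (348, "smss.exe"), (620, "winlogon.exe"),
        (1284, "explorer.exe"), (1900, "hkcmd.exe"),   # constructed entries
    ])
    unlink(next(p for p in pool if p.pid == 1900))
    return psdiff(head, pool)


if __name__ == "__main__":
    print("hidden PIDs:", demo())
```

On a real image the difference between psscan and pslist also contains processes that have exited but whose _EPROCESS block has not yet been reused, so check the exit time before calling something hidden. Volatility's psxview cross-references several more sources (thread list, handle table, session list, csrss) for the same reason, and a process that is missing from all of them except the scan is the one to pull apart.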
Example 1
• Resource section of the executable
  – Normally used for raw resource data:
    • Icons, bitmaps, dialog boxes
• The malware sample used the resource section to store email and IP addresses
Example 1
Example 2
• Known and widely-used malware
  – Perfect Keylogger
  – Process scraper: hkcmd.exe
• Malware sent data to foreign IP addresses via HTTP and SMTP
• One of several similar cases
Example 2
• Encoded files
  – Perfect Keylogger configuration file encoded with a simple XOR
  – 0 XOR 0xAA = 0xAA, so the 0xAA bytes standing where the plaintext had zeros gave away 0xAA as the key to decrypt the configuration and data files
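A worked version of the key recovery described above, added here as an example rather than taken from the deck: the configuration file is modelled as fixed-width records padded with NUL bytes and XORed with a single byte, so the most common byte in the encoded file is 0x00 XOR key, which is the key itself. The field contents, the record width and the key are constructed; `looks_decoded` is the sanity check that keeps a wrong frequency guess from being reported as a result.

```python
from collections import Counter
from typing import List, Tuple

# Constructed plaintext configuration: three fixed-width, NUL-padded records.
# Hostnames and address are documentation values, not real indicators.
RECORD_WIDTH = 32
FIELDS = [b"smtp.example.test", b"logs@example.test", b"198.51.100.23:21"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def make_sample(key: int = 0xAA, width: int = RECORD_WIDTH) -> bytes:
    """Build the encoded sample the way a NUL-padded config would look on disk."""
    plain = b"".join(f.ljust(width, b"\x00") for f in FIELDS)
    return xor_bytes(plain, key)


def guess_single_byte_key(encoded: bytes) -> int:
    """The most frequent byte. Where the plaintext is dominated by 0x00
    padding, 0x00 ^ key == key, so that byte is the key itself."""
    return Counter(encoded).most_common(1)[0][0]


def looks_decoded(plain: bytes) -> bool:
    """Sanity check on a candidate: almost everything is NUL or printable ASCII."""
    good = sum(1 for b in plain if b == 0 or 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return good >= 0.95 * max(len(plain), 1)


def decode_config(encoded: bytes, width: int = RECORD_WIDTH) -> Tuple[int, List[str]]:
    """Recover the key, strip it, and split the result back into records."""
    key = guess_single_byte_key(encoded)
    plain = xor_bytes(encoded, key)
    if not looks_decoded(plain):
        raise ValueError(f"key guess {key:#04x} does not yield plausible plaintext")
    records = [plain[i:i + width].rstrip(b"\x00").decode("ascii")
               for i in range(0, len(plain), width)]
    return key, records


SAMPLE_ENCODED = make_sample()

if __name__ == "__main__":
    key, records = decode_config(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}")
    for record in records:
        print("  ", record)
```

The frequency guess depends on the padding: a file with little or no NUL filler will hand back the most common plaintext letter XORed with the key instead. In that case the fallback is to try all 256 candidate keys and keep the ones that pass `looks_decoded`; for a single-byte key that costs nothing. The 32-byte record width is an assumption of the example, read it off the decoded file in practice.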
Example 2
• Decoded the configuration file and data files
• Configured to send its log information to an IP address in Canada and the email address michaeljackson***********@yahoo.com
Example 2
• Shipping the goods
  – Process scraping malware sending data via FTP
  – Once the malware sends the file, it removes it from disk
  – Investigating swap and unallocated space comes in handy
Example 2
Example 2
• Keep on trucking
  – The malware creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – This causes the malware to run every time a user logs into the system
• Hides under c:\windows to appear legitimate
Example 2
Example 3
• Malware
  – Known process scraping malware package
  – Malware was running as a service
  – Retrieved data via remote access
Example 3
• Malware searching memory for credit card numbers
Example 3
• Malware taking hold
  – Example of the malware installing itself as a service to survive reboots
What’s on the Horizon?
• More browser-based attacks
  – Browser-specific attacks
  – Java
  – Flash
• More malicious documents
  – Microsoft Office documents
  – Adobe PDFs
What’s on the Horizon?
• More mobile device attacks
  – Android
  – Apple iOS
  – Windows Mobile
• Stealthier malware
  – Resident only in memory and not on disk
Useful Tools – Malware Analysis in Windows
• Static analysis
  – IDA Pro
  – PEiD
  – PEview
  – Volatility
  – Redline
Useful Tools – Malware Analysis in Windows
• Dynamic analysis
  – WinDbg
  – OllyDbg
  – Immunity Debugger
  – Sysinternals Suite (Strings, Autoruns, Process Monitor, Process Explorer)
  – Regshot
  – LordPE
Resources
• Microsoft Developer Network (MSDN)
  – msdn.microsoft.com
• OpenRCE.org
  – http://www.openrce.org/articles/
• Volatility
  – http://code.google.com/p/volatility/
• OffensiveComputing.net
  – http://www.offensivecomputing.net
• Windows – Managing Virtual Memory
  – http://msdn.microsoft.com/en-us/library/ms810627.aspx
• REMnux
  – http://zeltser.com/remnux/
Resources
• Intel assembly manuals
  – http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html/
• IDA blog
  – http://www.hexblog.com/?cat=3
• IDA disassembler and debugger
  – http://www.hex-rays.com/products/ida/index.shtml
• Immunity Debugger and OllyDbg
  – http://www.immunitysec.com/products-immdbg.shtml
  – http://www.ollydbg.de/
Questions?
Thank you for staying awake!
Peter “bokojan” Arzamendi parzamendi[at]403labs[dot]com
403 Labs, LLC
www.403labs.com
877.403.LABS