Reverse Engineering Malware and Mitigation Techniques


1 Reverse Engineering Malware and Mitigation Techniques
SIA404
Jacek Milunski – NATO Computer Incident Response Center
Andrzej Dereszowski – NATO Computer Incident Response Center
Raf Cox – Microsoft BeLux

2 Overview
- Who are we?
- Why malware reverse-engineering is important
- Mitigation techniques
- Demos:
  - Malware-dropper versus AppLocker
  - ShellCode versus EAF (EMET)
  - Buffer-overrun versus DEP (EMET)
  - Buffer-overrun versus Heapspray-preallocation (EMET)
  - ROP-exploit versus DEP and Mandatory ASLR (EMET)
- Conclusions

3 NATO Computer Incident Response Capability
(map slide: NATO sites and operations supported, including Norfolk, Brunssum, Mons, NATO HQ & Agencies, NC3A, NAMSA, NETMA, Lisbon and Naples, and the missions KFOR, ISAF, NTM-I, Operation Ocean Shield, EUFOR, OUP Libya and Darfur Support to the African Union)

4 Incident Response Services
- System Engineering: system hardening, enterprise-wide security tools, forensics analysis, advice to projects
- Incident Detection & Response: intrusion detection, incident handling, web site monitoring
- Vulnerability Management: assessments and testing, security awareness, Cyber Defence Exercises
(diagram: Prevent, Detect, Respond, Recover cycle with feedback)

5 Mitigation techniques

6 Overview
We will deep-dive into actual malware code:
- How does it work? What exploit techniques does it use?
- Look under the hood at what is going on and how the malware executes
- How do countermeasures block these exploits?
- Focus on AppLocker, DEP, Heapspray allocation & mandatory ASLR (the last 3 enforced through EMET)

7 WARNING: DO NOT TRY THIS AT HOME OR AT THE OFFICE!
- We've selected actual malware targeted at NATO that has been analyzed (so we know what it does)
- Testing malware can and will infect your systems
- Malware testing and reverse engineering must only be done on fully isolated systems
- We selected a few (real) samples that are relevant for the purpose of this presentation (mainly based on older PDF exploits)

8 Case 1: malware-dropper versus AppLocker
Targeted PDF with CVE (Adobe Reader CoolType TTF vulnerability)
(diagram: Adobe.pdf drops ~temqp.tmp and Winword.js; OWNED!)

9 Malware-dropper

10 Application Control policies
- Controls the execution environment
- Supports multiple scenarios:
  - Blacklisting (deny specific known-bad apps)
  - Whitelisting (only allow approved apps)
  - Code-signed apps only
  - Location-based (e.g. only allow apps to run from %programfiles% and %windir%)
- AppLocker rules:
  - Block or allow
  - Apply to <user> or <group>
  - Rule-type: path, publisher (code-signed) or hash
  - Exceptions (combination of rule-types)

11 Malware-dropper blocked by AppLocker

12 Enhanced Mitigation Experience Toolkit
In the following samples, we will use several advanced protection mechanisms that are built into the OS or enforced through EMET.
EMET (Enhanced Mitigation Experience Toolkit) is a free tool that:
- enhances existing memory-protection mechanisms (e.g. mandatory ASLR, DEP opt-in, …)
- introduces new protection mechanisms (EAF, heapspray-allocation, …)

13 Case 2: ShellCode sample
- We use a proof-of-concept exploit code (http://skypher.com/index.php/2010/11/17/bypassing-eaf/)
- Test-application (w32-testival) loads the shell-code sample in memory (RWE access)
- Jumps to the shell-code
(diagram: process memory with heap, stack, the loaded shellcode, application code, and the export address tables (EAT) of NTDLL and Kernel32 that the shellcode reads)

14 Case 2: ShellCode vs EAF protection (EMET)
- EMET will set a hardware breakpoint on the Export Address Tables of NTDLL and Kernel32
- If the access originates from code pages or application modules → succeed
- If it originates from the stack or heap → STOP
- Can be circumvented by evading hardware breakpoints…
(diagram: process memory with heap, stack, shellcode, code, and the NTDLL and Kernel32 EATs)

15 Malware scanning Export Address Tables versus EAF

16 Case 3: buffer-overrun vs DEP
- Targeted malicious PDF document fires a CVE exploit: Adobe Reader this.MediaPlayer.new() vulnerability
- The exploit uses classic heap spraying to prepare execution of the shellcode
- Successfully executed on Windows XP SP3 with Adobe Reader 8 (works also with 9)

17 Case 3: Heap spraying explained
(diagram: the exploit code in the process fills the heap with many copies of a nop slide made of 0x0c0c0c0c followed by the shellcode, so that a jump to 0x0c0c0c0c lands in a nop slide and slides into the shellcode)

18 Buffer overflow

19 Case 3: buffer-overrun vs DEP (EMET enabled)
- After enabling DEP with EMET, the exploit fails to execute
- Access violation exception when executing address 0x0c0c0c0c
- DEP blocks the execution of code located on the heap
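To show the principle behind this slide, here is an added example (not from the presentation) that reproduces the DEP behaviour on a Linux host: it writes a single return instruction into an ordinary writable page, the way a heap spray leaves data on the heap, and calls it; the call faults while the page is only readable/writable and succeeds once the page is legitimately re-protected as executable. The function name and the SIGSEGV-probe approach are this example's own.

```c
/* Added example (not from the presentation): a heap page holding one "ret"
 * instruction faults when called while RW-only (DEP/NX) and runs once RX.
 * Linux/POSIX on x86, x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind back to the probe below */
}

/* Returns 1 if the page executed, 0 if the CPU refused (NX fault), -1 on error. */
int try_exec_from_heap_page(int make_executable) {
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = {0xC3};                   /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = {0xC0, 0x03, 0x5F, 0xD6}; /* ret */
#else
#error "unsupported architecture"
#endif
    long pagesz = sysconf(_SC_PAGESIZE);
    /* Like a heap spray, the page starts life as ordinary writable data. */
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)page, (char *)page + pagesz);
    if (make_executable && mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int executed = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        ((void (*)(void))(uintptr_t)page)();  /* faults here under DEP/NX */
        executed = 1;                          /* only reached from an RX page */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return executed;
}
```

Windows enforces the same rule through the processor's NX bit; EMET's DEP opt-in only makes sure the protected process runs with it switched on.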

20 Buffer overflow (EMET DEP enabled)

21 Case 4: How about heap spraying allocation?
- The same PDF is used to test whether the HeapSpray protection stops the attack
- Adobe Reader wants to jump to 0x0c0c0c0c but … there is no memory allocated at this address
- HeapSpray protection stops the attack as well
- Can be employed as a second layer to block this attack
- Drawback: easy to circumvent if the attacker knows we are using it

22 Buffer overflow (EMET HeapSpraying enabled)

23 Case 5: Fixed ROP gadgets vs ASLR
- ASLR available since Windows Vista
- Exploit: targeted PDF with CVE (Adobe Reader CoolType TTF vulnerability)
- Despite DEP enabled and default ASLR settings the exploit successfully executes (thanks to ROP shellcode and a non-relocated DLL: icucnv36.dll)

24 Case 5: ROP explained

25 Buffer overflow with ROP exploit (EMET DEP enabled)

26 Case 5: Fixed ROP gadgets vs ASLR (DEP + Mandatory ASLR enabled)
- DEP + Mandatory ASLR stops the exploit!
- The program jumps into a nonexistent address: the shellcode had hardcoded addresses into icucnv36.dll
- EMET forces icucnv36.dll to be relocated
- Adobe Reader jumps into the void …

27 Buffer overflow with ROP exploit (EMET DEP + Mandatory ASLR enabled)

28 Conclusions
- You still need to patch, have up-to-date AV, run as standard user and harden systems
- AppLocker is effective to counter drive-by downloads and social engineering (not against 0-day exploits)
- EMET is quite effective as additional protection against 0-days, although not perfect
- It will break some techniques which are considered as “universal DEP and ASLR bypass” by forcing all DLLs to be randomized (see
- Mandatory ASLR+DEP together makes exploit writing much more challenging (see Object Confusion technique with CVE on Vupen’s blog)

29 Track Resources www.microsoft.com/twc www.microsoft.com/security

30 Resources Learning TechNet http://europe.msteched.com
Connect. Share. Discuss. Microsoft Certification & Training Resources TechNet Resources for IT Professionals Resources for Developers

31 Submit your evals online
Evaluations: submit your evals online. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


