Presentation is loading. Please wait.

Presentation is loading. Please wait.

Marta Janus Malware Researcher A tale of encounters with novel evasive malware.

Published byMichelle Chatfield Modified over 9 years ago

Similar presentations

Presentation on theme: "Marta Janus Malware Researcher A tale of encounters with novel evasive malware."— Presentation transcript:

1 Marta Janus Malware Researcher A tale of encounters with novel evasive malware

2 # whoami reverse engineering adept & enthusiast malware researcher @ KL since 2009 linux user since 2006 baldur’s gate player since 1999

3 Are rootkits on decline?

4

5

6 kernel-space no longer safe for malware bootkits easily detected hypervisor-level stealth too complex  shift in malware strategy Tough times for rootkits

7 hide from admin? bypass detection protect C&C infrastructure protect the payload Hiding vs. evasion the goals

8 Case 1: Baldur "When the going gets tough, someone hold my rodent!"

9 # Trojan.Win32.Baldur set of classical anti-vm / anti-dbg checks heavily based on a0rtega`s pafish overly exciting? not really, but......a textbook case :)

10 # classic_checks

11 # environmental_checks WinSpy ? MBAM ? ???

12 # environmental_checks

13 # drive_size_check

14 # game_over

15 Case 2: CVE-0158 & Gimemo "Evil 'round every corner. Careful not to step in any."

16 # armed-to-the-teeth http://www.securelist.com/en/analysis/204792298/ The_curious_case_of_a_CVE_2012_0158_exploit multilayered OLE objects, lots of obfuscation multi-stage shellcode: ~ stage_1: ROP chain ~ stage_2: decryptor of stage_3 ~ stage_3: egg-hunter ~ stage_4: dropper

17

18

19

20 # execute_payload

21 # payload: decrypt_loader

22 # skip_all_checks

23 # trigger_exception

24 # dummy_code

25 # seh_routine

26 # anti_hook, anti_bp

27

28 # anti_hook, anti_bp: trampoline

29 # the dropper & the bot

30 Case 3: PSW & more SEH "No effect?! I need a bigger sword!"

31 # Trojan-PSW.Win32.Multi also spread via hardened CVE-0158 exploit also lots of anti-* techniques code flow of the loader fully based on exception handling blocks payload saved as a registry value overwrites fxsst.dll to assure persistance

32 # malware_main; seh chain

33 # exception_1

34 # exception_handler

35 # dormant_phase

36 # check_trend_micro

37 # exception_4

38 # decrypt_inject

39 Case 4: hardened Zeus "Fool me once, shame on you; fool me twice, watch it! I'm huge!"

40 # Trojan.Win32.Zbot samples from period of March – May 2014 use of windows messaging system use of SEH multiple downloaders ~each with the same set of anti-* techniques

41 # load_cursor

42 # process_wndmsg

43 # seh_anti_debug

44

45 # enum_windows

46 Case 5: even more hardened Zeus "Boo says "WHAT?"

47 # ZeuS p2p aka Game Over works only on Windows 7 anti-emulation based on default values in the CPU registers drops Necurs rootkit (!) bypasses driver signing via setting TESTSIGNING option in BCEDIT

48

49 # init_dialog

50 # obfuscated_win7_check

51

52 # call_malware_main; step_17

53 Novel malware architecture bypass detection protect C&C infrastructure protect the payload the goals  anti-emu, anti-heur  multiple downloaders, waterholed websites  anti-re, anti-dbg, anti-vm, encryption, obfuscation, etc... the aid

54 loader packed, layered encryption, lots of anti-* injects and executes the dropper code dropper some encryption, some anti-* decrypts and executes the downloader/bot code bot small & simple, shellcode-like used only to get/decrypt/run the payload(s) payload downloaded from water-holed websites / pushed by C2 not stored on the disk, short-lived, controlled by C2

55 time or condition based triggers: ~specified timeframes ~specified settings ~specified system events (e.g. reboot, mouse click, etc.) environmental checks: ~files on disk, running processes, loaded DLLs, opened windows, mutexes, devices, registry settings....... checking initial values in CPU registers at EP ~fingerprinting the OS Known evasion techniques

56 overrunning sandbox/emulator: ~dromant phase (e.g. sleep loops) ~junk instructions, slower inside VMs (MMX, FPU, etc.) ~benign code (legitimate looking syscalls) ~stalling code (without the use of syscalls) using window messaging, apc procedures, etc. using chained Exception Handling mechanisms Known evasion techniques

57 Countermeasures  stealth analysis leave no artifacts  full emulation trace all instructions  full exploration follow multiple execution paths  bypass stalling loops detect & skip passive code

58 Thank You! "We are all heroes: You and Boo and I" marta.janus [at] kaspersky.com @mvjanus

Download ppt "Marta Janus Malware Researcher A tale of encounters with novel evasive malware."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Computer Basics Hit List of Items to Talk About ● What and when to use left, right, middle, double and triple click? What and when to use left, right,

Computer Basics Hit List of Items to Talk About ● What and when to use left, right, middle, double and triple click? What and when to use left, right,
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Bypassing antivirus detection with encryption

Bypassing antivirus detection with encryption
Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?

Chapter 5 Anti-Anti-Virus. Anti-Anti-Virus  All viruses self-replicate  Anti-anti-virus means it’s “openly hostile” to AV  Anti-anti-virus techniques?
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Chapter 1 and 2 Computer System and Operating System Overview

Chapter 1 and 2 Computer System and Operating System Overview
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p. 495 - 527.

I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals Preventing the next breach or discovering the one.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals Preventing the next breach or discovering the one.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google