Published by Arleen Pierce. Modified over 8 years ago.
Slide 1: Nico Yturriaga, September 27, 2014
Slide 2: Why Necurs?
o Infected 80,000+ during December 2012
o Tagged as “Rootkit for Hire”
o In the wild
Slide 3: What is a Rootkit?
o Stealthy type of software
o Activated at boot up
o Removal can be complicated or practically impossible
Slide 4: Necurs is...
o Obfuscated / Encrypted
o Protective of itself and its components
o Able to prevent AV installation
Slide 5: Basic Flow [diagram]
Slide 6: The Components
o The Dropper (Executable.exe): Infection Symptoms, The Executable, Rootkit Installation
o The Rootkit (Driver.sys): The Driver, Access Denial, AV and Application Blocking
Slide 7: Infected by Necurs? (The Dropper)
o Windows Platform (32 bit / 64 bit)
o Query ‘Syshost32’ Service
Slide 8: The Dropper - Symptoms: Query ‘Syshost32’ Service
Slide 9: Infected by Necurs? (The Dropper)
o Windows Platform (32 bit / 64 bit)
o Query ‘Syshost32’ Service
o ‘Syshost.exe’ in Device Manager
Slide 10: The Dropper - Symptoms: ‘Syshost.exe’ in Device Manager (The Dropper Executable)
Slide 11: Infected by Necurs? (The Dropper)
o Windows Platform (32 bit / 64 bit)
o Query ‘Syshost32’ Service
o ‘Syshost.exe’ in Device Manager
o Parse “HKLM\System\CurrentControlSet\Services”
Slide 12: The Dropper - Symptoms: Parse “HKLM\System\CurrentControlSet\Services”
Slide 13: Infected by Necurs? (The Dropper)
o Windows Platform (32 bit / 64 bit)
o Query ‘Syshost32’ Service
o ‘Syshost.exe’ in Device Manager
o Parse “HKLM\System\CurrentControlSet\Services”
o Verify Driver File Access Denial
Slide 14: The Dropper - Symptoms: Verify Driver File Access Denial
o Driver file name is 16 characters long, drawn from [a-f, 0-9]
Slide 15: Infected by Necurs? (The Dropper)
o Windows Platform (32 bit / 64 bit)
o Query ‘Syshost32’ Service
o ‘Syshost.exe’ in Device Manager
o Parse “HKLM\System\CurrentControlSet\Services”
o Verify Driver File Access Denial
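The symptom checks from slides 7 to 15, written up as a small host-side triage routine. This is an added example, not code from the presentation: the service tuples and paths are constructed sample data standing in for a dump of HKLM\System\CurrentControlSet\Services, and the driver-name rule is the 16-hex-character ".sys" pattern the slides describe.

```python
import re

# Symptoms from the slides: a 'Syshost32' service and a boot-start driver
# whose file name is 16 hex characters followed by ".sys".
SUSPECT_SERVICE = "syshost32"
DRIVER_NAME_RE = re.compile(r"^[0-9a-f]{16}\.sys$", re.IGNORECASE)
SERVICE_BOOT_START = 0  # Start value 0 in a service key

def driver_basename(image_path):
    # ImagePath may be '\SystemRoot\System32\drivers\x.sys' or 'system32\drivers\x.sys'
    return image_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]

def looks_like_necurs_driver(image_path):
    return DRIVER_NAME_RE.match(driver_basename(image_path)) is not None

def driver_access_denied(path):
    # Symptom: the rootkit's file-system filter refuses opens of its own driver,
    # so a read-only open of a file known to exist failing with access denied is a signal.
    try:
        with open(path, "rb"):
            return False
    except PermissionError:
        return True
    except FileNotFoundError:
        return False

def scan_services(entries):
    # entries: (service_name, image_path, start_type) tuples as read from
    # HKLM\System\CurrentControlSet\Services. Returns [(service_name, [reasons])].
    findings = []
    for name, image_path, start in entries:
        reasons = []
        if name.lower() == SUSPECT_SERVICE:
            reasons.append("service name is 'Syshost32'")
        if looks_like_necurs_driver(image_path):
            reasons.append("driver file name is 16 hex characters + .sys")
            if start == SERVICE_BOOT_START:
                reasons.append("SERVICE_BOOT_START: loads before other drivers")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample of what a dump of the Services key might contain.
SAMPLE_SERVICES = [
    ("Beep", r"\SystemRoot\System32\drivers\beep.sys", 1),
    ("Syshost32", r"C:\Windows\Installer\syshost.exe", 2),
    ("0123456789abcdef", r"\SystemRoot\System32\drivers\0123456789abcdef.sys", 0),
]
```

On a live Windows host the tuples would come from enumerating the Services key (for example with the winreg module); the scan itself is the same.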
Slide 16: The Executable (The Dropper)
o Sample was obtained June 2014
o MD5: 917406e5d63a4538e7a4e28f5dd13bef
o Obfuscated; eventually decrypts a new file with MD5 39db776b96383b491362d7f003a1ffd0
Slide 17: Rootkit Installation (The Dropper) [diagram; remaining label: NO]
Slide 18: Privilege Escalation (The Dropper)
o Vulnerability listed as CVE-2010-4398 allows local users to gain admin privileges and bypass User Account Control (UAC)
Slide 19: Rootkit Installation (The Dropper) [diagram; remaining label: NO]
Slide 20: Rootkit Download (The Dropper)
o Manipulate Windows Firewall via netsh.exe
o Decrypt a list of IP addresses
Slide 21: Rootkit Installation (The Dropper) [diagram; remaining label: NO]
Slide 22: Rootkit Installation (The Dropper)
o Create system file
Slide 23: Rootkit Installation (The Dropper)
o Load rootkit as a service
Slide 24: The Driver (The Rootkit)
o MD5: eaa43802c3801389911b6ad35c0ee71
o Sample was downloaded June 2014
o Obfuscated; eventually decrypts a new file with MD5 787328fa36df1ce151eebf44fe07c0a6
o 16-character file name [0-9, a-f] with “.sys” extension
Slide 25: The Driver (The Rootkit)
o Registry entry at “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”
Slide 26: The Driver (The Rootkit)
o Registry entry at “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”
o SERVICE_BOOT_START
Slide 27: The Driver (The Rootkit)
o “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder”
Slide 28: The Driver (The Rootkit)
o Registry entry at “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”
o Able to load in Safe Mode
o Loads before other drivers
Slide 29: Driver – Dropper Communication (The Rootkit)
o Creates device object "NtSecureSys" and a symbolic link "\??\NtSecureSys"
o 0x22000C – Request rootkit file path
o 0x220010 – Request rootkit registry path
o 0x22001C – Uninstall the rootkit
o 0x220018 – Update the rootkit driver file from a supplied buffer
o 0x22002C – Terminate a process using a supplied process name
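Decoding the five control codes from slide 29 with the CTL_CODE bit layout from winioctl.h, so an analyst can see what the numbers encode (device type, function number, transfer method, required access). Added example, not from the presentation; the operation descriptions are paraphrased from the slide, and the rootkit's own dispatch-side checks are not known from the slides.

```python
# CTL_CODE layout (winioctl.h): DeviceType in bits 16..31, RequiredAccess in
# bits 14..15, FunctionCode in bits 2..13, TransferType (method) in bits 0..1.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22

# The control codes listed on the slide and the operation each one requests.
NECURS_IOCTLS = {
    0x22000C: "request rootkit file path",
    0x220010: "request rootkit registry path",
    0x220018: "update the rootkit driver file from a supplied buffer",
    0x22001C: "uninstall the rootkit",
    0x22002C: "terminate a process by supplied name",
}

def ctl_code(device_type, function, method, access):
    # Same arithmetic as the CTL_CODE macro.
    return (device_type << 16) | (access << 14) | (function << 2) | method

def decode_ioctl(code):
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }

def describe(code):
    f = decode_ioctl(code)
    # Round-trip check: re-encoding the fields must give the original code.
    assert ctl_code(f["device_type"], f["function"], f["method"], f["access"]) == code
    dev = "FILE_DEVICE_UNKNOWN" if f["device_type"] == FILE_DEVICE_UNKNOWN else hex(f["device_type"])
    # Function numbers below 0x800 sit in the range Microsoft reserves for itself;
    # vendor-defined codes normally start at 0x800, which is a tell in itself.
    return "IOCTL 0x%06X: %s, function 0x%03X, %s, %s -> %s" % (
        code, dev, f["function"], METHODS[f["method"]], ACCESS[f["access"]],
        NECURS_IOCTLS.get(code, "unknown"))

def all_any_access(codes=NECURS_IOCTLS):
    # True when no code requires read or write access on the device handle, i.e.
    # the encoding itself does not restrict who may send them once the device is open.
    return all(decode_ioctl(c)["access"] == 0 for c in codes)
```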
Slide 30: Access Denial (The Rootkit): Registry - CmRegisterCallback API
Slide 31: Access Denial (The Rootkit): Registry Callback Flow [diagram; remaining labels: YES, NO]
Slide 32: Access Denial (The Rootkit): File Access - Filesystem
Slide 33: Access Denial (The Rootkit): FileSystem Filter Flow [diagram; remaining labels: NO, YES]
Slide 34: Access Denial (The Rootkit): Process / Thread
o API: ObRegisterCallbacks
o NtOpenProcess, NtOpenThread [SSDT]
Slide 35: Access Denial (The Rootkit): Process / Thread Callback [diagram; remaining labels: NO, YES, NO, YES]
Slide 36: Application Blocking (The Rootkit)
o Black and white listing capabilities
o Values at “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”
o Not blacklisted / to whitelist; Blacklisted
Slide 37: Application Blocking (The Rootkit)
o API: PsSetLoadImageNotifyRoutine
o Black
Slide 38: Application Blocking (The Rootkit)
Slide 39: GameOver Zeus
o Resurrected as of July 2014
o Used to install CryptoLocker ransomware
o Blamed for more than $100 million in theft from banks, businesses and consumers worldwide
Slide 40: Removal Tips
o Use a Boot CD, e.g. [Hiren’s]
o Demonstration
Slide 41: References
o http://stopmalvertising.com/rootkits/analysis-of-zeus-gameover-with-necurs.html
o http://www.f-secure.com/weblog/archives/00002717.html
o http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
o http://www.infosecurity-magazine.com/view/29806/necurs-rootkit-not-new-but-spreading-fast-warns-microsoft
o krebsonsecurity.com/tag/gameover-zeus/
o MSDN
o Peter Ferrie, http://pferrie.host22.com/papers/