Nico Yturriaga September 27, 2014. Why Necurs?  Infected 80,000+ during December 2012  Tagged as “Rootkit for Hire”  In the wild.


1 Nico Yturriaga September 27, 2014

2 Why Necurs?  Infected 80,000+ during December 2012  Tagged as “Rootkit for Hire”  In the wild

3 What is a Rootkit?  Stealthy type of software  Activated at boot up  Removal can be complicated or practically impossible

4 Necurs is...  Obfuscated / Encrypted  Protective to itself and components  Able to Prevent AV Installation

5 Basic Flow (flowchart)

6 The Components  The Dropper (Executable.exe)  Infection Symptoms, The Executable, Rootkit Installation  The Rootkit (Driver.sys)  The Driver, Access Denial, AV and Application Blocking

7 (built up over slides 7, 9, 11, 13 and 15) Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service  ‘Syshost.exe’ in Device Manager  Parse “HKLM\System\CurrentControlSet\Services”  Verify Driver File Access Denial

8 The Dropper - Symptoms  Query ‘Syshost32’ Service (screenshot)

10 The Dropper - Symptoms  ‘Syshost.exe’ in Device Manager (screenshot)

12 The Dropper - Symptoms  Parse “HKLM\System\CurrentControlSet\Services” (screenshot)

14 The Dropper - Symptoms  Verify Driver File Access Denial  The driver file name is 16 characters long, drawn from [0-9a-f]

16 The Executable The Dropper  Sample obtained June 2014  MD5: 917406e5d63a4538e7a4e28f5dd13bef  Obfuscated; at run time it decrypts a second file, MD5: 39db776b96383b491362d7f003a1ffd0

17 Rootkit Installation The Dropper (flowchart)

18 Privilege Escalation The Dropper  Exploits CVE-2010-4398, a stack-based buffer overflow in RtlQueryRegistryValues in win32k.sys  Allows a local user to gain elevated privileges  Bypasses User Account Control (UAC), so the driver can be installed without a consent prompt

19 Rootkit Installation The Dropper (flowchart, continued)

20 Rootkit Download The Dropper  Opens the Windows Firewall for itself via netsh.exe  Decrypts an embedded list of IP addresses to fetch the rootkit driver from
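The firewall manipulation on this slide is visible in process-creation telemetry. The following Python is an added example, not code from the presentation or from the dropper; it runs a detection for firewall-opening netsh.exe command lines over a handful of constructed events (the parent names and the C:\Windows\syshost.exe path are made up for illustration) and covers both the legacy `netsh firewall` and the Vista-and-later `netsh advfirewall` syntaxes.

```python
"""Flag netsh.exe invocations that open or disable the Windows Firewall (slide 20).

Added example; not the presentation's code. The events below are constructed
process-creation records; the syshost.exe path and parent names are made up.
"""
import re

# Constructed sample events in the shape of process-creation telemetry.
EVENTS = [
    {"pid": 1234, "parent": "syshost.exe",
     "cmd": r'netsh.exe firewall add allowedprogram "C:\Windows\syshost.exe" syshost ENABLE'},
    {"pid": 1240, "parent": "syshost.exe",
     "cmd": r'netsh advfirewall firewall add rule name=upd dir=in action=allow program="C:\Windows\syshost.exe"'},
    {"pid": 1300, "parent": "cmd.exe", "cmd": "netsh interface ip show config"},
    {"pid": 1301, "parent": "cmd.exe", "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 1302, "parent": "explorer.exe", "cmd": "notepad.exe"},
]

# Two generations of netsh syntax: "firewall" (XP/2003 context) and "advfirewall" (Vista and later).
FIREWALL_TAMPER_RE = re.compile(r"""
    (?:^|[\\\s])netsh(?:\.exe)?\s+
    (?:
        firewall\s+(?:add\s+(?:allowedprogram|portopening)|set\s+opmode)
      | advfirewall\s+(?:firewall\s+add\s+rule|set\s+\w+\s+state\s+off)
    )""", re.IGNORECASE | re.VERBOSE)

# Path of the program being allowed through, in either syntax.
PROGRAM_RE = re.compile(r'(?:program=|allowedprogram\s+)"?([^"\s]+)', re.IGNORECASE)


def firewall_tampering(events):
    """Return [(pid, parent, program)] for events whose command line alters the firewall.

    program is the path being allowed, or None for a mode/state change."""
    hits = []
    for ev in events:
        if FIREWALL_TAMPER_RE.search(ev["cmd"]):
            m = PROGRAM_RE.search(ev["cmd"])
            hits.append((ev["pid"], ev["parent"], m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for pid, parent, program in firewall_tampering(EVENTS):
        print(f"pid {pid} (parent {parent}): firewall change, program={program}")
```

The allowed program path is the pivot for triage: a rule that admits an executable outside Program Files or System32, created by a non-administrative process, is what the dropper's netsh call looks like.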

21 Rootkit Installation The Dropper (flowchart, continued)

22 Rootkit Installation The Dropper  Create System file

23 Rootkit Installation The Dropper  Load Rootkit as a Service

24 The Driver The Rootkit  MD5: eaa43802c3801389911b6ad35c0ee71  Sample downloaded June 2014  Obfuscated; at run time it decrypts a second file, MD5: 787328fa36df1ce151eebf44fe07c0a6  File name is 16 characters from [0-9a-f] with a “.sys” extension

25 The Driver The Rootkit  Registry entry under “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”

26 The Driver The Rootkit  Start type SERVICE_BOOT_START

27 The Driver The Rootkit  Listed in “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder”

28 The Driver The Rootkit  Able to load in Safe Mode  Loads before other drivers
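The symptoms on slides 7 to 15 and the driver's service-key properties on slides 25 to 28 can be checked offline against an exported Services key, where the rootkit's callbacks cannot interfere. The following Python is an added example, not code from the presentation or from Necurs; it parses a constructed `reg export` style dump (the service paths and the 16-hex-character driver name in it are made up for illustration), flags a Syshost32 service, and flags any kernel driver whose file name is 16 hex characters, noting SERVICE_BOOT_START. `driver_file_denied` is the live-host counterpart of slide 14 and is the one function meant to be run on the suspect machine.

```python
"""Offline triage of an exported Services key for the Necurs indicators on slides 7-15 and 25-28.

Added example; not the presentation's code.
"""
import re

# Constructed input resembling `reg export HKLM\SYSTEM\CurrentControlSet\Services`,
# trimmed to three services. Paths and the 16-hex-character name are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Syshost32]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\syshost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1f3a5c7e9b0d2468]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="\\SystemRoot\\System32\\drivers\\1f3a5c7e9b0d2468.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1f3a5c7e9b0d2468\Parameters]
"Flags"=dword:00000001
"""

SERVICE_KERNEL_DRIVER = 0x1   # "Type" value for a kernel-mode driver
SERVICE_BOOT_START = 0        # "Start" value for a boot-start driver (slide 26)

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
HEX16_SYS = re.compile(r"^[0-9a-f]{16}\.sys$", re.IGNORECASE)  # naming from slides 14 and 24


def parse_services(reg_text):
    """Return {service_name: {value_name: int|str}} for direct children of ...\Services."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # nested keys such as \Parameters are skipped
            if current is not None:
                services[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # .reg exports escape backslashes inside strings as "\\"
            services[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def find_indicators(services):
    """Return [(service_name, reason)] for entries matching the slides' symptoms."""
    hits = []
    for name, values in services.items():
        if name.lower() == "syshost32":
            hits.append((name, "Syshost32 service present (dropper, slide 8)"))
        image = values.get("ImagePath", "")
        basename = image.rsplit("\\", 1)[-1]
        if values.get("Type") == SERVICE_KERNEL_DRIVER and HEX16_SYS.match(basename):
            reason = "kernel driver with a 16-hex-character file name"
            if values.get("Start") == SERVICE_BOOT_START:
                reason += ", SERVICE_BOOT_START (loads before other drivers)"
            hits.append((name, reason))
    return hits


def driver_file_denied(path):
    """Live-host counterpart of slide 14: True if opening the driver file is refused.

    A missing file is not a hit; only an access-denied error is."""
    try:
        with open(path, "rb"):
            return False
    except PermissionError:
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for service, reason in find_indicators(parse_services(SAMPLE_REG_EXPORT)):
        print(f"{service}: {reason}")
```

The export should be taken from the offline hive (or from a boot CD, as slide 40 suggests) rather than on the running system: slide 30 shows the driver registering a registry callback, so a live `reg export` of the rootkit's own key may be refused or return a sanitised view.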

29 Driver – Dropper Communication The Rootkit  Creates the device object "NtSecureSys" and the symbolic link "\??\NtSecureSys"  Control codes: o 0x22000C – Request rootkit file path o 0x220010 – Request rootkit registry path o 0x220018 – Update the rootkit driver file from a supplied buffer o 0x22001C – Uninstall the rootkit o 0x22002C – Terminate a process by supplied process name
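The five control codes above are ordinary Windows CTL_CODE values, and decoding them tells an analyst what the dispatch routine expects before any reversing. The following Python is an added example, not the presentation's or the driver's code; it splits each code into the CTL_CODE fields (the field layout and the FILE_DEVICE_UNKNOWN constant are from the WDK) and shows that all five use FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS.

```python
"""Decode the NtSecureSys control codes from slide 29 into their CTL_CODE fields.

Added example; not the presentation's or the driver's code.
"""

# CTL_CODE(DeviceType, Function, Method, Access) from the WDK:
#   bits 31..16 DeviceType, bits 15..14 Access, bits 13..2 Function, bits 1..0 Method
FILE_DEVICE_UNKNOWN = 0x22  # device type commonly used by third-party drivers
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Codes and meanings as listed on slide 29.
NECURS_IOCTLS = {
    0x22000C: "request rootkit file path",
    0x220010: "request rootkit registry path",
    0x220018: "update the rootkit driver file from a supplied buffer",
    0x22001C: "uninstall the rootkit",
    0x22002C: "terminate a process by supplied name",
}


def ctl_code(device_type, function, method, access):
    """Build a control code exactly as the WDK CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def describe(code):
    f = decode_ioctl(code)
    return (f"0x{code:08X}: device 0x{f['device_type']:X}, function 0x{f['function']:03X}, "
            f"{METHOD_NAMES[f['method']]}, {ACCESS_NAMES[f['access']]}")


def unguarded_codes(codes):
    """Codes with FILE_ANY_ACCESS: the I/O manager enforces no read/write right for them,
    so only the device object's security descriptor or the driver's own checks gate callers."""
    return [c for c in codes if decode_ioctl(c)["access"] == 0]


if __name__ == "__main__":
    for code, meaning in NECURS_IOCTLS.items():
        print(describe(code), "->", meaning)
```

The function numbers (3, 4, 6, 7, 11) sit below 0x800, the range Microsoft reserves for itself, which is one more sign of a hand-rolled driver. Because every code is FILE_ANY_ACCESS, whether a non-dropper process can issue "uninstall" or "terminate a process" depends entirely on the ACL placed on the device object and on any caller check in the dispatch routine, which is what an analyst would look at next.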

30 Access Denial The Rootkit  Registry - CmRegisterCallback API

31 Access Denial The Rootkit  Registry callback flow (flowchart)

32 Access Denial The Rootkit  File access - file system filter driver

33 Access Denial The Rootkit  File system filter flow (flowchart)

34 Access Denial The Rootkit  Process / Thread  API ObRegisterCallbacks  SSDT hooks on NtOpenProcess and NtOpenThread

35 Access Denial The Rootkit  Process / thread callback flow (flowchart)

36 Application Blocking The Rootkit  Black- and white-listing capabilities  Lists stored as values under “\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services”  Decision flow: not blacklisted / to white list vs. blacklisted (flowchart)

37 Application Blocking The Rootkit  API PsSetLoadImageNotifyRoutine (image-load notification; blacklisted images are blocked as they load)

38 Application Blocking The Rootkit (screenshot)

39 GameOver Zeus  Resurrected as of July 2014  Used to install CryptoLocker ransomware  Blamed for more than $100 million in theft from banks, businesses and consumers worldwide

40 Removal Tips  Use a Boot CD, e.g. Hiren’s  With the OS offline the rootkit driver is not loaded, so its registry, file-system and process callbacks cannot deny access; the driver file, its service key and the Syshost32 service can then be deleted  Demonstration

41 References  http://stopmalvertising.com/rootkits/analysis-of-zeus-gameover-with-necurs.html  http://www.f-secure.com/weblog/archives/00002717.html  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398  http://www.infosecurity-magazine.com/view/29806/necurs-rootkit-not-new-but-spreading-fast-warns-microsoft  krebsonsecurity.com/tag/gameover-zeus/  MSDN  Peter Ferrie, http://pferrie.host22.com/papers/

