Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT.

Presentation transcript:

Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT

Index
- Malware Analysis
  - What else?
  - State of the art
  - Why?
- Merovingio
  - Sandboxie
  - Merovingio Agent
  - PebHooking
  - DorianIA
  - Merovingio Website

Malware Analysis: What else?
- New techniques
- Samples avoid signatures
- The market is dozing: a lot of new samples daily
- It is expensive and complicated to have people focused on malware analysis in a CSIRT

Malware Analysis: State of the art
- Commercial products are similar: same VM, same drivers, same look and feel, SAME RESULTS.
- The commercial products share the same limits:
  - One sample per VM; wait for the VM to reboot/reset before starting another analysis.
  - The analysis always takes 2-3 minutes; this time is not based on the behaviour of the sample.
  - Tied to the vendor for any growth.
  - And... the source code is not ours.

Malware Analysis: Why?
- Need "anything" to detect new samples and behaviours
- Avoid depending on the antivirus
- Avoid the problems with VMs: one sample per VM; samples are out of control during execution
- Hasten the analysis
- Include some control over the execution
- Create a system to simulate behaviours

Merovingio
- "Virtual Machine"
- Sandboxie
- Pebhooking
- DorianIA
- And... its web site

Merovingio (architecture diagram; components shown): sample, web site, VirtualBox, Sandboxie, Pebhooking, Dorian IA

Sandboxie
- Runs programs in a sandbox
- Prevents permanent changes to the system
- Helps us load our libraries into each process
- Isolates each program execution

Merovingio Agent
- Tested on Windows XP and Windows 7
- Developed in Python v2.7
- Can manage as many Sandboxie instances as we want
- Recovers the logs and sends them to the next step
- Multithreaded: can receive more than one sample at the same time
- Decides on which instance the sample must be executed: free slot, specific analysis
- Monitors the analysis to detect when it ends

Pebhooking
- Published in Phrack #65 by Dreg and [Shearer] (me)
- Modifies the PEB of the process to exchange the real libraries for our libraries
- All dynamically loaded libraries will be hooked
- Only the main IAT needs to be repaired

Pebhooking (diagram: PEB before hooking)
process -> PEB: InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, Spare, Mutant, ImageBaseAddress, LoaderData
LoaderData: Length, Initialized, SsHandle, InLoadOrderModList, InMemoryOrderModList, InInitOrderModList (Flink ...)
LDR_MODULE entries, each linked through InLoadOrderModList, InMemoryOrderModList and InInitOrderModList:
  - BaseAddress 7C..., BaseDllName "kernel32.dll"
  - BaseDllName "xxxxxx.dll"
  - BaseDllName "ntdll.dll"

Pebhooking (diagram: PEB after hooking)
process -> PEB: InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, Spare, Mutant, ImageBaseAddress, LoaderData
LoaderData: Length, Initialized, SsHandle, InLoadOrderModList, InMemoryOrderModList, InInitOrderModList (Flink ...)
LDR_MODULE entries, each linked through InLoadOrderModList, InMemoryOrderModList and InInitOrderModList:
  - BaseAddress XXXXXXXXXX, BaseDllName "kernel32.dll" (the name now resolves to our library)
  - BaseAddress 7C..., BaseDllName "ph_k32.dll" (the real kernel32 under the new name)
  - BaseDllName "ntdll.dll"

ph_ker32.dll
- Exports the same functions as kernel32.dll
- We must build a specific DLL for each service pack
- The exported functions have the same ordinal as the original function
- We can manage any function we want: store the return value, modify params at runtime, block the execution on any API
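The module-list exchange on the Pebhooking slides, as an added example that is not code from Merovingio or from the Phrack #65 article. The PEB's InLoadOrderModuleList and its LDR_MODULE entries are modelled here with plain Python objects (assumed: a circular doubly linked list whose entries carry BaseDllName and BaseAddress), the IAT repair follows the same-ordinal rule from the slide, and a defender-side check reports entries whose name disagrees with the image actually mapped at their base. All addresses and module names are constructed sample values; nothing touches a real process.

```python
"""Model of the PEB module-list exchange described on the Pebhooking slides.

Added example, not code from Merovingio or from the Phrack #65 article. The PEB's
InLoadOrderModuleList and its LDR_MODULE entries are modelled with plain Python
objects (assumption: a circular doubly linked list whose entries carry BaseDllName
and BaseAddress); nothing here touches a real process, and all addresses and
module names below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LdrModule:
    """One LDR_MODULE entry; only the fields the technique relies on are modelled."""
    base_dll_name: str
    base_address: int
    flink: Optional["LdrModule"] = field(default=None, repr=False)
    blink: Optional["LdrModule"] = field(default=None, repr=False)


def build_load_order_list(modules: List[LdrModule]) -> LdrModule:
    """Link the entries into a ring, like InLoadOrderModuleList, and return the head."""
    for i, mod in enumerate(modules):
        mod.flink = modules[(i + 1) % len(modules)]
        mod.blink = modules[(i - 1) % len(modules)]
    return modules[0]


def walk(head: LdrModule) -> List[LdrModule]:
    """Follow Flink once around the ring, as the loader or an API resolver would."""
    entries, cur = [], head
    while True:
        entries.append(cur)
        cur = cur.flink
        if cur is head:
            return entries


def find_module(head: LdrModule, name: str) -> Optional[LdrModule]:
    """Lookup by BaseDllName: the walk a by-name module lookup performs."""
    for mod in walk(head):
        if mod.base_dll_name.lower() == name.lower():
            return mod
    return None


def peb_hook(head: LdrModule, real_name: str, proxy_name: str) -> None:
    """Exchange the names of the real library and the proxy, as on the slides: afterwards
    the entry called 'kernel32.dll' carries the proxy's base and the entry called
    'ph_k32.dll' carries the real kernel32 base, so every later by-name resolution
    (and so every DLL loaded from now on) binds to the proxy."""
    real, proxy = find_module(head, real_name), find_module(head, proxy_name)
    real.base_dll_name, proxy.base_dll_name = proxy.base_dll_name, real.base_dll_name


def repair_main_iat(iat: Dict[str, int], real_exports: Dict[int, int],
                    proxy_exports: Dict[int, int]) -> Dict[str, int]:
    """The main image's IAT was resolved before the exchange, so it still points into the
    real library. Because the proxy exports the same ordinals, each such entry is moved
    to the proxy export with the same ordinal (assumed repair strategy). Entries that
    point into other libraries are left alone."""
    ordinal_of = {addr: ordinal for ordinal, addr in real_exports.items()}
    return {name: proxy_exports[ordinal_of[addr]] if addr in ordinal_of else addr
            for name, addr in iat.items()}


def find_swapped_entries(head: LdrModule, mapped_images: Dict[int, str]):
    """Defender-side consistency check: mapped_images maps a base address to the image
    actually mapped there (what a memory scanner reads from the section). Any entry
    whose BaseDllName disagrees with that image is reported as (name, base, image)."""
    return [(mod.base_dll_name, hex(mod.base_address), mapped_images[mod.base_address])
            for mod in walk(head)
            if mapped_images[mod.base_address].lower() != mod.base_dll_name.lower()]


def sample_process():
    """Constructed process: main image, ntdll, kernel32 and the proxy ph_k32.dll."""
    modules = [LdrModule("sample.exe", 0x00400000), LdrModule("ntdll.dll", 0x7C900000),
               LdrModule("kernel32.dll", 0x7C800000), LdrModule("ph_k32.dll", 0x10000000)]
    mapped = {mod.base_address: mod.base_dll_name for mod in modules}
    return build_load_order_list(modules), mapped


if __name__ == "__main__":
    head, mapped = sample_process()
    print("kernel32.dll before:", hex(find_module(head, "kernel32.dll").base_address))
    peb_hook(head, "kernel32.dll", "ph_k32.dll")
    print("kernel32.dll after: ", hex(find_module(head, "kernel32.dll").base_address))
    print("entries whose name disagrees with the mapped image:", find_swapped_entries(head, mapped))
```

The check in find_swapped_entries is the practical takeaway for a defender: the exchange leaves the loader's bookkeeping inconsistent with what is mapped in memory, and that inconsistency is visible to any tool that compares the two.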

Dorian IA
- Based on the workflows of neural networks
- Sets the time on each log received
- Analyzes the log looking for patterns
- Creates execution blocks
- Tries to link the different blocks to create behaviours
- Shows the results in a new log that is sent to the website
- At this moment it can learn new behaviours; our aim is to create a real AI

DorianIA
Log from PebHooking:
  LoadLibraryW|IMM32.DLL
  CreateFileW | C:\ikkka.exe|0x178
  CreateFileW|COMCTL32.DLL|0x4C
  LoadLibraryW|user32.dll
  WriteFile | 0x178 | 0x22800 | XXXXXXXXX
  CloseHandle | 0x4C
  CloseHandle | 0x178
Block:
  CreateFileW | C:\ikkka.exe | 0x178
  WriteFile | 0x178 | 0x22800 | XXXXXXXXXX
  CloseHandle | 0x178

DorianIA
Log from PebHooking:
  LoadLibraryW|IMM32.DLL
  CreateFileW | C:\itself.exe|0x77
  ReadFile | 0x22800 | XXXXXXXXX
  CloseHandle | 0x77
  DeleteFile | C:\autoexec.bat
  CreateFileW | C:\ikkka.exe|0x178
  CreateFileW|COMCTL32.DLL|0x4C
  LoadLibraryW|user32.dll
  WriteFile | 0x178 | 0x22800 | XXXXXXXXX
  CloseHandle | 0x4C
  CloseHandle | 0x178
Block (write itself to another file):
  CreateFileW | C:\ikkka.exe | 0x178
  WriteFile | 0x178 | 0x22800 | XXXXXXXXXX
  CloseHandle | 0x178
Block (read itself):
  CreateFileW | C:\itself.exe|0x77
  ReadFile | 0x22800 | XXXXXXXXX
  CloseHandle | 0x77
Block:
  DeleteFile | C:\autoexec.bat
Similar content: we use ssdeep to compare the information, with a threshold of 95%. Result: the sample copied itself to another path.
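The block-building and block-linking steps from the two DorianIA slides, as an added example that is not DorianIA's own code. The log lines are constructed for this example in the "API | arg | arg" format the slides show; one assumption beyond the slides is that ReadFile and WriteFile carry the handle as their first argument and the content token as their last. Merovingio compares content with ssdeep at a 95% threshold; ssdeep is not in the standard library, so difflib's ratio scaled to 0-100 stands in for the similarity function (it is passed in as a parameter so the real comparison can be dropped in).

```python
r"""Execution blocks and behaviours from a PebHooking-style log, as on the DorianIA slides.

Added example, not DorianIA's own code. The log is constructed for this example in the
format the slides show ("API | arg | arg"); assumption beyond the slides: ReadFile and
WriteFile carry the handle as their first argument and the content token as their last.
Merovingio compares content with ssdeep at a 95% threshold; ssdeep is not in the standard
library, so difflib's ratio (scaled to 0-100) stands in as the similarity function.
"""
from difflib import SequenceMatcher
from typing import Callable, Dict, List, Tuple

SELF_PATH = r"C:\itself.exe"  # constructed: the path the sample was started from

# Constructed log; the slides show "XXXXXXXXX" where the content token sits.
SAMPLE_LOG = r"""
LoadLibraryW|IMM32.DLL
CreateFileW | C:\itself.exe|0x77
ReadFile | 0x77 | 0x22800 | 4d5a90000300000004000000ffff0000b8000000
CloseHandle | 0x77
DeleteFile | C:\autoexec.bat
CreateFileW | C:\ikkka.exe|0x178
CreateFileW|COMCTL32.DLL|0x4C
LoadLibraryW|user32.dll
WriteFile | 0x178 | 0x22800 | 4d5a90000300000004000000ffff0000b8000000
CreateFileW | C:\notes.txt|0x1A0
WriteFile | 0x1A0 | 0x20 | this is a plain text note and nothing more
CloseHandle | 0x1A0
CloseHandle | 0x4C
CloseHandle | 0x178
"""

Block = Dict  # keys: path, calls, reads, writes


def parse_line(line: str) -> Tuple[str, List[str]]:
    """Split 'API | arg | arg' into the API name and its arguments; spacing is noise."""
    fields = [f.strip() for f in line.split("|")]
    return fields[0], fields[1:]


def build_blocks(lines: List[str]) -> List[Block]:
    """Group calls into execution blocks keyed by file handle: CreateFileW opens a block,
    Read/WriteFile on that handle extend it, CloseHandle ends it. Calls without a handle
    (DeleteFile) become single-call blocks; LoadLibraryW is ignored as noise."""
    open_blocks: Dict[str, Block] = {}
    blocks: List[Block] = []
    for raw in lines:
        if not raw.strip():
            continue
        api, args = parse_line(raw)
        if api == "CreateFileW":
            open_blocks[args[1]] = {"path": args[0], "calls": [(api, args)], "reads": [], "writes": []}
        elif api in ("ReadFile", "WriteFile") and args[0] in open_blocks:
            blk = open_blocks[args[0]]
            blk["calls"].append((api, args))
            blk["reads" if api == "ReadFile" else "writes"].append(args[-1])
        elif api == "CloseHandle" and args[0] in open_blocks:
            blk = open_blocks.pop(args[0])
            blk["calls"].append((api, args))
            blocks.append(blk)
        elif api != "LoadLibraryW":
            blocks.append({"path": args[0] if args else "", "calls": [(api, args)], "reads": [], "writes": []})
    blocks.extend(open_blocks.values())  # handles the sample never closed still count
    return blocks


def content_similarity(a: str, b: str) -> float:
    """Stand-in for the ssdeep comparison, on a 0-100 scale like ssdeep's score."""
    return 100.0 * SequenceMatcher(None, a, b).ratio()


def link_behaviours(blocks: List[Block], self_path: str, threshold: float = 95.0,
                    similarity: Callable[[str, str], float] = content_similarity):
    """Link blocks into behaviours: a block that reads the sample itself plus a block that
    writes similar content to another path is 'self-copy'; a DeleteFile block is 'delete'."""
    behaviours = []
    self_reads = [b for b in blocks if b["path"].lower() == self_path.lower() and b["reads"]]
    for w in blocks:
        if not w["writes"] or w["path"].lower() == self_path.lower():
            continue
        score = max((similarity(rc, wc) for r in self_reads for rc in r["reads"]
                     for wc in w["writes"]), default=0.0)
        if score >= threshold:
            behaviours.append(("self-copy", w["path"], round(score, 1)))
    for b in blocks:
        for api, args in b["calls"]:
            if api == "DeleteFile":
                behaviours.append(("delete", args[0], None))
    return behaviours


if __name__ == "__main__":
    found = build_blocks(SAMPLE_LOG.splitlines())
    for blk in found:
        print("block", blk["path"], [api for api, _ in blk["calls"]])
    print(link_behaviours(found, SELF_PATH))
```

The write to C:\notes.txt is there on purpose: it shows why the similarity threshold matters, since a write block on its own is not a self-copy until its content matches what the sample read from itself.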

Website features
- User management
- Able to upload several samples at the same time
- Keeps the history to recover old reports
- Able to look up samples by filename or hash (SHA1)
- All communication with the agent is transparent to the user
- Easy to see whether a sample is malicious or not, directly from the history

Merovingio screenshots Home page / Send samples

Merovingio screenshots History

Merovingio screenshots Raw log

Merovingio screenshots Analysis

Merovingio screenshots API

Merovingio achievements
- Max. runtime 2 minutes, but the analysis stops when we don't detect any new behaviour
- We can analyze over 20 samples on the same machine (VM or real)
- To grow we need to add more RAM to allocate more processes, or add a new machine to get 20 more slots
- Very cheap (figures for 20 analyses): only one machine, 4 GHz CPU (4 cores) and 4 GB RAM
- We can stop the analysis when the sample finishes execution
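The two scheduling rules the Agent and achievements slides state (a sample goes to a free Sandboxie slot or to a slot kept for a specific analysis; the run stops at the 2-minute maximum or earlier once no new behaviour appears), as an added example that is not the Merovingio Agent's code and is written for Python 3 rather than the agent's Python 2.7. The idle window IDLE_SECONDS, the slot reservation scheme and the timestamped event tuples are assumptions constructed for this example.

```python
"""Slot assignment and early stop for a sandbox agent, as on the Merovingio Agent and
achievements slides.

Added example, not the Merovingio Agent's code. The slides give the rules (free slot or
slot reserved for a specific analysis; maximum runtime 2 minutes; stop earlier when no
new behaviour is seen). IDLE_SECONDS, the reservation scheme and the event tuples are
assumptions constructed for this example.
"""
from typing import Dict, List, Optional, Set, Tuple

MAX_RUNTIME = 120.0   # seconds, from the slides
IDLE_SECONDS = 20.0   # assumed: how long without a new behaviour before we stop


class SlotPool:
    """Tracks Sandboxie instances; a slot may be reserved for one kind of analysis
    (tag None means a general-purpose slot)."""

    def __init__(self, reservations: Dict[int, Optional[str]]):
        self.reservations = reservations          # slot -> analysis tag or None
        self.busy: Dict[int, str] = {}            # slot -> sample id

    def assign(self, sample_id: str, analysis: Optional[str] = None) -> Optional[int]:
        """Pick a free slot whose tag matches the requested analysis (None for a plain
        run). Returns None when every matching slot is busy and the sample must wait."""
        for slot, tag in self.reservations.items():
            if slot not in self.busy and tag == analysis:
                self.busy[slot] = sample_id
                return slot
        return None

    def release(self, slot: int) -> None:
        """Free the slot once the agent has collected the logs."""
        self.busy.pop(slot, None)


class AnalysisMonitor:
    """Decides when one analysis ends: at MAX_RUNTIME, or once IDLE_SECONDS pass without
    a behaviour (API, target) not seen before in this run."""

    def __init__(self, started_at: float):
        self.started_at = started_at
        self.last_new_at = started_at
        self.seen: Set[Tuple[str, str]] = set()

    def on_event(self, t: float, api: str, target: str) -> Optional[str]:
        """Feed one timestamped log line; return the stop reason, or None to keep running."""
        if (api, target) not in self.seen:
            self.seen.add((api, target))
            self.last_new_at = t
        if t - self.started_at >= MAX_RUNTIME:
            return "max runtime reached"
        if t - self.last_new_at >= IDLE_SECONDS:
            return "no new behaviour"
        return None


def run_analysis(events: List[Tuple[float, str, str]]) -> Tuple[str, float]:
    """Replay a constructed (time, api, target) event list; return (reason, time stopped).
    If the log ends before either limit, the sample finished on its own."""
    monitor = AnalysisMonitor(started_at=events[0][0])
    for t, api, target in events:
        reason = monitor.on_event(t, api, target)
        if reason:
            return reason, t
    return "sample finished", events[-1][0]


if __name__ == "__main__":
    pool = SlotPool({0: None, 1: None, 2: "network"})
    print("slots:", pool.assign("s1"), pool.assign("s2"), pool.assign("s3"), pool.assign("s4", "network"))
    quiet = [(0.0, "CreateFileW", r"C:\a.exe"), (5.0, "WriteFile", r"C:\a.exe"),
             (10.0, "CloseHandle", r"C:\a.exe"), (20.0, "CreateFileW", r"C:\a.exe"),
             (35.0, "WriteFile", r"C:\a.exe")]
    print(run_analysis(quiet))
```

The early stop is what lets the machine handle more samples than a fixed 2-3 minute run would: a sample that settles into repeating the same calls gives up its slot after IDLE_SECONDS instead of holding it for the full maximum.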

Merovingio numbers
- 720 samples can be analyzed on each sandbox instance daily
- Samples analyzed daily using 20 instances on Sandboxie (figure missing from the transcript)
- Only 1 cheap machine to get these numbers