Nico Yturriaga September 27, 2014. Why Necurs?  Infected 80,000+ during December 2012  Tagged as “Rootkit for Hire”  In the wild.

Slides:

Advertisements

Similar presentations

and Mitigations Brady Bloxham

Advertisements

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

AVG Internet Security 7.5 Product presentation.

File Management Chapter 12. File Management File management system is considered part of the operating system Input to applications is by means of a file.

1 Chapter 11: File-System Interface  File Concept  Access Methods  Directory Structure  File System Mounting  File Sharing  Protection  Chapter.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Hackers They can u Read the data files u Run the application programs u Modify some files which may cause damages Individuals who gain unauthorized access.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.

11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.

UNITS meeting September 30, 2004 Network Security Roger Safian

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Chapter 2 Information Security Overview The Executive Guide to Information Security manual.

Week 2 File Systems & Unix Commands. File System Hierarchy.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

WINDOWS SERVICES. Introduction You often need programs that run continuously in the background Examples: – servers –Print spooler You often need.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

Tutorial 11 Installing, Updating, and Configuring Software

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 10: File-System Interface.

Spyware, Viruses and Malware What the fuss is all about.

1 Operating Systems Security. 2 Where Malware hides ? Autoexec.bat or autoexec.nt can start malware before windows start Config.sys, config.nt Autorun.inf.

Rootkits in Windows XP  What they are and how they work.

Chapter 13 Understanding E-Security. 2 OBJECTIVES What are security concerns (examples)? What are two types of threats (client/server) Virus – Computer.

Unit R005: Understanding Computer Systems Introduction System Software Software (i.e., programs) used to control the hardware directly Used to run the.

A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 13 Understanding and Installing Windows 2000 and Windows NT.

Windows Vista Inside Out Ch 10: Ch 10: Security Essentials Last modified

Compatibility and Interoperability Requirements

Attack Plan Alex. Introduction This presents a step-by-step attack plan to clean up an infected computer This presents a step-by-step attack plan to clean.

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

CAP6135: Malware and Software Vulnerability Analysis Rootkits Cliff Zou Spring 2012.

IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.

 Jaden Terry.  To obtain privacy and protect data from other people. o Businesses Customer/Employee information Credit card numbers To gain a competitive.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

1 NTC/TCS Training Dallas 2009 TaxWise, TrueCrypt, and Vista There are several issues that need to be addressed when using TaxWise and TrueCrypt on computers.

Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:

1 National Technology Committee 2008 TaxWise and VISTA There are several issues that need to be addressed when using computers with the Windows VISTA Operating.

Chapter 10: File-System Interface Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 10: File-System Interface File Concept.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

W elcome to our Presentation. Presentation Topic Virus.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President of Sony's Global Digital Business.

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab.

Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.

Securing Tomorrow’s World Microsoft Security Roadmap Ed Gibson & Steve Lamb Microsoft Ltd.

Windows Vista Configuration MCTS : Network Security.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

From: windows-7-password.html.

Windows Vista Configuration MCTS : User Account Security.

Protecting Against Cyber Attacks PLEASE TAKE A MINUTE TO LOOK AT THIS IMPORTANT MESSAGE. THIS IS HAPPENING HERE AND NOW! LET US SAVE YOU AND YOUR INFORMATION.

Presented by Martin Šimek Ransomware, Internet of Things and Botnets vs. Control.

Technical Implementation: Security Risks

Intercept X Early Access Program Sophos Tester

Botnets A collection of compromised machines

Malware Reverse Engineering Process

A+ Guide to Managing and Maintaining Your PC, 7e

Malware Reverse Engineering Process

Botnets A collection of compromised machines

Intercept X for Server Early Access Program Sophos Tester

Chapter 3: Windows7 Part 2.

Local Administrator Rights

Chapter 3: Windows7 Part 2.

G061 - Network Security.

Presentation transcript:

Nico Yturriaga September 27, 2014

Why Necurs?  Infected 80,000+ during December 2012  Tagged as “Rootkit for Hire”  In the wild

What is a Rootkit?  Stealthy type of software  Activated at boot up  Removal can be complicated or practically impossible

Necurs is...  Obfuscated / Encrypted  Protective to itself and components  Able to Prevent AV Installation

Basic Flow

The Components  The Dropper (Executable.exe)  Infection Symptoms, The Executable, Rootkit Installation  The Rootkit (Driver.sys)  The Driver, Access Denial, AV and Application Blocking

Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service.

Query ‘Syshost32’ Service The Dropper - Symptoms

Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service.  ‘Syshost.exe’ in Device Manager

‘Syshost.exe’ in Device Manager The Dropper - Symptoms The Dropper Executable

Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service.  ‘Syshost.exe’ in Device Manager  Parse “HKLM\ System\ CurrentControlSet\ Services”

Parse “HKLM\System\CurrentControlSet\ Services” The Dropper - Symptoms

Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service.  ‘Syshost.exe’ in Device Manager  Parse “HKLM\ System\ CurrentControlSet\ Services”  Verify Driver File Access Denial

Verify Driver File Access Denial The Dropper - Symptoms 16 characters length of driver file name [a-f, 0-9]

Infected by Necurs? The Dropper  Windows Platform (32 bit / 64 bit)  Query ‘Syshost32’ Service.  ‘Syshost.exe’ in Device Manager  Parse “HKLM\ System\ CurrentControlSet\ Services”  Verify Driver File Access Denial

The Executable The Dropper  Sample was obtained June  MD5 : e5d63a4538e7a4e28f5dd13bef  Obfuscated and will eventually decrypt a new file : 39db776b96383b491362d7f003a1ffd0

Rootkit Installation The Dropper NO

Privilege Escalation The Dropper  Vulnerability listed as CVE  allows local users to gain admin privileges  bypass the User Account Control (UAC)

Rootkit Installation The Dropper NO

Rootkit Download The Dropper  Manipulate Windows Firewall by netsh.exe  Decrypt a List of IP addresses

Rootkit Installation The Dropper NO

Rootkit Installation The Dropper  Create System file

Rootkit Installation The Dropper  Load Rootkit as a Service

The Driver The Rootkit  MD5 : eaa43802c b6ad35c0ee71  Sample was Downloaded June 2014  Obfuscated and will eventually decrypt a new file : fa36df1ce151eebf44fe07c0a6  16 characters file name [0-9, a-f] “.sys” extension

The Driver The Rootkit  Registry Entry at “\REGISTRY\MACHINE\ SYSTEM\CurrentControlSet\Services”

The Driver The Rootkit  Registry Entry at “\REGISTRY\MACHINE\ SYSTEM\CurrentControlSet\Services” SERVICE_BOOT_START

The Driver The Rootkit  “\REGISTRY\MACHINE\SYSTEM\CurrentControl Set\Control\ServiceGroupOrder”

The Driver The Rootkit  Registry Entry at “\REGISTRY\MACHINE\ SYSTEM\CurrentControlSet\Services”  Able to load in Safe Mode  Load before other Drivers

Driver – Dropper Communication The Rootkit  Create device object "NtSecureSys" and a Symbolic link "\??\NtSecureSys" o 0x22000C – Request Rootkit File Path o 0x – Request Rootkit Registry Path o 0x – Update the rootkit driver file by a supplied buffer o 0x22001C – Uninstall the Rootkit o 0x22002C – terminate a process using a supplied process name

Access Denial The Rootkit  Registry - CmRegisterCallback API

Access Denial The Rootkit  Registry CallBack Flow YES NO

Access Denial The Rootkit  File Access - Filesystem

Access Denial The Rootkit  FileSystem Filter Flow NO YES

Access Denial The Rootkit  Process / Thread  API ObRegisterCallbacks  NtOpenProcess, NtOpenThread [SSDT]

Access Denial The Rootkit  Process / Thread Call Back NO YES NO YES

Application Blocking The Rootkit  Black and White Listing Capabilities  Values at “\REGISTRY\MACHINE\SYSTEM\ CurrentControlSet\Services” Not Blacklisted / To White list Blacklisted

Application Blocking The Rootkit  API PsSetLoadImageNotifyRoutine Black

Application Blocking The Rootkit

GameOver Zeus Resurrected as of July 2014 Used to install CryptoLocker ransomware. Blamed for more than $100 million theft from banks, businesses and consumers worldwide.

Removal Tips Use a Boot CD e.g. [Hiren’s] Demonstration

References gameover-with-necurs.html gameover-with-necurs.html secure.com/weblog/archives/ html secure.com/weblog/archives/ html bin/cvename.cgi?name=CVE bin/cvename.cgi?name=CVE magazine.com/view/29806/necurs-rootkit-not-new-but- spreading-fast-warns-microsoft magazine.com/view/29806/necurs-rootkit-not-new-but- spreading-fast-warns-microsoft krebsonsecurity.com/tag/gameover-zeus/ MSDN Peter Ferrie