Presentation is loading. Please wait.

Presentation is loading. Please wait.

Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT.

Published byDuncan Huxley Modified over 9 years ago

Similar presentations

Presentation on theme: "Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT."— Presentation transcript:

1

2 Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT

3 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

4 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

5 Malware Analysis What else? New techniques Avoid signatures The market is dozed A lot of new samples daily It’s expensive complicated have people focused on malware analysis in a CSIRT

6 Malware Analysis State of art Commercial products are similar Same VM. Same drivers. Same look&feel. SAME RESULTS. The commercial products are the same limits One sample on each VM. Wait to reboot/reset the VM to start another analysis. The analysis spend 2-3 minutes all times. This time is not based on the behavior of the sample. Attached to the company for any grown. And… the source code is not our.

7 Malware Analysis Why? Need “anything” to detect new samples and behaviors Avoid the dependencies of the antivirus Avoid the problems with VM. One sample on each VM Samples are out of control on execution Hasten the analysis Include some control on the execution Create a system to simulate behaviors

8 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

9 Merovingio “Virtual Machine” Sandboxie Pebhooking DorianIA And… his web site

10 Merovingio sample web site VirtualBox SandBoxie Pebhooking Dorian IA

11 Run programs in a sandbox Prevent permament changes on system Help us to load our libraries on each process Isolate each program execution

12 Merovingio Agent Tested in Windows XP and Windows 7 Developed in Python v2.7 Can manage all sandboxie instances as we want Recover the logs and send us to next step Multithread Can receive more that one sample at same time Decide on which instance must be executed the sample Free slot Specific analysis Monitorized the analysis to detected when the analysis end

13 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

14 Pebhooking Published in Phrack #65 Dreg and [Shearer] (me) Modify the PEB in the process to exchange real libraries for our libraries All dynamic loaded libraries will be hooked Only is necessary repair the main IAT

15 process InheritedAddressSpace ReadImageFileExecOptions BeingDebugged Spare Mutant ImageBaseAddress LoaderData PEB Length Initialized SsHandle InLoadOrderModList InMemoryOrderModList InInitOrderModList  Flink … LoaderData InLoadOrderModList InMemoryOrderModList InInitOrderModList BaseAddress 7C801000 … BaseDllName “kernel32.dll” LDR_MODULE InLoadOrderModList InMemoryOrderModList InInitOrderModList … BaseDllName “xxxxxx.dll” LDR_MODULE InLoadOrderModList InMemoryOrderModList InInitOrderModList … BaseDllName “ntdll.dll” LDR_MODULE Pebhooking

16 process InheritedAddressSpace ReadImageFileExecOptions BeingDebugged Spare Mutant ImageBaseAddress LoaderData PEB Length Initialized SsHandle InLoadOrderModList InMemoryOrderModList InInitOrderModList  Flink … LoaderData InLoadOrderModList InMemoryOrderModList InInitOrderModList BaseAddress XXXXXXXXXX … BaseDllName “kernel32.dll” LDR_MODULE InLoadOrderModList InMemoryOrderModList InInitOrderModList BaseAddress 7C801000 … BaseDllName “ph_k32.dll” LDR_MODULE InLoadOrderModList InMemoryOrderModList InInitOrderModList … BaseDllName “ntdll.dll” LDR_MODULE Pebhooking

17 ph_ker32.dll Export the same functions that kernel32.dll We must do a specific dll for each service pack The functions exported have the same ordinal as the original function We can manage any function we want Store the return value Modify params in runtime Block the execution on any API

18 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

19 Dorian IA It is based on the workflows of neural networks Set the time on each log received Analyze the log looking for patterns Create execution blocks Try to link the different blocks to create behaviors Show the results in a new log that is send to the website At this moment can learn new behaviors, our aim is create a real AI

20 DorianIA LoadLibraryW|IMM32.DLL CreateFileW | C:\ikkka.exe|0x178 CreateFileW|COMCTL32.DLL|0x4C LoadLibraryW|user32.dll WriteFile | 0x178 | 0x22800 | XXXXXXXXX CloseHandle | 0x4C CloseHandle | 0x178 Log from PebHooking CreateFileW | C:\ikkka.exe | 0x178 WriteFile | 0x178 | 0x22800 | XXXXXXXXXX CloseHandle | 0x178 Block

21 DorianIA LoadLibraryW|IMM32.DLL CreateFileW | C:\itself.exe|0x77 ReadFile | 0x22800 | XXXXXXXXX CloseHandle | 0x77 DeleteFile | C:\autoexec.bat CreateFileW | C:\ikkka.exe|0x178 CreateFileW|COMCTL32.DLL|0x4C LoadLibraryW|user32.dll WriteFile | 0x178 | 0x22800 | XXXXXXXXX CloseHandle | 0x4C CloseHandle | 0x178 Log from PebHooking CreateFileW | C:\ikkka.exe | 0x178 WriteFile | 0x178 | 0x22800 | XXXXXXXXXX CloseHandle | 0x178 Block CreateFileW | C:\itself.exe|0x77 ReadFile | 0x22800 | XXXXXXXXX CloseHandle | 0x77 Block Read itself Write itself in other file Similar content: we use ssdeep to compare the information with threshold 95% The sample was copied itself to another path. DeleteFile | C:\autoexec.bat Block

22 Index Malware Analysis what else? state of art why? Merovingio Sandboxie Merovingio Agent PebHooking DorianIA Merovingio Website

23 Website features User management Able to upload different samples at same time Hold the history to recover old reports Able to looking samples for filename or hash (SHA1) All the communication with the agent is transparent to user Easy to get if any sample if malicious or not, directly from the history

24 Merovingio screenshots Home page / Send samples

25 Merovingio screenshots History

26 Merovingio screenshots Raw log

27 Merovingio screenshots Analysis

28 Merovingio screenshots API

29 Merovingio Achievements Max. runtime 2 minutes, but the analysis stop when we don’t detect any new behavior We can analyze over 20 samples on the same machine (VM or real) To grown we need add more RAM memory to allocate more process or add a new machine to get 20 slots more. Very cheap (information for 20 analysis): Only one machine 4Ghz CPU (4 cores) and 4Gb RAM We can stop the analysis when the sample finish the execution.

30 Merovingio numbers 720 samples can be analyzed on each sandbox instance daily 14.400 samples using 20 instances on the sandboxie Only 1 cheap machine to get this numbers

Download ppt "Merovingio: mislead the malware Juan Carlos Montes – INTECO-CERT."

Similar presentations

Pokas x86 Emulator for Generic Unpacking By Amr Thabet

Pokas x86 Emulator for Generic Unpacking By Amr Thabet
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Malware Identification and Classification

Malware Identification and Classification
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chap 2 System Structures.

Chap 2 System Structures.
Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.

Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
ITMS- 3153 Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.

ITMS Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
CS533 Concepts of Operating Systems Class 14 Virtualization.

CS533 Concepts of Operating Systems Class 14 Virtualization.
Operating Systems. What is an Operating System? A layer of software between users/applications and the hardware. The first program loaded onto a computer.

Operating Systems. What is an Operating System? A layer of software between users/applications and the hardware. The first program loaded onto a computer.
Memory Management 2010.

Memory Management 2010.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Operating Systems: Principles and Practice

Operating Systems: Principles and Practice
The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.

The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.
Avira AntiVir Premium Kaiyu Wang. About the Avira AntiVir Premium The Avira AntVir from German. It just has 30MB, but it can kill 1,600,000 virus Fust.

Avira AntiVir Premium Kaiyu Wang. About the Avira AntiVir Premium The Avira AntVir from German. It just has 30MB, but it can kill 1,600,000 virus Fust.

Similar presentations

Ads by Google