Malware: The Good, the Bad and the Ugly

Posted on 18-May-2015



Pete Arzamendi, CISSP, QSA, PA-QSA, GREM, is a consultant at 403 Labs with over 10 years of experience in systems administration, computer engineering, and information systems security. Pete regularly conducts penetration testing of systems and applications, security assessments, forensic investigations, and compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). This presentation was given at the Milwaukee InfraGard meeting held at Milwaukee Area Technical College (MATC) on August 16, 2012. In it, Pete discusses different types of malware as well as malware and memory analysis, including an overview of analysis tools and some examples pulled from his past experiences.

Transcript

Malware: The Good, the Bad and the Ugly

Pete Arzamendi

403 Labs, LLC

About Me

• Consultant and forensic investigator at 403 Labs
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Certified Information Systems Security Professional (CISSP)
  – GIAC Reverse Engineering Malware (GREM)

About Me

• Former packet monkey, with more than 10 years of experience in the IT field

• Worked with small/medium businesses, and local and state authorities on computer forensic cases and security assessments

• Hobbies include malware analysis, vulnerability research and hiking

About 403 Labs, LLC

• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco

• Experts in the Payment Card Industry (PCI)
  – PCI Forensics Investigator (PFI)
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Approved Scanning Vendor (ASV)
  – Qualified Security Assessor Point to Point Encryption (QSA (P2PE))
  – Payment Application Qualified Security Assessor Point to Point Encryption (PA-QSA (P2PE))

About 403 Labs, LLC

• Compliance assessments (HIPAA, GLBA, SOX, etc.)
• Computer forensic investigations
• Penetration testing including web application testing and social engineering
• Vulnerability scanning
• Code reviews
• IT audits
• Risk assessments
• Policies & procedures

Agenda

• Overview of malware
• Analysis approaches
• User versus kernel space
• Establishing persistence
• Memory analysis
• Examples
• Tools for analysis
• Resources
• Questions

Malware

• Wikipedia definition:
  – Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.

Malware Types

• Data-stealing
  – User credentials
  – Credit card numbers
  – Transferring funds
  – Confidential information
• Remote access
  – Bots
• Profit-based
  – Ransom/extortion
  – Advertisements

Analysis Approaches

• Static analysis
  – Review PE headers
  – Search for clear-text strings
  – Static code review
• Behavioral analysis
  – Registry monitoring
  – File system monitoring
  – Network monitoring

Analysis Approaches

• Which is better?
  – Up to you and your comfort level
• People with a light programming background may choose to start with behavioral analysis
  – I prefer to start with static analysis
    • If stuck, I move to behavioral analysis to fill in the pieces

User Versus Kernel Space Malware

• User space
  – Runs as a normal user, no special privileges
  • Keyloggers
    – Use the Windows APIs GetAsyncKeyState and GetKeyState to read key presses
  • Process scraping for data
    – Accesses each process the user is running looking for data
  • Attempts to blend into the background
    – Renames the executable to match a known Windows executable
  • Easier to write and more stable than rootkits

User Versus Kernel Space Malware

• Kernel space
  – Requires and runs under elevated privileges
  • Rootkits
    – Difficult to get right
    – Attempt to cloak the malware
      » System Service Descriptor Table (SSDT) hooking: changing Nt* function pointers in the SSDT to point to the malware
      » Interrupt Descriptor Table (IDT) hooking: modifying an interrupt service routine pointer to point to the malware

User Versus Kernel Space Malware

• Modify the forward and back links in the ListEntry of the EPROCESS structure to hide the process

Achieving Persistence

• Now that the malware is installed, how do we achieve persistence?
• Several ways to achieve persistence
  – Registry settings
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – Install malware as a service
    • Windows CreateService API

Memory Analysis

• Forensicswiki.org definition:
  – Memory analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer.
• Pete’s definition:
  – Looking at the man behind the curtain and getting intimate with the operating system.

What is Memory Analysis?

• Why is memory analysis useful?
  – Memory contains a wealth of information
• Process information
  – What applications are running
  – Who is running the applications
  – What data the process is working with
  – Ability to recreate the process executable
• Network information
  – Active connection information
  – Listing of open/listening ports
• Account information
  – Usernames
  – Passwords
• Encryption keys
  – Full disk encryption keys

Analyzing Memory

• What are we looking for?
  – Malicious “stuff”
    • API hooks
    • DLL injections
    • Hidden processes
    • Active listeners
  – Non-malicious “stuff”
    • Encryption keys
    • User account information

Analyzing Memory

• So how do we find the goods?
  – Old-school way (very time consuming)
    • Strings
    • Manually rebuild each process’s structures
  – New methods (let the tools do the heavy lifting)
    • Mandiant Audit Viewer/Redline
    • Volatility
    • Encase/FTK
    • Several others

Analyzing Memory

• Mandiant
  – Audit Viewer
    • Requires Memoryze
    • Enumerates processes and drivers, detects DLL hooking
    • Easy to use but clunky
    • Windows only

Audit Viewer

Analyzing Memory

• Mandiant
  – RedLine
    • Easier to use than Audit Viewer
    • Support for other tools (IOC)
    • Nice graph view of what’s going on
    • Customizable audits
    • Windows only

RedLine

Analyzing Memory

• Volatility (awesome!)
  – Cross-platform, written in Python
  – Modular design
  – Open source
  – Large development community (very smart people making modules)
  – Command line
  – Volatility from here on out!
  – Now supports 64-bit

Volatility

Find the Hidden Process

• Compare the output of psscan with the output of pslist
• Easier way: psdiff
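The cross-view check the slide describes, written out as an added example (not code from the talk or from the Volatility project): pslist walks the EPROCESS linked list, so an unlinked process disappears from it, while psscan carves EPROCESS objects out of physical memory and still finds it. The parser below reads Volatility 2-style text output of both plugins and reports processes that psscan sees but pslist does not, ignoring entries with an exit time (terminated processes are also unlinked and would otherwise be false positives). The two sample outputs are constructed for this example; PID 1337 is the planted hidden process.

```python
import re

# One line of pslist or psscan output: offset, name, PID, PPID, then plugin-specific columns.
PROC_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
# Volatility prints "YYYY-MM-DD HH:MM:SS UTC+0000" for creation and exit times.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample output (not from a real image): pslist view of the linked list.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0x8216b020 System                    4      0     53      240 ------      0
0x81f1d5a0 winlogon.exe            620      4     19      514      0      0 2012-08-16 13:58:01 UTC+0000
0x81e6f8e0 explorer.exe           1260    620     14      380      0      0 2012-08-16 13:58:30 UTC+0000
0x81e2a3b8 svchost.exe            1040    620      9      210      0      0 2012-08-16 13:58:35 UTC+0000
"""

# Constructed sample output: psscan view carved from physical memory.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000216b020 System                4      0 0x00319000 2012-08-16 13:57:50 UTC+0000
0x0000000001f1d5a0 winlogon.exe        620      4 0x1e95a000 2012-08-16 13:58:01 UTC+0000
0x0000000001e6f8e0 explorer.exe       1260    620 0x1e9ea000 2012-08-16 13:58:30 UTC+0000
0x0000000001e2a3b8 svchost.exe        1040    620 0x1ea1a000 2012-08-16 13:58:35 UTC+0000
0x0000000001d903c8 svchost.exe        1337   1260 0x1eb3a000 2012-08-16 14:02:11 UTC+0000
0x0000000001d70da0 notepad.exe        2020   1260 0x1ec4a000 2012-08-16 14:05:40 UTC+0000   2012-08-16 14:06:02 UTC+0000
"""


def parse_processes(text):
    """Parse pslist/psscan text into {pid: (name, ppid, exited)}."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        name, pid, ppid, rest = m.groups()
        # Two timestamps on the line means a creation time and an exit time.
        exited = len(TS_RE.findall(rest)) >= 2
        procs[int(pid)] = (name, int(ppid), exited)
    return procs


def find_hidden(pslist_text, psscan_text):
    """Processes present in the psscan view but absent from the pslist view
    and not marked as exited: candidates for an unlinked (hidden) process."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    hidden = []
    for pid, (name, ppid, exited) in scanned.items():
        if pid not in listed and not exited:
            hidden.append((pid, name, ppid))
    return sorted(hidden)


if __name__ == "__main__":
    for pid, name, ppid in find_hidden(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"hidden candidate: {name} PID {pid} (parent {ppid})")
```

On a real image the two text blocks would be the saved output of `vol.py -f image.raw --profile=... pslist` and `psscan`. A result like the planted one (a second svchost.exe whose parent is explorer.exe rather than services.exe) deserves a look at its parent as well as at the fact that it is unlinked.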

Example 1

• Resource section of the executable
  – Normally used for raw resource data:
    • Icons, bitmaps, dialog boxes
• Malware sample used the resource section to store email and IP addresses
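A static-analysis check for exactly this case, as an added example that is not code from the talk: walk the PE section table, pull out the raw bytes of the .rsrc section and search them for IPv4 addresses and email addresses. The minimal PE builder at the bottom only exists so the example runs offline; it constructs a header skeleton with a .text and a .rsrc section, and the strings planted in .rsrc (a TEST-NET address and an example.net mailbox) are sample values, not indicators from the case.

```python
import re
import struct

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pe_sections(data):
    """Return [(name, virtual_address, raw_bytes)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    off = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for _ in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, data[raw_ptr:raw_ptr + raw_size]))
        off += 40
    return sections


def scan_resource_section(pe_bytes):
    """Search only the .rsrc section for ASCII IP and email strings."""
    found = {"ips": [], "emails": []}
    for name, _, raw in pe_sections(pe_bytes):
        if name != ".rsrc":
            continue
        found["ips"] += [m.decode() for m in IPV4_RE.findall(raw)]
        found["emails"] += [m.decode() for m in EMAIL_RE.findall(raw)]
    return found


def build_sample_pe(rsrc_payload):
    """Construct a minimal, non-executable PE skeleton for the demo (sample data)."""
    opt_size = 0xE0  # PE32 optional header size
    text_raw = b"not scanned 10.0.0.1\x00".ljust(32, b"\x00")  # decoy outside .rsrc
    text_ptr, rsrc_ptr = 0x200, 0x400
    img = bytearray(rsrc_ptr + len(rsrc_payload))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", img, 0x44 + 20, 0x10B)      # PE32 magic
    off = 0x44 + 20 + opt_size
    hdr = "<8sIIIIIIHHI"
    struct.pack_into(hdr, img, off, b".text", len(text_raw), 0x1000,
                     len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(hdr, img, off + 40, b".rsrc", len(rsrc_payload), 0x2000,
                     len(rsrc_payload), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    img[text_ptr:text_ptr + len(text_raw)] = text_raw
    img[rsrc_ptr:rsrc_ptr + len(rsrc_payload)] = rsrc_payload
    return bytes(img)


# Constructed resource blob: a fake icon header followed by planted strings.
SAMPLE_RSRC = (b"\x00\x00ICON\x00\x00"
               b"logs go to 198.51.100.23\x00"
               b"mailto:drop.box@example.net\x00"
               b"version 1.2.3\x00")
SAMPLE_PE = build_sample_pe(SAMPLE_RSRC)

if __name__ == "__main__":
    print(scan_resource_section(SAMPLE_PE))
```

Real samples often store such strings as UTF-16 (wide) resources; a second pass over `raw.decode("utf-16le", "ignore")` with the same patterns catches those. Tools like PEview from the slides give the same section boundaries interactively.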

Example 1

• Known and widely-used malware
  – Perfect Keylogger
  – Process scraper – hkcmd.exe
• Malware sent data to foreign IP addresses via HTTP and SMTP
• One of several similar cases

Example 2

• Encoded files
  – Perfect Keylogger configuration file encoded with a simple XOR
  – 0x00 XOR 0xAA = 0xAA, thus 0xAA was the key to decrypt the configuration and data files
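The key-recovery reasoning from the slide, as an added example (not the talk's own script): a configuration file padded with NUL bytes and encoded with a single-byte XOR leaks its key, because 0x00 XOR key = key, so the most frequent ciphertext byte is the key. The sample configuration below is constructed for this example; the field names and addresses in it are made up.

```python
from collections import Counter


def xor_decode(data, key):
    """Single-byte XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(data, expected_byte=0x00):
    """Assume the most frequent ciphertext byte encodes expected_byte (NUL padding)."""
    most_common, _ = Counter(data).most_common(1)[0]
    return most_common ^ expected_byte


def make_sample():
    """Constructed stand-in for a keylogger config: NUL-padded fixed-width fields, XOR 0xAA."""
    fields = [b"log_to=ftp://192.0.2.10/upload",
              b"mail=analyst@example.net",
              b"interval=60"]
    plain = b"".join(f.ljust(48, b"\x00") for f in fields)
    return xor_decode(plain, 0xAA), plain


if __name__ == "__main__":
    encoded, _ = make_sample()
    key = recover_single_byte_xor_key(encoded)
    print(f"recovered key: 0x{key:02X}")
    print(xor_decode(encoded, key).replace(b"\x00", b"").decode())
```

The same trick works when the dominant plaintext byte is a space (0x20) or another known filler; pass it as `expected_byte`. When no single byte dominates, the file is probably not a single-byte XOR and a multi-byte key or a real cipher should be considered.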


Example 2

• Decode configuration file and data files
• Configured to send its log information to an IP address in Canada and the email address michaeljackson***********@yahoo.com

Example 2

• Shipping the goods
  – Process scraping malware sending data via FTP
  – Once the malware sends the file it removes it from disk
  – Investigating swap and unallocated space comes in handy


Example 2

• Keep on trucking
  – The malware creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – This will cause the malware to run every time a user logs into the system
• Hides under c:\windows to appear legitimate
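An audit of the Run/RunOnce keys from the persistence slide, applied to the two tells in this case (an executable sitting directly in c:\windows, and a name borrowed from a known Windows binary): this is an added example, not a tool from the talk. It parses a `.reg`-style export of the four autorun keys and flags entries whose executable lives in the Windows root or in a user-writable directory, or whose file name matches a known system executable but whose directory does not. The export text and the small table of expected locations are constructed for the example; the table is an assumption to be replaced with your own baseline.

```python
import ntpath
import re

RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumed baseline of where these names normally live (illustrative, not authoritative).
KNOWN_SYSTEM_EXES = {
    "hkcmd.exe": "c:\\windows\\system32",
    "igfxtray.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
}

# Constructed .reg export of the autorun keys (sample data, not from the case).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\Windows\\system32\\igfxtray.exe"
"hkcmd"="C:\\Windows\\hkcmd.exe"
"Updater"="\"C:\\Users\\pete\\AppData\\Roaming\\svc\\update.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\system32\\cmd.exe /c del C:\\tmp\\x.log"
'''


def unescape_reg(value):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", value)


def extract_exe(command):
    """Pull the executable path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]


def assess(exe_path):
    """Return the reasons an autorun executable looks suspicious (empty = none)."""
    reasons = []
    directory, filename = ntpath.split(exe_path)
    d = directory.lower().rstrip("\\")
    f = filename.lower()
    if d == "c:\\windows":
        reasons.append("executable directly under C:\\Windows rather than a system subdirectory")
    if any(p in d + "\\" for p in ("\\appdata\\", "\\temp\\", "\\users\\")):
        reasons.append("executable in a user-writable location")
    if f in KNOWN_SYSTEM_EXES and d != KNOWN_SYSTEM_EXES[f]:
        reasons.append(f"{filename} normally lives in {KNOWN_SYSTEM_EXES[f]}")
    return reasons


def audit_run_keys(reg_text):
    """Yield (key, value_name, exe_path, reasons) for every flagged autorun entry."""
    flagged = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # ignore keys we are not auditing
            continue
        m = VALUE_RE.match(line)
        if current_key and m:
            name, raw_value = m.groups()
            exe = extract_exe(unescape_reg(raw_value))
            reasons = assess(exe)
            if reasons:
                flagged.append((current_key, name, exe, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, exe, reasons in audit_run_keys(SAMPLE_REG):
        print(f"{key}\\{name} -> {exe}")
        for r in reasons:
            print(f"    {r}")
```

On a live system the input would come from `reg export` of each key (or from Autoruns, listed in the tools slides); on an image, from the SOFTWARE and NTUSER.DAT hives. Nothing here proves malice; it orders the entries by how much they deserve a look.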


Example 3

• Malware
  – Known process scraping malware package
  – Malware was running as a service
  – Retrieved data via remote access

Example 3

• Malware searching memory for credit card numbers

Example 3

• Malware taking hold
  – Example of the malware installing itself as a service to survive reboots

What’s on the Horizon?

• More browser-based attacks
  – Browser-specific attacks
  – Java
  – Flash
• More malicious documents
  – Microsoft Office documents
  – Adobe PDFs

What’s on the Horizon?

• More mobile device attacks
  – Android
  – Apple iOS
  – Windows Mobile
• Stealthier malware
  – Resident only in memory and not on disk

Useful Tools – Malware Analysis in Windows

• Static analysis
  – IDA Pro
  – PEiD
  – PEview
  – Volatility
  – RedLine

Useful Tools – Malware Analysis in Windows

• Dynamic analysis
  – WinDbg
  – OllyDbg
  – Immunity Debugger
  – SysInternals Suite (Strings, Autoruns, Process Monitor, Process Explorer)
  – Regshot
  – LordPE

Resources

• Microsoft Windows Developers Network
  – msdn.microsoft.com
• Openrce.org
  – http://www.openrce.org/articles/
• Volatility
  – http://code.google.com/p/volatility/
• Offensivecomputing.net
  – http://www.offensivecomputing.net
• Windows – Managing Virtual Memory
  – http://msdn.microsoft.com/en-us/library/ms810627.aspx
• REMnux
  – http://zeltser.com/remnux/

Resources

• Intel Assembly manuals
  – http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html/
• IDA Blog
  – http://www.hexblog.com/?cat=3
• IDA disassembler and debugger
  – http://www.hex-rays.com/products/ida/index.shtml
• Immunity Debugger and OllyDbg
  – http://www.immunitysec.com/products-immdbg.shtml
  – http://www.ollydbg.de/

Questions?

Thank you for staying awake!

Peter “bokojan” Arzamendi parzamendi[at]403labs[dot]com

403 Labs, LLC

www.403labs.com

877.403.LABS