Date posted: 18-Aug-2015
Malware Armor
Blackhat
Tyler Halfpop, Fidelis Cybersecurity
$ whoami
• Threat Researcher for Fidelis Cybersecurity
• Working on doctorate in computer science
• SANS Lethal Forensicator
• Certifications: CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop
What is Malware Armor?
Malware protections designed to:
1. Make malware more difficult to detect
2. Make malware more difficult to analyze and understand what it is doing
Malware Analysis
1. Dynamic Analysis – safely watch what it does
2. Static Analysis – what can we learn about it without running it
Malware Armor in the Wild (chart; Branco, Barbosa, & Neto 2012)
Types of Malware Armor (chart; Branco, Barbosa, & Neto 2012)
Anti-Virtualization
• Detecting virtualization artifacts (vendor process names, drivers, registry keys, MAC prefixes) or using anti-VM instructions (Red Pill, No Pill, etc.)
• Becoming less common because of the increased usage of virtualization: refusing to run inside a VM now also means skipping real targets in virtualized enterprises
Emotet Anti-Virtualization Example (Kaspersky)
The tool process names are not stored as strings; running process names are hashed and compared with constants:
0xBCF398B5 = vboxservice.exe
0x2C967737 = vmacthlp.exe
0xE3EBFE44 = vmtoolsd.exe
0x61F15513 = vboxtray.exe
(Shulmin, 2015)
• If a VM tools process is detected, the malware contacts fake C2 servers to confuse analysts (Shulmin, 2015).
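When a sample compares hashes instead of strings, the analyst's job is to reproduce the constants: find (or guess) the hash routine, feed it a list of candidate process names and see which values fall out. The following is an added example of that workflow and is not Emotet's code or from the deck; CRC32 and a ROR13 additive hash are assumed candidate routines (the routine Emotet actually uses is not given here), and the hashes asserted on in the demo are constructed from these routines.

```python
"""Resolving hashed process names. A sample like Emotet does not carry the
strings "vboxservice.exe" or "vmtoolsd.exe"; it hashes each running process
name and compares the result with constants, so the analyst has to find a
hash routine plus a candidate list that reproduces those constants.
Added example, not Emotet's code: CRC32 and a ROR13 additive hash are
assumed candidate routines (the one Emotet really uses is not given here),
and the demo values in the test are constructed from these routines."""
import zlib
from typing import Callable, Dict, Iterable, List, Tuple

# Process names an anti-VM check commonly looks for (VirtualBox and VMware tools).
VM_PROCESS_CANDIDATES: List[str] = [
    "VBoxService.exe", "VBoxTray.exe", "vmtoolsd.exe", "vmacthlp.exe",
    "vmwaretray.exe", "vmwareuser.exe", "vmsrvc.exe", "vmusrvc.exe",
]


def ror13_hash(data: bytes) -> int:
    """Rotate-right-13-then-add, the hash many loaders use for API names."""
    h = 0
    for c in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def crc32_hash(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


HASHERS: Dict[str, Callable[[bytes], int]] = {"crc32": crc32_hash, "ror13": ror13_hash}


def hash_name(name: str, algo: str, lower: bool = True) -> int:
    """Hash a name the way a sample might: ASCII bytes, optionally lower-cased
    first. Case handling and encoding (ASCII vs UTF-16) are assumptions to vary."""
    return HASHERS[algo]((name.lower() if lower else name).encode("ascii"))


def resolve_hashes(unknown: Iterable[int], candidates: Iterable[str]) -> Dict[int, Tuple[str, str, bool]]:
    """Map each unknown constant to the (name, algorithm, lower-cased?) that produces it."""
    targets, table = set(unknown), {}
    for name in candidates:
        for algo in HASHERS:
            for lower in (True, False):
                h = hash_name(name, algo, lower)
                if h in targets and h not in table:
                    table[h] = (name, algo, lower)
    return table


def unresolved(unknown: Iterable[int], table: Dict[int, Tuple[str, str, bool]]) -> List[int]:
    """Constants no candidate/routine pair reproduced: the cue to lift the real hash routine from the sample."""
    return sorted(set(unknown) - set(table))


if __name__ == "__main__":
    # The constants from the Emotet slide above. Whatever the two assumed
    # routines fail to reproduce is printed as unresolved.
    emotet = [0xBCF398B5, 0x2C967737, 0xE3EBFE44, 0x61F15513]
    found = resolve_hashes(emotet, VM_PROCESS_CANDIDATES)
    for h, (name, algo, lower) in sorted(found.items()):
        print(f"0x{h:08X} = {name} ({algo}{', lower-cased' if lower else ''})")
    print("unresolved:", [f"0x{h:08X}" for h in unresolved(emotet, found)])
```

Running this against the slide's constants is the first cheap try; when nothing resolves, the next step is to pull the real routine out of the sample (it is usually a short loop near the process enumeration) and drop it into HASHERS.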
Anti-Debugging
• Detect when under the control of a debugger, or interfere with the debugger
• Tons of techniques, but a few are most common
• The "Ultimate" Anti-Debugging Reference by Peter Ferrie (2011) details many of the techniques in a 147-page PDF
Anti-Debugging Windows API
• IsDebuggerPresent() – returns nonzero if the current process is running under a debugger
• There are other APIs as well to look out for: CheckRemoteDebuggerPresent(), NtQueryInformationProcess() with the ProcessDebugPort class, and OutputDebugString() error-code tricks
Decompiled: (screenshot not reproduced)
Manually Checking Process Environment Block (PEB)
IsDebuggerPresent() only reads the BeingDebugged byte of the PEB, so malware reads it directly and avoids the tell-tale import:

    typedef struct _PEB {
      BYTE Reserved1[2];
      BYTE BeingDebugged;
      BYTE Reserved2[1];
      PVOID Reserved3[2];
      PPEB_LDR_DATA Ldr;
      PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
      BYTE Reserved4[104];
      PVOID Reserved5[52];
      PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
      BYTE Reserved6[128];
      PVOID Reserved7[1];
      ULONG SessionId;
    } PEB, *PPEB;

    mov   eax, dword ptr fs:[30h]   ; PEB of a 32-bit process (gs:[60h] on x64)
    movzx ebx, byte ptr [eax+2]     ; PEB.BeingDebugged
    test  ebx, ebx
    jz    NoDebuggerDetected
(Sikorski & Honig, 2012)
The load is movzx: a 32-bit register cannot take a byte operand with plain mov. Analyst counter: zero that byte in the debugger (most debuggers offer a hide-debugger option that does exactly this).
Timing Checks
• time.debug > time.run: single-stepping or hitting a breakpoint makes a stretch of code take far longer than it would unattended, so the malware times itself and bails out, or misbehaves, if the delta is too large

    rdtsc               ; ticks since reboot stored in edx:eax
    xor  ecx, ecx
    add  ecx, eax       ; save the low 32 bits of the first reading
    rdtsc
    sub  eax, ecx       ; cycles elapsed between the two reads
    cmp  eax, 0xFFF
    jb   NoDebuggerDetected
    rdtsc
    push eax            ; "return" to an arbitrary address: crash if a debugger was present
    ret
(Sikorski & Honig, 2012)
• Windows API GetTickCount() can be used in a similar fashion (as can QueryPerformanceCounter())
• The threshold is arbitrary: a busy host or a VM with an unstable TSC can trip it without any debugger; for the analyst, the check dies when the constant or the conditional jump is patched
Anti-Disassembly
• Techniques to make disassemblers mess up
• Disassemblers must make assumptions about how to display code
• x86 has no instruction alignment, and instructions are a variable number of bytes (1 to 15), so decoding from the wrong byte produces a plausible but wrong listing
Two Types of Disassemblers
• Linear sweep (objdump): disassembles code straight through from the beginning to the end, so data embedded in code, or a byte that is jumped over, throws it out of sync
• Recursive traversal (IDA): intelligently follows the control flow and only disassembles what it discovers is reachable, so it is fooled by jump targets it cannot compute and by branches that are never taken (opaque predicates)
(Eagle, 2011)
Shiva Anti-RE (three screenshots; Eagle, 2011)
Obfuscation
• Obscuring programs to make them more difficult to analyze
• Simple substitutions (Caesar, XOR, Base64)
• Real cryptography
• Custom encoding
• Inserted junk code
XOR Loop Strings (screenshot; Lipovsky & Cherepanov, 2015)
Strings are stored XOR-encoded and decoded in a short loop just before use, so neither strings nor a static dump shows them, as seen in Operation Potao Express
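Both the encoding loop and the two standard ways of undoing it without the key are short enough to show in full. The following is an added example (not code from the Potao report or from the deck): the string table layout, the strings and the keys are constructed for the demo. It covers the single-byte case by brute force and the repeating multi-byte key case with a known-plaintext crib, which generalizes the slide's XOR loop to any key length.

```python
"""XOR-loop string obfuscation: the loop a sample runs to hide its strings,
and two ways an analyst recovers them without the key (single-byte brute
force, and a known-plaintext crib against a repeating multi-byte key).
Added example, not code from the Potao report or the deck; all strings,
keys and the blob layout below are constructed for the demo."""
from typing import Dict, List, Tuple


def xor_loop(data: bytes, key: bytes) -> bytes:
    """The loop as malware implements it: byte i XOR key[i mod len(key)].
    XOR is its own inverse, so one routine both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_string_table(strings: List[str], key: bytes) -> bytes:
    """NUL-terminated strings packed back to back, then XORed: the layout
    assumed for an encrypted string table (constructed, not Potao's)."""
    return xor_loop(b"".join(s.encode() + b"\x00" for s in strings), key)


def nul_terminated_strings(buf: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes that end at a NUL.
    Requiring the NUL separates a real decode from the half-readable output
    of a wrong key: letters XOR letters are often still printable, but the
    terminators are no longer NULs."""
    out, run = [], bytearray()
    for b in buf:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if b == 0 and len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out


def score(buf: bytes, min_len: int = 6) -> int:
    """Total bytes of NUL-terminated printable strings; length-weighted so a
    wrong key that happens to expose a few short runs does not win."""
    return sum(map(len, nul_terminated_strings(buf, min_len)))


def brute_single_byte_xor(blob: bytes, min_len: int = 6) -> List[Tuple[int, List[str]]]:
    """Try all 255 non-zero single-byte keys, best decode first."""
    scored = []
    for k in range(1, 256):
        plain = xor_loop(blob, bytes([k]))
        hits = nul_terminated_strings(plain, min_len)
        if hits:
            scored.append((k, hits))
    scored.sort(key=lambda r: (-sum(map(len, r[1])), r[0]))
    return scored


def recover_key_by_crib(blob: bytes, crib: bytes, key_len: int) -> List[Tuple[int, bytes]]:
    """Known-plaintext attack on a repeating key: slide a string the sample
    must contain (an API or DLL name) over the blob; at each offset
    blob XOR crib gives key bytes by position mod key_len, and offsets where
    those bytes agree with each other yield a full candidate key."""
    if len(crib) <= key_len:
        raise ValueError("crib must be longer than the key to constrain it")
    found = []
    for off in range(len(blob) - len(crib) + 1):
        key: Dict[int, int] = {}
        for i, c in enumerate(crib):
            pos, kb = (off + i) % key_len, blob[off + i] ^ c
            if key.setdefault(pos, kb) != kb:
                break
        else:
            found.append((off, bytes(key[p] for p in range(key_len))))
    return found


def best_crib_key(blob: bytes, crib: bytes, key_len: int) -> bytes:
    """Rank candidate keys by how much readable, NUL-terminated text they expose."""
    cands = recover_key_by_crib(blob, crib, key_len)
    if not cands:
        raise ValueError("crib not found at any offset")
    return max(cands, key=lambda c: score(xor_loop(blob, c[1])))[1]


# Constructed sample table: strings a downloader might hide.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "CreateProcessW",
    "http://example.invalid/gate.php",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]
SINGLE_KEY = b"\x41"
MULTI_KEY = b"\x5a\xc3\x17\x88\x2e"

if __name__ == "__main__":
    blob1 = build_string_table(SAMPLE_STRINGS, SINGLE_KEY)
    key, strings = brute_single_byte_xor(blob1)[0]
    print(f"single-byte key 0x{key:02x}:", strings)
    blob5 = build_string_table(SAMPLE_STRINGS, MULTI_KEY)
    key5 = best_crib_key(blob5, b"kernel32.dll", len(MULTI_KEY))
    print("crib-recovered key:", key5.hex(), nul_terminated_strings(xor_loop(blob5, key5)))
```

The length-weighted scoring matters: with the registry path in the table, the key that maps backslashes to NUL also exposes four short "strings", and a plain hit count would rank it level with the real key.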
Packers
• Used to shrink malware
• Make detection more difficult (a static scan sees only the unpacking stub and a compressed blob)
• Make analysis more difficult
• Often combine multiple armoring techniques
Packers (chart; Branco, Barbosa, & Neto 2012)
Top Packers (chart; Branco, Barbosa, & Neto 2012)
UPX (screenshot of a UPX-packed sample)
UPX Unpacked (screenshot): upx -d restores the original binary as long as the packer's own headers were not tampered with
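The indicators an analyst checks before reaching for a debugger (packer section names, sections that are empty on disk but large in memory, near-8-bit entropy, writable-and-executable sections, entry point inside such a section) can be read straight off the PE section table. The following is an added example, not from the deck: the parser reads just enough of the PE headers to reach the section table, the packer section-name list is a short assumed set, and the two sample files are constructed in memory (they are not runnable executables).

```python
"""Packer triage on a PE file: section names, raw-versus-virtual size gaps,
per-section entropy, RWX sections and where the entry point lands are the
quick indicators that a sample is packed (UPX is the easy case: its
sections are literally named UPX0/UPX1). Added example, not from the deck:
the parser reads just enough of the PE headers to reach the section table,
and the two sample files are constructed in memory (not runnable)."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER = struct.Struct("<HHIIIHH")           # IMAGE_FILE_HEADER, 20 bytes
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
# Section names left behind by common packers (UPX, ASPack, Petite, Themida, VMProtect, MPRESS); assumed short list.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
                        b".themida", b".vmp0", b".vmp1", b".vmp2", b"MPRESS1", b"MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> Dict:
    """DOS header -> PE signature -> file header -> optional header (entry point) -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsections, _, _, _, opt_size, _ = FILE_HEADER.unpack_from(pe, e_lfanew + 4)
    opt_off = e_lfanew + 4 + FILE_HEADER.size
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]   # AddressOfEntryPoint, same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            pe, opt_off + opt_size + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0"), "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rsize, "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
                         "characteristics": chars})
    return {"entry_point": entry, "sections": sections}


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Heuristics only: each hit is a reason to suspect packing, not proof."""
    info, hits = parse_pe(pe), []
    for s in info["sections"]:
        name = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{name}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{name}: no raw data but {s['virtual_size']:#x} bytes virtual (unpacking destination)")
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            hits.append(f"{name}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if s["characteristics"] & SCN_MEM_EXECUTE and s["characteristics"] & SCN_MEM_WRITE:
            hits.append(f"{name}: section is both writable and executable")
        span = max(s["virtual_size"], s["raw_size"])
        if (s["virtual_address"] <= info["entry_point"] < s["virtual_address"] + span
                and (s["name"] in PACKER_SECTION_NAMES or s["entropy"] >= entropy_threshold)):
            hits.append(f"entry point {info['entry_point']:#x} is inside packer section {name}")
    return hits


def build_pe(sections: List[Tuple[bytes, int, bytes, int]], entry_section: int) -> bytes:
    """Constructed, non-runnable PE32 image from (name, virtual_size, raw_bytes, characteristics) tuples."""
    def round_up(x: int, a: int) -> int:
        return -(-x // a) * a
    e_lfanew, opt_size, falign, salign = 0x40, 224, 0x200, 0x1000
    raw_ptr = round_up(e_lfanew + 4 + FILE_HEADER.size + opt_size + SECTION_HEADER.size * len(sections), falign)
    first_raw, vaddr, entry, table, body = raw_ptr, salign, 0, b"", b""
    for i, (name, vsize, raw, chars) in enumerate(sections):
        rsize = round_up(len(raw), falign)
        if i == entry_section:
            entry = vaddr
        table += SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, vaddr, rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += round_up(max(vsize, rsize), salign)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = FILE_HEADER.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(first_raw, b"\0") + body


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(-(-n // 32)))[:n]


PACKED_SECTIONS = [   # the shape of a UPX-packed PE32 (constructed)
    (b"UPX0", 0x8000, b"", 0xE0000080),                    # empty on disk, RWX, filled at run time
    (b"UPX1", 0x3000, pseudo_random(0x2000), 0xE0000040),  # compressed payload plus unpacking stub
    (b".rsrc", 0x200, b"\0" * 0x200, 0xC0000040),
]
CLEAN_SECTIONS = [    # an ordinary compiler layout (constructed)
    (b".text", 0x1000, (b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 600)[:0x1000], 0x60000020),
    (b".data", 0x200, b"\0" * 0x200, 0xC0000040),
]

if __name__ == "__main__":
    for label, secs, ep in (("packed", PACKED_SECTIONS, 1), ("clean", CLEAN_SECTIONS, 0)):
        print(label, packer_indicators(build_pe(secs, ep)) or ["no packer indicators"])
```

The entropy threshold of 7.0 is the usual rule of thumb; resource sections holding images or compressed data legitimately exceed it, which is why the entry-point and RWX indicators are checked alongside it rather than alone.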
Conclusion
• Modern malware is often armored and protected with anti-VM, anti-debugging, anti-disassembly, obfuscation, and packers.
• Malware still needs to execute its business, so there is usually a way for skilled analysts to make it reveal its secrets in order to create indicators and better understand attacks
• Malware also still needs to communicate on the network, where we can pick that up
References
Branco, R. R., Barbosa, G. N., & Neto, P. D. (2012). Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-VM technologies. Black Hat USA.
Eagle, C. (2011). The IDA Pro book: The unofficial guide to the world's most popular disassembler (2nd ed.). San Francisco: No Starch Press.
Ferrie, P. (2011). The "ultimate" anti-debugging reference.
Hale Ligh, M., Case, A., Levy, J., & Walters, A. (2014). The art of memory forensics: Detecting malware and threats in Windows, Linux, and Mac memory. Indianapolis: Wiley.
Lipovsky, R., & Cherepanov, A. (2015). Operation Potao Express. ESET. Retrieved from http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
Sikorski, M., & Honig, A. (2012). Practical malware analysis: The hands-on guide to dissecting malicious software. San Francisco: No Starch Press.
Shulmin, A. (2015, April 9). The banking Trojan Emotet: Detailed analysis. Securelist. Retrieved June 7, 2015, from https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
Questions? Thank you!
@tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com