Date post: 25-Dec-2015
Why you should never use the internet

Overview

- The Situation
- Infiltration
- Characteristics
- Techniques
- Detection
- Prevention

The Situation: Shit Just Got Real

The players and the game have changed

Criminal organizations* and governments**
- Profit/politically driven
- Cyber weapons
- FBI vs Coreflood
- Professionally developed
- User manuals
- MaaS

* may or may not be organized
** may or may not be criminals

Infiltration

Legitimate (compromised) hosts
- Direct: WordPress hacked
- Indirect: advertisements

Exploit packs

Search Engine Optimization hacks
- Breaking news
- Celebrities (Snooki causes infections)

Social: Facebook, Twitter, etc.

Characteristics (the lines have blurred)

- Virus
- Trojan/Backdoor
- Rootkit
- Scam/Scareware/Ransomware
- Password stealers
- Worms

Techniques

- API Hooking
- Run-time Patching
- Boot sector modification
- Browser Content replacement

API Hooking

Allows malware to intercept Windows API calls

Can be done in user or kernel space, but in kernel space it’s much more powerful

API Hooking: normal call path

USER MODE:   Program -> DeleteFile[A|W] -> NtDeleteFile
KERNEL MODE: System Service Descriptor Table (SSDT) -> ZwDeleteFile

API Hooking: Example (hooked call path)

USER MODE:   Program -> DeleteFile[A|W] -> NtDeleteFile
KERNEL MODE: System Service Descriptor Table (SSDT) -> fakeDelete (-> ZwDeleteFile)

The SSDT entry for the delete service now points at the rootkit's fakeDelete instead of ZwDeleteFile.

API Hooking

Allows rootkits to do a lot of nasty things:
- Hide processes/files
- Hide networking (to a degree)
- Basically take over your system

Fairly straightforward to implement; however, it is easy to detect

Run-time Patching

Replaces API calls with your own by patching the API routine itself

Can achieve the same goals as API hooking, but harder to detect

Run-time Patching: Example

Before patching:
  Target Code

After patching:
  Target Code -> Detour Jump -> Malicious Code -> Jump Back -> Target Code (continues)

Run-time Patching

Very tricky to implement
Harder to detect:
- You have to scan the memory space
- If it's not permanent, an offline analysis isn't very helpful
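An added Python example (not from the talk) of the two checks a GMER-style scanner runs against the two techniques above: SSDT entries that point outside ntoskrnl (API hooking), and a function prologue in memory that starts with a relative JMP and no longer matches the on-disk image (run-time patching). The module ranges, addresses and prologue bytes are constructed for the demo.

```python
import struct

# Constructed kernel module map (name -> [base, end)); the addresses are made up.
MODULES = {"ntoskrnl.exe": (0x80400000, 0x80600000),
           "win32k.sys": (0xBF800000, 0xBF9C0000)}

def owner_of(addr, modules=MODULES):
    """Name of the module whose range holds addr, or None if nothing known."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None

def ssdt_hooks(ssdt, modules=MODULES):
    """SSDT check: every native service pointer should land in ntoskrnl.
    Returns (index, target, owner) for each entry that does not."""
    return [(i, t, owner_of(t, modules)) for i, t in enumerate(ssdt)
            if owner_of(t, modules) != "ntoskrnl.exe"]

def detour_target(func_addr, mem_bytes):
    """If the prologue in memory starts with a 5-byte relative JMP (E9 rel32),
    return where it lands: next-instruction address plus the signed offset."""
    if len(mem_bytes) < 5 or mem_bytes[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", mem_bytes, 1)[0]
    return (func_addr + 5 + rel32) & 0xFFFFFFFF

def inline_hook(func_addr, mem_bytes, disk_bytes, modules=MODULES):
    """Run-time patch check: compare the in-memory prologue with the on-disk
    image. Returns None when they match, else the detour details."""
    if mem_bytes[:len(disk_bytes)] == disk_bytes:
        return None
    target = detour_target(func_addr, mem_bytes)
    return {"jump_to": target,
            "lands_in": owner_of(target, modules) if target is not None else None}

# Constructed sample: NtDeleteFile's on-disk prologue is the usual hot-patch stub
# (mov edi,edi / push ebp / mov ebp,esp); in memory a JMP to an unmapped region
# (a rootkit driver's fakeDelete) has replaced it. Addresses are made up.
NT_DELETE_FILE = 0x804FAB20
FAKE_DELETE = 0xF8A01000
DISK_PROLOGUE = bytes.fromhex("8BFF558BEC")
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", FAKE_DELETE - (NT_DELETE_FILE + 5))
SAMPLE_SSDT = [0x804FAB20, 0x8050C3A0, FAKE_DELETE]

if __name__ == "__main__":
    print(ssdt_hooks(SAMPLE_SSDT))
    print(inline_hook(NT_DELETE_FILE, HOOKED_PROLOGUE, DISK_PROLOGUE))
    print(inline_hook(NT_DELETE_FILE, DISK_PROLOGUE, DISK_PROLOGUE))
```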

Boot Sector Modification

Changes boot sector code to load an alternative boot loader

This boot loader can change the way Windows boots, including disabling checks and protections

Can be difficult to remove (and detect)
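An added Python example (not from the talk) of the kind of check a detection tool runs against this technique: parse the 512-byte MBR, verify the 55AA signature and partition table, and compare the boot code against a known-good hash recorded while the machine was clean. The sector bytes and the baseline hash are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code precedes the disk signature at 0x1B8
PART_TABLE_OFF = 446         # four 16-byte partition entries start at 0x1BE
BOOT_SIG = b"\x55\xAA"

def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIG}

def check_mbr(sector, baseline_sha256):
    """Compare the boot code against a known-good hash taken at install time;
    a mismatch means the first-stage loader was replaced (bootkit-style)."""
    mbr = parse_mbr(sector)
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if digest != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no active partition")
    return findings

# Constructed sample: stand-in boot code (not real loader code), one active NTFS partition
def build_sample(boot_code):
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:] = BOOT_SIG
    return bytes(sector)

CLEAN = build_sample(b"\xEB\x3C\x90" + b"clean-loader".ljust(437, b"\x00"))
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
TAMPERED = build_sample(b"\xEB\x3C\x90" + b"alt-loader".ljust(437, b"\x00"))
```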

Browser Content Replacement

Allows the malware to modify what you see and send in your web browser
Can replace forms, POST data, POST locations, hide data...
"View Source" does nothing: modifications are done in memory
HTTPS is not relevant (the content is intercepted inside the browser, before it is encrypted)

Browser Content Replacement: Zeus botnet

From the user manual:

"Intercepting HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries:
1. Modification of the loaded pages content (HTTP-inject).
2. Transparent pages redirect (HTTP-fake).
3. Getting out of the page content the right pieces of data (for example the bank account balance).
4. Temporary blocking HTTP-injects and HTTP-fakes.
5. Temporary blocking access to a certain URL.
6. Blocking logging requests for specific URL.
7. Forcing logging of all GET requests for specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to specific URL."

Detection

AV (losing the race)

Monitor outbound communications
- TCPView
- Netstat
- Border monitoring
- Outbound-watching IDS (Snort)

Sysinternals
- TCPView
- Procmon
- RootkitRevealer

Detection: GMER

Rootkit detector. Detects:
- Hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden *
- SSDT, IAT, EAT hooks
- MBR modification
- Suspicious drivers
- ...lots more


Prevention

- Update software (not just Windows)
- Windows 7 (x64)
- EMET
- Uninstall Adobe Reader
- Chrome/Firefox
- VMs/Linux/OSX

Further Information

Blogs
- F-Secure: http://www.f-secure.com/weblog/
- Sophos: http://nakedsecurity.sophos.com/
- Inreverse: http://www.inreverse.net/

Online tools
- VirusTotal: http://www.virustotal.com/
- Anubis: http://anubis.iseclab.org/

Samples
- Malware Domain List: http://www.malwaredomainlist.com/
- Offensive Security: http://www.offensivecomputing.net/

LayerOne

Hacker con at the Anaheim Marriott, May 28-29
Hardware Hacking, Lockpicking, Contests
$100 online, $140 at the door

References

- 2010 Websense Threat Report: http://www.websense.com/content/threat-report-2010-introduction.aspx?cmpid=prblog
- Verizon 2011 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf?&src=/worldwide/resources/index.xml&id=
- Microsoft Security Intelligence Report v10: http://www.microsoft.com/security/sir/
- Book: "The Rootkit Arsenal", by Reverend Bill Blunden
- Book: "Malware Analyst's Cookbook", by M. Ligh, S. Adair, B. Hartstein, M. Richard
- Book: "Reversing: Secrets of Reverse Engineering", by Eldad Eilam
- MSDN Documentation: http://msdn.microsoft.com/en-us/library/default.aspx

Questions?

[email protected]

