Posted: 25-Dec-2015
The Situation: Shit Just Got Real
The players and the game have changed.

Criminal organizations*                 Governments**
- Profit driven                         - Politically driven
- Professionally developed              - Cyber weapons
- User manuals                          - FBI vs Coreflood
- MaaS (malware as a service)

* may or may not be organized
** may or may not be criminals
Infiltration
- Legitimate (compromised) hosts
  - Direct: WordPress hacked
  - Indirect: advertisements
- Exploit packs
- Search engine optimization hacks
  - Breaking news
  - Celebrities (Snookie causes infections)
- Social: Facebook, Twitter, etc.
Characteristics (the lines have blurred)
- Virus
- Trojan/Backdoor
- Rootkit
- Scam/Scareware/Ransomware
- Password stealers
- Worms
API Hooking
- Allows malware to intercept Windows API calls
- Can be done in user or kernel space, but in kernel space it is much more powerful: one hook in the system call table catches every process, not just the one whose DLL was patched
API Hooking (diagram)
USER MODE:   Program -> DeleteFile[A|W] -> NtDeleteFile (ntdll stub, issues the system call)
KERNEL MODE: System Service Descriptor Table (SSDT) -> ZwDeleteFile

API Hooking: Example (diagram)
USER MODE:   Program -> DeleteFile[A|W] -> NtDeleteFile
KERNEL MODE: SSDT entry for the delete service now points to fakeDelete instead of ZwDeleteFile
API Hooking
- Allows rootkits to do a lot of nasty things: hide processes and files, hide networking (to a degree), and basically take over your system
- Fairly straightforward to implement; however, it is easy to detect, because a hooked table entry points outside the kernel image and a scanner only has to compare pointers
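The two diagrams above reduce to a table lookup, so they can be modelled in user space. The following is an added example, not code from the slides or from any rootkit: a two-entry dispatch table stands in for the SSDT, install_hook() swaps the delete entry for fakeDelete exactly as the "API Hooking: Example" slide shows, and scan_ssdt() detects the hook the way the rootkit scanners listed later do for the real table, by comparing each live entry against a trusted copy. Service indices, status values, the "\rootkit\" path marker and the function names are assumptions for illustration; nothing here touches a real kernel.

```c
#include <stdio.h>
#include <string.h>

/* Service indices and NTSTATUS-like codes used by the model
 * (assumed values; real SSDT indices vary by Windows build). */
enum { SVC_CREATE_FILE = 0, SVC_DELETE_FILE = 1, SVC_COUNT = 2 };
enum { STATUS_SUCCESS = 0, STATUS_OBJECT_NAME_NOT_FOUND = 2 };

typedef int (*syscall_fn)(const char *path);

/* Stand-ins for the kernel's real Nt* implementations. */
static int real_NtCreateFile(const char *path) { (void)path; return STATUS_SUCCESS; }
static int real_NtDeleteFile(const char *path) { (void)path; return STATUS_SUCCESS; }

/* The live dispatch table (our "SSDT") and the trusted copy a scanner
 * keeps, or rebuilds from the kernel image on disk. */
static syscall_fn ssdt[SVC_COUNT] = { real_NtCreateFile, real_NtDeleteFile };
static const syscall_fn ssdt_clean[SVC_COUNT] = { real_NtCreateFile, real_NtDeleteFile };

/* The rootkit's hook from the example slide: anything under the
 * rootkit's own directory is reported as non-existent, so it can never
 * be deleted; every other path is forwarded so the system keeps
 * behaving normally and the user notices nothing. */
static int fakeDelete(const char *path) {
    if (strstr(path, "\\rootkit\\") != NULL)
        return STATUS_OBJECT_NAME_NOT_FOUND;
    return real_NtDeleteFile(path);
}

void install_hook(void) { ssdt[SVC_DELETE_FILE] = fakeDelete; }
void remove_hook(void)  { ssdt[SVC_DELETE_FILE] = real_NtDeleteFile; }

/* What the user-mode chain DeleteFile[A|W] -> NtDeleteFile -> system
 * call reduces to: a lookup by service index in the live table. */
int DeleteFileA(const char *path) { return ssdt[SVC_DELETE_FILE](path); }

/* Scanner: index of the first entry that no longer points where the
 * trusted copy says it should, or -1 when the table is clean.  One
 * pointer compare per entry is all it takes, which is why SSDT hooks
 * are easy to detect. */
int scan_ssdt(void) {
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != ssdt_clean[i]) return i;
    return -1;
}

int main(void) {
    printf("scan before hook: %d\n", scan_ssdt());
    install_hook();
    printf("DeleteFileA(C:\\rootkit\\r.sys) -> %d\n", DeleteFileA("C:\\rootkit\\r.sys"));
    printf("DeleteFileA(C:\\tmp\\a.txt)     -> %d\n", DeleteFileA("C:\\tmp\\a.txt"));
    printf("scan after hook: entry %d hooked\n", scan_ssdt());
    remove_hook();
    return 0;
}
```

Real scanners do not have a saved copy of the boot-time table; they rebuild the expected entry addresses from the ntoskrnl image on disk, or simply flag any entry whose address falls outside the kernel's loaded image range. Either way the check is the same pointer comparison shown in scan_ssdt().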
Run-time Patching
- Replaces an API call with your own by patching the API routine itself in memory, rather than redirecting a table entry
- Can achieve the same goals as API hooking, but is harder to detect

Run-time Patching
- Very tricky to implement; harder to detect
- You have to scan the memory space of the process: if the patch is not persisted to disk, an offline analysis of the executable isn't very helpful
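The detection problem above is that the file on disk stays pristine while the copy in memory changes. The following is an added example, not code from the slides: it models an inline patch on a constructed 16-byte prologue rather than on a live function. patch_prologue() overwrites the first five bytes with an x86 `jmp rel32` to a detour, which is the classic run-time patch, and scan_prologue() does what a memory scanner has to do: compare the live bytes against the file image. The prologue bytes, addresses and the detour are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16

/* Constructed: a typical x86 function prologue as it sits in the
 * executable on disk (push ebp / mov ebp,esp / sub esp,0x40 / ...). */
static const uint8_t image_on_disk[PROLOGUE_LEN] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x8B, 0x75, 0x0C, 0x90 };

/* The loaded copy in the process, plus the bytes the patcher saves so
 * it can restore the original (or call it as a trampoline). */
static uint8_t image_in_memory[PROLOGUE_LEN];
static uint8_t saved_bytes[5];

void load_image(void) { memcpy(image_in_memory, image_on_disk, PROLOGUE_LEN); }

/* Inline patch: write E9 <rel32> at the function entry.  rel32 is
 * relative to the end of the 5-byte jmp, so the displacement is
 * detour - (func + 5), computed modulo 2^32 like the CPU does. */
void patch_prologue(uint32_t func_addr, uint32_t detour_addr) {
    uint32_t rel = detour_addr - (func_addr + 5);
    memcpy(saved_bytes, image_in_memory, 5);
    image_in_memory[0] = 0xE9;
    image_in_memory[1] = (uint8_t)(rel);
    image_in_memory[2] = (uint8_t)(rel >> 8);
    image_in_memory[3] = (uint8_t)(rel >> 16);
    image_in_memory[4] = (uint8_t)(rel >> 24);
}

/* Put the original bytes back; a non-persistent patch leaves no trace
 * on disk and none in memory once this has run. */
void unpatch_prologue(void) { memcpy(image_in_memory, saved_bytes, 5); }

/* Memory scanner: first offset where live code differs from the file
 * image, or -1 if the two match. */
int scan_prologue(void) {
    for (int i = 0; i < PROLOGUE_LEN; i++)
        if (image_in_memory[i] != image_on_disk[i]) return i;
    return -1;
}

/* Offline scanner: the file is never modified, so this always says
 * "clean" no matter what was done in memory. */
int scan_disk_image(void) { return -1; }

/* Decode where a patched entry jumps to, which is what a scanner
 * reports so the analyst can find the detour. */
uint32_t patched_target(uint32_t func_addr) {
    uint32_t rel = (uint32_t)image_in_memory[1]
                 | (uint32_t)image_in_memory[2] << 8
                 | (uint32_t)image_in_memory[3] << 16
                 | (uint32_t)image_in_memory[4] << 24;
    return func_addr + 5 + rel;
}

int main(void) {
    load_image();
    printf("memory scan before patch: %d\n", scan_prologue());
    patch_prologue(0x77E12340u, 0x00401000u);
    printf("memory scan after patch: offset %d, jmp -> 0x%08X\n",
           scan_prologue(), patched_target(0x77E12340u));
    printf("disk scan after patch: %d (sees nothing)\n", scan_disk_image());
    unpatch_prologue();
    printf("memory scan after unpatch: %d\n", scan_prologue());
    return 0;
}
```

The detour address here is far below the function, so rel32 wraps around; that is normal for a jmp from a system DLL into injected code and is exactly the kind of out-of-module target a scanner flags. Real scanners repeat this compare for every exported function of every loaded module, which is why the memory space has to be walked in full.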
Boot Sector Modification
- Changes boot sector code to load an alternative boot loader
- This boot loader can change the way Windows boots, including disabling checks and protections
- Can be difficult to remove (and detect)
Browser Content Replacement
- Allows the malware to modify what you see and what you send in your web browser
- Can replace forms, POST data, POST locations, hide data...
- "View Source" does nothing: modifications are done in memory, after the page has been received
- HTTPS is not relevant: the hook sits inside the browser process, after the response is decrypted and before the request is encrypted, so the padlock still shows
Browser Content Replacement: Zeus botnet
From the user manual:
"Intercepting HTTP/HTTPS requests from the wininet.dll (Internet Explorer, Maxton, etc.) and nspr4.dll (Mozilla Firefox) libraries:
1. Modification of the loaded pages' content (HTTP-inject).
2. Transparent page redirect (HTTP-fake).
3. Getting the right pieces of data out of the page content (for example the bank account balance).
4. Temporary blocking of HTTP-injects and HTTP-fakes.
5. Temporary blocking of access to a certain URL.
6. Blocking logging of requests for a specific URL.
7. Forcing logging of all GET requests for a specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to a specific URL."
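Item 1 (HTTP-inject) and the "hide data" bullet on the previous slide are the same mechanism: the page body is rewritten in memory between anchors before the browser renders it. The following is an added example, not the Zeus code: a minimal inject engine whose rule shape (data_before / data_after / data_inject) is borrowed from the Zeus webinject configuration style; the exact syntax is an assumption here, since the slides do not show it. The sample pages, the extra "ATM PIN" field and the fake balance are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One webinject rule: whatever sits between data_before and data_after
 * in the page is replaced by data_inject.  An empty data_after means
 * nothing is removed, only inserted. */
struct inject_rule {
    const char *data_before;
    const char *data_after;
    const char *data_inject;
};

/* Constructed sample: the login page the bank actually served. */
const char *SAMPLE_PAGE =
    "<html><body><form method=\"POST\" action=\"/login\">"
    "User: <input type=\"text\" name=\"user\"><br>"
    "Password: <input type=\"password\" name=\"pass\"><br>"
    "<button>Log in</button></form></body></html>";

/* Constructed sample: an account overview page with a balance cell. */
const char *ACCOUNT_PAGE =
    "<table><tr><td>Balance</td><td id=\"bal\">$12,345.67</td></tr></table>";

/* Rule 1: add a PIN field after the password input.  The bank never
 * sent it, but the form POSTs it to the bank's real URL where the
 * malware also reads the POST data. */
const struct inject_rule PIN_RULE = {
    "name=\"pass\"><br>",
    "",
    "ATM PIN: <input type=\"password\" name=\"atm_pin\"><br>"
};

/* Rule 2: hide data.  Replace the real balance so a victim whose
 * account is being drained keeps seeing a plausible number. */
const struct inject_rule BALANCE_RULE = { "<td id=\"bal\">", "</td>", "$2.00" };

/* Rule whose anchor does not exist on the page: the rule must not fire. */
const struct inject_rule MISS_RULE = { "<form id=\"nope\"", "", "x" };

/* Returns a malloc'd rewritten page, or NULL when an anchor is missing
 * (the page then passes through unchanged). */
char *http_inject(const char *page, const struct inject_rule *r) {
    const char *start = strstr(page, r->data_before);
    if (!start) return NULL;
    start += strlen(r->data_before);
    const char *end = start;
    if (r->data_after[0]) {
        end = strstr(start, r->data_after);
        if (!end) return NULL;
    }
    size_t head = (size_t)(start - page);
    size_t inj  = strlen(r->data_inject);
    size_t tail = strlen(end);
    char *out = malloc(head + inj + tail + 1);
    if (!out) return NULL;
    memcpy(out, page, head);
    memcpy(out + head, r->data_inject, inj);
    memcpy(out + head + inj, end, tail + 1);   /* includes the NUL */
    return out;
}

/* Count non-overlapping occurrences of needle in s. */
int count_occurrences(const char *s, const char *needle) {
    int n = 0;
    size_t len = strlen(needle);
    for (const char *p = strstr(s, needle); p; p = strstr(p + len, needle)) n++;
    return n;
}

/* Apply a rule and report how often needle appears in the result;
 * -1 means the rule did not fire. */
int inject_count(const char *page, const struct inject_rule *r, const char *needle) {
    char *out = http_inject(page, r);
    if (!out) return -1;
    int n = count_occurrences(out, needle);
    free(out);
    return n;
}

int main(void) {
    char *login = http_inject(SAMPLE_PAGE, &PIN_RULE);
    char *acct  = http_inject(ACCOUNT_PAGE, &BALANCE_RULE);
    printf("login page as rendered:\n%s\n\naccount page as rendered:\n%s\n",
           login ? login : "(unchanged)", acct ? acct : "(unchanged)");
    free(login);
    free(acct);
    return 0;
}
```

Because the rewrite happens on the decrypted buffer inside the browser, TLS, the padlock icon and a clean "View Source" from a second machine all tell the truth about what the bank sent while the victim sees something else; the only reliable comparison is the page body as fetched by an uninfected client versus the DOM the victim's browser actually rendered.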
Detection
- AV (losing the race)
- Monitor outbound communications: TCPView, Netstat, border monitoring, an outbound-watching IDS (Snort)
- Sysinternals: TCPView, Procmon, RootkitRevealer
Detection: GMER
Rootkit detector. Detects:
- Hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden*
- SSDT, IAT and EAT hooks
- MBR modification
- Suspicious drivers
- ...lots more
Prevention
- Update software (not just Windows)
- Windows 7 (x64)
- EMET
- Uninstall Adobe Reader
- Chrome/Firefox
- VMs/Linux/OSX
Further Information
Blogs:
- F-Secure: http://www.f-secure.com/weblog/
- Sophos: http://nakedsecurity.sophos.com/
- Inreverse: http://www.inreverse.net/
Online tools:
- VirusTotal: http://www.virustotal.com/
- Anubis: http://anubis.iseclab.org/
Samples:
- Malware Domain List: http://www.malwaredomainlist.com/
- Offensive Computing: http://www.offensivecomputing.net/
LayerOne
Hacker con at the Anaheim Marriott, May 28-29
- Hardware hacking, lockpicking, contests
- $100 online, $140 at the door