Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Understanding the Malware Threat - 42 School

Understanding the Malware Threat - 42 School

This presentation has been given at the 42 school and discuss about malware techniques.

Thomas Roccia

May 10, 2018
Tweet

More Decks by Thomas Roccia

Other Decks in Technology

Transcript

  1. Malware Understanding the Malware Threat and How to Respond Jean-Pierre

    LESUEUR Full Stack Developer x IT Security Researcher Thomas ROCCIA Security Researcher, Advanced Threat Research at McAfee @DarkCoderSc @fr0gger_
  2. Malware Agenda #1 What is a Malware? # Malware Definition

    # Malware Economy # Malware Attribution #2 Malware Techniques # Infection Vectors # Persistence # Privilege escalation # Evasion Techniques # C&C #3 Malware Analysis # Static Analysis # Dynamic Analysis #4 Usecase Remote Administration Tools (RAT) # Definition # Business Model # Network Architecture # Network Protocol # Payload Configuration #5 Conclusion
  3. What is a Malware? Malware Introduction to Malware – Focus

    on Remote Administration Tool Family An introduction to Malicious Software Malware
  4. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Different families of Malware Virus, Worm Dropper, File Binder / Wrapper / Crypter, Downloader Trojan Backdoor Remote Administration Tools (RAT) HTTP Botnet Scareware / Rogue Ransomware Stealer (Password and/or Files) Spyware, Adware CoinMiners Rootkit / Bootkit What is a Malware? Malware Families
  5. What is a Malware? # Who is behind ? Grey-hat

    Black-hat # Who use them and why ? • Script Kiddies • Criminal Organizations • Governments • Terrorism • IT Security Researcher Who and why
  6. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family What is a Malware? Malware Economy # Criminals are making money with their creation # Using it to steal data # Selling it for other criminals # Creating business model such as Malware as a Service
  7. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family What is a Malware? Malware Economy # Ransomware as a Service Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
  8. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family What is a Malware? Malware Economy # Exploit kits Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/
  9. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family What is a Malware? Malware Attribution # Malware are developed by Humans # Many techniques can lead to attribution # PDB Path # Strings # Code comparison # Tools used # Operating method # Timestamp # Infrastructure reuse
  10. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family What is a Malware? Malware Attribution # Malware are developed by Humans # Many techniques can lead to attribution # PDB Path # Strings # Code comparison # Tools used # Operating method # Timestamp # Infrastructure reuse Attribution can be faked!
  11. Malware Techniques Malware Introduction to Malware – Focus on Remote

    Administration Tool Family Infection / Evasion / C&C / Privilege Escalation Malware
  12. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Infection Vectors Medias USB keys, CD/DVD, (External) Hard Drives Social Networks Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc. Websites Phishing, Distributed Software, Vulnerabilities (JAVA, Flash, Web-browser) Exploits Local Exploits, Remote Exploits, Physical Exploits Network Sharing P2P Software (Torrent, Emule), Network file (NAS, FTP) Email Phishing, attachment
  13. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Infection Vectors # Supply Chain Attack Third Party Infected Download Trojanised Software Source: https://www.youtube.com/watch?v=tX0v-rMcuwc
  14. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Persistence # To survive to reboot Malware need to be persistent on the infected machine. # Registry RUN keys # Task Scheduler # Windows Services # AppInit_DLL # COM Hijacking # Bootkit
  15. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Persistence # Registry RUN Keys # Emotet Malware Example HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  16. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Persistence # Scheduler can be used to run tasks | NotPetya • at <time> shutdown.exe /r /f • schtasks /create /SC once /TN “” /TR shutdown.exe /r /f /ST <time>
  17. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Persistence # Bootkit
  18. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Privilege Escalation # Malware needs to elevate privilege to perform actions To access to sensitive data to steal/modify/encrypt… # Token Manipulation # Bypass User Access Control (UAC) # Vulnerability Exploitation # Hooking # Dump Credentials # Many more
  19. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Privilege Escalation # Token Manipulation | Teslacrypt
  20. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Privilege Escalation # UAC Bypass | Operation HoneyBee cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe # The macro extracts the CAB file into %systemroo%\system32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts # Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections) Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
  21. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Privilege Escalation # Vulnerability Exploitation | Wannacry - EternalBlue # EternalBlue Vulnerability from Equation Group (MS17-010) – Kernel Exploit # Used to spread on the network but also to obtain system privileges https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
  22. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Privilege Escalation # Credentials Dumping | Olympic Destroyer http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
  23. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Malware use Evasion Techniques to avoid detection, analysis https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques Packer/Binder/Crypter Compress/Encrypt, IAT Protect, Code Virtualizing Process Injection Process Hollowing, DLL Injection, Process Doppelganging Sandbox Evasion VM Artifacts, x86 Instructions, Sleep, Running Process Anti-Virus Evasion Disabling AV, file Size, Injection Obfuscation Base64, XOR, Encryption, Hash, Custom Anti-Debugging Windows API, Timing Check, Debugger Detection Anti-Forensic Melting, File-less, Wiper, Removal
  24. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Packers https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
  25. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Process Hollowing | Zcrypt Ransomware
  26. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Antivirus Detection | Pinkslipbot
  27. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Virtual Machine Detection | Pinkslipbot
  28. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Evasion Techniques # Unprotect Project | Malware Evasion Trick Database Unprotect.tdgt.org
  29. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Command & Control # Malware needs to communicate with C&C # Infected machines controlled by the same C&C are called Botnet # Malware use C&C to: # Receive command # Exfiltrate/download data # Get encryption key (Ransomware) or interact to pay the ransom Matthew Andrews/Getty Images/Hemera
  30. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Command & Control # Fast-Flux communication # One domain has multiple IP addresses # Every 3 min or more, host is pointing to another computer # Infected machines can serve of proxy https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
  31. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques Command & Control # Domain Generation Algorithm # Connexion to multiple domains # Lot of domain can be generated by the sample # Attackers can activate one of several servers to allow communication # Conficker worm used this technique https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
  32. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Techniques More Information # Mitre ATT&CK Matrix | https://attack.mitre.org
  33. Malware Analysis Malware Introduction to Malware – Focus on Remote

    Administration Tool Family Process, Techniques, Tools Malware
  34. • Packed? • Encrypted? • Reverse Engineering Malware Introduction to

    Malware – Focus on Remote Administration Tool Family Malware Analysis Process Identification Analysis • Hash calculation • Virus Total… • Anti-Virus • Previous research • Internal Databases Static Dynamic Detection and Remediation • What the malware does? • Which CnC it contacts? • Does it still data? • How does it infects my system? • Sandboxing • Debugging • Monitoring Infected machines • Block CnC • Deploy signature • Clean infected machines • Improve Security
  35. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Analysis Toolkit # Static Analysis # Packer Detection: PEiD, RDG Packer Detect, DIE… # PE Format: Ressource Hacker, PEStudio, StudPE… # Reverse Engineering: IDA, Radare2, DnSPY… # Sysinternals: Strings, Sigcheck… # Utilities: HexEdit, Python…
  36. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Malware Analysis Toolkit # Dynamic Analysis # Process: Process Explorer # Monitoring: Regshot, Procmon, Autoruns, API-Monitor… # Network: Wireshark, Fiddler, CurrPort… # Debugging: OllyDBG, X64DBG… # Sandbox: Cuckoo, Proprietary Sandbox…
  37. # What is a Remote Administration Tool A RAT is

    a Malware Framework designed to take the control of a remote system: • Trojan Backdoor • Botnets • File Binder / Wrapper, Downloader • Stealer • Spyware • Crypter • Worms Commonly offered remote control modules: • Remote Desktop Streaming • Remote Webcam Streaming • Remote Ambient Sound Streaming (Micro) • Keylogger • Password Grabber • System Management • File System Management RAT Introduction
  38. • Backorifice • SubSeven (Sub7) • Optix • Beast •

    LanFiltrator • Institution 2004 • Netbus • Coma • Y3k RAT • Prorat • Mosucker Past generation : Recent generation : • Poison Ivy • Bifrost • Blackshades • Turkojan • DarkComet • NetWire • SpyNet (Xtreme RAT) • NjRAT • NanoCore • L0stD00r • SubSeven (New gen) # Few renowned RAT’s RAT Introduction
  39. One shot The product owner received a one time payment

    and gives in exchange the different application parts. Monthly, Yearly, Version The product owner could also decide to rent his Malware with a subscription limited in time. Extra Services • FUD / UD • Support • Pay per installs • Extra Modules • Training • Open Source Access RAT Business Model
  40. Payment methods: Liberty Reserve Online banking system Western Union Cash

    deposal service PayPal Ease of use Crypto-currency Bitcoin, Monero, Ethereum RAT Business Model
  41. Malware Identify the different parts of the Framework C&C Stub

    Editor Stub Graphical application to take the control of infected machines by the Malware Graphical application designed to configure the Malware The Malware .exe, .js, .bat, .py, .pdf, .docx RAT Identify the Different part of the Framework
  42. Malware Network Protocol • Client / Server based architecture •

    Malware coder can create custom protocol • They can also use existing protocol (HTTP Botnet) • To evade detection, cryptographic principle could be used RAT Network Protocol
  43. # Mode 1 : Direct Connection C&C – Client Connect(89.27.25.120)

    Stub – Server Listen(1403) Out Port (TCP/UDP) > 1403 Internet (Cloud) In Port (TCP/UDP) > 1403 Malware Network Models RAT Network Models
  44. # Mode 2 : Reverse Connection Malware Network Models C&C

    – Client Listen(1403) Stub –Client Connect(45.25.142.32) In Port (TCP/UDP) > 1403 Internet (Cloud) Out Port (TCP/UDP) > 1403 RAT Network Models
  45. # Mode 3 : Hybrid (Direct and/or Reverse) Malware Network

    Models C&C – Client Connect(89.27.25.120) Stub – Server Listen(1403) Out Port (TCP/UDP) > 1403 Internet (Cloud) In Port (TCP/UDP) > 1403 C&C – Client Listen(1403) Stub –Client Connect(45.25.142.32) In Port (TCP/UDP) > 1403 Internet (Cloud) Out Port (TCP/UDP) > 1403 AND / OR RAT Network Models
  46. Malware Network Protocol # Example of communication system Server Client

    Main Thread + Listener Thread (Server) Closed Client New Client Receive Plain / Text Management Thread Receive Buffer Thread Process List File List Reverse shell stdout buffer Webcam Streaming Desktop Streaming File Transfer + + Main Thread + Connection Attempt to C&C routine Thread New Server + Command Parser and Dispatcher Thread Process List File List Remote Desktop Thread + RAT Network Protocol
  47. Malware Network Protocol # Nature of transmitted data CSV kill:14032,1254,12687

    JSON { “action”:”kill”, “data”:[ 14032, 1254, 12687 ] } BYTES (Struct) 4c000000011402000000 0000c0000000000000469 b000800200000005284ce b6f7c8d3015284ceb6f7c 8d3014b5333d55ba3d301 00fa01… RAT Network Protocol
  48. Malware Network Protocol # Use case : Basic File Transfer

    1 2 filesystem;c:\ filesystem;c:\windows,c:\users,c:\Pr ogram Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png... 3 downloadfile;c:\file.pdf 4 downloadfile;c:\file.pdf,10240 5 OK 6 CHUNK 1 CHUNK 2 CHUNK N C&C Infected system file size / packet size = number of packets required for a file transfer RAT Network Protocol
  49. Malware Network Protocol # Encryption Layer Symmetric Encryption RC4 /

    AES / Camelia Key : passw0rd RC4 / AES / Camelia Key : passw0rd Packet Data (Plain, Byte) Cloud Packet Data (Plain, Byte) Hello CF012FA29C Hello CF012FA29C RAT Network Protocol
  50. Malware Network Protocol # Little reminder to XOR Encryption 0

    0 0 1 0 1 0 1 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0 1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1 1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1 1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1 0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0 Plain data Secret key Encrypted data DATA xor KEY = ENCRYPTED_DATA ENCRYPTED_DATA xor KEY = DATA ENCRYPTED_DATA xor DATA = KEY RAT Network Protocol
  51. Malware Network Protocol # Encryption Layer Asymmetric Encryption RSA /

    ECC Remote public key RSA / ECC Local private key Session key Session key Cloud Step 1 : Transmit a generated temporary session key using asymmetric algorithm RC4 / AES / Camelia Key : temporary session key RC4 / AES / Camelia Key : temporary session key Packet Data (Plain, Byte) Cloud Packet Data (Plain, Byte) Hello CF012FA29C Hello CF012FA29C Step 2 : Symmetric encryption using transmitted session key RAT Network Protocol
  52. Malware Payload Configuration • Payload configuration contains important information about

    how to contact the C&C • IP address(es) / Domain Name pointing to IP address(es) • Communication Port(s) • It also contains other important configuration elements such as • Persistence Information's (Startup, Process, File) • Anti’s functions (Anti-VM, Anti-Debugger etc.) • Encryption key (symmetric) • C&C private key for asymmetric traffic encryption (Asymmetric) • Optional file downloader (if dropper module available and enabled) • Embedded files (File Binder / Wrapper) • Fake error messages / events (Open other process) • Etc. RAT Payload Configuration
  53. Malware Payload Configuration • Multiple ways exist to store the

    configuration inside the Stub • PE Resources Section • PE Custom Section • EOF (End Of File) • In the same way of network communication, the configuration could be from any formats • Plaintext : CSV, JSON, XML • Byte encoded structures • Some Malware encrypt configuration data to hide sensitive data's RAT Payload Configuration
  54. Malware Payload Configuration # PE (Portable Executable) Resources .rsrc (Resource

    Section) DOS Segment PE Header Section Tables Section 1 … Section N DOS Header Icon Versions Info Bitmaps Custom Resources Window Resources (Dialogs) * LockResource, LoadResource, UpdateResource, SizeOfResource… RAT Payload Configuration
  55. Malware Payload Configuration # PE (Portable Executable) Sections Section Tables

    Add new section info Section Address : 0x000FF12A Size of section : N Bytes Name of section : malconf Section 1 DOS Segment PE Header Section 1 Section N DOS Header … Custom Section 0x000FF12A Explore PE Header and Sections (PE Bear) JSON / CSV / Structures etc. { "cncaddr": [ "127.0.0.1", "192.168.0.11", "89.214.25.111", "lamer.no-ip.org", "lamer2.dyndns.org" ], "startup": { "enabled": true, "name": "svchost.exe" } [...] } RAT Payload Configuration
  56. Malware Payload Configuration # EOF (End of File) Payload configuration

    is simply appended at the End of the application file. Appending content at the end of an application file doesn’t corrupt the application itself since it is out of the scope defined by the PE Structure (SizeOfImage structure attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER) Most Antivirus detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size. Example (Pascal/Delphi) RAT Payload Configuration
  57. Malware An example of timeline Malware Execution ping + timeout

    delete original copy run installed copy Installed Exit Process Copy to destination location Register location to startup Extract embedded files Download / Execute Initialize Melting Inject code to legitimate process (Explorer.exe ; Iexplore.exe ; firefox.exe) No Create Mutex Exists No Yes Establish a connection to C&C Anti-VM Yes Detected Yes No RAT Infection Process
  58. Malware Introduction to Malware – Focus on Remote Administration Tool

    Family Conclusion # Malware are becoming more and more complex # Security industry and researcher are developping new techniques to fight advanced threats. # Understand the concepts behind malware can help to stay protected
  59. Thank You Jean-Pierre LESUEUR Full Stack Developer x IT Security

    Researcher @DarkCoderSc Thomas ROCCIA Security Researcher, Advanced Threat Research at McAfee @fr0gger_ Q/A