Mechanics of Malware's Darkside

Transcript

1. The Mechanics of Malware’s Darkside

2. Who am I ? Yagneshwaran Prabagaran Student | QA Analyst

   Current Interest: • Malware Analysis • OSINT • Threat Hunting Email : [email protected] Mechanics of Malware’s Darkside

3. Who am I ? Laura Harris Security Analyst Current Interest:

   • Malware Analysis • Defender → Offensive • Forensics • Wearable Technology Email : [email protected] Mechanics of Malware’s Darkside

4. • We are not an Expert at Reverse Engineering. •

   We are not analyzing any complex malware. • This is more or like getting started with Malware Analysis and understanding the process. Disclaimer:

5. Outline ❖ Intro to Malware ❖ Reasons for analyzing Malware?

   ❖ Creating a Sandbox environment ❖ Basic Static Analysis ❖ Basic Dynamic Analysis ❖ Writing Malware Signature Mechanics of Malware’s Darkside

6. Introduction about Malware A piece of code that performs malicious

   action to steal data, spy on someone and or gain unauthorized access. Example: • Emotet • Zeus • ATMDtrack • Sodinokibi • NotPetya Mechanics of Malware’s Darkside

7. Malware Analysis? This is the process of understanding the origin,

   functionality and impact of any given malware sample. Mechanics of Malware’s Darkside

8. Why do we analyze malware? • To determine the purpose

   • To analyze the damage done • To collect Indicators of Compromise (IOC) Mechanics of Malware’s Darkside

9. Why do we analyze malware? • To classify the malware

   family • To identify if any vulnerability was exploited and patch it • To create detection signatures Mechanics of Malware’s Darkside

10. Creating a Safe Environment 1. Use virtualization to make things

    easy 2. Install Windows Image on VMware/VirtualBox etc 3. Install Linux image on Vmware/Virtualbox 4. Disable any shared folders. 5. Configure “host only” network. 6. Uncheck “Automatically connect USB devices” * *DO NOT RUN MALWARE ON YOUR OWN COMPUTER** Mechanics of Malware’s Darkside

11. Setting up - REMnux (Linux) https://remnux.org/docs/distro/get/ Launch Fakenet Change Ip

    address to static Import File into virtualization application Download REMnux OVA file Mechanics of Malware’s Darkside

12. Fakenet-NG • Intercepts & redirects all or specific network traffic.

    • Simulates legitimate network services. Mechanics of Malware’s Darkside

13. Setting up - Flare VM (windows) Modify DNS and Gateway

    to point to REMnux Execute “./install.ps1” in powershell. Run PowerShell and “Set-ExecutionPolicy Unrestricted” Download Flare-VM package from GitHub https://github.com/fireeye/flare-vm Mechanics of Malware’s Darkside

14. Mechanics of Malware’s Darkside

15. Structure of PE filetype Mechanics of Malware’s Darkside

16. Is a standard file format for • windows executables •

    Object code • DLLs • Font files and core dumps. Portable Executable Format (PE) Header (Technical details) Sections [contents of the executables] Mechanics of Malware’s Darkside

17. Used to display that this is a valid binary. The

    first field, e_magic will almost always be set to value to 0x54AD ( MZ). MZ= Mark Zbikowski **Magic byte is reliable but not always an indicator of a PE file**
18. None

19. Defines what the rest of the file looks like -Location

    -size of code

20. Further info about the executable -Entry point location -OS version

    -Initial Stack size

21. Pointers to import, export and resource structures.

22. Important content of the file is found here : •

    Code • Data • Resources • Additional exe files

23. The executable code

24. Link between the executable and windows libraries

25. Information used by the executed code.

26. Predefined Sections .text Contains executable code .data read/write data and

    global variables .rdata Read-only data .idata Import table .edata Export information .rsrc Icons,dialogs,menus,strin gs etc **Some may not need all and some may need new ones to be created**

27. CFF Explorer Import Directory: 4 dll’s are imported and functions

    such as GetProcAddress and VirtualAlloc are used.
28. None

29. Types of Analysis Mechanics of Malware’s Darkside

30. Static Analysis Is examining a file without executing it. Dissecting

    “dead” code. Benefits: It allows experts to quickly decide if a file is malicious. Provides insight into functionality Technical indicators can be used in detection signatures. Mechanics of Malware’s Darkside

31. Antivirus checks Scan new malware with up to date anti

    virus prior to analysis. 1. Have other people submitted? 2. Reduces time on analysis Note: Sample will be made publicly available once uploaded to VirusTotal Mechanics of Malware’s Darkside

32. Cryptors and Packers

33. Packers “Runtime Packer” Runtime Packers takes the malware compresses it,

    or otherwise transforms it, making the file harder to recognize. Reasons for Packing: 1. To make files smaller 2. To bypass detection or to counter analysis Mechanics of Malware’s Darkside

34. Crypters “Obfuscation” Reasons for using a Crypter: 1. Acts as

    the first layer of defense for the malware 2. Helps to defend malware against AV’s. Encrypts the uploaded malware, but in addition to encryption it offers additional options to make the executable as hard to detect as possible by security software. Mechanics of Malware’s Darkside

35. To identify packed executable: 1.Exeinfo PE Mechanics of Malware’s Darkside

36. 2.PEiD

37. 3.UPX command line Example: upx -d sample1.exe -o unpack.exe

38. Difference in Virtual Size of the section and Raw Size

    can also be used as an indicator of packed file. Mechanics of Malware’s Darkside

39. Strings Strings are defined as sequence of printable characters found

    in the code. (ASCII and UNICODE) Mechanics of Malware’s Darkside

40. Strings Examining the malware for strings can contain references to

    • Filenames • URL’s • Domain Names • IP address • Attack commands • Registry keys and so on. Mechanics of Malware’s Darkside

41. Extracting Strings Tools to Extract Strings: • String utility in

    command line ◦ Example: Strings “sample1.exe” • Right click file and select Strings utility for GUI method. • FLOSS (FireEye Labs Obfuscated String Solver) tool Mechanics of Malware’s Darkside

42. String utility using Command Line Interface

43. Right click select Strings for Graphical User Interface

44. Limitations of Basic Static Analysis • Encrypted malware samples cannot

    be analyzed without understanding the type of encryption. • Strings found in the malware sample does not necessarily mean they are called during run-time. • Malware writers insert irrelevant garbage code to confuse the analysts. Mechanics of Malware’s Darkside

45. Dynamic Analysis Allows experts to understand the behavioural indicators of

    the malware sample when executed in real time. ** Some functions may be embedded in the malware to counter analysis ** Mechanics of Malware’s Darkside

46. Runtime Analysis - Dynamic Note: It is important to perform

    dynamic analysis on a Sandbox environment to contain the effects of malware within the virtual machine. Snapshot Feature: • Capture the state of memory, hard disk and configuration of the virtual machine. • Post Analysis, can revert back to clean state of machine. • Install new tools/update Flare VM packages and take a new snapshot when needed. Mechanics of Malware’s Darkside

47. Persistence Mechanics of Malware’s Darkside

48. Persistence For persistence, malware often install itself in various locations

    including: 1. Windows Logon Registry Entries 2. Image File Execution Options 3. Accessibility Programs 4. Startup Service and so on. Mechanics of Malware’s Darkside

49. Process Monitor Process Monitor is a monitoring tool from the

    Sysinternals suite that shows the real-time interaction of the processes with the filesystem, registry, and process activity. Preconfigured filters can be used before capturing events to reduce the load of Process Monitor on RAM. Mechanics of Malware’s Darkside

50. • Noriben is a python script that utilises Process Monitor

    program to filter out general events • Helps in analyzing and collecting runtime indicators of the malware. Noriben Mechanics of Malware’s Darkside

51. Outputs .csv file with key indicators Mechanics of Malware’s Darkside

52. None

53. Wireshark Wireshark is an open-source network packet capture and analyzer

    tool. It is run to capture any network traffic generated by the malware once executed. Mechanics of Malware’s Darkside

54. Mechanics of Malware’s Darkside

55. Wireshark We can identify the following information from the capture

    : 1. Host Name 2. IP address to Command & Control servers 3. Domain names 4. Download of additional payloads and programs Mechanics of Malware’s Darkside

56. Identification of Domain Name Mechanics of Malware’s Darkside

57. Identification of Host Name Mechanics of Malware’s Darkside

58. Extracting executables from PCAP files File -> Export Objects ->

    HTTP Mechanics of Malware’s Darkside

59. Disassembler Disassembler is a computer program that converts Machine Language

    (high-level) to Assembly Language (low-level language). Mechanics of Malware’s Darkside

60. Mechanics of Malware’s Darkside

61. IDA Pro as Disassembler Follow the code and look for

    XOR instructions. Mechanics of Malware’s Darkside
62. None

63. Debugger Debugger is a computer program that is used to

    run an executable in a controlled manner and to halt when specific conditions are encountered. Mechanics of Malware’s Darkside

64. Ollydbg as Debugger Functions can be modified and patched live

    to avoid Anti-VM and Anti- Debugging conditions which can be a prerequisite for the malware to run. Mechanics of Malware’s Darkside

65. Creating Yara Rule YARA is a open source tool by

    which researchers identify and classify malware samples based on certain characteristics . Main purpose of YARA is to match attack patterns of malware with existing rule sets and trigger alerts to the IDS/IPS. Mechanics of Malware’s Darkside

66. Results from Basic Static Analysis Mechanics of Malware’s Darkside

67. Title: Malware_downloader status: Experimental Meta Description: ”Malicious downloader that downloads

    additional payload” Author: Laura and Yagnesh hash: AE4CA70697DF5506BC610172CFC288E7 SSDEEP: 48:a2SWLML7kulJknJmD+jtx7MBqc9xDsYjWHlJR:6Rj/kJs+jtx7MIc9xD1jWHj strings: $s0 = *wininet.dll* $s1 = *CreateService* $s2 = *InternetOpen* $s3 = *InternetOpenURL* $s4 = www.malwareanalysisbook.com $s5 = Malservice condition: 4 of ($s0, $s1, $s2 ,$s3, $s4 and $s5) Example: Mechanics of Malware’s Darkside

68. Creating SNORT Rules Snort is an open source Intrusion Detection

    system that will be used to create rules to detect our malware communication in the network. Mechanics of Malware’s Darkside

69. Syntax: rule protocol source ip source port -> dest ip

    dest port (Rule options) Example of Petya Ransomware downloading perfc.dat file alert smb any any -> $HOME_NET any (msg: "Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "SMB";content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;) Mechanics of Malware’s Darkside

70. Resources • Reverse Engineering Workshop - https://malwareunicorn.org/workshops/re101.html • Malware Traffic

    Analysis Exercises - https://malware-traffic- analysis.net/index.html • Book - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. - Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware Mechanics of Malware’s Darkside

71. Tools Used • Virus Total • PEiD • Exeinfo PE

    • CFF Explorer • UPX Packer • Strings • Process Monitor v3.52 **Minimum Requirements: Windows 7 Service Pack 1 • FLOSS • Noriben • Wireshark • IDA Pro • Ollydbg • YARA • SNORT Mechanics of Malware’s Darkside

72. Future Steps.. Mechanics of Malware’s Darkside

73. Obfuscated Malware Obfuscation is the process of making the files

    more difficult to analyze or detect. Mechanics of Malware’s Darkside

74. chmod command is selected through a complex process to avoid

    obvious detection Mechanics of Malware’s Darkside

75. Android Malware Targets the users with Adwares, Cryptomining and also

    Ransomware. Example: • Advertising dropper in CamScanner → https://securelist.com/dropper-in-google-play/92496/ • 42 Adware Apps with 8 Million Downloads → https://thehackernews.com/2019/10/42-adware-apps-with-8-million-downloads.html Mechanics of Malware’s Darkside

76. Resources to get started: • Android App fundamentals and ReverseEngineering

    exercises → https://maddiestone.github.io/AndroidAppRE/ • AndroL4b is an android security virtual machine which has tools and labs for reverse engineering and android malware analysis. → https://github.com/sh4hin/Androl4b Mechanics of Malware’s Darkside

77. Linux Malware Common targets are IoT devices and Linux Servers.

    Example: • Mirai Evolves From IoT Devices to Linux Servers →https://www.darkreading.com/attacks-breaches/ mirai-evolves-from-iot-devices-to-linux-servers/d/d-id/1333329 • Sophisticated HiddenWasp Malware Targets Linux →https://www.securityweek.com/sophisticated-hiddenwasp- malware-targets-linux Mechanics of Malware’s Darkside

78. Resources to get started: • Linux ELF Basics and Binary

    Analysis → https://linux-audit.com/elf-binaries-on-linux-understanding-and- analysis/ • Linux Malware Samples → https://github.com/ytisf/theZoo/tree/master/malwares/Binaries • Linux Sandbox (LISA) → https://github.com/danieluhricek/LiSa#get-started Mechanics of Malware’s Darkside

79. Interesting… Smallest PE file that downloads file from internet and

    executes it. The size of the PE file with UNC import is still only 133 bytes. https://twitter.com/cyb3rops/status/1187037377560272897 Mechanics of Malware’s Darkside

80. yarGen - Automatic Yara rule generator. The main principle is

    the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. https://github.com/Neo23x0/yarGen Mechanics of Malware’s Darkside
81. None

82. 1. https://blog.comodo.com/different-techniques-for-malware-analysis/ 2. https://github.com/fireeye/flare-vm 3. https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf 4. https://www.sciencedirect.com/science/article/pii/S1877050915002136 5. https://medium.com/practical-malware-analysis-lab-solutions/practical-malware-analysis-lab-

    solutions-static-analysis-4f892cbae9d 6. https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis- environment.html 7. https://resources.infosecinstitute.com/snort-rules-workshop-part-one/ 8. https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/ 9. https://isc.sans.edu/forums/diary/Developing+YARA+Rules+a+Practical+Example/24158/ 10. http://www.cs.utsa.edu/~shxu/Moustafa-PhD- Dissertation_Detection_and_Classification_of_Obfuscated_Malware.pdf 11. https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation- techniques-in-malware/ 12. https://www.reddit.com/r/MalwareAnalysis/comments/bxvw1j/analysis_of_simple_obfuscated_ office_malware/ 13. https://www.imperva.com/blog/backdoor-malware-analysis-obfuscation-techniques/ References Mechanics of Malware’s Darkside

83. Demo Mechanics of Malware’s Darkside

84. Contact Laura Harris [email protected] Yagneshwaran Prabagaran [email protected] @Angry_orcha @Black_3nergy