
Mechanics of Malware's Darkside

MalwareAnt
November 02, 2019


This presentation introduces the basic steps of carrying out static and dynamic analysis on malware using disassemblers, debuggers, and other tools. Diving into the dark waters of dissecting malware will allow the audience to understand how to disassemble malware, identify key strings and processes, and track the behavioral triggers once the sample is placed in a sandbox. It also highlights the limitations of static analysis and hints at the next phases of analyzing obfuscated malware. The audience will be able to develop basic SNORT and YARA rules based on the information shared. Some resources on Android malware and Linux malware analysis have been added as a bonus.





  1. The Mechanics of Malware’s Darkside

  2. Who am I? Yagneshwaran Prabagaran, Student | QA Analyst
     Current interests: • Malware Analysis • OSINT • Threat Hunting
     Email: yagneshwaranp@gmail.com

  3. Who am I? Laura Harris, Security Analyst
     Current interests: • Malware Analysis • Defender → Offensive • Forensics • Wearable Technology
     Email: lauraharris499@gmail.com

  4. Disclaimer:
     • We are not experts at reverse engineering.
     • We are not analyzing any complex malware.
     • This is more like getting started with malware analysis and understanding the process.
  5. Outline
     ❖ Intro to Malware
     ❖ Reasons for analyzing Malware
     ❖ Creating a Sandbox environment
     ❖ Basic Static Analysis
     ❖ Basic Dynamic Analysis
     ❖ Writing Malware Signatures

  6. Introduction about Malware
     A piece of code that performs malicious actions to steal data, spy on someone, and/or gain unauthorized access.
     Examples: • Emotet • Zeus • ATMDtrack • Sodinokibi • NotPetya

  7. Malware Analysis?
     The process of understanding the origin, functionality and impact of a given malware sample.

  8. Why do we analyze malware?
     • To determine its purpose
     • To analyze the damage done
     • To collect Indicators of Compromise (IOCs)

  9. Why do we analyze malware? (continued)
     • To classify the malware family
     • To identify whether any vulnerability was exploited, and patch it
     • To create detection signatures
  10. Creating a Safe Environment
     1. Use virtualization to make things easy.
     2. Install a Windows image on VMware/VirtualBox etc.
     3. Install a Linux image on VMware/VirtualBox.
     4. Disable any shared folders.
     5. Configure a “host only” network.
     6. Uncheck “Automatically connect USB devices”.
     **DO NOT RUN MALWARE ON YOUR OWN COMPUTER**

  11. Setting up - REMnux (Linux)
     https://remnux.org/docs/distro/get/
     1. Download the REMnux OVA file.
     2. Import the file into the virtualization application.
     3. Change the IP address to static.
     4. Launch FakeNet.

  12. Fakenet-NG
     • Intercepts & redirects all or specific network traffic.
     • Simulates legitimate network services.

  13. Setting up - Flare VM (Windows)
     1. Download the Flare-VM package from GitHub: https://github.com/fireeye/flare-vm
     2. Run PowerShell and “Set-ExecutionPolicy Unrestricted”.
     3. Execute “./install.ps1” in PowerShell.
     4. Modify DNS and Gateway to point to REMnux.
  14. [image-only slide]

  15. Structure of PE filetype

  16. Portable Executable Format (PE)
     A standard file format for: • Windows executables • Object code • DLLs • Font files and core dumps.
     Header (technical details) / Sections (contents of the executable)

  17. Used to indicate that this is a valid binary. The first field, e_magic, will almost always be set to the value 0x54AD (“MZ”). MZ = Mark Zbikowski.
     **The magic bytes are reliable but not always an indicator of a PE file**

  18. [image-only slide]

  19. Defines what the rest of the file looks like: location and size of code.

  20. Further info about the executable: entry point location, OS version, initial stack size.

  21. Pointers to import, export and resource structures.

  22. The important content of the file is found here: • Code • Data • Resources • Additional exe files

  23. The executable code

  24. Link between the executable and Windows libraries

  25. Information used by the executed code

  26. Predefined Sections
     .text   Contains executable code
     .data   Read/write data and global variables
     .rdata  Read-only data
     .idata  Import table
     .edata  Export information
     .rsrc   Icons, dialogs, menus, strings etc.
     **Some executables may not need all of these, and some may need new ones to be created**

  27. CFF Explorer
     Import Directory: 4 DLLs are imported and functions such as GetProcAddress and VirtualAlloc are used.

  28. [image-only slide]
  29. Types of Analysis

  30. Static Analysis
     Examining a file without executing it: dissecting “dead” code.
     Benefits: • It allows experts to quickly decide whether a file is malicious. • Provides insight into functionality. • Technical indicators can be used in detection signatures.

  31. Antivirus checks
     Scan new malware with up-to-date antivirus prior to analysis.
     1. Have other people submitted it?
     2. Reduces time spent on analysis.
     Note: a sample becomes publicly available once uploaded to VirusTotal.

  32. Cryptors and Packers

  33. Packers (“Runtime Packers”)
     A runtime packer takes the malware and compresses it, or otherwise transforms it, making the file harder to recognize.
     Reasons for packing: 1. To make files smaller 2. To bypass detection or to counter analysis

  34. Crypters (“Obfuscation”)
     Reasons for using a crypter: 1. Acts as the first layer of defense for the malware 2. Helps to defend the malware against AVs.
     A crypter encrypts the uploaded malware, and in addition to encryption it offers further options to make the executable as hard to detect as possible by security software.
  35. To identify a packed executable: 1. Exeinfo PE

  36. 2. PEiD

  37. 3. UPX command line. Example: upx -d sample1.exe -o unpack.exe

  38. A difference between the Virtual Size of a section and its Raw Size can also be used as an indicator of a packed file.
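The following is an added example and not code from the deck. It ties together slides 17, 26 and 38: it checks the DOS e_magic field (read as a little-endian 16-bit word, so the bytes "MZ" compare equal to 0x5A4D) and the "PE\0\0" signature, walks the section table, and flags a section as a packing indicator when its VirtualSize is far larger than its SizeOfRawData or when its raw bytes have high entropy. The PE image it inspects is constructed inline (section names, sizes and characteristics are made up, and the optional header is omitted), so the script runs offline.

```python
"""Added example: minimal PE section inspector with packing heuristics."""
import hashlib
import math
import struct

MZ_MAGIC = 0x5A4D                 # "MZ" read as a little-endian 16-bit word
PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code is usually 5-6.5, packed/encrypted data is near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Return one dict per section header; raise ValueError if the image is not a PE."""
    if len(image) < 64 or struct.unpack_from("<H", image, 0)[0] != MZ_MAGIC:
        raise ValueError("e_magic is not MZ")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER, image, table + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_pointer": rptr,
            "characteristics": flags, "entropy": shannon_entropy(raw),
        })
    return sections


def packing_indicators(image: bytes, ratio: float = 2.0, entropy: float = 7.0) -> dict:
    """Map section name -> reasons it looks packed (an empty list means nothing suspicious)."""
    findings = {}
    for sec in parse_sections(image):
        reasons = []
        if sec["virtual_size"] > ratio * max(sec["raw_size"], 1):
            reasons.append("virtual size far exceeds raw size")      # filled at run time by the stub
        if sec["entropy"] >= entropy:
            reasons.append(f"high entropy ({sec['entropy']:.2f})")  # compressed or encrypted data
        findings[sec["name"]] = reasons
    return findings


def build_sample_pe() -> bytes:
    """Constructed toy image (not a real binary): DOS header, PE signature, COFF header
    with no optional header, three section headers, then the raw section data."""
    text_raw = b"\x55\x8b\xec\x90" * 128                  # 512 bytes, low entropy
    packed_raw, seed = b"", b"constructed-sample"
    while len(packed_raw) < 4096:                          # sha256 chain: near-8-bit entropy
        seed = hashlib.sha256(seed).digest()
        packed_raw += seed
    headers_len = 64 + 4 + 20 + 3 * 40
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)        # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)

    def sec(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack(SECTION_HEADER, name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    table = (sec(b".text", 0x180, 0x1000, len(text_raw), headers_len, 0x60000020)
             + sec(b"UPX0", 0x10000, 0x2000, 0, 0, 0xE0000080)
             + sec(b"UPX1", 0x1000, 0x12000, len(packed_raw), headers_len + len(text_raw), 0xE0000040))
    return dos + PE_SIGNATURE + coff + table + text_raw + packed_raw


if __name__ == "__main__":
    for name, reasons in packing_indicators(build_sample_pe()).items():
        print(f"{name:8} {'; '.join(reasons) or 'no indicator'}")
```

Both heuristics are hints, not proof: a legitimately large .bss-style section also has VirtualSize greater than its raw size, and a .rsrc section full of compressed images is high-entropy, so treat a hit as a reason to look at the entry point and imports (as on slide 27) rather than as a verdict.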
  39. Strings
     Strings are defined as sequences of printable characters found in the code (ASCII and UNICODE).

  40. Strings
     Examining the malware for strings can reveal references to: • Filenames • URLs • Domain names • IP addresses • Attack commands • Registry keys, and so on.

  41. Extracting Strings
     Tools to extract strings:
     • The strings utility on the command line. Example: strings “sample1.exe”
     • Right-click the file and select the Strings utility for the GUI method.
     • FLOSS (FireEye Labs Obfuscated String Solver)

  42. Strings utility using the Command Line Interface

  43. Right-click and select Strings for the Graphical User Interface
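As an added example (not from the deck or from any of the tools it lists), here is a minimal strings extractor that handles both ASCII and UTF-16LE (the "Unicode" strings Windows binaries carry, which a plain ASCII scan misses) and sorts the results into the indicator classes of slide 40. The byte blob, the URL path and the API list are constructed sample values.

```python
"""Added example: ASCII + UTF-16LE string extraction with indicator classification."""
import re

# API names worth a second look when they appear in a string dump (constructed list)
INTERESTING_APIS = {
    "InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA", "CreateServiceA",
    "VirtualAlloc", "GetProcAddress", "IsDebuggerPresent", "WriteProcessMemory",
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (encoding, offset, text) tuples, like `strings -t d` plus UTF-16LE."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    # UTF-16LE: every printable character is followed by a NUL byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda t: t[1])


def classify(strings: list) -> dict:
    """Bucket extracted strings by the indicator type they may represent."""
    buckets = {k: [] for k in ("url", "ipv4", "registry", "dll", "filename", "api", "other")}
    for _enc, _off, s in strings:
        if re.match(r"https?://", s, re.I):
            buckets["url"].append(s)
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", s):
            buckets["ipv4"].append(s)
        elif re.match(r"(HK(LM|CU|EY_)|SOFTWARE\\|SYSTEM\\)", s, re.I):
            buckets["registry"].append(s)
        elif s.lower().endswith(".dll"):
            buckets["dll"].append(s)
        elif re.search(r"\.(exe|bat|dat|tmp|vbs|ps1)$", s, re.I):
            buckets["filename"].append(s)
        elif s in INTERESTING_APIS:
            buckets["api"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


def build_sample_blob() -> bytes:
    """Constructed sample: non-printable filler with a few embedded strings."""
    filler = b"\x00\x01\x02\xff\xfe" * 8
    return b"".join([
        filler, b"wininet.dll\0", filler, b"InternetOpenA\0", b"InternetOpenUrlA\0",
        filler, b"http://www.malwareanalysisbook.com/updater.exe\0", filler,
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le"),
        filler, b"192.168.56.101\0", filler, b"IsDebuggerPresent\0", filler, b"ab\0",
    ])


if __name__ == "__main__":
    for enc, off, s in extract_strings(build_sample_blob()):
        print(f"{off:6d} {enc:8} {s}")
    for bucket, items in classify(extract_strings(build_sample_blob())).items():
        if items:
            print(f"{bucket}: {items}")
```

The registry path in the sample is only visible through the UTF-16LE pass, which is the practical reason to run both scans. As slide 44 notes, a string being present says nothing about whether the code that uses it ever runs, so these buckets are leads for the dynamic phase, not findings by themselves.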

  44. Limitations of Basic Static Analysis
     • Encrypted malware samples cannot be analyzed without understanding the type of encryption.
     • Strings found in the malware sample are not necessarily used at run-time.
     • Malware writers insert irrelevant garbage code to confuse analysts.

  45. Dynamic Analysis
     Allows experts to understand the behavioural indicators of the malware sample when it is executed, in real time.
     ** Some functions may be embedded in the malware to counter analysis **

  46. Runtime Analysis - Dynamic
     Note: it is important to perform dynamic analysis in a sandbox environment to contain the effects of the malware within the virtual machine.
     Snapshot feature:
     • Captures the state of memory, hard disk and configuration of the virtual machine.
     • After analysis, the machine can be reverted to its clean state.
     • Install new tools / update Flare VM packages and take a new snapshot when needed.
  47. Persistence

  48. Persistence
     For persistence, malware often installs itself in various locations, including:
     1. Windows Logon Registry Entries
     2. Image File Execution Options
     3. Accessibility Programs
     4. Startup Services, and so on.

  49. Process Monitor
     Process Monitor is a monitoring tool from the Sysinternals suite that shows the real-time interaction of processes with the filesystem, the registry, and other process activity. Preconfigured filters can be applied before capturing events to reduce Process Monitor's RAM load.

  50. Noriben
     • Noriben is a Python script that uses the Process Monitor program to filter out general events.
     • Helps in analyzing and collecting runtime indicators of the malware.

  51. Outputs a .csv file with key indicators
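The following is an added example, not part of the deck and not Noriben's own code. It scans Process Monitor-style CSV export for writes to the persistence locations listed on slide 48 (logon Run keys, Image File Execution Options debuggers, accessibility binaries, services and the Startup folder), so the key indicators can be pulled out of a capture without scrolling through thousands of events. The event rows are constructed; the column names follow ProcMon's CSV export, and the process name, PID, key names and paths are sample values.

```python
"""Added example: flag persistence writes in a ProcMon/Noriben-style CSV capture."""
import csv
import io
import re

# (technique label, ProcMon operation, path pattern)
PERSISTENCE_RULES = [
    ("logon-registry", "RegSetValue",
     re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)),
    ("winlogon", "RegSetValue",
     re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("ifeo-debugger", "RegSetValue",
     re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)),
    ("service", "RegSetValue",
     re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("startup-folder", "CreateFile",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)),
    ("accessibility-binary", "CreateFile",
     re.compile(r"\\System32\\(sethc|utilman|osk|narrator|magnify)\.exe$", re.I)),
]


def find_persistence(csv_text: str) -> list:
    """Return one dict per event that writes to a known persistence location."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        # CreateFile is logged for plain reads too; only count opens with write access
        if op == "CreateFile" and "Write" not in detail:
            continue
        for label, wanted_op, pattern in PERSISTENCE_RULES:
            if op == wanted_op and pattern.search(path):
                hits.append({"technique": label, "process": row["Process Name"],
                             "pid": row["PID"], "path": path, "detail": detail})
    return hits


# Constructed capture: one sample process plus a benign explorer.exe read.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.100 PM","sample1.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"1:02:03.210 PM","sample1.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"1:02:03.300 PM","sample1.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"1:02:03.400 PM","sample1.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\Program Files\OneDrive\OneDrive.exe"
"1:02:03.500 PM","explorer.exe","1234","CreateFile","C:\Users\lab\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read"
"1:02:03.600 PM","sample1.exe","4120","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\MalService\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 40, Data: C:\Users\lab\AppData\Roaming\updater.exe"
'''


if __name__ == "__main__":
    for h in find_persistence(SAMPLE_CSV):
        print(f"{h['technique']:22} {h['process']}({h['pid']}) {h['path']}")
```

Reading the Run key (the RegQueryValue row) is not flagged, only setting it is; that distinction is what keeps a scan like this from drowning in the registry reads every Windows process performs. Each hit also becomes a candidate IOC for the YARA and Snort stage: the dropped path and the service name are exactly the kind of strings slide 67 turns into rule conditions.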

  52. [image-only slide]

  53. Wireshark
     Wireshark is an open-source network packet capture and analyzer tool. It is run to capture any network traffic generated by the malware once executed.

  54. [image-only slide]

  55. Wireshark
     We can identify the following information from the capture:
     1. Host name
     2. IP addresses of Command & Control servers
     3. Domain names
     4. Downloads of additional payloads and programs

  56. Identification of Domain Name

  57. Identification of Host Name

  58. Extracting executables from PCAP files: File -> Export Objects -> HTTP
  59. Disassembler
     A disassembler is a computer program that converts machine code into assembly language (a human-readable low-level representation).

  60. [image-only slide]

  61. IDA Pro as Disassembler
     Follow the code and look for XOR instructions.

  62. [image-only slide]

  63. Debugger
     A debugger is a computer program used to run an executable in a controlled manner and to halt when specific conditions are encountered.

  64. OllyDbg as Debugger
     Functions can be modified and patched live to avoid Anti-VM and Anti-Debugging conditions, which can be a prerequisite for the malware to run.

  65. Creating a YARA Rule
     YARA is an open source tool with which researchers identify and classify malware samples based on certain characteristics. The main purpose of YARA is to match attack patterns of malware against existing rule sets and trigger alerts to the IDS/IPS.

  66. Results from Basic Static Analysis

  67. Example:
     rule Malware_downloader
     {
         meta:
             status = "Experimental"
             description = "Malicious downloader that downloads additional payload"
             author = "Laura and Yagnesh"
             hash = "AE4CA70697DF5506BC610172CFC288E7"
             ssdeep = "48:a2SWLML7kulJknJmD+jtx7MBqc9xDsYjWHlJR:6Rj/kJs+jtx7MIc9xD1jWHj"
         strings:
             $s0 = "wininet.dll"
             $s1 = "CreateService"
             $s2 = "InternetOpen"
             $s3 = "InternetOpenURL"
             $s4 = "www.malwareanalysisbook.com"
             $s5 = "Malservice"
         condition:
             4 of ($s*)
     }
  68. Creating SNORT Rules
     Snort is an open source Intrusion Detection System; it will be used to create rules that detect our malware's communication on the network.

  69. Syntax: action protocol source_ip source_port -> dest_ip dest_port (rule options)
     Example of a rule for Petya ransomware downloading the perfc.dat file:
     alert smb any any -> $HOME_NET any (msg:"Petya ransomware perfc.dat component"; flow:to_server,established,no_stream; content:"SMB"; content:"|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; classtype:suspicious-filename-detect; sid:10001443; rev:1;)
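As an added example (not from the deck), the helpers below show where the hex block in the rule on slide 69 comes from: it is the filename "perfc.dat" encoded as UTF-16LE, which is how SMB carries file names, so the rule must not search for the plain ASCII text. The matcher applies the rule's two content options to constructed payloads; it is a simplified model of Snort's content matching (no offset/distance/within modifiers, no real SMB framing), and the packet bytes are made up.

```python
"""Added example: build and test a Snort hex 'content' match for a UTF-16LE filename."""


def snort_hex_content(text: str, encoding: str = "utf-16-le") -> str:
    """Render text as a Snort '|xx xx ...|' content string in the given encoding."""
    return "|" + " ".join(f"{b:02x}" for b in text.encode(encoding)) + "|"


def parse_content(option: str) -> bytes:
    """Turn a Snort content value into raw bytes. Plain text and '|..|' hex blocks
    may be mixed, e.g. 'SMB|00 00|'; segments alternate text, hex, text, ..."""
    out, in_hex = b"", False
    for part in option.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode("latin-1")
        in_hex = not in_hex
    return out


def payload_matches(payload: bytes, contents: list) -> bool:
    """True when every content pattern occurs somewhere in the payload
    (Snort's default semantics when no position modifiers are given)."""
    return all(parse_content(c) in payload for c in contents)


# The two content options from the rule on slide 69
PETYA_RULE_CONTENTS = ["SMB", "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"]


def build_payloads() -> dict:
    """Constructed test packets: an SMB-like request naming perfc.dat in UTF-16LE,
    a lookalike that carries the name in ASCII (must not match), and a benign file."""
    header = b"\xfeSMB" + bytes(60)          # stand-in for an SMB2 header, not real framing
    return {
        "utf16": header + b"\x05\x00" + "perfc.dat".encode("utf-16-le"),
        "ascii": header + b"\x05\x00" + b"perfc.dat",
        "benign": header + b"\x05\x00" + "report.docx".encode("utf-16-le"),
    }


if __name__ == "__main__":
    print("content for perfc.dat:", snort_hex_content("perfc.dat"))
    for name, pkt in build_payloads().items():
        print(f"{name:7} -> {'ALERT' if payload_matches(pkt, PETYA_RULE_CONTENTS) else 'pass'}")
```

The same `snort_hex_content` call is the quickest way to derive a content match for any other UTF-16 string pulled out of a capture (a host name, a URL path) before dropping it into a rule with a fresh sid.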
  70. Resources
     • Reverse Engineering Workshop - https://malwareunicorn.org/workshops/re101.html
     • Malware Traffic Analysis Exercises - https://malware-traffic-analysis.net/index.html
     • Books:
       - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
       - Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

  71. Tools Used
     • VirusTotal • PEiD • Exeinfo PE • CFF Explorer • UPX Packer • Strings • Process Monitor v3.52 (**Minimum requirements: Windows 7 Service Pack 1**) • FLOSS • Noriben • Wireshark • IDA Pro • OllyDbg • YARA • SNORT
  72. Future Steps..

  73. Obfuscated Malware
     Obfuscation is the process of making files more difficult to analyze or detect.

  74. The chmod command is selected through a complex process to avoid obvious detection.

  75. Android Malware
     Targets users with adware, cryptomining and also ransomware.
     Examples:
     • Advertising dropper in CamScanner → https://securelist.com/dropper-in-google-play/92496/
     • 42 Adware Apps with 8 Million Downloads → https://thehackernews.com/2019/10/42-adware-apps-with-8-million-downloads.html

  76. Resources to get started:
     • Android app fundamentals and reverse engineering exercises → https://maddiestone.github.io/AndroidAppRE/
     • AndroL4b is an Android security virtual machine with tools and labs for reverse engineering and Android malware analysis → https://github.com/sh4hin/Androl4b

  77. Linux Malware
     Common targets are IoT devices and Linux servers.
     Examples:
     • Mirai Evolves From IoT Devices to Linux Servers → https://www.darkreading.com/attacks-breaches/mirai-evolves-from-iot-devices-to-linux-servers/d/d-id/1333329
     • Sophisticated HiddenWasp Malware Targets Linux → https://www.securityweek.com/sophisticated-hiddenwasp-malware-targets-linux

  78. Resources to get started:
     • Linux ELF Basics and Binary Analysis → https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
     • Linux Malware Samples → https://github.com/ytisf/theZoo/tree/master/malwares/Binaries
     • Linux Sandbox (LiSa) → https://github.com/danieluhricek/LiSa#get-started

  79. Interesting…
     Smallest PE file that downloads a file from the internet and executes it. The size of the PE file with UNC import is still only 133 bytes.
     https://twitter.com/cyb3rops/status/1187037377560272897

  80. yarGen - Automatic YARA rule generator
     The main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files.
     https://github.com/Neo23x0/yarGen
  81. [image-only slide]

  82. References
     1. https://blog.comodo.com/different-techniques-for-malware-analysis/
     2. https://github.com/fireeye/flare-vm
     3. https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf
     4. https://www.sciencedirect.com/science/article/pii/S1877050915002136
     5. https://medium.com/practical-malware-analysis-lab-solutions/practical-malware-analysis-lab-solutions-static-analysis-4f892cbae9d
     6. https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html
     7. https://resources.infosecinstitute.com/snort-rules-workshop-part-one/
     8. https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/
     9. https://isc.sans.edu/forums/diary/Developing+YARA+Rules+a+Practical+Example/24158/
     10. http://www.cs.utsa.edu/~shxu/Moustafa-PhD-Dissertation_Detection_and_Classification_of_Obfuscated_Malware.pdf
     11. https://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/
     12. https://www.reddit.com/r/MalwareAnalysis/comments/bxvw1j/analysis_of_simple_obfuscated_office_malware/
     13. https://www.imperva.com/blog/backdoor-malware-analysis-obfuscation-techniques/

  83. Demo

  84. Contact
     Laura Harris - lauraharris499@gmail.com
     Yagneshwaran Prabagaran - yagneshwaranp@gmail.com
     Twitter: @Angry_orcha, @Black_3nergy