Malware Analysis & Reversing 101

Yasin Sürer
January 31, 2017

CyberCamp 2017 sponsored by Turkcell (31/01/2017 - 02/02/2017) Mustafa Kisa, Yasin SURER

Transcript

  1. Why Analyze Malware?
     • Incident Response
       • finding backdoor on your system…
       • what did attacker steal…
       • how did attack get in…
     • Dissecting Malware
       • how it works!
       • how to identify it!
       • how to respond…
       • …
  2. Infection Method
     • Attack software vulnerabilities…
       • Operating System Vulnerabilities
       • MS Office Vulnerabilities
       • Client Side Applications
     • Human Factor
       • Using hardware to execute malware (USB, etc.)
       • P2P file sharing platforms
       • Social Media
       • Etc…
  3. Malware Behavior
     • Create main module
       • Download, Create
       • Copy/Delete itself
       • Copy to the system folder
     • Persistence
       • Registry entry related to autorun
       • Startup folder
       • Register as a service
       • …
  4. Modifying System
     • Disable Protection & Security Mechanism
       • Windows Firewall
       • Windows Update
     • Avoid Security Applications
       • Anti-virus
       • Anti-malware
       • Analysis Tools
     • Hide itself
     • Modifying other processes
  5. Main Behavior
     • Steal Information
       • Read registry keys, config files…
       • Keylogging
       • Recording
       • Etc..
     • Communication
       • Connect to C&C servers
       • Execute commands
     • Spread
       • Find vulnerable systems
       • Infect other systems
  6. “We do not call those types of threats as Advanced Persistent Threat since they use widely known, old-school tactics” (Microsoft)
  7. Case Studies: Operation Transparent Tribe
     Attack Details
     • On 4 February 2016, researchers at Trapmine encountered a set of cyber espionage attacks targeting journalists working at international media companies.
     • The malware has some advanced features, such as audio surveillance, keylogging, file transfer and webcam recording.
     • On 3 March 2016, Proofpoint uncovered an espionage attack targeting the military and diplomatic institutions of India in its “Operation Transparent Tribe” report.
     • The cyber espionage campaign described in that report is thought to belong to the same APT group.
  8. Case Studies: Epic Turla
     The Way of Propagation
     • Software Vulnerabilities/Exploits
     • Social Engineering
     Function/Purpose
     • Cyberespionage
     • Data theft
     • Surveillance
     Communication
     • Usage of satellite internet connection to hide command and control servers
     Targets
     • Government entities
     • Military
     • Diplomatic organizations/embassies
  9. What is Reverse Engineering?
     • Discovering undocumented system components.
     • Understanding complex software architecture
     • Discovering software vulnerabilities and exploiting the weakness
     • Closed source code analysis and understanding how software works
     • Patch analysis and exploiting one-day vulnerabilities
     • Incident response and digital forensics.
  10. Anti-Reverse Engineering
     • Anti-Virtualization and anti-emulation techniques
     • Anti-Debugging & Anti-Disassembler techniques
     • Implementing Entry Point Obfuscation
     • Executable compression & packers
  11. Static vs. Dynamic Analysis
     Static Analysis or Reversing: Static program analysis is the analysis of computer software that is performed without actually executing programs.
     Dynamic Analysis or Reversing: Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
  12. .data
     • Values placed in RAM when a program loads
     • These values are static
       • They cannot change while the program is running
     • They are also global
       • Available to any part of the program
  13. heap
     • Dynamic memory
     • Changes frequently during program execution
     • Program allocates new values, and frees them when they are no longer needed
  14. Arithmetic Instructions
        mov eax, 5      ; eax = 5
        mov ebx, 3      ; ebx = 3
        add eax, ebx    ; eax = eax + ebx
        sub ebx, 2      ; ebx = ebx - 2

        mov eax, 15
        imul eax, 2     ; eax = eax * 2

        mov eax, 5
        mov ecx, 2
        xor edx, edx    ; div divides edx:eax, so clear edx first
        div ecx         ; eax = eax / ecx (quotient), edx = remainder
  15. Accessing Memory
        cmp eax, 2      ; compare eax with 2
        je  label       ; if (eax == 2)
        ja  label       ; if (eax > 2)   (unsigned compare)
        jb  label       ; if (eax < 2)   (unsigned compare)
        jbe label       ; if (eax <= 2)  (unsigned compare)
        jne label       ; if (eax != 2)
        jmp label       ; unconditional jump to label
  16. Function Calls
        call function   ; store return addr on the stack
                        ; and jump to function!
      function:
        push esi        ; save esi
        …
        pop esi         ; restore esi
        ret             ; read return addr from the stack
                        ; and jump to it.
  17. Example: Keyloggers
     • Imports User32.dll and uses the function SetWindowsHookEx, which is a popular way keyloggers receive keyboard inputs.
     • It exports LowLevelKeyboardProc and LowLevelMouseProc to send the data elsewhere.
     • It uses RegisterHotKey to define a special keystroke like Ctrl+Shift+P to harvest the collected data.
  18. Portable Executable
     • PE: Portable Executable
     • Native Windows file format
     • Filetypes
       • EXE
       • DLL
       • SCR
       • SYS
       • …
     • MZ (Mark Zbikowski)
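As an added example (not from the deck), a small Python parser for the MZ/PE headers described on slide 18: it follows e_lfanew to the PE signature, reads the COFF and section headers, and flags writable+executable or UPX-named sections, the static triage step that pairs with the packer and code-injection slides. The header-only image bytes are constructed here and are not a real sample.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def build_sample_pe():
    """Constructed header-only PE32 image for testing; it is not a real executable."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C -> 0x40
    optional = struct.pack("<H", 0x10B) + b"\0" * 222           # PE32 magic, remaining fields zeroed
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, len(optional), 0x0102)
    sections = b""
    for name, characteristics in ((b".text", 0x60000020), (b"UPX1", 0xE0000040)):
        sections += struct.pack(SECTION_FMT, name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + coff + optional + sections


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # 4 (signature) + 20 (COFF) + optional header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(errors="replace"),
                         "vsize": f[1], "raw_size": f[3], "characteristics": f[9]})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": sections}


def suspicious_sections(info):
    """Writable+executable sections and UPX-style names are packer/injection hints worth a look."""
    hits = []
    for s in info["sections"]:
        flags = s["characteristics"]
        wx = bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE)
        if wx or s["name"].upper().startswith("UPX"):
            hits.append(s["name"])
    return hits


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], [s["name"] for s in info["sections"]], suspicious_sections(info))
```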
  19. Reverser Toolbag (1)
     Virtual Machines (Virtualbox, VMWare, Hyper-V): A virtual machine (VM) is a software-implemented abstraction of the underlying hardware, which is presented to the application layer of the system.
     Packet Sniffers (Wireshark, tcpdump): The sniffer captures packets and, if needed, decodes the packet's raw data, showing the values of the various fields in the packet.
     Sysinternals Suite: Technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
  20. Reverser Toolbag (2)
     IDA, disassembler from Hex-Rays: IDA is a disassembler for computer software which generates assembly language source code from machine-executable code.
     OllyDbg, free debugger: OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available.
     WinDbg from Microsoft: It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode.
  21. Unsigned Images
     • Sigcheck
       • Sysinternals tool
       • Written by Mark Russinovich
       • Verify that images are digitally signed and dump version information with this simple command-line utility
  22. Malware hunting..
     • Examine the Programs Run on the System
       • Review prefetch files
     • Windows enables prefetching to make system boots or application startups faster
     • Prefetch files (*.pf) store data and files accessed during boot or application start-up
     • Location
       • C:\Windows\Prefetch
     • Information Provided
       • .pf file creation date generally shows when the program was first executed
       • .pf file last modified date shows when the program was last executed
       • Process's file path
       • Process's last run time
       • Process's run count
       • Files accessed during start-up
  23. Malware hunting..
     • Review prefetch files
       • winprefetchview.exe
       • Command:
           c:\winprefetchview>winprefetchview.exe /folder c:\windows\prefetch
  24. Malware hunting..
     • Review process execution
       • Prefetch File
       • Look at process paths for malware indicators
  25. Malware hunting..
     • Review process execution
       • Prefetch File
       • Check out the loaded modules inside the prefetch file
  26. Malware hunting..
     • Review process execution
       • Prefetch File
       • Sort by time (prefetch creation time, modification time, or last run time)
  27. Malware hunting..
     • Review process execution
       • Prefetch File
       • Look at process paths for malware indicators
       • Look for activity around 01/29/2017 17:32:22
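The prefetch review on slides 22 to 27, as an added example that is not from the deck: it parses the NAME-HASH.pf file names, pivots on the 01/29/2017 17:32:22 timestamp from slide 27 and flags executables launched from user-writable paths. The records are constructed here in the columns winprefetchview shows; the directory list is an assumed heuristic, not a rule from the deck.

```python
from datetime import datetime, timedelta

# Constructed prefetch records (not from a real host), in the columns winprefetchview shows:
# (prefetch file name, created, last modified, run count, process path)
SAMPLE_PREFETCH = [
    ("SVCHOST.EXE-3530F672.pf", "01/10/2017 09:12:03", "01/29/2017 17:30:41", 180,
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE"),
    ("WINRAR.EXE-7F1A2C0B.pf", "01/29/2017 17:31:50", "01/29/2017 17:31:50", 1,
     r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINRAR\WINRAR.EXE"),
    ("INVOICE.EXE-5C3E91D4.pf", "01/29/2017 17:32:22", "01/29/2017 17:32:22", 1,
     r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\RAR$EX01\INVOICE.EXE"),
    ("NOTEPAD.EXE-D8414F97.pf", "12/02/2016 11:05:00", "01/28/2017 14:02:10", 22,
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"),
]
TS = "%m/%d/%Y %H:%M:%S"
# Assumed heuristic: launches from user-writable locations deserve a second look.
WRITABLE_DIRS = ("\\USERS\\", "\\TEMP\\", "\\PROGRAMDATA\\")


def parse_pf_name(filename):
    """'NAME.EXE-HASH.pf' -> ('NAME.EXE', 'HASH'); the hash is derived from the executable's path."""
    stem = filename[:-3] if filename.lower().endswith(".pf") else filename
    name, _, pf_hash = stem.rpartition("-")
    return name, pf_hash


def records(rows=SAMPLE_PREFETCH):
    """Raw rows to dicts with datetimes (slide 22: created = first run, modified = last run)."""
    out = []
    for fname, created, modified, runs, path in rows:
        name, pf_hash = parse_pf_name(fname)
        out.append({"name": name, "hash": pf_hash, "runs": runs, "path": path,
                    "first_run": datetime.strptime(created, TS),
                    "last_run": datetime.strptime(modified, TS)})
    return out


def activity_around(when, minutes=5, rows=SAMPLE_PREFETCH):
    """Programs first or last run within +/- minutes of the pivot time, sorted by last run."""
    pivot = datetime.strptime(when, TS)
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    hits = [r for r in records(rows) if lo <= r["first_run"] <= hi or lo <= r["last_run"] <= hi]
    return sorted(hits, key=lambda r: r["last_run"])


def path_indicators(rows=SAMPLE_PREFETCH):
    """Names of executables whose recorded path lies in a user-writable directory."""
    return [r["name"] for r in records(rows) if any(d in r["path"].upper() for d in WRITABLE_DIRS)]


if __name__ == "__main__":
    for r in activity_around("01/29/2017 17:32:22"):
        print(r["last_run"], r["runs"], r["name"], r["path"])
    print("launched from user-writable paths:", path_indicators())
```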
  28. Malware hunting..
     • How did the infection occur?
       • e.g. a zip archive was downloaded from the Internet and a program inside it was executed
     • What was taken?
       • e.g. have malware samples to look into and research
     • Were we targeted or was it a random attack?
       • Random attack or Targeted Attack?
     • What can be done to reduce future occurrences?
       • Security Awareness!
       • Block all unsigned executables!
  29. There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know. - Donald Rumsfeld
  30. Memory Acquisition
     • Moonsols DumpIt (Windows x86 & x64)
     • MoonSols Windows Memory Toolkit
     • Mandiant Redline (FireEye)
     • Virtual Machines
       • VMware (.vmem)
       • Microsoft Hyper-V (.bin)
       • Virtualbox (.sav)
       • Parallels (.mem)
  31. Mandiant Redline
     • Advantage
       • OpenIOC
       • Known good files
       • Create Signatures
     • Disadvantage
       • Buggy software!
       • Support problem!
       • False Positive Issues!
  32. Volatility Framework
     • “The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.”
     • Analysis on Windows, Linux and macOS
     • Works with all memory image formats
     • http://www.volatilityfoundation.org
  33. Syntax
     • python vol.py -f [MEMORYFILE] [PLUGIN] --profile=[PROFILE]
     • python vol.py -f memory.vmem malfind --profile=Win7SP0x64
     • ... [PLUGIN] -p [PID]
     • ... [PLUGIN] -D [DUMPDIR]
     • ... [PLUGIN] -o [OFFSET]
     • python vol.py --help, python vol.py [PLUGIN] --help
  34. Getting Information About Memory Sample
     • imageinfo: Get detailed information about the operating system (service pack, hardware architecture etc.)
     • Pass the suggested profile to the --profile argument.
     • python vol.py -f memory.vmem connscan --profile=Win7SP0x64
  35. Identify Suspicious Process
     • pslist: List the running processes of the system
       • python vol.py -f memory.vmem pslist
     • pstree: Display parent-process relationships
       • python vol.py -f memory.vmem pstree
     • psscan: Scan for hidden or terminated processes
       • python vol.py -f memory.vmem psscan
  36. Review Network Transactions
     • connections: List of open TCP connections (Win XP)
       • python vol.py -f memory.vmem connections
     • connscan: List of TCP connections, including closed (Win XP)
       • python vol.py -f memory.vmem connscan
     • netscan: Scan for connections and sockets (Win 7)
       • python vol.py -f memory.vmem netscan
  37. Review Network Transactions
     • sockets: List of listening sockets [any protocol] (Win XP)
       • python vol.py -f memory.vmem sockets
     • sockscan: List of sockets, including closed/unlinked (Win XP)
       • python vol.py -f memory.vmem sockscan
  38. Looking For Code Injections
     • malfind: Find and extract injected code blocks
       • -p [PID] show information only for specific PIDs
       • -D [DUMPDIR] dump file path
     • ldrmodules: Cross-reference DLLs with memory-mapped files (helps to detect unlinked DLLs)
       • -p [PID] show information only for specific PIDs
       • -v show full paths from the three DLL lists
  39. Hunting Rootkit
     • psxview: Find hidden processes using cross-view
       • python vol.py -f memory.vmem psxview
     • driverscan: Scan for driver objects
       • python vol.py -f memory.vmem driverscan
     • apihooks: Scan for API hooks
       • python vol.py -f memory.vmem apihooks
       • -p [PID] show information only for specific PIDs
       • -k scan kernel modules instead of user-mode objects
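The pslist/psscan comparison behind slides 35 and 39 (the cross-view that psxview automates), as an added example that is not from the deck: it parses constructed Volatility 2 text output for both plugins and reports processes present in the pool scan but absent from the linked process list, separating terminated ones (exit time present) from genuinely hidden ones. The output lines, offsets and process names are constructed.

```python
# Constructed Volatility 2 output (not from a real image) for pslist and psscan.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9e040 System                    4      0     78      489 ------      0 2017-01-29 17:01:22 UTC+0000
0xfffffa8001a3f060 explorer.exe           1412   1388     31      812      1      0 2017-01-29 17:02:05 UTC+0000
0xfffffa8001c22b30 svchost.exe            1024    480     11      310      0      0 2017-01-29 17:02:10 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0be040 System                4      0 0x0000000000187000 2017-01-29 17:01:22 UTC+0000
0x000000003e9af060 explorer.exe       1412   1388 0x000000001f3c1000 2017-01-29 17:02:05 UTC+0000
0x000000003e1ab040 svchost.exe        1024    480 0x0000000027ab0000 2017-01-29 17:02:10 UTC+0000
0x000000003f2c1b30 winrar.exe         2280   1412 0x0000000031a2e000 2017-01-29 17:31:50 UTC+0000 2017-01-29 17:33:02 UTC+0000
0x000000003f7d0920 invoice.exe        2316   2280 0x0000000033b10000 2017-01-29 17:32:22 UTC+0000
"""


def parse_table(text, tokens_with_exit):
    """Parse a Volatility 2 text table into {pid: (name, ppid, exited)}.
    Rows are split on whitespace; a row carries an exit time when it has
    at least tokens_with_exit fields (each timestamp is three tokens)."""
    rows = {}
    for line in text.splitlines()[2:]:  # skip the header and the dashed rule
        fields = line.split()
        if len(fields) < 4:
            continue
        rows[int(fields[2])] = (fields[1], int(fields[3]), len(fields) >= tokens_with_exit)
    return rows


def cross_view(pslist_text, psscan_text):
    """psxview-style check: processes found by the pool scan but missing from the
    linked EPROCESS list are either terminated (exit time set) or HIDDEN."""
    linked = parse_table(pslist_text, 14)   # 11 fields without Exit, 14 with it
    scanned = parse_table(psscan_text, 11)  # 8 fields without Time exited, 11 with it
    findings = []
    for pid, (name, ppid, exited) in sorted(scanned.items()):
        if pid not in linked:
            findings.append((pid, name, ppid, "terminated" if exited else "HIDDEN"))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, status in cross_view(PSLIST, PSSCAN):
        print(f"{status:10} pid={pid:<5} ppid={ppid:<5} {name}")
```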
  40. Hunting Rootkit
     • idt: Print the system's IDT (Interrupt Descriptor Table)
       • python vol.py -f memory.vmem idt
     • ssdt: List of hooks in SSDT (System Service Descriptor Table)
       • python vol.py -f memory.vmem ssdt
     • driverirp: List of IRP (I/O Request Packet) hooks
       • -r [REGEX] analyze drivers matching REGEX
  41. Analyze Process DLLs & Handles
     • dlllist: List of loaded DLLs by process
       • python vol.py -f memory.vmem dlllist
       • -p [PID] show information only for specific PIDs
     • getsids: Print process security identifiers
       • python vol.py -f memory.vmem getsids
       • -p [PID] show information only for specific PIDs
     • svcscan: Scan for Windows Service Information
       • python vol.py -f memory.vmem svcscan
  42. Analyze Process DLLs & Handles
     • handles: List of open handles for each process
       • python vol.py -f memory.vmem handles
       • -p [PID] show information only for specific PIDs
       • -t [TYPEs] display only handles of certain types (Process, Thread, Key, Mutant, File, Event, Port, ...)
     • filescan: Scan for used/historical file objects
       • python vol.py -f memory.vmem filescan
  43. Registry Analysis
     • hivelist: Find and list available registry hives
       • python vol.py -f memory.vmem hivelist
     • hivedump: Scan for used/historical file objects
       • python vol.py -f memory.vmem hivedump
       • -o [OFFSET] offset of registry hive to dump (virtual offset from hivelist)
  44. Registry Analysis
     • printkey: Print a registry key, subkeys, and values
       • python vol.py -f memory.vmem printkey
       • -K [KEY] registry key path
       • -o [OFFSET] only search hive at this offset (virtual offset from hivelist)
     • userassist: Find and parse userassist key values
       • python vol.py -f memory.vmem userassist
  45. Dump Suspicious Process / DLLs / Drivers
     • procdump: Dump process to executable sample
       • python vol.py -f memory.vmem procdump
       • -p [PID] show information only for specific PIDs
       • -D [DUMPDIR] dump file path
     • memdump: Dump every memory section into a file
       • python vol.py -f memory.vmem memdump
       • -p [PID] show information only for specific PIDs
       • -D [DUMPDIR] dump file path
  46. Dump Suspicious Process / DLLs / Drivers
     • dlldump: Extract DLLs
       • python vol.py -f memory.vmem dlldump
       • -p [PID] show information only for specific PIDs
       • -r [REGEX] dump DLLs matching REGEX
       • -D [DUMPDIR] dump file path
     • moddump: Extract kernel drivers
       • python vol.py -f memory.vmem moddump
       • -o [OFFSET] dump driver using offset address (from driverscan plugin)
       • -r [REGEX] dump drivers matching REGEX
       • -D [DUMPDIR] dump file path