IoT malware analysis

IoT MALWARE ANALYSIS In0de

台科資安社 /CNYCTG6GEJPKECN ▸ Run in memory ▸ ELF Infected ▸
Anti-debug ▸ Anti-sandbox ▸ Packer ▸ ………

台科資安社 /CNYCTG6GEJPKECN ▸ Run in memory ▸ ELF Infected ▸
Anti-debug ▸ Anti-sandbox ▸ Packer ▸ ……… #VVCEM &GHGPF

台科資安社 %QPVGPVU ▸ ELF Format ▸ Loader ▸ Run ELF
in Memory ▸ Text Segment Infect ▸ PLT Infection ▸ Anti-debug

台科資安社 .KPWZ15 Hardware Linux Kernel Share library Custom Library Busybox
SHELL ELF Kernel Space User Space syscall

台科資安社 '.(6TCEKPI6QQNU ▸ Structure view: ELF Parser, readelf ▸ Static
analysis: IDA pro, ghidra, objdump ▸ Dynamic analysis: GDB, ltrace, strace

台科資安社 %嵿峡罉幐篾纑 % 5 1 GNH 5QWTEGEQFG #UUGODN[EQFG 1DLGEVEQFG 'ZGEWVCDNGEQFG
%QORKNG #UUGODNG .KPMGT

台科資安社 %嵿峡罉幐篾纑 % 5 5QWTEGEQFG #UUGODN[EQFG %QORKNG KPENWFGUVFKQJ KPVOCKP
XQKF ] EJCT OUIň+ O*GNNQ9QTNFŉ RTKPVH U>POUI TGVWTP _ OQXTDRTUR UWDTUR OQX3914&264=TDR?1((5'6(.#6.% OQXTCZ3914&264=TDR? OQXTFKTCZ ECNNRWVU OQXGCZ NGCXG

台科資安社 %嵿峡罉幐篾纑 5 1 #UUGODN[EQFG 1DLGEVEQFG #UUGODNG OQXTDRTUR UWDTUR OQX3914&264=TDR?1((5'6(.#6.%
OQXTCZ3914&264=TDR? OQXTFKTCZ ECNNRWVU OQXGCZ NGCXG ELF Header Section [.text] Section Header Section [.rela.text] Section [.rodata] Section [.data] Section [.bss]

台科資安社 ELF Header Section [.text] Section Header Section [.rela.text] Section
[.rodata] Section [.data] Section [.bss] Ŏ ň+ O*GNNQ9QTNFŉ %嵿峡罉幐篾纑 5 1 #UUGODN[EQFG 1DLGEVEQFG #UUGODNG

台科資安社 %嵿峡罉幐篾纑 1 GNH 1DLGEVEQFG 'ZGEWVCDNGEQFG .KPMGT ELF Header Program
Header Section [.interp] Section Header Section [.rodata] Section [.strtab] Section [.symtab] Library Info Section [.dynsym] Section [.dynstr] Section [.text] ▸ Relocation ▸ Library Link ELF Header Section [.text] Section Header Section [.rela.text] Section [.rodata] Section [.data] Section [.bss]

台科資安社 QDLFWORF/KPVGNRTQITCO object ﬁle dynamic executable ﬁle Relocation

台科資安社 '.((QTOCV ▸ ELF header ▸ Program header ▸ Section
header ▸ Section ELF Header Program Header Section [.text] Section Header Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt]

台科資安社 4WP'.(KP/GOQT[ ▸ container.c & spy.c ▸ 偽裝 spy 執⾏的痕跡
read(spy.elf) memfd = memfd_create(‘ﬁlename’,type) fork() execve(memfd, argv, env) Wait or leave write(memfd, spyBuf, size);

台科資安社 RTQE]RKF_HF ▸ 紀錄當前 process 所有開啟的 ”⽂件”

台科資安社 4WP'.(KP/GOQT[ ▸ xxd -i ./malware > malware_array ▸ 將malware_array
放入程式 ELF Header Program Header Section [.text] Section Header Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Section [.data] spy.elf

台科資安社 4WP'.(KP/GOQT[

台科資安社 5GEVKQPXU5GIOGPV ELF Header Program Header Section [.text] Section Header
Section [.rodata] Section [.shstrtab] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] 6GZVUGIOGPV 4GNQECVKQP UGIOGPV &CVC UGIOGPV Section Header

台科資安社 :A'.(.QCFKPI ELF Header Program Header Section [.text] Section [.rodata]
Section [.plt] Section [.plt.got] Text Segment Relocation Segment Data Segment Heap Stack Align padding Z Z Z Z Z Section [.got] Section [.got.plt] Align padding Align padding

台科資安社 :A'.(.QCFKPI ELF Header Program Header Section [.text] Section [.rodata]
Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Text Segment Relocation Segment Data Segment Heap Stack Align padding Align padding Align padding 2TQEGUU Section Header

台科資安社 U[UAGZGEXG Loader _start __libc_start_main __libc_csu_init main exit

台科資安社櫧ㄗ⃡㚱 Text Segment Relocation Segment Data Segment Heap Stack
290 4'8'45'

台科資安社 .CD6GUV5GIOGPV%QFG+PLGEVKQP Text Segment Relocation Segment Data Segment Z Z
Z Z Z !!!!!

台科資安社 .CD6GUV5GIOGPV%QFG+PLGEVKQP Text Segment Relocation Segment Data Segment Z Z
Z Z Z 盪畘⛐⇆㠟袛↡袂

台科資安社 ELF Header Program Header Section [.text] Section [.rodata] Section
[.plt] Section [.plt.got] Section [.got] Section [.got.plt] Align padding Align padding Align padding Relocation Segment Data Segment Z Z Z Z Z Text Segment .CD6GUV5GIOGPV%QFG+PLGEVKQP

[.plt] Section [.plt.got] 0x2000 ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 5VGR Section [.got] Section [.got.plt] Section Header Section [.shstrtab] Section [.got] Section [.got.plt] Section Header Section [.shstrtab]

[.plt] Section [.plt.got] 0x2000 5VGR㠚5GEVKQP*GCFGT QHHUGV QHHUGV Z Section [.got] Section [.got.plt] Section Header Section [.shstrtab]

[.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR㠚2TQITCO*GCFGT 6GZVUGIOGPV 4GNQECVKQP UGIOGPV &CVC UGIOGPV

[.plt] Section [.plt.got] 0x2000 5VGR㠚'.(*GCFGT GAUJQHH Z Section [.got] Section [.got.plt] Section Header Section [.shstrtab] GAGPVT[

[.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR⬿5JGNNEQFG

[.plt] Section [.plt.got] Section [.got] Section [.got.plt] 0x2000 Section Header Section [.shstrtab] 5VGR⦿GPVT[RQKPV OQXTCZTGCNAGPVT[ LORTCZ

台科資安社椥藃獌'.(*GCFGT ELF Header (Elf64_Ehdr) WPUKIPGFEJCT GAKFGPV='+A0+&'06? 'NHA*CNH GAV[RG
1DLGEVHKNGV[RG 'NHA*CNH GAOCEJKPG #TEJKVGEVWTG 'NHA9QTFGAXGTUKQP 1DLGEVHKNGXGTUKQP 'NHA#FFT GAGPVT[ 'PVT[RQKPVXKTVWCNCFFTGUU 'NHA1HH GARJQHH 2TQITCOJGCFGTVCDNGHKNGQHHUGV 'NHA1HH GAUJQHH 5GEVKQPJGCFGTVCDNGHKNGQHHUGV 'NHA9QTFGAHNCIU 2TQEGUUQTURGEKHKEHNCIU 'NHA*CNH GAGJUK\G '.(JGCFGTUK\GKPD[VGU 'NHA*CNH GARJGPVUK\G 2TQITCOJGCFGTVCDNGGPVT[UK\G 'NHA*CNH GARJPWO 2TQITCOJGCFGTVCDNGGPVT[EQWPV 'NHA*CNH GAUJGPVUK\G 5GEVKQPJGCFGTVCDNGGPVT[UK\G 'NHA*CNH GAUJPWO 5GEVKQPJGCFGTVCDNGGPVT[EQWPV 'NHA*CNH GAUJUVTPFZ 5GEVKQPJGCFGTUVTKPIVCDNGKPFGZ

台科資安社椥藃獌5GEVKQP*GCFGT 'NHA9QTFUJAPCOG 5GEVKQPPCOG UVTKPIVDNKPFGZ 'NHA9QTFUJAV[RG
5GEVKQPV[RG 'NHA:YQTF UJAHNCIU 5GEVKQPHNCIU 'NHA#FFT UJACFFT 5GEVKQPXKTVWCNCFFTCVGZGEWVKQP 'NHA1HH UJAQHHUGV 5GEVKQPHKNGQHHUGV 'NHA:YQTF UJAUK\G 5GEVKQPUK\GKPD[VGU 'NHA9QTFUJANKPM .KPMVQCPQVJGTUGEVKQP 'NHA9QTFUJAKPHQ #FFKVKQPCNUGEVKQPKPHQTOCVKQP 'NHA:YQTF UJACFFTCNKIP 5GEVKQPCNKIPOGPV 'NHA:YQTF UJAGPVUK\G 'PVT[UK\GKHUGEVKQPJQNFUVCDNG Section Header 'NHA5JFT

台科資安社椥藃獌2TQITCO*GCFGT 'NHA9QTFRAV[RG 5GIOGPVV[RG 'NHA9QTFRAHNCIU
5GIOGPVHNCIU 'NHA1HH RAQHHUGV 5GIOGPVHKNGQHHUGV 'NHA#FFT RAXCFFT 5GIOGPVXKTVWCNCFFTGUU 'NHA#FFT RARCFFT 5GIOGPVRJ[UKECNCFFTGUU 'NHA:YQTF RAHKNGU\ 5GIOGPVUK\GKPHKNG 'NHA:YQTF RAOGOU\ 5GIOGPVUK\GKPOGOQT[ 'NHA:YQTF RACNKIP 5GIOGPVCNKIPOGPV Program Header 'NHA2JFT

Take a break~8:25

台科資安社 5JCTG.KDTCT[TWPVKOGDKPFKPI puts@plt LOR RWVU"IQVRNV RWUJZ LORZH .text ECNNRWVU"RNV [email protected]
RWVU"RNV

台科資安社 puts@plt LOR RWVU"IQVRNV RWUJZ LORZH PLT0 RWUJ )16
LOR )16 .text ECNNRWVU"RNV [email protected] RWVU"RNV AFNATWPVKOGATGUQNXG NKPMAOCRAQDLTGNQEAKPFGZ 5JCTG.KDTCT[TWPVKOGDKPFKPI

台科資安社 .KDTCT[TWPVKOGDKPFKPI .text ECNNRWVU"RNV puts@plt LOR RWVU"IQVRNV RWUJZ LORZH PLT0
RWUJ )16 LOR )16 dl_resolve %CNNHKZAWR [email protected] RWVU"RNV

台科資安社 .text ECNNRWVU"RNV puts@plt LOR RWVU"IQVRNV RWUJZ LORZH PLT0 RWUJ
)16 LOR )16 dl_resolve %CNNHKZAWR [email protected] RWVUNKDECFFTGUU 5JCTG.KDTCT[TWPVKOGDKPFKPI

台科資安社 .CD2.65GEVKQP+PHGEVGF ELF Header Program Header Section [.text] Section [.rodata]
Section [.plt] Section [.plt.got] Section [.got] Section [.got.plt] Section Header Section [.shstrtab] PLT0 RWUJ )16 LOR )16 puts@plt LOR RWVU"IQVRNV RWUJZ LORZH

台科資安社 .CD2.65GEVKQP+PHGEVGF PLT0 RWUJ )16 LOR )16
puts@plt LOR RWVU"IQVRNV RWUJZ LORUJGNNEQFG ELF Header Program Header Section [.text] Section [.rodata] Section [.plt] Section [.plt.got] 0x2000 Section [.got] Section [.got.plt] Section Header Section [.shstrtab] 獑獑獑

台科資安社 .CD2.65GEVKQP+PHGEVGF UKNXKQVGUVARTQITCOUCORNGUJGNNEQFGXKTWUZHD

台科資安社ㄙ屬CPVKFGDWI ▸ ptrace anti-debug ▸ /proc/self/status ▸ Clean section
header ▸ https://github.com/JonathanSalwan/stuffz/blob/master/elf-corruption-little-anti-debug.c

台科資安社禮荽茞徿 ▸ mail: [email protected]

IoT malware analysis

IoT malware analysis

More Decks by In0de

Other Decks in Education

Featured

Transcript