Antivirus naming scheme. Antivirus vendors distinguish the different detections they add by a suffix made of letters or digits, or by the file size. Examples: Exploit.HTML, Exploit.PDF, Exploit.SWF, IM-Worm.xxx (worm spreading through instant messaging), HTML.IFrame, Sdbot / Rbot / Spybot (a type of malware spreading through remote system vulnerabilities such as RPC, as Blaster did in its day), Trojan-Spy.Win32.Banker, Trojan.DNSChanger, Trojan.Clicker, Trojan.Downloader, Trojan.Delf, Trojan.Dropper, Trojan.FakeAV, Trojan.Inject, Trojan.RogueSecurity, Trojan.PWS, Trojan.Small, Trojan.Tiny, Trojan.VB, Trojan.WinUnlock, Worms.Autorun
Honeywall is a proof of concept of a network security hardware device capable of translating and forwarding packets. Designed for high availability, Honeywall is able to provide load balancing and anti-flooding. Unlike a firewall, it does not block packets. Features: Building: all you need to deploy centralized services on remote Honeywalls. Managing: create and allow administrators to manage the system on the fly. Monitoring: open source hypervisor technology over the network.
Network-based intrusion prevention (NIPS):
Wireless intrusion prevention systems (WIPS):
Network behavior analysis (NBA):
Host-based intrusion prevention (HIPS):
Rate-based intrusion prevention systems implemented with specialized hardware
Anomaly based detection systems
Traffic Monitoring, Signature Based Detection, Anomaly Based Detection, DNS Based Detection, Data Mining Based Detection
Honeypot, Malware Collection, Vulnerability Emulation
ISP, Domain registrars
(Collaboration and Cooperation)
Common methods include: hosting provider de-peered (example: McColo, Troyak); server hosting the botnet cleans up / kicks it off (public IRC servers, free web hosting); compromised host cleaned up or rebuilt; DNS revoked; IP of the C&C server banned (because Metus pwnz and I opened a port on my router at home just like the tutorial told me!)
Prevention and detection. User and client side: installation of detection tools (antivirus software, personal firewall, spyware detection tool). Regular updates: operating system, antivirus software (and check that the update really happened: the botnet may have disabled it), web browser (do not install unsigned plugins), mail client, instant messaging software, office software. Precautions: do not work as administrator, do not disable automatic updates, do not follow links contained in spam, be careful with attachments, software patches are never sent by mail, read-only rights on executables where possible plus integrity checking, do not download just anything (cracks, etc.)! Administrator side: blacklists exist: RBLs (Real-time Black Lists) ⇒ filter generation; monitoring of network traffic (IRC, P2P protocols) ⇒ NIDS (Network Intrusion Detection System); be careful with PHP applications on web servers (security holes); strict password management; define a policy for security patch management; do not leave out mobile (laptop) computers; restricted rights for users; log analysis after infections (discovery of newly infected machines, finding the C&C); deployment of firewalls, proxies, SMTP filtering, VLANs.
No single method: use defense in depth. Watch anti-virus/anti-spyware logs: many bots are caught by anti-virus, but it is not a 100% fool-proof plan. Monitor firewall logs for C&C traffic: watch FW logs for both allowed and denied connections to common C&C services, IRC (TCP 6667), P2P (varies), odd ports. Use an IDS to watch for IRC/P2P/botnet activity, and for attacks and DoS traffic coming FROM your network. Network flow analysis: watch for increases in traffic and unusual traffic patterns. Your users.
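The firewall-log checks listed above (IRC ports, odd ports, regular call-backs to one server), as an added example that is not part of the original notes. The log format is a constructed, simplified "timestamp ACTION src -> dst:port" line and the sample log is made up; the port lists and the five-second jitter tolerance are assumptions.

```python
"""Spot likely C&C traffic in firewall logs.

Added example, not code from the original notes. The log format below is a
constructed, simplified "timestamp ACTION src -> dst:port" line (assumption,
not any vendor's real format). The heuristics are the ones listed in the
notes: connections to IRC ports, connections to odd high ports, and one host
talking to one destination at a near-constant interval (beaconing).
Both ALLOW and DENY lines are examined.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Outbound ports a workstation normally uses; anything else above 1024 is "odd" (assumption).
COMMON_PORTS = {22, 25, 53, 80, 110, 123, 143, 443, 993, 995}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def beacon_interval(timestamps, min_events=4, max_jitter=5.0):
    """Return the rounded period in seconds if the events repeat at a
    near-constant interval (jitter <= max_jitter seconds), else None."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if mean(gaps) <= 0 or pstdev(gaps) > max_jitter:
        return None
    return round(mean(gaps))


def analyse(lines):
    """Return sorted (src, dst, port, reason) tuples worth a second look."""
    findings = set()
    flows = defaultdict(list)            # (src, dst, port) -> timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["port"])
        flows[key].append(rec["ts"])
        if rec["port"] in IRC_PORTS:
            findings.add(key + ("irc-port (%s)" % rec["action"].lower(),))
        elif rec["port"] > 1024 and rec["port"] not in COMMON_PORTS:
            findings.add(key + ("odd-port (%s)" % rec["action"].lower(),))
    for key, stamps in flows.items():
        period = beacon_interval(stamps)
        if period is not None:
            findings.add(key + ("beaconing every ~%ds" % period,))
    return sorted(findings)


# Constructed sample log: one IRC attempt (denied), one host polling the same
# server every five minutes over HTTPS, one connection to an odd high port.
SAMPLE_LOG = """\
2012-03-01 10:00:00 ALLOW 10.0.0.12 -> 93.184.216.34:80
2012-03-01 10:00:05 DENY 10.0.0.12 -> 198.51.100.7:6667
2012-03-01 10:01:00 ALLOW 10.0.0.12 -> 93.184.216.34:443
2012-03-01 10:05:00 ALLOW 10.0.0.23 -> 203.0.113.9:443
2012-03-01 10:10:00 ALLOW 10.0.0.23 -> 203.0.113.9:443
2012-03-01 10:15:00 ALLOW 10.0.0.23 -> 203.0.113.9:443
2012-03-01 10:20:00 ALLOW 10.0.0.23 -> 203.0.113.9:443
2012-03-01 10:07:13 ALLOW 10.0.0.44 -> 198.51.100.7:31337
"""

if __name__ == "__main__":
    for src, dst, port, reason in analyse(SAMPLE_LOG.splitlines()):
        print("%-12s -> %s:%-5d %s" % (src, dst, port, reason))
```

The beaconing check is the one that catches HTTP-based C&C on port 443, which the port lists alone would never flag; denied IRC attempts are still reported because a blocked bot is still an infected host.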
Can you get forensic information on the malware? Got a copy of the executable? Submit it to anti-virus vendors (http://www.virustotal.com). Command and control information? Send it to the Shadowserver Foundation or the ISC handlers. DO NOT CONNECT TO THE C&C CHANNEL!
Patch, patch, patch: both workstations AND servers. Bots were using MS06-040 exploits 2 days after the patches were released. Teach users safe computing habits: safe browsing habits; not running unknown files will help prevent bot infection. Maintain up-to-date anti-virus signatures: it's not 100% effective, but important!
Begin incident response. Treat it like a virus infection: the first priority is removal of the malware. If possible, determine how it got on; this will help prevent further infections. Prevent it from happening again: patch, user awareness, etc.
Bot infections can be costly: cleaning up 1 infection is easy, how about 1,000? Better understanding = better protection. Botmasters are organized; we need to be as well.
Education, Computer security basics, Antivirus updates, Apply vendors' security updates, Relatively efficient, Good usage of IT, Do not click on everything!, Avoid suspicious sites, Only use legal software and licenses, No illegal download of MP3, DivX, Stop believing everybody wants to give you money!, Merely useless: humans will be humans
Laws, Financial, Common laws against crime money, Increase the risks and reduce the interest for criminals, Fall under organized-crime prevention methods, Efficient for 'big' business, not for 10,000$ exploits, IT specific, Repression of illegal behavior, Prevention of research, Adopted by many countries, Forbid security research and publication, Leads to the opposite effect: research going underground.
Home User: Prevention
Home User: Detection
Home User: Response
TeamViewer / Hamachi / Mikpo
Permanent connection between the client and each server
Common features, File manager, Keylogger, Cam capture, Reverse shell
alias: Zombies/Drones/Loaders. Similar to a backdoor in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.
Architecture, Centralized, IRC-based, Pros, Easy to implement, Uses IRC servers/channels/topics/messages for communication, Not much bandwidth required, Infrastructure already set up and maintained, Code already exists, just drag and drop, Cons, Permanent connection, Central server, Usually unencrypted, Easy to detect (IRC traffic filtering), to get into and to shut down., HTTP/HTTPS-based, Pros, Hard to detect (HTTP + SSL traffic), Regular, non-permanent connections from the bots to web servers to fetch the orders from the C&C, Orders looked up in forums, using keywords or even images (steganography), IRC not always allowed through corporate firewalls, HTTP almost always is, Web servers are found everywhere, Provides a simple interface for the bots and the botmaster, HTTP is the most stable and has other benefits such as domain backups and domain generation., Cons, Central point, VoIP-based, Skype, SMS-based on mobiles, Why smartphone botnets?, Nearly 62 million smartphones sold in Q2 2010, Development is similar to standard platforms, Android = Linux, iPhone = OSX, Windows Mobile = Windows node, Technical specs not as good as top-of-the-line desktops, but they are capable and improving rapidly., Why SMS C&C?, Battery management: IP runs down the battery quickly, Fault tolerant: if SMS fails it will queue and retry, Difficult for security researchers to monitor, Android, Captures IMEI number, IMSI number, user id etc. and sends that information to a remote server., Contacts, Connects to a remote server and deletes SMS, makes calls, steals SMS etc., The malware listens to the keypad tones by activating the phone's microphone; this lets the attackers recover credit card numbers from the DTMF tones., Sends SMS to premium numbers with a text, but in the background blocks the delivery report from that premium number so that the user doesn't know what is happening., Access to the SD card, GPS location, full internet access and phone call access., The author tried to add permissions such as browsing history, read, send and write SMS etc., Proprietary channels, Usually based on covert channels and/or encryption, with the adoption of PKI, Needs a private infrastructure, Efficient in the short term but gets blocked, Tor to change this status..., Decentralized, P2P-based, Pros, Hard to locate, Very hard to neutralize, Independent of the DNS architecture, Distributed, Resilient control structure, Resilient to failures, Harder to shut down, Hard to discover, Hard to defend against, Hard to enumerate, Command and control location discovery, Cons, Very hard to neutralize, Hard to launch large-scale attacks because P2P technologies are currently only capable of supporting very small groups (<50 peers), No guarantees on message delivery or latency, Different types, Gossiping, Overlay network, eDonkey - DHT, Randomized (Hybrid or Mix), Communication between the bot client and the C&C server using HTTP, Communication between bots using TCP or encrypted ICMP, Command transmission using P2P, The detection of a single bot would never compromise the full botnet, The message latency would be extremely high, with no guarantee of delivery, Custom, TCP / IP, XMPP / UPnP / ICMP-based, Classification can be done based on the architecture of the botnet OR on its communication protocols with the bots.
Internal structure, Monolithic, Coherent, all features in one binary, Evolution may not be trivial, Kaiten, SDBot, Spybot, Modular, Evolution voluntarily made easy, Choice of an appropriate language (C++), AgoBot, Barnum, Set of heterogeneous scripts, Often relies on local interpreters, PHP bots, GTBot
Lifecycle, Spread/Propagation phase, Activation, I'm active, you can take control of me!, Update, Add new features, Auto-protection, Code mutation / self-modifying code, Polymorphism/Metamorphism/Oligomorphism, Bypass and block or kill antivirus / firewalls, Managed crypting services, System hardening, System file protection hiding, DDNS - Dynamic DNS domain name (Fast fluxing), Single flux, Use of one or several domains, Bot: choice of the destination URL depending on the request type, Regular change of the IPs associated with the domain name (DNS), Use of the zombie machines as reverse proxies (forwarding the victim's requests to the real server), +, Hides the IP of the real server, -, Address of the compromised name server, Double flux, +, Near-optimal availability, Survives the shutdown of one DNS server, Advanced double flux, Botnets run their own DNS service to resolve the C&C servers., Use high port numbers to avoid detection by security devices and gateways, Quality assurance, Server-side polymorphism, File extension manipulation / double extension, Ghost RAT, Rallying mechanisms, Hard-coded IP address, The bot communicates using C&C IP addresses that are hard-coded in its binary files., Easy to defend against, as IP addresses are easily detectable and blocked, which makes the bot useless., Dynamic DNS domain name, Hard-coded C&C domains assigned by dynamic DNS providers, Detection is harder when the botmaster randomly changes the location, Easier to resume the attack with a new, unblocked domain name, If the connection fails the bot performs DNS queries to obtain the new C&C address for redirection., Distributed DNS service, Hardest to detect and destroy, Newest mechanism, Sophisticated, Botnets run their own DNS service out of reach of authorities, Bots use the DNS addresses to resolve the C&C servers, Use high port numbers to avoid detection by security devices and gateways, System modification (changing network filtering rules, disabling security tools), Action, Attack, Spam
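The "domain generation" rallying idea from the architecture and lifecycle notes (a new set of C&C names per day, so nothing fixed has to be in the binary) and the DNS-based detection it calls for, as an added example that is not part of the original notes and is not any real botnet's algorithm. The seed, the TLD list, the lexical thresholds and the "timestamp client query[A] name" log format are all assumptions; the log lines are constructed.

```python
"""Toy date-seeded domain generation and a lexical DNS-log detector.

Added example, not code from the original notes and not any real botnet's
algorithm: it only illustrates the "alternative C&C server per day" idea
(bot and botmaster derive the same list, so nothing is hard-coded) and a
crude DNS-based detection over constructed log lines. The secret seed,
TLD list, thresholds and log format are all assumptions.
"""
import hashlib
import math
import re
from collections import Counter

TLDS = ("com", "net", "org", "info", "biz")
VOWELS = set("aeiou")


def generate_domains(iso_day, count=5, secret=b"example-seed"):
    """Deterministic domain list for one day (iso_day like '2012-03-01')."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + iso_day.encode() + bytes([i])).digest()
        length = 10 + digest[0] % 6                      # 10..15 letters
        label = "".join(chr(97 + b % 26) for b in digest[1:1 + length])
        domains.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return domains


def entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def dga_score(domain):
    """0..3 points: second-level label entropy, low vowel ratio, long consonant
    run. Labels shorter than 8 score 0. A real detector would add the
    NXDOMAIN rate per client, since most generated names never resolve."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 8:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", label) or [""])
    return (entropy(label) > 3.0) + (vowel_ratio < 0.3) + (longest_run >= 4)


# Assumed resolver log format: "timestamp client query[A] name"
LOG_RE = re.compile(r"^(\S+) (\S+) query\[A\] (\S+)$")


def suspicious_hosts(log_lines, threshold=2):
    """Map client IP -> the generated-looking names it asked for."""
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and dga_score(m.group(3)) >= threshold:
            flagged.setdefault(m.group(2), []).append(m.group(3))
    return flagged


if __name__ == "__main__":
    for d in generate_domains("2012-03-01"):
        print(d, dga_score(d))
```

On the defensive side, the lexical score is only a first filter: a handful of high-scoring names per client is harmless, a client producing dozens of them (most answered NXDOMAIN) in a short window is the pattern to alert on.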
Motivation, Financial gain, Who has the most bots?, Availability of bots?, Low user awareness and monitoring capability?, Location?, Countries with a low probability of law enforcement officers being able to trace the bot back to the attacker, The most resilient?, In fact, it's all about resilience!, How easy is it to control?, The highest overall bandwidth?, The highest-quality infected machines?, Universities (.edu domains), Government machines, Military workstations, Large corporations, Ideological, Retaliation, Counter-attack, Hadopi, SOPA, PIPA, CastleCops, Challenge, Personal, Blackmail, Extortion
Taxonomy & Evolution, 1999, Sub7 / PrettyPark, Connect to an IRC channel, Listen for malicious commands, 2000, GTbot, 1998, IRC-based, Runs custom scripts, Responds to IRC event(s), Accesses raw TCP and UDP sockets, 2002, SDBot, Single small binary, Written in C++, Commercialized by its creator, RxBot/UrBot/UrXBot/JrBot, AgoBot, Sequentially delivers payloads via modular staged attacks, 2003, SpyBot, Logs keystrokes, Mines data, Sends out spim, rBot, Used compression and encryption schemes, Tried to evade detection, Sinit, First P2P botnet, PolyBot, Uses polymorphism, Bagle, 2004, Bobax, First spam botnet, SoBig, MyTob, 2004, PhatBot, 2006, Rustock, 2006, Costrat, Sends out spam, ZeuS, Stealing banking-related and other financial data, 2007, Storm, Spreads via spam, aka NuWar, Specifically targets some security vendors/researchers, Used an encrypted implementation based on the eDonkey protocol, Cutwail, 2007, Aliases, Pushdo, Pandex, Initiates DDoS attacks, Sends out spam, Srizbi, aka Cbeplay, aka Exchanger, Sends out spam, 2008, Mega-D, Slightly modified SMTP-based, Ozdok, Responsible for 30-35% of the world's spam, Koobface, Sends out spam on social networking sites, writes malicious posts on users' walls, Conficker, aka DOWNAD, Alternative C&C server per day, ASprox, Sends out spam, 2009, BredoLab, Waledac, 2010, TDSS, Armageddon, Artro, Aurora, BlackEnergy, Carberp, ClickBot, DSNX Bots, Donbot, DopeBot, EggDrop, 1993, IRC-based, Festi, Forbot, Gaobot, Gheg, Gozi, Grum, Tedroo, Hodprot, Kaiten, Kelihos, Kraken, Lurk, Lethic, Maazben, MayDay, NuCrypt, Perl-based bots, Phatbot, Ponmocup, Q8 Bots, Qhost, Sality, Shiz, Spamthru, Spy.Ranbyus, SpyEye, SpyRanbus, Waledac, Xarvester, XtremBot, Pony, Andromeda
Terminology, Bot Master, Bot, Botnet Army, Bot Binary, Command and Control, C&C Channel, C&C Server, Push, Pull, C&C Infrastructure, Centralized, Distributed, Unstructured
Topology, Star, Multi-server, Hierarchical, Random
Usage, Legitimate, Web crawler, Game managing, Managing databases, Maintaining access lists, Protecting channels, Carrying out conversations, Malicious, Bitcoin, Logging keystrokes, Taking screenshots / video cam, Browser hijacking, Sniffing traffic, Online fraud, Abused click-fraud, Online banking fraud, Theft of electronic funds, Phishing, Cashing, Hosting illegal data, Spam/Spamdexing, Spam, Pharma and counterfeits, Fake software, Nigerian scam..., Information theft, Login IDs, Passwords, Clipboard content, Email addresses, Digital certificates, Auto-complete fields, Identities, SSN, Application licenses, Credit card numbers, Sensitive information, Corporate financials, Source code, Infection, Spreading new malware, FakeAVs, Adware, Ransomware, Disabling existing security, Selling infected computers, Access number replacement, Manipulating online polls/games, Using multiple identities such as multiple players at the same poker table, and voting systems such as music clip contests., DDoS (Distributed Denial of Service), ICMP flood, UDP flood, Stream of TCP requests, Slowloris, HTTP flood, Buy/rent out the service of the bot to third parties, Trade bandwidth of high-speed bots / Sale of traffic, Act as a proxy server to conceal the attacker's identity / provide anonymity, Generic port redirection, HTTP proxy, SOCKS proxy, IRC bounce, Brute-forcing remote machines / distributed password cracking (computing power / scrumping), FTP, SMTP, SSH, ..., Government cyber attack, Sold on the black market!, Sale of traffic, Sale of exploits, Sale of loaders, Anonymization, Result, Loss of revenue, Regulatory compliance, Customer evidence, Reputation, And even the business itself.
Browser Helper Object Malicious Plugins
Malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system. The downloader program will download and install additional malicious code.
Installed via, Web banners, Google sponsored links, Fake VLC/ActiveX plugins, VLC plugins in streaming
How it works?, SMS rip-off, Repackaged GNU free software, Added affiliate program (toolbars)
To clean, HijackThis, Submit report to PPoint, Configure your AV to block PUPs, AdwCleaner
Some examples, Babylon Toolbar, Boxore, Complitly, Ezlooker, Eorezo, Incredimail Toolbar, SweetIM / SweetPack, Searchqu / Searchnu, Savings / SideKick, PCTuto / Tuto4PC, Wagram, Yontoo
Download from Trusted Sources : Clubic / 01.net
Malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an anti-virus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their "software", when in reality the software it's selling does nothing more than remove the scareware.
Examples, Gimemo, Reveton, Tobfy, Lock Em All
Malicious code designed to conceal the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect. A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer. The ability to hide files, directories, drivers, processes, registry entries and config files is likely to be a requirement of your rootkit. Shadow Walker, NTIllusion, NT Rootkit, and Hacker Defender are popular and widely used; other user-mode rootkits exist, such as AFX.
Loading a driver, Using an undocumented API: the only time when this loading method is really safe is when it's specifically designed around the paging problem., Using the Service Control Manager: when a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory, be paged out, or cause Blue Screens of Death. This is a Good Thing.
Surviving Reboot, Using the run key ("old reliable"), Using a Trojan or infected file, Using .ini files, Registering as a driver, Registering as an add-on to an existing application, Modifying the on-disk kernel, Modifying the boot-loader
API hooking, IAT hooking, It is easy to discover these types of hooks. On the other hand, hooks like these are used frequently, even by the operating system itself, in a process called DLL forwarding. Even if someone is trying to detect a rootkit hook, determining what is a benign hook as opposed to a malicious hook is difficult., Another problem with this technique has to do with the binding time. Some applications do late-demand binding: with late-demand binding, function addresses are not resolved until the function is called. This reduces the amount of memory the application will use. These functions may not have addresses in the IAT when your rootkit attempts to hook them. Also, if the application uses LoadLibrary and GetProcAddress to find the addresses of functions, your IAT hook will not work.
Kernel Hooks, As a general rule, processes cannot access kernel memory. The exception to this rule is when a process has debug privileges and goes through certain debugging APIs, or when a call gate has been installed. We will not cover these exceptions here. For more information on call gates refer to the Intel Architecture Manuals.
Code / DLL Injection into a userland process, The code cave method
The Problem with Hooking, There are anti-rootkit applications that can rebuild the system call table. This can be done by reinitializing kernel memory from the original file, ntoskrnl.exe., If the system call table is rebuilt after your rootkit is installed, all hooks will be lost., To prevent this possibility, newer rootkits follow the table entries to the actual functions and patch the functions themselves to jump to their respective rootkit routines. This technique is called trampolining
Virtual rootkit (ring -1), BluePill (supports AMD-V and recently VT-x), SubVirt (supports VT-x), VM-aware malware (not a rootkit, but related).
Spyware Guard 2009
Security essentials 2011
Advanced Virus Remover
type, System Defragmenter, Anti-Spyware
Infected users need to send a text message to get a valid serial number to remove the Trojan.
Displays a lot of warning messages, changes the desktop background, detects fake infections and blocks software execution. It comes from fake online scanners, malicious porn sites, fake cracks and exploits.
Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.
A new version of the multi-rogue scareware has been released. This malware is looking for the OS version (XP, Vista, Seven) and changes its name and skin: XP Anti-Spyware, XP Home Security 2011, XP Anti-Virus 2011 (...). It belongs to the Braviax family. As usual it displays fake warning messages to push users into buying a license.
WindowsTool is a fake Defragmenter tool (rogue) from the same family as: WinScan, Disk Recovery, WinDisk, Windows Disk, Windows Scan, Memory Optimizer, Disk Optimizer, Good Memory, Fast Disk, Disk OK, My Disk, Memory Fixer, HDD Fix, HDD Low, Scanner, Disk Repair, Defragmenter, HDD Tools, Smart HDD, HDD Rescue, HDD Plus, HDDDiagnostic, Hard Drive Diagnostic, HDD Scan, Win Defragmenter, Win Defrag, Win HDD, Check Disk, Ultra Defragger, Quick Defragmenter, HDD Defragmenter, System Defragmenter
The malware modifies the registry key so that the next reboot goes into safe mode, and queues your antivirus for uninstallation.
Malware that infects a user's machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.
How it works?, Bulletproof servers, Hacked servers, Botnets, The bot receives the template of the spam message, Mailing list, Webmails, Gmail, Hotmail, ...
Anti-spam, SpamPal, Spamihilator, SpamFighter, PharmaIncome, Drugstore
Password-Stealing Trojans (PWS)
Mailers and Mass-Mailer Worms
The action of taking the malware apart to study it in a Malware Laboratory
Controlled environment, All the information must be recorded for later usage
Isolated, The malware must not be allowed to contact any external source, but…
Fully simulated, The laboratory must provide all the resources needed by the malware
Analysis of unknown/suspicious files
Public information from antivirus & Security Companies is not complete
Private information about the malware requires an expensive paid service
To determine the sophistication level of the malware author
To identify the intruder or insider that is responsible for installing the malware
Questions broken down into, Business, What is the purpose of the malware?, How did it get here?, Who is targeting us and how good are they?, Is it customized malware that targets a small/particular organization?, What are the risks and the consequences?, What did they steal?, How can I get rid of it?, How long has it been here?, Does it spread on its own? How does the malware propagate?, How can I find it on other machines?, How can you make sure I've deleted the entire malware package and not just one part of it?, How do I prevent this from happening in the future?, If you were a virus writer, how might you improve it?, Technical, What are the network-based indicators that reveal the presence and activity of the malware?, What are the host-based indicators that reveal the presence and activity of the malware?, Is it based on any other well-known tool?, Is it persistent? If so, what mechanism does it use to ensure that it keeps running after a machine is rebooted?, What effects does the malware have on the Windows Registry?, Does the malware create/tamper with any files?, If so, what are the filenames and where are these files located on the Windows file system?, What do you think these files might be used for?, When was the program written, compiled, and installed?, What language was used to write the program?, Is it packed? What packer was used? Is it a customized or a well-known packer?, Does it have any anti-reverse-engineering functionality?, Does it include any rootkit/worm/trojan functionality?, What vulnerabilities were exploited to allow the malware to get there in the first place?, How did it get here?, or, to learn and have fun
Acquisition of samples from sandboxed machines working in a honeypot; samples sent in by customers, either automatically or manually; samples acquired from third parties, including competing vendors
From online sandboxes & antivirus
From honeypots, Recovered from complete machines, Automated capture systems, Nepenthes, http://nepenthes.mwcollect.org, Vulnerable service simulation (e.g. MS-RPC), ...and the good news is..., Does NOT execute the buffer overflow code, Parses the attack and simulates an infected system, Downloads and stores those interesting payloads
Received from another CSIRT or group
From our customers, when handling an incident
Victim machines, in which the malware can be run, OS unpatched, Firewall/AV disabled, Applications unpatched (Microsoft Office, browser, ...), Consider leaving some intentional traces of normal usage, such as browsing history, cookies, documents, images etc. If a malware is designed to operate on, manipulate or steal such files you'll be able to notice it.
Support Tools for building the lab, VMTools-like
Analysis tools that can be used to analyze the malware. Static analysis tools: Pros: getting a complete image of the code; modern tools are available; do not require an extensive programming or reverse engineering background. Cons: need special skills/knowledge; time consuming; code obfuscation and anti-analysis may make the task complicated. Involves examining the malware without running it. Dynamic analysis tools: Pros: complementary to static analysis; step-by-step view of the execution. Cons: need special skills/knowledge; anti-analysis may delay the analysis. Involves running the malware. Remote analysis tools: outside the lab, public or private services providing automatic analysis of the files. Pros: fast analysis of the file; most of them keep the information for later referral. Cons: moving to paid services; sometimes they don't provide the required information; malware can detect some of the systems. Examples: VirusTotal.com: analyzes a file against a battery of antivirus engines; doesn't perform any analysis of the file itself; detection rate varies due to the encryption techniques used to avoid antivirus: most malware is encrypted / packed to avoid analysis (UPX, http://upx.sf.net), so analysis based on pattern matching cannot be performed directly; cryptographic checksums (MD5, SHA1) fail because malware changes every few hours; need to recover all the files and analyze them. Norman Sandbox: two-level model: free, small report by email; paid service: detailed information. How these tools work: they use a virtual machine to execute the malware and perform automatic checks: Windows registry, file system changes, network activity, DLL hooks: the operating system API is replaced; the malware calls the API; the new DLL logs the call and executes the Windows API. Anubis. File exploration tools: simple extraction of a lot of information; malware authors rarely hide all their traces; does not work if the file is camouflaged (packed).
Network simulation, Internet connection, DNS server, DHCP server, IRC server, SMTP server, Proxy, Web server, Use a free address range, We can configure a Linux/Unix box that accepts traffic like a router, responds to the DNS queries, accepts traffic to some services
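The "responds to the DNS queries" part of the simulated network, as an added example that is not part of the original notes and is not an existing tool: a tiny UDP responder that answers every A query with the lab sink-hole address, so whatever C&C name the sample resolves lands on a machine we control. The addresses 10.10.0.1 for both the responder and the sink-hole are assumptions; the packet-building functions are separated from the socket loop so they can be exercised offline.

```python
"""Minimal "answer everything" DNS responder for the isolated lab network.

Added example, not code from the original notes and not an existing tool:
every A/IN query gets the lab sink-hole address back, so the sample's C&C
look-ups resolve to a machine we control; other query types get an empty
NOERROR reply. The addresses 10.10.0.1 (responder and sink-hole) are
assumptions. Binding UDP/53 needs root; the packet functions run offline.
"""
import socket
import struct


def build_query(name, txid=0x1234, qtype=1):
    """Build a plain recursive query (used here only to test build_response)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)


def parse_qname(data, offset=12):
    """Return (name, offset just after the terminating zero). Compression
    pointers are rejected: a client never needs them in the question."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def build_response(query, answer_ip, ttl=60):
    """Echo the question and append one A record (name pointer 0xC00C -> offset 12)."""
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _name, end = parse_qname(query)
    qtype, qclass = struct.unpack(">HH", query[end:end + 4])
    question = query[12:end + 4]
    rflags = 0x8080 | (flags & 0x0100)        # QR=1, RA=1, RD copied from the query
    if (qtype, qclass) != (1, 1):             # not A/IN: empty NOERROR so the client moves on
        return struct.pack(">HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return struct.pack(">HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def serve(bind_ip, sink_ip, port=53):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_response(data, sink_ip)
            name, _ = parse_qname(data)
        except (ValueError, IndexError, struct.error):
            continue                          # malformed packet: drop it
        print("%s asked for %s -> %s" % (peer[0], name, sink_ip))   # the lab record
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve("10.10.0.1", "10.10.0.1")
```

The printed "who asked for what" line is the useful output: the list of names the sample resolves is a network indicator in its own right, even before anything connects to the sink-hole.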
How many machines do we need for our lab? Hardware is not only an expense, but also difficult to maintain and takes too much space... Virtualization software can be used to reduce this cost: run different virtual machines at the same time; run unmodified versions of most operating systems; provide configurable resources, advanced disaster recovery, and isolation; allow different, isolated networks for the machines; machines can be connected to the real interfaces. Examples: VMware is the most used: Workstation, you can build the lab on your own laptop or desktop, but it requires a licence; Server, free, you can install the lab on a remote machine and handle the binaries remotely. Parallels, VirtualBox, Microsoft Virtual PC, Xen, ... But... your virtualisation software is not perfect, and may allow information to leak from the virtual machine to your host machine in a way you didn't expect. Malware is incorporating code to detect virtualization environments and may modify its behavior: checks for some special drivers, checks for some special devices. Sometimes we need to try another virtualization software, or use real machines, or use real machines connected to the virtual lab. Or, if you have a budget, use Norton Ghost for quickly restoring system images, or any other re-imaging software: UDPcast, Truman, CoreProtect card
Machine with: memory for running three virtual machines; disk space for storing virtual machines ~
Additional hardware/software: emulator of other hardware
Only two machines: one to simulate the net, another to execute & analyze the tool
Windows machine, Unpatched Windows machine, To execute the malware, To analyze the malware, Tools installed on the machine, Regshot, http://regshot.blog.googlepages.com/regshot, LordPE, http://scifi.pages.at/yoda9k/LordPE/info.htm, BinText, from the Foundstone tools, OllyDbg, http://www.ollydbg.de, http://ollydbg.ispana.es, IDA Pro, http://www.datarescue.com/idapro
Caution before executing the malware
Check that all the machines are in the correct network
Check that the lab is not connected to any other network.
Check that you are executing the malware in the correct machine
Preparation, File fingerprinting / hashing, Filtering (antivirus scanning), Online sandbox services, Weeding, Quick examination of the virus code, Inside the PE format (header/functions/IAT), String dump, Packer detection, Crypto routines, Disassembling, Black-boxing
Unpacking. How do you know if a file is packed? No import table; sometimes the start function contains some xor eax, eax; no strings; a big portion of code is inside the .data section; high entropy. The general way: using the ESP register (hardware breakpoint on ESP register change); OllyDbg SFX features; breakpoint on access on the code section of the program; tracing the program till retn / jmp; exceptions generated by the packer. File is packed? Modify the JMP to OEP to point to our own code (code cave), patch the target, then jmp back to the OEP (inline patching). PUSHAD/POPAD method. Always verify the base of code and base of data after unpacking, so Olly won't complain about the EP being outside the code section. Packers insert non-existent addresses to distract the reverser (IAT rebuilding). To unpack it, the easier way is to put a breakpoint on WriteProcessMemory: at this breakpoint, the packer writes the unpacked binary into a new process. Most Visual Basic packers are packers on the "heap", so we can directly recover the binary by setting breakpoints on functions like VirtualAllocEx and WriteProcessMemory, also LoadLibrary, LocalFree. Packers theory: the import table has been removed; the packer saves only (in a secure place) the hashes of the API names and their addresses in the IAT; the algorithm is well obfuscated and has lots of anti-debug, anti-trace...; the packer doesn't use GetProcAddress, instead it implements its own algorithm to find the APIs in the export table of the DLLs; the IAT has been redirected. Packers theory 2: PE packers compress the PE sections or some other data using compression algorithms like LZMA, LZSS, aPLib etc. So before running the actual malicious code the packer will: 1) Decompress the compressed code: to do this it usually allocates some space using VirtualAlloc(), VirtualAllocEx() or ZwAllocateVirtualMemory(), then decompresses the data into the allocated memory. 2) Fix the imports: the imports are fixed so the malware can use the imported APIs. To resolve the import addresses it will use the APIs GetProcAddress() / LoadLibrary(), or resolve them dynamically by walking the PEB_LDR_DATA structure. 3) Jump to the OEP: finally it jumps to the OEP where the actual malware code begins. Many malwares use multi-level packers. How to unpack: we can set a breakpoint on VirtualAlloc() first; after the breakpoint is hit we can remove the breakpoint on VirtualAlloc() and set a breakpoint on GetProcAddress(). We see that GetProcAddress() is called repeatedly in a loop; this loop is used to resolve all the APIs in the DLL. We bypass the loop and continue debugging; after a few lines of code we reach the OEP.
Disassembling and Decryption
Dynamic Analysis Techniques, File-change monitoring, Goat file-based analysis, Registry change tracking, Process and thread monitoring, CPU in use, Memory in use, Drivers/DLLs used, Network port monitoring, Network sniffing and capturing, NetBIOS, NetStat, System call tracing, Debugging, Code emulation
Automation?, Manual process: tedious and error-prone, Scripts: automated reboot / snapshots
You don't have to follow the process exactly as it is. Most shortcuts are taken because of a lack of time, skills or understanding of how to reverse malware. Some may think: why reinvent the wheel? That is all fine.
Note down your findings so you will be able to see trends or recognize similar behaviours across samples; that helps in reversing future samples that exhibit similar characteristics.
Methodology of Reverse Engineering Code, Always do some investigation about the app you're reversing: EXE/DLLs + configuration files, compiler, call stack, return to disassembler, stack window / pane window, resource identifiers, search for commands -> PUSH (ID number), magic byte / half byte, BP on particular APIs: KillTimer(), RegQueryKey(), GetLastError(), GetDlgItemText(), ..., find references to a constant, esthetic patching, Protections: server check, key file, registry key, time limit, Keygenning routines: ADD, SUB, ROR, ROL, SHL, SHR, XOR, OR, AND, NOT, BSWAP, modulo, sigma (sum), simple ciphers: Caesar, Base64, ..., standard ciphers, custom encoding algorithms, insert / replace a char inside a string code, generate a string code and use it somewhere, Algo/math tricks: number theory, perfect numbers, FPU instructions: arctan, sin, cos, power, ..., PI, equations, GetComputerName() / GetLocalTime()
Supporting Figures, Logs, Strings, Function listings, Screenshots
Observations, Behavioral analysis, Static code analysis, Dynamic code analysis, Memory analysis
Dependencies, Targeted Architecture / OS, Targeted Format, Patch level, Required libraries, Configuration files, Scripts and executables, URLs
Sample's Characteristics, Infection capabilities, Self-preservation capacity, Spreading mechanics, Payload, Data leakage abilities, Performance degradation, Impact from destruction of personal data through to bot infection, Remote attacker interactions
Sample's Identification, File name, type, size, File hashes, Anti-virus identifiers
Summary of the analysis, Key observations, Recommendations, Limitations, Report date and authors
Don't get too caught up in the details. Most malware programs are large and complex, and you can't possibly understand every detail. Focus instead on the key features. When you run into difficult and complex sections, try to get a general overview before you get stuck in the weeds.
Remember that different tools and approaches are available for different jobs. There is no one approach. Every situation is different, and the various tools and techniques that you'll learn will have similar and sometimes overlapping functionality. If you're not having luck with one tool, try another. If you get stuck, don't spend too long on any one issue; move on to something else. Try analyzing the malware from a different angle, or just try a different approach.
Remember that malware analysis is like a cat-and-mouse game. As new malware analysis techniques are developed, malware authors respond with new techniques to thwart analysis. To succeed as a malware analyst, you must be able to recognize, understand, and defeat these techniques, and respond to changes in the art of malware analysis.
Target users with: fake delivery notices, fake IRS notices, fake orders from online retailers
Cracks, keygens, ... flagged as malicious; users think these are false positives meant to discourage illegal content, but they really are malicious
Exploiting one specific vulnerability / known multiple vulnerabilities / 0-days, Browsers: Firefox, Chrome, IE, ..., Software: Java, Adobe, ..., OS: MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise, MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution, MS04-011 Vulnerability in LSASS, MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow, MS04-045 Vulnerability in WINS Could Allow Remote Code Execution, MS05-017, MS05-039, WebDAV, NetBIOS, DCOM, LSASS, VNC, Exploit kits: Blackhole, Bleeding Life, BestPack, CritXPack (previously Vintage Pack), CoolPack, Fiesta, ICEPack, MPack, NeoSploit, Nuclear Pack, PhenixPack, ProPack, RedKit, Sakura, Styx, Sweet Orange, Yang Pack, Anti-crawling / anti-honeyclient: Sweet Orange, Upas
Blackhat forums, people who install whatever they are asked to, to earn income
Profit from famous personalities/events; spreading becomes easy
Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Security 569: Combating Malware in the Enterprise courses
Rootkits: Subverting the Windows Kernel
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Hacking Exposed: Malware & Rootkits
The Art of Computer Virus Research and Defense
Malware Databases & Repositories
the number of messages sent
the number of bytes-sent
the number of bot members
The most interesting is the import table from MPR.dll.
Because security researchers found it. How did they find it? Maybe because the authors advertised it, someone leaked it, a honeypot captured the sample and it was analyzed, it made too much noise, or people complained about their data
Normal Internet user: surfs the Internet, Facebook, social networks, listens to music, watches YouTube, checks the news, works in an office; protection is done chiefly by the AV!
Advanced user: has some CS knowledge and some security background, scans files, updates the antivirus, removes entries from the registry; protection is still done chiefly by the AV!
Malware analyst: advanced user +, knows how a malware infection happens and how it spreads, knows how to reverse / analyse classical malware but not advanced malware, should manage to delete it from the system if found; protection is done by user knowledge first, AV / IDS come second
Virus expert: antivirus companies, have advanced tools for monitoring and capturing malware; it is just a question of time before they demystify the malicious code and write a disinfector for it! Hardcore knowledge.
Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history. Collecting information about the computer's network connections. Collecting information about processes and folders. Collecting information about BIOS, CMOS RAM. Collecting information about local, network and removable drives. Infecting USB drives with a spy module in order to steal information from other computers. Installing the custom Palida Narrow font (purpose unknown). Ensuring the entire toolkit's loading and operation. Interacting with the command and control server, sending the information collected to it, downloading additional modules.
Blacklisting some processes, Process Monitor, Process Explorer, Total Commander
Generic or Specific
Uses the "Advapi32.RegOpenKeyExW" API and looks for keys present in "System\ControlSet001\Services\Disk\Enum". The Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc.
Erasing the header
IAT Elimination / API Redirection
Write -> Execute: some interceptors watch for write-then-execute; executing a dummy just-written instruction can fool them. Used by ASPack, but probably for multi-processor support.
Write^Execute: the change can be detected indirectly; kernel functions return an error when writing to read-only pages; VirtualQuery() and VirtualProtect() return the old page attributes.
Invalid API parameters
"Modern" CPU instructions
File Format Tricks: non-aligned SizeOfImage (Windows silently rounds the value up); overlapping structures (tools such as IDA have a problem with this); non-standard NumberOfRvaAndSizes (SoftICE and OllyDbg have a problem with this); non-aligned SizeOfRawData (Windows silently rounds the value up); non-aligned PointerToRawData (Windows silently rounds the value down); no section table (allowed when SectionAlignment is less than 4 KB; the header then becomes writable and executable).
Hardware Breakpoint, Context Structure
Self-Checking / Self-Validation or Integrity checking: CRC, Static: verifies only on startup, Dynamic: repeatedly verifies its integrity while it is running
rolling checksum, CRC32, md5, sha1, adler, md4
Debug Objects, NtQueryInformationProcess(), ProcessDebugObjectHandle class, ProcessDebugFlags class, SystemKernelDebuggerInformation class (kernel), NtQueryObject (kernel)
Thread hiding, NtSetInformationThread(), HideThreadFromDebugger class
OpenProcess() & SeDebugPrivilege
UnhandledExceptionFilter(), SetUnhandledExceptionFilter ()
Guard pages / CopyMem2
Execution timing, GetTickCount(), timeGetTime() or QueryPerformanceCounter(), RDTSC
Instruction counting, Count Hardware Breakpoint
Exceptions, Move EIP around
Process Name, CreateToolhelp32Snapshot, Process32First/Next
Device Names, SoftIce, Filemon, Regmon, Product and copyright strings can be compared to "watch list"
Soft-ICE Specific: interrupt 1 is normally not invokable from ring 3; SoftICE hooks interrupt 1 and allows ring 3 access, so the wrong exception is raised when SoftICE is running. Used by SafeDisc.
OllyDbg Specific: cannot handle an unusual NumberOfRvaAndSizes value; some unchecked fields allow a memory-allocation DoS; the initial ESI register value is -1 on Windows XP (looks like a detection method, but it's just a coincidence); passes user-defined data directly to _vsprintf(), which leads to a DoS condition; the debugger window can be found by calling FindWindow("OLLYDBG"). Hide-Debug specific (plug-in for OllyDbg): detectable by the far jump at OpenProcess()+6. OllyDbg API redirection: http://board.flatassembler.net/topic.php?t=5820
ImmunityDebug Specific, Based on OllyDbg Shares many of the same vulnerabilities
WinDBG Specific, Debugger window can be found by calling FindWindow("WinDbgFrameClass")
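The checks listed above (execution timing, the NtQueryInformationProcess debug classes, thread hiding, the FindWindow() scan for the OllyDbg and WinDbg window classes), as an added example that is not code from the original page. The Windows-only probes go through ctypes and report themselves as unsupported elsewhere; the timing check is portable. The information-class numbers (ProcessDebugPort = 7, ProcessDebugObjectHandle = 0x1E, ProcessDebugFlags = 0x1F, ThreadHideFromDebugger = 0x11) and STATUS_PORT_NOT_SET = 0xC0000353 are the usual NT constants, stated here from memory rather than taken from the page; the 5 ms timing budget and slow_work() are illustrative stand-ins.

```python
"""Debugger checks from the anti-debugging notes: execution timing, the
NtQueryInformationProcess debug classes, thread hiding and the debugger-window scan.
Added example, not code from the original page. Windows-only parts use ctypes and
report {"supported": False} elsewhere. Assumed constants: ProcessDebugPort = 7,
ProcessDebugObjectHandle = 0x1E, ProcessDebugFlags = 0x1F, ThreadHideFromDebugger =
0x11, STATUS_PORT_NOT_SET = 0xC0000353; the 5 ms budget is an illustrative guess."""
import ctypes
import sys
import time

PROCESS_DEBUG_PORT, PROCESS_DEBUG_OBJECT_HANDLE, PROCESS_DEBUG_FLAGS = 7, 0x1E, 0x1F
THREAD_HIDE_FROM_DEBUGGER = 0x11
STATUS_PORT_NOT_SET = 0xC0000353
DEBUGGER_WINDOW_CLASSES = ("OLLYDBG", "WinDbgFrameClass")   # the FindWindow() targets from the notes


def timing_check(work, budget_ns=5_000_000) -> dict:
    """Execution timing: single-stepping or a breakpoint inside `work` stretches the
    wall-clock gap far beyond the code's real cost (the RDTSC / GetTickCount idea)."""
    t0 = time.perf_counter_ns()
    work()
    elapsed = time.perf_counter_ns() - t0
    return {"elapsed_ns": elapsed, "tripped": elapsed > budget_ns}


def slow_work():
    """Stand-in for a code path an analyst would step through; takes well over 5 ms."""
    return sum(i * i for i in range(300_000))


def nt_debug_checks() -> dict:
    """Debug-object checks through NtQueryInformationProcess on our own process (Windows only)."""
    if sys.platform != "win32":
        return {"supported": False}
    ntdll, kernel32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint, ctypes.c_void_p,
                                                ctypes.c_uint, ctypes.c_void_p]
    me = kernel32.GetCurrentProcess()

    def query(info_class, ctype):                      # (NTSTATUS, value); buffer size must match the class
        value = ctype(0)
        status = ntdll.NtQueryInformationProcess(me, info_class, ctypes.byref(value), ctypes.sizeof(value), None)
        return status & 0xFFFFFFFF, value.value

    port_status, port = query(PROCESS_DEBUG_PORT, ctypes.c_void_p)       # non-zero port: a debugger is attached
    obj_status, _ = query(PROCESS_DEBUG_OBJECT_HANDLE, ctypes.c_void_p)  # STATUS_PORT_NOT_SET: no debug object
    flags_status, flags = query(PROCESS_DEBUG_FLAGS, ctypes.c_ulong)     # NoDebugInherit == 0: being debugged
    return {
        "supported": True,
        "IsDebuggerPresent": bool(kernel32.IsDebuggerPresent()),
        "ProcessDebugPort": port_status == 0 and bool(port),
        "ProcessDebugObjectHandle": obj_status != STATUS_PORT_NOT_SET,
        "ProcessDebugFlags": flags_status == 0 and flags == 0,
    }


def hide_current_thread() -> bool:
    """Thread hiding: after NtSetInformationThread(ThreadHideFromDebugger) the debugger no
    longer receives events for this thread, so breakpoints in it go unhandled (Windows only)."""
    if sys.platform != "win32":
        return False
    ntdll, kernel32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    kernel32.GetCurrentThread.restype = ctypes.c_void_p
    ntdll.NtSetInformationThread.argtypes = [ctypes.c_void_p, ctypes.c_uint, ctypes.c_void_p, ctypes.c_uint]
    return ntdll.NtSetInformationThread(kernel32.GetCurrentThread(), THREAD_HIDE_FROM_DEBUGGER, None, 0) == 0


def debugger_windows() -> dict:
    """Window-class scan from the OllyDbg / WinDbg notes: FindWindowW(class, NULL) (Windows only)."""
    if sys.platform != "win32":
        return {"supported": False}
    user32 = ctypes.WinDLL("user32")
    user32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    user32.FindWindowW.restype = ctypes.c_void_p
    found = {cls: bool(user32.FindWindowW(cls, None)) for cls in DEBUGGER_WINDOW_CLASSES}
    return {"supported": True, **found}
```

Run it under a debugger and step over slow_work() to watch the timing flag flip. The NtQueryInformationProcess classes need a buffer sized for the class (pointer-sized for the port and the object handle, 4 bytes for the flags); with the wrong size the call fails with STATUS_INFO_LENGTH_MISMATCH and a careless check reads that as "no debugger", which is one of the things an analyst patches when neutralising such a sample.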
Opaque predicates are fake branches: the branch appears to be conditional but is not. For example, if (1==1) is really an unconditional jump, but because of the way disassemblers such as OllyDbg work, the fact that this is not a real conditional is not known to the tool.
hide files, directories, drivers, processes, and registry entries and config files.
Fooling OllyDBG :)
Dumphive, The Avenger, Gmer, IceSword, ComboFix, SDFix
Dynamic DNS services are often used: a service that allows changing the IP address of a hostname at will lets attackers move their C&C servers quickly and easily
Single flux: uses one or several domains; Bot: choice of the destination URL depending on the request type; regular change of the IPs associated with the domain name (DNS); use of the zombie machines as reverse proxies (forwarding the victim's requests to the real server); +: hides the IP of the real server; -: the address of the compromised name server is exposed
Double flux: +: near-optimal availability, survives the shutdown of a DNS server
Advanced double flux: botnets run their own DNS service to resolve the C&C servers; use high port numbers to avoid detection by security devices and gateways
Cybercriminals aren't sloppy about their work!
Hard-coded IP address: the bot communicates using C&C IP addresses that are hard-coded in its binary files. Easy to defend against, as the IP addresses are easily detected and blocked, which makes the bot useless.
Dynamic DNS domain name: hard-coded C&C domains assigned by dynamic DNS providers. Detection is harder when the botmaster randomly changes the location; it is easier to resume the attack with a new, unblocked domain name; if the connection fails the bot performs DNS queries to obtain the new C&C address for redirection.
Distributed DNS service: hardest to detect and destroy; the newest and most sophisticated mechanism. Botnets run their own DNS service out of reach of the authorities; bots use those DNS servers to resolve the C&C servers; high port numbers are used to avoid detection by security devices and gateways.
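The three addressing schemes above seen from the defender's side, as an added example that is not code from the original page: it replays constructed passive-DNS records and a constructed connection log, flags names whose A records churn across several /24s with short TTLs (single flux) and whose NS records move as well (double flux), and lists connections to addresses that never came back in any DNS answer, the footprint of a hard-coded C&C IP. The thresholds (four IPs, two /24s, TTL of at most 300 s) are assumptions for illustration; the hostnames and addresses are documentation ranges, not real infrastructure.

```python
"""Passive-DNS and connection-log detection for the C&C addressing schemes above.
Added example, not code from the original page; all records below are constructed
and use documentation address ranges. Thresholds are illustrative assumptions."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS records: (seconds, qname, rtype, rdata, ttl).
DNS_LOG = [
    (0, "www.example.com", "A", "203.0.113.10", 3600),          # benign: one stable address, long TTL
    (0, "www.example.com", "NS", "ns1.example.com", 86400),
    (3600, "www.example.com", "A", "203.0.113.10", 3600),
    (0, "pool.example.org", "A", "192.0.2.10", 60),             # single flux: rotating IPs, one NS
    (60, "pool.example.org", "A", "192.0.2.11", 60),
    (120, "pool.example.org", "A", "198.51.100.10", 60),
    (180, "pool.example.org", "A", "198.51.100.11", 60),
    (0, "pool.example.org", "NS", "ns1.example.org", 3600),
    (0, "sync.example.net", "A", "198.51.100.7", 30),           # double flux: IPs and NS both rotate
    (60, "sync.example.net", "A", "192.0.2.44", 30),
    (120, "sync.example.net", "A", "203.0.113.91", 30),
    (180, "sync.example.net", "A", "198.51.100.120", 30),
    (240, "sync.example.net", "A", "192.0.2.200", 30),
    (300, "sync.example.net", "A", "203.0.113.17", 30),
    (0, "sync.example.net", "NS", "ns.a.example.net", 60),
    (180, "sync.example.net", "NS", "ns.b.example.net", 60),
]
# Constructed outbound connection log: (seconds, src, dst_ip, dst_port).
CONN_LOG = [
    (5, "10.0.0.5", "203.0.113.10", 443),      # preceded by a DNS answer
    (7, "10.0.0.5", "198.51.100.7", 443),
    (9, "10.0.0.9", "192.0.2.250", 6667),      # never returned by any lookup: hard-coded address
    (11, "10.0.0.9", "192.0.2.250", 6667),
]


def per_name_stats(records):
    """Collapse answers per qname: distinct IPs, distinct /24s, shortest TTL, NS changes in time order."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "ns": []})
    for _, name, rtype, rdata, ttl in sorted(records):
        s = stats[name]
        if rtype == "A":
            s["ips"].add(rdata)
            s["nets"].add(str(ip_network(rdata + "/24", strict=False)))
            s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        elif rtype == "NS" and (not s["ns"] or s["ns"][-1] != rdata):
            s["ns"].append(rdata)
    return stats


def flux_domains(records, min_ips=4, min_nets=2, max_ttl=300):
    """Names whose answers churn like a flux C&C: many IPs over several /24s with short TTLs.
    Returns {name: "single-flux" | "double-flux"}; double means the NS set moved as well."""
    out = {}
    for name, s in per_name_stats(records).items():
        churning = len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
        if churning and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
            out[name] = "double-flux" if len(s["ns"]) > 1 else "single-flux"
    return out


def unresolved_destinations(records, conns):
    """Connections to IPs that never appeared in an A answer: the hard-coded C&C pattern."""
    resolved = {rdata for _, _, rtype, rdata, _ in records if rtype == "A"}
    return sorted({(src, dst, port) for _, src, dst, port in conns if dst not in resolved})
```

On real data the passive-DNS side comes from the resolver logs or a sensor, and the connection side from NetFlow or the firewall; the join in unresolved_destinations() is only as good as the log coverage, so a host that resolved the name yesterday and cached the answer will show up as a false positive unless the DNS window is wider than the connection window.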
Checks for a good or bad serial should be placed as far apart as possible
adding an entry to the well-known "Run" key in the user's registry hive, or creating a Windows service if the necessary privileges are available. Malware can also use Scheduled Tasks, Winlogon, AppInit_DLLs and Active Setup
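The persistence points named above, enumerated and scored, as an added example that is not code from the original page: collect_autoruns() walks the Run/RunOnce keys, the Winlogon and AppInit_DLLs values, the Active Setup components and the service ImagePath values with winreg (Windows only; it returns nothing elsewhere), and score_entry()/triage() weigh each entry with a few simple tells, demonstrated here on constructed entries. The patterns and weights are illustrative assumptions rather than a vetted rule set, and Scheduled Tasks are left out because they live in an XML store, not in the registry.

```python
"""Enumerate the persistence points from the notes above and score what is found.
Added example, not code from the original page. collect_autoruns() uses winreg and
only does anything on Windows; score_entry()/triage() are pure Python and are
exercised on constructed entries. Patterns and weights are illustrative assumptions."""
import re
import sys

# (hive, subkey, kind). 'run', 'winlogon' and 'appinit' keys hold the entries as values;
# 'service' and 'activesetup' keys hold one subkey per item with ImagePath / StubPath inside.
AUTORUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "winlogon"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "appinit"),
    ("HKLM", r"SOFTWARE\Microsoft\Active Setup\Installed Components", "activesetup"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services", "service"),
]
SUSPECT = [  # (regex over the lower-cased command line, weight, reason)
    (r"\\(temp|tmp|programdata|public|recycler)\\", 2, "runs from a temp / world-writable directory"),
    (r"\b(powershell|pwsh)\b.*(-e(nc|ncodedcommand)?\b|downloadstring|iex\b)", 3, "encoded or downloading PowerShell"),
    (r"\b(rundll32|regsvr32|mshta|wscript|cscript)\b", 1, "LOLBin loader"),
    (r"\.(scr|pif|com|vbs|js|hta)\b", 1, "unusual launch extension"),
    (r'^"?[a-z]:\\users\\[^\\]+\\', 1, "lives under a user profile"),
]


def collect_autoruns():
    """Windows only: walk AUTORUN_KEYS and return (kind, location, name, value) tuples."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, path, kind in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                nsub, nval, _ = winreg.QueryInfoKey(key)
                if kind in ("service", "activesetup"):
                    want = "ImagePath" if kind == "service" else "StubPath"
                    for i in range(nsub):
                        sub = winreg.EnumKey(key, i)
                        try:
                            with winreg.OpenKey(key, sub) as k:
                                found.append((kind, f"{hive}\\{path}\\{sub}", want, str(winreg.QueryValueEx(k, want)[0])))
                        except OSError:
                            pass                      # subkey has no such value (most components)
                else:
                    for i in range(nval):
                        name, value, _ = winreg.EnumValue(key, i)
                        found.append((kind, f"{hive}\\{path}", name, str(value)))
        except OSError:
            pass                                      # key missing or access denied
    return found


def score_entry(kind, name, value):
    """Weight of evidence for one autostart entry plus the reasons; Winlogon and AppInit
    values are checked structurally because legitimate software almost never changes them."""
    v = value.lower()
    hits = [(w, why) for pat, w, why in SUSPECT if re.search(pat, v)]
    if kind == "winlogon" and name.lower() in ("shell", "userinit"):
        parts = [p.strip().strip('"') for p in v.split(",") if p.strip()]
        if any(not (p.startswith("c:\\windows\\") or p == "explorer.exe") for p in parts):
            hits.append((3, "Winlogon Shell/Userinit runs something outside %SystemRoot%"))
    if kind == "appinit" and name.lower() == "appinit_dlls" and v.strip():
        hits.append((3, "non-empty AppInit_DLLs"))
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage(entries, threshold=2):
    """Entries scoring at or above the threshold, highest first: (score, location, name, reasons)."""
    rows = []
    for kind, location, name, value in entries:
        score, reasons = score_entry(kind, name, value)
        if score >= threshold:
            rows.append((score, location, name, reasons))
    return sorted(rows, key=lambda r: -r[0])


# Constructed entries (kind, location, name, value); not taken from a real system.
RUN_HKCU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    ("run", RUN_HKCU, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("run", RUN_HKCU, "Updater", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("run", RUN_HKLM, "Sync", "powershell -w hidden -enc SQBFAFgA"),
    ("winlogon", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    ("winlogon", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\ProgramData\init.exe"),
    ("appinit", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", ""),
    ("service", r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "ImagePath", r"C:\Windows\System32\spoolsv.exe"),
    ("activesetup", r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}",
     "StubPath", r"regsvr32 /s C:\Users\Public\ssl.dll"),
]
```

On a live box the call is triage(collect_autoruns()); the OneDrive entry scores one point only (it lives under the user profile, like much legitimate software) and stays below the threshold, while the appended second program in Userinit is the classic tamper that a quick look at the value would miss because the first path is the genuine one.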