Get Started. It's Free
or sign up with your email address
Rocket clouds
Malware by Mind Map: Malware

1. Spreading mechanism

1.1. sequentiell

1.2. random

1.3. hitlist

1.3.1. via special searchengine terms

1.3.2. predefined list of (favorite) targets

2. Debugging

2.1. Breakpoints

2.1.1. 3 different types

2.1.1.1. Soft BP

2.1.1.1.1. most common

2.1.1.1.2. replaces first byte of original instruction

2.1.1.1.3. original byte must be stored in table

2.1.1.1.4. single bye interrupt 3 instruction (0xCC)

2.1.1.1.5. 2 different types

2.1.1.1.6. drawbacks

2.1.1.2. Hardware BP

2.1.1.2.1. done at CPU level via registers

2.1.1.2.2. raises interrupt 1 (like single stepping)

2.1.1.2.3. limitations

2.1.1.3. Memory BP

2.1.1.3.1. not really BPs, just changes page permissions

2.1.1.3.2. set guard page flag for memory page

2.1.1.3.3. the program code isn't changed

2.1.2. halting process to inspect variables, stack and memory

2.2. Stack

2.2.1. LIFO structure

2.2.2. grows from high memory addresses to low

2.3. Registers

2.3.1. General Purpose

2.3.1.1. EAX

2.3.1.1.1. accumulator register

2.3.1.2. EDX

2.3.1.2.1. data register

2.3.1.3. ECX

2.3.1.3.1. count register

2.3.1.4. ESI

2.3.1.4.1. source index

2.3.1.5. EDI

2.3.1.5.1. destination index

2.3.1.6. ESP

2.3.1.6.1. stack pointer

2.3.1.7. EBP

2.3.1.7.1. base pointer

2.3.1.8. EBX

2.3.1.8.1. nothing specific

2.3.1.8.2. extra storage

2.3.2. EIP

2.3.2.1. instruction pointer

2.3.2.1.1. points to current instruction being executed

3. Rootkits

3.1. stealth

3.1.1. trying to ring no bells so that a real forensic analysis is never applied

3.2. a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer

3.3. 2 primary functions

3.3.1. remote command and control

3.3.1.1. control over files

3.3.1.2. command shell

3.3.1.3. general system access and control like reboots

3.3.2. software eavesdropping

3.3.2.1. sniffing packets

3.3.2.2. intercepting keystrokes

3.3.2.3. reading mails/documents

3.3.2.4. capture passwords

3.3.2.5. gain cryptokeys

3.4. rootkits usually use deifferent modification methods

3.4.1. patching

3.4.1.1. replacing parts of binaries to change their behaviour

3.4.2. source-code modifications

3.4.2.1. built in hidden backdoor by developer, may be disguised as a bug

3.4.3. spyware modifications

3.4.3.1. e.g. hooking into existing programs

4. Vulnerability Classes

4.1. Buffer Overflows

4.1.1. Stack Overflows

4.1.1.1. caused by neglect to perform bounds checking on incoming data

4.1.1.2. stack variables have fixed size, cuz compiler preallocates space in machine code

4.1.1.2.1. preallocates max expected data

4.1.1.3. problem

4.1.1.3.1. how to determine correct return address to injected code

4.1.1.4. possibilities to overtake process

4.1.1.4.1. overwriting return address

4.1.1.4.2. change function pointers

4.1.1.4.3. change execution chain of exception handlers

4.1.1.5. automated finding

4.1.1.5.1. 1. search for large stack frames

4.1.1.5.2. 2. find where pointer is used

4.1.1.5.3. 3. make sure access is aware of the size

4.1.1.6. protection

4.1.1.6.1. using a stack canary

4.1.1.6.2. nonexecutable memory

4.1.2. Heap Overflows

4.1.2.1. same idea as stack overflow

4.1.2.1.1. copying data into too small buffers

4.1.2.1.2. may also cause a takeover of the system

4.1.2.1.3. utilize linked list to overwrite memory in process's address space

4.1.2.1.4. less common than stack overflow

4.1.2.2. heap is usually organized as a linked list

4.1.2.2.1. entries store pointers to next and prev entries

4.1.2.3. main problem: miscalculation of buffer size

4.1.2.4. possibility to overwrite data structures of adjacent heap blocks

4.1.2.4.1. variables

4.1.2.4.2. function pointer

4.1.2.4.3. security tokens

4.1.2.4.4. any important data structure stored in heap

4.1.2.5. detection

4.1.2.5.1. program notices not until affected heap blocks are accessed by the program

4.1.2.5.2. e.g. windows allows developers to activate heap verification

4.2. Integer Overflows

4.2.1. result from incorrect treatment of integers

4.2.2. can lead to buffer overflows

4.2.3. safe integer checking is not as trivial as it seems

4.2.3.1. signedness

4.2.3.1.1. JG indicates signed integer comparison

4.2.3.1.2. JA indicates unsigned integer comparison

4.2.3.1.3. signed buffer length variables make no sense

4.2.3.1.4. functions with buffer size can't use signed int

4.2.3.2. arithmetic operations

4.2.3.2.1. arithmetics with user supplied length

4.2.3.2.2. overflown integer will be truncated by processor

4.2.3.2.3. if size of buffer is used to copy data into the new buffer created with overflown int, the new buffer will be overflown

4.2.3.2.4. solution

4.3. Type Conversion Errors

4.3.1. occurs on mishandling of incoming data types and incorrect conversions on them

4.3.2. in C(++) signed will be converted to larger data type as signed no matter what target data type is

4.3.2.1. called signed extending

4.3.3. solution

4.3.3.1. usage of signed and unsigned integers consistently

4.4. Format String Attacks

4.4.1. %n enables to write data to memory

4.4.2. %s enables to read memory until a NULL byte is hit

5. Exploit Counter Measures

5.1. detect memory corruption

5.1.1. GS

5.1.1.1. Guard Stack

5.1.1.1.1. stack cookies/canaries

5.1.2. SEH chain validation

5.1.3. heap corruption detection

5.2. stop common exploitation patterns

5.2.1. ASLR

5.2.1.1. Address Space Layout Randomization

5.2.1.1.1. Stack

5.2.1.1.2. Heap

5.2.1.1.3. images?

5.2.1.1.4. special structures like TEB and PEB on windows

5.2.1.2. the attacker cannot know where exactly stuff is

5.2.2. DEP

5.2.2.1. Data Execute Prevention

5.2.2.2. NX bit

5.2.2.2.1. tells processor which memory isn't executable

5.2.3. SafeSEH

5.2.3.1. Safe Structured Exception Handler

5.2.3.2. Exception function is checked if registered in function table in application

6. Anti-Reversing Methods

6.1. virtual machine detection

6.1.1. changed system behaviour in virtualised environment

6.1.1.1. nonvirtualizabel instructions

6.1.1.1.1. popf instruction

6.1.1.2. resource discrepancies

6.1.1.2.1. TLB (translation look-aside buffer)

6.1.1.3. timing discrepancies

6.1.1.3.1. latency of any two operations may change over time

6.1.1.3.2. resources (like a pci device register) may be available in only a single cycle instead of maybe hundreds cuz of caching

6.1.2. virtual devices may leak information of being in virtual environment

6.1.2.1. name of driver/manufacturer

6.1.2.2. values set in device

6.1.2.2.1. mac address of network card registered to VM product or unregistered at all

6.1.2.3. BIOS versions

6.1.3. some VMs have I/O backdoors to communicate with outside

6.1.4. failures in exactly implementing cpu behaviour

6.1.4.1. easter eggs

6.1.4.1.1. using CPUID with EAX 0x8FFFFFFF on AMD K8 returns IT'S HAMMER TIME in EBX, ECX and EDX

6.2. debugger detection

6.2.1. often platform or debugger specific

6.2.2. IsDebuggerPresent API in PEB

6.2.2.1. SystemKernelDebuggerInformation for kernel debuggers

6.2.3. check if exceptions are "swallowed"

6.2.4. code checksums

6.2.4.1. code is changed when soft breakpoints are set

6.3. anti-debugger code

6.3.1. perform operations that would somehow damage or disable a debugger

6.4. software breakpoint detection

6.5. hardware breakpoint detection

6.5.1. ?

6.6. anti-disassembler tricks

6.6.1. linear sweep disassembler traverse code from top to bottom

6.6.2. recursive traversal take jumps into account when disassembling

6.6.2.1. opaque predicates

6.6.2.1.1. filling junk bytes in nonreachable branches

6.7. eliminating symbolic information

6.7.1. bytecode programs usually contain many textual informations from the source code

6.7.2. export all functions by ordinals rather than name

6.8. obfuscation

6.8.1. control flow transformations

6.8.1.1. inserting opaque predicates

6.8.1.1.1. one branch is never reached

6.8.1.2. table interpretation

6.8.1.2.1. break code sequence into multiple short chunks

6.8.1.3. inlining functions

6.8.1.4. outlining

6.8.1.4.1. create new function for code sequence

6.8.1.5. interleaving code

6.8.1.5.1. split functions into segments and interleave them with opaque predicates

6.8.1.6. ordering transformations

6.8.1.6.1. randomly reorder non-codependent operations to confuse the reverser

6.8.2. data transformations

6.8.2.1. modifying variable encoding

6.8.2.1.1. e.g. shifting loop counter variables all one bit to the left

6.8.2.2. restructuring arrays

6.8.2.2.1. modify arrays preserving functionality but confuse reverser

6.8.2.2.2. merge several arrays to one

6.8.2.2.3. split up array into several

6.9. packing/encrypting code

6.9.1. creates another hurdle for reverser needing to first decrypt or unpack program

7. Malware Analysis

7.1. automated malware must be analyzed in an automated fashion to keep up

7.2. 3 criteria

7.2.1. automatically

7.2.1.1. no user intervention needed

7.2.1.2. generating detailed analysis report

7.2.1.3. machine readable report may be used to initiate automated repsonse procedures like new IDS signatures

7.2.1.4. techniques

7.2.1.4.1. static analysis

7.2.1.4.2. dynamic analysis

7.2.2. effectively

7.2.2.1. all relevant behaviour must be logged

7.2.2.2. no executed functionality of malware should be overlooked

7.2.2.3. techniques

7.2.2.3.1. API hooking

7.2.2.3.2. vm inspection

7.2.3. correctly

7.2.3.1. all logged actions have to be initiated by malware sample

7.2.3.2. techniques

7.2.3.2.1. DLL code injection

7.3. relevant system behaviour

7.3.1. file creation and modification

7.3.2. registry modifications

7.3.3. loaded DLLs

7.3.4. virtual memory access

7.3.5. created processes

7.3.6. network connections

7.3.6.1. destinations

7.3.6.2. contents

7.4. 2 approaches

7.4.1. code analysis

7.4.1.1. static analysis

7.4.1.1.1. source/machine code is analysed in contrast to analysing the behaviour

7.4.1.1.2. sometimes ASCII or UNICODE strings contained in binary reveal functionality and/or insight into MW

7.4.1.1.3. imported libraries and functions disclose included functionality

7.4.2. behaviour analysis

7.4.2.1. dynamic analysis

7.4.2.1.1. execution in simulated/sandboxed environment

7.4.2.1.2. malware is treated as black box

7.4.2.1.3. is similar to HP anlysis

7.4.2.1.4. similar to hi interaction HPs executing malware may affect other systems

7.4.2.1.5. 2 approaches

7.4.2.1.6. completely automated process

7.5. hashing of binaries can be used for unique sample identification

7.5.1. malware countering AV approach

7.5.1.1. polymorhpism

7.5.1.1.1. encrypting or xoring program with changing keys, therefore changing also signature and hash

7.5.1.2. metamorphism

7.5.1.2.1. change whole program without changing programs behaviour

7.6. using virtual environment

7.6.1. system can be easily brought back into clean state

7.6.2. drawbacks

7.6.2.1. detectable

7.6.2.2. slower execution

7.7. same procedure applied to original process must be applied to all subsequently started processes