A Few Malware Anti-Forensics Techniques
H2HC University 2016
By Alexandre Borges
Alexandre Borges – It is not allowed to copy or reproduce this slide.
Profile and TOC
TOC:
• Anti-Debugging
• Anti-Disassembly + Obfuscation
• Anti-VM
• Packers
• Crypto
• GPU, DMA, BIOS Malwares, SGX and WMI: few words...
Profile:
• Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board at EC-Council.
• Reviewer for The Journal of Digital Forensics, Security and Law.
• Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book “Oracle Solaris Advanced Administration”.
Anti-Debugging
Anti-Debugging
• Anti-debugging techniques are used to determine whether a debugger is attached to the process.
• In particular, there are some useful API functions and techniques to perform this job:
• IsDebuggerPresent( ) reads the BeingDebugged field of the PEB (Process Environment Block):
0:000> !peb
PEB at 000007fffffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00000000ff510000
    Ldr                       0000000077742640
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00000000003e2ca0 . 00000000003e8250
    ...
Anti-Debugging
0:000> dt nt!_PEB 000007fffffdf000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 BitField         : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0
code example (IsDebuggerPresent( ) just returns the BeingDebugged byte shown above):
if (IsDebuggerPresent()) {
    MessageBox(NULL, L"A debugger was detected", L"A debugger was detected", MB_OK);
} else {
    MessageBox(NULL, L"A debugger was not detected", L"A debugger was not detected", MB_OK);
}
Anti-Debugging
• NtQueryInformationProcess( ) is an API function exported by ntdll.dll which retrieves information about a specific process.
• In particular, if we pass the value 0x7 (ProcessDebugPort) as the second parameter, the function tells us whether the process is being debugged: the returned value is nonzero (-1) when the process has a debug port.
typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(HANDLE, ULONG, PVOID, ULONG, PULONG);
DWORD_PTR check = 0; HMODULE handle1 = LoadLibrary(L"ntdll.dll");
pNtQueryInformationProcess _NtQueryInformationProcess = (pNtQueryInformationProcess) GetProcAddress(handle1, "NtQueryInformationProcess");
/* (HANDLE)-1 is the current-process pseudo handle; sizeof(check) is pointer-sized, so the call also works on x64 */
NTSTATUS h2hcstatus = _NtQueryInformationProcess((HANDLE)-1, 0x07, &check, sizeof(check), NULL);
if (h2hcstatus == 0 && check != 0) {
    MessageBox(NULL, L"The code is being debugged", L"Debugger detected", MB_OK);
}
Anti-Debugging
• OutputDebugString( ) sends a string to the attached debugger for display, so the call succeeds cleanly when a debugger is attached. On older Windows versions (up to XP) the call fails internally when no debugger is present and changes the last-error value, so malware sets a known value with SetLastError( ), calls OutputDebugString( ) and checks whether GetLastError( ) still returns it.
• NtGlobalFlag: a DWORD in the PEB at offset 0x68 (32-bit PEB; 0xBC in the 64-bit PEB). The value 0x70 (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS) indicates that the process heap was created under a debugger.
• INT 3 scanning: the code scans itself for the 0xCC opcode (software breakpoints). It can be easily overcome by using hardware breakpoints (there are only four), which modify the debug registers rather than the code bytes.
• Inserting decoys: the malware embeds 0xCC bytes in valid sections to trick debuggers and tools that scan for breakpoints.
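The two PEB indicators and the breakpoint scan above, as an added example that is not part of the original slides. It works on constructed PEB and code snapshots (offsets are the real PEB layout; the code bytes and the snapshot contents are made up here), so it runs anywhere, and it also shows the analyst's counter-move of clearing both flags, which is what anti-anti-debugging plugins do to the live PEB:

```python
"""Added example (not from the slides): BeingDebugged / NtGlobalFlag decoding and a
checksum-based INT 3 scan, run against constructed memory snapshots."""
import struct
import zlib

# NtGlobalFlag heap flags that a process created under a debugger carries (0x70 in total)
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)

# PEB offsets: BeingDebugged is +0x002 on both architectures,
# NtGlobalFlag is +0x068 in the 32-bit PEB and +0x0BC in the 64-bit PEB
OFF_BEING_DEBUGGED = 0x002
OFF_NTGLOBALFLAG = {32: 0x068, 64: 0x0BC}


def make_peb_snapshot(bits, being_debugged, nt_global_flag):
    """Constructed PEB image with only the two fields of interest populated."""
    peb = bytearray(0x400)
    peb[OFF_BEING_DEBUGGED] = 1 if being_debugged else 0
    struct.pack_into("<I", peb, OFF_NTGLOBALFLAG[bits], nt_global_flag)
    return bytes(peb)


def peb_debug_indicators(peb, bits):
    """What IsDebuggerPresent() and the NtGlobalFlag trick see in this PEB."""
    nt_global_flag = struct.unpack_from("<I", peb, OFF_NTGLOBALFLAG[bits])[0]
    return {
        "BeingDebugged": bool(peb[OFF_BEING_DEBUGGED]),
        "NtGlobalFlag": nt_global_flag,
        # all three heap flags together are the "started under a debugger" signature
        "heap_flags_set_by_debugger": nt_global_flag & DEBUGGER_HEAP_FLAGS == DEBUGGER_HEAP_FLAGS,
    }


def hide_debugger(peb, bits):
    """The analyst's counter-move: clear both indicators in the PEB."""
    patched = bytearray(peb)
    patched[OFF_BEING_DEBUGGED] = 0
    flag = struct.unpack_from("<I", patched, OFF_NTGLOBALFLAG[bits])[0]
    struct.pack_into("<I", patched, OFF_NTGLOBALFLAG[bits], flag & ~DEBUGGER_HEAP_FLAGS)
    return bytes(patched)


# Constructed code bytes of a protected routine: push ebp / mov ebp, esp / mov al, 0CCh / nop / ret.
# The 0xCC inside "B0 CC" is an immediate operand, i.e. a decoy, not a breakpoint.
CLEAN_CODE = bytes.fromhex("558becb0cc90c3")


def naive_int3_scan(code):
    """Byte scan for 0xCC: cheap, but it flags decoys as well as real breakpoints."""
    return [i for i, b in enumerate(code) if b == 0xCC]


def code_checksum(code):
    return zlib.crc32(code) & 0xFFFFFFFF


def software_breakpoint_planted(code, expected_checksum):
    """Checksum check: decoys are part of the baseline, any patched byte is caught,
    but a hardware breakpoint (DR0-DR3) never touches the bytes and stays invisible."""
    return code_checksum(code) != expected_checksum


def plant_breakpoint(code, offset):
    """Simulate a debugger writing INT 3 (0xCC) over the first byte of an instruction."""
    patched = bytearray(code)
    patched[offset] = 0xCC
    return bytes(patched)
```

The naive scan reports offset 4 (the decoy) and would report the same after a real breakpoint is planted at offset 0, so it cannot tell the two apart; the checksum comparison ignores the decoy and only fires when a byte actually changes.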
Anti-Debugging -- INT 2D
• Executing int 2Dh raises a breakpoint exception that the malware expects to catch in its own exception handler. When a debugger is attached, the debugger consumes the exception and the handler never runs, which reveals the debugger; in addition, execution resumes one byte after the int 2Dh, so the byte following it is skipped and a tracing debugger gets out of sync with the real instruction stream.
Anti-Debugging
• TLS callbacks: TLS (Thread Local Storage) is a separate storage area for each thread, and the PE format lets a module register callback functions that the loader runs whenever a thread (including the first one) is created.
• The callbacks execute before the entry point (where the debugger usually stops first), so a debugger that breaks only at the entry point doesn't see these instructions. The callbacks run again in every thread that starts.
• The TLS directory is referenced from the data directory of the PE optional header and usually lives in a .tls section.
• There are not many legitimate applications that contain TLS callbacks, so a second entry point of type tls is itself suspicious:
root@kali:/malwares# r2 malw2.exe
 -- Stop swearing!
[0x00402179]> iS
[Sections]
idx=00 vaddr=0x00401000 paddr=0x00001000 sz=4096 vsz=621 perm=m-r-x name=.tls
idx=01 vaddr=0x00402000 paddr=0x00002000 sz=20480 vsz=18680 perm=m-r-x name=.text
idx=02 vaddr=0x00407000 paddr=0x00007000 sz=4096 vsz=2348 perm=m-r-- name=.rdata
idx=03 vaddr=0x00408000 paddr=0x00008000 sz=12288 vsz=16060 perm=m-rw- name=.data

4 sections
[0x00402179]> ie
[Entrypoints]
vaddr=0x00402179 paddr=0x00002179 baddr=0x00400000 laddr=0x00000000 type=program
vaddr=0x00401060 paddr=0x00001060 baddr=0x00400000 laddr=0x00000000 type=tls
Anti-Debugging
• Checking the time: when a process is being debugged (single-stepped or hitting breakpoints), it runs slower than in the normal case.
• Computing the time (rdtsc instruction) between two normal instructions:
h2hc1 = __rdtsc();
/* code that is normally stepped through */
h2hc2 = __rdtsc();
if (h2hc2 - h2hc1 < number) { /* normal speed */ } else { /* debugger suspected */ }
• Computing the time before and after an exception: if the process is being debugged, handling the exception takes much longer, because the debugger is notified before the process's own handler runs.
• Usually, malware deliberately generates an exception and, eventually, it can use ICEBP (the In-Circuit Emulator breakpoint, opcode 0xF1) to force a single-step exception whose handler contains the normal code path; if a debugger is attached it swallows the exception and the handler never runs.
Anti-Debugging
• QueryPerformanceCounter( ) is based on the fact that processors have high-resolution counters for measuring performance.
LARGE_INTEGER h2hc1, h2hc2;
QueryPerformanceCounter(&h2hc1);
/* code that is normally stepped through */
QueryPerformanceCounter(&h2hc2);
if ((h2hc2.QuadPart - h2hc1.QuadPart) > number) { /* debugger suspected */ }
• GetTickCount( ) comes from kernel32.dll and returns the number of milliseconds elapsed since the system was started; it is used in the same way, with lower resolution.
Anti-Disassembly
Anti-Disassembly
• xor eax, eax always sets ZF, so the jz at 00401005 is always taken and the jnz after it never executes: the pair is an unconditional jump in disguise. The target loc_40100D+1 lies inside the instruction that the linear-sweep disassembler decoded at 0040100D (the rogue 0xE9 byte of a fake jmp), so the real code starts one byte later and the listing after loc_40100D is garbage:
.text:00401000 loc_401000: ; CODE XREF: _main+Fp
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 xor eax, eax
.text:00401005 jz short near ptr loc_40100D+1
.text:00401007 jnz near ptr loc_40100D+4
.text:0040100D
.text:0040100D loc_40100D: ; CODE XREF: .text:00401005j
.text:0040100D ; .text:00401007j
.text:0040100D jmp near ptr 0D0A8137h
Anti-Disassembly
• The same trick with a single always-taken conditional jump: the target loc_40100D+1 skips a rogue 0xE8 byte, so the call near ptr 8048559Dh and the instructions after it are mis-decoded until the disassembler resynchronizes:
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 4
.text:00401009 xor eax, eax
.text:0040100B jz short near ptr loc_40100D+1
.text:0040100D
.text:0040100D loc_40100D:
.text:0040100D call near ptr 8048559Dh
.text:00401012 cmp [esi+75h], ch
.text:00401015 push ds
.text:00401016 push offset byte_4010E9
.text:0040101B call sub_401106
.text:00401020 add esp, 4
.text:00401026 push [ebp+arg_0]
.text:00401029 call sub_40103C
Anti-Disassembly
• The retn trick: push 400000h followed by add [esp], 1057h (IDA shows the operand as [esp+8+var_8]) leaves 401057h on the top of the stack, so retn "returns" to 00401057. IDA ends the function at the retn and never follows the hidden jump; the real code at 00401057 (8B 45 08 = mov eax, [ebp+8]) is shown as data (dw 8BE9h) followed by garbage:
.text:0040103C
.text:0040103C push ebp
.text:0040103D mov ebp, esp
.text:0040103F sub esp, 4
.text:00401045 push 400000h
.text:0040104A add [esp+8+var_8], 1057h
.text:00401055 retn
.text:00401055 sub_40103C endp
.text:00401055
.text:00401055 ; ---------------------------------------------------------------------------
.text:00401056 dw 8BE9h
.text:00401058 ; ---------------------------------------------------------------------------
.text:00401058 inc ebp
.text:00401059 or [eax+756A0178h], al
.text:0040105F push ds
.text:00401060 push offset dword_4010F0
.text:00401065 call sub_401106
.text:0040106A add esp, 4
.text:00401070 push dword ptr [ebp+8]
.text:00401073 call loc_401086
.text:00401078 add esp, 4
.text:0040107E add esp, 4
.text:00401084 pop ebp
.text:00401085 retn
Anti-Disassembly
• Remember: retn pops the value from the top of the stack and jumps to it, so anything that manipulates the top of the stack before a retn is a disguised jump.
Anti-Disassembly
• Jumping into the middle of its own instruction: jmp short near ptr loc_40108F+1 is encoded as EB FF, and its target is its own second byte (0xFF), which starts a completely different instruction when decoded on its own. The disassembler shows the ror/or/adc garbage below instead of the real code that begins at loc_40108F+1:
.text:00401086 loc_401086: ; CODE XREF: .text:00401073p
.text:00401086 push ebp
.text:00401087 mov ebp, esp
.text:00401089 sub esp, 4
.text:0040108F
.text:0040108F loc_40108F: ; CODE XREF: .text:loc_40108Fj
.text:0040108F jmp short near ptr loc_40108F+1
.text:00401091 ; ---------------------------------------------------------------------------
.text:00401091 ror byte ptr [eax-75h], 45h
.text:00401095 or [eax+75680278h], al
.text:0040109B adc [eax-7], ch
.text:0040109E adc [eax+0], al
.text:004010A1 call sub_401106
.text:004010A6 add esp, 4
.text:004010AC add esp, 4
.text:004010B2 pop ebp
.text:004010B3 retn
Anti-Disassembly
• A branch-free boolean: neg sets CF when eax is nonzero, sbb eax, eax then yields -1 (CF set) or 0, and the final neg turns -1 into 1. The function returns 1 if (value & 0x600) != 0 and 0 otherwise, without any conditional jump for the analyst to spot:
mov eax, [ebp - 8]
and eax, 0x00000600
neg eax
sbb eax, eax
neg eax
ret
Anti-Disassembly (obfuscation)
• Original instruction: add eax, ecx. Each pass below replaces it with a longer sequence that computes exactly the same result and leaves every other register unchanged.
Pass 1:
sub eax, C3h
add eax, ecx
add eax, C3h
Pass 2:
sub eax, C3h
sub eax, A3h
add eax, ecx
add eax, A3h
push edx
mov edx, 62h
inc edx
dec edx
add edx, 61h
add eax, edx
pop edx
Pass 3:
push ebx
mov ebx, C3h
sub eax, ebx
pop ebx
sub eax, A3h
sub eax, 38h
add eax, ecx
add eax, 38h
add eax, A3h
push edx
push ecx
mov ecx, 62h
mov edx, ecx
pop ecx
inc edx
dec edx
add edx, 61h
add eax, edx
pop edx
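An added example (not part of the original slides) that serves both the neg/sbb/neg idiom and the three obfuscation passes above: a tiny emulator for the handful of x86 instructions they use, with 32-bit wraparound and the carry flag modeled, so that the obfuscated sequences can be differentially tested against the original add eax, ecx instead of being simplified by hand. The instruction subset, the text syntax and the random-input test are this example's own choices:

```python
"""Added example (not from the slides): a minimal x86 subset emulator used to prove that the
obfuscated sequences compute add eax, ecx and that neg/sbb/neg is a branch-free (x & 0x600) != 0."""
import random

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx")


def parse(text):
    """'sub eax, 0xC3' -> ('sub', ['eax', 0xC3]); a '[...]' operand stays a string memory key."""
    prog = []
    for line in text.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        prog.append((parts[0].lower(), [o if o in REGS or o.startswith("[") else int(o, 0) for o in ops]))
    return prog


def run(prog, regs, mem=None):
    """Execute until ret; returns (registers, remaining stack). Only CF is modeled."""
    r = {k: regs.get(k, 0) & MASK for k in REGS}
    mem, stack, cf = dict(mem or {}), [], 0

    def get(o):
        if isinstance(o, int):
            return o & MASK
        return r[o] if o in r else mem[o]

    for op, ops in prog:
        if op == "mov":
            r[ops[0]] = get(ops[1])
        elif op == "add":
            total = get(ops[0]) + get(ops[1])
            cf, r[ops[0]] = int(total > MASK), total & MASK
        elif op == "sub":
            a, b = get(ops[0]), get(ops[1])
            cf, r[ops[0]] = int(a < b), (a - b) & MASK
        elif op == "sbb":                      # dst = dst - src - CF, CF = borrow
            a, b = get(ops[0]), get(ops[1]) + cf
            cf, r[ops[0]] = int(a < b), (a - b) & MASK
        elif op == "and":
            cf, r[ops[0]] = 0, get(ops[0]) & get(ops[1])
        elif op == "neg":                      # CF = (operand != 0)
            a = get(ops[0])
            cf, r[ops[0]] = int(a != 0), (-a) & MASK
        elif op in ("inc", "dec"):             # inc/dec leave CF untouched
            r[ops[0]] = (get(ops[0]) + (1 if op == "inc" else -1)) & MASK
        elif op == "push":
            stack.append(get(ops[0]))
        elif op == "pop":
            r[ops[0]] = stack.pop()
        elif op == "ret":
            break
        else:
            raise ValueError("unsupported instruction: " + op)
    return r, stack


ORIGINAL = "add eax, ecx"
OBFUSCATED = [
    "sub eax, 0xC3\n add eax, ecx\n add eax, 0xC3",
    "sub eax, 0xC3\n sub eax, 0xA3\n add eax, ecx\n add eax, 0xA3\n push edx\n mov edx, 0x62\n"
    " inc edx\n dec edx\n add edx, 0x61\n add eax, edx\n pop edx",
    "push ebx\n mov ebx, 0xC3\n sub eax, ebx\n pop ebx\n sub eax, 0xA3\n sub eax, 0x38\n"
    " add eax, ecx\n add eax, 0x38\n add eax, 0xA3\n push edx\n push ecx\n mov ecx, 0x62\n"
    " mov edx, ecx\n pop ecx\n inc edx\n dec edx\n add edx, 0x61\n add eax, edx\n pop edx",
]
NEG_SBB_NEG = "mov eax, [ebp-8]\n and eax, 0x600\n neg eax\n sbb eax, eax\n neg eax\n ret"


def equivalent(text_a, text_b, trials=500, seed=1):
    """Differential test: identical final registers and stack for random 32-bit inputs."""
    rng = random.Random(seed)
    pa, pb = parse(text_a), parse(text_b)
    for _ in range(trials):
        regs = {k: rng.getrandbits(32) for k in REGS}
        if run(pa, regs) != run(pb, regs):
            return False
    return True


def neg_sbb_neg(value):
    """Evaluate the idiom for one [ebp-8] value; returns the final eax."""
    return run(parse(NEG_SBB_NEG), {}, {"[ebp-8]": value})[0]["eax"]
```

A differential test of this kind is the quickest way to confirm that an obfuscated block is a pure rewrite of one instruction before spending time on it; it also documents which registers the block preserves, which the push/pop pairs in passes 2 and 3 exist to guarantee.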
Anti-VM
Anti-Virtual Machine
• Usually, a VMware environment leaves many artifacts on the system, so most current malware looks for these artifacts. If they are found, the malware changes its behavior. Examples:
• VMwareService.exe
• VMwareTray.exe
• VMwareUser.exe
• VMware MAC address prefixes (00:0C:29, for example)
• Uninstalling the VMware Tools removes the processes above and can be useful.
• net start | findstr VMware lists the VMware services; malware implements the equivalent process check in code with functions such as CreateToolhelp32Snapshot( ) and Process32Next( ), comparing each process name with the list above.
Anti-Virtual Machine
• Remember that instructions such as sidt, sldt and sgdt can be executed from user-mode code without being trapped and virtualized by VMware's software virtual machine monitor (newer hypervisors running on VT-x can intercept them, and CPUs with UMIP refuse them in user mode, so these checks are less reliable today).
• Red Pill:
• Malware executes a sidt instruction to get the IDTR register's value.
• VMware's monitor must relocate the guest's IDTR to prevent a conflict with the host's IDTR.
• Because sidt doesn't generate a trap and isn't virtualized, it is invisible to VMware's monitor and simply returns the IDT base that the monitor installed for the guest.
• The malware compares that base with the range a native Windows kernel uses (the original Red Pill looks at the most significant byte: 0xFF under VMware, 0x80 on a native host) to detect VMware.
• Red Pill only works reliably on single-processor machines because each processor (or core) has its own IDT, so the value depends on which core the thread happens to run on.
Anti-Virtual Machine
• Red Pill in a real sample: sidt stores 6 bytes (2-byte limit, 4-byte base), the base is read from offset +2, and shr ecx, 18h isolates its most significant byte for the comparison with 0FFh:
.text:004034B5 sidt fword ptr [ebp+var_308]
.text:004034BC mov eax, dword ptr [ebp+var_308+2]
.text:004034C2 mov [ebp+var_300], eax
....
.text:004034DD mov ecx, [ebp+var_300]
.text:004034E3 shr ecx, 18h
.text:004034E6 cmp ecx, 0FFh ; VMware signature
.text:004034EC jz loc_40665A
Anti-Virtual Machine
• No Pill:
• Based on the sldt and sgdt instructions.
• The LDT is a per-processor structure and Windows doesn't use it, so the LDT selector is zero on a native system.
• However, VMware provides virtual support for the LDT, so inside a VM the LDT selector is NOT zero.
• Therefore:
• on the host machine sldt returns 0
• on a virtual machine sldt returns a nonzero selector
• the malware uses the sldt instruction to read the LDT selector and reports a VM when it is nonzero.
Anti-Virtual Machine
• I/O Communication Port
• VMware uses an I/O communication port (the "backdoor") between the virtual machine and the host (copy/paste functionality, among others).
• This special I/O port (0x5658, 'VX') is queried with the in instruction while eax holds a magic number (0x564D5868 = 'VMXh'); the value returned in ebx is compared with the same magic number to prove the existence of VMware.
• in eax, dx with dx set to 'VX' (0x5658) and ecx selecting the backdoor command.
• With command 0x0A it's possible to detect the type of VMware (Express, ESX, GSX and Workstation).
• Outside VMware, in executed from user mode raises a privileged-instruction exception, so the malware wraps the check in an exception handler. To overcome this anti-VM technique, overwrite the in instruction with NOPs (and patch the comparison if needed).
Anti-Virtual Machine
.text:100033C5 push ecx
.text:100033C6 push ebx
.text:100033C7 mov eax, 564D5868h ; ‘VMXh’
.text:100033CC mov ebx, 0
.text:100033D1 mov ecx, 0Ah ; ‘VX’
.text:100033D6 mov edx, 5658h
.text:100033DB in eax, dx
.text:100033DC cmp ebx, 564D5868h ; ‘VMXh’
.text:100033E2 setz [ebp+var_1C]
.text:100033E6 pop ebx
.text:100033E7 pop ecx
.text:100033E8 pop edx
• ecx = 0Ah selects the backdoor command "get VMware version type"; inside VMware ebx receives the 'VMXh' magic and setz records the result.
Packers
Packers
• Packers usually decrease the size of the program and make analysis more complicated. Moreover, they are used to evade protections (AV, IDS, DLP, and so on).
• If the AV uses a sandbox (emulator), it can emulate the unpacking stub and scan the code it produces.
• Some packers pack the entire executable, while others pack only the code and data sections.
• At load time, the operating system loads the unpacking stub, and this stub unpacks and loads the original program. Thus, the entry point of the packed file points to the unpacking stub and not to the original code.
Packers
Layout of the original PE file: Header, Imports, Exports, .text section, .data section, .rsrc section.
Layout of the packed PE file: Header, Unpacking Stub, Packed Original Code.
Packers
• Unfortunately, static analysis of a packed program is nearly useless, because the unpacking stub is what gets analyzed instead of the original code.
• The unpacking process has a few phases:
• unpack the original code into memory
• resolve all imports of the original executable (done by the stub, not by the Windows loader)
• restore (or zero) the registers and the stack so that the packer has no effect on the original code
• transfer execution to the Original Entry Point (OEP) with a jmp, ret or call
Packers
• Finding a packed program:
• The program has few or no imports (use pestudio, PEview or CFF Explorer to check).
• Sometimes only GetProcAddress and LoadLibrary are imported: everything else is resolved at run time.
• The string table (used by compilers and linkers) is missing or corrupted, and few meaningful strings are visible.
• There are strange section names such as UPX0 and UPX1, for example.
• In the first code section, Size of Raw Data = 0 while Virtual Size is not zero (the section is filled only at run time).
• Automated vs. manual unpacking.
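An added example (not part of the original slides) that serves two of the checks above, the TLS callback entry points from the r2 listing in the anti-debugging section and the packed-file heuristics on this slide: a small PE32 parser that lists the TLS callbacks the loader runs before AddressOfEntryPoint, flags packer section names, flags sections with Size of Raw Data = 0 and a nonzero Virtual Size, and measures the entropy of the section holding the entry point. The sample file is built in memory with a UPX-like layout (the section names, addresses and the pseudo-random "packed" bytes are constructed; it is not a real packed binary):

```python
"""Added example (not from the slides): static PE32 triage for TLS callbacks and packer signs."""
import hashlib
import math
import struct

IMAGE_BASE = 0x400000
DIR_TLS = 9  # IMAGE_DIRECTORY_ENTRY_TLS
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".vmp0", b".vmp1", b".themida"}
SECTIONS = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (constructed)
    (b"UPX0", 0x10000, 0x1000, 0, 0),          # no raw data: the stub unpacks into it at run time
    (b"UPX1", 0x400, 0x11000, 0x400, 0x200),   # packed payload, stub, TLS directory and callbacks
]


def _filler(n, seed=b"h2hc"):
    """Deterministic high-entropy bytes standing in for packed data (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe():
    upx1_va = SECTIONS[1][2]
    entry_rva, callback_va = upx1_va + 0x179, IMAGE_BASE + upx1_va + 0x60
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(SECTIONS), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0,
                      0x400, 0, 0, entry_rva, 0x1000, 0x11000, IMAGE_BASE, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x12000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS] = (upx1_va, 24)                            # TLS directory at the start of UPX1
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", *s, 0, 0, 0, 0, 0xE0000020) for s in SECTIONS)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    # IMAGE_TLS_DIRECTORY32: raw data start/end, AddressOfIndex, AddressOfCallBacks (VA), zero fill, flags
    tls_dir = struct.pack("<6I", 0, 0, IMAGE_BASE + 0x1000, IMAGE_BASE + upx1_va + 0x20, 0, 0)
    body = tls_dir.ljust(0x20, b"\0") + struct.pack("<II", callback_va, 0)  # NULL-terminated list
    return header + body + _filler(0x400 - len(body))


def parse_pe(pe):
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * DIR_TLS)[0] if ndirs > DIR_TLS else 0
    sec_table = opt + struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # + SizeOfOptionalHeader
    sections = []
    for i in range(nsections):
        name = struct.unpack_from("<8s", pe, sec_table + 40 * i)[0].rstrip(b"\0")
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sec_table + 40 * i + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize, "raw": raw})
    return {"image_base": image_base, "entry_rva": entry_rva, "tls_rva": tls_rva, "sections": sections}


def section_for_rva(sections, rva):
    return next((s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)


def rva_to_offset(sections, rva):
    """File offset backing an RVA, or None for sections that exist only in memory (UPX0-style)."""
    s = section_for_rva(sections, rva)
    return None if s is None or s["rawsize"] == 0 else rva - s["va"] + s["raw"]


def tls_callbacks(pe, info):
    """VAs of the TLS callbacks run before AddressOfEntryPoint (r2 lists them as type=tls)."""
    tls_off = rva_to_offset(info["sections"], info["tls_rva"]) if info["tls_rva"] else None
    if tls_off is None:
        return []
    callbacks_va = struct.unpack_from("<I", pe, tls_off + 12)[0]     # AddressOfCallBacks
    arr, found = rva_to_offset(info["sections"], callbacks_va - info["image_base"]), []
    while arr is not None and arr + 4 <= len(pe) and struct.unpack_from("<I", pe, arr)[0] != 0:
        found.append(struct.unpack_from("<I", pe, arr)[0])
        arr += 4
    return found


def entropy(data):
    """Shannon entropy in bits per byte: packed or encrypted data sits close to 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c) if data else 0.0


def triage(pe):
    info, findings = parse_pe(pe), {}
    callbacks = tls_callbacks(pe, info)
    if callbacks:
        findings["tls_callbacks"] = callbacks
    names = {s["name"] for s in info["sections"]} & PACKER_SECTION_NAMES
    if names:
        findings["packer_section_names"] = sorted(names)
    hollow = [s["name"] for s in info["sections"] if s["rawsize"] == 0 and s["vsize"]]
    if hollow:
        findings["raw_size_zero"] = hollow            # Size of Raw Data = 0, Virtual Size != 0
    entry = section_for_rva(info["sections"], info["entry_rva"])
    if entry is not None:
        findings["entry_section"] = entry["name"]
        findings["entry_section_entropy"] = round(entropy(pe[entry["raw"]:entry["raw"] + entry["rawsize"]]), 2)
    return findings
```

For a real file, pass `open(path, "rb").read()` to `triage()`; the TLS callback addresses are the first places to set breakpoints when debugging, before the program entry point, and an entry section with entropy close to 8 is the usual sign that the code at the entry point is a stub rather than the compiled program.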
Packers
1. Locate the jump to the OEP (the "tail jump" of the stub).
2. Suspend the application at the OEP jump (or right after it, at the OEP itself).
3. Dump the executable memory image.
4. Change the entry point of the dumped image (in the PE header) to the OEP.
5. Big problem: the dumped image doesn't have a valid Import Table of its own!
6. Rebuild the IAT.
• Several kinds of packers: UPX, PECompact, FSG, ASPack, WinUPack, YodaCrypt, VMProtect, Themida and so on...
• Remember: usually, the code is unpacked in memory, which is why the dump is taken there.
Packers
• For a few packers, the code is never completely unpacked in memory. Welcome to virtualization obfuscation!
• There are protections that use multiple executables: for example, unpacking the executable into a new process, or a two-process scheme in which one process debugs an altered version of the original process (since a process can have only one debugger, the analyst's debugger can no longer attach).
Virtualization obfuscation pipeline: original assembly code → virtualization engine → customized language / byte code → obfuscated interpreter.
Packers
• The same instruction can be translated to different customized instructions (polymorphic or metamorphic approach).
• Is it possible to analyze this kind of malware using debuggers?
• As explained in the previous slide, the x86 code is translated to a custom language and then interpreted. Therefore, the original x86 code is never restored in memory.
• Usually, the interpreter implements a RISC-like language. Thus, the original x86 CISC instructions are translated into, and interpreted by, a RISC-like interpreter.
• One x86 (CISC) instruction is translated to several RISC-like instructions.
Packers
• Before performing the transition (x86 world to custom language), all x86 registers have to be saved (the VM entry). At the end, after the virtualized code has run, these same x86 registers must be restored to transfer control back to the x86 context (the VM exit).
• The protection engine is chosen at random. For example, Themida has four or more engines.
• How to break a virtualized protection? Find the VM entry (context save), the dispatcher loop and the handler table, then decode the bytecode handler by handler; the listings that follow show each of these pieces.
• Many protections are stack-based virtual machines.
Packers
• The test program: start prints a string, then calls the protected function sub_401000 with two arguments (0C0DE35h and 0ABABABh) and prints the result.
.text:0040100D push ebp
.text:0040100E mov ebp, esp
.text:00401010 sub esp, 28h
.text:00401013 mov [esp+28h+Str], offset Str ; "Hello H2HC"
.text:0040101A call puts
.text:0040101F mov [esp+28h+var_24], 0ABABABh
.text:00401027 mov [esp+28h+Str], 0C0DE35h
.text:0040102E call sub_401000
.text:00401033 mov [ebp+var_C], eax
.text:00401036 mov eax, [ebp+var_C]
.text:00401039 mov [esp+28h+var_24], eax
.text:0040103D mov [esp+28h+Str], offset Format ; "msg = %i\n"
.text:00401044 call printf
.text:00401049 mov [esp+28h+Str], 0
.text:00401050 call exit
.text:00401050 start endp
Packers
• After protection, sub_401000 is reduced to a jmp into the .vmp0 section, which pushes the pointer to the bytecode (word_40489A) and calls the VM entry sub_404314:
.text:00401000 sub_401000
.text:00401000 jmp loc_4048F7
.text:00401000 sub_401000 endp
.vmp0:004048F4 ; ---------------------------------------------------------------------------
.vmp0:004048F4 add ecx, [edx+ecx]
.vmp0:004048F7
.vmp0:004048F7 loc_4048F7:
.vmp0:004048F7 push offset word_40489A
.vmp0:004048FC call sub_404314
.vmp0:004048FC ; ---------------------------------------------------------------------------
Packers
• VM entry: the x86 context (general registers and flags) is saved on the stack, esi is loaded with the bytecode pointer (arg_0), ebp points at the saved context and 0C0h bytes are reserved for the VM's own registers (edi):
.vmp0:00404314 push eax
.vmp0:00404315 push ecx
.vmp0:00404316 push edx
.vmp0:00404317 push ebp
.vmp0:00404318 push esi
.vmp0:00404319 push ebx
.vmp0:0040431A pushf
.vmp0:0040431B push edi
.vmp0:0040431C push edi
.vmp0:0040431D push dword_401005
.vmp0:00404323 push 0
.vmp0:00404328 mov esi, [esp+2Ch+arg_0]
.vmp0:0040432C mov ebp, esp
.vmp0:0040432E sub esp, 0C0h
.vmp0:00404334 mov edi, esp
Packers
• Dispatcher: fetch one bytecode byte at esi, advance esi, and jump through the handler table off_40439C indexed by the opcode. Each handler ends by jumping back here:
.vmp0:00404336 loc_404336:
.vmp0:00404336 add esi, [ebp+0]
.vmp0:00404339
.vmp0:00404339 loc_404339:
.vmp0:00404339
.vmp0:00404339 mov al, [esi]
.vmp0:0040433B movzx eax, al
.vmp0:0040433E add esi, 1
.vmp0:00404341 jmp ds:off_40439C[eax*4]
Packers
• Net effect of the handlers executed for this bytecode: add [60FF4C], 0C0DE35h, where [60FF4C] is the VM stack slot holding 0ABABABh. In other words, the virtualized sub_401000 simply adds its two arguments; recovering that from the handlers is the whole job.
Crypto
Crypto
• XOR, Base64 and RC4 are common for encoding and encrypting. zlib and LZO are common for compression.
• There are other options for compression: ntdll (RtlCompressBuffer and RtlDecompressBuffer functions).
• Good tools used to detect crypto and compression routines: PEiD (with the KANAL plugin), the FindCrypt IDA plugin, Draca, Crypto Searcher.
• Before starting to analyze crypto, it's necessary to know about: symmetric algorithms, asymmetric algorithms, digital certificates, digital signatures.
Crypto
• A single-byte XOR loop: each byte of byte_402158 is XORed with 0x9E and compared with the corresponding byte of byte_402170, over 0x18 bytes. Because XOR is its own inverse, the IDAPython script below applies the same key to the compared buffer in the database to reveal it:
.text:0040104D loc_40104D:
.text:0040104D mov al, byte_402158[ecx]
.text:00401053 xor al, 9Eh
.text:00401055 cmp al, byte_402170[ecx]
.text:0040105B jnz short loc_403033
.text:0040105D inc ecx
.text:0040105E cmp ecx, 18h
.text:00401061 jl short loc_40104D
# IDAPython (pre-7.0 API; newer IDA uses idc.get_wide_byte / idc.patch_byte):
# decode the 0x18 bytes at 0x402170 in place with the XOR key 0x9E
for i in range(0x00402170, 0x00402188):
    x = 0x9E ^ idc.Byte(i)
    idc.PatchByte(i, x)
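The IDAPython loop assumes the key (0x9E) has already been read from the disassembly. When only the encoded buffer is available, the key can be recovered first; the added example below (not part of the original slides, and independent of IDA) does that for a single-byte XOR by brute force with a crude text score, and by known plaintext when the decoded data is expected to start with a fixed prefix such as MZ. The sample buffer is a constructed string encoded with the same 0x9E key:

```python
"""Added example (not from the slides): recovering a single-byte XOR key before patching."""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))
LOWER = set(bytes(string.ascii_lowercase, "ascii"))
UPPER_DIGITS = set(bytes(string.ascii_uppercase + string.digits, "ascii"))


def xor_decode(data, key):
    """Apply a single-byte XOR key (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)


def plaintext_score(data):
    """Crude English-text score: spaces and lowercase letters weigh most, control bytes hurt."""
    score = 0
    for b in data:
        if b == 0x20:
            score += 3
        elif b in LOWER:
            score += 2
        elif b in UPPER_DIGITS:
            score += 1
        elif b not in PRINTABLE:
            score -= 10
    return score


def recover_single_byte_xor_key(data):
    """Try all 256 keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: plaintext_score(xor_decode(data, k)))


def key_from_known_plaintext(data, known_prefix):
    """Key derived from a known prefix (e.g. b'MZ' for an embedded PE); None if the prefix
    does not decode consistently, which rules out a single-byte key."""
    key = data[0] ^ known_prefix[0]
    return key if xor_decode(data[:len(known_prefix)], key) == known_prefix else None


# Constructed sample: a configuration string encoded with the key used by the slide's loop (0x9E)
SAMPLE_PLAINTEXT = b"the malware decrypts its configuration with a single xor key before use\n"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT, 0x9E)
```

The brute-force route is the one to use on configuration blobs and strings; the known-plaintext route is faster and exact for embedded executables, and its failure (a key that decodes MZ but not the following bytes) is the usual first hint that the scheme is a rolling or multi-byte XOR rather than a single-byte one.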
GPU, DMA, BIOS Malwares, SGX and WMI: few words...
GPU, DMA and BIOS Malwares: few words...
• GPU Malware
• It runs part of its code on the GPU (Graphics Processing Unit), which offers far more parallel compute than the CPU.
• As programming language, it can use either CUDA or OpenCL.
• Applications that use CUDA or OpenCL run part of their code on the CPU and another part on the GPU. Additionally, data is exchanged between them through shared (mapped) memory.
• By using the GPU, malware can afford more complex packing algorithms.
• There are still no tools to analyze GPU malware. Worse, VMware and VirtualBox do not emulate GPUs, so sandboxes never see the GPU part run.
GPU, DMA and BIOS Malwares: few words...
• How does GPU malware work?
• The initial loader runs on the CPU
• The unpacking code is transferred to the GPU
• GPU and CPU use shared memory
• Only a few instructions are decrypted / encrypted at a time
• Different keys (stored on the GPU)
• Checksumming against modification
• Examples:
• JellyFish
• Win_Jelly
• Demon
GPU, DMA and BIOS Malwares: few words...
• BIOS Malware
• Do you manage the firmware versions of the devices in your company? And the BIOS?
• Legacy BIOS is more difficult to attack generically because there is no standard.
• UEFI firmware is easier to explore because it is standardized and modular.
• System Management Mode (SMM) is an execution mode of x86 processors.
• SMM's role is to provide and set up a protected location for the BIOS to load OS-independent code that handles hardware management activities.
GPU, DMA and BIOS Malwares: few words...
• The BIOS configures hardware to raise SMIs (System Management Interrupts) when hardware needs attention.
• An SMI invokes the SMM code that was placed into SMRAM (System Management RAM).
• The BIOS locks the SMRAM after placing the SMM code there. Afterwards, no one can access this area, not even the BIOS, until the next reboot.
• As SMM code has unrestricted access (read and write) to all RAM and normal software cannot access SMRAM, any attack that compromises the SMM code is lethal: it is more privileged than hypervisors, the OS kernel and the applications running on the system.
• Finally, vulnerabilities have been found that allow an attacker to disclose or modify the SMRAM contents.
GPU, DMA and BIOS Malwares: few words...
• DMA Malware: the fundamental concept is that devices usually have direct access to memory (DMA).
• Therefore, any malware executing on dedicated hardware can attack the host through DMA, and this attack is not visible to software running on the CPU.
• DMA malware can attack any kernel structure (even if ASLR is implemented, because it can scan physical memory for them).
• Video cards and network cards can be infected.
• Anti-virus products are not able to detect this kind of malware; an IOMMU (Intel VT-d, AMD-Vi) configured by the OS is the main mitigation, since it restricts which physical pages each device may reach.
• DAGGER is an example of DMA malware, which attacks Windows and Linux machines.
SGX – few words...
• SGX – Software Guard Extensions
• Remember that an application doesn't have any protection against processes running with higher privileges. Therefore, if malware gets administrative (or kernel) privileges, it can access any resource and application running in the system.
• For example, malware can extract keys, passwords and any other information directly from memory.
• SGX is a set of instructions that enables the creation of enclaves in memory.
• Enclaves are protected areas in the address space of a process that ensure confidentiality and integrity against this kind of privileged malware.
• The enclave is created with special instructions and its code is loaded from a DLL (the enclave image).
SGX – few words...
• Enclaves do not allow any code running outside the enclave to read or write their region, regardless of privilege level or CPU mode.
• Enclave memory is encrypted and the key changes randomly at boot time and when resuming from sleep and hibernation states.
• The keys are held inside the CPU.
• Production enclaves cannot be debugged by software or hardware debuggers (only enclaves built in debug mode can be).
• Data inside an enclave can only be accessed by code that runs inside the same enclave.
• Remember: no kernel or hypervisor can access the enclave.
• Conclusion: it is perfect for malware!
SGX – few words
• SGX makes dynamic and static analysis of the enclave code nearly impossible.
• In a summarized way, malware running in an enclave:
• uses remote attestation to prove to its operator that the enclave was set up correctly, and only then receives the key for its payload;
• as the second part, keeps a loader inside the enclave that decrypts and executes the real malicious code.
• Of course, it is still possible to indirectly analyze the code running inside the enclave by monitoring its system calls and the memory it shares with the untrusted host process: an enclave cannot make system calls itself and has to leave the enclave for any I/O.
WMI
• Many attacks using WMI have been performed around the world to accomplish tasks such as reconnaissance, virtual machine detection, persistence, data theft and lateral movement.
• Malware has been using WMI queries for detecting virtualization engines (VMware) and evading dynamic analysis.
• A few backdoors have been created to keep control of systems.
• Malware using WMI has good advantages such as:
• WMI is installed and running by default.
• WMI runs as the SYSTEM user.
• WMI persistence (permanent event subscriptions) lives only in the WMI repository. Thus, the malware is fileless.
• Most defenses are not ready for WMI attacks.
WMI
PS C:\> Get-WmiObject Win32_BIOS -Filter 'SerialNumber Like "%VMware%"'

SMBIOSBIOSVersion : 6.00
Manufacturer      : Phoenix Technologies LTD
Name              : PhoenixBIOS 4.0 Release 6.0
SerialNumber      : VMware-56 4d 5c 55 06 db fe fc-f7 f5 8b e2 1a 81 7c a7
Version           : _ASUS_ - 6040000

PS C:\> Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
......
__SERVER            : FORENSIC2
__NAMESPACE         : root\cimv2
__PATH              : \\FORENSIC2\root\cimv2:Win32_Process.Handle="1452"
Caption             : vmtoolsd.exe
CommandLine         : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
CreationClassName   : Win32_Process
CreationDate        : 20161021002910.594864-180
CSCreationClassName : Win32_ComputerSystem
CSName              : FORENSIC2
Description         : vmtoolsd.exe
ExecutablePath      : C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState      :
WMI
PS C:\Windows\system32> Get-WmiObject Win32_Share

Name   Path        Description
----   ----        -----------
ADMIN$ C:\Windows  Remote Admin
C$     C:\         Default share
E$     E:\         Default share
IPC$               Remote IPC

PS C:\Windows\system32> Get-WmiObject Win32_ComputerSystem

Domain              : WORKGROUP
Manufacturer        : Hewlett-Packard
Model               : HP ENVY dv7 Notebook PC
Name                : HPHACKER
PrimaryOwnerName    : ale
TotalPhysicalMemory : 15469965312
WMI
• Easy solutions against WMI malware:
• Disable WMI (rarely practical, since most management tooling depends on it).
• In the firewall, block the ports used by remote WMI: DCOM/RPC (TCP 135 plus the dynamic RPC range) and WinRM (TCP 5985/5986).
• Check the WMI, WinRM and DCOM logs:
• Microsoft-Windows-DistributedCOM (events in the System log)
• Microsoft-Windows-WMI-Activity/Operational
• Microsoft-Windows-WinRM/Operational
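Detection logic for the WMI-Activity log, as an added example that is not part of the original slides. It runs over constructed records shaped like the Microsoft-Windows-WMI-Activity/Operational entries (an event ID plus the message text; the exact field layout, the process IDs and the filter/consumer names are made up for this example, while the WMI class names and the two queries are the ones from the slides). It flags the VM-fingerprinting queries shown above, share/host reconnaissance, and the creation of a permanent event subscription bound to a command-line or script consumer, the fileless persistence mentioned earlier:

```python
"""Added example (not from the slides): triage of WMI-Activity style records."""
import re
from collections import Counter

QUERY = re.compile(r"IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<query>[^;]+)")
PID = re.compile(r"ClientProcessId = (?P<pid>\d+)")
CONSUMER = re.compile(r"Consumer = (?P<cls>\w+EventConsumer)")
VM_CLASSES = re.compile(r"Win32_BIOS|Win32_ComputerSystem|Win32_Process|Win32_DiskDrive|Win32_NetworkAdapter", re.I)
VM_ARTIFACTS = re.compile(r"vmware|vmtoolsd|vbox|virtualbox|qemu|xen", re.I)
RECON_CLASSES = re.compile(r"Win32_Share|Win32_ComputerSystem|Win32_UserAccount|Win32_Service", re.I)
RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
EVENT_SUBSCRIPTION_BINDING = 5861   # WMI-Activity event raised when a FilterToConsumerBinding is created

# Constructed records: (EventID, message). Text shapes approximate the real channel.
SAMPLE_EVENTS = [
    (5857, "Provider CIMWin32 loaded for ClientProcessId = 1452"),
    (5858, 'ClientMachine = FORENSIC2; User = FORENSIC2\\ale; ClientProcessId = 1452; '
           'Operation = Start IWbemServices::ExecQuery - root\\cimv2 : '
           'SELECT * FROM Win32_BIOS WHERE SerialNumber Like "%VMware%"; ResultCode = 0x80041032'),
    (5858, 'ClientMachine = FORENSIC2; User = FORENSIC2\\ale; ClientProcessId = 1452; '
           'Operation = Start IWbemServices::ExecQuery - root\\cimv2 : '
           'SELECT * FROM Win32_Process WHERE Name="vmtoolsd.exe"; ResultCode = 0x80041032'),
    (5858, 'ClientMachine = HPHACKER; User = HPHACKER\\ale; ClientProcessId = 2080; '
           'Operation = Start IWbemServices::ExecQuery - root\\cimv2 : '
           'SELECT * FROM Win32_Share; ResultCode = 0x80041032'),
    (5861, 'Namespace = //./root/subscription; Eventfilter = H2HCFilter; '
           'Consumer = CommandLineEventConsumer.Name="H2HCConsumer"; PossibleCause = Binding EventFilter: '
           'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
           '"Win32_PerfFormattedData_PerfOS_System"'),
    (5858, 'ClientMachine = HPHACKER; User = HPHACKER\\ale; ClientProcessId = 2080; '
           'Operation = Start IWbemServices::ExecQuery - root\\cimv2 : '
           'SELECT Name FROM Win32_Processor; ResultCode = 0x80041010'),
]


def classify(event_id, message):
    """Rule names that fire for one record (empty list when nothing is suspicious)."""
    rules = []
    m = QUERY.search(message)
    if m:
        query = m.group("query")
        if VM_CLASSES.search(query) and VM_ARTIFACTS.search(query):
            rules.append("vm_detection_query")
        elif RECON_CLASSES.search(query):
            rules.append("recon_query")
    c = CONSUMER.search(message)
    if event_id == EVENT_SUBSCRIPTION_BINDING and c and c.group("cls") in RISKY_CONSUMERS:
        rules.append("permanent_subscription_" + c.group("cls"))
    return rules


def client_pid(message):
    m = PID.search(message)
    return int(m.group("pid")) if m else None


def triage_log(events):
    """(event_id, client pid or None, rule) for every rule that fires, in log order."""
    return [(eid, client_pid(msg), rule) for eid, msg in events for rule in classify(eid, msg)]


def vm_fingerprinting_processes(events, threshold=2):
    """Processes that issued at least `threshold` VM-detection queries: the sandbox-evasion pattern."""
    hits = Counter(pid for _, pid, rule in triage_log(events) if rule == "vm_detection_query")
    return {pid for pid, n in hits.items() if n >= threshold}
```

A process that asks both Win32_BIOS and Win32_Process about VMware in quick succession is almost always fingerprinting the environment before deciding whether to run its payload, which is why the per-process count is reported separately from the individual hits; the 5861 rule is the one worth alerting on unconditionally, because a CommandLineEventConsumer bound to a filter is the WMI persistence the slides describe and legitimate software creates it very rarely.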
Thank you for attending my lecture!
LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]