Transcript
Page 1: Few Malware Anti-Forensics Techniques, H2HC University 2016, by Alexandre Borges (PDF file)

Few Malware Anti-Forensics Techniques

H2HC University 2016

By Alexandre Borges

Alexandre Borges – It is not allowed to copy nor reproduce this slide.

Page 2

Profile and TOC

TOC:

• Anti-Debugging
• Anti-Disassembly + Obfuscation
• Anti-VM
• Packers
• Crypto
• GPU, DMA, BIOS Malwares, SGX and WMI: few words...

Profile:

• Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the “Oracle Solaris Advanced Administration” book.

Page 3

Anti-Debugging

Page 4

Anti-Debugging

• Anti-Debugging techniques are used to determine whether a debugger is running.

• In particular, there are some useful API functions and techniques to perform this job:

• IsDebuggerPresent( ) checks the BeingDebugged field of the PEB (Process Environment Block):

0:000> !peb
PEB at 000007fffffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00000000ff510000
    Ldr                       0000000077742640
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00000000003e2ca0 . 00000000003e8250
    ...

Page 5

Anti-Debugging

0:000> dt nt!_PEB 000007fffffdf000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0x1 ''
   +0x003 BitField : 0x8 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 IsProtectedProcess : 0y0

Code example:

#include <windows.h>

/* IsDebuggerPresent() reads PEB->BeingDebugged for the calling process */
if (IsDebuggerPresent()) {
    MessageBoxW(NULL, L"A debugger was detected", L"A Debugger was detected", MB_OK);
} else {
    MessageBoxW(NULL, L"A debugger was not detected", L"A Debugger was not detected", MB_OK);
}

Page 6

Anti-Debugging

• NtQueryInformationProcess( ) is an API function exported by ntdll.dll which retrieves information about a specific process.

• In particular, if we pass the value 0x7 (ProcessDebugPort) as the second parameter, the function tells us whether the process is being debugged or not.

#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

HMODULE handle1 = LoadLibraryW(L"ntdll.dll");
NtQIP_t _NtQueryInformationProcess = (NtQIP_t) GetProcAddress(handle1, "NtQueryInformationProcess");
DWORD_PTR check = 0; /* ProcessDebugPort is pointer-sized: non-zero when a debugger is attached */
NTSTATUS h2hcstatus = _NtQueryInformationProcess(GetCurrentProcess(), ProcessDebugPort, &check, sizeof(check), NULL);
if (check != 0) { MessageBoxW(NULL, L"The code is being debugged", L"The code is being debugged", MB_OK); }

Page 7

Anti-Debugging

• OutputDebugString( ): this API function is used to send a string to a debugger for display. Therefore, the call only behaves as expected when a debugger is attached.

• NtGlobalFlag: PEB, offset 68 – the value 0x70 indicates that the heap was created by a debugger.

• INT scanning: scanning the code for the 0xCC opcode (software breakpoints). It can be easily overcome by using hardware breakpoints (there are only four).

• Inserting decoys: the malware inserts 0xCC opcodes into valid sections to trick debuggers.

Page 8

Anti-Debugging -- INT 2D

Page 9

Anti-Debugging

• TLS Callback: TLS (Thread Local Storage) is a separate storage area for each thread.

• It can be used to execute instructions before the entry point (where the debugger starts), so the debugger doesn't see these instructions. TLS is local to each thread that runs the code.

• .tls section in the PE header.

• There are not many legitimate applications that contain TLS callbacks.

root@kali:/malwares# r2 malw2.exe
 -- Stop swearing!
[0x00402179]> iS
[Sections]
idx=00 vaddr=0x00401000 paddr=0x00001000 sz=4096 vsz=621 perm=m-r-x name=tls
idx=01 vaddr=0x00402000 paddr=0x00002000 sz=20480 vsz=18680 perm=m-r-x name=.text
idx=02 vaddr=0x00407000 paddr=0x00007000 sz=4096 vsz=2348 perm=m-r-- name=.rdata
idx=03 vaddr=0x00408000 paddr=0x00008000 sz=12288 vsz=16060 perm=m-rw- name=.data

4 sections
[0x00402179]> ie
[Entrypoints]
vaddr=0x00402179 paddr=0x00002179 baddr=0x00400000 laddr=0x00000000 type=program
vaddr=0x00401060 paddr=0x00001060 baddr=0x00400000 laddr=0x00000000 type=tls

Page 10

Anti-Debugging

• Checking the time: when a process is being debugged, it runs slower than in the normal case.

• Computing the time (rdtsc instruction) between two normal instructions:

h2hc1 = __rdtsc();
h2hc2 = __rdtsc();
if (h2hc2 - h2hc1 < number) {....} else {...}

• Computing the time before and after an exception: if the process is being debugged, it will run more slowly during the exception.

• Usually, malware forcibly generates an exception and, eventually, it can use ICE (In-Circuit Exception) to force a single-step exception (where the normal code is present).

Page 11

Anti-Debugging

• QueryPerformanceCounter( ): based on the fact that processors have appropriate registers for measuring performance.

LARGE_INTEGER h2hc1, h2hc2;
QueryPerformanceCounter(&h2hc1);
QueryPerformanceCounter(&h2hc2);
if ((h2hc2.QuadPart - h2hc1.QuadPart) > number) {...}

• GetTickCount( ): this API comes from kernel32.dll and returns the elapsed time in milliseconds.

Page 12

Anti-Disassembly

Page 13

Anti-Disassembly

.text:00401000 loc_401000: ; CODE XREF: _main+Fp

.text:00401000 push ebp

.text:00401001 mov ebp, esp

.text:00401003 xor eax, eax

.text:00401005 jz short near ptr loc_40100D+1

.text:00401007 jnz near ptr loc_40100D+4

.text:0040100D

.text:0040100D loc_40100D: ; CODE XREF: .text:00401005j

.text:0040100D ; .text:00401007j

.text:0040100D jmp near ptr 0D0A8137h

Page 14

Anti-Disassembly

.text:00401000 push ebp

.text:00401001 mov ebp, esp

.text:00401003 sub esp, 4

.text:00401009 xor eax, eax

.text:0040100B jz short near ptr loc_40100D+1

.text:0040100D

.text:0040100D loc_40100D:

.text:0040100D call near ptr 8048559Dh

.text:00401012 cmp [esi+75h], ch

.text:00401015 push ds

.text:00401016 push offset byte_4010E9

.text:0040101B call sub_401106

.text:00401020 add esp, 4

.text:00401026 push [ebp+arg_0]

.text:00401029 call sub_40103C

Page 15

Anti-Disassembly

.text:0040103C
.text:0040103C push ebp
.text:0040103D mov ebp, esp
.text:0040103F sub esp, 4
.text:00401045 push 400000h
.text:0040104A add [esp+8+var_8], 1057h
.text:00401055 retn
.text:00401055 sub_40103C endp
.text:00401055
.text:00401055 ; ---------------------------------------------------------------------------
.text:00401056 dw 8BE9h
.text:00401058 ; ---------------------------------------------------------------------------
.text:00401058 inc ebp
.text:00401059 or [eax+756A0178h], al
.text:0040105F push ds
.text:00401060 push offset dword_4010F0
.text:00401065 call sub_401106
.text:0040106A add esp, 4
.text:00401070 push dword ptr [ebp+8]
.text:00401073 call loc_401086
.text:00401078 add esp, 4
.text:0040107E add esp, 4
.text:00401084 pop ebp
.text:00401085 retn

Page 16

Anti-Disassembly

• Remember: retn = pop the value from the top of the stack and jump to it.

Page 17

Anti-Disassembly

.text:00401086 loc_401086: ; CODE XREF: .text:00401073p

.text:00401086 push ebp

.text:00401087 mov ebp, esp

.text:00401089 sub esp, 4

.text:0040108F

.text:0040108F loc_40108F: ; CODE XREF: .text:loc_40108Fj

.text:0040108F jmp short near ptr loc_40108F+1

.text:00401091 ; ---------------------------------------------------------------------------

.text:00401091 ror byte ptr [eax-75h], 45h

.text:00401095 or [eax+75680278h], al

.text:0040109B adc [eax-7], ch

.text:0040109E adc [eax+0], al

.text:004010A1 call sub_401106

.text:004010A6 add esp, 4

.text:004010AC add esp, 4

.text:004010B2 pop ebp

.text:004010B3 retn

Page 18

Anti-Disassembly

mov eax, [ebp - 8]
and eax, 0x0000600
neg eax
sbb eax, eax
neg eax
ret

Page 19

Anti-Disassembly (obfuscation)

add eax, ecx

Equivalent obfuscated sequences (each still computes eax = eax + ecx):

sub eax, C3
add eax, ecx
add eax, C3

sub eax, C3
sub eax, A3
add eax, ecx
add eax, A3
push edx
mov edx, 62
inc edx
dec edx
add edx, 61
add eax, edx
pop edx

push ebx
mov ebx, C3
sub eax, ebx
pop ebx
sub eax, A3
sub eax, 38
add eax, ecx
add eax, 38
add eax, A3
push edx
push ecx
mov ecx, 62
mov edx, ecx
pop ecx
inc edx
dec edx
add edx, 61
add eax, edx
pop edx
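To check that the three sequences really are the same operation as add eax, ecx, and that the slide-18 neg / sbb / neg sequence is a branch-free non-zero test, here is an added Python emulator for the few instructions they use; it is not code from the slides. Immediates are read as hexadecimal as written on the slides, only CF is modelled because sbb consumes it, the slide-18 mov eax, [ebp - 8] is replaced by presetting eax, and the third sequence's garbled "dec edx, 61" is read as dec edx followed by add edx, 61, as in the second sequence.

```python
MASK = 0xFFFFFFFF


def run(program, regs):
    """Execute a list of x86-style instruction strings over 32-bit registers.
    Only the instructions used on these slides are supported; immediates are hex.
    Returns the final register dict; CF is tracked because sbb consumes it."""
    regs = dict(regs)
    stack = []
    cf = 0

    def val(op):  # register name or hex immediate
        return regs[op] if op in regs else int(op, 16)

    for line in program:
        mnemonic, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if mnemonic == "mov":
            regs[args[0]] = val(args[1])
        elif mnemonic == "add":
            total = regs[args[0]] + val(args[1])
            cf, regs[args[0]] = int(total > MASK), total & MASK
        elif mnemonic == "sub":
            diff = regs[args[0]] - val(args[1])
            cf, regs[args[0]] = int(diff < 0), diff & MASK
        elif mnemonic == "sbb":  # subtract with borrow: consumes the CF left by neg
            diff = regs[args[0]] - val(args[1]) - cf
            cf, regs[args[0]] = int(diff < 0), diff & MASK
        elif mnemonic == "neg":  # CF is set when the operand was non-zero
            cf = int(regs[args[0]] != 0)
            regs[args[0]] = (-regs[args[0]]) & MASK
        elif mnemonic == "and":  # and clears CF
            cf, regs[args[0]] = 0, regs[args[0]] & val(args[1])
        elif mnemonic == "inc":  # inc/dec leave CF untouched
            regs[args[0]] = (regs[args[0]] + 1) & MASK
        elif mnemonic == "dec":
            regs[args[0]] = (regs[args[0]] - 1) & MASK
        elif mnemonic == "push":
            stack.append(val(args[0]))
        elif mnemonic == "pop":
            regs[args[0]] = stack.pop()
        elif mnemonic == "ret":
            break
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return regs


# The slide-19 sequences, transcribed; the last one uses my reading of "dec edx, 61".
OBFUSCATED_ADD = {
    "plain": ["add eax, ecx"],
    "variant1": ["sub eax, C3", "add eax, ecx", "add eax, C3"],
    "variant2": ["sub eax, C3", "sub eax, A3", "add eax, ecx", "add eax, A3",
                 "push edx", "mov edx, 62", "inc edx", "dec edx", "add edx, 61",
                 "add eax, edx", "pop edx"],
    "variant3": ["push ebx", "mov ebx, C3", "sub eax, ebx", "pop ebx", "sub eax, A3",
                 "sub eax, 38", "add eax, ecx", "add eax, 38", "add eax, A3",
                 "push edx", "push ecx", "mov ecx, 62", "mov edx, ecx", "pop ecx",
                 "inc edx", "dec edx", "add edx, 61", "add eax, edx", "pop edx"],
}

SAMPLES = [(0, 0), (1, 2), (0xFFFFFFFF, 1), (0xC3, 0xA3), (0x12345678, 0x9ABCDEF0)]


def equivalent_to_add(variants, samples):
    """Run every variant on each (eax, ecx) sample and compare with eax + ecx mod 2^32,
    also requiring ebx/ecx/edx to come back unchanged (the push/pop bookkeeping).
    Returns the name of the first variant that differs, or None if all match."""
    for eax, ecx in samples:
        start = {"eax": eax, "ebx": 0x11111111, "ecx": ecx, "edx": 0x22222222}
        want = (eax + ecx) & MASK
        for name, prog in variants.items():
            out = run(prog, start)
            if out["eax"] != want or any(out[r] != start[r] for r in ("ebx", "ecx", "edx")):
                return name
    return None


def slide18_predicate(x):
    """The slide-18 sequence with eax preset to the value of [ebp - 8]:
    returns 1 if (x & 0x600) != 0, else 0, without any conditional jump."""
    regs = run(["and eax, 0x600", "neg eax", "sbb eax, eax", "neg eax", "ret"], {"eax": x})
    return regs["eax"]


if __name__ == "__main__":
    print("first non-equivalent variant:", equivalent_to_add(OBFUSCATED_ADD, SAMPLES))
    for x in (0x700, 0x1FF):
        print(f"slide-18 sequence on {x:#x} ->", slide18_predicate(x))
```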

Page 20

Anti-VM

Page 21

Anti-Virtual Machine

• Usually, a VMware environment leaves many artifacts on the system, so most current malware looks for these artifacts. If it finds them, the malware changes its behavior.

• VMwareService.exe

• VMwareTray.exe

• VMwareUser.exe

• VMware MAC addresses (00:0C:29, for example)

• Uninstalling the VMware Tools can be useful.

• net start | findstr VMware: this is implemented in the malware's code by using functions such as CreateToolhelp32Snapshot( ) and Process32Next( ), for example.

Page 22

Anti-Virtual Machine

• Remember that instructions such as sidt, sldt and sgdt can be executed from user-mode code without being trapped and virtualized by VMware.

• Red Pill: the malware executes a sidt instruction to get the IDTR register's value.

• VMware's monitor must relocate the guest's IDTR to prevent a conflict with the host's IDTR.

• Remember that the sidt instruction doesn't generate a trap and isn't virtualized, so it is invisible to VMware's monitor.

• Therefore, the IDTR for the virtual machine (host) is returned and the malware compares it to the IDTR from the guest to detect VMware.

• Red Pill only works on single-processor machines because each processor (or core) has its own IDT.

Page 23

Anti-Virtual Machine

.text:004034B5 sidt fword ptr [ebp+var_308]

.text:004034BC mov eax, dword ptr [ebp+var_308+2]

.text:004034C2 mov [ebp+var_300], eax

....

.text:004034DD mov ecx, [ebp+var_300]

.text:004034E3 shr ecx, 18h

.text:004034E6 cmp ecx, 0FFh ; VMware signature

.text:004034EC jz loc_40665A

Page 24

Anti-Virtual Machine

• No Pill:

• Based on the sldt and sgdt instructions.

• The LDT is associated with the processor and Windows doesn't use it.

• However, VMware provides virtual support for the LDT.

• Therefore:

• on the host machine the LDT is zero

• on a virtual machine the LDT is NOT zero

• the malware uses the sldt instruction to recover the LDT from the VM.

Page 25

Anti-Virtual Machine

• I/O Communication Port

• VMware uses I/O communication ports between the virtual machine and the host (copy/paste functionality).

• This special I/O communication port is queried and the value is compared to a magic number (0x564D5868 = 'VMXh') to prove the existence of VMware.

• in instruction (with the second operand set to 'VX').

• It's possible to detect the type of VMware (Express, ESX, GSX and Workstation).

• To overcome this anti-VM technique, overwrite the IN instructions with NOP.

Page 26

Anti-Virtual Machine

.text:100033C5 push ecx

.text:100033C6 push ebx

.text:100033C7 mov eax, 564D5868h ; ‘VMXh’

.text:100033CC mov ebx, 0

.text:100033D1 mov ecx, 0Ah ; ‘VX’

.text:100033D6 mov edx, 5658h

.text:100033DB in eax, dx

.text:100033DC cmp ebx, 564D5868h ; ‘VMXh’

.text:100033E2 setz [ebp+var_1C]

.text:100033E6 pop ebx

.text:100033E7 pop ecx

.text:100033E8 pop edx

ecx = 0xA: action 'get VMware version type'
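Slides 8, 10, 22 to 24 and 25 to 26 each name the instruction the check is built on (int 2Dh, rdtsc, sidt/sldt/sgdt, and in eax, dx with the 'VMXh' magic). The following added Python example, not the author's code, scans a code blob for those opcode patterns so a sample can be triaged before it is stepped through; the byte encodings and the sample blob (the slide-26 listing re-encoded, followed by the slide-23 sidt, an rdtsc and an int 2Dh) are my own assumptions derived from the listings.

```python
import struct

# Encodings assumed from the slide listings (not slide content).
MOV_EAX_VMXH = bytes.fromhex("B868584D56")   # mov eax, 564D5868h   ('VMXh')
MOV_ECX_IMM32 = 0xB9                          # mov ecx, imm32       (backdoor command number)
IN_EAX_DX = 0xED                              # in eax, dx           (port in dx: 5658h = 'VX')
INT_2D = 0x2D                                 # int 2Dh              (second byte after CD)
# 0F 00 /0 = sldt, 0F 01 /0 = sgdt, 0F 01 /1 = sidt; the /digit lives in ModRM.reg
DESCRIPTOR_STORES = {(0x00, 0): "sldt", (0x01, 0): "sgdt", (0x01, 1): "sidt"}


def scan_anti_analysis(code, base=0):
    """Return [(address, name, extra)] for each anti-debug / anti-VM pattern found.
    Pure byte matching, no disassembler: a triage heuristic that can also fire on
    bytes inside data or immediates, so hits still need confirming in IDA or r2."""
    hits = []
    for i, b in enumerate(code):
        if b == IN_EAX_DX:
            # Slides 25-26: the backdoor query loads the magic into eax shortly before the in.
            window = code[max(0, i - 32):i]
            if MOV_EAX_VMXH in window:
                j = window.rfind(bytes([MOV_ECX_IMM32]))
                cmd = struct.unpack_from("<I", window, j + 1)[0] if 0 <= j <= len(window) - 5 else None
                hits.append((base + i, "vmware_backdoor_in", cmd))
        elif b == 0x0F and i + 1 < len(code):
            op2 = code[i + 1]
            if op2 == 0x31:                                    # slide 10: rdtsc timing check
                hits.append((base + i, "rdtsc", None))
            elif op2 in (0x00, 0x01) and i + 2 < len(code):
                modrm = code[i + 2]
                key = (op2, (modrm >> 3) & 7)
                if modrm >> 6 != 3 and key in DESCRIPTOR_STORES:   # memory operand only
                    hits.append((base + i, DESCRIPTOR_STORES[key], None))
        elif b == 0xCD and i + 1 < len(code) and code[i + 1] == INT_2D:
            hits.append((base + i, "int_2d", None))             # slide 8
    return hits


# Constructed sample: the slide-26 listing re-encoded, then a sidt, rdtsc and int 2Dh.
SAMPLE = bytes.fromhex(
    "51"                # push ecx
    "53"                # push ebx
    "B868584D56"        # mov eax, 564D5868h ('VMXh')
    "BB00000000"        # mov ebx, 0
    "B90A000000"        # mov ecx, 0Ah (get VMware version type)
    "BA58560000"        # mov edx, 5658h ('VX')
    "ED"                # in eax, dx
    "81FB68584D56"      # cmp ebx, 564D5868h
    "0F9445E4"          # setz [ebp-1Ch]
    "5B595A"            # pop ebx / pop ecx / pop edx
    "0F018DF8FCFFFF"    # sidt fword ptr [ebp-308h]   (slide 23)
    "0F31"              # rdtsc                       (slide 10)
    "CD2D"              # int 2Dh                     (slide 8)
    "C3"                # ret
)

if __name__ == "__main__":
    # With base = 100033C5h the first hit lands on the slide's 'in eax, dx' at 100033DBh.
    for addr, name, extra in scan_anti_analysis(SAMPLE, base=0x100033C5):
        print(f"{addr:08X}  {name}" + (f"  cmd={extra:#x}" if extra is not None else ""))
```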

Page 27

Packers

Page 28

Packers

• Packers usually decrease the size of the program and make analysis more complicated. Moreover, they are used to evade protections (AV, IDS, DLP, and so on).

• If the AV uses a sandbox, it can emulate the packer's extraction.

• Some packers pack the entire executable, while others pack only the data section and the code.

• During loading, the unpacking stub is loaded by the operating system and this stub loads the original program. Thus, the code entry point is the unpacking stub, not the original code.

Page 29

Packers

Diagram (original executable): Header, Imports, Exports, .text Section, .data Section, .rsrc Section

Diagram (packed executable): Header, Unpacking Stub, Packed Original Code

Page 30

Packers

• Unfortunately, any analysis of a packed program is useless because the unpacking stub will be analyzed instead of the original code.

• The unpacking process has a few phases:

• unpack the original code into memory

• resolve all imports of the original executable (done by the packer, not Windows)

• stack registers are zeroed (to ensure that the PE packer has no effect on the code)

• transfer execution to the Original Entry Point (OEP) via jmp, ret or call

Page 31

Packers

• Finding a packed program:

• The program has few or no imports (use pestudio, PEview or CFF Explorer).

• Sometimes, there are only the GetProcAddress and LoadLibrary functions.

• The string table (used by compilers and linkers) is missing or corrupted.

• There are strange section names such as UPX0 and UPX1, for example.

• In the .text section, Size of Raw Data = 0 and Virtual Size is not zero.

• Automated vs. Manual Unpacking
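The checks above, together with the slide-9 TLS check, can be applied automatically to a PE file. The following is an added Python example, not the author's code: it reads the PE header with struct only, and build_pe assembles constructed header-only images (a UPX-style layout and a normal one) so the heuristics can be tried offline; treating section names that start with UPX or .vmp (slides 31 and 37) and an entry point outside .text (slide 28) as indicators is this example's generalisation of the slides.

```python
import struct


def build_pe(sections, entry_rva, import_size, tls_size=0):
    """Constructed PE32 image with headers only (no section bodies), enough for the
    heuristics below.  sections = [(name, VirtualSize, VirtualAddress, SizeOfRawData)]."""
    e_lfanew = 0x40
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))   # DOS header
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)  # COFF header
    img += struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    img += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x10000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x7000, import_size)                         # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs[9] = (0x1000, tls_size) if tls_size else (0, 0)   # IMAGE_DIRECTORY_ENTRY_TLS
    for rva, size in dirs:
        img += struct.pack("<II", rva, size)
    for name, vsize, vaddr, rawsize in sections:            # IMAGE_SECTION_HEADER, 40 bytes each
        img += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                           vsize, vaddr, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(img)


def packer_indicators(data):
    """Apply the slide-31 'finding a packed program' checks (plus the slide-9 TLS check)
    to a PE image and return [(indicator, detail)]; an empty list means nothing odd."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                                      # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    _, import_size = struct.unpack_from("<II", data, opt + 96 + 8 * 1)
    tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + 8 * 9)
    findings = []
    if tls_size:   # slide 9: TLS callbacks run before the entry point the debugger stops at
        findings.append(("tls_directory", f"TLS directory at RVA {tls_rva:#x}"))
    if import_size == 0:
        findings.append(("no_imports", "import directory is empty"))
    entry_section = None
    for n in range(nsections):
        off = opt + opt_size + 40 * n
        raw_name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if name.startswith(("UPX", ".vmp")):                 # names seen on slides 31 and 37
            findings.append(("packer_section_name", name))
        if rawsize == 0 and vsize != 0:                      # unpacked-into-at-runtime section
            findings.append(("raw_zero_virtual_nonzero", f"{name}: VirtualSize={vsize:#x}, SizeOfRawData=0"))
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            entry_section = name
    if entry_section != ".text":                             # slide 28: entry point is the stub
        findings.append(("entry_outside_text", f"entry point {entry:#x} is in {entry_section or 'no section'}"))
    return findings


# Constructed samples: a UPX-style layout, a normal compiler layout, and one with TLS.
PACKED = build_pe([("UPX0", 0x7000, 0x1000, 0), ("UPX1", 0x3000, 0x8000, 0x2A00),
                   (".rsrc", 0x1000, 0xB000, 0x1000)], entry_rva=0x9000, import_size=0)
CLEAN = build_pe([(".text", 0x5000, 0x1000, 0x5000), (".rdata", 0x1000, 0x6000, 0x1000),
                  (".data", 0x1000, 0x7000, 0x400)], entry_rva=0x1060, import_size=0x100)
WITH_TLS = build_pe([(".text", 0x5000, 0x1000, 0x5000)], entry_rva=0x1060,
                    import_size=0x100, tls_size=0x18)


def indicator_names(data):
    """Sorted, de-duplicated indicator names for a quick verdict."""
    return sorted({name for name, _ in packer_indicators(data)})


if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN), ("tls", WITH_TLS)):
        print(label, packer_indicators(image))
```

To run it on a real file, pass open(path, "rb").read() to packer_indicators instead of the constructed images.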

Page 32

Packers

1. Locate the jump to the original OEP.

2. Suspend the application at the OEP jump.

3. Dump the executable's memory image.

4. Change the OEP of the dumped image (in the PE header).

5. Big problem: the new image doesn't have its own Import Table!

6. Rebuild the IAT.

• Several kinds of packers: UPX, PECompact, FSG, ASPack, WinUPack, YodaCrypt, VMProtect, Themida and so on....

• Remember: usually, the code is unpacked in memory.

Page 33

Packers

• For a few packers, the code is never completely unpacked in memory. Welcome to virtualization obfuscation!

• There are protections that use multiple executables. For example, unpacking the executable into a new process, or using a two-process scheme in which one process debugs an altered version of the original process.

Diagram (virtualization obfuscation): original assembly code, virtualization engine, customized language / byte code, obfuscated interpreter

Page 34

Packers

• The same instruction can be translated to different customized instructions (polymorphic or metamorphic approach).

• Is it possible to analyze this kind of malware by using debuggers?

• As explained in the previous slide, the x86 code is translated to a custom language and then interpreted. Therefore, the original code is never reverted (restored) again.

• Usually, the interpreter uses a RISC language. Thus, the original x86 CISC instructions are translated and then interpreted by a RISC interpreter.

• One x86 (CISC) instruction is translated to several RISC instructions.

Page 35

Packers

• Before performing the transition (x86 world to custom language), all x86 registers have to be saved. At the end, after the packed execution, these same x86 registers must be restored to transfer control back to the x86 context.

• The protection engine is chosen at random. For example, Themida has four or more engines.

• How to break a virtualized protection?

• Many protections are stack-based virtual machines.

Page 36

Packers

.text:0040100D push ebp
.text:0040100E mov ebp, esp
.text:00401010 sub esp, 28h
.text:00401013 mov [esp+28h+Str], offset Str ; "Hello H2HC"
.text:0040101A call puts
.text:0040101F mov [esp+28h+var_24], ABABABh
.text:00401027 mov [esp+28h+Str], C0DE35h
.text:0040102E call sub_401000
.text:00401033 mov [ebp+var_C], eax
.text:00401036 mov eax, [ebp+var_C]
.text:00401039 mov [esp+28h+var_24], eax
.text:0040103D mov [esp+28h+Str], offset Format ; "msg = %i\n"
.text:00401044 call printf
.text:00401049 mov [esp+28h+Str], 0
.text:00401050 call exit
.text:00401050 start endp

Page 37

Packers

.text:00401000 sub_401000

.text:00401000 jmp loc_4048F7

.text:00401000 sub_401000 endp

.vmp0:004048F4 ; ---------------------------------------------------------------------------

.vmp0:004048F4 add ecx, [edx+ecx]

.vmp0:004048F7

.vmp0:004048F7 loc_4048F7:

.vmp0:004048F7 push offset word_40489A

.vmp0:004048FC call sub_404314

.vmp0:004048FC ; ---------------------------------------------------------------------------

Page 38

Packers

.vmp0:00404314 push eax

.vmp0:00404315 push ecx

.vmp0:00404316 push edx

.vmp0:00404317 push ebp

.vmp0:00404318 push esi

.vmp0:00404319 push ebx

.vmp0:0040431A pushf

.vmp0:0040431B push edi

.vmp0:0040431C push edi

.vmp0:0040431D push dword_401005

.vmp0:00404323 push 0

.vmp0:00404328 mov esi, [esp+2Ch+arg_0]

.vmp0:0040432C mov ebp, esp

.vmp0:0040432E sub esp, 0C0h

.vmp0:00404334 mov edi, esp

Page 39

Packers

.vmp0:00404336 loc_404336:

.vmp0:00404336 add esi, [ebp+0]

.vmp0:00404339

.vmp0:00404339 loc_404339:

.vmp0:00404339

.vmp0:00404339 mov al, [esi]

.vmp0:0040433B movzx eax, al

.vmp0:0040433E add esi, 1

.vmp0:00404341 jmp ds:off_40439C[eax*4]

Page 40

Packers

• add [60FF4C], C0DE35

• [60FF4C] = ABABAB (stack)

Page 41

Crypto

Page 42

Crypto

• XOR, Base64 and RC4 are common for encryption.

• zlib and LZO are common for compression.

• There are other options for compression: ntdll (RtlCompressBuffer and RtlDecompressBuffer functions).

• Good tools used to detect crypto and compression:

• PEiD (using the KANAL plugin)

• Findcrypt IDA plugin

• Draca

• Crypto Searcher

• Before starting to analyze crypto, it's necessary to know about:

• symmetric algorithms

• asymmetric algorithms

• digital certificates

• digital signatures

Page 43

Crypto

.text:0040104D loc_40104D:

.text:0040104D mov al, byte_402158[ecx]

.text:00401053 xor al, 9Eh

.text:00401055 cmp al, byte_402170[ecx]

.text:0040105B jnz short loc_403033

.text:0040105D inc ecx

.text:0040105E cmp ecx, 18h

.text:00401061 jl short loc_40104D

import idc

# IDAPython: decode the 0x18 bytes at byte_402170 in place with the key seen above (xor al, 9Eh)
for i in range(0x00402170, 0x00402188):
    x = 0x9E ^ idc.Byte(i)
    idc.PatchByte(i, x)
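The same decode without IDA, plus the key-recovery step an analyst needs when the key is not sitting next to the loop: an added Python example (not the slide's script) over a constructed 0x18-byte string encoded with the slide's key 0x9E. The scoring function, the brute force over all 256 keys and the check_input mirror of the compare loop are this example's own.

```python
def xor_decode(buf, key):
    """Single-byte XOR: the operation the loop at loc_40104D applies (xor al, 9Eh)."""
    return bytes(b ^ key for b in buf)


def check_input(candidate, encoded, key):
    """Mirror of the compare loop: each input byte is XORed with the key and compared
    with the stored byte; the original jumps to loc_403033 (failure) on the first mismatch."""
    if len(candidate) != len(encoded):
        return False
    return all((c ^ key) == e for c, e in zip(candidate, encoded))


def score_plaintext(buf):
    """Crude text-likeness score used to rank candidate keys: letters and spaces score
    high, digits a little, other printable ASCII nothing, anything else is penalised."""
    score = 0
    for b in buf:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 2
        elif b == 0x20:
            score += 3
        elif 0x30 <= b <= 0x39:
            score += 1
        elif not 0x20 <= b <= 0x7E:
            score -= 10
    return score


def recover_xor_key(encoded):
    """Brute-force all 256 single-byte keys and return (best_key, decoded_bytes)."""
    best_key = max(range(256), key=lambda k: score_plaintext(xor_decode(encoded, k)))
    return best_key, xor_decode(encoded, best_key)


# Constructed sample (not from the slides): what byte_402170 would hold if the expected
# input were this 0x18-byte string, encoded with the slide's key 0x9E.
XOR_KEY = 0x9E
PLAINTEXT = b"H2HC University SP 2016 "   # 24 bytes = 0x18, the loop bound in cmp ecx, 18h
ENCODED = xor_decode(PLAINTEXT, XOR_KEY)

if __name__ == "__main__":
    key, text = recover_xor_key(ENCODED)
    print(f"recovered key {key:#04x}: {text!r}")
    print("correct input accepted:", check_input(PLAINTEXT, ENCODED, XOR_KEY))
```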

Page 44

GPU, DMA, BIOS Malwares, SGX and WMI: few words...

Page 45

GPU, DMA and BIOS Malwares: few words...

• GPU Malwares

• They run part of their code on the GPU (Graphics Processing Unit), which is more powerful than the CPU.

• As the programming language, they can use either CUDA or OpenCL.

• Applications that use CUDA or OpenCL run part of their code on the CPU and another part on the GPU. Additionally, some data may be exchanged between them through shared memory.

• By using the GPU, malware can use more complex packing algorithms.

• There are still no tools to analyze GPU malware. Worse, VMware and VirtualBox do not emulate GPUs.

Page 46

GPU, DMA and BIOS Malwares: few words...

• How does GPU malware work?

• Initial load on the CPU

• Unpacking code transferred to the GPU

• GPU and CPU use shared memory

• Only a few instructions are decrypted / encrypted at a time.

• Different keys (stored on the GPU)

• Checksumming against modification.

• Examples:

• JellyFish

• Win_Jelly

• Demon

Page 47

GPU, DMA and BIOS Malwares: few words...

• BIOS Malwares

• Do you manage the firmware versions of the devices in your company? And the BIOS?

• Legacy BIOS is more difficult to hack because there is no standard.

• UEFI BIOS is easier to exploit.

• System Management Mode (SMM) is an execution mode of x86 processors.

• SMM's role is to provide and set up a protected location for the BIOS to load OS-independent code which handles hardware management activities.

Page 48

GPU, DMA and BIOS Malwares: few words...

• The BIOS configures the hardware to raise SMIs (System Management Interrupts) when the hardware needs attention.

• An SMI calls the SMM code that was placed into SMRAM (System Management RAM).

• The BIOS protects the SMRAM after inserting the SMM code there. Afterwards, no one can access this area, not even the BIOS, until the next reboot.

• As SMM code has unrestricted access (reading and modifying) to all RAM and normal software cannot access SMRAM, any attack that compromises the SMM code is lethal because it is more privileged than hypervisors, the OS (kernel) and the applications running on the system.

• Finally, vulnerabilities have been found that allow an attacker to disclose the SMRAM.

Page 49

GPU, DMA and BIOS Malwares: few words...

• The fundamental concept is that devices usually have direct access to memory (DMA).

• Therefore, any malware executed on dedicated hardware can attack the host using DMA, and this attack will not be detected.

• DMA malware can attack any kernel structure (even if ASLR is implemented).

• Video cards and network cards can be infected.

• Anti-virus products are not able to detect this kind of malware.

• DAGGER is an example of DMA malware, which attacks Windows and Linux machines.


SGX – few words...

• SGX – Software Guard Extensions

• Remember that an application has no protection against processes running with higher privileges. Therefore, if malware is able to obtain administrative privileges, it is able to access any resource and application running on the system.

• For example, malware can extract keys, passwords and any other information directly from memory.

• SGX is a set of instructions that make it possible to create enclaves in memory.

• Enclaves are protected areas in the address space of a process that ensure confidentiality and integrity against this kind of privileged malware.

• The enclave is enabled by using special instructions, and it is loaded as a DLL.


SGX – few words...

• Enclaves do not allow any process running outside the enclave to read or write its region, regardless of privilege level or CPU mode.

• The enclave memory is encrypted, and the key changes randomly at boot time and when resuming from the sleep and hibernation states.

• The keys are held inside the CPU.

• Enclaves cannot be debugged by software or hardware debuggers.

• Data inside an enclave can only be accessed by code that shares the enclave.

• Remember: no kernel or hypervisor can access the enclave.

• Conclusion: it is perfect for malware!


SGX – few words...

• SGX makes dynamic and static analysis impossible.

• In summary, malware running in an enclave:

• uses an external attestation process to ensure that the enclave is set up correctly;

• as the second part, holds code inside the enclave which decrypts and executes the malware payload.

• Of course, it is possible to indirectly analyze the code running inside the enclave by monitoring its system calls.


WMI

• Many attacks using WMI have been performed around the world to accomplish tasks such as reconnaissance, virtual machine detection, persistence, data theft and lateral movement.

• Malware has been using WMI queries to detect virtualization engines (VMware) and evade dynamic analysis.

• A few backdoors have been created to keep control of systems.

• Malware using WMI has good advantages, such as:

• WMI is installed and running by default.

• WMI runs as the System user.

• WMI uses only its repository. Thus, the malware is fileless.

• Most defenses are not ready for WMI attacks.



WMI

PS C:\> Get-WmiObject Win32_BIOS -Filter 'SerialNumber Like "%VMware%"'

SMBIOSBIOSVersion : 6.00
Manufacturer      : Phoenix Technologies LTD
Name              : PhoenixBIOS 4.0 Release 6.0
SerialNumber      : VMware-56 4d 5c 55 06 db fe fc-f7 f5 8b e2 1a 81 7c a7
Version           : _ASUS_ - 6040000

PS C:\> Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
......
__SERVER            : FORENSIC2
__NAMESPACE         : root\cimv2
__PATH              : \\FORENSIC2\root\cimv2:Win32_Process.Handle="1452"
Caption             : vmtoolsd.exe
CommandLine         : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
CreationClassName   : Win32_Process
CreationDate        : 20161021002910.594864-180
CSCreationClassName : Win32_ComputerSystem
CSName              : FORENSIC2
Description         : vmtoolsd.exe
ExecutablePath      : C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState      :


WMI

PS C:\Windows\system32> Get-WmiObject Win32_Share

Name   Path        Description
----   ----        -----------
ADMIN$ C:\Windows  Administração remota
C$     C:\         Recurso compartilhado padrão
E$     E:\         Recurso compartilhado padrão
IPC$               IPC remoto

PS C:\Windows\system32> Get-WmiObject Win32_ComputerSystem

Domain              : WORKGROUP
Manufacturer        : Hewlett-Packard
Model               : HP ENVY dv7 Notebook PC
Name                : HPHACKER
PrimaryOwnerName    : ale
TotalPhysicalMemory : 15469965312


WMI

• Easy solutions against WMI malware:

• Disable WMI.

• In the firewall, block the WMI protocol ports.

• Check the WMI, WinRM and DCOM logs:

• Microsoft-Windows-DistributedCOM

• Microsoft-Windows-WMI-Activity/Operational

• Microsoft-Windows-WinRM/Operational
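The "backdoors" bullet on the first WMI slide and the three log channels listed above come together in the following triage script. It is an added example, not code from the slides or from any tool the author mentions: it enumerates the permanent WMI event subscriptions in root\subscription (the filter, consumer and binding triple that WMI-based fileless persistence has to register) and pulls the recent entries from the channels named on this slide. It assumes Windows PowerShell 5.1 in an elevated session (Get-WmiObject, used here to match the slides, was removed in PowerShell 7) and that the WMI-Activity operational log is enabled; the function names are my own.

```powershell
# Added example: defender-side WMI triage (not from the slides).
# Assumes Windows PowerShell 5.1 and an elevated session.

# 1. Permanent WMI event subscriptions live in root\subscription. A clean
#    client usually has none; management agents may add a few, so treat
#    every hit as a lead to verify rather than a verdict.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding references look like __EventFilter.Name="X" and
        # CommandLineEventConsumer.Name="Y"; the quoted part is the key.
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate and
        # ActiveScriptEventConsumer carries ScriptText; other consumer
        # classes (log, SMTP) have neither, so Payload stays empty.
        $payload = $null
        if ($c) {
            if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
            elseif ($c.ScriptText)      { $payload = $c.ScriptText }
        }
        $query        = if ($f) { $f.Query }   else { '<filter missing>' }
        $consumerType = if ($c) { $c.__CLASS } else { '<consumer missing>' }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $query
            ConsumerType = $consumerType
            Payload      = $payload
        }
    }
}

# 2. Recent events from the channels the slide lists. Note that
#    Microsoft-Windows-DistributedCOM is a provider that writes into the
#    System log, not a log of its own, so it is selected by ProviderName.
function Get-WmiRelatedEvents {
    param([int]$Hours = 24, [int]$MaxPerLog = 200)
    $since   = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-WinRM/Operational';        StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; StartTime = $since }
    )
    $events = foreach ($q in $queries) {
        # Get-WinEvent reports "no events found" as an error; suppress it.
        Get-WinEvent -FilterHashtable $q -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue
    }
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, LogName, ProviderName, Id,
            @{ Name = 'Message'; Expression = {
                $m = $_.Message -replace '\s+', ' '
                if ($m.Length -gt 160) { $m.Substring(0, 160) + '...' } else { $m }
            } }
}

# 3. In the WMI-Activity log, IDs 5860 (temporary) and 5861 (permanent)
#    mark new event subscriptions on Windows 10 / Server 2016 and later;
#    the 5861 message carries the consumer definition, so it is the first
#    thing to read after a hit from Get-WmiPersistence.
function Get-WmiSubscriptionEvents {
    param([int]$Hours = 24)
    Get-WmiRelatedEvents -Hours $Hours |
        Where-Object { $_.LogName -eq 'Microsoft-Windows-WMI-Activity/Operational' -and
                       $_.Id -in @(5860, 5861) }
}

Get-WmiPersistence        | Format-Table -AutoSize -Wrap
Get-WmiSubscriptionEvents | Format-Table -AutoSize -Wrap
```

One caveat on the first bullet: stopping the Winmgmt service (the slide's "Disable WMI") also breaks Windows' own management tooling (SCCM and monitoring agents, parts of the Windows UI), so in practice the firewall and logging bullets carry the weight. Remote WMI arrives over DCOM (TCP 135 plus the dynamic RPC range) or WinRM (TCP 5985/5986), which is what the built-in "Windows Management Instrumentation (WMI)" firewall rule group covers.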


Thank you for attending my lecture!

LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]

• Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.

• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.

• Member of the CHFI Advisory Board in EC-Council.

• Reviewer member of The Journal of Digital Forensics, Security and Law

• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response

• Author of “Oracle Solaris Advanced Administration book”

