Few Malware Anti-Forensics Techniques - H2HC University 2016 - By Alexandre Borges

Post on 06-Mar-2018


  • Few Malware Anti-Forensics Techniques - H2HC University 2016

    By Alexandre Borges

    (Slide watermark: Alexandre Borges. It is not allowed to copy neither reproduce this slide.)

  • Profile and TOC

    TOC:

    Anti-Debugging
    Anti-Disassembly + Obfuscation
    Anti-VM
    Packers
    Crypto
    GPU, DMA, BIOS Malwares, SGX and WMI: few words...

    Profile:

    Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.

    Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.

    Member of the CHFI Advisory Board in EC-Council. Reviewer member of The Journal of Digital Forensics, Security and Law. Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.

    Author of the Oracle Solaris Advanced Administration book.

  • Anti-Debugging


  • Anti-Debugging

    Anti-Debugging techniques are used to determine whether a debugger is running.

    In particular, there are some useful API functions and techniques to perform this job:

    IsDebuggerPresent( ): checks the BeingDebugged field in the PEB (Process Environment Block).

    0:000> !peb
    PEB at 000007fffffdf000
        InheritedAddressSpace:    No
        ReadImageFileExecOptions: No
        BeingDebugged:            Yes
        ImageBaseAddress:         00000000ff510000
        Ldr                       0000000077742640
        Ldr.Initialized:          Yes
        Ldr.InInitializationOrderModuleList: 00000000003e2ca0 . 00000000003e8250
        ...


  • Anti-Debugging

    0:000> dt nt!_PEB 000007fffffdf000
    ntdll!_PEB
       +0x000 InheritedAddressSpace : 0 ''
       +0x001 ReadImageFileExecOptions : 0 ''
       +0x002 BeingDebugged : 0x1 ''
       +0x003 BitField : 0x8 ''
       +0x003 ImageUsesLargePages : 0y0
       +0x003 IsProtectedProcess : 0y0

    Code example (the string literals lost their quotes in the slide export; restored here):

    #include <windows.h>

    int main(void)
    {
        if (IsDebuggerPresent()) {
            MessageBox(NULL, L"A debugger was detected", L"A Debugger was detected", MB_OK);
        } else {
            MessageBox(NULL, L"A debugger was not detected", L"A Debugger was not detected", MB_OK);
        }
        return 0;
    }


  • Anti-Debugging

    NtQueryInformationProcess( ) is an API function from ntdll.dll which retrieves information about a specific process.

    In particular, if we pass the value 0x7 (ProcessDebugPort) as the second parameter, the function tells us whether the process is being debugged or not.

    /* Function pointer type for the undocumented ntdll export; -1 is the current-process pseudo handle. */
    typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(HANDLE, ULONG, PVOID, ULONG, PULONG);

    HMODULE handle1 = LoadLibrary(L"ntdll.dll");
    pNtQueryInformationProcess _NtQueryInformationProcess =
        (pNtQueryInformationProcess) GetProcAddress(handle1, "NtQueryInformationProcess");
    DWORD check = 0;
    NTSTATUS h2hcstatus = _NtQueryInformationProcess((HANDLE)-1, 0x07, &check, sizeof(check), NULL);
    if (check != 0) { MessageBox(NULL, L"The code is being debugged", L"Debugger", MB_OK); }


  • Anti-Debugging

    OutputDebugString( ): this API function sends a string to a debugger for display. Therefore, the function behaves normally only when a debugger is attached.

    NTGlobalFlag: PEB, offset 68. The value 0x70 indicates that the heap was created by a debugger.

    INT Scanning: scanning for the 0xCC opcode (software breakpoints). It can be easily overcome by using hardware breakpoints (there are only four).

    Inserting decoys: the malware inserts 0xCC opcodes into valid sections to trick debuggers.


  • Anti-Debugging -- INT 2D


  • Anti-Debugging: TLS Callback

    TLS (Thread Local Storage) is a separate storage area for each thread. It can be used to execute instructions before the entry point (where the debugger starts), so the debugger doesn't see these instructions. TLS is local to each thread that runs the code.

    .tls section in the PE header: there are not many legitimate applications that contain TLS.

    root@kali:/malwares# r2 malw2.exe
     -- Stop swearing!
    [0x00402179]> iS
    [Sections]
    idx=00 vaddr=0x00401000 paddr=0x00001000 sz=4096 vsz=621 perm=m-r-x name=.tls
    idx=01 vaddr=0x00402000 paddr=0x00002000 sz=20480 vsz=18680 perm=m-r-x name=.text
    idx=02 vaddr=0x00407000 paddr=0x00007000 sz=4096 vsz=2348 perm=m-r-- name=.rdata
    idx=03 vaddr=0x00408000 paddr=0x00008000 sz=12288 vsz=16060 perm=m-rw- name=.data

    4 sections
    [0x00402179]> ie
    [Entrypoints]
    vaddr=0x00402179 paddr=0x00002179 baddr=0x00400000 laddr=0x00000000 type=program
    vaddr=0x00401060 paddr=0x00001060 baddr=0x00400000 laddr=0x00000000 type=tls


  • Anti-Debugging

    Checking the time: when a process is being debugged, it runs slower than in the normal case.

    Computing the time (rdtsc instruction) between two normal instructions:

    #include <intrin.h>

    h2hc1 = __rdtsc( );
    h2hc2 = __rdtsc( );
    if (h2hc2 - h2hc1 < number) {....} else {...}

    Computing the time before and after an exception: if the process is being debugged, it will run more slowly during the exception.

    Usually, malware forcibly generates an exception and, eventually, it can use ICE (In-Circuit Exception) to force a single-step exception (where the normal code is present).


  • Anti-Debugging

    QueryPerformanceCounter( ): based on the fact that processors have appropriate registers for measuring performance.

    LARGE_INTEGER h2hc1, h2hc2;
    QueryPerformanceCounter(&h2hc1);
    QueryPerformanceCounter(&h2hc2);
    if ((h2hc2.QuadPart - h2hc1.QuadPart) > number) {...}

    GetTickCount( ): this API comes from kernel32.dll and returns the elapsed time in milliseconds.


  • Anti-Disassembly


  • Anti-Disassembly

    .text:00401000 loc_401000: ; CODE XREF: _main+Fp

    .text:00401000 push ebp

    .text:00401001 mov ebp, esp

    .text:00401003 xor eax, eax

    .text:00401005 jz short near ptr loc_40100D+1

    .text:00401007 jnz near ptr loc_40100D+4

    .text:0040100D

    .text:0040100D loc_40100D: ; CODE XREF: .text:00401005j

    .text:0040100D ; .text:00401007j

    .text:0040100D jmp near ptr 0D0A8137h


  • Anti-Disassembly

    .text:00401000 push ebp

    .text:00401001 mov ebp, esp

    .text:00401003 sub esp, 4

    .text:00401009 xor eax, eax

    .text:0040100B jz short near ptr loc_40100D+1

    .text:0040100D

    .text:0040100D loc_40100D:

    .text:0040100D call near ptr 8048559Dh

    .text:00401012 cmp [esi+75h], ch

    .text:00401015 push ds

    .text:00401016 push offset byte_4010E9

    .text:0040101B call sub_401106

    .text:00401020 add esp, 4

    .text:00401026 push [ebp+arg_0]

    .text:00401029 call sub_40103C


  • Anti-Disassembly

    .text:0040103C
    .text:0040103C push ebp
    .text:0040103D mov ebp, esp
    .text:0040103F sub esp, 4
    .text:00401045 push 400000h
    .text:0040104A add [esp+8+var_8], 1057h
    .text:00401055 retn
    .text:00401055 sub_40103C endp
    .text:00401055
    .text:00401055 ; ---------------------------------------------------------------------------
    .text:00401056 dw 8BE9h
    .text:00401058 ; ---------------------------------------------------------------------------
    .text:00401058 inc ebp
    .text:00401059 or [eax+756A0178h], al
    .text:0040105F push ds
    .text:00401060 push offset dword_4010F0
    .text:00401065 call sub_401106
    .text:0040106A add esp, 4
    .text:00401070 push dword ptr [ebp+8]
    .text:00401073 call loc_401086
    .text:00401078 add esp, 4
    .text:0040107E add esp, 4
    .text:00401084 pop ebp
    .text:00401085 retn


  • Anti-Disassembly

    Remember:

    retn = pop the value from the top of the stack and jump to it.


  • Anti-Disassembly

    .text:00401086 loc_401086: ; CODE XREF: .text:00401073p

    .text:00401086 push ebp

    .text:00401087 mov ebp, esp

    .text:00401089 sub esp, 4

    .text:0040108F

    .text:0040108F loc_40108F: ; CODE XREF: .text:loc_40108Fj

    .text:0040108F jmp short near ptr loc_40108F+1

    .text:00401091 ; ---------------------------------------------------------------------------

    .text:00401091 ror byte ptr [eax-75h], 45h

    .text:00401095 or [eax+75680278h], al

    .text:0040109B adc [eax-7], ch

    .text:0040109E adc [eax+0], al

    .text:004010A1 call sub_401106

    .text:004010A6 add esp, 4

    .text:004010AC add esp, 4

    .text:004010B2 pop ebp

    .text:004010B3 retn


  • Anti-Disassembly *

    mov eax, [ebp 8]

    and eax, 0x0000600

    neg eax

    sbb eax, eax

    neg eax

    ret


  • Anti-Disassembly (obfuscation)

    Original instruction:

    add eax, ecx


    Equivalent obfuscated sequence (1):

    sub eax, C3
    add eax, ecx
    add eax, C3

    Equivalent obfuscated sequence (2):

    sub eax, C3
    sub eax, A3
    add eax, ecx
    add eax, A3
    push edx
    mov edx, 62
    inc edx
    dec edx
    add edx, 61
    add eax, edx
    pop edx

    Equivalent obfuscated sequence (3):

    push ebx
    mov ebx, C3
    sub eax, ebx
    pop ebx
    sub eax, A3
    sub eax, 38
    add eax, ecx
    add eax, 38
    add eax, A3
    push edx
    push ecx
    mov ecx, 62
    mov edx, ecx
    pop ecx
    inc edx
    dec edx
    add edx, 61
    add eax, edx
    pop edx

  • Anti-VM


  • Anti-Virtual Machine

    Usually, a VMware environment leaves many artifacts on the system, so most current malware looks for these artifacts. If they find them, the malware changes its behavior.

    VMwareService.exe
    VMwareTray.exe
    VMwareUser.exe
    VMware MAC addresses (00:0C:29, for example)

    Uninstalling the VMware Tools can be useful.

    net start | findstr VMware: this is implemented in the malware code by using functions such as CreateToolhelp32Snapshot( ) and Process32Next( ), for example.


  • Anti-Virtual Machine

    Remember that instructions such as sidt, sldt and sgdt can be executed in user-mode code without being trapped and virtualized by VMware.

    Red Pill: the malware executes a sidt instruction to get the IDTR register's value.

    VMware's monitor must relocate the guest's IDTR to prevent a conflict with the host's IDTR.

    Remember that the sidt instruction doesn't generate a trap and it isn't virtualized, so it is invisible to VMware's monitor.

    Therefore, the IDTR for the virtual machine (host) is returned and the malware compares it to the IDTR from the guest to detect VMware.

    Red Pill only works on single-processor machines because each processor (or core) has its own IDT.


  • Anti-Virtual Machine

    .text:004034B5 sidt fword ptr [ebp+var_308]

    .text:004034BC mov eax, dword ptr [ebp+var_308+2]

    .text:004034C2 mov [ebp+var_300], eax

    ....

    .text:004034DD mov ecx, [ebp+var_300]

    .text:004034E3 shr ecx, 18h

    .text:004034E6 cmp ecx, 0FFh ; VMware signature

    .text:004034EC jz loc_40665A


  • Anti-Virtual Machine

    No Pill:

    Based on the sldt and sgdt instructions.

    The LDT is associated with the processor and Windows doesn't use it.

    However, VMware provides virtual support for the LDT.

    Therefore:

    on the host machine the LDT is zero
    on the virtual machine the LDT is NOT zero

    The malware uses the sldt instruction to recover the LDT from the VM.


  • Anti-Virtual Machine

    I/O Communication Port

    VMware uses I/O communication ports between the virtual machine and the host (copy/paste functionality).

    This special I/O communication port is queried and the value is compared to a magic number (0x564D5868 = "VMXh") to prove the existence of VMware.

    in instruction (with the second operand set to "VX")

    It's possible to detect the type of VMware (Express, ESX, GSX and Workstation).

    To overcome this anti-VM technique, overwrite the IN instructions with NOP.


  • Anti-Virtual Machine

    .text:100033C5 push ecx

    .text:100033C6 push ebx

    .text:100033C7 mov eax, 564D5868h ; VMXh

    .text:100033CC mov ebx, 0

    .text:100033D1 mov ecx, 0Ah ; VX

    .text:100033D6 mov edx, 5658h

    .text:100033DB in eax, dx

    .text:100033DC cmp ebx, 564D5868h ; VMXh

    .text:100033E2 setz [ebp+var_1C]

    .text:100033E6 pop ebx

    .text:100033E7 pop ecx

    .text:100033E8 pop edx

    0xA action: get Vmware version type
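As an added example (not from the slides), the following Python scanner looks for the two detection patterns shown above in raw code bytes: the "VMXh" magic followed by an IN instruction (with the 5658h port constant nearby) and the sidt/sgdt/sldt opcodes of the Red Pill / No Pill checks. A triage script like this is how an analyst flags anti-VM logic before running a sample. The sample bytes are hand-assembled from the listings on the slides, not taken from a real binary.

```python
import re

VMXH = b"\x68\x58\x4d\x56"              # 0x564D5868 ("VMXh") as a little-endian dword
MOV_EDX_5658 = b"\xba\x58\x56\x00\x00"  # mov edx, 5658h (the VMware backdoor port)
IN_OPCODES = {0xEC: "in al, dx", 0xED: "in eax, dx"}


def find_vmware_backdoor(code, window=32):
    """Flag a VMXh constant that is followed within `window` bytes by an IN instruction.

    A lone ED/EC byte is meaningless (it also appears as a ModRM byte, e.g. in 8B EC),
    so the IN is only reported in the context of the magic value."""
    hits = []
    for m in re.finditer(re.escape(VMXH), code):
        tail = code[m.end():m.end() + window]
        in_at = next((m.end() + i for i, b in enumerate(tail) if b in IN_OPCODES), None)
        if in_at is None:
            continue
        around = code[max(0, m.start() - window):m.end() + window]
        hits.append({"kind": "vmware_backdoor", "magic_at": m.start(),
                     "in_at": in_at, "port_5658": MOV_EDX_5658 in around})
    return hits


def find_descriptor_table_reads(code):
    """Decode sgdt/sidt (0F 01 /0 and /1, memory operand only) and sldt (0F 00 /0)."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        # 0F 01 with mod == 3 encodes other instructions (vmcall, xgetbv, ...), not sgdt/sidt
        if code[i + 1] == 0x01 and mod != 3 and reg in (0, 1):
            hits.append({"kind": "sgdt" if reg == 0 else "sidt", "at": i})
        elif code[i + 1] == 0x00 and reg == 0:
            hits.append({"kind": "sldt", "at": i})
    return hits


def scan(code):
    return find_vmware_backdoor(code) + find_descriptor_table_reads(code)


# Constructed code bytes (not a real sample), mirroring the two listings on the slides:
SAMPLE = bytes.fromhex(
    "55 8bec"           # push ebp ; mov ebp, esp
    "b8 68584d56"       # mov eax, 564D5868h   ("VMXh")
    "bb 00000000"       # mov ebx, 0
    "b9 0a000000"       # mov ecx, 0Ah         (get VMware version)
    "ba 58560000"       # mov edx, 5658h       ("VX")
    "ed"                # in eax, dx
    "81fb 68584d56"     # cmp ebx, 564D5868h
    "0f018d f8fcffff"   # sidt fword ptr [ebp-308h]
    "0f00c0"            # sldt eax
    "c3"                # ret
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```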


  • Packers


  • Packers

    Packers usually decrease the size of the program and make the analysis more complicated. Moreover, they are used to evade protections (AV, IDS, DLP, and so on).

    If the AV uses a sandbox, it can emulate the packer extraction.

    Some packers pack the entire executable, while others pack only the data section and the code.

    During the load, the unpacking stub is loaded by the operating system and this stub loads the original program. Thus, the code entry point is the unpacking stub, not the original code.


  • Packers

    Layout of the original executable: Header, Imports, Exports, .text Section, .data Section, .rsrc Section


    Layout of the packed executable: Header, Unpacking Stub, Packed Original Code

  • Packers

    Unfortunately, any analysis of a packed program is useless because the unpacking stub will be analyzed instead of the original code.

    The unpacking process has a few phases:

    unpacks the original code into memory
    resolves all imports of the original executable (done by the packer, not Windows)
    stack registers are zeroed (to ensure that the PE packer has no effect on the code)
    transfers the execution to the Original Entry Point (OEP): jmp, ret or call


  • Packers

    Finding a packed program:

    The program has few or no imports (use pestudio, PEview or CFF Explorer).
    Sometimes, there are only the GetProcAddress and LoadLibrary functions.
    The string table (used by compilers and linkers) is missing or corrupted.
    There are strange section names such as UPX0 and UPX1, for example.
    In the .text section, Size of Raw Data = 0 and Virtual Size is not zero.

    Automated x Manual Unpacking
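As an added example (not code from the slides), the script below builds two minimal PE32 headers in memory and applies the packing indicators just listed (odd section names such as UPX0/UPX1, a section with SizeOfRawData = 0 but a non-zero VirtualSize, an entry point outside .text, no import directory), plus the TLS-directory indicator from the TLS callback slide. Only headers are constructed; there is no section data and no real sample is involved, and the parser handles PE32 only.

```python
import struct

IMPORT_DIR, TLS_DIR = 1, 9   # IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_TLS
COMMON_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".bss", ".tls", ".pdata"}


def build_pe(sections, entry_rva, directories=None):
    """Build a minimal PE32 header (no section data). sections: (name, vsize, rva, raw_size)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    for idx, (rva, size) in (directories or {}).items():
        struct.pack_into("<II", opt, 96 + idx * 8, rva, size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, rva, raw, 0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rva, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return entry point, data directories and section headers of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ uses different offsets)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + i * 8) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw = struct.unpack_from("<8sIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rva": rva, "raw": raw})
    return {"entry": entry, "dirs": dirs, "sections": sections}


def packer_indicators(data):
    """Apply the slide's 'finding a packed program' checks; returns a list of findings."""
    pe = parse_pe(data)
    hits = []
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            hits.append("unusual section name %r" % s["name"])
        if s["raw"] == 0 and s["vsize"] != 0:
            hits.append("section %r has SizeOfRawData=0 but VirtualSize=%#x (filled at runtime)"
                        % (s["name"], s["vsize"]))
    entry_sec = next((s for s in pe["sections"]
                      if s["rva"] <= pe["entry"] < s["rva"] + max(s["vsize"], s["raw"])), None)
    if entry_sec is None or entry_sec["name"] != ".text":
        hits.append("entry point %#x is outside .text (in %s)"
                    % (pe["entry"], entry_sec["name"] if entry_sec else "no section"))
    if len(pe["dirs"]) <= IMPORT_DIR or pe["dirs"][IMPORT_DIR] == (0, 0):
        hits.append("no import directory (imports are resolved by the unpacking stub)")
    if len(pe["dirs"]) > TLS_DIR and pe["dirs"][TLS_DIR] != (0, 0):
        hits.append("TLS directory present (callbacks run before the entry point)")
    return hits


# Constructed headers, not real samples: a plain build and a UPX-style packed build.
NORMAL = build_pe([(".text", 0x1000, 0x1000, 0x1000), (".data", 0x200, 0x2000, 0x200)],
                  entry_rva=0x1100, directories={IMPORT_DIR: (0x2010, 0x40)})
PACKED = build_pe([("UPX0", 0x8000, 0x1000, 0), ("UPX1", 0x3000, 0x9000, 0x3000),
                   (".rsrc", 0x200, 0xC000, 0x200)],
                  entry_rva=0x9F00, directories={TLS_DIR: (0x9100, 0x18)})

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("packed", PACKED)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```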


  • Packers

    1. Locate the original OEP jump.

    2. Suspend the application at the OEP jump.

    3. Dump the executable memory image.

    4. Change the OEP of the dumped image (in the PE header).

    5. Big problem: the new image doesn't have its own Import Table!

    6. Rebuild the IAT.

    Several kinds of packers: UPX, PECompact, FSG, ASPack, WinUPack, YodaCrypt, VMProtect, Themida and so on....

    Remember: usually, the code is unpacked in memory.


  • Packers

    For a few packers, the code is not completely unpacked in memory. Welcome to virtualization obfuscation!

    There are protections that use multiple executables. For example, unpacking the executable into a new process, or using a two-process scheme in which one process debugs an altered version of the original process.


    Virtualization flow: original assembly code -> virtualization engine -> customized language / byte code -> obfuscated interpreter

  • Packers

    The same instruction can be translated to different customized instructions (polymorphic or metamorphic approach).

    Is it possible to analyze this kind of malware by using debuggers?

    As explained in the previous slide, the x86 code is translated to a custom language and then interpreted. Therefore, the code is never reverted (restored) anymore.

    Usually, the interpreter uses a RISC language. Thus, the original x86 CISC instructions are translated and interpreted by a RISC interpreter.

    One x86 (CISC) instruction is translated to several RISC instructions.


  • Packers

    Before performing the transition (x86 world to custom language), all x86 registers have to be saved. At the end, after the packed execution, these same x86 registers must be restored to transfer control to the x86 context again.

    The protection engine is chosen at random. For example, Themida has four or more engines.

    How to break a virtualized protection?

    There are many protections that are stack-based virtual machines.


  • Packers

    .text:0040100D push ebp
    .text:0040100E mov ebp, esp
    .text:00401010 sub esp, 28h
    .text:00401013 mov [esp+28h+Str], offset Str ; "Hello H2HC"
    .text:0040101A call puts
    .text:0040101F mov [esp+28h+var_24], ABABABh
    .text:00401027 mov [esp+28h+Str], C0DE35h
    .text:0040102E call sub_401000
    .text:00401033 mov [ebp+var_C], eax
    .text:00401036 mov eax, [ebp+var_C]
    .text:00401039 mov [esp+28h+var_24], eax
    .text:0040103D mov [esp+28h+Str], offset Format ; "msg = %i\n"
    .text:00401044 call printf
    .text:00401049 mov [esp+28h+Str], 0
    .text:00401050 call exit
    .text:00401050 start endp


  • Packers

    .text:00401000 sub_401000

    .text:00401000 jmp loc_4048F7

    .text:00401000 sub_401000 endp

    .vmp0:004048F4 ; ---------------------------------------------------------------------------

    .vmp0:004048F4 add ecx, [edx+ecx]

    .vmp0:004048F7

    .vmp0:004048F7 loc_4048F7:

    .vmp0:004048F7 push offset word_40489A

    .vmp0:004048FC call sub_404314

    .vmp0:004048FC ; ---------------------------------------------------------------------------


  • Packers

    .vmp0:00404314 push eax

    .vmp0:00404315 push ecx

    .vmp0:00404316 push edx

    .vmp0:00404317 push ebp

    .vmp0:00404318 push esi

    .vmp0:00404319 push ebx

    .vmp0:0040431A pushf

    .vmp0:0040431B push edi

    .vmp0:0040431C push edi

    .vmp0:0040431D push dword_401005

    .vmp0:00404323 push 0

    .vmp0:00404328 mov esi, [esp+2Ch+arg_0]

    .vmp0:0040432C mov ebp, esp

    .vmp0:0040432E sub esp, 0C0h

    .vmp0:00404334 mov edi, esp


  • Packers

    .vmp0:00404336 loc_404336:

    .vmp0:00404336 add esi, [ebp+0]

    .vmp0:00404339

    .vmp0:00404339 loc_404339:

    .vmp0:00404339

    .vmp0:00404339 mov al, [esi]

    .vmp0:0040433B movzx eax, al

    .vmp0:0040433E add esi, 1

    .vmp0:00404341 jmp ds:off_40439C[eax*4]


  • Packers

    add [60FF4C], C0DE35

    [60FF4C]=ABABAB

    add [60FF4C], C0DE35

    [60FF4C]=ABABAB (stack)


  • Crypto


  • Crypto

    XOR, Base64 and RC4 are common for encryption. zlib and LZO are common for compression.

    There are other options for compression: ntdll (RtlCompressBuffer and RtlDecompressBuffer functions).

    Good tools to detect crypto and compression:

    PEiD (using the KANAL plugin)
    Findcrypt IDA plugin
    Draca
    Crypto Searcher

    Before starting to analyze crypto, it's necessary to know about:

    symmetric algorithms
    asymmetric algorithms
    digital certificates
    digital signatures


  • Crypto

    .text:0040104D loc_40104D:

    .text:0040104D mov al, byte_402158[ecx]

    .text:00401053 xor al, 9Eh

    .text:00401055 cmp al, byte_402170[ecx]

    .text:0040105B jnz short loc_403033

    .text:0040105D inc ecx

    .text:0040105E cmp ecx, 18h

    .text:00401061 jl short loc_40104D

    IDAPython script that decodes the 0x18-byte compared buffer in place (idc.Byte / idc.PatchByte are the IDA 6.x API names):

    import idc

    for i in range(0x00402170, 0x00402188):
        x = 0x9E ^ idc.Byte(i)
        idc.PatchByte(i, x)
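As an added example (not from the slides), the same single-byte XOR decoding outside IDA on a constructed 0x18-byte buffer, extended to the case where the key is not visible in the code: try all 256 keys and rank them by how text-like the output is, or recover the key from a known-plaintext crib. The plaintext and key below are constructed for the demonstration.

```python
KEY = 0x9E

# Constructed 0x18-byte plaintext, the same length as the loop above (cmp ecx, 18h).
PLAINTEXT = b"H2HC University 2016 :-)"
CIPHERTEXT = bytes(b ^ KEY for b in PLAINTEXT)


def xor_decode(buf, start, end, key):
    """Decode buf[start:end] with a single-byte XOR key (what the IDAPython loop patches)."""
    return bytes(b ^ key for b in buf[start:end])


def text_score(decoded):
    """Number of ASCII letters, digits and spaces; readable text scores high."""
    return sum(1 for b in decoded if b < 0x80 and (chr(b).isalnum() or b == 0x20))


def rank_keys(ciphertext):
    """Try all 256 keys and rank (key, score) pairs, best first."""
    ranked = [(key, text_score(xor_decode(ciphertext, 0, len(ciphertext), key)))
              for key in range(256)]
    return sorted(ranked, key=lambda ks: ks[1], reverse=True)


def key_from_known_plaintext(ciphertext, known):
    """Recover the key from a crib (an expected header or string prefix); None if inconsistent."""
    keys = {c ^ p for c, p in zip(ciphertext, known)}
    return keys.pop() if len(keys) == 1 else None


if __name__ == "__main__":
    best_key, score = rank_keys(CIPHERTEXT)[0]
    print("best key %#x (score %d/%d): %r"
          % (best_key, score, len(CIPHERTEXT), xor_decode(CIPHERTEXT, 0, 0x18, best_key)))
    print("key from crib 'H2HC': %#x" % key_from_known_plaintext(CIPHERTEXT, b"H2HC"))
```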


  • GPU, DMA, BIOS Malwares, SGX and WMI: few words...


  • GPU, DMA and BIOS Malwares: few words... GPU Malwares

    They run part of their code on the GPU (Graphics Processing Unit), which is more powerful than the CPU.

    As a programming language, they can use either CUDA or OpenCL.

    Applications that use CUDA or OpenCL run part of their code on the CPU and another part on the GPU. Additionally, some data may be exchanged between them through shared memory.

    By using the GPU, malware can use more complex algorithms to be packed.

    There are still no tools to analyze GPU malware. Worse, VMware and VirtualBox do not simulate GPUs.


  • GPU, DMA and BIOS Malwares: few words... How does GPU malware work?

    Initial load on the CPU
    Unpacking code transferred to the GPU
    GPU and CPU use shared memory
    Only a few instructions are decrypted / encrypted at a time
    Different keys (stored on the GPU)
    Checksumming against modification

    Examples:

    JellyFish
    Win_Jelly
    Demon


  • GPU, DMA and BIOS Malwares: few words... BIOS Malwares

    Do you manage the firmware versions of the devices in your company? And the BIOS?

    Legacy BIOS: more difficult to hack because there is no standard.

    UEFI BIOS: easier to explore.

    System Management Mode (SMM): an execution mode of x86 processors.

    The SMM's role is to provide and set up a protected location for the BIOS to load OS-independent code which will handle hardware management activities.


  • GPU, DMA and BIOS Malwares: few words...

    The BIOS configures the hardware to call SMIs (System Management Interrupts) when the hardware needs attention.

    An SMI calls the SMM code that was placed into SMRAM (System Management RAM).

    The BIOS protects the SMRAM after inserting the SMM code there. Afterwards, no one can access this area, not even the BIOS, until the next reboot.

    As SMM code has unrestricted access (reading and modifying) to all RAM and normal software cannot access the SMRAM, any attack that compromises the SMM code is lethal because it is more privileged than hypervisors, the OS (kernel) and the applications running on the system.

    Finally, vulnerabilities were found that allow an attacker to disclose the SMRAM.


  • GPU, DMA and BIOS Malwares: few words...

    The fundamental concept is that devices usually have direct access to memory (DMA).

    Therefore, any malware executed on dedicated hardware can attack the host using DMA and this attack will not be detected.

    DMA malware can attack any kernel structure (even if ASLR is implemented).

    Video cards and network cards can be infected.

    Anti-virus is not able to detect this kind of malware.

    DAGGER is an example of DMA malware, which attacks Windows and Linux machines.


  • SGX few words...

    SGX: Software Guard Extensions

    Remember that an application doesn't have any protection against processes running with hig
her privileges. Therefore, if malware is able to get administrative privileges, it is able to access any resource and application running in the system.

    For example, malware can extract keys, passwords and any information directly from memory.

    SGX is a set of instructions that enables the creation of enclaves in memory.

    Enclaves are protected areas in the address space of processes that ensure confidentiality and integrity against this kind of privileged malware.

    The enclave is enabled by using special instructions and it is loaded as a DLL.


  • SGX few words...

    Enclaves do not allow any process running outside the enclave to read or write in its region, regardless of the privilege level or CPU mode.

    The enclave memory is encrypted and the key changes randomly at boot time and when resuming from sleep and hibernation states.

    The keys are held inside the CPU.

    Enclaves cannot be debugged by software or hardware debuggers.

    Data inside the enclaves can only be accessed by code that shares the enclave.

    Remember: no kernel or hypervisor can access the enclave.

    Conclusion: it is perfect for malware!


  • SGX few words

    SGX makes dynamic and static analysis impossible.

    In a summarized way, a malware running in the enclave:

    uses an external attestation process to ensure that the enclave is set up correctly.
    as the second part, the malware can hold code inside the enclave which decrypts and executes the malware.

    Of course, it is possible to indirectly analyze the code running inside the enclave by monitoring the system calls.

  • WMI

    Many attacks using WMI have been performed around the world to accomplish tasks such as reconnaissance, virtual machine detection, persistence, data theft and lateral movement.

    Malware has been using WMI queries to detect virtualization engines (VMware) and evade dynamic analysis.

    A few backdoors have been created to keep control of systems.

    Malware using WMI has advantages such as:

    WMI is installed and running by default.

    WMI runs as the SYSTEM user.

    WMI uses only its repository, so the malware is fileless.

    Most defenses are not ready for WMI attacks.

  • WMI

    PS C:\> Get-WmiObject Win32_BIOS -Filter 'SerialNumber Like "%VMware%"'

    SMBIOSBIOSVersion : 6.00
    Manufacturer      : Phoenix Technologies LTD
    Name              : PhoenixBIOS 4.0 Release 6.0
    SerialNumber      : VMware-56 4d 5c 55 06 db fe fc-f7 f5 8b e2 1a 81 7c a7
    Version           : _ASUS_ - 6040000

    PS C:\> Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'

    ......
    __SERVER            : FORENSIC2
    __NAMESPACE         : root\cimv2
    __PATH              : \\FORENSIC2\root\cimv2:Win32_Process.Handle="1452"
    Caption             : vmtoolsd.exe
    CommandLine         : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
    CreationClassName   : Win32_Process
    CreationDate        : 20161021002910.594864-180
    CSCreationClassName : Win32_ComputerSystem
    CSName              : FORENSIC2
    Description         : vmtoolsd.exe
    ExecutablePath      : C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
    ExecutionState      :

  • WMI

    PS C:\Windows\system32> Get-WmiObject Win32_Share

    Name   Path       Description
    ----   ----       -----------
    ADMIN$ C:\Windows Administração remota
    C$     C:\        Recurso compartilhado padrão
    E$     E:\        Recurso compartilhado padrão
    IPC$              IPC remoto

    PS C:\Windows\system32> Get-WmiObject Win32_ComputerSystem

    Domain              : WORKGROUP
    Manufacturer        : Hewlett-Packard
    Model               : HP ENVY dv7 Notebook PC
    Name                : HPHACKER
    PrimaryOwnerName    : ale
    TotalPhysicalMemory : 15469965312

  • WMI

    Easy solutions against WMI malware:

    Disable WMI.

    In the firewall, block the WMI protocol ports.

    Check the WMI, WinRM and DCOM logs:

    Microsoft-Windows-DistributedCOM

    Microsoft-Windows-WMI-Activity/Operational

    Microsoft-Windows-WinRM/Operational
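    The log review and the "fileless" persistence point above, worked as an added example (not code from the original slides): it enumerates the permanent WMI event subscriptions that live only in the WMI repository and pulls recent records from the three logs named above. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, where the WMI-Activity/Operational log exists.

```powershell
# Added example (not from the original slides): enumerate permanent WMI event
# subscriptions (the "fileless" persistence that lives only in the WMI repository)
# and pull recent records from the three logs the slide names.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, where
# the WMI-Activity/Operational log exists; event ID 5861 in that log is the known
# "new permanent event consumer registered" record.

function Get-WmiPersistence {
    # A permanent subscription is a __EventFilter (WQL trigger) bound to an
    # __EventConsumer (what runs). Resolve each binding into a readable record.
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Binding.Filter / .Consumer are object paths such as __EventFilter.Name="x"
        $f = $filters   | Where-Object { $b.Filter   -like "*Name=`"$($_.Name)`"*" }
        $c = $consumers | Where-Object { $b.Consumer -like "*Name=`"$($_.Name)`"*" }
        # CommandLineEventConsumer exposes CommandLineTemplate,
        # ActiveScriptEventConsumer exposes ScriptText; both deserve a close look.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [PSCustomObject]@{
            Filter       = $f.Name
            Trigger      = $f.Query
            ConsumerType = $c.__CLASS
            Consumer     = $c.Name
            Payload      = $payload
        }
    }
}

function Get-WmiActivityEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # New permanent consumer bindings (persistence) as recorded by WMI itself.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861; StartTime = $since } -ErrorAction SilentlyContinue
    # Remote WinRM sessions.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue
    # DCOM writes to the System log under the Microsoft-Windows-DistributedCOM provider.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; StartTime = $since } -ErrorAction SilentlyContinue
}

Get-WmiPersistence | Format-List
Get-WmiActivityEvents -Hours 72 | Select-Object TimeCreated, LogName, Id, Message | Format-Table -Wrap
```

    A clean host normally shows few or no bindings beyond Microsoft's own, so any unfamiliar CommandLine or ActiveScript consumer is worth investigating.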

  • Thank you for attending my lecture!

    LinkedIn: http://www.linkedin.com/in/aleborges Twitter: @ale_sp_brazil Blog: http://alexandreborges.org E-mail: alexandreborges@blackstormsecurity.com

    Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.

    Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.

    Member of the CHFI Advisory Board in EC-Council.

    Reviewer member of The Journal of Digital Forensics, Security and Law

    Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response

    Author of Oracle Solaris Advanced Administration book