Win32/Flamer: Reverse Engineering and Framework Reconstruction
DESCRIPTION
In this talk you will not hear speculation about state-sponsored cyber-espionage or conspiracy theories about the development of cyber weapons. The authors concentrate on approaches to analysing malware built on an object-oriented architecture, applied to one of the most complex threats the AV industry has ever faced: Win32/Flamer. They present analysis methods developed in the course of researching threats such as Stuxnet, Duqu and Festi. The talk sheds light on the problems researchers face when investigating complex threats, and on ways to deal with them using the Hex-Rays tools. The authors also present the results of reconstructing the framework that was used to build Win32/Flamer, and show its similarity to Stuxnet/Duqu/Gauss in code and architecture.
TRANSCRIPT
![Page 1: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/1.jpg)
Win32/Flamer: Reverse Engineering and
Framework Reconstruction
Aleksandr Matrosov
Eugene Rodionov
![Page 2: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/2.jpg)
Outline of The Presentation
- Typical malware vs. Stuxnet/Flame: what's the difference?
- Flamer code reconstruction problems:
  - C++ code reconstruction
  - Library code identification
- Flamer framework overview:
  - Object oriented code reconstruction
- Relationship Stuxnet/Duqu/Flamer
![Page 3: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/3.jpg)
Typical Malware vs. Stuxnet/Flamer
![Page 4: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/4.jpg)
What’s the Difference?
![Page 5: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/5.jpg)
What’s the Difference?
| Typical malware | Stuxnet/Flame |
|---|---|
| Different motivation, budget … | Different motivation, budget … |
| Use 1-days for distribution | Use 0-days for distribution |
| Stealth techniques for bypassing AV | Stealth techniques for bypassing all security software |
| Stealth timing: months | Stealth timing: years |
| Developed in C, or in C++ written in C style | Tons of C++ code with OOP |
| Simple plugin architecture | Industrial OO framework platform |
| Traditional ways of obfuscation: packers, polymorphic code, VM-based protection, … | Other ways of code obfuscation: tons of embedded static code, specific compilers/options, object-oriented wrappers for typical OS utilities |
![Page 6: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/6.jpg)
Stuxnet/Duqu/Flamer/Gauss Appearance
![Page 7: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/7.jpg)
Code Complexity Growth
(Bar chart of code complexity; the bars, left to right, are Gauss, miniFlamer, Stuxnet, Duqu, Flamer.)
![Page 8: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/8.jpg)
Code Complexity Growth
![Page 9: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/9.jpg)
C++ Code REconstruction
Problems
![Page 10: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/10.jpg)
C++ Code Reconstruction Problems
- Object identification
- Type reconstruction
- Class layout reconstruction
- Identify constructors/destructors
- Identify class members
- Local/global type reconstruction
- Associate object with exact method calls
- RTTI reconstruction
- Vftable reconstruction
- Associate vftable with exact object
- Class hierarchy reconstruction
![Page 11: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/11.jpg)
C++ Code Reconstruction Problems
(Diagram of the object layout:)
- Class A object: vfPtr, a1(), a2()
- A::vfTable: meta (RTTI pointer stored just before the table), A::a1(), A::a2()
- RTTI Object Locator (pointed to by meta): signature, pTypeDescriptor, pClassDescriptor
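The diagram above is the layout the Microsoft compiler emits on x86: the slot just before a vftable points to an RTTICompleteObjectLocator (in full: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor), the TypeDescriptor carries the mangled class name, and the ClassHierarchyDescriptor leads to the base classes. The script below is an added example, not code from the talk or from Hex-Rays: it scans a constructed 32-bit memory image for that pattern and walks the locator to recover the class name and hierarchy. The image, the addresses and the classes D and B are made up for the demo.

```python
"""Added example: recover class names and hierarchy from MSVC x86 RTTI.

Given a vftable address, the slot just before it ("meta" in the diagram)
points to an RTTICompleteObjectLocator, which leads to the TypeDescriptor
(mangled class name) and the ClassHierarchyDescriptor (base classes).
The memory image is constructed for the demo; addresses are made up.
"""
import struct


class Image:
    """Flat little-endian memory image addressed by 32-bit virtual address."""

    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)

    def contains(self, va, n=4):
        return self.base <= va and va + n <= self.base + len(self.mem)

    def u32(self, va):
        return struct.unpack_from("<I", self.mem, va - self.base)[0]

    def write(self, va, data):
        self.mem[va - self.base:va - self.base + len(data)] = data

    def cstr(self, va):
        off = va - self.base
        end = self.mem.find(b"\x00", off)
        return self.mem[off:end if end >= 0 else None].decode("latin-1")


def type_name(img, td_va):
    """TypeDescriptor = {void *pVFTable; void *spare; char name[];}."""
    return img.cstr(td_va + 8)


def demangle(name):
    """'.?AVFoo@@' -> 'class Foo', '.?AUFoo@@' -> 'struct Foo' (plain names only)."""
    for prefix, kind in ((".?AV", "class "), (".?AU", "struct ")):
        if name.startswith(prefix) and name.endswith("@@"):
            return kind + name[len(prefix):-2]
    return name


def describe_vftable(img, vft_va):
    """Return (class name, [hierarchy names]); entry 0 of the hierarchy is the class itself."""
    col = img.u32(vft_va - 4)
    # RTTICompleteObjectLocator: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor
    signature, _offset, _cd_offset, p_td, p_chd = (img.u32(col + 4 * i) for i in range(5))
    if signature != 0:                       # 0 = x86 absolute-pointer form
        raise ValueError("not an x86 complete object locator")
    # ClassHierarchyDescriptor: signature, attributes, numBaseClasses, pBaseClassArray
    _sig, _attrs, n_bases, p_bca = (img.u32(p_chd + 4 * i) for i in range(4))
    hierarchy = []
    for i in range(n_bases):
        bcd = img.u32(p_bca + 4 * i)         # BaseClassDescriptor; first field is pTypeDescriptor
        hierarchy.append(demangle(type_name(img, img.u32(bcd))))
    return demangle(type_name(img, p_td)), hierarchy


def find_vftables(img):
    """Scan for 'meta' slots: a pointer to a locator with signature 0 whose
    TypeDescriptor name starts with '.?A'. The vftable starts 4 bytes later."""
    hits = []
    for va in range(img.base, img.base + len(img.mem) - 4, 4):
        col = img.u32(va)
        if not img.contains(col, 20) or img.u32(col) != 0:
            continue
        td = img.u32(col + 12)
        if img.contains(td, 12) and img.cstr(td + 8).startswith(".?A"):
            hits.append(va + 4)
    return hits


def build_sample_image():
    """Constructed snapshot: class D : public B, with one vftable for D (made-up addresses)."""
    img = Image(0x00400000, 0x10000)
    TI_VFT = 0x40F000                        # type_info's own vftable (never dereferenced)
    TD_D, TD_B = 0x401000, 0x401020
    BCD_D, BCD_B = 0x401040, 0x401060
    BCA, CHD, COL, VFT = 0x401080, 0x401090, 0x4010A0, 0x4010C4
    img.write(TD_D, struct.pack("<II", TI_VFT, 0) + b".?AVD@@\x00")
    img.write(TD_B, struct.pack("<II", TI_VFT, 0) + b".?AVB@@\x00")
    # BaseClassDescriptor: pTypeDescriptor, numContainedBases, PMD{mdisp,pdisp,vdisp}, attributes
    img.write(BCD_D, struct.pack("<IIiiiI", TD_D, 1, 0, -1, 0, 0x40))
    img.write(BCD_B, struct.pack("<IIiiiI", TD_B, 0, 0, -1, 0, 0x40))
    img.write(BCA, struct.pack("<II", BCD_D, BCD_B))          # entry 0 is the class itself
    img.write(CHD, struct.pack("<IIII", 0, 0, 2, BCA))
    img.write(COL, struct.pack("<IIIII", 0, 0, 0, TD_D, CHD))
    img.write(VFT - 4, struct.pack("<I", COL))                # the 'meta' slot
    img.write(VFT, struct.pack("<II", 0x401200, 0x401210))    # D::a1, D::a2
    img.write(0x401200, b"\xC3")                              # stub method bodies (ret)
    img.write(0x401210, b"\xC3")
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for vft in find_vftables(image):
        cls, hier = describe_vftable(image, vft)
        print(f"vftable {vft:#010x}: {cls}; hierarchy: {' -> '.join(hier)}")
```

On a real binary the same scan runs over the .rdata section of the IDB (or a dump), and the recovered names are what you would give the vftable type in "Local Types"; when the malware was built without RTTI the meta slot is absent and only the constructor heuristics remain.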
![Page 12: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/12.jpg)
C++ Code Reconstruction Problems
![Page 13: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/13.jpg)
Identify Smart Pointer Structure
![Page 14: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/14.jpg)
Identify Exact Virtual Function Call in vtable
![Page 15: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/15.jpg)
Identify Exact Virtual Function Call in vtable
![Page 16: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/16.jpg)
Identify Exact Virtual Function Call in vtable
![Page 17: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/17.jpg)
Identify Custom Type Operations
![Page 18: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/18.jpg)
Identify Objects Constructors
![Page 19: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/19.jpg)
Identify Objects Constructors
![Page 20: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/20.jpg)
Library code identification
problems
![Page 21: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/21.jpg)
Library Code Identification Problems
- Compiler optimization
- Wrappers for WinAPI calls
- Embedded library code
- Library version identification problem
- IDA signatures use syntax-based detection methods:
  - Recompiled libraries problem
  - Compiler optimization problem
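To make the "syntax based" point concrete, here is an added example of the basic idea behind a FLIRT-style signature (my code, not Hex-Rays' implementation, which additionally hashes the bytes after the first 32 and resolves references): the pattern is the function's leading bytes with relocation-dependent operands wildcarded, so it survives relinking but not recompilation. The three x86 byte strings are hand-assembled for the demo and are not taken from any real library.

```python
"""Added example: why syntax-based library signatures break on recompiled code.

A FLIRT-style signature is the byte pattern of a function's start with the
bytes that relocation fixups will change masked out. The byte strings below
are constructed (hand-assembled x86) for the demo.
"""

# push ebp / mov ebp,esp / push [ebp+8] / call rel32 / add esp,4 / pop ebp / ret
REFERENCE = bytes.fromhex("55 8B EC FF 75 08 E8 11 22 33 44 83 C4 04 5D C3")
# the same object code linked at another address: only the call target differs
RELINKED = bytes.fromhex("55 8B EC FF 75 08 E8 AA BB CC DD 83 C4 04 5D C3")
# the same source rebuilt with frame-pointer omission: push [esp+4] / call / add esp,4 / ret
RECOMPILED = bytes.fromhex("FF 74 24 04 E8 11 22 33 44 83 C4 04 C3")


def make_signature(name, code, fixups):
    """Build a signature from a reference function; `fixups` lists (offset, size)
    of relocation-dependent operands, which become wildcards."""
    pattern = list(code)
    for off, size in fixups:
        for k in range(off, off + size):
            pattern[k] = None
    return {"name": name, "pattern": pattern}


def pattern_str(sig):
    """Render the signature the way signature tools usually print it."""
    return " ".join("??" if b is None else f"{b:02X}" for b in sig["pattern"])


def match(sig, blob):
    """Return every offset in `blob` where the masked pattern matches."""
    pat = sig["pattern"]
    return [off for off in range(len(blob) - len(pat) + 1)
            if all(p is None or p == blob[off + k] for k, p in enumerate(pat))]


def identify(sigs, blob):
    """Apply a whole signature set, like loading a .sig file: {offset: name}."""
    return {off: sig["name"] for sig in sigs for off in match(sig, blob)}


# the call's rel32 operand sits at offset 7 and is patched by the linker
LIB_SIGS = [make_signature("lib_wrapper", REFERENCE, fixups=[(7, 4)])]

# a constructed "binary" containing the relinked function and the recompiled one
BINARY = b"\x90" * 8 + RELINKED + b"\xCC" * 4 + RECOMPILED

if __name__ == "__main__":
    print(pattern_str(LIB_SIGS[0]))
    print(identify(LIB_SIGS, BINARY))   # only the relinked copy at offset 8 is recognised
```

The recompiled copy is the same source with different codegen, which is exactly the case a statically linked, custom-built library in Flamer presents: the signature set knows the vendor's build, not the attacker's.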
![Page 22: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/22.jpg)
Library Code Identification Problems
![Page 23: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/23.jpg)
Object Oriented API Wrappers and Implicit Calls
![Page 24: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/24.jpg)
Object Oriented API Wrappers and Implicit Calls
![Page 25: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/25.jpg)
Object Oriented API Wrappers and Implicit Calls
![Page 26: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/26.jpg)
Festi: OOP in kernel-mode
![Page 27: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/27.jpg)
Main Festi functionality is stored in kernel mode
(Diagram: the Win32/Festi dropper, in user mode, installs the Win32/Festi kernel-mode driver; the driver downloads Win32/Festi plugins 1, 2, … N into kernel mode.)
![Page 28: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/28.jpg)
![Page 29: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/29.jpg)
Festi: Architecture
(Diagram of the Win32/Festi driver's components:)
- Win32/Festi C&C protocol parser
- Win32/Festi network socket
- Win32/Festi plugin manager
- Win32/Festi memory manager
![Page 30: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/30.jpg)
Festi: Plugin Interface
(Diagram: an array of pointers to plugins; each entry, Plugin 1, Plugin 2, Plugin 3, … Plugin N, points to that plugin's struct PLUGIN_INTERFACE.)
![Page 31: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/31.jpg)
Festi: Plugins
Festi plugins are volatile modules in the kernel-mode address space:
- downloaded each time the bot is activated
- never stored on the hard drive
The plugins are capable of:
- sending spam – BotSpam.dll
- performing DDoS attacks – BotDoS.dll
- providing proxy service – BotSocks.dll
![Page 32: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/32.jpg)
Flamer Framework Overview
![Page 33: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/33.jpg)
An overview of the Flamer Framework
The main types used in the Flamer Framework are:
- Command Executers: objects exposing an interface that allows the malware to dispatch commands received from C&C servers
- Tasks: objects of this type represent tasks executed in separate threads; they constitute the backbone of the main module of Flamer
- Consumers: objects which are triggered on specific events (creation of a new module, insertion of removable media, etc.)
- Delayed Tasks: objects representing tasks which are executed periodically with a certain delay
![Page 34: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/34.jpg)
An overview of the Flamer Framework
(Diagram of the framework's object containers:)
- Vector<Command Executor>: DB_Query, ClanCmd
- Vector<Task>: IDLER, CmdExec
- Vector<DelayedTasks>: EuphoriaShare, Supplier
- Vector<Consumer>: MobileConsumer, CmdConsumer, LuaConsumer, MediaConsumer
Other components named in the diagram: MunchSniffer, FileFinder, FileCollect, Driller, GetConfig, LSSSender, Frog, Beetlejuice
![Page 35: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/35.jpg)
Some of Flamer Framework Components
| Component | Purpose |
|---|---|
| Security | Identifies processes in the system corresponding to security software: antiviruses, HIPS, firewalls, system information utilities, etc. |
| Microbe | Leverages the voice recording capabilities of the system |
| Idler | Runs tasks in the background |
| BeetleJuice | Uses the Bluetooth facilities of the system |
| Telemetry | Logs all events |
| Gator | Communicates with C&C servers |
![Page 36: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/36.jpg)
Flamer SQLite Database Schema
![Page 37: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/37.jpg)
Flamer SQLite Database Schema
![Page 38: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/38.jpg)
REconstructing Flamer Framework
![Page 39: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/39.jpg)
Data Types Being Used
- Smart pointers
- Strings
- Vectors to maintain the objects
- Custom data types: wrappers, tasks, triggers, etc.
![Page 40: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/40.jpg)
Data Types Being Used: Smart pointers
```c
struct SMART_PTR
{
    void *pObject;   // pointer to the object
    int  *RefNo;     // pointer to the shared reference counter
};
```
![Page 41: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/41.jpg)
Data Types Being Used: Strings
```c
struct USTRING_STRUCT
{
    void    *vTable;         // pointer to the table of virtual routines
    int      RefNo;          // reference counter
    int      Initialized;
    wchar_t *UnicodeBuffer;  // pointer to the Unicode string
    char    *AsciiBuffer;    // pointer to the ASCII string
    int      AsciiLength;    // length of the ASCII string
    int      Reserved;
    int      Length;         // length of the Unicode string
    int      LengthMax;      // size of UnicodeBuffer
};
```
![Page 42: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/42.jpg)
Data Types Being Used: Vectors
```c
struct VECTOR
{
    void *vTable;         // pointer to the table of virtual routines
    int   NumberOfItems;  // self-explanatory
    int   MaxSize;        // self-explanatory
    void *vector;         // pointer to the buffer with the elements
};
```
Used to handle the objects: tasks, triggers, etc.
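Once these three layouts are known, a vector in a memory dump can be walked mechanically. The script below is an added example, not ESET's tooling: it reads a VECTOR whose elements are SMART_PTR entries pointing at USTRING_STRUCT objects and extracts the strings, cross-checking the fields that should agree (NumberOfItems against MaxSize, Length against LengthMax, Initialized). It assumes a 32-bit build with 4-byte ints and pointers and SMART_PTR elements stored inline in the vector buffer; the snapshot and its contents are constructed for the demo.

```python
"""Added example: walk a VECTOR of SMART_PTR entries to USTRING_STRUCT objects
in a memory snapshot and extract the strings.

Field layout follows the three structures above, assuming a 32-bit build with
4-byte ints and pointers and SMART_PTR elements stored inline in the vector
buffer (assumptions for this demo). The snapshot itself is constructed.
"""
import struct

VECTOR_FMT = "<IIII"        # vTable, NumberOfItems, MaxSize, vector
SMART_PTR_FMT = "<II"       # pObject, RefNo (pointer to the shared counter)
USTRING_FMT = "<IIIIIIIII"  # vTable, RefNo, Initialized, UnicodeBuffer, AsciiBuffer,
                            # AsciiLength, Reserved, Length, LengthMax


class Snapshot:
    """Bytes captured from one virtual address range."""

    def __init__(self, base, mem):
        self.base, self.mem = base, bytes(mem)

    def read(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError(f"{va:#010x}+{n} outside snapshot")
        return self.mem[off:off + n]

    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


def read_ustring(snap, va):
    """Decode one USTRING_STRUCT, checking the fields against each other."""
    (_vt, refno, initialized, ubuf, abuf, alen, _res, length, lenmax) = \
        struct.unpack(USTRING_FMT, snap.read(va, 36))
    if not initialized or length > lenmax:
        raise ValueError(f"inconsistent USTRING at {va:#010x}")
    text = snap.read(ubuf, 2 * length).decode("utf-16-le") if ubuf and length else ""
    ascii_ = snap.read(abuf, alen).decode("ascii") if abuf and alen else None
    return {"va": va, "refcount": refno, "text": text, "ascii": ascii_}


def walk_smart_ptr_vector(snap, vec_va, read_elem):
    """Yield (object, shared refcount) for each SMART_PTR held in a VECTOR."""
    _vt, count, max_size, buf = struct.unpack(VECTOR_FMT, snap.read(vec_va, 16))
    if count > max_size:
        raise ValueError(f"VECTOR at {vec_va:#010x}: {count} items in capacity {max_size}")
    for i in range(count):
        p_obj, p_refno = struct.unpack(SMART_PTR_FMT, snap.read(buf + 8 * i, 8))
        yield read_elem(snap, p_obj), snap.u32(p_refno)


def dump_string_vector(snap, vec_va):
    """All strings held by a VECTOR<SMART_PTR<USTRING_STRUCT>>, with both counters."""
    return [dict(obj, shared_refcount=rc)
            for obj, rc in walk_smart_ptr_vector(snap, vec_va, read_ustring)]


def build_sample_snapshot():
    """Constructed snapshot: a VECTOR with two smart pointers to strings (made-up addresses)."""
    base, mem = 0x00A00000, bytearray(0x1000)

    def put(va, data):
        mem[va - base:va - base + len(data)] = data

    put(0xA00000, struct.pack(VECTOR_FMT, 0xA0F000, 2, 4, 0xA00100))
    put(0xA00100, struct.pack(SMART_PTR_FMT, 0xA00200, 0xA00300) +
                  struct.pack(SMART_PTR_FMT, 0xA00240, 0xA00304))
    put(0xA00300, struct.pack("<II", 2, 1))                      # the shared counters
    put(0xA00200, struct.pack(USTRING_FMT, 0xA0F100, 1, 1, 0xA00400, 0, 0, 0, 9, 16))
    put(0xA00400, "Telemetry".encode("utf-16-le") + b"\x00\x00")
    put(0xA00240, struct.pack(USTRING_FMT, 0xA0F100, 1, 1, 0xA00440, 0xA00480, 5, 0, 5, 8))
    put(0xA00440, "Gator".encode("utf-16-le") + b"\x00\x00")
    put(0xA00480, b"Gator\x00")
    return Snapshot(base, mem)


if __name__ == "__main__":
    for row in dump_string_vector(build_sample_snapshot(), 0xA00000):
        print(f"{row['va']:#010x} rc={row['shared_refcount']} {row['text']!r} ascii={row['ascii']!r}")
```

The consistency checks matter more than they look: on a real dump a stale or freed entry shows up as Length > LengthMax, Initialized == 0 or a counter pointer into unmapped memory, and a walker that just dereferences everything produces plausible-looking garbage.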
![Page 43: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/43.jpg)
Using Hex-Rays Decompiler
- Identifying constructors/destructors: they usually follow a memory allocation; the pointer to the object is passed in ecx (sometimes in other registers)
- Reconstructing an object's attributes: create a custom type in "Local Types" for the object
- Analyzing an object's methods: create a custom type in "Local Types" for the table of virtual routines
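The first heuristic above can be automated. The script below is an added example (my code, not a Hex-Rays script, and it does not need IDA to run): it parses an IDA-style disassembly listing, and for every call to operator new follows the returned pointer through eax and whatever it is copied to; if ecx holds it at the next call, that call is a constructor candidate and the size pushed before operator new is the object size to use for the struct in "Local Types". The listing is constructed for the demo; the sub_ names and addresses are made up, while ??2@YAPAXI@Z is the real decorated name of operator new.

```python
"""Added example: flag constructor candidates in an IDA-style listing.

Heuristic from the slide: a constructor usually follows the allocation and
receives the object pointer in ecx (thiscall). The listing is constructed
for the demo; the size pushed before operator new is the object size.
"""
import re

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(\w+)\s*([^;]*)")
OPERATOR_NEW = {"??2@YAPAXI@Z", "??_U@YAPAXI@Z"}   # operator new, operator new[]

SAMPLE_LISTING = """
.text:00401000                 push    1Ch
.text:00401002                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:00401007                 add     esp, 4
.text:0040100A                 mov     [ebp+var_4], eax
.text:0040100D                 test    eax, eax
.text:0040100F                 jz      short loc_40101C
.text:00401011                 mov     ecx, [ebp+var_4]
.text:00401014                 call    sub_4020A0      ; this = new object -> constructor
.text:00401019                 mov     esi, eax
.text:0040101C loc_40101C:
.text:0040101C                 push    40h
.text:0040101E                 call    ??2@YAPAXI@Z
.text:00401023                 add     esp, 4
.text:00401026                 mov     edi, eax
.text:00401028                 mov     ecx, edi
.text:0040102A                 call    sub_402300
.text:0040102F                 push    100h
.text:00401034                 call    ??2@YAPAXI@Z
.text:00401039                 add     esp, 4
.text:0040103C                 push    100h
.text:00401041                 push    0
.text:00401043                 push    eax
.text:00401044                 call    _memset         ; plain buffer, not an object
.text:00401049                 add     esp, 0Ch
"""


def parse_imm(tok):
    """IDA immediates: '1Ch' is hex, '4' is decimal."""
    tok = tok.strip()
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)


def parse_listing(text):
    """(address, mnemonic, [operands]) per instruction; labels and comments are dropped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3).startswith(":"):      # skip labels such as loc_40101C:
            continue
        addr, mnem, ops = m.groups()
        insns.append((int(addr, 16), mnem.lower(),
                      [o.strip() for o in ops.split(",")] if ops.strip() else []))
    return insns


def find_constructors(insns, window=8):
    """For each call to operator new, follow eax (and whatever it is copied to)
    until the next call; if ecx holds the object there, report a constructor."""
    found = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call" or not ops or ops[0] not in OPERATOR_NEW:
            continue
        # the allocation size is the last push before the call
        size = next((parse_imm(insns[j][2][0]) for j in range(i - 1, max(i - 4, -1), -1)
                     if insns[j][1] == "push"), None)
        holders = {"eax"}                               # places currently holding the object
        for _addr, m2, o2 in insns[i + 1:i + 1 + window]:
            if m2 == "mov" and len(o2) == 2:
                if o2[1] in holders:
                    holders.add(o2[0])
                else:
                    holders.discard(o2[0])              # destination overwritten
            elif m2 == "call":
                if "ecx" in holders:
                    found.append({"site": addr, "ctor": o2[0], "size": size})
                break
    return found


if __name__ == "__main__":
    for c in find_constructors(parse_listing(SAMPLE_LISTING)):
        print(f"new at {c['site']:#010x}: {c['ctor']} is a constructor candidate, object size {c['size']:#x}")
```

The third allocation is deliberately a C-style buffer handed to memset, which the heuristic correctly ignores; in real code the same shape also appears for destructors (ecx loaded just before a call that precedes operator delete), and the size recovered here is the starting point for the struct whose fields are then filled in from the constructor body.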
![Page 44: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/44.jpg)
Using Hex-Rays Decompiler
![Page 45: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/45.jpg)
Reconstructing Object’s Attributes
![Page 46: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/46.jpg)
Reconstructing Object’s Attributes
![Page 47: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/47.jpg)
Reconstructing Object’s Methods
![Page 48: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/48.jpg)
Reconstructing Object’s Methods
![Page 49: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/49.jpg)
Reconstructing Object’s Methods
![Page 50: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/50.jpg)
DEMO
![Page 51: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/51.jpg)
Relationship
Stuxnet/Duqu/Gauss/Flamer
![Page 52: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/52.jpg)
Source Code Base Differences
![Page 53: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/53.jpg)
Exploit Implementations
| Stuxnet | Duqu | Flame | Gauss |
|---|---|---|---|
| MS10-046 (LNK) | MS11-087 (Win32k.sys) | MS10-046 (LNK) | MS10-046 (LNK) |
| MS10-061 (Print Spooler) | | MS10-061 (Print Spooler) | |
| MS08-067 (RPC) | | MS08-067 (RPC) | |
| MS10-073 (Win32k.sys) | | | |
| MS10-092 (Task Scheduler) | | | |
![Page 54: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/54.jpg)
Exploit Implementations: Stuxnet & Duqu
- The payload is injected into processes from both the kernel-mode driver and the user-mode module
- Hooks: ZwMapViewOfSection, ZwCreateSection, ZwOpenFile, ZwClose, ZwQueryAttributesFile, ZwQuerySection
- Executes LoadLibraryW, passing as the parameter either KERNEL32.DLL.ASLR.XXXXXXXX or SHELL32.DLL.ASLR.XXXXXXXX
![Page 55: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/55.jpg)
![Page 56: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/56.jpg)
Injection mechanism: Flame
- The payload is injected into processes from the user-mode module
- The injection technique is based on VirtualAllocEx, WriteProcessMemory/ReadProcessMemory and CreateRemoteThread/RtlCreateUserThread
- The injected module is disguised as shell32.dll
- Hooks the entry point of msvcrt.dll by modifying the PEB
![Page 57: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/57.jpg)
![Page 58: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/58.jpg)
Exploit Implementations: Gauss
- The payload is injected into processes from a user-mode module
![Page 59: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/59.jpg)
![Page 60: Win32/Flamer: Reverse Engineering and Framework Reconstruction](https://reader036.vdocuments.us/reader036/viewer/2022062405/55757900d8b42adb7e8b4a5a/html5/thumbnails/60.jpg)
Thank you for your attention!
Aleksandr Matrosov @matrosov
Eugene Rodionov @vxradius