Malware Armor Blackhat Presentation 2015_08_15
Slide 1: Malware Armor (Blackhat)
Tyler Halfpop, Fidelis Cybersecurity
Slide 2: $ whoami
• Threat Researcher for Fidelis CyberSecurity
• Working on doctorate in computer science
• SANS Lethal Forensicator
• Certifications – CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop
Slide 3: What is Malware Armor?
Malware protections designed to:
1. Make malware more difficult to detect
2. Make malware more difficult to analyze and understand what it is doing.
Slide 4: Malware Analysis
1. Dynamic Analysis – safely watch what it does
2. Static Analysis – what can we learn about it without running it
Slide 5: Malware Armor in the Wild
(Chart from Branco, Barbosa, & Neto 2012)
Slide 6: Types of Malware Armor
(Chart from Branco, Barbosa, & Neto 2012)
Slide 7: Anti-Virtualization
• Detecting virtualization artifacts or using anti-VM instructions (Red Pill, No Pill, etc.)
• Becoming less common because of the increased usage of virtualization
Slide 8: Emotet Anti-Virtualization Example (Kaspersky)
Hash values and the VM-related process names they correspond to (Shulmin, 2015):
0xBCF398B5 = vboxservice.exe
0x2C967737 = vmacthlp.exe
0xE3EBFE44 = vmtoolsd.exe
0x61F15513 = vboxtray.exe
- If a VM is detected, the malware contacts fake C2 servers to confuse analysts (Shulmin, 2015).
Slide 9: Anti-Debugging
- Detect when under the control of a debugger, or mess with debuggers
- Tons of techniques, but a few are most common
- The “Ultimate” Anti-Debugging Reference by Peter Ferrie (2011) details many of the techniques in a 147-page PDF
Slide 10: Anti-Debugging Windows API
IsDebuggerPresent() – returns nonzero if the current process is running in a debugger
There are other APIs as well to look out for.
Decompiled: (decompiler screenshot not captured in this transcript)
Slide 11: Manually Checking the Process Environment Block (PEB)

```c
/* Documented layout of the 32-bit PEB; BeingDebugged sits at offset 2,
   which is what IsDebuggerPresent() reads internally. */
typedef struct _PEB {
    BYTE                          Reserved1[2];
    BYTE                          BeingDebugged;
    BYTE                          Reserved2[1];
    PVOID                         Reserved3[2];
    PPEB_LDR_DATA                 Ldr;
    PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
    BYTE                          Reserved4[104];
    PVOID                         Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE                          Reserved6[128];
    PVOID                         Reserved7[1];
    ULONG                         SessionId;
} PEB, *PPEB;
```

```asm
mov   eax, dword ptr fs:[30h]   ; fs:[30h] holds the PEB pointer in a 32-bit process
movzx ebx, byte ptr [eax+2]     ; PEB.BeingDebugged is one byte; movzx, since ebx is 32-bit
test  ebx, ebx
jz    NoDebuggerDetected        ; zero means no debugger attached
```
(Sikorski & Honig, 2012)
Slide 12: Timing Checks
time.debug > time.run

```asm
rdtsc                       ; ticks since reboot stored in edx:eax (only eax, the low 32 bits, is used here)
xor   ecx, ecx
add   ecx, eax              ; save the first timestamp
rdtsc
sub   eax, ecx              ; elapsed ticks between the two reads
cmp   eax, 0xFFF
jb    NoDebuggerDetected    ; a small delta means nobody single-stepped through this
rdtsc
push  eax
ret                         ; otherwise "return" to an arbitrary address and crash
```
(Sikorski & Honig, 2012)

Windows API GetTickCount() can be used in a similar fashion.
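A defender's static check for the idioms on the PEB, timing-check and API slides, as an added example that is not from the presentation. It scans a raw 32-bit x86 code buffer for the `fs:[30h]` PEB fetch, closely spaced `rdtsc` pairs, and the anti-debugging API names; the opcode encodings are hand-assembled and the sample buffer is constructed from the slides' listings (both assumptions of this example).

```python
"""Static scan of a raw 32-bit x86 code buffer for anti-debugging idioms.
Added example; byte encodings are hand-assembled (assumption)."""

# Opcode signatures for the instructions shown on the slides (32-bit x86).
SIGNATURES = {
    "peb_fetch": bytes.fromhex("64A130000000"),  # mov eax, dword ptr fs:[30h]
    "rdtsc":     bytes.fromhex("0F31"),          # rdtsc
}
API_STRINGS = [b"IsDebuggerPresent", b"GetTickCount"]  # names from the API slides

def find_all(buf, needle):
    """Return every offset of needle in buf (overlapping matches included)."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits

def scan(buf, rdtsc_window=16):
    """Return [(finding_name, evidence), ...] for the armor idioms found in buf."""
    findings = []
    peb = find_all(buf, SIGNATURES["peb_fetch"])
    if peb:  # reading the PEB by hand avoids importing IsDebuggerPresent
        findings.append(("peb_being_debugged", peb))
    ticks = find_all(buf, SIGNATURES["rdtsc"])
    # Two rdtsc reads close together are the shape of a timing check.
    pairs = [(a, b) for a, b in zip(ticks, ticks[1:]) if b - a <= rdtsc_window]
    if pairs:
        findings.append(("rdtsc_timing_check", pairs))
    apis = [s.decode() for s in API_STRINGS if s in buf]
    if apis:
        findings.append(("anti_debug_api_strings", apis))
    return findings

# Constructed sample: the PEB check followed by the timing check from the slides.
SAMPLE = bytes.fromhex(
    "64A130000000"  # mov eax, dword ptr fs:[30h]
    "0FB65802"      # movzx ebx, byte ptr [eax+2]
    "85DB"          # test ebx, ebx
    "7402"          # jz NoDebuggerDetected
    "9090"          # padding
    "0F31"          # rdtsc
    "31C9"          # xor ecx, ecx
    "01C1"          # add ecx, eax
    "0F31"          # rdtsc
    "29C8"          # sub eax, ecx
    "3DFF0F0000"    # cmp eax, 0FFFh
    "7204"          # jb NoDebuggerDetected
    "0F31"          # rdtsc
    "50"            # push eax
    "C3"            # ret
)

if __name__ == "__main__":
    for name, evidence in scan(SAMPLE):
        print(name, evidence)
```

Signature hits are leads for an analyst, not proof: legitimate code also reads `rdtsc`, so the paired-read window and the PEB fetch together carry more weight than either alone.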
Slide 13: Anti-Disassembly
• Techniques to make disassemblers mess up
• Disassemblers must make assumptions on how to display code
• There is no alignment, and instructions have a variable length of bytes
Slide 14: Two Types of Disassemblers
• Linear (objdump)
  • Disassembles code straight through from the beginning to the end
• Recursive Traversal (IDA)
  • Intelligently goes over and follows the code, discovering what should be disassembled
Slides 15–17: Shiva Anti-RE
(Screenshots from Eagle, 2011)
Slide 18: Obfuscation
• Obscuring programs to make them more difficult to analyze
• Simple substitutions (Caesar, XOR, Base64)
• Real cryptography
• Custom encoding
• Insert junk code
Slide 19: XOR Loop Strings
(Screenshot from Lipovsky & Cherepanov, 2015)
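An analyst-side decoder for the single-byte XOR string loops on the Obfuscation and XOR Loop Strings slides, as an added example that is not from the presentation or the cited report. It recovers the key from a crib (a substring the analyst expects, such as ".dll" or "http") and decodes the NUL-terminated string table; the sample blob is constructed here by encoding made-up strings with key 0x5A (an assumption of this example).

```python
"""Recover a string table hidden by a single-byte XOR loop using a crib.
Added example; the sample blob below is constructed, not from a real sample."""

def xor_bytes(data, key):
    """The same single-byte XOR loop the malware runs; it is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_key(blob, crib):
    """For single-byte XOR, one crib byte fixes the key; confirm on the whole crib."""
    for off in range(len(blob) - len(crib) + 1):
        key = blob[off] ^ crib[0]
        if xor_bytes(blob[off:off + len(crib)], key) == crib:
            return key
    return None  # crib not present under any key

def decode_strings(blob, key):
    """Decode the whole table and split on the NUL terminators it was stored with."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]

def recover_strings(blob, crib):
    """Return (key, strings); (None, []) when the crib does not match."""
    key = recover_key(blob, crib)
    return (key, decode_strings(blob, key) if key is not None else [])

# Constructed sample: NUL-terminated strings encoded with key 0x5A. The
# terminators become 0x5A bytes, a common tell for the key in real tables.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(
    b"kernel32.dll\x00IsDebuggerPresent\x00http://c2.example.invalid/gate\x00",
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print(recover_strings(SAMPLE_BLOB, b".dll"))
```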
Slide 20: Packers
• Used to shrink malware
• Make detection more difficult
• Make analysis more difficult
• Often combine multiple armoring techniques
Slide 21: Packers
(Chart from Branco, Barbosa, & Neto 2012)
Slide 23: Top Packers
(Chart from Branco, Barbosa, & Neto 2012)
Slide 24: UPX
Slide 25: UPX Unpacked
Slide 26: Conclusion
• Modern malware is often armored and protected with anti-VM, anti-debugging, anti-disassembly, obfuscation, and packers.
• Malware still needs to execute its business, so there is usually a way for skilled analysts to make it reveal its secrets in order to create indicators and better understand attacks.
• Malware also still needs to communicate on the network, where we can pick that up.
Slide 27: References
Branco, R. R., Barbosa, G. N., & Neto, P. D. (2012). Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies. Black Hat USA.
Eagle, C. (2011). The IDA Pro book: The unofficial guide to the world's most popular disassembler. San Francisco: No Starch Press.
Ferrie, P. (2011). The ultimate anti-debugging reference.
Hale Ligh, M., Case, A., Levy, J., & Walters, A. (2014). Art of memory forensics: Detecting malware and threats in Windows, Linux, and Mac memory.
Lipovsky, R., & Cherepanov, A. (2015). Operation Potao Express. Retrieved from http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
Sikorski, M., & Honig, A. (2012). Practical malware analysis: The hands-on guide to dissecting malicious software. San Francisco: No Starch Press.
Shulmin, A. (2015, April 9). The banking Trojan Emotet: Detailed analysis. Retrieved June 7, 2015, from https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
Slide 28: Questions? Thank you!
@tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com