malware: the good, the bad and the ugly
DESCRIPTION
Pete Arzamendi, CISSP, QSA, PA-QSA, GREM, is a consultant at 403 Labs with over 10 years of experience in systems administration, computer engineering, and information systems security. Pete regularly conducts penetration testing of systems and applications, security assessments, forensic investigations, and compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). This presentation was given at the Milwaukee InfraGard meeting held at Milwaukee Area Technical College (MATC) on August 16, 2012. In it, Pete discusses different types of malware as well as malware and memory analysis, including an overview of analysis tools and some examples pulled from his past experiences.
TRANSCRIPT
Malware: The Good, the Bad and the Ugly
Pete Arzamendi
403 Labs, LLC
About Me
• Consultant and forensic investigator at 403 Labs
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Certified Information Systems Security Professional (CISSP)
  – GIAC Reverse Engineering Malware (GREM)
About Me
• Former packet monkey, with more than 10 years of experience in the IT field
• Worked with small/medium businesses, and local and state authorities on computer forensic cases and security assessments
• Hobbies include malware analysis, vulnerability research and hiking
About 403 Labs, LLC
• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco
• Experts in the Payment Card Industry (PCI)
  – PCI Forensics Investigator (PFI)
  – Qualified Security Assessor (QSA)
  – Payment Application Qualified Security Assessor (PA-QSA)
  – Approved Scanning Vendor (ASV)
  – Qualified Security Assessor Point to Point Encryption (QSA (P2PE))
  – Payment Application Qualified Security Assessor Point to Point Encryption (PA-QSA (P2PE))
About 403 Labs, LLC
• Compliance assessments (HIPAA, GLBA, SOX, etc.)
• Computer forensic investigations
• Penetration testing including web application testing and social engineering
• Vulnerability scanning
• Code reviews
• IT audits
• Risk assessments
• Policies & procedures
Agenda
• Overview of malware
• Analysis approaches
• User versus kernel space
• Establishing persistence
• Memory analysis
• Examples
• Tools for analysis
• Resources
• Questions
Malware
• Wikipedia definition:
  – Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
Malware Types
• Data-stealing
  – User credentials
  – Credit card numbers
  – Transferring funds
  – Confidential information
• Remote access
  – Bots
• Profit-based
  – Ransom/extortion
  – Advertisements
Analysis Approaches
• Static analysis
  – Review PE headers
  – Search for clear-text strings
  – Static code review
• Behavioral analysis
  – Registry monitoring
  – File system monitoring
  – Network monitoring
Analysis Approaches
• Which is better?
  – Up to you and your comfort level
• People with a light programming background may choose to start with behavioral analysis
  – I prefer to start with static analysis
    • If stuck, I move to behavioral analysis to fill in the pieces
User Versus Kernel Space Malware
• User space
  – Runs as a normal user, no special privileges
  • Keyloggers
    – Use the Windows APIs GetAsyncKeyState and GetKeyState to read keystrokes
  • Process scraping for data
    – Accesses each process the user is running, looking for data
  • Attempts to blend into the background
    – Renames its executable to match a known Windows executable
  • Easier to write and more stable than rootkits
User Versus Kernel Space Malware
• Kernel space
  – Requires and runs under elevated privileges
  • Rootkits
    – Difficult to get right
    – Attempt to cloak the malware
      » System Service Descriptor Table (SSDT) hooking: changing Nt* function pointers in the SSDT to point to the malware
      » Interrupt Descriptor Table (IDT) hooking: modifying an interrupt service routine pointer to point to the malware
User Versus Kernel Space Malware
• Modify the forward and back links of the LIST_ENTRY in the EPROCESS structure to hide a process
Achieving Persistence
• Now that the malware is installed, how do we achieve persistence?
• Several ways to achieve persistence
  – Registry settings
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – Install the malware as a service
    • Windows CreateService API
Memory Analysis
• Forensicswiki.org definition:
  – Memory analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer.
• Pete’s definition:
  – Looking at the man behind the curtain and getting intimate with the operating system.
What is Memory Analysis?
• Why is memory analysis useful?
  – Memory contains a wealth of information
• Process information
  – What applications are running
  – Who is running the applications
  – What data the process is working with
  – Ability to recreate the process executable
• Network information
  – Active connection information
  – Listing of open ports and listener activity
• Account information
  – Usernames
  – Passwords
• Encryption keys
  – Full disk encryption keys
Analyzing Memory
• What are we looking for?
  – Malicious “stuff”
    • API hooks
    • DLL injections
    • Hidden processes
    • Active listeners
  – Non-malicious “stuff”
    • Encryption keys
    • User account information
Analyzing Memory
• So how do we find the goods?
  – Old-school way (very time consuming)
    • Strings
    • Manually rebuild each process’s structures
  – New methods (let the tools do the heavy lifting)
    • Mandiant Audit Viewer/Redline
    • Volatility
    • EnCase/FTK
    • Several others
Analyzing Memory
• Mandiant
  – Audit Viewer
    • Requires Memoryze
    • Enumerates processes and drivers; DLL hooking detection
    • Easy to use but clunky
    • Windows only
Audit Viewer
Analyzing Memory
• Mandiant
  – RedLine
    • Easier to use than Audit Viewer
    • Support for other tools (IOCs)
    • Nice graph view of what’s going on
    • Customizable audits
    • Windows only
RedLine
Analyzing memory
• Volatility (awesome!)
  – Cross-platform, written in Python
  – Modular design
  – Open source
  – Large development community (very smart people making modules)
  – Command line
  – Volatility from here on out!
  – Now supports 64-bit
Volatility
Find the Hidden Process
• Compare the difference between psscan and pslist output
• Easier way: psdiff
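Why comparing psscan against pslist exposes a process hidden by unlinking its EPROCESS links, as an added illustration (not code from the talk or from Volatility): pslist walks the kernel's doubly linked process list, so an entry whose forward/back links have been bypassed vanishes from the walk, while psscan carves every process object out of the memory image regardless of links. The process objects, names and PIDs below are constructed; no real memory image is read.

```python
# Simulated EPROCESS list walk (pslist) versus pool scan (psscan), and their diff.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Eprocess:
    pid: int
    name: str
    flink: Optional["Eprocess"] = field(default=None, repr=False)  # forward link
    blink: Optional["Eprocess"] = field(default=None, repr=False)  # back link

def build_process_list(entries) -> Tuple[Eprocess, List[Eprocess]]:
    """Link (pid, name) pairs into a circular doubly linked list; return head and pool."""
    procs = [Eprocess(pid, name) for pid, name in entries]
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    return procs[0], procs

def unlink(proc: Eprocess) -> None:
    """DKOM-style hide: neighbours point past proc, but the object stays in memory."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink

def pslist(head: Eprocess) -> Set[Tuple[int, str]]:
    """Walk the list from head, as pslist does; an unlinked entry is never reached."""
    seen, cur = set(), head
    while True:
        seen.add((cur.pid, cur.name))
        cur = cur.flink
        if cur is head:
            return seen

def psscan(pool: List[Eprocess]) -> Set[Tuple[int, str]]:
    """Scan every allocated object, as psscan does, ignoring the links entirely."""
    return {(p.pid, p.name) for p in pool}

def psdiff(head: Eprocess, pool: List[Eprocess]) -> Set[Tuple[int, str]]:
    """Processes the scan finds but the list walk misses: hidden (or recently exited)."""
    return psscan(pool) - pslist(head)

def demo() -> Set[Tuple[int, str]]:
    # Constructed sample: hkcmd.exe is the name the talk's process scraper used.
    head, pool = build_process_list(
        [(4, "System"), (612, "csrss.exe"), (1337, "hkcmd.exe"), (2040, "explorer.exe")])
    unlink(pool[2])            # the rootkit hides its own process
    return psdiff(head, pool)  # -> {(1337, "hkcmd.exe")}
```

A hit in psscan but not pslist is not automatically malicious: a process that exited shortly before the capture can still have its object in memory, so confirm with the other artifacts (handles, DLLs, network connections) before calling it hidden.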
Example 1
• Resource section of the executable
  – Normally used for raw resource data:
    • Icons, bitmaps, dialog boxes
• Malware sample used the resource section to store email and IP addresses
Example 1
• Known and widely used malware
  – Perfect Keylogger
  – Process scraper – hkcmd.exe
• Malware sent data to foreign IP addresses via HTTP and SMTP
• One of several similar cases
Example 2
• Encoded files
  – Perfect Keylogger configuration file encoded with a simple XOR
  – 0 XOR AA = AA, thus AA was the key to decrypt the configuration and data files
Example 2
• Decode configuration file and data files
• Configured to send its log information to an IP address in Canada and the email address michaeljackson***********@yahoo.com
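The two static-analysis steps from Example 1 and Example 2, recovering a single-byte XOR key and then carving IP and email addresses out of the decoded bytes, as an added example (not code from the talk). It relies on the same observation the talk makes: the file contains long runs of 0x00 padding and 0 XOR key = key, so the most frequent byte of the encoded file is the key. The configuration contents, the IP and the email address are constructed placeholders.

```python
# Single-byte XOR key recovery plus IOC extraction for a keylogger-style config file.
import re
from collections import Counter
from typing import List, Tuple

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")          # also matches versions like 1.2.3.4
EMAIL_RE = re.compile(rb"[A-Za-z0-9._*%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")  # '*' allows redacted names

def guess_xor_key(data: bytes) -> int:
    """Most common byte of the encoded file; correct when zero padding dominates the plaintext."""
    return Counter(data).most_common(1)[0][0]

def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the single-byte key (the same call encodes and decodes)."""
    return bytes(b ^ key for b in data)

def extract_iocs(plain: bytes) -> Tuple[List[str], List[str]]:
    """Pull unique IPv4 and email strings out of decoded bytes."""
    ips = sorted({m.decode() for m in IPV4_RE.findall(plain)})
    mails = sorted({m.decode() for m in EMAIL_RE.findall(plain)})
    return ips, mails

def analyze(encoded: bytes) -> Tuple[int, List[str], List[str]]:
    """Recover the key, decode, and report where the sample is configured to ship data."""
    key = guess_xor_key(encoded)
    ips, mails = extract_iocs(xor_decode(encoded, key))
    return key, ips, mails

# Constructed sample: a fake config with plenty of zero padding, encoded with key 0xAA.
# 203.0.113.7 is a documentation-range address and the mailbox is a placeholder.
SAMPLE_PLAIN = (b"[ftp]\x00host=203.0.113.7\x00" + b"\x00" * 40 +
                b"[mail]\x00to=drop-placeholder@example.com\x00" + b"\x00" * 40)
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, 0xAA)

if __name__ == "__main__":
    print(analyze(SAMPLE_ENCODED))  # (170, ['203.0.113.7'], ['drop-placeholder@example.com'])
```

The same functions work on the data files the keylogger wrote, since the talk notes they used the same key; if the most common byte is not 0x00 in the plaintext (a file without padding), the guessed key will be wrong and the output will not decode to readable strings.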
Example 2
• Shipping the goods
  – Process scraping malware sending data via FTP
  – Once the malware sends the file it removes it from disk
  – Investigating swap and unallocated space comes in handy
Example 2
• Keep on trucking
  – The malware creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – This will cause the malware to run every time a user logs into the system
• Hides under c:\windows to appear legitimate
Example 2
Example 3
• Malware
  – Known process scraping malware package
  – Malware was running as a service
  – Retrieved data via remote access
Example 3
• Malware searching memory for credit card numbers
Example 3
• Malware taking hold
  – Example of the malware installing itself as a service to survive reboots
What’s on the Horizon?
• More browser-based attacks
  – Browser-specific attacks
  – Java
  – Flash
• More malicious documents
  – Microsoft Office documents
  – Adobe PDFs
What’s on the Horizon?
• More mobile device attacks
  – Android
  – Apple iOS
  – Windows Mobile
• Stealthier malware
  – Resident only in memory and not on disk
Useful Tools – Malware Analysis in Windows
• Static analysis
  – IDA Pro
  – PEiD
  – PEview
  – Volatility
  – RedLine
Useful Tools – Malware Analysis in Windows
• Dynamic analysis
  – WinDbg
  – OllyDbg
  – Immunity Debugger
  – SysInternals Suite (Strings, Autoruns, Process Monitor, Process Explorer)
  – Regshot
  – LordPE
Resources
• Microsoft Windows Developers Network
  – msdn.microsoft.com
• Openrce.org
  – http://www.openrce.org/articles/
• Volatility
  – http://code.google.com/p/volatility/
• Offensivecomputing.net
  – http://www.offensivecomputing.net
• Windows - Managing Virtual Memory
  – http://msdn.microsoft.com/en-us/library/ms810627.aspx
• REMnux
  – http://zeltser.com/remnux/
Resources
• Intel Assembly manuals
  – http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html/
• IDA Blog
  – http://www.hexblog.com/?cat=3
• IDA disassembler and debugger
  – http://www.hex-rays.com/products/ida/index.shtml
• Immunity Debugger and OllyDbg
  – http://www.immunitysec.com/products-immdbg.shtml
  – http://www.ollydbg.de/
Questions?
Thank you for staying awake!
Peter “bokojan” Arzamendi parzamendi[at]403labs[dot]com
403 Labs, LLC
www.403labs.com
877.403.LABS