Reverse Engineering Malware and Mitigation Techniques
Jacek Milunski – NATO Computer Incident Response Center
Andrzej Dereszowski – NATO Computer Incident Response Center
Raf Cox – Microsoft BeLux
SIA404
Overview
Who are we?
Why malware reverse-engineering is important
Mitigation techniques
Demos:
Malware-dropper versus AppLocker
ShellCode versus EAF (EMET)
Buffer-overrun versus DEP (EMET)
Buffer-overrun versus Heapspray pre-allocation (EMET)
ROP exploit versus DEP and Mandatory ASLR (EMET)
Conclusions
NATO Computer Incident Response Capability
[Map slide: NATO operations supported (NTM-I, Operation Ocean Shield, Darfur / support to African Union, KFOR, ISAF, OUP / Libya, EUFOR), NCIRC sites (Norfolk, Naples, Lisbon, Brunssum, Mons) and NATO HQ & Agencies (NATO HQ, NC3A, NAMSA, NETMA, …)]
Incident Response Services
System Engineering: system hardening, enterprise-wide security tools, forensics analysis, advice to projects
Incident Detection & Response: intrusion detection, incident handling, web site monitoring, email monitoring
Vulnerability Management: assessments and testing, security awareness, Cyber Defence Exercises
Cycle: Prevent, Detect, Respond, Recover, Feedback
Mitigation techniques
Malware blocked by (layers, from bottom up):
Patching
Antivirus
Standard User
System Hardening
Advanced mitigation
Still vulnerable (what remains after all layers)
Overview
We will deep-dive into actual malware code: How does it work? What exploit techniques does it use? Look under the hood at what is going on and how the malware executes.
How do countermeasures block these exploits? Focus on AppLocker, DEP, Heapspray pre-allocation and Mandatory ASLR (the last three enforced through EMET).
WARNING
• DO NOT TRY THIS AT HOME OR AT THE OFFICE!
• We've selected actual malware targeted at NATO that has been analyzed (so we know what it does)
• Testing malware can and will infect your systems
• Malware testing and reverse engineering must only be done on fully isolated systems
• We selected a few (real) samples that are relevant for the purpose of this presentation (mainly based on older PDF exploits)
Case 1: malware-dropper versus AppLocker
Targeted PDF with CVE-2010-2883 (Adobe Reader CoolType TTF vulnerability)
[Demo diagram: Adobe.pdf, Winword.js, ~temqp.tmp, OWNED!]
Malware-dropper
Application Control policies
Controls the execution environment
Supports multiple scenarios:
Blacklisting (deny specific known-bad apps)
Whitelisting (only allow approved apps)
Code-signed apps only
Location-based (e.g. only allow apps to run from %programfiles% and %windir%)
AppLocker rules:
Block or allow
Apply to <user> or <group>
Rule type: path, publisher (code-signed) or hash
Exceptions (combination of rule types)
Malware-dropper blocked by AppLocker
Enhanced Mitigation Experience Toolkit
In the following samples, we will use several advanced protection mechanisms that are built into the OS or enforced through EMET.
EMET (Enhanced Mitigation Experience Toolkit) is a free tool that will:
enhance existing memory-protection mechanisms (e.g. mandatory ASLR, DEP opt-in, …)
introduce new protection mechanisms (EAF, heapspray pre-allocation, …)
http://www.microsoft.com/en-us/download/details.aspx?id=29851
Case 2: ShellCode sample
We use proof-of-concept exploit code (http://skypher.com/index.php/2010/11/17/bypassing-eaf/)
Test application (w32-testival) loads the shellcode sample into memory (RWE access) and jumps to the shellcode
[Diagram: process memory (code, stack, heap containing the shellcode) and the modules NTDLL and Kernel32 with their EATs; the shellcode reads the EATs to find the APIs it needs]
Case 2: ShellCode vs EAF protection (EMET)
EMET will set a hardware breakpoint on the Export Address Tables of NTDLL and Kernel32
If the access originates from code pages or application modules: succeed
If it originates from the stack or heap: STOP
Can be circumvented by evading hardware breakpoints…
[Diagram: same process layout; with EAF enabled, the shellcode's read of the NTDLL and Kernel32 EATs from the heap is stopped]
Malware scanning Export Address Tables versus EAF
Case 3: buffer-overrun vs DEP
Targeted malicious PDF document fires a CVE-2009-4324 exploit
Adobe Reader this.MediaPlayer.new() vulnerability
The exploit uses classic heap spraying to prepare execution of the shellcode
Successfully executed on Windows XP SP3 with Adobe Reader 8 (works also with 9)
Case 3: Heap spraying explained
[Diagram: process memory (code, heap); the exploit fills the heap with many blocks of 0x0c0c0c0c, each followed by a nop slide and the shellcode, so that a jump to 0x0c0c0c0c lands in the sled]
Buffer overflow
Case 3: buffer-overrun vs DEP (EMET enabled)
After enabling DEP with EMET, the exploit fails to execute
Access violation exception when executing address 0x0c0c0c0c
DEP blocks the execution of code located on the heap
Buffer overflow (EMET DEP enabled)
Case 4: How about heap spraying pre-allocation?
The same PDF is used to test if the HeapSpray protection stops the attack
Adobe Reader wants to jump to 0x0c0c0c0c but … there is no memory allocated at this address
HeapSpray protection stops the attack as well
Can be employed as a second layer to block this attack
Drawback: easy to circumvent if the attacker knows we are using it
Buffer overflow (EMET HeapSpraying enabled)
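The sled-detection logic below is an added example written for this transcript; it is not the presenters' tooling and not part of EMET. It models what an analyst does with a memory dump taken from a process hit by a spray like the one in Case 3: find the longest run of a single repeated DWORD, check whether that run covers the address the exploit jumps to (0x0c0c0c0c here), and report where the sled ends so the payload that follows it can be carved. The region contents, the base address 0x0c0c0000 and the payload marker are constructed test data; with a real dump the bytes would come from a file.

```python
import struct

# Addresses sprays commonly aim at: the bytes double as a NOP-like sled and
# as a pointer value (the deck's sample jumps to 0x0c0c0c0c).
KNOWN_SPRAY_TARGETS = {0x0C0C0C0C, 0x0D0D0D0D, 0x0A0A0A0A, 0x0B0B0B0B}


def find_sled(region, min_run=1024, ignore=frozenset({0x00000000})):
    """Return (pattern, start, end) for the longest run of one repeated
    little-endian DWORD in `region` (scanned at 4-byte alignment), or None
    if that run is shorter than `min_run` bytes. Runs of patterns in
    `ignore` are skipped so zero-filled fresh heap pages do not alert."""
    best = None

    def consider(pattern, start, end):
        nonlocal best
        if pattern in ignore:
            return
        if best is None or end - start > best[2] - best[1]:
            best = (pattern, start, end)

    n = len(region) - len(region) % 4
    prev, run_start = None, 0
    for off in range(0, n, 4):
        dword = struct.unpack_from("<I", region, off)[0]
        if dword != prev:
            if prev is not None:
                consider(prev, run_start, off)
            prev, run_start = dword, off
    if prev is not None:
        consider(prev, run_start, n)
    if best is None or best[2] - best[1] < min_run:
        return None
    return best


def analyse_region(region, base, min_run=1024):
    """Classify one memory region located at virtual address `base`.
    For a sprayed region, report where the sled ends: that is where an
    analyst starts carving the payload that the sled slides into."""
    sled = find_sled(region, min_run)
    if sled is None:
        return {"sprayed": False}
    pattern, start, end = sled
    known = pattern in KNOWN_SPRAY_TARGETS
    return {
        "sprayed": True,
        "pattern": pattern,
        "known_target": known,
        # Does the address the exploit jumps to (the pattern itself) land
        # inside this sled? With pre-allocation (EMET) it would not.
        "target_in_sled": known and base + start <= pattern < base + end,
        "sled_start": base + start,
        "sled_end": base + end,
        "sled_fraction": (end - start) / len(region),
        "payload_preview": bytes(region[end:end + 16]),
    }


# Constructed sample data (not a real dump): a 64 KiB sled of 0x0c bytes
# followed by an ASCII marker standing in for the payload.
SPRAY_REGION = b"\x0c" * 65536 + b"STUB-NOT-SHELLCODE"
SPRAY_BASE = 0x0C0C0000

# Constructed benign region: consecutive DWORDs all differ, no sled.
CLEAN_REGION = b"".join(
    struct.pack("<I", (i * 2654435761) & 0xFFFFFFFF) for i in range(4096)
)

if __name__ == "__main__":
    for name, region, base in (("spray", SPRAY_REGION, SPRAY_BASE),
                               ("clean", CLEAN_REGION, 0x00400000)):
        print(name, analyse_region(region, base))
```

The scan is aligned to 4 bytes because the spray writes whole DWORDs, and a region is only reported when the run exceeds `min_run`, so short repeated values in ordinary data do not trigger. Zero runs are ignored by default since freshly committed heap pages are zero-filled.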
Case 5: Fixed ROP gadgets vs ASLR
ASLR available since Windows Vista
Exploit: targeted PDF with CVE-2010-2883 (Adobe Reader CoolType TTF vulnerability)
Despite DEP enabled and default ASLR settings, the exploit successfully executes (thanks to ROP shellcode and a DLL that is not relocated: icucnv36.dll)
Case 5: ROP explained
Buffer overflow with ROP exploit (EMET DEP enabled)
Case 5: Fixed ROP gadgets vs ASLR (DEP + Mandatory ASLR enabled)
DEP + Mandatory ASLR stops the exploit!
The program jumps into a nonexistent address: the shellcode had hardcoded addresses into icucnv36.dll
EMET forces icucnv36.dll to be relocated
Adobe Reader jumps into the void …
Buffer overflow with ROP exploit (EMET DEP + Mandatory ASLR enabled)
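The header check below is an added example written for this transcript, not code from the presenters or from EMET. It reads the PE headers of loaded modules and reports which ones lack IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, so they keep a fixed base under default opt-in ASLR as icucnv36.dll did in this demo, and which lack NX_COMPAT (the DEP opt-in flag relevant to Case 3). It also notes whether relocation data survived, because Mandatory ASLR can only force a rebase of an image that still carries a .reloc section. The sample module headers are constructed minimal images for offline testing and the names fixed_base_stub.dll, aslr_dep_stub.dll and x64_stub.dll are placeholders; on a real system the bytes would come from reading each DLL in the application's directory.

```python
import struct

# Flag bits from the PE format (IMAGE_DLLCHARACTERISTICS_* / IMAGE_FILE_*).
DYNAMIC_BASE = 0x0040                # image may be rebased at load (ASLR)
NX_COMPAT = 0x0100                   # image opts in to DEP
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # no .reloc data: cannot be rebased
IMAGE_FILE_DLL = 0x2000


def inspect_pe(data):
    """Parse the COFF and optional headers of a PE image and return the
    mitigation-relevant flags. Raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 of the optional header for both
    # PE32 (0x10B) and PE32+ (0x20B).
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Under default (opt-in) ASLR this image loads at its preferred
        # base, so its gadget addresses are predictable; EMET's Mandatory
        # ASLR forces a rebase, which only works if .reloc survived.
        "needs_mandatory_aslr": not dynamic_base,
        "rebase_possible": not relocs_stripped,
    }


def modules_with_fixed_base(modules):
    """Given {name: image bytes}, list the modules that keep a fixed base
    under default ASLR (the ones an exploit can hardcode addresses into)."""
    return sorted(name for name, data in modules.items()
                  if not inspect_pe(data)["dynamic_base"])


def make_test_image(dll_chars, characteristics=IMAGE_FILE_DLL, pe32plus=False):
    """Constructed minimal PE header (no sections) for offline testing.
    It is not a real Windows binary, only enough header to be parsed."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins (placeholder names): the first behaves like the
# non-relocated DLL in the deck, the second has both flags set.
SAMPLE_MODULES = {
    "fixed_base_stub.dll": make_test_image(0x0000),
    "aslr_dep_stub.dll": make_test_image(DYNAMIC_BASE | NX_COMPAT),
    "x64_stub.dll": make_test_image(DYNAMIC_BASE, pe32plus=True),
}

if __name__ == "__main__":
    for name, data in SAMPLE_MODULES.items():
        print(name, inspect_pe(data))
    print("fixed base:", modules_with_fixed_base(SAMPLE_MODULES))
```

In a real check, the modules to inspect are the DLLs the target application loads (its own directory plus the system DLLs); any entry reported by modules_with_fixed_base is a candidate for Mandatory ASLR, and an entry with relocs_stripped set is one that no loader can move, so it has to be replaced or updated rather than configured.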
Conclusions
You still need to patch, have up-to-date AV, run as standard user and harden systems
AppLocker is effective against drive-by downloads and social engineering (not against 0-day exploits)
EMET is quite effective as additional protection against 0-days, although not perfect
It will break some techniques which are considered "universal DEP and ASLR bypass" by forcing all DLLs to be randomized (see www.corelan.be)
Mandatory ASLR + DEP together make exploit writing much more challenging (see the Object Confusion technique with CVE-2011-0609 on Vupen's blog)
Track Resources
www.microsoft.com/twc
www.microsoft.com/security
www.microsoft.com/privacy
www.microsoft.com/reliability
Resources
Connect. Share. Discuss.
http://europe.msteched.com
© 2012 Microsoft Corporation. All rights reserved.