Why You Should Never Use The Internet


Overview
- A Different Game
- Infection
- Characteristics
- Techniques
- Detection
- Prevention

A Different Game
- The players and the game have changed: criminal organizations, governments
- Profit- or politically driven; a multimillion-dollar industry
- Cyber weapons
- FBI vs. Coreflood [1]
- Professionally developed: user manuals, MaaS (malware as a service)

Infiltration
- Exploit packs: Phoenix Pack, Blackhole (source released), plus others [4]
  - These aren't going away. EaaS?
- Legitimate host compromise
  - Direct: breaking news, celebrities, social media; two clicks away from malware
  - Search engine optimization hacks [3]
  - Indirect: advertisements. May 2011: Geek.com [1]; April 2011: ribbs.usps.gov [2]; April 2010: Wordpress.com
  - Facebook, Twitter, etc.
- Email: spear phishing

Techniques
- API hooking
- Run-time patching
- Browser content replacement
- Filter drivers

API Hooking
- APIs are how Windows programs do just about everything
- Hooking allows malware to intercept Windows API calls
- Can be done in user or kernel space, but in kernel space it's much more powerful

API Hooking (diagram: the normal call path)
Program -> DeleteFile[A|W] -> NtDeleteFile (user mode) -> System Service Descriptor Table (SSDT) (kernel mode) -> ZwDeleteFile

API Hooking: SSDT Example (diagram: the hooked call path)
Program -> DeleteFile[A|W] -> NtDeleteFile (user mode) -> SSDT entry, now pointing at fakeDelete (kernel mode) -> fakeDelete -> ZwDeleteFile

API Hooking
- Allows malware to do a lot of nasty things:
  - Hide processes/files
  - Hide networking (to a degree)
  - Steal keystrokes, website data, passwords, mouse clicks, etc.
  - Basically take over your system
- Fairly straightforward to implement
- However, it is easy to detect: the SSDT is a table of pointers, and any entry that no longer points into the kernel image (or differs from the clean copy read from ntoskrnl.exe on disk) stands out
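The slide's two claims (hooking is easy to write, and easy to detect) are both visible in a small user-mode model. The code below is an added example, not code from the talk: the "SSDT" is an ordinary array of function pointers standing in for the kernel table, the routine names, slot indices and the protected file name are constructed, and the CR0.WP dance a real rootkit performs before writing the table is only mentioned in a comment.

```c
/* Added example (not from the talk): a user-mode model of SSDT hooking and of
 * the check that makes it easy to detect. The real SSDT lives in kernel memory
 * and is written after clearing the CR0.WP bit on x86; here it is an ordinary
 * array of function pointers. Names and indices are constructed.
 * Build: cc -std=c11 -Wall ssdt_model.c && ./a.out */
#include <stdio.h>
#include <string.h>

typedef int (*syscall_fn)(const char *path);

/* Stand-ins for the native routines the table dispatches to. */
static int zw_delete_file(const char *path) { printf("[kernel] delete %s\n", path); return 0; }
static int zw_query_dir(const char *path)   { printf("[kernel] list   %s\n", path); return 0; }

enum { IDX_DELETE = 0, IDX_QUERY = 1, SSDT_SIZE = 2 };

/* The live table the dispatcher reads... */
static syscall_fn ssdt[SSDT_SIZE] = { zw_delete_file, zw_query_dir };
/* ...and a pristine copy, as a scanner rebuilds it from ntoskrnl.exe on disk. */
static const syscall_fn ssdt_clean[SSDT_SIZE] = { zw_delete_file, zw_query_dir };

static syscall_fn orig_delete;                         /* saved so the hook can pass through */
static const char *protected_name = "rootkit.sys";     /* constructed: the file the hook shields */

/* The rootkit's replacement entry: make its own file undeletable, pass everything else on. */
static int fake_delete(const char *path) {
    if (strstr(path, protected_name)) return -1;       /* lie: "no such file" */
    return orig_delete(path);
}

static void hook_ssdt(void)   { orig_delete = ssdt[IDX_DELETE]; ssdt[IDX_DELETE] = fake_delete; }
static void unhook_ssdt(void) { ssdt[IDX_DELETE] = orig_delete; }

/* What the system-call stub does after the trap into kernel mode: index the table. */
static int dispatch(int idx, const char *path) { return ssdt[idx](path); }

/* Detection: a slot whose target differs from the clean table (equivalently, one that
 * points outside ntoskrnl's image) is hooked. Returns a bitmask of hooked indices. */
static unsigned scan_ssdt(void) {
    unsigned hooked = 0;
    for (int i = 0; i < SSDT_SIZE; i++)
        if (ssdt[i] != ssdt_clean[i]) hooked |= 1u << i;
    return hooked;
}

int main(void) {
    hook_ssdt();
    printf("delete rootkit.sys -> %d (hidden)\n", dispatch(IDX_DELETE, "C:\\Windows\\rootkit.sys"));
    printf("delete notes.txt   -> %d (passed through)\n", dispatch(IDX_DELETE, "C:\\Users\\u\\notes.txt"));
    printf("scan: hooked slots bitmask = 0x%x\n", scan_ssdt());
    unhook_ssdt();
    printf("scan after unhook          = 0x%x\n", scan_ssdt());
    return 0;
}
```

The whole hook is one pointer write, which is why the slide calls it straightforward; the whole detection is one pointer compare per slot, which is why GMER and friends catch it so reliably.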

Run-time Patching
- Replaces API calls with your own by patching the API routine itself
- Can achieve the same goals as API hooking, but is harder to detect
- Also called "detour hooks"

Run-time Patching: Example (diagrams)
Before: the API routine starts with its original target code.
After: the first instructions are overwritten with a detour jump into the malicious code; when that code is done it jumps back into the target code, so the caller sees the API behave normally.

Run-time Patching
- Can be tricky to implement
- Harder to detect:
  - You have to scan the memory space
  - If the patch isn't permanent, an offline analysis isn't very helpful
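"You have to scan the memory space" means, concretely, comparing the first bytes of each exported routine in the running process against the same bytes in the clean image on disk, and decoding whatever was written there to see where the detour goes. The block below is an added example of that check, not code from the talk: the two prologues and the load address are constructed, while the x86-64 encodings of the two jump forms (E9 rel32, and mov rax,imm64 / jmp rax) are real.

```c
/* Added example (not from the talk): detecting a detour ("inline") hook by
 * comparing a function's first bytes in memory with the same bytes in the clean
 * image on disk, and decoding the planted jump to find where it goes. The byte
 * strings and the load address are constructed; the x86-64 encodings are real.
 * Build: cc -std=c11 -Wall detour_scan.c && ./a.out */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROLOGUE_LEN 16
static const uintptr_t func_va = 0x7FF6A0001000ULL;   /* constructed: where the function is mapped */

/* Constructed: a typical x86-64 prologue as it sits in the file on disk. */
static const uint8_t disk_bytes[PROLOGUE_LEN] = {
    0x48,0x89,0x5C,0x24,0x08,  /* mov [rsp+8], rbx  */
    0x48,0x89,0x6C,0x24,0x10,  /* mov [rsp+16], rbp */
    0x56,                      /* push rsi          */
    0x48,0x83,0xEC,0x20,       /* sub rsp, 0x20     */
    0x90 };

/* Constructed: same bytes read from the live process after a 5-byte detour: jmp rel32. */
static const uint8_t mem_rel[PROLOGUE_LEN] = {
    0xE9,0xFB,0x0F,0x00,0x00,  /* jmp +0x0FFB, i.e. to func_va + 0x1000 */
    0x48,0x89,0x6C,0x24,0x10, 0x56, 0x48,0x83,0xEC,0x20, 0x90 };

/* Constructed: the 12-byte far form used when the payload is more than 2 GiB away. */
static const uint8_t mem_abs[PROLOGUE_LEN] = {
    0x48,0xB8, 0x00,0x20,0x00,0xA0,0xF6,0x7F,0x00,0x00,  /* mov rax, 0x7FF6A0002000 */
    0xFF,0xE0,                                          /* jmp rax                 */
    0x83,0xEC,0x20, 0x90 };

enum hook_kind { HOOK_NONE, HOOK_REL_JMP, HOOK_ABS_JMP, HOOK_OTHER_PATCH };

/* Little-endian readers so the decode does not depend on the scanner's host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Compare memory with disk; if the entry point has become a jump, report its kind and target. */
static enum hook_kind detect_detour(const uint8_t *mem, const uint8_t *disk, size_t len,
                                    uintptr_t va, uintptr_t *target) {
    *target = 0;
    if (memcmp(mem, disk, len) == 0) return HOOK_NONE;
    if (len >= 5 && mem[0] == 0xE9) {                 /* E9 rel32: target = next insn + disp */
        int32_t rel = (int32_t)rd32(mem + 1);
        *target = va + 5 + (uintptr_t)(intptr_t)rel;
        return HOOK_REL_JMP;
    }
    if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 && mem[10] == 0xFF && mem[11] == 0xE0) {
        *target = (uintptr_t)rd64(mem + 2);           /* mov rax, imm64 ; jmp rax */
        return HOOK_ABS_JMP;
    }
    return HOOK_OTHER_PATCH;                          /* modified, but not a jump we recognise */
}

/* Wrappers over the constructed samples, for main() and for quick checks. */
static enum hook_kind kind_of(const uint8_t *mem) {
    uintptr_t t; return detect_detour(mem, disk_bytes, PROLOGUE_LEN, func_va, &t);
}
static uintptr_t target_of(const uint8_t *mem) {
    uintptr_t t; detect_detour(mem, disk_bytes, PROLOGUE_LEN, func_va, &t); return t;
}

int main(void) {
    const uint8_t *samples[] = { disk_bytes, mem_rel, mem_abs };
    const char *labels[] = { "clean", "jmp rel32", "mov rax/jmp rax" };
    for (int i = 0; i < 3; i++)
        printf("%-16s kind=%d target=0x%llx\n", labels[i], (int)kind_of(samples[i]),
               (unsigned long long)target_of(samples[i]));
    return 0;
}
```

Two caveats a real scanner needs: the comparison has to be made against the live process while the patch is in place (the slide's point about non-permanent patches), and a byte difference is not proof of malice, since Windows hot-patching and legitimate products that hook in-process (AV, EMET) produce the same kind of prologue change, so the decoded target has to be judged against the list of loaded modules.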

Browser Content Replacement
- Allows the malware to modify what you see and what you send in your web browser
- Can replace forms, GET request responses, POST data and POST destinations, and hide data
- "View Source" shows nothing: the modifications are made in memory, inside the browser process
- HTTPS does not help: the hook sits between the page renderer and the browser's own TLS code, so it sees responses after decryption and requests before encryption

Browser Content Replacement (diagrams)
Normal: User <-> Display <-> En/Decrypt <-> Send/Receive <-> Website
Hooked: User <-> Display <-> MALWARE <-> En/Decrypt <-> Send/Receive <-> Website

Browser Content Replacement: Zeus botnet
From the user manual:
"Intercepting HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries:
1. Modification of the loaded pages content (HTTP-inject).
2. Transparent pages redirect (HTTP-fake).
3. Getting out of the page content the right pieces of data (for example the bank account balance).
4. Temporary blocking HTTP-injects and HTTP-fakes.
5. Temporary blocking access to a certain URL.
6. Blocking logging requests for specific URL.
7. Forcing logging of all GET requests for specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to specific URL."
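Items 1 and 3 of that list, and the "replace forms / hide data / HTTPS does not help" points of the previous slide, come down to string surgery on plaintext the browser has already decrypted or has not yet encrypted. The block below is an added example of both directions, not code from the talk or from Zeus: the rule shape follows the Zeus webinject config (set_url / data_before / data_inject / data_after), modelled here as "replace whatever lies between the before and after anchors", and the URLs, page bodies, rule contents and the POST body are all constructed.

```c
/* Added example (not from the talk or from Zeus): a web inject and a form-field
 * grab applied to plaintext inside the browser process, i.e. after TLS decryption
 * of the response and before encryption of the request. The rule shape follows
 * the Zeus webinject config (set_url / data_before / data_inject / data_after),
 * modelled here as "replace whatever lies between before and after"; page, URL
 * and rule contents are constructed.
 * Build: cc -std=c11 -Wall webinject.c && ./a.out */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *url_mask;     /* set_url: applies when the URL contains this (simplified matching) */
    const char *data_before;  /* anchor that must precede the region */
    const char *data_inject;  /* content that replaces the region */
    const char *data_after;   /* anchor that must follow the region */
} inject_rule;

/* Constructed rule 1: add an "ATM PIN" field to a login form. The anchors are
 * adjacent in the page, so this is a pure insertion. */
static const inject_rule add_pin = {
    "bank.example/login",
    "<input type=\"password\" name=\"pass\">",
    "<label>ATM PIN</label><input type=\"password\" name=\"pin\">",
    "<input type=\"submit\"",
};

/* Constructed rule 2: hide a drained balance by replacing the text between the anchors. */
static const inject_rule fake_balance = {
    "bank.example/account",
    "<span id=\"balance\">", "$4,200.00", "</span>",
};

/* Constructed: decrypted response bodies as the renderer would receive them. */
static const char login_page[] =
    "<html><body><form method=\"post\" action=\"/login\">"
    "<input type=\"text\" name=\"user\">"
    "<input type=\"password\" name=\"pass\">"
    "<input type=\"submit\" value=\"Log in\">"
    "</form></body></html>";
static const char account_page[] = "<p>Balance: <span id=\"balance\">$12.55</span></p>";

/* Apply one rule to a body. Returns a malloc'd modified body, or NULL when the rule
 * does not apply (URL mismatch, or an anchor is missing) so the page passes untouched. */
static char *http_inject(const char *url, const char *body, const inject_rule *r) {
    if (!strstr(url, r->url_mask)) return NULL;
    const char *before = strstr(body, r->data_before);
    if (!before) return NULL;
    const char *region = before + strlen(r->data_before);
    const char *after = strstr(region, r->data_after);
    if (!after) return NULL;
    size_t head = (size_t)(region - body), mid = strlen(r->data_inject), tail = strlen(after);
    char *out = malloc(head + mid + tail + 1);
    if (!out) return NULL;
    memcpy(out, body, head);
    memcpy(out + head, r->data_inject, mid);
    memcpy(out + head + mid, after, tail + 1);   /* includes the terminating NUL */
    return out;
}

/* Outbound side: pull one field out of an application/x-www-form-urlencoded body
 * before it is encrypted. Returns a malloc'd copy of the value, or NULL. */
static char *harvest_field(const char *post_body, const char *name) {
    size_t nlen = strlen(name);
    for (const char *p = post_body; (p = strstr(p, name)) != NULL; p += nlen) {
        if ((p == post_body || p[-1] == '&') && p[nlen] == '=') {   /* whole key, not a suffix */
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");
            char *out = malloc(vlen + 1);
            if (out) { memcpy(out, v, vlen); out[vlen] = '\0'; }
            return out;
        }
    }
    return NULL;
}

int main(void) {
    char *login = http_inject("https://bank.example/login", login_page, &add_pin);
    char *acct  = http_inject("https://bank.example/account", account_page, &fake_balance);
    char *pin   = harvest_field("user=alice&pass=hunter2&pin=1234", "pin");
    printf("%s\n%s\npin=%s\n", login ? login : "(no inject)", acct ? acct : "(no inject)",
           pin ? pin : "(none)");
    free(login); free(acct); free(pin);
    return 0;
}
```

Nothing here touches the network or the TLS layer, which is the whole point: the server sees a legitimate TLS session and a legitimate form submission with one extra field, and the user sees a page whose source, if fetched out of band, is clean.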

Detection
- AV (losing the race)
- Monitor outbound communications: TCPView, netstat, border monitoring, outbound-watching IDS (Snort)
- Sysinternals: TCPView, Procmon, RootkitRevealer

Detection: GMER
- Rootkit detector
- Detects: hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden anything else; SSDT, IAT and EAT hooks; MBR modification; suspicious drivers; lots more


Prevention
- Update software (not just Windows)
- Windows 7 (x64)
- EMET [5]
- Uninstall Adobe Reader, install Foxit
- Chrome/Firefox
- VMs / Linux / OS X
- NoScript for Firefox

Further Information
- Blogs
  - F-Secure: http://www.f-secure.com/weblog/
  - Sophos: http://nakedsecurity.sophos.com/
  - Inreverse: http://www.inreverse.net/
- Online tools
  - VirusTotal: http://www.virustotal.com/
  - Anubis: http://anubis.iseclab.org/
- Samples
  - Malware Domain List: http://www.malwaredomainlist.com/
  - Offensive Computing: http://www.offensivecomputing.net/

References
- (URL truncated in transcription) k/2011/04/08/us postal service
- Microsoft Download Center (EMET): (URL truncated) .com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04
- 2010 Websense Threat Report: (URL truncated) introduction.aspx?cmpid=prblog
- Verizon 2011 Data Breach Investigations Report: (URL truncated) ports/rp_data-breach-investigations-report-2011_en_xg.pdf
- Microsoft Security Intelligence Report v10: http://www.microsoft.com/security/sir/
- Book: "The Rootkit Arsenal", by Reverend Bill Blunden
- Book: "Malware Analyst's Cookbook", by M. Ligh, S. Adair, B. Hartstein, M. Richard
- Book: "Reversing: Secrets of Reverse Engineering", by Eldad Eilam
- MSDN Documentation: (URL truncated) px

Contact
Sean McAllister (gaten)
education.kills@gmail.com
Twitter: @gatenub
