Posted on 11-Jun-2018


ⓒ Copyright 2016, blackfort security all rights reserved.

Malware is In the Memory: Real Time Malware Memory Analysis System

2016 HITCON

YoungJin Sim / BLACKFORT Security / Senior Researcher <jine@blackfortsec.com>

YoungHak Lee / BLACKFORT Security / Senior Researcher <vstherock@blackfortsec.com>

Who we are


YoungJin Sim YoungHak Lee

New malware per day

Reference: http://www.redsocks.nl/blog-2/malware-statistics-march-2016/

- Average 425,531 new samples per day!

- Researcher analysis time: 1 hour per sample on average

- Working hours per day: 8

- 425,531 / 8 = 53,191 (analysts needed to keep pace at this rate)


Cuckoo Sandbox

- Malware automatic analysis system

- Windows, OSX, Linux, Android supported

- Traces API calls (user-level API hooking)

- Cuckoo Monitor.dll

- Rootkit analysis is impossible (example: ZeroAccess)

- Vulnerable to anti-VM techniques (example: Citadel)


- Reference: http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture

Why Memory Analysis?

- All programs are loaded in memory

- Bypasses malware protectors (packing, anti-debug)

- Advanced malware operates solely in memory

- Identifies system activity and overall machine state

- Memory reliability is very important

- Existing examples: MemoryAnalysis, Drakvuf, Memminer


Memory Analysis

- Black Hat USA 2014 Arsenal release

- Depends on Cuckoo Sandbox

- Interval-based memory dump: too many dumps are inefficient in analysis time and disk space

- Trigger-based memory dump: an API that has not been hooked cannot be analyzed

(figure: interval-based memory dump vs. trigger-based memory dump)

- Reference: https://github.com/djteller/MemoryAnalysis

Drakvuf

- Hacktivity 2014 release

- Copy-on-write disk and memory

- Extra resources allocated only when used; VLAN isolation

- Detects when a new process is scheduled, syscalls are executed, files are accessed/created/deleted, etc.

(figure: Drakvuf structure)

- Reference: http://drakvuf.com/

http://www.slideshare.net/tklengyel/drakvuf?next_slideshow=1

Drakvuf

(figure: Drakvuf malware analysis result)

Memminer

- CanSecWest 2015 release

- Agentless

- Uses Rekall & LibVMI

- Operating system data dependencies expressed with CybOX (object relationships)

- Reference: http://cyboxproject.github.io/documentation/object-relationships/#Created

New Malware Analysis System: Malware Analyst

Malware Analyst Structure (architecture diagram)

Memory Analysis Engine - Uses LibVMI & Volatility

- Command Analysis

- Process Analysis

- Thread Analysis

- Network Analysis

- Service Analysis

- MBR Analysis

- Rootkit Analysis


Why use LibVMI & Volatility?

- LibVMI (Library for Virtual Machine Introspection)

- Memory dumps are not necessary (too many dumps are inefficient in analysis time and disk space)

- Direct memory access

- Reliable memory, so the memory analysis result is reliable

- Volatility

- Can analyze memory obtained through LibVMI

- Open source

- Focused on forensics, incident response, and malware



Command Analysis

- Cmdscan: _COMMAND_HISTORY; finds the basic Windows commands typed (command history)

- Consoles: _SCREEN_INFORMATION; finds console I/O data

- Shellbags: NTUSER.DAT & UsrClass.dat; finds Windows environment, timestamps, installer ...


Process Analysis - Privs

- Malware needs particular privileges for its malicious behavior

Dangerous privileges:

- SeBackupPrivilege: malware can leverage this privilege to copy locked files

- SeDebugPrivilege: practically all malware that performs code injection from user mode relies on enabling this privilege

- SeLoadDriverPrivilege: malware can load or unload kernel drivers (rootkit load)

- SeChangeNotifyPrivilege: malware can use this to determine immediately when one of its configuration or executable files is removed by antivirus or users

- SeShutdownPrivilege: bootkits modify the Master Boot Record (MBR) and don't activate until the next time the system boots
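The privilege check above can be turned into a simple triage rule: a dangerous privilege that is merely present is normal, but one that has been explicitly enabled (Enabled without Default) was switched on by the process itself, which is what injection and driver loading require. The following is an added example, not code from the slides or from Malware Analyst; the four-column line format (pid, process, privilege, attributes) is a constructed approximation of a privs-style listing, not Volatility's exact output.

```python
# Added example: flag processes that explicitly enabled one of the dangerous
# privileges listed on the slide. Input format is a constructed assumption.
DANGEROUS_PRIVILEGES = {
    "SeBackupPrivilege": "copy locked files",
    "SeDebugPrivilege": "user-mode code injection",
    "SeLoadDriverPrivilege": "load/unload kernel drivers (rootkit)",
    "SeChangeNotifyPrivilege": "watch own files for removal",
    "SeShutdownPrivilege": "reboot after MBR modification (bootkit)",
}

# Constructed sample listing: pid, process, privilege, attributes.
SAMPLE_PRIVS = """\
4     System          SeLoadDriverPrivilege   Present,Enabled,Default
508   services.exe    SeDebugPrivilege        Present,Enabled,Default
1204  explorer.exe    SeChangeNotifyPrivilege Present,Enabled,Default
1204  explorer.exe    SeShutdownPrivilege     Present
2316  svchost.exe     SeDebugPrivilege        Present,Enabled
2316  svchost.exe     SeLoadDriverPrivilege   Present,Enabled
2316  svchost.exe     SeBackupPrivilege       Present
"""


def parse_privs(text):
    """Parse the constructed listing into (pid, name, privilege, {attributes})."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, name, priv, attrs = line.split(None, 3)
        rows.append((int(pid), name, priv, set(attrs.split(","))))
    return rows


def explicitly_enabled_dangerous(text):
    """Return {(pid, name): [privilege, ...]} for dangerous privileges that are
    Enabled but not Default, i.e. the process (or its parent) turned them on
    deliberately rather than inheriting them from the token defaults."""
    hits = {}
    for pid, name, priv, attrs in parse_privs(text):
        if priv in DANGEROUS_PRIVILEGES and "Enabled" in attrs and "Default" not in attrs:
            hits.setdefault((pid, name), []).append(priv)
    return hits


if __name__ == "__main__":
    for (pid, name), privs in explicitly_enabled_dangerous(SAMPLE_PRIVS).items():
        for priv in privs:
            print(f"pid {pid} {name}: {priv} explicitly enabled ({DANGEROUS_PRIVILEGES[priv]})")
```

In the constructed sample only the svchost.exe instance with pid 2316 is reported: System and services.exe hold their privileges by default, and explorer.exe has SeShutdownPrivilege present but not enabled.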

Process Analysis - Auditpol / Pstree / Psscan / Procdump

- Auditpol: global audit policy

- Pstree: finds and walks the doubly linked process list

- Psscan: scans for _EPROCESS objects instead of relying on the linked list; finds terminated processes and hidden processes in kernel memory

- Procdump: finds PE headers in kernel memory

(figure: Malware Analyst process tree)

Process Analysis - Procdump

(figure: Citadel malware, original binary vs. binary unpacked with Malware Analyst)

(figure: Tesla ransomware, original binary vs. binary unpacked with Malware Analyst)


Thread Analysis - Threads

- Finds orphan threads:

- Lists the loaded modules by walking the doubly linked list and records their base address and size

- Checks whether the _ETHREAD.StartAddress value is within the range of one of the modules

- Many rootkits use orphan threads (examples: Tigger, Mebroot)

(figure: orphan thread in a Tigger sample)
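The orphan-thread check described above, written out as an added example that is not the slides' or Malware Analyst's code. The module list and thread records are constructed stand-ins for what a walk of the loaded-module list and the _ETHREAD objects would yield; the check is applied to kernel threads (owner "System"), whose start address should lie inside a loaded driver or the kernel itself.

```python
# Added example: orphan-thread detection over constructed module/thread data.
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Thread:
    tid: int
    owner: str          # owning process; "System" for kernel threads
    start_address: int  # _ETHREAD.StartAddress


# Constructed loaded-module list (base/size as recorded from the list walk).
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("hal.dll",      0x806CF000, 0x020000),
    Module("tcpip.sys",    0xF7A00000, 0x05A000),
]

# Constructed thread records.
THREADS = [
    Thread(8,    "System",       0x804E1A20),  # inside ntoskrnl.exe
    Thread(112,  "System",       0xF7A1C3C0),  # inside tcpip.sys
    Thread(228,  "System",       0x8A1F4000),  # no module owns this address
    Thread(1300, "explorer.exe", 0x7C810000),  # user-mode thread, not checked
]


def owning_module(addr: int, modules):
    """Name of the module whose [base, base+size) range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_orphan_threads(threads, modules):
    """TIDs of kernel threads whose start address lies in no loaded module."""
    return [t.tid for t in threads
            if t.owner == "System" and owning_module(t.start_address, modules) is None]


if __name__ == "__main__":
    for tid in find_orphan_threads(THREADS, MODULES):
        print(f"orphan kernel thread tid={tid}")
```

A start address that no module covers means the code was placed in kernel memory without going through the loader, which is the pattern the slide attributes to Tigger and Mebroot; a rootkit that hides its module from the list would show up the same way.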


Network Analysis - Sockets & Connections

- Windows XP/2003: the _ADDRESS_OBJECT & _TCPT_OBJECT structures are undocumented by MS, but many hackers have reverse-engineered them in the past

- Netscan (Windows Vista and later): finds _TCP_ENDPOINT, _TCP_LISTENER, _UDP_ENDPOINT

Socket search: _Addr_Obj_Table -> _ADDRESS_OBJECT (sockscan)

Connection search: _TCBTable -> _TCPT_OBJECT (connections)


Service Analysis - Svcscan

- Finds the sErv and serH tags in the kernel memory of services.exe

- The tags are embedded in members of each _SERVICE_RECORD

- Finds all instances of the structures even if they've been unlinked from the list

- Compares the entries found by scanning with the ones found via list walking to determine exactly which services have been maliciously unlinked
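Both the Psscan/Pstree comparison in the process analysis section and the Svcscan comparison just described are the same cross-view technique: anything the scan finds that the list walk does not has been unlinked or has terminated. The following added example (not the slides' or Malware Analyst's code) implements that comparison once and applies it to constructed process and service records; the offsets, names and exit time are made-up sample data.

```python
# Added example: cross-view comparison of list-walk vs. scan results.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    offset: int                    # _EPROCESS offset found by the scan/walk
    pid: int
    name: str
    exit_time: Optional[str] = None  # set when the process has terminated


@dataclass(frozen=True)
class Service:
    record: int                    # _SERVICE_RECORD address in services.exe
    name: str
    state: str


def cross_view(walked, scanned, key):
    """Return (unlinked, scan_missed): objects seen by the scan but absent from
    the list walk, and objects in the list that the scan did not find."""
    walked_keys = {key(o) for o in walked}
    scanned_keys = {key(o) for o in scanned}
    unlinked = [o for o in scanned if key(o) not in walked_keys]
    scan_missed = [o for o in walked if key(o) not in scanned_keys]
    return unlinked, scan_missed


# Constructed pstree (list walk) and psscan (pool scan) results.
PSTREE = [
    Proc(0x023C8830, 4, "System"),
    Proc(0x01D9F020, 508, "services.exe"),
    Proc(0x01E2A020, 1540, "explorer.exe"),
]
PSSCAN = PSTREE + [
    Proc(0x01D3F7C0, 1668, "svch0st.exe"),                             # hidden
    Proc(0x01C1A308, 2204, "notepad.exe", exit_time="2016-07-21 03:14:07"),  # exited
]


def classify_unlinked_processes(pstree, psscan):
    """Split scan-only processes into hidden (still running) and terminated."""
    unlinked, _ = cross_view(pstree, psscan, key=lambda p: p.offset)
    hidden = [p.name for p in unlinked if p.exit_time is None]
    terminated = [p.name for p in unlinked if p.exit_time is not None]
    return hidden, terminated


# Constructed service list walk vs. sErv/serH tag scan results.
SVC_LIST = [
    Service(0x006E2A48, "Dhcp", "SERVICE_RUNNING"),
    Service(0x006E2B90, "Dnscache", "SERVICE_RUNNING"),
]
SVC_SCAN = SVC_LIST + [Service(0x006E3F10, "hidsvc", "SERVICE_RUNNING")]


def unlinked_services(svc_list, svc_scan):
    """Names of _SERVICE_RECORD entries present in the scan but not the list."""
    unlinked, _ = cross_view(svc_list, svc_scan, key=lambda s: s.record)
    return [s.name for s in unlinked]


if __name__ == "__main__":
    hidden, terminated = classify_unlinked_processes(PSTREE, PSSCAN)
    print("hidden processes:", hidden)
    print("terminated processes:", terminated)
    print("unlinked services:", unlinked_services(SVC_LIST, SVC_SCAN))
```

A running process that the scan finds but the list walk does not is the DKOM unlinking case; one with an exit time set is simply a terminated process whose _EPROCESS has not yet been reused, which is why the exit time is needed to tell the two apart.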


MBR Analysis - Mbrparser

- Finds MBRs (signature: \x55\xaa) in kernel memory

- Compares the partition table of each MBR scan hit with the disk's MBR
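An added example of the parsing and comparison step, not the slides' or Malware Analyst's code: it validates the \x55\xaa signature, decodes the four 16-byte partition entries, and classifies a scan hit against the reference MBR. A hit whose partition table matches the disk but whose boot code differs is the interesting case, since that is what a bootkit leaves behind. The MBR bytes below are constructed with a helper; the boot code fields are placeholder text, not real boot code.

```python
# Added example: MBR parsing and comparison over constructed 512-byte images.
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts after the boot code
ENTRY_FMT = "<B3xB3xII"       # boot flag, (CHS start), type, (CHS end), LBA start, sectors
SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes):
    """Return None if the signature is missing, else the boot-code hash and
    the non-empty partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        return None
    partitions = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        boot_flag, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:        # empty slot
            continue
        partitions.append({"bootable": boot_flag == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from placeholder boot code and a partition list
    (constructed test data, not read from a disk)."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if p["bootable"] else 0, p["type"],
                                 p["lba_start"], p["sectors"]) for p in partitions)
    return bootcode.ljust(TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


def compare_to_disk_mbr(disk_mbr: bytes, candidate: bytes) -> str:
    """Classify an MBR found by scanning kernel memory against the disk's MBR."""
    ref, cand = parse_mbr(disk_mbr), parse_mbr(candidate)
    if ref is None:
        raise ValueError("reference MBR has no 55AA signature")
    if cand is None:
        return "no 55AA signature"
    if cand["partitions"] != ref["partitions"]:
        return "different partition table"
    if cand["bootcode_sha256"] != ref["bootcode_sha256"]:
        return "same partition table, different boot code"
    return "identical"


# Constructed partition layout and MBR images.
PARTITIONS = [
    {"bootable": True,  "type": 0x07, "lba_start": 63,       "sectors": 41929587},
    {"bootable": False, "type": 0x0F, "lba_start": 41929650, "sectors": 4194304},
]
DISK_MBR = build_mbr(b"placeholder boot code A", PARTITIONS)
TAMPERED_MBR = build_mbr(b"placeholder boot code B", PARTITIONS)   # same table, new code
UNRELATED_MBR = build_mbr(b"placeholder boot code A", PARTITIONS[:1])

if __name__ == "__main__":
    for label, hit in [("disk", DISK_MBR), ("tampered", TAMPERED_MBR),
                       ("unrelated", UNRELATED_MBR), ("junk", b"\x00" * MBR_SIZE)]:
        print(f"{label}: {compare_to_disk_mbr(DISK_MBR, hit)}")
```

Comparing on the decoded partition table rather than on raw bytes matters: a scan of kernel memory will return stale copies and MBRs of other media, and only a hit that still describes the system disk but carries different boot code is worth investigating.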


Rootkit Analysis - Driverirp

- Finds _DRIVER_OBJECT structures in kernel memory

- Reads the 28 values in the MajorFunction array and determines where they point

- A rootkit driver can hook entries in a driver's IRP function table

- For example, by overwriting the IRP_MJ_CREATE function in a driver's IRP table, a rootkit can inspect file creation, process creation, ...
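The "determine where they point" step as an added example, not the slides' or Malware Analyst's code. Each of the 28 MajorFunction pointers is resolved to the loaded module that contains it: pointing into the driver's own image is normal, pointing into ntoskrnl.exe is normal for unimplemented IRPs (the kernel's IopInvalidDeviceRequest default), and anything else is a hook. The module table, driver object and addresses are constructed sample data.

```python
# Added example: IRP MajorFunction table audit over a constructed driver object.
from dataclasses import dataclass
from typing import List

# The 28 IRP major function codes, index 0x00 .. 0x1B (IRP_MJ_MAXIMUM_FUNCTION).
IRP_MJ_NAMES = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CONTROL",
    "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN", "IRP_MJ_LOCK_CONTROL",
    "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT", "IRP_MJ_QUERY_SECURITY",
    "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER", "IRP_MJ_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
]


@dataclass
class Module:
    name: str
    base: int
    size: int


@dataclass
class DriverObject:
    name: str                  # driver image that owns this _DRIVER_OBJECT
    major_function: List[int]  # the 28 pointers from _DRIVER_OBJECT.MajorFunction


# Constructed loaded-module list.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("atapi.sys",    0xF8B2C000, 0x018000),
    Module("tcpip.sys",    0xF7A00000, 0x05A000),
]

# Constructed stand-in for nt!IopInvalidDeviceRequest, inside ntoskrnl.exe.
KERNEL_DEFAULT_HANDLER = 0x804E2F20


def owner_of(addr: int, modules):
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def audit_irp_table(drv: DriverObject, modules):
    """Return (irp name, hex address, verdict) for every MajorFunction slot."""
    if len(drv.major_function) != len(IRP_MJ_NAMES):
        raise ValueError("MajorFunction array must have 28 entries")
    findings = []
    for name, addr in zip(IRP_MJ_NAMES, drv.major_function):
        owner = owner_of(addr, modules)
        if owner == drv.name:
            verdict = "ok"
        elif owner == "ntoskrnl.exe":
            verdict = "ok (kernel default handler)"
        elif owner is None:
            verdict = "HOOKED: points to unknown memory (no loaded module)"
        else:
            verdict = f"HOOKED: points into {owner}"
        findings.append((name, hex(addr), verdict))
    return findings


def hooked_entries(drv: DriverObject, modules):
    return [(name, verdict) for name, _, verdict in audit_irp_table(drv, modules)
            if verdict.startswith("HOOKED")]


def build_sample_driver() -> DriverObject:
    """Constructed atapi.sys driver object with IRP_MJ_CREATE redirected."""
    table = [KERNEL_DEFAULT_HANDLER] * 28
    table[0] = 0x8A3F0C00    # IRP_MJ_CREATE: unknown memory -> hooked
    table[3] = 0xF8B2F1A0    # IRP_MJ_READ: inside atapi.sys
    table[4] = 0xF8B2F1A0    # IRP_MJ_WRITE: inside atapi.sys
    table[14] = 0xF8B30000   # IRP_MJ_DEVICE_CONTROL: inside atapi.sys
    return DriverObject("atapi.sys", table)


if __name__ == "__main__":
    for name, addr, verdict in audit_irp_table(build_sample_driver(), MODULES):
        print(f"{name:<32} {addr:<12} {verdict}")
```

The example generalises the slide's IRP_MJ_CREATE case to all 28 slots. A pointer that lands in another legitimate driver is also reported, because filter drivers normally attach to the device stack (the Devicetree case on the next slide) rather than rewriting another driver's table.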

Rootkit Analysis - Devicetree

- Windows uses a layered architecture for handling I/O requests

- Multiple drivers can handle the same IRP

- Instead of hooking a target driver's IRP function, as previously described, a rootkit can just insert, or attach, itself into the target device's stack

Rootkit Analysis - Drivermodule

- Finds the DriverIRP data in kernel memory

- Gets the driver name & driver display name

- After finding new driver modules, dumps the driver modules

Rootkit Analysis - Callbacks

Callback types and the registering APIs rootkits use:

- Process creation: PsSetCreateProcessNotifyRoutine

- Thread creation: PsSetCreateThreadNotifyRoutine (used by BlackEnergy)

- Image load: PsSetLoadImageNotifyRoutine (used by Stuxnet)

- Registry modification: CmRegisterCallback (XP), CmRegisterCallbackEx (Vista and later) (used by Ascesso)

- Bugchecks: KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback

- Callbacks rootkits do not commonly use: Shutdown, DebugMessage, FileSystem, PnP callbacks

Malware Analyst Structure (architecture diagram)

Mamon

- Detects process changes, file changes, registry changes

- API function argument monitoring

- Operating system data dependencies expressed with CybOX (registry, process, file ...)

- Why use kernel-level hooking?

- Anti-VM bypass (VM hardening)

- Rootkit analysis

- Uses CmRegisterCallback (XP) and CmRegisterCallbackEx (Vista and later)

- Built with the Windows Driver Kit

- Mamon runs inside the virtual machine.

Malware Analyst Structure (architecture diagram)

Network Analysis - MITM Proxy & TCPDump

- Why use a MITM proxy?

- Decrypts SSL/HTTPS

- Classifies the protocol of each packet

MITM proxy structure (transparent HTTPS; the diagram's steps in order):

1. Connection (client)

2. Redirection (to the proxy)

3. Client initiates SSL handshake with SNI (to the proxy)

4. Proxy initiates SSL handshake with SNI (to the server)

5. Server returns its certificate CN & SANs

6. Proxy completes the SSL handshake with the client

7. Client sends request

8. Proxy sends request to the server

(figure: MITM proxy example data, https://www.google.com)

Reference: http://docs.mitmproxy.org/en/stable/howmitmproxy.html#transparent-https

Network Analysis

- HTTP replay

- Downloads meta-files (images, Flash, sound ...)

- Draws the network flow

(figure: Citadel network analysis result)

(figure: Citadel network flow image)

Demo: Citadel, memory-hacking rootkit malware, Tesla ransomware

Limitations of Malware Analyst

- Only 32-bit Windows supported

- Anti-memory-forensic techniques

- Other anti-VM techniques

- Hook-detecting malware

- Etc.

Benefits of Malware Analyst

- Unpacked binaries

- Decrypted network packet data (HTTPS, TLS ...)

- Timeline of malware run-time behaviors

- Rootkit analysis

Future: Threat Insight & Malware Analyst

- Future: x64 Windows support, plus anti-VM and anti-memory-forensic research

- Support for creating IOC pattern files

- Threat Insight: web site threat detection system

- Malware Analyst and Threat Insight will cooperate

- New malware database platform

New Malware Database Platform!

Thank you

Reference: The Art of Memory Forensics (book)