Reverse Engineering Malware: A Look Inside Operation Tovar
DESCRIPTION
Join us as we step through the reverse engineering of CryptoLocker, identifying important functionality and weaknesses. We'll demonstrate how we were able to use this information to help protect our customers months ago, the weaknesses that the Department of Justice took advantage of, and how you can do the same for other types of malware down the line.

TRANSCRIPT
Reverse Engineering Malware: A look inside Operation Tovar
Brandon Tansey
Security Researcher, Lancope
© 2014 Lancope, Inc. All rights reserved.
Source: 2014 Verizon DBIR
75% of malware contained functionality of spyware/keyloggers
55% of malware automatically collected pre-existing data on victim computers
Source: 2013 Verizon DBIR
All malware leaves behind some information of its own
Malware Analysis
What information is there to find?
• Command and control hosts
• Encryption keys
• Implementation flaws
• Exploits
• Malware capabilities
• …
What information do you need?
Dynamic Analysis vs. Static Analysis
Initialization
1. Start the malware
2. Malware loads RSAenh.dll (Microsoft Enhanced Cryptographic Provider)
Establishing Persistence
3. Copy self to Application Data
4. Open second process
5. Maintain auto-start registry keys
Reaching Out
6. Make network calls
7. Start looking for command and control hosts

Establish C2
8. Find valid C2 host
Compromise
9. Store public key
10. Scan and encrypt files

Close loop
11. Log encrypted files and start over
What do we think we know?
• Takes advantage of advanced public key crypto
  – RSAenh.dll
  – PublicKey registry key
• Loops through DNS requests for tons of gibberish hosts until it finds active, real one
  – All samples appear to create the same domains
• Does not begin encrypting until it receives public key from C2 server
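The dynamic-analysis observation above (a flood of DNS lookups for gibberish hosts, most of which fail, until one resolves to a live C2) is something a defender can turn directly into detection logic. The following is an added example, not code from the talk or from Lancope: it scans constructed DNS log lines of the form "client qname rcode", scores the longest label of each queried name for length, character entropy and vowel ratio, and reports clients that accumulate many NXDOMAIN answers for generated-looking names, listing any such name that did resolve as a C2 candidate to investigate and block. The log format, the sample lines and the thresholds (10 characters, 3.5 bits, 30% vowels, 5 NXDOMAINs) are assumptions chosen for illustration, not values from CryptoLocker.

```python
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample DNS log: "client qname rcode" per line. Not real traffic;
# 10.0.0.7 plays the infected host cycling through generated names.
SAMPLE_LOG = """\
10.0.0.5 www.microsoft.com NOERROR
10.0.0.5 update.example.org NOERROR
10.0.0.7 qwpkfjdlsmvnbxa.com NXDOMAIN
10.0.0.7 tgrumxbvqkzplwn.net NXDOMAIN
10.0.0.7 hkdlfjaqmsbxzwv.org NXDOMAIN
10.0.0.7 zxcmvebnkqwplrt.biz NXDOMAIN
10.0.0.7 plqwmnizbxcvkrt.info NXDOMAIN
10.0.0.7 wqrtokplmnzvbxc.ru NXDOMAIN
10.0.0.7 vbnmqwrtykplzxc.com NXDOMAIN
10.0.0.7 mzxcvbnqwakplrt.com NOERROR
10.0.0.9 mail.example.org NOERROR
10.0.0.9 nonexistenttypo.example.org NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Crude stand-in for the registered label: the longest label in the name.
    (Assumption for the example; a public-suffix list would be used in practice.)"""
    return max(qname.lower().rstrip(".").split("."), key=len)


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic: long, high-entropy, consonant-heavy labels look machine-generated."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def parse_dns_log(text: str):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2].upper()


def find_dga_clients(log_text: str, nxdomain_threshold: int = 5) -> dict:
    """Return {client: {"nxdomain_generated": n, "c2_candidates": [...]}} for every
    client whose distinct generated-looking NXDOMAIN names reach the threshold."""
    nx_names = defaultdict(set)
    resolved = defaultdict(list)
    for client, qname, rcode in parse_dns_log(log_text):
        if not looks_generated(qname):
            continue
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname)
        elif rcode == "NOERROR":
            # A generated-looking name that actually resolves is the live C2 candidate.
            resolved[client].append(qname)
    report = {}
    for client, names in nx_names.items():
        if len(names) >= nxdomain_threshold:
            report[client] = {
                "nxdomain_generated": len(names),
                "c2_candidates": sorted(resolved.get(client, [])),
            }
    return report


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {info['nxdomain_generated']} failed generated lookups, "
              f"C2 candidates: {info['c2_candidates']}")
```

Because the sample does not start encrypting until it has received a public key from a C2 server, the name that resolves is the one worth sinkholing or blocking at the resolver: a host caught at the NXDOMAIN-flood stage and cut off from C2 has not yet lost any files. Real NXDOMAIN floods also come from typos and misconfigured software, so the per-client threshold and a short time window are what keep the false-positive rate tolerable.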
Static Analysis
Source: microsoft.com
Source: justice.gov
Operation Tovar
Source: justice.gov
Operational Security (OPSEC)
Source: archive.gov
Source: justice.gov
“In cooperation with Luxembourg law enforcement agencies, pursuant to an MLAT request, the FBI analyzed the contents of [second level Cryptolocker] server, discovering HTTP access logs that showed which users were accessing this server.”
Source: justice.gov
“This consistent pattern of overlapping IP addresses and user agent strings establishes that Bogachev was the individual utilizing and managing the [Gameover] infrastructure. Moreover, the fact that Bogachev had elevated Administrative access to the critical UK GOZ server establishes that he is not only a participant in the GOZ conspiracy, but a leader.”
Source: justice.gov
Source: justice.gov
Tovar Time-out!
Source: virustotal.com
Source: blackhat.com
Library of Sparta
Tom Cross, David Raymond, Greg Conti
Wednesday, August 5th at 10:15am
Source: justice.gov
Tools
• YOUR FAVORITE SEARCH ENGINE!
• Process Monitor (SysInternals)
• Wireshark
• Inetsim (via Remnux)
• IDA Pro (alt. IDA shareware, radare, Hopper, objdump)
Want to learn more?
• OpenSecurityTraining.info
• Practical Malware Analysis (Michael Sikorski and Andrew Honig)
• The IDA Pro Book (Chris Eagle)
<shamelessPlug>
• http://lancope.com/blog
• https://twitter.com/stealth_labs
• https://twitter.com/lancope
</shamelessPlug>