1

Reverse Engineering Malware: A look inside Operation TovarBrandon TanseySecurity Researcher, Lancope

© 2014 Lancope, Inc. All rights reserved.

2© 2014 Lancope, Inc. All rights reserved.

Source: 2014 Verizon DBIR

3© 2014 Lancope, Inc. All rights reserved.

75% of malware contained functionality of spyware/keyloggers

55% of malware automatically collected pre-existing data on victim computers

Source: 2013 Verizon DBIR

4© 2014 Lancope, Inc. All rights reserved.

All malware leaves behind some information of its own

5© 2014 Lancope, Inc. All rights reserved.

Malware Analysis

6

• Command and control hosts• Encryption keys• Implementation flaws• Exploits• Malware capabilities• …

© 2014 Lancope, Inc. All rights reserved.

What information is there to find?

7© 2014 Lancope, Inc. All rights reserved.

What information do you need?

8© 2014 Lancope, Inc. All rights reserved.

9© 2014 Lancope, Inc. All rights reserved.

10© 2014 Lancope, Inc. All rights reserved.

Dynamic Analysis vs. Static Analysis

11© 2014 Lancope, Inc. All rights reserved.

Initialization1. Start the malware

12© 2014 Lancope, Inc. All rights reserved.

Initialization1. Start the malware

2. Malware loads RSAenh.dll (Microsoft Enhanced Cryptographic Provider)

13© 2014 Lancope, Inc. All rights reserved.

Establishing Persistence3. Copy self to Application Data

14© 2014 Lancope, Inc. All rights reserved.

Establishing Persistence3. Copy self to Application Data

4. Open second process

15© 2014 Lancope, Inc. All rights reserved.

Establishing Persistence5. Maintain auto-start registry keys

16© 2014 Lancope, Inc. All rights reserved.

Reaching Out6. Make network calls

17© 2014 Lancope, Inc. All rights reserved.

Reaching Out6. Make network calls

7. Start looking for command and control hosts

18© 2014 Lancope, Inc. All rights reserved.

19© 2014 Lancope, Inc. All rights reserved.

Establish C2

8. Find valid C2 host

20© 2014 Lancope, Inc. All rights reserved.

Compromise9. Store public key

21© 2014 Lancope, Inc. All rights reserved.

Compromise9. Store public key

10. Scan and encrypt files

22© 2014 Lancope, Inc. All rights reserved.

23© 2014 Lancope, Inc. All rights reserved.

Close loop11. Log encrypted files and start over

24© 2014 Lancope, Inc. All rights reserved.

25

• Takes advantage of advanced public key crypto– RSAenh.dll– PublicKey registry key

• Loops through DNS requests for tons of gibberish hosts until it finds active, real one– All samples appear to create the same domains

• Does not begin encrypting until it receives public key from C2 server

© 2014 Lancope, Inc. All rights reserved.

What do we think we know?

26© 2014 Lancope, Inc. All rights reserved.

Static Analysis

27© 2014 Lancope, Inc. All rights reserved.

28© 2014 Lancope, Inc. All rights reserved.

29© 2014 Lancope, Inc. All rights reserved.

30© 2014 Lancope, Inc. All rights reserved.

Source: microsoft.com

31© 2014 Lancope, Inc. All rights reserved.

32© 2014 Lancope, Inc. All rights reserved.

33© 2014 Lancope, Inc. All rights reserved.

34© 2014 Lancope, Inc. All rights reserved.

35© 2014 Lancope, Inc. All rights reserved.

36© 2014 Lancope, Inc. All rights reserved.

37© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

38© 2014 Lancope, Inc. All rights reserved.

Operation Tovar

39© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

40© 2014 Lancope, Inc. All rights reserved.

Operational Security(OPSEC)

Source: archive.gov

41© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

42© 2014 Lancope, Inc. All rights reserved.

“In cooperation with Luxembourg law enforcement agencies, pursuant to an

MLAT request, the FBI analyzed the contents of [second level Cryptolocker]

server, discovering HTTP access logs that showed which users were accessing this

server.”

Source: justice.gov

43© 2014 Lancope, Inc. All rights reserved.

“This consistent pattern of overlapping IP addresses and user agent strings establishes

that Bogachev was the individual utilizing and managing the [Gameover] infrastructure.

Moreover, the fact that Bogachev had elevated Administrative access to the critical UK GOZ

server establishes that he is not only a participant in the GOZ conspiracy, but a

leader.” Source: justice.gov

44© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

45© 2014 Lancope, Inc. All rights reserved.

Tovar Time-out!

46© 2014 Lancope, Inc. All rights reserved.

Source: virustotal.com

47© 2014 Lancope, Inc. All rights reserved.

Source: blackhat.com

Library of SpartaTom Cross, David Raymond, Greg Conti

Wednesday, August 5th at 10:15am

48© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

49© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

50© 2014 Lancope, Inc. All rights reserved.

Source: justice.gov

51© 2014 Lancope, Inc. All rights reserved.

52© 2014 Lancope, Inc. All rights reserved.

53

• YOUR FAVORITE SEARCH ENGINE!• Process Monitor (SysInternals)• Wireshark• Inetsim (via Remnux)• IDA Pro (alt. IDA shareware, radare, Hopper, objdump)

© 2014 Lancope, Inc. All rights reserved.

Tools

54

• OpenSecurityTraining.info• Practical Malware Analysis (Michael Sikorski and Andrew Honig)• The IDA Pro Book (Chris Eagle)

<shamelessPlug>• http://lancope.com/blog• https://twitter.com/stealth_labs• https://twitter.com/lancope</shamelessPlug>

© 2014 Lancope, Inc. All rights reserved.

Want to learn more?

55

THANK YOU

© 2014 Lancope, Inc. All rights reserved.

Brandon TanseySecurity Researcherbtansey@lancope.com

56© 2014 Lancope, Inc. All rights reserved.