the dark side of malware analysis - andrea pompili - codemotion rome 2015
TRANSCRIPT
Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
[email protected] – Xilogic Corp.
ROME 27-28.03.2015 www.codemotionworld.com
THE DARK SIDE OF MALWARE ANALYSIS
Andrea Pompili
There are only 10 types of people in the world:
Those who understand binary, and those who don't
Command and Control system IPs:
203.131.222.102:8080
217.96.33.164:8000
88.53.215.64:8000
Malware Analysis?
> To understand the real damage
> To discover the Indicators of Compromise
> To establish the attacker's degree of preparation/motivation (Sun Tzu docet)
> To reconstruct the vulnerability that was used (maybe a 0-day :-|)
> To catch the bad guy
> To answer life's questions…
The noble art of Reverse Engineering
Reverse engineering, def.: «the process of analysing an existing software system, carried out in order to create a representation of it at a higher level of abstraction»
Other purposes of reverse engineering include: vulnerability checks, removal of copy protection, circumvention of access restrictions
Ideal Reverse Engineering
Full vs Adequate Analysis
Reversing Malware is like
Malware Architecture (diagram)
Infection Stage: Vector, Exploit, Downloader
Launcher, Dropper, Malware Core, Command & Control
Module <01> … Module <XX>
Malware Architecture > Infection Stage (diagram highlighting the Infection Stage components: Vector, Exploit, Downloader; alongside Launcher, Dropper, Malware Core, Command & Control, Module <01> … Module <XX>)
Emails containing links
Emails containing attachments
The good old USB stick
Malware Architecture > Downloader (diagram highlighting the Downloader within the Infection Stage: Vector, Exploit, Downloader, Command & Control)
How is the Communication Channel Encoded?
<#1> Fixed Byte XOR (evergreen): identifiable (just find an xor opcode in the binary)
<#2> Base64 Encoding: identifiable and automatically reversible
<#3> Encryption: bulky and recognisable crypto libraries; how do you manage the keys?
<#4> G Channel: depends on the type; try doing it with a Shellcode!!!
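An added Python example (mine, not from the talk) that turns the first two rows into analyst-side checks: it peels Base64 and a fixed single-byte XOR off a captured beacon body, choosing the XOR key by how text-like each of the 256 candidate outputs is. The beacon bytes and the key 0x5A are constructed for the demo.

```python
import base64
import binascii
import string

LOWER = set(b"abcdefghijklmnopqrstuvwxyz")
BONUS = set(b" 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=&.:/-_")   # digits, upper case, key=value punctuation
PRINTABLE = set(string.printable.encode())

def text_score(data: bytes) -> int:
    """Crude plausibility score: rewards letters and beacon punctuation, punishes control bytes."""
    return sum(2 if b in LOWER else 1 if b in BONUS else 0 if b in PRINTABLE else -10 for b in data)

def looks_like_text(data: bytes) -> bool:
    return bool(data) and text_score(data) >= len(data)

def try_base64(blob: bytes):
    """<#2> Base64 is identifiable and automatically reversible: strict alphabet and padding check."""
    if len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None

def try_fixed_xor(blob: bytes):
    """<#1> Fixed-byte XOR: try all 256 keys and keep the one whose output looks most like text."""
    best = max(range(256), key=lambda k: text_score(bytes(b ^ k for b in blob)))
    out = bytes(b ^ best for b in blob)
    return (best, out) if best and looks_like_text(out) else None   # key 0 would be the identity

def decode_beacon(blob: bytes, max_layers: int = 3):
    """Peel stacked encodings in turn; returns (layers peeled, plaintext) or (layers, None) if stuck."""
    layers = []
    for _ in range(max_layers):
        decoded = try_base64(blob)          # plaintext that happens to be valid Base64 is ambiguous:
        if decoded is not None:             # confirm against the binary (xor opcode, crypto library)
            layers.append("base64")
            blob = decoded
            continue
        if looks_like_text(blob):
            return layers, blob
        hit = try_fixed_xor(blob)
        if hit is None:
            return layers, None
        layers.append(f"xor-0x{hit[0]:02x}")
        blob = hit[1]
    return layers, (blob if looks_like_text(blob) else None)

# Constructed sample: a key=value beacon XORed with a fixed byte, then Base64-encoded.
PLAIN = b"id=WIN7-PC&user=alice&cmd=ping"
CAPTURED = base64.b64encode(bytes(b ^ 0x5A for b in PLAIN))
```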
Communication Channel: room for imagination
Malware Architecture > Persistence (diagram highlighting the persistent components: Launcher, Dropper, Malware Core, Module <01> … Module <XX>; alongside Vector, Exploit, Downloader, Command & Control of the Infection Stage)
Malware Architecture > Chained Modules (diagram: Vector, Exploit, Infection Stage; Downloader #1 with Command & Control #1, Downloader #2 with Command & Control #2, Malware Component)
Modules and Plugins
> Infostealer
> Keylogging
> Sniffer
> Spyware
> Data Exfiltration
> Remote Control
> Identity Theft
> Ransomware
> Spambot
> Network Scanner
> DDoS Agent
> Targeted attacks
> Data manipulation
> Anonymous Proxy
> DNS Attack
> Warez Archive
Static vs Dynamic Analysis?
<#1> Static Analysis
> The code is NEVER executed (or at least it shouldn't be)
> The analysis is carried out by transforming or re-organising the code of an artefact in successive stages
> Use of a significant number of analysis tools
> Need to manage ad-hoc processing tools
> Beware of possible exploits against the analysis tools you use!
> Limited or very long analysis in the case of packers or complex obfuscation
First of All
String Revealer
Static Malware
<#1> Native Format (PE/ELF)
<#2> Intermediate Language (Java/.NET/etc.)
<#3> Active Documents (PDF/Office/etc.)
<#4
Same result == VERY different approaches
The reality of things #1: <#1> Native Format (PE/ELF)
Interactive Disassembler
Online Disassembler
How Malware Writers protect their
http://upx.sourceforge.net/
How Malware Writers protect their
How Malware Writers protect their
The way to Packers
Original Program: DOS MZ Header, PE Header, Section Table, Sections (.text, .data, .resrc), OEP
Packed Program: DOS MZ Header, PE Header, Section Table, Sections (Unpacker Stub, TempSpace, Packed Data containing the original OEP)
FUD (Fully UnDetectable) Packers
UPX, Aspack, PE Compact, and the rest
http://it.wikipedia.org/wiki/Exe_Packer
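An added Python example (not the talk's code) that reads the DOS MZ Header, PE Header and Section Table of the layouts drawn on the "way to Packers" slide and reports the traits that distinguish a Packed Program (Unpacker Stub, empty TempSpace, high-entropy Packed Data) from an Original Program; it also covers the UPX-style section naming from the FUD Packers slide. Both PE images are built in-script from constructed section tables and are not real executables.

```python
import hashlib
import math
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000          # IMAGE_SCN_MEM_* flags
USUAL = {b".text", b".data", b".rdata", b".rsrc", b".reloc", b".idata", b".bss", b".tls"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def parse_sections(pe: bytes):
    """Walk DOS MZ Header -> PE Header -> Section Table; return (entry-point RVA, sections)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry = struct.unpack_from("<I", pe, coff + 36)[0]  # OptionalHeader.AddressOfEntryPoint
    secs, off = [], coff + 20 + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, off)
        secs.append(dict(name=name.rstrip(b"\0"), vsize=vsize, va=va, data=pe[raw:raw + rsize] if rsize else b"",
                         chars=struct.unpack_from("<I", pe, off + 36)[0]))
        off += 40
    return entry, secs

def packer_indicators(pe: bytes) -> list:
    """Section-table heuristics separating the 'Packed Program' layout from the 'Original Program' one."""
    hits, (entry, secs) = [], parse_sections(pe)
    for s in secs:
        name, ent = s["name"].decode("latin-1"), entropy(s["data"])
        if s["name"] not in USUAL:
            hits.append(f"{name}: unusual section name")
        if not s["data"] and s["vsize"]:
            hits.append(f"{name}: empty on disk, {s['vsize']:#x} bytes in memory (TempSpace for the unpacked code)")
        if ent > 7.0:
            hits.append(f"{name}: entropy {ent:.2f} (packed data)")
        in_sec = s["va"] <= entry < s["va"] + max(s["vsize"], len(s["data"]))
        if in_sec and s["chars"] & MEM_WRITE and s["chars"] & MEM_EXECUTE:
            hits.append(f"{name}: entry point inside a writable+executable section (unpacker stub)")
    return hits

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image used as sample input; it is not a runnable executable."""
    opt_size, body_off = 0xE0, 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size); struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)  # PE32 magic, entry point
    table, body = b"", b""
    for name, vsize, va, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), body_off + len(body) if data else 0, 0, 0, 0, 0, chars)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body

def _blob(n: int) -> bytes:  # deterministic high-entropy bytes standing in for packed data (constructed)
    return b"".join(hashlib.sha256(bytes([i & 0xFF, i >> 8])).digest() for i in range(n // 32 + 1))[:n]

ORIGINAL = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x90" * 256, 0x60000020),   # constructed sample
                     (b".rsrc", 0x1000, 0x2000, b"R" * 256, 0x40000040)], entry_rva=0x1000)
PACKED = build_pe([(b"UPX0", 0x8000, 0x1000, b"", 0xE0000080),              # TempSpace, filled at run time
                   (b"UPX1", 0x2000, 0x9000, _blob(4096), 0xE0000040)], entry_rva=0xAF00)  # stub + packed data
```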
Static Resource Analyzer
Internet helps
The reality of things #2: <#2> Intermediate Language (Java/.NET/etc.)
Why Decompilation is easier
> Metadata must be explicit
(Constant-Pool names, variables, methods and classes)
> The opcodes are very close to the constructs of the source code
(e.g. tableswitch)
> Self-modifying code cannot be used
> Branching to arbitrary locations is not possible,
only to the start of an instruction, and only within the scope of the
current method (checked by the verifier)
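An added Python example (not from the talk) that shows why the explicit metadata makes Java decompilation easier: it walks the constant pool of a .class file and lists the classes, string literals and method references it names, which is what a decompiler or a string revealer starts from. The sample class-file prefix (a hypothetical "Dropper" class, a Runtime.exec reference and a C2-style URL) is constructed inline and stops after the constant pool.

```python
import struct

# Fixed payload sizes of the non-Utf8 constant-pool tags (JVM spec CONSTANT_* structures).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(cls: bytes):
    """Walk the constant pool of a .class file; returns ({index: (tag, payload)}, offset after the pool)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", cls, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = cls[off]
        off += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + (modified) UTF-8 bytes
            n = struct.unpack_from(">H", cls, off)[0]
            pool[idx] = (1, cls[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        elif tag in SIZES:
            pool[idx] = (tag, cls[off:off + SIZES[tag]])
            off += SIZES[tag]
            if tag in (5, 6):                          # long/double occupy two pool slots
                idx += 1
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off - 1}")
        idx += 1
    return pool, off

def reveal(cls: bytes) -> dict:
    """List referenced classes, string literals and member references: the metadata that must stay explicit."""
    pool, _ = parse_constant_pool(cls)
    u16 = lambda b: struct.unpack(">H", b[:2])[0]
    name = lambda i: pool[i][1]                        # Utf8 text behind pool index i
    out = {"classes": [], "strings": [], "refs": []}
    for tag, val in pool.values():
        if tag == 7:                                   # CONSTANT_Class -> Utf8
            out["classes"].append(name(u16(val)))
        elif tag == 8:                                 # CONSTANT_String -> Utf8
            out["strings"].append(name(u16(val)))
        elif tag in (9, 10, 11):                       # Field/Method/InterfaceMethodref -> Class + NameAndType
            c, nt = struct.unpack(">HH", val)
            n, d = struct.unpack(">HH", pool[nt][1])
            out["refs"].append(f"{name(u16(pool[c][1]))}.{name(n)}{name(d)}")
    return out

# Constructed sample: header + constant pool of a hypothetical "Dropper" class (truncated after the pool).
def _utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _ref(tag, *idx): return bytes([tag]) + struct.pack(">" + "H" * len(idx), *idx)
SAMPLE = (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 15)
          + _utf8("java/lang/Runtime") + _ref(7, 1)                                   # 1, 2
          + _utf8("getRuntime") + _utf8("()Ljava/lang/Runtime;") + _ref(12, 3, 4)    # 3, 4, 5
          + _ref(10, 2, 5)                                                           # 6
          + _utf8("exec") + _utf8("(Ljava/lang/String;)Ljava/lang/Process;")         # 7, 8
          + _ref(12, 7, 8) + _ref(10, 2, 9)                                          # 9, 10
          + _utf8("http://c2.example.invalid/gate.php") + _ref(8, 11)                # 11, 12
          + _utf8("Dropper") + _ref(7, 13))                                          # 13, 14
```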
The «Easy» way to Source Code
JD-GUI http://jd.benow.ca/
JAD http://varaneckas.com/jad/
ByteCode Analysis & Manipulation
http://set.ee/jbe/
But things can go wrong
Get your own ZKM String Custom Tool
java -jar ZKMTools.jar <CLASS_FILE>
What is Dynamic Analysis?
<#1> Debugging
<#2> Live Execution Analysis
<#3> Sandbox based Analysis
NEVER use your own PC to run Malware!!!
Snapshot is the Way
<#1> Debugging: Debugging Principles
OllyDbg Debugger http://www.ollydbg.de/
Immunity Debugger http://www.immunitysec.com/products-immdbg.shtml
Debugging World
Rings are privilege and/or security levels provided by the processor.
x86 Ring 3 (Usermode): http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_3_Debuggers
x86 Ring 0 (Kernel): HyperDbg, WinDbg, SoftICE http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_0_Debuggers
Two Assembler things you have to know: base x86/x64 registers
EAX general purpose register #1 (RAX in 64-bit)
EBX general purpose register #2 (RBX in 64-bit)
ECX general purpose register #3 (RCX in 64-bit)
EDX general purpose register #4 (RDX in 64-bit)
ESI source pointer for string operations (RSI in 64-bit)
EDI destination pointer for string operations (RDI in 64-bit)
ESP pointer to the current position of the stack (RSP in 64-bit)
EBP pointer to the base of the stack (RBP in 64-bit)
EIP (Extended Instruction Pointer) pointer to the next instruction to execute
64-bit mode-only general registers: R8-R15
Two Assembler things you have to know: x86/x64 Stack
» LIFO (Last In First Out) structure mapped onto memory
» ESP points to the current position in memory
» EBP is used as a «marker» to manage the next stackframe
» Data can be loaded with the PUSH and POP instructions
» It automatically saves the return address of CALLs
Two Assembler things you have to know: the stackframe
> Run-time stack (Stackframe)
> Holds the local variables
> ESP points to the first (top) element of the stack
> EBP points to the base of the Stackframe
> Every procedure call reserves a new stackframe (the function's scope) by moving ESP and EBP
Memory layout diagram (addresses x0000, x0100, x0200, x3000, xFE00, xFFFF): Trap Vectors, Intr Vectors (x0100), Op Sys, Instructions (.text), global data (.data), Heap, run-time stack, Device Registers; registers shown: ESP, EBP, EPC, R4
Defeat Packers using Debuggers
Best Practices:
> Many processes are not resilient (they run and exit immediately)
> Interrupt the process at the right moment
> Step over instruction by instruction until
» Use the Debugger (e.g. OllyDbg or IDA Pro with Bochs) to go through the various decryption routines, setting Breakpoints at the end of each loop
» Dump the memory at the end of the process (e.g. OllyDumpEx)
<#2> Live Execution Analysis
Start Debugging during Execution
How to Fake Servers during Execution
How to Monitor Traffic during Execution
<#3> Sandbox based Analysis
Detailed Artifact Execution
Screenshots Available!!!
The Online Cuckoo Service
but be careful to fully Understand Objectives!
Domande? Italian
مطالب أيةArabic
¿Preguntas? Spanish
Questions? English
tupoQghachmey Klingon
Sindarin
Japanese
Ερωτήσεις? Greek
вопросы? Russian