Malware: The Good, the Bad and the Ugly


Published on

Pete Arzamendi, CISSP, QSA, PA-QSA, GREM, is a consultant at 403 Labs with over 10 years of experience in systems administration, computer engineering, and information systems security. Pete regularly conducts penetration testing of systems and applications, security assessments, forensic investigations, and compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).

This presentation was given at the Milwaukee InfraGard meeting held at Milwaukee Area Technical College (MATC) on August 16, 2012. In it, Pete discusses different types of malware as well as malware and memory analysis, including an overview of analysis tools and some examples pulled from his past experiences.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Behavioral – Make sure to note the use of a safe protected environment. Segmented network, VM, etc….
  • Give some examples of when you need to the software to receive an update or something like that for behavioral.
  • SSDT – Internal look up table of function calls into the kernel. When call a kernel function SYSENTER is used an index to the SSDT will be passed to SYSENTER. Example: at offset 25 in the SSDT is NtCreateFile.IDT – Hooks by registering a handler for the interrupt so when the interrupt is triggered the malicious code will run.
  • SSDT – Internal look up table of function calls into the kernel. When call a kernel function SYSENTER is used an index to the SSDT will be passed to SYSENTER. Example: at offset 25 in the SSDT is NtCreateFile.IDT – Hooks by registering a handler for the interrupt so when the interrupt is triggered the malicious code will run.
  • PslistThis walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes. Psscan enumerate processes using pool tag scanning
  • Malware: The Good, the Bad and the Ugly

    1. 1. Malware: The Good, the Bad and the Ugly Pete Arzamendi 403 Labs, LLC
    2. 2. About Me• Consultant and forensic investigator at 403 Labs – Qualified Security Assessor (QSA) – Payment Application Qualified Security Assessor (PA- QSA) – Certified Information Systems Security Professional (CISSP) – GIAC Reverse Engineering Malware (GREM)
    3. 3. About Me• Former packet monkey, with more than 10 years of experience in the IT field• Worked with small/medium businesses, and local and state authorities on computer forensic cases and security assessments• Hobbies include malware analysis, vulnerability research and hiking
    4. 4. About 403 Labs, LLC• Full-service information security and compliance consulting firm headquartered in Milwaukee with additional offices in Chicago and San Francisco• Experts in the Payment Card Industry (PCI) – PCI Forensics Investigator (PFI) – Qualified Security Assessor (QSA) – Payment Application Qualified Security Assessor (PA-QSA) – Approved Scanning Vendor (ASV) – Qualified Security Assessor Point to Point Encryption (QSA (P2PE)) – Payment Application Qualified Security Assessor Point to Point Encryption (PA-QSA (P2PE))
    5. 5. About 403 Labs, LLC• Compliance assessments (HIPAA, GLBA, SOX, etc.)• Computer forensic investigations• Penetration testing including web application testing and social engineering• Vulnerability scanning• Code reviews• IT audits• Risk assessments• Policies & procedures
    6. 6. Agenda• Overview of malware• Analysis approaches• User versus kernel space• Establishing persistence• Memory analysis• Examples• Tools for analysis• Resources• Questions
    7. 7. Malware• Wikipedia definition: – Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
    8. 8. Malware Types• Data-stealing – User credentials – Credit card numbers – Transferring funds – Confidential information• Remote access – Bots• Profit-based – Ransom/extortion – Advertisements
    9. 9. Analysis Approaches• Static analysis – Review PE headers – Search for clear-text strings – Static code review• Behavioral analysis – Registry monitoring – File system monitoring – Network monitoring
    10. 10. Analysis Approaches• Which is better? – Up to you and your comfort level • People with a light programing background may choose to start with behavioral – I prefer to start with static analysis • If stuck, I move to behavioral to fill in the pieces
    11. 11. User Versus Kernel Space Malware• User space – Runs as normal user, no special privileges • Keyloggers – Uses Windows APIs GetAsyncKeyState and GetKeyState to read keyboard clicks • Process scraping for data – Accesses each process the user is running looking for data • Attempts to blend into the background – Renames executable to match known Windows executable • Easier to write and more stable than rootkits
    12. 12. User Versus Kernel Space Malware• Kernel space – Requires and runs under evaluated privileges • Rootkits – Difficult to get right – Attempts to cloak the malware » System Service Descriptor Table (SSDT) hooking by changing Nt* function pointers in the SSDT table to point to malware » Interrupt Descriptor Table (IDT) by modifying the interrupt service routine to point to malware
    13. 13. User Versus Kernel Space Malware• Modify the forwarded and back links in ListEntry in EPROCESS structure to hide process
    14. 14. Achieving Persistence• Now that the malware is installed, how do we achieve persistence?• Several ways to achieve persistence – Registry settings • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRun • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurr entVersionRun • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunOnce • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurr entVersionRunOnce – Install Malware as service • Windows CreateService API
    15. 15. Memory Analysis• definition: – Memory analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer.• Pete’s definition: – Looking at the man behind the curtain and getting intimate with the operating system.
    16. 16. What is Memory Analysis?• Why is memory analysis useful? – Memory contains a wealth of information • Process information – What applications are running – Who is running the applications – What data is the process working with – Ability to recreate the process executable • Network information – Active connection information – Open ports activity listing • Account information – Usernames – Passwords • Encryption keys – Full disk encryption keys
    17. 17. Analyzing Memory• What are we looking for? – Malicious “stuff” • API hooks • DLL injections • Hidden process • Active listeners – Non-malicious “stuff” • Encryption keys • User account information
    18. 18. Analyzing Memory• So how do we find the goods? – Old-school way (very time consuming) • Strings • Manually rebuild each processes structure – New methods (let the tools do the heavy lifting) • Mandiant Audit Viewer/Redline • Volatility • Encase/FTK • Several others
    19. 19. Analyzing Memory• Mandiant – Audit Viewer • Requires Memoryze • Enumerates processes, drivers and dll hooking detection • Easy to use but clunky • Windows only
    20. 20. Audit Viewer
    21. 21. Analyzing Memory• Mandiant – RedLine • Easier to use the Audit Viewer • Support for other tools (IOC) • Nice graph view of what’s going on • Customizable audits • Windows only
    22. 22. RedLine
    23. 23. Analyzing memory• Volatility (awesome!) – Cross-platform written in Python – Modular design – Open source – Large development community (very smart people making modules) – Command line – Volatility from here on out! – Now supports 64 bit
    24. 24. Volatility
    25. 25. Find the Hidden Process• Compare the difference of psscan and pslist output• Easier way psdiff
    26. 26. Example 1• Resource section of the executable – Normally used for raw resource data: • Icons, bitmaps, dialog boxes• Malware sample used resource section to store email and IP addresses
    27. 27. Example 1
    28. 28. Example 2• Known and widely-used malware – Perfect Keylogger – Process scraper – hkcmd.exe• Malware sent data to foreign IP addresses via HTTP and SMTP• One of several similar cases
    29. 29. Example 2• Encoded files – Perfect Keylogger configuration file encoded with simple XOR – 0 XOR with AA = AA thus AA was the key to decrypt the configuration and data files
    30. 30. Example 2• Decode configuration file and data files• Configured to send its log information to an IP address in Canada and email address of michaeljackson***********
    31. 31. Example 2• Shipping the goods – Process scraping malware sending data via FTP – Once the malware sends the file it removes it from disk – Investigating swap and unallocated space comes in handy
    32. 32. Example 2
    33. 33. Example 2• Keep on trucking – The malware creates a registry key under HKEY_LOCAL_MACHINESOFTWAREMicrosoft WindowsCurrentVersionRun – This will cause the malware to run every time a user logs into the system • Hides under c:windows to appear legitimate
    34. 34. Example 2
    35. 35. Example 3• Malware – Known process scraping malware package – Malware was running as a service – Retrieved data via remote access
    36. 36. Example 3• Malware searching memory for credit card numbers
    37. 37. Example 3• Malware taking hold – Example of the malware installing itself as a service to survive reboots
    38. 38. What’s on the Horizon?• More browser-based attacks – Browser-specific attacks – Java – Flash• More malicious documents – Microsoft Office documents – Adobe PDFs
    39. 39. What’s on the Horizon?• More mobile device attacks – Android – Apple iOS – Windows Mobile• Stealthier malware – Resident only in memory and not on disk
    40. 40. Useful Tools – Malware Analysis in Windows• Static analysis – IDA Pro – PEiD – Peview – Volatility – RedLine
    41. 41. Useful Tools – Malware Analysis in Windows• Dynamic analysis – WinDbg – OllyDbg – Immunity debugger – SysInternals Suite (Strings, Autoruns, Process Monitor, Process Explorer) – Regshot – LoardPE
    42. 42. Resources• Microsoft Windows Developers Network –• –• Volatility –• –• Windows - Managing Virtual Memory• REMnux –
    43. 43. Resources• Intel Assembly manuals – rchitectures-software-developer-manuals.html/• IDA Blog –• IDA disassembler and debugger –• Immunity debugger and Ollydbg – –
    44. 44. Questions? Thank you for staying awake! Peter “bokojan” Arzamendiparzamendi[at]403labs[dot]com 403 Labs, LLC 877.403.LABS