Win32/Flamer: Reverse Engineering and      Framework Reconstruction    Aleksandr Matrosov    Eugene Rodionov
Outline of The Presentation Typical malware vs. Stuxnet/Flame    What the difference? Flamer code reconstruction proble...
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?
What’s the Difference? Typical malware                          Stuxnet/Flame …     Different motivation, budget …     ...
Stuxnet/Duqu/Flamer/Gauss Appearance
Code Complexity GrowthGauss   miniFlamer   Stuxnet   Duqu   Flamer
Code Complexity Growth
C++ Code REconstruction       Problems
C++ Code Reconstruction Problems Object identification    Type reconstruction Class layout reconstruction     Identify...
C++ Code Reconstruction Problems      Class A       vfPtr       a1()                                   A::vfTable       a2...
C++ Code Reconstruction Problems
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Objects Constructors
Identify Objects Constructors
Library code identification         problems
Library Code Identification Problems Compiler optimization Wrappers for WinAPI calls Embedded library code   Library v...
Library Code Identification Problems
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi Functionality store in kernel mode     Win32/Festi      Dropper               Install kernel-mode              ...
Main Festi Functionality store in kernel mode     Win32/Festi      Dropper               Install kernel-mode              ...
Festi: Architecture                      Win32/Festi     Win32/Festi                      Win32/Festi                     ...
Festi: Plugin Interface         Array of pointers            to plugins                                     Plugin 1      ...
Festi: Plugins Festi plugins are volatile modules in kernel-mode address space:   downloaded each time the bot is activa...
Flamer Framework Overview
An overview of the Flamer FrameworkThe main types used in Flamer Framework are: Command Executers –the objects exposing i...
An overview of the Flamer FrameworkVector<Consumer>                  Vector<Command Executor>                   DB_Query  ...
Some of Flamer Framework Components             Identifying processes in the systems corresponding toSecurity     security...
Flamer SQL Lite Database Schema
Flamer SQL Lite Database Schema
REconstructing Flamer Framework
Data Types Being Used Smart pointers Strings Vectors to maintain the objects Custom data types: wrappers, tasks, trigg...
Data Types Being Used: Smart pointerstypedef struct SMART_PTR{   void     *pObject;    // pointer to the object   int     ...
Data Types Being Used: Stringsstruct USTRING_STRUCT{   void *vTable;             // pointer to the table   int RefNo;     ...
Data Types Being Used: Vectorsstruct VECTOR{  void *vTable;         //   pointer to the table  int NumberOfItems;    //   ...
Using Hex-Rays Decompiler Identifying constructors/destructors   Usually follow memory allocation   The pointer to obje...
Using Hex-Rays Decompiler Identifying constructors/destructors   Usually follow memory allocation   The pointer to obje...
Reconstructing Object’s Attributes
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
Reconstructing Object’s Methods
Reconstructing Object’s Methods
DEMO
RelationshipStuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations     Stuxnet          Duqu             Flame         Gauss   MS10-046                         MS10-...
Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel-  mode driver & user-mode...
Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel-  mode driver & user-mode...
Injection mechanism: Flame The payload is injected into processes from user-mode  module The injection technique is base...
Injection mechanism: Flame The payload is injected into processes from user-mode  module The injection technique is base...
Exploit Implementations: Gauss The payload is injected into processes from user-mode  module
Thank you for your attention!Eugene Rodionov         Aleksandr Matrosovrodionov@eset.sk        matrosov@eset.sk@vxradius  ...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstruction
Upcoming SlideShare
Loading in...5
×

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstruction

415

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
415
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
36
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstruction

  1. 1. Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
  2. 2. Outline of The Presentation Typical malware vs. Stuxnet/Flame  What the difference? Flamer code reconstruction problems  C++ code reconstruction  Library code identification Flamer framework overview Object oriented code reconstruction Relationship Stuxnet/Duqu/Flamer
  3. 3. Typical Malware vs. Stuxnet/Flamer
  4. 4. What’s the Difference?
  5. 5. What’s the Difference? Typical malware  Stuxnet/Flame …  Different motivation, budget …  Different motivation, budget …  Use 1-days for distribution  Use 0-days for distribution  Anti-stealth for bypassing all sec  Anti-stealth for bypassing AV soft  Stealth timing: months  Stealth timing: years  Developed in C or C++ in C style  Tons of C++ code with OOP  Simple architecture for plugins  Industrial OO framework platform  Traditional ways for obfuscation:  Other ways of code obfuscation:  packers  tons of embedded static code  polymorphic code  specific compilers/options  vm-based protection  object oriented wrappers for typical OS utilities  …
  6. 6. Stuxnet/Duqu/Flamer/Gauss Appearance
  7. 7. Code Complexity GrowthGauss miniFlamer Stuxnet Duqu Flamer
  8. 8. Code Complexity Growth
  9. 9. C++ Code REconstruction Problems
  10. 10. C++ Code Reconstruction Problems Object identification  Type reconstruction Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  11. 11. C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
  12. 12. C++ Code Reconstruction Problems
  13. 13. Identify Smart Pointer Structure
  14. 14. Identify Exact Virtual Function Call in vtable
  15. 15. Identify Exact Virtual Function Call in vtable
  16. 16. Identify Exact Virtual Function Call in vtable
  17. 17. Identify Custom Type Operations
  18. 18. Identify Objects Constructors
  19. 19. Identify Objects Constructors
  20. 20. Library code identification problems
  21. 21. Library Code Identification Problems Compiler optimization Wrappers for WinAPI calls Embedded library code  Library version identification problem IDA signatures used syntax based detection methods  Recompiled libraries problem  Compiler optimization problem
  22. 22. Library Code Identification Problems
  23. 23. Object Oriented API Wrappers and Implicit Calls
  24. 24. Object Oriented API Wrappers and Implicit Calls
  25. 25. Object Oriented API Wrappers and Implicit Calls
  26. 26. Festi: OOP in kernel-mode
  27. 27. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  28. 28. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  29. 29. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  30. 30. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  31. 31. Festi: Plugins Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  32. 32. Flamer Framework Overview
  33. 33. An overview of the Flamer FrameworkThe main types used in Flamer Framework are: Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.) Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
  34. 34. An overview of the Flamer FrameworkVector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
  35. 35. Some of Flamer Framework Components Identifying processes in the systems corresponding toSecurity security software: antiviruses, HIPS, firewalls, system information utilities and etc.Microbe Leverages voice recording capabilities of the systemIdler Running tasks in the backgroundBeetleJuice Utilizes bluetooth facilities of the systemTelemetry Logging of all the eventsGator Communicating with C&C servers
  36. 36. Flamer SQL Lite Database Schema
  37. 37. Flamer SQL Lite Database Schema
  38. 38. REconstructing Flamer Framework
  39. 39. Data Types Being Used Smart pointers Strings Vectors to maintain the objects Custom data types: wrappers, tasks, triggers and etc.
  40. 40. Data Types Being Used: Smart pointerstypedef struct SMART_PTR{ void *pObject; // pointer to the object int *RefNo; // reference counter};
  41. 41. Data Types Being Used: Stringsstruct USTRING_STRUCT{ void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer};
  42. 42. Data Types Being Used: Vectorsstruct VECTOR{ void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements}; Used to handle the objects:  tasks  triggers  etc.
  43. 43. Using Hex-Rays Decompiler Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes  Creating custom type in “Local Types” for an object Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  44. 44. Using Hex-Rays Decompiler Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes  Creating custom type in “Local Types” for an object Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  45. 45. Reconstructing Object’s Attributes
  46. 46. Reconstructing Object’s Attributes
  47. 47. Reconstructing Object’s Methods
  48. 48. Reconstructing Object’s Methods
  49. 49. Reconstructing Object’s Methods
  50. 50. DEMO
  51. 51. RelationshipStuxnet/Duqu/Gauss/Flamer
  52. 52. Source Code Base Differences
  53. 53. Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092(Task Scheduler) MS11-087 (Win32k.sys)
  54. 54. Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  55. 55. Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  56. 56. Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
  57. 57. Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
  58. 58. Exploit Implementations: Gauss The payload is injected into processes from user-mode module
  59. 59. Thank you for your attention!Eugene Rodionov Aleksandr Matrosovrodionov@eset.sk matrosov@eset.sk@vxradius @matrosov
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×