Reverse Engineering Malware: A look inside Operation Tovar

Join us as we step through the reverse engineering of CryptoLocker, identifying important functionality and weaknesses. We'll demonstrate how we were able to use this information to help protect our customers months ago, the weaknesses that the Department of Justice took advantage of, and how you can do the same for other types of malware down the line.


  1. Reverse Engineering Malware: A look inside Operation Tovar. Brandon Tansey, Security Researcher, Lancope. © 2014 Lancope, Inc. All rights reserved.
  2. Source: 2014 Verizon DBIR
  3. 75% of malware contained functionality of spyware/keyloggers; 55% of malware automatically collected pre-existing data on victim computers. Source: 2013 Verizon DBIR
  4. All malware leaves behind some information of its own
  5. Malware Analysis
  6. What information is there to find?
     • Command and control hosts
     • Encryption keys
     • Implementation flaws
     • Exploits
     • Malware capabilities
     • …
  7. What information do you need?
  10. Dynamic Analysis vs. Static Analysis
  11. Initialization: 1. Start the malware
  12. Initialization: 1. Start the malware; 2. Malware loads RSAenh.dll (Microsoft Enhanced Cryptographic Provider)
  13. Establishing Persistence: 3. Copy self to Application Data
  14. Establishing Persistence: 3. Copy self to Application Data; 4. Open second process
  15. Establishing Persistence: 5. Maintain auto-start registry keys
  16. Reaching Out: 6. Make network calls
  17. Reaching Out: 6. Make network calls; 7. Start looking for command and control hosts
  19. Establish C2: 8. Find valid C2 host
  20. Compromise: 9. Store public key
  21. Compromise: 9. Store public key; 10. Scan and encrypt files
  23. Close loop: 11. Log encrypted files and start over
  25. What do we think we know?
     • Takes advantage of advanced public key crypto (RSAenh.dll; PublicKey registry key)
     • Loops through DNS requests for tons of gibberish hosts until it finds an active, real one (all samples appear to create the same domains)
     • Does not begin encrypting until it receives the public key from the C2 server
  26. Static Analysis
  30. Source: microsoft.com
  37. Source: justice.gov
  38. Operation Tovar
  39. Source: justice.gov
  40. Operational Security (OPSEC). Source: archive.gov
  41. Source: justice.gov
  42. “In cooperation with Luxembourg law enforcement agencies, pursuant to an MLAT request, the FBI analyzed the contents of [second level Cryptolocker] server, discovering HTTP access logs that showed which users were accessing this server.” Source: justice.gov
  43. “This consistent pattern of overlapping IP addresses and user agent strings establishes that Bogachev was the individual utilizing and managing the [Gameover] infrastructure. Moreover, the fact that Bogachev had elevated Administrative access to the critical UK GOZ server establishes that he is not only a participant in the GOZ conspiracy, but a leader.” Source: justice.gov
  44. Source: justice.gov
  45. Tovar Time-out!
  46. Source: virustotal.com
  47. Library of Sparta, Tom Cross, David Raymond, Greg Conti, Wednesday, August 5th at 10:15am. Source: blackhat.com
  48. Source: justice.gov
  49. Source: justice.gov
  50. Source: justice.gov
  53. Tools
     • YOUR FAVORITE SEARCH ENGINE!
     • Process Monitor (SysInternals)
     • Wireshark
     • Inetsim (via Remnux)
     • IDA Pro (alt. IDA shareware, radare, Hopper, objdump)
  54. Want to learn more?
     • OpenSecurityTraining.info
     • Practical Malware Analysis (Michael Sikorski and Andrew Honig)
     • The IDA Pro Book (Chris Eagle)
     <shamelessPlug>
     • http://lancope.com/blog
     • https://twitter.com/stealth_labs
     • https://twitter.com/lancope
     </shamelessPlug>
  55. THANK YOU. Brandon Tansey, Security Researcher, btansey@lancope.com

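The most network-visible behaviour in the walkthrough above (slides 17 to 19 and the summary on slide 25) is the loop of DNS lookups for gibberish hosts that fail until a live C2 domain answers. The following Python is an added example, not code from the talk or from Lancope, that flags a client for that pattern in a resolver log; the `<epoch> <client> <qname> <rcode>` line format, the sample log and the thresholds are all constructed assumptions.

```python
"""Flag clients that burn through many NXDOMAIN lookups of generated-looking
names inside a short window, the DGA behaviour described on slide 25."""
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): epoch, client, qname, rcode.
# 10.0.0.7 walks a burst of gibberish names and finally gets a live answer.
SAMPLE_LOG = """\
1401700001 10.0.0.5 www.example.com NOERROR
1401700002 10.0.0.7 qxkvpzjwtrlmb.org NXDOMAIN
1401700002 10.0.0.7 hjcrtwmzkdqpl.net NXDOMAIN
1401700003 10.0.0.7 xwvzqpkrltnmg.com NXDOMAIN
1401700003 10.0.0.7 bprmzlkqtwxdh.info NXDOMAIN
1401700004 10.0.0.7 zkqtwxlmrpcdf.biz NXDOMAIN
1401700005 10.0.0.7 pwlkmrqztxncd.ru NOERROR
1401700010 10.0.0.5 mail.example.com NOERROR
1401700011 10.0.0.5 cdn.examplehost.net NXDOMAIN
"""

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(qname: str) -> bool:
    """Heuristic on the second-level label: long, high entropy, few vowels."""
    labels = qname.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[-1]
    vowels = sum(ch in "aeiou" for ch in sld)
    return len(sld) >= 12 and label_entropy(sld) >= 3.2 and vowels / len(sld) < 0.2

def find_dga_clients(log_text: str, window: int = 60, threshold: int = 4) -> dict:
    """Return {client: sorted generated-looking NXDOMAIN names} for every client
    with at least `threshold` distinct such failures inside `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            events[client].append((int(ts), qname))
    flagged = {}
    for client, hits in events.items():
        hits.sort()  # sliding window over time-ordered failures
        for i, (t0, _) in enumerate(hits):
            in_window = {q for t, q in hits[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[client] = sorted({q for _, q in hits})
                break
    return flagged

if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LOG).items():
        print(client, "made", len(names), "generated-looking NXDOMAIN lookups")
```

The NOERROR answer that ends the burst is the "valid C2 host" of slide 19, so a responder should keep it alongside the flagged failures rather than filter it out.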