• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Adam Meyers - Obfuscation And Communications
 

Adam Meyers - Obfuscation And Communications

on

  • 1,722 views

 

Statistics

Views

Total Views
1,722
Views on SlideShare
1,718
Embed Views
4

Actions

Likes
0
Downloads
40
Comments
0

2 Embeds 4

http://a0.twimg.com 2
https://twitter.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Adam Meyers - Obfuscation And Communications Adam Meyers - Obfuscation And Communications Presentation Transcript

    • RCE: Obfuscation and CommunicationsAdam Meyers - SRA International Significant Work. Extraordinary People. SRA.
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 2
    • Who are you, and what are you doing here?• SRA – Leading provider of technology and strategic consulting services and solutions - including systems design, development and integration; and outsourcing and managed services. – Comprehensive cyber security practice integrating security architecture, risk assessments, and certification & accreditation. SRA’s IA practice currently rated at NSA-CMM Level 3.• Adam – Security Consultant – Penetration Test Team – Forensic Technician – Security Architect – Reverse Code AnalysisSignificant Work. Extraordinary People. SRA. 3
    • Hacker Fail • Fall 2008 a promise is made • Meet JK Benites • This ‘genius’ left his name (unobfuscated) in the malware he wrote to steal banking credentials and ended up at a certain US Government Agency im JK Benites.I like the music, i love the rock N metal, im aperson that like stranges things, like adredaline,be good with friends, make new things... i play theguitar, my guitar is my life, with she i can showthat i feel.i like the Pcs, too....Visit my profil in Hi5: http://jkprotection.hi5.comCity: PiuraHometown: Piura Significant Work. Extraordinary People. SRA. 4
    • Compliance Angry Birds lulz Cyberwar APTSignificant Work. Extraordinary People. SRA. 5
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 6
    • Disclaimer• Standard legal-mumbo jumbo.• You have the right to remain silent. Anything you say or do can and will be used against you in a court of law. You have the right to an attorney. If you cannot afford an attorney, one will be appointed to you.• Prohibition on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.• The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.• (2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—• (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);• (B) information from any department or agency of the United States; or• (C) information from any protected computer;• I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all• Energy can be transformed (changed from one form to another), but cannot be created or destroyed.Significant Work. Extraordinary People. SRA. 7
    • Agenda • Introduction • Disclaimer • Obfuscation • Dynamic Techniques • Static Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 8
    • Packing• This is not a presentation on unpacking• Packers are complex programs aimed at obscuring many of the indicators in malware• Obfuscated strings, code, and communications can still be packed and may require manual unpackingSignificant Work. Extraordinary People. SRA. 9
    • Why obfuscation• Malware Authors know that once malware is deployed to target environment the race is on• Obfuscation can provide extra time for the software to operate between detection and mitigation• In the case of targeted attacks this can allow additional malware/backdoors to be planted and may be critical in operational success• Obfuscation can circumvent some controls/sensors – E.G: IDS rule looking for ws2_32.dll will miss uq0]10,fnn • (ws2_32.dll ⊕ 0x2)Significant Work. Extraordinary People. SRA. 10
    • Obfuscation Math• Mono-Alphabetic Substitution – “Caesar Cipher” || “Shift Cipher” Key http://en.wikipedia.org/wiki/Caesar_cipher• eXlusive OR ⊕/^ – Logic operation “one or the other, never both” – Provides quick obfuscation Clear Text • 1⊕0=1 • ‘a’ ⊕ 1 = ‘`’ – Used as an operator in cryptography• Poly-alphabetic substitution – numerous substitution alphabets – Vigenère SquareSignificant Work. Extraordinary People. SRA. 11
    • Cryptography• Advanced malware may use advanced cryptographic concepts to conceal data• Strings are largely obfuscated and cryptography is generally reserved for command and control• Common Malware Crypto – RC4 – OpenSSL (uses algorithms like AES/DES/Blowfish/etc) – PKI - Advanced crypto• Stream Cipher versus Block CipherSignificant Work. Extraordinary People. SRA. 12
    • String Obfuscation• Malware contains strings for a variety of reasons – Command and Control – Imported/Exported functions – Logging – Crypto• String Obfuscation is trivial to include – “SOURCE Boston 2011” (Clear) – FBHEPR Obfgba 2011 (ROT13) – A]G@QW2P}af}|2 "## (XOR 0x12) – 0x7 0x27 0x3c 0x21 0x63 0x2c 0x53 0x62 0x2 0xa 0x54 0x4 0xb 0x59 0x66 0x58 0x58 0x42 (key password = “This is my key”) Significant Work. Extraordinary People. SRA.
    • Code Obfuscation• Code obfuscation is more advanced than string obfuscation, malware is coded in such a way that it makes decompilation/disassembly very difficult• MessageBoxA(0,”test”,”Hello World”,0) - (Clear)• Call Obfuscation { FARPROC obfunc; obfunc = GetProcAddress(“MessageBoxA”, LoadlibraryA (“user32.dll”)); obfunc(0,”test”,”Obfuscate World”,0); }• Create condition where a function is called via a variable (e.g.: jmp <eax>)• Create loops to build large time delays, or break analysis toolsSignificant Work. Extraordinary People. SRA. 14
    • Command and Control• Malware command and control provides communication to external entities• Typical command and control mechanisms are en claire but obfuscated – Some are encapsulated in crypto (e.g.: ssl)• Various components of C2 may be obfuscated – strings used in C2 – HTTP Post, User Agent, Host Name/IP – Content • Generally provides information back to C2 server on infected systems host name, etc...Significant Work. Extraordinary People. SRA. 15
    • Obfuscation Shortfalls• That which is obfuscated at some point will be deobfuscated• Memory analysis is a great place to identify both unpacked and unobfuscated malware• Complex obfuscation can be analyzed using readily available toolsSignificant Work. Extraordinary People. SRA. 16
    • Unveiling Obfuscation• We need to figure out where the obfuscation is – function calls – crypto libraries• Understand the implementation – Key material 1 byte XOR – Complex password with Crypto Algorithm – Public Key Cryptography• Reveal obfuscated/crypto material into clear text• Ideally make this repeatable with some code• Lets explore analysis ‘tools’ to begin revealing that which we cannot seeSignificant Work. Extraordinary People. SRA. 17
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 18
    • Dynamic Analysis• Several different possibilities for ‘Dynamic Analysis’• In process – Attach a debugger, set break points, step through – Some optimizations• In memory – Capture system memory during/after malware execution – Utilize a helper tool to lock memory – Execute malware inside a VM, suspend, analyze memory contents Significant Work. Extraordinary People. SRA.
    • Debugger Strategies• Import Break Pointing – Enumerate imports in debugger – Breakpoint functions likely to preceded obfuscation• Search referenced obfuscated strings and break point on access• Script obfuscation detection – ImmunitydbgSignificant Work. Extraordinary People. SRA. 20
    • Static Analysis• Static analysis is conducted without executing code• Primary of techniques available – Strings – Disassembly• Static analysis with strings is fairly difficult to accomplish in the case of obfuscation Significant Work. Extraordinary People. SRA.
    • Disassembly• Defacto tool IDA Pro – Released free version 5.0 (newer) December 2010 – Professional version 6.1• IDA uses multiple algorithms – Recursive Decent – Linear Sweep• Write your own – ( Painful + not realistic ) / IDA already exists == no reasonSignificant Work. Extraordinary People. SRA. 22
    • Obfuscated CodeSignificant Work. Extraordinary People. SRA. 23
    • Hybrid Approach• Use both Dynamic and Static• Various methodologies – Find obfuscated strings in static analysis – Identify functions referencing string location using disassembler – Breakpoint function in debugger and reverse obfuscationSignificant Work. Extraordinary People. SRA. 24
    • Concept Persistence/Registry Changes a ted u scJINO^QMDVUCPG^OKAPMQMDV^UKLFMUQ^AWPPGLV bf OTGPQKML^PWL^PWLMLAG Obfuscated Command and Control Obfuscation/Crypto(string) Ob fu sc ate d HKLMSOFTWAREMICROSOFTWINDOWS KeyLog Data/Exfil CURRENTVERSIONRUNRUNONCE Retuned Clear Text Significant Work. Extraordinary People. SRA. 25
    • ConceptJINO^QMDVUCPG^OKAPMQMDV^UKLFMUQ^AWPPGLV Persistence/Registry ChangesTGPQKML^PWL^PWLMLAG a ted sc Obfu Break Point While(string) { Obfuscated Command and Control Obfuscation/Crypto(string) ^ 0x02 clean = string[count] .... } return clean Ob fu sc ate dHKLMSOFTWAREMICROSOFTWINDOWS KeyLog Data/ExfilCURRENTVERSIONRUNRUNONCE Retuned Clear Text Significant Work. Extraordinary People. SRA. 26
    • Practical Example - Step 1 Obfuscated call breaks IDA XRefSignificant Work. Extraordinary People. SRA. 27
    • Practical Example - Step 1 Multiple XRef functions to suspected obfuscationSignificant Work. Extraordinary People. SRA. 28
    • Practical Example - Step 2 Jump to Crypto Function Program jumps to Entry PointSignificant Work. Extraordinary People. SRA. 29
    • Practical Example - Step 2 Set Break Point at function preambleSignificant Work. Extraordinary People. SRA. 30
    • Practical Example - Step 2 Set Break Point at function returnSignificant Work. Extraordinary People. SRA. 31
    • Practical Example - Step 2 When BP is reached - obfuscated string in ECXSignificant Work. Extraordinary People. SRA. 32
    • Practical Example - Step 2 When second BP is reached - deobfuscated string pushed to stack 33Significant Work. Extraordinary People. SRA.
    • Other Useful Methods• Win32 Imports are very useful – Looking for Command and Control? GetHostByName() will receive unobfuscated name – Persistance - RegOpenKey()/RegCreateKey()/RegQueryKey() – Log - CreateFile()/WriteFile()/OpenFile() – Exfiltration - Send()/InternetWriteFile() – Stage2 - URLDownloadToFile()/Recv() – etc• Same routine – Find code reference to imported function – trace backwards statically to obfuscation – set break points and evaluate dynamicallySignificant Work. Extraordinary People. SRA. 34
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 35
    • Reversing Obfuscation• Deeper than ‘breakpoint decryption’• Need to analyze algorithm – Tedious process• Write a tool to decrypt on the fly (help your friends) Significant Work. Extraordinary People. SRA.
    • Algorithm Identification• Hunt the obfuscation function• Dynamic – Step through the function noting how transforms occur – Complicated algorithms may emerge • XOR 0x55 << 0x06 + ‘Z’ % 123• Static – Use Decompiler to review algorithm – Look for static library references • OpenSSL/PGP/Other • Manual implementation (e.g.: RC4 block cipher) – API calls (Also available via dynamic) • Crypt()Significant Work. Extraordinary People. SRA. 37
    • Components of Interest• Non-encoded strings – probable key• Loops – required to loop over multi-character encoded strings to perform transforms• Counters – Some obfuscation changes the key during iterations Crypt(string) { key = 0x12 while(string) { string[count] ^ key key++ count++ }• Malware will sometimes add each byte of the key manually – Looks weird in IDA – Protip - use ‘a’ to render hex to asciiSignificant Work. Extraordinary People. SRA. 38
    • Cheating at Code DeobfuscationSignificant Work. Extraordinary People. SRA. 39
    • Cheating at Code DeobfuscationSignificant Work. Extraordinary People. SRA. 40
    • Cheating at Code DeobfuscationSignificant Work. Extraordinary People. SRA. 41
    • Cheating at Code DeobfuscationSignificant Work. Extraordinary People. SRA. 42
    • Cheating at Code DeobfuscationSignificant Work. Extraordinary People. SRA. 43
    • Hexrays DeCompiler• One word - awesome• Makes reversing algorithms a snapSignificant Work. Extraordinary People. SRA. 44
    • Hexrays DeCompilerSignificant Work. Extraordinary People. SRA. 45
    • Script to DeObfuscateSignificant Work. Extraordinary People. SRA. 46
    • BRUXOR/VARXOR• Brute XOR Python script for IDA Pro• Simple Algorithm – XOR string against every possible value – Calculate how much of the string is in ASCII readable space – look for < 6 letters to be non-ascii – Possible Key• Not very 1337 but shows how simple scripts can help deobfuscateSignificant Work. Extraordinary People. SRA. 47
    • BruxorSignificant Work. Extraordinary People. SRA. 48
    • BruxorSignificant Work. Extraordinary People. SRA. 49
    • BruxorSignificant Work. Extraordinary People. SRA. 50
    • BruxorSignificant Work. Extraordinary People. SRA. 51
    • BruxorSignificant Work. Extraordinary People. SRA. 52
    • DeXor• Command script written for Immunity Debugger• Pointless?• Learning IMM API - more to comeSignificant Work. Extraordinary People. SRA. 53
    • Significant Work. Extraordinary People. SRA. 54
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 55
    • Conclusion• Obfuscated strings whether C2 or part of malware will be deobfuscated at some point• Creative use of debugger breakpoints, IDA script, and in some cases memory dumping can rapidly help deobfuscate• Obfuscated code is complicated to read – Check out Optimice (by Branko Spasojevic)• Hex Rays Disassembler rocks• Deobfuscating malware is valuable to the Incident Responder/Reverse Engineer• Hybrid approach of debugger and disassembler can make things easier Significant Work. Extraordinary People. SRA.
    • Agenda • Introduction • Disclaimer • Obfuscation • Analysis Techniques • Reversing Obfuscation • Conclusion • Q&ASignificant Work. Extraordinary People. SRA. 57
    • Questions? Adam  Meyers Adam_meyers@sra.com Twi3er:  Cyber_Adam_SRASignificant Work. Extraordinary People. SRA. 58