Introduction
• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends

Labs’ Objectives
• Gain hands-on knowledge of malware analysis
  • Obfuscation
  • Persistence
  • C&C traffic
• This case is *NOT* cutting edge, but it is a good summary of common things we see nowadays

Win32/Georbot
• One of our analysts reported an interesting string in a binary (.gov.ge)
• Started an investigation; we thought it was time sensitive and involved 3 guys for 3 days
• Interesting features
  • Document stealing
  • Audio / Video capture
  • Etc.

Win32/Georbot
• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques

Workshop Outline
1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol

Tools Required
1. IDA 6.x (you can use the demo)
2. Python interpreter w/ some modules for a web server
3. Immunity Debugger / Olly Debugger

IDA Python
• Automate repetitive tasks in IDA
• Read data (Byte, Word, Dword, etc.)
• Change data (PatchByte, PatchWord, PatchDword, etc.)
• Add comments (MakeComm)
• Add cross references
• User interaction
• Etc.

Data Obfuscation
• Where’s all my data?!
• Debug the malware (in a controlled environment); do you see something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand the obfuscation
• Implement deobfuscation with IDA Python

Control Flow Obfuscation

Control Flow Obfuscation
• Identify common obfuscation patterns
• Find a straightforward replacement
• Implement substitutions with IDA Python
• Reanalyze the program; does it look better?

Control Flow Obfuscation
Obfuscated                 Deobfuscated
push <addr>; ret           jmp <addr>
push <addr>; jmp <addr>    call <addr> (will return to addr)

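The two substitutions from the table, as an added example that is not part of the workshop material: a pure-Python version that patches a byte buffer (standing in for IDA's Byte()/PatchByte() on a live IDB) so it can be run offline. The opcodes are standard x86; the load address and the sample bytes are constructed for the demonstration.

```python
import struct

# x86 encodings used by the two substitutions (added helper, not the
# workshop's IDA Python script; it works on a byte buffer instead of an IDB)
PUSH_IMM32, RET, JMP_REL32, CALL_REL32, NOP = 0x68, 0xC3, 0xE9, 0xE8, 0x90


def deobfuscate_push_ret(code: bytearray, base: int) -> list:
    """Rewrite 'push imm32; ret' (6 bytes) into 'jmp rel32; nop' in place.

    `code` is a code section loaded at virtual address `base`. Returns the
    (va, target) pairs that were patched so comments/xrefs can be added.
    Caveat: this is a linear byte scan, so it can also match data or the
    middle of an instruction; in IDA, iterate over decoded instructions.
    """
    patched, i = [], 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            va = base + i
            target = struct.unpack_from("<I", code, i + 1)[0]
            code[i] = JMP_REL32
            # rel32 is relative to the end of the 5-byte jmp
            struct.pack_into("<I", code, i + 1, (target - (va + 5)) & 0xFFFFFFFF)
            code[i + 5] = NOP
            patched.append((va, target))
            i += 6
        else:
            i += 1
    return patched


def deobfuscate_push_jmp(code: bytearray, base: int) -> list:
    """Rewrite 'push imm32; jmp rel32' (10 bytes) into 'call rel32' + 5 nops.

    Only a true call when the pushed return address is the byte right after
    the jmp; any other pushed value is left untouched for manual review.
    """
    patched, i = [], 0
    while i + 10 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == JMP_REL32:
            va = base + i
            ret_addr = struct.unpack_from("<I", code, i + 1)[0]
            callee = (va + 10 + struct.unpack_from("<i", code, i + 6)[0]) & 0xFFFFFFFF
            if ret_addr == va + 10:
                code[i] = CALL_REL32
                struct.pack_into("<I", code, i + 1, (callee - (va + 5)) & 0xFFFFFFFF)
                code[i + 5:i + 10] = bytes([NOP] * 5)
                patched.append((va, callee))
                i += 10
                continue
        i += 1
    return patched


# Constructed sample at 0x401000: push 0x402340; ret | push 0x401010; jmp 0x402000 | ret
SAMPLE = bytes.fromhex("6840234000c3" "6810104000e9f00f0000" "c3")
```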
API Call Obfuscation
• Where are all my API calls?
• Find and understand the hashing function
• Brute force API calls and add comments to the IDB using IDA Python

API Hashing Function

Let’s understand what’s going on!
• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?

Additional work
• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
  • Kill the process
  • Remove persistence
• At what time interval does the malware probe its C&C server?

FALLBCK.com
• What is this DNS query?
• What can we do with it?

GUID
• What is at 0x0040A03D, and how is it used in the program?

Conclusions
• The set of questions to answer is often similar.
• Don’t focus on details; remember your objective, it’s easy to get lost.
• A mix of dynamic and static analysis is often the best way to quickly understand a new malware family.