Two-For-One Talk: Malware Analysis for Everyone

Two short talks in one deck. One on automated analysis tools for the novice. The second on reverse engineering malicious PDF files.


  1. Paul Melson
     Two-For-One Talk: Malware Analysis for Everyone
  2. MWA-101: Five Automated Analysis Tools You Should Know
  3. Why Do Malware Analysis?
     Client-side attacks that install malware are the #1 external threat.
     It’s not slowing down any time soon:
     “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31% from the previous period.”
     “In 2008, Symantec created 1,656,227 new malicious code signatures. This is a 265% increase over 2007.”
     (Source: Symantec Internet Threat Report, April 2009)
  4. Firewalls and Anti-Virus Have Lost
     Client-side attacks against web browsers and e-mail go right through most firewall policies
     Detection rates for current malware files by market-leading anti-virus scanners are averaging 30-50%
     If you’re not adapting some other way, you’ve lost
  5. Malware is Adapting Quickly
     Take away Local Administrator privileges?
       Malware that persists in HKCU Registry keys or the StartUp group
     Whitelist apps with Windows Firewall?
       Malware that hooks into Internet Explorer plugin APIs
     Block IRC at the firewall?
       Malware that uses encrypted HTTP/HTTPS back-channels
  6. “But it’s just spyware, right?”
     In the past 2 years, we’ve found malware in the wild that:
       Sends hundreds of spam e-mail messages per second
       Gives the bot “herder” full desktop remote control
       Searches files in “Documents and Settings” for SSNs, credit card numbers, and saved Internet Explorer passwords
       Records all screen and text input and reports it in real time to a server in Russia
  7. VirusTotal
     http://www.virustotal.com
     Upload a suspicious file; they scan it with 40+ different anti-virus products using current signatures
       Pretty much everybody, except TrendMicro
     Useful for determining if a file is malicious
     Also for determining whether your anti-virus would detect a particular file
     Take advantage of heuristic/edge products without all of the false positives in production
     OK, but not great for brand new or custom malware
     Not great for obfuscated exploits, better with binaries
  8. (image-only slide)
  9. CWSandbox
     http://www.cwsandbox.org
     Upload a suspicious Windows executable; they run it in their sandbox and tell you what it did
     Great for figuring out what a file actually does
     It doesn’t establish malicious vs. benign; that’s up to you
     Requires some detailed understanding of the Windows Registry, processes, and file system to interpret the report
     Some malware can detect this and other sandboxes, and won’t run
     Other similar services:
       Norman Sandbox
       JoeBox
 10. (image-only slide)
 11. (image-only slide)
 12. Threat Expert
     http://www.threatexpert.com
     Upload a suspicious Windows binary; they analyze it
     Supports web submission, but also a Windows applet
     Must register to submit samples
     Combines the features of CWSandbox and VirusTotal:
       Anti-virus scan
       File / registry modifications
       Packer identification
     Browse reports and statistics from other submitted files
 13. (image-only slide)
 14. (image-only slide)
 15. Wepawet
     http://wepawet.iseclab.org
     Upload a suspicious PDF, HTML, or Flash file, or submit a suspicious URL, and it will analyze it for malicious JavaScript.
     Great for working with obfuscated JavaScript, where reversing and debugging is complex and time-intensive.
     However, some forms of obfuscation, especially in PDF and SWF files, can be used to beat it.
 16. (image-only slide)
 17. Comodo
     http://camas.comodo.com
     Upload a suspicious Windows binary; they analyze it for you
     Similar to CWSandbox
     Very fast
     Relatively new/unknown, so less likely to be targeted for evasion
     (Assuming they use technology different enough from Norman, CWSandbox)
 18. (image-only slide)
 19. MWA-101: Q&A
 20. MWA-405: Unpacking PDF Exploit Payloads
 21. PDF Files and Malware
     Malware relies on two methods to install:
       Exploiting a browser vulnerability
       Tricking people into running a file
     Adobe Acrobat Reader is, right now, the most reliably vulnerable piece of software in the world
     It’s really hard to patch across the enterprise
     Predecessors:
       Internet Explorer
       QuickTime Player
       Adobe Flash Player
 22. They Don’t Call it Pwndobe for Nothing
     Tuesday’s Acrobat Reader security bulletin
     That’s 29 unique vulnerabilities, in case you’re keeping score
 23. PDF as an Attack Vector
     Acrobat Reader is executable from the web browser
       Called as a browser plugin via COM
       There is an IE killbit, but I dare you to use it in a business
       Each version of Acrobat Reader has its own CLSID, and killbit
     The PDF file format supports scripting and obfuscation:
       JavaScript
       Embedding binary objects and scripts as streams
       Compressing and encoding these streams
     These are the same things that made Flash a good attack vector, so you may have some idea as to what’s next
 24. PDF With Malicious Payload
     PDF file header including JavaScript trigger
 25. PDF With Malicious Payload
     PDF file body showing binary FlateDecode stream
     Note the /Filter and /Length tags
 26. Unpacking FlateDecode Streams
     FlateDecode is stream compression using zlib compress()
     Several tools can decompress and extract the streams for you:
       PDF Stream Inflater by Bobby Spasic (Malzilla)
         Not available for download anymore
       pdftk by Sid Steward (AccessPDF)
         Not specifically for malware
         http://www.accesspdf.com/pdftk/
       pdf-parser.py by Didier Stevens
         This guy writes all sorts of awesome tools
         http://blog.didierstevens.com/programs/pdf-tools/
 27. Unpacking FlateDecode Streams
     Using PDF Stream Inflater to extract the FlateDecode stream
 28. Unpacking FlateDecode Streams
     Viewing the decoded stream containing obfuscated JavaScript
 29. Unpacking FlateDecode Streams
     Pipe the extracted stream through Didier Stevens’ SpiderMonkey mod
     The log files contain the output of the obfuscated JavaScript
 30. Unpacking FlateDecode Streams
     Look! More JavaScript, but this time it’s readable.
     Hmmm, I wonder…
 31. Unpacking FlateDecode Streams
     Oh, look, they copied the exploit from milw0rm.
 32. Beyond FlateDecode
     Different versions of the PDF file standard support additional forms of encoding streams:
       ASCIIHexDecode
       ASCII85Decode
     Encoding methods can be combined on a single stream
       Order of operations matters!
     Two methods for extracting and decoding:
       Manually decode the hex stream to a zlib binary stream, reinsert it, resize the header (basically recreating the PDF as if it only contained the FlateDecode stream), then extract with inflater.exe
         (this sucks, BTW)
       Use pdf-parser.py
 33. Beyond FlateDecode
     This stream is encoded with ASCIIHexDecode and FlateDecode
 34. Beyond FlateDecode
     We decode the stream and find more obfuscated JavaScript
       ./pdf-parser.py -f boBAn.pdf | less
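The decoding steps that slides 26 and 32 to 34 describe, as an added Python example that is not code from the deck or from pdf-parser.py: locate each stream object, read its /Filter entry, and apply FlateDecode, ASCIIHexDecode or ASCII85Decode in the order the array lists them. The sample PDF, its script text and the build_obj helper are constructed for this example, and the regex parser is deliberately minimal (no xref table or object streams), so it handles the single-file case shown here rather than arbitrary PDFs.

```python
import re
import zlib
import base64

# Constructed sample (not from the deck): a tiny PDF whose /OpenAction runs the
# script in object 4 (plain FlateDecode). Object 5 holds the same script compressed
# and THEN hex-encoded, so /Filter lists ASCIIHexDecode first: array order = decode order.
JS_PLAIN = b"var s = unescape('%u9090%u9090'); app.alert(s.length);"
JS_FLATE = zlib.compress(JS_PLAIN)
JS_HEX = JS_FLATE.hex().encode() + b">"        # ASCIIHex data ends with '>'

def build_obj(num, filter_entry, data):      # helper for the constructed sample
    return (str(num).encode() + b" 0 obj << /Length " + str(len(data)).encode()
            + b" " + filter_entry + b" >>\nstream\n" + data + b"\nendstream endobj\n")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 4 0 R >> >> endobj\n"
    + build_obj(4, b"/Filter /FlateDecode", JS_FLATE)
    + build_obj(5, b"/Filter [/ASCIIHexDecode /FlateDecode]", JS_HEX)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# The dictionary group may not run past "endobj", so a non-stream object that
# precedes a stream object (object 1 above) is not swallowed as its dictionary.
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")   # single name or array

def decode_filter(name, data):
    """Apply one of the three standard stream filters the deck discusses."""
    if name == b"FlateDecode":
        return zlib.decompress(data)
    if name == b"ASCIIHexDecode":
        hexdata = re.sub(rb"\s", b"", data.split(b">", 1)[0])   # '>' = end of data
        hexdata += b"0" * (len(hexdata) % 2)   # spec: lone final digit is padded with 0
        return bytes.fromhex(hexdata.decode("ascii"))
    if name == b"ASCII85Decode":
        return base64.a85decode(data.split(b"~>", 1)[0])         # '~>' = end of data
    raise ValueError("unsupported filter: %r" % name)

def extract_streams(pdf):
    """Return [(object number, filter names, decoded bytes)] for every stream object."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, dictionary, data = m.groups()
        filters = re.findall(rb"/(\w+)", b"".join(FILTER_RE.findall(dictionary)))
        for name in filters:               # array order is decode order
            data = decode_filter(name, data)
        found.append((int(num), filters, data))
    return found
```

Running extract_streams(SAMPLE_PDF) yields the same script body for objects 4 and 5; swapping the two filter names in object 5's array makes the hex step fail, which is the "order of operations matters" point in practice.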
 35. Beyond FlateDecode
     Throw <html> and <script> tags around the obfuscated JavaScript and upload it to Wepawet
 36. Beyond FlateDecode
     Ooh, second-stage executable downloads!
 37. Beyond FlateDecode - Epilogue
     From the time that I started this research to the time I wrote this presentation, Wepawet has added support for ASCIIHexDecode in PDF files
     So, yes, the hours of work I did on this can be replicated in mere seconds with only a web browser
     But this underscores the ongoing arms race between security researchers and malware vendors
     That’s right, I said vendors
 38. Some Extra Fun
     whois goodshoot1.com
     Note the goofy domain on those name servers
 39. Some Extra Fun
     So we search malwareurl.com for that domain, and…
 40. Some Extra Fun
     YES is a crimeware system made in Russia
     This is the login page for its web console
 41. Network Detection
     Easy enough to find PDF files that use encoded streams with your IDS/IPS
     Your firewall and proxy logs are a good place to look, too
     Most sites hosting second-stage malware are in foreign countries, especially Russia, China
     Use language to your advantage – if your employees speak English, then documents downloaded from countries that don’t speak English could be suspicious
 42. Network Detection
     Snort rules to detect suspicious PDF files:
       alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;)
       alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;)
       alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;)
       alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;)
 43. Network Detection
     Firewall events for PDFs downloaded from countries other than the US, UK, and Canada
 44. pmelson@gmail.com
     http://pmelson.blogspot.com
     Special Thanks to Sean Koessel
     MWA-405: Q&A
