Two-For-One Talk: Malware Analysis for Everyone



Two short talks in one deck. One on automated analysis tools for the novice. The second on reverse engineering malicious PDF files.


  1. Paul Melson
     Two-For-One Talk: Malware Analysis for Everyone
  2. MWA-101: Five Automated Analysis Tools You Should Know
  3. Why Do Malware Analysis?
     Client-side attacks that install malware are the #1 external threat.
     It's not slowing down any time soon:
     "Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31% from the previous period."
     "In 2008, Symantec created 1,656,227 new malicious code signatures. This is a 265% increase over 2007."
     (Source: Symantec Internet Security Threat Report, April 2009)
  4. Firewalls and Anti-Virus Have Lost
     Client-side attacks against web browsers and e-mail go right through most firewall policies
     Detection rates for current malware files by market-leading anti-virus scanners average 30-50%
     If you're not adapting in some other way, you've lost
  5. Malware Is Adapting Quickly
     Take away local Administrator privileges?
     Malware that persists in HKCU Registry keys or the StartUp group (no admin rights needed for either)
     Whitelist applications with Windows Firewall?
     Malware that hooks into Internet Explorer plugin APIs (so it runs inside an already-allowed process)
     Block IRC at the firewall?
     Malware that uses encrypted HTTP/HTTPS back-channels
  6. "But it's just spyware, right?"
     In the past 2 years, we've found malware in the wild that:
     Sends hundreds of spam e-mail messages per second
     Gives the bot "herder" full remote desktop control
     Searches files in "Documents and Settings" for SSNs, credit card numbers, and saved Internet Explorer passwords
     Records all screen and text input and reports it in real time to a server in Russia
  7. VirusTotal
     Upload a suspicious file; they scan it with 40+ different anti-virus engines using current signatures
     Pretty much everybody, except TrendMicro
     Useful for determining whether a file is malicious
     Also for determining whether your own anti-virus would detect a particular file
     Take advantage of heuristic/edge products without all of their false positives in production
     OK, but not great, for brand-new or custom malware (no signature exists yet)
     Not great for obfuscated exploits; better with binaries
     Caveat: anything you upload is shared with the participating vendors, so think twice before submitting a document that contains your own data or a sample from a targeted intrusion you don't want the attacker to see flagged
  8. [screenshot]
  9. CWSandbox
     Upload a suspicious Windows executable; they run it in their sandbox and tell you what it did
     Great for figuring out what a file actually does
     It doesn't establish malicious vs. benign; that's up to you
     Requires some detailed understanding of the Windows Registry, processes, and file system to interpret the report
     Some malware can detect this and other sandboxes and won't run
     A report showing almost no activity can mean the sample detected the sandbox, slept past the timeout, or needed an argument or file it didn't get; it does not mean the sample is benign
     Other similar services:
     Norman Sandbox
     JoeBox
  10. [screenshot]
  11. [screenshot]
  12. Threat Expert
      Upload a suspicious Windows binary; they analyze it
      Supports web submission, but also a Windows submission applet
      Must register to submit samples
      Combines the features of CWSandbox and VirusTotal:
      Anti-virus scan
      File / registry modifications
      Packer identification
      Browse reports and statistics from other submitted files
  13. [screenshot]
  14. [screenshot]
  15. Wepawet
      Upload a suspicious PDF, HTML, or Flash file, or submit a suspicious URL, and it will analyze it for malicious JavaScript.
      Great for working with obfuscated JavaScript, where reversing and debugging by hand is complex and time-intensive.
      However, some forms of obfuscation, especially in PDF and SWF files, can be used to beat it.
  16. [screenshot]
  17. Comodo
      Upload a suspicious Windows binary; they analyze it for you
      Similar to CWSandbox
      Very fast
      Relatively new/unknown, so less likely to be targeted for evasion
      (Assuming they use technology different enough from Norman and CWSandbox)
  18. [screenshot]
  19. MWA-101: Q&A
  20. MWA-405: Unpacking PDF Exploit Payloads
  21. PDF Files and Malware
      Malware relies on two methods to install:
      Exploiting a browser (or browser plugin) vulnerability
      Tricking people into running a file
      Adobe Acrobat Reader is, right now, the most reliably vulnerable piece of software in the world
      It's really hard to patch across the enterprise
      Predecessors:
      Internet Explorer
      QuickTime Player
      Adobe Flash Player
  22. They Don't Call It Pwndobe for Nothing
      Tuesday's Acrobat Reader security bulletin
      That's 29 unique vulnerabilities, in case you're keeping score
  23. PDF as an Attack Vector
      Acrobat Reader is executable from the web browser
      Called as a browser plugin via COM (an ActiveX control in Internet Explorer)
      There is an IE killbit, but I dare you to use it in a business
      Each version of Acrobat Reader has its own CLSID, and therefore its own killbit to set
      The PDF file format supports scripting and obfuscation:
      JavaScript
      Embedding binary objects and scripts as streams
      Compressing and encoding those streams
      These are the same things that made Flash a good attack vector, so you may have some idea of what's next
  24. PDF With Malicious Payload
      PDF file header, including the JavaScript trigger (typically an /OpenAction or /AA entry pointing at a /JavaScript action, so the script runs as soon as the document opens)
  25. PDF With Malicious Payload
      PDF file body showing a binary FlateDecode stream
      Note the /Filter and /Length entries in the stream dictionary: the first says how the stream is encoded, the second how many bytes to carve out
  26. Unpacking FlateDecode Streams
      FlateDecode is stream compression using zlib/deflate (what zlib's compress() produces)
      Several tools can decompress and extract the streams for you:
      PDF Stream Inflater by Bobby Spasic (Malzilla)
      Not available for download anymore
      pdftk by Sid Steward (AccessPDF)
      Not specifically for malware
      … by Didier Stevens
      This guy writes all sorts of awesome tools
  27. Unpacking FlateDecode Streams
      Using PDF Stream Inflater to extract the FlateDecode stream
  28. Unpacking FlateDecode Streams
      Viewing the decoded stream containing obfuscated JavaScript
  29. Unpacking FlateDecode Streams
      Pipe the extracted stream through Didier Stevens' SpiderMonkey mod
      The log files contain the output of the obfuscated JavaScript, i.e. the strings it handed to eval(), without Reader ever running it
  30. Unpacking FlateDecode Streams
      Look! More JavaScript, but this time it's readable.
      Hmmm, I wonder…
  31. Unpacking FlateDecode Streams
      Oh, look, they copied the exploit from milw0rm.
  32. Beyond FlateDecode
      The PDF standard supports other stream filters besides FlateDecode:
      ASCIIHexDecode
      ASCII85Decode
      Filters can be chained on a single stream, e.g. /Filter [/ASCIIHexDecode /FlateDecode]
      Order of operations matters! The filters are undone in the order the array lists them: unhex first, then inflate
      Two methods for extracting and decoding:
      Manually decode the hex stream to the zlib binary stream, reinsert it, fix up /Length, basically recreating the PDF as if it only contained the FlateDecode stream, then extract with inflater.exe
      (this sucks, BTW)
      Use …
  33. Beyond FlateDecode
      This stream is encoded with ASCIIHexDecode and FlateDecode
  34. Beyond FlateDecode
      We decode the stream and find more obfuscated JavaScript
      ./ -f boBAn.pdf | less
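As an added example, not code from the slides or from any of the tools they mention, here is a small Python triage script that does what slides 26-31 (FlateDecode extraction) and slides 32-34 (chained ASCIIHexDecode/ASCII85Decode + FlateDecode) walk through by hand: find the names that trigger script execution, carve each stream out by its /Length, and undo the filters in the order the /Filter array lists them. The sample PDF it builds is constructed for this demo and carries an inert placeholder string where a real file would carry the exploit. The regex-based object splitter, the assumption that the word "endobj" never appears inside binary stream data, the use of `zlib.decompressobj` to salvage a truncated stream, and the undoing of `#xx` name escapes (so `/J#53` is recognised as `/JS`, a trick the slides don't discuss) are all my choices.

```python
"""Added example: triage a PDF for script triggers and decode its streams. Not code
from the slides or from the tools they mention; the sample PDF built at the bottom is
constructed for this demo and holds an inert placeholder string, not an exploit."""
import base64
import binascii
import re
import zlib

# "N G obj ... endobj" blocks. Assumption: "endobj" never occurs inside binary stream data.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_KW_RE = re.compile(rb"(?<!end)stream\r?\n")      # the keyword, not "endstream"
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9#]+)")
NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")
TRIGGER_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS)(?![A-Za-z0-9])")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
SAMPLE_JS = b"app.alert('placeholder - constructed for the demo, not an exploit');"

def normalize_names(text):
    """Undo #xx escapes in PDF names (/J#53 -> /JS), a cheap way to dodge string matching."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), text)

def ascii_hex_decode(data):
    text = re.sub(rb"\s+", b"", data).split(b">", 1)[0]   # '>' is the end-of-data marker
    return binascii.unhexlify(text + b"0" if len(text) % 2 else text)   # odd final digit: append 0

def ascii85_decode(data):
    return base64.a85decode(data.strip(), adobe=True)   # optional <~ prefix, required ~> marker

def flate_decode(data):
    # decompressobj yields whatever inflates before truncation or trailing junk instead of
    # raising, which matters for exploit PDFs with a padded or corrupted stream tail
    return zlib.decompressobj().decompress(data)

DECODERS = {b"FlateDecode": flate_decode, b"ASCIIHexDecode": ascii_hex_decode,
            b"ASCII85Decode": ascii85_decode}

def parse_filters(dict_text):
    """Filter names from a stream dictionary, in the order /Filter lists them."""
    m = FILTER_RE.search(normalize_names(dict_text))
    return NAME_RE.findall(m.group(1)) if m else []

def decode_stream(data, filters):
    """Order matters: [/ASCIIHexDecode /FlateDecode] means unhex first, then inflate."""
    for name in filters:
        if name not in DECODERS:
            raise ValueError("unsupported filter %r" % name)   # e.g. LZWDecode, DCTDecode
        data = DECODERS[name](data)
    return data

def raw_stream_bytes(body):
    kw = STREAM_KW_RE.search(body)
    if not kw:
        return None
    start = kw.end()
    # Prefer a direct /Length N (not an indirect "N 0 R"); binary data can contain "endstream"
    lm = re.search(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)", body[:kw.start()])
    if lm:
        return body[start:start + int(lm.group(1))]
    end = body.find(b"endstream", start)
    return body[start:end].rstrip(b"\r\n") if end != -1 else None

def extract_streams(pdf):
    """One dict per stream object: object number, filter chain, decoded bytes (None on failure)."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        kw = STREAM_KW_RE.search(body)
        if not kw:
            continue
        filters, raw = parse_filters(body[:kw.start()]), raw_stream_bytes(body)
        try:
            decoded = decode_stream(raw, filters) if raw is not None else None
        except (ValueError, zlib.error, binascii.Error):
            decoded = None
        found.append({"obj": int(m.group(1)), "filters": filters, "decoded": decoded})
    return found

def find_triggers(pdf):
    """Names that make Reader run script without a click, after undoing #xx escapes."""
    return sorted({n.decode() for n in TRIGGER_RE.findall(normalize_names(pdf))})

def build_sample_pdf():
    """Constructed sample: /OpenAction -> script stored Flate-only, hex+Flate and A85+Flate."""
    def stream_obj(num, filt, data):
        head = b"%d 0 obj << /Length %d /Filter %s >>\nstream\n" % (num, len(data), filt)
        return head + data + b"\nendstream\nendobj"
    flate = zlib.compress(SAMPLE_JS)
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /J#53 4 0 R >> >>\nendobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R >>\nendobj",
            stream_obj(4, b"/FlateDecode", flate),
            stream_obj(5, b"[/ASCIIHexDecode /FlateDecode]", binascii.hexlify(flate).upper() + b">"),
            stream_obj(6, b"[/ASCII85Decode /FlateDecode]", base64.a85encode(flate, adobe=True))]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
```

Run `find_triggers(build_sample_pdf())` and `extract_streams(build_sample_pdf())` (or pass in `open(path, "rb").read()` for a real file): the first returns `['JS', 'JavaScript', 'OpenAction']` even though the sample spells the key `/J#53`, and the second returns objects 4, 5 and 6 with the same decoded placeholder script, which is the whole point of the slides: however many layers of hex or ASCII85 sit on top, the order in the /Filter array tells you exactly how to peel them. A stream using a filter the script doesn't implement (LZWDecode, or DCTDecode for an image) comes back with `decoded` set to `None` rather than stopping the run.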
  35. Beyond FlateDecode
      Wrap the obfuscated JavaScript in <html> and <script> tags and upload it to Wepawet
      This works as long as the outer obfuscation layer doesn't depend on Reader-only objects such as app or util; if it does, stub those out first or the browser-side engine will bail before the payload decodes
  36. Beyond FlateDecode
      Ooh, second-stage executable downloads!
  37. Beyond FlateDecode - Epilogue
      From the time I started this research to the time I wrote this presentation, Wepawet added support for ASCIIHexDecode in PDF files
      So, yes, the hours of work I did on this can be replicated in mere seconds with only a web browser
      But this underscores the ongoing arms race between security researchers and malware vendors
      That's right, I said vendors
  38. Some Extra Fun
      whois
      Note the goofy domain on those name servers
  39. Some Extra Fun
      So we search for that domain, and…
  40. Some Extra Fun
      YES is a crimeware system made in Russia
      This is the login page for its web console
  41. Network Detection
      Easy enough to find PDF files that use encoded streams with your IDS/IPS
      Your firewall and proxy logs are a good place to look, too
      Most sites hosting second-stage malware are in foreign countries, especially Russia and China
      Use language to your advantage: if your employees speak English, documents downloaded from countries that don't speak English could be suspicious
  42. Network Detection
      Snort rules to detect suspicious PDF files:

      alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;)

      Caveats before you deploy these: nearly every PDF in the wild uses FlateDecode, so the second rule fires on ordinary traffic and is for logging and hunting, not blocking; the ASCIIHexDecode and ASCII85Decode rules are rarer and therefore more interesting; all four only see response bodies that are not gzip-encoded and not inside HTTPS; and the first rule watches port 80 only where the others use $HTTP_PORTS.
  43. Network Detection
      Firewall events for PDFs downloaded from countries other than the US, UK, and Canada
  44. Special Thanks to Sean Koessel
      MWA-405: Q&A