Two-For-One Talk: Malware Analysis for Everyone


    Two-For-One Talk: Malware Analysis for Everyone - Presentation Transcript

    1. Paul Melson
      Two-For-One Talk: Malware Analysis for Everyone
    2. MWA-101: Five Automated Analysis Tools You Should Know
    3. Why Do Malware Analysis?
      Client-side attacks that install malware are the #1 external threat.
      It’s not slowing down any time soon:
      “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31% from the previous period.”
      “In 2008, Symantec created 1,656,227 new malicious code signatures. This is a 265% increase over 2007.”
      (Source: Symantec Internet Threat Report, April 2009)
    4. Firewalls and Anti-Virus Have Lost
      Client-side attacks against web browsers and e-mail go right through most firewall policies
      Detection rates for current malware files by market leading anti-virus scanners are averaging 30-50%
      If you’re not adapting some other way, you’ve lost
    5. Malware is Adapting Quickly
      Take away Local Administrator privileges?
      Malware that persists in HKCU Registry keys or StartUp group
      Whitelist apps with Windows Firewall?
      Malware that hooks into Internet Explorer plugin APIs
      Block IRC at the firewall?
      Malware that uses encrypted HTTP/HTTPS back-channels
    6. “But it’s just spyware, right?”
      In the past 2 years, we’ve found malware in the wild that:
      Sends hundreds of spam e-mail messages per second
      Gives bot “herder” full desktop remote control
      Searches files in “Documents and Settings” for SSNs, credit card numbers, and saved Internet Explorer passwords
      Records all screen and text input and reports it in real-time to a server in Russia
    7. VirusTotal http://www.virustotal.com
      Upload a suspicious file, they scan it with 40+ different anti-virus products using current signatures
      Pretty much everybody, except TrendMicro
      Useful for determining if a file is malicious
      Also for determining whether your anti-virus would detect a particular file
      Take advantage of heuristic/edge products without all of the false positives in production
      OK, but not great for brand new or custom malware
      Not great for obfuscated exploits, better with binaries
    8. CWSandbox http://www.cwsandbox.org
      Upload a suspicious Windows executable, they run it in their sandbox and tell you what it did
      Great for figuring out what a file actually does
      It doesn’t establish malicious vs. benign; that’s up to you
      Requires some detailed understanding of Windows Registry, processes, file system to interpret report
      Some malware can detect this and other sandboxes, and won’t run
      Other similar services
      Norman Sandbox
      JoeBox
    9. Threat Expert http://www.threatexpert.com
      Upload a suspicious Windows binary, they analyze it
      Supports web submission, but also Windows applet
      Must register to submit samples
      Combines the features of CWSandbox and VirusTotal
      Anti-virus scan
      File / registry modifications
      Packer identification
      Browse reports and statistics from other submitted files
    10. Wepawet http://wepawet.iseclab.org
      Upload a suspicious PDF, HTML, or Flash file, or submit a suspicious URL and it will analyze it for malicious JavaScript.
      Great for working with obfuscated JavaScript where reversing and debugging is complex and time-intensive.
      However, some forms of obfuscation, especially in PDF and SWF files, can be used to beat it.
    11. Comodo http://camas.comodo.com
      Upload a suspicious Windows binary, they analyze it for you
      Similar to CWSandbox
      Very fast
      Relatively new/unknown, so less likely to be targeted for evasion
      (Assuming they use technology different enough from Norman, CWSandbox)
    12. MWA-101: Q&A
    13. MWA-405: Unpacking PDF Exploit Payloads
    14. PDF Files and Malware
      Malware relies on two methods to install
      Exploiting a browser vulnerability
      Tricking people into running a file
      Adobe Acrobat Reader is, right now, the most reliably vulnerable piece of software in the world
      It’s really hard to patch across the enterprise
      Predecessors:
      Internet Explorer
      QuickTime Player
      Adobe Flash Player
    15. They Don’t Call it Pwndobe for Nothing
      Tuesday’s Acrobat Reader security bulletin
      That’s 29 unique vulnerabilities, in case you’re keeping score
    16. PDF as an Attack Vector
      Acrobat Reader is executable from the web browser
      Called as a browser plugin via COM
      There is an IE killbit, but I dare you to use it in a business
      Each version of Acrobat Reader has its own CLSID, and killbit
      The PDF file format supports scripting and obfuscation
      JavaScript
      Embedding binary objects and scripts as streams
      Compressing and encoding these streams
      These are the same things that made Flash a good attack vector, so you may have some idea as to what’s next
    17. PDF With Malicious Payload
      PDF file header including JavaScript trigger
    18. PDF With Malicious Payload
      PDF file body showing binary FlateDecode stream
      Note the /Filter and /Length tags
    19. Unpacking FlateDecode Streams
      FlateDecode is stream compression using zlib compress()
      Several tools can decompress and extract the streams for you
      PDF Stream Inflater by Bobby Spasic (Malzilla)
      Not available for download anymore
      pdftk by Sid Steward (AccessPDF)
      Not specifically for malware
      http://www.accesspdf.com/pdftk/
      pdf-parser.py by Didier Stevens
      This guy writes all sorts of awesome tools
      http://blog.didierstevens.com/programs/pdf-tools/
    20. Unpacking FlateDecode Streams
      Using PDF Stream Inflater to extract FlateDecode stream
    21. Unpacking FlateDecode Streams
      Viewing decoded stream containing obfuscated JavaScript
    22. Unpacking FlateDecode Streams
      Pipe extracted stream through Didier Stevens’ SpiderMonkey mod
      The log files contain the output of the obfuscated JavaScript
    23. Unpacking FlateDecode Streams
      Look! More JavaScript, but this time it’s readable.
      Hmmm, I wonder…
    24. Unpacking FlateDecode Streams
      Oh, look, they copied the exploit from milw0rm.
    25. Beyond FlateDecode
      Different versions of the PDF file standard support additional forms of encoding streams
      ASCIIHexDecode
      ASCII85Decode
      Encoding methods can be combined on a single stream
      Order of operations matters!
      Two methods for extracting and decoding:
      Manually decode Hex stream to zlib binary stream, reinsert, resize header, basically recreating the PDF as if it only contained the FlateDecode stream, then extract with inflater.exe
      (this sucks, BTW)
      Use pdf-parser.py
    26. Beyond FlateDecode
      This stream is encoded with ASCIIHexDecode and FlateDecode
    27. Beyond FlateDecode
      We decode the stream and find more obfuscated JavaScript
      ./pdf-parser.py -f boBAn.pdf | less
    28. Beyond FlateDecode
      Throw <html> and <script> tags around the obfuscated JavaScript and upload it to Wepawet
    29. Beyond FlateDecode
      Ooh, second stage executable downloads!
    30. Beyond FlateDecode - Epilogue
      From the time that I started this research to the time I wrote this presentation, Wepawet has added support for ASCIIHexDecode in PDF files
      So, yes, the hours of work I did on this can be replicated in mere seconds with only a web browser
      But this underscores the ongoing arms race between security researchers and malware vendors
      That’s right, I said vendors
    31. Some Extra Fun
      whois goodshoot1.com
      Note the goofy domain on those name servers
    32. Some Extra Fun
      So we search malwareurl.com for that domain, and…
    33. Some Extra Fun
      YES is a crimeware system made in Russia
      This is the login page for its web console
    34. Network Detection
      Easy enough to find PDF files that use encoded streams with your IDS/IPS
      Your firewall and proxy logs are a good place to look, too
      Most sites hosting second-stage malware are in foreign countries, especially Russia, China
      Use language to your advantage – if your employees speak English, then documents downloaded from countries that don’t speak English could be suspicious
    35. Network Detection
      alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;)
      alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;)
      Snort rules to detect suspicious PDF files
    36. Network Detection
      Firewall events for PDFs downloaded from countries other than the US, UK, and Canada
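The geography check from the last two slides, as an added example that is not from the talk: it walks proxy log lines and flags PDF downloads served from outside an expected-country set. The log lines follow the shape of Squid's native access log but are constructed, the IPs are RFC 5737 documentation addresses, and the GEO table is a stand-in for a real GeoIP lookup.

```python
import re

# Constructed log lines in Squid's native access-log shape; IPs are RFC 5737
# documentation addresses and the host names are invented for this example.
SAMPLE_LOG = """\
1243000001.101 312 10.1.2.3 TCP_MISS/200 48213 GET http://intranet.example/q2.pdf - DIRECT/192.0.2.10 application/pdf
1243000002.202 845 10.1.2.4 TCP_MISS/200 91002 GET http://cdn.example/report.pdf - DIRECT/198.51.100.7 application/pdf
1243000003.303 120 10.1.2.5 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/203.0.113.9 text/html
1243000004.404 233 10.1.2.6 TCP_MISS/200 7710 GET http://files.example/get?id=17 - DIRECT/203.0.113.9 application/pdf
"""

# Stand-in for a GeoIP lookup (constructed mapping for the sample addresses).
GEO = {"192.0.2.10": "US", "198.51.100.7": "RU", "203.0.113.9": "CN"}

# Countries the slide treats as expected for an English-speaking workforce.
EXPECTED = {"US", "GB", "CA"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<client>\S+) \S+ \S+ (?P<method>\S+) (?P<url>\S+) \S+ "
    r"\S+/(?P<server>\S+) (?P<ctype>\S+)$")

def is_pdf(url: str, ctype: str) -> bool:
    # Match on content type or extension: downloads behind query strings carry no .pdf
    return ctype.lower() == "application/pdf" or url.lower().endswith(".pdf")

def suspicious_pdf_downloads(log_text: str) -> list:
    """Return (client, url, country) for PDFs served from non-expected countries."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_pdf(m["url"], m["ctype"]):
            continue
        country = GEO.get(m["server"], "??")  # unknown geo is worth a look too
        if country not in EXPECTED:
            hits.append((m["client"], m["url"], country))
    return hits
```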
    37. pmelson@gmail.com
      http://pmelson.blogspot.com
      Special Thanks to Sean Koessel
      MWA-405: Q&A
