SlideShare a Scribd company logo
1 of 45
Download to read offline
Reversing malware analysis training part12 rootkitanalysis
Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS" without
any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are
solely of the trainer’s only and nothing to do with the company or the organization in which
the trainer is currently working.
However in no circumstances neither the trainer nor Cysinfo is responsible for any damage or
loss caused due to use or misuse of the information presented here.
Acknowledgement
 Special thanks to null & Garage4Hackers community for their extended support and
cooperation.
 Special thanks to ThoughtWorks for the beautiful and bigger venue.
 Thanks to all the trainers who have devoted their precious time and countless hours to make it
happen.
Reversing & Malware Analysis Training
This presentation is part of our Reverse Engineering & Malware Analysis Training
program. Currently it is delivered only during our local meet for FREE of cost.
Who am I
Monnappa K A
 Member of Cysinfo
 Info Security Investigator @ Cisco
 Reverse Engineering, Malware Analysis, Memory Forensics
 Email: monnappa22@gmail.com,
 Twitter: @monnappa22
 Linkedin: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
 What is a Rootkit?
 User Mode Rootkits
 Kernel Mode Rootkits
 Function Call cycle on Windows
 Levels of hooking/modification on Windows
 Demo 1 (mader– SSDT hook)
 Demo 2 (prolaco – DKOM)
 Demo 3 (darkmegi /waltrodock– installs device driver)
 Demo 4 (carberp– syscall patch and inline API hook)
 Program that perform system hooking or modifies functionality of OS
 Hide files, processes, other objects to conceal its presence
 Intercepts and alters the normal execution flow
 Can contain both user mode and kernel mode components
 Some rootkits can install as device drivers
 Types: User Mode and Kernel Mode Rootkits
 Runs in Ring 3
 Hooking in user space or application space
 Some common user mode Rootkit technqiues:
- IAT (Import Address Table) hooking
- Inline API hooking
 Rootkit need to perform patching in the memory space of every running application
 Runs in Ring 0
 System hooking or modification in kernel space
 Some Kernel mode Rootkit techniques:
- SSDT (System Service Descriptor Table) hooking
- DKOM (Direct Kernel Object Manipulation)
- IDT (Interrupt Descriptor Table) hooking
- Installing as Device Drivers
- Driver IRP hooking
Below screenshot shows the API lifecycle on Windows system
The below screenshot shows tables and objects that Rootkit can hook/modify to hide its presence
 Rootkit Theory and Techniques will be covered in depth in our Advanced Training Series. This
session focuses on the Rootkit Analysis.
 Because of the time constraint, the demo uses a script “sandbox.py” which automates the
behavioural analysis and memory analysis discussed in the Part 8 (Malware Memory Fornesics) and
Part 9 (Advanced Malware Analysis) of the training session.
http://nagareshwar.securityxploded.com/2012/06/16/training-session-part-8-%E2%80%93-practical-reversing-iii-memory-forensics/
http://nagareshwar.securityxploded.com/2012/07/15/training-session-part-9-%E2%80%93-practical-reversing-iv-advanced-malware-analysis/
 “sandbox.py” uses the tools CaptureBat (file, processs, registry activity), tshark (network activity),
InetSim (simulating the services like dns, http, smtp) and Volatility (Memory Forensics) to produce
the results. All these tools were discussed in Part 9 (Advanced Malware Analysis) of the training
session.
Reversing malware analysis training part12 rootkitanalysis
Executing the sample drops a driver and loads it as kernel service
The malware makes dns query and downloads additional files
Rootkit uses callbacks to monitor for process creation activity
Rootkit modifies the pointers in the SSDT to protect itself from deletion or removal
VirusTotal confirms the Rootkit after dumping and submitting the driver from memory
Reversing malware analysis training part12 rootkitanalysis
Prolaco.exe drops two files on “Googlxe.exe” and “Rundll45.exe” on the filesystem
Prevents the security products from running by looking for the security products and deleting its registry
key value
The malware sends spam invitation mails to the some of the organizations
Process id 1080 sends the spam, but the rootkits hides that process from the process listing using DKOM technique
Hides the process from process explorer
Comparing the process listing using Volatility’s “pslist” and “psscan” plugin, shows the hidden process
prolaco.exe (pid 1080)
pslist psscan
Dumping the hidden process from memory and submitting to VirusTotal confirms the presence of malicious hidden
process
Reversing malware analysis training part12 rootkitanalysis
The sample drops a driver and also invokes rundll32 and iexplore proces.
Makes dns query and download additional files
Sets kernel callbacks to montior for an Image/DLL loading
The driver creates a device and accepts control codes from usermode programs
Examining the device and driver objects shows the base address and address of DriverEntry routine
Examining the DriverEntry routine shows the presence of a DLL “com32.dll”
The DLL dumped from the memory, which was loaded by rundll32.exe
Dumping the driver after determining the Driver’s base address
VT confirms the Rootkit component after submitting the samples
VT results for dumped Driver
VT results for dumped DLL
Reversing malware analysis training part12 rootkitanalysis
The sample creates .tmp files and invokes explorer.exe and svchost.exe
Malware performs dns and http activity
Submits process information on the system to the command and control server
Patches SYSCALL in ntdll.dll to hide its presence
Hooks API calls to steal http data, the hooking functions points to unknown location
Dumping the embedded executable which was determined by examining the hooking function.
VirusTotal confirms the executable as component of Carberp
Thank You !

More Related Content

Viewers also liked

Reversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internalsReversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internalsCysinfo Cyber Security Community
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesCysinfo Cyber Security Community
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresCysinfo Cyber Security Community
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedCysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisCysinfo Cyber Security Community
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesArshadRaja786
 
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama Kitabı
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama KitabıWeb ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama Kitabı
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama KitabıBGA Cyber Security
 
The VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisThe VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisEMC
 

Viewers also liked (19)

Reversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internalsReversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internals
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
 
Hollow process injection
Hollow process injectionHollow process injection
Hollow process injection
 
Advanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniquesAdvanced malware analysis training session4 anti-analysis techniques
Advanced malware analysis training session4 anti-analysis techniques
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 
Advanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwaresAdvanced malware analysis training session1 detection and removal of malwares
Advanced malware analysis training session1 detection and removal of malwares
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
 
Advanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysisAdvanced malware analysis training session6 malware sandbox analysis
Advanced malware analysis training session6 malware sandbox analysis
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1Advanced malware analysis training session10 part1
Advanced malware analysis training session10 part1
 
Linux Malware Analysis
Linux Malware Analysis	Linux Malware Analysis
Linux Malware Analysis
 
Security Analytics using ELK stack
Security Analytics using ELK stack	Security Analytics using ELK stack
Security Analytics using ELK stack
 
Malware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning TechniquesMalware Detection Using Machine Learning Techniques
Malware Detection Using Machine Learning Techniques
 
Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis	Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning	Malware Detection using Machine Learning
Malware Detection using Machine Learning
 
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama Kitabı
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama KitabıWeb ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama Kitabı
Web ve Mobil Uygulama Güvenlik Testleri Eğitimi Uygulama Kitabı
 
The VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisThe VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth Analysis
 

More from Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques   	monnappa k aUnderstanding evasive hollow process injection techniques   	monnappa k a
Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication  by ajithkumar vyasaraoSecurity challenges in d2d communication  by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community
 

More from Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay AjayanUnicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
 
Analysis of android apk using adhrit by Abhishek J.M
 Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques   	monnappa k aUnderstanding evasive hollow process injection techniques   	monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication  by ajithkumar vyasaraoSecurity challenges in d2d communication  by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
S2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna aS2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna a
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr   siddharth muraleeDynamic binary analysis using angr   siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc -	ashutosh ahelleyaBit flipping attack on aes cbc -	ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation	Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat	ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack	XXE - XML External Entity Attack
XXE - XML External Entity Attack
 
POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?
 

Recently uploaded

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 

Recently uploaded (20)

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 

Reversing malware analysis training part12 rootkitanalysis

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Special thanks to ThoughtWorks for the beautiful and bigger venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost.
  • 5. Who am I Monnappa K A  Member of Cysinfo  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com,  Twitter: @monnappa22  Linkedin: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  • 6.  What is a Rootkit?  User Mode Rootkits  Kernel Mode Rootkits  Function Call cycle on Windows  Levels of hooking/modification on Windows  Demo 1 (mader– SSDT hook)  Demo 2 (prolaco – DKOM)  Demo 3 (darkmegi /waltrodock– installs device driver)  Demo 4 (carberp– syscall patch and inline API hook)
  • 7.  Program that perform system hooking or modifies functionality of OS  Hide files, processes, other objects to conceal its presence  Intercepts and alters the normal execution flow  Can contain both user mode and kernel mode components  Some rootkits can install as device drivers  Types: User Mode and Kernel Mode Rootkits
  • 8.  Runs in Ring 3  Hooking in user space or application space  Some common user mode Rootkit technqiues: - IAT (Import Address Table) hooking - Inline API hooking  Rootkit need to perform patching in the memory space of every running application
  • 9.  Runs in Ring 0  System hooking or modification in kernel space  Some Kernel mode Rootkit techniques: - SSDT (System Service Descriptor Table) hooking - DKOM (Direct Kernel Object Manipulation) - IDT (Interrupt Descriptor Table) hooking - Installing as Device Drivers - Driver IRP hooking
  • 10. Below screenshot shows the API lifecycle on Windows system
  • 11. The below screenshot shows tables and objects that Rootkit can hook/modify to hide its presence
  • 12.  Rootkit Theory and Techniques will be covered in depth in our Advanced Training Series. This session focuses on the Rootkit Analysis.  Because of the time constraint, the demo uses a script “sandbox.py” which automates the behavioural analysis and memory analysis discussed in the Part 8 (Malware Memory Fornesics) and Part 9 (Advanced Malware Analysis) of the training session. http://nagareshwar.securityxploded.com/2012/06/16/training-session-part-8-%E2%80%93-practical-reversing-iii-memory-forensics/ http://nagareshwar.securityxploded.com/2012/07/15/training-session-part-9-%E2%80%93-practical-reversing-iv-advanced-malware-analysis/  “sandbox.py” uses the tools CaptureBat (file, processs, registry activity), tshark (network activity), InetSim (simulating the services like dns, http, smtp) and Volatility (Memory Forensics) to produce the results. All these tools were discussed in Part 9 (Advanced Malware Analysis) of the training session.
  • 14. Executing the sample drops a driver and loads it as kernel service
  • 15. The malware makes dns query and downloads additional files
  • 16. Rootkit uses callbacks to monitor for process creation activity
  • 17. Rootkit modifies the pointers in the SSDT to protect itself from deletion or removal
  • 18. VirusTotal confirms the Rootkit after dumping and submitting the driver from memory
  • 20. Prolaco.exe drops two files on “Googlxe.exe” and “Rundll45.exe” on the filesystem
  • 21. Prevents the security products from running by looking for the security products and deleting its registry key value
  • 22. The malware sends spam invitation mails to the some of the organizations
  • 23. Process id 1080 sends the spam, but the rootkits hides that process from the process listing using DKOM technique
  • 24. Hides the process from process explorer
  • 25. Comparing the process listing using Volatility’s “pslist” and “psscan” plugin, shows the hidden process prolaco.exe (pid 1080) pslist psscan
  • 26. Dumping the hidden process from memory and submitting to VirusTotal confirms the presence of malicious hidden process
  • 28. The sample drops a driver and also invokes rundll32 and iexplore proces.
  • 29. Makes dns query and download additional files
  • 30. Sets kernel callbacks to montior for an Image/DLL loading
  • 31. The driver creates a device and accepts control codes from usermode programs
  • 32. Examining the device and driver objects shows the base address and address of DriverEntry routine
  • 33. Examining the DriverEntry routine shows the presence of a DLL “com32.dll”
  • 34. The DLL dumped from the memory, which was loaded by rundll32.exe
  • 35. Dumping the driver after determining the Driver’s base address
  • 36. VT confirms the Rootkit component after submitting the samples VT results for dumped Driver VT results for dumped DLL
  • 38. The sample creates .tmp files and invokes explorer.exe and svchost.exe
  • 39. Malware performs dns and http activity
  • 40. Submits process information on the system to the command and control server
  • 41. Patches SYSCALL in ntdll.dll to hide its presence
  • 42. Hooks API calls to steal http data, the hooking functions points to unknown location
  • 43. Dumping the embedded executable which was determined by examining the hooking function.
  • 44. VirusTotal confirms the executable as component of Carberp