Recommended
More Related Content
Similar to Vaccination - The Anti-Honeypot Approach @ Bsides TLV
Similar to Vaccination - The Anti-Honeypot Approach @ Bsides TLV (20)
Recently uploaded
Recently uploaded (20)
Vaccination - The Anti-Honeypot Approach @ Bsides TLV
- 1. VACCINATION THE ANTI-HONEYPOT APPROACH GAL BITENSKY
- 2. WHOAMI • Researcher @ Minerva Labs, an Israeli startup • Big fan of breaking stuff and putting them back together • Expert in calling experts when failing to put stuff back together • Fluent in C, C#, Python, Java and… Arabic • Twitter: @Gal_B1t
- 3. WHAT IS A HONEYPOT?
- 4. THAT LADY IN RED • Honeypots are that first girl to appear in a Bond movie • From far away they look like a catch • Up close it is clear they ain’t a bargain
- 6. NATURAL APPROACH FOR REPELLING ATTACKERS • Can you tell the difference?
- 7. EVEN BUTTERFLIES TRY TO FIND HACKS
- 8. KNOW YOUR ENEMY’S FEARS - FOUR WAYS TO REPEL BAD GUYS
- 9. VIRTUALIZEDANALYSIS ENVIRONMENT • Goals: • Misleading the poor reverser directly • Fooling analysis tools • Seeking after hints for the presence of: • Static and dynamic analysis tools • Virtualization or emulation infrastructure
- 10. 53 41 4E 44 42 4F 58 ??? S A N D B O X !!!
- 11. HEAVILY FORTIFIED TARGETS • Evading specific security products – the attacker’s advantage • Can’t beat them all, but 90% of them is enough • More in the live demo!
- 12. I KNOWZ SOFTWARE ENGEENIRINGZ • Bugs in implementation of infection markers • Abusing proper mechanisms
- 14. РУ́ССКИЙ* • Be careful with what you wish for when vaccinating! • Russian keyboard: • Some malware will avoid to infect you • Others are comrade-targeted malware *Russian
- 15. HOW BAD GUYS KNOW WHEN TO BUG OUT?
- 16. STATIC WINDOWS ARTIFACTS • Registry keys • Registry values • Files • Folders Can be created persistently!
- 17. DYNAMIC WINDOWS ARTIFACTS • Processes • Mutexes • Windows • Requires different approach: • Run 1,000 programs, create 1,000 windows and 1,000 mutexes! • More clever low level solutions are at hand
- 18. LOW LEVEL X86 TRICKS • “Red Pill” (11/2004) • Timing attacks • Hardware features • Much more difficult to mimic • Why bother?
- 20. QUESTIONS?
Editor's Notes
- By the way… Hi! I am Gal which is Hebrew for “wave” for all of you non Hebrew speaking in the crowd. My day job is to research threats very similar to what you’ll see here today @ an Israeli startup called Minerva Labs but let’s cut that self promoting content… if you want to hear more about it just visit our website or contact me afterwards. Since I was a lil’ boy I liked to break stuff and see what’s inside, IMHO – this is one of the most important qualities of a great researcher. Unfortunately I wasn’t (and still not) that great at putting stuff back together again. My Sony Playstation somehow worked after I closed it but my guitar amp, PC, portable CD player and many other electronic devices weren’t so lucky. I’m also really into learning weird languages, much more If you wish to see more publications in the spirit of what you’ll see today – my twitter account is @Gal_B1t You see what I did there? With the 1 and bit?
- Some of you already know but let’s repeat it shortly
- Disclaimer – 007 is a chauvinistic misogynistic scumbag James bond (by Sean Connery) on the left and the classy “Xenia Onatopp” (from Goldeneye) on the right
- Self defense mechanism employed by many organisms in the nature. Disclaimer: in this demo you won’t see bees flying backwards
- We are not against honeypots! We simply look after a way to repel attackers Deadly Texan coral snake on the left Harmless Mexican milk snake on the right
- Monarch on the left is poisonous, viceroy on the right mimics it They don’t wear black hoodies and type “color 0A & tree” but it is soon the me sort of hacking, right? Image credit: https://en.wikipedia.org/wiki/Monarch_butterfly#/media/File:Monarch_Viceroy_Mimicry_Comparison.jpg
- Four classes of bad guys “fears” which can be used against them Can we dress up as a poisonous butterfly? Maybe we should paint some black, white and red stripes on our back? What are the equivalents of poison and venom that will cause bad guys to think twice before they attack us?
- First one is you guys in the audience. BH USA 2007 https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf
- some wanky string comparison implementation. ASCII ninjas will like.
- Their second fear is also you, if to be more specific – your creations. Security products are great nowadays! A word about the attackers advantage and intelligence collection
- Their third fear is from their selves.
- Credit to Sylvain Sarméjeanne First one is 2009’s conficker.c, second one is first generation of Locky ransomware: https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create-a-vaccine/?lang=en
- Last but not least their fourth fear is from specific third parties or victims. Sometimes the logic is not 100% clear… Maybe they’re afraid of this guy, and I’m talking about the dog, right?
- Four classes of bad guys “fears” which can be used against them
- Joanna Rutkowska https://web.archive.org/web/20070110201418/http://www.invisiblethings.org/papers/redpill.html The SIDT instruction (encoded as 0F010D[addr]) stores the contents of the interrupt descriptor table register (IDTR) in the destination operand, which is actually a memory location. What is special and interesting about SIDT instruction is that, it can be executed in non privileged mode (ring3) but it returns the contents of the sensitive register, used internally by operating system Because there is only one IDTR register, but there are at least two OS running concurrently (i.e. the host and the guest OS), VMM needs to relocate the guest's IDTR in a safe place, so that it will not conflict with a host's one. Unfortunately, VMM cannot know if (and when) the process running in guest OS executes SIDT instruction, since it is not privileged (and it doesn't generate exception). Thus the process gets the relocated address of IDT table. It was observed that on VMWare, the relocated address of IDT is at address 0xffXXXXXX, whereas on Virtual PC it is 0xe8XXXXXX. This was tested on VMWare Workstation 4 and Virtual PC 2004, both running on Windows XP host OS. CopyKittens copied pafish source and many low level tests but had ~50 other checks for software and static artifacts.
- OK now to the live demo. We’ll first show an execution of live malware without in a non-vaccinated machine. Will revert the snapshot, vaccinate with our script and do it over again. We’ll use procmon and procexp to show how it terminates. Wireshark is also a viable option. Samples to be shown: OLD Locky Hash 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2 Artifact ESET Teslacrypt 3 Hash ca7cb56b9a254748e983929953df32f219905f96486d91390e8d5d641dc9916d Artifact ESET IRONGATE Hash 386ed16fece9cc24c4d123cdf91a371829098ba7abd4c8fefb40b4e376e7ac6a Artifact Vmmouse.sys private sample Hash ????? Artifact QEMU BIOS
- Question time