How to repel attackers with zero effort?
This is a talk I gave at BSides TLV 2016; it is a simple DIY version of my day job at Minerva Labs, an innovative Israeli start-up.
2. WHOAMI
• Researcher @ Minerva Labs, an Israeli startup
• Big fan of breaking stuff and putting it back together
• Expert in calling experts when failing to put stuff back together
• Fluent in C, C#, Python, Java and… Arabic
• Twitter: @Gal_B1t
4. THAT LADY IN RED
• Honeypots are that first girl to appear in a Bond movie
• From far away they look like a catch
• Up close it is clear they ain’t a bargain
11. HEAVILY FORTIFIED TARGETS
• Evading specific security products – the attacker’s advantage
• Can’t beat them all, but beating 90% of them is enough
• More in the live demo!
12. I KNOWZ SOFTWARE ENGEENIRINGZ
• Bugs in implementation of infection markers
• Abusing proper mechanisms
14. РУ́ССКИЙ*
• Be careful what you wish for when vaccinating!
• Russian keyboard:
• Some malware will avoid infecting you
• Other malware is comrade-targeted and will infect you precisely because of it
*Russian
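Planting the "Russian keyboard" artifact is a one-liner on Windows 8 and later, but it is worth verifying what the malware will actually see. The following is an added example, not the script from the talk; it assumes the sample checks the user's installed input languages (via GetKeyboardLayoutList or the Preload registry key). Samples that check the system locale or UI language instead are not affected by this change.

```powershell
# Added example (not the talk's own script): add a Russian input language so that
# malware which enumerates installed keyboard layouts sees locale 0x0419 (ru-RU).
# Needs the International module (Windows 8 / Server 2012 and later).
# Caveat from the slide: some families *target* machines with a Russian layout,
# so this vaccine can also make you a more attractive victim to them.

function Add-RussianKeyboardLayout {
    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains 'ru-RU') {
        Write-Verbose 'ru-RU already present' -Verbose
        return $list
    }
    $list.Add('ru-RU')
    # -Force skips the confirmation prompt. The layout is added for the current
    # user only; other accounts on the box are not vaccinated.
    Set-WinUserLanguageList -LanguageList $list -Force
    return Get-WinUserLanguageList
}

function Test-RussianKeyboardLayout {
    # The Win32 side of the check: keyboard layout IDs (KLIDs) preloaded for this
    # user. The low word of a KLID is the language ID; 0419 is Russian.
    $preload = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload'
    $klids = $preload.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |   # values are named 1, 2, 3, ...
        ForEach-Object { $_.Value }
    return [bool]($klids | Where-Object { $_ -match '0419$' })
}

Add-RussianKeyboardLayout | Select-Object LanguageTag, InputMethodTips
if (Test-RussianKeyboardLayout) {
    'Russian layout (0419) is preloaded for this user'
} else {
    'Layout not preloaded yet; log off and on again, then re-check'
}
```

Run it as the user whose session the malware would land in; the Preload check mirrors what a sample reads, so it is the check to trust rather than the cmdlet's own output.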
16. STATIC WINDOWS ARTIFACTS
• Registry keys
• Registry values
• Files
• Folders
Can be created persistently!
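A minimal static vaccination script covering all four artifact types on the slide, as an added example (it is not the script used in the talk). vmmouse.sys and "ESET" are the artifacts named in the demo list further down the page; the VMware Tools registry key, the vmhgfs.sys driver and the folder paths are the kind of checks pafish makes, and the ESET key and value are placeholders, since the page does not say which key a given sample reads.

```powershell
# Added example (not the talk's own script): plant persistent static artifacts that
# cheap anti-analysis / anti-AV checks look for. Run from an elevated PowerShell.
# Registry key and folder names are assumptions (pafish-style VMware checks plus a
# placeholder "ESET" key); vmmouse.sys is the artifact the demo list attributes to IRONGATE.
#Requires -RunAsAdministrator

$Vaccine = @{
    RegistryKeys = @(
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'   # pafish-style VMware Tools check
        'HKLM:\SOFTWARE\ESET'                        # placeholder for "ESET installed"
    )
    RegistryValues = @(
        @{ Path = 'HKLM:\SOFTWARE\ESET'; Name = 'CurrentVersion'; Value = '9.0.0' }   # placeholder
    )
    Folders = @(
        "${env:ProgramFiles}\VMware\VMware Tools"
        "${env:ProgramFiles}\ESET"
    )
    Files = @(
        "$env:SystemRoot\System32\drivers\vmmouse.sys"   # IRONGATE artifact (demo list)
        "$env:SystemRoot\System32\drivers\vmhgfs.sys"    # another pafish VMware driver check
    )
}

function Add-StaticVaccine {
    param([Parameter(Mandatory)][hashtable]$Spec)
    foreach ($key in $Spec.RegistryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { $null = New-Item -Path $key -Force }
    }
    foreach ($v in $Spec.RegistryValues) {
        $null = New-ItemProperty -LiteralPath $v.Path -Name $v.Name -Value $v.Value -PropertyType String -Force
    }
    foreach ($dir in $Spec.Folders) {
        if (-not (Test-Path -LiteralPath $dir)) { $null = New-Item -Path $dir -ItemType Directory }
    }
    # An empty file satisfies a plain existence check (GetFileAttributes / FindFirstFile).
    # It is never loaded as a driver because no service entry refers to it.
    foreach ($f in $Spec.Files) {
        if (-not (Test-Path -LiteralPath $f)) { $null = New-Item -Path $f -ItemType File }
    }
}

function Test-StaticVaccine {
    # Returns the artifacts still missing; an empty result means fully vaccinated.
    param([Parameter(Mandatory)][hashtable]$Spec)
    $paths = @($Spec.RegistryKeys) + @($Spec.Folders) + @($Spec.Files)
    $missing = @($paths | Where-Object { -not (Test-Path -LiteralPath $_) })
    foreach ($v in $Spec.RegistryValues) {
        $p = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $p) { $missing += "$($v.Path)\$($v.Name)" }
    }
    return $missing
}

function Remove-StaticVaccine {
    # Undo, e.g. before installing software that legitimately refuses to run inside a VM.
    param([Parameter(Mandatory)][hashtable]$Spec)
    foreach ($p in @($Spec.Files) + @($Spec.Folders) + @($Spec.RegistryKeys)) {
        Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Add-StaticVaccine -Spec $Vaccine
$left = Test-StaticVaccine -Spec $Vaccine
if ($left.Count -eq 0) { 'All static artifacts in place' } else { "Missing: $($left -join ', ')" }
```

Two caveats before rolling this out. First, "persistent" holds for files and for the SOFTWARE hive, but not for the BIOS strings under HKLM:\HARDWARE (the "QEMU BIOS" artifact in the demo list): that hive is rebuilt at every boot, so such a value has to be re-written from a startup task. Second, legitimate software (licensing checks, some installers) performs the same VM checks, so test the artifact set on a representative machine before deploying it.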
17. DYNAMIC WINDOWS ARTIFACTS
• Processes
• Mutexes
• Windows
• Requires a different approach:
• Run 1,000 programs, create 1,000 windows and 1,000 mutexes!
• Cleverer low-level solutions are at hand
18. LOW LEVEL X86 TRICKS
• “Red Pill” (11/2004)
• Timing attacks
• Hardware features
• Much more difficult to mimic
• Why bother?
By the way… Hi! I am Gal, which is Hebrew for “wave”, for all the non-Hebrew speakers in the crowd.
My day job is to research threats very similar to what you’ll see here today at an Israeli startup called Minerva Labs, but let’s cut the self-promoting content… if you want to hear more about it, just visit our website or contact me afterwards.
Since I was a lil’ boy I liked to break stuff and see what’s inside; IMHO this is one of the most important qualities of a great researcher.
Unfortunately I wasn’t (and still am not) that great at putting stuff back together again. My Sony PlayStation somehow worked after I closed it, but my guitar amp, PC, portable CD player and many other electronic devices weren’t so lucky.
I’m also really into learning weird languages, much more
If you wish to see more publications in the spirit of what you’ll see today – my twitter account is @Gal_B1t
You see what I did there? With the 1 and bit?
Some of you already know this, but let’s repeat it briefly.
Disclaimer – 007 is a chauvinistic misogynistic scumbag
James Bond (played by Sean Connery) on the left and the classy “Xenia Onatopp” (from GoldenEye) on the right.
Self-defense mechanisms employed by many organisms in nature.
Disclaimer: in this demo you won’t see bees flying backwards
We are not against honeypots! We are simply looking for a way to repel attackers.
Deadly Texan coral snake on the left
Harmless Mexican milk snake on the right
Monarch on the left is poisonous, viceroy on the right mimics it
They don’t wear black hoodies and type “color 0A & tree”, but it is the same sort of hacking, right?
Image credit:
https://en.wikipedia.org/wiki/Monarch_butterfly#/media/File:Monarch_Viceroy_Mimicry_Comparison.jpg
Four classes of bad guys’ “fears” that can be used against them.
Can we dress up as a poisonous butterfly?
Maybe we should paint some black, white and red stripes on our back?
What are the equivalents of poison and venom that will cause bad guys to think twice before they attack us?
The first one is you guys in the audience.
BH USA 2007
https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf
Some wonky string comparison implementation.
ASCII ninjas will like this.
Their second fear is also you, or to be more specific, your creations.
Security products are great nowadays!
A word about the attacker’s advantage and intelligence collection.
Their third fear is of themselves.
Credit to Sylvain Sarméjeanne
The first one is 2009’s Conficker.C, the second one is the first generation of Locky ransomware:
https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create-a-vaccine/?lang=en
Last but not least, their fourth fear is of specific third parties or victims. Sometimes the logic is not 100% clear…
Maybe they’re afraid of this guy, and I’m talking about the dog, right?
Four classes of bad guys’ “fears” that can be used against them.
Joanna Rutkowska
https://web.archive.org/web/20070110201418/http://www.invisiblethings.org/papers/redpill.html
The SIDT instruction (encoded as 0F010D[addr]) stores the contents of the interrupt descriptor table register (IDTR) in the destination operand, which is actually a memory location. What is special and interesting about SIDT instruction is that, it can be executed in non privileged mode (ring3) but it returns the contents of the sensitive register, used internally by operating system
Because there is only one IDTR register, but there are at least two OS running concurrently (i.e. the host and the guest OS), VMM needs to relocate the guest's IDTR in a safe place, so that it will not conflict with a host's one. Unfortunately, VMM cannot know if (and when) the process running in guest OS executes SIDT instruction, since it is not privileged (and it doesn't generate exception). Thus the process gets the relocated address of IDT table. It was observed that on VMWare, the relocated address of IDT is at address 0xffXXXXXX, whereas on Virtual PC it is 0xe8XXXXXX. This was tested on VMWare Workstation 4 and Virtual PC 2004, both running on Windows XP host OS.
CopyKittens copied pafish’s source and many of its low-level tests, but also had ~50 other checks for software and static artifacts.
OK now to the live demo.
We’ll first show an execution of live malware on a non-vaccinated machine.
Then we’ll revert the snapshot, vaccinate with our script and do it over again.
We’ll use procmon and procexp to show how it terminates. Wireshark is also a viable option.
Samples to be shown:
• OLD Locky – hash 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2 – artifact: ESET
• TeslaCrypt 3 – hash ca7cb56b9a254748e983929953df32f219905f96486d91390e8d5d641dc9916d – artifact: ESET
• IRONGATE – hash 386ed16fece9cc24c4d123cdf91a371829098ba7abd4c8fefb40b4e376e7ac6a – artifact: vmmouse.sys
• private sample – hash ????? – artifact: QEMU BIOS