Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Defeating antiforensics in contemporary complex threats

3,237 views

Published on

Forensic analysis plays a crucial role in cybercrime group investigation, as it allows investigators to obtain such information as bot configuration data, C&C URLs, payload, stolen data and so on. Some of the modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper will present technical and in-depth analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild:

Win64/Olmarik (TDL4)
Win64/Olmasco (MaxSS)
Win64/Rovnix/Carberp
Win64/Sirefef (ZeroAccess)
Win32/Hodprot
These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors will focus on the details of hidden storage implementation as well as the ways in which it is maintained within the system by various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware in order to conceal the content kept in its hidden storage areas and protect those contents against modification by the system or by security software. Also a detailed description of the hidden file system is presented for each threat considered, as well as a comparison of its features to the other threats analysed here.

To conclude, an approach is presented on the retrieval of data from hidden storage. We will discuss the steps that should be taken to defeat self-defence mechanisms, locate hidden storage on the hard drive and read plain data.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Defeating antiforensics in contemporary complex threats

  1. 1.      
  2. 2.  • • • •
  3. 3.      
  4. 4. One of the most frequently used droppers in 2011 for deliveringbanking trojans in Russia: Carberp, Sheldor, RDPdoor.Relies on system registry to keep its modules and payloadHKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
  5. 5. One of the most frequently used droppers in 2011 for deliveringbanking trojans in Russia: Carberp, Sheldor, RDPdoor.Relies on system registry to keep its modules and payloadHKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
  6. 6. Winlogon Address Browser Address Space Space Setupapi.dll Assemble Payload Inject Payload Update Payload sfcfiles.dll Payload System Registry User-mode Kernel-mode Inject Payload Install & Load Assemble Payload Driver sfc.sys
  7. 7. Configuration data are stored in a resource of the Flame main moduleConfiguration data are encrypted with custom algorithm andcompressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
  8. 8. Configuration data are stored in a resource of the Flame main moduleConfiguration data are encrypted with custom algorithm andcompressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
  9. 9. Applications Malware payload user-mode address space kernel-mode address space Malicious kernel-mode driver File system interfaceOS file system driver Physical storage interface OS storage device driver stack Hidden FS Hard drive area
  10. 10. Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode Kernel- mode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN
  11. 11. First widely spread bootkit targeting Microsoft Windows x64 platformInfects MBR of the bootable hard drive to receive control before OSAbuses Windows PE (Preinstallation Environment) boot mode todisable kernel-mode code signing policyKeeps payload in the hidden file systemHijacks pointer to the driver object of the lowest device object instorage device stack
  12. 12. One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth directiontypedef struct _TDL4_FS_ROOT_DIRECTORY typedef struct _TDL4_FS_FILE_ENTRY {{ // File name - null terminated string // Signature of the block char FileName[16]; WORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD FileBlockOffset; DWORD Reserved; // Reserved DWORD dwFileSize; // Array of entries corresponding to files in FS // Time and Date of file creation TDL4_FS_FILE_ENTRY FileTable[15]; FILETIME CreateTime;}TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;
  13. 13. Visible to payload Maintained by rootkit DriverPnpManager TDL4 Driver object Driver objectDeviceXXXXXXXX UnnamedTDL4 Volume TDL4 Physicaldevice object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
  14. 14. MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partitionas TDL4 bootkit OS Partition OS PartitionModifies partition table of the Unpartitioned Space Olmasco Partitionbootable hard drive to createmalicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
  15. 15. MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partitionas TDL4 bootkit OS Partition OS PartitionModifies partition table of the Unpartitioned Space Olmasco Partitionbootable hard drive to createmalicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
  16. 16. typedef struct _OLMASCO_FS_ROOT_DIRECTORY typedef struct _OLMASCO_FS_FILE_ENTRY{ { // Signature of the block // File name - null terminated string // DC - root directory char FileName[16]; DWORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD OffsetInClusters; DWORD Reserved1; // Size of the file in clusters // Set to zero DWORD SizeInClusters; DWORD Reserved2; // Size of the file in bytes // Set to zero DWORD SizeInBytes; DWORD Reserved3; // Checksum // Size of the file system cluster DWORD Crc32; DWORD ClusterSize; }OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY; // Size of file table in clusters DWORD SizeOfSysTableInClusters; // Size of file table in bytes DWORD SizeOfSysTableInBytes; // Checksum of file table DWORD SysTableCRC32; // Array of entries corresponding to files in FS OLMASCO_FS_FILE_ENTRY FileTable[];}OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;
  17. 17. Mounts a file containing payload & configuration dataas NTFS volume with transparent encryption VS.Keeps payload & configuration data encrypted in“C:windows$NtUninstallKB35373$” directory
  18. 18. ZeroAccess NTFS Driver Object Driver ObjectHidden Volume Name ZeroAccess Related Device Volume Device Object DriverObject DriverObject ... ... File with data File Object
  19. 19. First known bootkit which infects VBR (Volume Boot Record) withpolymorphic malicious bootstrap codeIt utilizes debugging facilities of the hardware (debugging registers) topersists among processor execution mode switching and set up hooksRovnix bootkit employs modification of FAT16 for hidden partitionRovnix bootkit was used in Carberp banking trojan
  20. 20. •   MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
  21. 21. Employs advanced bootkit techniques to load unsigned maliciouskernel-mode driver on 64-bit version of Windows OSCombines bootkit techniques present in Olmarik (TDL4) & RovnixBypasses PatchGuard by means of modifying kernel before integrityenforcement service is startedGoblin hidden implements hidden file system in a similar way toOlmarik (TDL4)
  22. 22. Olmarik Sirefef Rovnix Goblin Olmascofunctionality (TDL4) (ZeroAccess) (Cidox) (XPAJ) (MaxSS)MBR     modificationVBR     modificationHidden file FAT16 Custom Custom NTFS Customsystem type modification (TDL4 based)encryption Custom RC6 XOR/RC4 RC4 algorithm (XOR+ROL) modificationcompression   aPlib aPlib algorithm
  23. 23.         
  24. 24. 
  25. 25. eset.com/download/utilities/detail/family/173/
  26. 26.      
  27. 27. 
  28. 28. Aleksandr Matrosov Eugene Rodionovmatrosov@eset.sk rodionov@eset.sk@matrosov @vxradius

×