Advertisement
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Nov. 22, 2012•0 likes•2,422 views
3 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Education
In this talk one wouldn’t see any speculations on state-sponsored cyber-espionage and сonspirology theories on cyber weapon development. In the presentation authors will concentrate on different approaches to analysis of the malware based on object oriented architecture with respect to one of the most complex threat ever known while AV industry exists: Win32/Flamer. The authors will present methods of analysis of the malware developed in the course of research of such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems the researchers face during investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the result of research on reconstructing framework which was used to construct Win32/Flamer and will show its similarity with Stuxnet/Duqu/Gauss with respect to code and architecture.
Alex MatrosovFollow
Principal REsearch Scientist at Cylance Inc.Advertisement
Win32/Flamer: Reverse Engineering and Framework Reconstruction
- Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
- Outline of The Presentation Typical malware vs. Stuxnet/Flame What the difference? Flamer code reconstruction problems C++ code reconstruction Library code identification Flamer framework overview Object oriented code reconstruction Relationship Stuxnet/Duqu/Flamer
- Typical Malware vs. Stuxnet/Flamer
- What’s the Difference?
- What’s the Difference? Typical malware Stuxnet/Flame … Different motivation, budget … Different motivation, budget … Use 1-days for distribution Use 0-days for distribution Anti-stealth for bypassing all sec Anti-stealth for bypassing AV soft Stealth timing: months Stealth timing: years Developed in C or C++ in C style Tons of C++ code with OOP Simple architecture for plugins Industrial OO framework platform Traditional ways for obfuscation: Other ways of code obfuscation: packers tons of embedded static code polymorphic code specific compilers/options vm-based protection object oriented wrappers for typical OS utilities …
- Stuxnet/Duqu/Flamer/Gauss Appearance
- Code Complexity Growth Gauss miniFlamer Stuxnet Duqu Flamer
- Code Complexity Growth
- C++ Code REconstruction Problems
- C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftable reconstruction Associate vftable object with exact object Class hierarchy reconstruction
- C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
- C++ Code Reconstruction Problems
- Identify Smart Pointer Structure
- Identify Exact Virtual Function Call in vtable
- Identify Exact Virtual Function Call in vtable
- Identify Exact Virtual Function Call in vtable
- Identify Custom Type Operations
- Identify Objects Constructors
- Identify Objects Constructors
- Library code identification problems
- Library Code Identification Problems Compiler optimization Wrappers for WinAPI calls Embedded library code Library version identification problem IDA signatures used syntax based detection methods Recompiled libraries problem Compiler optimization problem
- Library Code Identification Problems
- Object Oriented API Wrappers and Implicit Calls
- Object Oriented API Wrappers and Implicit Calls
- Object Oriented API Wrappers and Implicit Calls
- Festi: OOP in kernel-mode
- Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
- Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
- Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
- Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
- Festi: Plugins Festi plugins are volatile modules in kernel-mode address space: downloaded each time the bot is activated never stored on the hard drive The plugins are capable of: sending spam – BotSpam.dll performing DDoS attacks – BotDoS.dll providing proxy service – BotSocks.dll
- Flamer Framework Overview
- An overview of the Flamer Framework The main types used in Flamer Framework are: Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.) Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
- An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
- Some of Flamer Framework Components Identifying processes in the systems corresponding to Security security software: antiviruses, HIPS, firewalls, system information utilities and etc. Microbe Leverages voice recording capabilities of the system Idler Running tasks in the background BeetleJuice Utilizes bluetooth facilities of the system Telemetry Logging of all the events Gator Communicating with C&C servers
- Flamer SQL Lite Database Schema
- Flamer SQL Lite Database Schema
- REconstructing Flamer Framework
- Data Types Being Used Smart pointers Strings Vectors to maintain the objects Custom data types: wrappers, tasks, triggers and etc.
- Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
- Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
- Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements }; Used to handle the objects: tasks triggers etc.
- Using Hex-Rays Decompiler Identifying constructors/destructors Usually follow memory allocation The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes Creating custom type in “Local Types” for an object Analyzing object’s methods Creating custom type in “Local Types” for a table of virtual routines
- Using Hex-Rays Decompiler Identifying constructors/destructors Usually follow memory allocation The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes Creating custom type in “Local Types” for an object Analyzing object’s methods Creating custom type in “Local Types” for a table of virtual routines
- Reconstructing Object’s Attributes
- Reconstructing Object’s Attributes
- Reconstructing Object’s Methods
- Reconstructing Object’s Methods
- Reconstructing Object’s Methods
- DEMO
- Relationship Stuxnet/Duqu/Gauss/Flamer
- Source Code Base Differences
- Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092 (Task Scheduler) MS11-087 (Win32k.sys)
- Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks: ZwMapViewOfSection ZwCreateSection ZwOpenFile ZwClose ZwQueryAttributesFile ZwQuerySection Executes LoadLibraryW passing as a parameter either: KERNEL32.DLL.ASLR.XXXXXXXX SHELL32.DLL.ASLR.XXXXXXXX
- Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks: ZwMapViewOfSection ZwCreateSection ZwOpenFile ZwClose ZwQueryAttributesFile ZwQuerySection Executes LoadLibraryW passing as a parameter either: KERNEL32.DLL.ASLR.XXXXXXXX SHELL32.DLL.ASLR.XXXXXXXX
- Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using: VirtualAllocEx WriteProcessMemoryReadProcessMemory CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
- Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using: VirtualAllocEx WriteProcessMemoryReadProcessMemory CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
- Exploit Implementations: Gauss The payload is injected into processes from user-mode module
- Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov
Advertisement