Guarding Your Money and Data

Sophisticated targeted attacks (APT) that use drive-by downloads have become increasingly frequent. Existing automated analysis systems are generally unable to analyze the malware used in APT attacks, so malware researchers are forced to analyze it by hand. The speaker will present a new real-time automated memory analysis system (Malware Analyst). Rather than generating a memory dump, the system uses LibVMI to access memory directly, which speeds up diagnosis and clearly identifies suspicious malware behavior.

  1. Malware b to d (PHDAYS 2017)
  2. Who am I? Young Hak Lee
  3. ?
  4. Real-time malware spreading center detection system: Threat Insight (PHDAYS 2017)
  5.-15. Malware Life Cycle (title-only slides)
  16. Threat Insight
  17. Threat Insight | Case Example 01: Trojan horse malware from a travel agency's website
  18. Threat Insight | Case Example 02: Malware from a bookstore and a college website
  19. Threat Insight | Case Example 03: Spread of malware via a fishing trip agency's website
  20. Real-time malware memory analysis system: Malware Analyst (PHDAYS 2017)
  21. Malware Analyst Structure
  22. Malware Analyst Structure | Analyzer
  23. Malware Analyst Structure | Memory Analyzer
  24. Malware Analyst Structure | Log Analyzer
  25. Malware Analyst Structure | Network Analyzer
  26. Why Memory Analysis?
     - All programs are loaded in memory.
     - Bypasses malware protectors (packing, anti-debugging).
     - Identifies system activity and the overall machine state.
     - Memory reliability is very important.
  27. Memory Analysis Engine (agenda): 00. Use LibVMI & Volatility; 01. Command Analysis; 02. Process Analysis; 03. Thread Analysis; 04. Network Analysis; 05. Service Analysis; 06. MBR Analysis; 07. Rootkit Analysis. Section divider for 00. Use LibVMI & Volatility.
  28.-29. Why do we use LibVMI and Volatility? (slide 29 repeats slide 28)
     - LibVMI (Library Virtual Machine Introspection)
       - Producing a memory dump for every situation is inefficient in time and disk space; LibVMI does not need memory dumps.
       - Direct access to memory: reliable memory, guaranteeing reliable memory analysis results.
     - Volatility
       - Can analyze the memory accessed through LibVMI.
       - Open source.
       - Advantages for forensics, response and malware analysis.
  30. Memory Analysis Engine | 01. Command Analysis (section divider; same agenda as slide 27)
  31. Command Analysis
     - Cmdscan: _SCREEN_INFORMATION; Windows basic commands.
     - Consoles: _SCREEN_INFORMATION; console I/O data.
     - Shellbags: NTUSER.DAT & UsrClass.dat; Windows environment, timestamps, installer ...
  32. Memory Analysis Engine | 02. Process Analysis (section divider; same agenda as slide 27)
  33. Process Analysis | Process privilege analysis
     - Malicious code also needs privileges to cause undesired effects.
     - SeBackupPrivilege: with this, malicious code can copy files it has no access rights to.
     - SeDebugPrivilege: malicious code needs this to inject code in user mode.
     - SeLoadDriverPrivilege: with this, malicious code can load or unload a kernel driver.
     - SeChangeNotifyPrivilege: lets you register callbacks for changes to certain files or directories; malicious code can use it to block removal by the user or by security software.
     - SeShutdownPrivilege: bootkit-type malware usually uses this to reboot the system.
  34. Process Analysis | Analysis of process creation and termination
     - The Windows kernel manages processes with a linked list inside the _EPROCESS structure.
     - If malware cuts the linked list on purpose, the process list cannot be recovered from it.
     - (diagram: PsActiveProcessHead linked through the ActiveProcessLinks Flink/Blink of _EPROCESS(b.exe), _EPROCESS(a.exe) and _EPROCESS(b.exe) in kernel memory)
  35. Process Analysis | Analysis of process creation and termination
     - _EPROCESS scan: starting from PsActiveProcessHead in memory, finds the _EPROCESS structures and traces the linked list.
     - Verification is impossible if the linked list has been broken.
     - Pool scan: information can be collected from memory with a pool scan.
     - Confirms a match with the 'Proc' pool tag or the _EPROCESS structure.
     - Checks whether the memory area is free, which identifies terminated processes.
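The two views contrasted on slides 34 and 35, as an added example that is not code from the talk or from Malware Analyst: a constructed toy image holds 'Proc'-tagged allocations linked into a circular ActiveProcessLinks list, one entry is unlinked without being freed, and a list walk misses it while a tag scan still finds it. The layout, offsets and addresses are hypothetical, not the real Windows _EPROCESS layout.

```python
import struct

# Constructed toy 32-bit image (not the real Windows layout): each fake _EPROCESS
# is a 'Proc'-tagged allocation holding a 16-byte name and its Flink/Blink pair.
POOL_TAG, NAME_OFF, LINKS_OFF = b"Proc", 4, 20
HEAD = 0x8000                      # stands in for PsActiveProcessHead
def _rd32(mem, a): return struct.unpack_from("<I", mem, a)[0]
def _wr32(mem, a, v): struct.pack_into("<I", mem, a, v)

def build_image(names, hide=None):
    """Lay out one fake _EPROCESS per name, link them into the circular
    ActiveProcessLinks list, then unlink `hide` without freeing its memory."""
    mem = bytearray(0x20000)
    objs = [0x10000 + i * 0x1000 for i in range(len(names))]
    for a, n in zip(objs, names):
        mem[a:a + 4] = POOL_TAG
        mem[a + NAME_OFF:a + NAME_OFF + 16] = n.encode().ljust(16, b"\0")
    links = [HEAD] + [a + LINKS_OFF for a in objs]
    for i, l in enumerate(links):
        _wr32(mem, l, links[(i + 1) % len(links)])       # Flink
        _wr32(mem, l + 4, links[(i - 1) % len(links)])   # Blink
    if hide is not None:
        l = objs[names.index(hide)] + LINKS_OFF
        f, b = _rd32(mem, l), _rd32(mem, l + 4)
        _wr32(mem, b, f)                                  # prev.Flink = next
        _wr32(mem, f + 4, b)                              # next.Blink = prev
    return mem

def name_of(mem, obj):
    return bytes(mem[obj + NAME_OFF:obj + NAME_OFF + 16]).split(b"\0", 1)[0].decode()

def walk_active_list(mem):
    """pslist-style: follow Flink from PsActiveProcessHead back to the head."""
    out, l = [], _rd32(mem, HEAD)
    while l != HEAD:
        out.append(name_of(mem, l - LINKS_OFF))   # links field -> containing object
        l = _rd32(mem, l)
    return out

def pool_scan(mem):
    """psscan-style: find every 'Proc' tag regardless of the list state."""
    out, i = [], mem.find(POOL_TAG)
    while i != -1:
        out.append(name_of(mem, i))
        i = mem.find(POOL_TAG, i + 1)
    return out

def hidden_processes(mem):
    return sorted(set(pool_scan(mem)) - set(walk_active_list(mem)))
```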
  36. Process Analysis | Countering malware analysis obstruction
     - The original code exists somewhere in memory.
     - The memory surveillance sensor detects change signals from the malware.
     - The memory analysis engine finds the _EPROCESS structure with a pool scan.
     - Compares the data and structure contents with those from the memory surveillance sensor.
     - Checks the dump area and dumps it using IMAGE_DOS_HEADER analysis.
     - Can cope with repeated encryption/decryption of a given area, because a dump is taken on every change.
  37. Process Analysis | Citadel: [Citadel malware original binary] [Citadel malware unpacked binary (using Malware Analyst)]
  38. Process Analysis | Tesla Ransomware: [Tesla ransomware original binary] [Tesla ransomware unpacked binary (using Malware Analyst)]
  39. Memory Analysis Engine | 03. Thread Analysis (section divider; same agenda as slide 27)
  40. Thread Analysis
     - Detects orphan threads: the case where the start address of a thread points into an unidentified module address.
     - For their initial load, rootkits allocate a pool in the kernel, copy their code into the pool and run it there; because the pool is untagged, the code is concealed from memory analysis.
     - Various rootkits use orphan threads, e.g. Tigger and Mebroot. [Tigger sample orphan thread]
  41. Thread Analysis
     - Detects orphan threads.
     - Saves the sizes and addresses of the modules loaded in memory.
     - Searches _ETHREAD structures in memory with a pool scan.
     - Takes the start address from each _ETHREAD structure and compares it with the previously saved data.
     - Limitation: if malicious code is injected into an existing module and designated as the start address, it cannot be detected.
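The comparison on slide 41 as an added example, not the project's code: thread records are recovered by tag scan from a constructed buffer and each start address is checked against the module snapshot the sensor saved earlier. The record layout, tag and addresses are constructed; a start address that falls inside a legitimate module is deliberately not flagged, which is the limitation the slide states.

```python
import struct

# Constructed toy layout (not the real _ETHREAD): a thread record is a pool
# allocation tagged 'Thre' followed by the thread id and its 32-bit start address.
THREAD_TAG = b"Thre"
REC_SIZE = 16

# Module snapshot (name, base, size) as saved earlier by the memory surveillance
# sensor; these ranges are made up for the example.
MODULES = [
    ("ntoskrnl.exe", 0x82800000, 0x00400000),
    ("hal.dll",      0x82C00000, 0x00040000),
    ("ndis.sys",     0x8A000000, 0x00100000),
]

def thread_record(tid, start):
    """Build one constructed thread allocation."""
    return THREAD_TAG + struct.pack("<II", tid, start) + b"\0" * (REC_SIZE - 12)

def scan_threads(mem):
    """Pool-scan style: find every 'Thre' allocation and read (tid, start)."""
    out, i = [], mem.find(THREAD_TAG)
    while i != -1:
        out.append(struct.unpack_from("<II", mem, i + 4))
        i = mem.find(THREAD_TAG, i + 1)
    return out

def module_for(addr, modules=MODULES):
    """Name of the saved module whose [base, base+size) range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_orphan_threads(mem, modules=MODULES):
    """Threads whose start address lies outside every saved module, i.e. code
    running from an untagged kernel pool rather than from a loaded module."""
    return [(tid, start) for tid, start in scan_threads(mem)
            if module_for(start, modules) is None]
```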
  42. Memory Analysis Engine | 04. Network Analysis (section divider; same agenda as slide 27)
  43. Network Analysis | Socket and network analysis
     - There is a separate network analyzer, but network analysis is also performed on memory.
     - Detects behaviors such as 127.0.0.1 (localhost) communication.
     - Detects sockets that are created but never used because of code errors.
     - Analysis methods differ slightly between OS versions.
     - The terms used are not documented in official MS documentation, e.g. AddrObjTable, TCB table ...
  44. Network Analysis
     - Upgraded structure using the TCP/IP stack from MS.
     - Investigates the _TCP_ENDPOINT, _UDP_ENDPOINT and _TCP_LISTENER structures of the netstat.exe process with a pool scan, and presents the results after parsing them.
     - _TCP_ENDPOINT
       0x0 : CreateTime ['WinTimeStamp', {'is_utc': True, 'value': 0}]
       0x18 : InetAF ['pointer', ['_INETAF']]
       0x20 : AddrInfo ['pointer', ['_ADDRINFO']]
       0x68 : State ['Enumeration', {'target': 'long', 'choices': {0: 'CLOSE', 1: 'LISTENING', 2: 'SYN_SENT', 3: 'SYN_RCVD', 4: 'ESTABLISHED', 5: 'FIN_WAIT1', 6: 'FIN_WAIT2', 7: 'CLOSE_WAIT', 8: 'CLOSING', 9: 'LAST_ACK', 12: 'TIME_WAIT', 13: 'DELETE_TCB'}}]
       0x6c : LocalPort ['unsigned be short']
       0x6e : RemotePort ['unsigned be short']
       0x238 : Owner ['pointer', ['_EPROCESS']]
     - _UDP_ENDPOINT
       0x20 : InetAF ['pointer', ['_INETAF']]
       0x28 : Owner ['pointer', ['_EPROCESS']]
       0x58 : CreateTime ['WinTimeStamp', {'is_utc': True}]
       0x60 : LocalAddr ['pointer', ['_LOCAL_ADDRESS']]
       0x80 : Port ['unsigned be short']
     - _TCP_LISTENER
       0x20 : CreateTime ['WinTimeStamp', {'is_utc': True}]
       0x28 : Owner ['pointer', ['_EPROCESS']]
       0x58 : LocalAddr ['pointer', ['_LOCAL_ADDRESS']]
       0x60 : InetAF ['pointer', ['_INETAF']]
       0x6a : Port ['unsigned be short']
  45. Memory Analysis Engine | 05. Service Analysis (section divider; same agenda as slide 27)
  46. Service Analysis | Windows service analysis
     - There are various ways to create services.
     - A service can be hidden when the service structure is changed on purpose.
     - Analysis methods differ slightly between OS versions.
  47. Service Analysis | Windows service analysis
     - Searches for pool allocations with the 'sErv' and 'serH' tags using a pool scan in the services.exe process.
     - Confirms that the pool matches the _SERVICE_HEADER structure, then traces the _SERVICE_RECORD it points to and compares it with the _SERVICE_RECORD structure.
     - _SERVICE_HEADER
       0x0 : Tag ['array', 4, ['unsigned char']]
       0x10 : ServiceRecord ['pointer', ['_SERVICE_RECORD']]
     - _SERVICE_RECORD
       0x0 : PrevEntry ['pointer', ['_SERVICE_RECORD']]
       0x8 : ServiceName ['pointer', ['String', {'length': 512, 'encoding': 'utf16'}]]
       0x10 : DisplayName ['pointer', ['String', {'length': 512, 'encoding': 'utf16'}]]
       0x18 : Order ['unsigned int']
       0x20 : Tag ['array', 4, ['unsigned char']]
       0x28 : DriverName ['pointer', ['String', {'length': 256, 'encoding': 'utf16'}]]
       0x28 : ServiceProcess ['pointer', ['_SERVICE_PROCESS']]
       0x30 : Type ['Flags', {'bitmap': svc_types}]
       0x34 : State ['Enumeration', {'target': 'long', 'choices': svc_states}]
  48. Memory Analysis Engine | 06. MBR Analysis (section divider; same agenda as slide 27)
  49. MBR Analysis
     - Countermeasure against bootkit malware.
     - Searches memory for areas that carry the MBR signature.
     - Compares the area with the partition table layout and recognizes it as an MBR when it matches.
     - Partition table
       0x0 : Boot Indicator ["Byte" : "0x80"]
       0x1 : Starting CHS values ["Byte"]
       0x4 : Partition-type Descriptor ["Byte"]
       0x5 : Ending CHS values ["Byte"]
       0x8 : Starting Sector ["Byte"]
       0x12 : Partition Size ["Unsigned Int"]
     - Limitation: GPT cannot be analyzed.
  50. Memory Analysis Engine | 07. Rootkit Analysis (section divider; same agenda as slide 27)
  51. Rootkit Analysis | Driver IRP analysis
     - A driver IRP is used for communication between a user-level application and a kernel-level driver.
     - Malware can interrupt the communication by overwriting the IRP table.
     - Example: malicious code can interfere with data buffers headed for the network or disk by overwriting IRP_MJ_WRITE.
     - Searches DRIVER_OBJECT in the kernel.
     - Analyzes the IRP data in the MajorFunction offset area of DRIVER_OBJECT.
  52. Rootkit Analysis | Driver stratum (layering) analysis
     - The Windows system uses a stratum of layered drivers to process I/O requests.
     - Communication can be interrupted by placing the malware at a higher level than the normal driver, without touching the IRP table.
  53. Rootkit Analysis | Driver stratum (layering) analysis
     - Searches _DEVICE_OBJECT in the kernel.
     - Follows NextDevice continuously until its value in _DEVICE_OBJECT reaches 0.
     - Analyzes the layering using the value of AttachedDevice.
     - _DEVICE_OBJECT
       0x0 : Type ['short']
       0x2 : Size ['unsigned short']
       0x4 : ReferenceCount ['long']
       0x8 : DriverObject ['pointer', ['_DRIVER_OBJECT']]
       0xc : NextDevice ['pointer', ['_DEVICE_OBJECT']]
       0x10 : AttachedDevice ['pointer', ['_DEVICE_OBJECT']]
       0x14 : CurrentIRP ['pointer', ['_IRP']]
       0x18 : Timer ['pointer', ['_IO_TIMER']]
       0x1c : Flags ['unsigned int']
       (... omitted ...)
       0xb0 : DeviceObjectExtension ['pointer', ['_DEVOBJ_EXTENSION']]
       0xb4 : Reserved ['pointer', ['void']]
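Walking the device layering slide 53 describes, as an added example that is not the project's code: the DriverObject, NextDevice and AttachedDevice offsets are the ones listed on the slide for the 32-bit _DEVICE_OBJECT; the memory image, device addresses, DRIVER_OBJECT addresses and the set of known driver objects are constructed for the example.

```python
import struct

# Field offsets from the 32-bit _DEVICE_OBJECT listing on the slide.
DRIVER_OBJECT_OFF, NEXT_DEVICE_OFF, ATTACHED_DEVICE_OFF = 0x8, 0xC, 0x10
DEVICE_OBJECT_SIZE = 0xB8

def _rd32(mem, a): return struct.unpack_from("<I", mem, a)[0]

def build_image(devices):
    """Constructed kernel memory: devices maps a _DEVICE_OBJECT address to
    (DriverObject, NextDevice, AttachedDevice); every address here is made up."""
    mem = bytearray(0x10000)
    for a, (drv, nxt, att) in devices.items():
        struct.pack_into("<hHl", mem, a, 3, DEVICE_OBJECT_SIZE, 1)  # Type, Size, ReferenceCount
        struct.pack_into("<III", mem, a + DRIVER_OBJECT_OFF, drv, nxt, att)
    return mem

def device_chain(mem, first):
    """All devices owned by one driver: follow NextDevice until it reads 0."""
    out, a = [], first
    while a:
        out.append(a)
        a = _rd32(mem, a + NEXT_DEVICE_OFF)
    return out

def attached_stack(mem, dev):
    """Devices layered above dev, bottom-up, as (device, DriverObject) pairs;
    the seen-set stops a corrupted AttachedDevice pointer from looping forever."""
    out, seen = [], set()
    a = _rd32(mem, dev + ATTACHED_DEVICE_OFF)
    while a and a not in seen:
        seen.add(a)
        out.append((a, _rd32(mem, a + DRIVER_OBJECT_OFF)))
        a = _rd32(mem, a + ATTACHED_DEVICE_OFF)
    return out

def suspicious_attachments(mem, first, known_drivers):
    """(device, attached device, DriverObject) for each layer above a driver's
    devices whose DRIVER_OBJECT is not among the known driver objects."""
    hits = []
    for dev in device_chain(mem, first):
        for att, drv in attached_stack(mem, dev):
            if drv not in known_drivers:
                hits.append((dev, att, drv))
    return hits
```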
  54. Rootkit Analysis | Analysis of callbacks
     - Searches for and analyzes callback objects using a pool scan.
     - Process creation: PsSetCreateProcessNotifyRoutine
     - Thread creation: PsSetCreateThreadNotifyRoutine (used by BlackEnergy)
     - Image load: PsSetLoadImageNotifyRoutine (used by Stuxnet)
     - Registry modification: CmRegisterCallback (XP), CmRegisterCallbackEx (Vista and later) (used by Ascesso)
     - Bugchecks: KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback
  55. Malware information sharing platform: Merkava (PHDAYS 2017)
  56.-63. Merkava Platform (title-only slides)
  64. Thank you :) Email: vstherock@blackfortsec.com