SlideShare a Scribd company logo

Advanced (persistent) binary planting

Source Conference
Source Conference

This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.

TechnologyNews & Politics
1 of 36
Download to read offline
ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
ACROS PUBLIC Page 8 SOURCE Barcelona 2011
ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
ACROS PUBLIC Page 13 SOURCE Barcelona 2011
ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
ACROS PUBLIC Page 15 SOURCE Barcelona 2011
ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
ACROS PUBLIC Page 17 SOURCE Barcelona 2011
ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
ACROS PUBLIC Page 19 SOURCE Barcelona 2011
ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
ACROS PUBLIC Page 23 SOURCE Barcelona 2011
ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 27 SOURCE Barcelona 2011
ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
ACROS PUBLIC Page 29 SOURCE Barcelona 2011
ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
ACROS PUBLIC Page 31 SOURCE Barcelona 2011
ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity

Recommended

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
Security Bootcamp
 

Recommended

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
Security Bootcamp
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
Felipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
Wardell Motley, NSA IAM\IEM
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core Applications
Damir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
Chetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
DynamicInfraDays
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10
ErnestoFernndezProve
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
Muhammad Najmi Ahmad Zabidi
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
Patrick Chanezon
 
Android..!!
Android..!!Android..!!
Android..!!
Parthik Poshiya
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3
Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016
Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016
Patrick Chanezon
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference
 

More Related Content

Similar to Advanced (persistent) binary planting

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
Felipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
Wardell Motley, NSA IAM\IEM
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core Applications
Damir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
Chetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
DynamicInfraDays
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10
ErnestoFernndezProve
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
Muhammad Najmi Ahmad Zabidi
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
Patrick Chanezon
 
Android..!!
Android..!!Android..!!
Android..!!
Parthik Poshiya
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3
Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016
Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016
Patrick Chanezon
 

Similar to Advanced (persistent) binary planting (20)

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core Applications
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
 
Android..!!
Android..!!Android..!!
Android..!!
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016
 

More from Source Conference

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Source Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Source Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
Source Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference
 
JSF Security
JSF SecurityJSF Security
JSF Security
Source Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Source Conference
 
Keynote
KeynoteKeynote
Keynote
Source Conference
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
Source Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
 

Recently uploaded

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Advanced (persistent) binary planting

  • 1. ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
  • 2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
  • 3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
  • 4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
  • 6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
  • 7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
  • 8. ACROS PUBLIC Page 8 SOURCE Barcelona 2011
  • 9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
  • 10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
  • 11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
  • 12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  • 13. ACROS PUBLIC Page 13 SOURCE Barcelona 2011
  • 14. ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
  • 15. ACROS PUBLIC Page 15 SOURCE Barcelona 2011
  • 16. ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
  • 17. ACROS PUBLIC Page 17 SOURCE Barcelona 2011
  • 18. ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
  • 19. ACROS PUBLIC Page 19 SOURCE Barcelona 2011
  • 20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
  • 21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
  • 22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
  • 23. ACROS PUBLIC Page 23 SOURCE Barcelona 2011
  • 24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
  • 25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
  • 26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 27. ACROS PUBLIC Page 27 SOURCE Barcelona 2011
  • 28. ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
  • 29. ACROS PUBLIC Page 29 SOURCE Barcelona 2011
  • 30. ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
  • 31. ACROS PUBLIC Page 31 SOURCE Barcelona 2011
  • 32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
  • 33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
  • 34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
  • 35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
  • 36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity