This document summarizes an upcoming presentation on program analysis from a security perspective. It will cover topics like taint analysis, symbolic execution, concolic execution, disassembly, decompilation, and case studies analyzing the Tempesta tool versus CryptoPHP malware and the Ursnif malware. The presentation will be given on October 7, 2015 to the ISACA Venice Chapter by Antonio Parata and will explore program analysis techniques for understanding malicious behavior, identifying vulnerabilities, and reversing code.

1. 1
Program Analysis: a security
perspective
Antonio Parata
Venice, 07/10/2015

2. 2ISACA VENICE Chapter
Agenda
▪ Introduction
➢ Mobile world
▪ Theory
➢ Taint Analysis
➢ Symbolic Execution
➢ Concolic Execution
▪ Code De/Obfuscation
➢ Disassembler
➢ Decompiler
▪ Case Studies
➢ Tempesta Vs CryptoPHP
➢ Ursnif
07/10/2015

3. 3ISACA VENICE Chapter
Who am I?
▪ LEAD THE COMMUNICATION VALLEY R&D TEAM
▪ OWASP ITALY BOARD MEMBER
▪ PASSIONATE ABOUT SOFTWARE SECURITY AND SOFTWARE
DEVELOPMENT
▪ Developed various security tools like: Nebula, Tempesta, and so on
▪ CONTACTS
▪ Blog: http://antonioparata.blogspot.it/
▪ GitHub: https://github.com/enkomio
07/10/2015

4. 4ISACA VENICE Chapter
Introduction (1/4)
CURRENT PRACTICE FOR SOFTWARE ASSURANCE
▪ Testing
▪ PRO: Concrete failure produces issues
▪ CONS: Expensive, difficult, hard to cover all code paths
07/10/2015
Malformed Input Program Oracle
Is it correct?

5. 5ISACA VENICE Chapter
Introduction (2/4)
CURRENT PRACTICE FOR SOFTWARE ASSURANCE
▪ Code Auditing
▪ PRO: Human can generalize beyond single runs
▪ CONS: Expensive, hard, no guarantees
07/10/2015

6. 6ISACA VENICE Chapter
Introduction (3/4)
STATIC ANALYSIS
▪ Analyze program’s code without running it
➢ In a sense, we are asking a computer to do what a human does during code
review
▪ PRO: much higher coverage
➢ Reason about many possible runs of the program
➢ Reason about incomplete programs
▪ CONS:
➢ Can only analyze limited properties
➢ May miss some errors, or have false positives
➢ Can be time consuming to run
07/10/2015

7. 7ISACA VENICE Chapter
Introduction (4/4)
07/10/2015
PROGRAM ANALYSIS
▪ Program Analysis offers static compile-time techniques for predicting safe
and computable approximations to the set of values or behaviours arising
dynamically at run-time when executing a program on a computer.
▪ Program Analysis is the process of automatically analyzing the behavior of
computer programs regarding a property such as correctness,
robustness, safety and liveness. Program analysis focuses on two major
areas: program optimization and program correctness.
Principles of Program Analysis
Wikipedia
…or put in another
way…

8. 8ISACA VENICE Chapter
Mobile (Malicious) World
07/10/2015
WHY MOBILE MALWARE?
▪ Lots of personal data
▪ Lots of business data
▪ Easy access to company infrastructure (BYOD)
▪ AV can only statically scan installed apps
▪ Mobile applications run in a restricted (sandbox) environment
▪ Unable to do “dirty” things

9. 9ISACA VENICE Chapter
Mobile Malware (1/3)
07/10/2015
▪ Malware downloaded from unofficial app store
▪ Malware installed from compromised computers connected to mobile
phone
▪ …malware installed from official store (see XCodeGhost)
▪ Simplelocker

10. 10ISACA VENICE Chapter
Mobile Malware (2/3)
07/10/2015
▪ XCodeGhost: a very clever idea
▪ Upload to un-official market a trojanized version of XCode IDE
▪ XCode is the de facto standard IDE to create iOS apps
▪ Every time that a new application is compiled a trojanized version of the
core libraries is linked with the mobile app
▪ The app is uploaded on the official market (App store) without knowing
that it was trojanized
▪ Once infected the device the malware collect information that are
encrypted and sent to the C&C server
▪ The infected mobile can also receive commands from the C&C server

11. 11ISACA VENICE Chapter
Mobile Malware (3/3)
07/10/2015
▪ How different is to analyze mobile apps?
▪ Not very different than normal (not mobile) applications
▪ Step1: get access to the application that you want to analyze
▪ Step2: create an environment where you can analyze the application (sandbox, emulator
and so on)
▪ Step3: profit
▪ Some useful tools:

12. 12ISACA VENICE Chapter
Taint Analysis (1/2)
TAINT ANALYSIS
▪ The taint analysis is a popular method which consists to check which
variables can be modified by the user input.
▪ The root cause of many attacks is trusting unvalidated input
➢ Input from user is tainted
➢ Various data is used, assuming it is untainted
▪ Examples:
07/10/2015
* http://sseblog.ec-spride.de/tools/flowdroid/

13. 13ISACA VENICE Chapter
Taint Analysis (2/2)
TAINT ANALYSIS TOOLS
07/10/2015
FlowDroid is a context-,
flow-, field-,
object-sensitive and
lifecycle-aware static
taint analysis tool for
Android applications
Taint analysis and
pattern matching with
Pin. Project part of the
Triton Framework, we will
see it later.
http://shell-storm.org/blo
g/Taint-analysis-and-patt
ern-matching-with-Pin/
Static Taint Analysis
Dynamic Taint Analysis

14. 14ISACA VENICE Chapter
Symbolic Execution (1/4)
DEFINITION
▪ A key goal of symbolic execution in the context of software testing is to
explore as many different program paths as possible in a given amount of
time, and for each path to generate a set of concrete input values
exercising that path, and check for the presence of various kinds of errors
including assertion violations, uncaught exceptions, security
vulnerabilities, and memory corruption.*
07/10/2015
* Symbolic Execution for Software Testing: Three Decades Later

15. 15ISACA VENICE Chapter
Symbolic Execution (2/4)
FORKING EXECUTION
▪ Symbolic executors can fork at branching points
➢ Happens when there are solutions to both the path condition and its negation
▪ How to systematically explore both directions?
➢ Check feasibility during execution and queue feasible path (condition)s for
later consideration
07/10/2015
* Symbolic Execution for Software Testing: Three Decades Later

16. 16ISACA VENICE Chapter
Symbolic Execution (3/4)
PATH EXPLOSION AND CONSTRAINT SOLVING PROBLEM
* How We Get There: A Context-Guided Search Strategy in Concolic Testing (FSE 2014)
▪ Path search: DFS (Depth First Search), BFS (Breadth First Search),
Random
▪ Constraint Solving: use an SMT solver
➢ A very popular SMT solver is Z3: https://github.com/Z3Prover/z3
07/10/2015

17. 17ISACA VENICE Chapter
Symbolic Execution (4/4)
KLEE LLVM EXECUTION ENGINE
▪ KLEE is a symbolic virtual machine built on top of the LLVM compiler
infrastructure
▪ Use the STP constraint solver (http://stp.github.io/)
▪ We need to modify the source code in order to run Klee
➢ We need to mark which variables should be considered as symbolic values
https://klee.github.io/
07/10/2015

18. 18ISACA VENICE Chapter
Concolic execution (1/4)
▪ Also called dynamic symbolic execution
▪ Instrument the program to do symbolic execution as the program runs
➢ Shadow concrete program state with symbolic variables
➢ Initial concrete state determines initial path, could be randomly generated
➢ Keep shadow path condition!
▪ Explore one path at a time, start to finish
➢ The next path can be determined by negating some element of the last path
condition, and solving for it, to produce concrete inputs for the next test
➢ Always have a concrete underlying value to rely on
07/10/2015

19. 19ISACA VENICE Chapter
Concolic execution (2/4)
▪ Concolic execution makes it really easy to concretize
➢ Replace symbolic variables with concrete values that satisfy the path condition
❖ Always have these around in concolic execution
▪ So, could actually do system calls!
➢ But we lose symbolic-ness at such calls
▪ And can handle cases when conditions are too complex for SMT solver
07/10/2015

20. 20ISACA VENICE Chapter
Concolic execution (3/4)
07/10/2015
http://triton.quarkslab.com/

21. 21ISACA VENICE Chapter
Concolic execution (4/4)
Triton HLA
07/10/2015

22. 22ISACA VENICE Chapter
Disassembler
DISASSEMBLER
▪ It is a computer program that translates machine language into assembly
language—the inverse operation to that of an assembler. A disassembler
differs from a decompiler, which targets a high-level language rather than
an assembly language
07/10/2015
* Symbolic Execution for Software Testing: Three Decades Later
Disassembling
Application
Assembly Code

23. 23ISACA VENICE Chapter
Decompiler (1/5)
DECOMPILER
▪ Performs the reverse operation to that of a compiler
▪ Pro: The decompilation of bytecode is very powerful
▪ Cons: But the decompilation of binary code is not that good
07/10/2015
* Symbolic Execution for Software Testing: Three Decades Later
Decompilation
Application
Source Code

24. 24ISACA VENICE Chapter
Decompiler (2/5)
ORIGINAL DECOMPILED
07/10/2015

25. 25ISACA VENICE Chapter
Decompiler (3/5)
ANTI-DECOMPILATION TRICKS
IL_0014: NOP
IL_0015: LDARG.0
IL_0016: CALL INSTANCE VOID
CONSOLEAPPLICATION.SIMPLECLASS::SAYHELLO()
IL_001B: NOP
IL_001C: LDC.I4.1
IL_001D: STLOC.0
IL_001E: BR.S IL_0024
Disassemble
▪ The if branch is never taken and
the SayHello instance method is
never invoked.
The function always return false
regardless of the input value
▪ By convention before to call an
instance function a pointer to this
must be pushed on the stack. In
this way a pointer to this can be
read with ldarg.0
07/10/2015

26. 26ISACA VENICE Chapter
Decompiler (4/5)
ANTI-DECOMPILATION TRICKS
IL_0014: NOP
// IL_0015: LDARG.0
IL_0016: CALL INSTANCE VOID
CONSOLEAPPLICATION.SIMPLECLASS::SAYHELLO()
IL_001B: NOP
IL_001C: LDC.I4.1
IL_001D: STLOC.0
IL_001E: BR.S IL_0024
Assemble
▪ Open the msil source code file with your preferred editor
▪ Comment the loading of the this pointer
(add the characters // at the line start)
▪ Assemble the file with ilasm (ilasm.exe msil.il)
▪ Open your prefered decompiler and try to decompile the IsTwo routine
Decompile
07/10/2015

27. 27ISACA VENICE Chapter
Decompiler (5/5)
07/10/2015

28. 28ISACA VENICE Chapter
Real World Program Analysis
MALWARE ANALYSIS
▪ Understand the malicious
behaviour of the program
SECURITY ASSESSMENT
▪ Identify possible vulnerabilities that
can compromise the security of
the application
REVERSE CODE ENGINEERING
▪ Understand how a specific
program works for further
analysis or to mimic the
behaviour
07/10/2015

29. 29ISACA VENICE Chapter
TEMPESTA
▪ A PHP source code analysis service, useful to quickly identify
interesting information of possible malicious PHP script
▪ Url:
➢ http://enkomio.com/tempesta/#/
➢ http://antonioparata.blogspot.it/2015/09/cryptophp-vs-tempesta.html
CRYPTOPHP
▪ CryptoPHP is a threat that uses backdoored Joomla, WordPress and
Drupal themes and plug-ins to compromise webservers on a large
scale. By publishing pirated themes and plug-ins free for anyone to
use instead of having to pay for them
▪ Info:
https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepap
er-foxsrt-v4.pdf
Case Studies – Tempesta Vs CryptoPHP (1/5)
07/10/2015

30. 30ISACA VENICE Chapter
Case Studies – Tempesta Vs CryptoPHP (2/5)
CRYPTOPHP
▪ It is tipically obfuscated (even if not with a very strong algorithm)
▪ Backdoor most common CMS in order to ensure persistence
➢ Wordpress plugin
➢ Joomla plugin
07/10/2015

31. 31ISACA VENICE Chapter
Case Studies – Tempesta Vs CryptoPHP (3/5)
WHICH KIND OF INFORMATION ARE WE INTERESTED IN?
▪ We are interested in info that allow us to known where the stolen
information are sent (Data Exfiltration) or where is located the C&C
➢ IP address
➢ Contacted Emails
➢ Contacted Urls
▪ How can we extract all this kind of information from that code?
▪ Symbolic Execution to the rescue: simulate the code and follow each
branches in order to try to cover all code path
➢ Pro: all paths are followed, with an high degree of reachability
➢ Cons: may cause some false positive
07/10/2015

32. 32ISACA VENICE Chapter
Case Studies – Tempesta Vs CryptoPHP (4/5)
07/10/2015
After various calls sequences
on object instance
Hook on base64_decode
IP: 87.119.221.11
URL: eurolips.in
URL: likebugs.in
URL: trailmorey.com
URL: worldcut.biz
URL: worldcute.biz
URL: zimlooks.com
URL: sameyouto.com
URL: moongreen.inf
URL: kelmanstar.biz
URL: giveourlife.org
URL: fraudsteel.com
URL: almamatez.com
URL: ergofilling.com
URL: villagesun.in
URL: movemorey.in
URL: biofoodey.org
URL: anything2u2.org
URL: sportscen.org
URL: cuttscan.org
URL: freeaparts.org
URL: sceniceyou.pw
URL: ampm2u.pw
URL: chairguy.pw
URL: slimflicker.in
URL: thexorandor.in
URL: honeybun.in
URL: glentools.in
URL: danbarton.in
URL: bimlolgroup.in
URL: fatrats.in
URL: chansteel.in
URL: ringostar.in
URL: bringletorn.biz
URL: style.org
URL: foltimaks.biz
URL: outletginess.net
URL: rishtofish.pw
URL: travelsans.pw
URL: uniglader.biz
URL: wonderfails.net
URL: xenonstyles.net
URL: blacktitan.org
URL: hollahup.me
URL: nanogrades.net
URL: deadmary.biz
URL: dreamknow.net
URL: layfoster.net
URL: stranges.inf
URL: huntergil.biz
URL: milkaxe.biz
URL: ramakit.biz
URL: quoteboll.biz
URL: fmdons.com
URL: daramusics.com
URL: froggerbobber.com
URL: kolmens.com
URL: foosamples.com
URL: mtvboards.com
URL: nudays.biz
URL: carandflys.inf
URL: mathlow.co
URL: menko.co
URL: dynamicxor.com

33. 33ISACA VENICE Chapter
Case Studies – Tempesta Vs CryptoPHP (5/5)
STATIC ANALYSIS LIMITATION
▪ Let’s consider a very basic DGA algorithm:
▪ Who knows which are the contacted domains?
07/10/2015

34. 34ISACA VENICE Chapter
Case Studies – Ursnif malware (1/5)
URSNIF
▪ A Data-Stealing malware
▪ Info:
http://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-
multifaceted-malware/
▪ MD5: 7B6A4CB12AAC9C30D46FF6CB60CBE684
▪ The analyzed sample is packed
➢ Difficult to do static analysis without first unpacking it
▪ After unpacking the sample injects itself in explorer.exe
➢ This choice is pretty common for malware, debugging explorer.exe is not
very user friendly
07/10/2015

35. 35ISACA VENICE Chapter
Case Studies – Ursnif malware (2/5)
DATA ENCRYPTION
▪ The stolen data are sent to the C&C in an encrypted form
▪ Example of request:
thfcxcofa.php?vlxch=mPihsm98FIH4Q/a6mVUmVvTw5k0eDh9uB1o86GNW
mHbGWWERbnoeFVdNbeqhqU/W+mqbmJbkReehn41IbaAm+2V5tI1Hzl1p7
gh7enGkgUJ4XzyM5c5dWs6kIyhLmRJV0TecNh3LTWNKjn/wSiCUyS==
▪ Page name and parameter name are randomly generated, starting
from a call to GetTickCount
▪ Base64 encoded data is encrypted by using an hardcoded key
“87694321POIRYTRI”
07/10/2015

36. 36ISACA VENICE Chapter
Case Studies – Ursnif malware (3/5)
DATA ENCRYPTION
▪ We want to send special crafted data to the server in order to have
more information on the C&C
07/10/2015
014E2081 55 PUSH EBP ; encrypt
payload
014E2082 8BEC MOV EBP,ESP
014E2084 83EC 18 SUB ESP,18
014E2087 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20]
; move DWORD key in EDX
014E208A 53 PUSH EBX
014E208B 8B58 28 MOV EBX,DWORD PTR DS:[EAX+28]
; move DWORD key in EBX
014E208E 56 PUSH ESI
014E208F 8B70 24 MOV ESI,DWORD PTR DS:[EAX+24]
; move DWORD key in ESI
014E2092 57 PUSH EDI
014E2093 8BF9 MOV EDI,ECX
014E2095 335F 08 XOR EBX,DWORD PTR DS:[EDI+8]
; XOR key and plain text
014E2098 3317 XOR EDX,DWORD PTR DS:[EDI]
014E209A 3377 04 XOR ESI,DWORD PTR DS:[EDI+4]
014E209D 3398 38020000 XOR EBX,DWORD PTR
DS:[EAX+238]
014E20A3 3390 30020000 XOR EDX,DWORD PTR
DS:[EAX+230]
014E20A9 33B0 34020000 XOR ESI,DWORD PTR
DS:[EAX+234]
014E20AF 8B48 2C MOV ECX,DWORD PTR DS:[EAX+2C]
014E20B2 334F 0C XOR ECX,DWORD PTR DS:[EDI+0C]
014E20B5 3388 3C020000 XOR ECX,DWORD PTR
DS:[EAX+23C]
014E20BB 8BF9 MOV EDI,ECX
014E20BD 0BCA OR ECX,EDX
014E20BF 33FE XOR EDI,ESI
014E20C1 894D FC MOV DWORD PTR SS:[EBP-4],ECX
014E20C4 8BCB MOV ECX,EBX
014E20C6 33CE XOR ECX,ESI
014E20C8 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
014E20CB 894D EC MOV DWORD PTR SS:[EBP-14],ECX
014E20CE 334D FC XOR ECX,DWORD PTR SS:[EBP-4]
014E20D1 8BFE MOV EDI,ESI
014E20D3 33FA XOR EDI,EDX
014E20D5 894D F4 MOV DWORD PTR SS:[EBP-0C],ECX
014E20D8 8BCF MOV ECX,EDI
014E20DA 237D F8 AND EDI,DWORD PTR SS:[EBP-8]
014E20DD 23CB AND ECX,EBX
014E20DF 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
014E20E2 F7D3 NOT EBX
014E20E4 0BCB OR ECX,EBX
014E20E6 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14]
014E20E9 0BDA OR EBX,EDX
014E20EB 33CB XOR ECX,EBX
014E20ED 33F9 XOR EDI,ECX
014E20EF 337D F4 XOR EDI,DWORD PTR SS:[EBP-0C]
014E20F2 33FA XOR EDI,EDX
014E20F4 8BDF MOV EBX,EDI
014E20F6 0BD9 OR EBX,ECX
014E20F8 235D FC AND EBX,DWORD PTR SS:[EBP-4]
014E20FB 33DE XOR EBX,ESI
014E20FD C1C1 0D ROL ECX,0D
014E2100 C1C3 03 ROL EBX,3
014E2103 8BF3 MOV ESI,EBX
014E2105 33F7 XOR ESI,EDI
014E2107 33F1 XOR ESI,ECX
014E2109 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
014E210C D1C6 ROL ESI,1
014E210E 8BD1 MOV EDX,ECX
014E2110 C1E2 03 SHL EDX,3
014E2113 33D3 XOR EDX,EBX
014E2115 3355 F4 XOR EDX,DWORD PTR SS:[EBP-0C]
014E2118 8BCE MOV ECX,ESI
014E211A C1E1 07 SHL ECX,7
014E211D 33CB XOR ECX,EBX
014E211F C1C2 07 ROL EDX,7
014E2122 8BDE MOV EBX,ESI
014E2124 335D F8 XOR EBX,DWORD PTR SS:[EBP-8]
014E2127 3370 34 XOR ESI,DWORD PTR DS:[EAX+34]
014E212A 33CA XOR ECX,EDX
014E212C 33DA XOR EBX,EDX
014E212E 3350 3C XOR EDX,DWORD PTR DS:[EAX+3C]
014E21EA 0B75 F4 OR ESI,DWORD PTR SS:[EBP-0C]
014E21ED 33F9 XOR EDI,ECX
014E21EF 23DA AND EBX,EDX
014E21F1 8BD3 MOV EDX,EBX
014E21F3 0B5D F4 OR EBX,DWORD PTR SS:[EBP-0C]
014E21F6 33D7 XOR EDX,EDI
014E21F8 0B7D F8 OR EDI,DWORD PTR SS:[EBP-8]
014E21FB 23FB AND EDI,EBX
014E21FD 337D FC XOR EDI,DWORD PTR SS:[EBP-4]
014E2200 8BDF MOV EBX,EDI
014E2202 33F3 XOR ESI,EBX
014E2204 C145 F8 0D ROL DWORD PTR SS:[EBP-8],0D
014E2208 3375 F0 XOR ESI,DWORD PTR SS:[EBP-10]
014E220B 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
014E220E C1C3 03 ROL EBX,3
014E2211 33F3 XOR ESI,EBX
014E2213 3375 F8 XOR ESI,DWORD PTR SS:[EBP-8]
014E2216 C1E1 03 SHL ECX,3
014E2219 33F2 XOR ESI,EDX
014E221B D1C6 ROL ESI,1
014E221D 33CB XOR ECX,EBX
014E221F 8BFE MOV EDI,ESI
014E2221 33CA XOR ECX,EDX
014E2223 C1E6 07 SHL ESI,7
014E2226 33F3 XOR ESI,EBX
014E2228 C1C1 07 ROL ECX,7
014E222B 33F1 XOR ESI,ECX
014E222D C1C6 16 ROL ESI,16
014E2230 3370 58 XOR ESI,DWORD PTR DS:[EAX+58]
014E2233 8BD7 MOV EDX,EDI
014E2235 3355 F8 XOR EDX,DWORD PTR SS:[EBP-8]
014E2238 3378 54 XOR EDI,DWORD PTR DS:[EAX+54]
014E223B 33D1 XOR EDX,ECX
014E223D 3348 5C XOR ECX,DWORD PTR DS:[EAX+5C]
014E2240 C1C2 05 ROL EDX,5
014E2243 3350 50 XOR EDX,DWORD PTR DS:[EAX+50]
014E2246 8BDA MOV EBX,EDX
014E2248 0BD9 OR EBX,ECX
014E224A 895D FC MOV DWORD PTR SS:[EBP-4],EBX
014E224D 8BDF MOV EBX,EDI
014E224F 23DA AND EBX,EDX
014E2251 895D F4 MOV DWORD PTR SS:[EBP-0C],EBX
014E2254 8BDE MOV EBX,ESI
014E2256 33DA XOR EBX,EDX
014E2258 235D FC AND EBX,DWORD PTR SS:[EBP-4]
014E225B 23D1 AND EDX,ECX
014E225D 0BD7 OR EDX,EDI
014E225F 33D3 XOR EDX,EBX
014E2261 895D EC MOV DWORD PTR SS:[EBP-14],EBX
014E2264 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-0C]
014E2267 0BDE OR EBX,ESI
014E2269 335D EC XOR EBX,DWORD PTR SS:[EBP-14]
014E226C 33DF XOR EBX,EDI
014E226E 8B7D FC MOV EDI,DWORD PTR SS:[EBP-4]
014E2271 33D9 XOR EBX,ECX
014E2273 23FB AND EDI,EBX
014E2275 337D F4 XOR EDI,DWORD PTR SS:[EBP-0C]
014E2278 33FE XOR EDI,ESI
014E227A 8BF7 MOV ESI,EDI
014E227C F7D6 NOT ESI
014E227E 23F2 AND ESI,EDX
014E2280 3375 F4 XOR ESI,DWORD PTR SS:[EBP-0C]
014E2283 3375 FC XOR ESI,DWORD PTR SS:[EBP-4]
014E2286 C1C6 0D ROL ESI,0D
014E2289 C1C7 03 ROL EDI,3
014E228C 8BCF MOV ECX,EDI
014E228E 33CA XOR ECX,EDX
014E2290 33CE XOR ECX,ESI
014E2292 8BD6 MOV EDX,ESI
014E2294 C1E2 03 SHL EDX,3
014E2297 33D3 XOR EDX,EBX
014E2299 33D7 XOR EDX,EDI
014E229B D1C1 ROL ECX,1
014E229D C1C2 07 ROL EDX,7
014E22A0 8BD9 MOV EBX,ECX
014E22A2 C1E3 07 SHL EBX,7
014E22A5 33DA XOR EBX,EDX
014E22A7 33DF XOR EBX,EDI
014E22A9 8B78 6C MOV EDI,DWORD PTR DS:[EAX+6C]
014E22AC C1C3 16 ROL EBX,16
014E22AF 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
014E22B2 8BDA MOV EBX,EDX
014E22B4 33D9 XOR EBX,ECX
014E22B6 3348 64 XOR ECX,DWORD PTR DS:[EAX+64]
014E22B9 33DE XOR EBX,ESI
014E22BB 33FA XOR EDI,EDX
014E22BD C1C3 05 ROL EBX,5
014E22C0 3358 60 XOR EBX,DWORD PTR DS:[EAX+60]
014E22C3 8BF1 MOV ESI,ECX
014E22C5 33F3 XOR ESI,EBX
014E22C7 33FB XOR EDI,EBX
014E22C9 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
014E22CC 0BF7 OR ESI,EDI
014E22CE 3370 68 XOR ESI,DWORD PTR DS:[EAX+68]

37. 37ISACA VENICE Chapter
Case Studies – Ursnif malware (4/5)
DATA ENCRYPTION
▪ Try to understand that amount of code is very difficult if you don’t
have at least one hint on which type of algorithm is used
➢ You can try to identify it, e.g. by using YARA rules
❖ https://github.com/Yara-Rules/rules/blob/master/crypto.yar
▪ Emulate the code with a CPU Emulator
http://www.unicorn-engine.org/ https://github.com/buffer/pylibemu
07/10/2015

38. 38ISACA VENICE Chapter
Case Studies – Ursnif malware (5/5)
DATA ENCRYPTION
▪ By using the Unicorn engine we are able, with a “simple” python
script, to encrypt arbitrary data
# Initialize emulator
mu = Uc(UC_ARCH_X86, UC_MODE_32)
# map 2MB of memory for this emulation
CODE_BASE = 0x01000000
CODE_SIZE = 128 * 128
mu.mem_map(CODE_BASE, CODE_SIZE)
mu.mem_write(CODE_BASE, encrypt_data_code)
# Map the key value
KEY_MEM_SIZE = 1 * 128 * 128
KEY_MEM_BASE = 0x06000000
mu.mem_map(KEY_MEM_BASE, KEY_MEM_SIZE)
mu.mem_write(KEY_MEM_BASE + 0x100, used_key)
mu.reg_write(X86_REG_EAX, KEY_MEM_BASE + 0x100)
# Map the plaintext value
PLAINTEXT_MEM_BASE = 0x04000000
PLAINTEXT_MEM_SIZE = 1 * 128 * 128
mu.mem_map(PLAINTEXT_MEM_BASE, PLAINTEXT_MEM_SIZE)
mu.mem_write(PLAINTEXT_MEM_BASE, plaintex_string)
mu.reg_write(X86_REG_ECX, PLAINTEXT_MEM_BASE)
# Map the encrypted result memory
RESULT_MEM_BASE = 0x02000000
RESULT_MEM_SIZE = 1 * 128 * 128
mu.mem_map(RESULT_MEM_BASE, RESULT_MEM_SIZE)
# set-up stack memory
STACK_SIZE = 1 * 128 * 128
STACK_BASE = 0x7FFF0000
mu.mem_map(STACK_BASE, STACK_SIZE)
mu.reg_write(X86_REG_EBP, STACK_BASE + 0x1000)
mu.reg_write(X86_REG_ESP, STACK_BASE + 0x100)
mu.mem_write(STACK_BASE + 0x100 + 4, b"x00x00x00x02")
try:
mu.emu_start(CODE_BASE, CODE_BASE +
len(encrypt_data_code))
# read the result
result_mem = mu.mem_read(0x02000000, 0x10)
# read updated key
result_key = mu.mem_read(KEY_MEM_BASE + 0x100,
len(used_key))
except UcError as e:
print("ERROR: %s" % e)
return result_mem, result_key
07/10/2015

39. 39ISACA VENICE Chapter
Q&A?
07/10/2015