Technical Workshop - Win32/Georbot Analysis

•

1 like•818 views

This document summarizes a technical workshop on analyzing the Win32/Georbot malware. The workshop covers obfuscation techniques used like data obfuscation, control flow obfuscation and API call obfuscation. It also analyzes the malware's command and control protocol and discusses how to deobfuscate and better understand the malware using IDA Python and debugging tools. The objectives are to gain hands-on experience analyzing an actual malware sample and understand common obfuscation and persistence techniques seen in the wild.

Technology

Technical Workshop - Win32/Georbot Analysis

Introduction

• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends

Labs’ Objectives

• Gain hands-on knowledge on malware analysis
• Obfuscation
• Persistence
• C&C traffic
• This case is *NOT* cutting edge but a good summary of common
things we see nowadays

Win32/Georbot

• One of our analyst reported an interesting string in a binary
(.gov.ge)
• Started investigation, we thought it was time sensitive and involved
3 guys for 3 days.
• Interesting feature
• Document stealing
• Audio / Video capture
• Etc

Win32/Georbot

• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques

Workshop Outline

1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol

Tools Required

1. IDA 6.x (you can use the demo)
2. Python interpreter w/ some modules for web server
3. Immunity Debugger / Olly Debugger

IDA Python

• Automate repetitive tasks in IDA
• Read data (Byte, Word, Dword, etc)
• Change data (PatchByte, PatchWord, PatchDword, etc)
• Add comments (MakeComm)
• Add cross references
• User interaction
• Etc.

Data Obfuscation

• Where’s all my data?!
• Debug the malware (in a controlled environment), do you see
something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand obfuscation
• Implement deobfuscation with IDA Python

Control Flow Obfuscation

• Identify common obfuscation patterns
• Find a straight forward replacement
• Implement substitutions with IDA Python
• Reanalyze program, does it look better?

Control Flow Obfuscation

Obfuscated Deobfuscated
push <addr>; ret Jmp <addr>
Push <addr> Call <addr> (will return to addr)
jmp <addr>

API Call Obfuscation

• Where are all my API calls?
• Find and understand hashing function
• Brute force API calls and add comments to IDB using IDA Python

Let’s understand what’s going on!

• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?

Additional work

• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
• Kill the process
• Remove persistence
• At what time interval does the malware probe its C&C server?

0x403AFD - cpuid

http://en.wikipedia.org/wiki/CPUID

C&C Protocol Analysis

• What’s the chain of event in the communication
• What is the information provided by the bot
• What type of answer is the bot expecting?
• What are the different actions?

C&C Commands

0A029h ; find
1675h ; dir
0A8FEh ; load?
22C4C1h ; upload
42985 ; main?
0A866h ; list?
1175972831 ; upload_dir
9C9Ch ; ddos
0B01Dh ; scan
47154 ; word
2269271 ; system
9FCCh ; dump
310946 ; photo
440F6h 18FEh ; rdp
4F5BBh ; video
3D0BD7C6h ; screenshot
741334016 ; password
0DA8B3Ch ; history

FALLBCK.com

• What is this DNS query?
• What can we do with it?

GUID

• What is at 0x0040A03D, how is it used in program?

Conclusions

• The set of questions to answer is often similar.
• Don’t focus on details, remember your objective, its easy to get lost.
• A mix of dynamic and static analysis is often the best solution for
quick understanding of a new malware family.

Jugal Parikh, Microsoft Holly Stewart, Microsoft Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes. In this talk, we’ll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, we’ll describe suspected tampering activity we’ve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.

Live in the ATM Trenches

Kaspersky

In 2016 Kaspersky Lab employees participated in incident response cases that took place in dozens of financial institutions around the globe. In most cases we had to provide forensics analysis of ATMs. When Carbanak attack details were announced at #TheSAS2015, criminals also found this information useful. Other criminal groups eagerly adopted the same TTPs. Banks started to suffer from attacks on ATMs including both, malware and physical access. These are: • Direct attacks on the peripherals and low-level hardware protocols • Hacker movie-style hardware drops in bank offices • Carbanak-like software attacks on ATM software layer • Bluetooth HID dongles implanted in ATMs instead of black boxes We will provide details about each of these cases and present a cheap and simple hardware design that (when applied with a bit of physical labor) can empty one of the most popular ATM models in the world. https://sas.kaspersky.com

Automatic tool for static analysis

Chong-Kuan Chen

This document discusses tools for static analysis of files, including ClamAV and YARA. ClamAV is an open-source antivirus engine that uses signatures to detect malware. Signatures can include strings, hashes, and byte patterns. YARA allows for more flexible identification of malware through rules that can detect strings, regular expressions, and byte patterns. Examples of ClamAV and YARA signatures are provided.

Spo2 t19 spo2-t19

SelectedPresentations

This document summarizes an expert talk on advanced malware detection techniques. It discusses how malware exploits constraints on analysis time and memory space to evade detection. Current detection methods are outlined along with ways malware bypass them, such as packing, obfuscation, and anti-analysis techniques. The talk then presents novel detection techniques such as detecting internal data structure modifications, subverting malware attempts to enumerate security processes, tapping browsers to detect obfuscated drive-by downloads, and preemptively subverting analysis machines to detect anti-VM techniques. Future directions discussed include using machine learning to detect internal threats based on behavioral profiles.

Analisis Estatico y de Comportamiento de un Binario Malicioso

Conferencias FIST

This document summarizes a presentation on analyzing malware binaries through static and behavioral analysis. The presentation covers setting up a lab with virtual machines, performing static analysis to extract metadata and strings from the binary, and behavioral analysis by monitoring the malware's processes, connections, and registry activities when run in a virtual machine. It emphasizes comparing results with others and fully categorizing findings from static analysis, and provides examples of tools used for behavioral analysis on Windows and Linux systems.

PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...

CODE BLUE

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Priyanka Aash

This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.

Malware analysis

xabean

This document discusses malware analysis collaboration and automation. It describes setting up a virtualized malware analysis environment using QEMU/KVM with light-weight, copy-on-write disk clones for consistency and efficiency. It also covers automating tasks like provisioning new virtual machines, inserting and extracting files from guests, and capturing and replaying virtual machine sessions for collaborative training.

Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period. The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations. The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods. This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.

Fantastic Red Team Attacks and How to Find Them

Ross Wolf

Presented at Black Hat 2019 https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540 Casey Smith (Red Canary) Ross Wolf (Endgame) bit.ly/fantastic19 Abstract: Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible. This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events. Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Priyanka Aash

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

BlueHat v18 || Linear time shellcode detection using state machines and opera...

BlueHat Security Conference

Aditya Joshi, Microsoft Abhishek Singh, Microsoft Shellcode detection is critical in the identification of persistent threats. Attackers employ them in exploitation, post-exploitation toolkits and macro-based malware routinely to evade detection. Our research also shows that shellcode in the wild are evolving to defeat many of the static analysis techniques employed to detect them. We will present a fast, platform agnostic approach (Windows/Linux) that been successful in detecting many real world shellcode compromises as part of the ASC Fileless attack feature (Process Investigator). Our approach employs state machines, virtual stack/register representation and operand expression heuristics to identify suspicious machine code patterns in milliseconds. We identify the basic heuristics that are commonly employed in shellcode. This allows us to be more robust against attackers that constantly evolve to thwart pure signature or byte stream sequence based approaches. Each instruction is passed to a series of activation functions that look for platform specific patterns generally needed in Stage 1 shellcode. As we process the stream of instructions we scan for hashing loops, in-segment/out-segment calls/jumps, current instruction pointer determination, system calls, locating system data structures, anti-debugging and anti-hooking behaviors in the machine code. We then correlate these findings to give a maliciousness score. We will deep dive into the concepts and demo obfuscated shellcodes.

Metasploit Framework Executable Encoding

technology_flow

Building next gen malware behavioural analysis environment

isc2-hellenic

This document discusses building an automated malware behavioral analysis environment. It covers types of malware analysis, taxonomy of analysis platforms, analysis phases and checks, and evaluation strategies. Static and dynamic automated analysis are described as well as their pros, cons, and limitations. The analysis phases of submission, analysis, and reporting are outlined. Key challenges like modularity, fingerprinting, stalling, social engineering, and decoys are examined. Examples of analysis platforms and tools are provided.

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli

Priyanka Aash

The document discusses techniques for bypassing security controls and gaining persistent access to a secured remote desktop server. It proposes infecting a client's workstation, stealing RDP credentials, and using various tools to bypass firewalls, application whitelisting, and other defenses in order to install malware and establish command and control of the target server. Specific bypass methods involve abusing Microsoft Word macros, exploiting Windows services, installing kernel drivers, and manipulating TCP source ports. The presentation demonstrates new attack tools and methods for pentesters and warns blue teams of challenges in detecting such advanced intrusions.

Network Forensics and Practical Packet Analysis

Priyanka Aash

Malware analysis

Prakashchand Suthar

- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment. - Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers. - To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh

The Hunter Games: How to Find the Adversary with Event Query Language

Ross Wolf

Circle City Con 2019 and BSides SATX 2019 Abstract: How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic. In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.

CheckPlease: Payload-Agnostic Targeted Malware

Brandon Arvanaghi

CheckPlease is a tool that provides payload-agnostic checks to determine if malware is running in a targeted environment or sandbox. It evolved from signatures to behavioral detection as malware changed languages and used obfuscation. CheckPlease implements over 70 checks across multiple languages to validate processes, user behavior, system metadata and environment matches the target before executing malicious code. The presenters demonstrate various checks and encourage integrating CheckPlease with frameworks like Veil to automatically generate targeted malware payloads.

C Cpres

ramya5a

The document discusses network protocol analysis, including defining a protocol as rules determining data format and transmission. It describes network protocol analysis as decoding protocol headers and trailers to analyze network problems, detect intrusions, monitor usage, and gather statistics. The document lists potential users as programmers, network administrators, company managers, parents, and website owners wanting to monitor employee internet usage. It provides an overview of IP and TCP packet structures.

Chapter 8 security tools ii

Syaiful Ahdan

This document provides a summary of 47 different security tools, including their main purposes and capabilities. It covers tools for tasks like system monitoring (ProcessExplorer, Autoruns), network scanning (Nmap, Nessus, Retina), password cracking (L0phtcrack, John the Ripper), packet analysis (Wireshark, TCPDump), vulnerability assessment (Nessus, WebInspect), and more. Many of the tools are open source while others like Core Impact are commercial products. The document serves as a reference guide for penetration testers and security researchers.

Basic Malware Analysis

Albert Hui

This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.

Static code analysis

Rune Sundling

Static code analysis involves using tools to analyze source code for potential issues. It can find bugs, code quality issues, and other problems but is not a replacement for testing. Several experts note that combining static analysis, inspections, and testing leads to better defect removal than only using testing. Common static analysis tools include FxCop, StyleCop, ReSharper, and NDepend. Integrating static analysis into the development process can provide benefits but obstacles like resources and unrealistic expectations must be addressed.

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac

Priyanka Aash

During the past year IR teams and security researchers around the world witnessed a rise in the use of legitimate tools and common scripts in malware and APT attacks. This talk will explore the presenters’ research that focused on automating the analysis of PowerShell and Macro/VBA/VBS attacks by building a heuristic-based compiler engine that determines whether a script is malicious or not. (Source: RSA Conference USA 2017)

The Future of Automated Malware Generation

Stephan Chenette

The document discusses the current and future states of automated malware generation and malware defense techniques. It describes how malware distribution networks currently work and trends showing rising malware samples. The future of malware defense is proposed to apply more machine learning and statistical techniques to model malware behaviors and attributes in order to handle growing sample volumes. This would involve training machine learning classifiers on features identified by human experts to classify and cluster malware more effectively.

Red Team Methodology - A Naked Look

Jason Lang

The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.

андрей дугинPositive Hack Days

Sms bankPositive Hack Days

PhdaysPositive Hack Days

как разработать защищенное веб приложение и не сойти с ума. владимир кочетковPositive Hack Days