Win32/Flamer: Reverse Engineering and
      Framework Reconstruction


    Aleksandr Matrosov
    Eugene Rodionov
Outline of The Presentation

• Typical malware vs. Stuxnet/Flame
   - What's the difference?

• Flamer code reconstruction problems
   - C++ code reconstruction
   - Library code identification

• Flamer framework overview

• Object oriented code reconstruction

• Relationship Stuxnet/Duqu/Flamer
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?

Typical malware                          Stuxnet/Flame …
• Different motivation, budget …         • Different motivation, budget …
• Use 1-days for distribution            • Use 0-days for distribution
• Anti-stealth for bypassing AV          • Anti-stealth for bypassing all sec soft
• Stealth timing: months                 • Stealth timing: years
• Developed in C or C++ in C style       • Tons of C++ code with OOP
• Simple architecture for plugins        • Industrial OO framework platform
• Traditional ways for obfuscation:      • Other ways of code obfuscation:
   - packers                                - tons of embedded static code
   - polymorphic code                       - specific compilers/options
   - vm-based protection                    - object oriented wrappers for typical OS utilities
   - …
Stuxnet/Duqu/Flamer/Gauss Appearance

Code Complexity Growth
[Figure: code complexity growth across Gauss, miniFlamer, Stuxnet, Duqu, Flamer]
C++ Code REconstruction
       Problems
C++ Code Reconstruction Problems
• Object identification
   - Type reconstruction

• Class layout reconstruction
   - Identify constructors/destructors
   - Identify class members
   - Local/global type reconstruction
   - Associate object with exact method calls

• RTTI reconstruction
   - Vftable reconstruction
   - Associate vftable object with exact object
   - Class hierarchy reconstruction
C++ Code Reconstruction Problems

  Class A          A::vfTable          RTTI Object Locator
    vfPtr            meta                signature
    a1()             A::a1()             pTypeDescriptor
    a2()             A::a2()             pClassDescriptor
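
The chain in the diagram above (vfPtr, the "meta" slot in front of the vftable, the RTTI Object Locator, the type descriptor) can be followed mechanically to label a vftable with its class name. The code below is an added example, not code from the presentation: it assumes the 32-bit MSVC RTTI layout, and the image bytes, the load address and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x00400000u       /* assumed load address of the constructed image */

/* Field offsets in the 32-bit MSVC RTTI structures */
#define COL_SIGNATURE         0      /* RTTI Object Locator: 0 in x86 images */
#define COL_PTYPEDESCRIPTOR  12
#define COL_PCLASSDESCRIPTOR 16
#define TD_NAME               8      /* TypeDescriptor: decorated class name */

static void write_u32(uint8_t *img, uint32_t off, uint32_t v)
{
    img[off]     = (uint8_t)v;         img[off + 1] = (uint8_t)(v >> 8);
    img[off + 2] = (uint8_t)(v >> 16); img[off + 3] = (uint8_t)(v >> 24);
}

/* Bounds-checked little-endian read of a 32-bit value at a virtual address. */
static int read_u32(const uint8_t *img, size_t size, uint32_t va, uint32_t *out)
{
    uint32_t off;
    if (va < IMAGE_BASE) return -1;
    off = va - IMAGE_BASE;
    if (off > size || size - off < 4) return -1;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 0;
}

/* Constructed sample: class A with two virtual methods.
 * Returns the virtual address of A::vfTable (0 if the buffer is too small). */
uint32_t build_sample_image(uint8_t *img, size_t size)
{
    if (size < 0x1000) return 0;
    memset(img, 0, size);
    memcpy(img + 0x100 + TD_NAME, ".?AVA@@", 8);                  /* type descriptor name */
    write_u32(img, 0x200 + COL_SIGNATURE, 0);                     /* object locator */
    write_u32(img, 0x200 + COL_PTYPEDESCRIPTOR, IMAGE_BASE + 0x100);
    write_u32(img, 0x200 + COL_PCLASSDESCRIPTOR, IMAGE_BASE + 0x300);
    write_u32(img, 0x400, IMAGE_BASE + 0x200);                    /* "meta" slot: vftable[-1] */
    write_u32(img, 0x404, IMAGE_BASE + 0x800);                    /* A::a1() */
    write_u32(img, 0x408, IMAGE_BASE + 0x840);                    /* A::a2() */
    return IMAGE_BASE + 0x404;
}

/* Follow vftable[-1] -> RTTI Object Locator -> pTypeDescriptor -> name.
 * Returns 0 on success, -1 bad vftable address, -2 bad locator, -3 bad name. */
int rtti_class_name(const uint8_t *img, size_t size, uint32_t vftable_va,
                    char *name, size_t name_len)
{
    uint32_t col, sig, td, name_va;
    size_t off, i;

    if (name_len == 0) return -1;
    if (vftable_va < 4 || read_u32(img, size, vftable_va - 4, &col)) return -1;
    if (read_u32(img, size, col + COL_SIGNATURE, &sig) || sig != 0) return -2;
    if (read_u32(img, size, col + COL_PTYPEDESCRIPTOR, &td)) return -2;

    name_va = td + TD_NAME;
    if (name_va < IMAGE_BASE) return -3;
    off = name_va - IMAGE_BASE;
    for (i = 0; i + 1 < name_len; i++) {
        if (off + i >= size) return -3;          /* string runs off the image */
        if (img[off + i] == 0) break;
        name[i] = (char)img[off + i];
    }
    name[i] = '\0';
    /* Decorated class/struct names start with ".?AV" / ".?AU" */
    return strncmp(name, ".?A", 3) == 0 ? 0 : -3;
}

int main(void)
{
    uint8_t img[0x1000];
    char name[64];
    uint32_t vft = build_sample_image(img, sizeof img);
    if (rtti_class_name(img, sizeof img, vft, name, sizeof name) == 0)
        printf("vftable %08x belongs to %s\n", (unsigned)vft, name);
    return 0;
}
```

A candidate address that fails the signature or name check is most likely not a vftable with RTTI, which is the usual filter when scanning a data section for vftables.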
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Objects Constructors
Library code identification
         problems
Library Code Identification Problems

• Compiler optimization

• Wrappers for WinAPI calls

• Embedded library code
   - Library version identification problem

• IDA signatures use syntax-based detection methods
   - Recompiled libraries problem
   - Compiler optimization problem
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi Functionality Is Stored in Kernel Mode

  user-mode:
      Win32/Festi Dropper
          | Install kernel-mode driver
          v
  kernel-mode:
      Win32/Festi kernel-mode driver
          | Download plugins
          v
      Win32/Festi Plugin 1    Win32/Festi Plugin 2    ...    Win32/Festi Plugin N
Festi: Architecture

  Win32/Festi Plugin Manager    Win32/Festi C&C Protocol Parser    Win32/Festi Network Socket

                                Win32/Festi Memory Manager
Festi: Plugin Interface

  Array of pointers to plugins
    Plugin1  ->  Plugin 1: struct PLUGIN_INTERFACE
    Plugin2  ->  Plugin 2: struct PLUGIN_INTERFACE
    Plugin3  ->  Plugin 3: struct PLUGIN_INTERFACE
    ...
    PluginN  ->  Plugin N: struct PLUGIN_INTERFACE
Festi: Plugins

• Festi plugins are volatile modules in kernel-mode address space:
   - downloaded each time the bot is activated
   - never stored on the hard drive

• The plugins are capable of:
   - sending spam – BotSpam.dll
   - performing DDoS attacks – BotDoS.dll
   - providing proxy service – BotSocks.dll
Flamer Framework Overview
An overview of the Flamer Framework
The main types used in Flamer Framework are:
• Command Executors – objects exposing an interface that allows
  the malware to dispatch commands received from C&C servers

• Tasks – objects of this type represent tasks executed in
  separate threads, which constitute the backbone of the main
  module of Flamer

• Consumers – objects which are triggered on specific events
  (creation of a new module, insertion of removable media, etc.)

• Delayed Tasks – these objects represent tasks which are executed
  periodically with a certain delay.
An overview of the Flamer Framework

Vector<Consumer>:          Mobile Consumer, Cmd Consumer, Lua Consumer, Media Consumer
Vector<Command Executor>:  DB_Query, ClanCmd, FileCollect, Driller, GetConfig
Vector<Task>:              IDLER, CmdExec, Sniffer, Munch, FileFinder
Vector<DelayedTasks>:      Euphoria, Share Supplier, LSS Sender, Frog, Beetlejuice
Some of Flamer Framework Components

Security     Identifying processes in the system corresponding to
             security software: antiviruses, HIPS, firewalls, system
             information utilities, etc.
Microbe      Leverages voice recording capabilities of the system
Idler        Running tasks in the background
BeetleJuice  Utilizes Bluetooth facilities of the system
Telemetry    Logging of all the events
Gator        Communicating with C&C servers
Flamer SQLite Database Schema
REconstructing Flamer Framework
Data Types Being Used

• Smart pointers

• Strings

• Vectors to maintain the objects

• Custom data types: wrappers, tasks, triggers, etc.
Data Types Being Used: Smart pointers
typedef struct SMART_PTR
{
   void     *pObject;    // pointer to the object
   int      *RefNo;      // pointer to the reference counter
} SMART_PTR;
Data Types Being Used: Strings
struct USTRING_STRUCT
{
   void *vTable;             // pointer to the table
   int RefNo;                // reference counter
   int Initialized;
   wchar_t *UnicodeBuffer;   // pointer to unicode string
   char *AsciiBuffer;        // pointer to ASCII string
   int AsciiLength;          // length of the ASCII string
   int Reserved;
   int Length;               // Length of unicode string
   int LengthMax;            // Size of UnicodeBuffer
};
Data Types Being Used: Vectors
struct VECTOR
{
  void *vTable;         //   pointer to the table
  int NumberOfItems;    //   self-explanatory
  int MaxSize;          //   self-explanatory
  void *vector;         //   pointer to buffer with elements
};

• Used to handle the objects:
   - tasks
   - triggers
   - etc.
Using Hex-Rays Decompiler

• Identifying constructors/destructors
   - Usually follow memory allocation
   - The pointer to object is passed in ecx (sometimes in other registers)

• Reconstructing object’s attributes
   - Creating custom type in “Local Types” for an object

• Analyzing object’s methods
   - Creating custom type in “Local Types” for a table of virtual routines
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
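
What applying the two "Local Types" buys the analyst, as an added example that is not code from the presentation or from Flamer: the same virtual call written the way it looks before any type is applied (raw slot offset on an untyped pointer) and after an object type and a vtable type exist. TASK, TASK_VTABLE, the method names and the assumption that the VECTOR buffer holds SMART_PTR elements are hypothetical; SMART_PTR and VECTOR follow the layouts shown on the slides.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layouts taken from the slides */
typedef struct SMART_PTR { void *pObject; int *RefNo; } SMART_PTR;
struct VECTOR { void *vTable; int NumberOfItems; int MaxSize; void *vector; };

/* Hypothetical recovered types: one for the table of virtual routines,
 * one for the object itself. */
typedef int (*method_t)(void *self);
struct TASK_VTABLE { method_t Destroy; method_t Run; method_t GetId; };
struct TASK { const struct TASK_VTABLE *vTable; int id; int runs; };

/* Stand-in method bodies so the example can run */
static int task_destroy(void *self) { ((struct TASK *)self)->runs = -1; return 0; }
static int task_run(void *self)     { return ++((struct TASK *)self)->runs; }
static int task_get_id(void *self)  { return ((struct TASK *)self)->id; }
static const struct TASK_VTABLE g_task_vtable = { task_destroy, task_run, task_get_id };

/* Before types are applied: the object is an opaque pointer, its first field
 * is read as the vtable address, and the method is "slot N" at a byte offset.
 * memcpy stands in for the decompiler's cast-and-dereference. */
int call_slot_untyped(void *obj, size_t slot)
{
    const char *vtbl;
    method_t fn;
    memcpy(&vtbl, obj, sizeof vtbl);
    memcpy(&fn, vtbl + slot * sizeof fn, sizeof fn);
    return fn(obj);
}

/* After types are applied: the same call names the object type and the method. */
int task_get_id_typed(struct TASK *t)
{
    return t->vTable->GetId(t);
}

/* Walk a VECTOR whose buffer is assumed to hold SMART_PTR elements and
 * invoke Run on every task; returns the sum of the values Run returned. */
int run_all_tasks(const struct VECTOR *v)
{
    const SMART_PTR *items = (const SMART_PTR *)v->vector;
    int total = 0;
    for (int i = 0; i < v->NumberOfItems; i++) {
        struct TASK *t = (struct TASK *)items[i].pObject;
        if (t && t->vTable)
            total += t->vTable->Run(t);
    }
    return total;
}

int main(void)
{
    int ref_a = 1, ref_b = 1;
    struct TASK a = { &g_task_vtable, 7, 0 };
    struct TASK b = { &g_task_vtable, 9, 0 };
    SMART_PTR items[2] = { { &a, &ref_a }, { &b, &ref_b } };
    struct VECTOR v = { NULL, 2, 2, items };

    printf("untyped slot 2 -> %d\n", call_slot_untyped(&a, 2));
    printf("typed GetId    -> %d\n", task_get_id_typed(&a));
    printf("Run over vector -> %d\n", run_all_tasks(&v));
    return 0;
}
```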
DEMO
Relationship
Stuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations

                             Stuxnet   Duqu   Flame   Gauss
MS10-046 (LNK)                  x               x       x
MS10-061 (Print Spooler)        x               x
MS08-067 (RPC)                  x               x
MS10-073 (Win32k.sys)           x
MS10-092 (Task Scheduler)       x
MS11-087 (Win32k.sys)                    x
Exploit Implementations: Stuxnet & Duqu
• The payload is injected into processes from both kernel-mode
  driver & user-mode module

• Hooks:
   - ZwMapViewOfSection
   - ZwCreateSection
   - ZwOpenFile
   - ZwClose
   - ZwQueryAttributesFile
   - ZwQuerySection

• Executes LoadLibraryW passing as a parameter either:
   - KERNEL32.DLL.ASLR.XXXXXXXX
   - SHELL32.DLL.ASLR.XXXXXXXX
Injection mechanism: Flame
• The payload is injected into processes from user-mode
  module

• The injection technique is based on using:
   - VirtualAllocEx
   - WriteProcessMemory / ReadProcessMemory
   - CreateRemoteThread / RtlCreateUserThread

• The injected module is disguised as shell32.dll

• Hooks the entry point of msvcrt.dll by modifying PEB
Exploit Implementations: Gauss

• The payload is injected into processes from user-mode
  module
Thank you for your attention!



Eugene Rodionov         Aleksandr Matrosov
rodionov@eset.sk        matrosov@eset.sk
@vxradius               @matrosov

Instructions for Submissions thorugh G- Classroom.pptx
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 

Win32/Flamer: Reverse Engineering and Framework Reconstruction

  • 1. Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation
      - Typical malware vs. Stuxnet/Flame
          - What's the difference?
      - Flamer code reconstruction problems
          - C++ code reconstruction
          - Library code identification
      - Flamer framework overview
      - Object oriented code reconstruction
      - Relationship Stuxnet/Duqu/Flamer
  • 3. Typical Malware vs. Stuxnet/Flamer
  • 5. What’s the Difference?
      Typical malware:
      - Different motivation, budget …
      - Use 1-days for distribution
      - Anti-stealth for bypassing AV
      - Stealth timing: months
      - Developed in C or C++ in C style
      - Simple architecture for plugins
      - Traditional ways for obfuscation:
          - packers
          - polymorphic code
          - vm-based protection
          - …
      Stuxnet/Flame …:
      - Different motivation, budget …
      - Use 0-days for distribution
      - Anti-stealth for bypassing all sec soft
      - Stealth timing: years
      - Tons of C++ code with OOP
      - Industrial OO framework platform
      - Other ways of code obfuscation:
          - tons of embedded static code
          - specific compilers/options
          - object oriented wrappers for typical OS utilities
  • 7. Code Complexity Growth
      [Chart labels: Gauss, miniFlamer, Stuxnet, Duqu, Flamer]
  • 10. C++ Code Reconstruction Problems
      - Object identification
          - Type reconstruction
      - Class layout reconstruction
          - Identify constructors/destructors
          - Identify class members
          - Local/global type reconstruction
          - Associate object with exact method calls
      - RTTI reconstruction
          - Vftable reconstruction
          - Associate vftable object with exact object
          - Class hierarchy reconstruction
  • 11. C++ Code Reconstruction Problems
      [Diagram: Class A (vfPtr, a1(), a2()); A::vfTable (meta, A::a1(), A::a2()); RTTI Object Locator (signature, pTypeDescriptor, pClassDescriptor)]
  • 14. Identify Exact Virtual Function Call in vtable
  • 17. Identify Custom Type Operations
  • 21. Library Code Identification Problems
      - Compiler optimization
      - Wrappers for WinAPI calls
      - Embedded library code
      - Library version identification problem
      - IDA signatures use syntax-based detection methods
      - Recompiled libraries problem
      - Compiler optimization problem
  • 23. Object Oriented API Wrappers and Implicit Calls
  • 26. Festi: OOP in kernel-mode
  • 27. Main Festi Functionality Stored in Kernel Mode
      [Diagram: in user mode, the Win32/Festi Dropper installs the kernel-mode driver; in kernel mode, the Win32/Festi kernel-mode driver downloads plugins: Win32/Festi Plugin 1, Win32/Festi Plugin 2, ..., Win32/Festi Plugin N]
  • 29. Festi: Architecture
      [Diagram components: Win32/Festi C&C Protocol Parser, Win32/Festi Plugin Manager, Win32/Festi Network Socket, Win32/Festi Memory Manager]
  • 30. Festi: Plugin Interface
      [Diagram: array of pointers to plugins (Plugin 1, Plugin 2, Plugin 3, ..., Plugin N), each entry pointing to that plugin's struct PLUGIN_INTERFACE]
  • 31. Festi: Plugins
      - Festi plugins are volatile modules in kernel-mode address space:
          - downloaded each time the bot is activated
          - never stored on the hard drive
      - The plugins are capable of:
          - sending spam (BotSpam.dll)
          - performing DDoS attacks (BotDoS.dll)
          - providing proxy service (BotSocks.dll)
  • 33. An overview of the Flamer Framework
      The main types used in Flamer Framework are:
      - Command Executers: objects exposing an interface that allows the malware to dispatch commands received from C&C servers
      - Tasks: objects of this type represent tasks executed in separate threads, which constitute the backbone of the main module of Flamer
      - Consumers: objects which are triggered on specific events (creation of a new module, insertion of removable media, etc.)
      - Delayed Tasks: objects representing tasks which are executed periodically with a certain delay
  • 34. An overview of the Flamer Framework
      [Diagram labels: Vector<Consumer>, Vector<Command Executor>, DB_Query, ClanCmd, FileCollect, Driller, GetConfig, Mobile Consumer, Cmd Consumer, Vector<Task>, IDLER, CmdExec, Sniffer, Munch, FileFinder, Lua Consumer, Vector<DelayedTasks>, Media Consumer, Share, LSS, Euphoria, Frog, Beetlejuice, Supplier, Sender]
  • 35. Some of Flamer Framework Components
      - Security: identifying processes in the system corresponding to security software: antiviruses, HIPS, firewalls, system information utilities, etc.
      - Microbe: leverages voice recording capabilities of the system
      - Idler: running tasks in the background
      - BeetleJuice: utilizes bluetooth facilities of the system
      - Telemetry: logging of all the events
      - Gator: communicating with C&C servers
  • 36. Flamer SQL Lite Database Schema
  • 39. Data Types Being Used
      - Smart pointers
      - Strings
      - Vectors to maintain the objects
      - Custom data types: wrappers, tasks, triggers, etc.
  • 40. Data Types Being Used: Smart pointers
      typedef struct SMART_PTR {
          void *pObject;   // pointer to the object
          int  *RefNo;     // reference counter
      } SMART_PTR;
  • 41. Data Types Being Used: Strings
      struct USTRING_STRUCT {
          void    *vTable;         // pointer to the table
          int      RefNo;          // reference counter
          int      Initialized;
          wchar_t *UnicodeBuffer;  // pointer to unicode string
          char    *AsciiBuffer;    // pointer to ASCII string
          int      AsciiLength;    // length of the ASCII string
          int      Reserved;
          int      Length;         // Length of unicode string
          int      LengthMax;      // Size of UnicodeBuffer
      };
  • 42. Data Types Being Used: Vectors
      struct VECTOR {
          void *vTable;         // pointer to the table
          int   NumberOfItems;  // self-explanatory
          int   MaxSize;        // self-explanatory
          void *vector;         // pointer to buffer with elements
      };
      - Used to handle the objects:
          - tasks
          - triggers
          - etc.
  • 43. Using Hex-Rays Decompiler
      - Identifying constructors/destructors
          - Usually follow memory allocation
          - The pointer to object is passed in ecx (sometimes in other registers)
      - Reconstructing object’s attributes
          - Creating custom type in “Local Types” for an object
      - Analyzing object’s methods
          - Creating custom type in “Local Types” for a table of virtual routines
  • 50. DEMO
  • 52. Source Code Base Differences
  • 53. Exploit Implementations
      Table columns: Stuxnet, Duqu, Flame, Gauss
      - MS10-046 (LNK): three entries
      - MS10-061 (Print Spooler): two entries
      - MS08-067 (RPC): two entries
      - MS10-073 (Win32k.sys)
      - MS10-092 (Task Scheduler)
      - MS11-087 (Win32k.sys)
  • 54. Exploit Implementations: Stuxnet & Duqu
      - The payload is injected into processes from both kernel-mode driver & user-mode module
      - Hooks:
          - ZwMapViewOfSection
          - ZwCreateSection
          - ZwOpenFile
          - ZwClose
          - ZwQueryAttributesFile
          - ZwQuerySection
      - Executes LoadLibraryW passing as a parameter either:
          - KERNEL32.DLL.ASLR.XXXXXXXX
          - SHELL32.DLL.ASLR.XXXXXXXX
  • 56. Injection mechanism: Flame
      - The payload is injected into processes from user-mode module
      - The injection technique is based on using:
          - VirtualAllocEx
          - WriteProcessMemory/ReadProcessMemory
          - CreateRemoteThread/RtlCreateUserThread
      - The injected module is disguised as shell32.dll
      - Hooks the entry point of msvcrt.dll by modifying PEB
  • 58. Exploit Implementations: Gauss
      - The payload is injected into processes from user-mode module
  • 60. Thank you for your attention!
      - Eugene Rodionov, rodionov@eset.sk, @vxradius
      - Aleksandr Matrosov, matrosov@eset.sk, @matrosov
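
Added example (not from the slides and not the authors' tooling): the walk that slides 10 and 11 describe, from a vftable's meta slot to the RTTI Object Locator and on to the class name, together with enumeration of the virtual method pointers. It assumes the 32-bit MSVC RTTI layout; the image bytes, BASE, TEXT and every function name below are constructed for illustration.

```python
import struct

BASE = 0x400000                    # constructed image base (assumption)
TEXT = (BASE, BASE + 0x80)         # constructed code range (assumption)

def build_image():
    """Constructed 32-bit image holding class A's RTTI data and vftable."""
    img = bytearray(0x200)
    name = b".?AVA@@\0"            # MSVC-decorated type name of class A
    img[0x80:0x88] = struct.pack("<2I", 0, 0)      # TypeDescriptor: pVFTable, spare
    img[0x88:0x88 + len(name)] = name              # TypeDescriptor: name[]
    # Object Locator: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor
    img[0xC0:0xD4] = struct.pack("<5I", 0, 0, 0, BASE + 0x80, BASE + 0xE0)
    # meta slot, A::a1, A::a2, then unrelated data that ends the table
    img[0x100:0x110] = struct.pack("<4I", BASE + 0xC0, BASE + 0x10,
                                   BASE + 0x20, 0xDEADBEEF)
    return bytes(img)

def u32(img, va):
    """Read a little-endian DWORD at a virtual address, bounds-checked."""
    off = va - BASE
    if not 0 <= off <= len(img) - 4:
        raise ValueError("address 0x%x outside image" % va)
    return struct.unpack_from("<I", img, off)[0]

def type_name(img, td_va):
    """Return TypeDescriptor.name, which follows two pointer-sized fields."""
    off = td_va + 8 - BASE
    end = img.find(b"\0", off, off + 256) if 0 <= off < len(img) else -1
    if end < 0 or not img[off:end].startswith(b".?A"):
        raise ValueError("no MSVC type name at 0x%x" % td_va)
    return img[off:end].decode("ascii")

def describe_vftable(img, vft_va):
    """Map a vftable address to its class name and its method pointers."""
    col = u32(img, vft_va - 4)                 # meta slot precedes the table
    if u32(img, col) != 0:                     # x86 locators use signature 0
        raise ValueError("unexpected locator signature")
    info = {"class": type_name(img, u32(img, col + 12)),
            "offset": u32(img, col + 4),       # vftable offset inside object
            "hierarchy": u32(img, col + 16),   # pClassDescriptor
            "methods": []}
    va = vft_va
    while TEXT[0] <= u32(img, va) < TEXT[1]:   # stop at first non-code pointer
        info["methods"].append(u32(img, va))
        va += 4
    return info
```

Calling describe_vftable(build_image(), BASE + 0x104) resolves the constructed table to class A and its two method slots; an address that is not the start of a vftable fails the locator or type-name checks instead of yielding a bogus class.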