A Bestiary of Ugly Malware
A non-scientific survey of current-day malicious software, as seen in the wild
Marion Marschalek | marion@0x1338.at | @pinkflawd
What malware is
- Software that steals your data
- Software that destroys your data
- Software that abuses your machine

What it looks like
- Windows PE executables / DLLs, written in C/C++, Delphi, .NET, Visual Basic or Java
- JavaScript
- Word macros
- PowerShell
- Shellcode or commands stored in the Windows Registry

Threat Detection and Classification Issues
- Packers and crypters
- Installers
- Binary formats
- Compilers and compiler settings
- Programming languages
- Coding habits
- Target platforms
Malware Nature
Static file properties, compared across three sample sets (benign, targeted, random):
- Benign EP section name
- Abnormal EP section
- Entropy too high / too low
- Use of TLS sections
- API calls / KB ratio
- Section count too low
- Imphash missing

Poking for Functionality
Percentage of samples in each set that show the functionality (the Random set is given in parentheses on the original slide):

Functionality                 Benign   Targeted   Random
Registry interaction          54%      55%        23%
File system interaction       61%      70%        34%
MS CryptoAPI                  5%       2%         <1%
Windows hooks                 5%       31%        6%
Windows image capture APIs    10%      33%        13%

Observations
- Drivers are somewhat likely to be legitimate
- Packed samples are somewhat likely to be malicious
- Non-packed files are not necessarily benign
- Targeted malware is more likely written in C++ than random malware
- Malicious files are unlikely to use UI APIs
- Targeted malware performs about as much Registry interaction as benign samples
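The file-property checks listed above (EP section name, EP section entropy, TLS directory, section count, missing import table / imphash) can be scripted against raw PE bytes without any third-party library. The following is an added example, not code from the talk or from any tool it mentions: a minimal PE32/PE32+ header reader, the heuristics as a list of flags, and a small builder that assembles two constructed (non-executable) test images, one that looks like a plain compiler-generated binary and one with a UPX-style layout. The entropy thresholds (7.0 / 1.0), the "fewer than 3 sections" cut-off and the set of expected code-section names are assumptions for illustration, not figures from the slides.

```python
import hashlib
import math
import struct
from collections import Counter

DIR_IMPORT, DIR_TLS = 1, 9                          # data directory indices (PE spec)
CODE_SECTIONS = {".text", "CODE", ".code", ".init", "INIT"}   # assumed "benign" EP names


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32/PE32+ reader: entry point RVA, data directories, section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", blob, coff + 2)          # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)     # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry,) = struct.unpack_from("<I", blob, opt + 16)         # AddressOfEntryPoint
    dd = opt + (112 if magic == 0x20B else 96)                  # PE32+ vs PE32 layout
    (ndirs,) = struct.unpack_from("<I", blob, dd - 4)           # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", blob, dd + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsz, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": rva,
                         "vsize": vsize, "data": blob[rawptr:rawptr + rawsz]})
    return {"entry": entry, "dirs": dirs, "sections": sections}


def ep_section(pe: dict):
    """Section whose virtual range covers the entry point, or None."""
    for s in pe["sections"]:
        if s["rva"] <= pe["entry"] < s["rva"] + max(s["vsize"], len(s["data"])):
            return s
    return None


def heuristics(blob: bytes, high=7.0, low=1.0, min_sections=3) -> list:
    """Return the red flags raised by the static properties discussed on the slide."""
    pe, flags = parse_pe(blob), []
    ep = ep_section(pe)
    if ep is None:
        flags.append("entry point outside every section")
    else:
        if ep["name"] not in CODE_SECTIONS:
            flags.append(f"entry point in non-standard section {ep['name']!r}")
        h = shannon_entropy(ep["data"])
        if h > high:
            flags.append(f"EP section entropy {h:.2f} too high (packed/encrypted?)")
        elif h < low:
            flags.append(f"EP section entropy {h:.2f} too low (stub/padding?)")
    if len(pe["sections"]) < min_sections:
        flags.append(f"section count too low ({len(pe['sections'])})")
    if len(pe["dirs"]) > DIR_TLS and pe["dirs"][DIR_TLS][0]:
        flags.append("TLS directory present (callbacks run before the entry point)")
    if len(pe["dirs"]) <= DIR_IMPORT or not pe["dirs"][DIR_IMPORT][0]:
        flags.append("no import table (imphash missing; APIs resolved at runtime?)")
    return flags


def build_pe(sections, entry_rva, tls_rva=0, import_rva=0, align=0x200) -> bytes:
    """Assemble a constructed, non-executable PE32 image for exercising the checks."""
    n, opt_size = len(sections), 224
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * n) // align) * align
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)   # i386, executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 92, 16)                                 # 16 data directories
    for idx, rva in ((DIR_IMPORT, import_rva), (DIR_TLS, tls_rva)):
        if rva:
            struct.pack_into("<II", opt, 96 + 8 * idx, rva, 0x20)
    hdrs, body, raw = b"", b"", hdr_len
    for name, data, rva in sections:
        size = -(-len(data) // align) * align
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            len(data), rva, size, raw, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        raw += size
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_len, b"\0") + body


# Constructed inputs: a repeated x86 prologue/epilogue stub stands in for real code,
# SHA-256 output stands in for a packed (high-entropy) section.
X86_STUB = bytes.fromhex("558bec83ec105356578b7d0833c0e8000000005f5e5bc9c3") * 40


def sample_clean() -> bytes:
    rdata = b"kernel32.dll\0CreateFileW\0RegOpenKeyExW\0" * 20
    return build_pe([(".text", X86_STUB, 0x1000), (".rdata", rdata, 0x2000),
                     (".data", bytes(64) + b"cfg=1\0", 0x3000)],
                    entry_rva=0x1010, import_rva=0x2000)


def sample_packed() -> bytes:
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return build_pe([("UPX0", b"", 0x1000), ("UPX1", noise, 0x5000), (".rsrc", bytes(32), 0x7000)],
                    entry_rva=0x5100, tls_rva=0x7000)
```

`heuristics(sample_clean())` returns an empty list, while the UPX-style image raises four flags at once (entry point in UPX1, high EP entropy, TLS directory, no import table). As the slide's own caveat says, this only sorts files into "worth a closer look" and "probably boring": non-packed files are not necessarily benign, so treat an empty flag list as absence of evidence, not as a verdict.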
Ransomware
- Enumerate files on disk or on the network
- Encrypt any or all of them
- Place a ransom note

Ransomware: GPCode
- Written in C
- Only 22 KB in size
- Packed with UPX
- Linear execution
- Enumerates and encrypts file shares

RATs
- Off-the-shelf malware, commercially available
- Primary use: targeted espionage
Peering inside a Commodity RAT: XtremeRAT
- All traits of standard malware
- Multiple packer layers
- Code injection into system processes for stealth
- Persistence methods are not outstanding
- Functionality is straightforward
- No code obfuscation
- Sniffs clipboard data: the keylogger window is registered as a clipboard viewer so that it receives WM_DRAWCLIPBOARD messages
- Downloads and executes binaries via HTTP
- Exfiltrates data via FTP
- Comes with a configuration file, encrypted with RC4, embedded in the .rsrc section
- Logs keystrokes through an invisible window by placing a global hook
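Recovering an RC4-encrypted configuration from a resource is a routine analyst task for this class of RAT: carve the resource blob, run RC4 with the key the sample uses, then parse the plaintext. The block below is an added example written for this page, not XtremeRAT's actual code, key or configuration format. It assumes the resource bytes have already been dumped from .rsrc, uses an assumed key (`CONFIG`), and decodes a hypothetical layout of length-prefixed UTF-16LE strings; the sample blob is constructed in the block by encrypting a made-up configuration with the same routine (RC4 is symmetric).

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + PRGA). Encrypting and decrypting are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical config layout for this example (NOT XtremeRAT's real format):
# a fixed sequence of fields, each a uint16 little-endian byte length followed by
# that many bytes of UTF-16LE text.
FIELDS = ("c2_host", "c2_port", "ftp_server", "ftp_user", "ftp_pass", "mutex")


def build_config(values) -> bytes:
    """Serialize field values into the hypothetical layout (used to build the sample)."""
    blob = b""
    for value in values:
        enc = value.encode("utf-16-le")
        blob += struct.pack("<H", len(enc)) + enc
    return blob


def parse_config(plain: bytes) -> dict:
    """Walk the decrypted blob and return a field-name -> string mapping."""
    cfg, pos = {}, 0
    for name in FIELDS:
        (length,) = struct.unpack_from("<H", plain, pos)
        pos += 2
        cfg[name] = plain[pos:pos + length].decode("utf-16-le")
        pos += length
    if pos != len(plain):
        raise ValueError("trailing bytes after last field: wrong key or layout?")
    return cfg


def extract_config(resource: bytes, key: bytes) -> dict:
    """Decrypt a carved resource blob and parse it."""
    return parse_config(rc4(key, resource))


# Constructed sample: an assumed key and a made-up configuration, encrypted here so
# that the block runs offline. Real samples would have this blob sitting in .rsrc.
SAMPLE_KEY = b"CONFIG"
SAMPLE_VALUES = ("c2.example.test", "443", "ftp.example.test", "upload", "hunter2", "XTR_MUTEX_01")
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, build_config(SAMPLE_VALUES))
```

With `extract_config(SAMPLE_RESOURCE, SAMPLE_KEY)` the decrypted C2 host, FTP credentials and mutex name come back as a dictionary; with a wrong key the length prefixes turn into garbage and the parser raises, which is a cheap sanity check to keep when brute-forcing candidate keys pulled from the binary's strings.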
The Beasts in the Bestiary
True Implants
- Compiled between 2007 and 2011
- (Somewhat likely) written in pure C
- Registers as an icon handler shell extension for .lnk files; "shell" in this case means the program manager
- Server registration sets up a COM server
- The objects being served perform the actual work
"You can write one in C if you really want to, although that's a violation of the Geneva Convention on Programmer's Rights in most jurisdictions." – Unknown Stack Overflow user

Sensitive Implants
- OS version detection
- Redundant code for different versions
- Fine-grained decision making during setup, for evasion
- Avoids keylogging, code injection and Registry interaction when certain security software is present

Execution flow
- Terminal Services notification
- Function arrays for execution-flow obfuscation
- Configuration data kept in queues
- Massive amount of global variables, critical sections, pipes, etc.
[Diagram: execution flow stepping through the function array from init via SETUP to TEARDOWN in increments of 3]
The dispatcher: search for the index specified by a global variable; load the respective init/handler functions; craft the arguments; call init, then the handler.

Kaspersky evasion: diffing
Comparison

                GPCode               XtremeRAT                     CheshireCat
Development     Cheap                Fair                          Expensive
Motivation      Profit oriented      Potentially profit oriented   Pretty sure not profit oriented
Stealth         Not at all stealthy  Trying                        Super stealthy
Code            C, < 100 KB, simple  C, < 100 KB, simple           C, < 100 KB, complex/careful
Packing         "Packed"             Packed!                       Not packed
Distribution    Manual placement     E-mail                        N/A
Threat Detection
File-based: file hashes, file fragments, file behavior, file properties
Environment-based: system behavior, network patterns, abnormal system behavior, abnormal network patterns
Reputation-based: known-bad, non-known-good, known-bad origin, non-known-good origin
Threat detection metrics are built heavily on known fragments, while aiming to find the largely unknown.

Taking Pattern Matching to the Next Level
- Threat evaluation vs. detection
- Dynamic patterns, packer detection, functionality detection
- Custom encryption algorithms / obfuscation
- Custom evasion, persistence
- APT research: binary similarity is nice, authorship similarity would be more interesting
- The trouble: the ratio of threat detection effort to threat development effort
Thank you! Marion Marschalek | marion@0x1338.at | @pinkflawd