A Bestiary of Ugly Malware: A non-scientific survey of current day malicious software (PowerPoint PPT Presentation)

  1. A Bestiary of Ugly Malware
     A non-scientific survey of current day malicious software, as seen in the wild
     Marion Marschalek | marion@0x1338.at | @pinkflawd

  2. Software that steals your data
     Software that destroys your data
     Software that abuses your machine
     - Windows PE executables / DLLs
     - C/C++, Delphi, .NET, VisualBasic, Java
     - Javascript
     - Word Macros
     - Powershell
     - Shellcode or commands in Windows Registry

  3. Threat Detection and Classification Issues
     - Packers and crypters
     - Installers
     - Binary formats
     - Compilers and compiler settings
     - Programming languages
     - Coding habits
     - Target platforms

  4. Malware Nature
     Sample sets compared: benign, targeted, random
     - EP section name abnormal
     - EP section entropy too high/low
     - Use of TLS sections
     - API calls / KB ratio
     - Section count too low
     - Imphash missing
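The static triage features listed on this slide (entry-point section name, entry-point section entropy, TLS directory use, section count) can be pulled straight from the PE32 headers without a PE library. This is an added example, not code from the talk: `build_pe32` constructs a minimal synthetic image so it runs offline, and the "normal" code-section names and the 1.0 to 7.0 entropy band are assumed triage thresholds, not figures from the slides.

```python
import math
import struct
OPT_ENTRY_POINT, OPT_DATADIR, TLS_DIR_INDEX, OPT_HDR32 = 16, 96, 9, 224   # IMAGE_OPTIONAL_HEADER32

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for a flat byte distribution."""
    n = len(data)
    probs = [data.count(bytes([v])) / n for v in set(data)]
    return -sum(p * math.log2(p) for p in probs) if n else 0.0

def pe_features(image):
    """Slide-4 triage features from a raw PE32 image: section count, EP section name/entropy, TLS."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]                    # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]                # NumberOfSections
    opt = pe + 24                                                    # optional header start
    shdrs = opt + struct.unpack_from("<H", image, pe + 20)[0]        # + SizeOfOptionalHeader
    ep = struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)[0]
    tls_rva, tls_size = struct.unpack_from("<II", image, opt + OPT_DATADIR + 8 * TLS_DIR_INDEX)
    ep_name = ep_entropy = None
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, shdrs + 40 * i)
        if va <= ep < va + max(vsize, rawsize):                      # entry point lands in this section
            ep_name = name.rstrip(b"\0").decode("latin-1")
            ep_entropy = shannon_entropy(image[rawptr:rawptr + rawsize])
    return {
        "section_count": nsec,
        "ep_section": ep_name,
        "ep_entropy": ep_entropy,
        "ep_section_abnormal": ep_name not in (".text", "CODE"),    # assumed normal names (MSVC, Delphi)
        "ep_entropy_suspicious": ep_entropy is not None and not 1.0 <= ep_entropy <= 7.0,  # assumed band
        "has_tls": bool(tls_rva and tls_size),
    }

def build_pe32(sections, ep_rva, tls=False):
    """Constructed minimal PE32 image for offline testing (not a real sample); sections = [(name, raw)]."""
    raw_ptr = (0x40 + 24 + OPT_HDR32 + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-aligned raw data
    opt = bytearray(OPT_HDR32)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, ep_rva)
    if tls:
        struct.pack_into("<II", opt, OPT_DATADIR + 8 * TLS_DIR_INDEX, 0x3000, 24)
    image = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0")
    image += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR32, 0x102) + opt
    blobs, va = b"", 0x1000
    for name, data in sections:                                      # one 4 KiB page per section
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, len(data),
                             raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs, va = blobs + data, va + 0x1000
    return bytes(image.ljust(raw_ptr, b"\0") + blobs)
```

A UPX-style layout (entry point in a flat-entropy `UPX1` section, as on the GPCode slide) trips the name and entropy checks, while a plain `.text` entry point with a TLS directory does not.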

  5. Poking for Functionality
     Functionality                 Benign   Targeted   (Random)
     Registry interaction          54%      55%        (23%)
     File system interaction       61%      70%        (34%)
     MS CryptoAPI                  5%       2%         (<1%)
     Windows hooks                 5%       31%        (6%)
     Windows image capture APIs    10%      33%        (13%)

  6. - Drivers are somewhat likely to be legitimate
     - Packed samples are somewhat likely to be malicious
     - Non-packed files are not necessarily benign
     - Targeted malware is more likely written in C++ than random malware
     - Malicious files are unlikely to use UI APIs
     - Targeted malware performs about as much Registry interaction as benign samples

  7. Ransomware
     - Enumerate files on disk or network
     - Encrypt any or all of it
     - Place a ransom note

  8. Ransomware: GPCode
     - Written in C
     - Only 22KB big
     - Packed with UPX
     - Linear execution
     - Enumerates and encrypts file shares

  9. RATs
     - Off-the-shelf malware, commercially available
     - Primary use: Targeted espionage

  10. Peering inside a Commodity RAT: XTremeRAT
     - All traits of standard malware
     - Multiple packer layers
     - Code injection into system processes for stealth
     - Persistence methods are not outstanding
     - Functionality is straightforward
     - No code obfuscation

  11. Peering inside a Commodity RAT: XTremeRAT
     - Sniffing of clipboard data through the keylogger window by installing a viewer to receive WM_DRAWCLIPBOARD messages
     - Download and execution of binaries via HTTP
     - Data exfiltration via FTP
     - Comes with a configuration file, encrypted with RC4, embedded in the .rsrc section

  12. Peering inside a Commodity RAT: XTremeRAT
     - Logs keystrokes through an invisible window, placing a global hook

  13. The Beasts in the Bestiary

  14. True Implants
     - Compiled between 2007 - 2011
     - (somewhat likely) written in pure C
     - Registers as an icon handler shell extension for .lnk files
     - Shell in this case means the program manager
     - Server registration sets up COM server
     - Objects being served perform actual work
     "You can write one in C if you really want to, although that's a violation of the Geneva Convention on Programmer's Rights in most jurisdictions." – Unknown Stackoverflow user

  15. Sensitive Implants
     - OS version detection
     - Redundant code for different versions
     - Fine-grained decision making - during setup - for evasion
     - Avoids keylogging, code injection or registry interaction when certain security software is present

  16. Execution flow
     - Terminal services notification
     - Function arrays for execution flow obfuscation
     - Configuration data in queues
     - Massive amount of global variables, critical sections, pipes, etc. etc.

  17. [Diagram: function array walked in +3 steps, with init, SETUP and TEARDOWN entries]

  18. - Search for index, specified by global variable
     - Load respective init/handler functions
     - Craft arguments
     - Call init, then handler

  19. Kaspersky evasion
     - Diffing

  20.               GPCode               XtremeRAT                    CheshireCat
     Development    Cheap                Fair                         Expensive
     Motivation     Profit oriented      Potentially profit oriented  Pretty sure not profit oriented
     Stealth        Not at all stealthy  Trying                       Super stealthy
     Code           C, < 100KB, Simple   C, < 100KB, Simple           C, < 100KB, Complex/careful
     Packing        „Packed“             Packed!                      Not packed
     Distribution   Manual placement     E-Mail                       N/A

  21. Threat Detection
     - Known-bad / Non known-good / Known-bad origin / Non known-good origin
     - File hashes / File fragments / File behavior / File properties
     - System behavior / Network patterns / Abnormal system behavior / Abnormal network patterns
     Threat detection metrics are heavily built on known fragments, while aiming to find the largely unknown.

  22. Taking Pattern Matching to the next Level
     - Threat evaluation vs. detection
     - Dynamic patterns, packer detection, functionality detection
     - Custom encryption algorithms / obfuscation
     - Custom evasion, persistence
     - APT research: binary similarity is nice, authorship similarity may be more interesting
     - Threat detection vs. threat development ratio trouble

  23. Thank you! Marion Marschalek | marion@0x1338.at | @pinkflawd
