a bestiary of
play

A Bestiary of Ugly Malware A non-scientific survey of current day - PowerPoint PPT Presentation

Nov 01, 2022 •240 likes •472 views

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd Software that steals your data Software that destroys your data Software that abuses

  1. A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd

  2. Software that steals your data Software that destroys your data Software that abuses your machine Windows PE executables / DLLs C /C++, Delphi, .NET, VisualBasic, Java Javascript Word Macros Powershell Shellcode or commands in Windows Registry

  3. Threat Detection and Classification Issues Packers and crypters Installers Binary formats Compilers and compiler settings Programming languages Coding habits Target platforms

  4. Malware Nature benign EP section name abnormal EP section entropy too high/low Use of TLS sections API calls / KB ratio Section count too low Imphash missing targeted random

  5. Poking for Registry interaction Benign 54% - Targeted 55% - (Random 23%) Functionality File system interaction Benign 61% - Targeted 70% - (Random 34%) MS CryptoAPI Benign 5% - Targeted 2% - (Random <1%) Windows hooks Benign 5% - Targeted 31% - (Random 6%) Windows image capture APIs Benign 10% - Targeted 33% - (Random 13%)

  6. Drivers are somewhat likely to be legitimate Packed samples are somewhat likely to be malicious Non-packed files are not necessarily benign Targeted malware is more likely written in C++ than random malware Malicious files are unlikely to use UI APIs Targeted malware performs about as much Registry interaction as benign samples

  7. Ransomware Enumerate files on disk or network Encrypt any or all of it Place a ransom note

  8. Ransomware: GPCode Written in C Only 22KB big Packed with UPX Linear execution Enumerates and encrypts file shares

  9. RATs Off-the-shelf malware commercially available Primary use: Targeted espionage

  10. Peering inside a Commodity RAT XTremeRAT All traits of standard malware Multiple packer layers Code injection to system processes for stealth Persistence methods are not outstanding Functionality is straight forward No code obfuscation

  11. Peering inside a Commodity RAT XTremeRAT Sniffing of clipboard data through keylogger window by installing a viewer to receive WM_DRAWCLIPBOARD messages Download and execution of binaries via HTTP Data exfiltration via FTP Comes with a configuration file, encrypted with RC4, embedded in the .rsrc section

  12. Peering inside a Commodity RAT XTremeRAT Logs keystrokes through an invisible window, placing a global hook

  13. The Beasts in the Bestiary

  14. True Implants Compiled between 2007 - 2011 Registers as an icon handler shell extension for .lnk files Shell in this case means the program manager Server registration sets up COM server Objects being served perform actual work "You can write one in C if you (somewhat likely) written in pure C really want to, although that's a violation of the Geneva Convention on Programmer's Rights in most jurisdictions.“ – Unknown Stackoverflow user

  15. Sensitive Implants OS version detection Redundant code for different versions Fine-grained decision making - during setup - for evasion Avoids keylogging, code injection or registry interaction when certain security software is present

  16. Execution flow Terminal services notification Function arrays for execution flow obfuscation Configuration data in queues Massive amount of global variables, critical sections, pipes, etc. etc.

  17. init TEARDOWN +3 +3 +3 ... SETUP

  18. + Search for index, specified 7 + by global variable 7 + Load respective 7 .. init/handler functions . Craft arguments Call init, then handler

  19. Kaspersky evasion Diffing

  20. GPCode XtremeRAT CheshireCat Development Cheap Fair Expensive Motivation Profit oriented Potentially profit Pretty sure not oriented profit oriented Stealth Not at all Trying Super stealthy stealthy Code C C C < 100KB < 100KB < 100KB Simple Simple Complex/careful Packing „ Packed “ Packed! Not packed Distribution Manual placement E-Mail N/A

  21. Th Thre reat at De Detec tection tion File hashes System behavior Known-bad File fragments Network patterns Non known-good File behavior Abnormal system behavior Known-bad origin File properties Abnormal network Non known-good origin patterns Threat detection metrics heavily build on known fragments , while aiming to find the largely unknown .

  22. Tak akin ing Pat atter tern n Mat atch chin ing to to th the ne next Le Level el Threat evaluation vs. detection Dynamic patterns, packer detection, functionality detection Custom encryption algorithms / obfuscation Custom evasion, persistence APT research: binary similarity is nice, authorship similarity be more interesting Threat detection vs. threat development ratio trouble

  23. Thank you! Marion Marschalek | marion@0x1338.at | @pinkflawd

Recommend

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan at bitergia dot com https://speakerdeck.com/bitergia /introducing /introducing Bestiary Analytics scope configuration made simple

391 views • 6 slides
A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of

A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of

Pure State Quantum Mechanics CPM and Decoherence Measurements and Locality A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of Oxford 17 July 2015 Stefano Gogioso A Bestiary of Sets and Relations

1.21k views • 84 slides
The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses

The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses

Amely Koenigs VCD102 Presentation Mythological Animal Museum- The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses skeletons and collections of mythical animals (they are assumed to be real

180 views • 7 slides
Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline SPA project http://spa.desy.de/spa/ , http://www.ippp.dur.ac.uk/montecarlo/BSM/ Bestiary of public codes only: supposedly impartial

937 views • 36 slides
Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve 2018 The Bestiary of Autonomous Machines 2018 What is art in confinement Art in prison Russian prisoner tattoos Art in prison Art in prison

1.31k views • 32 slides

More recommend