fit5124 advanced topics in security lecture 9 malware
play

FIT5124 Advanced Topics in Security Lecture 9: Malware - PowerPoint PPT Presentation

Oct 02, 2023 •148 likes •450 views

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware

  1. FIT5124 Advanced Topics in Security Lecture 9: Malware – Functionality and Analysis Techniques Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 1/29

  2. Malware – Functionality and Analysis Techniques Malware: Today: A look at malware functionality and techniques for analysing malware. Plan for this lecture: Malware Functionality: Common Malware Function Overview: Backdoors, Credential Stealers, Persistence mechanisms, Covert methods Look at common Covert techniques: Covert Code Execution (Launchers): Process injection, Process hiding Covert Data Interception: Hook injection Malware Analysis Techniques and Tools: Malware Behaviour Analysis Malware Code Analysis Anti-analysis techniques Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 2/29

  3. Malware Functionality Malware comes in various flavours, depending on attacker’s goal. We mention a few common types. Backdoor: Allows attacker to remotely access target machine Usually communicate to attacker over HTTP (port 80). Often support many OS functions (e.g. enumerate displayed windows, create/open files, ...). Other variants: Reverse shell connections: Provide attacker with full shell access to target machine. (e.g. use netcat to remotely run cmd.exe) Remote Administration Tools (RATs), e.g. poisonivy Botnets Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 3/29

  4. Malware Functionality Credential Stealers: Hash dumping (e.g. pwdump) keystroke logging: kernel-based keylogging: Modify keyboard driver of OS User-space keylogging: Use Windows API services Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 4/29

  5. Malware Functionality Common types of Malware Functionality (cont.) Persistence Mechanisms: Modify the Windows Registry (e.g. HKEY LOCAL MACHINE - global settings section (key) of registry). Modify Dynamic Link Libraries (DLLs): add malicious code to empty part of DLL, jump back to original code. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 5/29

  6. Malware Functionality Common types of Malware Functionality (cont.) Covert Techniques: ‘Rootkit’ techniques: Hiding existence and actions of attacker code: Process hiding Process injection Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 6/29

  7. Malware Functionality – Covert Techniques Covert Code Execution: Process Hiding Windows OS background: Dynamic Link Libraries (DLLs) contain executable code (like .exe files), but can be shared among processes Typical memory map of a Windows process: The Process Environment Block (PEB) stores information on the location of items like DLLs, heaps, ... Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 7/29

  8. Malware Functionality – Covert Techniques Covert Code Execution: Process Hiding Hiding DLLS via unlinking DLL list: The PEB contains 3 linked lists of loaded DLLs Standard Windows system calls/utilities (e.g. listdlls) use those lists Idea: Attacker unlinks the list to skip entry for attacker’s DLL Countermeasure: Volatility tool can find trace of unlinked DLL from kernel table. (harder to modify). Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 8/29

  9. Malware Functionality – Covert Techniques Covert Code Execution: Process Injection Often, security software (such as Firewalls) blocks access to resources (e.g. Internet access) except from authorized processes. Q: How can malicious process gain access to blocked resource? Possible A: Process injection – Malicious process injects code into authorized process. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 9/29

  10. Malware Functionality – Covert Techniques Covert Code Execution: Process Injection (cont.) Several known variants of Process Injection: DLL injection: malware DLL exists on disk, get target process to load it (e.g. using Windows LoadLibrary API call). Direct Injection: Malware code written directly into target process memory and executed within target. Reflective DLL injection: Malware DLL written directly into target process memory (no Windows loader API call). Process Replacement/Hollowing: Malicious process starts new instance of legit. target process and replaces target code with malware code. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 10/29

  11. Malware Functionality – Covert Techniques DLL injection: Malware DLL exists on disk, malware process A gets target process B to run it Outline of example implementation of process A in Windows: Enable debug privilege ( SE DEBUG PRIVILEGE ): Gives A right to read and write Process B’s memory. Opens a handle to process B ( OpenProcess ): Get handle for subsequent process B read/write operations. Allocate memory inside Process B for malicious DLL ( VirtualAllocEx ). Write path Malpath to malicious DLL on disk into Process B ( WriteProcessMemory ). Start a new thread in Process B that loads malicious DLL into memory ( CreateRemoteThread ): Pass to CreateRemoteThread ptr to LoadLibrary function with argument ptr to Malpath . After malicious DLL is loaded, Windows automatically runs its DllMain function – malicious code! Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 11/29

  12. Malware Functionality – Covert Techniques DLL injection: Malware DLL exists on disk, malware process A gets target process B to load it using Windows API call (e.g. LoadLibrary). Example Windows implementation code for process A: Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 12/29

  13. Malware Functionality – Covert Techniques Direct Injection: Malware code written directly into target process memory and executed within target. Similar implementation to DLL injection, except process A copies malicious code into process B and runs it with CretateRemoteThread . Reflective DLL Injection: Hybrid of DLL and direct injection. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 13/29

  14. Malware Functionality – Covert Techniques DLL/Direct Injection is tricky to implement without crashing target process. Alternative - Process Replacement/Hollowing: Malicious process A starts new instance of legit. target process B and replaces target code with malware code. Outline of example implementation of process A in Windows: Create instance of process B in suspended execution mode. ( CreateProcess with CREATE SUSPENDED argument). Release memory used by process B headers/code ( ZwUnmapViewofSection ). Allocate above memory in Process B for malicious headers/code ( VirtualAllocEx ). Write malicious headers/code into Process B ( WriteProcessMemory ). Set start address of suspended process B thread to start of malicious code ( SetThreadContext ). Resume suspended thread of process B - run malicious code! Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 14/29 ( ResumeThread ).

  15. Malware Functionality – Covert Techniques Process Replacement/Hollowing: Malicious process A starts new instance of legit. target process B and replaces target code with malware code. Example Windows implementation code for process A: Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 15/29

  16. Malware Functionality – Covert Techniques Covert Data Interception: Hook injection Uses Windows hooks to intercept messages from Windows triggered by certain events (e.g. keystrokes). Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 16/29

  17. Malware Functionality – Covert Techniques Covert Data Interception: Hook injection Hooks usually implemented in Windows with SetWindowsHookEx function Has 4 parameters: idHook : type of hook procedure, e.g. WH CBT for keyboard/mouse events. lpfn : ptr to hook procedure. hMod : handle for DLL containing hook procedure. dwThreadId : identifier of thread associated with hook (if set to 0, all threads running in same desktop!) Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 17/29

  18. Malware Functionality – Covert Techniques Covert Data Interception: Hook injection Example SetWindowsHookEx call in Assembly: Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware – Functionality and Analysis Techniques Mar 2014 18/29

Recommend

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton School of IT Monash University March 2016 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 4: Lattice-Based Crypto. IV Mar 2014 1/33 Plan

932 views • 39 slides
FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regevs Lecture Notes on Lattices in

460 views • 30 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics

Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics

Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics and organization Security Reading material Class web page Peter Reiher Grading April 3, 2006 Projects Office hours Lecture

442 views • 8 slides
Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A Threatens Privacy Threatens Try to achieve Lecture 2B: Network threats Lecture 3A: Attacks on Lecture 6A: Security Protocols Web servers, malware

381 views • 25 slides
More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

701 views • 53 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime Advanced attack techniques detector Heap spraying Static detector Nozzle Heap feng shui JIT spraying Drive-by malware and browsers

1.11k views • 43 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides
Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security Security threats Regulators and ISP security Some headlines Davie-Besse nuclear reactor control network

482 views • 17 slides
PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst, Oracle + NetSuite Agenda Basic intro No assembly required No malware (de)obfuscation magic How does the OS look inside?

847 views • 57 slides
Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features

Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features

Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features Object-Oriented Languages objects, classes Functional Languages function closures lazy evaluation advanced type systems

220 views • 18 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos SoK: Research perspective and challenges for Bitcoin and cryptocurrency Joseph Bonneau , Andrew Miller , Jeremy Clark, Arvind Narayanan

794 views • 43 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone users over the years Leading app stores 2019 Smartphones are becoming increasingly ubiquitous With great popularity Comes great

385 views • 37 slides
CS419 Spring 2010 Computer Security Virtual Machines and Malware Vinod Ganapathy Lecture 20

CS419 Spring 2010 Computer Security Virtual Machines and Malware Vinod Ganapathy Lecture 20

CS419 Spring 2010 Computer Security Virtual Machines and Malware Vinod Ganapathy Lecture 20 Readings: VMWare paper + Thompsons paper Course Review Forms Need one volunteer. Please turn in completed forms to the CS undergraduate

1.1k views • 76 slides

More recommend