Memory - WikiLeaks

Download Report

Transcript Memory - WikiLeaks

Basic Malware Analysis Using
HBGary Responder Professional 2.0
Introductions
• Trainer
• Class participant introductions
–
–
–
–
Name
Experience in Incident Response and Reverse Engineering
Why are you here?
What would you like to learn in this class?
Class Structure
• This course is focused on Incident Response and
malware analysis using the HBGary Responder™
Professional product. Each section of this course
features the following:
–
–
–
–
Lecture
Hands-on lab exercises
Quiz
Demonstrations and videos
Class Materials
• Course DVD contains:
– videos
– slides
– malware samples
• Responder Professional with Digital DNA™
– Fully licensed version
Key
Demo video
Class exercise
A helpful analysis hint
Objectives
After completing this course, students will be able to:
• Identify the role of physical memory in Incidence
Response
• Explain Microsoft Windows Operating system internals
• Install and use HBGary Responder Professional™
• Utilize a factors-based methodology for threat
assessment
Module 1
THE ROLE OF PHYSICAL MEMORY IN
INCIDENT RESPONSE
Memory Forensics is…
• Random Access Memory (RAM)
• Contains the current state of the computer
– Very far down into the weeds
Strings are not enough… (1 of 2)
• Find all ASCII and Unicode Strings
–
–
–
–
Old school (since 2002)
Sometimes answers "what?”
Don't know when, who, where, or why?
Only physical search
• Cannot tie the content to a process and user
Strings are not enough… (1 of 2)
• Produces HUGE amounts of data
– Sometimes more than 1,000,000 ASCII strings!
– No contextual information
• Lots of good information, including:
–
–
–
–
–
Mostly on-screen messages
Open documents
Program names
Passwords
Network connection information
Why Memory Forensics?
• Encryption Keys*
– BitLocker, PGP Whole Disk Encryption, etc...
• What was happening on the system at the time of the
image:
– Running programs, open documents
– Unpacked contents of packed programs
– Network connections
• What was really happening on the system:
–
–
–
–
Not the sanitized (lying) version from the OS
Hidden programs, rootkits, injected code
Destroying the Hacker Defense
What was running ten minutes before the knock and talk
Why Memory Forensics?
A more
complete
investigation
To execute, it must exist in RAM
Traditional Forensics & Security Software
Why Live Memory Forensics?
• Today it’s easy!
• Mission-critical systems
– 99.999999% availability
• Anti-forensic techniques used by bad guys
– Hax0rs
– Cyber spies
– Cybercriminals
• Valuable information in RAM cannot be found on disk
– Passwords, encryption keys
– Network packets, screen shots
– Private chat sessions, unencrypted data, unsaved documents, etc.
Why Offline Analysis?
• No more operating system to be fooled
– Rootkits and malware lie
– Operating system cannot be trusted and cannot be used!
• Everything is re-created from the bottom up
– Physical layer
– Replicates disk forensics approach
• Can detect malware that anti-virus cannot
• Can detect malware that host-based IDS/IPS cannot
• Proactively verify the run-time state of the system
Useful Information in RAM
•
•
•
•
•
•
•
•
•
•
Processes and Drivers
Loaded Modules
Network Socket Info
Passwords
Encryption Keys
Decrypted files
Order of execution
Runtime State Information
Rootkits
Configuration Information
•
•
•
•
•
•
•
•
•
•
Logged in Users
NDIS buffers
Open Files
Unsaved Documents
Live Registry
Video Buffers – screen
shots
BIOS Memory
VOIP Phone calls
Advanced Malware
Instant Messenger chat
Bad Guys Use Memory Tricks
• Memory injection attacks never touch the disk
• Public and commercial hacker tools have used these
techniques for over 3 years
– Metasploit Framework (www.metasploit.com)
– Canvas (www.immunitysec.com)
– Core Impact (www.coresecurity.com)
• No good software detection mechanism without
physical memory preservation and offline analysis
– Remember - you cannot trust the operating system!
History of Memory Analysis
• Relatively new
– There are some imagers, but nothing solid for analysis
• Freeware scene – started in 2003
– DFRWS community, Kornblum, Carvey, others…
• Academic scene – Jan. 2008
– The Princeton video Frozen Memory
• Open source and academic projects
–
–
–
–
Perl scripts
Hex editors
Strings.exe, grep searches, manual carving
Volatility framework
Defeat the Trojan Defense
• “I didn’t do it, the Trojan horse did!”
– “the hacker controlling my PC did it”
• Used in the UK - 2003
– Plausible deniability because law enforcement didn’t image
physical memory
– Law enforcement destroyed 4 GB of evidence
• 4GB is equivalent to 1,048,576 pages of paper (2,097 reams)
• Goal: “to prove a negative”
– “No, your Honor, there was no Trojan or any other software
running on the defendant’s machine at the time in question
with the capabilities claimed by the defense…”
Live Memory Forensics Risks
• RAM Collection software relies on the host OS
– Can be subverted
• Some software more invasive than others
– Usually load about 10 modules from the operating system
Live Memory Forensics Risks
• Rootkits
– User mode
• Can modify system commands (netstat, ipconfig)
– Kernel mode
• Can hide and modify low-level blocks of memory/disk
• Can subvert software dumping of RAM
• That’s why we’re working on ICEDUMP
– Similar to the Princeton approach
– Countermeasures to kernel-mode rootkits:
• VMware snapshot files pause the processor
• Hiberfil.sys – contents of RAM are written to non-volatile storage
before the system is powered down
Counter-Measures
• Pause the processor – virtual machines
• Existing file system memory images (made by
Windows)
– Hibernation files
– Crash dumps
Hibernation
• Saves system state to disk for faster resume
• Compresses physical memory and writes it to c:\hiberfil.sys
– Space reserved when hibernation enabled
– Not cleared, contains disk free space
• No data if enabled but never used
• Once used, always some data maintained
Compressed
Memory
Disk Data
Size of Physical Memory
Hibernation
• Not enabled by default until Windows Vista
– Now called Sleep
Hibernation
• Header
– Wiped upon successful restore
• Free pages
• Page tables
• Compressed data
How To Vote via Texting
TIPS
1. Standard texting rates only (worst cast US $0.20)
2. We have no access to your phone number
3. Capitalization doesn’t matter, but spaces and spelling do
Quiz
1. What information is found in RAM, but not on disk?
a) Passwords
b) Chat sessions
c) Saved documents
2. Strings provide which of the following information?
a) Program names
b) Checking account number
c) Passwords
Quiz
3. Which of the following is NOT a countermeasure to
kernel-mode rootkits?
a) Locking your computer screensaver
b) VMware snapshot files
c) Hiberfil.sys
Module 2
HARDWARE AND OPERATING
SYSTEM DESIGN AND LAYOUT
Computers
• Desktops, PCs, Laptops…
Hardware
• Commodity PCs are built from similar, replaceable
components
–
–
–
–
Motherboard
Random Access Memory (RAM)
Hard disk drive
Peripherals (video card, keyboard, mouse)
Even Laptops?
• Yes, even laptops. The components may be integrated
together and less replaceable, but they still adhere to
standardized designs and interfaces.
Diagram
Motherboard
Memory (RAM)
CPU
FrontSide Bus
NorthBridge
AGP or PCI Express
PCI Slots
IO
Serial/Parallel
Keyboard
Mouse
SouthBridge
USB
IDE/SATA
Hard Drive
Why use Memory? Hard Drives are
much larger…
• Memory is FAST
– A read can take around 0.00000001 seconds
• Hard drives are SLOW
– A read can take around 0.01 seconds
• It comes down to electrical (Memory) vs. mechanical
(Hard Drives)
Windows Concepts
• The Windows OS is highly structured, and utilizes the
following concepts:
–
–
–
–
–
–
Kernel and User modes
Drivers
Processes
Threads
Services
Registry
Architecture Diagram
User Applications
User Applications
User Applications
User Applications
Executive
Base Kernel
Windows
API
Environment
Subsystems
Device Drivers
USER and GUI
support
System Support
Processes
HAL
Kernel mode
Services
User mode
CPU Privilege Level
• Ring 0 – Unrestricted
• Ring 1, 2 – Not used in
Windows
• Ring 3 – Restricted
Ring 0
Ring 1
Ring 2
Ring 3
Windows Kernel
• Kernel components have
unrestricted access to
the entire system
(dangerous!)
• The Windows Kernel is
Ring 0
Ring 0
Ring 1
Ring 2
Ring 3
Windows Kernel
• Windows Executive handles memory, process, thread,
security, object, IO, and networking management
• Hardware Abstraction Layer (HAL)
• USER and GUI functionality
• Device drivers provide extendable user and hardware
input/output (I/O)
What are Device Drivers?
• Dynamic, loadable modules that run in kernel mode
and can provide hardware I/O support, and/or user I/O
translation.
• Again, as with all kernel components, device drivers
have unrestricted access to the system (dangerous)!
Windows User mode
• Restricted access to the system (Ring 3)
– Must access system resources through the Windows API
• Contains:
–
–
–
–
User applications
Support processes (logon)
Service processes
Environment subsystems
Ring 0
Ring 1
Ring 2
Ring 3
What are Processes?
• Processes are containers for executing a program
–
–
–
–
Private virtual memory space
Unique identifier called a Process ID (PID)
At least one thread of execution
Security context
What is a Thread?
• A Thread is a container for execution
–
–
–
–
–
CPU registers and state
Stacks
Private storage called TLS
Unique identifier called a thread ID (TID or client ID)
Security context
Services
• User mode programs that provide functionality
independent of the current user
• For example:
– Task scheduler
– Print spooler
– Windows Update
Services
• Services.exe
• Svchost.exe
• Others (see VMWareService.exe)
Registry
• A system database that contains important system
information
• For example:
–
–
–
–
Startup settings
Hardware configurations
Application configurations
Current user data
Physical Memory vs. Virtual Memory
• Physical Memory refers to the hardware view of
memory
– Only one view of physical memory
• Virtual Memory refers to virtualized OS views of
memory
– There can be many different virtual memory spaces
Memory
Memory (RAM)
Physical Memory
Operating System
Virtual Memory(s)
Why have Virtual Memory?
• Can provide process memory isolation (security)
• Allows more “logical” memory by increasing the
addressable space (each process gets its own 4GB of
virtual memory).
• When combined with paging, can increase the total
available memory (more on this later).
Total Logical Memory
• Sum of all Virtual Memory
Physical Memory
2 GB Memory (RAM)
OS
4GB
4GB
4GB
4GB
4GB
4GB
Virtual Memory
6 x 4GB = 24 GB of Logical
Memory
How 2GB becomes 24GB (or more)
• The OS utilizes CPU features to create page directories
and page tables which can be used to divide physical
memory among multiple virtual memory spaces
Physical <-> Virtual
Page Directories and Page Tables
Physical Memory
2 GB
Virtual Memory for Process A
0 GB
4 GB
Virtual Memory for Process B
0 GB
4 GB
Virtual Memory for Process C
0 GB
0 GB
4 GB
What happens when all Physical
Memory is used?
• Paging to the hard disk drive (SLOW!)
• Pagefile.sys
0 GB
Page Directories and Page Tables
Physical Memory
2 GB
Virtual Memory for Process A
0 GB
4 GB
Virtual Memory for Process B
0 GB
4 GB
Virtual Memory for Process C
0 GB
Hard Drive
4 GB
Paging to Disk
• When Physical Memory is getting full, the least used
pages of memory are written to disk
• When those pages are needed again, they are read
back into Physical Memory and some other pages are
written to disk. This is called Swapping.
• Swapping reduces system performance.
Memory Dump
• To get a complete collection of memory you need to
collect two pieces:
– Physical Memory
– The on-disk pagefile
Unreferenced Memory
• Unreferenced Memory is a feature of Windows
Memory Management that may leave empty sections
in a memory dump
– When loading a binary from disk, the Windows Memory
Manager may decide to only read portions of the binary into
memory
– The unread portions (unreferenced pages) of the binary are
tracked
Why not read everything?
• Speed
• Reduction of actual memory usage
• Some binaries are very large but only a small section
may be commonly used
0 GB
Page Directories and Page Tables
Physical Memory
2 GB
Virtual Memory for Process A
0 GB
Virtual Memory for Process B
0 GB
Hard Drive
pagefile
4 GB
ANYFILE
4 GB
Virtual Memory Allocation
• Programs can allocate virtual memory dynamically
• The size can range from a single byte to several GBs (or
8192 GBs in x64 OS versions)
How is this tracked?
• The Windows kernel uses a data structure known as
Virtual Address Descriptors (VADs) to track virtual
memory allocations
• Responder™ combines this information with page table
data for each process, and displays it in the Memory
Map detail panel
0 GB
Page Directories and Page Tables
Physical Memory
2 GB
Virtual Memory for
Process A
0 GB
0x00C00000 –
0x00E00000
0x00CE0000 –
0x00E00000
0x00CD0000 –
0x00CDF000
PTE 0010 - 0015
0x00CE0000 –
0x00CF0000
VAD Tree
Hard Drive
4 GB
0x00D10000 –
0x00D20000
Memory Map
Memory Block
Individual Pages for this Block Unreferenced Pages
Block Length
4 GB
Virtual Memory Layout
Kernel Memory
• The upper 2GB* of every
Virtual Memory space is
reserved for the
Windows Kernel to use.
It is not accessible to user
mode processes.
2 GB
*
0 GB
User Memory
Note: except with the rarely used /3GB switch
User Virtual Memory
2 GB
Process specific Windows system structures
Windows System DLLs
Windows and Application DLLs or Allocated Memory
DLLs or Allocated Memory
Application Binary
0 GB
Stack
Heap or Allocated Memory
Might be Heap
Stack
• Responder provides a
complete picture of
contents in memory
Application
DLLs
System DLLs
Quiz
1. Device drivers have what level of system access?
a) Restricted to the device the driver is written is control
b) Unrestricted!
c) No access
2. Services provide functionality for which mode?
a) User-mode
b) Kernel-mode
Quiz
3. How do programs allocate virtual memory?
a) Statically
b) Dynamically
Module 3
INTRODUCTION TO RESPONDER
PROFESSIONAL
Architecture
User View
Digital DNA™
API to access code and data flows
Reverse Engineering (RE) of all Code
API to access Memory Objects
OS Reconstruction
Physical RAM Acquisition
Creating a Physical Memory Snapshot
Project
• File  Project  New
• Five types of projects:
1.
Physical Memory Snapshot
• Live memory analysis (all
running processes)
2.
Remote Memory Snapshot
• Captures a physical memory
snapshot over TCP/IP on a
remote machine
3.
Live REcon™ session
• Records malware behavior for
further analysis
4.
Static PE Import
• Binary import and analysis
(static binaries from disk)
5.
Forensic Binary Journal
• REcon output file import project
Machine details
• Optional - Add details about the Case and Machine
Pattern Files
• Add a text (.txt) file to
search for user-specified
patterns.
• Supported pattern file
formats:
– string – the search is NOT
case sensitive
– [hex] – brackets
containing a hex pattern
Scanning process tasks
• The physical memory snapshot scanning performs the
following tasks:
–
–
–
–
–
–
Validates the page table layout and size
Identifies PAE/Non-PAE
Identifies OS and service pack
Reconstructs Object Manager
Rebuilds EPROCESS blocks
Rebuilds the virtual address descriptor table (VAD tree)
Report Tab
• The Report tab stores the human-readable results of an
analysis, and allows the user to quickly create report
items from interesting pieces of data, and to sort them
into groups or folders.
Report Panel
• Case # - User supplied
number
• Double-clicking any of
the Report folders or
Report items takes the
user to the item entry in
the Report summary
Report Summary
• The Report Summary
contains details of the
items in the Report
Panel.
• Items in the Report
Summary are designed
to be exported in html,
and can be printed.
Report Folders
• Report folders can be added, edited and deleted by
right-clicking the Report folder
Report Items
• Report items can be moved up/down, edited, deleted
and copied to the clipboard by right-clicking the Report
item
Detail Panels
• To access a detail panel for an entry in the Report or
Object tabs, perform one of the two following steps:
1. Double-click the icon in the Object tab.
2. Click View  Panels 
Detail panels
• Provide detailed information about the selected
category in the Object panel
• Data can be searched and exported to the following
formats:
– PDF
– HTML
– RTF
- XLS
- Image
• Panel contents can be locked
• Additional columns are available
- CSV
- Text
Details Panel – Column Chooser
Right-click the header bar
(where the column labels are)
and select the Column
Chooser option
Details Panel – Search
Click the Search icon to filter the
panel’s contents to only those entries
that match the search criteria
Details Panel – Export
1. Click the Export icon
2. Enter a name for the file  Click
Open
3. Locate the saved file, and
open it to view the information
Details Panel - Lock
1. Click the Lock icon to lock the Details panel
2. Double-click the All Open
Registry Keys folder again.
Since the Registry Panel is locked,
a new (unfiltered) Registry View
window is created.
Lock/unlock this window
Right-click Context-Sensitive Actions
• Every panel has a right-click context menu
– Right-click menu choices based on selected object(s)
• Common options include:
– Send to report – creates an entry in the Report panel for the
selected item
– Google™ Text Search – uses the Google™ search engine to
find internet references to the selected item
– Google™ Code Search – uses the Google™ search engine to
find source code that uses the selected item (typically a
string or symbol)
Right-click Google™ Text Search
Right-click Google™ Code Search
MSDN Query
Objects Tab
• Displays all harvested
objects
– Processes, modules, drivers
– Strings, symbols
• Macroscopic view of
object data
– Allows drill-down on most
objects
• Context-sensitive rightclick menu
• Status icons
Objects Tab
Project type
Top level folders
Leaf-node folders:
double-click these to see
details view of the folder
Expandable folders: singleclick these to expand contents
of the folder
Table: double-click this to
see contents of table.
Object Tab Icons
Package that has not been analyzed
Package that has been analyzed (disassembled
and scanned for suspicious behavior)
EXE that has not been analyzed
EXE that has been analyzed (disassembled and
scanned for suspicious behavior)
Snapshot Summary
• The Snapshot Summary panel provides specific
information related to the case. The information is
user-supplied when the project is created, or is
generated during the static import process, and can be
edited or supplemented as the analysis progresses.
Interrupt Descriptor Table
• Primary control table for the CPU, and is probably the
most important table in memory
All Modules Panel
• Displays a summary list of modules, user-mode DLLs
dynamically linked to a process, as well as operating
system drivers.
All Open Files
• Details the file handles open at the time of a physical
memory snapshot.
All Open Network Sockets Panel
• Displays all open TCP and UDP connections at the time
of the physical memory snapshot.
All Open Registry Keys Panel
• Displays all open registry keys and the process which
owns them.
Documents and Messages Panel
• Responder™ scans the imported memory and attempts
to locate document fragments. These documents
include graphics files, HTML, executables, memory
mapped files, and more.
Drivers Panel
• Device drivers are hardware-dependent, operatingsystem-specific, and they usually provide the interrupt
handling for hardware on the system.
Internet History Panel
• A URL captured in the Internet History panel does not
necessarily indicate the URL was visited by a user.
Keys and Passwords Panel
• Displays any keys and passwords found during analysis.
These keys and passwords can come from many
sources including users, administrators and malware.
Processes Panel
• Displays information about all processes running at the
time the memory image was taken.
System Service Descriptor Tables Panel
• Display the contents of the main table that controls
system calls for the operating system, and consists of
two panels:
– System Call Table – NTOSKRNL/HOOKED – The primary
system SSDT. It resides in the windows kernel NTOSKRNL.exe
– System Call Table – WIN32K – The USER32/GDI32 SSDT. This
SSDT resides in the driver win32k.sys
Pattern Matches Panel
• Displays all of the user-specified pattern matches, and
the physical offsets within the binary file where the
pattern matched.
– The pattern match file is added to the project during the
project creation
Importing and Analysis
• A Binary in Responder™ is any executable, such as an
EXE, DLL, or device driver (SYS) associated with a
process
• Binary analysis builds up a complete memory map of a
particular process, and is an important part of forensic
analysis.
• Responder™ doesn't disassemble every module by
default.
– When an analysis is requested of a module, the module is
disassembled, and suspicious information is extracted and
placed into the report
Analyzing Modules
• To extract and analyze a
driver or process, rightclick the package and
choose Package 
Analyze Binary, or you
can simply double-click
the package.
Module Post-analysis
• Analysis creates two folders:
– Function thunks
– Global
Function Thunks and Global Folders
• The Function Thunks and Global folders provide a lowlevel view of functions, and are available to explore
unnamed regions of code.
Strings
• Strings, a data type storing a sequence of data values
expressed as a sequence of characters, provide clues to
origin and intention
– Usually in the language of the developer
– Typically use descriptive variable names
Symbols
• The Symbols panel provides information about a
binary's capabilities (by the functions that it imports),
and its utility by other applications (by the functions
that it exports).
Memory Map Panel
• The Memory Map panel displays the virtual address
ranges allocated in each specific process.
– Memory mapped files are special regions of memory that
have been mapped to the contents of a file on disk.
Threads Panel
• The Threads panel displays lists of OS threads.
Timeline Tab
(Responder Pro only)
• Illustrates the data held in a REcon™ output file (.FBJ).
– This data is organized into both a timeline and tracks.
– Tracks can be viewed by process and thread, or by sample
group.
Canvas Tab
(Responder Pro only)
• Visually renders
relationships and flow
– Control flow
– Data references
• Behavioral representation
of the binary
– Relationships are displayed
graphically
– No need to pour over
disassembly language
• Patterns can become
quickly evident
Canvas Tab Detail
Function head
Function end
Data reference
Canvas Icon Definitions
Entry point of a subroutine
Exit out of a function; return from a subroutine
idata instance (data, string)
Code block (neither entry nor exit)
Noncall transition
Data xref
Call
HTTP://www.yahoo.com
Report items (URLs)
Binary Tab
• The Binary tab displays
the raw hexadecimal
bytes that represent any
specific binary. This view
can be very useful in
identifying the
boundaries between
code and data sections.
Digital DNA
(Responder Pro only)
• The Digital DNA (DDNA) sequence appears as a series of
trait codes, that when concatenated together, describe
the behaviors of each software module residing in
memory. DDNA identifies each software module, and
ranks it by level of severity or threat.
DDNA Tab
• HBGary DDNA technology evaluates binary behavioral
characteristics and automatically provides an easy to
understand description of suspicious traits
• An excellent starting point for analyzing malware
– Sort by severity and start analyzing from the top
DDNA Traits
• Examine trait descriptions to gain a quick
understanding of a binary’s functionality.
Script Tab
(Responder Pro only)
• The Script Panel allows a
user to write C# scripts
that can automate
Responder™ features
Quiz
1. Which of the following is NOT a Responder project
type?
a) Physical Memory Snapshot
b) Logical Memory Snapshot
c) Static PE Import
2. Which of the following features is only available in
Responder Pro?
a) DDNA tab
b) Report tab
c) Objects tab
Quiz
3. Which two folders are created after a binary is
analyzed?
a) Strings
b) Symbols
c) Global
Lab Exercise Files
• Livebins
– In-memory image of a running executable
– Responder can extract any module from a memory snapshot
– These are saved to disk in livebin format
• VMEMs
– VMWare session capture of run-time data
Lab Exercise 1
Focus Creating a new Physical
Memory Snapshot project
Type Project creation
Description Creating a new project in
Responder
Time 45 minutes
Module 4
BASERULES.TXT AND MALWARE
Baserules.txt
• What is the Baserules.txt file?
– It is a malware identification file
– It can Auto-magically analyze “hits”
•
•
•
•
•
Sometime’s auto-magic is good, but sometimes it’s not
Searches for suspicious behaviors
Customizable by the end-user
Add in strings and pattern searches
Flagged binaries can be automatically extracted and disassembled for
further diagnosis
Baserules.txt
•
•
•
•
•
•
Suspicious Strings
API calls
Bytes
Assembly
*Wildcards
Example
Editing the Baserules.txt
• <Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Desc
ription>
– <Type>: The rule type
– <Version>: Rule version, 1.0
– <Weight>: 0 (benign) to 255 (critical): Severity of a match on
this rule
– <Text/Arg>: Varies by rule type. Used by the rule to
determine a match. Some rule types may have multiple
arguments
– <Group>: Group for this rule (KERNELMODE, USERMODE,
KEYBOARD, ALL, etc)
– <Description>: Text description for this rule
Editing the Baserules.txt
• Example – Storm virus which spreads via email:
– Trojan-Downloader.Win32.Small.dam
– Trojan.Downloader-647
– Trojan.DL.Tibs.Gen!Pac13
• Known process names to search for:
– FullClip.exe - GreetingCard.exe
– GreetingPostcard.exe - MoreHere.exe – FlashPostcard.exe
• Dropper process
– wincom32.exe
Editing the Baserules.txt
•
•
•
###################################
### Blacklisted Modules - Alert ###
###################################
•
•
# ADDED ENTRY – Dropper for Storm eMail Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule –
wincom32.exe, Dropper for Storm email worm
# ADDED ENTRY – Executable for Storm eMail Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule –fullclip.exe,
executable for Storm email worm
# ADDED ENTRY – Executable for Storm eMail Worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule –
greetingcard.exe, executable for Storm email worm
•
•
•
•
Lab Exercise 2
Focus Editing Baserules.txt file
Type Identifying Malware Threat
Factors
Description Edit baserules.txt file
Time 30 minutes
Module 5
INTRODUCTION TO MALWARE
THREAT FACTORS
Threat Factors Assessment Goals
• The goal of threat assessment is to:
– rapidly determine if a package is malicious, or warrants
deeper investigation
– identify specific traits of the malware, out of potentially
hundreds of traits
Threat Factors
• Threats can be broadly grouped into six behavioral
categories, or factors:
–
–
–
–
–
–
Development
Communication
Command and Control
Installation and Deployment
Information Security
Defensive
Development Factors
•
•
•
•
•
•
In what country was the malware created?
Was it professionally developed?
Are there multiple versions?
Is there a platform involved?
Is there a toolkit involved?
Are there multiple parts developed by different groups
or developers?
Communication Factors
• Where does it connect to on the Internet?
– Drop point
– IP addresses or DNS names
• Does it allow incoming connections?
• Does it use encryption?
• Does it use steganography? In other words, is it
concealed within another package?
Command and Control Factors
• How is the malware controlled by its master?
• Do commands come from a cutout site?
• What commands does it support?
–
–
–
–
Sniffing, logging, file system?
Attack?
Poison Pill - Self-destruct?
Self-uninstall / silent modes?
Installation and Deployment Factors
• Does it use the registry?
• Does it drop any files?
• Does it attempt to infect other machines on the
network?
• Does it sleep and awaken later?
Information Security Factors
• Identifies the risks associated with the binary
–
–
–
–
–
What does it steal?
Does it sniff keystrokes?
Can it destroy data?
Can it alter or inject data?
Does it download additional tools?
Defensive Factors
Does it:
• have self-defense?
• use stealth?
• bypass parts of the operating system?
• bypass virus scanners?
Computer Network Attack
• Is it connecting to drive shares?
• Does it create a large numbers of sockets (distributed
denial of service (DDOS))?
• Is it port scanning?
Quiz
1. Which of the following is not considered malware
threat factor?
a) Communication
b) Information Security
c) Offensive
2. If malware destroys data, under which factor would
you identify it?
a) Development factor
b) Defensive factor
c) Information security factor
Lab Exercise 3
Focus Malware Threat Factors
Type Identifying Malware Threat
Factors
Description Perform analysis on .exe
modules
Time 25 minutes
Module 6
COMMON MALWARE BEHAVIOR
Communication
• Malware is often designed to communicate over
networks for various reasons:
–
–
–
–
–
–
Signal initial infection
Receive commands
Send sensitive data
Scan internal networks
Infect other machines
DDoS other machines
Malware Comms Diagram
Attacker
Internet
Targets or
Victims
Relay Point or
Jump Point
Infected Website
Server
Open Network Sockets
• Examine
Network Sockets
• Look for:
– active network
connections
– unusual processes
communicating on the
network
– unusual port numbers
• Examine IP addresses
using
http://arin.net/whois
APIC
• Asia Pacific Network Information
– http://wq.apnic.net/apnic-bin/whois.pl
Internet History
• Examine
Search
• .cn
• .ru
• others
Check Report Tab
• Examine suspicious modules
Hooking
• What is Hooking?
– Modifying important locations so that the Malware can
control OS functionality
– Many different places can be hooked
Hooking Details (1 of 2)
Normal OS Function
Table of function pointers
Hooking Details (1 of 2)
• Malware inserts itself between important functionality
to control OS behavior
Normal OS Function
Malware
Table of function pointers
IDT/SSDT Hooks
• Low-level hooks that allow the malware to:
– Hide itself (processes, files, registry keys)
– Communicate covertly
– Control the OS
• Only hides from active user, not from Responder
User-Mode Hooks
• Hooks of user-mode applications or DLLs that allow
malware to:
– Hide itself (processes, files, registry keys)
– Communicate covertly
• Only hides from active user, not from Responder
Check the Report
Hidden Objects
• Many objects can be hidden by malware. The most
common are:
– Processes
– Files
– Registry Keys
Hidden Processes
• By hooking low-level calls on certain Windows API
functions, malware can hide or remove itself from the
list of processes
• Malware can also modify low-level OS data to remove
objects (instead of hooking)
Processes Panel
• The processes panel identifies any processes that are
hidden. Responder uses a variety advanced of
techniques to locate hidden processes.
Hidden Drivers
• By hooking specific functions or modifying low level
data, malware can hide drivers
• Remember, drivers provide unrestricted access to the
system. Malware will often install a driver and then
hide it.
Drivers Panel
• The drivers panel identifies any drivers that are being
hidden within the system. Responder uses a variety
advanced of techniques to locate hidden drivers.
Quiz
1. When using the Open Network Sockets panel, look for
which of the following?
a) Active network connections
b) Unusual port numbers
c) URLs
2. Hooking details can be viewed in which of the
following panels?
a) Open Network Sockets
b) IDT/SSDT
c) Internet History
Lab Exercise 4
Focus Common Malware Behavior
Type Identifying malware behavior
Description Perform analysis on hooked and
hidden processes and drivers
Time 20 minutes
Module 7
DIFFICULTY LEVELS OF REVERSE
ENGINEERING
Reverse Engineering Levels
• The knowledge, experience and skill required to reverse
engineer (RE) software and malware threats can be
broken down into four levels:
– Level I – Recovery of a single string or symbol
– Level II – Single point reverse engineering of an API call
– Level III – Reverse engineering of a set of functions and
branches
– Level IV – Algorithm reconstruction and programming skills
Level I Reverse Engineering
• Recovery of a single string or symbol
– Responder provides automatic analysis of imported binaries
and identifies suspicious strings or symbols
Level II Reverse Engineering
• Single point reverse engineering of an API call
– Identifying arguments that are input to a function call
– Google or MSDN to identify function parameter usage
– View disassembly to identify what elements (registers, etc…)
are being used as parameters
4
2
3
1
1
2 3 4
Level III Reverse Engineering
• Reverse engineering of a set of functions and branches
– Reverse engineering of an unknown function using
disassembly (Binary view)
• What registers are being used?
• What values are inputted/outputted?
– Branches are conditional code that is executed if the
condition is satisfied
• Single-branch conditions (if)
• Two-way conditional branches (if – else)
• Multiple conditional branches (compiler adds alternate blocks
consisting of one or more logical checks)
• Compound conditional branches (checks two or more conditions to
decide if it should enter a conditional code block)
Level IV Reverse Engineering
• Algorithm reconstruction and programming skills
– Utilizing RE Levels I – III with larger chunks of disassembly
across multiple functions to get a picture of how the software
behaves
• Example: How malware command and control
structure works
– Disassembling multiple functions and data structures
– Describe how those functions interact with one another
Module 8
INTRODUCTION TO API
What is an API?
• An application programming interface (API) is:
– the interface (calling conventions) by which an application
program accesses operating system and other services.
– defined at source code level and provides a level of
abstraction between the application and the kernel (or other
privileged utilities) to ensure the portability of the code.
What is the Windows API?
• The core set of application programming interfaces for
the Windows operating system
• Provides all the functionality required to create
software on the Windows platform.
– http://msdn.microsoft.com/enus/library/aa383749(VS.85).aspx
• The Windows API allows restricted user mode
programs access to system resources
Windows API (1 of 2)
• The Windows API can be grouped into the following
eight functionality categories:
– Base Services: Access to system resources (kernel32.dll)
– Advanced Services: Access to Windows registry,
shutdown/startup, and user accounts (advapi32.dll)
– Graphics Device Interface: Output to monitors, printers, etc.
(gdi32.dll & kernel-mode win32k.sys)
– User Interface: Functionality to create and manage windows,
buttons, scrollbars, mouse and keyboard input , etc…
(comctl32.dll)
Windows API (2 of 2)
– Common Dialog Box Library: Access for opening and saving
files, choosing color, font, etc… (comdlg32.dll)
– Common Control Library: Provides programs access to
operating system advanced controls such as status bars,
progress bars, toolbars and tabs (commctrl.dll)
– Windows Shell: Application access to change and enhance
Windows shell (shell32.dll)
– Network Services: Access to network capabilities (TCP/IP,
NETBIOS, Winsocket, etc…)
API - in other words…
• Think of an API call as a trip to the DMV…
– Customers (applications, users, hardware drivers, network connections,
etc…) request various services (graphics output, creating folders,
managing mouse input, access to memory resources, etc…) that are
handled at specific counter locations (APIs) at the DMV.
New license
applications
API
License
renewal
API
Registration
renewal
API
DMV Kernel
Driving tests
API
Written tests
API
API Arguments
• Arguments are inputs to the API
– For example, an argument defines the location of the mouse
pointer in the API of the comctl32.dll
– A registry entry can also be an API argument
• For example, the Recent Documents list in many common programs
started as a registry entry, and is retrieved by the Windows API as an
argument when the program starts
How does an API work?
• From a user mode program:
1. A call is made to an API function
2. The API function eventually calls an exported function of
NTDLL that provides the needed ability
3. The NTDLL function issues an interrupt (or SYSENTER
instruction) to pass control to kernel mode
4. The interrupt/SYSENTER handler, KiSystemService, is called
by the CPU
5. KiSystemService looks up and calls the requested service in
the System Service Descriptor Table (SSDT)
•
Note: there is also a Service Descriptor Table Shadow that handles
USER and GDI services
Windows API
Application
1. Calls WriteFile
Kernel32.DLL WriteFile
2. Calls NtWriteFile
NTDLL.DLL NtWriteFile
3. Issues a SYSENTER
instruction
NtosKrnl.exe KiSystemService
SSDT
0x84c0780
NtosKrnl.exe NtWriteFile
4. Looks up requested
service in the System
Service Descriptor Table
(SSDT)
User mode
Kernel mode
The SSDT is a table of
function pointers
6. Perform a write
7. Return to user mode caller
Google Search
• Within Responder, an API can be searched through
using the Google™ Text Search, and Google™ Code
Search features.
MSDN API Lookup
• Windows API functions found in Responder can be
quickly located in the Microsoft Developer’s Network
(MSDN) website using the Google™ Text Search
feature.
MSDN Description
• The MSDN Library
includes how-to and
reference
documentation, sample
code and technical
articles for Microsoft
developer technologies
and products.
http://msdn.microsoft.com
Quiz
1. The Windows API allows which mode access to system
resources?
a) User-mode
b) Kernel-mode
2. The kernel32.dll API provides access to what?
a) System resources
b) Output to monitor
c) Opening and saving files
Module 9
DIRECTORIES, FILES AND
DOWNLOADS
Why Installation and Deployment (I&D)
factors matter
Knowing how it installs can help in:
• Designing a cleanup script
• Scanning for other infected machines
• Detecting variants of the same malware
Objects of Interest
•
•
•
•
•
•
•
Files, file extensions, paths
.INI files
Find/Next type loops, wildcards (for example, *.*)
Command line parameters
Registry keys
TEMP directory
Checking for mutexes
– Sometimes used so they do not infect twice
Directory and File Creation
• Starts with these strings and symbols:
– CreateDirectory
– ExpandEnvironmentStrings
• %ProgramFiles%
• %SystemRoot%
– File extensions
• .exe
• .dll
• .sys
•
•
•
•
•
•
•
•
•
•
•
•
Starting points for Directory and File
Creation
CreateDirectory
GetSystemDirectory
CreateFile
DeleteFile
CopyFile
OpenFile
ExpandEnvironmentStrings
%PROGRAM FILES%
%SYSTEMROOT%
C:\
.EXE
*.*
•
•
•
•
•
•
•
•
•
•
•
•
•
\\ (double backslash)
MoveFile
\\TEMP
WINDOWS
SYSTEM32
cmd /c del
del %s
GetTempPath
.DLL
.SYS
.INI
.INF
.BAT
Directory Creation Commands
•
•
•
•
•
CreateDirectory, CreateDirectoryEx
mkdir, wmkdir, _tmkdir
_creat
system(mkdir …)
system(md …)
Environment Variables
• ExpandEnvironmentString
• GetEnvironmentVariable
• getenv, putenv
Common environment variables
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
%ALLUSERSPROFILE%
%APPDATA%
%COMPUTERNAME%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PATH%
%PATHEXT%
%PROGRAMFILES%
%PROMPT%
%SYSTEMDRIVE%
%SYSTEMROOT%
%TEMP% and %TMP%
%USERNAME%
%USERPROFILE%
%WINDIR%
%DATE%
%TIME%
%CD%
%ERRORLEVEL%
%RANDOM%
C:\Documents and Settings\All Users
C:\Documents and Settings\{username}\Application Data
{computername}
C:\Windows\System32\cmd.exe
C:
\Documents and Settings\{username}
C:\Windows\System32\;C:\Windows\;C:\Windows\System32\Wbem
.COM; .EXE; .BAT; .CMD; .VBS; .VBE; .JS ; .WSF; .WSH
Directory containing program files, usually C:\Program Files
Code for current command prompt format. Code is usually $P$G
The drive containing the Windows XP root directory, usually C:
The Windows XP root directory, usually C:\Windows
C:\DOCUME~1\{username}\LOCALS~1\Temp
{username}
C:\Documents and Settings\{username}
C:\Windows
Current date in the format determined by the Date command
Current time in the format determined by the Time command
Current directory with its full path
Number defining exit status of a previous command or program
Random number between 0 and 32767
Special Folder Locations
•
•
•
•
•
•
•
SHGetSpecialFolderLocation
CSIDL_ADMINTOOLS (FOLDERID_AdminTools) – The file system directory that is used
to store administrative tools for an individual user.
CSIDL_ALTSTARTUP (FOLDERID_Startup) – The file system directory that corresponds
to the user's nonlocalized Startup program group.
CSIDL_APPDATA (FOLDERID_RoamingAppData) – C:\Documents and
Settings\username\Application Data.
CSIDL_BITBUCKET (FOLDERID_RecycleBinFolder) – The virtual folder that contains the
objects in the user's Recycle Bin.
CSIDL_CDBURN_AREA (FOLDERID_CDBurning) – C:\Documents and
Settings\username\Local Settings\Application Data\Microsoft\CD Burning.
Use MSDN to lookup all the possible values, there is a long list…
Shell32 API
•
•
•
•
SHELL32.DLL
SHGetPathFromIDList
SHBrowseForFolder
SHGetSpecialFolderLocation
Internet Downloads
• The WININET.DLL API
–
–
–
–
InternetOpenFile
InternetReadFile
InternetOpenURL
InternetConnect
• winsock API
–
–
–
–
socket
WSASocket
connect
WSAConnect
• Addresses, URL, and web
requests
–
–
–
–
–
http://
www
.com
HTTP/1.0
Content-Type
Malware Boot Registry Keys
• Registry API
– RegCreateKey
– RegOpenKey
• Try searching…
– CurrentControlSet
– CurrentVersion
– SOFTWARE (all caps)
• Common registry keys to survive reboot
–
–
–
–
–
–
–
–
HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}
Lab Exercise 5
Focus: Canvas Tab
Livebin: Parishilton.exe
Description: Students will familiarize
themselves with the features
and functions of the Canvas Tab
Time: 15 minutes
Lab Exercise 6
Focus: Directories, Files and
Downloads
Livebin: inhold_toolbar.1.mapped
Description: Use graphing techniques to
quickly isolate installation
behavior of inhold.toolbar
Time: 25 minutes
Module 10
REGISTRY KEYS
Registry Key Creation
• Start with these:
–
–
–
–
–
–
Search symbols for “reg”
RegOpenKey
RegCreateKey
“CurrentControlSet”
“CurrentVersion”
“SOFTWARE” (all caps)
Starting points for Registry
Modification
•
•
•
•
•
•
•
•
RegCreateKey
RegOpenKey
.REG
regedit
RegCloseKey
CreateService
DeleteService
OpenSCManager
•
•
•
•
•
•
•
ServiceMain
ServiceDll
StartService
CurrentControlSet
SOFTWARE
\\ (double backslash)
CurrentVersion
Malware Boot Registry Keys
• Massive numbers of registry keys (too numerous to list
here)
– See Autoruns
– See MAP Plug-in
The Run Keys
• HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explore
r\Run
• HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explore
r\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
• HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
User Init
• HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
• The above key takes a comma delimited list of
programs to execute. Malware may install additional
programs, or even replace the existing userinit.exe with
a trojan version. The normal location for userinit.exe
will be something like
C:\WINDOWS\system32\userinit.exe (the windows
install directory will be system specific). Any strange
looking path or additional executables should be
examined in detail.
Services Creation
• Creating a service via API calls simply creates registry
keys under the hood
– CreateService
• One alternative way to load a device driver is the
SystemLoadAndCallImage method
– ZwSetSystemInformation api call
Services Registry Key
• HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}
• For any given service, there may be a value called
ImagePath that indicates the path to the file that
implements the service. If the file in question ends in .sys,
there is a good chance that it’s a kernel mode driver. To be
sure, check the type value:
– 1: Kernel mode driver
– 2: File system driver
– 4: Adapter Arguments
– 8: File system service
– 16: Win32 program that runs as it's own process
– 32: Win32 program that shares a process w/ other services
(think services.exe)
Services Start Value
• The start value can tell you when the service is started:
–
–
–
–
0: Boot, very early during startup
1: System, after Boot, but still while booting Windows
2: Automatic, after System, but still while booting Windows
3: Manual, doesn't run unless the user or another program
starts it
– 4: Disabled
Lab Exercise 7
Focus Registry Keys
Type Beizhu_2.vmem
Description Use graphing techniques to
quickly isolate the temporary
path used with runonce key
Time 25 minutes
Module 11
RECONSTRUCTING FORMAT
STRINGS OPERATIONS
Format strings
• Format strings are important to understand because
you will encounter them so often.
• What are they?
Basic format strings
•
•
•
•
•
•
•
•
%s – a string (also %S)
%c – a character
%d – a number (also %i)
%x – a number in hex (also %02x, %08X, etc)
%f – a number in float
%l – a number (long) (also %ul)
%% - a percent character
There are many variants of the above
Functions that use format strings
Function
Format String
printf
%s
sprintf
%c
fprintf
%f
snprintf
%i
swprintf
%d
wsprintf
%l
vsprintf
%lu
… variants of the above …
…etc…
Path Creation
GetSystemDirectory
• Target: CreateRemoteThread livebin
– Is used to place files in the windows/system32 directory
– If, within a subroutine, grow up to see what kind of
arguments are passed in
• Construction of a string under the Services key
means this file could be registered as a service.
• Target: CreateRemoteThread livebin
Search registry for this
• Creates a directory in the Program Files directory.
• Target: inhold toolbar
Call setup
4
2
3
1
The arguments to a format
string are almost always
pushed directly before the
format string in disassembly
(reverse order)
1 2 3 4
Batch Files
• %1, %2, %3, etc…
• Used to indicate arguments passed to a batch file
• Look for .bat extension in strings
Using format strings as hints
• It is very likely that esi+4 stores a pointer to the
nickname used in IRC channel
Lab Exercise 8
Focus Reconstructing Format
String Operations
Type VIRUS.vmem
Description Use graphing techniques to
quickly isolate the Installation
and Deployment Factors
associated with both a memory
image, and a packed piece of
malware.
Time 25 minutes
Module 12
DROPPERS &
MULTI-STAGE EXECUTION
What is a Dropper?
• Malware is delivered in steps
– Dropper is initial downloaded package
– Can be a Trojan or embedded exploit
• The dropper carries the malware in a payload
• Once dropped, the dropper decompresses and
executes a secondary payload
Steps in Malware Deployment
Dropper
Embedded
Resource
Embedded Resource
Decompressed to
Disk
Embedded Resource
is Launched as an
EXE
Multi-Stage Execution
• Child Process Spawning
– CreateProcess
– ShellExecute
• Creating Files
– WriteFile
– CopyFile
Launching External Processes
• Typical APIs used to launch processes
– RunDLL32.exe
– Shell32.dll
– Control_RunDLL
• Can be used to run a shell script
– Command line shows the path to the file on disk
Starting points for Process Creation
•
•
•
•
•
CreateProcess
Rundll32.exe
cmd.exe
cmd /c
command.com /c %s
•
•
•
•
•
•
•
•
ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
execve
system
Cleanup using BAT files
•
•
•
•
•
•
@echo off
:%s
del %%1
if exist %%1
goto %s
rem %s"
Lab Exercise 9
Focus Droppers & Multi-stage
Execution
Type inhold_toolbar.1.mapped.livebin
Description Recover ShellExecute
arguments used within inhold
toolbar
Time 25 minutes
Multi-Stage Execution
• Resource Extraction
– OpenResource
• Use of temporary directory
– GetTempDirectory
• Consult execution history in Flypaper
Resource Extraction
Starting points for Resource
Extraction
Possible embedded kernel
drivers
• FindResource
• SizeOfResource
•
•
•
•
•
•
•
•
•
•
•
PsCreateSystemThread
\\DosDevices
.sys
drivers
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCreateDevice
IoDeleteDevice
KeInitialize
SpinLock
ObReferenceObjectByHandle
Child Processes
• All of the child processes
are available in the
memory snapshot.
Examine them all and
compare them to one
another.
Loaded Modules
• Note how the copy of
the process has more
loaded modules
Compare Copies
• Compare the secondary execution against the first one
– Different number of loaded modules
– The one with more modules implies that it has progressed
farther in the execution lifetime
• Compare strings and symbols of both copies
– There may be additional unpacking in the secondary copy
Unpacked Modules
RunDLL32
• Executes a subroutine exported from a DLL
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
Example:
RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0
void CALLBACK EntryPoint(
HWND hwnd,
HINSTANCE hinst,
LPSTR lpszCmdLine,
int nCmdShow);
Module 13
KEYLOGGING, PASSWORDS AND
DATA THEFT
Information Security Factors
• Goal: Rapidly identify if the malware can steal
information
–
–
–
–
Passwords
Keystrokes
Login credentials
Intellectual property/secrets
What is Being Stolen?
•
•
•
•
File scans
Keystrokes
Usernames and passwords
Screen shots / screen scraping
Recently Used Passwords
• Common Targets
–
–
–
–
GUIDs for Saved Passwords
Outlook
Internet Explorer
Pstore.dll
File Searching
• Used for a variety of reasons
–
–
–
–
–
Locate intellectual property
Locate password files
Search out DLL’s and executables
Find files to infect
Cleanup temporary files after installation
File Searching
• Typical API Calls
– FindFirst( )
– FindNext( )
• Strings
– Wildcards
– File Extensions
Target: soysauce
View Code
Keystroke Logging
•
•
•
•
•
Windows Message Hooking
Polling
Interrupt Hooking
IRP hooking
8042 Keyboard Controller
– Port 60, 64
Lab Exercise 10
Focus Keylogging, Passwords and
Data Theft
Type keylogger.1.mapped.livebin
Description How is the malware sniffing
keystrokes?
Time 25 minutes
Lab Exercise 11
Focus Keylogging, Passwords and
Data Theft
Type FindFile.1.mapped.livebin
Description What DLL naming scheme is
being used by the malware?
Time 25 minutes
Module 14
SHELL EXTENSIONS
The Shell
• Malware can install one or more DLLs on the system
that are tied into your shell, menus, mouseclicks,
actions, browsing – almost anything you can imagine
Starting Points for Detecting Shell
Injection
•
•
•
•
•
•
•
Shell
ShellEx
Classes\Folder
Classes\CSLID
InProcServer32
shell\open
shell\open\command
•
•
•
•
exefile
batfile
comfile
ddeexec
Shell Column Handlers
• HKCR\Software\Classes\Folder\Shellex\ColumnHandler
s\{GUID}
• To find the actual program that is handling the column
extension, locate the GUID elsewhere in the registry. It
will likely be located under the Classes folder:
– HKLM\SOFTWARE\Classes\CLSID\{GUID}
• Check the InProcServer32 subkey to find a path to the
DLL that is implementing the column extension.
Shell Open Commands (1 of 2)
• Malware can register itself as the handler for certain file
extension types, controlled from the HKEY_CLASSES_ROOT
(HKCR) folder and the HKLM\Software\Classes folder.
There are many file extension types under these folders,
but the following are well known hook points for malware:
–
–
–
–
–
–
HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKLM\Software\Classes\batfile\shell\open\command
HKLM\Software\Classes\comfile\shell\open\command
HKLM\Software\Classes\exefile\shell\open\command
Shell Open Commands (2 of 2)
• The default value for the command key should be "%1"
%*, but malware can modify the entry to contain
something like “malware.exe” “%1” %*, causing the
malware program to execute if someone double-click
launches one of the infected file extensions.
Command and DDE Exec
• HKCU\Software\Classes\<some registered
extension/path>\shell\<path>\ddeexec\
• These keys have the same problems as described above
for Shell Open Commands. In addition, you may notice
a neighboring command key, which can also be altered
or infected by malware.
• HKCU\Software\Classes\<some registered
extension/path>\shell\<path>\command\
Module 15
BROWSER EXTENSIONS
The Browser
• Malware can install one or more DLL’s that are tied into
your browser, browsing events, keylogging, user
interface, and more
•
•
•
•
•
•
•
•
•
•
•
•
•
Starting points for detecting Browser
Injection
\Internet Explorer
\Extensions
\Explorer Bars
\Script
\Exec
\Browser Helper Objects
InprocServer32
URLSearchHook
Implemented Categories\
{00021494-0000-0000-C000-000000000046}
{00021493-0000-0000-C000-000000000046}
{4D5C8C2A-D075-11d0-B416-00C04FB90376}
InitPropertyBag\Url
Browser Extensions (1 of 2)
• This includes adding menus and shortcuts, additional
toolbars, explorer bars, and browser helper objects. A
simple way to add an additional menu item or button is
to register a GUID under the following key:
– HKCU\Software\Microsoft\Internet
Explorer\Extensions\{GUID}
– HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}
Browser Extensions (2 of 2)
• You may also find subkeys that path to an executable or
script:
– HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}\Script
– HKLM\Software\Microsoft\Internet
Explorer\Extensions\{GUID}\Exec
• The values stored under these keys may lead you to a
program that implements whatever command is
indicated by the menu item or button.
Browser Helper Objects (1 of 2)
• The term BHO is used loosely in the security
community, and commonly describes any malware that
extends the browser – even if the malware is not
specifically a BHO. Just remember that a BHO is just
one of many ways malware can inject into the browser.
• A BHO is registered by adding a GUID to the following
registry key:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo
rer
– \Browser Helper Objects\{GUID}
Browser Helper Objects (2 of 2)
• Similar to all the other GUID based extensions, the
GUID can be looked up elsewhere in the registry to
determine which DLL handles it. It is likely to be found
in HKCR\CLSID\{GUID}
• And, as usual, the InprocServer32 key reveals which DLL
is used to implement the BHO.
Lab Exercise 12
Focus Incident Response
Type Infected machine
Description Search for indications of
compromise on a VMware
image
Time 30 minutes
Module 16
DLL AND THREAD INJECTION
Process Enumeration
• For any process to write to another process, it needs a
handle to the target
– To get a handle to a process, the process must be located
from the list of all processes
• Process enumeration primarily occurs using
– ToolHelp API
– NtQuerySystemInformation( )
• Undocumented API
DLL & Thread Injection
• Look for ToolHelp library usage
– This will be used to enumerate running processes when
finding one to inject into
• Look for CreateRemoteThread
– This is used to inject the code that will load the injected DLL
• Look for EnableDebug or AdjustPriv
– The process will need certain access rights to be able to
perform the injection
DLL Injection
• Injected DLLs stand out clearly if they use:
– Non-standard paths
– Unusual or odd-sounding names
DLLs in Responder
Strings ending in .dll
All modules
Remote Threads
• A remote thread is created in a second process, not
part of the first process
• A remote thread is typically used to inject a DLL into
another process, but not always
• A remote thread can also operate without a DLL
injection
– This is a more advanced technique
Clear indication of process injection
Page Protections
• In order to inject against another process, memory
protections will need to be unlocked
– This is done via the VirtualQuery API
• Use Google™ Text Search to get the API arguments
Starting points for DLL and Thread
Injection
•
•
•
•
•
•
•
CreateRemoteThread
OpenProcess
VirtualAlloc
WriteProcessMemory
WaitForSingleObject
explorer.exe
SeDebugPrivilege
• CreateToolhelp32Snaps
hot
• CreateEvent
• Process32First
• Process32Next
• Module32First
• Module32Next
Lab Exercise 13
Focus DLL & Thread Injection
Type DLL & Thread Injection
Description What is being injected into the
remote process?
Time 25 minutes