Going gets tough A tale of encounters with

























































![Thank You! marta. janus [at] kaspersky. com @mvjanus "We are all heroes: You and Thank You! marta. janus [at] kaspersky. com @mvjanus "We are all heroes: You and](https://slidetodoc.com/presentation_image_h/c61ff3d2988516faafb61415e1b1180d/image-58.jpg)
- Slides: 58

Going gets tough A tale of encounters with novel evasive malware Marta Janus Malware Researcher

# whoami • • reverse engineering adept & enthusiast malware researcher @ KL since 2009 linux user since 2006 baldur’s gate player since 1999

Are rootkits on decline?



Tough times for rootkits • kernel-space no longer safe for malware • bootkits easily detected • hypervisor-level stealth too complex Ø shift in malware strategy

Hiding vs. evasion the goals • hide bypass from detection admin? • protect C&C infrastructure • protect the payload

Case 1: Baldur "When the going gets tough, someone hold my rodent!"

# Trojan. Win 32. Baldur • • set of classical anti-vm / anti-dbg checks heavily based on a 0 rtega`s pafish overly exciting? not really, but. . . a textbook case : )

# classic_checks

# environmental_checks Win. Spy? MBAM ? ? ? ?

# environmental_checks

# drive_size_check

# game_over

Case 2: CVE-0158 & Gimemo "Evil 'round every corner. Careful not to step in any. "

# armed-to-the-teeth http: //www. securelist. com/en/analysis/204792298/ The_curious_case_of_a_CVE_2012_0158_exploit • multilayered OLE objects, lots of obfuscation • multi-stage shellcode: ~ ~ stage_1: stage_2: stage_3: stage_4: ROP chain decryptor of stage_3 egg-hunter dropper




# execute_payload

# payload: decrypt_loader

# skip_all_checks

# trigger_exception

# dummy_code

# seh_routine

# anti_hook, anti_bp

# anti_hook, anti_bp

# anti_hook, anti_bp: trampoline

# the dropper & the bot

Case 3: PSW & more SEH "No effect? ! I need a bigger sword!"

# Trojan-PSW. Win 32. Multi • also spread via hardened CVE-0158 exploit • also lots of anti-* techniques • code flow of the loader fully based on exception handling blocks • payload saved as a registry value • overwrites fxsst. dll to assure persistance

# malware_main; seh chain

# exception_1

# exception_handler

# dormant_phase

# check_trend_micro

# exception_4

# decrypt_inject

Case 4: hardened Zeus "Fool me once, shame on you; fool me twice, watch it! I'm huge!"

# Trojan. Win 32. Zbot • • samples from period of March – May 2014 use of windows messaging system use of SEH multiple downloaders ~ each with the same set of anti-* techniques

# load_cursor

# process_wndmsg

# seh_anti_debug

# seh_anti_debug

# enum_windows

Case 5: even more hardened Zeus "Boo says "WHAT? "

# Zeu. S p 2 p aka Game Over • works only on Windows 7 • anti-emulation based on default values in the CPU registers • drops Necurs rootkit (!) • bypasses driver signing via setting TESTSIGNING option in BCEDIT


# init_dialog

# obfuscated_win 7_check

# obfuscated_win 7_check

# call_malware_main; step_17

Novel malware architecture the goals the aid • bypass detection Ø anti-emu, anti-heur • protect C&C infrastructure Ø multiple downloaders, waterholed websites • protect the payload Ø anti-re, anti-dbg, anti-vm, encryption, obfuscation, etc. . .

• packed, layered encryption, lots of anti-* loader • injects and executes the dropper code • some encryption, some anti-* dropper • decrypts and executes the downloader/bot code bot • small & simple, shellcode-like • used only to get/decrypt/run the payload(s) • downloaded from water-holed websites / pushed by C 2 payload • not stored on the disk, short-lived, controlled by C 2

Known evasion techniques • time or condition based triggers: ~ specified timeframes ~ specified settings ~ specified system events (e. g. reboot, mouse click, etc. ) • environmental checks: ~ files on disk, running processes, loaded DLLs, opened windows, mutexes, devices, registry settings. . . . • checking initial values in CPU registers at EP ~ fingerprinting the OS

Known evasion techniques • overrunning sandbox/emulator: ~ ~ dromant phase (e. g. sleep loops) junk instructions, slower inside VMs (MMX, FPU, etc. ) benign code (legitimate looking syscalls) stalling code (without the use of syscalls) • using window messaging, apc procedures, etc. • using chained Exception Handling mechanisms

Countermeasures Ø Ø stealth analysis leave no artifacts full emulation trace all instructions full exploration follow multiple execution paths bypass stalling loops detect & skip passive code
![Thank You marta janus at kaspersky com mvjanus We are all heroes You and Thank You! marta. janus [at] kaspersky. com @mvjanus "We are all heroes: You and](https://slidetodoc.com/presentation_image_h/c61ff3d2988516faafb61415e1b1180d/image-58.jpg)
Thank You! marta. janus [at] kaspersky. com @mvjanus "We are all heroes: You and Boo and I"
Lve
Going through hell
Folk character
Christ encounters
Traditions and encounters chapter 20
Critical lenses english
Chapter 5 political transformations empires and encounters
Chapter 18 colonial encounters in asia and africa
Encounters and foundations to 1800
Transcontinent
Colonial encounters in asia africa and oceania
Chapter 23 transoceanic encounters and global connections
Close encounters challenges
Encounters and foundations to 1800
Transoceanic encounters and global connections
Transoceanic encounters and global connections
Module 10 expansion exploration and encounters
Chapter 22 transoceanic encounters and global connections
Political transformations empires and encounters
Foundations and encounters early american literature
Transatlantic encounters in history of education download
Chapter 22 transoceanic encounters and global connections
Tough outer covering of bone
Thick clear jelly that helps give the eyeball its shape
The outsiders signposts
Americanization is tough on macho
What is a signpost in reading
Pre molded nails shaped from a tough polymer
Tough background
Pronunciation poem i take it you already know
Much to everyone's dislike the outspoken
Signposts ela
Notice and note tough questions
Cmmi risk management
Im strong and stiff getting through me is tough
Notice and note anchor charts
Strcpy adalah
Thomas feeds his dog.
Every system is designed to get the results it gets
Difference between shift and rotate instructions
Affirmative simple present tense example
Waitress gets $4 000 tip
A boy on a bicycle drags a wagon
Are all first level consumers carnivores
Quizlet
The atlantic ocean gets about 3-5 ______ wider each year.
The sluggard craves and gets nothing
Social clicks
What gets oxidized in photosynthesis
Molly was ecstatic when she learned her family
What are redox reactions examples
Javelin judge
Tcp_ip_abort_interval
Csi-321 introduction to computing applications
Corneal dystrophy mnemonic
Curious george gets a talker
Super turkey health
Gets its energy from eating living things
A 640 n hunter gets a rope