Going gets tough A tale of encounters with
- Slides: 58
Going gets tough A tale of encounters with novel evasive malware Marta Janus Malware Researcher
# whoami • • reverse engineering adept & enthusiast malware researcher @ KL since 2009 linux user since 2006 baldur’s gate player since 1999
Are rootkits on decline?
Tough times for rootkits • kernel-space no longer safe for malware • bootkits easily detected • hypervisor-level stealth too complex Ø shift in malware strategy
Hiding vs. evasion the goals • hide bypass from detection admin? • protect C&C infrastructure • protect the payload
Case 1: Baldur "When the going gets tough, someone hold my rodent!"
# Trojan. Win 32. Baldur • • set of classical anti-vm / anti-dbg checks heavily based on a 0 rtega`s pafish overly exciting? not really, but. . . a textbook case : )
# classic_checks
# environmental_checks Win. Spy? MBAM ? ? ? ?
# environmental_checks
# drive_size_check
# game_over
Case 2: CVE-0158 & Gimemo "Evil 'round every corner. Careful not to step in any. "
# armed-to-the-teeth http: //www. securelist. com/en/analysis/204792298/ The_curious_case_of_a_CVE_2012_0158_exploit • multilayered OLE objects, lots of obfuscation • multi-stage shellcode: ~ ~ stage_1: stage_2: stage_3: stage_4: ROP chain decryptor of stage_3 egg-hunter dropper
# execute_payload
# payload: decrypt_loader
# skip_all_checks
# trigger_exception
# dummy_code
# seh_routine
# anti_hook, anti_bp
# anti_hook, anti_bp
# anti_hook, anti_bp: trampoline
# the dropper & the bot
Case 3: PSW & more SEH "No effect? ! I need a bigger sword!"
# Trojan-PSW. Win 32. Multi • also spread via hardened CVE-0158 exploit • also lots of anti-* techniques • code flow of the loader fully based on exception handling blocks • payload saved as a registry value • overwrites fxsst. dll to assure persistance
# malware_main; seh chain
# exception_1
# exception_handler
# dormant_phase
# check_trend_micro
# exception_4
# decrypt_inject
Case 4: hardened Zeus "Fool me once, shame on you; fool me twice, watch it! I'm huge!"
# Trojan. Win 32. Zbot • • samples from period of March – May 2014 use of windows messaging system use of SEH multiple downloaders ~ each with the same set of anti-* techniques
# load_cursor
# process_wndmsg
# seh_anti_debug
# seh_anti_debug
# enum_windows
Case 5: even more hardened Zeus "Boo says "WHAT? "
# Zeu. S p 2 p aka Game Over • works only on Windows 7 • anti-emulation based on default values in the CPU registers • drops Necurs rootkit (!) • bypasses driver signing via setting TESTSIGNING option in BCEDIT
# init_dialog
# obfuscated_win 7_check
# obfuscated_win 7_check
# call_malware_main; step_17
Novel malware architecture the goals the aid • bypass detection Ø anti-emu, anti-heur • protect C&C infrastructure Ø multiple downloaders, waterholed websites • protect the payload Ø anti-re, anti-dbg, anti-vm, encryption, obfuscation, etc. . .
• packed, layered encryption, lots of anti-* loader • injects and executes the dropper code • some encryption, some anti-* dropper • decrypts and executes the downloader/bot code bot • small & simple, shellcode-like • used only to get/decrypt/run the payload(s) • downloaded from water-holed websites / pushed by C 2 payload • not stored on the disk, short-lived, controlled by C 2
Known evasion techniques • time or condition based triggers: ~ specified timeframes ~ specified settings ~ specified system events (e. g. reboot, mouse click, etc. ) • environmental checks: ~ files on disk, running processes, loaded DLLs, opened windows, mutexes, devices, registry settings. . . . • checking initial values in CPU registers at EP ~ fingerprinting the OS
Known evasion techniques • overrunning sandbox/emulator: ~ ~ dromant phase (e. g. sleep loops) junk instructions, slower inside VMs (MMX, FPU, etc. ) benign code (legitimate looking syscalls) stalling code (without the use of syscalls) • using window messaging, apc procedures, etc. • using chained Exception Handling mechanisms
Countermeasures Ø Ø stealth analysis leave no artifacts full emulation trace all instructions full exploration follow multiple execution paths bypass stalling loops detect & skip passive code
Thank You! marta. janus [at] kaspersky. com @mvjanus "We are all heroes: You and Boo and I"
- Lve
- Going through hell
- Folk character
- Christ encounters
- Traditions and encounters chapter 20
- Critical lenses english
- Chapter 5 political transformations empires and encounters
- Chapter 18 colonial encounters in asia and africa
- Encounters and foundations to 1800
- Transcontinent
- Colonial encounters in asia africa and oceania
- Chapter 23 transoceanic encounters and global connections
- Close encounters challenges
- Encounters and foundations to 1800
- Transoceanic encounters and global connections
- Transoceanic encounters and global connections
- Module 10 expansion exploration and encounters
- Chapter 22 transoceanic encounters and global connections
- Political transformations empires and encounters
- Foundations and encounters early american literature
- Transatlantic encounters in history of education download
- Chapter 22 transoceanic encounters and global connections
- Tough outer covering of bone
- Thick clear jelly that helps give the eyeball its shape
- The outsiders signposts
- Americanization is tough on macho
- What is a signpost in reading
- Pre molded nails shaped from a tough polymer
- Tough background
- Pronunciation poem i take it you already know
- Much to everyone's dislike the outspoken
- Signposts ela
- Notice and note tough questions
- Cmmi risk management
- Im strong and stiff getting through me is tough
- Notice and note anchor charts
- Strcpy adalah
- Thomas feeds his dog.
- Every system is designed to get the results it gets
- Difference between shift and rotate instructions
- Affirmative simple present tense example
- Waitress gets $4 000 tip
- A boy on a bicycle drags a wagon
- Are all first level consumers carnivores
- Quizlet
- The atlantic ocean gets about 3-5 ______ wider each year.
- The sluggard craves and gets nothing
- Social clicks
- What gets oxidized in photosynthesis
- Molly was ecstatic when she learned her family
- What are redox reactions examples
- Javelin judge
- Tcp_ip_abort_interval
- Csi-321 introduction to computing applications
- Corneal dystrophy mnemonic
- Curious george gets a talker
- Super turkey health
- Gets its energy from eating living things
- A 640 n hunter gets a rope