1 Introduction and Landscape

by Marion Marschalek, 25 March 2014


Malware: Analysis and Defence Strategies
presented by IKARUS Security Software GmbH
Jürgen Eckel
Florian Nentwich
Marion Marschalek
- Austrian IT security company
- headquartered in Vienna
- founded in 1986
- currently about 50 employees
- management: Joe Pichlmayer, Sonja Fink and David Grabenweger
- focus areas: software development, security research
1. Introduction Malware Analysis
1.0 Class Overview
Exam Modalities, etc.
1.1 Malware Landscape
1.2 Windows Internals
1.3 Practical Approaches
2. Code Analysis: Debugging & Function Analysis
2.0 Assembly vs. Source Code
2.1 Dynamic & Static Analysis in Context
3. Internal Modules & Malware Self Defence
3.0 Internal Modules
3.1 Anti-Debugging and Anti-Disassembly
3.2 Packers
3.3 Web- and Document Analysis
Overview
Exam Modalities
Why Malware Analysis?
Neverending Story...
Malware Evolution
Hoax => Destruction => Profit => ... Politics?

Countermeasures against static detection
Encryption and run-time packing
Code obfuscation
Polymorphic and metamorphic transformation
Pattern Matching

Virus Database
Signature vs. CRC-32
"Weapons of Match Destruction"
IKARUS VDB size in bytes since 05/2006 (chart)
Malware Basics
... infiltrate the system
... mostly in userland
... capture input and steal data
... provide remote access
... load more malware
... encrypt/lock resources and demand ransom
...
file infector: embeds itself in a host file, typically an .exe

polymorphic: the payload morphs itself every time a new host file is infected

server-side polymorphism: a remote server performs the morphing of the code; the payload doesn't contain any encryption engine
Trojans & Multifunctional Malware
File Infectors & Polymorphic Malware
Worms
CreateFileA("\\\\.\\RealHardDisk0", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0x0, 0x0)
Rootkits & Bootkits
...
JavaScript: the most popular client-side scripting language today, implemented in virtually every browser without the need for third-party plug-ins or additional software ...
Java
PDF
Flash
Trojans...
Files dropped into the user profile:
..\User\AppData\pictures
..\User\AppData\schedule.docx
..\User\AppData\svchost.exe
..\User\AppData\blubb.gif
Startup key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value: ..\User\AppData\svchost.exe
-> runs the trojan on startup!
svchost.exe listens on port 80 for communication with the command & control server:
GET malicious.exe
POST userdata.db
...
Typical life cycle:
execute malware
copy to user directory
start dropped .exe
delete original .exe
add startup key to registry
resolve C&C address
contact C&C
capture user input
send spam
download other .exe
wait for instructions
.. be malicious ..
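The startup-key trick above (a look-alike svchost.exe in AppData registered under the Run key) is something a defender can check for mechanically. The following Python is an added example, not from the presentation: it scans a constructed list of Run values and flags images that live in user-writable directories or borrow a Windows system binary's name outside the system directory.

```python
import ntpath
import re

# Process names malware likes to borrow; legitimate copies live in the system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# Directories an unprivileged user can write to; a Run entry pointing here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\documents and settings\\")

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run values
# as (name, data) pairs; not taken from a real system.
RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("svchost", r"C:\Users\User\AppData\Roaming\svchost.exe"),
]

def image_path(value):
    """Return the executable path of a Run value, stripping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)", value, re.IGNORECASE)
    return match.group(1) if match else value.split()[0]

def assess_run_entry(value):
    """Return the reasons a Run value looks suspicious (empty list if none)."""
    path = ntpath.normpath(image_path(value)).lower()
    base = ntpath.basename(path)
    reasons = []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    if base in SYSTEM_NAMES and not any(path.startswith(d + "\\") for d in SYSTEM_DIRS):
        reasons.append(f"{base} masquerades as a Windows system binary outside the system directory")
    return reasons

def scan_run_entries(entries):
    """Map each suspicious value name to the reasons it was flagged."""
    return {name: r for name, value in entries if (r := assess_run_entry(value))}

if __name__ == "__main__":
    for name, reasons in scan_run_entries(RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```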
Backdoor.Win32.Androm
Trojan.Win32.Zeus
Virus.Win32.Virut
Virus.Win32.Sality
Worm.Win32.Allaple
Worm.Win32.Conficker
HowTo: .exe modification for file infectors
notepad.exe vs. notepad(2).exe: direct entry point modification
start ..\Desktop\virut.exe
infect ..
..\system32\notepad.exe
..\system32\control.exe
..\system32\sdclt.exe
.. wait for other processes to start ..
.. infector started ..
copy payload to section object
Definition, section object: the Win32 subsystem calls it a file mapping object; it represents a block of memory that two or more processes can share.
map object to active process
File mapping is the association of a file's contents with a portion of the virtual address space of a process.
hook some API functions from ntdll.dll:
NtOpenFile
NtCreateFile
NtCreateProcess
NtCreateProcessEx
Every time someone creates a process or opens an executable file, that file will be infected by the virus.
Virut Case Study
C&C: IRC connection and download capabilities
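As an added example (not from the presentation), the following Python parses the PE headers of a constructed minimal image and applies three heuristics for an entry point that a file infector like Virut has redirected: the entry point lies in a non-code section, in a writable section, or in the last section of the file. build_pe and the section layouts are constructed test inputs, not real binaries.

```python
import struct

CODE, EXEC, READ, WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_* flags
CODE_RX, DATA_RW = CODE | EXEC | READ, 0x40 | READ | WRITE           # 0x40 = initialized data
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_point, sections):
    """Minimal PE32 header; constructed test input, not a real binary. sections: (name, va, size, flags)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # SizeOfOptionalHeader=224
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_point).ljust(224, b"\0")
    table = b"".join(struct.pack(SECTION_FMT, n, s, va, s, 0, 0, 0, 0, 0, f) for n, va, s, f in sections)
    return dos + b"PE\0\0" + coff + opt + table

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, size, flags), ...]) from the headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]  # optional header offset 16
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return entry, sections

def entry_point_findings(data):
    """Heuristics for an entry point a file infector (e.g. Virut) has redirected."""
    entry, sections = parse_pe(data)
    hits = [i for i, (_, va, size, _) in enumerate(sections) if va <= entry < va + size]
    if not hits:
        return [f"entry point 0x{entry:x} lies outside every section"]
    idx = hits[0]
    name, _, _, flags = sections[idx]
    findings = []
    if not flags & (CODE | EXEC):
        findings.append(f"entry point in non-code section {name}")
    if flags & WRITE:
        findings.append(f"entry section {name} is writable (self-decrypting code?)")
    if idx == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in the last section {name} (appended code?)")
    return findings

# Constructed layouts: a clean binary and one whose entry point was moved into an appended section.
CLEAN = build_pe(0x1234, [(b".text", 0x1000, 0x1000, CODE_RX), (b".data", 0x2000, 0x1000, DATA_RW)])
INFECTED = build_pe(0x3010, [(b".text", 0x1000, 0x1000, CODE_RX), (b".data", 0x2000, 0x1000, DATA_RW),
                             (b".extra", 0x3000, 0x800, CODE_RX | WRITE)])
```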
The persistence issue
... and old-school malware writing:
Self-spreading: via network, shares, e-mail, ...
Use of OS vulnerabilities & social engineering
Conficker Case Study
Infection via
- exploitation of vulnerability MS08-067
- autorun.inf vulnerability via USB
- Windows admin shares, local & remote
MS08-067: MS Windows Server Service RPC handling
- advisory from 23 October 2008
- bug in function NetprPathCanonicalize
- modification of the path via "\.." is not checked correctly
- too many steps back at once trigger the exploit
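The bounds check that the page says was missing in NetprPathCanonicalize is the whole fix for this class of bug. The following Python is an added illustration, not Microsoft's code: canonicalize collapses "." and ".." components of a path and refuses one that steps above the root instead of counting past it; SAMPLES are constructed inputs.

```python
def canonicalize(path):
    """Collapse '.' and '..' components of an absolute, backslash-separated path.

    Illustration of the check the MS08-067 advisory describes as missing in
    NetprPathCanonicalize: a '..' that would step above the root is refused
    instead of silently underflowing. This is not Microsoft's implementation.
    """
    if not path.startswith("\\"):
        raise ValueError("expected an absolute path starting with a backslash")
    stack = []
    for part in path.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue                       # empty (double separator) or current directory
        if part == "..":
            if not stack:                  # the bounds check: too many steps back at once
                raise ValueError(f"path escapes the root: {path!r}")
            stack.pop()
        else:
            stack.append(part)
    return "\\" + "\\".join(stack)

# Constructed inputs; the one that walks above the root is rejected rather than canonicalized.
SAMPLES = [
    r"\share\docs\..\bin\tool.exe",
    r"\share\.\docs\\sub\..\file.txt",
    r"\share\..\..\..\etc",
]

def check_paths(paths):
    """Return (path, canonical form or rejection message) pairs for a batch of candidates."""
    out = []
    for p in paths:
        try:
            out.append((p, canonicalize(p)))
        except ValueError as exc:
            out.append((p, f"rejected: {exc}"))
    return out
```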
.. system infiltration ..
renaming | hiding | persistence
HTTP communication to one of many C&C servers
self-updating via the internet
* special gimmicks *
P2P communication & updating
digitally signed updates
blocking of DNS for AV/Microsoft/...
infiltration by system modification & kernel subversion
stealth as the key to success
user level & kernel space: process modification vs. kernel code modification
Bootkit: injection of code into the boot sector
injecting code into the MBR - reboot - download executable
.. zombiieeeee ..
ZAccess Case Study
ZAccess version 1: kernel-land rootkit
Version 2: user land only (because of UAC)
- chooses a random driver in systemroot\system32\drivers
- replaces the original driver with the malware module
- hijacks file system access to the original driver and redirects it to a hidden volume
- creates a new disk device object
- sets up a new encrypted hidden volume in the system's file system
- saves the original driver to the hidden volume
Why JavaScript?
get creative
- browser content modifications
- access to systems through AJAX
- down- & upload capabilities
- obfuscation, escaping, encryption
- iframes & redirects
- what not ....
.. hidden iframes ..
.. embedded exploits ..
.. obfuscated JavaScript ..
perfectly embeddable into HTML, PDF, Office files, gif, jpg, other script languages, ...
OS exploits vs. app exploits
numerous vulnerabilities, still to explore
response from software developers still too slow
portability - of documents and exploits
Exploit: a piece of software designed to take advantage of a known or unknown vulnerability in a dedicated application or system module, with the goal of privilege escalation or denial of service
Malware Infection and Spreading
Ways to infect a machine
Most common way to get infected, and the tools actually used:
0x88 [2.6, 3.0, +3 unknown versions]
Blackhole [1.0.2, 1.1.0]
Bleeding Life v2.0
Crimepack [3.1, 3.1.3, 3.1.3b]
Cry 217
Eleonore [1.1, 1.3.1, 1.4, 1.4.1, 1.4.4, 1.6]
El Fiesta [1.8, 2.0, 3.0, unknown versions]
Firepack [0.11, 0.18, +2 unknown versions]
MPack [081, 086, 091, 099, +2 unknown versions]
MultiSploit
MyPolySploits v1.0
MySploitsKit
Neon Exploit System
NeoSploit [2.0, 2.1]
Nu-CoderDecoder
Nuke $pl0its p4ck
Phoenix [2, 2.5]
RDS
Sava
Salopack
Siberia
SmartPack 1.1
Sploit25
SpyEye
TargetExploit v0.06
Tornado
Unique pack [2.1, unknown]
Yes Exploit Kit [1.0, 2.0, unknown update]
Zeus [1.2.1.0, 1.2.1.8]
zoPack v1.02
Zunker
3 Exercises:
Anti-Analysis
Unpacking
Vulnerability Exploitation
Candidates have to finish all three, prepare a documentation and hand it in [choose date].