Why you should never use the internet

Overview
- A Different Game
- Infection
- Characteristics
- Techniques
- Detection
- Prevention

A Different Game
- The players and the game have changed
  - Criminal organizations
  - Governments
- Profit/politically driven
  - Multimillion dollar industry
  - Cyber weapons
- FBI vs Coreflood [1]
- Professionally developed
  - User manuals
  - MaaS (Malware as a Service)

Infiltration
- Exploit Packs
  - Phoenix Pack
  - Blackhole source released (plus others) [4]
- These aren't going away
- EaaS?

Legitimate Host Compromise
- Direct:
  - May 2011: Geek.com [1]
  - April 2011: ribbs.usps.gov [2]
  - April 2010: Wordpress.com [3]
- Indirect: Advertisements
  - ~2 clicks away from malware
- Search Engine Optimization hacks
  - Breaking news
  - Celebrities
- Social: Facebook, Twitter, etc.
- Email: Spear Phishing

Techniques
- API Hooking
- Run-time Patching
- Browser Content Replacement
- Filter Drivers

API Hooking
- APIs are how Windows programs do just about everything
- Allows malware to intercept Windows API calls
- Can be done in user or kernel space, but in kernel space it's much more powerful

API Hooking
[Diagram: a user-mode program calls DeleteFile[A|W], which calls NtDeleteFile; the transition into kernel mode goes through the System Service Descriptor Table (SSDT), which dispatches to ZwDeleteFile]

API Hooking: SSDT Example
[Diagram: the same DeleteFile[A|W] -> NtDeleteFile -> SSDT -> ZwDeleteFile call chain, but the SSDT entry has been replaced so the call lands in the rootkit's fakeDelete instead of ZwDeleteFile]

API Hooking
- Allows malware to do a lot of nasty things
  - Hide processes/files
  - Hide networking (to a degree)
  - Steal keystrokes, website data, passwords, mouse clicks, etc.
  - Basically take over your system
- Fairly straightforward to implement
- However, it is easy to detect

Run-time Patching
- Replaces API calls with your own by patching the API routine itself
- Can achieve the same goals as API hooking, but harder to detect
- Also called "detour hooks"

Run-time Patching: Example
[Diagram, before: the unmodified Target Code. After: the start of the target is overwritten with a Detour Jump into the Malicious Code; the malicious code runs, then the displaced [Target Code], then a Jump Back into the original routine]

Run-time Patching
- Can be tricky to implement
- Harder to detect
  - You have to scan the memory space
  - If it's not permanent, an offline analysis isn't very helpful

Browser Content Replacement
- Allows the malware to modify what you see and send in your web browser
- Can replace forms, GET request responses, POST data, POST locations, hide data...
- "View Source" shows nothing: modifications are done in memory
- HTTPS is not relevant: the malware works inside the browser, after decryption and before encryption

Browser Content Replacement
[Diagram, normal flow: USER <-> DISPLAY <-> EN/DECRYPT <-> SEND/RECEIVE <-> WEBSITE]
[Diagram, infected: MALWARE sits between DISPLAY and EN/DECRYPT, so it sees and alters page content in the clear, in both directions]

Browser Content Replacement: Zeus botnet
From the user manual:
"Intercepting HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries:
1. Modification of the loaded pages content (HTTP-inject).
2. Transparent pages redirect (HTTP-fake).
3. Getting out of the page content the right pieces of data (for example the bank account balance).
4. Temporary blocking HTTP-injects and HTTP-fakes.
5. Temporary blocking access to a certain URL.
6. Blocking logging requests for specific URL.
7. Forcing logging of all GET requests for specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to specific URL.”

Detection
- AV (losing the race)
- Monitor outbound communications
  - TCPView
  - Netstat
  - Border monitoring
  - Outbound-watching IDS (Snort)
- Sysinternals
  - TCPView
  - Procmon
  - RootkitRevealer
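The "monitor outbound communications" bullet is the cheapest check on the list, and it is worth seeing what it looks like once the manual TCPView/netstat review is turned into a script. The following Python is an added example for this write-up, not a tool from the talk or from Sysinternals; the netstat output, the PID-to-image mapping and the per-process port baseline are all constructed for the example, and the baseline itself is an assumption a defender would build from a known-clean machine. It parses `netstat -ano` style lines, joins them to the owning image, and reports established TCP connections that either belong to an image with no business talking outbound or go to a remote port that image does not normally use.

```python
import re

# Constructed sample of `netstat -ano` output on Windows. Addresses, ports and
# PIDs are made up for this example; they are not from a real capture.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     1532
  TCP    192.168.1.10:49160     198.51.100.7:6667      ESTABLISHED     2244
  TCP    192.168.1.10:49171     203.0.113.5:8080       ESTABLISHED     2244
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:5355           *:*                                    1240
"""

# Constructed PID-to-image mapping, as `tasklist` would report it.
PROCESS_BY_PID = {1532: "firefox.exe", 2244: "svchost.exe",
                  884: "svchost.exe", 1240: "svchost.exe"}

# Hypothetical baseline: images expected to hold outbound connections and the
# remote ports they normally use. Anything outside this is worth a look.
BASELINE = {
    "firefox.exe": {80, 443},
    "chrome.exe": {80, 443},
    "svchost.exe": {80, 443},   # Windows Update and similar services
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for wildcards such as '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` style lines into dicts; header and blank lines are skipped.
    UDP rows carry no state column, which the optional group in LINE_RE allows for."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return rows


def unexpected_outbound(rows, process_by_pid, baseline):
    """Return (pid, image, remote host, remote port) for every established TCP
    connection whose owning image is not in the baseline, or whose remote port is
    not one that image is expected to use."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        image = process_by_pid.get(r["pid"], "<unknown>")
        allowed_ports = baseline.get(image)
        if allowed_ports is None or r["rport"] not in allowed_ports:
            findings.append((r["pid"], image, r["rhost"], r["rport"]))
    return findings


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for pid, image, host, port in unexpected_outbound(rows, PROCESS_BY_PID, BASELINE):
        print(f"PID {pid} ({image}) -> {host}:{port} is not in the baseline")
```

On the constructed sample the Firefox connection to port 443 passes, while both connections owned by PID 2244 are reported: an svchost.exe instance talking to port 6667 and port 8080 is exactly the kind of thing a border IDS rule would also catch, but the host-side view adds the owning process, which the network alone cannot give you. Note the limits the slides themselves point out: a kernel-mode hook can hide a connection from netstat and TCPView entirely, which is why border monitoring is listed alongside them.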

Detection: GMER
- Rootkit detector
- Detects:
  - Hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden*
  - SSDT, IAT, EAT hooks
  - MBR modification
  - Suspicious drivers
  - ...lots more
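Two of the checks above, SSDT hooks and the "you have to scan the memory space" point from the run-time patching slides, are simple enough to show in code. The Python below is an added example written for this write-up; it is not GMER's code and not from the talk. Every address and byte string in it is constructed: the kernel image range, the SSDT entries, the function address and the prologue bytes are made up, and the injected-DLL address is a hypothetical hook target. On a real system the same logic would run over a kernel memory snapshot and over the live bytes of exported functions compared against the file on disk. The first check flags an SSDT entry whose handler does not live inside the kernel image (the fakeDelete case from the diagram); the second compares a function's in-memory prologue with its clean on-disk bytes and, when they differ, decodes the common detour shapes (`jmp rel32`, `jmp [abs32]`, `push imm32; ret`) to report where the detour leads.

```python
import struct

# --- Constructed kernel snapshot -------------------------------------------
# Address range of the kernel image (ntoskrnl) and a few SSDT entries. All of
# these values are made up for the example; on a real system they come from the
# loaded-module list and from reading the table itself.
NTOSKRNL_BASE = 0x80400000
NTOSKRNL_SIZE = 0x00200000

SSDT_SAMPLE = [
    ("NtCreateFile",         0x8049A1C0),
    ("NtDeleteFile",         0xF8A3E120),  # points into a hypothetical rootkit driver
    ("NtQueryDirectoryFile", 0x804F12A0),
]


def hooked_ssdt_entries(table, base, size):
    """Names of SSDT entries whose handler does not lie inside the kernel image.
    A legitimate entry points into ntoskrnl; a fakeDelete in a rootkit driver does not."""
    lo, hi = base, base + size
    return [name for name, addr in table if not (lo <= addr < hi)]


# --- Inline (detour) hook check -------------------------------------------
def decode_detour(func_va, code):
    """Classify the first instruction at func_va. Returns (kind, target) where kind is
    'jmp_rel32', 'jmp_indirect', 'push_ret', or None if it is none of those."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:   # jmp [abs32]
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None, None


def check_prologue(func_va, in_memory, on_disk, nbytes=16):
    """Compare the live prologue with the clean bytes from the file on disk.
    Returns None when they match, otherwise a dict describing the patch."""
    if in_memory[:nbytes] == on_disk[:nbytes]:
        return None
    kind, target = decode_detour(func_va, in_memory)
    return {"function_va": func_va, "kind": kind or "patched", "target": target}


# Constructed user-mode example: the classic 5-byte hot-patch prologue
# (mov edi,edi / push ebp / mov ebp,esp) of an exported function...
FUNC_VA = 0x7C801A28                               # hypothetical address of the export
CLEAN = bytes.fromhex("8BFF558BEC" + "83EC08")      # prologue plus a little of the body
# ...and the same bytes after a detour has been written over the first five.
HOOK_TARGET = 0x10001000                           # hypothetical injected DLL
HOOKED = struct.pack("<Bi", 0xE9, HOOK_TARGET - (FUNC_VA + 5)) + CLEAN[5:]


def demo():
    """Run both checks over the constructed data and return their findings."""
    ssdt = hooked_ssdt_entries(SSDT_SAMPLE, NTOSKRNL_BASE, NTOSKRNL_SIZE)
    inline = check_prologue(FUNC_VA, HOOKED, CLEAN)
    return ssdt, inline


if __name__ == "__main__":
    ssdt, inline = demo()
    print("SSDT entries outside ntoskrnl:", ssdt)
    print("Inline hook:", inline)
```

The on-disk comparison is what makes the second check work where a plain signature scan would not: the detour bytes themselves look like ordinary code, so the only reliable reference is the unmodified copy of the module. That is also why the slides note that a non-persistent patch is of little use to offline analysis, since the on-disk file is untouched and only live memory shows the change.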

Prevention
- Update software (not just Windows)
- Windows 7 (x64)
- EMET [5]
- Uninstall Adobe Reader, install Foxit
- Chrome/Firefox
- VMs/Linux/OSX
- NoScript for Firefox

Further Information
- Blogs
  - F-Secure: http://www.f-secure.com/weblog/
  - Sophos: http://nakedsecurity.sophos.com/
  - Inreverse: http://www.inreverse.net/
- Online tools
  - VirusTotal: http://www.virustotal.com/
  - Anubis: http://anubis.iseclab.org/
- Samples
  - Malware Domain List: http://www.malwaredomainlist.com/
  - Offensive Security: http://www.offensivecomputing.net/

References
1. http://arstechnica.com/tech-policy/news/2011/04/fbi-vs-coreflood-botnet-round-one-goes-to-the-feds.ars
2. http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html
3. http://www.theregister.co.uk/2011/04/08/us_postal_service_exploit/
4. http://www.thehackernews.com/2011/05/blackhole-exploit-kit-download.html
5. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04
- 2010 Websense Threat Report: http://www.websense.com/content/threat-report-2010-introduction.aspx?cmpid=prblog
- Verizon 2011 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf?&src=/worldwide/resources/index.xml&id=
- Microsoft Security Intelligence Report v10: http://www.microsoft.com/security/sir/
- Book: "The Rootkit Arsenal", by Reverend Bill Blunden
- Book: "Malware Analyst's Cookbook", by M. Ligh, S. Adair, B. Hartstein, M. Richard
- Book: "Reversing: Secrets of Reverse Engineering", by Eldad Eilam
- MSDN Documentation: http://msdn.microsoft.com/en-us/library/default.aspx