1 / 58

Going gets tough

Going gets tough. A tale of encounters with novel evasive malware. Marta Janus Malware Researcher. # whoami. reverse engineering adept & enthusiast malware researcher @ KL since 2009 l inux user since 2006 baldur’s gate player since 1999. Are rootkits on decline?.

guido
Download Presentation

Going gets tough

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Going gets tough A tale of encounters with novel evasive malware Marta Janus Malware Researcher

  2. # whoami • reverse engineeringadept & enthusiast • malware researcher @ KL since 2009 • linux user since 2006 • baldur’sgateplayer since 1999

  3. Are rootkits on decline?

  4. Tough times for rootkits • kernel-space no longer safe for malware • bootkits easily detected • hypervisor-level stealth too complex • shift in malware strategy

  5. Hiding vs. evasion the goals • hide from admin? • bypass detection • protect C&C infrastructure • protect the payload

  6. Case 1: Baldur "When the going gets tough, someone hold my rodent!"

  7. # Trojan.Win32.Baldur • set of classical anti-vm / anti-dbg checks • heavily based on a0rtega`s pafish • overly exciting? not really, but... • ...a textbook case :)

  8. # classic_checks

  9. # environmental_checks WinSpy? MBAM ? ???

  10. # environmental_checks

  11. # drive_size_check

  12. # game_over

  13. Case 2: CVE-0158 & Gimemo "Evil 'round every corner. Careful not to step in any."

  14. # armed-to-the-teeth http://www.securelist.com/en/analysis/204792298/The_curious_case_of_a_CVE_2012_0158_exploit • multilayered OLE objects, lots of obfuscation • multi-stage shellcode: • stage_1: ROP chain • stage_2: decryptorof stage_3 • stage_3: egg-hunter • stage_4: dropper

  15. # execute_payload

  16. # payload: decrypt_loader

  17. # skip_all_checks

  18. # trigger_exception

  19. # dummy_code

  20. # seh_routine

  21. # anti_hook, anti_bp

  22. # anti_hook, anti_bp

  23. # anti_hook, anti_bp: trampoline

  24. # the dropper & the bot

  25. Case 3: PSW & more SEH "No effect?! I need a bigger sword!"

  26. # Trojan-PSW.Win32.Multi • also spread via hardened CVE-0158 exploit • also lots of anti-* techniques • code flow of the loader fully based on exception handling blocks • payload saved as a registry value • overwrites fxsst.dll to assure persistance

  27. # malware_main; seh chain

  28. # exception_1

  29. # exception_handler

  30. # dormant_phase

  31. # check_trend_micro

  32. # exception_4

  33. # decrypt_inject

  34. Case 4: hardened Zeus "Fool me once, shame on you; fool me twice, watch it! I'm huge!"

  35. # Trojan.Win32.Zbot • samples from period of March – May 2014 • use of windows messaging system • use of SEH • multiple downloaders • each with the same set of anti-* techniques

  36. # load_cursor

  37. # process_wndmsg

  38. # seh_anti_debug

  39. # seh_anti_debug

  40. # enum_windows

  41. Case 5: even more hardened Zeus "Boo says "WHAT?"

  42. # ZeuS p2p aka Game Over • works only on Windows 7 • anti-emulation based on default values in the CPU registers • drops Necurs rootkit (!) • bypasses driver signing via setting TESTSIGNING option in BCEDIT

  43. # init_dialog

  44. # obfuscated_win7_check

More Related