Devianze
DESCRIPTION
Case study on the "Gromozon" malware, inspired by an article by Marco Giuliani. Presentation given at Infosecurity 2007 with Luigi Mori, author of the Reverse Engineering section.
TRANSCRIPT
[Slide 1]
[Devianze]
how malware subverts the advanced features of Windows
Luigi Mori, Fabrizio Cassoni
[Slide 2]
the forgotten features
leftovers
second thoughts
backward compatibility
[Slide 3]
[Slide 4]
May 2006:
Trojan.LinkOptimizer
Win32.Agent.rs
Trojan.Dropper
Js.Agent
...
[Slide 5]
[Slide 6]
Enter Gromozon

```javascript
function B(EO,y){
  if(!y){y=')6z|xXmU{=u29,K.g8pjlq*#]f7B`^ZJbHow+%rRk4-FndDyYCh05_(P!ViE?@Nv';}
  var S;var MQ='';
  for(var N=0;N<EO.length;N+=arguments.callee.toString().replace(/\s/g,'').length-535){
    S=(y.indexOf(EO.charAt(N))&255)<<18|(y.indexOf(EO.charAt(N+1))&255)<<12|(y.indexOf(EO.charAt(N+2))&255)<<(arguments.callee.toString().replace(/\s/g,'').length-533)|y.indexOf(EO.charAt(N+3))&255;
    MQ+=String.fromCharCode((S&16711680)>>16,(S&65280)>>8,S&255);
  }
  eval(MQ.substring(0,MQ.length-(arguments.callee.toString().replace(/\s/g,'').length-537)));
}
```
[...]
[Slide 7]
html encoding: &#100; = 'd'
url encoding: %64 = 'd'
ms encoded: Jscript.Encode">#@~^LgEAAA==r6`Um\bolDWM [...]
escaping: document.write(unescape('\u0025\u0033\u0043\[...]
alert() vs. document.write()
alert() vs. eval()
[Slide 8]
code-length dependent obfuscation (SANS)

```javascript
function r(lI,t) {
  ...
  for(var sa=0;sa<lI.length;sa+=arguments.callee.toString().length-444){
    ... various permutations;
  }
  eval(ii);
};
r('string');
```
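Added example (not code from the slides): a plain-JavaScript reimplementation of the slide 6 decoder in which the three constants the loader derives from its own source length are explicit parameters, so the "alert() vs. eval()" trap of slides 7 and 8 can be reproduced offline. The alphabet is copied from slide 6; the source length 539 is inferred from the decoder's structure (the third symbol must be shifted by 6, so L - 533 = 6), and the sample plaintext is constructed.

```javascript
// Added example, not the loader's own code: the custom-alphabet decoder from
// slide 6 with the self-length-derived constants made explicit.
const GROMOZON_ALPHABET = ")6z|xXmU{=u29,K.g8pjlq*#]f7B`^ZJbHow+%rRk4-FndDyYCh05_(P!ViE?@Nv";

// The loader computes step/shift/tail from the whitespace-stripped length L of
// its own source. The 18/12/?/0 shift pattern only maps 4 symbols -> 3 bytes
// when the third shift is 6, so L - 533 = 6, i.e. L = 539 (inferred, not on the slide).
const INFERRED_SOURCE_LENGTH = 539;

function gromozonDecode(payload, sourceLength, alphabet = GROMOZON_ALPHABET) {
  const step = sourceLength - 535;  // symbols consumed per iteration (4 when L = 539)
  const shift = sourceLength - 533; // shift for the third symbol (6 when L = 539)
  const tail = sourceLength - 537;  // bytes dropped before eval() (2 when L = 539)
  if (step < 1) throw new Error("step must be positive");
  let out = "";
  for (let n = 0; n < payload.length; n += step) {
    // indexOf("") is 0 past the end of the payload, exactly as in the original loop
    const s = (alphabet.indexOf(payload.charAt(n)) & 255) << 18
      | (alphabet.indexOf(payload.charAt(n + 1)) & 255) << 12
      | (alphabet.indexOf(payload.charAt(n + 2)) & 255) << shift
      | (alphabet.indexOf(payload.charAt(n + 3)) & 255);
    out += String.fromCharCode((s & 0xff0000) >> 16, (s & 0xff00) >> 8, s & 255);
  }
  return out.substring(0, out.length - tail); // the loader passes this to eval()
}

// Encoder used only to build a constructed sample: appends `tail` filler bytes,
// which the decoder strips again. Total length must be a multiple of 3.
function gromozonEncode(plaintext, tail, alphabet = GROMOZON_ALPHABET) {
  const bytes = plaintext + "#".repeat(tail);
  if (bytes.length % 3 !== 0) throw new Error("plaintext length + tail must be a multiple of 3");
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const s = (bytes.charCodeAt(i) << 16) | (bytes.charCodeAt(i + 1) << 8) | bytes.charCodeAt(i + 2);
    out += alphabet[(s >> 18) & 63] + alphabet[(s >> 12) & 63] + alphabet[(s >> 6) & 63] + alphabet[s & 63];
  }
  return out;
}

const SAMPLE_PLAINTEXT = "alert('decoded')"; // constructed: 16 chars + 2 filler = 18 bytes
const SAMPLE_PAYLOAD = gromozonEncode(SAMPLE_PLAINTEXT, 2);

// Why "replace eval with alert" fails on this loader: alert( is one byte longer
// than eval(, so L becomes 540 and every derived constant moves with it.
function demo() {
  return {
    withOriginalLength: gromozonDecode(SAMPLE_PAYLOAD, INFERRED_SOURCE_LENGTH),
    afterPatchingEval: gromozonDecode(SAMPLE_PAYLOAD, INFERRED_SOURCE_LENGTH + 1),
  };
}
```

The defender-side fix is the one the block models: read the constants off the untouched loader (or fix them from the shift pattern) and decode out of band, rather than editing the function and re-running it.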
[Slide 9]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
[Slide 10]
obfuscated javascript
redirect to a second site
browser profiling (IE, FF, Opera)
www.google.com
WMF exploit
dropper
[Slide 11]
now we have a new user on the system
it has a random password
it is in the administrators group
it has reduced our privileges
a service runs under its account
the service executable is encrypted with EFS
[Slide 12]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
| EFS | |
[Slide 13]
out of EFS
EFS-protected files:
cannot be deleted
cannot be copied
cannot be read
but can be renamed
so they can be replaced
[Slide 14]
a simple replacement
we create an application that invokes the shell
running a batch: xcopy /g <encrypted_file> e:
"e:" is a non-NTFS volume
we register it as a service
we swap it in for Gromozon's service
we reboot the system
[Slide 15]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
| EFS | Script (Xcopy /g) |
[Slide 16]
ADS
ADS exist to guarantee compatibility between NTFS and HFS
Alternate Data Streams to hide a rootkit
[Slide 17]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
| EFS | Script (Xcopy /g) |
| ADS | LADS, STREAMS |
[Slide 18]
if you can't hide...
Gromozon's rootkit may be visible but hard to remove
the "reserved" names: CON PRN AUX NUL COM* LPT*
[Slide 19]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
| EFS | Script (Xcopy /g) |
| ADS | LADS, STREAMS |
| Reserved names | Del \\.\c:\\lpt6.com |
[Slide 20]

| gromozon | good guys |
| --- | --- |
| Obfuscated JavaScript | Script Debugger |
| EFS | Script (Xcopy /g) |
| ADS | LADS, STREAMS |
| Reserved names | Del \\.\c:\\lpt6.com |
| Rootkit ! | |
[Slide 21]
Deep dives
deep dive #1: Protection & Anti-Dbg
deep dive #2: UM Rootkits
[Slide 22]
Deep dive #1
Protection & Anti-Dbg
[Slide 23]
Initial analysis of the executables
• few IMPORTS → packer?
• PEiD does not recognise it → custom packer???
[Slide 24]
Initial analysis of the executables
• standard section names, no jumps into "strange" data → no packer?!?!
• intricate, unreadable control flow
[Slide 25]
Protection against RE
1 - normal   2 - split   3 - scramble
[Slide 26]
Protection against RE
normal
scramble
[Slide 27]
Protection against RE
• there is no IAT; imports are resolved dynamically via:
  – LoadLibrary + GetProcAddress
  – GetModuleHandle + PE header parsing
• all strings are RC4-encrypted and decrypted dynamically on the stack just before use
[Slide 28]
Anti-Debug tricks #1
• debugger presence check via the PEB
• the same code used by IsDebuggerPresent()
[Slide 29]
Anti-Debug tricks #2
Pseudocode:

```
t1 = GetTickCount()
t2 = GetTickCount()
if (t2 - t1 < MINVAL) {
    fail
} else {
    success
}
```

• anti-tracing check
• GetTickCount - milliseconds since startup
[Slide 30]
Anti-Debug tricks #3
Pseudocode:

```
t1 = ReadTSC()
Sleep(100)
t2 = ReadTSC()
if (t2 - t1 < MINVAL) {
    fail
} else {
    success
}
```

• anti-tracing check
• based on RDTSC - CPU tick count
[Slide 31]
Anti-Debug tricks #4
• VM check
• RedPill - discovered by Joanna Rutkowska and Tobias Klein
Pseudocode:

```
IDTR = ReadIDTR()   // SIDT
if (IDTR > 0xD0000000 || IDTR < 0x80000000) {
    fail
}
```
[Slide 32]
VMware and IDTR
• one IDTR for the VMM and one for the host OS
• changed in the "Total Context Switch"
[Slide 33]
VMware and SIDT
• the SIDT instruction is not privileged and can also be used in Ring 3
• using it, one can tell whether we are inside a VM or on a "real" host
• examples of IDTR:
  – Windows XP or 2003: 0x8003F400
  – VMware version 4: 0xFFC17800
[Slide 34]
Anti-Debug tricks #4
• RedPill checks that the IDT base lies between 0x8000000 and 0xD0000000
Pseudocode:

```
IDTR = ReadIDTR()   // SIDT
if (IDTR > 0xD0000000 || IDTR < 0x80000000) {
    fail
}
```
[Slide 35]
Anti-Debug tricks #5
• the executables also try to detect the presence of:
  – Softice
  – Regmon
  – Filemon
• they use the virtual device files these programs use to communicate with their drivers
[Slide 36]
Deep dive #2
UM Rootkit
[Slide 37]
User Mode Rootkit
• Windows rootkits are tools used to modify the behaviour of applications
• they hook the APIs to change their results
• two main characteristics:
  – hooking method
  – injection method
[Slide 38]
API call structure
the call is indirect: call [TargetFunctionAddr]
[Slide 39]
Hooking - IAT hooking
for each hook, the IAT entry of the corresponding function is modified to point to the hook code.
[Slide 40]
Hooking - inline hooking
for each hook, the first bytes of the original function are overwritten to make room for a JMP into the hook.
[Slide 41]
Hooking - inline hooking
normal   hooked
[Slide 42]
Injection - AppInit_DLLs
• registry key:
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• list of DLLs loaded together with User32.dll
• practically all executables
[Slide 43]
Conclusions
• legacy complexity, forgotten features
[Slide 44]
Web references
Marco Giuliani: "The Strange Case of Dr. Rootkit and Mr. Adware", http://pcalsicuro.phpsoft.it/gromozon.pdf
Mircea Ciubotariu: "What Next? Trojan.LinkOptimizer" (Virus Bulletin, Dec 2006)
LADS: http://www.heysoft.de/nt/ntfs-ads.htm
Random Dross: "Web Security And Beyond", http://blogs.msdn.com/dross/
WebSense Security Labs Threat Blog: http://www.websense.com/securitylabs/blog/blog.php?BlogID=86
F-Secure Weblog on WMF Vulnerability: http://www.f-secure.com/weblog/archives/archive-122005.html