identifying and removing malwares

Identifying and

Removing

Malwares FOR BEGINNERS

n|

u N

ull M

ee

t Dh

ara

msa

la

1 Ju

ly 2

01

4

Agenda

@me

Light

Operating System

User Mode

Kernel Mode

Camera

Malware

History

Types

Properties

&Action

Take

n|u Null Meet Dharamsala

2

July 2014

@me

Malware Analyst

Can protect my Web Applications.

Know of: C, C++, Java, Ruby, Python

I “google” a lot.

[email protected]

@_badbot

*PC Gamer*


3

July 2014

mailto:[email protected]

Light, Camera, Action

Light

Relevant Information about OS

Some historical information

Camera

Statistics

Predictions

Action

Finding and acting on clues

Take

Recommendations

July 2014 n|u Null Meet Dharamsala

4

“Ware”


5

July 2014

http://www.google.co.in/imgres?imgurl=http://icons.iconarchive.com/icons/gakuseisean/radium/256/User-Computer-icon.png&imgrefurl=http://www.iconarchive.com/show/radium-icons-by-gakuseisean/User-Computer-icon.html&h=256&w=256&tbnid=7A_WGtnpPhLc7M:&zoom=1&docid=HGTcEzGpURWhyM&ei=uwTFU664LMuWuASEyIKQAg&tbm=isch&client=firefox-a&ved=0CBoQMygAMAA&iact=rc&uact=3&dur=92&page=1&start=0&ndsp=10

Malware

A software that performs

unintended actions

without user

consent.


6

July 2014

Operating System


7

July 2014

Operating System

Hardware

Operating System

Application

User Command


8

July 2014

Operating System

Hardware

Device Driver

Kernel

Programs


9

July 2014

Memory Model

Real Memory

Exact amount of installed

H/W RAM.

Fixed size.

Shared among everything

running in system.

Backed by H/W

Protected by OS

Virtual Memory

Amount of RAM perceived

by every process.

Variable size.

Owned exclusively.

Backed by OS Memory

Management.

Mixed Protection.


10

Memory Model

User Mode

Unprotected

Program code/data

Un-privileged

Exclusive for process

Swappable

Libraries(.dll, .so, …)

Kernel Mode

Protected

Kernel code/data

Privileged

Shared in real space

Mostly not-swappable

Drivers(.drv, .sys, .ko,…)


11

0x00000000-0x7FFFFFFF 0X80000000 – 0xFFFFFFFF

Windows Access Levels


12

• Own Processes

• Other User’s Processes User

• User Access

• Other User’s Processes

• Unrestricted Access Administrator

• Administrative Access.

• Unrestricted Access to Local System.

NT_AUTHORITY\

SYSTEM

Windows Registry

Configuration Database.

Key [Key] Value[or Default] = [Data]

Permanent and Transient Keys

Derived Keys

Root Keys:

CLASSES_ROOT

LOCAL_MACHINE

USERS

CURRENT_USER

CURRENT_CONFIG


13

Windows Executables

PE (based on COFF) file format.

File starts with “MZ”

Entry point defined in header.

Typically used extensions

EXE: Normal Executable

DLL: Dynamic link library

LIB: Static Library

SYS: Driver

OCX: ActiveX Controls (special purpose DLL)


14

Malware

Software programs designed to damage or do

unwanted actions on a computer system. In

Spanish, "mal" is a prefix that means "bad," making

the term "badware“.


15

Malware

Malicious Software

Malware Evolution 1948

Self-Reproducing Automata

-John Von Neumann

1970

Creeper -PDP-10

-Bob Thomas

-Reaper

1975

The Shockwave Rider -Xerox

- John Shock & John Hepps


16

Malware Evolution

1981

Elk-Cloner •Apple DOS 3.3

• 15 year old

1986

Brain •PC-DOS

• Alvi Brothers

1988

Morris • UNIX Finger

service

• Robert Morris

1995

Concept • MS Word

• Macro Virus


17

Malware Evolution

2000

I LOVE YOU •VBScript

• Reomel Lamores

20

04

Cabir •Symbian OS

20

07

- 2

00

8

Zeus

Conficker 20

10

Stuxnet • SCADA

Systems


18

Malware Evolution

2011

Duqu,

Anti Spyware 2011

2012

Flame

2013

Cyptolocker

BlackPOS

Dexter

vSkimmer

2014

Dragonfly


19

Malware Statistics

Categories that Delivered Malicious Code, 2013 : Symantec


20

Malware Statistics


21

Malware Statistics


22

Malware Predictions

More attack binaries will use stolen or valid code signature.

Browser vulnerabilities may be more common.

Cybercrime gets personal.

More targeted attacks.

More stealthier techniques for C&C.

Expect more malicious code in BIOS and firmware updates.

64bit Malwares.

Malware Diversifies and Specializes.

Sandbox Evasion.


23

Malware Classification

Worm

Propagates by itself on different machine.

Virus

Attaches itself to targets. Infects other systems when target moves.

Trojan

Masquerades itself as legitimate/useful software.

Spyware

Spies on your data and send it to controller.

Adware

Displays unwanted/unsolicited advertisements.


24

Malware Classification

Ransomware

Locks access to your systems or files and demands ransom for further access.

Backdoor(Remote Administration Toolkit):

Allows unauthorized remote user connect to and control your system.

Downloader

Primary payload for exploits. Download/Installs other malwares.

Rootkit

Interferes with kernel to hide itself from user and security tools.


25

Malware Lifecycle

Infection

It has to infect the target. First run.

Persistence

It has to persist. Cannot be downloaded every time.

Run

It has to run. Preferably without user action e.g. Boot,

Timed…

Hide

Hide itself from naked eye.


26

&Action

Almost at every stage malwares leave clues.

Identify Clues.

Identify Malware.

Remove Malware.


27

Infection

Exploitation:

Using vulnerabilities to achieve code execution.

Vulnerable program crashes/restarts most of the time.

External Media

Carried to the target system using external media e.g. USB Stick.

Un-mounting the media usually fails.

E-mail Attachments

Sent via email attachment.

Grammatical/Spelling mistakes. Duplicate e-mail. Attachments with double extension, wrong extension.


28

Persistence

Files

Stored as files.

Cryptic file names.

Known file names in unexpected locations.

Misspelled file name.

Streams

Data is stored as NTFS alternate stream.

Pathname containing ‘:’ character.


29

Run & Hide

Hiding in plain sight.

An entry in process list.

Unknown process name.

Unexpected Process.

Process binary at unusual location.

Process with unexpected user account/privilege.

Hiding deep inside

No entry in process list.

Unexpected library.

Unusual usage of system resources.

Re-appearance of some files after deletion.


30

Detection Difficulty

Hardware

Kernel

Device Driver

User Programs


31

Sysinternal Tools

Sysinternal Suite

Autoruns

ListDll

Handle

Process Explorer

Process Monitor

RootkitRevealer

Strings


32

Autoruns


33

ListDLLs


34

Handle


35

Process Explorer


36

Process Monitor


37

Rootkit Revealer


38

Strings


39

Other Tools

GMER

Redline

Kaspersky Virus Fighting Utilities

TDSS Killer

McAfee Stinger

Sophos Anti-Rootkit

Norton Power Eraser

Trend Micro House Call


40

GMER

By default downloads

with random file name.

Similar to Rootkit Revealer

More signature and

parameters to look into.


41

Redline

Separate data

collection and

analysis system.

Collector can run

from removable

media.

Verifies against

hashes of known

good modules.

Reporting


42

Take

Antivirus Not Enough

Understand

Be Updated

Be Paranoid

Don’t Trust

Protect

Backup


43

The END

All the images, statistics, data belong to their respective owners (including me).


44

identifying and removing malwares

Education

ware nu null meet dharamsala

malware evolution

user current

malware analyst

malware software programs

user consent

malware malicious software

os virtual memory