Identifying and Removing Malwares (for beginners)
Description: null Dharmashala Chapter - July 2014 Meet
Transcript
n|u Null Meet Dharamsala, July 2014
Agenda
• @me
• Light: Operating System (User Mode, Kernel Mode)
• Camera: Malware (History, Types, Properties)
• &Action
• Take
@me
• Malware Analyst
• Can protect my Web Applications.
• Know of: C, C++, Java, Ruby, Python
• I "google" a lot.
• @_badbot
• *PC Gamer*
Light, Camera, Action
• Light: Relevant information about the OS; some historical information.
• Camera: Statistics; predictions.
• Action: Finding and acting on clues.
• Take: Recommendations.
“Ware”
Malware
Software that performs unintended actions without user consent.
Operating System
Layers, bottom to top: Hardware, Operating System, Application, User Command.
Operating System
Layers, bottom to top: Hardware, Device Driver, Kernel, Programs.
Memory Model
Real Memory
• Exact amount of installed H/W RAM.
• Fixed size.
• Shared among everything running in the system.
• Backed by H/W.
• Protected by OS.
Virtual Memory
• Amount of RAM perceived by every process.
• Variable size.
• Owned exclusively.
• Backed by OS memory management.
• Mixed protection.
Memory Model
User Mode (0x00000000 - 0x7FFFFFFF)
• Unprotected
• Program code/data
• Un-privileged
• Exclusive for process
• Swappable
• Libraries (.dll, .so, …)
Kernel Mode (0x80000000 - 0xFFFFFFFF)
• Protected
• Kernel code/data
• Privileged
• Shared in real space
• Mostly not swappable
• Drivers (.drv, .sys, .ko, …)
Windows Access Levels
User
• Own Processes
• User Access
Administrator
• Other User's Processes
• Administrative Access
NT_AUTHORITY\SYSTEM
• Other User's Processes
• Unrestricted Access
• Unrestricted Access to Local System
Windows Registry
• Configuration database.
• Key [Key] Value [or Default] = [Data]
• Permanent and transient keys.
• Derived keys.
• Root Keys: CLASSES_ROOT, LOCAL_MACHINE, USERS, CURRENT_USER, CURRENT_CONFIG
Windows Executables
• PE (based on COFF) file format.
• File starts with "MZ".
• Entry point defined in header.
Typically used extensions:
• EXE: Normal executable
• DLL: Dynamic link library
• LIB: Static library
• SYS: Driver
• OCX: ActiveX controls (special-purpose DLL)
Malware
Software programs designed to damage or do unwanted actions on a computer system. In Spanish, "mal" is a prefix that means "bad," making the term "badware".
Malware: Malicious Software
Malware Evolution
• 1948: Self-Reproducing Automata - John von Neumann
• 1970: Creeper (PDP-10) - Bob Thomas; Reaper
• 1975: The Shockwave Rider - Xerox - John Shoch & Jon Hupp
Malware Evolution
• 1981: Elk Cloner - Apple DOS 3.3; written by a 15-year-old
• 1986: Brain - PC-DOS; Alvi brothers
• 1988: Morris - UNIX finger service; Robert Morris
• 1995: Concept - MS Word; macro virus
Malware Evolution
• 2000: I LOVE YOU - VBScript; Reomel Ramones
• 2004: Cabir - Symbian OS
• 2007-2008: Zeus, Conficker
• 2010: Stuxnet - SCADA systems
Malware Evolution
• 2011: Duqu, Anti Spyware 2011
• 2012: Flame
• 2013: CryptoLocker, BlackPOS, Dexter, vSkimmer
• 2014: Dragonfly
Malware Statistics
[Figure: Categories that Delivered Malicious Code, 2013 (Symantec); two further statistics slides were charts only]
Malware Predictions
• More attack binaries will use stolen or valid code signatures.
• Browser vulnerabilities may be more common.
• Cybercrime gets personal.
• More targeted attacks.
• Stealthier techniques for C&C.
• Expect more malicious code in BIOS and firmware updates.
• 64-bit malwares.
• Malware diversifies and specializes.
• Sandbox evasion.
Malware Classification
• Worm: Propagates by itself to different machines.
• Virus: Attaches itself to targets; infects other systems when the target moves.
• Trojan: Masquerades as legitimate/useful software.
• Spyware: Spies on your data and sends it to a controller.
• Adware: Displays unwanted/unsolicited advertisements.
Malware Classification
• Ransomware: Locks access to your system or files and demands a ransom for further access.
• Backdoor (Remote Administration Toolkit): Allows an unauthorized remote user to connect to and control your system.
• Downloader: Primary payload for exploits; downloads/installs other malwares.
• Rootkit: Interferes with the kernel to hide itself from the user and security tools.
Malware Lifecycle
• Infection: It has to infect the target. First run.
• Persistence: It has to persist. Cannot be downloaded every time.
• Run: It has to run, preferably without user action (e.g. at boot, timed, …).
• Hide: Hide itself from the naked eye.
&Action
Malware leaves clues at almost every stage.
• Identify clues.
• Identify malware.
• Remove malware.
Infection
Exploitation
• Using vulnerabilities to achieve code execution.
• Clue: the vulnerable program crashes/restarts most of the time.
External Media
• Carried to the target system using external media, e.g. a USB stick.
• Clue: un-mounting the media usually fails.
E-mail Attachments
• Sent via e-mail attachment.
• Clues: grammatical/spelling mistakes, duplicate e-mails, attachments with a double extension or a wrong extension.
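Worked example added by the editor, not code from the talk: a small Python parser for the facts on the "Windows Executables" slide (the "MZ" stub, the PE signature, the entry point in the header, the DLL characteristic flag), used to check the attachment clues above (double extension, extension that does not match what the bytes really are). The sample PE headers are constructed inline and are not real binaries.

```python
import struct

IMAGE_FILE_DLL = 0x2000                        # COFF Characteristics bit set on DLL images
EXEC_EXTS = {"exe", "dll", "sys", "ocx", "scr", "drv"}

def pe_info(data: bytes):
    """Read the header facts the slide lists: 'MZ' stub, e_lfanew, 'PE\\0\\0' signature,
    COFF characteristics and AddressOfEntryPoint. Returns None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if len(data) < e_lfanew + 44 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsec, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x10b = PE32, 0x20b = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    return {"machine": machine, "sections": nsec, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "pe32plus": magic == 0x20B, "entry_rva": entry}

def build_pe(is_dll: bool, entry: int = 0x1000) -> bytes:
    """Constructed minimal PE32 header for this example (headers only, not a loadable file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # PE header right after DOS stub
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)           # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def attachment_clues(name: str, data: bytes) -> list:
    """Attachment clues from the Infection slide: double extension, and an extension
    that disagrees with what the bytes really are."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    clues = ["double extension"] if len(parts) > 2 else []
    info = pe_info(data)
    if info is None:
        if ext in EXEC_EXTS:
            clues.append("executable extension but no MZ/PE header")
    else:
        if ext not in EXEC_EXTS:
            clues.append("PE image disguised with ." + ext)
        if ext in {"exe", "dll", "ocx"} and info["is_dll"] != (ext != "exe"):
            clues.append("EXE/DLL flag does not match extension")
    return clues
```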
Persistence
Files
• Stored as files.
• Clues: cryptic file names, known file names in unexpected locations, misspelled file names.
Streams
• Data is stored as an NTFS alternate data stream.
• Clue: a pathname containing the ':' character.
Run & Hide
Hiding in plain sight (an entry in the process list)
• Unknown process name.
• Unexpected process.
• Process binary at an unusual location.
• Process with an unexpected user account/privilege.
Hiding deep inside (no entry in the process list)
• Unexpected library.
• Unusual usage of system resources.
• Re-appearance of some files after deletion.
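Added example, not from the talk: the "hiding in plain sight" checks above (known name in an unexpected location, unexpected account, misspelled/lookalike name, unknown binary started from a user folder) run in Python over a constructed process list of the kind Process Explorer shows. The baseline of known process locations and accounts and the 0.85 similarity threshold are assumptions made for the example.

```python
import ntpath
from difflib import SequenceMatcher

# Constructed baseline for the example: where well-known Windows processes normally live and
# which accounts run them (a real baseline would be taken from a known-clean machine).
KNOWN = {
    "svchost.exe":  (r"c:\windows\system32", {r"nt authority\system", r"nt authority\local service",
                                             r"nt authority\network service"}),
    "lsass.exe":    (r"c:\windows\system32", {r"nt authority\system"}),
    "csrss.exe":    (r"c:\windows\system32", {r"nt authority\system"}),
    "explorer.exe": (r"c:\windows", None),      # None: any interactive user is normal
}

def lookalike(name: str):
    """Known process name that this unknown name closely resembles (misspelled file name clue)."""
    for known in KNOWN:
        if name != known and SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None

def clues(proc: dict) -> list:
    """Apply the 'hiding in plain sight' checks from the slide to one process-list entry."""
    name, user = proc["name"].lower(), proc["user"].lower()
    folder = ntpath.dirname(proc["path"].lower())   # ntpath: Windows paths even on a Linux host
    out = []
    if name in KNOWN:
        expected_dir, expected_users = KNOWN[name]
        if folder != expected_dir:
            out.append("known name in unexpected location: " + proc["path"])
        if expected_users is not None and user not in expected_users:
            out.append("unexpected account for %s: %s" % (name, proc["user"]))
    else:
        hit = lookalike(name)
        if hit:
            out.append("lookalike of %s: %s" % (hit, name))
        elif folder.startswith(r"c:\users") or r"\temp" in folder:
            out.append("unknown process started from a user/temp folder: " + proc["path"])
    return out

# Constructed process list for the example, not captured from a real machine.
SAMPLE = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"name": "svchost.exe", "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "user": r"PC\bob"},
    {"name": "svch0st.exe", "path": r"C:\Windows\svch0st.exe", "user": r"PC\bob"},
    {"name": "updater.exe", "path": r"C:\Users\bob\AppData\Roaming\updater.exe", "user": r"PC\bob"},
]

def scan(procs=SAMPLE) -> dict:
    """Map each suspicious path to its clues; clean entries are left out."""
    return {p["path"]: c for p in procs if (c := clues(p))}
```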
Detection Difficulty
Layers: Hardware, Kernel, Device Driver, User Programs.
Sysinternals Tools
Sysinternals Suite:
• Autoruns
• ListDLLs
• Handle
• Process Explorer
• Process Monitor
• RootkitRevealer
• Strings
[Screenshot slides, one per tool: Autoruns, ListDLLs, Handle, Process Explorer, Process Monitor, RootkitRevealer, Strings]
Other Tools
• GMER
• Redline
• Kaspersky Virus Fighting Utilities
• TDSS Killer
• McAfee Stinger
• Sophos Anti-Rootkit
• Norton Power Eraser
• Trend Micro House Call
GMER
• By default downloads with a random file name.
• Similar to RootkitRevealer.
• More signatures and parameters to look into.
Redline
• Separate data collection and analysis system.
• Collector can run from removable media.
• Verifies against hashes of known-good modules.
• Reporting.
Take
• Antivirus is not enough.
• Understand.
• Be updated.
• Be paranoid.
• Don't trust.
• Protect.
• Backup.
The END
All the images, statistics, data belong to their respective owners (including me).