Owning Command and Control: Reverse Engineering Malware. Risk Mitigators

Transcription

1 Owning Command and Control: Reverse Engineering Malware

2 Agenda 1- About Synapse-labs a) Bio's b) Synapse-labs 2- Debuggers (Immunity & OllyDBG) 3- Assembler Primer 4- PE (Portable Executable) Structure 5- IAT (Import Address Table) 6- Packers (Upx) 7- Manually bypassing Anti-debug techniques 8- Process injection 9- Reversing The Malware Specimen (covers all above) A- Tools used in this presentation B- Conclusion

3 About Synapse-labs Biography: Sofiane Talmat (Algeria): - Founder of Synapse-labs - OSCP Ehab Hussein (Egypt): - Co-Founder of synapse-labs - Operations Network Security Manager at Tedata Carlos Mario (Colombia): - Co-Founder of synapse-labs - OSCE

4 About Synapse-labs Synapse Services Penetration Testing & Security Audits & Incident Response Software Quality Assurance & Security Testing Malware Analysis & Infection Detection Log Analysis & Reporting

5 About Synapse-labs Reversing and Exploitation Level Audit and Penetration Test Coming soon

6 Debuggers Demo Walk Through Immunity debugger Interface

7 Debuggers Demo Walk Through OllyDBG Interface

8 Assembler Primer General purpose Registers: Eax : accumulator Reg storing return values Ebx : Base Reg can be used as a pointer to memory addresses Ecx : Counter Reg used in loop iterations Edx : Data Reg I/O port access,arithmetic, some interrupt calls( An interrupt is a special type of signal that is sent to the processor)

9 Assembler Primer Index Registers: Esi: Source index register Edi: Destination index register Are used to copy a block from a location to another or you can compare for instance two strings.

10 Assembler Primer Segment Registers: * Segmentation involves composing a memory address from two parts, a segment and an offset.the segment points to the beginning of a 64 KB group of addresses and the offset determines how far from this beginning address the desired address CS Code segment DS Data segment SS Stack segment ES Extra segment Example: Segment:offset Mov eax, DS:offset mystring

11 Assembler Primer Pointer Registers: ESP - Stack pointer points to the top of the stack. EBP - Base pointer points to a specific location in the stack. EIP - Instruction pointer pointer to the next address to be executed.

12 Assembler Primer Flags: OF: Overflow Flag : indicates an overflow when set DF: Direction Flag : used for string operations to check direction SF: Sign Flag : if set, resulting number of calculation is negative ZF: Zero Flag : if set, resulting number of calculation is zero CF: Carry Flag : used to indicate when an arithmetic carry or borrow has been generated out of the most significant ALU bit position

13 Assembler Primer Masm32: * * * * * Microsoft Macro Assembler Makes Assembler As Easy As C programming the code is readable and maintainable Can Access the Windows API Functions The Sky is the Limit

14 Assembler Primer Masm32 Template:.386 ; processor arch 386, 486,586,686.model flat,stdcall ; How you call your arguments right to left option casemap:none ; not case sensitive ; include libraries include \masm32\include\windows.inc include \masm32\include\kernel32.inc includelib \masm32\lib\kernel32.lib include \masm32\include\user32.inc includelib \masm32\lib\user32.lib include \masm32\include\masm32.inc includelib \masm32\lib\masm32.lib.data ; the data section of initialized variables Mystring db Hello World, synapse,0.data? ; uninitialized variables Buffer db 100 dup (?).const ; constant variables BUFFER_SIZE equ 1024.code ; code section or refered to as.text start: ;Your code goes here! Invoke MessageBox,NULL,addr Mystring,addr Mystring,MB_OK jmp hello PUSHAD hello: mov ecx,buffer_size end start

15 PE Structure Defined in WinNT.h MZ (0x54AD) "This program cannot be run in DOS mode" IMAGE_NT_HEADER : Primary location where specifics of the PE file are stored. PE File Signature: Value 0x (PE00) IMAGE_FILE_HEADER: It contains some basic information about the file and a field describing the size of the optional data that follows it. IMAGE_OPTIONAL_HEADER: The address book for important locations within the executable. IMAGE_SECTION_HEADER: Arrays of IMAGE_SECTION_HEADER. Provides information about its associated section, including location, length, characteristics.

16 IAT ( Import Address Table) lists the functions in the Windows application programming interface (API) in alphabetical order

17 UPX Packer Packers: 1) Designed to compress executable code 2) Hide the presence of malware from antivirus scanners 3) Makes the life of a Reverse Engineer harder (NOT!).

18 UPX Packer Before

19 UPX Packer After

20 Unpack UPX Unpacking UPX Manually Demo: Demo How to bypass & unpack UPX in Ollydbg, rebuild IAT with IMPRec. Check the Malware Specimens/Specimen 1 folder

21 Anti-Debugging Techniques IsDebuggerPresent() (WinApi Function): Determines whether the calling process is being debugged. RDTSC : Read Time stamp counter, an instruction to access the CPU cycles counter. BlockInput : Blocks keyboard and mouse input events from reaching applications. TLS CallBacks (Thread Local Storage) : used for calling code execution before and after main application code execution. (thanks to ap0x from headcoders.net for the lovely example) Spoofing Packer Signatures : Used to mislead a reverse engineer into thinking that the executable is packed. * There Are many more types of anti-debugging techniques.

22 Anti-debug bybass Anti-Debugging Technique Demo: Demo: How to bypass anti debugging techniques in immunity and OLLYdbg. *Check AntiDebug Folder

23 Process Injection Demo Process Injection. Check the process injection folder

24 Reversing Malware Specimen Demo Reversing malware specimen. Check the Malware Specimens/Specimen 2 folder

25 Tools Used 1) Masm32 2) Immunity Debugger & Ollydbg with ollydump plugin + ollyadvanced 3) PEID 4) ImpRec 5) UPX 6) Beesa Process injector 7) Brain and patience

26 Conclusions Do not delete malware that you receive in your inbox. Now you know how valuable it is!!!!

27 Thanks...! For More Information checkout : Find us on Twitter Find us on FaceBook: For The complete presentation, video demos and tools goto: