A Bestiary of Ugly Malware
A non-scientific survey of current day malicious software, as seen in the wild
Marion Marschalek | marion@0x1338.at | @pinkflawd
Software that steals your data
Software that destroys your data
Software that abuses your machine

Windows PE executables / DLLs
C/C++, Delphi, .NET, VisualBasic, Java
JavaScript
Word macros
PowerShell
Shellcode or commands in the Windows Registry

Packers and crypters
Installers
Binary formats
Compilers and compiler settings
Programming languages
Coding habits
Target platforms
Malware nature: benign, targeted, random

EP section name abnormal
EP section entropy too high/low
Use of TLS sections
API calls / KB ratio
Section count too low
Imphash missing
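The static heuristics above, as an added Python example that is not part of the talk: a stdlib-only PE32 reader that extracts the entry-point section name and entropy, the section count, and whether the TLS and import directories are present, then maps them onto the slide's flags. The section-name allow-list, the entropy bounds and the constructed sample image are assumptions, not values from the talk.

```python
import math
import struct
from collections import Counter

IMPORT_DIR, TLS_DIR = 1, 9  # data directory slots defined by the PE spec

def entropy(data):  # Shannon entropy in bits per byte
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(buf):
    """Pull the slide's static indicators out of a PE32 image held in memory (PE32+ not handled)."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0] if len(buf) >= 0x40 and buf[:2] == b"MZ" else -1
    if pe < 0 or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H", buf, pe + 6)[0], pe + 24          # COFF header, then optional header
    sec0, ep = opt + struct.unpack_from("<H", buf, pe + 20)[0], struct.unpack_from("<I", buf, opt + 16)[0]
    ndirs, dirs = struct.unpack_from("<I", buf, opt + 92)[0], opt + 96      # PE32 data-directory table
    present = lambda i: i < ndirs and struct.unpack_from("<II", buf, dirs + 8 * i) != (0, 0)
    ep_name, ep_entropy = None, None
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", buf, sec0 + 40 * i)
        if va <= ep < va + max(vsize, rsize):                               # entry point lives in this section
            ep_name = name.rstrip(b"\0").decode("latin-1")
            ep_entropy = entropy(buf[raw:raw + rsize])
    return {"ep_section": ep_name, "ep_entropy": ep_entropy, "sections": nsec,
            "tls": present(TLS_DIR), "imports": present(IMPORT_DIR)}

def flags(t):
    """Map the indicators onto the slide's heuristics; the name allow-list and entropy bounds are assumptions."""
    hits = []
    if t["ep_section"] not in (".text", "CODE", ".code"): hits.append("EP section name abnormal")
    if t["ep_entropy"] is None or not 1.0 <= t["ep_entropy"] <= 7.0: hits.append("EP section entropy too high/low")
    if t["tls"]: hits.append("use of TLS section")
    if t["sections"] < 3: hits.append("section count too low")
    if not t["imports"]: hits.append("imphash missing (no import table)")
    return hits

def build_sample_pe(ep_sec=b"UPX1", nsec=2, imports=False, tls=False, body=bytes(range(256)) * 2):
    """Constructed, non-executable PE32 skeleton used as offline sample input."""
    raw0 = (0x40 + 24 + 224 + 40 * nsec + 0x1FF) & ~0x1FF                   # file offset of the first section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1000); struct.pack_into("<I", opt, 92, 16)
    if imports: struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, 0x2000, 0x40)
    if tls: struct.pack_into("<II", opt, 96 + 8 * TLS_DIR, 0x2010, 0x18)
    secs = b"".join(struct.pack("<8sIIII16x", ep_sec if i == 0 else b".data", 0x200, 0x1000 * (i + 1), 0x200, raw0 + 0x200 * i) for i in range(nsec))
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x102)
    return (head + bytes(opt) + secs).ljust(raw0, b"\0") + body[:0x200].ljust(0x200, b"\0") + bytes(0x200 * (nsec - 1))
```

The default sample mimics a packed two-section file (UPX-style entry section, high entropy, no imports) and trips four of the flags; a four-section `.text` sample with an import table and low-entropy code bytes trips none.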
Registry interaction
Benign 54% - Targeted 55% - (Random 23%)
File system interaction
Benign 61% - Targeted 70% - (Random 34%)
MS CryptoAPI
Benign 5% - Targeted 2% - (Random <1%)
Windows hooks
Benign 5% - Targeted 31% - (Random 6%)
Windows image capture APIs
Benign 10% - Targeted 33% - (Random 13%)
Drivers are somewhat likely to be legitimate
Packed samples are somewhat likely to be malicious
Non-packed files are not necessarily benign
Targeted malware is more likely written in C++ than random malware
Malicious files are unlikely to use UI APIs
Targeted malware performs about as much Registry interaction as benign samples

Enumerate files on disk or network
Encrypt any or all of it
Place a ransom note

Written in C
Only 22KB big
Packed with UPX
Linear execution
Enumerates and encrypts file shares

Off-the-shelf malware, commercially available
Primary use: targeted espionage

All traits of standard malware
Multiple packer layers
Code injection into system processes for stealth
Persistence methods are not outstanding
Functionality is straightforward
No code obfuscation

Sniffing of clipboard data through the keylogger window, by installing a clipboard viewer to receive WM_DRAWCLIPBOARD messages
Download and execution of binaries via HTTP
Data exfiltration via FTP
Comes with a configuration file, encrypted with RC4, embedded in the .rsrc section

Logs keystrokes through an invisible window, placing a global hook

Compiled between 2007 and 2011
Registers as an icon handler shell extension for .lnk files
Shell in this case means the program manager
Server registration sets up a COM server
Objects being served perform the actual work
(Somewhat likely) written in pure C
"You can write one in C if you really want to, although that's a violation of the Geneva Convention on Programmer's Rights in most jurisdictions." – Unknown Stackoverflow user
OS version detection
Redundant code for different versions
Fine-grained decision making

Avoids keylogging, code injection or registry interaction when certain security software is present

Terminal services notification
Function arrays for execution flow obfuscation
Configuration data in queues
Massive amount of global variables, critical sections, pipes, etc. etc.

Diagram: init / SETUP / TEARDOWN function arrays, walked at fixed strides (+3, +3, +3 ... and +7, +7, +7 ...)
Search for index, specified by global variable
Load respective init/handler functions
Craft arguments
Call init, then handler

                 GPCode               XtremeRAT            CheshireCat
Development      Cheap                Fair                 Expensive
Motivation       Profit oriented      Potentially profit   Pretty sure not profit oriented
Stealth          Not at all stealthy  Trying               Super stealthy
Code             C, < 100KB, simple   C, < 100KB, simple   C, < 100KB, complex/careful
Packing          "Packed"             Packed!              Not packed
Distribution     Manual placement     E-Mail               N/A
Threat detection metrics are heavily built on known fragments, while aiming to find the largely unknown.

File hashes
File fragments
File behavior
File properties
System behavior
Network patterns
Abnormal system behavior
Abnormal network patterns
Known-bad
Non known-good
Known-bad origin
Non known-good origin

Threat evaluation vs. detection
Dynamic patterns, packer detection, functionality detection
Custom encryption algorithms / obfuscation
Custom evasion, persistence
APT research: binary similarity is nice, authorship similarity would be more interesting
Threat detection vs. threat development ratio trouble