FIT5124 Advanced Topics in Security, Lecture 9: Malware



  1. FIT5124 Advanced Topics in Security
     Lecture 9: Malware – Functionality and Analysis Techniques
     Ron Steinfeld, Clayton School of IT, Monash University, April 2015
     Ron Steinfeld, FIT5124 Advanced Topics in Security, Lecture 9: Malware – Functionality and Analysis Techniques, Mar 2014, 1/29

  2. Malware – Functionality and Analysis Techniques
     Today: a look at malware functionality and at techniques for analysing malware.
     Plan for this lecture:
     - Malware functionality:
       - Common malware function overview: backdoors, credential stealers, persistence mechanisms, covert methods
       - A look at common covert techniques:
         - Covert code execution (launchers): process injection, process hiding
         - Covert data interception: hook injection
     - Malware analysis techniques and tools:
       - Malware behaviour analysis
       - Malware code analysis
       - Anti-analysis techniques

  3. Malware Functionality
     Malware comes in various flavours, depending on the attacker’s goal. We mention a few common types.
     - Backdoor: allows the attacker to remotely access the target machine.
       - Usually communicates with the attacker over HTTP (port 80).
       - Often supports many OS functions (e.g. enumerate displayed windows, create/open files, ...).
       - Other variants:
         - Reverse shell connections: provide the attacker with full shell access to the target machine (e.g. use netcat to remotely run cmd.exe).
         - Remote Administration Tools (RATs), e.g. Poison Ivy
         - Botnets

  4. Malware Functionality
     - Credential stealers:
       - Hash dumping (e.g. pwdump)
       - Keystroke logging:
         - Kernel-based keylogging: modify the keyboard driver of the OS
         - User-space keylogging: use Windows API services

  5. Malware Functionality
     Common types of malware functionality (cont.)
     - Persistence mechanisms:
       - Modify the Windows Registry (e.g. HKEY_LOCAL_MACHINE, the global settings section (key) of the registry).
       - Modify Dynamic Link Libraries (DLLs): add malicious code to an empty part of the DLL, then jump back to the original code.

  6. Malware Functionality
     Common types of malware functionality (cont.)
     - Covert techniques (‘rootkit’ techniques): hiding the existence and actions of attacker code:
       - Process hiding
       - Process injection

  7. Malware Functionality – Covert Techniques
     Covert Code Execution: Process Hiding
     Windows OS background:
     - Dynamic Link Libraries (DLLs) contain executable code (like .exe files), but can be shared among processes.
     - Typical memory map of a Windows process: (figure not reproduced in this transcript)
     - The Process Environment Block (PEB) stores information on the location of items like DLLs, heaps, ...

  8. Malware Functionality – Covert Techniques
     Covert Code Execution: Process Hiding
     Hiding DLLs via unlinking the DLL list:
     - The PEB contains 3 linked lists of loaded DLLs.
     - Standard Windows system calls/utilities (e.g. listdlls) use those lists.
     - Idea: the attacker unlinks the list entry for the attacker’s DLL, so list walkers skip it.
     - Countermeasure: the Volatility tool can find a trace of the unlinked DLL from the kernel table (which is harder to modify).
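To make the countermeasure on this slide concrete, here is an added toy model (not part of the lecture, and not Volatility's code) of the PEB's doubly-linked module list and of the cross-view check a memory-forensics tool performs: the user-mode list is compared against an independent kernel-side record of mapped modules, and anything present only on the kernel side is reported. The `ListEntry`/`ModuleList` names, the flat dictionary standing in for the kernel's view, and the sample module names and base addresses are all simplifications constructed for this illustration.

```python
# Added illustration, not from the lecture slides: a simplified model of the
# PEB_LDR_DATA module list (LIST_ENTRY-style Flink/Blink nodes) and of the
# cross-view detection that finds a DLL unlinked from that list.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ListEntry:
    """One loaded-module record with forward/backward links (assumed layout)."""
    name: str
    base: int
    flink: Optional["ListEntry"] = None
    blink: Optional["ListEntry"] = None


class ModuleList:
    """Circular doubly-linked list with a sentinel head, as the PEB lists are."""

    def __init__(self) -> None:
        self.head = ListEntry("<head>", 0)
        self.head.flink = self.head.blink = self.head

    def append(self, entry: ListEntry) -> None:
        last = self.head.blink
        last.flink = entry
        entry.blink = last
        entry.flink = self.head
        self.head.blink = entry

    def unlink(self, name: str) -> bool:
        """Splice one entry out of the list. The module stays mapped in memory;
        only the list no longer reaches it, which is exactly what makes a
        list-walking tool such as listdlls miss it."""
        node = self.head.flink
        while node is not self.head:
            if node.name == name:
                node.blink.flink = node.flink
                node.flink.blink = node.blink
                return True
            node = node.flink
        return False

    def walk(self) -> list:
        """What a user-mode list walker sees."""
        names = []
        node = self.head.flink
        while node is not self.head:
            names.append(node.name)
            node = node.flink
        return names


def build_process(modules):
    """Return (PEB view, kernel view) for a constructed process.
    The kernel view stands in for the kernel's own record of mapped regions,
    which a user-mode unlink does not touch."""
    peb = ModuleList()
    kernel_view = {}
    for name, base in modules:
        peb.append(ListEntry(name, base))
        kernel_view[base] = name
    return peb, kernel_view


def cross_view_hidden_modules(peb: ModuleList, kernel_view: dict) -> list:
    """Cross-view check: modules the kernel knows about but the PEB list omits."""
    visible = set(peb.walk())
    return sorted(name for name in kernel_view.values() if name not in visible)


def demo() -> list:
    """Constructed scenario: three modules loaded, one then unlinked."""
    peb, kernel_view = build_process(
        [("ntdll.dll", 0x7FF0_0000), ("kernel32.dll", 0x7FE0_0000), ("hidden.dll", 0x1000_0000)]
    )
    peb.unlink("hidden.dll")
    return cross_view_hidden_modules(peb, kernel_view)


if __name__ == "__main__":
    print("hidden modules found by cross-view check:", demo())
```

The point of the exercise is the asymmetry: the unlink costs the attacker three pointer writes in user space, while the kernel's record of the mapping is untouched, so the detector only has to diff two views rather than trust either one.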

  9. Malware Functionality – Covert Techniques
     Covert Code Execution: Process Injection
     - Often, security software (such as firewalls) blocks access to resources (e.g. Internet access) except from authorised processes.
     - Q: How can a malicious process gain access to a blocked resource?
     - Possible A: Process injection – the malicious process injects code into an authorised process.

  10. Malware Functionality – Covert Techniques
      Covert Code Execution: Process Injection (cont.)
      Several known variants of process injection:
      - DLL injection: the malware DLL exists on disk; get the target process to load it (e.g. using the Windows LoadLibrary API call).
      - Direct injection: malware code is written directly into the target process memory and executed within the target.
      - Reflective DLL injection: the malware DLL is written directly into the target process memory (no Windows loader API call).
      - Process replacement/hollowing: the malicious process starts a new instance of a legitimate target process and replaces the target code with malware code.

  11. Malware Functionality – Covert Techniques
      DLL injection: the malware DLL exists on disk; malware process A gets target process B to run it.
      Outline of an example implementation of process A in Windows:
      1. Enable the debug privilege (SE_DEBUG_PRIVILEGE): gives A the right to read and write process B’s memory.
      2. Open a handle to process B (OpenProcess): the handle is used for the subsequent read/write operations on process B.
      3. Allocate memory inside process B for the malicious DLL’s path (VirtualAllocEx).
      4. Write the path Malpath of the malicious DLL on disk into process B (WriteProcessMemory).
      5. Start a new thread in process B that loads the malicious DLL into memory (CreateRemoteThread): pass CreateRemoteThread a pointer to the LoadLibrary function, with a pointer to Malpath as its argument.
      6. After the malicious DLL is loaded, Windows automatically runs its DllMain function – malicious code!

  12. Malware Functionality – Covert Techniques
      DLL injection: the malware DLL exists on disk; malware process A gets target process B to load it using a Windows API call (e.g. LoadLibrary).
      Example Windows implementation code for process A: (code listing not reproduced in this transcript)

  13. Malware Functionality – Covert Techniques
      - Direct injection: malware code is written directly into the target process memory and executed within the target. Similar implementation to DLL injection, except that process A copies the malicious code itself into process B and runs it with CreateRemoteThread.
      - Reflective DLL injection: a hybrid of DLL and direct injection.

  14. Malware Functionality – Covert Techniques
      DLL/direct injection is tricky to implement without crashing the target process.
      Alternative – process replacement/hollowing: malicious process A starts a new instance of a legitimate target process B and replaces the target code with malware code.
      Outline of an example implementation of process A in Windows:
      1. Create an instance of process B in suspended execution mode (CreateProcess with the CREATE_SUSPENDED argument).
      2. Release the memory used by process B’s headers/code (ZwUnmapViewOfSection).
      3. Allocate the above memory in process B for the malicious headers/code (VirtualAllocEx).
      4. Write the malicious headers/code into process B (WriteProcessMemory).
      5. Set the start address of the suspended process B thread to the start of the malicious code (SetThreadContext).
      6. Resume the suspended thread of process B (ResumeThread) – run malicious code!

  15. Malware Functionality – Covert Techniques
      Process replacement/hollowing: malicious process A starts a new instance of a legitimate target process B and replaces the target code with malware code.
      Example Windows implementation code for process A: (code listing not reproduced in this transcript)

  16. Malware Functionality – Covert Techniques
      Covert Data Interception: Hook Injection
      - Uses Windows hooks to intercept messages from Windows triggered by certain events (e.g. keystrokes).

  17. Malware Functionality – Covert Techniques
      Covert Data Interception: Hook Injection
      Hooks are usually implemented in Windows with the SetWindowsHookEx function, which has 4 parameters:
      - idHook: type of hook procedure, e.g. WH_CBT for keyboard/mouse events.
      - lpfn: pointer to the hook procedure.
      - hMod: handle to the DLL containing the hook procedure.
      - dwThreadId: identifier of the thread associated with the hook (if set to 0, all threads running in the same desktop!).

  18. Malware Functionality – Covert Techniques
      Covert Data Interception: Hook Injection
      Example SetWindowsHookEx call in assembly: (listing not reproduced in this transcript)
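Slides 9 to 17 describe three covert techniques purely as sequences of Windows API calls (the injection sequence on slide 11, the hollowing sequence on slide 14, and the global hook on slide 17), and the lecture plan lists malware behaviour analysis as the matching analysis technique. The following added example (not from the lecture, and not the code of any real sandbox) turns those sequences into behaviour-analysis rules run over an API-call trace. The trace format (`key=value` pairs, one call per line, in time order), the sample process names and PIDs, and the field names are all constructed for this illustration; only the API names and their ordering come from the slides.

```python
# Added example, not part of the lecture: behaviour-analysis rules that match
# the API-call sequences the slides describe, applied to a constructed trace
# of the kind an API monitor or sandbox would record.
import re
from collections import defaultdict

# Constructed sample trace. Line format (an assumption for this example):
# "pid=<caller> proc=<image> api=<call> [target_pid=<pid>] [extra=value ...]"
# In Python's non-raw string "\\" encodes one backslash in the path below.
SAMPLE_TRACE = """\
pid=4001 proc=updater.exe api=OpenProcess target_pid=4002
pid=4001 proc=updater.exe api=VirtualAllocEx target_pid=4002 size=260
pid=4001 proc=updater.exe api=WriteProcessMemory target_pid=4002 size=28
pid=4001 proc=updater.exe api=CreateRemoteThread target_pid=4002 start=LoadLibraryA
pid=5001 proc=dropper.exe api=CreateProcess image=svchost.exe flags=CREATE_SUSPENDED target_pid=5002
pid=5001 proc=dropper.exe api=ZwUnmapViewOfSection target_pid=5002
pid=5001 proc=dropper.exe api=VirtualAllocEx target_pid=5002 size=65536
pid=5001 proc=dropper.exe api=WriteProcessMemory target_pid=5002 size=65536
pid=5001 proc=dropper.exe api=SetThreadContext target_pid=5002
pid=5001 proc=dropper.exe api=ResumeThread target_pid=5002
pid=6001 proc=helper.exe api=SetWindowsHookEx idHook=WH_KEYBOARD hMod=C:\\Users\\Public\\h.dll dwThreadId=0
pid=7001 proc=debugger.exe api=OpenProcess target_pid=7002
pid=7001 proc=debugger.exe api=ReadProcessMemory target_pid=7002 size=4096
"""


def parse_trace(text: str) -> list:
    """Turn each non-empty trace line into a dict of its key=value fields."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]


def has_ordered_subsequence(events: list, steps: list) -> bool:
    """True if the steps occur in order (not necessarily adjacent) in events.
    Each step is (api_name, predicate_or_None) on the event dict."""
    i = 0
    for ev in events:
        api, pred = steps[i]
        if ev.get("api") == api and (pred is None or pred(ev)):
            i += 1
            if i == len(steps):
                return True
    return False


# Cross-process rules, keyed on (caller pid, target pid). The step lists are
# the call sequences from the DLL-injection and process-hollowing slides.
CROSS_PROCESS_RULES = {
    "dll_injection": [
        ("OpenProcess", None),
        ("VirtualAllocEx", None),
        ("WriteProcessMemory", None),
        ("CreateRemoteThread", lambda e: e.get("start", "").startswith("LoadLibrary")),
    ],
    "process_hollowing": [
        ("CreateProcess", lambda e: "CREATE_SUSPENDED" in e.get("flags", "")),
        ("ZwUnmapViewOfSection", None),
        ("WriteProcessMemory", None),
        ("SetThreadContext", None),
        ("ResumeThread", None),
    ],
}


def detect(events: list) -> list:
    """Return (rule, process, pid, detail) tuples for every matched behaviour."""
    findings = []
    by_pair = defaultdict(list)
    for ev in events:
        if "target_pid" in ev:
            by_pair[(ev["pid"], ev["target_pid"])].append(ev)
    for (pid, target), evs in by_pair.items():
        for rule, steps in CROSS_PROCESS_RULES.items():
            if has_ordered_subsequence(evs, steps):
                findings.append((rule, evs[0]["proc"], pid, target))
    # Hook rule: dwThreadId=0 installs the hook procedure for every thread on
    # the desktop, so the hook DLL's path is the detail worth recording.
    for ev in events:
        if ev.get("api") == "SetWindowsHookEx" and ev.get("dwThreadId") == "0":
            findings.append(("global_hook:" + ev.get("idHook", "?"),
                             ev["proc"], ev["pid"], ev.get("hMod", "?")))
    return findings


def analyse(text: str) -> list:
    return detect(parse_trace(text))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print(*finding)
```

Two design points carry over to real tooling. First, the rules key on the (caller, target) pair and require the full ordered sequence, which is why the debugger-like process at the end of the trace (OpenProcess followed by ReadProcessMemory only) produces no finding. Second, the hollowing rule anchors on the CREATE_SUSPENDED flag rather than on the write alone, because writing into a child you just created is common for legitimate loaders, whereas unmapping the child's image and redirecting its start thread is not.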
