malware analysis
play

Malware analysis Carberp Ralph Dolmans Wouter Katz Research - PowerPoint PPT Presentation

Jan 15, 2023 •600 likes •882 views

Malware analysis Carberp Ralph Dolmans Wouter Katz Research questions What kind of anti-forensics techniques are being used by the latest version of Carberp? What behavior does the latest version of Carberp show? Installation

  1. Malware analysis Carberp Ralph Dolmans Wouter Katz

  2. Research questions ● What kind of anti-forensics techniques are being used by the latest version of Carberp? ● What behavior does the latest version of Carberp show? – Installation – Run-time – C&C 2

  3. E-banking malware ● Steals your money ● Fake forms (HTML injection), Key logging, browser API hooks, … ● Big players: Citadel, ZeuS, SpyEye, Carberp 3

  4. Carberp - General behavior ● MITB for e-banking 4 http://malware-security-dinesh.blogspot.nl

  5. Carberp - General behavior ● VNC ● Video recording ● Extra plugins (passw.plug, stopav.plug, miniav.plug) 5

  6. Installation ● Startup folder ● Windows service (svchost.exe) ● Contacts C&C server for updates/instructions 6

  7. Anti-forensics ● Techniques used as countermeasures to forensic analysis ● In our malware sample, data hiding by means of: – Packing of the executable – Encryption of network traffic – Encryption of config files 7

  8. Executable packing ● Uses small loader to unpack the 'real' executable 8

  9. Executable packing ● How to obtain unpacked code? ● Run the executable, dump unpacked code from memory. ● Unpacked code contains references to Russian e-banking websites, VNC, password grabber, ... 9

  10. API hooks ● GMER showed 4 hooks in ntdll.dll: – ntdll.dll!NtResumeThread – ntdll.dll!NtQueryDirectoryFile – ntdll.dll!NtClose – ntdll.dll!NtDeviceIoControlFile 10

  11. API hook behavior ● How to determine what it does? 11

  12. API hook behavior ● How to determine what it does? 12

  13. Memory injection Explorer.exe Notepad.exe 1. Explorer.exe spawns notepad.exe 13

  14. Memory injection Explorer.exe Notepad.exe 1. Explorer.exe spawns notepad.exe 2. Loads ntdll.dll 3. Returns control to parent process 14

  15. Memory injection Explorer.exe Notepad.exe 1. Explorer.exe spawns notepad.exe 2. Loads ntdll.dll 3. Returns control to parent process 4. Calls NtResumeThread: Map memory region in notepad.exe Copy malicious code to notepad.exe Queue malicious code for execution Call 'real' NtResumeThread 15

  16. Memory injection Explorer.exe Notepad.exe 1. Explorer.exe spawns notepad.exe 2. Loads ntdll.dll 3. Returns control to parent process 4. Calls NtResumeThread: Map memory region in notepad.exe Copy malicious code to notepad.exe Queue malicious code for execution Call 'real' NtResumeThread 5. Run while being infected. 16

  17. Hiding files ● ntdll.dll!NtQueryDirectoryFile ● Debugger made clear this hook is for hiding files ● Hidden directory in C:\Documents and Settings\All Users\Application Data 17

  18. Config file encryption ● mnhslst32.dat in hidden directory ● Assembly decryption routine found, implemented in python script ● Key found while debugging decryption routine: HJGsdlk873d 18

  19. Config file encryption ● XOR each plaintext byte with every key byte ● Before each XOR operation: – XOR input = Previous XOR output + (XOR round * plaintext byte position in line) 1st byte: normal 2nd byte input: +1 for round 2, +2 for round 3, … 3rd byte input: +2 for round 2, +4 for round 3, … …. 19

  20. Config file encryption ● Strings in config file: – 696301E9F82608F7EC3CB37D2F44663C – 696301E9F82608F7EC3CB37D30046D2DA9 – 696301E9F82608F7EC3CB37D33046D2DA9 ● Plaintext: – defeatswirly.net – defeatswirly1.net – defeatswirly2.net 20

  21. Network encryption ● Trojan sends HTTP requests to C&C ● All POST-data is encrypted ● Use debugging of the exe to find out how... 21

  22. Network encryption ● Step through the code to find encryption algorithm ● Encrypted network traffic: – 8 byte IV, split into 2 x 4 bytes – 1st part IV+base64(RC2(plaintext))+2nd part IV – '=' or '==' in base64 always at the end ● RC2 encryption key = CD5ztnj3W1wgSH2M 22

  23. Network encryption, example ● HylFFl7RmWrgu4r40KdlP4t53IoM3AEGzKJiTa obwr4ex8WAfW59Oh6yNzlcn4RKSWCwT68Ih PRPMJmEqm0NhqbGFAIDcu== – IV = HylFIDcu ● Plaintext: – uid=a022A7D5C91DCED15F&av=&md5=a574fc3d 97149bcbf8bdccd5a8a73951 23

  24. Data theft ● Several Russian banks targeted ● Browser API hooks to check if bank site is accessed ● Send CAB file with screenshot and keylog-file to C&C – Network traffic unencrypted 24

  25. CAB file 25

  26. Conclusions ● Hiding files ● Memory injection ● Encryption ● Tries to steal information 26

  27. Questions? 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide Balzarotti ACSAC, Orlando, Florida, 3-7 December 2012 Malware Analysis Scenario Analysis based on Sandboxes (API Hooking, Emulation)

798 views • 23 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim Boojoong Kang Eul Gyu Im Presented by Ruikai Zheng CISC850 Cyber Analytics 1.Introduction Malware variants developed using automated tools

206 views • 20 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
Pictures to Exe Version 6.5 Creating a Basic A/V presentation Setting the Project Options. Main

Pictures to Exe Version 6.5 Creating a Basic A/V presentation Setting the Project Options. Main

Morriston Camera Club Pictures to Exe Version 6.5 Creating a Basic A/V presentation Setting the Project Options. Main Ensure Synchronize music and slides is checked, and set the time interval to 5secs. Screen set the aspect ratio as

470 views • 28 slides
Logitec tech Presentation Software Silent Insta stallation Guide for Windows ws Introduction

Logitec tech Presentation Software Silent Insta stallation Guide for Windows ws Introduction

Logitec tech Presentation Software Silent Insta stallation Guide for Windows ws Introduction Logitech Presentation software are lets you configure and control the Spotligh ight Presentation Remote, and can be installed r d remotely and

196 views • 3 slides
Thrive Montgomery 2050 An update on the progress made since May 2019. Thrive Montgomery 2050

Thrive Montgomery 2050 An update on the progress made since May 2019. Thrive Montgomery 2050

Montgomery Planning 11/7/2019 Thrive Montgomery 2050 An update on the progress made since May 2019. Thrive Montgomery 2050 Update 11/7/2019 1 Outreach + Engagement Leading to the Draft Plan PREPARE EXCITE EDU DUCATE ENGAGE Plan for or

406 views • 26 slides
RECRUITMENT PROPOSAL for OUTLINE About Us Why Fortexe Recruitment Method Account

RECRUITMENT PROPOSAL for OUTLINE About Us Why Fortexe Recruitment Method Account

Local recruiting through an International Platform RECRUITMENT PROPOSAL for OUTLINE About Us Why Fortexe Recruitment Method Account Manager Code of Conduct Fees ABOUT US Industry leader in providing talent-focused

349 views • 10 slides
POSITIONED FOR EXCEPTIONAL GROWTH MINERAL COMMODITIES LTD INVESTOR PRESENTATION SEPTEMBER 2018

POSITIONED FOR EXCEPTIONAL GROWTH MINERAL COMMODITIES LTD INVESTOR PRESENTATION SEPTEMBER 2018

POSITIONED FOR EXCEPTIONAL GROWTH MINERAL COMMODITIES LTD INVESTOR PRESENTATION SEPTEMBER 2018 ASX: MRC | www.mineralcommodities.com DISCLAIMER AND COMPETENT PERSON STATEMENT disseminate any updates or revisions to any forward looking

506 views • 28 slides
Debunking paradigms in estuarine fish species richness Adam Waugh 1,2* , Michael Elliott 2 ,

Debunking paradigms in estuarine fish species richness Adam Waugh 1,2* , Michael Elliott 2 ,

Debunking paradigms in estuarine fish species richness Adam Waugh 1,2* , Michael Elliott 2 , Anita Franco 2 1. Environment Agency, Kingfisher House, Orton Way, Peterborough, PE2 5ZR 2. Institute of Estuarine & Coastal Studies, University of

291 views • 12 slides
Exe Rail Progress Report February 2017 Marsh Barton Station Construction delayed due to the

Exe Rail Progress Report February 2017 Marsh Barton Station Construction delayed due to the

Exe Rail Progress Report February 2017 Marsh Barton Station Construction delayed due to the need to revise designs to meet changing Network Rail standards. Likely to have an impact on scheme cost but this is yet to be fully

604 views • 12 slides

More recommend