
Malware

Getting Your Hands Dirty

Christopher Low
CISSP, GSEC, OPST, OPSA, CCSE, TCI

ThinkSECURE
www.securitystartshere.net

About
• Chief Technology Officer, ThinkSECURE
• Over 8 years of security experience, both in government as well as private sector
• Last 4 years have focused on IT security training & certification programs
• ThinkSECURE
  - Leading IT Security & Certification Entity
  - Flagship certification programs include:
    - OSWiSP – Open Source Wireless Integration Security Professional
    - OSSA – Open Source Security Analyst
    - AIRRAID – Asia’s first wireless hacking tournament
Scope
• What are we going to run through
  - Different categories of malware
  - Infection modes
  - Malware analysis on Windows
  - Malware removal on Windows
  - Prevention strategies
• We’re not going there
  - How to use antivirus / antispyware etc
  - Malware analysis / removal on other platforms
  - How to write malware

Introduction

Introduction

We’ll look at the following:

- Definition
- Threats
- Categories
- Infection Modes

Introduction
Definition

Malware

“Malicious software”; a generic term covering a range of software programs and types of programs designed to attack, degrade or prevent the intended use of an ICT or network.

Types of malware can include viruses, worms, Trojans, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or the theft of identity, software that passively observes the use of a computer is also malware (“spyware”).”
Introduction
Malicious Software

• Virus
  - Computer program which replicates itself (sometimes evolving itself) through infecting file / system area
• Worm
  - Standalone program which replicates itself automatically through the network. Usually does not require user activation
• Trojan
  - Computer program with a hidden “malicious” intent, usually disguised with a “sexy” frontend

Introduction
Malicious Software

• Keylogger
  - Program which captures keystrokes
• Adware / Spyware
  - Software program in which advertising banners are displayed while the program is running; it usually includes code that tracks a user's personal information and passes it on to third parties – thus spyware
• Rootkit
  - Special class of code which attempts to hide itself from prying eyes by modifying different parts of the operating system
Introduction

Number of Viruses/Worms documented by Symantec
“extracted from Symantec Threat Report”

Introduction

Number of DOS Attacks documented by Symantec
“extracted from Symantec Threat Report”

Introduction

Number of New Bot Variants documented by Symantec
“extracted from Symantec Threat Report”

Introduction

Average Number of Days to patch release
“extracted from Symantec Threat Report”
Introduction
Threats to end users

• Nuisance / Annoyance
• Propaganda – religious / political
• Bandwidth / resource utilization (Bots & Botnet)
• Denial of Service
• Privacy Invasion
• Information theft / alteration / destruction
• Spam relays
• Malicious code for profit – recent new trend
  - Adware download fee
  - Botnet for hire
  - Extortion
Introduction
Infection Modes

• Boot Record Infection
• File Infection
  - Email
  - P2P
  - IM
• Network infection
  - Web browsing
  - Known exploits
  - No / Weak authentication access
  - Backdoors
  - Explicit / Implicit Trust

Malicious Code Analysis

Malicious Code Analysis
We’ll look at the following:

- Symptoms
- Their Hiding Place / Identification
- Dead Code Analysis
- Live Code Analysis


Malicious Code Analysis
Symptoms

- AV / Antispyware notification
- Unknown error messages
- System stops working / reboots spontaneously
- Slow / No network connectivity
- System exhibits strange behavior
  - Browser homepage – hijacked
  - Strange “advertisements” popping up
  - Strange network connections
  - AV stops functioning
  - Several “troubleshooting” utilities stop functioning, e.g. Task Manager, Registry Editor etc
Malicious Code Analysis
Their Hiding Place

- Do you know where to find them?

Identification

- Can you recognize them if you find them?
- Where do you look for them?

Malicious Code Analysis
Step 1

• They need to “run”
  - For Windows XP and later systems
    - Prefetch is added to improve application launch
    - Found in %SYSTEMROOT%\Prefetch
    - Controlled by a registry key
    - Gives an idea on what applications are executed

DEMO !!
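The Prefetch evidence the slide points at can be read without a GUI tool. The following parser is an added example (not from the slides or from any Sysinternals / windows-ir tool) that decodes the .pf header fields an analyst cares about: executable name, run count and last run time. It assumes the documented header layouts for format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.x); the sample headers it builds are constructed, not real files.

```python
"""Reads the header of a Windows Prefetch (.pf) file: which executable ran,
how many times, and when. Layouts: 17 = XP/2003, 23 = Vista/7, 26 = Win8.x.
Windows 10 .pf files are MAM-compressed and are not handled here."""
import struct
from datetime import datetime, timedelta, timezone

# Header offsets of (last run FILETIME, run count) for each format version
LAYOUTS = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_FILETIME = 127806446450000000  # constructed: 2006-01-02 03:04:05 UTC

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return name, format version, run count and last run time of a .pf header."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError("unsupported prefetch format version %d" % version)
    time_off, count_off = LAYOUTS[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated prefetch header")
    # 60-byte UTF-16LE field at 0x10 holds the NUL-terminated executable name
    name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    last_run = struct.unpack_from("<Q", data, time_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"name": name, "version": version, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def recent_runs(headers):
    """Most recently executed program first, as an analyst would list them."""
    return sorted((parse_prefetch(d) for d in headers),
                  key=lambda h: h["last_run"], reverse=True)

def build_sample(name, version, filetime, run_count, size=0x100):
    """Constructed .pf header (not a real file) used to exercise the parser."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, size)
    buf[0x10:0x10 + 2 * len(name)] = name.encode("utf-16-le")
    time_off, count_off = LAYOUTS[version]
    struct.pack_into("<Q", buf, time_off, filetime)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)
```

On a live system, feed `recent_runs` the bytes of every `.pf` file in %SYSTEMROOT%\Prefetch; a program that ran once, recently, from an odd location is the kind of entry Step 2 and Step 4 then follow up.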
Malicious Code Analysis
Step 2

• They need to “stay” somewhere
  - Common place
    - %SYSTEMROOT%
    - %SYSTEMDIRECTORY%
  - Find them by MAC time
    - dir /o:d /t:c
    - dir /o:d /t:a
    - dir /o:d /t:w

DEMO !!

Malicious Code Analysis
Step 3

• They need to “talk”
  - openports / netstat -an to identify “strange” connections
  - Take note of suspicious files / directories
  - Might need to disconnect machine from network

DEMO !!
Malicious Code Analysis
Step 4

• They need to “start” somewhere
  - Common place
    - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    - http://www.silentrunners.org/sr_launchpoints.html
    - AutoRuns – www.sysinternals.com

DEMO !!

Malicious Code Analysis
Dead Code Analysis

- How do you know they’re bad?
- How do you find out about them?
Malicious Code Analysis
Step 5

• They need to be “signed” right
  - Publishers of software usually “sign” their code
    - Use signature checking to verify authenticity
    - sigcheck -i <name of file>

DEMO !!

Malicious Code Analysis
Step 6

• They sure “hide” something in them
  - Use a hex editor / strings command to see what “stuff” they hide in their executables

DEMO !!
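What the strings step actually surfaces, as an added example (not code from the slides or from Sysinternals): a small Python equivalent of the strings command that pulls both ASCII and UTF-16LE runs out of a binary and flags the ones an analyst reads first, such as Run key paths, URLs and executable names. The sample bytes are constructed to stand in for a dropped file; the URL in them is a placeholder.

```python
"""Pull printable ASCII and UTF-16LE strings out of a binary, the way
Sysinternals strings does, and flag the ones an analyst looks at first.
Added example; the sample bytes are constructed, not a real malware file."""
import re
from collections import namedtuple

Found = namedtuple("Found", "offset encoding text")

# Things worth a second look in Step 6: persistence keys, URLs, binaries
SUSPICIOUS = re.compile(
    r"CurrentVersion\\Run|https?://|\.(?:exe|dll|bat|vbs)$|cmd\.exe", re.I)

def extract_strings(data, min_len=4):
    """Return printable runs of at least min_len chars, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [Found(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [Found(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

def suspicious(found):
    """Keep only strings matching the SUSPICIOUS patterns."""
    return [s for s in found if SUSPICIOUS.search(s.text)]

# Constructed stand-in for a dropped executable: a DOS stub, an import,
# a UTF-16 Run key path and a UTF-16 placeholder URL between junk bytes.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00"
          + b"This program cannot be run in DOS mode.\r\n$" + bytes(16)
          + b"kernel32.dll\x00\x01\x02ab\x03"
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + bytes(8)
          + "http://updates.example.invalid/cfg.php".encode("utf-16-le")
          + b"\x00\x00\xff\xfesvchost.exe\x00")

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        mark = "*" if SUSPICIOUS.search(s.text) else " "
        print("%s %08x %-8s %s" % (mark, s.offset, s.encoding, s.text))
```

The UTF-16LE pass matters on Windows: registry paths and URLs inside a PE are frequently wide strings that an ASCII-only scan never shows.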
Malicious Code Analysis
Step 7

• I’m surely not the first in the world
  - Google is your friend

DEMO !!

Malicious Code Analysis
Live Code Analysis

- What are they doing on my system?
- What files / network connections are they using?
Malicious Code Analysis
Step 8

• They sure need to access something on my system
  - Filemon observes what files they access
  - RegMon observes what registry entries they access
  - Process Explorer sees how they’re related

DEMO !!

Malicious Code Analysis
Step 9

• I want to “see” what they really do inside
  - OllyDbg, IDA Pro, WinDbg
Recovery


Recovery
We’ll look at the following:

- Conventional recovery techniques
- Manual recovery techniques
Recovery
Conventional recovery techniques

- Anti-Virus (ClamWin, AVG)
- Anti-Trojan (http://www.windowsecurity.com/trojanscan/)
- Anti-Spyware (Ad-Aware, Hijackthis, Spybot S&D, Microsoft AntiSpyware)
- Ask your friends
- Rebuild whole OS !!

Recovery
Manual recovery techniques

- Disable system restore feature
- You need to know how to suspend & kill them

Demo !!
Rootkit


Recovery
What About Rootkit?

- “Almost” undetectable
- Fakes response (at the kernel level) to deceive applications
- There are rootkit detectors BUT …
- More info – http://www.rootkit.com
Conclusion


Prevention
Prevention Techniques

- Run as normal non-privileged user
- Patch your machine
- Close off all unused ports
- Deploy Personal Firewall
- Implement security zoning
- Use different browsers
- Use Host List
- WinPooch
- Microsoft Port Reporter / Log Parser
- Read EULA before you install anything
Prevention

Look Carefully Before Accept!
Something Fun

Can you guess what this map tells us?

http://nepenthes.sourceforge.net/visualisation

Resources
- Fport: http://www.foundstone.com/resources/intrusion_detection.htm
- Prefetch Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher = 1 or 3
- Pref / Pref_ver: http://www.windows-ir.com/tools.html
- AutoRuns: http://www.sysinternals.com/ProcessesAndThreadsUtilities.html
- Sigcheck: http://www.sysinternals.com/FileAndDiskUtilities.html
- sigs.exe (inside Tools.zip): http://www.windows-ir.com/tools.html
- FCIV: http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
- Hex Editor XVI32: http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
- Strings: http://www.sysinternals.com/Utilities/Strings.html
- Filemon: http://www.sysinternals.com/Utilities/Filemon.html
- Process Explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html
- Regmon: http://www.sysinternals.com/Utilities/Regmon.html
- OllyDbg: http://www.ollydbg.de/
- IDA Pro Free Version: http://www.programmersheaven.com/zone5/cat460/37637.htm
- Windbg: http://www.microsoft.com/whdc/devtools/debugging/default.mspx
- ClamWin: http://www.clamwin.com/
- Ad-Aware: http://www.download.com/3000-2144-10045910.html
- HijackThis: http://www.download.com/HijackThis/3000-8022_4-10379544.html
- Spybot Search & Destroy: http://www.safer-networking.org/en/download/
- Microsoft Anti-Spyware: http://www.microsoft.com/athome/security/spyware/software/default.mspx
- Winpooch: http://winpooch.sourceforge.net/home/index.php
- Host List: http://www.mvps.org/winhelp2002/hosts.htm
- Microsoft Port Reporter / Reporter Parser: http://support.microsoft.com/?id=837243
Q&A

Email : c.low@securitystartshere.net
Slides downloadable : www.securitystartshere.net/download