Intro to Reversing Malware

•

0 likes•276 views

Abdullah Joseph in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The video and other presentations can be found on https://def.camp/archive

Technology

BERLIN • NEW YORK • SAN FRANCISCO • SÃO PAULO • PARIS • LONDON • MOSCOW • ISTANBUL SEOUL •
SHANGHAI • BEIJING • TOKYO • MUMBAI • SINGAPORE

2
About Me
‣ Security Analyst
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x2

What is Malware?
“Malware is a binary that does
something someone wouldn’t
like...”

What we know
- An encrypted POST request to brb.3dtuts.by
- Not a single call to WinInet is weird
- No reference to brb.3dtuts.by
- No sign of cryptography functions
- Too much noise in `./strings` output
- The use of TLS

Typical HTTP Imports
Courtesy of MSDN
(Microsoft Developer
Network)

Typical Cryptography Imports
Courtesy of MSDN
(Microsoft Developer
Network)

Theory
Theory #1: Binary will use VirtualProtect to dump
a packed binary?
Theory #2: CryptEncrypt will be used
somewhere?

VirtualProtect
Courtesy of MSDN
(Microsoft Developer
Network)

Checking Memory Regions
Found a newly created
memory region with
“ERW” permissions

Theory #1 was correct
Theory #1: Binary will use VirtualProtect to
dump a packed binary? YES
Theory #2: CryptEncrypt will be used
somewhere?

Theory #2: CryptEncrypt
We know now the malware is
unpacking itself. Let it finish...

CryptEncrypt
Courtesy of MSDN
(Microsoft Developer
Network)

Theory #2 was correct
Theory #1: Binary will use VirtualProtect to
dump a packed binary? YES
Theory #2: CryptEncrypt will be used
somewhere? YES

Unix: ./strings dumped_bin
HTTP and
Cryptography
imports and
strings were
hidden in the
packed malware

Remember this?
Further analysis shows the binary
communicating with a Command & Control
server called brb.3dtuts.by

Similar to Intro to Reversing Malware

Malware analysis

Prakashchand Suthar

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014

grecsl

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...

grecsl

This presentation was created based on a sample we found. At first sight this looked to be a standard fileless cryptocurrency mining malware, however, when looking a bit further, we noted that this malware had some other tricks up its sleeve. This presentation starts with an introduction into how fileless malware works and how to detect it, a short introduction into cryptocurrency mining and of course the analysis of the sample itself.

Sans london april sans at night - tearing apart a fileless malware sample

Michel Coene

A Threat Hunter Himself

Sergey Soldatov

A Threat Hunter Himself

Teymur Kheirkhabarov

Basic malware analysis

securityxploded

At all times there have been bad guys, who tried to steal money. ATM machines containing vast amounts of money have always been attractive targets. Until recently, criminals were only using physical weaknesses. Skimmers and shimmers for stealing magstripe-tracking data, fake pin pads and cameras for stealing pin codes, and even fake ATMs were created. Time passed and ATM software started to unify. Where there is unification, there are viruses. Trojan.Skimmer.*, Ploutus and other named or unnamed trojans. And what did we see on the public scene? Vendors started discussing the skimmers problem only after they were detected in the wild. As you remember, Barnaby Jack presented "Jackpotting Automated Teller Machines" at Black Hat USA 2010. He used some vulnerabilities in ATM software. He showed that malware, was injected into the OS of the ATM via bootable flash drive or via remote management TCP port. Barnaby Jack's work was based on assumptions that most vulnerabilities were concentrated in the host machine and that we can and should reuse software made by ATM vendors. And that's quite true, but... antiviruses, locked firmware upgrades, blocked USB connectors, and encrypted hard drives can mitigate such risks. But, what about connecting not to the host machine, but to devices themselves? What countermeasures exist, when we will try to impersonate ourselves as an ATM host? Hacking ATMs with small computer like Raspberry Pi should be impossible, but it isn't. The point of our presentation is to draw attention to the problem, which has existed for quite a long time. The problem is usage of common interfaces (like RS232 or USB) and protocols of communication from host machine to such devices as card readers, pin pads and/or dispenser units.

Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)

Olga Kochetova

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...

grecsl

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014

grecsl

Become a Threat Hunter by Hamza Beghal

Null Singapore

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area the used operating systems are summarized with the term firmware. The devices by themself, so called embedded devices, are essential in the private, as well as in the industrial environment and in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection. With EMBA you always know which public exploits are available for the target firmware. Beside the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is an open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://troopers.de/troopers22/agenda/tr22-1042-emba-open-source-firmware-security-testing/

EMBA Firmware analysis - TROOPERS22

MichaelM85042

Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware. Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network. Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques. Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.

Watchtowers of the Internet - Source Boston 2012

Stephan Chenette

Malware Analysis

Ramin Farajpour Cami

Visualizing Threats: Network Visualization for Cyber Security

Cambridge Intelligence

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...

Andrew Morris

Having Honeypot for Better Network Security Analysis

Bangladesh Network Operators Group

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT

CanSecWest

Ransomware ist nicht mehr nur ein auf Privatanwender ausgerichtetes Ärgernis, sondern hat sich zu einer ernstzunehmenden Bedrohung für Unternehmen und Regierungseinrichtungen entwickelt. In unserem Webinar können Sie mehr darüber herausfinden, was Ransomware genau ist und wie es funktioniert. Anschliessend zeigen wir Ihnen das Ganze in einer Live Demo mit Daten aus einer Windows Ransomware Infektion. Detailliert zeigen wir Ihnen: - wie Sie mit Splunk Enterprise Ransomware IOCs "jagen" - wie Sie Malicious Endpoint Verhalten aufdecken - Abwehrstrategien

Wie Sie Ransomware aufspüren und was Sie dagegen machen können

Splunk

Keith J. Jones, Ph.D. - Crash Course malware analysis

Keith Jones, PhD

Similar to Intro to Reversing Malware (20)

Malware analysis

Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...

Sans london april sans at night - tearing apart a fileless malware sample

A Threat Hunter Himself

Basic malware analysis

Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...

Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014

Become a Threat Hunter by Hamza Beghal

EMBA Firmware analysis - TROOPERS22

Watchtowers of the Internet - Source Boston 2012

Malware Analysis

Visualizing Threats: Network Visualization for Cyber Security

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...

Having Honeypot for Better Network Security Analysis

CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT

Wie Sie Ransomware aufspüren und was Sie dagegen machen können

Keith J. Jones, Ph.D. - Crash Course malware analysis

Recently uploaded

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Manulife - Insurer Transformation Award 2024

The Digital Insurer

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

MINDCTI Revenue Release Quarter One 2024

MIND CTI

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Real Time Object Detection Using Open CV

Khem

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Ransomware_Q4_2023. The report. [EN].pdf

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

presentation ICT roal in 21st century education

Why Teams call analytics are critical to your entire business

Manulife - Insurer Transformation Award 2024

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

MINDCTI Revenue Release Quarter One 2024

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MS Copilot expands with MS Graph connectors

Artificial Intelligence Chap.5 : Uncertainty

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Corporate and higher education May webinar.pptx

A Beginners Guide to Building a RAG App Using Open Source Milvus

Axa Assurance Maroc - Insurer Innovation Award 2024

Real Time Object Detection Using Open CV

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Intro to Reversing Malware

1. BERLIN • NEW YORK • SAN FRANCISCO • SÃO PAULO • PARIS • LONDON • MOSCOW • ISTANBUL SEOUL • SHANGHAI • BEIJING • TOKYO • MUMBAI • SINGAPORE

2. 2 About Me ‣ Security Analyst ‣ Former Software Engineer ‣ Part of Adjust’s Fraud Team ‣ RiverBird.co ‣ @cheese0x2

3. What is Malware? “Malware is a binary that does something someone wouldn’t like...”

4. Demo

5. Why bother with analysis?

6. “Sacred Cash Cow Tipping”

7. Analyzing a Ransomware

8. openme.exe

9. Static Analysis

10. Unix: ./strings openme.exe

11. Unix: ./strings openme.exe

12. Windows: PEStudio

13. Windows: PEStudio

14. Dynamic Analysis

15. Unix: ./fakedns.py

16. Unix: ./inetsim

17. What we know - An encrypted POST request to brb.3dtuts.by - Not a single call to WinInet is weird - No reference to brb.3dtuts.by - No sign of cryptography functions - Too much noise in `./strings` output - The use of TLS

18. Typical HTTP Imports Courtesy of MSDN (Microsoft Developer Network)

19. Typical Cryptography Imports Courtesy of MSDN (Microsoft Developer Network)

20. Checking for Packers

21. Theory

22. Theory Theory #1: Binary will use VirtualProtect to dump a packed binary? Theory #2: CryptEncrypt will be used somewhere?

23. VirtualProtect Courtesy of MSDN (Microsoft Developer Network)

24. Attach a Debugger Windows: x32dbg

25. Windows: x32dbg Breakpoint hit!

26. Checking Memory Regions Found a newly created memory region with “ERW” permissions

27. Theory #1 was correct Theory #1: Binary will use VirtualProtect to dump a packed binary? YES Theory #2: CryptEncrypt will be used somewhere?

28. Theory #2: CryptEncrypt We know now the malware is unpacking itself. Let it finish...

29. CryptEncrypt Courtesy of MSDN (Microsoft Developer Network)

30. Windows: x32dbg Breakpoint hit!

31. MZ == ?

32. MZ == Profit $$$

33. Theory #2 was correct Theory #1: Binary will use VirtualProtect to dump a packed binary? YES Theory #2: CryptEncrypt will be used somewhere? YES

34. Unix: ./strings dumped_bin HTTP and Cryptography imports and strings were hidden in the packed malware

35. Remember this? Further analysis shows the binary communicating with a Command & Control server called brb.3dtuts.by

36. Demo

37. Conclusion

38. Thank you

Intro to Reversing Malware

Recommended

Recommended

More Related Content

Similar to Intro to Reversing Malware

Similar to Intro to Reversing Malware (20)

More from DefCamp

More from DefCamp (20)

Recently uploaded

Recently uploaded (20)

Intro to Reversing Malware