SlideShare une entreprise Scribd logo

Defeating antiforensics in contemporary complex threats

Alex Matrosov
Alex Matrosov

Forensic analysis plays a crucial role in cybercrime group investigation, as it allows investigators to obtain such information as bot configuration data, C&C URLs, payload, stolen data and so on. Some of the modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper will present technical and in-depth analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild: Win64/Olmarik (TDL4) Win64/Olmasco (MaxSS) Win64/Rovnix/Carberp Win64/Sirefef (ZeroAccess) Win32/Hodprot These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors will focus on the details of hidden storage implementation as well as the ways in which it is maintained within the system by various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware in order to conceal the content kept in its hidden storage areas and protect those contents against modification by the system or by security software. Also a detailed description of the hidden file system is presented for each threat considered, as well as a comparison of its features to the other threats analysed here. To conclude, an approach is presented on the retrieval of data from hidden storage. We will discuss the steps that should be taken to defeat self-defence mechanisms, locate hidden storage on the hard drive and read plain data.

Technologie
1  sur  39
Télécharger pour lire hors ligne
       
 •  •  •  •
      
One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor. Relies on system registry to keep its modules and payload HKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor. Relies on system registry to keep its modules and payload HKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
Winlogon Address Browser Address Space Space Setupapi.dll Assemble Payload Inject Payload Update Payload sfcfiles.dll Payload System Registry User-mode Kernel-mode Inject Payload Install & Load Assemble Payload Driver sfc.sys
Configuration data are stored in a resource of the Flame main module Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
Configuration data are stored in a resource of the Flame main module Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
Applications Malware payload user-mode address space kernel-mode address space Malicious kernel-mode driver File system interface OS file system driver Physical storage interface OS storage device driver stack Hidden FS Hard drive area
Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN   user-mode kernel-mode Kernel- mode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN
First widely spread bootkit targeting Microsoft Windows x64 platform Infects MBR of the bootable hard drive to receive control before OS Abuses Windows PE (Preinstallation Environment) boot mode to disable kernel-mode code signing policy Keeps payload in the hidden file system Hijacks pointer to the driver object of the lowest device object in storage device stack
One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction typedef struct _TDL4_FS_ROOT_DIRECTORY typedef struct _TDL4_FS_FILE_ENTRY { { // File name - null terminated string // Signature of the block char FileName[16]; WORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD FileBlockOffset; DWORD Reserved; // Reserved DWORD dwFileSize; // Array of entries corresponding to files in FS // Time and Date of file creation TDL4_FS_FILE_ENTRY FileTable[15]; FILETIME CreateTime; }TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;
Visible to payload Maintained by rootkit DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2 Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4 disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partition as TDL4 bootkit OS Partition OS Partition Modifies partition table of the Unpartitioned Space Olmasco Partition bootable hard drive to create malicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2 Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4 disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partition as TDL4 bootkit OS Partition OS Partition Modifies partition table of the Unpartitioned Space Olmasco Partition bootable hard drive to create malicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
typedef struct _OLMASCO_FS_ROOT_DIRECTORY typedef struct _OLMASCO_FS_FILE_ENTRY { { // Signature of the block // File name - null terminated string // DC - root directory char FileName[16]; DWORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD OffsetInClusters; DWORD Reserved1; // Size of the file in clusters // Set to zero DWORD SizeInClusters; DWORD Reserved2; // Size of the file in bytes // Set to zero DWORD SizeInBytes; DWORD Reserved3; // Checksum // Size of the file system cluster DWORD Crc32; DWORD ClusterSize; }OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY; // Size of file table in clusters DWORD SizeOfSysTableInClusters; // Size of file table in bytes DWORD SizeOfSysTableInBytes; // Checksum of file table DWORD SysTableCRC32; // Array of entries corresponding to files in FS OLMASCO_FS_FILE_ENTRY FileTable[]; }OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;
Mounts a file containing payload & configuration data as NTFS volume with transparent encryption VS. Keeps payload & configuration data encrypted in “C:windows$NtUninstallKB35373$” directory
ZeroAccess NTFS Driver Object Driver Object Hidden Volume Name ZeroAccess Related Device Volume Device Object DriverObject DriverObject ... ... File with data File Object
First known bootkit which infects VBR (Volume Boot Record) with polymorphic malicious bootstrap code It utilizes debugging facilities of the hardware (debugging registers) to persists among processor execution mode switching and set up hooks Rovnix bootkit employs modification of FAT16 for hidden partition Rovnix bootkit was used in Carberp banking trojan
•   MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
Employs advanced bootkit techniques to load unsigned malicious kernel-mode driver on 64-bit version of Windows OS Combines bootkit techniques present in Olmarik (TDL4) & Rovnix Bypasses PatchGuard by means of modifying kernel before integrity enforcement service is started Goblin hidden implements hidden file system in a similar way to Olmarik (TDL4)
Olmarik Sirefef Rovnix Goblin Olmasco functionality (TDL4) (ZeroAccess) (Cidox) (XPAJ) (MaxSS) MBR      modification VBR      modification Hidden file FAT16 Custom Custom NTFS Custom system type modification (TDL4 based) encryption Custom RC6 XOR/RC4 RC4  algorithm (XOR+ROL) modification compression   aPlib aPlib  algorithm
        
   
eset.com/download/utilities/detail/family/173/
       
    
Aleksandr Matrosov Eugene Rodionov matrosov@eset.sk rodionov@eset.sk @matrosov @vxradius

Recommandé

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 

Recommandé

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
42054960
4205496042054960
42054960
andres castillo
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
Aleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Juan lago vázquez
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Contenu connexe

En vedette

Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
 

En vedette (14)

Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Defeating antiforensics in contemporary complex threats

  • 1.
  • 2.       
  • 3.
  • 4.
  • 5. •  •  •  •
  • 6.      
  • 7. One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor. Relies on system registry to keep its modules and payload HKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
  • 8. One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor. Relies on system registry to keep its modules and payload HKLMSOFTWARESettings Win32/Hodprot Loader Code Main Module C&C URLs ErrorControl CoreSettings HashSeed
  • 9. Winlogon Address Browser Address Space Space Setupapi.dll Assemble Payload Inject Payload Update Payload sfcfiles.dll Payload System Registry User-mode Kernel-mode Inject Payload Install & Load Assemble Payload Driver sfc.sys
  • 10. Configuration data are stored in a resource of the Flame main module Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
  • 11. Configuration data are stored in a resource of the Flame main module Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm Block Data BYTE Length Data 1 Byte 4 Byte Data Length Bytes Block Data Offset of the block with Offset of the next item Unicode string (name of the item) BYTE Length item data block 1 Byte 4 Byte Data Length Bytes
  • 12.
  • 13. Applications Malware payload user-mode address space kernel-mode address space Malicious kernel-mode driver File system interface OS file system driver Physical storage interface OS storage device driver stack Hidden FS Hard drive area
  • 14. Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN   user-mode kernel-mode Kernel- mode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN
  • 15.
  • 16. First widely spread bootkit targeting Microsoft Windows x64 platform Infects MBR of the bootable hard drive to receive control before OS Abuses Windows PE (Preinstallation Environment) boot mode to disable kernel-mode code signing policy Keeps payload in the hidden file system Hijacks pointer to the driver object of the lowest device object in storage device stack
  • 17. One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction typedef struct _TDL4_FS_ROOT_DIRECTORY typedef struct _TDL4_FS_FILE_ENTRY { { // File name - null terminated string // Signature of the block char FileName[16]; WORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD FileBlockOffset; DWORD Reserved; // Reserved DWORD dwFileSize; // Array of entries corresponding to files in FS // Time and Date of file creation TDL4_FS_FILE_ENTRY FileTable[15]; FILETIME CreateTime; }TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;
  • 18. Visible to payload Maintained by rootkit DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
  • 19. MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2 Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4 disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partition as TDL4 bootkit OS Partition OS Partition Modifies partition table of the Unpartitioned Space Olmasco Partition bootable hard drive to create malicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
  • 20. MBR Code MBR Code Partition Table Entry #1 Partition Table Entry #1 Partition Table Entry #2 Partition Table Entry #2 Employs the same approach for Partition Table Entry #3 Partition Table Entry #4 Partition Table Entry #3 Partition Table Entry #4 disabling kernel-mode signing policy MBR Data MBR Data Bootmgr Partition Bootmgr Partition as TDL4 bootkit OS Partition OS Partition Modifies partition table of the Unpartitioned Space Olmasco Partition bootable hard drive to create malicious partition and mark it active Before Infecting After Infecting Empty Partition Entry Active Partition Entry Existing Partition Entry
  • 21. typedef struct _OLMASCO_FS_ROOT_DIRECTORY typedef struct _OLMASCO_FS_FILE_ENTRY { { // Signature of the block // File name - null terminated string // DC - root directory char FileName[16]; DWORD Signature; // Offset from beginning of the file system to file // Set to zero DWORD OffsetInClusters; DWORD Reserved1; // Size of the file in clusters // Set to zero DWORD SizeInClusters; DWORD Reserved2; // Size of the file in bytes // Set to zero DWORD SizeInBytes; DWORD Reserved3; // Checksum // Size of the file system cluster DWORD Crc32; DWORD ClusterSize; }OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY; // Size of file table in clusters DWORD SizeOfSysTableInClusters; // Size of file table in bytes DWORD SizeOfSysTableInBytes; // Checksum of file table DWORD SysTableCRC32; // Array of entries corresponding to files in FS OLMASCO_FS_FILE_ENTRY FileTable[]; }OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;
  • 22. Mounts a file containing payload & configuration data as NTFS volume with transparent encryption VS. Keeps payload & configuration data encrypted in “C:windows$NtUninstallKB35373$” directory
  • 23. ZeroAccess NTFS Driver Object Driver Object Hidden Volume Name ZeroAccess Related Device Volume Device Object DriverObject DriverObject ... ... File with data File Object
  • 24. First known bootkit which infects VBR (Volume Boot Record) with polymorphic malicious bootstrap code It utilizes debugging facilities of the hardware (debugging registers) to persists among processor execution mode switching and set up hooks Rovnix bootkit employs modification of FAT16 for hidden partition Rovnix bootkit was used in Carberp banking trojan
  • 25.   MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
  • 26. Employs advanced bootkit techniques to load unsigned malicious kernel-mode driver on 64-bit version of Windows OS Combines bootkit techniques present in Olmarik (TDL4) & Rovnix Bypasses PatchGuard by means of modifying kernel before integrity enforcement service is started Goblin hidden implements hidden file system in a similar way to Olmarik (TDL4)
  • 27. Olmarik Sirefef Rovnix Goblin Olmasco functionality (TDL4) (ZeroAccess) (Cidox) (XPAJ) (MaxSS) MBR      modification VBR      modification Hidden file FAT16 Custom Custom NTFS Custom system type modification (TDL4 based) encryption Custom RC6 XOR/RC4 RC4  algorithm (XOR+ROL) modification compression   aPlib aPlib  algorithm
  • 28.
  • 29.        
  • 30.
  • 31.
  • 32.
  • 34.
  • 36.        
  • 38.
  • 39. Aleksandr Matrosov Eugene Rodionov matrosov@eset.sk rodionov@eset.sk @matrosov @vxradius