In this talk one wouldn’t see any speculations on state-sponsored cyber-espionage and сonspirology theories on cyber weapon development. In the presentation authors will concentrate on different approaches to analysis of the malware based on object oriented architecture with respect to one of the most complex threat ever known while AV industry exists: Win32/Flamer. The authors will present methods of analysis of the malware developed in the course of research of such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems the researchers face during investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the result of research on reconstructing framework which was used to construct Win32/Flamer and will show its similarity with Stuxnet/Duqu/Gauss with respect to code and architecture.

1. Win32/Flamer: Reverse Engineering and
Framework Reconstruction
Aleksandr Matrosov
Eugene Rodionov

2. Outline of The Presentation
 Typical malware vs. Stuxnet/Flame
 What the difference?
 Flamer code reconstruction problems
 C++ code reconstruction
 Library code identification
 Flamer framework overview
 Object oriented code reconstruction
 Relationship Stuxnet/Duqu/Flamer

3. Typical Malware vs. Stuxnet/Flamer

4. What’s the Difference?

5. What’s the Difference?
 Typical malware  Stuxnet/Flame …
 Different motivation, budget …  Different motivation, budget …
 Use 1-days for distribution  Use 0-days for distribution
 Anti-stealth for bypassing all sec
 Anti-stealth for bypassing AV
soft
 Stealth timing: months  Stealth timing: years
 Developed in C or C++ in C style  Tons of C++ code with OOP
 Simple architecture for plugins  Industrial OO framework platform
 Traditional ways for obfuscation:  Other ways of code obfuscation:
 packers  tons of embedded static code
 polymorphic code  specific compilers/options
 vm-based protection  object oriented wrappers for
typical OS utilities
 …

6. Stuxnet/Duqu/Flamer/Gauss Appearance

7. Code Complexity Growth
Gauss miniFlamer Stuxnet Duqu Flamer

8. Code Complexity Growth

9. C++ Code REconstruction
Problems

10. C++ Code Reconstruction Problems
 Object identification
 Type reconstruction
 Class layout reconstruction
 Identify constructors/destructors
 Identify class members
 Local/global type reconstruction
 Associate object with exact method calls
 RTTI reconstruction
 Vftable reconstruction
 Associate vftable object with exact object
 Class hierarchy reconstruction

11. C++ Code Reconstruction Problems
Class A
vfPtr
a1()
A::vfTable
a2()
meta
A::a1()
RTTI Object
Locator A::a2()
signature
pTypeDescriptor
pClassDescriptor

12. C++ Code Reconstruction Problems

13. Identify Smart Pointer Structure

14. Identify Exact Virtual Function Call in vtable

15. Identify Exact Virtual Function Call in vtable

16. Identify Exact Virtual Function Call in vtable

17. Identify Custom Type Operations

18. Identify Objects Constructors

19. Identify Objects Constructors

20. Library code identification
problems

21. Library Code Identification Problems
 Compiler optimization
 Wrappers for WinAPI calls
 Embedded library code
 Library version identification problem
 IDA signatures used syntax based detection methods
 Recompiled libraries problem
 Compiler optimization problem

22. Library Code Identification Problems

23. Object Oriented API Wrappers and Implicit Calls

24. Object Oriented API Wrappers and Implicit Calls

25. Object Oriented API Wrappers and Implicit Calls

26. Festi: OOP in kernel-mode

27. Main Festi Functionality store in kernel mode
Win32/Festi
Dropper
Install kernel-mode
driver
user-mode
kernel-mode
Win32/Festi
kernel-mode
driver
Download plugins
Win32/Festi
Win32/Festi
Plugin 1 Plugin 2 ... Win32/Festi
Plugin N

28. Main Festi Functionality store in kernel mode
Win32/Festi
Dropper
Install kernel-mode
driver
user-mode
kernel-mode
Win32/Festi
kernel-mode
driver
Download plugins
Win32/Festi
Win32/Festi
Plugin 1 Plugin 2 ... Win32/Festi
Plugin N

29. Festi: Architecture
Win32/Festi
Win32/Festi Win32/Festi
C&C Protocol
Plugin Manager Network Socket
Parser
Win32/Festi
Memory
Manager

30. Festi: Plugin Interface
Array of pointers
to plugins
Plugin 1
Plugin1 struct PLUGIN_INTERFACE
Plugin 2
Plugin2 struct PLUGIN_INTERFACE
Plugin 3
Plugin3 struct PLUGIN_INTERFACE
...
Plugin N
PluginN struct PLUGIN_INTERFACE

31. Festi: Plugins
 Festi plugins are volatile modules in kernel-mode address space:
 downloaded each time the bot is activated
 never stored on the hard drive
 The plugins are capable of:
 sending spam – BotSpam.dll
 performing DDoS attacks – BotDoS.dll
 providing proxy service – BotSocks.dll

32. Flamer Framework Overview

33. An overview of the Flamer Framework
The main types used in Flamer Framework are:
 Command Executers –the objects exposing interface that allows
the malware to dispatch commands received from C&C servers
 Tasks – objects of these type represent tasks executed in
separate threads which constitute the backbone of the main
module of Flamer
 Consumers – objects which are triggered on specific events
(creation of new module, insertion of removable media and etc.)
 Delayed Tasks – these objects represent tasks which are executed
periodically with certain delay.

34. An overview of the Flamer Framework
Vector<Consumer> Vector<Command Executor>
DB_Query ClanCmd FileCollect Driller GetConfig
Mobile
Consumer
Cmd Vector<Task>
Consumer
IDLER CmdExec Sniffer Munch FileFinder
Lua
Consumer
Vector<DelayedTasks>
Media Share LSS
Consumer Euphoria Frog Beetlejuice
Supplier Sender

35. Some of Flamer Framework Components
Identifying processes in the systems corresponding to
Security security software: antiviruses, HIPS, firewalls, system
information utilities and etc.
Microbe Leverages voice recording capabilities of the system
Idler Running tasks in the background
BeetleJuice Utilizes bluetooth facilities of the system
Telemetry Logging of all the events
Gator Communicating with C&C servers

36. Flamer SQL Lite Database Schema

37. Flamer SQL Lite Database Schema

38. REconstructing Flamer Framework

39. Data Types Being Used
 Smart pointers
 Strings
 Vectors to maintain the objects
 Custom data types: wrappers, tasks, triggers and etc.

40. Data Types Being Used: Smart pointers
typedef struct SMART_PTR
{
void *pObject; // pointer to the object
int *RefNo; // reference counter
};

41. Data Types Being Used: Strings
struct USTRING_STRUCT
{
void *vTable; // pointer to the table
int RefNo; // reference counter
int Initialized;
wchar_t *UnicodeBuffer; // pointer to unicode string
char *AsciiBuffer; // pointer to ASCII string
int AsciiLength; // length of the ASCII string
int Reserved;
int Length; // Length of unicode string
int LengthMax; // Size of UnicodeBuffer
};

42. Data Types Being Used: Vectors
struct VECTOR
{
void *vTable; // pointer to the table
int NumberOfItems; // self-explanatory
int MaxSize; // self-explanatory
void *vector; // pointer to buffer with elements
};
 Used to handle the objects:
 tasks
 triggers
 etc.

43. Using Hex-Rays Decompiler
 Identifying constructors/destructors
 Usually follow memory allocation
 The pointer to object is passed in ecx (sometimes in other registers)
 Reconstructing object’s attributes
 Creating custom type in “Local Types” for an object
 Analyzing object’s methods
 Creating custom type in “Local Types” for a table of virtual routines

44. Using Hex-Rays Decompiler
 Identifying constructors/destructors
 Usually follow memory allocation
 The pointer to object is passed in ecx (sometimes in other registers)
 Reconstructing object’s attributes
 Creating custom type in “Local Types” for an object
 Analyzing object’s methods
 Creating custom type in “Local Types” for a table of virtual routines

45. Reconstructing Object’s Attributes

46. Reconstructing Object’s Attributes

47. Reconstructing Object’s Methods

48. Reconstructing Object’s Methods

49. Reconstructing Object’s Methods

50. DEMO

51. Relationship
Stuxnet/Duqu/Gauss/Flamer

52. Source Code Base Differences

53. Exploit Implementations
Stuxnet Duqu Flame Gauss
MS10-046 MS10-046 MS10-046
(LNK) (LNK) (LNK)
MS10-061 MS10-061
(Print Spooler) (Print Spooler)
MS08-067 MS08-067
(RPC) (RPC)
MS10-073
(Win32k.sys)
MS10-092
(Task Scheduler)
MS11-087
(Win32k.sys)

54. Exploit Implementations: Stuxnet & Duqu
 The payload is injected into processes from both kernel-
mode driver & user-mode module
 Hooks:
 ZwMapViewOfSection
 ZwCreateSection
 ZwOpenFile
 ZwClose
 ZwQueryAttributesFile
 ZwQuerySection
 Executes LoadLibraryW passing as a parameter either:
 KERNEL32.DLL.ASLR.XXXXXXXX
 SHELL32.DLL.ASLR.XXXXXXXX

55. Exploit Implementations: Stuxnet & Duqu
 The payload is injected into processes from both kernel-
mode driver & user-mode module
 Hooks:
 ZwMapViewOfSection
 ZwCreateSection
 ZwOpenFile
 ZwClose
 ZwQueryAttributesFile
 ZwQuerySection
 Executes LoadLibraryW passing as a parameter either:
 KERNEL32.DLL.ASLR.XXXXXXXX
 SHELL32.DLL.ASLR.XXXXXXXX

56. Injection mechanism: Flame
 The payload is injected into processes from user-mode
module
 The injection technique is based on using:
 VirtualAllocEx
 WriteProcessMemoryReadProcessMemory
 CreateRemoteThreadRtlCreateUserThread
 The injected module is disguised as shell32.dll
 Hooks the entry point of msvcrt.dll by modifying PEB

57. Injection mechanism: Flame
 The payload is injected into processes from user-mode
module
 The injection technique is based on using:
 VirtualAllocEx
 WriteProcessMemoryReadProcessMemory
 CreateRemoteThreadRtlCreateUserThread
 The injected module is disguised as shell32.dll
 Hooks the entry point of msvcrt.dll by modifying PEB

58. Exploit Implementations: Gauss
 The payload is injected into processes from user-mode
module

60. Thank you for your attention!
Eugene Rodionov Aleksandr Matrosov
rodionov@eset.sk matrosov@eset.sk
@vxradius @matrosov