Slides - Persistence, Type 1 stealth malware, Type 2

Report
Revealing Stealth Malware
UMD CMSC389M
Xeno Kovah – Jan. 2013
xkovah at gmail
Subject line starting with "UMD:"
1
All materials is licensed under a Creative
Commons “Share Alike” license.
• http://creativecommons.org/licenses/by-sa/3.0/
2
Outline
• Persistence
• Type 1 – use system features
– Hiding in plain sight
• Hiding with filesystem attributes
• Trojan DLL + forwarded exports
• Type 2 – change things that shouldn't be
changed
– Inline hooks
• A userspace OR kernel technique
3
The Persistence of Memory
Memory is impersistent
• Malware executes in memory
• Malware generally wants to stick around
across reboots
• So naturally it would like to persist on disk
• But beyond just persisting, it needs to be
invoked across reboots
• Windows includes a number of registry
locations where code can register that it
would like to be executed at a particular time
5
Autoruns.exe
• This tool examines an (AFAIK) exhaustive list of
locations that code can register itself to either
be automatically executed on system startup,
or executed when some common process like
IE is started.
6
Autoruns.exe
• This tool examines an (AFAIK) exhaustive list of
locations that code can register itself to either
be automatically executed on system startup,
or executed when some common process like
IE is started.
7
Autoruns' Achilles' heel
• Autoruns is not registry hiding aware.
• That's part of why we're going to do
homeworks designed around registry key
hiding
8
Service Control Manager (SCM)
• SCM is invoked as sc.exe, or it can be invoked
programatically with APIs like CreateService()
– In the development environment setup the load.bat
uses sc.exe to register and load the HelloKernel.sys
kernel driver as a service.
• SCM can be used to register a kernel or userspace
program to load on system boot or on demand.
• A side-effect of using SCM is that it creates a
registry entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
9
Malware can also persist by infecting the binaries which are executed in the earliest
stages of bootup. Examining these requires more specialized tools & knowledge
10
From http://www.stoned-vienna.com/downloads/Presentation.pdf
Type 1 Stealth Malware:
Use legitimate system features
Hiding in Plain Sight
• This means to make your software look like
legitimate software, to a cursory examination
– Somewhat related to trojans, though there need
not necessarily be any sort of install-time
subterfuge. More focused on if someone stumbles
upon it later.
• Strategies include naming your files like
legitimate MS or 3rd party software,
12
Hiding in Plain Sight 2
• The key feature of such malware is that if you
know where the malware is, you can see it with
normal tools.
– Because of that, we're not going to spend much time
on them
• They rely more on AV bypassing to stay on home
systems, and lack of application whitelisting or
even new application installation awareness to
stay on enterprise systems.
13
Examples
• Stuxnet named its drives mrxnet.sys and
mrxcls.sys. There are legitimate Microsoft files
named mrxsmb.sys and mrxdav.sys.
– However, later versions were signed by stolen
RealTek Semiconductor & JMicron Technology
certificates, so those two aspects in some way run
counter to each other
• Zeus and other crimeware do not hide their
files/registry keys (though they do often
protect them)
14
Hiding with Filesystem Features
• The "attrib +h" command on Windows can
set the hidden file flag, which will make the
file not visible if the user is running
Explorer.exe with the default folder options.
15
Hiding with Filesystem Features 2
• Use "dir /AH" to see hidden files, and "dir /AS"
to see system files. Or edit explorer's folder
options as shown below.
(On Windows 7 hit "alt" once to show the
tools menu)
Check
Uncheck
Uncheck
16
Hiding with Filesystem Features 2
• NTFS supports "Alternate Data Streams" (ADS)
• An ADS can be created and opened with
normal file access APIs, and will just have a
name starting with a colon. E.g. if you have a
file foo.txt you can just do "notepad
foo.txt:bar" and you will be editing a new
"bar" ADS associated with the foo.txt file
17
Hiding with Filesystem Features 3
• No built in way to see ADS on XP. Post-Vista
they added a /r flag to dir command, but still
no way to see in explorer.exe
• On XP, LADS
(http://www.heysoft.de/en/software/lads.php
) is the way to go, though the good rootkit
detectors will allow for viewing ADS too.
18
Misleading extension and/or icon
• Windows will hide the ".exe", ".txt", ".jpg"
extensions by default.
19
Stuxnet trojaned DLL
• Stuxnet used forwarded exports for the
93 of 109 exports in s7otbxdx.dll which
it didn't need to intercept.
20
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Stuxnet trojaned DLL 2
21
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
STEALTH MALWARE
(will cut you!)
Malware that hides by changing something
that shouldn't legitimately change
A portrait of the rootkit as a young
man in the middle
(CC BY-NC-SA 2.0) image by thrill kills sunday pills
http:[email protected]/2994587384/in/photostream/
23
Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
1
…
push 1234
call SomeFunc()
add esp, 4
…
…
SomeFunc:
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0x20
…
ret
2
24
Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
1
…
push 1234
call SomeFunc()
add esp, 4
…
…
SomeFunc:
jmp EvilFunc
sub esp, 0x20
…
ret
WickedWickedDll.dll
EvilFunc:
<stuff>
…
mov edi, edi
push ebp
mov ebp, esp
jmp SomeFunc+5
4
3
25
Inline Hooked Intra-Module Function Call
WickedSweetApp.exe
1
…
push 1234
call SomeFunc()
add esp, 4
…
…
SomeFunc:
jmp EvilFunc
sub esp, 0x20
…
ret
WickedWickedDll.dll
EvilFunc:
<stuff>
…
mov edi, edi
push ebp
mov ebp, esp
jmp SomeFunc+5
4
3
26
Hooking
• We call the act of redirecting program
execution "hooking"
• Because you're hooking into the program to
make it come to you
27
So what functions would an attacker
want to hook?
• Depends on what they're trying to hide, but
the principle always is:
Find whatever function shows that which you
wish to hide, and hook it.
• Well dang, I guess we're going to need to
learn how programs view "stuff"
28
To the Googles!
Or better yet
29
RTFMSDN!
• FindFirstFile() http://msdn.microsoft.com/enus/library/windows/desktop/aa364418(v=vs.8
5).aspx
• FindNextFile() http://msdn.microsoft.com/enus/library/windows/desktop/aa364428(v=vs.8
5).aspx
• FindClose() - http://msdn.microsoft.com/enus/library/windows/desktop/aa364413(v=vs.8
5).aspx
30
Everything you ever wanted to know
about the X86-64 calling convention
(but that OST Intro x86 didn't tell you)
• Going to be in the updated version, "Intro x8664" recorded in Feb
• Argument 1 is in rcx
• Argument 2 is in rdx
• Argument 3 is in r8
• Argument 4 is in r9
• Any further arguments are on the stack
• Return value is still in rax
31
WiiiiinDebugging, across the universe!
• Windbg uses function name notation like
"module!function"
• I will set breakpoints on things like
– kernel32!FindFirstFileExW, kernel32!FindFirstFileW,
kernel32!FindFirstFileA, kernel32!FindNextFileW,
kernel32!FindNextFileA
• The W or A at the end means the "Wide" (unicode)
or ASCII string version
32
Win 7 DLL Injection
• See http://en.wikipedia.org/wiki/DLL_injection for more ways that
this can be achieved on Windows/*nix
• We're going to use the AppInit_DLLs way of doing this for simplicity
• Note: AppInit_DLLs' behavior has changed in releases > XP, it now
has to be enabled with Administrator level permissions.
• Must set the DLL in question in the registry key:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\AppInit_DLLs
– Use comma delimitation if there is an existing entry
• Must also set the following key to 1
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\LoadAppInit_DLLs
• Must also set the following key to 0
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\RequireSignedAppInit_DLLs
33
Example use of AppInit_DLLs for
XP DLL injection
• http://www.codeproject.com/KB/vista/api-hooks.aspx
– This will hook NtQuerySystemInformation(), which is what taskmgr.exe uses in
order to list the currently running processes. It will replace this with
HookedNtQuerySystemInformation(), which will hide calc.exe
– I modified that code to use IAT hooking rather than inline (which is much
simpler actually)
• Steps:
– Compile AppInitHookIAT.dll
– Place at C:\tmp\AppInitHookIAT.dll for simplicity
– Use regedit.exe to add C:\tmp\AppInitHookIAT.dll as the value for the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\Windows\AppInit_DLLs and set the other values from the
previous slide
– Start calc.exe, start taskmgr.exe, confirm that calc.exe doesn't show up in the list
of running processes.
– Remove C:\tmp\AppInitHookIAT.dll from AppInit_DLLs and restart taskmgr.exe.
– Confirm calc.exe shows up in the list of running processes.
– (This is a basic "userspace rootkit" technique. Because of this, all entries in this
registry key should always be looked upon with suspicion.)
34
Stuxnet use of inline hooks
•
From the Stuxnet Dossier:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
pers/w32_stuxnet_dossier.pdf
•
•
•
"~WTR4141.tmp then loads ~WTR4132.tmp, but before doing so, it
attempts to hide the files on the removable drive. Hiding the files on
the removable drive as early in the infection process as possible is
important for the threat since the rootkit functionality is not installed
yet, as described in the Windows Rootkit Functionality section.
Thus, ~WTR4141.tmp implements its own less-robust technique in
the meantime.
WTR4141.tmp hooks the following APIs from kernel32.dll and
Ntdll.dll:
From Kernel32.dll
– FindFirstFileW
– FindNextFileW
– FindFirstFileExW
•
From Ntdll.dll
– NtQueryDirectoryFile
– ZwQueryDirectoryFile"
35
Homework 1
• Use AppInit_DLLs DLL injection with inline or IAT
hooking to hide any registry key named "UMDRK"
from Regedit.exe on Windows 7 64 bit. But in
particular make sure you hide
– HKLM\SYSTEM\CurrentControlSet\Services\UMDRK
36
High level HW1 steps
• 1) Convert the module finding inline asm to C code (you're not
allowed to use inline asm when it's 64 bit assembly with microsoft
compilers). Start from the __readgsqword() intrinsic
• 2) Figure out which Windows APIs are used to list registry entries &
create fake versions that behave differently when they are trying to
view the specified key
• 3) Set up a MitM situation either through inline assembly
manipulation, or through IAT entry changing
• NOTE1: Your solution should cause the specified registry key to be
hidden, but should *not* cause any subsequent registry keys to be
hidden
• NOTE2: Your solution should be generic, and not build in
assumptions based on analyzing regedit (e.g. not just skipping
directly to some offset to make some modification.) It must
programmatically find the location(s) to change. You should
probably test it against some other registry reading tools to make
sure it is actually generic enough.
37
Helpful tools for HW1
• Win 7 x64 (VM recommended)
– to test on
• VisualStudio 2010 Express
– to compile code
• WinDbg x86-64 aka "amd64"
– to look at structure definitions
• PEView & CFF Explorer
– to look at PE headers
• Process Monitor
– helpful for inferring what functions map to what registry
actions that are done by regedit to read the key
38
Build as DLL
FYI, the one change I made to the template projects, that you wouldn't have seen in the
instructions for setting up the dev env, was to change the project to make a DLL, like so:
39
For easy install enter the following into a file named
"install.reg" that you can double click
(you will still need to make C:\tmp and copy your compiled file to C:\tmp before running this)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookIAT.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
OR
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\tmp\\StudentAppInitHookInline.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
40
For easy uninstall enter the following into a file
named "uninstall.reg" that you can double click
(you will still need to make C:\tmp and copy your compiled file to C:\tmp before running this)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
OR
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
41

similar documents