
Page 1: Untangling the code (crest.cs.ucl.ac.uk/cow/27/slides/COW27_Gupta.pdf)

McAfee Confidential—Internal Use Only

Untangling the code An overview of techniques to reverse engineer malicious software

June 3, 2013

Prashant Gupta

Security Architect, McAfee Inc.

Page 2

Abstract

Reverse engineering and analysis of binary code has long been seen as a black art that requires immense commitment, a large degree of experience and intuition to be fruitful. This may have been true a couple of decades ago, but with the recent focus on reverse code engineering by security vendors and prolific malicious actors alike, the field has progressed significantly. In this talk I will present some of the techniques employed when reversing unknown binaries to vet them for malicious traits. The talk will also cover how program analysis can help identify possibly suspicious traits in code, and how the reverse engineering and program analysis techniques used for code are also relevant to identifying potentially suspicious data when analysing document formats.

Page 3

Reverse Code Engineering: What?

[Diagram: better understanding of code, its environment and its interactions, built up from the tool classes Scanners/Fingerprinting, Decoders/Decryptors, Unpackers, Behaviour Analysers and Code reversers]

Page 4

Reverse Code Engineering: Why?

• Improve understanding where source code is not available

• Audit, review or forensic investigation of software systems

• Identifying intellectual-property or licensing breaches

• Malware research & defence

Page 5

Malware prevalence

[Chart, "Historically….": malware sample counts on a log scale (1 to 100,000,000) against the years 1990 to 2010, with data labels 357, 8,069, 56,342, 164,000 and 54M+]

Page 6

Malware prevalence: Why?

[Diagram: "Malware" at the centre, surrounded by the techniques that drive its prevalence: Code Virtualization, Encryption, Compression, Anti-Emulation, Junk-Code, Packer Chaining, Dynamic Functionality Extension, Destroy structures, Anti-Disassembly, New attack vectors]

Page 7

Reversing Code: Static Analysis

• Automated Signature Search

– Text search

– Binary signatures

– Known blobs, tables and data structure search

• Decoding/decrypting code and payload

– Identifying and decoding encoded payloads

– From simple XOR to purpose-built custom algorithms (e.g. those driven by a pseudo-random generator)

• Code Block identification

– Compiler and library recognition

– Fingerprinting known obfuscation techniques

– Dealing with compiler optimizations

– Semantic code similarity identification
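The signature-search and XOR-decoding items above combine naturally into one automated check: try every single-byte XOR key and accept a key only when the decoded bytes show the structure of a PE file (an MZ header whose e_lfanew field points at a PE signature, with the DOS stub message in between), rather than a lone "MZ" that wrongly decoded data can produce by chance. This is an added Python example, not code from the slides or from McAfee; the input is a constructed fake PE header embedded in pseudo-random filler, not a real executable, and the key 0x5A and the filler length are arbitrary choices.

```python
"""Recover a single-byte XOR key by searching every candidate decoding for the
structure of a PE file (known-plaintext / signature search)."""
import random
import re

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
FILLER_LEN = 512   # constructed sample only: bytes of filler before the payload


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; bytes.translate is far faster
    than a Python loop when the input is a whole file."""
    return data.translate(bytes(i ^ key for i in range(256)))


def find_pe_header(decoded: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew field (at +0x3C) points at a
    'PE\\0\\0' signature and whose DOS stub carries the usual message; -1 if none.
    Requiring all three makes a chance 'MZ' in wrongly decoded data insufficient."""
    for m in re.finditer(b"MZ", decoded):
        off = m.start()
        if off + 0x40 > len(decoded):
            break
        e_lfanew = int.from_bytes(decoded[off + 0x3C:off + 0x40], "little")
        if not 0x40 <= e_lfanew <= 0x400:        # plausible range for real PEs
            continue
        if decoded[off + e_lfanew:off + e_lfanew + 4] != b"PE\x00\x00":
            continue
        if DOS_STUB_MSG not in decoded[off + 0x40:off + e_lfanew]:
            continue
        return off
    return -1


def recover_xor_key(blob: bytes):
    """Return (key, offset) of an embedded PE image encoded with a single-byte
    XOR key, or None. Key 0 is tried first, which covers the unencoded case."""
    for key in range(256):
        off = find_pe_header(xor_bytes(blob, key))
        if off >= 0:
            return key, off
    return None


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed input (not a real executable): a minimal fake PE header with a
    DOS stub, XORed with `key` and surrounded by pseudo-random filler."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)              # 64-byte DOS header
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> 0x80
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
    hdr += DOS_STUB_MSG + b".\r\r\n$"
    hdr += b"\x00" * (0x80 - len(hdr))                 # pad up to the PE header
    hdr += b"PE\x00\x00" + b"\x4c\x01"                 # PE signature, Machine=i386
    rng = random.Random(7)
    filler = rng.randbytes(FILLER_LEN)
    return filler + xor_bytes(bytes(hdr), key) + rng.randbytes(FILLER_LEN)


if __name__ == "__main__":
    sample = build_sample()
    hit = recover_xor_key(sample)
    if hit is None:
        print("no XOR-encoded PE found")
    else:
        key, off = hit
        print(f"key=0x{key:02x}, PE image at offset {off} (0x{off:x})")
        print(xor_bytes(sample, key)[off:off + 0x84].hex())
```

For multi-byte rolling keys the same idea extends by guessing the key length and solving each key position separately against the expected plaintext; the slide's pseudo-random case cannot be brute-forced this way and needs the generator recovered from the decoder stub instead.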

Page 8

Reversing Code: Static Analysis

• Decompiling

– Identifying boiler-plate code

– Making complex code (e.g. algorithms) easier to understand

– Many open issues; after so many years it is still in its infancy.

• Packer identification and unpacking

– Identify whether the binary is an installer, or was built with a binder, packer or cryptor

– Unpack using custom, generic or standard algorithms.

• Artefact extraction and logging

– Structural anomalies

– Known code patterns (e.g. peculiar function chaining)

– Junk-code or no-op code search

Page 9

Reversing Code: Dynamic Analysis

• Virtualization/Sandboxing and Debugging

– Control the malware's exposure and its ability to leave irreversible changes.

– Debugging to guide execution flows (e.g. past exceptions)

– Providing stimulus to force the malware to exhibit its behaviour

– Active and passive analysis platforms.

• Behaviour logging

– Automated behaviour trace logging

– Identify communication mechanism

– Identify persistence mechanism

• Post/partial-execution memory dumps

– Generate memory dumps for detailed static analysis

– In cases where unpacking is not possible/feasible

– In cases where in-memory data structures need analysis

– Runtime unpacking

Page 10

Reversing Code: Machine Correlation

• Correlation for high-level behaviour inference

– Correlation of artefacts extracted from automated analysis

• Automated Classification

– Behavioural trait association

– Static code relationships

– Malware family

Page 11

Reversing Code: Manual Investigation

• Separating the wheat from the chaff

– Identifying suspicious code

– Evaluating known patterns and guiding the analysis process

– Making decisions where automation could only provide approximations.

• Optimizing program code analysis

– Correlating artefacts from static and behavioural analysis

– Building new algorithms

– Fixing problems faced by automation (exceptions, resource constraints, etc.)

– Manual unpacking/decoding

• Heuristic development

– Adding new feature extraction methods

– New correlation policies

– New subsystem development for analysis and detection improvements

Page 12

Reverse Engineering documents

                                   | Binary Code                               | Binary Documents                                              | Analysis
Not human readable                 | Yes                                       | Yes                                                           | RE tools and environment
Multitude of environments          | Many execution environments including VMs | Documents are generally platform agnostic.                    | Heuristic analysis systems can be shared when analysing artefact correlation.
Can exploit vulnerabilities        | Yes, but not always needed.               | Yes, generally in document editor/reader but sometimes in OS  | Dynamic analysis techniques can be used
Internal formats can be obfuscated | Yes                                       | Yes                                                           | Detecting encoded payloads. Identifying presence of obfuscation.
Executable Code                    | Yes                                       | No                                                            | Signature searches and payload analysis techniques.

Page 13

An example technique…

[Chart: explorer.exe. A per-window statistic (y axis 0 to 100) plotted against file offset (x axis 1 to about 995,900).]

[Chart: upx compressed explorer.exe. The same statistic against file offset (x axis 1 to about 374,500).]

Page 14

An example technique…

[Chart: document. A per-window statistic (y axis 0 to 100) plotted against file offset (x axis 1 to about 473,410).]

[Chart: document with hidden executable. The same statistic and axes.]
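The slides do not say which per-window statistic the charts on pages 13 and 14 plot. The following added Python example, which is not code from the slides or from Shipp's patent, uses normalized Shannon entropy (scaled to 0 to 100) over a sliding window as one such statistic; it also serves the packer identification item on page 8, because compressed, packed or encrypted regions score close to 100 while text and ordinary code score well below. The inputs are constructed: pseudo-English text stands in for the document, and a zlib-compressed copy of it stands in for the UPX-compressed executable and for the hidden blob. The 4096/1024 window sizes and the 90 threshold (7.2 bits per byte) are conventional choices, not values taken from the slides.

```python
"""Sliding-window byte entropy: a per-offset statistic that separates plain
text and ordinary code from compressed, packed or encrypted regions."""
import math
import random
import string
import zlib
from collections import Counter

WINDOW = 4096   # bytes scored per window
STEP = 1024     # window advance between scores


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = WINDOW, step: int = STEP) -> list[tuple[int, float]]:
    """(offset, score) per window; score is entropy scaled to 0..100 so that it
    can be plotted against file offset like the charts above."""
    last_start = max(0, len(data) - window)
    return [(off, shannon_entropy(data[off:off + window]) * 100.0 / 8.0)
            for off in range(0, last_start + 1, step)]


def high_entropy_regions(profile: list[tuple[int, float]], threshold: float = 90.0,
                         window: int = WINDOW) -> list[tuple[int, int]]:
    """Merge consecutive windows scoring >= threshold (90 = 7.2 bits/byte) into
    (start, end) byte ranges: candidate packed sections or embedded blobs."""
    regions: list[tuple[int, int]] = []
    for off, score in profile:
        if score < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)   # extend the current run
        else:
            regions.append((off, off + window))            # start a new run
    return regions


def build_samples() -> dict:
    """Constructed inputs, not real files: pseudo-English text as the 'document',
    a zlib-compressed copy of it standing in for a packed executable, and the
    document with that blob spliced into its middle ('hidden executable')."""
    rng = random.Random(2013)
    vocab = ["".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(3, 9)))
             for _ in range(512)]
    document = " ".join(rng.choice(vocab) for _ in range(40000)).encode()
    packed = zlib.compress(document, 9)
    blob_start = 131072                               # 128 KiB into the document
    hidden = document[:blob_start] + packed + document[blob_start:]
    return {"document": document, "packed": packed, "hidden": hidden,
            "blob_start": blob_start, "blob_end": blob_start + len(packed)}


if __name__ == "__main__":
    s = build_samples()
    for name in ("document", "packed", "hidden"):
        scores = [sc for _, sc in entropy_profile(s[name])]
        print(f"{name:9s} {len(scores):4d} windows  min {min(scores):5.1f}  max {max(scores):5.1f}")
    print("high-entropy regions in 'hidden':", high_entropy_regions(entropy_profile(s["hidden"])))
    print("blob actually at:", (s["blob_start"], s["blob_end"]))
```

The reported region is only window-accurate: the edges land within one window of the true blob boundaries because windows straddling the boundary contain a mix of text and compressed bytes. On a real sample the same profile distinguishes a plain PE (code and data sections scoring in the middle of the range) from a UPX-compressed one (almost the whole file near 100), and picks out a compressed or encrypted executable stored inside a document whose surrounding content is text or structured data.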

Page 15

Open source toolsets

SysAnalyzer

- Automated malcode analysis system (not a sandbox!)

Malcode Analyst Pack

- suite of tools useful for malcode analysts

VirtualBox

- x86 and AMD64/Intel64 virtualization product

BeaEngine

- disassembler library for x86 and x86-64 (IA-32 and Intel 64)

Libemu

- x86 shellcode emulation

Page 16

Databases/Tools

RE-Google IDA plugin

Queries Google Code for information about the functions contained in a disassembled binary

ClamAV

Open source (GPL) antivirus engine

Malware lookup services

VirusTotal, The Malware Hash Registry

ThreatExpert, McAfee SiteAdvisor

Utilities and Assessment Tools

McAfee Free Tools, Collaborative RCE Tool Library

Page 17

Extensible analysis frameworks

Cuckoo Sandbox

- Modular malware analysis system

Zero Wine Malware Analysis Tool

- Research project to dynamically analyse the behaviour of malware

Malheur

- Automatic analysis of malware behaviour

Radare

- Open source tools to disassemble, debug, analyse and manipulate binary files

Page 18

Prashant Gupta

Security Architect, McAfee Inc. @PrashantGupta

Page 19

References

IMPORTANT: These are third-party websites, so please review what you download for malware/suspicious content before use.

1. Cuckoo Sandbox: http://www.cuckoosandbox.org/

2. Zero Wine Malware Analysis Tool: http://zerowine.sourceforge.net/

3. Malheur: http://www.mlsec.org/malheur/

4. Radare: http://www.radare.org/

5. Interactive Disassembler Pro: http://www.hex-rays.com/

6. REGoogle: http://regoogle.carnivore.it/

7. ClamAV: http://www.clamav.net/

8. SysAnalyzer: https://github.com/dzzie/SysAnalyzer

9. Example technique from: Detecting exploits in electronic objects, Alexander Shipp: http://www.google.com/patents/US20080134333

Page 20

References

10. Malcode Analyst Pack: https://github.com/dzzie/MAP

11. VirusTotal: http://www.virustotal.com/

12. The Malware Hash Registry: http://www.team-cymru.org/Services/MHR/

13. ThreatExpert: http://www.threatexpert.com

14. McAfee SiteAdvisor: http://www.siteadvisor.com/

15. McAfee Free Tools: http://www.mcafee.com/us/downloads/free-tools/

16. Collaborative RCE Tool Library: http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools

17. McAfee Threats Report Q4 2012: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q4-2012.pdf