1. Analyzing Malware Behavior
The Secret to a More Secure World
Greg Hoglund

2. Malware
The Tip of the Spear

3. Malware is the single greatest threat to Enterprise security today
Fact
Malware is the single greatest threat to Enterprise security today
Existing security isn’t stopping it
Over 80% of corporate intellectual property is stored online, digitally

4. Google cyber attacks a 'wake-up' call
-Director of National Intelligence Dennis Blair

5. IP is Leaving The Network Right Now
Everybody in this room who manages an Enterprise with more than 10,000 nodes:
They are STEALING right now, as you sit in that chair.

6. Scale Over 100,000 malware are released daily
Automated malware infrastructure
Signature-based security solutions simply can’t keep up
The peculiar thing about signatures is that they are strongly coupled to an individual malware sample
More malware was released in the last year than all malware combined previous

7. Economy
Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

8. 35 million computers infected every month with “rogueware”
Example: Rogueware
35 million computers infected every month with “rogueware”
Many are fake anti-virus scanners
Victims pay for these programs, $50+, and stats show that some Eastern Europeans are making upwards of $34 million dollars a month with this scam *

9. Rogueware

10. Cash is not the only motive
State sponsored
economic power
Stealing of state secrets
intelligence & advantage
Stealing of IP
competitive / strategic advantage – longer term
Infrastructure & SCADA
wartime strike capable
Info on people (not economic)
i.e., Political dissidents

11. Espionage

12. MI5 says the Chinese government “represents one of the most significant espionage threats”

13. Big Brother
Opennet.net

14. Why Malware is
Not Going Away

15. Not an antivirus problem
Malware isn’t released until it bypasses all the AV products
Testing against AV is part of the QA process
AV doesn’t address the actual threat – the human who is targeting you
AV has been shown as nearly useless in stopping the threat
AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

16. Malware is a human issue
Evolving Threat
Malware is a human issue
If you detect a malware that is part of an targeted operation and you remove it from the computer, the risk has not been eliminated – the bad guys are still operating
“Malware is only a vehicle for intent, tomorrow the bad guy will be back again”

17. Attack Surface Over Time
Value Horizon
Hardness of Windows remote RPC
Use of Windows remote RPC overflows

18. Continuous Area of Attack
Value Horizon
Continuous area of attack
Windows remote RPC
GDI Image Bugs
Flash Overflows
IIS Server overflows

19. Technology Lifecycle
Value Horizon
Area of attack

20. Continuous Area of Attack
By the time all the surfaces in a given technology are hardened, the technology is obsolete
Value Horizon
Continuous area of attack
We secured java, but now we have flash
We secure the web, but now we have Second Life
Technology Lifecycle

21. The Global
Malware Economy

22. This “malware ecosystem” supports both Crimeware and e-Espionage
A Global Theatre
There are thousands of actors involved in the theft of information, from technology developers to money launderers
Over the last decade, an underground economy has grown to support espionage and fraud
This “malware ecosystem” supports both Crimeware and e-Espionage

23. Payment system developer
$500+
Implant Vendor
$1,000+
Exploit Pack Vendor
$10,000+ for 0-day
Exploit Developer
$10,000+ for 0-day
Rootkit Developer
Rogueware Developer
Back Office Developer
$1000+
Wizard
Bot Vendor
eGold
~4% of bank customers
Payment system developer
Country that doesn’t co-op w/ LE
Secondary
atm
Keep 10%
Victims
Small Transfers
A single operator here may recruit 100’s of mules per week
$5,000 incrm.
Drop Man
Account
Buyer
Affiliate Botmaster
ID Thief
Endpoint Exploiters
Keep 50%
$ per 1000 infections
PPI
Forger
Cashier / Mule
Bank Broker
Sells accounts in bulk
Country where account is physically located
$5.00 per
$50
Keep 10%

24. Crimeware and the State
Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack
There is no custom code that can be fingerprinted

25. China
“There are the intelligence-oriented hackers inside the People's Liberation Army”
“There are hacker conferences, hacker training academies and magazines”
“Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military”
When asked whether hackers work for the government, or the military, [he] says "yes."

26. C&C map from Shadowserver, C&C for 24 hour period

27. Crimeware and Terrorism
Consider that terrorist groups, often thought to be unsophisticated in the area of cyber attack, can just purchase fully capable exploitation kits for $1,000

28. Crimeware Affiliate Networks
Grown out of older adware business models

29. Pay-per-install.org

30. Pays per 1,000 infections Earning4u*

31. PPI Programs *

32. Custom Crimeware Programming Houses

33. Malware
Attribution

34. Digital fingerprints left by compiler tools Developer code idioms
Forensic Toolmarks
Digital fingerprints left by compiler tools
Developer code idioms
Major technology components that can be fingerprinted:
Distribution system
Exploitation capability
Command and Control
Payload (what does it do once its in)

35. Reverse Engineering Focus Areas
Compiler version
Paths unique to the developer workstation
i.e., .pdb paths
Language codes, keyboard layouts
Unique variations of algorithms
obfuscation, compression
C&C Protocol design
Even spelling mistakes!

36. Same malware compiled in three different ways
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
MD5 Checksums
all different
Code idioms remains consistent

37. In-memory analysis tends to defeat packers
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
In-memory analysis tends to defeat packers
Starting Malware
Packed
Malware
Unpacked portions remains consistent

38. Toolkits and developer signatures can be detected
IN MEMORY IMAGE
OS Loader
Toolkits and developer signatures can be detected
Malware
Toolkit
Different
Malware
Authors
Using
Same Toolkit
Toolkit Marks Detected
Packed

39. Country of Origin Country of origin
Is the bot designed for use by certain nationality?
Geolocation of IP is NOT a strong indicator
However, there are notable examples
Is the IP in a network that is very unlikely to have a third-party proxy installed?
For example, it lies within a government installation
C&C map from Shadowserver, C&C for 24 hour period

40. Language codes in resources
Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality
Be aware some technologies have multiple language support
Language codes in resources

41. Command and Control
These commands map to a foreign language keyboard.

42. ZeuS (botnet)

43. ZeuS C&C server source code.
Written in PHP
Specific “Hello” response (note, can be queried from remote to fingerprint server)
Clearly written in Russian
In many cases, the authors make no attempt to hide…. You can purchase ZeuS and just read the source code…

44. A GIF file included in the ZeuS C&C server package.

45. Caution: The developer != operator
The developer may not have any relation to those who operate the malware
The operation is what’s important
Ideally, we want to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

46. Stage I: Exploitation

47. Malware Distribution Systems
Large scale systems to deploy malware
Browser component attacks
Precise spearphising attacks
Contain boobytrapped documents
Backdoored physical media
USB, Camera, CD’s left in parking lot, ‘gifts’

48. Attack Vector: Boobytrapped Documents
This is the current trend
Single most effective focused attack today
Human crafts text

49. Example: PDF Boobytrap
Exploit is chosen based on version of Acrobat Reader™
Malicious PDF Analysis:

50. Attack Vector: Web based attack
Social Networking Space
Injected Java-script
Used heavily for large scale infections
Social network targeting is possible

51. Example: Trap Postings I
<script>
</script>
Some text to be posted to…
the site ….

52. Example: Trap Postings II
<IFRAME src=
style=“display:none”></IFRAME>
Some text to be posted to…
the site ….

53. Example: SQL Injection
SQL attack, inserts IFRAME or script tags

54. Example: ‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME *
User clicks link, thus submitting the variable too
Trusted site, like
.com, .gov, .edu
The site prints the contents of the variable back as regular HTML
*For an archive of examples, see xssed.com

55. Actor: Vuln Researchers
Paid well into the five figures for a good, reliable exploit
$20,000 or more for a dependable IE exploit on latest version
Injection vector & activation point can be fingerprinted
Method for heap grooming, etc
Delivery vehicle

56. Actor: Endpoint Exploiter
Endpoint Exploiters
$ per 1000 infections
The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects
Newcomers can learns various attack methods from their PPI affiliate site (mini-training)
These are generally recruited hackers from forums (social space)
The malware will have an affiliate ID
“somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

57. Link Analysis Using Link Analysis URL artifact Unique Affiliate ID’s
Codenamed Botmaster
C&C Fingerprint
Endpoints
Link Analysis

58. Fingerprinting Exploit Packs
Common methods in shellcode
Heap grooming/spray techniques
Methods to located shellcode in memory
Methods to load function pointers from kernel32.dll, etc
Web Server version
Backend technology – cgi, PHP, etc.
HTTP variable names, number formats, etc.

59. Eleonore (exploit pack)

60. Tornado (exploit pack)

61. Napoleon / Siberia (exploit pack)

62. Exploitation Complete: A three step infection
Injected Java-script
Exploit Server
Redirect
Browser Exploit
Payload Server
Dropper

63. Stage II: Droppers

64. Fingerprinting Droppers
Use of certain packer version
Compiler and settings used
Delphi? C++ classes?
Stack pointer omission, etc.
How are embedded resources used?
Language codes? Compressed?
Dropper-webserver type / version
Brute-force URL’s to find all the downloadable exe’s

65. CRUM (protector)

66. ‘Dropper’ or Payload Server
A machine that has the actual malware dropper ready for download.
The exploit server will redirect the victim to download a binary from this location

67. malwaredomainlist.com abuse.ch spamcop.net team-cymru.org
Intelligence Feeds
malwaredomainlist.com
abuse.ch
spamcop.net
team-cymru.org
shadowserver.org

68. NOTE: Packing is not fully effective here
GhostNet: Dropper
UPX!
¶üÿÿU‹ìƒìSVW3ÿÿ
Packer Signature
MZx90
This program cannot be run in DOS mode
Embedded executable
NOTE: Packing is not fully effective here

69. GhostNet: Resource Culture Codes
The embedded executable is tagged with Chinese PRC Culture code

70. PDB path reveals malware name
GhostNet: PDB Paths
UPX!
The embedded executable is extracted to disk. The extracted module is NOT PACKED.
MZx90
MZx90
E:\gh0st\Server\Release\install.pdb
PDB path reveals malware name

71. Actionable Intelligence
Information obtained via droppers that you can use for immediate defense:
File and Registry Paths used for the installation
Enterprise tools can scan for these to detect other infections

72. Stage III: Implants

73. The ‘persistent’ backdoor program Hide in plain sight strategy
Implants
The ‘persistent’ backdoor program
Hide in plain sight strategy
General purpose hacking tool
Stealth capabilities
In-field update capabilities
Has command-and-control system

74. Poison Ivy (implant)

75. A device driver is embedded in the executable
GhostNet Implant
A device driver is embedded in the executable
Dropped as a svchost.exe DLL:
MZx90
MZx90

76. GhostNet: Embedded Drivers
i386 directory is common to device drivers. Other clues:
sys directory
‘SSDT’ in the name
Also, embedded strings in the binary are known driver calls:
IoXXXX family
KeServiceDescriptorTable
ProbeForXXXX

77. Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME
VICTIM IP
ADMIN?
OS VERSION
HD SERIAL NUMBER

78. Command and Control Server
The C&C system may vary
Custom protocol (Aurora-like)
Plain Old URL’s
IRC (not so common anymore)
Stealth / embedded in legitimate traffic
Machine identification
Stored infections in a back end SQL database

79. ‘SoySauce’ C&C Hello Message
this queries the uptime of the machine..
checks whether it's a laptop or desktop machine...
enumerates all the drives attached to the system, including USB and network...
gets the windows username and computername...
gets the CPU info... and finally,
the version and build number of windows.

80. Aurora C&C parser
Command is stored as a number, not text. It is checked here.
Each individual command handler is clearly visible below the numerical check
After the command handler processes the command, the result is sent back to the C&C server

81. Triad (botnet)

82. ZeuS (botnet)

83. Fragus (botnet)

84. Actionable Intelligence
Information obtained via implants that you can use for immediate defense:
IP and URL’s used for command and control can be used for NIDS, egress filtering, and searches against archived netflow data

85. Intellectual Property Threats

86. Soysauce: Steal Credentials
Outlook Password
Generic stored passwords

87. All the file types that are exfiltrated
Soysauce: Steal Files
All the file types that are exfiltrated

88. A place to store all the stolen goods before it gets ‘exfiltrated’
Staging Server
A place to store all the stolen goods before it gets ‘exfiltrated’
Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior

89. Drop Site
Sometimes the stolen data is moved to a tertiary system, not the same as the C&C

90. Drop-point is in Reston, VA in the AOL netblock

91. Actionable Intelligence
Information obtained via staging server that you can use for immediate defense:
Drive forensics will reveal what has already been stolen

92. Advanced Fingerprinting

93. GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display.
Reads screenshot data, creates a special DIFF buffer
LOOP: Compare new screenshot to previous, 4 bytes at a time
If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match.
Offset in screenshot
Len in bytes
Data….

94. GhostNet: Searching for sourcecode
Large grouping of constants
Search source code of the ‘Net

95. GhostNet: Refining Search
Has something to do with audio…
Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…

96. GhostNet: Source Discovery
We discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste.
We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.

97. Sell bot systems for four figures
Actor: Developers
Sell bot systems for four figures
$4,000 - $8,000 with complete C&C and SQL backend
Sell advanced rootkits for low five figures
Possibly integrated into a bot system
Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this
All of this development is strongly fingerprinted in the malware chain

98. Link Analysis Link Analysis We want to find a connection here
C&C Fingerprint
Botmaster
URL artifact
Affiliate ID
Developer
Protocol Fingerprint
Endpoints
Developer
C&C products
Link Analysis

99. Softlinking into the Social Space
Where is it sold, does that location have a social space?
If it has a social space, then this can be targeted
Forum, IRC, instant messaging
Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space
Slightly harder link if the two have communicated directly
If someone asks for tech support, indicates they have purchased
If someone queries price, etc, then possibly they have purchased

100. Link Analysis Link Analysis Software Author Software Author
Social Space
Social Space
Link Analysis

101. Example: Link Analysis with Palantir™
Implant
Forensic Toolmark specific to Implant
Searching the ‘Net reveals source code that leads to Actor
Actor is supplying a backdoor
Group of people asking for technical support on their copies of the backdoor

102. Working back the timeline
Who sells it, when did that capability first emerge?
Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
Requires budget for acquisition of emerging malware products

103. Link Analysis with Timeline
Software
Author
Social Space
i.e., Technical Support Query made AFTER version 1.4 Release
Use of timeline to differentiate links
Link Analysis

104. Conclusion

105. Existing security doesn’t stop ‘bad guys’
Takeaways
Actionable intelligence can be obtained from malware infections for immediate defense:
File, Registry, and IP/URL information
Existing security doesn’t stop ‘bad guys’
Go ‘beyond the checkbox’
Adversaries have intent and funding
Need to focus on the criminal, not malware
Attribution is possible thru forensic toolmarking combined with open and closed source intelligence

106. Solutions for Enterprises
About HBGary
Solutions for Enterprises
Digital DNA™ - codified tracking of malware authors
Integrated into several Enterprise products:
McAfee ePO
Guidance EnCase Enterprise,
more to be announced
Responder™ – malware analysis and physical memory forensics