One wrong click… Techniques to analyze malicious code
Tyler Hudak
What we will cover
- Techniques to “externally” analyze malware
- General do’s and don’ts of analysis
- An analysis of an actual malware sample found in the wild

What we will NOT cover
- How to debug / disassemble malware
- Every possible tool available
- Every possible malware infection vector
- Malware obfuscation or anti-forensics techniques

WARNING!!!
The examples used within are real-world examples. If you go to these sites with an unprotected machine you WILL get infected. You have been warned.

Why learn malware analysis?
- Eventually you will find unknown malware on your systems
- You can either wait for the AV companies to analyze it or do it yourself
- It’s fun!!!
Our lab
- You should ALWAYS analyze malware on a “throw away” system
- NEVER use a machine on a production network
- VMware is an excellent tool for this:
  - Can easily restore to a previous point in time
  - Can control network access of the virtual OS
  - Images allow re-use
  - Almost limitless OSes available (Windows, Linux, Solaris, NetWare, *BSD, MS-DOS, …)

Our lab
- Host OS: Mandriva Linux LE 2005
- Guest OS: Windows XP SP1 (installed from disk – no patches)
- NAT networking
  - Host OS: 192.168.1.1
  - Guest OS: 192.168.1.2
Our situation
- A user complains about a slow PC, or the IDS picks up unusual activity
- Investigating shows unknown processes running on the PC
- Looking through the web logs / Internet cache shows access to a suspicious site: http://play.joyiex.com/love.htm
- Let’s begin!

Copying malware off
In the initial stages you would normally copy the unknown process/files off and analyze them before anything else. For the sake of the presentation, let’s pretend you can’t do that.

Checking out the site
- We need to check out the site the user went to
- Never go to the site in a web browser
- Download the source page using a tool (wget, curl, etc.)
love.htm
- love.htm opens three 0-by-0 iframes to download three more web pages
- This is a technique commonly used by spyware to load malicious code
- Use wget to download the other three pages to analyze

ip.htm
- Runs JavaScript from union1.50bang.com
- Sends information about your computer (browser, screen resolution, color depth) to www.50bang.com
- Sets a cookie with a unique ID
- 50bang.com is in China – the same as joyiex.com

zx.htm
- Contains obfuscated JavaScript that gets executed
- Cannot tell what the JavaScript does by reading it
- However, modifying the code and loading it into a browser reveals what it does
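The three pages above were triaged by hand; the following is an added example (not code from the talk) of doing the same first pass statically over a page saved with wget or curl: it lists 0-by-0 iframes, the hosts that external scripts are pulled from, and counts of the functions obfuscated loaders usually lean on, without rendering or executing anything. The sample markup and hosts are constructed stand-ins, not the real site.

```python
"""Static triage of a page saved with wget/curl (added example, not code from the talk).

Only the markup is parsed; nothing is rendered or executed.  The sample page is
constructed to mirror the structure the slides describe; hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Functions obfuscated loaders typically rely on.  A high count is a triage signal
# to look closer, not proof of malice.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode(", "document.write(")

# Constructed sample: three 0x0 iframes, one visible iframe, one external script and
# one obfuscated inline script.
SAMPLE_PAGE = """<html><body>
<iframe src="http://play.example.invalid/ip.htm" width="0" height="0"></iframe>
<iframe src="http://play.example.invalid/zx.htm" width=0 height=0></iframe>
<iframe src="http://play.example.invalid/sp2/sp3.htm" width="0" height="0"></iframe>
<iframe src="http://ads.example.invalid/banner.htm" width="468" height="60"></iframe>
<script src="http://stats.example.invalid/count.js"></script>
<script>
var s = "%3Cscript%3E%2E%2E%2E%3C%2Fscript%3E";
document.write(unescape(s)); eval(unescape(s));
</script>
</body></html>"""


class PageTriage(HTMLParser):
    """Collect hidden iframes, external script hosts and inline script text."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []      # src of every iframe sized 0 by 0
        self.external_scripts = []    # host part of every <script src=...>
        self.inline_script = []       # raw text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            # A 0x0 frame loads a page the user never sees.
            if a.get("width", "").lower() in ("0", "0px") and a.get("height", "").lower() in ("0", "0px"):
                self.hidden_iframes.append(a.get("src", ""))
        elif tag == "script":
            if a.get("src"):
                self.external_scripts.append(urlparse(a["src"]).netloc)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def triage(html: str) -> dict:
    """Return the indicators worth following up before the page is ever loaded in a browser."""
    parser = PageTriage()
    parser.feed(html)
    parser.close()
    script_text = "".join(parser.inline_script)
    markers = {m: script_text.count(m) for m in OBFUSCATION_MARKERS if m in script_text}
    return {
        "hidden_iframes": parser.hidden_iframes,
        "external_script_hosts": sorted(set(parser.external_scripts)),
        "obfuscation_markers": markers,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it against the saved love.htm and then against each page the hidden iframes point to; the hidden-iframe list gives you the next set of URLs to fetch with wget, and a non-empty marker count tells you which page needs the decoding step described next.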
zx.htm modified
- The code is modified to display a popup with the decoded JavaScript instead of writing it into the page

zx.htm decoded
- The zx.htm JavaScript uses a known vulnerability (MS04-013) to trick IE into executing a CHM file in the Local Zone context
- This allows malicious code – zx.htm within zx.chm in this case – to be downloaded and executed on the local machine
- More information on MS04-013 at http://www.securityfocus.com/bid/9658/info
- Use wget to download zx.chm to examine it

zx.chm
- We’d like to look at zx.chm to see what it does, but it will most likely execute malicious code upon opening
- Use KeyTools Utilities from KeyWorks Software to decompile the CHM file
- Do NOT use the ‘Examine CHM File’ option, as it may launch the malicious code
- Use the ‘Decompile’ option

zx.chm decompiled
Decompiling finds 3 files:
- zx.exe (18,540 bytes) – we’ll see this later
- zx.htm – HTML file which runs zx.exe
- zx.hhp – MS Help Project file (created by KeyTools)

sp2/sp3.htm
- Calls a variant of a Windows XP SP2 remote execution technique (patched by MS05-001)
- Uses multiple vulnerabilities to execute bbs003302.gif (encoded VBScript)
- Not sure what bbs003302.gif does, but we can wager a guess that it executes bbs003302.css – but what does that do?
File analysis
- There are lots of tools that should be used to analyze a file
- Run ‘file’ against it to see what it is
- Hash the file as well, using your favorite cryptographic hash
- You can Google for the hash and hope for results

String analysis
- Look for any readable strings in the executable using ‘strings’ or ‘bintext’ from Foundstone
- Not many readable strings in bbs003302.css, but it looks to be packed with FSG

Packed executables
- Programs are available which “pack” executables, making them smaller and harder to analyze: upx, aspack, fsg, etc.
- You have to download an unpacker, or else dump the unpacked program from memory
- bbs003302.css is packed with FSG (look for the string FSG! in the file)
- Use unfsg2.0 to unpack it and run it through bintext again
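The three slides above describe the first pass over an unknown file: what it is, its hash, its readable strings and whether a packer marker is present. The following is an added example, not a tool from the talk, that approximates what ‘file’, md5sum, strings and bintext would report, so the steps can be repeated on many files at once. The two byte strings are constructed stand-ins (a packed PE with the FSG! marker and few strings, and the same program after unpacking), not the real bbs003302.css; a real ‘file’ run uses libmagic and knows far more types than the few checked here.

```python
"""First-pass file analysis: type, hashes, printable strings, packer markers.

Added example, not a tool from the talk; it approximates what `file`, md5sum,
strings and bintext show.  Both samples are constructed byte strings, not real files.
"""
import hashlib
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as `strings -n 4`

# Markers left in the file by common packers.  FSG! is the one the talk looks for;
# UPX! is the well-known UPX marker.
PACKER_MARKERS = {b"FSG!": "FSG", b"UPX!": "UPX"}

# Constructed sample of a packed PE: MZ header, the DOS stub text, a PE signature,
# the FSG! marker and otherwise non-printable filler.
PACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
                 + b"This program cannot be run in DOS mode.\r\n"
                 + b"PE\x00\x00" + b"FSG!" + b"\x00\x01\x02\x03" * 32)

# Constructed sample of the same program after unpacking: registry paths and
# file names are now readable as plain strings.
UNPACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
                   + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
                   + b"osrss.exe\x00coniem.exe\x00")


def file_type(data: bytes) -> str:
    """Cheap magic-number check in the spirit of `file` (a real run uses libmagic)."""
    if data[:2] == b"MZ":
        return "MS-DOS/Windows executable (MZ header)"
    if data[:4] == b"ITSF":
        return "MS Windows HtmlHelp file (CHM)"
    head = data[:512].lower()
    if b"<html" in head or b"<iframe" in head or b"<script" in head:
        return "HTML document"
    if data and all(0x20 <= b < 0x7f or b in (9, 10, 13) for b in data[:512]):
        return "ASCII text"
    return "data"


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def printable_strings(data: bytes) -> list:
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def packers(data: bytes) -> list:
    return [name for marker, name in PACKER_MARKERS.items() if marker in data]


def analyze(data: bytes) -> dict:
    strs = printable_strings(data)
    return {
        "type": file_type(data),
        "size": len(data),
        **hashes(data),
        "strings": strs,
        "registry_refs": [s for s in strs if s.lower().startswith(("hkey_", "software\\"))],
        "packers": packers(data),
        # Few strings plus a packer marker is the pattern the talk sees in
        # bbs003302.css; it means "unpack before reading strings", not "malicious".
        "looks_packed": bool(packers(data)) and len(strs) < 10,
    }


if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, analyze(sample))
```

Read the file with `open(path, "rb").read()` and pass it to `analyze()`; when `looks_packed` is true, run the unpacker the marker points to and analyze the output again, which is where the registry references and file names show up.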
Unpacked bbs003302.css
- Lots of references to registry entries within the unpacked file
- Appears to overwrite registry entries with an unknown value
- Also looks like it will start up on boot
- References osrss.exe and coniem.exe

What do we know so far?
- Going to the website opens three web pages
- One of the pages sends information about your computer to China
- The two others launch exploits and execute code on your local machine
- So – let’s go to the site and see what happens!

Before infection
We need to do a couple of steps before we infect our VMware image:
1. Create a snapshot of our image
2. Set up a sniffer
3. Set up the tools on our VMware image

Sniffer
- We want to record any network traffic from our malware
- Use whatever sniffer you prefer (tcpdump, Ethereal, Snort, etc.)
- Capture the entire packet for reconstruction later
Regshot
- Takes and compares snapshots of the registry entries and files on a computer
- We’ll take a snapshot before and after infection
- From this, any new/modified/deleted files and registry entries will be found

Regmon / Filemon / TDIMon
- Monitor registry access, file access and network access on a computer
- We can use these to find out what process is doing what
- All are available from www.sysinternals.com

Let’s get infected!
Once our tools are set up and running we can go to the website and get infected. After a minute or two we stop the tools and begin analysis.

Post-infection steps
- Run the second regshot and compare
- Run post-infection tools
- Save data off of the VMware image
- Pause VMware
- Analyze

Regshot compare
The regshot compare showed a number of interesting things. New files:
- C:\WINDOWS\system32\he1p.exe
- C:\WINDOWS\system32\she11.dll
- C:\WINDOWS\OSRSS.exe
- C:\arcldrer.exe

Regshot compare
New / changed registry entries:
- HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe: "C:\WINDOWS\OSRSS.exe"
- HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: "1"
- HKU\<SID>\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage: "1"
- HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "C:\WINDOWS\System32\he1p.exe "%1""
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: "0"
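The Regshot comparison above is a set difference between two snapshots followed by a human deciding what each change buys the malware. The following is an added example (not Regshot and not the talk's code) that does both steps: it diffs two snapshots held as plain dicts and labels each registry addition or change as persistence, lockdown, file-association hijack or concealment. The "after" snapshot is built from the entries the slides list (under HKCU, as the talk's timeline writes them); the "before" values, such as the original notepad.exe command, are constructed stand-ins for a clean system, and the classification rules are heuristics, not a complete catalogue.

```python
"""Regshot-style before/after comparison with a first-pass classification of the
registry changes (added example; not Regshot itself or the talk's code).

A snapshot is {"files": set of paths, "registry": {key\\value: data}}.  AFTER holds
the entries the slides list; BEFORE holds constructed clean-system values.
"""

BEFORE = {
    "files": {r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\notepad.exe"},
    "registry": {
        r"HKCR\txtfile\shell\open\command\(Default)": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue": "1",
    },
}

AFTER = {
    "files": BEFORE["files"] | {
        r"C:\WINDOWS\system32\he1p.exe", r"C:\WINDOWS\system32\she11.dll",
        r"C:\WINDOWS\OSRSS.exe", r"C:\arcldrer.exe",
    },
    "registry": {
        r"HKCR\txtfile\shell\open\command\(Default)": r'C:\WINDOWS\System32\he1p.exe "%1"',
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue": "0",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe": r"C:\WINDOWS\OSRSS.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr": "1",
        r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage": "1",
    },
}


def compare(before: dict, after: dict) -> dict:
    """Added, deleted and changed files/registry values between two snapshots."""
    b_reg, a_reg = before["registry"], after["registry"]
    return {
        "files_added": sorted(after["files"] - before["files"]),
        "files_deleted": sorted(before["files"] - after["files"]),
        "reg_added": {k: a_reg[k] for k in a_reg if k not in b_reg},
        "reg_deleted": {k: b_reg[k] for k in b_reg if k not in a_reg},
        "reg_changed": {k: (b_reg[k], a_reg[k]) for k in a_reg if k in b_reg and a_reg[k] != b_reg[k]},
    }


def classify(key: str, data: str) -> str:
    """Label a registry change by the behaviour it buys the malware (heuristic rules)."""
    k = key.lower()
    if "\\currentversion\\run\\" in k:
        return "persistence: runs at logon -> " + data
    if k.endswith("\\disabletaskmgr") and data == "1":
        return "lockdown: Task Manager disabled"
    if "\\policies\\microsoft\\internet explorer\\" in k:
        return "lockdown: IE setting locked by policy"
    if "\\shell\\open\\command" in k:
        return "file association hijack -> " + data
    if k.endswith("\\showall\\checkedvalue") and data == "0":
        return "concealment: hidden files not shown in Explorer"
    return "unclassified"


def report(before: dict, after: dict) -> list:
    """One (key, label) pair per registry addition or change, sorted for stable output."""
    diff = compare(before, after)
    rows = [(k, classify(k, v)) for k, v in diff["reg_added"].items()]
    rows += [(k, classify(k, new)) for k, (_old, new) in diff["reg_changed"].items()]
    return sorted(rows)


if __name__ == "__main__":
    diff = compare(BEFORE, AFTER)
    print("new files:", *diff["files_added"], sep="\n  ")
    for key, label in report(BEFORE, AFTER):
        print(f"{label:55s} {key}")
```

Regshot can save its snapshots as text; parsing those into the two dicts is a few lines of splitting on the first `:` per line, after which the same `report()` applies. The unclassified bucket is the one to read by hand.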
Post-infection tools: pslist
- Dumps the current process list
- Shows OSRSS running
- Does not see any of the other added files running

Post-infection tools: Fport
- Shows what programs are listening on what ports
- Does not see any unusual process listening on a port

What we know so far
- The infection caused 4 files to appear
- Only 1 file is currently running
- Nothing is listening on the network
- OSRSS.exe is set to start on boot
- he1p.exe will run whenever a .txt file is opened
- A number of Windows items were locked down to prevent us from fixing things easily

Copying
- Next we copy all of our data off of the image
- Make sure you grab any new files as well
- Use VMware’s Shared Folders, SSH or FTP
- Once finished, pause the VMware image

File analysis
- 4 files were created by the infection
- It might be useful to look at them before we proceed
- Notice that the file sizes of three of the files are the same, and are the same as zx.exe. This is very unusual – they could be the same file.

File analysis
- Next, ‘file’ is run against them
- The three files are Windows executables
- she11.dll is a text file containing “http://www.joyiex.com”

File analysis
- Finally, check the md5sum of each file
- The same hash on the exe’s means they are the same file
- A quick look with bintext shows these are packed with FSG as well

File analysis
- One of the files is unpacked with unfsg2.0 and put through bintext
- It has many of the same strings as seen with bbs003302.css
- However, references to coniem.exe are replaced with he1p.exe
- Perhaps different versions of the malware?
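The four "File analysis" slides above compare the dropped files with each other: equal sizes as the first hint, equal MD5 as confirmation, then a string-level comparison of two unpacked variants. As an added example (not the talk's tooling), the block below does both comparisons over a directory's worth of files held in memory. The file contents are constructed stand-ins (one packed body reused under three names, plus the text file); only the names come from the slides.

```python
"""Compare the dropped files with each other (added example; not the talk's tooling).

Groups files by size and MD5 to spot identical copies, and diffs the printable
strings of two unpacked variants to show what changed between them.  All file
contents are constructed stand-ins; only the names come from the slides.
"""
import hashlib
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# One constructed packed body reused under three names, plus the text file.
_PACKED_BODY = b"MZ\x90\x00" + b"\x00" * 12 + b"FSG!" + b"\x00\x01\x02\x03" * 32
DROPPED_FILES = {
    r"C:\WINDOWS\system32\he1p.exe": _PACKED_BODY,
    r"C:\WINDOWS\OSRSS.exe": _PACKED_BODY,
    r"C:\arcldrer.exe": _PACKED_BODY,
    r"C:\WINDOWS\system32\she11.dll": b"http://www.joyiex.com",
}

# Constructed stand-ins for the unpacked bbs003302.css and the unpacked dropped exe:
# the same registry path and one differing file name, as the slide describes.
UNPACKED_CSS = (b"MZ\x90\x00" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
                + b"osrss.exe\x00coniem.exe\x00")
UNPACKED_EXE = (b"MZ\x90\x00" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
                + b"osrss.exe\x00he1p.exe\x00")


def printable_strings(data: bytes) -> set:
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)}


def group_identical(files: dict) -> dict:
    """Map (size, md5) -> names.  Size alone is the first hint; the hash confirms it."""
    groups = {}
    for name, data in files.items():
        groups.setdefault((len(data), hashlib.md5(data).hexdigest()), []).append(name)
    return groups


def duplicate_sets(files: dict) -> list:
    """Only the groups with more than one name: the same file under several names."""
    return sorted(sorted(names) for names in group_identical(files).values() if len(names) > 1)


def variant_diff(first: bytes, second: bytes) -> dict:
    """What one unpacked variant mentions that the other does not."""
    a, b = printable_strings(first), printable_strings(second)
    return {"only_in_first": sorted(a - b), "only_in_second": sorted(b - a), "shared": len(a & b)}


if __name__ == "__main__":
    for names in duplicate_sets(DROPPED_FILES):
        print("identical:", ", ".join(names))
    print(variant_diff(UNPACKED_CSS, UNPACKED_EXE))
```

To use it on real drops, build the dict with `{path: open(path, "rb").read() for path in paths}`; `duplicate_sets()` then tells you which copies you only need to unpack once, and `variant_diff()` run on two unpacked copies surfaces exactly the kind of coniem.exe / he1p.exe difference the slide describes.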
Timeline
- Since we still don’t know much about what the programs did, we can look at the other logs
- It is useful to create a timeline from the tdimon, filemon, regmon and Ethereal logs
- Load filemon and regmon into a spreadsheet and sort by time – they have more accuracy
- You can use this to start your timeline and add in the other logs as you progress

Timeline
- Keep a running log of interesting events for each process
- Expect to have LOTS of entries to go through
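The spreadsheet step above is a merge-and-sort of several tools' logs on their timestamps, followed by filtering per process. As an added example (not the talk's method), the block below does that merge in code. It assumes each tool's log has been exported to a simple `time<TAB>process<TAB>event` form; the real Filemon, Regmon and TDIMon column layouts differ and need their own column picking before this step. The sample lines are constructed from the events on the talk's zx.htm timeline slides and are deliberately out of order, which is how they arrive from separate tools.

```python
"""Merge per-tool monitor logs into one timeline (added example; not the talk's
spreadsheet method).  Assumes each log was exported as "time<TAB>process<TAB>event";
the real Filemon/Regmon/TDIMon layouts differ and need their own column picking.
Sample lines are constructed from the slides' zx.htm timeline and are out of order.
"""
from datetime import datetime, time
from typing import NamedTuple


class Event(NamedTuple):
    when: time       # parsed clock time, used for sorting
    stamp: str       # original text, kept for display
    source: str      # which monitor saw it
    process: str
    detail: str


LOGS = {
    "filemon": [
        "13:04:00.539\tzx.exe\tCREATE c:\\windows\\system32\\he1p.exe SUCCESS",
        "13:04:00.524\tzx.exe\tCREATE c:\\windows\\osrss.exe SUCCESS",
        "13:04:01.055\tosrss.exe\tCREATE c:\\windows\\osrss.exe SHARING VIOLATION",
    ],
    "regmon": [
        "13:04:01.008\tosrss.exe\tSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\DisableTaskMgr = 1",
        "13:04:00.477\tzx.exe\tSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfnom.exe = c:\\windows\\osrss.exe",
    ],
    "tdimon": [
        "13:04:02.318\tosrss.exe\tUDP send DNS query www.cd321.com",
        "13:03:49.211\tiexplore.exe\tTCP connect play.joyiex.com:80",
    ],
}


def parse_line(source: str, line: str) -> Event:
    stamp, process, detail = line.rstrip("\n").split("\t", 2)
    when = datetime.strptime(stamp, "%H:%M:%S.%f").time()
    return Event(when, stamp, source, process.strip().lower(), detail.strip())


def build_timeline(logs: dict, processes=None) -> list:
    """All events from every tool, oldest first; optionally only for some processes."""
    events = [parse_line(src, ln) for src, lines in logs.items() for ln in lines if ln.strip()]
    if processes:
        wanted = {p.lower() for p in processes}
        events = [e for e in events if e.process in wanted]
    return sorted(events, key=lambda e: e.when)   # stable sort: ties keep input order


def process_spans(timeline: list) -> dict:
    """First and last stamp seen per process: how long each one was active."""
    spans = {}
    for e in timeline:
        first, _ = spans.get(e.process, (e.stamp, e.stamp))
        spans[e.process] = (first, e.stamp)
    return spans


def render(timeline: list) -> list:
    """The running log the slides keep: one line per event."""
    return [f"{e.stamp} [{e.source}] {e.process}: {e.detail}" for e in timeline]


if __name__ == "__main__":
    timeline = build_timeline(LOGS)
    print("\n".join(render(timeline)))
    for proc, (first, last) in process_spans(timeline).items():
        print(f"{proc}: {first} .. {last}")
```

Start with the filemon and regmon exports, as the slide suggests, and add the tdimon and sniffer lines to `LOGS` as you go; `build_timeline(LOGS, ["osrss.exe"])` gives the per-process log, and `process_spans()` is where the "about 17 seconds" figure for the whole infection falls out.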
zx.htm timeline
- 13:03:49.211 – IE downloads http://play.joyiex.com/love.htm
- 13:03:49.852 – IE downloads http://play.joyiex.com/zx.htm
- 13:03:54.568 – IE drops zx.exe into Temporary Internet Files
- 13:04:00.247 – IE copies zx.exe into c:\windows\downloaded program files
- 13:04:00.305 – IE executes zx.exe

zx.htm timeline
- 13:04:00.477 – 00.524 – zx.exe sets the following registry keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
- 13:04:00.524 – zx.exe creates c:\windows\osrss.exe – file size 18,540
- 13:04:00.539 – zx.exe creates c:\windows\system32\he1p.exe – file size 18,540

zx.htm timeline
- 13:04:00.789 – zx.exe executes c:\windows\osrss.exe
- 13:04:01.008 – osrss.exe sets the following registry keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
- 13:04:01.055 – osrss.exe tries to create itself but fails (sharing violation)
- 13:04:01.055 – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)

zx.htm timeline
- 13:04:02.318 – osrss.exe makes a DNS query for www.cd321.com
- 13:04:03.305 – osrss.exe shuts down
- 13:04:03.524 – IE deletes c:\windows\downloaded program files\zx.exe

sp3.htm timeline
- 13:03:49.914 – IE downloads http://play.joyiex.com/sp2/sp3.htm
- 13:03:51.055 – IE downloads http://play.joyiex.com/sp2/bbs003302.gif
- 13:03:55.414 – IE downloads http://play.joyiex.com/sp2/bbs003302.css
- 13:04:01.336 – IE executes bbs003302.gif
- 13:04:01.555 – IE creates c:\ntdetect.hta – length 1,620

sp3.htm timeline
- 13:04:02.586 – mshta.exe reads c:\ntdetect.hta and executes it
- 13:04:03.086 – mshta.exe searches for bbs003302.css and finds it
- 13:04:03.086 – mshta.exe creates c:\arcldrer.exe – length 18,540
- 13:04:03.149 – c:\arcldrer.exe is executed by mshta.exe
- 13:04:03.149 – mshta.exe closes c:\ntdetect.hta

sp3.htm timeline
- 13:04:01.008 – arcldrer.exe sets the following registry keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
- 13:04:03.305 – arcldrer.exe recreates c:\windows\osrss.exe
- 13:04:03.305 – arcldrer.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)

sp3.htm timeline
- 13:04:03.352 – arcldrer.exe executes c:\windows\osrss.exe
- 13:04:03.493 – osrss.exe tries to create itself but fails (sharing violation)
- 13:04:03.493 – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
- 13:04:03.680 – osrss.exe sets registry keys again
- 13:04:05.273 – osrss.exe downloads http://www.cd321.com/ie1.txt

sp3.htm timeline
- 13:04:01.008 – osrss.exe sets the following registry keys:
  - HKCU\Software\Microsoft\Internet Explorer\Main\Start Page to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2 to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3 to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\Local Page to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\Search Page to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url to http://www.joyiex.com
  - HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL to http://www.joyiex.com

sp3.htm timeline
- 13:04:05.633 – osrss.exe deletes the cache file for ie1.txt
- 13:04:05.633 – osrss.exe creates c:\windows\system32\she11.dll
- 13:04:05.993 – osrss.exe sets the initial registry keys again
- 13:04:06.164 – mshta.exe creates c:\cmd.bat – length 79
- 13:04:06.243 – mshta.exe executes cmd.exe to run cmd.bat

sp3.htm timeline
- 13:04:06.352 – cmd.bat deletes c:\ntdetect.hta
- 13:04:06.352 – cmd.bat deletes itself
- 13:04:06.352 – cmd.exe/cmd.bat stop running
- 13:04:08.508 – osrss.exe sets registry keys again
- 13:04:13.539 – osrss.exe sets registry keys again
- 13:04:18.555 – osrss.exe sets registry keys again
What do we know now?
- The site uses multiple exploits in IE to install multiple copies of the same malware and execute it (he1p.exe, osrss.exe, arcldrer.exe)
- A number of settings in IE are set to point to www.joyiex.com
- osrss.exe will run on boot up
- he1p.exe will be executed whenever a .txt file is double-clicked
- The local computer is locked down to prevent settings from being changed or Task Manager from running
- All of this happens in about 17 seconds

What do we NOT know?
- What happens when we double-click on a txt file?
- What happens on boot up?
- Will the malware do anything else?
- Let’s find out!

he1p.exe and txt files
- HKCR\txtfile\shell\open\command\(Default) is modified to point to he1p.exe instead of notepad.exe
- This registry key defines what application is run when a .txt file is opened
- To find out what happens:
  1. Unpause the VMware image
  2. Start a new sniffer
  3. Take a regshot 1st scan
  4. Start regmon, tdimon and filemon
  5. Double-click on a .txt file
  6. Wait a couple of seconds and then perform the analysis

he1p.exe timeline
- 9:16:32.371 – readme.txt file double-clicked in explorer.exe
- 9:16:32.403 – explorer.exe opens the HKCR\txtfile\shell\open\command\(Default) registry key and sees that it should use he1p.exe
- 9:16:32.481 – explorer.exe executes he1p.exe
- 9:16:33.262 – he1p.exe begins setting registry keys
- 9:16:33.387 – he1p.exe executes notepad.exe
- 9:16:33.715 – notepad.exe opens readme.txt

he1p.exe timeline
- 9:16:33.996 – he1p.exe tries to overwrite c:\windows\osrss.exe but fails (sharing violation)
- 9:16:34.012 – he1p.exe tries to overwrite itself but fails (sharing violation)
- 9:16:34.012 – the currently running copy of osrss.exe shuts down
- 9:16:34.028 – he1p.exe executes a new copy of osrss.exe
- 9:16:34.199 – he1p.exe shuts down

he1p.exe results
- No network traffic while clicking on the txt file
- Monitoring tools don’t show any new activity
- Regshot shows no new registry entries or files
- he1p.exe doesn’t do anything to the text file – it never even opens it!
- osrss.exe will shut down if another copy starts up
- It appears that he1p.exe is just put in the txt registry key to re-infect the system
On boot
- It can be difficult to start all utilities on boot up (not all support it)
- Regshot results would generate A LOT to go through after a reboot
- We can do the next best thing – kill the process and restart it
- This doesn’t cover all possible situations, but should be close enough

On boot
- The malware prevents Task Manager from running, so we have to use pslist and pskill to kill the process
- Once the process is confirmed stopped, we set up the monitoring tools again and run the malware

On boot timeline
- 9:21:01.981 – c:\windows\osrss.exe executed
- 9:21:01.996 – osrss.exe checks for c:\windows\system32\she11.dll
- 9:21:02.028 – osrss.exe sets the initial registry keys
- 9:21:02.043 – osrss.exe tries to create itself but fails (sharing violation)
- 9:21:02.043 – osrss.exe recreates he1p.exe
- 9:21:02.043 – osrss.exe opens and reads c:\windows\system32\she11.dll
- 9:21:02.043 – osrss.exe sets the IE registry keys (homepage, etc.)
- 9:21:04.543 – osrss.exe sets the initial registry keys again, and does so every 2 seconds

On boot results
- No network traffic shows up
- Only a modified he1p.exe shows up in regshot
- osrss.exe behaves as we have seen it behave thus far
Analysis results
From our analysis of the malware we can conclude the following:
1. Going to http://play.joyiex.com/love.htm with an unpatched IE infected the client with the same malware multiple times.
2. The malware will copy itself to c:\windows\osrss.exe and c:\windows\system32\he1p.exe.

Analysis results
3. Osrss.exe will be set to start on boot.
4. He1p.exe will be run whenever a txt file is opened.
5. The current user will be prevented from running Task Manager.
6. The current user will be prevented from changing IE’s homepage.
7. The malware will download http://www.cd321.com/tm/ie1.txt and place the results in c:\windows\system32\she11.dll.

Analysis results
8. The malware will set a number of IE settings (homepage, etc.) to the contents of she11.dll.
9. When running, the malware will reset the registry keys every 2-5 seconds.
10. The malware will only allow 1 instance of itself to run at any given time.
11. The malware has a predictable flow of events.

Malware flow
1. Malware starts
2. Startup and lockdown registry keys are set
3. Create osrss.exe
4. Create he1p.exe
5. If she11.dll does not exist, download its contents from www.cd321.com
6. Set the IE registry keys with the contents of she11.dll
7. Set the startup and lockdown registry keys again
8. Am I osrss.exe?
   - No: start osrss.exe and kill my process
   - Yes: keep running
Virustotal.com results
- osrss.exe: variant of IM Lewor worm
- bbs003302.css: TR/Dldr.Delf.CQ or variant of IM Lewor worm
- bbs003302.gif: Trojan.Phel
- More than half of the anti-virus programs didn’t find anything.

More information
- Lenny Zeltser’s Reverse Engineering Malware paper
- Tom Liston’s Follow the Bouncing Malware series at incidents.org
- Honeynet Project’s Reverse Challenge
- Hacker Disassembling Uncovered by Kris Kaspersky
- Malware: Fighting Malicious Code by Ed Skoudis
- The Art of Computer Virus Research and Defense by Peter Szor
- Google for: “reverse engineering” or “malware analysis”

Presentation
http://www.hudakville.com/infosec

Questions?