
Freeze Drying for Capturing Environment-Sensitive Malware Alive PDF

53 Pages·2014·1.87 MB·English

Preview Freeze Drying for Capturing Environment-Sensitive Malware Alive

Black Hat Europe 2014
Freeze Drying for Capturing Environment-Sensitive Malware Alive
FFRI, Inc. http://www.ffri.jp
Yosuke Chubachi
Ver 2.00.01

WHO AM I?
Yosuke Chubachi has been a security engineer at FFRI, Inc. since this spring. He studied at the graduate school of information system engineering, University of Tsukuba. His research interests are in operating systems and virtual machine monitoring; particular interests include access control and intrusion prevention systems. He has been a Security Camp lecturer (a national information security human resource development program) since 2011 and a member of the executive committee of SECCON (SECurity CONtest, the largest CTF organizer in Japan) since 2012.
忠鉢 洋輔 CHUBACHI Yosuke

Contents
• Background
• Idea
  – Malware migration system for capturing malware alive
• Challenges
  – Process migration
  – Anti-anti-sandbox arming
• Implementation
  – Overview
  – IA32 CPU emulator
  – Process migration using a process-level sandbox
  – API proxies for faking an artifact
• Conclusions

Background
• Sophisticated malware is armed with many anti-analysis techniques
• Used in targeted attacks, cyber espionage and banking malware
• First, we need protection
• Second, we are curious about the true intention

Case study: Citadel
• Some Citadel samples detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host [1]
  – To avoid behavior-based malware detection (like sandbox analysis)
• Showing two examples
  – Host fingerprinting
  – VM/sandbox detection

Host fingerprinting
• Embedding the infected host's unique value into the execution binary
(Diagram: original Citadel vs. environment-sensitive Citadel. The self-rewriting unpacker embeds the host-unique value into the malicious code when executed, so each infected host yields a different signature pattern.)

Host fingerprinting (cont'd)
• Getting the GUID of the system drive using GetVolumeNameForVolumeMountPoint()
• Comparing the running host's GUID value with the embedded infected host's value
• The process executes the malicious code if the GUID values are
(Diagram: environment-sensitive Citadel. The unpacker unpacks the malicious code together with the infected host's GUID, format {XXXXXXXX-XXXX-XXXX-XXXXXXXX}.)

VM/Sandbox detection
• Checking the process's product name
  – like "*vmware*", "*virtualbox"
• Scanning for specific files and devices
  – C:\popupkiller.exe
  – C:\stimulator.exe
  – C:\TOOLS\execute.exe
  – \\.\NPF_NdisWanIp
  – \\.\HGFS
  – \\.\vmci
  – \\.\VBoxGuest

Citadel behavior on host/environment inconsistency
• For example:
  – Process termination
  – Running fake (or harmless) code

Citadel runtime activities
(Diagram: activity phases laid out across memory, persistent storage and network.)
• Initialization – unpack
• Environment-awareness – scouting, host fingerprinting
• Malicious code execution – malicious behavior: code injection, unauthorized access, connecting to the C&C server

Description:
Live malware defrosting
• The sandbox resumes the packed living malware
• Reconstructing address gaps
(Diagram, slide 23: user-space and kernel-space. The Defroster (sandbox) provides runtime & libraries, FILE, HEAP, and kernel objects & entities; the living malware's memory context and execution context are de-serialized into it.)
