Malware Reverse Engineering


Man In The Browser (MITB)

Jeet Morparia
Software Engineer, Malware Analysis and Response


Agenda

1. Today's malware landscape
2. Reverse engineering a malware
3. Man In The Browser


Today’s malware landscape


- Though spam has decreased, malicious attacks have increased.
- Attackers make more and more use of web attack toolkits.


- >50% increase in unique variants of malware
- >10k unique malicious web domains
- ~50% increase in mobile vulnerabilities


Two main reasons for this trend:

- The victims are part of a larger organization's ecosystem and provide a stepping stone to a larger attack
- They are less well defended


Reverse Engineering A Malware

Black boxing and white boxing

Analysis of a malware


HIEW

[Screenshots: file properties; virtual memory layout]


Packed code vs. unpacked code

[Screenshots: UPX packed sections; unpacked sections]


[Screenshots: embedded resources; version information]


Monitoring Tools


OllyDbg

[Screenshot: breakpoints]


IDA Pro

Man In The Browser

Man-in-the-middle (MiM)


[Diagram] Alice (end user) <-> Trudy (attacker) <-> Bob (bank server)

Alice sends: "Transfer $2500 to Mom"
Trudy forwards to Bob: "Transfer $10000 to Trudy"
Bob replies: "Transferred $10000 to Trudy"
Trudy forwards to Alice: "Transferred $2500 to Mom"

Man-in-the-browser (MITB)


Trudy (attacker) first infects Alice's system with a Trojan.

[Diagram] Alice (end user) <-> Alice's browser (Trojan) <-> Bob (bank server)

Alice types: "Transfer $2500 to Mom"
The Trojan captures the form data and sends to Bob: "Transfer $10000 to Trudy"
Bob replies: "Transferred $10000 to Trudy"
The browser shows Alice: "Transferred $2500 to Mom"


Clean browser:
- No extra fields; just the required information

Infected browser:
- Extra fields (e.g. PIN); asks for critical information that is usually not required

MiM vs MITB

Parameter                        MiM                                       MITB
Hardware/software requirements   Usually requires compromised hardware     Injects malicious software (Trojan) into the web browser
Communication                    Has to deal with secure communication     Unaffected by secure communication such as SSL (data is read before encryption)
Targets                          Directed or location-based                Can be anywhere on the internet


Purpose of MITB

- Subvert secure communication (SSL)
- Steal and modify form data
- Didn't I say MONEY!


Types of MITB


- Hooking Windows APIs: Trojan.Clampi
- Using BHOs (Browser Helper Objects) in IE, or Firefox extensions: Trojan.Neloweg
- Using self-signed certificates: Trojan.Tatanarg

MITB by hooking Windows APIs


What is a hook? A piece of code that intercepts function calls in order to change the behaviour of the application.

[Diagram: original function vs. hooking function]

1. Trojan.Clampi injects a malicious thread into the IE browser process.
2. It monitors and hooks several API calls exported by the Windows DLL wininet.dll:
   - InternetConnectA
   - InternetOpenA
   - InternetReadFile
   - InternetWriteFile
3. When the browser calls one of these APIs, the hook runs first and then passes control to the original function.
4. Data is grabbed from the IE browser before it is encrypted, hence overcoming SSL.

Can be detected by scanning for the injected process.
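To make step 3 and the detection concrete, here is an added Python example (not from the slides and not Clampi's code). It builds the 5-byte `jmp rel32` that an inline hook writes over an API's first instructions, simulates the injected thread installing such a hook on `InternetWriteFile`, and then runs the check an analyst would run: compare each export's first bytes in the live process with the clean copy on disk and resolve where any `jmp` at the entry point leads. The module image, its base address, the export offsets and the hook address are all constructed for the demo; the `mov edi,edi; push ebp; mov ebp,esp` prologue is the hot-patchable prologue common to 32-bit Windows API exports.

```python
import struct

JMP_REL32 = 0xE9
# Hot-patchable prologue common to 32-bit Windows API exports:
#   mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def build_jmp_patch(func_addr: int, hook_addr: int) -> bytes:
    """The 5-byte `jmp rel32` an inline hook writes over the API's first instructions.
    rel32 is relative to the address after the jmp itself (func_addr + 5)."""
    rel = hook_addr - (func_addr + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def jmp_target(func_addr: int, code: bytes) -> int:
    """Resolve where a `jmp rel32` located at func_addr lands (32-bit wraparound)."""
    rel = struct.unpack_from("<i", code, 1)[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFF


def install_hook(image: bytearray, func_off: int, func_addr: int, hook_addr: int) -> bytes:
    """What the injected thread does: keep the bytes it overwrites (they are replayed in a
    trampoline so the original API still runs after the hook) and write the jmp."""
    saved = bytes(image[func_off:func_off + 5])
    image[func_off:func_off + 5] = build_jmp_patch(func_addr, hook_addr)
    return saved


def check_export(name: str, in_memory: bytes, on_disk: bytes, func_addr: int,
                 module_lo: int, module_hi: int):
    """Detection: an export's first bytes in the live process must equal the clean copy
    on disk; a jmp whose target lies outside the owning module points at injected code.
    Returns None when clean, otherwise a one-line finding."""
    if in_memory[:len(on_disk)] == on_disk:
        return None
    if in_memory[0] == JMP_REL32:
        target = jmp_target(func_addr, in_memory)
        where = "inside" if module_lo <= target < module_hi else "outside"
        return f"{name}: entry patched with jmp to {target:#010x} ({where} module)"
    if in_memory[:2] == b"\xff\x25":
        return f"{name}: entry patched with jmp [abs32]"
    return f"{name}: first bytes differ from on-disk copy: {in_memory[:5].hex()}"


def scan_exports(live: bytes, disk: bytes, exports: dict, module_base: int) -> list:
    """Walk an export-name -> offset table and collect every hooked entry."""
    findings = []
    for name, off in exports.items():
        hit = check_export(name, bytes(live[off:off + 16]), bytes(disk[off:off + 5]),
                           module_base + off, module_base, module_base + len(live))
        if hit:
            findings.append(hit)
    return findings


def demo() -> list:
    """Constructed stand-in for wininet.dll mapped into the browser process; the base
    address, export offsets and hook address are made up for the example."""
    module_base = 0x76A00000
    exports = {"InternetOpenA": 0x1000, "InternetConnectA": 0x1200,
               "InternetReadFile": 0x1400, "InternetWriteFile": 0x1600}
    disk = bytearray(0x2000)
    for off in exports.values():
        disk[off:off + 5] = CLEAN_PROLOGUE
    live = bytearray(disk)
    # The trojan hooks InternetWriteFile: request bodies (form data) pass through it in
    # the clear, before WinINet hands them to the TLS layer.
    hook_addr = 0x00401000          # code in a region the injected thread allocated
    install_hook(live, exports["InternetWriteFile"],
                 module_base + exports["InternetWriteFile"], hook_addr)
    return scan_exports(live, disk, exports, module_base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Comparing the live prologue with the on-disk copy is what generic hook scanners do. Two caveats apply in practice: relocations and legitimate hot-patching (some security products hook the very same exports) also produce differences, so a finding is a lead for the analyst rather than a verdict, and a patch on the first instructions is only one placement; IAT/EAT patches and hooks placed deeper inside the function need their own checks.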

MITB using BHO / browser extension: Trojan.Neloweg

- Sets up a namespace provider and associates it with Winsock2
- The DLL is loaded into memory whenever any program tries to connect to the internet using Winsock2
- No process injection needed!
- If the DLL finds itself running under firefox.exe, it creates the browser extension files:
  - %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
  - %ProgramFiles%\Mozilla Firefox\chrome\error.jar
  - %ProgramFiles%\Mozilla Firefox\components\nsLego.js
  - %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
- error.jar contains the main form-grabbing code
- Can be detected by in-browser security software that blocks API access from browser extensions, e.g. Trusteer Rapport


MITB using self-signed certificates: Trojan.Tatanarg

- Much like MiM: creates a proxy service between the bank and the client
- On the bank side of the proxy: outbound traffic is encrypted using the bank's credentials
- On the browser side of the proxy: traffic is encrypted using the Trojan's own (self-signed) credentials
- Can be detected by scanning the injected process


Other MITB prevention/detection techniques

- Client-side JavaScript that encrypts some fields before the form-grabbing component sees them: already broken (the Trojan runs inside the browser and reads the fields before the script does)
- Multi-factor authentication: already broken (the Trojan acts inside the already-authenticated session)
- Out-of-band (OOB) transaction verification: verifying the transaction over a channel other than the browser
- Web fraud detection: automated checks for fraud patterns by the banks
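Out-of-band verification is the one technique on this list that a Trojan confined to the browser cannot defeat on its own, because the confirmation travels over a channel the Trojan does not control. The following Python is an added example (not from the slides and not any bank's scheme) of how the bank side and the user side fit together: the bank binds a short confirmation code to the exact transaction it received with an HMAC and sends that code, together with the details it covers, to a second device; the user approves only if those details match what they typed. The key, the transaction records and the message format are constructed for the demo.

```python
import hashlib
import hmac

# Assumption for the demo: a secret held only by the bank's authentication server.
BANK_OOB_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(tx: dict) -> bytes:
    """Fix the field order so the code is bound to id, amount and recipient together."""
    return f"{tx['tx_id']}|{tx['amount']}|{tx['to']}".encode()


def issue_oob_challenge(tx: dict) -> tuple:
    """Bank side: derive a 6-digit code from an HMAC over the transaction as received,
    and send it over the second channel together with the details it covers."""
    tag = hmac.new(BANK_OOB_KEY, canonical(tx), hashlib.sha256).digest()
    code = f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"
    message = f"Confirm transfer #{tx['tx_id']}: {tx['amount']} to {tx['to']}. Code {code}"
    return code, message


def verify_oob(tx: dict, code_entered: str) -> bool:
    """Bank side: recompute for the transaction that is about to execute. A code issued
    for different details never matches, so a captured code cannot be replayed."""
    expected, _ = issue_oob_challenge(tx)
    return hmac.compare_digest(expected, code_entered)


def user_confirms(message: str, intended: dict) -> bool:
    """User side: the details on the phone must match what was typed in the browser."""
    return f"{intended['amount']} to {intended['to']}" in message


def run_transfer(intended: dict, submitted: dict) -> dict:
    """End-to-end flow. `intended` is what Alice typed; `submitted` is what the bank
    received (identical unless a MITB rewrote the form on its way out of the browser)."""
    code, sms = issue_oob_challenge(submitted)          # bank -> Alice's phone
    if not user_confirms(sms, intended):                # Alice reads the SMS
        return {"sms": sms, "approved": False,
                "reason": "second-channel details differ from what I entered"}
    approved = verify_oob(submitted, code)              # Alice types the code into the browser
    return {"sms": sms, "approved": approved, "reason": "confirmed" if approved else "bad code"}


if __name__ == "__main__":
    alice = {"tx_id": 4711, "amount": "$2500", "to": "Mom"}
    rewritten_by_trojan = {"tx_id": 4711, "amount": "$10000", "to": "Trudy"}
    print(run_transfer(alice, dict(alice)))
    print(run_transfer(alice, rewritten_by_trojan))
```

Because the code is tied to the amount and the recipient, the Trojan cannot phish a code for the transaction Alice wanted and spend it on the one it substituted. The protection holds only as long as the second device is not itself compromised and the user actually reads the details instead of copying the digits across.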


Summary of MITB

MITB technique                            Hooking Win APIs                BHO / browser extension       Self-signed certificate
Trojan name                               Trojan.Clampi                   Trojan.Neloweg                Trojan.Tatanarg
Injected process required?                Yes                             No                            Yes
Encrypts/decrypts secure communication?   No                              No                            Yes
Detection                                 Scan injected browser process   In-browser security           Scan injected browser process


Conclusion

- Attackers are using newer ways to infect machines: targeted attacks, use of web toolkits
- Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
- MITB is an innovative way used by attackers to break security
- MITB prevention is still a work in progress (good research project!)
- Malware reverse engineering as a profession has a broad scope


Reverse engineering tools

- Hex View: http://www.hiew.ru/
- Unpacking tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
- Resource Hacker: http://www.angusj.com/resourcehacker/
- Monitoring tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
- OllyDbg: http://www.ollydbg.de/
- IDA Pro: http://www.hex-rays.com/
- Process Dumper: http://www.microsoft.com/en-us/download/details.aspx?id=4060 and http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers


References

- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
- http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
- http://www.symantec.com/threatreport/
- https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
- http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf


Video

- http://www.youtube.com/watch?v=USCHPIQB8_Y


Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.



Jeet Morparia

jeet.morparia@gmail.com
