
...Sony's machines. So, on to the analysis. The very first thing: it's very important when you're doing malware analysis to be pretty methodical when you're analyzing malware, and that means doing some bookkeeping in the beginning, like collecting hashes, what are the names of the malware samples, and that sort of thing. Another fairly important thing is to run it against some existing antivirus, to see if this is an already-known malware sample or something completely new dropped on a honeypot or something. So the malware sample you'll find in the reports by the FBI and so on has this hash here. These are the results from VirusTotal: basically you upload your malware sample to VirusTotal and it will run it against a whole bunch of antiviruses. There's also an option for people to say, is this a good piece of software, is this actually a real, legitimate piece of software, or is it actually a piece of malware? So 32 people said this is a bad piece of software, and four people are probably going to have a very bad day. The malware sample I actually analyzed is a different variant; it actually has this hash. You can definitely still find the malware sample that has this hash, but this is the first one I came across, and three people said it was fine.

I guess this is the wall of shame. Anyway, these are the antiviruses that said this wasn't a malware sample. If you look at the slide, 47 out of 57 antiviruses said that this was a bad, evil malware sample. These are the ten that said it was fine, which is a little surprising; you recognize some of these names. Maybe it's just the time that it got uploaded and analyzed, but it was pretty recent, like three weeks and three days before I made this slide.

Also, when you're running a malware sample you usually don't want to do it just on your regular computer; that's bad, you don't want to infect your own machine with malware. So you normally run it inside a virtual environment. I use VMware Workstation 11; it's pretty effective. The nice thing about running malware samples inside virtual environments like VMware is that you can also set up virtual networks, so you can monitor the network traffic and do packet captures with Wireshark. VMware is very useful for that.

So after uploading it to VirusTotal, one thing I like to do is just right-click the executable and run it as an administrator to see if there's something obvious right away, just to see what it does. When I right-clicked and ran this malware sample as an administrator, it was a little anticlimactic: it just produced another executable on the desktop. A little disappointing for a malware sample called Wipall; I was expecting it to just destroy the whole environment, and it just made another executable. So a little bit of a letdown, and we need to do more.

Another thing you can do, and I guess this falls more under bookkeeping, is, rather than just running it as an administrator and seeing what happens, stick it into an environment that has a bunch of monitoring tools on it and see what it does inside a sandbox. A sandbox will produce a general malware overview report that you can look at. So I uploaded the sample to malwr.com, which runs it inside the sandbox called Cuckoo. It didn't exactly do what I was expecting. It said it didn't contact any hosts and it didn't contact any domains, which is a little suspicious. There's some useful information, like that it might contain some encrypted or compressed data; that's useful. And it has been identified by at least one antivirus on VirusTotal. It only produced some ICMP traffic, and there were no dropped files. So what's going on? When we clicked it ourselves it dropped this igfx-whatever binary, so even the sandbox didn't pick up on that, which I thought was a little odd. Here we see the igfxtrayex.exe. Sandboxes aren't always one hundred percent reliable, so by actually having a malware analyst look at the malware sample you get a lot more information.

One tool that's really useful when doing malware analysis is CFF Explorer. If you're not familiar with it, it's a really great way to get some general information about the binary you're analyzing. You can also flip a few bits, just change some things that make analysis a lot easier, and this actually came in really handy. By show of hands, how many of you have done a CTF before, or CTF challenges? All right, a good number of you. A really popular CTF is Ghost in the Shellcode; it's a lot of fun. You essentially get to hack a video game and give yourself super speed, super jump, and you try to solve all these challenges that are hacking related. One of the things you can do, for example, is disable the address randomization of a DLL. All the game logic in the CTF was kept inside a DLL, so when you're moving between IDA and OllyDbg it can be useful to disable address randomization.

The way I used it for the Sony malware sample was to get a general overview: you get the hashes, you can tell some more information about the executable, like for example that it was compiled using the Microsoft Visual C++ compiler. That's pretty useful. Another little suspicious thing there: we see that the portable executable size was 56 kilobytes and the file size was 430.38 kilobytes, so not all of this was part of the executable. If you compare this to something like PuTTY, which is just an SSH client, you see the file size is 472 kilobytes and the portable executable size is 472 kilobytes, so something might be a little bit off there.

Another really useful tool is called PEview. This gives some pretty significant information, like when exactly this malware sample was compiled, and this date here circled in green is a little suspicious: it's November 22nd, 2014, and the attack on Sony Entertainment happened the 23rd or 24th. So, hmm, interesting.

Another thing you have to ask yourself when analyzing a malware sample is, is this malware sample packed? If a malware sample is packed it makes it significantly more difficult to reverse engineer. There are legitimate reasons to pack a program: maybe you want to use it as a form of DRM, to make your program harder to crack, and the main purpose of packing a program is to make the executable size smaller, just to reduce the size of your executable in general. What happens when a packed sample runs is that it basically decompresses and becomes larger in memory. So why would a malware author actually want to pack a program? Well, you can obfuscate a lot of strings, and once again it makes it harder for someone who's just looking at your malware sample to reverse engineer it; it's how you stop people reverse-engineering your malware sample. So, just asking the question, is this malware sample packed, and pretty much the answer was no. PEiD is a great tool for identifying whether or not a malware sample is packed, and it wasn't. You can also look at some of the histograms, which give you an overview of entropy. The text segment of the executable didn't really indicate that it was packed, but you also have the rest of the program, which was weird because that wasn't part of a segment and it was pretty high in entropy. So this file, as you'll find out, this malware sample kind of drops other executables; it's modular and runs components. Back to CFF Explorer: one of the things you can do to tell if a malware sample is packed is to check whether the virtual size of the executable is much larger than the raw size. The raw size is the actual size in the file, and the virtual size is the size in memory.

All right, so you can only get so far with basic tools that give you a general overview, like a static analysis of a program, so one of the things you'll have to do is some code analysis. When we say code analysis, that's actually looking at the assembly language, looking at the assembly of the malware sample. Unfortunately malware authors aren't real keen on giving you the source code to their programs; they probably don't want to give you that. So how do you get static analysis? You take two cats and you rub them against malware balloons. My general idea here is that you get static electricity, but as I found out from my vice president Daniel, normal people don't rub balloons on cats. I don't advise it; you could use any kind of fur to get static electricity.

So the tool I use to do static analysis on this binary is called IDA. I used IDA Free; it pretty much suits the purposes of what you need to analyze it. IDA Pro obviously has a lot of really useful features; for example the Hex-Rays decompiler can give you almost the source code of a program. But with just the free version of the IDA disassembler you're pretty much just going to get assembly language, and you have to look at that. So, as I talked about before, this malware sample drops different components. Just looking at our original executable, which had that long hash and which I call destover.exe, you can't really get a full analysis of the malware sample without also looking at the smaller components like the igfxtrayex.exe executable. So you have to look at both things; they do different stuff. The idea here is that it's modular.

One of the things that the malware sample does, if you look at some of the assembly, is that it installs itself as a service. One of the reasons why malware might want to install itself as a service is to become persistent: maybe the computer reboots and you want your malware to keep running; well, install it as a service. You can also hide from the process list by installing as a service, so that's pretty useful.

Just an overview, so we all understand what this assembly looks like and how it works: you have this function called fluffy, and it has a parameter called sheep, and this is an overview picture of what the stack looks like. The first thing you do is push the parameters of the function onto the stack, then you push the return address for after you exit the function, then you save your old base pointer, and then you move ESP into EBP to create a new stack frame. But the most important thing here to take away is that you push the parameters of the function onto the stack before you call the function. So taking a look at this, we see that we have the function CreateServiceA that the malware sample uses, and all these things above it that are pushes are the parameters to the function. We see some interesting things; for example, now we know the name of the service that this malware sample installs: it calls itself Win Schedule Management Service. We also see some interesting variables: we see that it gives the service the SERVICE_AUTO_START flag. It also XORs some other flags, and this is a little annoying thing about IDA: you actually have to right-click on these numbers and select what the name of it is; normally you'll just get a number there. OllyDbg is a little bit better about predicting what the names of these variables are. Another thing is that when it's running commands in general, the malware sample creates a service real quick, calls whatever it needs to do, and deletes the service shortly after, so it kind of hides itself from the process list and such. I thought that was pretty interesting.

All right, so this malware sample is actually a worm, which, if you're a system administrator, probably looks a little more like this, something more like Doom rather than Shelby from Adventure Time. So how does this worm work? It actually uses a pretty primitive method of propagating across the network: it uses Windows file sharing. That's a pretty old attack. It does several things, but I guess the most significant of these is actually copying the binary onto the new machine. You see here, before we call this function (sub_40...), we get the username and the password, and then we pass that to WMIC.

But what about IDA? Extra: I just love sheep, so that picture doesn't have much to do with the presentation. So what other things does igfxtrayex do? When we ran that executable before, all it did was drop that igfxtrayex and then it just sat there. The reason why it was just sitting there was because there were extremely long delays between when the malware sample was executed and when it started going into its next stages. If you open it in OllyDbg you can look at all the references to the Windows Sleep call, and you see here that somebody is sleeping for three hundred thousand milliseconds, and that's a pretty long time. So when you stick it inside a sandbox, the sandbox is going to run for a certain amount of time, but it's not going to run forever inside that environment, and maybe the malware didn't do anything interesting until this clock finally counted down. One of the things you can do is patch the binary and change some of these waits to much smaller times. What I did was I plugged in two thousand milliseconds and replaced some of these very large values, like three hundred thousand milliseconds, which brings it down to about two seconds, a much shorter time. And what you find it does, interestingly enough, is that we're in a worse situation now: igfxtrayex creates three copies of itself and places them on the desktop. So now we not only have one igfxtrayex to look at, we have three igfxtrayexs to look at. Fortunately these igfxtrayexs all have the same hash, so you really only have to look at one of them, but what you will find is that each of these igfxtrayex executables gets started using the CMD command, and they all get started with a different flag.

So this is what my desktop looked like before I ran the malware sample, this new patched malware sample, and this is what it looked like afterwards. Stuff started getting deleted; even the desktop background started to disappear. If you run this inside Windows XP, I guess the background gets rendered a little differently. It seriously looks like something from the movie Hackers; it's pretty cheesy. You see this "Hacked by #GOP". As it turns out, it doesn't stand for the Republican Party; it stands for Guardians of Peace.

All right, so doing some network forensics of this executable as it goes through its different stages is really helpful to get an idea of what kind of hosts this malware contacts and what kind of ways it uses to propagate. So who can guess what this is? Yeah. A really useful tool for taking a look at packet captures is Wireshark; you get a great overview of what the network data looks like. This is the original destover.exe. As you can see, it makes lots and lots of connections to ports 445 and 139; the logs just get filled up. It's really loud and noisy. These services are NetBIOS and SMB, because we have a worm here that spreads using Windows file sharing. The IP addresses that it tries to contact are there in plain text; it's really easy to see just by running strings on the binary. So, forensics 101: run strings on your binary. These are all just plain text, very easy to find, hard-coded IP addresses. And as you'll find, each time igfxtrayex runs it tries to call home a few times on port 8080. It does that to each of those IP addresses, which were statically coded; it does that to each IP address three times. Unfortunately these are just the requests; I don't have the other end of the capture.

So, final thoughts. This malware sample wasn't really anything that complicated, especially for something that was written by, I guess, a government. It's a little surprising that it was this easy. Normally when you take a look at something like Stuxnet, which is thousands of lines of code and super complicated; this was really simple to analyze. And I guess the next thing is, the news will be the news; it's got a huge amount of hype, and when you try to look for information about the malware sample you'll see people describing this as a super complex thing that's scary and wiping things, but when you look at how it actually works it's pretty simple; it operates in a really simple way. Someone like a freshman, but probably a freshman who has Computer Programming 1 experience, probably could have written something similar. So I guess that's most of my slides, and I'll open it up to questions. There's my contact information. So, anyone have any questions for me?
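The static triage steps the talk walks through with CFF Explorer and PEview (hashes, compile timestamp, virtual size versus raw size per section, entropy, the gap between PE size and file size, and plaintext IP addresses found with strings) can be scripted against the PE header directly. The following is an added example written for this page, not the speaker's code or tooling: it assumes the standard PE32 header layout and only the Python standard library, and the two input files are constructed by the script itself (a dropper look-alike with a large high-entropy overlay, and a packed look-alike) rather than real samples; 203.0.113.7 is a documentation address, not anything from the talk.

```python
"""Static PE triage: hashes, compile timestamp, section raw-vs-virtual size, entropy,
overlay detection and hard-coded IPs in the overlay. Added example for this talk, not the
speaker's code. Assumes the PE32 header layout from the PE/COFF spec and stdlib only;
the two input files are constructed below, they are not real samples."""
import hashlib
import json
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

IPV4_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?")   # dotted quad, optional port


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 looks compressed or encrypted."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table, report the signals."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sec_hdr = coff + 20 + opt_size
    sections, pe_end = [], sec_hdr + 40 * nsec
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", blob, sec_hdr + 40 * i)
        raw = blob[rptr:rptr + rsize]
        pe_end = max(pe_end, rptr + rsize)              # PE image ends with the last section's bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize, "entropy": round(entropy(raw), 2),
            # CFF Explorer heuristic from the talk: far more bytes in memory than on disk
            "packed_hint": rsize == 0 or vsize > 4 * rsize,
        })
    overlay = blob[pe_end:]                               # bytes after the PE: the size mismatch
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machine": hex(machine),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "pe_size": pe_end, "file_size": len(blob), "overlay_size": len(overlay),
        "overlay_entropy": round(entropy(overlay), 2),
        "ips_in_overlay": [ip.decode() for ip in IPV4_RE.findall(overlay)],
        "packed_hint": any(s["packed_hint"] for s in sections),
        "sections": sections,
    }


def build_pe(sections, stamp, overlay=b"") -> bytes:
    """Assemble a minimal PE32 from (name, raw_bytes, virtual_size) triples, for the demo only."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic; rest of 224 bytes zero
    body_off = (0x40 + 4 + 20 + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte align
    hdrs, body, off = b"", b"", body_off
    for name, data, vsize in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(data),
                            off if data else 0, 0, 0, 0, 0, 0x60000020)
        body, off = body + data, off + len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(body_off, b"\0") + body + overlay


def noise(n: int, seed: bytes = b"demo") -> bytes:
    """Reproducible high-entropy filler (SHA-256 chain) standing in for a compressed payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


COMPILE_STAMP = 1416614400   # 2014-11-22T00:00:00Z, the date the talk circles in PEview

# Constructed dropper look-alike: small unpacked .text, then a large high-entropy overlay
# carrying a plaintext address (203.0.113.7 is a documentation IP, not a real C2).
DROPPER_DEMO = build_pe(
    [(b".text", b"\x90" * 400 + b"Win Schedule Management Service\0" + b"\x90" * 80, 512)],
    COMPILE_STAMP,
    overlay=noise(4096) + b"http://203.0.113.7:8080/\0" + noise(2048, b"other"),
)
# Constructed packed look-alike: UPX0 occupies 64 KiB in memory but zero bytes on disk.
PACKED_DEMO = build_pe([(b"UPX0", b"", 0x10000), (b"UPX1", noise(2048), 0x1000)], COMPILE_STAMP)

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER_DEMO), ("packed", PACKED_DEMO)):
        print(label, json.dumps(triage(blob), indent=2))
```

Run it and the dropper look-alike reports a compile date of 2014-11-22, a PE size of 1024 bytes against a file size of over 7 KB, an overlay with entropy near 8 and the embedded address; the packed look-alike trips the virtual-versus-raw heuristic on UPX0 with no overlay at all. The `packed_hint` ratio is a rule of thumb, not proof: a high-entropy overlay with an unpacked .text, as the talk found, is exactly the case where a whole-file entropy number alone would mislead.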
Well, yeah. Hmm, I guess... yeah, that's a really good question. I guess, looking for some suspicious behavior, running an intrusion detection system, I would imagine there are rules you can pick that would detect when a single machine is producing that many connections using Windows file sharing and stuff. So I'm kind of surprised it wasn't detected.
Yeah, I think it was brute-forcing passwords too, yeah.
Really? A question? Right, cool. I guess that's all I have for the talk.
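The IDS rule the speaker imagines in the answer above, and the two traffic patterns the Wireshark section describes (one host fanning out to ports 445 and 139 across the network, and igfxtrayex calling each hard-coded address three times on port 8080), can be expressed as simple detections over connection records. The following is an added example for this page, not the speaker's code or any IDS's rule syntax: it assumes a flow log in a constructed "timestamp src dst dport" format, and the records it analyzes are generated by the script itself using documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not addresses from the talk.

```python
"""Detections for the traffic the talk describes: SMB/NetBIOS fan-out from one host
(worm spread) and repeated call-home on 8080. Added example, not the speaker's code;
the flow records are constructed below in an assumed 'ts src dst dport' format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")   # assumed log format: ts src dst dport


def parse_flows(text: str):
    """Parse log lines into (epoch_seconds, src, dst, dport), oldest first."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                                    # skip blank or malformed lines
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((ts.timestamp(), m[2], m[3], int(m[4])))
    return sorted(flows)


def detect_smb_fanout(flows, threshold=20, window_s=60):
    """Flag sources that reach >= threshold distinct hosts on 445/139 within window_s seconds.
    Returns {src: max distinct destinations seen in any window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in (445, 139):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():                 # events are already time-ordered
        window, left = Counter(), 0
        for ts, dst in events:
            window[dst] += 1
            while events[left][0] < ts - window_s:     # slide the left edge forward
                old = events[left][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                left += 1
            if len(window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(window))
    return alerts


def detect_beacons(flows, port=8080, min_hits=3):
    """Flag (src, dst) pairs with repeated attempts on the call-home port."""
    pairs = Counter((src, dst) for _, src, dst, p in flows if p == port)
    return {pair: n for pair, n in pairs.items() if n >= min_hits}


def constructed_log() -> str:
    """Build the demo flow log: one normal host, one worm-like host, and its call-home tries."""
    base = datetime(2014, 11, 24, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(sec, src, dst, port):
        t = base + timedelta(seconds=sec)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {dst} {port}")

    # normal workstation: two file servers over the morning, well under any threshold
    for i, dst in enumerate(["192.0.2.100", "192.0.2.101", "192.0.2.100"]):
        add(i * 600, "192.0.2.5", dst, 445)
    # infected host sweeping the /24, a new target every second on both 445 and 139
    for i in range(40):
        add(i, "192.0.2.10", f"192.0.2.{20 + i}", 445)
        add(i, "192.0.2.10", f"192.0.2.{20 + i}", 139)
    # igfxtrayex-style call-home: three tries per hard-coded address on 8080
    for k in range(3):
        add(100 + k * 30, "192.0.2.10", "203.0.113.7", 8080)
        add(110 + k * 30, "192.0.2.10", "198.51.100.9", 8080)
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_log())
    print("SMB fan-out:", detect_smb_fanout(flows))
    print("8080 beacons:", detect_beacons(flows))
```

The fan-out detector counts distinct destinations rather than raw connections, so a host that hammers one file server does not trip it, while the sweep from 192.0.2.10 is flagged at 40 distinct targets inside a minute; the beacon detector is deliberately crude and would be paired with the hard-coded addresses recovered by strings in practice.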