
[Music] Well, good morning everyone. My name is Kody Winkler. Welcome to my talk; this is "Malware Then, Now, and How." I wish I had come up with a better title, but I was a little inebriated when I first came up with it, and this was the best that I could come up with at the time. So, a little about me: I'm a one-stripe white belt in Brazilian jiu-jitsu. I really love Brazilian jiu-jitsu; it's like the hacking form of martial arts. There's this move called the gogoplata where you can actually choke someone with your ankle. It's super legit. I love playing Diablo 3. I'm an Air Force veteran, and I'm a network engineer at Jack Henry and Associates.

So if you've ever been to an infosec conference before, there's this running joke of Sun Tzu slides, and it's entirely to troll attrition.org; they have some kind of pet peeve with infosec professionals quoting Sun Tzu. So let me read the quote to you: "Appear at points which the enemy must hasten to defend; march swiftly to places where you are not expected." Sun Tzu, The Art of War. I think this quote really holds true for malware analysis and reverse engineering, because when developers are creating applications, eventually, somewhere down the line, there's going to be a reverse engineer or malware analyst that pops out of nowhere and it's just like, "Ha, gotcha." So I thought that this was pretty applicable to the talk.

As a quick overview, we're going to be comparing malware from days of old and current times, looking at growing threat landscapes, why competing with other antivirus vendors and trying to protect end users against malware is still an uphill battle, and we're also going to take a very quick look at some analytical tools.

So back in the days of old you would see infections from malware such as Zeus, which targeted banking credentials, and Conficker. If you've ever seen a tutorial on the Metasploit framework, you're going to know automatically what MS08-067 was; that's exactly how Conficker spread itself, additionally through admin shares and removable media, and as of 2015 it was estimated that there are still roughly 400,000 infections of Conficker. You'd also see some fake antivirus platforms that were actually loaded with malware. The Storm botnet was pretty interesting in and of itself: it would spread itself through email attachments trying to spread fake news about some apocalyptic storm in Europe, so I thought that that was pretty funny. It ended up being estimated at between 1 and 50 million different infections, and the botnet itself was pretty interesting. It would actually counter-DDoS if it detected that it was being analyzed, or if it detected that there was someone trying to mess around with the botnet itself. It also came with a few different encryption keys; the author wanted to sell the platform so that other people could use it, and different keys allowed other people to access different parts of the botnet. It was super interesting because someone actually developed a tool that would collect all of the keys, and eventually that's how the Storm botnet ended up going away. So I thought that was kind of funny.

Then, that being said, we also had, well, possibly the NSA: Stuxnet, Flame, Duqu. This was really the turning point for malware. Back in roughly the 2007 to 2009 time frame we would see infections in really strange places in the Middle East, where at least in the case of Stuxnet it leveraged three different zero-days within the Windows platform. It also emulated real proprietary PLC code, which ended up messing up some nuclear centrifuges in a power plant. Duqu was pretty similar to Stuxnet in the fact that its code was also signed with stolen certificates, so it would actually appear like a legitimate program, and it took a while for analysts to actually catch up with what was going on.

So how about these days? Well, as was discussed in Aaron's talk, IoT is becoming a huge, huge topic, and we'll get into that in a little bit, but we're seeing some Mirai variants ever since the malware author released the source code onto GitHub. Hajime and commie cuba, these are all competing or rival malware families that also infect IoT devices, similar with BASHLITE. We're also seeing a spike in ransomware; I can't remember the quote, but I think I have some statistics on the different infection types that are coming up here shortly.

Interesting note before I get into this: we also have the Shadow Brokers leaks, and shame, shame, NSA, possibly NSA. Interesting note about one of the Shadow Brokers leaks: Microsoft actually released a security bulletin for the EternalBlue exploit before the exploit was publicly leaked, which is quite suspicious. Normally, when public disclosures are made, it happens in relatively the same style: the vendor will usually release a patch or a fix, and then whoever discovered the vulnerability will do a public disclosure afterward, but usually there's a pretty significant time frame between the events. So it was pretty suspicious to see a security bulletin, I believe back in March, and then a couple of weeks later Shadow Brokers leaks with all of these highly sophisticated attack tools.

So how does this keep happening? Back in the day, lots of software pirating led to a lot of infections. Drive-by attacks and browsing habits kind of go hand in hand to an extent, but an end user can usually tell when they're about to be wrecked through bad browsing habits: there will be a pop-up, "1-800, call us and we'll fix your computer if you give us access." Drive-by attacks can be a little more subtle, and I would be surprised if the average user can recognize a drive-by attack, but yes, still, they do go hand in hand to an extent. Removable media is also still prevalent as a major issue for how infections happen, and I think, soapbox time, one of the biggest reasons is people just not using security products or keeping their systems updated. And the NSA and the Russians.

So from back in 2007 there was a large amount of malware that was trojan-based, and it's interesting because there really isn't that much anymore. I mean, yes, it's still really widespread and prevalent, but compared with a decade ago we're not seeing it as much; we're seeing more of a conversion toward the ransomware family, and more for financial crimes. Compared with today, you can see the large, dramatic increase in ransomware and, consequently, a smaller market share of malware that is still trojan-based, but the main two perpetrators are mobile and IoT.

So it was estimated back in 2007 that there were roughly 1.1 billion users on the Internet. This doesn't come from a reputable source, so I can't say for certain if there were that many, but it's estimated from that same source, NetMarketShare.com; they estimate now that there's roughly 3.3 billion users, which is good because we'd like to see more internet access within countries that aren't as well off as we are. Well, with that, though, comes more malware. Another interesting note: currently 7% of the Internet is estimated as still using Windows XP, which would explain why there's a lot of older variants still running around. Interestingly, with the free update to Windows 10, we're still seeing a lot of Windows 7 users, and then you have the Mac OS X and Linux families that have their own different areas of consumption on the Internet.

So I just want to advise anyone, if anyone here works in mobile antivirus or is a developer for mobile antivirus, I just want to give you a forewarning, a trigger warning: you may be slightly peeved by this next slide. There are some quirks with mobile antivirus. I am under the impression that it's, one, not reliable, and you're probably more likely to be infected by downloading mobile antivirus, especially if it's not from a reputable vendor. But there were some trends that have been noticed over the last couple of years. The App Store is actually quite good at tracking third-party applications that are released, and they're usually pretty good at cracking down on them. The Google Play Store, not quite to the extent of the App Store, but Google is getting better about it, and to even really get infected, at least for the likelihood of being infected, you really have to have developer mode enabled on your Android device, and you usually physically have to click on a suspicious APK to actually be infected. I'm not saying that you can't be infected from the Play Store; I'm just saying it's more likely if you set yourself up for that. So it's a really slippery slope. And then with mobile antivirus, it's not truly signature-based; from the applications that I looked through, for the most part they just looked through a given package and grepped through for known strings that were associated with different types of malware. So there's a few projects on GitHub, originally designed for penetration testers, where you can actually run a script and it'll go through your APK, dissect it, change out all the strings that are associated with the MSF payload for Android, and then when you recompile it, for the most part it tends to not be caught by mobile antivirus. Again, it's definitely an industry that needs to be looked at more, especially as users are doing more online banking these days.

So some trends that we've been seeing: typically, some really popular strains of malware are reused over and over again but rehashed with packers and crypters. The difference between packers and crypters: crypters will actually go in and change the different instruction sets for a given application, so it's kind of like a pseudo-encryption; they're a little harder to actually look through than executables that are packed, where packing is more compression-based. Most malware tends to be crap that's just designed to steal account credentials and DDoS, but there are a few variants out there that are quite serious. Especially back in the day with Zeus, there are more and more strains of financial malware that are just wreaking havoc, but ransomware and Internet of Things are still public enemy number one. You can kind of throw mobile in there as well, but ransomware and IoT are pretty prominent these days.

So, speaking of Internet of Things: lots of people talk about IoT. We had a great presentation by Aaron earlier just showing the scope of what's out there, and IoT is not limited to security cameras; as Aaron said, there's watches, there's even refrigerators out there that are internet-enabled, DVRs, and so forth. It's quite astounding, actually: it's estimated that roughly 40% of IoT devices are in businesses in manufacturing, 30% in healthcare facilities, and 8% in retail. As you can see from the notes, we can also count point-of-sale systems. I'm not sure if anyone recalls the Target breach from back in 2014, but there was a vendor for Target that created point-of-sale systems for them, so the vendor is actually the one that got compromised in this, but through them they ended up getting into Target's corporate network, and through that the compromise of roughly 110 million credit card and debit card details. I think the leak was estimated at right around 11 gigabytes, so if you can imagine an 11-gigabyte text file with just credit card information, it's quite astounding.

So how does Internet of Things tie in with malware? Welcome to Mirai. Mirai, I'd like to refer to it as the IoT Death Star. It compromised mostly IP cameras and DVRs, numbering in the hundreds of thousands. It spread itself by scanning for IoT devices with weak access credentials. An interesting note about Mirai was there were hard-coded address ranges within the source code that actually showed that it wouldn't scan internal address ranges; there were a few company address ranges, I think HP was one of them, that they wouldn't scan, the Department of Defense, and for some strange reason the United States Postal Service. I'm not sure why they included that in there, but it was intended to avoid detection. Ironically, it also removes competing malware from compromised devices; I thought that was an interesting note. There are other strains of malware out there that do that, but this one in particular is just kind of funny. Its primary form of attacking was generating GRE traffic, and GRE traffic is usually used for creating end-to-end VPN tunnels or tunnels between network infrastructure, so it was really interesting to see that it was generating GRE traffic for its attack methods, because if you've ever seen firewall rules before, I would be surprised if you were to ever see a firewall rule that restricted GRE traffic.

But on to the exciting stuff. Brian Krebs was the first victim of Mirai, back in September of 2016. His website was hit by a 620 gigabit per second DDoS, and I can't remember which provider he was on, I want to say it was Akamai, but whoever was hosting his website actually dropped him because they were seeing so much traffic coming through their infrastructure; they just didn't want to deal with it. But wait, there's more. Mirai also attacked the French web hosting company called OVH, and this one was pretty incredible: it set a record level for the amount of traffic ever received by a victim for denial-of-service traffic. It reached up to 1.5 terabits per second, and if you've ever seen some Cloudflare presentations, you will know that their engineers get excited whenever it goes over 100 gigabits per second, because usually the interfaces on their devices will either go to 10 gigabits per second or 40 gigabits per second, so whenever it goes over that threshold a lot of people get excited.

You all get a DDoS! So this picture is a little misleading: these websites individually were not directly attacked. They were all hosted by Dyn, which is a global DNS provider, and Dyn was hit really hard, especially on the eastern coast of the United States. This was earlier this year, late last year, but the traffic was substantial, and it ended up affecting several huge websites such as GitHub, Reddit, Airbnb, and Twitter.

But moving forward, how are these malware authors still beating antivirus? I mean, the industry itself has had roughly 20 to 30 years to come up with different methods to track and identify malware, and malware is still a huge problem. To kind of explain how malware authors are able to do this: they employ mechanisms that will either disrupt the analytical process or stop it altogether, and that can be done through detecting debuggers, detecting if it's living in a virtual machine, detecting other processes, so if there's a protocol analyzer, or oftentimes some Sysinternals tools we'll use to help with identifying what malware can actually do. These are all relatively simple to look through, and it's kind of a problem, but on that same note, with the analytical tools and what we understand of malware now, it's getting easier for us to sift through all of these anti-reversing mechanisms. But they also employ, excuse me, some methodologies that I talked about earlier, such as crypters and packers; that's talking about pseudo-encrypting an executable versus compressing an executable. This is kind of why signature-based detection died off a couple of years ago, just because there would be malware strains that would be used over and over again, and they'd be like, "Well, why aren't our signatures picking up on it?" It's because the malware authors were messing around with the instruction set and changing it up so that the signature wouldn't be valid anymore, at least for that next generation of the strain.

They also employ some stealth mechanisms. DLL injection is actually a legitimate technique; a lot of antivirus actually uses DLL injection to insert hooks into other processes so they can look at what's happening in memory. But it's interesting that malware often uses DLL injection, because with that comes risks of privileges and where the malware ends up as far as the flow of execution goes. Another technique that's been employed more recently is the dropping of rogue drivers. There was one sample I recall reading an article on where the malware would actually create a driver, and the driver itself would open up a shadowed file system and drop a rootkit into the shadowed file system, and the antivirus wouldn't be able to see it.

So how can we beat them? Well, we can do this through the analytical process, by rewriting instructions or knocking them out as we're analyzing them at runtime. We can also attempt to reverse the application or attempt to decrypt given samples, but it's typically not as reliable as just analyzing it at runtime. We also trick the sample into running, setting up a lab where you're running two instances of virtual machines; we'll be talking about REMnux here shortly. Getting kind of short on time, so I'm going to blast through these next few slides, but we can also change the registry values of security products. I recall reading an article where an analyst was having trouble analyzing a sample because the sample would actually detect that it was in a virtual machine, so what he ended up doing was changing what VM platform he was using, I think he ended up using QEMU, to start analyzing it further, and these are similar techniques that one could employ. And there's at least one example that I can think of where the malware was actually exploited: WannaCry, from the first rendition of WannaCry. MalwareTech's blog was the original person that kind of started getting the ball rolling on how to defeat WannaCry, and he discovered that there was a mutex created for all of the threads within WannaCry that would actually stop the malware from starting if the mutex wasn't closed.

So there's two main types of malware analysis: there's static and dynamic. Static is where you're opening the instruction set of the executable without actually executing the malware, and this is interesting to do because we can actually see what libraries are being referenced from the malware and get a better understanding of what it can actually do before we actually see what's going on. Dynamic analysis, that's where you end up opening it up in an application like a debugger and seeing what it actually does while it's executing, and you can watch routines happen in real time.

So some useful tools. Quick note about the differences between disassemblers and debuggers: disassemblers will convert machine code to human-readable assembly instructions, and debuggers will, to an extent, do the same thing; it's just that debuggers will allow for modifying an executable during runtime. Some very popular disassemblers: IDA Pro is probably top dog in this industry, and radare2 is, I believe, free. Some debuggers: Immunity Debugger and OllyDbg, these are quite popular, but there are some others such as x64dbg; I think that's a recent one, it's open source, and it has support for 32-bit and 64-bit. Immunity Debugger was originally a spin-off of OllyDbg, and I think OllyDbg is pretty much all but dead now, so I think Immunity Debugger is the way that the industry in that area is starting to go. Dependency Walker is another useful tool; you can see what libraries are actually loaded by an application. Hex editors, and everything in Sysinternals is great and it's free to download from Microsoft. I wish they would actually include it with Windows because it's helpful; Sysinternals is helpful for more than just reverse engineering. If you've ever had an application crash, there's Sysinternals tools that will help you figure out why that crash happened. REMnux is a Linux VM; so Kali Linux for penetration testing, REMnux for reverse engineering. It's quite astounding what's all included in it. And then PEiD, it's a dead project now, but it helps with detecting common packers, common crypters, common compilers.

I'll give you a quick demo here while I still have time. So I was hoping that my tech demo would be awesome, but I'm just going to verify that I can actually use my lab. Oh... and while I'm waiting for my Windows machine to load, I'll give you some intro to REMnux. There's this suite which is called INetSim, and it will simulate common Internet services such as NTP, DNS, HTTP. It's quite useful when you're analyzing different traffic. I'm sorry, I'm not worried about that at the moment. Would you like me to make it full screen? Oh, how long has that been happening? Oh, we got it.

All right, so INetSim will simulate different IP services, or different internet services: DNS, NTP, HTTP, etc. We also use this; I couldn't quite get the DNS functionality to work within INetSim, so we'll just do this. Get Wireshark going, and while we're waiting for that, what we're looking at now is some libraries from the Mirai source code, and within here you can take a look at all of the different attack vectors that are present within Mirai. And over here, this part of the source code was really funny because there was this comment in here: "but bro, what if method is the default value, won't it segfault 'cause read-only string?" Just through reading that you can kind of get an idea of how old the malware author was, and it did turn out he was in his early 20s. Additionally we have the scanner header, or I'm sorry, the scanner portion of Mirai, and we can actually see all of the different credentials that Mirai uses. So while I go over here, am I good on time? OK, no, people are getting hungry; I don't want to dig into anyone's lunch time.

So, OK, I wasn't able to find the original version of WannaCry that had the kill switch within its executable, but I do have this version, and so what we're going to do is take a look at the traffic that it generates after it runs. So we see that there's some different SMB traffic that's coming into play here. I wish you could actually see it. Well, I guess it's gone.

So that kind of concludes my talk. On a final note, though: use antivirus and keep your systems up to date. I mean, it's not that hard to do, and the benefits outweigh the risks. Additionally, egress rules really aren't found throughout many environments, so I would advise, if you're running network infrastructure, if you manage it, consider setting up some egress or outbound rules. Change default login credentials, and pray the NSA keeps their attack tools under control. If you'd like to get more information on reverse engineering and malware analysis, kernelmode.info is a great resource. I've had fantastic times interacting with their users, and they usually are all quite respectful, and I don't think I've ever seen any debauchery on that website. So that being said, I'll take a couple of questions before I turn you over to Beth.

So the question was, what do you recommend for antivirus for non-Windows? Kind of hypocritical of me, because I actually don't use antivirus at all on Linux, so to protect myself I usually set up a number of iptables rules and generally watch my system through htop. That being said, thank you all for your time, and I hope this has been informative. That being said, I'll turn it over to Beth. [Applause] [Music]
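The talk's point that packers and crypters are why byte signatures stopped catching reused strains, and why analysts fall back to looking at the sample at runtime, can be shown in a few lines. The Python below is an added example and is not from the talk or its speaker: the "malware" body, the signature and the key are constructed stand-ins, and SHA-256 in counter mode is used here only as a stand-in for a crypter's keystream. It scans the plain body with a signature, "crypts" it, shows the signature no longer matches, shows the Shannon-entropy heuristic still flags it, and then shows that scanning the body recovered at runtime (what a sandbox or unpacking step gives you) matches again.

```python
"""Signature vs. crypted sample: why static signatures miss rehashed strains,
why an entropy heuristic still flags them, and why runtime recovery helps.
Educational, constructed example; nothing here is a real malware body."""
import hashlib
import math

# Constructed stand-in for a malware body: a low-entropy ASCII blob that
# contains a string a vendor might plausibly have written a signature for.
SAMPLE_PLAIN = (b"POST /gate.php?bot=%s&cmd=%s HTTP/1.1\r\n"
                b"Host: c2.example.invalid\r\n"
                b"User-Agent: constructed-sample\r\n\r\n") * 16

# Constructed signature: a byte pattern lifted from the plain sample.
SIGNATURE = b"/gate.php?bot="

ENTROPY_THRESHOLD = 7.0  # common rule of thumb for packed/encrypted content


def matches_signature(data: bytes, signature: bytes) -> bool:
    """Classic signature scan: does the raw byte pattern occur in the file?"""
    return signature in data


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for a crypter's keystream (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; crypting and decrypting are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verdict(data: bytes, signature: bytes = SIGNATURE) -> str:
    """Layered static check: exact signature first, then the entropy heuristic."""
    if matches_signature(data, signature):
        return "signature match"
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "suspicious: high entropy (possibly packed or crypted)"
    return "no static finding"


def unpack_and_rescan(crypted: bytes, key: bytes, signature: bytes = SIGNATURE) -> bool:
    """What runtime analysis effectively buys you: once the sample has
    decrypted itself in memory, the original signature applies again."""
    return matches_signature(xor_crypt(crypted, key), signature)


if __name__ == "__main__":
    key = b"constructed-crypter-key"
    crypted = xor_crypt(SAMPLE_PLAIN, key)
    print("plain   :", verdict(SAMPLE_PLAIN), f"entropy={shannon_entropy(SAMPLE_PLAIN):.2f}")
    print("crypted :", verdict(crypted), f"entropy={shannon_entropy(crypted):.2f}")
    print("runtime :", unpack_and_rescan(crypted, key))
```

The entropy check is a heuristic, not a detection: legitimately compressed or encrypted files (installers, archives, media) also sit near 8 bits per byte, which is why it is used to decide what to unpack or detonate rather than what to block.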
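The closing advice on egress rules, together with the observation that almost nobody filters GRE, turns into a concrete review you can run over flow records. This Python is an added example, not the speaker's: the flow lines, the address ranges, the known GRE tunnel pair and the allowed outbound port list are all constructed. It parses "src dst proto dport packets" records, keeps only traffic leaving the internal range, and raises an alert for GRE (IP protocol 47) from any host that is not a documented tunnel endpoint and for outbound TCP to ports the policy does not allow (here that includes the telnet ports 23 and 2323 that Mirai's scanner probed, so a compromised internal device scanning outward would show up).

```python
"""Egress review over constructed flow records: flag GRE from hosts that are
not known tunnel endpoints, and outbound TCP outside an allowlist."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int    # IP protocol number: 6 TCP, 17 UDP, 47 GRE
    dport: int    # 0 for protocols without ports
    packets: int


# Constructed flow records in "src dst proto dport packets" form.
SAMPLE_FLOWS = """\
10.0.5.21 203.0.113.9 47 0 18430
10.0.5.40 203.0.113.77 47 0 22011
10.0.5.40 198.51.100.5 47 0 19877
10.0.7.3 198.51.100.20 6 443 120
10.0.7.3 198.51.100.20 6 23 9
10.0.7.3 192.0.2.44 6 2323 7
10.0.9.15 10.0.9.1 17 53 40
"""

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal range

# Constructed policy: only the VPN concentrator (10.0.5.21) may originate GRE,
# and only to its documented peer; outbound TCP is allowed on a short list.
KNOWN_GRE_PEERS = {("10.0.5.21", "203.0.113.9")}
ALLOWED_OUTBOUND_TCP = {80, 443, 22}


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, packets = line.split()
        flows.append(Flow(src, dst, int(proto), int(dport), int(packets)))
    return flows


def is_egress(flow: Flow) -> bool:
    """True when the flow leaves the internal range."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def review_egress(flows: list[Flow]) -> list[str]:
    """Return one alert string per flow that violates the egress policy."""
    alerts = []
    for f in flows:
        if not is_egress(f):
            continue
        if f.proto == 47 and (f.src, f.dst) not in KNOWN_GRE_PEERS:
            alerts.append(f"GRE from non-tunnel host {f.src} -> {f.dst} ({f.packets} pkts)")
        elif f.proto == 6 and f.dport not in ALLOWED_OUTBOUND_TCP:
            alerts.append(f"outbound TCP/{f.dport} from {f.src} -> {f.dst} "
                          f"not permitted by egress policy")
    return alerts


if __name__ == "__main__":
    for alert in review_egress(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run against the constructed records it reports four findings: two GRE flows from 10.0.5.40, which is not the tunnel endpoint, and two outbound telnet-port connections from 10.0.7.3; the legitimate tunnel, the HTTPS session and the internal DNS query are silent. The same two rules are what you would then encode as default-deny outbound firewall policy with explicit exceptions, which is the speaker's closing recommendation.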