defeating antiforensics in contemporary complex threats

39

Upload: alexander-matrosov

Post on 08-Jun-2015

2.625 views

Category:

Technology


2 download

DESCRIPTION

Forensic analysis plays a crucial role in cybercrime group investigation, as it allows investigators to obtain such information as bot configuration data, C&C URLs, payload, stolen data and so on. Some of the modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper will present technical and in-depth analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild: Win64/Olmarik (TDL4) Win64/Olmasco (MaxSS) Win64/Rovnix/Carberp Win64/Sirefef (ZeroAccess) Win32/Hodprot These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors will focus on the details of hidden storage implementation as well as the ways in which it is maintained within the system by various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware in order to conceal the content kept in its hidden storage areas and protect those contents against modification by the system or by security software. Also a detailed description of the hidden file system is presented for each threat considered, as well as a comparison of its features to the other threats analysed here. To conclude, an approach is presented on the retrieval of data from hidden storage. We will discuss the steps that should be taken to defeat self-defence mechanisms, locate hidden storage on the hard drive and read plain data.

TRANSCRIPT

Page 1: Defeating antiforensics in contemporary complex threats
Page 2: Defeating antiforensics in contemporary complex threats
Page 3: Defeating antiforensics in contemporary complex threats
Page 4: Defeating antiforensics in contemporary complex threats
Page 5: Defeating antiforensics in contemporary complex threats

Page 6: Defeating antiforensics in contemporary complex threats
Page 7: Defeating antiforensics in contemporary complex threats

Win32/Hodprot

ErrorControl CoreSettings HashSeed

Loader Code Main Module C&C URLs

One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor.

Relies on system registry to keep its modules and payload HKLM\SOFTWARE\Settings

Page 8: Defeating antiforensics in contemporary complex threats

Win32/Hodprot

ErrorControl CoreSettings HashSeed

Loader Code Main Module C&C URLs

One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor.

Relies on system registry to keep its modules and payload HKLM\SOFTWARE\Settings

Page 9: Defeating antiforensics in contemporary complex threats

Browser Address Space

sfc.sys

Setupapi.dll

Payload

System Registry

User-mode

Kernel-mode

Winlogon Address Space

sfcfiles.dll

UpdatePayload

Inject Payload

Assemble Payload

Inject PayloadAssemble PayloadInstall & Load

Driver

Page 10: Defeating antiforensics in contemporary complex threats

Configuration data are stored in a resource of the Flame main module

Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm

Block BYTE

Data Length Data

1 Byte 4 Byte Data Length Bytes

Block BYTE

Data Length

1 Byte 4 Byte Data Length Bytes

Offset of the block with item data

Offset of the next item

block

Unicode string (name of the item)

Page 11: Defeating antiforensics in contemporary complex threats

Configuration data are stored in a resource of the Flame main module

Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm

Block BYTE

Data Length Data

1 Byte 4 Byte Data Length Bytes

Block BYTE

Data Length

1 Byte 4 Byte Data Length Bytes

Offset of the block with item data

Offset of the next item

block

Unicode string (name of the item)

Page 12: Defeating antiforensics in contemporary complex threats
Page 13: Defeating antiforensics in contemporary complex threats

Malicious kernel-mode driver

Malware payload

File system interface

Physical storage interface

Hard drive

OS file system driver

OS storage device driver stack

Hidden FS area

Applications

kernel-mode address space

user-mode address space

Page 14: Defeating antiforensics in contemporary complex threats

Bootkit hidden storage

Kernel-mode driver

Process1 Process2 Process3 ProcessN

Payload1 Payload2 Payload3 PayloadN

Payload1 Payload2 Payload3 PayloadN

kernel-mode

user-mode

Page 15: Defeating antiforensics in contemporary complex threats
Page 16: Defeating antiforensics in contemporary complex threats

First widely spread bootkit targeting Microsoft Windows x64 platform

Infects MBR of the bootable hard drive to receive control before OS

Abuses Windows PE (Preinstallation Environment) boot mode to disable kernel-mode code signing policy

Keeps payload in the hidden file system

Hijacks pointer to the driver object of the lowest device object in storage device stack

Page 17: Defeating antiforensics in contemporary complex threats

typedef struct _TDL4_FS_ROOT_DIRECTORY

{

// Signature of the block

WORD Signature;

// Set to zero

DWORD Reserved;

// Array of entries corresponding to files in FS

TDL4_FS_FILE_ENTRY FileTable[15];

}TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY;

TDL4 Hidden FS

Growth direction

Disk partitions

One sector

One sector

Variable length Not more than 8 Mb

Infe

cte

d M

BR

typedef struct _TDL4_FS_FILE_ENTRY { // File name - null terminated string char FileName[16]; // Offset from beginning of the file system to file DWORD FileBlockOffset; // Reserved DWORD dwFileSize; // Time and Date of file creation FILETIME CreateTime; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;

Page 18: Defeating antiforensics in contemporary complex threats

TDL4 Volume device object

DriverObject

...Vpb

...

TDL4 Physical device object

DriverObject

...

\Driver\PnpManagerDriver object

TDL4Driver object

Volume parameter block

DeviceObject

RealDevice

\Device\XXXXXXXX Unnamed

XXXXXXXX – random 32-bit hexadecimal integer

Visible to payload Maintained by rootkit

Page 19: Defeating antiforensics in contemporary complex threats

Bootmgr Partition

OS Partition

MBR Code

Partition Table Entry #1

MBR Data

Partition Table Entry #2

Partition Table Entry #3

Partition Table Entry #4

Unpartitioned Space

Bootmgr Partition

OS Partition

MBR Code

Partition Table Entry #1

MBR Data

Partition Table Entry #2

Partition Table Entry #3

Partition Table Entry #4

Olmasco Partition

Empty Partition Entry Active Partition Entry

Before Infecting After Infecting

Existing Partition Entry

Modifies partition table of the bootable hard drive to create malicious partition and mark it active

Employs the same approach for disabling kernel-mode signing policy as TDL4 bootkit

Page 20: Defeating antiforensics in contemporary complex threats

Bootmgr Partition

OS Partition

MBR Code

Partition Table Entry #1

MBR Data

Partition Table Entry #2

Partition Table Entry #3

Partition Table Entry #4

Unpartitioned Space

Bootmgr Partition

OS Partition

MBR Code

Partition Table Entry #1

MBR Data

Partition Table Entry #2

Partition Table Entry #3

Partition Table Entry #4

Olmasco Partition

Empty Partition Entry Active Partition Entry

Before Infecting After Infecting

Existing Partition Entry

Modifies partition table of the bootable hard drive to create malicious partition and mark it active

Employs the same approach for disabling kernel-mode signing policy as TDL4 bootkit

Page 21: Defeating antiforensics in contemporary complex threats

typedef struct _OLMASCO_FS_ROOT_DIRECTORY { // Signature of the block // DC - root directory DWORD Signature; // Set to zero DWORD Reserved1; // Set to zero DWORD Reserved2; // Set to zero DWORD Reserved3; // Size of the file system cluster DWORD ClusterSize; // Size of file table in clusters DWORD SizeOfSysTableInClusters; // Size of file table in bytes DWORD SizeOfSysTableInBytes; // Checksum of file table DWORD SysTableCRC32; // Array of entries corresponding to files in FS OLMASCO_FS_FILE_ENTRY FileTable[]; }OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;

typedef struct _OLMASCO_FS_FILE_ENTRY

{ // File name - null terminated string char FileName[16]; // Offset from beginning of the file system to file DWORD OffsetInClusters; // Size of the file in clusters DWORD SizeInClusters; // Size of the file in bytes DWORD SizeInBytes; // Checksum DWORD Crc32;

}OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY;

Page 22: Defeating antiforensics in contemporary complex threats

Mounts a file containing payload & configuration data as NTFS volume with transparent encryption

Keeps payload & configuration data encrypted in “C:\windows\$NtUninstallKB35373$” directory

VS.

Page 23: Defeating antiforensics in contemporary complex threats

ZeroAccess Volume Device

DriverObject

...

ZeroAccessDriver Object

Hidden Volume Name

File ObjectFile with data

Related Device Object

DriverObject

...

NTFSDriver Object

Page 24: Defeating antiforensics in contemporary complex threats

First known bootkit which infects VBR (Volume Boot Record) with polymorphic malicious bootstrap code

It utilizes debugging facilities of the hardware (debugging registers) to persists among processor execution mode switching and set up hooks

Rovnix bootkit employs modification of FAT16 for hidden partition

Rovnix bootkit was used in Carberp banking trojan

Page 25: Defeating antiforensics in contemporary complex threats

MBR VBR Bootstrap Code File System Data

VBRMalicious

CodeFile System Data

Bootstrap Code

MBR

NTFS bootstrap code(15 sectors)

Before Infecting

After InfectingCompressedData

Hidden Partition

Malicious Unsigned

Driver

Page 26: Defeating antiforensics in contemporary complex threats

Employs advanced bootkit techniques to load unsigned malicious kernel-mode driver on 64-bit version of Windows OS

Combines bootkit techniques present in Olmarik (TDL4) & Rovnix

Bypasses PatchGuard by means of modifying kernel before integrity enforcement service is started

Goblin hidden implements hidden file system in a similar way to Olmarik (TDL4)

Page 27: Defeating antiforensics in contemporary complex threats

functionality Olmarik (TDL4)

Sirefef (ZeroAccess)

Rovnix (Cidox)

Goblin (XPAJ)

Olmasco (MaxSS)

MBR modification

VBR modification

Hidden file system type

Custom NTFS FAT16

modification Custom

(TDL4 based) Custom

encryption algorithm

XOR/RC4 RC4 Custom

(XOR+ROL)

RC6 modification

compression algorithm

aPlib aPlib

Page 28: Defeating antiforensics in contemporary complex threats
Page 29: Defeating antiforensics in contemporary complex threats
Page 30: Defeating antiforensics in contemporary complex threats
Page 31: Defeating antiforensics in contemporary complex threats
Page 32: Defeating antiforensics in contemporary complex threats
Page 33: Defeating antiforensics in contemporary complex threats
Page 34: Defeating antiforensics in contemporary complex threats
Page 35: Defeating antiforensics in contemporary complex threats

eset.com/download/utilities/detail/family/173/

Page 36: Defeating antiforensics in contemporary complex threats
Page 37: Defeating antiforensics in contemporary complex threats
Page 38: Defeating antiforensics in contemporary complex threats
Page 39: Defeating antiforensics in contemporary complex threats

Aleksandr Matrosov [email protected] @matrosov

Eugene Rodionov [email protected] @vxradius