malware armor blackhat presentation 2015_08_15

Malware Armor Blackhat Tyler Halfpop, Fidelis Cybersecurity

Upload: tyler-halfpop

Post on 18-Aug-2015

TRANSCRIPT

Page 1: Malware Armor Blackhat Presentation 2015_08_15

Malware Armor
Blackhat

Tyler Halfpop, Fidelis Cybersecurity

Page 2: $ whoami

• Threat Researcher for Fidelis CyberSecurity
• Working on doctorate in computer science
• SANS Lethal Forensicator
• Certifications – CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop

Page 3: What is Malware Armor?

Malware protections designed to:

1. Make malware more difficult to detect
2. Make malware more difficult to analyze and understand what it is doing.

Page 4: Malware Analysis

1. Dynamic Analysis – safely watch what it does
2. Static Analysis – what can we learn about it without running it

Page 5: Malware Armor in the Wild

(Branco, Barbosa, & Neto 2012)

Page 6: Types of Malware Armor

(Branco, Barbosa, & Neto 2012)

Page 7: Anti-Virtualization

• Detecting virtualization artifacts or using anti-VM instructions (Red pill, no pill, etc.)

• Becoming less common because of the increased usage of virtualization

Page 8: Emotet Anti-Virtualization Example - Kaspersky

The sample compares hashed process names against these constants (Shulmin, 2015):

0xBCF398B5 = vboxservice.exe
0x2C967737 = vmacthlp.exe
0xE3EBFE44 = vmtoolsd.exe
0x61F15513 = vboxtray.exe

- If a VM process is detected, the malware contacts fake C2 servers to confuse analysts. (Shulmin, 2015)

Page 9: Anti-Debugging

- Detect when under the control of a debugger, or mess with debuggers
- Tons of techniques, but a few are most common
- The “Ultimate” Anti-Debugging Reference by Peter Ferrie (2011) details many of the techniques in a 147-page PDF

Page 10: Anti-Debugging Windows API

IsDebuggerPresent() – returns nonzero if the current process is running in a debugger

There are other APIs as well to look out for

Decompiled:

Page 11: Manually Checking Process Environment Block (PEB)

IsDebuggerPresent() only reads the BeingDebugged byte of the PEB, so malware can skip the API (and any hook on it) and read the byte itself:

    typedef struct _PEB {
        BYTE  Reserved1[2];
        BYTE  BeingDebugged;      /* offset 2: nonzero while a debugger is attached */
        BYTE  Reserved2[1];
        PVOID Reserved3[2];
        PPEB_LDR_DATA Ldr;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        BYTE  Reserved4[104];
        PVOID Reserved5[52];
        PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
        BYTE  Reserved6[128];
        PVOID Reserved7[1];
        ULONG SessionId;
    } PEB, *PPEB;

    mov   eax, dword ptr fs:[30h]   ; fs:[30h] holds the PEB pointer in a 32-bit process
    movzx ebx, byte ptr [eax+2]     ; PEB.BeingDebugged (byte load zero-extended into ebx;
                                    ; the cited listing's plain mov does not assemble)
    test  ebx, ebx
    jz    NoDebuggerDetected
    (Sikorski & Honig, 2012)

Page 12: Timing Checks

time.debug > time.run: single-stepping or hitting breakpoints makes a stretch of code take far longer than it would at native speed, so the malware measures itself.

    rdtsc                     ; ticks since reboot stored in edx:eax
    xor  ecx, ecx
    add  ecx, eax             ; keep the low 32 bits of the first reading
    rdtsc
    sub  eax, ecx             ; elapsed ticks between the two readings
    cmp  eax, 0xFFF
    jb   NoDebuggerDetected   ; small delta: ran at native speed
    rdtsc                     ; large delta: "return" to a tick count used as an address,
    push eax                  ; which crashes the process under the debugger
    ret
    (Sikorski & Honig, 2012)

Windows API GetTickCount() can be used in a similar fashion
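The checks on slides 8 through 12 leave byte-level traces in a sample: the Emotet hash constants, the imported API names, the `mov eax, fs:[30h]` PEB read and the back-to-back `rdtsc` pair. The following static triage scanner is an added example (not code from the talk or from Kaspersky's analysis) that looks for exactly those traces in a raw file image. The sample buffer, the 32-byte window for pairing `rdtsc` instructions and the `movzx`/`xor`/`add` filler bytes are constructed here for the demonstration.

```python
"""Static triage for the armor indicators on slides 8-12 (added example)."""
import re
import struct

# Emotet's hashed VM-process names from slide 8 (Shulmin, 2015).
EMOTET_VM_HASHES = {
    0xBCF398B5: "vboxservice.exe",
    0x2C967737: "vmacthlp.exe",
    0xE3EBFE44: "vmtoolsd.exe",
    0x61F15513: "vboxtray.exe",
}

# Import names that slides 10 and 12 call out.
ANTI_DEBUG_APIS = [b"IsDebuggerPresent", b"GetTickCount"]

# x86 encodings: `mov eax, dword ptr fs:[30h]` and `rdtsc`.
PEB_READ = b"\x64\xa1\x30\x00\x00\x00"
RDTSC = b"\x0f\x31"
# Two rdtsc within this many bytes looks like the slide-12 timing check;
# a lone 0F 31 is too short to mean anything on its own. (Constructed threshold.)
RDTSC_PAIR_WINDOW = 32


def find_all(buf: bytes, pat: bytes) -> list[int]:
    """Offsets of every non-overlapping occurrence of pat in buf."""
    return [m.start() for m in re.finditer(re.escape(pat), buf)]


def scan_armor_indicators(buf: bytes) -> dict:
    """Return the offsets at which each indicator category fires."""
    hits = {"vm_hashes": [], "anti_debug_apis": [], "peb_read": [], "rdtsc_pairs": []}
    for value, name in EMOTET_VM_HASHES.items():
        # Constants are stored little-endian as immediates or data.
        for off in find_all(buf, struct.pack("<I", value)):
            hits["vm_hashes"].append((off, name))
    for api in ANTI_DEBUG_APIS:
        for off in find_all(buf, api):
            hits["anti_debug_apis"].append((off, api.decode()))
    hits["peb_read"] = find_all(buf, PEB_READ)
    offs = find_all(buf, RDTSC)
    hits["rdtsc_pairs"] = [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= RDTSC_PAIR_WINDOW]
    return hits


def summarize(hits: dict) -> list[str]:
    """Names of the indicator categories that fired, for a one-line triage verdict."""
    return [name for name, found in hits.items() if found]


# Constructed sample: padding, one Emotet constant, an import name, the PEB read
# followed by `movzx ebx, byte ptr [eax+2]`, and the rdtsc / xor ecx,ecx /
# add ecx,eax / rdtsc prologue of the timing check. Not a real binary.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<I", 0xBCF398B5)
    + b"\x00" * 8
    + b"IsDebuggerPresent\x00"
    + PEB_READ + b"\x0f\xb6\x58\x02"
    + RDTSC + b"\x33\xc9\x03\xc8" + RDTSC
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = scan_armor_indicators(SAMPLE)
    for category, offsets in found.items():
        print(f"{category:16s} {offsets}")
    print("verdict:", ", ".join(summarize(found)) or "no armor indicators")
```

The scanner is a triage aid, not a verdict: legitimate software also imports IsDebuggerPresent and reads the PEB, so the value is in seeing several categories fire together and in the offsets, which give an analyst a place to start in the disassembler.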

Page 13: Anti-Disassembly

• Techniques to make disassemblers mess up
• Disassemblers must make assumptions on how to display code
• There is no alignment and instructions have a variable length of bytes

Page 14: Two Types of Disassemblers

• Linear (objdump)
  • Disassembles code straight through from the beginning to the end
• Recursive Traversal (IDA)
  • Intelligently goes over and follows the code, discovering what should be disassembled
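To make the difference between the two strategies concrete, here is an added example (not code from the talk or from any disassembler) that implements both over a five-instruction x86 subset: `nop`, `ret`, `jmp rel8`, `call rel32` and `mov al, imm8`. The constructed byte string jumps over a single junk byte (the `call` opcode); a linear sweep decodes the junk byte and swallows the four real instructions behind it as the call's displacement, while recursive traversal follows the jump and never decodes the junk byte at all. The opcode table and the sample bytes are the only inputs, and both are constructed here.

```python
"""Linear sweep vs. recursive traversal on a tiny x86 subset (added example)."""
import struct

# opcode -> (mnemonic, total instruction length in bytes); real x86 encodings
OPCODES = {
    0x90: ("nop", 1),
    0xC3: ("ret", 1),
    0xEB: ("jmp", 2),      # jmp rel8
    0xE8: ("call", 5),     # call rel32
    0xB0: ("mov al,", 2),  # mov al, imm8
}


def decode_at(code: bytes, off: int):
    """Decode one instruction. Returns (text, length, branch_target|None) or None."""
    if off >= len(code) or code[off] not in OPCODES:
        return None
    name, length = OPCODES[code[off]]
    if off + length > len(code):
        return None  # instruction runs past the end of the buffer
    target = None
    if name == "jmp":
        rel = struct.unpack("<b", code[off + 1:off + 2])[0]
        target = off + length + rel
        name = f"jmp {target:#x}"
    elif name == "call":
        rel = struct.unpack("<i", code[off + 1:off + 5])[0]
        target = off + length + rel
        name = f"call {target:#x}"
    elif name == "mov al,":
        name = f"mov al, {code[off + 1]:#x}"
    return name, length, target


def linear_sweep(code: bytes) -> list[tuple[int, str]]:
    """objdump style: decode from the first byte to the last, never following branches."""
    listing, off = [], 0
    while off < len(code):
        ins = decode_at(code, off)
        if ins is None:
            listing.append((off, "db ?"))  # unknown byte: treat as data and move on
            off += 1
            continue
        listing.append((off, ins[0]))
        off += ins[1]
    return listing


def recursive_traversal(code: bytes, entry: int = 0) -> list[tuple[int, str]]:
    """IDA style: decode only bytes reachable from entry by following control flow."""
    listing, seen, work = {}, set(), [entry]
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in seen:
            seen.add(off)
            ins = decode_at(code, off)
            if ins is None:
                listing[off] = "db ?"
                break
            name, length, target = ins
            listing[off] = name
            if name.startswith("jmp"):
                off = target          # unconditional: only the target is code
                continue
            if target is not None:
                work.append(target)   # call: both target and fall-through are code
            if name == "ret":
                break                 # nothing falls through a return
            off += length
    return sorted(listing.items())


# Constructed sample: jmp +1 over a junk 0xE8 byte, then four nops and a ret.
SAMPLE = bytes([0xEB, 0x01, 0xE8, 0x90, 0x90, 0x90, 0x90, 0xC3])

if __name__ == "__main__":
    for title, fn in (("linear sweep", linear_sweep), ("recursive traversal", recursive_traversal)):
        print(title)
        for off, text in fn(SAMPLE):
            print(f"  {off:04x}: {text}")
```

Run it and the linear listing shows three instructions (`jmp`, a bogus `call` to a far-away address, `ret`) while the recursive listing shows the real six. Recursive traversal has its own blind spots, such as targets computed at runtime, which is why analysts end up marking code and data by hand in either tool.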

Page 15: Shiva Anti-RE

(Eagle, 2011)

Page 16: Shiva Anti-RE

(Eagle, 2011)

Page 17: Shiva Anti-RE

(Eagle, 2011)

Page 18: Obfuscation

• Obscuring programs to make them more difficult to analyze
• Simple substitutions (Caesar, XOR, Base64)
• Real cryptography
• Custom encoding
• Insert junk code

Page 19: XOR Loop Strings

(Lipovsky & Cherepanov, 2015)

Page 20: Packers

• Used to shrink malware
• Make detection more difficult
• Make analysis more difficult
• Often combine multiple armoring techniques

Page 21: Packers

(Branco, Barbosa, & Neto 2012)

Page 22

Page 23: Top Packers

(Branco, Barbosa, & Neto 2012)

Page 24: UPX

Page 25: UPX Unpacked
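A packed file such as the UPX sample on slides 24 and 25 gives itself away before any unpacking: its section names are the packer's, and the compressed payload section has near-random byte statistics. The following added example (not code from the talk or from the UPX project) parses the PE section table with only the standard library, computes the Shannon entropy of each section's raw data, and flags files by either signal. The PE image it inspects is built by `build_sample_pe()`, a constructed header-plus-sections blob with no optional header and no real code; the entropy threshold of 7.0 bits per byte and the UPX0/UPX1/UPX2 name list are assumptions stated in the code.

```python
"""Packer triage by section names and entropy (added example)."""
import math
import random
import struct

KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # assumption: names UPX emits by default
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size, raw_data) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first_hdr = coff + 20 + opt_size
    for i in range(nsections):
        off = first_hdr + i * 40
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size, image[raw_ptr:raw_ptr + raw_size]


def packer_report(image: bytes) -> dict:
    sections = [(name.decode("latin-1"), round(shannon_entropy(data), 2))
                for name, _ptr, _size, data in pe_sections(image)]
    names = {n.encode("latin-1") for n, _ in sections}
    high = [n for n, e in sections if e >= HIGH_ENTROPY]
    return {
        "sections": sections,
        "known_packer_sections": sorted(n.decode() for n in names & KNOWN_PACKER_SECTIONS),
        "high_entropy_sections": high,
        "likely_packed": bool(names & KNOWN_PACKER_SECTIONS) or bool(high),
    }


def build_sample_pe(packed: bool = True) -> bytes:
    """Constructed PE-shaped blob: DOS header, PE signature, COFF header with no
    optional header, one 40-byte header per section, then the section data."""
    rng = random.Random(2015)
    text = b"This is a low-entropy string table. " * 16
    if packed:   # UPX layout: empty UPX0, random-looking UPX1, small resource section
        sections = [(b"UPX0", b""),
                    (b"UPX1", bytes(rng.randrange(256) for _ in range(4096))),
                    (b".rsrc", text)]
    else:
        sections = [(b".text", b"\x90" * 512 + text), (b".rdata", text)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = 0x40 + 4 + 20 + 40 * len(sections)
    headers, body = b"", b""
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0xE0000020)
        ptr += len(data)
        body += data
    return dos + b"PE\0\0" + coff + headers + body


if __name__ == "__main__":
    for label, packed in (("packed", True), ("unpacked", False)):
        print(label, packer_report(build_sample_pe(packed)))
```

Entropy catches packers that rename their sections, and names catch packers whose stub sections stay small; neither alone is reliable, which is why both feed the verdict. The same parser runs unchanged on a real file read with `open(path, "rb").read()`.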

Page 26: Conclusion

• Modern malware is often armored and protected with anti-VM, anti-debugging, anti-disassembly, obfuscation, and packers.

• Malware still needs to execute its business, so there is usually a way for skilled analysts to make it reveal its secrets in order to create indicators and better understand attacks

• Malware also still needs to communicate on the network, where we can pick that up

Page 27: References

Branco, R. R., Barbosa, G. N., & Neto, P. D. (2012). Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies. Black Hat USA.

Eagle, C. (2011). The IDA Pro book: The unofficial guide to the world's most popular disassembler. San Francisco: No Starch Press.

Ferrie, P. (2011). The ultimate anti-debugging reference.

Hale Ligh, M., Case, A., Levy, J., & Walters, A. (2014). Art of memory forensics: Detecting malware and threats in Windows, Linux, and Mac memory.

Lipovsky, R., & Cherepanov, A. (2015). Operation Potao Express. Retrieved from http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf

Sikorski, M., & Honig, A. (2012). Practical malware analysis: The hands-on guide to dissecting malicious software. San Francisco: No Starch Press.

Shulmin, A. (2015, April 9). The banking Trojan Emotet: Detailed analysis. Retrieved June 7, 2015, from https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/

Page 28

QUESTIONS?
THANK YOU!

[email protected]

@tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com