New advances in MS Office malware analysis
Frank Boldewin, Hack.Lu 2009
Agenda
- Introduction to MS Office exploitation
- Some MS Office exploits since 2006
- Short introduction to the OLESS format
- Example of a malicious MS Office document structure
- Typical MS Office shellcode behavior
- Status quo of MS Office document analysis
- Introduction to OfficeMalScanner
Introduction to MS Office exploitation
- MS Office has been commonly exploited since 2006.
- Existing exploits in the wild target, without exception, the older OLESS file format.
- Currently no known bugs in the newer XML-based MS Office format.
Some MS Office exploits since 2006
- CVE-2006-0009 PowerPoint MS06-012 (March 2006)
- CVE-2006-0022 PowerPoint MS06-028 (June 2006)
- CVE-2006-2492 Word MS06-027 (June 2006)
- CVE-2006-3434 PowerPoint MS06-062 (October 2006)
- CVE-2006-3590 PowerPoint MS06-048 (August 2006)
- CVE-2006-4534 Word MS06-060 (October 2006)
- CVE-2006-4694 PowerPoint MS06-058 (October 2006)
- CVE-2006-5994 Word MS07-014 (February 2007)
- CVE-2006-6456 Word MS07-014 (February 2007)
- CVE-2007-0515 Word MS07-014 (February 2007)
- CVE-2007-0671 Excel MS07-015 (February 2007)
- CVE-2007-0870 Word MS07-024 (May 2007)
- CVE-2008-0081 Excel MS08-014 (March 2008)
- CVE-2008-4841 Word MS09-010 (April 2009)
- CVE-2009-0238 Excel MS09-009 (April 2009)
- CVE-2009-0556 PowerPoint MS09-017 (May 2009)
Short introduction to the OLESS format
(Diagram: OLESS header, FAT file system, sector numbers, OLESS directory entries)
Data is divided into directories (storages) and files (streams).
Short introduction to the OLESS format
Depending on the application, streams may contain:
- Macros
- Graphics
- Tables
- Sounds
- Animations
- ...
Short introduction to the OLESS format
Parsing can be done using the Win32 COM API:
- StgOpenStorage()
- IStorage methods
- IStream methods
Example of a malicious MS Office document structure
(Diagram, top to bottom:)
- OLESS header
- Records
- Shellcode
- Executable (often encrypted)
- Harmless document (e.g. as embedded OLE)
- Summary information
Typical MS Office shellcode behavior
When a bug in an MS Office application gets triggered...
- Shellcode executes
- Finds itself by enumerating open file handles and checking file sizes
- SetFilePointer to the encrypted PE file(s), decrypt, drop and execute
- Drop the harmless embedded MS Office document and start to look innocent
Status quo of MS Office document analysis
- Not much public information about MS Office malware analysis available
- Microsoft Office Binary File Format Specification (since Feb. 2008)
- Bruce Dang's talk "Methods for Understanding Targeted Attacks with Office Documents"
Available tools for MS Office analysis
- DFView (old-school Microsoft OLE structure viewer)
- Officecat (signature-based CLI utility)
- FlexHex Editor (OLE compound viewer)
- OffVis (Office binary file format visualization tool)
OffVis in action
Introduction to the "OfficeMalScanner" suite
OfficeMalScanner features
OfficeMalScanner is a forensic tool for analysts to find malicious traces in MS Office documents.
Features:
- SCAN
- BRUTE
- DEBUG
- INFO
- INFLATE
SCAN mode (Shellcode scanner)
GetEIP (4 methods):
1. CALL NEXT
   NEXT: POP reg
2. JMP [0xEB] 1ST
   2ND: POP reg
   1ST: CALL 2ND
3. JMP [0xE9] 1ST
   2ND: POP reg
   1ST: CALL 2ND
4. FLDZ
   FSTENV [esp-0ch]
   POP reg
SCAN mode (Shellcode scanner)
Find Kernel32 base (3 methods):
1. MOV reg, DWORD PTR FS:[30h]
2. XOR reg_a, reg_a
   MOV reg_a(low-byte), 30h
   MOV reg_b, FS:[reg_a]
3. PUSH 30h
   POP reg_a
   MOV reg_b, FS:[reg_a]
Find structured exception handling:
   MOV reg, DWORD PTR FS:[00h]
SCAN mode (Shellcode scanner)
API hashing:
   LOOP: LODSB
         TEST al, al
         JZ short OK
         ROR EDI, 0Dh (or 07h)
         ADD EDI, EAX
         JMP short LOOP
   OK:   CMP EDI, ...
Indirect function call:
   PUSH DWORD PTR [EBP+val]
   CALL [EBP+val]
SCAN mode (Shellcode scanner)
Suspicious strings:
- UrlDownloadToFile
- GetTempPath
- GetWindowsDirectory
- GetSystemDirectory
- WinExec
- ShellExecute
- IsBadReadPtr
- IsBadWritePtr
- CreateFile
- CloseHandle
- ReadFile
- WriteFile
- SetFilePointer
- VirtualAlloc
- GetProcAddr
- LoadLibrary
SCAN mode (Shellcode scanner)
Easy decryption trick:
   LODS(x)
   XOR or ADD or SUB or ROL or ROR
   STOS(x)
Embedded OLE data (unencrypted):
   Signature: \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
   Gets dumped to disk
SCAN mode (Shellcode scanner)
Function prolog:
   PUSH EBP
   MOV EBP, ESP
   SUB ESP, <value> or ADD ESP, <value>
PE-file signature (unencrypted):
   Offset 0x0 == MZ
   Offset 0x3c == e_lfanew
   Offset e_lfanew == PE
   Found PE files are dumped to disk
SCAN mode in action
BRUTE mode
- Easy XOR + ADD 0x00 – 0xff buffer decryption
- After decryption: embedded OLE check, PE-file signature check
- Found files get dumped to disk
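The BRUTE mode procedure above, as an added Python example that is not OfficeMalScanner's code: every single-byte XOR and ADD key from 0x00 to 0xFF is applied to the whole buffer and each result is checked for the OLE header and the MZ/e_lfanew/PE signature from the SCAN slides. The encrypted sample buffer is constructed for the example.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

def pe_offsets(buf):
    """Offsets where MZ, e_lfanew at +0x3C and "PE\\0\\0" at +e_lfanew line up (SCAN slide check)."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def brute(buf):
    """Try XOR and ADD with every single-byte key; return (method, key, kind, offset) hits.
    bytes.translate() with a 256-entry table applies one key to the whole buffer at once."""
    hits = []
    for key in range(256):
        tables = [("XOR", bytes(b ^ key for b in range(256)))]
        if key:                                   # ADD 0 is the same transform as XOR 0
            tables.append(("ADD", bytes((b + key) & 0xFF for b in range(256))))
        for method, table in tables:
            dec = buf.translate(table)
            hits += [(method, key, "PE", off) for off in pe_offsets(dec)]
            off = dec.find(OLE_MAGIC)
            while off != -1:
                hits.append((method, key, "OLE", off))
                off = dec.find(OLE_MAGIC, off + 1)
    return hits

def build_sample():
    """Constructed buffer: a stub PE encrypted with XOR 0x7A and an OLE header stored with
    0x13 subtracted from each byte (so ADD 0x13 recovers it), separated by zero filler."""
    pe = bytearray(b"MZ" + b"\0" * 0x3E) + b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)        # e_lfanew points at the "PE\0\0" that follows
    enc_pe = bytes(b ^ 0x7A for b in pe)
    enc_ole = bytes((b - 0x13) & 0xFF for b in OLE_MAGIC + b"\0" * 8)
    filler = b"\0" * 32
    return filler + enc_pe + filler + enc_ole + filler
```

Only single-byte keys are covered, as on the slide; a multi-byte or rolling key needs a different approach.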
DEBUG mode
The DEBUG mode displays:
- Disassembly for detected code
- Hex data for detected strings and PE files
Malicious index rating
The malicious index rating can be used as a threshold for automated analysis. Every suspicious trace increases the malicious index counter depending on its hazard potential.
Index scoring:
- Executables: 20
- Code: 10
- Strings: 2
- OLE: 1
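The SCAN mode idioms on the preceding slides and the index weights above, as an added Python example that is not OfficeMalScanner's code: the opcode regexes are this example's own 32-bit x86 encodings of a subset of the listed idioms (GetEIP, PEB and SEH access via FS, the API-hash loop, the function prolog, the LODS/op/STOS decryption loop), the suspicious-string and signature checks follow the slides, the scoring weights are the slide's, and the sample buffer is constructed.

```python
import re
import struct
# Added example approximating the SCAN mode idioms (32-bit x86 encodings chosen here; not OfficeMalScanner's own).
POP_REG = rb"[\x58-\x5F]"                                              # POP eax..edi
FS_MOV = rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])"       # MOV reg, DWORD PTR FS:[disp32]
CODE_PATTERNS = {
    "GetEIP: CALL next / POP reg": rb"\xE8\x00\x00\x00\x00" + POP_REG,
    "GetEIP: FLDZ / FSTENV [esp-0Ch] / POP reg": rb"\xD9\xEE\xD9\x74\x24\xF4" + POP_REG,
    "Kernel32 base: MOV reg, FS:[30h]": FS_MOV + rb"\x30\x00\x00\x00",
    "Kernel32 base: PUSH 30h / POP reg / MOV reg, FS:[reg]": rb"\x6A\x30" + POP_REG + rb"\x64\x8B[\x00-\x3F]",
    "SEH: MOV reg, FS:[00h]": FS_MOV + rb"\x00\x00\x00\x00",
    "API hashing loop (ROR 0Dh/07h)": rb"\xAC\x84\xC0\x74.\xC1\xCF[\x0D\x07](?:\x01\xC7|\x03\xF8)\xEB.",
    "Function prolog": rb"\x55(?:\x8B\xEC|\x89\xE5)(?:\x83[\xEC\xC4].|\x81[\xEC\xC4]....)",
    "Decryption loop: LODSB / XOR,ADD,SUB,ROL,ROR al / STOSB": rb"\xAC(?:[\x34\x04\x2C].|\xC0[\xC0\xC8].)\xAA",
}
SUSPICIOUS_STRINGS = [b"UrlDownloadToFile", b"GetTempPath", b"GetWindowsDirectory", b"GetSystemDirectory",
                      b"WinExec", b"ShellExecute", b"IsBadReadPtr", b"IsBadWritePtr", b"CreateFile", b"CloseHandle",
                      b"ReadFile", b"WriteFile", b"SetFilePointer", b"VirtualAlloc", b"GetProcAddr", b"LoadLibrary"]
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SCORE = {"exe": 20, "code": 10, "string": 2, "ole": 1}                 # index weights from the slide

def is_pe_at(buf, off):
    """PE check from the slide: MZ at off, e_lfanew at off+0x3C, "PE\\0\\0" at off+e_lfanew."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def scan(buf):
    """Return (findings sorted by offset, malicious index) for a raw document buffer."""
    findings, index = [], 0
    for name, pat in CODE_PATTERNS.items():
        for m in re.finditer(pat, buf, re.DOTALL):                     # DOTALL: '.' must match 0x0A too
            findings.append((name, m.start())); index += SCORE["code"]
    for s in SUSPICIOUS_STRINGS:
        for m in re.finditer(re.escape(s), buf):
            findings.append(("string " + s.decode(), m.start())); index += SCORE["string"]
    for m in re.finditer(re.escape(OLE_MAGIC), buf):
        findings.append(("embedded OLE header", m.start())); index += SCORE["ole"]
    for m in re.finditer(b"MZ", buf):
        if is_pe_at(buf, m.start()):
            findings.append(("PE file", m.start())); index += SCORE["exe"]
    return sorted(findings, key=lambda f: f[1]), index

def build_sample():
    """Constructed buffer (not real malware): filler, an idiom stub, one API name, an OLE header, a stub PE."""
    stub = (b"\xE8\x00\x00\x00\x00\x5B"                          # CALL next / POP ebx
            b"\x64\xA1\x30\x00\x00\x00"                          # MOV eax, FS:[30h]
            b"\xAC\x84\xC0\x74\x08\xC1\xCF\x0D\x01\xC7\xEB\xF4"  # LODSB/TEST/JZ/ROR 0Dh/ADD/JMP hash loop
            b"\xAC\x34\x5A\xAA")                                 # LODSB / XOR al, 5Ah / STOSB
    pe = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # e_lfanew = 0x40, where "PE\0\0" follows
    pe += b"PE\0\0"
    return b"A" * 64 + stub + b"\0" * 16 + b"WinExec\0" + OLE_MAGIC + b"\0" * 16 + bytes(pe)
```

The sample scores 4 code idioms (40) + 1 string (2) + 1 OLE header (1) + 1 PE file (20) = 63, which is where a threshold for automated triage would be compared.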
INFO mode
The INFO mode dumps OLE structures, offsets and lengths and saves found VB macro code to disk.
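The storage/stream layout from the OLESS slides and the structures, offsets and lengths the INFO mode dumps, as an added Python example that is not OfficeMalScanner's code: a minimal parser that follows header, DIFAT, FAT and directory entries of a version 3 compound file, plus a constructed sample document built with the same constants. It reads regular sectors only and ignores the mini stream that real files use for streams below the 4096-byte cutoff; the field names are this example's own.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}

def parse_oless(data):
    """Walk header -> DIFAT -> FAT -> directory sectors; return (entries, read_stream).
    Regular sectors only: the mini stream used for small streams in real files is ignored."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLESS/compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]      # sector shift, 9 -> 512 bytes
    first_dir = struct.unpack_from("<I", data, 48)[0]              # first directory sector
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76):       # DIFAT array inside the header
        if fat_sector == FREESECT:
            break
        fat += struct.unpack_from("<%dI" % (sector_size // 4), data, (fat_sector + 1) * sector_size)
    def sector(n):                                                 # sector 0 starts right after the header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]
    def chain(start):
        while start < len(fat):                                    # ENDOFCHAIN/FREESECT stop the walk
            yield start
            start = fat[start]
    entries = []
    for dir_sector in chain(first_dir):
        sec = sector(dir_sector)
        for off in range(0, sector_size, 128):                     # 128-byte directory entries
            name_len, typ = struct.unpack_from("<HB", sec, off + 64)
            if typ == 0:
                continue                                           # unused entry
            name = sec[off:off + name_len].decode("utf-16-le").rstrip("\0")
            start, size = struct.unpack_from("<IQ", sec, off + 116)
            entries.append({"name": name, "type": ENTRY_TYPES.get(typ, typ), "start": start,
                            "size": size, "dir_offset": (dir_sector + 1) * sector_size + off})
    def read_stream(entry):
        return b"".join(sector(s) for s in chain(entry["start"]))[:entry["size"]]
    return entries, read_stream

def _entry(name, typ, left=FREESECT, right=FREESECT, child=FREESECT, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\0\0"                       # name is UTF-16LE, NUL-terminated
    return struct.pack("<64sHBBIII", raw, len(raw), typ, 1, left, right, child) + b"\0" * 36 + struct.pack("<IQ", start, size)

def build_sample_doc():
    """Constructed v3 compound file: FAT in sector 0, directory in sector 1, a 4600-byte
    'WordDocument' stream in sectors 2-10 and an empty 'Macros' storage."""
    text = b"harmless document text " * 200                        # 4600 bytes, above the 4096 mini cutoff
    header = struct.pack("<8s16sHHHHH6xIIIIIIIII", OLE_MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<I", 0) + b"\xFF" * 432                 # DIFAT: the single FAT sector is sector 0
    fat = struct.pack("<11I", FATSECT, ENDOFCHAIN, *range(3, 11), ENDOFCHAIN).ljust(512, b"\xFF")
    directory = (_entry("Root Entry", 5, child=1) + _entry("Macros", 1, right=2)
                 + _entry("WordDocument", 2, start=2, size=len(text))).ljust(512, b"\0")
    return header + fat + directory + text.ljust(9 * 512, b"\0")
```

A macro stream found this way is what INFO mode would save to disk; the entry's "dir_offset" is where the 128-byte directory record sits in the file.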
INFLATE mode
- Decompresses MS Office 2007 documents into a temp dir and marks potentially malicious files.
- Documents with macros included (docm, pptm and xlsm) contain .bin files, usually vbaproject.bin (old MS Office format).
- Such files could host malicious macro code and can be extracted using the OfficeMalScanner INFO mode.
INFLATE mode – Usage STEP 1
INFLATE mode – Usage STEP 2
MalHost-Setup: a shellcode runtime environment
MalHost-Setup – Typical shellcode requirements illustrated
MalHost-Setup – Finding the shellcode start with DisView
MalHost-Setup – Help screen
MalHost-Setup – Configuration (unattended mode)
MalHost-Setup – Configuration (debug mode)
MalHost-Setup – Debugging
OfficeMalScanner suite download
http://www.reconstructer.org/code/OfficeMalScanner.zip
Questions?
Thanks for brainstorming and beta-testing fly to:
Elia Florio, Bruce Dang, Michael Hale Ligh, Carsten Willems