© 2007 McAfee, Inc.
Patching. Is it always with the best intentions?
Alex Hinchliffe, Virus researcher, McAfee Avert Labs
2
12/10/2007
Agenda
• Development
• Good Intentions
• Bad Intentions
• Conclusions
• Remedial
• The future
• Questions
Development
• Boot and Partition sectors
• Companion
• Startup batch and ini files; StartUp folder
• Execution precedence
• Registry
— Reg run keys
— Win32 services
— BHOs
— AppInit_DLLs
— Winlogon shell
— Image File Execution Options
• Autorun INF files
• Patching
Definitions
Patch (computer) noun.
A small piece of software that can be added to an existing application in order to make it work properly.
http://en.wikipedia.org/wiki/Patch_(computing)
Good intentions
• Software updates
• Microsoft Windows Update
• Patch Tuesday
• Exploit Wednesday
• 3rd party updates
— WindizUpdate
— AutoPatcher
• 3rd party patches
— eEye
— Determina
Good intentions
• Windows Automatic Updates
• Automated levels
• Silent installs
Thursday 13th September: http://windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-users-consent
Bad intentions
• 4 examples
• Intentions
— Data stealing
— Destructive
• Targets
— Popular applications / libraries
— Runners
• Techniques
— 2 types of import patches
— 1 EP patch
— 1 export patch
Bad intentions cont … case study 1
• PWS-Goldun
• Late 2006 / early 2007
• 1 variant
• Patches iexplore.exe
• Modifies imports
Bad intentions cont … PWS-Goldun
Preamble:
• Check infection marker
• Terminate all IE instances
• Read iexplore.exe
• Write msvcrl.dll
• Write c:\123.cmd
• Exec c:\123.cmd
Patching / Overwriting:
• Write _iexplore.exe
Loading:
• TerminateProcess()
PWS-Goldun – iexplore.exe patching
• Bound import RVA nulled
• Bound import size nulled
• All references to msvcrt.dll replaced with msvcrl.dll
• Why msvcrt.dll?
PWS-Goldun – msvcrl.dll payload
• NSPack packed
• Load msvcrt.dll library
— _except_handler3
• GetModuleHandle: wininet.dll
— InternetReadFile, HTTPSendRequestA, HTTPOpenRequestA, InternetConnectA
• GetModuleHandle: dnsapi.dll
— DNSQuery_W
— helpershosting.com
• Several threads requesting remote PHP scripts
PWS-Goldun – summary
• Mission
• Glorified downloader
• No registry modification
• No WFP watching
Bad intentions cont … case study 2
• W32/Alvabrig
• Early 2007
• 3 variants
• Drops WFP-killing component
• Patches wininet.dll
• Patches ws2_32.dll
Bad intentions cont … W32/Alvabrig
Preamble:
• Mutex “MAU”
• WinExec()
• Write My.log
• Read newwin.tmp
• Copy DLLs -> tmp
• Read newws.tmp
• Move DLLs -> %Sys%
• Move self -> null
• Sleep(24 hours)
• ExitWindows()
Patching / Overwriting:
• Copy DLLs -> dllcache
Loading:
• TerminateProcess()
W32/Alvabrig – WFP payload
• My.log
• FSG 1.33 packed
• Enumerates processes for “winlogon.exe”
• OpenProcess (DUP_HANDLE)
• Loops DuplicateHandle (DUPLICATE_SAME_ACCESS)
— String match for “WIN{NT,DOWS}\SYSTEM32”
• CloseHandle (local)
• DuplicateHandle (DUPLICATE_CLOSE_SOURCE)
W32/Alvabrig – wininet.dll patching
• Increases size of code
• Increases phys size of 1st section
• Increases phys offset of remaining sections
• Writes encrypted (^ 0x37A7B517) data & code into new space
• Loop export table matching function names with “Inte”
— And (function names + 0xD) with “ctA0”
• InternetConnectA() function hijacked to call malcode
W32/Alvabrig – wininet.dll patching cont… FASM test app, patched InternetConnectA()
W32/Alvabrig – wininet.dll patching cont…
Kaspersky, McAfee, Symantec, Sophos, Trend, CA, Microsoft, F-Secure, ESET
W32/Alvabrig – ws2_32.dll patching
• Increases size of code
• Increases phys size of 1st section
• Increases phys offset of remaining sections
• Write code into new space
• Loop export table matching function names with “conn”
— And (function names + 0x4) with “ect”
• connect() function hijacked to call malcode
W32/Alvabrig – ws2_32.dll payload
FASM test app, patched connect()
• EDX points to the address of a hard-coded IP address
• D8 8F 46 4B = 216.143.70.75
• Returns -1 (fail) if matched
W32/Alvabrig – ws2_32.dll payload cont…
WHOIS
OrgName: Broadwing Communications Services Inc.
OrgID: BWNG
NetName: BROADWING-NET
NameServer: NS3.BROADWING.NET
NameServer: NS4.BROADWING.NET
CustName: McAfee
216.143.70.75 [pla-update.nai.com]
Address: 5000 Headquarters Dr
City: Plano
StateProv: TX
PostalCode: 75024
Country: US
W32/Alvabrig – summary
• Mission
• Glorified hosts infector or DNS changer
• Indirect registry modification
Bad intentions cont … case study 3
• W32/Crimea
• July 2007
• 1 variant
• Kills WFP via SFC mechanism
• Patches imm32.dll
Bad intentions cont … W32/Crimea
Preamble:
• Write a.bat
• Write msvcrtdm.dll
• Read imm32.dll
• Move DLL -> %Sys%
Patching / Overwriting / Loading:
• TerminateProcess()
• Disable WFP
• Terminate browsers
Bad intentions cont … imm32.dll patching
• Increases image size
• Increases number of sections
• Nulls bound import RVA
• Nulls bound import size
• Adds section “.rdata”
Bad intentions cont … msvcrtdm.dll payload
• Browser termination ensures loading
• Waits until…
• http://realcrimea.info
W32/Crimea – summary
• Mission
• Glorified, cross-browser BHO
• No registry modification
Conclusions
• Why Patch?
— Hook into system
— Hard for repair
— Avoids registry
• What to Patch?
— System libraries
— Popular applications
— High probability of execution
• When to Patch?
— WFP isn’t looking
— Closing applications
• How to Patch?
— Existing code sections
— Imports / Exports
Why cont…?
Remedial – problems
• Repairing files
— In use
— Protected
— Deleting now-critical components
• System integrity
— After patching
— After AV repair of patching
Remedial – solutions
• Interrogation of clean files
• Integrity checking
• Monitoring the patchers
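As an added example, not from the presentation, here is the kind of "interrogation of clean files" / integrity check a defender can run for the header-level changes the three case studies describe: it parses the PE headers of a suspect system file, diffs them against a known-clean copy, and flags a nulled bound-import directory (PWS-Goldun, W32/Crimea), a grown first section with later sections pushed back in the file (W32/Alvabrig), and appended sections (W32/Crimea). The sample images are constructed header-only PE32 stubs, and the PWS-Goldun import-name rewrite (msvcrt.dll to msvcrl.dll) is outside what this check covers.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Read what the audit needs from a PE32 image: bound-import directory and section table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header follows the 20-byte COFF header
    bound = struct.unpack_from("<II", data, opt + 96 + 11 * 8)   # DataDirectory[11]: bound imports (RVA, size)
    sects = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + i * 40)
        sects.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))  # name, VirtualSize, VA, raw size, raw ptr
    return bound, sects

def audit(suspect, reference):
    """Diff a suspect copy of a system file against a known-clean copy; returns a list of findings."""
    s_bound, s_sects = parse_pe(suspect)
    r_bound, r_sects = parse_pe(reference)
    findings = []
    if r_bound != (0, 0) and s_bound == (0, 0):
        findings.append("bound import directory nulled")
    if len(s_sects) > len(r_sects):
        findings.append("sections added: " + ", ".join(s[0] for s in s_sects[len(r_sects):]))
    for (name, _, _, raw, ptr), (_, _, _, r_raw, r_ptr) in zip(s_sects, r_sects):
        if raw > r_raw:
            findings.append(f"{name} raw size grew by {raw - r_raw:#x}")
        if ptr != r_ptr:
            findings.append(f"{name} raw offset moved {r_ptr:#x} -> {ptr:#x}")
    return findings

def build_pe(sections, bound=(0x3000, 0x40)):
    """Constructed minimal PE32 (headers only, no code) standing in for a real system DLL."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 11 * 8, *bound)
    hdrs = b"".join(struct.pack(SECTION_FMT, *s, 0, 0, 0, 0, 0x60000020) for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

CLEAN_SECTS = [(b".text", 0xF00, 0x1000, 0x1000, 0x400), (b".data", 0x200, 0x2000, 0x200, 0x1400)]
CLEAN = build_pe(CLEAN_SECTS)
GROWN = build_pe([(b".text", 0xF00, 0x1000, 0x1200, 0x400), (b".data", 0x200, 0x2000, 0x200, 0x1600)])  # Alvabrig-style
ADDED = build_pe(CLEAN_SECTS + [(b".rdata", 0x200, 0x3000, 0x200, 0x1600)], bound=(0, 0))  # Crimea-style
```

`audit(GROWN, CLEAN)` reports the grown .text section and the shifted .data offset; `audit(ADDED, CLEAN)` reports the nulled bound-import directory and the appended .rdata section.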
The future
• More patching malware
• Greater sophistication
• Vista and WRP
• Vienna in 2010?