In a twisted sort of way, today’s threats are kind of thrilling. Hacker movies of yesterday have nothing on the reality of today.When I first learned how buffer overflows worked I was amazed. But reflective memory attacks go way beyond “simple” buffer overflows. Reflective memory attacks allows the bad guy to silently load large programs and execute them inside an already running process, using it’s memory, resources and authority. These attacks bypass common security technologies like AV and application whitelisting because they don’t drop any file onto the file system. They basically just allocate some memory, write the malicious code into it and then (usually) spin up a thread executing that code. That’s actually not a very unusual sequence of operations so it’s really hard to detect. In this presentation, we will do a deep dive exclusively into reflective memory attacks. You will learn: • How reflect memory attacks work • Why they’re called reflective • Why traditional security technologies don’t catch them • Methods for detecting them • Crippling performance problems caused by some detection methods • Tradeoff between detection and performance Joining me will be Dan Teal who invented CoreTrace (acquired by Lumension) Bouncer technology. Dan will shed light on this advanced topic and then briefly show how Lumension Endpoint Security Suite incorporates Bouncer technology to detect reflective memory attacks without hurting performance.

1. Reflective Memory Attacks Deep Dive:
How They Work;
Why They’re Hard to Detect
© 2013 Monterey Technology Group Inc.

2. Brought to you by
Speaker
 Dan Teal, Senior Architect
www.lumension.com

3. Preview of Key Points
© 2013 Monterey Technology Group Inc.
How did we get to where we are today with
reflective memory attacks?
How does reflective memory injection work?
Why doesn’t AV or application whitelisting
detect it?
What does a process look like that has been
injected this way?
How can it be detected via security software?

4. How did we get to where we are today with
reflective memory attacks?
© 2013 Monterey Technology Group Inc.
Simple
scripts
Buffer
overflows
with file
drops
Reflective
memory
injection

5. How does reflective
memory injection work?
© 2013 Monterey Technology Group Inc.
Relocatable code DLLs Threads
Memory
management
• Stack
• Heap
• Addresses/pointers
Function calls

6. How does reflective
memory injection work?
© 2013 Monterey Technology Group Inc.
Malformed
content sent to
PC
Buffer overflow
Shell code
activates
Downloads larger
malware from
Internet
Writes malware
directly to heap
memory
• No file access
Dynamically links
references to
function calls
Flags memory as
executable
Spins up a thread
to run the
malware

7. How does reflective
memory injection work?
© 2013 Monterey Technology Group Inc.
 More details
 Write the library into the address space of the target process
 Pass execution to the Reflective Loader
 Determines its location in memory for parsing its own headers
 Parse kernel32.dll export table to calculate addresses of
 GetProcAddress and VirtualAlloc
 Allocate a contiguous block of memory for loading its image
 Load in its headers and sections
 Process its import table, loading additional libraries as needed
and
 resolving imported function addresses
 Process its relocation table
 Call its entry point function, DLLMain

8. In a way, Microsoft makes
it easy
© 2013 Monterey Technology Group Inc.
• NtQueryVirtualMemory()
• VirtualAllocEx()
• NtReadVirtualMemory / NtWriteVirtualMemory
• NtCreateThread()
A process can access and manipulate
the address space of another process
• When functions are used within the kernel, even
DRM protected processes can be accessed
• This is why ProcessHacker has the option to install
KProcessHacker
Ease of access is related to how
Windows processes are created

9. Why doesn’t AV or
application whitelisting detect it?
© 2013 Monterey Technology Group Inc.
 Nothing dropped onto the file system
 Does not use LoadLibrary()
Will not show up in list of loaded modules for a process
 RMI places libraries into processes that are already
authorized and running
DEP, ASLR, and other technologies great but not enough
 Blacklisting involves collecting a list of bad threat
signatures and preventing those apps from running
Reactive: Always a step behind the latest threats
 Traditional signature based anti-virus is not enough

10. What does a process look like
that has been injected this way?
© 2013 Monterey Technology Group Inc.
“At a process level the only indicators that the library
exists is that there will be a chunk of allocated
memory present, via VirtualAlloc, where the loaded
library resides. This memory will be marked as
readable, writable and executable. There will also be
a thread of execution which will be, periodically at
least, executing code from this memory chunk.”
Stephen Fewer
Harmony Security
http://www.harmonysecurity.com/files/HS-
P005_ReflectiveDllInjection.pdf

11. How can it be detected
via security software?
© 2013 Monterey Technology Group Inc.
Synchronously
Rock solid but prohibitively expense performance-
wise
Asynchronously
Stack walking
• Performance prohibitive
Correlate processes with legitimate code
• Catches the attack without impacting performance

12. How can it be detected
via security software?
© 2013 Monterey Technology Group Inc.
Synchronously
Sequence of events
• Allocate memory via VirtualAllocEx
• Copy in the library
• Link it in
• Start a thread.
Windows kernel only gives a few options for
registering for callbacks.
Security software used to be able to hook the kernel
to monitor VirtualAllocEx, but that is no longer an
option on x64 with PatchGuard.
We can register to be notified when a thread is
started but not when memory is allocated

13. How can it be detected
via security software?
© 2013 Monterey Technology Group Inc.
Asynchronously
Stack walking
• Periodically analyze the call stack ofevery running
thread to ensure
• that the instruction pointer in every stack frame points
to legitimate
• code
• Pros: works very well if implemented correctly and can
also detect types of buffer overflows
• Cons: performance impact

14. How can it be detected
via security software?
© 2013 Monterey Technology Group Inc.
Asynchronously
Legitimate code correlation
• Continually track every process from the kernel and
correlate with legitimate code
• Threads, memory regions, loaded module list (can be
manipulated)
• Whitelisting provides great support for this – control
loading of kernel modules
• Pros: Low performance impact
• Cons: Limited to detecting library injection

15. Let’s see detection in action…
© 2013 Monterey Technology Group Inc.

16. Brought to you by
Speaker
• Dan Teal, Senior Architect
www.lumension.com

17. More Information
• Free Security Scanner Tools
» Vulnerability Scanner – discover all OS and
application vulnerabilities on your network
» Application Scanner – discover all the apps
being used in your network
» Device Scanner – discover all the devices
being used in your network
http://www.lumension.com/special-
offer/premium-security-tools.aspx
• Lumension® Endpoint Management
and Security Suite
» Online Demo Video:
http://www.lumension.com/Resources/Demo-
Center/Vulnerability-Management.aspx
» Free Trial (virtual or download):
http://www.lumension.com/endpoint-
management-security-suite/free-trial.aspx
• Get a Quote (and more)
http://www.lumension.com/endpoint-
management-security-suite/buy-now.aspx#2
17

18. Q&A

19. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com