SlideShare uma empresa Scribd logo

Win32/Flamer: Reverse Engineering and Framework Reconstruction

Alex Matrosov
Alex Matrosov

In this talk one wouldn’t see any speculations on state-sponsored cyber-espionage and сonspirology theories on cyber weapon development. In the presentation authors will concentrate on different approaches to analysis of the malware based on object oriented architecture with respect to one of the most complex threat ever known while AV industry exists: Win32/Flamer. The authors will present methods of analysis of the malware developed in the course of research of such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems the researchers face during investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the result of research on reconstructing framework which was used to construct Win32/Flamer and will show its similarity with Stuxnet/Duqu/Gauss with respect to code and architecture.

Educação
1 de 60
Baixar para ler offline
Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
Outline of The Presentation  Typical malware vs. Stuxnet/Flame  What the difference?  Flamer code reconstruction problems  C++ code reconstruction  Library code identification  Flamer framework overview  Object oriented code reconstruction  Relationship Stuxnet/Duqu/Flamer
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?
What’s the Difference?  Typical malware  Stuxnet/Flame …  Different motivation, budget …  Different motivation, budget …  Use 1-days for distribution  Use 0-days for distribution  Anti-stealth for bypassing all sec  Anti-stealth for bypassing AV soft  Stealth timing: months  Stealth timing: years  Developed in C or C++ in C style  Tons of C++ code with OOP  Simple architecture for plugins  Industrial OO framework platform  Traditional ways for obfuscation:  Other ways of code obfuscation:  packers  tons of embedded static code  polymorphic code  specific compilers/options  vm-based protection  object oriented wrappers for typical OS utilities  …
Stuxnet/Duqu/Flamer/Gauss Appearance
Code Complexity Growth Gauss miniFlamer Stuxnet Duqu Flamer
Code Complexity Growth
C++ Code REconstruction Problems
C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
C++ Code Reconstruction Problems
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Objects Constructors
Identify Objects Constructors
Library code identification problems
Library Code Identification Problems  Compiler optimization  Wrappers for WinAPI calls  Embedded library code  Library version identification problem  IDA signatures used syntax based detection methods  Recompiled libraries problem  Compiler optimization problem
Library Code Identification Problems
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
Flamer Framework Overview
An overview of the Flamer Framework The main types used in Flamer Framework are:  Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers  Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer  Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.)  Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
Some of Flamer Framework Components Identifying processes in the systems corresponding to Security security software: antiviruses, HIPS, firewalls, system information utilities and etc. Microbe Leverages voice recording capabilities of the system Idler Running tasks in the background BeetleJuice Utilizes bluetooth facilities of the system Telemetry Logging of all the events Gator Communicating with C&C servers
Flamer SQL Lite Database Schema
Flamer SQL Lite Database Schema
REconstructing Flamer Framework
Data Types Being Used  Smart pointers  Strings  Vectors to maintain the objects  Custom data types: wrappers, tasks, triggers and etc.
Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements };  Used to handle the objects:  tasks  triggers  etc.
Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
Reconstructing Object’s Attributes
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
Reconstructing Object’s Methods
Reconstructing Object’s Methods
DEMO
Relationship Stuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092 (Task Scheduler) MS11-087 (Win32k.sys)
Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
Exploit Implementations: Gauss  The payload is injected into processes from user-mode module
Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov

Recomendados

09 iec t1_s1_oo_ps_session_13
09 iec t1_s1_oo_ps_session_1309 iec t1_s1_oo_ps_session_13
09 iec t1_s1_oo_ps_session_13Niit Care
 
04 iec t1_s1_oo_ps_session_05
04 iec t1_s1_oo_ps_session_0504 iec t1_s1_oo_ps_session_05
04 iec t1_s1_oo_ps_session_05Niit Care
 
05 iec t1_s1_oo_ps_session_07
05 iec t1_s1_oo_ps_session_0705 iec t1_s1_oo_ps_session_07
05 iec t1_s1_oo_ps_session_07Niit Care
 
06 iec t1_s1_oo_ps_session_08
06 iec t1_s1_oo_ps_session_0806 iec t1_s1_oo_ps_session_08
06 iec t1_s1_oo_ps_session_08Niit Care
 
11 iec t1_s1_oo_ps_session_16
11 iec t1_s1_oo_ps_session_1611 iec t1_s1_oo_ps_session_16
11 iec t1_s1_oo_ps_session_16Niit Care
 
12 iec t1_s1_oo_ps_session_17
12 iec t1_s1_oo_ps_session_1712 iec t1_s1_oo_ps_session_17
12 iec t1_s1_oo_ps_session_17Niit Care
 
08 iec t1_s1_oo_ps_session_11
08 iec t1_s1_oo_ps_session_1108 iec t1_s1_oo_ps_session_11
08 iec t1_s1_oo_ps_session_11Niit Care
 
07 iec t1_s1_oo_ps_session_10
07 iec t1_s1_oo_ps_session_1007 iec t1_s1_oo_ps_session_10
07 iec t1_s1_oo_ps_session_10Niit Care
 

Recomendados

09 iec t1_s1_oo_ps_session_13
09 iec t1_s1_oo_ps_session_1309 iec t1_s1_oo_ps_session_13
09 iec t1_s1_oo_ps_session_13Niit Care
 
04 iec t1_s1_oo_ps_session_05
04 iec t1_s1_oo_ps_session_0504 iec t1_s1_oo_ps_session_05
04 iec t1_s1_oo_ps_session_05Niit Care
 
05 iec t1_s1_oo_ps_session_07
05 iec t1_s1_oo_ps_session_0705 iec t1_s1_oo_ps_session_07
05 iec t1_s1_oo_ps_session_07Niit Care
 
06 iec t1_s1_oo_ps_session_08
06 iec t1_s1_oo_ps_session_0806 iec t1_s1_oo_ps_session_08
06 iec t1_s1_oo_ps_session_08Niit Care
 
11 iec t1_s1_oo_ps_session_16
11 iec t1_s1_oo_ps_session_1611 iec t1_s1_oo_ps_session_16
11 iec t1_s1_oo_ps_session_16Niit Care
 
12 iec t1_s1_oo_ps_session_17
12 iec t1_s1_oo_ps_session_1712 iec t1_s1_oo_ps_session_17
12 iec t1_s1_oo_ps_session_17Niit Care
 
08 iec t1_s1_oo_ps_session_11
08 iec t1_s1_oo_ps_session_1108 iec t1_s1_oo_ps_session_11
08 iec t1_s1_oo_ps_session_11Niit Care
 
07 iec t1_s1_oo_ps_session_10
07 iec t1_s1_oo_ps_session_1007 iec t1_s1_oo_ps_session_10
07 iec t1_s1_oo_ps_session_10Niit Care
 
13 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_1913 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_19Niit Care
 
10 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_1410 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_14Niit Care
 
01 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_0101 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_01Niit Care
 
.Net platform an understanding
.Net platform an understanding.Net platform an understanding
.Net platform an understandingBinu Bhasuran
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
Csharp
CsharpCsharp
CsharpSwaraj Kumar
 
01 gui 01
01 gui 0101 gui 01
01 gui 01Niit Care
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#Mohammad Faizan
 
Synapse india reviews sharing asp.net
Synapse india reviews sharing asp.netSynapse india reviews sharing asp.net
Synapse india reviews sharing asp.netSynapseindiaComplaints
 
Java session02
Java session02Java session02
Java session02Niit Care
 
Session2 (3)
Session2 (3)Session2 (3)
Session2 (3)DrUjwala1
 
Basics of building a blackfin application
Basics of building a blackfin applicationBasics of building a blackfin application
Basics of building a blackfin applicationPantech ProLabs India Pvt Ltd
 
Virus&malware
Virus&malwareVirus&malware
Virus&malwareRobin Garza
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
From app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok guptaFrom app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok guptaowaspindia
 
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetAleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetDefconRussia
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Symantec Italia
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesCharles Nutter
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 

Mais conteúdo relacionado

Mais procurados

13 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_1913 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_19Niit Care
 
10 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_1410 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_14Niit Care
 
01 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_0101 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_01Niit Care
 
.Net platform an understanding
.Net platform an understanding.Net platform an understanding
.Net platform an understandingBinu Bhasuran
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
Java session02
Java session02Java session02
Java session02Niit Care
 
Session2 (3)
Session2 (3)Session2 (3)
Session2 (3)DrUjwala1
 

Mais procurados (12)

13 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_1913 iec t1_s1_oo_ps_session_19
13 iec t1_s1_oo_ps_session_19
 
10 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_1410 iec t1_s1_oo_ps_session_14
10 iec t1_s1_oo_ps_session_14
 
01 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_0101 iec t1_s1_oo_ps_session_01
01 iec t1_s1_oo_ps_session_01
 
.Net platform an understanding
.Net platform an understanding.Net platform an understanding
.Net platform an understanding
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
Csharp
CsharpCsharp
Csharp
 
01 gui 01
01 gui 0101 gui 01
01 gui 01
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
 
Synapse india reviews sharing asp.net
Synapse india reviews sharing asp.netSynapse india reviews sharing asp.net
Synapse india reviews sharing asp.net
 
Java session02
Java session02Java session02
Java session02
 
Session2 (3)
Session2 (3)Session2 (3)
Session2 (3)
 
Basics of building a blackfin application
Basics of building a blackfin applicationBasics of building a blackfin application
Basics of building a blackfin application
 

Destaque

Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
From app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok guptaFrom app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok guptaowaspindia
 
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetAleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetDefconRussia
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesCharles Nutter
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
Corporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligenceCorporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligenceMartin Brunet
 
Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio kennywhite
 
10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More ProfitWhatRunsWhere
 
Human as a virus
Human as a virusHuman as a virus
Human as a virusYaniv sela
 

Destaque (20)

Virus&malware
Virus&malwareVirus&malware
Virus&malware
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
From app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok guptaFrom app sec to malsec malware hooked, criminal crooked alok gupta
From app sec to malsec malware hooked, criminal crooked alok gupta
 
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of StuxnetAleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
 
Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?Duqu: il nuovo Stuxnet?
Duqu: il nuovo Stuxnet?
 
JavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for DummiesJavaOne 2011 - JVM Bytecode for Dummies
JavaOne 2011 - JVM Bytecode for Dummies
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
Corporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligenceCorporate espionage versus competitive intelligence
Corporate espionage versus competitive intelligence
 
Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio Cinema Volano - Programma Dicembre-Febbraio
Cinema Volano - Programma Dicembre-Febbraio
 
10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit10 Spying Strategies To Generate More Profit
10 Spying Strategies To Generate More Profit
 
Human as a virus
Human as a virusHuman as a virus
Human as a virus
 

Semelhante a Win32/Flamer: Reverse Engineering and Framework Reconstruction

.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETLicensingLive! - SafeNet
 
Win rt fundamentals
Win rt fundamentalsWin rt fundamentals
Win rt fundamentalsKevin Stumpf
 
Inside .net framework
Inside .net frameworkInside .net framework
Inside .net frameworkFaisal Aziz
 
jhkghj
jhkghjjhkghj
jhkghjAdmin
 
test2PPT
test2PPTtest2PPT
test2PPTAdmin
 
Implementation
ImplementationImplementation
Implementationhcicourse
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET PlatformPeter R. Egli
 

Semelhante a Win32/Flamer: Reverse Engineering and Framework Reconstruction (20)

Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
 
Android cameraoverview
Android cameraoverviewAndroid cameraoverview
Android cameraoverview
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
C# tutorial
C# tutorialC# tutorial
C# tutorial
 
Understand study
Understand studyUnderstand study
Understand study
 
Presentation On Com Dcom
Presentation On Com DcomPresentation On Com Dcom
Presentation On Com Dcom
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Asp dot net
Asp dot netAsp dot net
Asp dot net
 
Win rt fundamentals
Win rt fundamentalsWin rt fundamentals
Win rt fundamentals
 
.Net Session Overview
.Net Session Overview.Net Session Overview
.Net Session Overview
 
Inside .net framework
Inside .net frameworkInside .net framework
Inside .net framework
 
jhkghj
jhkghjjhkghj
jhkghj
 
Asp net
Asp netAsp net
Asp net
 
test2PPT
test2PPTtest2PPT
test2PPT
 
Implementation
ImplementationImplementation
Implementation
 
CFInterop
CFInteropCFInterop
CFInterop
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET Platform
 
.Net + novas tecnologias + win8
.Net + novas tecnologias + win8.Net + novas tecnologias + win8
.Net + novas tecnologias + win8
 

Mais de Alex Matrosov

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesAlex Matrosov
 

Mais de Alex Matrosov (10)

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and Issues
 
Stuxnet msu
Stuxnet msuStuxnet msu
Stuxnet msu
 
RusCrypto'2009
RusCrypto'2009RusCrypto'2009
RusCrypto'2009
 

Último

Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 

Último (20)

Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 

Win32/Flamer: Reverse Engineering and Framework Reconstruction

  • 1. Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Typical malware vs. Stuxnet/Flame  What the difference?  Flamer code reconstruction problems  C++ code reconstruction  Library code identification  Flamer framework overview  Object oriented code reconstruction  Relationship Stuxnet/Duqu/Flamer
  • 3. Typical Malware vs. Stuxnet/Flamer
  • 5. What’s the Difference?  Typical malware  Stuxnet/Flame …  Different motivation, budget …  Different motivation, budget …  Use 1-days for distribution  Use 0-days for distribution  Anti-stealth for bypassing all sec  Anti-stealth for bypassing AV soft  Stealth timing: months  Stealth timing: years  Developed in C or C++ in C style  Tons of C++ code with OOP  Simple architecture for plugins  Industrial OO framework platform  Traditional ways for obfuscation:  Other ways of code obfuscation:  packers  tons of embedded static code  polymorphic code  specific compilers/options  vm-based protection  object oriented wrappers for typical OS utilities  …
  • 7. Code Complexity Growth Gauss miniFlamer Stuxnet Duqu Flamer
  • 10. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction  Identify constructors/destructors  Identify class members  Local/global type reconstruction  Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  • 11. C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
  • 14. Identify Exact Virtual Function Call in vtable
  • 15. Identify Exact Virtual Function Call in vtable
  • 16. Identify Exact Virtual Function Call in vtable
  • 17. Identify Custom Type Operations
  • 21. Library Code Identification Problems  Compiler optimization  Wrappers for WinAPI calls  Embedded library code  Library version identification problem  IDA signatures used syntax based detection methods  Recompiled libraries problem  Compiler optimization problem
  • 23. Object Oriented API Wrappers and Implicit Calls
  • 24. Object Oriented API Wrappers and Implicit Calls
  • 25. Object Oriented API Wrappers and Implicit Calls
  • 26. Festi: OOP in kernel-mode
  • 27. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 28. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 29. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  • 30. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  • 31. Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  • 33. An overview of the Flamer Framework The main types used in Flamer Framework are:  Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers  Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer  Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.)  Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
  • 34. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
  • 35. Some of Flamer Framework Components Identifying processes in the systems corresponding to Security security software: antiviruses, HIPS, firewalls, system information utilities and etc. Microbe Leverages voice recording capabilities of the system Idler Running tasks in the background BeetleJuice Utilizes bluetooth facilities of the system Telemetry Logging of all the events Gator Communicating with C&C servers
  • 36. Flamer SQL Lite Database Schema
  • 37. Flamer SQL Lite Database Schema
  • 39. Data Types Being Used  Smart pointers  Strings  Vectors to maintain the objects  Custom data types: wrappers, tasks, triggers and etc.
  • 40. Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
  • 41. Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
  • 42. Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements };  Used to handle the objects:  tasks  triggers  etc.
  • 43. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 44. Using Hex-Rays Decompiler  Identifying constructors/destructors  Usually follow memory allocation  The pointer to object is passed in ecx (sometimes in other registers)  Reconstructing object’s attributes  Creating custom type in “Local Types” for an object  Analyzing object’s methods  Creating custom type in “Local Types” for a table of virtual routines
  • 50. DEMO
  • 52. Source Code Base Differences
  • 53. Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092 (Task Scheduler) MS11-087 (Win32k.sys)
  • 54. Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  • 55. Exploit Implementations: Stuxnet & Duqu  The payload is injected into processes from both kernel- mode driver & user-mode module  Hooks:  ZwMapViewOfSection  ZwCreateSection  ZwOpenFile  ZwClose  ZwQueryAttributesFile  ZwQuerySection  Executes LoadLibraryW passing as a parameter either:  KERNEL32.DLL.ASLR.XXXXXXXX  SHELL32.DLL.ASLR.XXXXXXXX
  • 56. Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
  • 57. Injection mechanism: Flame  The payload is injected into processes from user-mode module  The injection technique is based on using:  VirtualAllocEx  WriteProcessMemoryReadProcessMemory  CreateRemoteThreadRtlCreateUserThread  The injected module is disguised as shell32.dll  Hooks the entry point of msvcrt.dll by modifying PEB
  • 58. Exploit Implementations: Gauss  The payload is injected into processes from user-mode module
  • 59.
  • 60. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov