SlideShare uma empresa Scribd logo
1 de 46
Baixar para ler offline
www.SecurityXploded.com
Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS" without
any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are
solely of the trainer’s only and nothing to do with the company or the organization in which
the trainer is currently working.

However in no circumstances neither the trainer nor SecurityXploded is responsible for any
damage or loss caused due to use or misuse of the information presented here.




                                        www.SecurityXploded.com
Acknowledgement
 Special thanks to null & Garage4Hackers community for their extended support and
  cooperation.


 Special thanks to ThoughtWorks for the beautiful and bigger venue.


 Thanks to all the trainers who have devoted their precious time and countless hours to make it
  happen.




                                         www.SecurityXploded.com
Reversing & Malware Analysis Training

  This presentation is part of our Reverse Engineering & Malware Analysis Training
  program. Currently it is delivered only during our local meet for FREE of cost.




For complete details of this course, visit our Security Training page.

                                           www.SecurityXploded.com
Who am I
Monnappa
     m0nna
     Member of SecurityXploded (SX)
     Info Security Investigator @ Cisco
     Reverse Engineering, Malware Analysis, Memory Forensics
     GREM
     Email: monnappa22@gmail.com,
     Twitter: @monnappa22
       Linkedin: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8



                                    www.SecurityXploded.com
Contents
   What is a Rootkit?
   User Mode Rootkits
   Kernel Mode Rootkits
   Function Call cycle on Windows
   Levels of hooking/modification on Windows
   Demo 1 (mader– SSDT hook)
   Demo 2 (prolaco – DKOM)
   Demo 3 (darkmegi /waltrodock– installs device driver)
   Demo 4 (carberp– syscall patch and inline API hook)


                                         www.SecurityXploded.com
What is a Rootkit?

   Program that perform system hooking or modifies functionality of OS

   Hide files, processes, other objects to conceal its presence

   Intercepts and alters the normal execution flow

   Can contain both user mode and kernel mode components

   Some rootkits can install as device drivers

   Types: User Mode and Kernel Mode Rootkits



                                             www.SecurityXploded.com
User Mode Rootkits


   Runs in Ring 3

   Hooking in user space or application space

   Some common user mode Rootkit technqiues:
       - IAT (Import Address Table) hooking
      - Inline API hooking


   Rootkit need to perform patching in the memory space of every running application




                                              www.SecurityXploded.com
Kernel Mode Rootkits


   Runs in Ring 0

   System hooking or modification in kernel space

   Some Kernel mode Rootkit techniques:
      - SSDT (System Service Descriptor Table) hooking
      - DKOM (Direct Kernel Object Manipulation)
      - IDT (Interrupt Descriptor Table) hooking
       - Installing as Device Drivers
        - Driver IRP hooking




                                             www.SecurityXploded.com
Function Call cycle on Windows
Below screenshot shows the API lifecycle on Windows system




                                        www.SecurityXploded.com
Levels of hooking/modification on Windows
The below screenshot shows tables and objects that Rootkit can hook/modify to hide its presence




                                                  www.SecurityXploded.com
NOTE

    Rootkit Theory and Techniques will be covered in depth in our Advanced Training Series. This
     session focuses on the Rootkit Analysis.


    Because of the time constraint, the demo uses a script “sandbox.py” which automates the behavioural
     analysis and memory analysis discussed in the Part 8 (Malware Memory Fornesics) and Part 9
     (Advanced Malware Analysis) of the training session.
http://nagareshwar.securityxploded.com/2012/06/16/training-session-part-8-%E2%80%93-practical-reversing-iii-memory-forensics/
http://nagareshwar.securityxploded.com/2012/07/15/training-session-part-9-%E2%80%93-practical-reversing-iv-advanced-malware-analysis/



    “sandbox.py” uses the tools CaptureBat (file, processs, registry activity), tshark (network activity),
     InetSim (simulating the services like dns, http, smtp) and Volatility (Memory Forensics) to produce
     the results. All these tools were discussed in Part 9 (Advanced Malware Analysis) of the training
     session.


                                                       www.SecurityXploded.com
Reversing & Malware Analysis Training Part 12 - Rootkit Analysis
Executing the sample mader.exe
Executing the sample drops a driver and loads it as kernel service




                                           www.SecurityXploded.com
Network Activity
The malware makes dns query and downloads additional files




                                        www.SecurityXploded.com
Kernel Callbacks
Rootkit uses callbacks to monitor for process creation activity




                                            www.SecurityXploded.com
SSDT Hooking
Rootkit modifies the pointers in the SSDT to protect itself from deletion or removal




                                            www.SecurityXploded.com
Rootkit Submission to VirusTotal
VirusTotal confirms the Rootkit after dumping and submitting the driver from memory




                                          www.SecurityXploded.com
Reversing & Malware Analysis Training Part 12 - Rootkit Analysis
Executing the sample prolaco.exe
Prolaco.exe drops two files on “Googlxe.exe” and “Rundll45.exe” on the filesystem




                                          www.SecurityXploded.com
Disables Security Products
Prevents the security products from running by looking for the security products and deleting its registry
key value




                                            www.SecurityXploded.com
Sends Spam
The malware sends spam invitation mails to the some of the organizations




                                    www.SecurityXploded.com
Hides the process
Process id 1080 sends the spam, but the rootkits hides that process from the process listing using DKOM technique




                                                 www.SecurityXploded.com
Hides Process from security tool
Hides the process from process explorer




                                          www.SecurityXploded.com
Detecting the hidden process
Comparing the process listing using Volatility’s “pslist” and “psscan” plugin, shows the hidden process
prolaco.exe (pid 1080)

             pslist                                                    psscan




                                           www.SecurityXploded.com
Dumping the hidden process
Dumping the hidden process from memory and submitting to VirusTotal confirms the presence of malicious hidden
process




                                                www.SecurityXploded.com
Reversing & Malware Analysis Training Part 12 - Rootkit Analysis
Executing the sample darkmegi.exe
The sample drops a driver and also invokes rundll32 and iexplore proces.




                                          www.SecurityXploded.com
Network Activity
Makes dns query and download additional files




                                         www.SecurityXploded.com
Sets Callbacks
Sets kernel callbacks to montior for an Image/DLL loading




                                          www.SecurityXploded.com
Examining the driver
The driver creates a device and accepts control codes from usermode programs




                                        www.SecurityXploded.com
Device and Driver object
Examining the device and driver objects shows the base address and address of DriverEntry routine




                                         www.SecurityXploded.com
DriverEntry routine
Examining the DriverEntry routine shows the presence of a DLL “com32.dll”




                                         www.SecurityXploded.com
Dumping the DLL from memory
The DLL dumped from the memory, which was loaded by rundll32.exe




                                       www.SecurityXploded.com
Dumping the Device Driver
Dumping the driver after determining the Driver’s base address




                                          www.SecurityXploded.com
DLL and Driver Submission
VT confirms the Rootkit component after submitting the samples

                                                                   VT results for dumped DLL
VT results for dumped Driver




                                         www.SecurityXploded.com
Reversing & Malware Analysis Training Part 12 - Rootkit Analysis
Executing the sample carberp.exe
The sample creates .tmp files and invokes explorer.exe and svchost.exe




                                         www.SecurityXploded.com
Network Activity
Malware performs dns and http activity




                                         www.SecurityXploded.com
Submits process information
Submits process information on the system to the command and control server




                                         www.SecurityXploded.com
SYSCALL Patch
Patches SYSCALL in ntdll.dll to hide its presence




                                          www.SecurityXploded.com
Inline API Hooks
Hooks API calls to steal http data, the hooking functions points to unknown location




                                           www.SecurityXploded.com
Embedded Executable
Dumping the embedded executable which was determined by examining the hooking function.




                                       www.SecurityXploded.com
Embedded EXE Submission
VirusTotal confirms the executable as component of Carberp




                                         www.SecurityXploded.com
Reference

   Complete Reference Guide for Reversing & Malware
    Analysis Training




                           www.SecurityXploded.com
Thank You !



www.SecurityXploded.com

Mais conteúdo relacionado

Destaque

Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automationsecurityxploded
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwaressecurityxploded
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6  - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6  - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Antivirus Evasion Techniques and Countermeasures
Antivirus  Evasion Techniques and CountermeasuresAntivirus  Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasuressecurityxploded
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password securitysecurityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 -  Practical Reversing (I)Reversing & Malware Analysis Training Part 6 -  Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)securityxploded
 

Destaque (12)

Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6  - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6  - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Antivirus Evasion Techniques and Countermeasures
Antivirus  Evasion Techniques and CountermeasuresAntivirus  Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Primer on password security
Primer on password securityPrimer on password security
Primer on password security
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 -  Practical Reversing (I)Reversing & Malware Analysis Training Part 6 -  Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 

Mais de securityxploded

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutionssecurityxploded
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tacticssecurityxploded
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Studysecurityxploded
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandboxsecurityxploded
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysissecurityxploded
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malwaresecurityxploded
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryptionsecurityxploded
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bulletsecurityxploded
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)securityxploded
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensicssecurityxploded
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learningsecurityxploded
 

Mais de securityxploded (20)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 

Último

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 

Último (20)

20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 

Reversing & Malware Analysis Training Part 12 - Rootkit Analysis

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Special thanks to ThoughtWorks for the beautiful and bigger venue.  Thanks to all the trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Monnappa  m0nna  Member of SecurityXploded (SX)  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  GREM  Email: monnappa22@gmail.com,  Twitter: @monnappa22  Linkedin: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8 www.SecurityXploded.com
  • 6. Contents  What is a Rootkit?  User Mode Rootkits  Kernel Mode Rootkits  Function Call cycle on Windows  Levels of hooking/modification on Windows  Demo 1 (mader– SSDT hook)  Demo 2 (prolaco – DKOM)  Demo 3 (darkmegi /waltrodock– installs device driver)  Demo 4 (carberp– syscall patch and inline API hook) www.SecurityXploded.com
  • 7. What is a Rootkit?  Program that perform system hooking or modifies functionality of OS  Hide files, processes, other objects to conceal its presence  Intercepts and alters the normal execution flow  Can contain both user mode and kernel mode components  Some rootkits can install as device drivers  Types: User Mode and Kernel Mode Rootkits www.SecurityXploded.com
  • 8. User Mode Rootkits  Runs in Ring 3  Hooking in user space or application space  Some common user mode Rootkit technqiues: - IAT (Import Address Table) hooking - Inline API hooking  Rootkit need to perform patching in the memory space of every running application www.SecurityXploded.com
  • 9. Kernel Mode Rootkits  Runs in Ring 0  System hooking or modification in kernel space  Some Kernel mode Rootkit techniques: - SSDT (System Service Descriptor Table) hooking - DKOM (Direct Kernel Object Manipulation) - IDT (Interrupt Descriptor Table) hooking - Installing as Device Drivers - Driver IRP hooking www.SecurityXploded.com
  • 10. Function Call cycle on Windows Below screenshot shows the API lifecycle on Windows system www.SecurityXploded.com
  • 11. Levels of hooking/modification on Windows The below screenshot shows tables and objects that Rootkit can hook/modify to hide its presence www.SecurityXploded.com
  • 12. NOTE  Rootkit Theory and Techniques will be covered in depth in our Advanced Training Series. This session focuses on the Rootkit Analysis.  Because of the time constraint, the demo uses a script “sandbox.py” which automates the behavioural analysis and memory analysis discussed in the Part 8 (Malware Memory Fornesics) and Part 9 (Advanced Malware Analysis) of the training session. http://nagareshwar.securityxploded.com/2012/06/16/training-session-part-8-%E2%80%93-practical-reversing-iii-memory-forensics/ http://nagareshwar.securityxploded.com/2012/07/15/training-session-part-9-%E2%80%93-practical-reversing-iv-advanced-malware-analysis/  “sandbox.py” uses the tools CaptureBat (file, processs, registry activity), tshark (network activity), InetSim (simulating the services like dns, http, smtp) and Volatility (Memory Forensics) to produce the results. All these tools were discussed in Part 9 (Advanced Malware Analysis) of the training session. www.SecurityXploded.com
  • 14. Executing the sample mader.exe Executing the sample drops a driver and loads it as kernel service www.SecurityXploded.com
  • 15. Network Activity The malware makes dns query and downloads additional files www.SecurityXploded.com
  • 16. Kernel Callbacks Rootkit uses callbacks to monitor for process creation activity www.SecurityXploded.com
  • 17. SSDT Hooking Rootkit modifies the pointers in the SSDT to protect itself from deletion or removal www.SecurityXploded.com
  • 18. Rootkit Submission to VirusTotal VirusTotal confirms the Rootkit after dumping and submitting the driver from memory www.SecurityXploded.com
  • 20. Executing the sample prolaco.exe Prolaco.exe drops two files on “Googlxe.exe” and “Rundll45.exe” on the filesystem www.SecurityXploded.com
  • 21. Disables Security Products Prevents the security products from running by looking for the security products and deleting its registry key value www.SecurityXploded.com
  • 22. Sends Spam The malware sends spam invitation mails to the some of the organizations www.SecurityXploded.com
  • 23. Hides the process Process id 1080 sends the spam, but the rootkits hides that process from the process listing using DKOM technique www.SecurityXploded.com
  • 24. Hides Process from security tool Hides the process from process explorer www.SecurityXploded.com
  • 25. Detecting the hidden process Comparing the process listing using Volatility’s “pslist” and “psscan” plugin, shows the hidden process prolaco.exe (pid 1080) pslist psscan www.SecurityXploded.com
  • 26. Dumping the hidden process Dumping the hidden process from memory and submitting to VirusTotal confirms the presence of malicious hidden process www.SecurityXploded.com
  • 28. Executing the sample darkmegi.exe The sample drops a driver and also invokes rundll32 and iexplore proces. www.SecurityXploded.com
  • 29. Network Activity Makes dns query and download additional files www.SecurityXploded.com
  • 30. Sets Callbacks Sets kernel callbacks to montior for an Image/DLL loading www.SecurityXploded.com
  • 31. Examining the driver The driver creates a device and accepts control codes from usermode programs www.SecurityXploded.com
  • 32. Device and Driver object Examining the device and driver objects shows the base address and address of DriverEntry routine www.SecurityXploded.com
  • 33. DriverEntry routine Examining the DriverEntry routine shows the presence of a DLL “com32.dll” www.SecurityXploded.com
  • 34. Dumping the DLL from memory The DLL dumped from the memory, which was loaded by rundll32.exe www.SecurityXploded.com
  • 35. Dumping the Device Driver Dumping the driver after determining the Driver’s base address www.SecurityXploded.com
  • 36. DLL and Driver Submission VT confirms the Rootkit component after submitting the samples VT results for dumped DLL VT results for dumped Driver www.SecurityXploded.com
  • 38. Executing the sample carberp.exe The sample creates .tmp files and invokes explorer.exe and svchost.exe www.SecurityXploded.com
  • 39. Network Activity Malware performs dns and http activity www.SecurityXploded.com
  • 40. Submits process information Submits process information on the system to the command and control server www.SecurityXploded.com
  • 41. SYSCALL Patch Patches SYSCALL in ntdll.dll to hide its presence www.SecurityXploded.com
  • 42. Inline API Hooks Hooks API calls to steal http data, the hooking functions points to unknown location www.SecurityXploded.com
  • 43. Embedded Executable Dumping the embedded executable which was determined by examining the hooking function. www.SecurityXploded.com
  • 44. Embedded EXE Submission VirusTotal confirms the executable as component of Carberp www.SecurityXploded.com
  • 45. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com