Malware RSS Feed
I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.
Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.
I even got an award to mark 10 years of teaching Reverse Engineering class at REcon. Time flies
The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:
Introducing Dynamic IDA Enrichment framework (a.k.a DIE):
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.
After the framework was explained, 3 live demos showed how to use the tool.
This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.
Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).
The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.
Other interesting talks included:
- This Time Font can hunt you down in 4 bytes
- Hooking Nirvana
- One font vulnerability to rule them all
- Reversing the Nintendo 64 CIC
You can find the full conference schedule at http://recon.cx/2015/schedule/
Slides and the videos from every talk will be uploaded soon on the REcon website.
See you next year at REcon 2016!
The past Saturday we had the privilege of participating in this year’s edition of “Nuit du Hack”, a French security conference which brings together professionals and amateurs of all skill levels for a series of lectures and challenges. It’s a full day (and night) of hacking goodness. A cloudy day set the perfect mood at the venue, the Academie Fratellini, in the marvelous and beautiful city of Paris.
With an interesting mix of security talks, capture the flag challenges, bug bounty programs, and workshops, the audience was welcome to join in any activities they chose. It was a security professional’s vision of heaven: learning about the latest security trends and issues while enjoying a beer and even getting a glimpse of the legendary Captain Crunch walking around. It’s also a great place for people of all ages and backgrounds to get involved.
The event started at full throttle with a memorable keynote from the director of ANSSI (National Agency for the Security of Information Systems) Guillaume Poupard, who spoke about local cyber security risks such as industrial espionage, electronic warfare and infrastructure sabotage. Moreover, he emphasized the importance of maintaining a balance between security and legality, an ethical dilemma that many security practitioners are facing right now in their daily activities.
The content of the talks was undoubtedly varied, including some that were more technically oriented, while others focused exclusively on the analysis of current security trends, malware and vulnerabilities.
David Melendez spoke about how he was able to build drone control system from scratch, basing his architecture and design on a GNU/Linux OS. Using a regular home Wi-Fi router and conventional hardware materials such as Wii accelerometer, he demonstrated a plausible way to control the drone’s flight using nothing more than an everyday gaming joystick. By sending commands and establishing a secure communication channel between the drone and the pilot, he successfully implemented a new protocol based on the 802.11 standard so as to prevent man-in-the-middle attacks.
The Internet of Things (IoT) is a topic that cannot be ignored any security event. With a very interesting approach, Guillaume Greyhound put on the table a hypothetical scenario about what would happen if some disaster were to damage the current technological infrastructure of a country. How could we face the impending chaos?
Faced with this situation, he exposed how IoT technologies can play a very important role in the implementing low-cost solutions that rely, for example, on Raspberry Pi devices or custom built drones and antennae to maintain a backup communication network that can ensure the exchange of goods and services.
Afterwards, Karsten Nohl introduced us to the world of mobile communication vulnerabilities. Showing a wide array of different technologies and mobile communication protocols such as SS7 and 3G, and how these can be compromised, he grabbed the audience’s attention right from the start. The presentation made it clear that the basic security level for mobile networks is not the same in every country around the world, he explained that some regions are evidently more exposed to intervention and eavesdropping. He also shared some specific tools to evaluate a network’s security, asking attendees to join him in his effort to protect free speech and the privacy of every individual that uses this type of communication (everyone). Interestingly, he also showed some solutions to defend against such attacks, once again highlighting the importance of protecting and defending privacy in digital communications.
My colleague Santiago Pontiroli and I presented our joint research into the evolution of .NET and PowerShell malware, which we titled “The TAO of .NET and PowerShell Malware analysis”. In our talk, Santi showed how malware development on .NET and PowerShell has increased more than 6,000% since 2009 (unique detections), all while presenting a detailed analysis several samples built with these technologies. Everything from devious ransomware campaigns such CoinVault to more complex and persistent threats used by pro-government Syrian hacking groups was shown to the audience.
From my side, I shared another side of the seemingly benevolent PowerShell, demonstrating its powerful incident response and forensics capabilities for us security researchers, and how malware developers are using these same methods for anti-forensics and code protection. As they seek to avoid detection and extend a particular piece of malware’s functionality in post exploitation activities, a plethora of offensive frameworks depending on PowerShell are amongst the bad guys’ favorite weapons of choice.
In addition, I tried to explain how malware developers could be using different penetration testing frameworks as a way to develop malware more rapidly. Certainly, we have found enough evidence in a considerable amount of malware samples showing the usage of SET and other offensive frameworks in the development of everyday malware and APTs, such as the case with the previously reported Machete.
I raised a question with the crowd, asking about the risks involved in the growing trend of cross-platform software development… Will the ability of running a piece of software between different platforms easily enable cybercriminals to create the ultimate multi-platform malware?
In summary, this was a great event with exceptionally exciting talks and very interesting with professionals from all over the world (having Captain Crunch there was an added bonus). As they say…we’ll always have Paris. And Nuit du Hack, of course.
For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically. But we’ve seen information indicating that the scope of targets can be wider and is not limited to the entertainment business. We track samples of Winnti malware all the time, but had not been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have been telecommunication companies, rather large holdings, but at least one of their businesses was in some way related to the production or distribution of computer games.
In April Novetta released its report on Winnti malware spotted in the operations of Axiom group. And Axiom group has been presented as a Chinese universal hacking actor carrying out espionage APT attacks against a whole range of different industries. So this report was another source of intelligence that Winnti was already not focused just on online games. Finally, we received a sample proving this.
The sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name w64.dll and the exported functions work_end and work_start. Since, as usual, this component is stored on the disk with the strings and much of other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library includes two drivers compiled on August 22 and September 4 2014. The sample has an encrypted configuration block placed in overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such tag in the configuration and it turned out to be the name of the well-known global pharmaceutical company headquartered in Europe:
Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised:
One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a stolen certificate of a division of a huge Japanese conglomerate. Although this division is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs and medicine equipment as well.
Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma.
Here are the samples in question:
8e61219b18d36748ce956099277cc29b – Backdoor.Win64.Winnti.gy
5979cf5018c03be2524b87b7dda64a1a – Backdoor.Win64.Winnti.gf
ac9b247691b1036a1cdb4aaf37bea97f – Rootkit.Win64.Winnti.ai