Why you should never use the internet
Overview
The Situation
 Infiltration
 Characteristics
 Techniques
 Detection
 Prevention

The Situation: Shit Just Got Real

The players and the game has changed
 Criminal organizations*
 Governments**

Profit/Politically driven
 Cyber weapons
 FBI vs Coreflood

Professionally developed
 User manuals
 MaaS
*may or may not be organized
** may or may not be criminals
Infiltration

Legitimate (compromised) hosts
 Direct: Wordpress hacked
 Indirect: Advertisements
Exploit Packs
 Search Engine Optimization hacks

 Breaking news
 Celebrities (Snookie causes infections)

Social
 Facebook, Twitter, etc
Characteristics (the lines have blurred)
Virus
 Trojan/Backdoor
 Rootkit
 Scam/Scareware/Randsomware
 Password stealers
 Worms

Techniques
API Hooking
 Run-time Patching
 Boot sector modification
 Browser Content replacement

API Hooking
Allows malware to intercept Windows
API calls
 Can be done in user or kernel space,
but in kernel space it’s much more
powerful

API Hooking
Program
DeleteFile[A|W]
NtDeleteFile
USER MODE
KERNEL MODE
System Service Descriptor Table
SSDT
ZwDeleteFile
API Hooking: Example
Program
DeleteFile[A|W]
NtDeleteFile
USER MODE
KERNEL MODE
System Service Descriptor Table
SSDT
fakeDelete
ZwDeleteFile
API Hooking

Allows rootkits to do a lot of nasty things
 Hide processes/files
 Hide networking (to a degree)
 Basically take over your system
Fairly straightforward to implement
 However, it is easy to detect

Run-time Patching
Replaces API calls with your own by
patching the API routine itself
 Can achieve the same goals as API
hooking, but harder to detect

Run-time Patching: Example
Target Code
Run-time Patching: Example
Jump Back
Target Code
Detour Jump
Malicious Code
Run-time Patching
Very tricky to implement
 Harder to detect

 You have to scan the memory space
 If it’s not permanent, an offline analysis isn’t
very helpful
Boot Sector Modification
Changes boot sector code to load an
alternative boot loader
 This boot loader can change the way
Windows boots, including disabling
checks and protections
 Can be difficult to remove (and detect)

Browser Content Replacement
Allows the malware to modify what you
see and send in your web browser
 Can replace forms, POST data, POST
locations, hide data…
 “View Source” does nothing:
modifications are done in memory
 HTTPS is not relevant

Browser Content Replacement:
Zeus botnet
From the user manual:
“Intercepting HTTP/HTTPS-requests from wininet.dll
(Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla
Firefox) libraries:

1.
2.
3.
4.
5.
6.
7.
8.
9.
Modification of the loaded pages content (HTTP-inject).
Transparent pages redirect (HTTP-fake).
Getting out of the page content the right pieces of data (for
example the bank account balance).
Temporary blocking HTTP-injects and HTTP-fakes.
Temporary blocking access to a certain URL.
Blocking logging requests for specific URL.
Forcing logging of all GET requests for specific URL.
Creating a snapshot of the screen around the mouse cursor
during the click of buttons.
Getting session cookies and blocking user access to specific
URL.”
Detection
AV (loosing race)
 Monitor outbound communications






TCPView
Netstat
Border monitoring
Outbound watching IDS (snort)
System Internals
 TCPView
 Procmon
 RootKitRevealer
Detection: GMER
Rootkit detector
 Detects:

 Hidden processes, hidden files, hidden




DLLs, hidden registry keys, hidden*
SSDT, IAT, EAT hooks
MBR modification
Suspicious drivers
…lots more
Detection: GMER
Prevention
Update software (not just Windows)
 Windows 7 (x64)
 EMET
 Uninstall Adobe Reader
 Chrome/Firefox
 VMs/Linux/OSX

Further Information

Blogs
 F-secure: http://www.f-secure.com/weblog/
 Sophos: http://nakedsecurity.sophos.com/
 Inreverse: http://www.inreverse.net/

Online tools
 Virus Total: http://www.virustotal.com/
 Anubis: http://anubis.iseclab.org/

Samples:
 Malware domain list:
http://www.malwaredomainlist.com/
 Offensive Security:
http://www.offensivecomputing.net/
LayerOne
Hacker con at the Anaheim Marriott
 May 28-29
 Hardware Hacking, Lockpicking,
Contests
 $100 online, $140 at the door

References







2010 Websense Threat Report: http://www.websense.com/content/threatreport-2010-introduction.aspx?cmpid=prblog
Verizon 2011 Data Breach Investigations Report:
http://www.verizonbusiness.com/resources/reports/rp_data-breachinvestigations-report2011_en_xg.pdf?&src=/worldwide/resources/index.xml&id=
Microsoft Security Intelligence Report v10:
http://www.microsoft.com/security/sir/
Book: “The Rootkit Arsenal”, by Reverend Bill Blunden
Book: “Malware Analyst’s Cookbook”, by M. Ligh, S. Adair, B. Hartstein, M.
Richard
Book: “Reversing: Secrets of Reverse Engineering”, by Eldad Eilam
MSDN Documentation: http://msdn.microsoft.com/en-us/library/default.aspx
Questions?
seanbmcallister@gmail.com