Reverse Engineering Malware and Mitigation Techniques. Jacek Milunski (NATO Computer Incident Response Center), Andrzej Dereszowski (NATO Computer Incident Response Center), Raf Cox (Microsoft)
Slide 1
Reverse Engineering Malware and Mitigation Techniques
Jacek Milunski – NATO Computer Incident Response Center
Andrzej Dereszowski – NATO Computer Incident Response Center
Raf Cox – Microsoft BeLux
SIA404

Slide 2
Overview
- Who are we?
- Why malware reverse-engineering is important
- Mitigation techniques
- Demos:
  - Malware-dropper versus AppLocker
  - ShellCode versus EAF (EMET)
  - Buffer-overrun versus DEP (EMET)
  - Buffer-overrun versus Heapspray-preallocation (EMET)
  - ROP-exploit versus DEP and Mandatory ASLR (EMET)
- Conclusions
Slide 3
NATO Computer Incident Response Capability
(Map of supported operations and sites; labels: NTM-I, Operation Ocean Shield, Darfur support to the African Union, KFOR, ISAF, OUP Libya, Norfolk, Naples, Lisbon, EUFOR, Brunssum, NATO HQ & Agencies (NATO HQ, NC3A, NAMSA, NETMA, ...), Mons)
Slide 4
Incident Response Services
- System Engineering: system hardening, enterprise-wide security tools, forensics analysis, advice to projects
- Incident Detection & Response: intrusion detection, incident handling, web site monitoring, email monitoring
- Vulnerability Management: assessments and testing, security awareness, Cyber Defence Exercises

Slide 5
Mitigation techniques
Slide 6
Overview
- We will deep-dive into actual malware code: how does it work? What exploit techniques does it use?
- Look under the hood: what's going on and how the malware executes
- How do countermeasures block these exploits? Focus on AppLocker, DEP, Heapspray allocation & mandatory ASLR (the last three enforced through EMET)
Slide 7
WARNING
DO NOT TRY THIS AT HOME OR AT THE OFFICE!
- We've selected actual malware targeted at NATO that has been analyzed (so we know what it does)
- Testing malware can and will infect your systems
- Malware testing and reverse engineering must only be done on fully isolated systems
- We selected a few (real) samples that are relevant for the purpose of this presentation (mainly based on older PDF exploits)
Slide 8
Case 1: malware-dropper versus AppLocker
- Targeted PDF with CVE-2010-2883 (Adobe Reader CoolType TTF vulnerability)
(Diagram of the dropper chain; labels: Adobe.pdf, Winword.js, ~temqp.tmp, OWNED!)
Slide 9
Demo: malware-dropper
Slide 10
Application Control policies
- Controls the execution environment
- Supports multiple scenarios:
  - Blacklisting (deny specific known-bad apps)
  - Whitelisting (only allow approved apps)
  - Code-signed apps only
  - Location-based (e.g. only allow apps to run from %programfiles% and %windir%)
- AppLocker rules:
  - Block or allow
  - Apply to <user> or <group>
  - Rule-type: path, publisher (code-signed) or hash
  - Exceptions (combination of rule-types)
Slide 11
Demo: malware-dropper blocked by AppLocker
Slide 12
Enhanced Mitigation Experience Toolkit
- In the following samples, we will use several advanced protection mechanisms that are built into the OS or enforced through EMET
- EMET (Enhanced Mitigation Experience Toolkit) is a free tool that will:
  - Enhance existing memory-protection mechanisms (e.g. mandatory ASLR, DEP opt-in, ...)
  - Introduce new protection mechanisms (EAF, heapspray-allocation, ...)
- http://www.microsoft.com/en-us/download/details.aspx?id=29851
Slide 13
Case 2: ShellCode sample
- We use a proof-of-concept exploit code (http://skypher.com/index.php/2010/11/17/bypassing-eaf/)
- Test-application (w32-testival) loads the shell-code sample in memory (RWE access)
- Jumps to the shell-code
(Diagram: process layout with Code, Stack, Heap containing the ShellCode, and the NTDLL and Kernel32 modules with their Export Address Tables (EAT))
Slide 14
Case 2: ShellCode vs EAF protection (EMET)
- EMET will set a hardware breakpoint on the Export Address Tables of NTDLL and Kernel32
- If the access originates from code-pages or application-modules: succeed
- If it originates from stack or heap: STOP
- Can be circumvented by evading hardware breakpoints...
(Diagram: same process layout as the previous slide; the EAT access from the ShellCode on the heap is stopped)
Slide 15
Demo: malware scanning Export Address Tables versus EAF
Slide 16
Case 3: buffer-overrun vs DEP
- Targeted malicious PDF document fires a CVE-2009-4324 exploit (Adobe Reader this.MediaPlayer.new() vulnerability)
- The exploit uses classic heap spraying to prepare execution of the shellcode
- Successfully executed on Windows XP SP3 with Adobe Reader 8 (works also with 9)
Slide 17
Case 3: Heap spraying explained
(Diagram: the process heap is filled with many identical blocks, each a 0x0c0c0c0c nop slide followed by the shellcode ("0c0c0c0c ... sc"); the exploit transfers execution to address 0x0c0c0c0c, which lands inside one of the nop slides and slides into the shellcode)
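The landing check behind this diagram, as an added example (not code from the presentation): it scans a memory snapshot for long runs of one repeated 4-byte word (the nop slides) and reports whether a transfer to the hard-coded 0x0c0c0c0c hits a slide, hits a non-slide byte, or lands on unmapped memory. The snapshot layout, the base address 0x0c000000 and the payload placeholder are constructed assumptions.

```python
# Added example, not code from the presentation: locate heap-spray nop slides in a
# memory snapshot and describe what a jump to the exploit's fixed target meets.
# The snapshot is constructed below; a real analysis would read a process dump.
SPRAY_TARGET = 0x0C0C0C0C
MIN_RUN = 64  # smallest repeated-word run (in bytes) reported as a slide


def find_slides(snapshot: bytes, base: int, min_run: int = MIN_RUN) -> list:
    """Return (start_addr, end_addr, word) for each run of one repeated 4-byte word.

    Words are read 4-byte aligned from the snapshot start; an all-0x0c slide is
    found whatever the alignment.
    """
    runs, i, n = [], 0, len(snapshot)
    while i + 4 <= n:
        word = snapshot[i:i + 4]
        j = i + 4
        while j + 4 <= n and snapshot[j:j + 4] == word:
            j += 4
        if j - i >= min_run:
            runs.append((base + i, base + j, int.from_bytes(word, "little")))
        i = j
    return runs


def landing_analysis(snapshot: bytes, base: int, target: int = SPRAY_TARGET) -> dict:
    """Describe what execution transferred to `target` meets in this snapshot."""
    miss = {"mapped": False, "in_slide": False, "slide_word": None, "bytes_to_payload": None}
    if not base <= target < base + len(snapshot):
        # Nothing mapped at the target: the jump faults, which is the "no memory
        # allocated at this address" outcome of the heap-spray pre-allocation case.
        return miss
    for start, end, word in find_slides(snapshot, base):
        if start <= target < end:
            # Inside a slide: execution slides to the end of the run, where the
            # sprayed block's payload sits.
            return {"mapped": True, "in_slide": True, "slide_word": word,
                    "bytes_to_payload": end - target}
    return dict(miss, mapped=True)


def build_sprayed_heap(block_size: int, blocks: int, payload: bytes) -> bytes:
    """Constructed snapshot: `blocks` copies of (0x0c slide + payload), as in the diagram."""
    return (b"\x0c" * (block_size - len(payload)) + payload) * blocks


if __name__ == "__main__":
    heap = build_sprayed_heap(0x10000, 16, b"PAYLOAD-PLACEHOLDER!")  # 1 MiB at 0x0c000000
    print(landing_analysis(heap, 0x0C000000))
```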
Slide 18
Demo: Buffer overflow
Slide 19
Case 3: buffer-overrun vs DEP (EMET enabled)
- After enabling DEP with EMET, the exploit fails to execute
- Access violation exception when executing address 0x0c0c0c0c
- DEP blocks the execution of code located on the heap
Slide 20
Demo: Buffer overflow (EMET DEP enabled)
Slide 21
Case 4: How about heap spraying allocation?
- The same PDF is used to test if the HeapSpray protection stops the attack
- Adobe Reader wants to jump to 0x0c0c0c0c but ... there is no memory allocated at this address
- HeapSpray protection stops the attack as well
- Can be employed as a second layer to block this attack
- Drawback: easy to circumvent if the attacker knows we are using it
Slide 22
Demo: Buffer overflow (EMET HeapSpraying enabled)
Slide 23
Case 5: Fixed ROP gadgets vs ASLR
- ASLR available since Windows Vista
- Exploit: targeted PDF with CVE-2010-2883 (Adobe Reader CoolType TTF vulnerability)
- Despite DEP enabled and default ASLR settings, the exploit successfully executes (thanks to ROP shellcode and a non-relocated DLL: icucnv36.dll)
Slide 24
Case 5: ROP explained
Slide 25
Demo: Buffer overflow with ROP exploit (EMET DEP enabled)
Slide 26
Case 5: Fixed ROP gadgets vs ASLR (DEP + Mandatory ASLR enabled)
- DEP + Mandatory ASLR stops the exploit!
- The program jumps into a nonexistent address: the shellcode had hardcoded addresses into icucnv36.dll
- EMET forces icucnv36.dll to be relocated
- Adobe Reader jumps into the void ...
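A defender-side check for the condition Case 5 hinges on, as an added example (not code from the presentation): it parses the PE optional header of a module and reports whether it opts into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) and whether it still carries a base-relocation table, which is what a mandatory-ASLR enforcer such as EMET needs in order to rebase a module like icucnv36.dll. The sample image is a minimal PE32 header constructed inline; the flag values are the documented PE constants.

```python
# Added example, not from the presentation: read a PE optional header and report
# the flags behind Case 5 (ASLR opt-in, DEP opt-in, relocation table present).
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
BASERELOC_DIR = 5         # data-directory index of the base-relocation table


def mitigation_flags(image: bytes) -> dict:
    """Return the ASLR/DEP related properties of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff, opt = pe + 4, pe + 24
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    # DllCharacteristics is at optional-header offset 70 in both PE32 and PE32+;
    # the data directories start at 96 (PE32) or 112 (PE32+)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)
    _va, reloc_size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC_DIR)
    aslr = bool(dll_chars & DYNAMIC_BASE)
    relocatable = not (characteristics & RELOCS_STRIPPED) and reloc_size > 0
    return {"aslr_opt_in": aslr, "dep_opt_in": bool(dll_chars & NX_COMPAT),
            "relocatable": relocatable,
            # the icucnv36.dll situation: only forced (mandatory) ASLR rebases it
            "needs_mandatory_aslr": relocatable and not aslr}


def build_pe32(dll_chars: int, reloc_size: int, coff_chars: int = 0x2102) -> bytes:
    """Constructed sample: a minimal PE32 header (i386 DLL, no sections)."""
    img = bytearray(0x40 + 24 + 224)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 224, coff_chars)
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x10B)  # PE32 magic
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * BASERELOC_DIR,
                     0x5000 if reloc_size else 0, reloc_size)
    return bytes(img)


if __name__ == "__main__":
    print(mitigation_flags(build_pe32(0, 0x200)))  # legacy DLL without DYNAMIC_BASE
```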
Slide 27
Demo: Buffer overflow with ROP exploit (EMET DEP + Mandatory ASLR enabled)
Slide 28
Conclusions
- You still need to patch, have up-to-date AV, run as standard user and harden systems
- AppLocker is effective to counter drive-by downloads and social engineering (not against 0-day exploits)
- EMET is quite effective as additional protection against 0-days, although not perfect
- It will break some techniques which are considered "universal DEP and ASLR bypass" by forcing all DLLs to be randomized (see www.corelan.be)
- Mandatory ASLR + DEP together make exploit writing much more challenging (see the Object Confusion technique with CVE-2011-0609 on Vupen's blog)
Slide 29
Track Resources
www.microsoft.com/twc
www.microsoft.com/security
www.microsoft.com/privacy
www.microsoft.com/reliability
Slide 30
Resources
Connect. Share. Discuss. http://europe.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Slide 31
Evaluations
Submit your evals online: http://europe.msteched.com/sessions
Slide 32
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.