This document summarizes a lecture on malware behavior. It discusses various types of malware like downloaders, backdoors, credential stealers, and techniques for persistence and privilege escalation. It reviews analysis methods and encourages students to apply their knowledge to a malware analysis project due in two weeks. A lab session on malware analysis will take place the following Friday.

Malware Behavior

Malware Analysis
CSCI 4976 - Fall 2015
Branden Clark

Malware - 09/28/2015 Malware Behavior 1


Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



What we’ve learned so far...
• Basic Analysis
– Quickly glean information from the sample(s)
– Help guide and focus Advanced Analysis



What we’ve learned so far...
• Advanced Analysis - Static
– Used to see what is going on
– Confirm suspicions aroused during basic analysis
– Identify functionality
• Advanced Analysis - Dynamic
– Control the program
∘ Take new code paths
∘ Change data
– See what is really going on
∘ Encoded data?
∘ Polymorphic code?



What we’ve learned so far...
• Windows API and systems
– How does malware interact with Windows?
– How does Windows make malware authors’ lives easier?
– How does it make their lives harder?



Apply that knowledge!
• Project 1
– Due TWO weeks from today (10/13 11:59PM)
– Like a larger lab, but without questions
– You will write a report on the sample
∘ Analysis, things found, difficulties, conclusion, etc.
∘ You will be given an official guide and an example report



Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



Downloaders and Launchers
• Names are pretty self-explanatory
– Downloaders
∘ Download a (probably) more complex sample and install/run it
– Launchers
∘ Unpack/decrypt/drop a (probably) more complex sample and install/run it

• Example: PMA Lab11-01.exe (Practical Malware Analysis [1])


Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation
• User-mode rootkits



Backdoors
• Remote access to or control of a system
– RAT - Remote Access Trojan
• We’ve seen a couple of these
– Class lab: lab03b.malware
– APT1 SEASALT


Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



Credential Stealers
• GINA - Graphical Identification and Authentication (Win XP & earlier)
– A framework that sees every authentication attempt
∘ Similar to the networking stack: several modules get the "packet" and can handle it accordingly
∘ Microsoft - It has uses, we promise
• side note: Lenovo rootkit
• Credential Providers (what Windows uses now)
– Basically the same thing
– Great write-up by Tyler Wrightson


Credential Stealers - Background
• Windows Authentication (Long ago)
– Type your password EVERY time you access a
resource
– Quickly became annoying
– The solution?



Credential Stealers - Background
• Windows Authentication
– SSO - Single Sign-On
– Type your password ONCE, Windows keeps the hash around
– When Windows needs to access a resource it just passes the hash around

Problem? So can you!

(Pass-the-Hash Attack)

What do we do now?
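The slide's point, that the kept hash is as good as the password, is easiest to see in the protocol itself. The following is an added illustration, not part of the original slides or of any Windows code: a pure-Python model of the NTLMv2 challenge/response that SSO performs on the user's behalf. Both ends derive everything from the NT hash (unsalted MD4 of the UTF-16LE password); the verifying side holds only the hash and never sees the password, which is exactly why a stolen hash can be replayed. MD4 is implemented inline because many OpenSSL builds disable it in `hashlib`; the user, domain and challenge values are constructed, and the NTLMv2 blob is simplified (AV pairs omitted, timestamp fixed at 0).

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inlined because hashlib's md4 is often unavailable."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                    # round 1
            a = rotl((a + f(b, c, d) + w[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + w[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): unsalted MD4 of the UTF-16LE password. This is what SSO keeps around."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over upper(user) + domain. Needs the hash, not the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_authenticate(nt: bytes, user: str, domain: str, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Client side: build a simplified NTLMv2 blob and prove knowledge of the NT hash."""
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + client_challenge + b"\x00" * 4
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Verifier side (the DC in practice): it holds only the NT hash and recomputes the proof."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo_exchange(password: str = "password", user: str = "alice", domain: str = "CORP") -> dict:
    """Constructed exchange: the same 16-byte hash drives both ends; the password is never referenced again."""
    nt = nt_hash(password)
    server_challenge, client_challenge = os.urandom(8), os.urandom(8)
    response = client_authenticate(nt, user, domain, server_challenge, client_challenge)
    # A party that holds only `nt` (no password) produces a response the verifier accepts just the same.
    hash_only = client_authenticate(nt, user, domain, server_challenge, client_challenge)
    return {
        "nt_hash": nt.hex(),
        "accepted": server_verify(nt, user, domain, server_challenge, response),
        "hash_only_accepted": server_verify(nt, user, domain, server_challenge, hash_only),
        "wrong_hash_rejected": not server_verify(nt_hash("wrong"), user, domain, server_challenge, response),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

Nothing in the exchange ever needs the cleartext, so protecting the hash is the whole game for a defender: no shared local administrator passwords across machines, the Protected Users group for privileged accounts, and LSASS running as a protected process (RunAsPPL) so that tools which read its memory are stopped at the door.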


Credential Stealers
• Windows Authentication
– SSO - Single Sign-On
– Type your password ONCE, Windows keeps an encrypted copy of the password around
– No more passing hashes, since we have the password now!
∘ wait a minute…

Ciphertext is in memory
Encryption keys are in memory

Open Sesame...or something


Credential Stealers
Amplia Security - Windows Credentials Editor



Credential Stealers
mimikatz



Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



Persistence Mechanisms
• Things we’ve seen so far
– A few registry keys
– Startup folder
– BHO - Browser Helper Objects
– Services

Now go run SysInternalsSuite/Autoruns.exe


Persistence Mechanisms
• AppInit_DLLs
– “...a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system” - MSDN
• SvcHost DLLs
– svchost.exe runs legitimate Microsoft services, and use for any other purpose is unsupported.
– Trojanize a legitimate service, now it looks legit!
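Autoruns shows these locations interactively; the check below, added here as an example and not taken from the slides, Sysinternals or any other project, does the same for the two persistence points just described plus the Run keys, over a registry export. It parses a constructed `.reg`-style text (service names, DLL paths and the `netsvcx` service are made up; real exports write `ImagePath` as `hex(2):`, plain strings are used here for readability) and flags an `AppInit_DLLs` entry together with its `LoadAppInit_DLLs` switch, any svchost-hosted service whose `ServiceDll` lives outside System32, and Run entries that start from a user-writable directory.

```python
import re

# Constructed sample in `reg export` layout. Paths, values and the "netsvcx" service are made up.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorSync"="C:\\Program Files\\Vendor\\sync.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\upd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuaueng.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcx]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcx\Parameters]
"ServiceDll"="C:\\ProgramData\\netsvcx.dll"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: quoted strings and dword values; other value types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def expand(path) -> str:
    """Lower-case a path and expand the one variable these keys commonly use."""
    return str(path).lower().replace("%systemroot%", "c:\\windows")


def get_key(keys: dict, wanted: str) -> dict:
    """Case-insensitive key lookup (registry key names are case-insensitive)."""
    return next((v for k, v in keys.items() if k.lower() == wanted.lower()), {})


def audit_persistence(keys: dict) -> list:
    findings = []
    win = get_key(keys, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    if win.get("AppInit_DLLs"):
        state = "loading enabled" if win.get("LoadAppInit_DLLs") == 1 else "loading disabled"
        findings.append(f"AppInit_DLLs = {win['AppInit_DLLs']} ({state}): injected into every user-mode process")
    for key, vals in keys.items():
        lowered = key.lower()
        if lowered.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in vals.items():
                if expand(cmd).startswith(USER_WRITABLE):
                    findings.append(f"Run entry {name} starts from a user-writable path: {cmd}")
        if lowered.endswith("\\parameters") and "ServiceDll" in vals:
            svc_key = key[: -len("\\Parameters")]
            svc = svc_key.rsplit("\\", 1)[-1]
            image = expand(get_key(keys, svc_key).get("ImagePath", ""))
            if "svchost.exe" in image and not expand(vals["ServiceDll"]).startswith(SYSTEM32):
                findings.append(f"svchost service {svc} loads ServiceDll outside System32: {vals['ServiceDll']}")
    return findings


def run_audit(text: str = REG_SAMPLE) -> list:
    return audit_persistence(parse_reg(text))


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

On a real host, feed it the output of `reg export` for the three hives shown, or extend the key list with whatever Autoruns surfaces that you care about; the `LoadAppInit_DLLs` check matters because an `AppInit_DLLs` value with loading disabled is dormant rather than active.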


Persistence Mechanisms
• DLL Load-Order Hijacking
– Microsoft’s loader looks for DLLs in specific places, in a fixed order
– So stick your own DLL higher in the load order and give it the same name
∘ Problem identified ~15 years ago, marked WNF (won’t fix)
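To make the search order concrete, here is an added model of it (example code written for this page, not Microsoft's loader and not from the slides) over a constructed file set. It walks the default SafeDllSearchMode order (application directory, System32, System, Windows, current directory, PATH) and the legacy order with the current directory second, honours KnownDLLs, which are mapped from System32 without any search, and ends with the defender's check: which DLLs in an application directory shadow a System32 DLL of the same name. Directory and file names are made up.

```python
import ntpath

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")
# KnownDLLs are mapped straight from the \KnownDlls section (System32) and never searched for.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}

# Constructed file system: a planted version.dll next to the app, plus two planted DLLs in the CWD.
APP_DIR = r"C:\Program Files\Vendor\App"
CWD = r"C:\Users\alice\Downloads"
SAMPLE_FS = {
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\cryptsp.dll",
    APP_DIR + r"\app.exe",
    APP_DIR + r"\version.dll",   # same name as the System32 DLL, but earlier in the search order
    CWD + r"\ntdll.dll",         # planted, but a KnownDLL is never searched for
    CWD + r"\cryptsp.dll",       # only wins when SafeDllSearchMode is off (CWD searched second)
}


def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directory order the Win32 loader walks for an unqualified DLL name."""
    if safe_search:                       # default since XP SP2: CWD demoted below the system dirs
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(fs, name, app_dir, cwd, path_dirs=(), safe_search=True):
    """Path the loader would pick for `name`, given the set of existing file paths `fs`, or None."""
    present = {p.lower() for p in fs}
    if name.lower() in KNOWN_DLLS:
        candidate = ntpath.join(SYSTEM_DIRS[0], name)
        return candidate if candidate.lower() in present else None
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in present:
            return candidate
    return None


def hijack_candidates(fs, app_dir):
    """Defender check: DLLs in an application directory that shadow a System32 DLL of the same name."""
    system32_names = {ntpath.basename(p).lower() for p in fs
                      if ntpath.dirname(p).lower() == SYSTEM_DIRS[0].lower()}
    hits = []
    for p in fs:
        base = ntpath.basename(p).lower()
        if (ntpath.dirname(p).lower() == app_dir.lower() and base.endswith(".dll")
                and base in system32_names and base not in KNOWN_DLLS):
            hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    for dll in ("version.dll", "ntdll.dll", "cryptsp.dll"):
        print(dll, "->", resolve_dll(SAMPLE_FS, dll, APP_DIR, CWD))
    print("shadowing DLLs:", hijack_candidates(SAMPLE_FS, APP_DIR))
```

The model shows why the mitigations look the way they do: KnownDLLs take the core system libraries out of the search entirely, SafeDllSearchMode keeps a downloaded-to directory from outranking System32, and a scan like `hijack_candidates` over the directories of auto-started programs is the practical Autoruns-style check for the remaining cases.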


Overview
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



Privilege Escalation
• Some of the previously mentioned techniques work
• So do Windows exploits
– Why is it this easy?


Privilege Escalation
• There’s a little more to it
– An Administrator on Windows doesn’t have ALL the permissions...

• ...right away: the privileges are in the token, but most start out disabled
– AdjustTokenPrivileges(...) enables them
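An added example (not from the slides, and not the Windows API itself) of what that distinction looks like from the outside: it parses the table printed by `whoami /priv`, where every privilege a token holds is listed with its state, separates "present but disabled" from "enabled", and models the one rule of `AdjustTokenPrivileges` that matters here: the call can only flip privileges the token already holds, and names it does not hold are reported back rather than granted (the real API signals that through `ERROR_NOT_ALL_ASSIGNED`). The `whoami /priv` text is constructed to match the command's layout; the rows were chosen for illustration, and the "sensitive" list is an assumption about what a defender would alert on.

```python
# Constructed `whoami /priv` output for an elevated administrator; layout follows the real command.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeDebugPrivilege              Debug programs                            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeLoadDriverPrivilege         Load and unload device drivers            Disabled
"""

# Assumed watch-list: privileges that are effectively admin-equivalent once enabled.
SENSITIVE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeLoadDriverPrivilege",
             "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege"}


def parse_privileges(text: str) -> dict:
    """Map privilege name -> enabled?  First token is the name, last is the state, description in between."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1] == "Enabled"
    return privs


def adjust_token_privileges(privs: dict, wanted: list, enable: bool = True) -> tuple:
    """Model of AdjustTokenPrivileges: only privileges already in the token can be toggled.
    Returns (updated token, names that were not present), mirroring ERROR_NOT_ALL_ASSIGNED."""
    token = dict(privs)
    missing = []
    for name in wanted:
        if name in token:
            token[name] = enable
        else:
            missing.append(name)
    return token, missing


def report(privs: dict) -> dict:
    """Split what the token holds into enabled vs. merely present, and flag enabled sensitive ones."""
    return {
        "enabled": sorted(n for n, on in privs.items() if on),
        "present_but_disabled": sorted(n for n, on in privs.items() if not on),
        "sensitive_enabled": sorted(n for n, on in privs.items() if on and n in SENSITIVE),
    }


if __name__ == "__main__":
    before = parse_privileges(WHOAMI_PRIV)
    print("before:", report(before))
    after, missing = adjust_token_privileges(before, ["SeDebugPrivilege", "SeTcbPrivilege"])
    print("after: ", report(after), "not held:", missing)
```

For detection, the interesting event is the transition: a process that starts with `SeDebugPrivilege` present but disabled and later enables it is doing something a normal administrative session rarely does, and the privilege-use audit category in Windows records exactly that step.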


Review
• Section 1 review & Project 1
• Downloaders and Launchers
• Backdoors
• Credential Stealers
• Persistence Mechanisms
• Privilege Escalation



Lab on Friday! (10/03)
• Same place
• Same time
• Same idea



References
1. Sikorski, Michael, and Andrew Honig. Practical Malware Analysis the
Hands-on Guide to Dissecting Malicious Software. San Francisco: No
Starch, 2012. Print.
