HIT2006

Spyware Detection: Automated Behavior Analysis System

Birdman, X-Solve, 2006-07-16

Abstract: This talk analyzes the design techniques and operating models of currently popular Spyware, and introduces the automated malicious-program behavior analysis system and the integrated Spyware detection tool we have developed, which help security staff study new Spyware and malicious-program behavior models.

Birdman, [email protected], X-Solve. Our website: Http://x-solve.com/blog. Column Writer, http://www.informationsecurity.com.tw. MSDN Flush Writer, http://www.microsoft.com/taiwan/msdn

X-Solve, Inc. is a company focusing on developing IT security technology for the reliable and high-assurance detection and eradication of Spyware and Rootkits.

Automated Behavior Analysis Approach, Birdman, HIT2006

Outline

- What is Spyware?
- The Malicious Behavior Models of Spyware
- Strategy of Spyware Analysis and Detection
- Archon Scanner - Spyware Detection Tool
- Archon Analyzer - Automated Malicious Behavior Analyzer
- Conclusion

What is Spyware?

Definition: Spyware is considered a malicious program in that users unwittingly install the product when they install something else.

There are two types of Spyware.

Commercial Purpose: This type of Spyware tracks your surfing habits in order to serve ads related to the user: Adware, Browser Hijackers or other unwanted software.

Invasive Purpose: This type is designed for hackers, and is more malicious than the other type. Hackers use it to collect private data of certain victims or to penetrate computer systems: key-loggers, Rootkits and other hacking tools. This is the type we discuss in the following slides.

The Difference Between Virus & Spyware

Virus vs. Spyware

Virus                                | Spyware
Active and large-scale attack        | Passive, small-scale and stealthy
Low mutation                         | High mutation, customized
No specific target, no localization  | Specific target, localization
Does destruction                     | Does information collection

The Malicious Behavior Models of Spyware

Traditional Spyware Behavior: Spyware exists as independent executable programs.

Modern Spyware Behavior: the Spyware is split across several component types.

[Figure: Traditional Spyware is a set of EXE files; Modern Spyware combines DLL, SYS, EXE and Shellcode components.]

Case Study 1: DLL Injection

This one is a kind of DLL Injection Spyware. It will inject a DLL into Explorer.exe and IE. Oh YA! ^_^ Really Happy

[Figure: the Spyware Dropper drops the Spyware DLL (comph.dll), injects the DLL into Explorer, creates an invisible IE process, and injects into IE.]

Spyware Behavior

EXE or Process are insufficient! Different from traditional Spyware, sophisticated Spyware has not just one EXE. It appears in many executable types, such as DLL, SYS, even Shellcode. That is one of the reasons that make Anti-Virus suck!

Common Malicious Behavior consists of three units:
- Deployment Unit
- Launch Unit
- Core Unit: Remote-Control, Data Collection, Self-Protection, Other malicious behavior

Common Malicious Behavior Model

[Figure: Deployment Unit -> Launch Unit -> Core Unit]

Deployment Unit: Drop Files; Modify System Settings or Files. They are the so-called Droppers.

Launch Unit: Windows Startup, Trigger -> Launch.

Core Unit: Malicious Behavior: Collect and Upload Data, Rootkit Function... all kinds of dodgy things.

Strategy of Spyware Analysis and Detection

There are three types of Spyware Detection: Before Execution, On Execution, After Execution.

Before Execution            | On Execution        | After Execution
Signature Detection         | Behavior Monitor    | Cross-View Check
Static Analysis             | Integrity Monitor   | Integrity Check
Anti-Virus, Reversing Tools | Anti-Virus, HIPS    | Forensic Tools, Scanner

Spyware Detection - Archon Scanner

A forensic tool for scanning Spyware:
- Rootkit Detection
- DLL Injection Backdoor Detection
- Malicious Behavior Analysis
- Zero Deployment: no monitor program needs to be installed, no training for a baseline

Download Trial Version Archon (2006-07-01 ~ 07-30):
http://x-solve.com/Products/Archon_Scanner/Trial/Snapshot/Archon_1.JPG
http://x-solve.com/Products/Archon_Scanner/Trial/Snapshot/Archon_2.JPG
http://x-solve.com/Products/Archon_Scanner/Trial/ArchonScanner_1.0_Preview.zip

Spyware Detection - Archon Scanner

Spyware Domain View: Different from other commercial Spyware Scanners, Archon Scanner is designed from a Spyware domain view; we use over 25 aspects as malicious behavior features to analyze unknown Spyware or Rootkits.

Major Malicious Behavior Features:
- Hidden Process Detection
- Kernel Hooking Detection (SSDT Hook)
- User Mode Global API-Hooking Detection
- Hidden Registry Key Detection
- Malicious DLL Injection Analysis
- Raw Socket Detection
- LDR Modification Tricks Detection
- Message Hooker Detection

Archon Scanner focuses on user mode Spyware detection.

Spyware Inspection of Archon Scanner

[Figure: the Sensor sits in the OS Kernel; it inspects static data (File & Registry) and each process (Process A, B, C) together with the DLLs loaded in it.]

Rootkit Detection

Against Hooking: There are many hooking approaches in the world, but we just focus on the major tricks which are popular among Spyware writers.
- Kernel Mode Hook: SSDT Hooking
- User Mode Hook: IAT Hooking, EAT Hooking, Inline Hooking

Hidden Process Detection: We use the "Process Handle Tracking Approach" to detect all kinds of hidden processes, such as Hxdef, Fu, AFX, Vanquish or other Rootkits. In the next version of Archon, we will add a new approach to detect processes hidden by FuTo.

Hidden objects are easy to discover with the Cross-View approach.
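The two detection ideas on this slide, the cross-view check for hidden processes and the "where does this entry point" check for SSDT and IAT hooks, reduce to small comparisons once the raw views have been collected. The following is an added example, not Archon code and not from the slides: the process views, the module address ranges and the SSDT/IAT entries are constructed sample data (the module names hxdef.sys and comph.dll are reused from the deck as labels only), and `cross_view_hidden`, `find_hooks` and `ModuleRange` are names chosen here.

```python
"""Cross-view and address-range checks over constructed sample data (not
Archon code): hidden processes are the ones a low-level view knows about
but the high-level API view does not; hooked SSDT/IAT entries are the
ones that resolve outside the module that legitimately owns them."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr, modules):
    """Name of the module whose image range covers addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def cross_view_hidden(api_view, low_level_view):
    """Cross-view check: anything present in the low-level view (handle
    tracking, PID enumeration) but missing from the high-level API view
    is being hidden from that API."""
    return sorted((pid, name) for pid, name in low_level_view.items()
                  if pid not in api_view)


def find_hooks(table, modules):
    """Range check: each (symbol, expected_module, address) entry should
    resolve into the module that owns it (ntoskrnl for the SSDT, the
    exporting DLL for an IAT slot). Anything else is reported with the
    module it actually points into, which names the hooking component."""
    hooked = []
    for symbol, expected, addr in table:
        owner = owner_of(addr, modules)
        if owner != expected:
            hooked.append((symbol, hex(addr), owner or "<unmapped>"))
    return hooked


# --- constructed sample data (not real captures) ---------------------------

# High-level view (a process-listing API) vs. a low-level view.
API_VIEW = {4: "System", 1234: "explorer.exe", 2000: "iexplore.exe"}
HANDLE_VIEW = {4: "System", 1234: "explorer.exe", 2000: "iexplore.exe",
               2468: "hxdef100.exe"}

# Kernel module map and two SSDT entries; one points into a rootkit driver.
KERNEL_MODULES = [ModuleRange("ntoskrnl.exe", 0x804D7000, 0x200000),
                  ModuleRange("hxdef.sys", 0xF8A3A000, 0x4000)]
SSDT = [("NtQuerySystemInformation", "ntoskrnl.exe", 0x80560E0C),
        ("NtOpenProcess", "ntoskrnl.exe", 0xF8A3B120)]

# User-mode module map of explorer.exe and two IAT slots; one has been
# redirected into an injected DLL.
USER_MODULES = [ModuleRange("kernel32.dll", 0x7C800000, 0xF6000),
                ModuleRange("comph.dll", 0x10000000, 0x8000)]
EXPLORER_IAT = [("kernel32!FindNextFileW", "kernel32.dll", 0x7C80A1F4),
                ("kernel32!CreateProcessW", "kernel32.dll", 0x10001A20)]

if __name__ == "__main__":
    print("hidden processes:", cross_view_hidden(API_VIEW, HANDLE_VIEW))
    print("SSDT hooks:", find_hooks(SSDT, KERNEL_MODULES))
    print("IAT hooks:", find_hooks(EXPLORER_IAT, USER_MODULES))
```

The range check catches SSDT, IAT and EAT redirection but not inline hooking, where the patched JMP sits inside the legitimate module's own code; that is why the slide lists inline hooks separately, and detecting them needs a comparison of the in-memory code against the on-disk image rather than an address check.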

How to find out an injected DLL?

Theoretically, it is impossible to determine which DLL was injected into a process without a behavior monitor, because all the important evidence disappears after injection.

Other Clues:
- Find out all explicitly loaded DLLs with LDR information (PEB -> LDR table)
- IAT Scanning
- Malicious PE Check: Packer Analysis
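The "other clues" above combine into a usable heuristic: a module that appears in the process's loader list but is not reachable from the main EXE's static import table was loaded explicitly, and among those the ones nothing else imports are the real candidates. The following is an added example, not Archon code and not from the slides: the loaded-module list, the import tables and the section bytes are constructed (loosely modelled on Case Study 1, with comph.dll inside explorer.exe), and `explicit_loads`, `statically_linked` and `packed_sections` are names chosen here.

```python
"""Explicit-load DLL finder plus a packer heuristic (added example, not
Archon code). Input is what walking PEB->Ldr and parsing each module's
import table would give; all data below is constructed."""

import math
from collections import Counter, deque


def statically_linked(exe, imports):
    """Transitive closure of static imports starting at the main EXE:
    the modules the loader would bring in on its own."""
    start = exe.lower()
    seen, queue = {start}, deque([start])
    while queue:
        for dep in imports.get(queue.popleft(), ()):
            dep = dep.lower()
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def explicit_loads(exe, ldr_modules, imports):
    """Split the loader list into 'roots' (loaded modules nothing statically
    imports) and modules only present as dependencies of those roots."""
    linked = statically_linked(exe, imports)
    unexplained = {m.lower() for m in ldr_modules} - linked
    pulled_in = {dep.lower() for m in unexplained
                 for dep in imports.get(m, ()) if dep.lower() in unexplained}
    return sorted(unexplained - pulled_in), sorted(pulled_in)


def shannon_entropy(data):
    """Bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_sections(sections, threshold=7.0):
    """Names of sections whose byte entropy exceeds the threshold."""
    return [name for name, data in sections.items()
            if shannon_entropy(data) > threshold]


# --- constructed sample data -----------------------------------------------

LDR_MODULES = ["explorer.exe", "ntdll.dll", "kernel32.dll", "user32.dll",
               "gdi32.dll", "shell32.dll", "comph.dll", "ws2_32.dll"]
IMPORTS = {
    "explorer.exe": ["kernel32.dll", "user32.dll", "shell32.dll"],
    "kernel32.dll": ["ntdll.dll"],
    "user32.dll": ["kernel32.dll", "gdi32.dll", "ntdll.dll"],
    "gdi32.dll": ["ntdll.dll"],
    "shell32.dll": ["kernel32.dll", "user32.dll"],
    "comph.dll": ["kernel32.dll", "ws2_32.dll"],
}
# Section bytes of the suspect DLL: a flat code stub and a high-entropy blob.
SECTIONS = {".text": b"\x90" * 1024, "UPX1": bytes(range(256)) * 4}

if __name__ == "__main__":
    roots, deps = explicit_loads("explorer.exe", LDR_MODULES, IMPORTS)
    print("explicitly loaded:", roots, "pulled in by them:", deps)
    print("high-entropy sections:", packed_sections(SECTIONS))
```

Roots are candidates, not verdicts: shell extensions, COM servers and delay-loaded DLLs are also absent from the static closure, which is the practical form of the slide's point that post-injection evidence is circumstantial. The entropy check is the usual cheap packer indicator; a module that is both an unexplained root and mostly high-entropy is the one to pull for manual analysis first.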

Element of Intrusion Detection System

There are many IDS around us.
- Guard -> Person
- NIDS -> IP (Session)
- Anti-Virus -> File
- HIPS/Personal -> Process

We need more precise answers! How about DLL Injection Spyware? How about Code Injection Spyware? How about Kernel mode Spyware? How about Rootkits!?!

Malicious Behavior Set

In order to cover all the malicious behavior, including remote threading and DLL injection, we track the relationship of process and thread to identify the "Malicious Behavior Set".

Automated Malicious Behavior Analyzer

We need an automated analyzer to profile the malicious behavior of Spyware.

Implementation: To capture all the user mode Spyware behavior, we have developed a pure kernel mode monitor, Archon Analyzer.

Behavior Monitor:
- Process and Thread Tracking
- File Dropping Monitor
- Remote Threading Monitor
- Process Memory Access Monitor
- Registry Access Monitor
- Networking Monitor
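Given the event types the monitor above records, the Malicious Behavior Set of the previous slide can be built by growing a set of process IDs from the dropper along two relationships, parent to child and injector to injected target, and then attributing every event of a member to the Deployment, Launch or Core unit of the behavior model. The following is an added example, not Archon Analyzer code and not from the slides: the event log is constructed (loosely modelled on Case Study 2, reusing its file names, spoolsv.exe/IE as injection targets and the www.baidu.com DNS query), and `behavior_set`, `profile`, `SPREAD` and `UNIT_OF` are names chosen here.

```python
"""Build a Malicious Behavior Set from a kernel-side event log (added
example, not Archon Analyzer code; the log below is constructed)."""

# Relationship by which membership spreads: (field naming the actor,
# field naming the process that joins the set).
SPREAD = {
    "process_create": ("ppid", "pid"),        # child of a member
    "remote_thread": ("pid", "target_pid"),   # member runs a thread in target
    "mem_write": ("pid", "target_pid"),       # member writes target memory
}
# Which unit of the behavior model each event type belongs to.
UNIT_OF = {"file_drop": "deployment", "process_create": "deployment",
           "registry_set": "launch", "remote_thread": "launch",
           "mem_write": "launch", "network": "core"}


def actor(ev):
    """The process responsible for an event (the parent for process_create)."""
    return ev["ppid"] if ev["type"] == "process_create" else ev["pid"]


def behavior_set(events, root_pid):
    """Grow the set from the dropper in time order, so a process that a
    member injects into becomes a member itself and its later activity
    (e.g. the DNS query issued from spoolsv.exe) is attributed correctly."""
    members = {root_pid}
    for ev in sorted(events, key=lambda e: e["t"]):
        rule = SPREAD.get(ev["type"])
        if rule and ev[rule[0]] in members:
            members.add(ev[rule[1]])
    return members


def describe(ev):
    t = ev["type"]
    if t == "process_create":
        return f'{ev["ppid"]} started {ev["image"]} (pid {ev["pid"]})'
    if t == "file_drop":
        return f'{ev["pid"]} dropped {ev["path"]}'
    if t == "registry_set":
        return f'{ev["pid"]} set {ev["key"]}'
    if t == "remote_thread":
        return f'{ev["pid"]} created a thread in {ev["target_pid"]}'
    if t == "mem_write":
        return f'{ev["pid"]} wrote memory of {ev["target_pid"]}'
    line = f'{ev["pid"]} {ev["proto"]} -> {ev["dst"]}'
    return line + (f' ({ev["detail"]})' if "detail" in ev else "")


def profile(events, root_pid):
    """Events of set members grouped by unit; unrelated processes that are
    active at the same time (pid 800 below) are left out of the profile."""
    members = behavior_set(events, root_pid)
    report = {"deployment": [], "launch": [], "core": []}
    for ev in sorted(events, key=lambda e: e["t"]):
        if actor(ev) in members:
            report[UNIT_OF[ev["type"]]].append(describe(ev))
    return members, report


# --- constructed event log; pids 600, 800, 1500 and 1800 pre-exist ---------
EVENTS = [
    dict(t=1, type="process_create", pid=1000, ppid=600, image="dropper.exe"),
    dict(t=2, type="file_drop", pid=1000, path=r"C:\WINDOWS\system32\shell32.exe"),
    dict(t=3, type="file_drop", pid=1000, path=r"C:\WINDOWS\system32\xyztmp2.exe"),
    dict(t=4, type="process_create", pid=1100, ppid=1000, image="xyztmp2.exe"),
    dict(t=5, type="file_drop", pid=1100, path=r"C:\WINDOWS\system32\wlogntiy.dll"),
    dict(t=6, type="registry_set", pid=1100,
         key=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogntiy"),
    dict(t=7, type="remote_thread", pid=1100, target_pid=1500),   # spoolsv.exe
    dict(t=8, type="network", pid=800, proto="UDP", dst="10.0.0.53:53"),  # unrelated svchost
    dict(t=9, type="network", pid=1500, proto="UDP", dst="10.0.0.53:53",
         detail="DNS query www.baidu.com"),
    dict(t=10, type="mem_write", pid=1500, target_pid=1800),      # iexplore.exe
    dict(t=11, type="network", pid=1800, proto="TCP", dst="203.0.113.10:80"),
]

if __name__ == "__main__":
    members, report = profile(EVENTS, 1000)
    print("behavior set:", sorted(members))
    for unit, lines in report.items():
        print(unit.upper())
        for line in lines:
            print("  ", line)
```

The point of spreading membership along injection edges is that the network traffic of an injected spoolsv.exe or IE is indistinguishable from the host process's own at the socket layer; only the thread and memory-access history ties it back to the dropper, which is what a process-only view (the "EXE or Process are insufficient" slide) cannot do.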

Virtual Lab For Spyware Analysis

Virtual Lab = Archon Analyzer + VM Sandbox. Automated! Efficient!

[Figure: VM Sandbox]

Case Study 2 - (1/2)

- Drop EXE: shell32.exe and xyztmp2.exe
- Driver!! Rootkit??
- Winlogon Notification!! Wlogntiy.dll (Autorun!)
- DLL Injection!! Inject into IE and spoolsv.exe

Case Study 2 - (2/2): Network Traffic Recording

DNS Query: www.baidu.com?

Archon Analyzer also records the traffic of TCP, UDP and ICMP.

Case Study 3: Code Injection

In this case, we will reveal some sophisticated tricks about code injection. It never drops any files onto disk. That is why they are so difficult to detect! It overwrites the IE memory directly with a whole EXE image.

[Figure: Shellcode writes a whole EXE file image into IE.] Anti-Virus: No File to Detect!! Orz

Case Study 3: Behavior Analysis (1/2)

- Drop EXE
- Copy a whole EXE Image into IE

Case Study 3: Behavior Analysis (2/2)

- DNS Query: kimo.2288.org, ns1.3322.net
- Spyware Log file

Scanner vs. Analyzer

Archon Scanner: works "in the wild", i.e. in the uncontrolled environment. Focuses on finding out unknown malicious software. Behavior Scanner; Forensic Tool.

Archon Analyzer: works "in the zoo". Focuses on analyzing the malicious behavior of a certain target. Behavior Monitor; Software Malicious Behavior Testing Tool; Lab Tool.

Conclusion

The danger of Spyware is very real, and Rootkit technology is the latest trend in hiding Spyware from users and Anti-Spyware software. Stealing of information and compromise of private data can continue unnoticed for days, weeks and sometimes months. Through personal policies and the latest technology, you can actively protect your company's network, and take a stand against Malware.

Q&A & THX

Greetz: All the great Rootkit hackers on Earth. Mr. SSCAN, ICST, Archon Team, X-Solve, and all my friends ☺
