The Tao of .Net and Powershell Malware Analysis Pontiroli & Martinez

The Tao of .Net and Powershell Malware Analysis Pontiroli & Martinez

THE TAO OF .NET AND POWERSHELL MALWARE ANALYSIS PONTIROLI & MARTINEZ THE TAO OF .NET AND adopted proven practices from agile software development and business administration that focus on maximizing profi ts while POWERSHELL MALWARE minimizing the development time and maintenance cost of ANALYSIS these dreadful concoctions. Santiago M. Pontiroli In 2002, Microsoft released a game-changing framework that Kaspersky Lab, Argentina revolutionized the software development industry and unwittingly provided malware writers with an unimaginable F. Roberto Martinez arsenal of weapons. While ‘script kiddies’ resorted to builders and automated environments to cobble together variations of Kaspersky Lab, Mexico already-available malware samples, seasoned malware writers now had access to forums with approachable lessons on how Email {santiago.pontiroli; roberto.martinez}@ to write fresh pieces of malicious code, all with an eye to the kaspersky.com most desirable feature of all: avoiding anti-virus detection for as long as possible. Intended to compete directly with Oracle’s JAVA platform, the .NET framework provided not only a ABSTRACT comprehensive library of built-in functions but also an accompanying development environment capable of With the ubiquitous adoption of Microsoft’s .NET and supporting several high-level programming languages PowerShell frameworks, an ever increasing number of including Microsoft’s soon-to-be-fl agship C# and the evolution software development and IT ninjas are joining a nascent of Visual Basic, dubbed VB .NET. tradition of professionals leveraging these powerful environments for added effi cacy in their everyday jobs. With a Available by default in most Windows installations, the .NET wide array of libraries and cmdlets at their fi ngertips, the need framework has become the de facto standard for software to reinvent the wheel is long forgotten. development in Microsoft’s family of operating systems. Of course, malware writers are not far behind – they too have Moreover, with the 2006 addition of the increasingly powerful seen the light and are eager to use these convenient tools against PowerShell scripting framework, the interaction between .NET’s us. Whether it’s for everyday ransomware or state-sponsored supported programming languages and scripting automation has targeted campaigns, cybercriminals are now emboldened by a given software developers and system administrators an easy new arsenal that enables them to adapt with ease and agility. way to interface not only with the operating system but nearly Are you ready to defend yourself against this emerging threat? all Microsoft software, ranging from the Offi ce suite to the crown jewel, the SQL Server database engine. It’s time to understand our adversaries’ capabilities. In this paper, we’ll analyse select in-the-wild malware samples, Vast amounts of ready-to-use functionality make the picking apart the inner workings of these dastardly creations. combination of .NET and PowerShell a deadly tool in the hands We’ll introduce the cloaking mechanisms adopted by of cybercriminals. The straightforward value is immediate: cybercriminals, moving beyond managed code in execution developing simple yet effective applications to send spam, brute environments to the devious packers, obfuscators and crypters forcing credentials for virtually any service, or creating the next leveraged in conjunction with these powerful frameworks in global malicious campaign. The added benefi t: PowerShell order to baffl e malware analysts and forensic investigators. being ubiquitously whitelisted due to its importance in everyday Windows system administration and other recurring Knowing is not enough; we must apply. Willing is not enough; management activities makes it harder to prevent attacks that are we must do. With a plethora of post exploitation and lateral reliant on these deeply ingrained operating system components. movement tools created and customized every day in rapid application development environments and high-level With access to a powerful integrated development environment programming languages, defending against this kind of (IDE) such as the newly free Visual Studio, even application pervasive opponent is a full-time job. lifecycle management and rapid application development practices have become easier and are increasingly adopted by THE RISE OF .NET AND POWERSHELL today’s cybercriminals with aspirations of forming part of an organized industry. Clearly defi ned separations between MALWARE programmers, designers, testers, command-and-control server Gone are the days when a programming-savvy malware writer administrators, and everyone involved in cybercriminal would lock him/herself up in a dark basement, looking at a operations translates into maximum effi ciency and, in turn, glaring screen fi lled with assembly code. A challenge to the maximum profi ts. Computer-enabled crime and fraud have status quo has succeeded and now the self-titled cybercrime become a faithful refl ection of their ‘real-life’ counterparts. With industry has become a booming business, with criminals all cybercrime gangs stealing millions of dollars from institutions around the world wanting to jump on the bandwagon and get a (examples include Carbanak and gangs like the recently piece of the action. With a greater availability of high-level apprehended Svpeng), we are witnessing a paradigm shift in programming languages each day, some of which are even computer crime away from the ‘one-man show’ to that of an taught in high-school- and university-level courses thanks to earnest team effort. On the other side of the table, we fi nd their simplicity, lots of curious ‘wannabe criminals’ with cooperation between private security research companies and dubious intentions fi nd themselves surprisingly well equipped law enforcement agencies proving paramount in combating these to reach into the depths of the Internet and pull out examples borderless threats. The evolution in the complexity and quantity of source code and step-by-step tutorials to create their next of .NET and PowerShell malware is becoming a reality, and as malicious campaign. Instead of wanting to showcase their security researchers we need to be ready to fi ght back against technical expertise or intellectual capacity, criminals have these types of threats with the proper tools and knowledge. VIRUS BULLETIN CONFERENCE SEPTEMBER 2015 99 THE TAO OF .NET AND POWERSHELL MALWARE ANALYSIS PONTIROLI & MARTINEZ Whereas normal PE samples are better analysed using a embedded device use. A reduced version of the framework, debugger such as Olly or a disassembler such as IDA Pro, .NET Compact Framework, is available on Windows CE understanding .NET malware samples requires a specifi c set platforms, including Windows Mobile devices such as of tools that will make the malware analyst’s life much smartphones. Additionally, .NET Micro Framework is easier. The availability of free and open-source decompilers targeted at severely resource-constrained devices. and a plethora of tools to help in our analysis tasks means Amidst the number of open-sourced .NET related projects, that not only can cybercriminals benefi t from the use of we can fi nd the compiler platform code-named ‘Roslyn’, high-level programming languages, but we can benefi t as which provides open-source C# and Visual Basic compilers well. As with any endeavour, building the right toolset with rich code analysis APIs. Moreover, the .NET Core means getting prebuilt tools but also being ready to develop platform is made up of several components, including the our own when needed. What better than to fi ght fi re with aforementioned managed compilers, the runtime, the BCL fi re, by using Visual Studio, PowerShell and C# in our daily and the application model, such as ASP.NET. The majority of fi ght against malware? Integrating PowerShell with several .NET Core platform projects typically use either the MIT or .NET libraries and DLLs from currently available Apache 2 code licences. Some projects license their decompilers such as ILSpy will allow any analyst to create a documentation and other forms of content under Creative standardized process that fi ts his needs, enabling quick Commons Attribution 4.0. determination both of the sample’s behaviour and whether it warrants further research. The Mono Project is a software platform designed to allow To understand the differences in the analysis of .NET developers to easily create cross-platform applications assemblies we’ll need fi rst to briefl y review how the (Figure 1). It is an open-source implementation of Microsoft’s framework works and how a .NET PE is built. We have .NET Framework based on the ECMA standards for C# and already seen that cybercriminals have changed their habits to the Common Language Runtime. Along with the adopt new malware development practices, and as defendants implementation of the CLR we can also fi nd a cross-platform we should adapt our analysis environments too in order to IDE named MonoDevelop, making a perfect companionship counteract this evolving threat in an effi cient manner. for cross-platform .NET developers. As of Windows XP SP2 (and Windows 2003 server editions), .NET FRAMEWORK INTERNALS the .NET Framework is included by default in Microsoft operating systems. The inclusion of version 2.0 in Windows It was within Microsoft’s original plans to build the .NET XP SP2 paved the way for the availability of newer versions Framework with the ambitious goal of providing developers a in editions of Windows to follow. Windows Vista already single platform on which they could build all kinds of included versions 2.0 and 3.0, nearly reaching the ever applications. In theory, this revolutionary framework was to popular Windows 7, which included version 3.5.1 of the .NET be supported by a wide range of operating systems outside the Framework (in addition to previous framework versions with Microsoft ecosystem, having an ECMA specifi cation in place their corresponding service packs). The development path so as to aid the development of open-source implementations suggested by Microsoft is clear; making .NET an essential (e.g.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    26 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us