Analysis of Malware Classification Schemas

Masarykova univerzita, Fakulta informatiky

Analysis of Malware Classification Schemas
Master’s Thesis
Bc. Peter Nemček
Brno, Fall 2013

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Bc. Peter Nemček

Advisor: Mgr. Vít Bukač

Acknowledgement

I would like to thank my parents, who supported me during the whole studies, my girlfriend, who greatly supported me during the whole studies and in the writing of this thesis, and I would like to thank my thesis advisor, Mgr. Vít Bukač, for his valuable suggestions and comments about this thesis.

Abstract

The aim of this thesis is to analyze and compare the properties and behavior of various malware classification schemas (YARA, OpenIOC, MAEC/Mitre). The theoretical chapter describes each schema, compares the schemas with one another, and discusses the strengths and weaknesses of each. The practical chapter proposes a conversion tool in the form of a web service and implements some of its basic functionality. The thesis also proposes further research directions.

Keywords

Malware, Malware Analysis, Malware Signatures, YARA, OpenIOC, MAEC, Malware Signature Conversion, APT

Contents

1 Introduction
  1.1 Motivation – APT1
    Key Findings
2 Malware Types and Properties
  2.1 Behavior
    2.1.1 Downloaders and Launchers
    2.1.2 Backdoors
      Reverse Shell
      Remote Administration Tools
      Botnets
    2.1.3 Credential Stealers
      GINA Interception
      Hash Dumping
      Keystroke Logging
    2.1.4 Maintaining Persistence
      The Windows Registry
      Trojanized System Binaries
      DLL Load-Order Hijacking
    2.1.5 Privilege Escalation
      Using SeDebugPrivilege
    2.1.6 User-Mode Rootkits
      IAT Hooking
      Inline Hooking
  2.2 Launching Malware Silently
    2.2.1 Launchers
    2.2.2 Process Injection
      DLL Injection
      Direct Injection
    2.2.3 Process Replacement
    2.2.4 Hook Injection
      Local and Remote Hooks
      Keyloggers Using Hooks
      Using SetWindowsHookEx
      Thread Targeting
    2.2.5 Detours
    2.2.6 APC Injection
      APC Injection from User Space
      APC Injection from Kernel Space
3 Leaving Footprints
  3.1 Signatures
  3.2 Tools for Effective Signature Creation
    3.2.1 Staying Anonymous
    3.2.2 Creating a Secure and Controlled Environment
      Tools That May Come Handy
      Virtual Machines
4 Signature Formats
  4.1 Mandiant’s OpenIOC
    4.1.1 OpenIOC
    4.1.2 IOC Functionality
    4.1.3 Using IOC in the Investigative Lifecycle
  4.2 YARA
    4.2.1 Creating Rules
      Strings
      Conditions
    4.2.2 Release of Version 2.0
    4.2.3 Advantages of YARA Format
  4.3 MAEC
    4.3.1 MAEC Language
      Low Level – Abstracted Actions
      Mid Level – Behaviors
      High Level – Mechanisms
      Example Mapping
      The MAEC Bundle Output Format
      The MAEC Package Output Format
    4.3.2 High Level Use Cases for the MAEC Language
    4.3.3 Advantages of MAEC Format
    4.3.4 Disadvantages of MAEC Format
  4.4 Comparison of Mentioned Formats
5 A Tool for Malware Signature Conversion
  5.1 Requirements
  5.2 Technology Used
    5.2.1 Java
    5.2.2 Spring Framework
    5.2.3 Server
  5.3 The Tool
  5.4 Internal Format
    5.4.1 Workflow
  5.5 How to Run the Tool
    Running Using a Batch Script
    Running Via Maven
    Running Using a Server
  5.6 A Simple Use Case
6 Conclusion
A Contents of the Attached CD
B Mandiant’s OpenIOC Signature Format
C YARA Signature Format
D MAEC Signature Format

1 Introduction

It is hard to imagine a world in which everything is perfect, nobody threatens anyone and everybody is happy in this beautiful and secure world. Unfortunately for us, the empirical experience we face each day makes this hard indeed. Add to that the fact that almost everything has already been (or is being) converted to electronic form. Every single activity has some connection to electronic devices or to electronic communication, be it a simple task like walking through the city with your smartphone connected to the internet or a more sophisticated one (e.g., buying something through PayPal). In the former example someone might be interested in where you currently are, but that someone would be in a very small minority. In the latter one, however, virtually every single bad entity is interested in money. Unfortunately, money makes the world go around, and it takes a large amount of money to stop losing an even larger sum of money. According to [1], cyber security was the only area in which spending was substantially increased.

As the years go by, attacks are no longer as undirected as they used to be. There are specialized people, even military groups (as documented in the recent APT1 report), who attack in the most subtle way, trying to hide from every possible defense mechanism and targeting their victims with the most precise strikes. Leaving no traces is essential for the attackers, as they want to gather as much information (and, of course, money) as possible. The APT1 threat was employed by the Chinese government in an attempt to steal vital information from U.S. military organizations. The threat is not present only to military organizations; it is present to any company that might own valuable intellectual property. It is crucial to be able to identify and thwart any attacks employed by such malicious entities in order to protect ourselves from data and/or money theft.

1.1 Motivation – APT1

Since 2004, Mandiant (http://www.mandiant.com/) has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the ‘Advanced Persistent Threat’ (APT). Mandiant first published details about the APT in their January 2010 M-Trends report. As they stated in the report, their position was that ‘The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.’ Now, three years later, they have the evidence required to change their assessment. The details they have analyzed during hundreds of investigations convince them that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them. [2]

Mandiant continues to track dozens of APT groups around the world; however, the APT1 report [2] is focused on the most prolific of these groups. They refer to this group as ‘APT1’, and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From their observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled them to write the report. [2]

The activity they have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though their visibility of APT1’s activities is incomplete, they have analyzed the group’s intrusions against nearly 150 victims over seven years. From their unique vantage point responding to victims, they tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. They uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore that there are actual individuals behind the keyboard, Mandiant revealed three personas they have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. [2]

Their analysis has led them to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. They believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, their research found that the People’s Liberation Army’s (PLA) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate. [2]

Key Findings

Location: APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. Unit 61398 is believed to be staffed by hundreds or thousands of people, based on the size of its physical infrastructure. It resides in a recently built (2007) 12-story building and has a special fiber optic connection directly from China Telecom. Personnel are required to be trained in computer security and computer network operations and to be proficient in the English language. [2]

Nature of Stolen Data: APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
