
Practical Malware Analysis

Ch 11: Malware Behavior

Last revised 11-3-14


Downloaders and Launchers
Downloaders
• Download another piece of malware
  – And execute it on the local system
• Commonly use the Windows API function URLDownloadToFileA,
  followed by a call to WinExec
Launchers (aka Loaders)
• Prepare another piece of malware for covert execution
  – Either immediately or later
  – Often store the payload in unexpected places, such as
    the .rsrc section of a PE file
Backdoors
Backdoors
• Provide remote access to victim machine
• The most common type of malware
• Often communicate over HTTP on Port 80
– Network signatures are helpful for detection
• Common capabilities
– Manipulate Registry, enumerate display windows,
create directories, search files, etc.
Reverse Shell
• Infected machine calls out to the attacker, asking for commands to execute
Windows Reverse Shells
• Basic
  – Create a socket to the remote machine
  – Fill in a STARTUPINFO structure so that its standard input, output,
    and error handles are all that socket
  – Call CreateProcess to run cmd.exe with that STARTUPINFO, with its
    window suppressed to hide it
  – Everything the attacker sends arrives as cmd.exe input, and all
    output goes back over the socket
• Multithreaded
  – Create a socket, two pipes, and two threads
  – One thread copies data from the socket into cmd.exe's stdin pipe,
    the other copies cmd.exe's stdout pipe back to the socket
  – Look for API calls to CreateThread and CreatePipe
RATs
(Remote Administration Tools)

• Ex: Poison Ivy


Botnets
• A collection of compromised hosts
– Called bots or zombies
Botnets v. RATs
• Botnet contain many hosts; RATs control
fewer hosts
• All bots are controlled at once; RATs control
victims one by one
• RATs are for targeted attacks; botnets are
used in mass attacks
Credential Stealers
Credential Stealers
• Three types
– Wait for user to log in and steal credentials
– Dump stored data, such as password hashes
– Log keystrokes
GINA Interception
• Windows XP's Graphical Identification and Authentication (GINA)
  – Intended to allow third parties to customize the logon process,
    e.g. for RFID or smart cards
  – Intercepted by malware to steal credentials
• GINA is implemented in msgina.dll
  – Loaded by the WinLogon executable during logon
• Third-party customizations are DLLs that WinLogon loads in place of
  msgina.dll and that sit between WinLogon and the real GINA
  – Malware uses exactly that slot
GINA Registry Key
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
• Its value is the path of the GINA DLL that WinLogon loads
  – Not set on a clean system (msgina.dll is the default)
  – Malware sets it to its own DLL
MITM Attack
• The malicious DLL must export all functions the real msgina.dll does,
  to act as a MITM
  – More than 15 functions
  – Most start with Wlx
• Good indicator: a malware DLL exporting a lot of Wlx functions is
  probably a GINA interceptor
WlxLoggedOutSAS
• Most exports simply call through to the real functions in msgina.dll
• WlxLoggedOutSAS is the export that hands the typed username and
  password back to WinLogon, so that is where the interceptor works:
  after passing the call through to msgina.dll, the malware logs the
  credentials to the file %SystemRoot%\system32\drivers\tcpudp.sys
Hash Dumping
• Windows login passwords are stored as LM or
NTLM hashes
– Hashes can be used directly to authenticate (pass-the-
hash attack)
– Or cracked offline to find passwords
• Pwdump and Pass-the-Hash Toolkit
– Free hacking tools that provide hash dumping
– Open-source
– Code re-used in malware
– Modified to bypass antivirus
Pwdump
• Injects a DLL into LSASS (Local Security
Authority Subsystem Service)
– To get hashes from the SAM (Security Account
Manager)
– Injected DLL runs inside another process
– Gets all the privileges of that process
– LSASS is a common target
• High privileges
• Access to many useful API functions
Pwdump
• Injects lsaext.dll into lsass.exe
– Calls GetHash, an export of lsaext.dll
– Hash extraction uses undocumented Windows
function calls
• Attackers may change the name of the
GetHash function
Pwdump Variant
• Uses these libraries
– samsrv.dll to access the SAM
– advapi32.dll to access functions not already
imported into lsass.exe
– Several Sam functions
– Hashes extracted by SamIGetPrivateData
– Decrypted with SystemFunction025 and
SystemFunction027
• All undocumented functions
Pass-the-Hash Toolkit
• Injects a DLL into lsass.exe to get hashes
– Program named whosthere-alt
• Uses different API functions than Pwdump
Keystroke Logging
• Kernel-Based Keyloggers
– Difficult to detect with user-mode applications
– Frequently part of a rootkit
– Act as keyboard drivers
– Bypass user-space programs and protections
Keystroke Logging
• User-Space Keyloggers
– Use Windows API
– Implemented with hooking or polling
• Hooking
– Uses SetWindowsHookEx function to notify
malware each time a key is pressed
• Polling
– Uses GetAsyncKeyState & GetForegroundWindow
to constantly poll the state of the keys
Polling Keyloggers
• GetAsyncKeyState
– Identifies whether a key is pressed or unpressed
• GetForegroundWindow
– Identifies the foreground window
Identifying Keyloggers in Strings Listings
• (strings listing screenshot) API names such as SetWindowsHookEx,
  GetAsyncKeyState and GetForegroundWindow stand out in the listing
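The import, export and string indicators named across the slides so far (downloader, reverse shell, GINA interceptor, keylogger, service persistence and SeDebugPrivilege use) can be turned into a small triage helper. This is an added example, not code from the slides or the book; the rules are heuristics, the sample listings are constructed rather than taken from real samples, and the Wlx names are the real GINA interface functions a replacement DLL must export.

```python
"""Added example: map API names from an imports/exports/strings listing to the
behaviours described in this chapter. Heuristic; sample listings are constructed."""


def _norm(name):
    """Fold the ANSI/Unicode suffix: CreateProcessA / CreateProcessW -> CreateProcess."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


# (behaviour label, set of imports that must all be present)
IMPORT_RULES = [
    ("downloader", {"URLDownloadToFile", "WinExec"}),
    ("reverse shell (basic)", {"socket", "connect", "CreateProcess"}),
    ("reverse shell (multithreaded)", {"socket", "CreatePipe", "CreateThread", "CreateProcess"}),
    ("keylogger (hooking)", {"SetWindowsHookEx"}),
    ("keylogger (polling)", {"GetAsyncKeyState", "GetForegroundWindow"}),
    ("service persistence", {"CreateService"}),
    ("SeDebugPrivilege use", {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"}),
]

WLX_THRESHOLD = 10   # msgina.dll exports more than 15 Wlx* functions; an interceptor must mirror them


def triage(imports, exports=(), strings=()):
    """Return the behaviour labels the listing supports, in rule order."""
    have = {_norm(n) for n in imports}
    hits = [label for label, needed in IMPORT_RULES if needed <= have]
    wlx = [e for e in exports if e.startswith("Wlx")]
    if len(wlx) >= WLX_THRESHOLD:
        hits.append("GINA interceptor (%d Wlx exports)" % len(wlx))
    if "SeDebugPrivilege" in strings and "SeDebugPrivilege use" not in hits:
        hits.append("SeDebugPrivilege string (privilege escalation)")
    return hits


# Constructed listings for the demo
SAMPLE_DOWNLOADER = ["GetTempPathA", "URLDownloadToFileA", "WinExec", "ExitProcess"]
SAMPLE_SHELL = ["WSAStartup", "socket", "connect", "CreatePipe", "CreateThread",
                "CreateProcessA", "ReadFile", "WriteFile"]
SAMPLE_KEYLOGGER = ["GetAsyncKeyState", "GetForegroundWindow", "CreateFileA", "WriteFile", "Sleep"]
SAMPLE_GINA_EXPORTS = [
    "WlxNegotiate", "WlxInitialize", "WlxDisplaySASNotice", "WlxLoggedOutSAS",
    "WlxActivateUserShell", "WlxLoggedOnSAS", "WlxDisplayLockedNotice",
    "WlxWkstaLockedSAS", "WlxIsLockOk", "WlxIsLogoffOk", "WlxLogoff", "WlxShutdown",
    "WlxScreenSaverNotify", "WlxStartApplication", "WlxNetworkProviderLoad",
    "WlxDisplayStatusMessage", "WlxGetStatusMessage", "WlxRemoveStatusMessage",
]


def demo():
    return {
        "downloader": triage(SAMPLE_DOWNLOADER),
        "shell": triage(SAMPLE_SHELL),
        "keylogger": triage(SAMPLE_KEYLOGGER),
        "gina": triage(["LoadLibraryA", "GetProcAddress"], exports=SAMPLE_GINA_EXPORTS),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits)
```

A hit is a hypothesis to confirm in the disassembler, not a verdict: a legitimate remote-administration tool imports the same reverse-shell APIs, and a packed sample imports almost nothing, so an empty result says more about the packer than the malware.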
Persistence Mechanisms
Three Persistence Mechanisms
• Registry modifications, such as the Run key
  – Other important registry entries: AppInit_DLLs, Winlogon Notify,
    Svchost DLLs
• Trojanized system binaries
• DLL load-order hijacking
Registry Modifications
• Run key
  – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  – Many others, as revealed by Autoruns
• ProcMon shows registry modifications as they happen
AppInit_DLLs
• AppInit_DLLs are loaded into every process that loads User32.dll
  – The value is a space-delimited list of DLLs, stored under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  – Many processes load them
  – The malware's DllMain therefore checks which process it is in
    before launching the payload
Winlogon Notify
• Notify subkeys under
  – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  – Each subkey names a DLL that handles winlogon.exe events
  – Malware tied to an event like logon, startup, lock screen, etc.
  – It can even launch in Safe Mode
Svchost DLLs
• svchost.exe is a generic host process for services that run as DLLs
• Many instances of svchost.exe are running at once, one per group
• Groups defined at
  – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
• Services defined at
  – HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName
Process Explorer
• (screenshot of the running svchost.exe instances)
ServiceDLL
• Every service hosted by svchost.exe has a Parameters subkey with a
  ServiceDLL value giving the DLL to load
  – Malware sets ServiceDLL to the location of its malicious DLL
Groups
• Malware usually adds itself to an existing
group
– Or overwrites a nonvital service
– Often a rarely used service from the netsvcs group
• Detect this with dynamic analysis monitoring
the registry
– Or look for service functions like CreateServiceA
in disassembly
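The registry locations covered in this persistence section (Run keys, GinaDLL, AppInit_DLLs, Winlogon Notify and svchost ServiceDLL values) can be audited from a .reg export, which is convenient when the hive comes from a suspect machine and the analysis box is not Windows. This is an added example, not code from the slides or the book: the .reg parser handles only the string, dword and default-value syntax used here, the export text is constructed, and the file names in it (svhost.exe, fsgina.dll, secnotify.dll, appinit.dll, the relocated 6to4svc.dll) are hypothetical.

```python
"""Added example: audit the persistence locations from this chapter in a .reg
export. Parser covers [Key], "Name"="str", "Name"=dword:hex and @=default.
The .reg text is constructed and its suspicious file names are hypothetical."""
import re

HKLM = "hkey_local_machine"
RUN_KEYS = [
    HKLM + "\\software\\microsoft\\windows\\currentversion\\run",
    HKLM + "\\software\\microsoft\\windows\\currentversion\\runonce",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
]
WINLOGON = HKLM + "\\software\\microsoft\\windows nt\\currentversion\\winlogon"
WINDOWS_NT = HKLM + "\\software\\microsoft\\windows nt\\currentversion\\windows"
SERVICE_PARAMS = re.compile(
    re.escape(HKLM + "\\system\\currentcontrolset\\services\\") + r"([^\\]+)\\parameters$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key: {value_name: value}}; keys and names are lowercased because
    the registry is case-insensitive. hex(...) binary values stay as raw text."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE.match(line)
        if m is None or cur is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1)).lower()
        val = m.group(3)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            val = int(val[6:], 16)
        cur[name] = val
    return keys


def audit(keys):
    """Return (category, name, value) findings for the locations on the slides."""
    findings = []
    for k in RUN_KEYS:
        for name, val in keys.get(k, {}).items():
            findings.append(("Run key", name, val))
    gina = keys.get(WINLOGON, {}).get("ginadll")
    if gina is not None:          # absent on a clean XP box: msgina.dll is the default
        findings.append(("GinaDLL set (possible GINA interceptor)", "ginadll", gina))
    appinit = keys.get(WINDOWS_NT, {}).get("appinit_dlls")
    if appinit:                   # non-empty: these DLLs enter every User32 process
        findings.append(("AppInit_DLLs", "appinit_dlls", appinit))
    for k, vals in keys.items():
        if k.startswith(WINLOGON + "\\notify\\") and "dllname" in vals:
            findings.append(("Winlogon Notify", k.rsplit("\\", 1)[1], vals["dllname"]))
        m = SERVICE_PARAMS.match(k)
        if m and "servicedll" in vals:
            path = str(vals["servicedll"]).lower().replace("%systemroot%", "c:\\windows")
            if not path.startswith("c:\\windows\\system32\\"):
                findings.append(("svchost ServiceDll outside System32", m.group(1), vals["servicedll"]))
    return findings


# Constructed export; ctfmon.exe and BITS/qmgr.dll are normal XP entries, the rest are hypothetical
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Documents and Settings\\All Users\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="C:\\WINDOWS\\system32\\fsgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secnotify]
"DLLName"="secnotify.dll"
"Logon"="OnLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\appinit.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="C:\\WINDOWS\\Temp\\6to4svc.dll"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(*finding, sep=" | ")
```

The System32 check on ServiceDll is deliberately crude: a malicious DLL dropped into System32 under a plausible name passes it, so in practice the value is compared against a known-good baseline of the netsvcs group as well, which is exactly the gap the slide's "rarely used service" trick exploits.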
Trojanized System Binaries
• Malware patches bytes of a system binary
  – To force the system to execute the malware the next time the
    infected binary is loaded
• DLLs are popular targets
• Typically the entry function is modified
  – Jumps to code inserted in an empty portion of the binary
  – Then executes the DLL normally
DLL Load-Order Hijacking
KnownDLLs Registry Key
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
• Contains a list of specific DLLs and their locations
• Overrides the search order for listed DLLs
• DLL load-order hijacking can only be used
  – On binaries in directories other than System32
  – That load DLLs in System32
  – That are not protected by KnownDLLs
Example: explorer.exe
• Lives in \Windows
• Loads ntshrui.dll from System32
• ntshrui.dll is not a known DLL
• Default search is performed, and the application's own directory is
  searched first
• A malicious ntshrui.dll in \Windows will be loaded instead
Many Vulnerable DLLs
• Any startup binary not found in \System32 is vulnerable
• explorer.exe has about 50 vulnerable DLLs
• Known DLLs are not fully protected, because
  – Many DLLs load other DLLs
  – Recursive imports follow the default search order
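The search described in this section can be modelled to show all three claims at once: explorer.exe's ntshrui.dll import is hijackable from \Windows, a KnownDLLs entry such as kernel32.dll is not, and a known DLL's own non-known imports still are. This is an added example, not code from the slides or the book. It assumes the default order with SafeDllSearchMode on (application directory, System32, System, Windows, current directory, PATH), and the file system, import lists and KnownDLLs set below are constructed, not read from a real machine.

```python
"""Added example: model of the DLL search order used in this section.
Assumes SafeDllSearchMode on; file system, imports and KnownDLLs are constructed."""

SYSTEM32 = "c:\\windows\\system32"
WINDIR = "c:\\windows"


def search_order(app_dir, cwd=WINDIR, path_dirs=()):
    """Default search order as modelled here (assumption: SafeDllSearchMode on)."""
    return [app_dir, SYSTEM32, "c:\\windows\\system", WINDIR, cwd, *path_dirs]


def resolve(dll, app_dir, fs, known, cwd=WINDIR, path_dirs=()):
    """Path the loader would pick for `dll`, or None if it is not found.
    fs: set of existing file paths (lowercase); known: KnownDLLs names (lowercase)."""
    dll = dll.lower()
    if dll in known:                   # KnownDLLs skip the search: always the System32 copy
        return SYSTEM32 + "\\" + dll
    for d in search_order(app_dir.lower(), cwd.lower(), path_dirs):
        cand = d.rstrip("\\") + "\\" + dll
        if cand in fs:
            return cand
    return None


def load_tree(app_dir, imports, fs, known, imports_of):
    """Resolve a binary's imports and, recursively, the imports of each DLL that
    gets loaded. imports_of maps a resolved DLL path to that DLL's own imports.
    Those recursive imports go through the default search, so a known DLL can
    still pull in a hijacked one."""
    loaded = {}

    def walk(names):
        for n in names:
            n = n.lower()
            if n in loaded:
                continue
            loaded[n] = resolve(n, app_dir, fs, known)
            if loaded[n]:
                walk(imports_of.get(loaded[n], ()))

    walk(imports)
    return loaded


def hijackable(app_dir, imports, fs, known):
    """Imports an attacker could satisfy by planting a same-named DLL in app_dir:
    not a KnownDLL, app_dir is not System32, and no copy already sits in app_dir."""
    app_dir = app_dir.lower()
    if app_dir == SYSTEM32:
        return []
    return [n.lower() for n in imports
            if n.lower() not in known and app_dir + "\\" + n.lower() not in fs]


# Constructed snapshot of an XP-style box
FS = {
    "c:\\windows\\explorer.exe",
    "c:\\windows\\system32\\kernel32.dll",
    "c:\\windows\\system32\\shell32.dll",
    "c:\\windows\\system32\\ntshrui.dll",
}
KNOWN = {"kernel32.dll", "ntdll.dll", "user32.dll", "shell32.dll", "advapi32.dll"}
EXPLORER_IMPORTS = ["kernel32.dll", "shell32.dll", "ntshrui.dll"]
IMPORTS_OF = {"c:\\windows\\system32\\shell32.dll": ["kernel32.dll", "ntshrui.dll"]}  # constructed


def demo():
    """Clean box vs. the same box with DLLs planted next to explorer.exe."""
    planted = FS | {"c:\\windows\\ntshrui.dll", "c:\\windows\\kernel32.dll"}
    return {
        "clean": load_tree(WINDIR, EXPLORER_IMPORTS, FS, KNOWN, IMPORTS_OF),
        "planted": load_tree(WINDIR, EXPLORER_IMPORTS, planted, KNOWN, IMPORTS_OF),
        "via_shell32_only": load_tree(WINDIR, ["shell32.dll"], planted, KNOWN, IMPORTS_OF),
        "hijackable": hijackable(WINDIR, EXPLORER_IMPORTS, FS, KNOWN),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The "via_shell32_only" scenario is the point of the last slide: shell32.dll is a known DLL and loads from System32, but the ntshrui.dll it imports is not, so the planted copy in \Windows is loaded anyway. Planting a file in \Windows requires write access there, which is why this doubles as a privilege-escalation technique only when the directory is writable by a less-privileged user.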
Privilege Escalation
No User Account Control
• Most users run Windows XP as Administrator all the time, so no
  privilege escalation is needed to become Administrator
• Metasploit has many privilege escalation exploits
• DLL load-order hijacking can be used to escalate privileges when a
  higher-privileged process loads a DLL from a directory the user can
  write to
Using SeDebugPrivilege
• Processes run by the user can't do everything
• Functions like TerminateProcess or CreateRemoteThread fail against
  processes the caller does not own, such as SYSTEM processes, even
  for an Administrator
• The SeDebugPrivilege privilege was intended for debugging
  – It lets the holder open any process regardless of its owner, so a
    local Administrator account can use it to act with System-level
    access
• Typical call sequence
  – OpenProcessToken obtains the current process's access token
  – LookupPrivilegeValue and AdjustTokenPrivileges enable
    SeDebugPrivilege in that token
  – The string "SeDebugPrivilege" in a sample is a good indicator
Covering Its Tracks—
User-Mode Rootkits
User-Mode Rootkits
• Modify internal functionality of the OS
• Hide files, network connections, processes, etc.
• Kernel-mode rootkits are more powerful
• This section is about user-mode rootkits
IAT (Import Address Table) Hooking
• May modify
  – IAT (Import Address Table) or
  – EAT (Export Address Table)
• Both are parts of a PE file, filled in by the loader
  – Link Ch 11a
• The rootkit replaces a function pointer in the table with the
  address of its own code, which filters the result and then calls
  the real function
IAT Hooking
• (diagram of a hooked IAT entry)
Inline Hooking
• Overwrites the API function code contained in the imported DLLs
• Changes the actual function code, not pointers
  – Typically the first bytes of the function are replaced with a jump
    to the rootkit's code
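Both hooking techniques from this section leave a checkable trace: a hooked IAT slot points outside the module that exports the function, and an inline hook starts the real function with a jump that leaves its module. The detection below is an added example, not code from the slides or the book. It runs over a constructed 32-bit process snapshot: the module list uses the usual XP-era names plus a hypothetical rootkit.dll, and every address and byte sequence is made up for the example.

```python
"""Added example: IAT-hook and inline-hook checks over a constructed process
snapshot. Module bases, IAT addresses and function bytes are made up."""
import struct

# module -> (base, size), as a tool such as Process Explorer would list them
MODULES = {
    "ntdll.dll": (0x7C900000, 0xB2000),
    "kernel32.dll": (0x7C800000, 0xF6000),
    "ws2_32.dll": (0x71AB0000, 0x17000),
    "rootkit.dll": (0x10000000, 0x8000),    # hypothetical injected module
}

# Export forwarders legitimately resolve into another module; allow-list them.
FORWARDERS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}   # -> ntdll!RtlAllocateHeap


def owner(addr):
    """Name of the module whose address range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def check_iat(iat, forwarders=FORWARDERS):
    """iat: list of (dll, function, address) read from the process's IAT.
    Returns the entries whose address lies outside the exporting DLL."""
    hooked = []
    for dll, func, addr in iat:
        o = owner(addr)
        if o == dll or forwarders.get((dll, func)) == o:
            continue
        hooked.append((dll, func, hex(addr), o))
    return hooked


def check_inline(func_addr, code, module):
    """Decode a trampoline at the start of a function:
       E9 rel32        jmp rel32     (target = func_addr + 5 + rel32)
       68 imm32 C3     push imm32 / ret
    Returns (target_hex, target_module) when the prologue jumps out of
    `module`, else None. FF 25 (jmp [abs32]) is not followed here because the
    pointer would have to be read from process memory."""
    target = None
    if len(code) >= 5 and code[0] == 0xE9:
        target = (func_addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
    elif len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        target = struct.unpack("<I", code[1:5])[0]
    if target is None or owner(target) == module:
        return None
    return hex(target), owner(target)


# Constructed IAT: ws2_32!send has been redirected into rootkit.dll
SAMPLE_IAT = [
    ("kernel32.dll", "CreateFileA", 0x7C801A28),
    ("kernel32.dll", "HeapAlloc", 0x7C9105D4),    # forwarded, lands in ntdll: benign
    ("ws2_32.dll", "send", 0x10001230),
    ("ws2_32.dll", "recv", 0x71AB676F),
]

FINDNEXTFILE = 0x7C80F2E4                         # constructed address inside kernel32.dll
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")      # mov edi,edi / push ebp / mov ebp,esp
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", 0x10002000 - (FINDNEXTFILE + 5))


def demo():
    return {
        "iat": check_iat(SAMPLE_IAT),
        "clean": check_inline(FINDNEXTFILE, CLEAN_PROLOGUE, "kernel32.dll"),
        "hooked": check_inline(FINDNEXTFILE, HOOKED_PROLOGUE, "kernel32.dll"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats a real tool has to handle: forwarded exports such as kernel32!HeapAlloc legitimately resolve into ntdll, which is why the allow-list exists, and a jump that stays inside the same module (hot-patch stubs, compiler thunks) is ignored here, so a rootkit that copies itself into slack space of the hooked DLL would evade this check.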
