
Okay. Hey, my name is Alyssa Torres. It's okay. I was in the Marine Corps for four years, a Marine officer. Anybody else? See, are you saying that because you know it, or are you saying that because you've heard other people say it? Oh, nice. Okay. All right. Yeah, exactly. That's mine. It's like a baby, baby bark. Hook me up here. Just a little. There we go. Just down a little. Not too far. All right. Right. All right. So, Alyssa Torres, I work at Mandiant as an incident handler. There's a lot of people. Well, first of all, have you guys heard of Mandiant? Yes. So, if you're working in the incident response realm, you have heard of Mandiant. We offer remediation services, some proactive services as well, but it's been a lot of fun. I've been there about 8 months and it feels like 8 years. You know what I mean? You guys that are working in the incident response realm, very painful. Very painful. But on the side, you know, in all that free time, I teach SANS classes. In particular, I teach the advanced computer forensics and incident response class. So, I love this stuff. I love this stuff. So, I expect everyone else who loves this stuff to meet me in that room and we'll just talk, you know, like that after-talk room.

So, I'm going to talk today about sick anti-analysis mechanisms in the wild. Yes, they are out there. They're making our jobs harder. When we're doing IR, it's very important to identify malware, right? Yes. You have to know what its capabilities are in order to start addressing it and finding all the other systems that are out in the enterprise. So, I bring this topic to you. How many of you are working in reverse engineering? Some of you, some of you. All right. So, this stuff might not be new to you people who are hooking and jabbing. You might be like the second tier, the third tier. You know what I mean? They pass it on to you when it gets ugly. So this is for all of us who are working IR and hitting boxes and doing that first triage or behavioral analysis of malware, offering perhaps some techniques that you haven't tried yet and how to make the malware bend to your will. Right? So here we go. See if my clicker works. All right.

Why do we look at malware? Why do we do analysis? Well, for sure we want to find out what the capabilities are of the malware, with the goal of identifying it on other systems, the goal of defeating it, eradicating it from the network. All right. Do you guys agree that that would be important? And I have to throw in, where do I work? Where do I work? I work at Mandiant and I have to mention IOCs. It's like, you know, it's like a paid spot. IOC stands for indicator of compromise. How many of you are rolling out on your network looking for indicators of compromise based on malware that you've already seen? Okay. So when I say indicator of compromise, I'm asking you to picture a time and place when you've identified malware that may be custom to your network. Maybe it's something that is not a commodity, that antivirus doesn't catch. It's something new, perhaps. You would create a signature for it, create an indicator of compromise, so you could then scan the rest of your enterprise and identify other systems that are infected, other systems that are compromised or have been. Right? So all of this is important. We start with finding the malware and then kind of unraveling it, creating a signature so we can then scan and identify the scope of a compromise. Yeah. All right. So I'm supposed to be advancing here. Oh, but we have to do this in a timely manner. So that means you're not going to give me the hardest piece of malware to reverse, right? That means when we're working on a security team, we often have people who specialize in the very, very hard malware analysis, right? Because we have to do it timely. If we take too long in figuring out the capabilities of malware, what might happen? You know, the intruder's been on the network maybe a week. He's been beaconing out to a known bad IP, known bad domain. It's taking us forever to find out the capabilities of the malware. Certainly, data might leave, right? Data theft might occur. It might spread across the enterprise. You're there with me. You understand why it has to be timely. So, proper analysis.

Okay, this is where I have to explain why Dexter's on my slide. Is anyone a Dexter fan there? Not only are you a Dexter fan, but you're like, "Oh, Dexter. Yes, she's knocking it out of the park now." All right. So, Dexter is really a phenomenon of sorts because somehow the producers of the show, he's a serial killer, right? The producers of the show have allowed us to really relate to him. He's quite a relatable character. And I attribute this to the fact that we only see him use one weapon, you know, for the most part. I mean, you might have seen that episode where he did actually have, what was it? The chainsaw. Yeah. But that was the exception to the rule. Typically, we only see Dexter with that one knife, right? So, I'm asking you to bring this analogy to malware. If we are just to stop when we find out, oh, the capability of this malware is a backdoor, it's beaconing out, if that's where we stop and we call a spade a spade and don't dig deeper, we would never know that Dexter chops up bodies and puts them in bags and drops them into the bay, right? We would never know that that malware does keylogging, does credential stealing. We need to get better at doing a full-scope analysis of our malware, right? We need to keep on going, because obviously he's a very disturbed individual and they want us to like him somehow. So that's my analogy. Like it? You like it? Sure. Those of you who have seen the show; the rest of you are like, "What? What are you talking about?" Showtime. Showtime.

So, all right. So, why are anti-analysis mechanisms actually employed by malware authors? Well, it slows down the whole process. You know, anti-analysis mechanisms, I give you a definition here: they're specific capabilities of malicious software used to protect the malware from analysis. So the malware authors, they want to slow us down. The slower they can make the analysis process, the longer their malware is good, right? The longer it's accomplishing the mission. You know, I can rattle off M-Trends statistics quite impressively. I know that 2012 M-Trends, that's Mandiant's. Anyone read it? The Mandiant annual report. In 2012, how long was the adversary found
to be on network? From initial vector of compromise to, hey, now we know he's here. How many days was that? Yeah, it was over 300. Oh, you know, straight away, 412. Damn, I love it. I love it. Yeah. Yeah. Yeah. So, definitely over 400. I'm thinking 416, man. But if you're going with 412, I'll go with you, man. I'll go with you. So, I took a little foray. I took a little venture on that offensive side of the house, Metasploit and stuff. I could tear it up, though. I mean, I'm kind of a noob, but I could tear it up in 400 days. I could totally make the mission. I could totally make it happen if I was on the network for 400 days. And that's exactly the type of scenario the malware author wants. Right? You don't know the full capabilities of my malware, or I've encrypted it five, six, seven times and you're unable to get it to a point where you can analyze it. I'm winning as the malware author, right? So you can see his intent in applying all of these anti-analysis mechanisms. It's quite resourceful, actually.

So I cite this Qualys study, Black Hat USA 2012. Three individuals, Branco, Barbosa and Neto, presented a study that they had done on over four million samples of malware, and they were really focusing in on what types of anti-analysis mechanisms were being used most frequently. But what they found of all those samples was 88% of those samples employed anti-analysis mechanisms. So, all right, it's a topic worth talking about. We're seeing this on a daily basis, right? If you're looking at one sample a week, if you're looking at a couple samples a week, the chances of that sample actually employing some of these techniques we're going to talk about are quite high, right? Worth talking about, worth having the conversation. In addition, you know, some of the unique things I talk about during this 40 minutes that I've been allowed, and then of course when we talk more in the other room, but the evolution of sophistication we're seeing with malware capabilities as a whole, we're also seeing with anti-analysis techniques. So the things I'm going to talk about with my two that I've fallen in love with, these malware samples, MiniDuke and Shylock, the cool stuff that they're doing is going to become more common, just like your run-of-the-mill, what is it? Garden variety malware. So we're seeing the evolution of sophistication, and the stuff that's really cool now is going to be commonplace or something you can buy, you know, next week, next month. So that's what I mean by that.

So here we go. The attacker's goal is to push us farther down the pyramid. So, as a triager or someone who hits a compromised system and does the initial triage of the malware, you're going to be dealing with automated analysis. You might be doing some static analysis. But as you move farther down this pyramid, it's going to require more time and it's going to require a higher threshold of knowledge to get the job done. And that's exactly where the attacker wants to move. It's where the malware author intends his masterpiece to be included, down here at the bottom where deobfuscation and unpacking is required in order to understand the capabilities.

All right. So these are the four I talk about. These categories might not be familiar to you because I kind of created them all myself. You know, I threw them together myself. These are the categories I love to talk about. The first one, of course, me being from the forensics side of the house, host-based forensics, not network but host-based forensics, is all about mechanisms that are going to prevent me from getting live data off the system, from doing a memory dump, you know, accomplishing the mission that way. There's quite a few techniques that have been employed or are being employed. I'm going to talk to you about them. In addition, we'll talk about system environment checks. And this is something that's as easy and commonplace as anti-virtualization checks. Nodding with me? You've heard of anti-VM. Yeah. I mean, to the point of the new stuff, which I talked about, MiniDuke, things that are checking to see whether you're in a remote desktop session, right? So it includes all of that. It includes debugging. That's a very broad category, system environment checks. Anti-disassembly techniques we'll touch on, and obfuscation methods. We're going to talk a lot about debugging. Anti-debugging, that is.

So here we go. All right. So, you've got to give a shout-out if I talk about something that you've heard of before, right? Some of this stuff might be near and dear to your heart because I'm talking about some old malware samples here. So, maybe some IRC stuff. You guys might have been doing that. So when I talk about anti-response mechanisms, malware with capabilities that are going to prevent me from pulling the live data off the system or somehow obfuscating it, screwing it up, manipulating it, corrupting it. These are all of those techniques that I'm lumping together. And you can see there's a timeline. If this is my target system and I'm collecting data off of it, there are several places in my timeline, from collection, execution of my collection tool, to all the way on the right side, which is when I have my solid memory image or my solid collection of volatile data that I can then parse. There's a lot of pieces to this puzzle that could fail, right? So, you can choose any point in time on this timeline and you can pretty much, as a malware author, create failure. And we're going to talk about some of these techniques that have been discussed or have been seen out in the wild. This is my list of anti-response. DECAF. Has anyone used DECAF or played around with it? COFEE, LE backgrounds for COFEE. I'll talk to, yeah, I have a screenshot of that. But Spybot, by IRC. Anyone play around with Spybot? This is not the, yeah, this is not Search and Destroy. This is kind of old-school IRC, "you are in my bot now" kind of thing. I'll show you a screenshot of that. Metasploit script, not around anymore, but this guy would kill memory acquisition processes. So, as simple as you can get, just looking for particular processes that are kicking off, like FTK Imager, like win32dd, and killing those, killing the loading of a driver, you know, just making sure it didn't happen. You know, we see these and they represent to us anti-response mechanisms, so things that are going to not make it happen. So we're going to talk about Shadow Walker, one-byte abort factor, and Dementia. So these are all points in the timeline that are going to mess with me walking away with a solid memory image, getting the job done, so I'd have something to
analyze in the back end of my analysis workstation. So for my first one here, I have to point it at my Spybot. You can see, what are you seeing here in my screenshot? Spybot, you know, this is part of the settings.h file. You use this to compile and make your malicious executable that you drop on a box, typically, you know, drive-by browser exploits. So, what's being set up here is, on your bot, if someone tries to hit it and do some type of live response running any of these following commands, regedit, msconfig, Task Manager, netstat, it's going to kill the process, right? So, this is pretty simple, by name. If you run any of these by name, they're not going to go. They're not going to work. Of course, netstat actually gets the job done because it kicks off so quickly. You actually get netstat output and then it attempts to kill the process. So, some of these fail. But msconfig, if you were to try to launch msconfig on a system that was compromised with Spybot, it would not run. It would kill the msconfig process. You guys with me? Yeah, man. It gets better from here, because this is like, oh my god, that's so old school. It's 2003. Of course, things get a little bit more sophisticated.

So, here's COFEE. COFEE was, you know, you think probably in your environment, old school, if you've been in the incident response field a while, you probably had a batch script that ran and collected all this cool volatile data, right? netstat, nbtstat, all that ipconfig stuff, pslist, all of this. Well, they put together an LE script, Microsoft did, and offered it to law enforcement so they could then collect volatile data. That was called COFEE. People got pissed off. Number one, people always get pissed off when tools are involved. They try to make things easy for people and people don't like it, right? There's purists in our, would you agree that there's purists in our community that don't like push-button? What the hell? So these people, they created something called DECAF, like the antidote to COFEE, and it would actually watch for particular COFEE-like processes to kick off. So I give you a screenshot here. This is from DECAF. You can put DECAF, install it on your system, and it will watch and monitor for COFEE being run, and will respond with this lockdown mode that will contaminate the MAC address. It will actually shut down the computer or kill particular processes that you can set. Very interesting stuff. But again, kind of old school, right? Kind of old school, not very cutting edge, but an interesting example of anti-response you might see out there.

All right. Shadow Walker, 2005, Jamie Butler. This is my disclaimer: he works at Mandiant now. So him and Sherry Sparks presented at Black Hat Japan on a particular rootkit called Shadow Walker that prevented the acquisition of hidden whatevers, hidden objects, from memory. So he discussed being able to evade a memory dump, right? Being able to evade the detection of this type of rootkit. Pretty cool. But there's been other things since then. Brendan Dolan-Gavitt spoke on anti-object carving. So if you know how memory analysis works, you'll realize, yes, you can follow the doubly linked list. Oh, and you have to sit in on memory analysis and IR, which is being covered after this one. So you have to sit in on that. Andrew Case, shout-out to Andrew Case. Yeah. So we have Brendan Dolan-Gavitt talking about actually screwing around with the signatures that made up particular objects in memory. So if you screw around with the pool header tag and the dispatcher tag, dispatcher tag being shown here, you'll actually be able to evade some types of object carving. So he spoke on this 2006, 2007. An example of this type of manipulation is actually, I'm changing here the dispatch header in a process object. So I'm showing you the dispatch header, and it's that easy to manipulate. Of course, some tools are going to be able to detect this type of manipulation, and it is something that FTK, Memoryze, HBGary are going to be able to detect because they use a type of validation that is able to ascertain the process objects regardless of the dispatch header.

So that being said, that brings us to what was presented last year at the Chaos Computer conference. This is 2012 CCC. Luka Milković spoke on a tool that he had created, Dementia. Dementia is a really scary tool as an incident responder. If Dementia is running on a system and I go to do a memory dump, I will walk away with a clean memory dump. It won't be like that other one I mentioned, which was the one-byte abort. The other one that was on a couple slides ago, the one-byte abort, would actually kill my memory dump process. What Luka came up with was a tool that would allow me to walk away with a memory image, and it would be parsable, but it would be missing the malicious stuff that he chose to hide. So, pretty impressive, right? But pretty scary. So, this is proof of concept. That's what you want to hear, right? Is this out there now? No, this is proof of concept. 2012, there's been a lot of conversation about this at the beginning of the year, January, February of this year. But we haven't seen it in the wild yet. Have you guys seen it in the wild yet? Would you know it if you saw it? Right? Because you'd have a pretty legit-looking memory image, but it would be missing some of the malicious processes, memory sections that he was, you know, keeping from you, obfuscating from you. So, scary stuff. When you get a copy of this slide deck, the references are in the back. So, if you want to watch him, the YouTube video is awesome, the presentation he gives. But that moves us to the second category. Second category is system environment checks. So what are these percentages about? Remember back the
Qualys study that was presented at Black Hat this past year. 81% of the malware studied, of the 4 million samples, exhibited an anti-virtualization capability. So it would look for, am I being run in a virtual environment, and it would do some type of check. So 81%, is it worth talking about? Is it worth learning how to deal with this stuff? For sure. For sure. Anti-debugging was found in 43% of the samples. So, if I'm running a debugger, like, did it just, that's a battery thing. Yeah, battery life. But I'm Marine Corps, you know what I mean? I'm good. You'll just have to fix this for Andrew because he has a soft voice. I'm just chatting with you, man. Okay. So, 40, yeah. He's sitting right behind you. You're like, "Okay, 43%." Anti-debugging is all about, like, if I'm running OllyDbg, I'm actually watching, thank you, the step-by-step execution of the program. And I need to be able to, as a malware author, I need to be able to stop that, because if you can watch step by step the execution of the malware, you're going to be able to reverse it quite easily and understand the capabilities. 43%. And then there's something that I'm going to talk about, anti-sandboxing, which takes us to some of the newer capabilities we're seeing in malware today.

So I will begin. Yeah, my Mac's playing games with me. There you go. So here we go. Talking about these three. First off, anti-virtualization. It is prominent, 81%. This is when malware checks for components that indicate the malware is being run in a virtualized environment. So I'll ask you, front row, always put you on the spot. Is this like a key player now? Would you say, how much of your environment is virtualized? Very little. Very little. Yeah. And you're saying how much? 70%. 70%. So if malware was running an anti-virtualization check, it would be effective at not infecting your 70% environment that's virtualized, right? Because if it detects it's being run in a virtualized environment, it's actually going to kill itself or not exhibit the characteristics that are going to get its job done. Right. Okay. Okay. Damn, that's a huge percentage of virtualized machines. But we are seeing that trending, that they're no longer checking for virtualization, or, come on. I just bought this too, man. I just bought this. It's probably the interference.

You know what? That's all right. So, but one of the checks you're going to see malware do, you know, we'll talk about some of the really easy ones. One of the checks is just to look for services running. It could be something as easy as querying, like, or doing a net start command and looking for anything that has VMware in it. So, that's what my machine is running. Other things that are being looked for, and so you see that little star, that means there's going to be a quiz, so that's scary, right? It builds apprehension and anxiety in my students. So, other things you look for: virtualized video controllers, I mean, tells that hardware is being virtualized. You could have a hard drive, you could have a mouse that's being virtualized. But you also have something that kind of gives it away, an OUI. Okay, what does OUI stand for? Hands raised. Sorry. OUI. OUI. MAC. It's associated with MAC. Yes. Black shirt. Sure. It's the first few digits of the MAC address. Nice. Yes. Organizational unique identity. Damn. Damn. All right. So, if I'm looking for like a VMware OUI, what would that start with? Because I know some of you are like that. You have it memorized and you're waiting to tell me an OUI that would identify a MAC address that was a VMware MAC address. Come on. What? I had to think of another one. I had to think of another one. All right. So like 00:05. I mean, the first couple hex there. There's four of them. It's all right. I don't have to tell you. But dude, it will recognize, in an anti-virtualization check or a virtualization check, it will recognize the OUI and be able to map it to, is it VMware, is it VirtualBox, and it will act accordingly. So we also have some specific instructions it can throw out. Based on what is returned for these instructions, it'll make the decision, hey, am I running virtualized or not? And then specific I/O ports. So the I/O ports could very well facilitate the conversation between the host and the appliance. So you can understand that if you have sharing turned on or some kind of VMware Tools, this conversation would need particular ports to make happen.

So, countermeasures. Countermeasures, so we can analyze malware that might be implementing these types of checks. That's what I mean by countermeasures. So, how can we take action as that first person that's hitting the box and triaging the malware? How can we take action and get around that type of malware check or an anti-virtualization mechanism? Well, you can certainly start by turning off services. That was the first thing I showed you, was net start, and I enumerated the VMware services. One of them that came back was VMware Tools. You can kill that and see if you can get around it. Obviously, you probably want eyes on what's actually being checked. So opening it up in OllyDbg and getting eyes on as to what's going on in this step of anti-virtualization. Other things you might want to look into, I'll come down to an easier one. You can manipulate the VMX, if you're using VMware, you can manipulate the VMX file to make modifications. So something as simple as not allowing particular queries from host to appliance. So if you manipulate these particular things, it will be less of a tell for the malware that it is virtualized. More technical aspects, shoot, identify, you're actually going to have to use a tool in order to get around this portion of it. You will have to place particular breakpoints and jump around the particular string comparison. So it's looking for a particular string. If you can manipulate that with OllyDbg, you can certainly circumvent it, and hopefully that'll be your only point of failure in the analysis of this malware. But how likely is that, right? This kind of goes back to the school of thought. The gentleman up in the front said 70% of his network was actually virtualized, which I find amazing. This was on the Rapid7, Rapid7. Anybody in the room from Rapid7? I know they're here today, right? Rapid7, on their blog, they talked about something called VM-aware vaccination. So, actually using this fact that 81% of those malware samples were looking for the fact that they were running in a virtualized environment, using that to actually vaccinate your workstations, which may or may not be virtualized. You can actually make them appear as though they're virtualized and you're using this to your advantage. Much like the Conficker mutexes, if you put the Conficker mutexes on the system, Conficker will think it's already infected. So much like that, you are vaccinating your system by making it look virtualized, because then the malware won't run and won't infect the systems. Thank you, Rapid7 blog. Excellent. Excellent.

So, one more system environment check that goes down is debugging. Hey, is this process being debugged? Is my malware being debugged? That's something the malware author is very interested in, because if the debugger is going while the binary is executing, it is most likely being analyzed, you know, disassembled. What's going on here? So, there's several ways we can look for debugging. I'll only talk about a few of them. One of them being the API-based. There we go. So there are Windows API functions that we can call. These are
three of them. Uh and where we go to look for these particular values, these particular flags is the process environment block of the process itself has a flag. If it's being debugged, that flag will actually be set. So if you open something up in Ali debug, this flag is set. So if the malware is looking or running a call to the Windows API is debugger present, it's going to get back a value that indicates yes a debugger is present. So you might also see these other API functions check remote debugger present. That allows you to both check your own process, the process is running in and of itself or a remote process to find out if a debug
debugger's uh present. um antiquery information process. Another one that's used by malware and these anti-debugging checks via Windows API. So we'll work around here. Doesn't like this podium. All right. Um this is my uh miniuke. Miniuke actually does is debugger present. Think miniuk's like new, right? Miniuk's like end of 2012 2013. and we're seeing a API uh function call to find an is debugger present. So just an example of what you'd see if you threw that guy into Ali debug. How can we get around it? Counter measures for us as analysts. All right, I see you. I see you. Um dude, it's good that Ali debug has plugins that will work around this. Two plugins you might
have heard, Phantom or Hide debugger. These actually give you the ability to manipulate those values. If the API function is returning like a a value that indicates a debugger is running, running these plugins will manipulate those values along with several other things. We're going to talk about the uh the get tick count, which is a timing u the ability to recognize a delay. That's also a debugger check. But knowing that these two plugins are there and possible help you out, get you through the easy stages. So when you p finally pass it off to uh you know the badass malware analyst who has a whole stack of things that you've given them to do, uh you've at least taken care of
the lowhanging fruit. All right, so this I talk about two of my favorite examples. Why do I like Shillock? I like Shillock because it it does some cool stuff. I like it. It's a um banking uh Trojan and it can talk directly to users who are perhaps on a banking website. It'll open up a chat window and prompt them for their password. I think that's so it's like the personal touch, but it acts as a man-in-the-middle u and you know creates fake digital certificates, intercepts network traffic. It's obviously going for financial credentials uh and it targets the UK. Um but although rumor has it it's moving this way, right? So what what is notable about that and how
does it do environmental checks? Shillock in recent I think it's up to version seven now. You know how malware will increment itself and become more and more badass as time goes on. Well, version seven of Shillock generation 7 is actually implementing something that's allowing it to detect whether it's being run in a remote desktop session. I don't know about you, but when I This is not a a meme. I don't know about you, but when I um analyze malware, I like to do it in a remote desktop session, right? That's funny. That's funny. That was a good one. Damn it. All right. So, anyways, this is, you know, malware authors, they like to study the market trends. They like to
study how we do things as analysts. Um, and they're finding, hey, those people don't like to work in the cold basement where the server is. They'll actually have all these remote desktop sessions. is a remote desktop in and then they'll analyze their malware there. Well, in this regard, they're using a particular Windows API function. They drop um a windscard DLO, which now we're talking about smart card stuff, but windscard DLO. Uh and then they'll actually query it. Where is it? Sard forge reader group A, which is like so benign and strange. It's actually querying or trying to flush uh an SAR reader group. And based on what it gets back, it can tell whether it's being run
in a remote desktop session or not. Pisses me off because both of these are errors. So whether it's being run locally or whether it's being run in a remote desktop session, both of them are freaking errors. But based on the error, it's able to determine, hey, am I local or am I being analyzed in a remote desktop session? I'm going to act differently based on what I determine. You can see here it does just that. Uh I talk about miniukeh I was telling my buddies long story but uh I like we all do I work with some pretty badass people um at mandate and I was tell I was telling them this presentation I was going to do
and I was actually pointed to MiniDuke, and I'm glad I was pointed to MiniDuke. It has a lot of cool capabilities, but most notable, dude, it talks on Twitter. I mean, that's crazy, right? C2 channel on Twitter. What? So, so yeah. Yeah. It, you know, delivers its evil to European governments. That was the targeted audience, via malicious PDFs, but once it's nice and cozy and has done all its environmental checks, it'll actually reach out to particular Twitter accounts for C2 communications, like where do I hit next to get the next stage. Really impressive stuff. But there's a reason I'm talking about it here. It runs environmental checks. It does... I
showed you a debugger check. That was the screenshot I showed you before. But it does some VMware detection, but it also looks to see if the mouse is being used. It runs this particular function, GetAsyncKeyState. Is the mouse being clicked? So what do you think it's trying to avoid? Automation. Yeah. Yeah. We totally have something where we can just drop... It's like Cuckoo, a Cuckoo sandbox. You can just drop an executable in and it gives you a report. Did I have to click a mouse? No. So, if you're dropping a piece of MiniDuke into a sample or into a sandbox, it's actually not going to execute the way you would
think it would, the way it wants to accomplish its mission, because it's waiting for a mouse click and it's not going to get it in that type of environment. So, that's pretty cool. I like that one. I like that one. It also looks for all these running processes, which I think is kind of old school, but the fact that it's looking for maybe, what, 30 up here. OllyDbg is one of them. Some of my favorites, some of my favorites, Wireshark and Process Explorer. Awesome. But yeah, of course it's going to act differently based on what it gets back. It doesn't mean it's going to kill its process. It just means
it's probably not going to move to that next stage, that awesome Twitter stage. You know what I mean? Where you really want it to act like it's going to act when it's on a victim machine, right? So knowing what the malware requires, it's like trigger conditions. That is one of MiniDuke's trigger conditions, actually having a mouse click in order to move to the next stage. It's good to know, right? You need to recreate these things.

I don't talk, don't worry, I don't talk about anti-disassembly that much. 12% of the malware samples that the Qualys guys looked at, of the 4 million, were exhibiting anti-disassembly techniques. I merely give you a
definition for them. These are techniques that are going to frustrate the automated analysis. So if you're using IDA Pro, if you're using OllyDbg, these types of techniques are going to take advantage of how those tools attempt to analyze and interpret the code. And of course, I throw up a quote, because this is always good luck, is to talk about the Practical Malware Analysis book up here. If ever you get in a jam and something gets very technical, you step off into the deep end, you just freaking throw up a quote from these guys, these bad boys, and you're like, "What?" Then you're winning, right? So really, I move on to debugging. I don't have much time. I
conveniently say that.

Obfuscation methods were seen in 68% of the malware samples. So obfuscation methods include packers, which I'm going to go deep on, conditional code obfuscation, corrupting PE headers, anything that's going to make the code harder to read and harder to understand is going to fall into this category. So, yeah, they saw of all of their malware samples, 35% were packed. So, what does it mean for malware to be packed? It means that you're actually concealing the original executable within another executable. And here we go. So we have this nice juicy, on the left, malicious piece of code. It's been packed and this is the way it presents itself as I am
looking at it. I pulled the binary from my file system and that's the way it presents itself on the file system. You can see that the entry point would be right here at the beginning of the text section for the original. But right here is the entry point for my packed one. It points to the unpacking stub. The unpacking stub has some very important tasks ahead of it if it's going to make this guy work. And just to throw this up here, this is how it would look in UPX. This would be UPX0, would be pointing to the unpacking stub. And then all the juicy data from that original would be something that would be here in the
packed original code, UPX1 typically. How do I detect that something is packed? Well, you always have these awesome tools. You can drag and drop into PEiD. Guys, use PE strings, man. Sometimes strings will lie, though, right? Because a lot of malware authors, they want you to think it's easy. They want you to try to use UPX so they can then laugh at you. So they'll put UPX in the strings and it won't be UPX packed, man. So UPX is one of the easier ones and you can actually run UPX to decompress a UPX binary, but they just want you to do that so they can then laugh. So, static analysis, some notable things about a
packed binary is that it will have very few imports. You'll see these in particular: GetProcAddress and LoadLibrary. So, the actual imports can then, you know, once the... Yeah, once the packer unpacker does its job, it'll then pull in those and recreate the import table. Excellent. So these are the tools I was talking about in order to identify a packer. You have the Linux file command. Never forget that artificial intelligence there. And then you have PEiD. OllyDbg will attempt to identify and tell you that a particular thing is packed. pescanner does as well. And you can do an entropy checker. When I pack something, the entropy
increases, right? The randomness increases. Packing is a combination of either compressing, obfuscating, encrypting; that jacks up my entropy, the randomness of the code. So, as well as looking at entry points, that might give you a way.

So, how do you go about unpacking? I don't even get to fit in my demo. So, if you want to see a demo of, like, me actually doing some badass, I'll have to, you know, go in the next room later. But, so, unpacking, well, if it's something simple, you have tools that'll help you unpack it. UPX is one of those examples, but there are others written that have a percentage rate, a successful percentage rate, that varies.
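The packer indicators the talk just listed (the entropy jump from compression or encryption, and an entry point that lands in the unpacking stub rather than the original text section) as an added example, not code from the talk or from PEiD, pescanner or any other tool named here: a stdlib-only Python script that walks a PE file's section table, computes Shannon entropy per section, and flags the UPX0/UPX1 shape. The 7.0 bits-per-byte threshold is an assumed rule of thumb, and DEMO_SECTIONS is a constructed layout, not a real sample.

```python
import math
import struct
import sys
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe_sections(image: bytes):
    """Minimal PE walk: (entry_rva, [(name, vaddr, vsize, raw_bytes), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries
        off = opt_off + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vaddr, vsize, image[rawptr:rawptr + rawsize]))
    return entry_rva, sections

def assess(entry_rva, sections, threshold=7.0):
    """Packer indicators from the talk: a high-entropy section, a section with a
    virtual footprint but no raw data (UPX0), and an entry point outside section 0."""
    findings = []
    for idx, (name, vaddr, vsize, raw) in enumerate(sections):
        ent = shannon_entropy(raw)
        if ent >= threshold:
            findings.append(f"{name}: entropy {ent:.2f}, likely compressed or encrypted")
        if not raw and vsize:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual, unpack target")
        if idx and vaddr <= entry_rva < vaddr + max(vsize, len(raw)):
            findings.append(f"entry point {entry_rva:#x} is in {name}, not the first section")
    return findings

# Constructed UPX-shaped layout (not a real sample): empty UPX0, random-looking UPX1.
DEMO_SECTIONS = [("UPX0", 0x1000, 0x5000, b""),
                 ("UPX1", 0x6000, 0x1000, bytes(range(256)) * 16)]

if __name__ == "__main__":  # with a path argument: parse that PE; without: use the demo
    rva, secs = parse_pe_sections(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else (0x6500, DEMO_SECTIONS)
    print("\n".join(assess(rva, secs)) or "no packer indicators found")
```

Treat the output as triage hints, not proof: a legitimately compressed resource section also scores high, and a packer can pad its sections to lower the entropy.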
You can, of course, do it yourself. So allow and step through with OllyDbg, allow the unpacker to go ahead and unpack. You create a breakpoint and then you're able to dump what the unpacker has placed from that point. OllyDbg offers that as an OllyDump plugin. So you can do that. Awesome. So this is how it's going to look. It's not going to match what is on disk. And this is the demo I was actually going to do, is to go and... this is my Process Hacker. Anyone use Process Hacker? A badass tool. Easy to dump a particular process as it's running and particularly effective if
you're going to kick off a packed executable. Of course, it's unpacked when it's running in memory, right? Most are, right? Unless it's a complex unpacking-on-the-fly kind of thing. But so you'd kick it off and you'd then, with Process Hacker, be able to create a dump file which would then allow you to analyze it a bit better. So that's like my final advice. Get Process Hacker. So anti-unpacking techniques: targeting the dumper and then targeting the debugger. These are ways we can work around the effects a packer has on a particular executable or binary. You might end up with a corrupt PE header or you might have to
rebuild the import table. So these are things that would require more advanced skills. But just realize that what you dump from Process Hacker is not going to be the executable in a clean form and fashion. Typically you're going to have to deal with some corruption. So I don't really talk about conditional code obfuscation.

What I want to do is point out, dude, SANS has new classes. Who's SANS attendees? Any prior SANS attendees? All right. All right. So I can talk to you guys. You know, you guys would understand. We got an advanced network forensics class coming. That's going to be badass. It's based on the 508 scenario. 508 is the scenario that does the
enterprise compromise. So several systems, to include a domain controller. So we take all of those network packets and all that data of the adversary. It's based on APT1 activity. You know, not APT1 activity, but using the same tactics and strategies. So, that's going to be a very good class and it's coming out this fall. Of course, 610 is adding day six to it. Anyone taking 610 in this room? Yeah, man. So, there's like, you know, NetWars, how they have a scoring server? Well, they're adding like a NetWars scenario as day six. And I'm not saying you need to go back and take it again, cuz I know you got mad skills, but
there's a Mac iOS forensics class coming, which I think there's a huge need for. I think at Mandiant we're about 50% Mac, which is some intel that you can take back with you, right, when you target us. I have an offensive forensics, digital forensics class that's on the charts too, but that won't be until the beginning of next year. We also have the advanced smartphone and the cloud forensics. So, all of these things... I have my references here, which are a bunch of really sweet YouTube videos, sweet PDFs, white papers, and I can make sure that you guys get this if you're interested. And that's all. I'll take
questions even though I'm getting kicked out of here for Andrew's badass presentation.

Anyone have questions? What we went over? Yes. Have you seen the 64-bit malware? Yes, I mean we have, and we actually, you know, had to develop a new sandbox to handle the 64-bit malware because most of our sandboxes do not do the automated processing. So, I'm happy to say that Mandiant has the 64-bit analyzer now that you can just drop in. It's probably maybe a fifth of the time now. And we're seeing new samples every day. What about you? No. No, not yet. Huh, interesting. Anyone else? Yeah. How frequently are you doing Mac memory forensics versus Windows? Dude, it's... How
frequently are we doing it or how frequently do we need to do it? It's an ignored market. I would say it's an ignored market right now, and definitely our focus is on, yeah, ramping it up. But it's, I think it's out there. Definitely a pain point. Yes. It sounds like a malware analyst needs a hypervisor with motion and a debugger that can run up the hypervisor. Yes. Is there any such thing? Yeah. Someone was telling me of an emulator. As well as there's an article, Ether. Has anyone read that white paper? It was just pointed out. I think I might have it with me so I can give you that information. But,
what was it based on? A different... it was running outside of the host. It was running outside the virtual environment. Yes. Yes. I think you're right. But the article will describe it for you. Yes. I hate to interrupt. Can we do one more audience question, because we want to stay on track with the schedule? Oh, yeah. Sure. Thank you. They're done. They're done with me. Thank you guys. I appreciate
it. Thank you.