Unit III Malicious Code and Defense Techniques
Agenda
• Self-Replicating Malicious Code
• Evading Detection and Elevating Privileges
• Rootkits – Spyware
• Token Kidnapping
• Virtual Machine Detection
• Defense techniques: Memory Forensics – Honeypots – Malicious Code Naming – Automated Malicious Code Analysis Systems – Intrusion Detection Systems
Self-Replicating Malicious Code
• A self-replicating program (a virus or a worm) goes through three stages:
  - Discovery: locate new files or hosts to infect
  - Replication: copy itself into the new file or host
  - Payload: do whatever the author intended beyond spreading
Examples
The first recorded IBM PC-based virus, called "Brain," debuted in January 1986. Brain copied itself into a floppy disk's boot sector, the area of the disk whose code runs when the system starts from that disk. Once in memory, it attempted to copy itself to other floppy disks; the main visible side effect of an infection was a change of the volume label to "(c) Brain."
In 1987, the Jerusalem virus and its variants began infecting systems. This virus resided in memory and infected executable files (.com and .exe) as they were run. Its payload was date-triggered: on any Friday the 13th it deleted each program the user executed, rather than simply deleting the infected file.
Types of Computer Viruses
• Boot Sector Virus – infects or replaces the boot sector of a disk so that its code runs before the operating system; it can render the machine unbootable.
• Web Scripting Virus – malicious script delivered through a web page. Current browsers sandbox scripts, but older, unsupported browsers have vulnerabilities that let attackers run code on the local device.
• Browser Hijacker – changes browser settings such as the home page URL, the default search engine and the favorites in order to redirect the user.
• Resident Virus – loads itself into memory and stays there after the infected program exits, infecting other files or lying dormant until its payload is delivered.
• Polymorphic Virus – changes its own code on each infection (typically by encrypting the body with a new key and mutating the decryptor), so each copy looks different to a signature scanner while behaving the same.
• File Infector Virus – attaches itself to executable files and runs whenever the host program runs; some target critical OS files.
• Multipartite Virus – infects through more than one vector, typically both the boot sector and executable files, so cleaning only one location leaves the other to re-infect the system.
• Macro Virus – written in the macro language of a document format (e.g. Office VBA); the macro runs when the document is opened and can download additional malware.
Security against viruses
• First establish whether the sample is a resident or a non-resident virus:
• A non-resident virus infects other files only while the infected file is running.
• A resident virus loads itself into memory and keeps running after the infected file closes.
• Resident viruses can be fast infectors (infect every file that is opened or executed, spreading quickly but noisily) or slow infectors (infect only files that are being created or modified, so the change is less likely to be noticed).
Worms
• Worms typically have two roles.
• The first is to spread to additional computers.
• The second is a task known as the payload.
• A worm's payload is what the attacker programs the worm to accomplish after it spreads. This can include distributed denial of service (DDoS) attacks, spam distribution, other cyber crime, or anything else the attacker chooses.
• E-mail worms spread by sending a message designed to entice the recipient into clicking a link or opening an attachment that contains a copy of the worm.
• Network worms, which often spread without any user interaction, can infect many computers in a very short amount of time by guessing passwords or exploiting vulnerable network services.
• Example: Blaster (2003) spread through a vulnerability in the Microsoft Windows RPC/DCOM interface.
• USB worms configure infected drives to execute the worm (for example via autorun) as soon as an unsuspecting user plugs the drive into a computer.
• Worms can spread between mobile devices by sending copies of themselves, or links to themselves, in short message service (SMS) messages.
Mitigation of Worms
• Administrators must protect systems against every propagation technique, not just one.
• Use antivirus products to scan incoming e-mails and instant messages for malicious links and attachments.
• Disable autorun functionality for USB and other removable devices.
• Apply patches for vulnerabilities in network services in a timely manner.
• Disable access to P2P networks where they are not needed.
• Educate users on the dangers of worms that use social-engineering techniques.
Evading Detection and Elevating Privileges
• Defense evasion is any attempt by an attacker to avoid detection or prevention by antivirus software, intrusion detection systems, or other security measures on a target system. Common forms:
• Disabling security tools
• Masquerading (misleading file types or extensions, scheduled tasks with legitimate-looking names, renamed hacking tools, etc.)
• Obfuscating malicious code
• Privilege escalation is the act of circumventing established access and authorization controls in an enterprise network to gain elevated privileges and reach critical network assets.
• Escalation may be horizontal (same privilege level, a different account or resource) or vertical (privilege elevation to a more powerful account such as administrator or SYSTEM).
What is Obfuscation?
• Literal meaning:
• The word "obfuscation" refers to concealing the meaning of a communication by making it more confusing and harder to interpret.
• Code obfuscation:
• Code obfuscation is the generation or alteration of source code and/or object code so that the computer still executes it exactly as before, but a human or a tool finds it considerably more difficult to reverse engineer.
Reverse Engineering Code
• Normal engineering:
  developer writes source code -> compiles -> binary

• Reverse engineering:
  analyst obtains the binary -> uses disassemblers and decompilers (e.g. IDA Pro) to learn about the program -> recovers code structure, control flow, and valuable assets such as keys and algorithms
How Obfuscation Helps
• Types of obfuscation:
• Code structure obfuscation (layout: renaming identifiers, stripping formatting and comments)
• Data obfuscation (encoding strings and constants, splitting or merging variables)
• Control obfuscation (opaque predicates, junk code, flattened control flow)

• Effects of obfuscation on code:
• Code logic does not change; the program still produces the same results.
• Code size usually grows (junk code, decryption stubs), although minifying obfuscators for scripting languages can shrink it.
• Performance decreases (extra work at run time).
• Harder for developers during the product cycle and possibly support, since stack traces and crash dumps are obscured too.
• For legitimate programmers, source code obfuscation helps protect intellectual property by making it more difficult to steal.
• Malicious programmers benefit from the same techniques, which complicate reverse engineering and human analysis of malicious code, thereby frustrating efforts to understand and mitigate the threat.
• Obfuscation transforms data or source code into obscure or unclear representations while retaining the original functionality.
• Obfuscation techniques are used to hide the data or the behavior of an application.
• Source code obfuscation, seen in both malicious code and commercial applications, reduces the chances of successful decompilation and increases the difficulty of reverse engineering.
• Many programming languages require source code to pass through a compiler to create an executable or byte code file.
• Inversely, decompilers take executables and byte code files and attempt to convert them back into source code.
• Exposed source code leaks sensitive information by revealing the inner workings of the application. Legitimate developers use obfuscation in an attempt to hide possible vulnerabilities, trade secrets, and intellectual property.
• Successful obfuscation disrupts decompilers and results in faulty or incomplete source code, which complicates analysis by giving the analyst broken or incorrect code to work from.
• An example of obfuscation that deters decompilation and source code analysis is a product named Zend Guard, which encodes and obfuscates PHP applications.
• Zend Guard uses encoding and other obfuscation routines to turn cleartext PHP scripts into binary code. Deobfuscating Zend Guard binaries back into cleartext PHP is possible with an application called Dezender, which shows that obfuscation raises the cost of analysis rather than making it impossible.
• A common anti-reverse-engineering obfuscation technique involves self-modifying code.
• Example: binary packing compresses or encrypts the executable code and adds a stub to the application that decompresses or decrypts the code at run time, so the real code exists in readable form only in memory.
• Obscure variable and function names obfuscate code by making it difficult to read.
• Illegible variable names make human code analysis a burden because it is difficult to follow a random variable name from initialization to assignment to use within the code.
• White space and new line modifications (removing all formatting, or splitting statements across lines) complicate the reading of data and code.
Virtual Machine Obfuscation
• Attackers regularly use obfuscation techniques to obscure code functionality and frustrate mitigation efforts.
• One of the most advanced obfuscation techniques executes code within a virtualized environment, making the use of traditional analytical tools difficult and therefore representing a dangerous and sophisticated threat.
• A recent development in obfuscation is the use of virtual machine (VM) obfuscation.
• Here, the obfuscated program no longer executes on the native platform but instead runs inside a virtual machine embedded in the binary (an interpreter for a custom instruction set, not a hypervisor such as VMware).
• Terminology used for VM obfuscation:
• A binary is an executable file run by the operating system.
• A program, in this case, is the original code that the VM obfuscation system modifies: the behavior and instructions of the malicious code.
• Traditional obfuscation systems
• generally modify the binary in such a way that the binary can still be analyzed using the tools and techniques available for the binary's platform (a disassembler still sees native instructions).
• The analysis process is typically slow due to the injection of junk code, the modified loops and the various other obfuscation techniques used.
• VM obfuscation systems
• replace the original binary with a binary that contains three components: bootstrap code, a bytecode VM interpreter, and the program converted into a byte stream.
• The effectiveness of VM obfuscation systems lies in the fact that the bytecode and the interpreter are custom: a native disassembler shows only the interpreter's dispatch loop, and the analyst must first reverse the interpreter to understand what the byte stream does.
• The obfuscation occurs when the VM obfuscator reads the original source binary.
• The obfuscator determines the execution paths of the binary, the native instructions used to construct the program, and any external dependencies (such as system dynamic link libraries, or DLLs).
• The system uses this information to transform the original program into bytecode.
• The obfuscator packs the new VM-obfuscated binary before saving the completed binary to disk.
• The bootstrap code of a VM-obfuscated binary provides the minimal amount of native platform execution instructions necessary to load the VM interpreter.
• The bootstrap usually contains a startup algorithm that performs the following functions:
1. Inspect the operating system for the existence of debugging tools.
2. Terminate the loading of the binary if debugging tools are found.
3. Unpack the rest of the obfuscated binary.
4. Transfer control to the VM interpreter.
• The VM interpreter then begins the process of executing the bytecode.
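The three-component layout above (bootstrap, interpreter, byte stream) as a runnable toy. This is an added example, not code from the slides or from any real protector: the instruction set, the opcode numbers, the XOR "packing" and the anti-debug check are invented stand-ins, and a commercial VM protector uses a much larger, randomized instruction set plus native anti-debugging tricks.

```python
"""Toy VM-obfuscated "binary": bootstrap code, a bytecode interpreter and a
packed byte stream. Added example; the ISA, opcode numbering, XOR packing
and sample program are all invented for illustration."""
import struct
import sys

# Invented stack-machine ISA. PUSH and JNZ take a 4-byte little-endian operand.
OP_PUSH, OP_ADD, OP_MUL, OP_XOR, OP_JNZ, OP_RET = range(6)
HAS_OPERAND = {OP_PUSH, OP_JNZ}


def assemble(items):
    """Translate (opcode, operand) pairs into the byte stream. A bytes item is
    copied through as junk that is never executed (it is jumped over)."""
    out = bytearray()
    for item in items:
        if isinstance(item, bytes):
            out += item
            continue
        op, arg = item
        out.append(op)
        if op in HAS_OPERAND:
            out += struct.pack("<i", arg)
    return bytes(out)


def pack(data, key):
    """Simulated packing: XOR with a rolling key. Applying it twice restores
    the input, so the same routine doubles as the unpacker."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def interpret(bytecode, stack):
    """The embedded VM: a fetch/decode/execute loop over the custom bytecode.
    A native disassembler would only ever show this loop, not the program."""
    pc = 0
    while True:
        op = bytecode[pc]
        pc += 1
        arg = None
        if op in HAS_OPERAND:
            (arg,) = struct.unpack_from("<i", bytecode, pc)
            pc += 4
        if op == OP_PUSH:
            stack.append(arg)
        elif op == OP_ADD:
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == OP_MUL:
            b, a = stack.pop(), stack.pop()
            stack.append(a * b)
        elif op == OP_XOR:
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == OP_JNZ:
            if stack.pop() != 0:
                pc = arg
        elif op == OP_RET:
            return stack.pop()
        else:
            raise ValueError(f"illegal opcode {op:#x} at offset {pc - 1}")


# Original program: f(x) = ((x * 7) + 3) ^ 0x55, with x supplied by the loader.
# Byte offsets are noted so the JNZ target can be checked by hand.
PROGRAM = [
    (OP_PUSH, 7),     # 0x00
    (OP_MUL, None),   # 0x05
    (OP_PUSH, 3),     # 0x06
    (OP_ADD, None),   # 0x0b
    (OP_PUSH, 0x55),  # 0x0c
    (OP_XOR, None),   # 0x11
    (OP_PUSH, 1),     # 0x12  opaque predicate: always non-zero ...
    (OP_JNZ, 0x1f),   # 0x17  ... so this jump is always taken
    b"\xff\xff\xff",  # 0x1c  junk bytes (illegal opcodes), never executed
    (OP_RET, None),   # 0x1f
]
BYTECODE = assemble(PROGRAM)
KEY = 0x5A                      # invented packing key
PACKED = pack(BYTECODE, KEY)    # what actually sits in the "binary" on disk


def debugger_attached():
    """Python stand-in for the bootstrap's anti-debug check: a trace function
    is what pdb and IDE debuggers install."""
    return sys.gettrace() is not None


def run_protected(x, anti_debug=debugger_attached):
    """Bootstrap code: anti-debug check, unpack, transfer control to the VM."""
    if anti_debug():
        raise SystemExit("debugging tools found; refusing to load")
    bytecode = pack(PACKED, KEY)       # unpack the rest of the binary
    return interpret(bytecode, [x])    # hand control to the interpreter


if __name__ == "__main__":
    print("packed byte stream:", PACKED.hex())
    print("unpacked bytecode :", BYTECODE.hex())
    print("f(5) via the VM   :", run_protected(5))
```

Running the block prints the packed stream, the unpacked bytecode and f(5) = 115. The point for an analyst: a native view of this "binary" shows only pack() and the dispatch loop in interpret(); the program's logic exists solely as custom bytecode, so the interpreter has to be reversed (or the bytecode dumped after unpacking and fed to a purpose-written disassembler) before f(x) can be recovered.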
Persistence Techniques
• Persistence is a crucial stage, often embedded within the Installation phase of a cyber attack (in kill-chain terms).
• Persistence techniques vary widely but commonly include manipulating system processes to restart malicious programs automatically, altering registry keys, or creating scheduled tasks to ensure the malware is started at boot or at regular intervals.
• Malicious programs use legitimate (and sometimes undocumented) features of Windows to ensure they execute each time Windows starts up.
• Put simply, the question is how malicious code has run, or could run, at each phase of the boot process.
• Regular audits of common autostart locations are the best way to identify unauthorized startup entries.
Figure: a timeline of the Windows boot process and the techniques malicious code can use to ensure it starts up with the system (not reproduced in this extract).

At each stage of the boot process, there are places where malicious code can make changes that will cause it to run after a reboot.
• BIOS / CMOS
• executed at the very beginning of system boot
• some viruses and Trojans modify this flash memory to ensure that the BIOS starts the malicious code or hides its existence
• MBR
• read shortly after the BIOS loads and before the operating system boots
• some malicious code modifies the master boot record (MBR), e.g. the Torpig MBR rootkit
• Hypervisor
• a program that loads before the operating system and virtualizes hardware calls, as VMware does
• a malicious hypervisor can keep running across a "soft" reboot, during which power is not cut to the system, but not across a "hard" reboot or a full shutdown
• Legacy text files
• to make win.ini or system.ini run it on startup, the code simply adds a line to the file, for example in win.ini:
  [windows]
  run=malware.exe
• on NT-based Windows these win.ini entries are mirrored in the registry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (values Load and Run), which is why autostart auditing tools still list them
Detecting Autostart Entries
• A variety of tools is available to help researchers detect the use of these persistence methods:
• GMER – detects and removes rootkits
• Autoruns (Sysinternals) – shows which programs are configured to run at system startup, covering registry Run keys, services, drivers, scheduled tasks and the legacy ini entries
• HijackThis – a common means of detecting the browser and startup changes that malicious code is likely to make
• msconfig – a utility included with Windows that allows easy inspection and configuration of several common startup locations
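An added example of the audit the slide recommends, not code from the slides or from any of the tools listed: it parses a legacy win.ini and a .reg export of the Run keys and flags the entries a responder would look at first. The win.ini text, the .reg export and the heuristics (user-writable directories, bare file names, system-binary names outside the Windows directory) are constructed for illustration and are a starting point, not the full set of locations Autoruns checks.

```python
"""Audit autostart entries from a legacy win.ini and a registry (.reg) export.
Added example; the sample texts and the flagging heuristics are constructed."""
import configparser
import re

HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# NT-based Windows mirrors win.ini's load=/run= lines here (values Load, Run).
HKCU_WINNT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
AUTOSTART_KEYS = {k.lower() for k in (HKLM_RUN, HKCU_RUN, HKCU_WINNT,
                                       HKLM_RUN + "Once", HKCU_RUN + "Once")}

WIN_INI = """; constructed sample win.ini
[windows]
load=
run=malware.exe
[fonts]
"""

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\Public\\update.exe"
"""

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_QUOTED = re.compile(r'^"([^"]*)"')
_UNQUOTED = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", re.I)

USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\downloads\\",
                 "\\$recycle.bin\\", "\\recycler\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (one regex handles both)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for REG_SZ values under autostart keys."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        data = m.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue                      # hex:/dword: values are not commands
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        yield key, name, _unescape(data[1:-1])


def parse_win_ini(text):
    """Yield ('win.ini [windows]', 'run'|'load', command) for non-empty lines."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    if not cp.has_section("windows"):
        return
    for name in ("run", "load"):
        cmd = cp.get("windows", name, fallback="") or ""
        if cmd.strip():
            yield "win.ini [windows]", name, cmd.strip()


def image_path(command):
    """Executable from a command line: quoted path, else the first token ending
    in an executable extension (spaces allowed), else the first token."""
    command = command.strip()
    m = _QUOTED.match(command) or _UNQUOTED.match(command)
    if m:
        return m.group(1)
    return command.split(" ", 1)[0] if command else ""


def reasons_for(location, name, command):
    path = image_path(command).lower()
    reasons = []
    if location.startswith("win.ini"):
        reasons.append("legacy win.ini run=/load= entry (rarely legitimate today)")
    if not path:
        return reasons
    if "\\" not in path:
        reasons.append("bare file name, resolved through the PATH search")
    if any(d in path for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable temp/public directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not path.startswith(WINDOWS_DIRS):
        reasons.append(f"{base} outside the Windows directory (masquerading)")
    return reasons


def audit(win_ini_text, reg_text):
    entries = list(parse_win_ini(win_ini_text)) + list(parse_reg_export(reg_text))
    return [{"location": loc, "name": name, "command": cmd,
             "reasons": reasons_for(loc, name, cmd)} for loc, name, cmd in entries]


def findings(win_ini_text, reg_text):
    """Only the entries that tripped at least one heuristic."""
    return [e for e in audit(win_ini_text, reg_text) if e["reasons"]]


if __name__ == "__main__":
    for e in findings(WIN_INI, REG_EXPORT):
        print(f'{e["location"]}\\{e["name"]}: {e["command"]}')
        for r in e["reasons"]:
            print("   -", r)
```

On a live system the same logic would be fed with `reg export` output for each autostart key and the contents of %SystemRoot%\win.ini; the three flagged entries in the sample (the legacy run= line, a svchost.exe in a Temp directory, and a Load value pointing into Users\Public) are exactly the kind of thing Autoruns highlights.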
Rootkits
• A common definition: a rootkit is a type of malware that enables attackers to access a machine and take data from it without being detected.
• A rootkit is a tool that allows actors to retain their administrative (or root) privileges and to hide their activity.
• A rootkit achieves stealth by modifying the way a user program receives information from the operating system.
• Rootkits often modify processes, or modify the system itself, to falsify and hide information.
• The goal is to give the attacker remote control and to remain hidden for a long period of time.
• The simplest and earliest rootkits replaced system utilities (such as ls and ps) to change their functionality and hide certain files or processes.
• More complex rootkits have similar goals, providing a way for attackers to hide files or processes with certain attributes.
• Categories:
• User mode – may target only a single process at a time to hide information
• Kernel mode – targets the entire system and can hide information from every program that queries the kernel
Different Types of Rootkits
• Firmware rootkits – persist in a firmware store such as the system BIOS/UEFI or the firmware of a hard drive or network card, so they survive reinstalling the operating system; a disk-firmware rootkit can also intercept data written to the drive.
• Application rootkits – replace the target's legitimate application files with rootkit-modified versions. They are difficult to spot because the infected application still looks and works normally.
• Memory rootkits – live only in the RAM of the target computer, where they perform their malicious activity in the background; they have a short lifespan because RAM is volatile and its contents are lost when the power is turned off.
• Kernel-mode rootkits – the kernel is loaded into memory when the OS boots and stays there until shutdown. A kernel-mode rootkit attacks this core of the operating system; by loading its own code (typically a driver) it can change the functionality of the OS itself, making it easy to hide activity and steal the user's information.
User Mode Rootkits
• User mode rootkits hide information by targeting a user's running processes.
• The rootkit can hook critical functions of a process by altering the process's import address table (IAT), or by injecting a dynamic link library (DLL) or other code into the memory of a running process and patching the functions it calls.
Kernel Mode Rootkits
• Stealthier rootkits will attempt to load into the kernel to influence critical memory structures and avoid detection.
• A kernel mode rootkit may make changes to critical kernel memory structures to hook and alter certain kernel mode function calls on the system.
• The System Service Descriptor Table (SSDT) is one target in kernel memory that the rootkit may try to hook.
• The SSDT is the address lookup table the kernel uses to dispatch system calls (the native API behind the user-mode API).
• Modifying an address in the SSDT replaces the normal functionality with the rootkit's own routine, which filters the results (for instance removing certain entries from a directory listing or a process enumeration) before handing them back to the caller.
Rootkit Protection and Removal
• Rootkits hide on a system and try to leave a very small footprint for administrators to find.
• Many anti-rootkit tools attempt to detect rootkits by comparing what the operating system reports with what is actually on disk or in memory.
• General procedure:
• Back up vital data
• Boot in safe mode (or, better, scan from clean boot media so the rootkit's kernel code is not running)
• Use several different rootkit scan tools, since each detects a different set of hooks

• Example: GMER
Spyware
• Spyware describes a class of malware defined by the functionality of its payload.
• It is named for its main intention: monitoring (spying on) a user's activity without the user's consent.
• To count as spyware, the program should lack an End User License Agreement (EULA) or a privacy policy that discloses the monitoring.
• The overall goal is to steal information.
• Information stolen from spyware-infected systems can include typed keys, form data, e-mail addresses, credentials, certificates, pictures and video from attached webcams, audio from an attached microphone, documents, software licenses, network activity, and cookies.
Are keyloggers spyware?

• Keyloggers belong to the spyware category because they monitor a user's keystrokes and then send the stolen information to the attacker.
• A drawback of this type of spyware is that it gathers a lot of information that is not valuable. This requires the spyware author to analyze all of the data or filter out the valuable information.
• Form-grabbing spyware – steals information as it is entered into a form within a web browser, by hooking the browser before the data is encrypted for HTTPS.
• Example: the Zeus banking Trojan steals a user's online banking credentials this way.
• Enumerating Windows Protected Storage (WPS) – a location in the Windows registry where older versions of Internet Explorer and Outlook Express auto-saved data such as passwords – is another way to steal information.
• E-mail harvesting spyware – gathers e-mail addresses from a user's address book and sends them back to the attacker for future campaigns.
• Network monitoring spyware – steals information (usernames, passwords, etc.) sent over the network in cleartext inside network packets, and monitors the websites visited.
• The majority of spyware authors create their applications to make money.
• Exhibit 4-16 (of the source text) shows the general steps an attacker takes to generate revenue.
• The steps include the installation of the attacker's spyware, followed by the specific actions performed by the spyware's payload, and finally the profits received from the stolen information.
Token Kidnapping
• The Windows operating system uses access tokens to determine whether a process or thread has permission to perform an operation or interact with an object.
• These tokens are a fundamental part of the operating system's access control safeguards.
• A token carries the identity (user and group SIDs) and the privileges that the system checks against an object's access control list to grant or deny access.
• A technique to compromise a token, known as token kidnapping, thwarts access control and results in system compromise.
• It is a technique to take over and use a token that is not originally available or assigned to the attacker's account.
• The result is access to a token that has higher privileges than the original account.
• This allows the privilege escalation that malicious attackers seek when presented with limited access to the system.
• Token kidnapping involves impersonation tokens: when a higher-privileged client (for example a service running as SYSTEM) makes a call into a process the attacker controls, the impersonation token left behind in that process can be found and reused by the attacker's own code running there.
Virtual Machine Detection
• Malware analysts routinely use virtual machines (VMs) to run samples, and malware authors in turn add code that detects when it is running inside a virtual machine environment.
• Use of virtual machines
• allows analysts to run malicious code without the risk of infecting the analyst's real workstation and servers
• has not gone unnoticed by malware authors, who make their code behave benignly or exit when a VM is detected
• gives the ability to run a multitude of vulnerable configurations without the expense and administrative overhead of physical hardware
Fingerprints Everywhere!
• A VM relies on a host application, the VMM (virtual machine monitor, or hypervisor).
• The VMM is responsible for providing the glue between the host machine and the virtual machines.
• The VMM provides a realistic copy of an actual hardware architecture while at the same time providing suitable performance.
• In doing so it leaves fingerprints behind in the virtual devices it generates (vendor strings, MAC address prefixes, device names, CPUID results), and malicious applications look for exactly these fingerprints.
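What those fingerprints look like in practice, as an added example that is not taken from the slides: a checker that reads a host inventory and reports hypervisor artifacts. The inventory dicts are constructed (on a real host they would be filled from the NIC MAC address, SMBIOS/DMI strings, the disk list and CPUID); the OUIs, vendor strings and CPUID signatures are the commonly published values for each hypervisor, trimmed for brevity. Malware runs checks of this shape, which is why a sandbox that wants to fool it has to change these values.

```python
"""Look for hypervisor fingerprints in a host inventory. Added example; the
inventories are constructed and the lookup tables are trimmed."""

# IEEE OUIs (first three bytes of the MAC) assigned to hypervisor vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}
# Substrings seen in SMBIOS manufacturer/product/BIOS fields and device names.
VM_STRINGS = ("vmware", "virtualbox", "innotek", "vbox", "qemu", "bochs",
              "xen", "kvm", "virtual machine", "parallels")
# Vendor signatures returned in CPUID leaf 0x40000000 by common hypervisors.
HYPERVISOR_IDS = {
    "VMwareVMware": "VMware", "KVMKVMKVM": "KVM", "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen", "VBoxVBoxVBox": "VirtualBox",
}

# Constructed inventories standing in for what a collector would gather.
VMWARE_GUEST = {
    "mac_addresses": ["00:0c:29:4a:1b:7c"],
    "bios_vendor": "Phoenix Technologies LTD",
    "system_manufacturer": "VMware, Inc.",
    "system_product": "VMware Virtual Platform",
    "disk_models": ["VMware Virtual disk SCSI Disk Device"],
    "cpuid_hypervisor_bit": True,     # CPUID leaf 1, ECX bit 31
    "hypervisor_id": "VMwareVMware",
}
BARE_METAL = {
    "mac_addresses": ["3c:7c:3f:12:34:56"],
    "bios_vendor": "American Megatrends Inc.",
    "system_manufacturer": "ASUSTeK COMPUTER INC.",
    "system_product": "PRIME Z390-A",
    "disk_models": ["Samsung SSD 970 EVO 1TB"],
    "cpuid_hypervisor_bit": False,
    "hypervisor_id": "",
}


def vm_fingerprints(inv):
    """Return a list of (source, evidence, vendor) findings. An empty list means
    no known fingerprint was seen, which is not proof of bare metal."""
    hits = []
    for mac in inv.get("mac_addresses", []):
        oui = mac.lower()[:8]
        if oui in VM_MAC_OUIS:
            hits.append(("mac", mac, VM_MAC_OUIS[oui]))
    for field in ("bios_vendor", "system_manufacturer", "system_product"):
        value = inv.get(field, "")
        match = next((s for s in VM_STRINGS if s in value.lower()), None)
        if match:
            hits.append((field, value, match))
    for model in inv.get("disk_models", []):
        match = next((s for s in VM_STRINGS if s in model.lower()), None)
        if match:
            hits.append(("disk_model", model, match))
    # The hypervisor-present bit alone is weak evidence: a Windows host with
    # virtualization-based security runs under Hyper-V itself and sets it.
    if inv.get("cpuid_hypervisor_bit"):
        hits.append(("cpuid", "leaf 1 ECX bit 31 set", inv.get("hypervisor_id") or "unknown"))
    hid = inv.get("hypervisor_id", "")
    if hid in HYPERVISOR_IDS:
        hits.append(("cpuid_vendor", hid, HYPERVISOR_IDS[hid]))
    return hits


def is_probably_vm(inv):
    return bool(vm_fingerprints(inv))


if __name__ == "__main__":
    for label, inv in (("vmware guest", VMWARE_GUEST), ("bare metal", BARE_METAL)):
        print(label, "->", is_probably_vm(inv))
        for hit in vm_fingerprints(inv):
            print("   ", hit)
```

Each finding names its source, because the defensive response differs per source: the MAC and SMBIOS strings can be changed in the VM configuration, the disk model needs a renamed virtual device, and the CPUID results need hypervisor-level masking, which not every product exposes.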
Defense and Analysis
Techniques
• Memory Forensics
• Honeypot
• Malicious Code Naming
• Automated Malicious Code Analysis Systems
• Intrusion Detection Systems
Memory Forensics
• Memory forensics (aka memory analysis) refers to the analysis of volatile data in a computer's memory dump.
• Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.
• Put another way, it is finding and extracting forensic artifacts from a computer's physical memory.
• Volatile data is the data stored in temporary memory on a computer while it is running.
• A memory dump (also known as a core dump or system dump) is a snapshot capture of computer memory data from a specific instant.
• Memory dumps contain RAM data that can be used to identify the cause of an incident and other key details about what happened.
Why Memory Forensics?
Steps in Memory Forensics
Memory Analysis Frameworks
• Many memory analysis frameworks exist.
• Factors to consider when choosing: cost, the programming language for developing plug-ins for the framework, OS support, and reliability of the framework.
• Volatility framework – the most widely used
• Free / open source, written in Python
• Advanced level of analysis
• Runs on multiple operating systems
• Favorite choice of the iDefense developers (the commands below are for Volatility 1.3; the current Volatility 3 uses plug-in names such as windows.pslist, invoked as vol.py -f mem.dmp windows.pslist)
• Dumping physical memory:
• To dump physical memory, iDefense recommends using win32dd
• it can transmit the memory dump across the network easily
• dump the full physical address space and save the output to mem.dmp:
  F:\>win32dd.exe /f mem.dmp /s 1
• Installing and using Volatility:
• download the package, extract it, and run it with a command name and the path to the dump:
  $ tar -xvf Volatility-1.3.tar.gz
  $ cd Volatility-1.3
  $ python volatility                   (lists the available commands)
  $ python volatility pslist -f mem.dmp
Finding Hidden Processes
• The Windows kernel creates an EPROCESS object for every process on the system.
• The object contains a pair of pointers (a LIST_ENTRY) that identify the previous and subsequent processes. Together these create a chain of process objects, a doubly linked list.
• To find the EPROCESS objects, Volatility locates a symbol named PsActiveProcessHead, a global variable that points to the beginning of the doubly linked list.
• Rootkits hide processes by unlinking entries from the doubly linked list (direct kernel object manipulation, DKOM). The authors overwrite the forward link (Flink) and backward link (Blink) pointers of the surrounding objects so that they point around the EPROCESS object that represents the process to hide. The hidden process keeps running because the scheduler works from thread lists, not from this process list.
• pslist walks the linked list (analogy: the traditional way of counting people, by having them line up) and therefore misses unlinked processes.
• psscan2 (psscan in later Volatility releases) scans linear memory for the signature of EPROCESS objects (analogy: a thermal scan of the whole room) and finds the objects even if a rootkit has unlinked them from the list.
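The pslist versus psscan difference as an added example, not Volatility code: a toy memory image holding a doubly linked list of process objects, a DKOM unlink of one of them, a list walk and a linear scan. The EPROCESS layout, the "Proc" tag and the offsets are invented for illustration; a real EPROCESS is far larger and its LIST_ENTRY points into the middle of the object rather than at its start.

```python
"""Why psscan finds what pslist misses. Added example with an invented
EPROCESS layout; constructed memory image, not a real dump."""
import struct

# Toy EPROCESS: tag(4) pid(4) Flink(4) Blink(4) name(16) = 32 bytes.
ENTRY = struct.Struct("<4sIII16s")
PROC_TAG = b"Proc"        # constructed signature that psscan looks for
HEAD_TAG = b"Head"        # the list head is not a process object
FLINK_OFF, BLINK_OFF = 8, 12
IMAGE_SIZE = 0x1000

PROCS = [(4, "System"), (404, "lsass.exe"), (1337, "rootkit.exe"), (2000, "explorer.exe")]


def build_image(processes=PROCS, spacing=0x100):
    """Lay out a list head at offset 0 and one entry per process, wired into a
    circular doubly linked list. Returns (image, offsets)."""
    image = bytearray(IMAGE_SIZE)
    nodes = [(HEAD_TAG, 0, "")] + [(PROC_TAG, pid, name) for pid, name in processes]
    offsets = [spacing * i for i in range(len(nodes))]
    n = len(nodes)
    for i, (tag, pid, name) in enumerate(nodes):
        flink, blink = offsets[(i + 1) % n], offsets[(i - 1) % n]
        ENTRY.pack_into(image, offsets[i], tag, pid, flink, blink, name.encode())
    return image, offsets


def read_entry(image, off):
    tag, pid, flink, blink, name = ENTRY.unpack_from(image, off)
    return {"offset": off, "tag": tag, "pid": pid, "flink": flink,
            "blink": blink, "name": name.rstrip(b"\0").decode()}


def dkom_unlink(image, off):
    """What a kernel rootkit does: route the neighbours' pointers around the
    victim. The victim's own pointers stay intact and it keeps running."""
    flink = struct.unpack_from("<I", image, off + FLINK_OFF)[0]
    blink = struct.unpack_from("<I", image, off + BLINK_OFF)[0]
    struct.pack_into("<I", image, blink + FLINK_OFF, flink)   # prev.Flink = victim.Flink
    struct.pack_into("<I", image, flink + BLINK_OFF, blink)   # next.Blink = victim.Blink


def pslist(image, head=0):
    """Walk the list from PsActiveProcessHead, as the kernel (and pslist) does."""
    found, seen = [], set()
    off = struct.unpack_from("<I", image, head + FLINK_OFF)[0]
    while off != head and off not in seen:      # `seen` guards against loops
        seen.add(off)
        e = read_entry(image, off)
        found.append((e["pid"], e["name"]))
        off = e["flink"]
    return found


def psscan(image, align=4):
    """Scan linear memory for anything that looks like a process entry,
    whether or not something still points to it."""
    found = []
    for off in range(0, len(image) - ENTRY.size + 1, align):
        if image[off:off + 4] != PROC_TAG:
            continue
        e = read_entry(image, off)
        # Sanity checks reject random bytes that happen to contain the tag.
        if not 0 < e["pid"] < 65536:
            continue
        if e["flink"] >= len(image) or e["blink"] >= len(image):
            continue
        found.append((e["pid"], e["name"]))
    return found


def hidden_processes(image):
    """Cross-view detection: whatever the scan sees but the list walk does not."""
    return set(psscan(image)) - set(pslist(image))


if __name__ == "__main__":
    image, offsets = build_image()
    dkom_unlink(image, offsets[3])             # hide (1337, "rootkit.exe")
    print("pslist :", pslist(image))
    print("psscan :", psscan(image))
    print("hidden :", hidden_processes(image))
```

The cross-view step at the end is the same idea Volatility users apply by diffing pslist and psscan output (windows.pslist and windows.psscan in Volatility 3): a process present in the scan but absent from the list walk is either a hidden process or a terminated one whose object has not yet been reused, and the exit time in the real object tells the two apart.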
Volatility Analyst Pack
• The Volatility Analyst Pack (VAP) is a collection of plug-ins designed for malware analysis and rootkit detection.
• If a plug-in's status is "Public," it is publicly available.
• If the status is "By request," the plug-in is currently available only to iDefense customers upon request.
Honeypots
• A honeypot can be modeled after any digital asset, including software applications, servers or the network itself.
• It is intentionally designed to look like a legitimate target, resembling the model in structure, components and content.
• This is meant to convince the adversary that they have accessed the actual system and to encourage them to spend time within this controlled, monitored environment.
• Creating an asset to attract malicious activity for monitoring and early warning is a well-established practice; because no legitimate user has a reason to touch the honeypot, any interaction with it is a high-fidelity alert.
• A honeynet is a network of honeypots designed to look like a real network, complete with multiple systems, databases, servers, routers and other digital assets.
AMAS: Automated Malicious Code Analysis System
• A massive volume of distinct malicious code exists today.
• It is not possible to analyze each sample by hand.
• An AMAS performs the analysis quickly and efficiently and produces a report from which a human analyst can determine what actions the malicious code took.
• Two ways to analyze the behavior of malicious code:
• Passive analysis – record the state of the system before and after the infection, then compare the two states to determine what changed.
• Active analysis – actively monitor and record the malicious code's actions during execution.
Passive Analysis
• Hands-off approach.
• Requires a way to capture the system state and a way to restore it (snapshot and revert).
• Works in a three-stage cycle:
1. Record the clean state.
2. Execute the malicious code on the system, then record the infected state.
3. Analysis: compare the two states.
• Common comparisons include:
1. File system
2. Windows Registry content
3. Running processes
4. Listening ports
5. Memory content
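The three-stage cycle as an added example, not code from the slides or from any AMAS product: two constructed snapshots (clean and infected) are diffed category by category to produce the change report an analyst reads. The paths, registry values and hashes are placeholders; a real collector would hash every file on disk and walk the registry, and memory content (item 5) is omitted here.

```python
"""Passive AMAS analysis: diff a clean snapshot against an infected one.
Added example; both snapshots are constructed stand-ins."""

CLEAN = {
    "files": {                                  # path -> content hash
        r"C:\Windows\System32\drivers\etc\hosts": "sha256:1111",
        r"C:\Windows\System32\kernel32.dll": "sha256:2222",
    },
    "registry": {                               # value path -> data
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    "processes": {r"C:\Windows\System32\lsass.exe", r"C:\Windows\explorer.exe"},
    "ports": {("tcp", 135, r"C:\Windows\System32\svchost.exe"),
              ("tcp", 445, "System")},
}

INFECTED = {
    "files": {
        r"C:\Windows\System32\drivers\etc\hosts": "sha256:9999",      # modified
        r"C:\Windows\System32\kernel32.dll": "sha256:2222",
        r"C:\Users\bob\AppData\Local\Temp\svc.exe": "sha256:abcd",   # dropped
    },
    "registry": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
            r"C:\Users\bob\AppData\Local\Temp\svc.exe",               # persistence
    },
    "processes": {r"C:\Windows\System32\lsass.exe", r"C:\Windows\explorer.exe",
                  r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    "ports": {("tcp", 135, r"C:\Windows\System32\svchost.exe"),
              ("tcp", 445, "System"),
              ("tcp", 4444, r"C:\Users\bob\AppData\Local\Temp\svc.exe")},  # backdoor
}


def diff_category(before, after):
    """Keyed categories (dicts) yield added/removed/modified; set-valued
    categories yield added/removed only."""
    if isinstance(before, dict):
        return {
            "added": {k: after[k] for k in after.keys() - before.keys()},
            "removed": {k: before[k] for k in before.keys() - after.keys()},
            "modified": {k: (before[k], after[k])
                         for k in before.keys() & after.keys() if before[k] != after[k]},
        }
    return {"added": set(after) - set(before), "removed": set(before) - set(after)}


def diff_snapshots(clean, infected):
    """Stage 3 of the cycle: compare the recorded clean and infected states."""
    return {cat: diff_category(clean[cat], infected[cat]) for cat in clean}


def report(diff):
    """Flatten the diff into one line per change, the form an analyst reads."""
    lines = []
    for cat, changes in diff.items():
        for kind, items in changes.items():
            for item in sorted(items, key=str):
                detail = items[item] if isinstance(items, dict) else ""
                lines.append(f"{cat:9} {kind:8} {item} {detail}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(diff_snapshots(CLEAN, INFECTED)):
        print(line)
```

The report shows a dropped executable, a modified hosts file, a new Run value, a new process and a new listening port, which is everything passive analysis can say. Anything transient, such as a helper process that ran and exited or data the sample sent over the network before the second snapshot, leaves no trace in this comparison.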
Conclusions
• While passive analysis is simple, it cannot tell the malicious code's entire story: the report shows what changed, not the evidence of how or why it changed.
• Passive monitoring also fails to capture the timeline of the infection, and misses anything transient (a process that ran and exited, data sent over the network, a temporary file already deleted).
Active Analysis
• Active analysis AMASs install software on the soon-to-be-infected system that monitors the malicious code and keeps a log of its activity.
• This gives a more complete analysis report, including the order of events.
• Active analysis systems can install their own rootkits that hook the APIs the malicious code will use.
• If the malicious code can detect the AMAS processes or hooks, it could simply exit without taking any actions, so the monitoring must itself be hidden.
• Active analysis systems also work in a cycle between clean and infected states, but do not require a comparison of the clean and infected states to perform their analysis.
• Another option for active analysis is to run the sample in an emulator (sandbox), where every instruction and API call can be observed from outside the guest.