CNIT 126 Ch 11: Malware Behavior

Practical Malware Analysis
Ch 11: Malware Behavior
Last revised 10-27-20

Downloaders
• Download another piece of malware
– And execute it on the local system
• Commonly use the Windows API
URLDownloadtoFileA, followed by a
call to WinExec

Launchers (aka Loaders)
• Prepares another piece of malware for
covert execution
– Either immediately or later
– Stores malware in unexpected places, such as
the .rsrc section of a PE file

Backdoors
• Provide remote access to victim machine
• The most common type of malware
• Often communicate over HTTP on Port 80
– Network signatures are helpful for detection
• Common capabilities
– Manipulate Registry, enumerate display
windows, create directories, search files, etc.

Reverse Shell
• Infected machine calls out to attacker,
asking for commands to execute

Windows Reverse Shells
• Basic
– Call CreateProcess and manipulate
STARTUPINFO structure
– Create a socket to remote machine
– Then tie socket to standard input, output,
and error for cmd.exe
– CreateProcess runs cmd.exe with its
window suppressed, to hide it

Windows Reverse Shells
• Multithreaded
– Create a socket, two pipes, and two threads
– Look for API calls to CreateThread and
CreatePipe
– One thread for stdin, one for stdout

RATs
(Remote Administration Tools)
• Ex: Poison Ivy

Botnets
• A collection of compromised hosts
– Called bots or zombies

Botnets v. RATs
• Botnet contain many hosts; RATs control
fewer hosts
• All bots are controlled at once; RATs
control victims one by one
• RATs are for targeted attacks; botnets are
used in mass attacks

Credential Stealers
• Three types
–Wait for user to log in and steal
credentials
–Dump stored data, such as password
hashes
–Log keystrokes

GINA Interception
• Windows XP's Graphical Identification and
Authentication (GINA)
– Intended to allow third parties to customize
logon process for RFID or smart cards
– Intercepted by malware to steal credentials
• GINA is implemented in msgina.dll
– Loaded by WinLogon executable during logon
• WinLogon also loads third-party customizations
in DLLs loaded between WinLogon and GINA

GINA Registry Key
• HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionWinlogonGinaDLL
• Contains third-party DLLs to be loaded by WinLogon
• Malware adds an extra item here

MITM Attack
• Malicious DLL must export all functions
the real msgina.dll does, to act as a MITM
– More than 15 functions
– Most start with Wlx
–Good indicator
–Malware DLL exporting a lot of Wlx
functions is probably a GINA interceptor

WlxLoggedOutSAS
• Most exports simply call through to the real
functions in msgina.dll
• At 2, the malware logs the credentials to the
file %SystemRoot%system32driverstcpudp.sys

GINA is Gone
• No longer used in Windows Vista and later
• Replaced by Credential Providers
• Link Ch 11c

Custom Credential Provider Rootkit on
Windows 7
• Two sets of login buttons
• Only steals passwords from second set
• Code is provided to filter out the original set

Hash Dumping
• Windows login passwords are stored as LM
or NTLM hashes
– Hashes can be used directly to authenticate
(pass-the-hash attack)
– Or cracked offline to find passwords
• Pwdump and Pass-the-Hash Toolkit
– Free hacking tools that provide hash dumping
– Open-source
– Code re-used in malware
– Modified to bypass antivirus

Pwdump
• Injects a DLL into LSASS (Local Security
Authority Subsystem Service)
– To get hashes from the SAM (Security Account
Manager)
– Injected DLL runs inside another process
– Gets all the privileges of that process
– LSASS is a common target
• High privileges
• Access to many useful API functions

Pwdump
• Injects lsaext.dll into lsass.exe
– Calls GetHash, an export of lsaext.dll
– Hash extraction uses undocumented Windows
function calls
• Attackers may change the name of the
GetHash function

Pwdump Variant
• Uses these libraries
– samsrv.dll to access the SAM
– advapi32.dll to access functions not already
imported into lsass.exe
– Several Sam functions
– Hashes extracted by SamIGetPrivateData
– Decrypted with SystemFunction025 and
SystemFunction027
• All undocumented functions

CNIT 126 Ch 11: Malware Behavior

Pass-the-Hash Toolkit
• Injects a DLL into lsass.exe to get hashes
– Program named whosthere-alt
• Uses different API functions than Pwdump

Keystroke Logging
• Kernel-Based Keyloggers
– Difficult to detect with user-mode
applications
– Frequently part of a rootkit
– Act as keyboard drivers
– Bypass user-space programs and protections

Keystroke Logging
• User-Space Keyloggers
– Use Windows API
– Implemented with hooking or polling
• Hooking
– Uses SetWindowsHookEx function to notify malware
each time a key is pressed
– Details in next chapter
• Polling
– Uses GetAsyncKeyState & GetForegroundWindow
to constantly poll the state of the keys

Polling Keyloggers
• GetAsyncKeyState
– Identifies whether a key is pressed or
unpressed
• GetForegroundWindow
– Identifies the foreground window
– Loops through all keys, then sleeps briefly
– Repeats frequently enough to capture all
keystrokes

Identifying Keyloggers in Strings Listings
• Run Strings
• Terms like these will
be visible

Three Persistence Mechanisms
1. Registry modifications, such as Run key
• Other important registry entries:
– AppInit_DLLs
– Winlogon Notify
– ScvHost DLLs
2. Trojanizing Binaries
3. DLL Load-Order Hijacking

Registry Modifications
• Run key
– HKEY_LOCAL_MACHINE SOFTWARE
Microsoft Windows CurrentVersion Run
– Many others, as revealed by Autoruns
• ProcMon shows all registry modifications
when running malware (dynamic analysis)
• Can detect all these techniques

AppInit DLLs
• AppInit_DLLs are loaded into every process
that loads User32.dll
– This registry key contains a space-delimited list
of DLLs
Microsoft Windows NT CurrentVersion
Windows
– Many processes load them
– Malware will call DLLMain to check which
process it is in before launching payload

AppInit DLLs Security
• Beginning with Windows Vista,
AppInit_DLLs are disabled by default.
• Beginning with Windows 7, the AppInit_DLL
infrastructure supports code signing.
• Starting with Windows 8, the entire
AppInit_DLL functionality is disabled
when Secure Boot is enabled, regardless of
code signing or registry settings
• From Wikipedia

Winlogon Notify
• Notify value in
Microsoft Windows
– These DLLs handle winlogon.exe events
– Malware tied to an event like logon, startup,
lock screen, etc.
– It can even launch in Safe Mode

SvcHost DLLs
• Svchost is a generic host process for services
that run as DLLs
• Many instances of Svchost are running at once
• Groups defined at
– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows NT CurrentVersion Svchost
• Services defined at
– HKEY_LOCAL_MACHINE System
CurrentControlSet Services ServiceName

Process Explorer
• Shows many
services running in
one svchost
process
• This is the netsvcs
group

ServiceDLL
• All svchost.exe DLL contain a Parameters
key with a ServiceDLL value
– Malware sets ServiceDLL to location of
malicious DLL

Groups
• Malware usually adds itself to an existing
group
– Or overwrites a non-vital service
– Often a rarely used service from the netsvcs
group
• Detect this with dynamic analysis
monitoring the registry
– Or look for service functions like
CreateServiceA in disassembly

Trojanized System Binaries
• Malware patches bytes of a system binary
• To force the system to execute the malware
the next time the infected binary is loaded
• DLLs are popular targets
• Typically the entry function is modified
• Jumps to code inserted in an empty portion of
the binary
• Then executes DLL normally

KnownDLLs Registry Key
• Contains a list of specific DLL locations
• Overrides the search order for listed DLLs
• Makes them load faster, and prevents load-
order hijacking
• DLL load-order hijacking can only be used
– On binaries in directories other than System32
– That load DLLs in System32
– That are not protected by KnownDLLs

Example: explorer.exe
• Lives in Windows
• Loads ntshrui.dll from System32
• ntshrui.dll is not a known DLL
• Default search is performed
• A malicious ntshrui.dll in Windows will
be loaded instead

Many Vulnerable DLLs
• Any startup binary not found in System32
is vulnerable
• explorer.exe has about 50 vulnerable DLLs
• Known DLLs are not fully protected,
because
– Many DLLs load other DLLs
– Recursive imports follow the default search
order

DLL Load-Order Hijacking Detector
• Searches for DLLs that appear multiple
times in the file system, in suspicious
folders, and are unsigned
• From SANS (2015) (link Ch 11d)

No User Account Control
• Most users run Windows XP as
Administrator all the time, so no privilege
escalation is needed to become
Administrator
• Metasploit has many privilege escalation
exploits
• DLL load-order hijacking can be used to
escalate privileges

Using SeDebugPrivilege
• Processes run by the user can't do
everything
• Functions like TerminateProcess or
CreateRemoteThread require System
privileges (above Administrator)
• The SeDebugPrivilege privilege was
intended for debugging
• Allows local Administrator accounts to
escalate to System privileges

• 2 AdjustTokenPrivileges raises privileges to
System

Covering Its Tracks—
User-Mode Rootkits

User-Mode Rootkits
• Modify internal functionality of the OS
• Hide files, network connections,
processes, etc.
• Kernel-mode rootkits are more powerful
• This section is about User-mode rootkits

IAT (Import Address Table) Hooking
• May modify
– IAT (Import Address Table) or
– EAT (Export Address Table)
• Parts of a PE file
– In a DLL in RAM
– This technique is old and easily detected

Inline Hooking
• Overwrites the API function code
• Contained in the imported DLLs
• Changes actual function code, not
pointers
• A more advanced technique than IAT
hooking

CNIT 126 Ch 11: Malware Behavior

More Related Content

What's hot (20)

Similar to CNIT 126 Ch 11: Malware Behavior (20)

More from Sam Bowne (20)

Recently uploaded (20)

CNIT 126 Ch 11: Malware Behavior