Matrosov, rodionov win32 flamer. reverse engineering and framework reconstruction
0 likes563 views
This document outlines a presentation on reverse engineering and reconstructing the Flamer malware framework. It begins by comparing typical malware to more advanced threats like Stuxnet and Flamer. It then discusses problems with reconstructing C++ code and identifying library code used by Flamer. An overview of the main object-oriented components in the Flamer framework is provided, including command executors, tasks, consumers, and delayed tasks. The document also looks at the Festi kernel-mode driver framework and Flamer's SQL database schema. It concludes by examining relationships between Stuxnet, Duqu, Flamer and Gauss in terms of source code bases and exploit implementations.
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstruction
- 1. Win32/Flamer: Reverse Engineering and Framework Reconstruction Aleksandr Matrosov Eugene Rodionov
- 2. Outline of The Presentation Typical malware vs. Stuxnet/Flame What the difference? Flamer code reconstruction problems C++ code reconstruction Library code identification Flamer framework overview Object oriented code reconstruction Relationship Stuxnet/Duqu/Flamer
- 3. Typical Malware vs. Stuxnet/Flamer
- 5. What’s the Difference? Typical malware Stuxnet/Flame … Different motivation, budget … Different motivation, budget … Use 1-days for distribution Use 0-days for distribution Anti-stealth for bypassing all sec Anti-stealth for bypassing AV soft Stealth timing: months Stealth timing: years Developed in C or C++ in C style Tons of C++ code with OOP Simple architecture for plugins Industrial OO framework platform Traditional ways for obfuscation: Other ways of code obfuscation: packers tons of embedded static code polymorphic code specific compilers/options vm-based protection object oriented wrappers for typical OS utilities …
- 7. Code Complexity Growth Gauss miniFlamer Stuxnet Duqu Flamer
- 9. C++ Code REconstruction Problems
- 10. C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftable reconstruction Associate vftable object with exact object Class hierarchy reconstruction
- 11. C++ Code Reconstruction Problems Class A vfPtr a1() A::vfTable a2() meta A::a1() RTTI Object Locator A::a2() signature pTypeDescriptor pClassDescriptor
- 12. C++ Code Reconstruction Problems
- 13. Identify Smart Pointer Structure
- 14. Identify Exact Virtual Function Call in vtable
- 15. Identify Exact Virtual Function Call in vtable
- 16. Identify Exact Virtual Function Call in vtable
- 17. Identify Custom Type Operations
- 20. Library code identification problems
- 21. Library Code Identification Problems Compiler optimization Wrappers for WinAPI calls Embedded library code Library version identification problem IDA signatures used syntax based detection methods Recompiled libraries problem Compiler optimization problem
- 22. Library Code Identification Problems
- 23. Object Oriented API Wrappers and Implicit Calls
- 24. Object Oriented API Wrappers and Implicit Calls
- 25. Object Oriented API Wrappers and Implicit Calls
- 26. Festi: OOP in kernel-mode
- 27. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
- 28. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
- 29. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
- 30. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
- 31. Festi: Plugins Festi plugins are volatile modules in kernel-mode address space: downloaded each time the bot is activated never stored on the hard drive The plugins are capable of: sending spam – BotSpam.dll performing DDoS attacks – BotDoS.dll providing proxy service – BotSocks.dll
- 33. An overview of the Flamer Framework The main types used in Flamer Framework are: Command Executers –the objects exposing interface that allows the malware to dispatch commands received from C&C servers Tasks – objects of these type represent tasks executed in separate threads which constitute the backbone of the main module of Flamer Consumers – objects which are triggered on specific events (creation of new module, insertion of removable media and etc.) Delayed Tasks – these objects represent tasks which are executed periodically with certain delay.
- 34. An overview of the Flamer Framework Vector<Consumer> Vector<Command Executor> DB_Query ClanCmd FileCollect Driller GetConfig Mobile Consumer Cmd Vector<Task> Consumer IDLER CmdExec Sniffer Munch FileFinder Lua Consumer Vector<DelayedTasks> Media Share LSS Consumer Euphoria Frog Beetlejuice Supplier Sender
- 35. Some of Flamer Framework Components Identifying processes in the systems corresponding to Security security software: antiviruses, HIPS, firewalls, system information utilities and etc. Microbe Leverages voice recording capabilities of the system Idler Running tasks in the background BeetleJuice Utilizes bluetooth facilities of the system Telemetry Logging of all the events Gator Communicating with C&C servers
- 36. Flamer SQL Lite Database Schema
- 37. Flamer SQL Lite Database Schema
- 39. Data Types Being Used Smart pointers Strings Vectors to maintain the objects Custom data types: wrappers, tasks, triggers and etc.
- 40. Data Types Being Used: Smart pointers typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };
- 41. Data Types Being Used: Strings struct USTRING_STRUCT { void *vTable; // pointer to the table int RefNo; // reference counter int Initialized; wchar_t *UnicodeBuffer; // pointer to unicode string char *AsciiBuffer; // pointer to ASCII string int AsciiLength; // length of the ASCII string int Reserved; int Length; // Length of unicode string int LengthMax; // Size of UnicodeBuffer };
- 42. Data Types Being Used: Vectors struct VECTOR { void *vTable; // pointer to the table int NumberOfItems; // self-explanatory int MaxSize; // self-explanatory void *vector; // pointer to buffer with elements }; Used to handle the objects: tasks triggers etc.
- 43. Using Hex-Rays Decompiler Identifying constructors/destructors Usually follow memory allocation The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes Creating custom type in “Local Types” for an object Analyzing object’s methods Creating custom type in “Local Types” for a table of virtual routines
- 44. Using Hex-Rays Decompiler Identifying constructors/destructors Usually follow memory allocation The pointer to object is passed in ecx (sometimes in other registers) Reconstructing object’s attributes Creating custom type in “Local Types” for an object Analyzing object’s methods Creating custom type in “Local Types” for a table of virtual routines
- 50. DEMO
- 52. Source Code Base Differences
- 53. Exploit Implementations Stuxnet Duqu Flame Gauss MS10-046 MS10-046 MS10-046 (LNK) (LNK) (LNK) MS10-061 MS10-061 (Print Spooler) (Print Spooler) MS08-067 MS08-067 (RPC) (RPC) MS10-073 (Win32k.sys) MS10-092 (Task Scheduler) MS11-087 (Win32k.sys)
- 54. Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks: ZwMapViewOfSection ZwCreateSection ZwOpenFile ZwClose ZwQueryAttributesFile ZwQuerySection Executes LoadLibraryW passing as a parameter either: KERNEL32.DLL.ASLR.XXXXXXXX SHELL32.DLL.ASLR.XXXXXXXX
- 55. Exploit Implementations: Stuxnet & Duqu The payload is injected into processes from both kernel- mode driver & user-mode module Hooks: ZwMapViewOfSection ZwCreateSection ZwOpenFile ZwClose ZwQueryAttributesFile ZwQuerySection Executes LoadLibraryW passing as a parameter either: KERNEL32.DLL.ASLR.XXXXXXXX SHELL32.DLL.ASLR.XXXXXXXX
- 56. Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using: VirtualAllocEx WriteProcessMemoryReadProcessMemory CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
- 57. Injection mechanism: Flame The payload is injected into processes from user-mode module The injection technique is based on using: VirtualAllocEx WriteProcessMemoryReadProcessMemory CreateRemoteThreadRtlCreateUserThread The injected module is disguised as shell32.dll Hooks the entry point of msvcrt.dll by modifying PEB
- 58. Exploit Implementations: Gauss The payload is injected into processes from user-mode module
- 60. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov