Onion, not parfait:
Today's security check-up and malware for the rest of us
Jared DeMott, lifelong haX0r
Qualified for this talk?
• You decide … rounded out by groups, cons, and talks like this
• My deep dive into a whole new world - security focused
– Booz Allen Hamilton
• Level 3 consultant - Reverse Engineering
– Applied Security, Inc.
• GPF sprung to life
– VDA Labs, LLC
• Founder - Further opened the eyes of many to the effects of fuzzing
– Defcon CTF Champion
• Was part of the l@stplace team during another winning 2007 season
– HBGary, Inc.
• All but the kitchen sink guy, started working with Malware
– Author and Speaker (Black Hat, Defcon, and Toorcon)
• Ari Takanen, Charlie Miller, and I have a book coming out very soon!
– Ferris State University
• Assistant Professor - focus on OS, security, programming, and more
– Crucial Security, Inc
• Security Researcher
Layers of Security
• Computer Science as a field is growing all the
– More and more users each year
• Security is one such sub-field and it is growing
[Diagram: layers of security, from High Level Policy through Low Level Policy to Low Level Technical Threats]
High Level Policy
• Decision making and risk management
– Should come from above
– Are CIOs, CSOs, etc. always qualified for this?
• For example did anyone follow DailyDave thread on AV being
dead, that occurred a while ago?
– Sandboxing to be discussed later
– Need formal processes to make good decisions
• Business continuity
• Disaster recovery
• Data security
– Are Nation-states really our threat?
• For big business and government contractors … YES!
– Booz Allen spear-phish that went public a bit ago
• Not so much for small to mids, schools, etc … they worry about
keeping their head above water, and hoping the network works.
• What’s it good for? How has it improved our lives?
– I’m waiting for my RFID tag and mark of the beast
• Who knows, but it can transform business
– Just ask people in health care
• Technology is exploding in this field and is changing the way
people are able to receive care
– Just ask online sales, which didn’t really exist pre-1990s
• Usage
– We need security to be sure technology is used well, or
to perform the Incident Response (IR) when it’s not
• Yes even though current security solutions aren’t perfect
Some current working Attacks
• 0day to the desktop
– In 2008, client side bugs are alive and kicking!
• The old thumb drive outside the bank trick
– Rootkit
• Insider payoff
– Rootkit
• Stealing and modifying hardware (supply chain)
– Rootkit
• Simple .exe in email
– Run this file for pics of whoever == Rootkit
– .com was one of the best I’ve ever received
• Can technology defend against technology?
– Application filtering firewall with a buffer overflow,
what were we thinking there?
– Same for IDS, AV, Wireshark, etc.
– Clearly we’ve got to rid ourselves of the buffer overflow
to have a real shot at reliable computing
• We’re finally seeing this begin to happen
– Modern protections in 64 bit machines are impressive
• But, weak passwords, sniffing, lost hardware,
social engineering, hardware modified in transit
– Defenders have to think of it all! The attacker need
only find one route in
• Average Users
– Just want to do their job, play games, edit pictures of
the grand kids, whatever.
• Need security training.
• Power Users
– Growing. Many users have complex needs and those
annoying Vista pop-ups, personal firewall issues, etc.
• Just disable all that stuff, right? Need Policies and training.
• Either way, 0day to the desktop
– We still can’t trust our software
So what’s to be done?
• Totally depends on the scope of your
– Someone has to sit down and think about these
issues, and do the best you can with available
• ah… risk management, my favorite oxymoron
• Also totally depends on the layer at which you
– CIO response should differ from software
developer or incident responder, or secretary
Let’s discuss some lower layer examples
(more on each of these)
• Security at the Desktop is a MUST!
• Who knows how to do this?
• Auditing the internal and external network policy is,
at minimum, a show of due diligence
• Penetration Tests are great for raising internal awareness
• Watch your website
• Web auditing
• Fuzzing for security and robustness
• Securing software … we hope the OS will continue to get
stronger as well
• Responding to Security Incidents (IR)
• Being prepared or know who to call
Desktop Security
• Could we go to a thin client that doesn’t save
– Pwned on Monday, clean on Tuesday?
– Probably would save desktop support costs
• AV
– Does it really help? Show proof.
– Does it really work? Show proof.
• Host hardening
– Local policy lockdown, registry tweaks, etc
– No local Admin?
– Looks like XP might hang on until Windows 7?
Network Management
• Wireless security
– WEP, right? (not … how about WPA2 with AES)
• Database security
– Talk to our British friend, Mr. Litchfield
• Server security
– Lock ‘em down in VLANs while you’re at it
• Failover (Disaster/Continuity)
– Redundant Internet links
– Multiple servers
– Nightly backups
Net Admin (Cont.)
• Network auditing: Yesterday protection (not 0day)
– Think something like Nessus to be sure your hosts are
all up-to-date
– Is there a better way to be sure boxes are built right
the first time?
• Imaging type solution
• Allow real time updates from M$?
• Network activity monitoring and logging
– The network is hostile, can your IDS find the needle?
• Probably not … though anomaly detection could work on SCADA or
other “quiet” networks
• Keep good system logs anyway, this will be important again
someday, when IDS finds a way to add value again
Web Auditing
• Think about all the issues we’ve seen
– SQL injections
• Input sanitization is the root problem for many bug types
– PHP file inclusions
– Old school CGI command injections
– Insecure permissions on pages
– Weak login schemes
• Someone needs to be thinking about this for your
– http://www.owasp.org/
• Fuzzing for security and robustness
– Since many applications still have to be developed in C-type
languages (able to manually manage memory)
• For bonus pts, why isn’t the Vista Kernel dev’ed in .py?
– Other languages could have stability issues if not
exploitable overflows
• A telecoms 0day == interruption of service
• Mutation vs. Generation
– One is often quicker while the other tends to get
better coverage. Boils down to cost. Read our book.
Incident Response (IR)
• Responding to Security Incidents. (How big is this
onion anyway?)
– 1st response team
• The key here is handling information well
– Disk forensics
• Remember when the FBI came knocking? Old-school preservation
style. Snag disk. Image it. Search it. Send you to jail. Do not pass
go. Do not collect $200.
– E-discovery
– Live memory analysis
– Malware analysis
• Can these actions be scaled to the Enterprise?
– Probably, for the right price… but, process is key for court.
Enterprise Tools
• You can’t physically pull the disk off each
workstation, can you?
• No, but virtually you can: Agent based
– Push kernel module to desired hosts via SMS or PsExec
• Host code is called “the servlet” by Guidance, Inc (EnCase).
– Used to suck off permanent storage (hard disk data)
and “live” memory (RAM)
• Catalogs; only does full suckage when required
– Scan disk for anomalous files
• Guidance uses bit9 database; good, bad, or unknown lots
– Rate which ones look “worst”
• Mandiant’s red curtain is freeware … I’m surprised EnCase
Enterprise doesn’t have this feature
• Key word searching across file, email, and even
memory in some cases
• Used to discover interesting data
– An example might be searching for the text string
• Why would we do that?
• Litigation is the word you’ll hear
– The way hip lawyers roll
– Indicates a search for evidence during a particular
court case to support one side or the other
Live Memory Analysis
• The kernel agent can collect all or some of
running memory as well
• A tool like HBGary’s Responder could be used
to analyze this memory
– Memory-only rootkits are TODAY’S threat
– Good malware/rootkits may be able to avoid
dirtying the disk altogether
• If that’s so, how are you going to detect them with your
current forensic toolkit?
Malware Analysis
• This is where it gets interesting
– So, you’ve found some executable code and you
either don’t know if it’s malware, or you know it
is, but aren’t sure what it’s doing
• How can you understand what this nasty business is
doing to/on your host/network??
• Perhaps like other fields an “Art+Science” but
here I think we need more science.
– We need a repeatable methodology that holds
water in court if need be
High level thoughts on Malware
• For malware to be doing something useful (like
stealing data) it’s likely got to be doing some
type of network comms
• Will likely use a covert channel, such as DNS or HTTP.
Think Command & Control to do Data Exfil
• It will likely not want to be discovered
• May download and install a rootkit and delete itself
• Might just hide in plain sight … what’s in your sys32 dir?
• If discovered it desires to make analysis difficult
• Packed, obfuscated, encrypted, jacked up in some other
interesting way
Malware Analysis != IR
• So as we stated before IR includes many steps
• Analyzing potential malware is just one of the
– Some guys at Intel have done some cool new work
addressing the IR information handling problem at
• Rapid Assessment & Potential Incident Examination
– http://code.google.com/p/rapier
My Home Grown Malware Analysis
(Not an exhaustive or “best” list)
1. Document how the malware was discovered
2. Get the filename(s) of malware
3. View the file properties for kicks, though this
information can easily be spoofed.
– Note if much file property information is included
• Vendor, etc
– What is the modified time?
– What is the file size?
– File hash? Use the WinMD5 utility
• Google for this hash, you might get lucky
– Mandiant’s Freeware Red Curtain will give you a threat score
• guess as to whether or not the file is Malicious
– If you’re not worried about sharing, you can upload to
http://www.virustotal.com (multiple virus scans)
http://www.norman.com/microsites/nsic/Technology/en-us (see in a bit)
Home Grown: File Inspection
4. If possible, determine how the file was created and if
it includes obfuscation.
Open the file in PEid.
5. If possible, determine if the PE headers look normal.
Open the file in PEView.
6. Open the file in IDA pro
– Are there any interesting strings?
– Are the strings visible or obfuscated?
– Is the code flow normal or does it start with funny
decryption/unpacking routines?
– Save further REing for later unless something really sticks
out. A dynamic run trace is the next best step in
understanding your malware.
Home Grown: Execution
7. Prepare to execute in your test lab
– Take a VM snapshot so you can roll back after execution
– Launch Wireshark.
– Launch other utilities such as process explorer, file
explorer, and filemon if desired
– Execute RegShot to get a baseline of the system
– Launch the malware and note Registry changes and
Network connections
– Note whatever else interesting happens. CAUTION: At this point
you are probably infected with something.
– If it’s dialing out, it may be desirable to set up a fake
server to play with command and control plus any data
exfiltration it may have.
Home Grown: Dynamic Investigation
8. Reversing the Malware with Immunity debugger,
windbg, Responder
Yes, we’re talking just about Windows here
– Roll back to the previous snap shot
– For Inspector
• Open the Wintel Node Agent Debugger in the VM
• Start a new Inspector project
• Connect to the debugger with Inspector
• Start the malware via Inspector
• Analyze the binary (may set bps)
• Run the malware analysis plugin script to see what pops out
– Cool freeware tools like: Malware Unpacking Framework For
• http://muffi.googlecode.com/ by JMS
Home Grown: Dynamic Investigation
• Analyze key .dlls and set further breakpoints
• ws2_32.dll and winsock.dll for network activity
– WSARecvFrom, WSASendTo, etc.
• Kernel32.dll for process manipulation and file modification
– LoadLibrary, CreateProcess, FindFirstFile, etc.
• advapi32.dll for registry modifications
– RegCreateKeyEx, RegSetValueEx, etc.
• Execute the software to begin a runtrace
– A graph will begin to appear as the software is
• Could be useful to search runtrace samples for strings such as
IP address, passwords, etc
• How to proceed depends on the nature of the
investigation/malware … more of an Art … ooops…
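The static part of the home-grown checklist (steps 3 through 6: hash the file, check that the PE headers look normal, spot packing, pull interesting strings) and the API families listed for breakpoints above, reduced to one script. This is an added example, not code from the talk; `build_sample()` constructs a minimal PE-shaped blob in memory so it runs offline, and the API name lists and the entropy threshold are my assumptions.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# API families the slides suggest watching, matched by prefix so A/W suffixes count.
API_FAMILIES = {"network": ("WSARecvFrom", "WSASendTo"),
                "process/file": ("LoadLibrary", "CreateProcess", "FindFirstFile"),
                "registry": ("RegCreateKeyEx", "RegSetValueEx")}

def build_sample() -> bytes:
    # Constructed stand-in (not the talk's sample.exe): minimal PE-shaped blob with a
    # plain .text section and a high-entropy section named like a UPX-packed one.
    text = b"LoadLibraryA\0GetProcAddress\0WSASendTo\0RegSetValueExA\0".ljust(256, b"\0")
    upx1 = bytes((i * 73 + 11) % 256 for i in range(1024))   # each byte value 4x: entropy 8.0
    hdr = 0x40 + 4 + 20 + 224 + 2 * 40                        # DOS + sig + COFF + optional + 2 sections
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x47A06F20, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")          # PE32 magic, rest zeroed
    def sec(name, raw, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), off, 0, 0, 0, 0, flags)
    secs = sec(b".text", text, hdr, 0x60000020) + sec(b"UPX1", upx1, hdr + len(text), 0xE0000040)
    return dos + b"PE\0\0" + coff + opt + secs + text + upx1

def entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data: bytes) -> dict:
    # Steps 4-6 in miniature: header sanity (PEView), section table (PEid), strings (IDA).
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    sections = []
    for i in range(nsec):
        name, _, _, size, ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "size": size,
                         "entropy": round(entropy(data[ptr:ptr + size]), 2)})
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
    return {"machine": machine, "timestamp": stamp, "sections": sections, "strings": strings}

def triage(data: bytes) -> dict:
    # Boil the static pass down to the questions the slides ask of a new file.
    info = parse_pe(data)
    packed = [s["name"] for s in info["sections"] if s["entropy"] > 7.0 or s["name"].startswith("UPX")]
    families = {fam: [s for s in info["strings"] if s.startswith(names)] for fam, names in API_FAMILIES.items()}
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "sections": info["sections"], "packed_sections": packed,
            "resolves_imports_by_hand": {"LoadLibraryA", "GetProcAddress"} <= set(info["strings"]),
            "api_families": {k: v for k, v in families.items() if v}}
```

Run `triage(open("sample.exe", "rb").read())` on a real file; a near-8.0 section entropy is the PEid-style packing hint, and LoadLibraryA next to GetProcAddress with few other imports is the "resolves its own imports" pattern the case study hits.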
However, SandBoxes are cool
• A Sandbox/Sandnet attempts to automate prior
steps and boil down results
1. Quicker/Scales
2. No hardcore RE person required
3. Repeatable (Hold water in court?)
However, could fail if
• Too tricky
– Virtualization detection and/or escape
» Would be a problem for VM home grown solution too
» Only an air gapped net solves this
– Slow to use the network, like 1 week after install
– Will only run if in, for example, the Outlook directory, etc
• Manual/Static RE is required for complete analysis
Sample Output from Norman
[Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
[ Detection Info ]
* Compressed: NO. TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 237562 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\service.exe.
* Deletes file 256.
[ Changes to registry ]
* Creates key "HKLM\Software\\Microsoft\\Windows".
* Sets value "Microsoft Update"="service.exe" in key
* Creates key "HKCU\Software\".
* Sets value "Microsoft Update"="service.exe" in key “HKCU\Software\".
Sample Norman Output (cont.)
[ Network services ]
* Looks for an Internet connection.
* Connects to [REMOVED] on port 6667 (TCP).
* Connects to [REMOVED]
* IRC: Uses password [REMOVED]
* IRC: Uses nickname [REMOVED]
* IRC: Uses username [REMOVED]
* IRC: Joins channel [REMOVED] with password [REMOVED]
* IRC: Sets the usermode for user [REMOVED] to i.
[ Process/window information ]
* Creates a mutex By Crash.
* Creates process "C:\WINDOWS\SYSTEM32\service.exe".
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\service.exe (237562 bytes) :
Case Study
• Got a file called sample.exe from a friend
• He wanted me to take a quick peek at it, since
he thought it was ugly but no AV product he
had could confirm that
• Let’s see what Norman says…
Hmm… in this case Norman pooped
sample.exe : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
[ General information ]
* File length: 210944 bytes.
* MD5 hash: 27f4b3938997383576137cd7036dda25.
[ Process/window information ]
* Attempts to open CLSID {148BD52A-A2AB-11CE-B11F00AA00530503}.
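Boiling a Norman-style report down to the indicators that matter, run over both reports quoted above (the W32/Backdoor one and the case-study miss). This is an added example, not anything from the talk or from Norman; the two embedded reports are shortened constructions modelled on the slides, and the section names and finding labels are my assumptions.

```python
import re

# Constructed reports modelled on the two Norman outputs quoted above (shortened,
# not verbatim; the [REMOVED] placeholders are kept the way the sandbox prints them).
BACKDOOR_REPORT = r"""
[Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\service.exe.
[ Changes to registry ]
 * Sets value "Microsoft Update"="service.exe" in key "HKLM\Software\Microsoft\Windows".
 * Sets value "Microsoft Update"="service.exe" in key "HKCU\Software\".
[ Network services ]
 * Connects to [REMOVED] on port 6667 (TCP).
 * IRC: Joins channel [REMOVED] with password [REMOVED]
"""
CLEAN_REPORT = r"""
sample.exe : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
 * Sandbox name: NO_MALWARE
[ Process/window information ]
 * Attempts to open CLSID {148BD52A-A2AB-11CE-B11F00AA00530503}.
"""

def parse_report(text: str) -> dict:
    # Group the " * " lines under their "[ section ]" headers.
    sections, current = {}, "preamble"
    for line in text.splitlines():
        head = re.match(r"^\[\s*([^\]]+?)\s*\]\s*$", line)
        item = re.match(r"^\s*\*\s*(.+?)\s*$", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif item:
            sections.setdefault(current, []).append(item.group(1))
    return sections

def boil_down(text: str) -> dict:
    # Reduce the report to the indicators an analyst acts on: dropped files,
    # registry values pointing at them, and where the sample phones home.
    s = parse_report(text)
    dropped = [m.group(1) for e in s.get("Changes to filesystem", [])
               if (m := re.match(r"Creates file (.+?)\.?$", e))]
    persist = [m.groups() for e in s.get("Changes to registry", [])
               if (m := re.match(r'Sets value "([^"]+)"="([^"]+)" in key "([^"]+)"', e))]
    net = s.get("Network services", [])
    ports = [int(m.group(1)) for e in net if (m := re.search(r"on port (\d+)", e))]
    dropped_names = {p.rsplit("\\", 1)[-1].lower() for p in dropped}
    findings = []
    if any(data.lower() in dropped_names for _, data, _ in persist):
        findings.append("registry value points at the dropped file (persistence)")
    if 6667 in ports or any(e.startswith("IRC:") for e in net):
        findings.append("IRC command-and-control")
    if not findings and any("NO_MALWARE" in e for e in s.get("DetectionInfo", [])):
        findings.append("no dynamic indicators: sandbox missed it, escalate to manual RE")
    return {"dropped": dropped, "persistence": persist, "ports": ports, "findings": findings}
```

The second report is the interesting case: a clean sandbox verdict with no file, registry or network activity is a reason to escalate, not a reason to close the ticket.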
Case study: Try my home brew
1. Received a file from a friend
2. Name = “sample.exe”
3. File properties
– Not much listed
– Time: Looks unreliable
– Size: 206KB
– MD5: 27f4b3938997383576137cd7036dda25
– Red Curtain reports that it looks malicious, as the
threat score is over 1.0. See next slide.
[Screenshot: hash and properties, fairly normal here]
[Screenshot: Mandiant Red Curtain, >1 == badness]
Case Study (cont.)
4. PEid
– No build type detectable, Win32 GUI
5. PEView
– Looks Normal
6. IDA Pro
– Initial Interesting Strings:
• Looks like a bunch of strings are present but are unreadable
– Code looks funny … a lot of moving, XORing, etc. and
then a LoadLibraryA + GetProcAddress to begin with
– First func from main took ~100 ints as parameters
PEID and
Case Study (cont.)
7. Upon Execution
– Regshot noticed a bunch of changes
– Wireshark snagged an outbound connection
Very suspect here
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: KRSystem v1.0
Host: upd.host-domain-lookup.com
Connection: Keep-Alive”
“HTTP/1.1 304 Not Modified
Connection: close
Server: Yaws/1.68 Yet Another Web Server
Date: Wed, 30 Jan 2008 13:59:05 GMT
Content-Length: 13
Content-Type: text/html
not modified”
Case Study (cont.)
8. Inspector
– Reverted to clean snapshot, started remote debugger,
started new project, connected to debugger, analyzed
sample (this is cool, can bypass anti-debugging and
packing), analyzed .dlls, viewed strings, etc…
– Difficult to know which API calls to hook
– MAP script provided convoluted results
– Run trace not trivial to apply correctly
– Graph unclear
– All-in-all, not a great tool for a “first pass” look
Better for very advanced users
I am looking forward to their new “Responder” product, which
attempts to find rootkits in running memory
Inspector Screen Shot
Other Sandboxes
• Norman pooped on this one
• This one did better
– CWSandbox
• Tried some others as well
– ThreatExpert
– Joebox
– Etc.
Sample XML from CWSandBox
<connection transportprotocol="TCP"
remoteaddr="" remoteport="80"
protocol="HTTP" connectionestablished="1" socket="1692">
<http_cmd method="GET"
&#x2A;/&#x2A;</header><header>Accept-Encoding: gzip,
deflate</header><header>User-Agent: KRSystem
v1.0</header><header>Host: upd.host-domainlookup.com</header><header>Connection: KeepAlive</header></header_data></http_cmd>
Small sampling of the total CW output
New CW Look
Hmm… states one of its primary
actions, but I have a hunch it’s worse
than that. Didn’t provide as much
information as CWSandbox.
• Gave some good information
• But doesn’t include network information, etc. yet
– Seems to have good potential, but lacks robustness as
of now
Boiling down results
• For large corps, scalability is important and
Sandboxes give us that
– However, like anything else, they’re not fail proof
• Norman boils down the results well
– But didn’t work in this case
• ThreatExpert
– Seemed ok
• Joebox has great potential
– Missing key features
• CWSandbox did the best here IMHO
– XML is busy, so new web interface is nice
– Recent work to escape CW has been made public for
• Onions smell … security can too, but we keep at it.
– We need to find ways to stem the tide of 0days
– We need to find ways to detect memory-only Rootkits
• Responder via Encase? Or Mandiant’s MIR technology?
– Once we do, malware won’t go away
• Insider threat, thumb drive, hacked hardware in transit, etc
– We’ll need some sort of reliable computing help from
our operating system/hardware
• Hypervisor protection?
– Monitoring, IR, and many other branches will always be
important, even as roles and technology change

Onion, not parfait