CNIT 126 11. Malware Behavior

Practical Malware Analysis
Ch 11: Malware Behavior
Last revised 11-9-21

Downloaders
• Download another piece of malware

– And execute it on the local system

• Commonly use the Windows API
URLDownloadtoFileA, followed by a
call to WinExec

Launchers (aka Loaders)
• Prepares another piece of malware for
covert execution

– Either immediately or later

– Stores malware in unexpected places, such as
the .rsrc section of a PE file

Backdoors
• Provide remote access to victim machine

• The most common type of malware

• Often communicate over HTTP on Port 80

– Network signatures are helpful for detection

• Common capabilities

– Manipulate Registry, enumerate display
windows, create directories, search files, etc.

Reverse Shell
• Infected machine calls out to attacker,
asking for commands to execute

Windows Reverse Shells
• Basic

– Call CreateProcess and manipulate
STARTUPINFO structure

– Create a socket to remote machine

– Then tie socket to standard input, output,
and error for cmd.exe

– CreateProcess runs cmd.exe with its
window suppressed, to hide it

Windows Reverse Shells
• Multithreaded

– Create a socket, two pipes, and two threads

– Look for API calls to CreateThread and
CreatePipe

– One thread for stdin, one for stdout

RATs
 
(Remote Administration Tools)
• Ex: Poison Ivy

Botnets
• A collection of compromised hosts

– Called bots or zombies

Botnets v. RATs
• Botnet contains many hosts; RATs control
fewer hosts

• All bots are controlled at once; RATs
control victims one by one

• RATs are for targeted attacks; botnets are
used in mass attacks

Credential Stealers
• Three types

–Wait for user to log in and steal
credentials

–Dump stored data, such as password
hashes

–Log keystrokes

GINA Interception
• Windows XP's Graphical Identification and
Authentication (GINA)

– Intended to allow third parties to customize
logon process for RFID or smart cards

– Intercepted by malware to steal credentials

• GINA is implemented in msgina.dll

– Loaded by WinLogon executable during logon

• WinLogon also loads third-party customizations
in DLLs loaded between WinLogon and GINA

GINA Registry Key
• HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionWinlogonGinaDLL

• Contains third-party DLLs to be loaded by WinLogon

• Malware adds an extra item here

MITM Attack
• Malicious DLL must export all functions
the real msgina.dll does, to act as a MITM

– More than 15 functions

– Most start with Wl
x

–Good indicator

–Malware DLL exporting a lot of Wlx
functions is probably a GINA interceptor

WlxLoggedOutSAS
• Most exports simply call through to the real
functions in msgina.dll

• At 2, the malware logs the credentials to the
file %SystemRoot%system32driverstcpudp.sys

GINA is Gone
• No longer used in Windows Vista and later

• Replaced by Credential Providers

• Link Ch 11c

Custom Credential Provider Rootkit on
Windows 7
• Two sets of login buttons

• Only steals passwords from second set

• Code is provided to filter out the original set

Hash Dumping
• Windows login passwords are stored as LM
or NTLM hashes

– Hashes can be used directly to authenticate
(pass-the-hash attack)

– Or cracked offline to find passwords

• Pwdump and Pass-the-Hash Toolkit

– Free hacking tools that provide hash dumping

– Open-source

– Code re-used in malware

– Modified to bypass antivirus

Pwdump
• Injects a DLL into LSASS (Local Security
Authority Subsystem Service)

– To get hashes from the SAM (Security Account
Manager)

– Injected DLL runs inside another process

– Gets all the privileges of that process

– LSASS is a common target

• High privileges

• Access to many useful API functions

Pwdump
• Injects lsaext.dll into lsass.exe

– Calls GetHash, an export of lsaext.dll

– Hash extraction uses undocumented Windows
function calls

• Attackers may change the name of the
GetHash function

Pwdump Variant
• Uses these libraries

– samsrv.dll to access the SAM

– advapi32.dll to access functions not already
imported into lsass.exe

– Several Sam functions

– Hashes extracted by SamIGetPrivateDat
a

– Decrypted with SystemFunction025 and
SystemFunction02
7

• All undocumented functions

Pass-the-Hash Toolkit
• Injects a DLL into lsass.exe to get hashes

– Program named whosthere-alt

• Uses different API functions than Pwdump

Keystroke Logging
• Kernel-Based Keyloggers

– Difficult to detect with user-mode
applications

– Frequently part of a rootkit

– Act as keyboard drivers

– Bypass user-space programs and protections

Keystroke Logging
• User-Space Keyloggers

– Use Windows API

– Implemented with hooking or polling

• Hooking

– Uses SetWindowsHookEx function to notify malware
each time a key is pressed

– Details in next chapter

• Polling

– Uses GetAsyncKeyState & GetForegroundWindow
to constantly poll the state of the keys

Polling Keyloggers
• GetAsyncKeyStat
e

– Identifies whether a key is pressed or
unpressed

• GetForegroundWindo
w

– Identifies the foreground window

– Loops through all keys, then sleeps briefly

– Repeats frequently enough to capture all
keystrokes

Identifying Keyloggers in Strings Listings
• Run Strings

• Terms like these will
be visible

Three Persistence Mechanisms
1. Registry modifications, such as Run key

• Other important registry entries:

– AppInit_DLLs

– Winlogon Notify

– ScvHost DLLs

2. Trojanizing Binaries

3. DLL Load-Order Hijacking

Registry Modifications
• Run key

– HKEY_LOCAL_MACHINE SOFTWARE
Microsoft Windows CurrentVersion Run

– Many others, as revealed by Autoruns

• ProcMon shows all registry modifications
when running malware (dynamic analysis)

• Can detect all these techniques

AppInit DLLs
• AppInit_DLLs are loaded into every process
that loads User32.dll

– This registry key contains a space-delimited list
of DLLs

Microsoft Windows NT CurrentVersion
Windows

– Many processes load them

– Malware often calls DLLMain to check which
process it is in before launching payload

AppInit DLLs Security
• Beginning with Windows Vista,
AppInit_DLLs are disabled by default.

• Beginning with Windows 7, the AppInit_DLL
infrastructure supports code signing.

• Starting with Windows 8, the entire
AppInit_DLL functionality is disabled
when Secure Boot is enabled, regardless of
code signing or registry settings

• From Wikipedia

Winlogon Notify
• Notify value in

Microsoft Windows

– These DLLs handle winlogon.exe events

– Malware tied to an event like logon, startup,
lock screen, etc.

– It can even launch in Safe Mode

SvcHost DLLs
• Svchost is a generic host process for services
that run as DLLs

• Many instances of Svchost are running at once

• Groups defined at

– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows NT CurrentVersion Svchost

• Services defined at

– HKEY_LOCAL_MACHINE System
CurrentControlSet Services ServiceName

Process Explorer
• Shows many
services running in
one svchost
process

• This is the netsvcs
group

ServiceDLL
• All svchost.exe DLL contain a Parameters
key with a ServiceDLL value

– Malware sets ServiceDLL to location of
malicious DLL

Groups
• Malware usually adds itself to an existing
group

– Or overwrites a non-vital service

– Often a rarely used service from the netsvcs
group

• Detect this with dynamic analysis
monitoring the registry

– Or look for service functions like
CreateServiceA in disassembly

Trojanized System Binaries
• Malware patches bytes of a system binary

• To force the system to execute the malware
the next time the infected binary is loaded

• DLLs are popular targets

• Typically the entry function is modified

• Jumps to code inserted in an empty portion of
the binary

• Then executes DLL normally

KnownDLLs Registry Key
• Contains a list of specific DLL locations

• Overrides the search order for listed DLLs

• Makes them load faster, and prevents load-
order hijacking

• DLL load-order hijacking can only be used

– On binaries in directories other than System32

– That load DLLs in System32

– That are not protected by KnownDLLs

Example: explorer.exe
• Lives in Windows

• Loads ntshrui.dll from System32

• ntshrui.dll is not a known DLL

• Default search is performed

• A malicious ntshrui.dll in Windows will
be loaded instead

Many Vulnerable DLLs
• Any startup binary not found in System32
is vulnerable

• explorer.exe has about 50 vulnerable DLLs

• Known DLLs are not fully protected,
because

– Many DLLs load other DLLs

– Recursive imports follow the default search
order

DLL Load-Order Hijacking Detector
• Searches for DLLs that appear multiple
times in the file system, in suspicious
folders, and are unsigned

• From SANS (2015) (link Ch 11d)

No User Account Control
• Most users run Windows XP as
Administrator all the time, so no privilege
escalation is needed to become
Administrator

• Metasploit has many privilege escalation
exploits

• DLL load-order hijacking can be used to
escalate privileges

Using SeDebugPrivilege
• Processes run by the user can't do
everything

• Functions like TerminateProcess or
CreateRemoteThread require System
privileges (above Administrator)

• The SeDebugPrivilege privilege was
intended for debugging

• Allows local Administrator accounts to
escalate to System privileges

• 2 AdjustTokenPrivileges raises privileges to
System

Covering Its Tracks—
 
User-Mode Rootkits

User-Mode Rootkits
• Modify internal functionality of the OS

• Hide files, network connections,
processes, etc.

• Kernel-mode rootkits are more powerful

• This section is about User-mode rootkits

IAT (Import Address Table) Hooking
• May modify

– IAT (Import Address Table) or

– EAT (Export Address Table)

• Parts of a PE file

– In a DLL in RAM

– This technique is old and easily detected

Inline Hooking
• Overwrites the API function code

• Contained in the imported DLLs

• Changes actual function code, not
pointers

• A more advanced technique than IAT
hooking

CNIT 126 11. Malware Behavior

More Related Content

What's hot (20)

Similar to CNIT 126 11. Malware Behavior (20)

More from Sam Bowne (20)

Recently uploaded (20)

CNIT 126 11. Malware Behavior