Paul Melson
Two-For-One Talk: Malware Analysis for Everyone

MWA-101: Five Automated Analysis Tools You Should Know

Why Do Malware Analysis?
- Client-side attacks that install malware are the #1 external threat.
- It’s not slowing down any time soon:
  - “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31% from the previous period.”
  - “In 2008, Symantec created 1,656,227 new malicious code signatures. This is a 265% increase over 2007.”
  (Source: Symantec Internet Threat Report, April 2009)

Firewalls and Anti-Virus Have Lost
- Client-side attacks against web browsers and e-mail go right through most firewall policies
- Detection rates for current malware files by market-leading anti-virus scanners are averaging 30-50%
- If you’re not adapting some other way, you’ve lost

Malware is Adapting Quickly
- Take away Local Administrator privileges?
  - Malware that persists in HKCU Registry keys or the StartUp group
- Whitelist apps with Windows Firewall?
  - Malware that hooks into Internet Explorer plugin APIs
- Block IRC at the firewall?
  - Malware that uses encrypted HTTP/HTTPS back-channels

“But it’s just spyware, right?”
- In the past 2 years, we’ve found malware in the wild that:
  - Sends hundreds of spam e-mail messages per second
  - Gives the bot “herder” full desktop remote control
  - Searches files in “Documents and Settings” for SSNs, credit card numbers, and saved Internet Explorer passwords
  - Records all screen and text input and reports it in real time to a server in Russia

VirusTotal
http://www.virustotal.com
- Upload a suspicious file; they scan it with 40+ different anti-virus products using current signatures
  - Pretty much everybody, except TrendMicro
- Useful for determining if a file is malicious
  - Also for determining whether your anti-virus would detect a particular file
  - Take advantage of heuristic/edge products without all of the false positives in production
- OK, but not great for brand new or custom malware
- Not great for obfuscated exploits, better with binaries
CWSandbox
http://www.cwsandbox.org
- Upload a suspicious Windows executable; they run it in their sandbox and tell you what it did
- Great for figuring out what a file actually does
  - It doesn’t establish malicious vs. benign, that’s up to you
  - Requires some detailed understanding of Windows Registry, processes, file system to interpret the report
- Some malware can detect this and other sandboxes, and won’t run
- Other similar services:
  - Norman Sandbox
  - JoeBox
Threat Expert
http://www.threatexpert.com
- Upload a suspicious Windows binary; they analyze it
  - Supports web submission, but also a Windows applet
  - Must register to submit samples
- Combines the features of CWSandbox and VirusTotal
  - Anti-virus scan
  - File / registry modifications
  - Packer identification
- Browse reports and statistics from other submitted files
Wepawet
http://wepawet.iseclab.org
- Upload a suspicious PDF, HTML, or Flash file, or submit a suspicious URL, and it will analyze it for malicious JavaScript.
- Great for working with obfuscated JavaScript where reversing and debugging is complex and time-intensive.
- However, some forms of obfuscation, especially in PDF and SWF files, can be used to beat it.
Comodo
http://camas.comodo.com
- Upload a suspicious Windows binary; they analyze it for you
- Similar to CWSandbox
- Very fast
- Relatively new/unknown, so less likely to be targeted for evasion (assuming they use technology different enough from Norman, CWSandbox)
MWA-101: Q&A

MWA-405: Unpacking PDF Exploit Payloads

PDF Files and Malware
- Malware relies on two methods to install:
  - Exploiting a browser vulnerability
  - Tricking people into running a file
- Adobe Acrobat Reader is, right now, the most reliably vulnerable piece of software in the world
  - It’s really hard to patch across the enterprise
- Predecessors:
  - Internet Explorer
  - QuickTime Player
  - Adobe Flash Player

They Don’t Call it Pwndobe for Nothing
- Tuesday’s Acrobat Reader security bulletin (screenshot)
- That’s 29 unique vulnerabilities, in case you’re keeping score

PDF as an Attack Vector
- Acrobat Reader is executable from the web browser
  - Called as a browser plugin via COM
  - There is an IE killbit, but I dare you to use it in a business
  - Each version of Acrobat Reader has its own CLSID, and killbit
- The PDF file format supports scripting and obfuscation
  - JavaScript
  - Embedding binary objects and scripts as streams
  - Compressing and encoding these streams
- These are the same things that made Flash a good attack vector, so you may have some idea as to what’s next

PDF With Malicious Payload
- PDF file header including JavaScript trigger (screenshot)

PDF With Malicious Payload
- PDF file body showing binary FlateDecode stream (screenshot)
- Note the /Filter and /Length tags

Unpacking FlateDecode Streams
- FlateDecode is stream compression using zlib compress()
- Several tools can decompress and extract the streams for you:
  - PDF Stream Inflater by Bobby Spasic (Malzilla)
    - Not available for download anymore
  - pdftk by Sid Steward (AccessPDF)
    - Not specifically for malware
    - http://www.accesspdf.com/pdftk/
  - pdf-parser.py by Didier Stevens
    - This guy writes all sorts of awesome tools
    - http://blog.didierstevens.com/programs/pdf-tools/

Unpacking FlateDecode Streams
- Using PDF Stream Inflater to extract the FlateDecode stream (screenshot)

Unpacking FlateDecode Streams
- Viewing the decoded stream containing obfuscated JavaScript (screenshot)

Unpacking FlateDecode Streams
- Pipe the extracted stream through Didier Stevens’ SpiderMonkey mod
- The log files contain the output of the obfuscated JavaScript

Unpacking FlateDecode Streams
- Look! More JavaScript, but this time it’s readable.
- Hmmm, I wonder…

Unpacking FlateDecode Streams
- Oh, look, they copied the exploit from milw0rm.

Beyond FlateDecode
- Different versions of the PDF file standard support additional forms of encoding streams:
  - ASCIIHexDecode
  - ASCII85Decode
- Encoding methods can be combined on a single stream
  - Order of operations matters!
- Two methods for extracting and decoding:
  - Manually decode the Hex stream to a zlib binary stream, reinsert, resize the header, basically recreating the PDF as if it only contained the FlateDecode stream, then extract with inflater.exe (this sucks, BTW)
  - Use pdf-parser.py
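As an added worked example (not code from the talk, and not Didier Stevens’ pdf-parser.py), here is a minimal Python decoder for the three stream filters covered on the "Unpacking FlateDecode Streams" and "Beyond FlateDecode" slides. It finds stream dictionaries, reads the /Filter entry (a single name or an array) and applies the filters in the listed order, which is exactly the order-of-operations point above: a stream tagged [/ASCIIHexDecode /FlateDecode] has to be hex-decoded before it is inflated, and running the filters the other way round fails inside zlib. The input is a PDF constructed inline (a harmless app.alert() stored once with FlateDecode and once with ASCIIHexDecode followed by FlateDecode, referenced from an /OpenAction), not the boBAn.pdf sample from the talk. Two simplifications are marked in the comments: indirect /Length references are not resolved, and only one level of dictionary nesting is handled.

```python
import re
import zlib
import base64
import binascii

# /Filter lists filters in decoding order: [/ASCIIHexDecode /FlateDecode]
# means "hex-decode first, then inflate".  Reversing that order fails.

def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: hex digits, whitespace ignored, '>' ends the data."""
    hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(hexdata) % 2:            # a trailing odd digit is read as if followed by 0
        hexdata += b"0"
    return binascii.unhexlify(hexdata)

def ascii85_decode(data: bytes) -> bytes:
    """ASCII85Decode: optional '<~' prefix, '~>' ends the data."""
    body = data.strip()
    if body.startswith(b"<~"):
        body = body[2:]
    return base64.a85decode(body.split(b"~>", 1)[0])

def flate_decode(data: bytes) -> bytes:
    """FlateDecode: zlib-wrapped deflate, i.e. what zlib compress() produced."""
    return zlib.decompress(data)

DECODERS = {
    b"ASCIIHexDecode": ascii_hex_decode,
    b"ASCII85Decode": ascii85_decode,
    b"FlateDecode": flate_decode,
}

def decode_stream(raw: bytes, filters: list) -> bytes:
    """Apply each named filter in sequence; unknown filters are reported, never skipped."""
    for name in filters:
        if name not in DECODERS:
            raise ValueError("unsupported filter %r" % name)
        raw = DECODERS[name](raw)
    return raw

def parse_filters(dict_bytes: bytes) -> list:
    """Return the /Filter names of a stream dictionary (single name or array)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dict_bytes)
    return re.findall(rb"/(\w+)", m.group(1)) if m else []

# A stream dictionary (one level of nesting allowed) followed by the 'stream' keyword.
DICT_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.DOTALL)

def iter_streams(pdf: bytes):
    """Yield (dictionary, raw_body) for every stream object.
    Simplification: /Length must be a direct integer; an indirect '/Length 12 0 R'
    falls back to searching for the 'endstream' keyword."""
    pos = 0
    while (m := DICT_RE.search(pdf, pos)):
        dict_bytes, start = m.group(1), m.end()
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_bytes)
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        yield dict_bytes, pdf[start:end]
        pos = end

def extract_streams(pdf: bytes) -> list:
    """Decode every stream, returning its filter chain and the decoded bytes."""
    out = []
    for dict_bytes, body in iter_streams(pdf):
        filters = parse_filters(dict_bytes)
        out.append({"filters": filters, "data": decode_stream(body, filters)})
    return out

def has_javascript_trigger(pdf: bytes) -> bool:
    """An /OpenAction (or /AA) together with /JavaScript or /JS: the trigger the slides show."""
    return (re.search(rb"/(OpenAction|AA)\b", pdf) is not None
            and re.search(rb"/(JavaScript|JS)\b", pdf) is not None)

# Constructed sample PDF (not from the talk): a harmless alert stored twice,
# once FlateDecode-only and once ASCIIHexDecode + FlateDecode.
SAMPLE_JS = b"app.alert('constructed sample stream');"
SAMPLE_FLATE_BODY = zlib.compress(SAMPLE_JS)
SAMPLE_HEX_BODY = binascii.hexlify(SAMPLE_FLATE_BODY).upper() + b">"

def stream_obj(num: int, filters: bytes, body: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d /Filter %s >>\nstream\n" % (num, len(body), filters)
            + body + b"\nendstream\nendobj\n")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 3 0 R >> >>\nendobj\n"
    + stream_obj(2, b"/FlateDecode", SAMPLE_FLATE_BODY)
    + stream_obj(3, b"[/ASCIIHexDecode /FlateDecode]", SAMPLE_HEX_BODY)
    + b"%%EOF\n"
)

if __name__ == "__main__":
    print("JavaScript trigger present:", has_javascript_trigger(SAMPLE_PDF))
    for s in extract_streams(SAMPLE_PDF):
        print(b" -> ".join(s["filters"]).decode(), ":", s["data"])
```

Run it directly to see each stream's filter chain and decoded bytes; on a real sample you would read the file in binary mode and hand the decoded JavaScript to an isolated interpreter such as the SpiderMonkey build mentioned on the next slides. The swapped-order call in the test mirrors the manual method above: if you inflate before hex-decoding, zlib rejects the data immediately.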
Beyond FlateDecode
- This stream is encoded with ASCIIHexDecode and FlateDecode (screenshot)

Beyond FlateDecode
- We decode the stream and find more obfuscated JavaScript
- ./pdf-parser.py -f boBAn.pdf | less

Beyond FlateDecode
- Throw <html> and <script> tags around the obfuscated JavaScript and upload it to Wepawet

Beyond FlateDecode
- Ooh, second stage executable downloads!

Beyond FlateDecode - Epilogue
- From the time that I started this research to the time I wrote this presentation, Wepawet has added support for ASCIIHexDecode in PDF files
- So, yes, the hours of work I did on this can be replicated in mere seconds with only a web browser
- But this underscores the ongoing arms race between security researchers and malware vendors
- That’s right, I said vendors

Some Extra Fun
- whois goodshoot1.com
- Note the goofy domain on those name servers

Some Extra Fun
- So we search malwareurl.com for that domain, and…

Some Extra Fun
- YES is a crimeware system made in Russia
- This is the login page for its web console (screenshot)

Network Detection
- Easy enough to find PDF files that use encoded streams with your IDS/IPS
- Your firewall and proxy logs are a good place to look, too
- Most sites hosting second-stage malware are in foreign countries, especially Russia, China
- Use language to your advantage – if your employees speak English, then documents downloaded from countries that don’t speak English could be suspicious

Network Detection
Snort rules to detect suspicious PDF files:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;)
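To show exactly what those four rules match, and what they do not, here is an added Python evaluator for the subset of Snort rule syntax they use (content: patterns, the nocase modifier, msg and sid). It is example code written for this page, not part of the talk and not Snort itself; it ignores flow: and the header addresses and treats each content: pattern as an independent search over the whole payload, which is what Snort does when no distance/within modifiers are present. Run over three constructed HTTP responses (not real captures) it makes two things visible: the FlateDecode rule (sid 90000190) fires on an ordinary PDF, because nearly every PDF produced today compresses its streams with FlateDecode, so that rule is a logging or correlation rule rather than an alert on its own; and only the ASCIIHexDecode rule separates the second sample from the first.

```python
import re

# The four rules from the slide, verbatim; they are the input to the evaluator.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;)',
]

# action proto src_ip src_port dir dst_ip dst_port (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# name[:value]; where value is a quoted string or anything up to the next ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text: str) -> dict:
    """Parse the header and the options this example interprets.
    content/nocase/msg/sid are evaluated; flow, classtype and rev are kept but unused."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text[:40])
    rule = {"action": m.group(1), "proto": m.group(2), "src_port": m.group(4),
            "contents": [], "msg": None, "sid": None, "other": {}}
    for name, value in OPTION_RE.findall(m.group(8)):
        if name == "content":
            rule["contents"].append({"pattern": value.strip('"').encode(), "nocase": False})
        elif name == "nocase":
            if not rule["contents"]:
                raise ValueError("nocase without a preceding content")
            rule["contents"][-1]["nocase"] = True      # modifies the preceding content
        elif name == "msg":
            rule["msg"] = value.strip('"')
        elif name == "sid":
            rule["sid"] = int(value)
        else:
            rule["other"][name] = value
    return rule

def rule_matches(rule: dict, payload: bytes) -> bool:
    """Every content pattern must occur somewhere in the payload (no distance/within here)."""
    for c in rule["contents"]:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return bool(rule["contents"])

def fired_sids(rules: list, payload: bytes) -> list:
    """Return the sids of all rules whose content patterns are present, in rule order."""
    return [r["sid"] for r in rules if rule_matches(r, payload)]

# Constructed HTTP responses; the stream bodies are stand-ins, not real compressed data.
def http_pdf(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4\n"
            + body + b"\n%%EOF\n")

SAMPLE_PAYLOADS = {
    "plain_pdf": http_pdf(b"4 0 obj\n<< /Length 11 /Filter /FlateDecode >>\nstream\n"
                          b"<flate-data>\nendstream\nendobj"),
    "hex_pdf": http_pdf(b"4 0 obj\n<< /Length 11 /Filter [/ASCIIHexDecode /FlateDecode] >>\n"
                        b"stream\n3C6869783E\nendstream\nendobj"),
    "html": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>FlateDecode is a PDF filter name</body></html>"),
}

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SNORT_RULES]
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, "->", fired_sids(rules, payload))
```

Two things worth normalizing before deploying the rules as written: the mailto rule matches only source port 80 where the other three use $HTTP_PORTS, and it applies nocase to "%PDF" while the others match the magic case-sensitively (the parsed src_port and nocase flags in the test show both differences).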
Network Detection
- Firewall events for PDFs downloaded from countries other than the US, UK, and Canada (screenshot)

pmelson@gmail.com
http://pmelson.blogspot.com
Special Thanks to Sean Koessel

MWA-405: Q&A
