Security Solution 2008
Windows DOS (apack, lzexe, diet, pklite) Linux (gzexe, UPX)
PE PE
[Figure: layout of a packed PE file. DOS Stub, PE Header & Optional Header, Section Table (Section Header .idata, Section Header .unpack, Section Header .data), Sections (.unpack holding the unpack code, .data, .idata).]
[Figure: packed PE (left) against the original PE (right). DOS Stub, PE Header & Optional Header, Section Table (Section Header .text, .data, .idata, .unpack, .rsrc, .reloc), Sections (.text, .data, .idata, .rsrc, .reloc); the .data section is the packed payload.]
VirtualAlloc() API PE Section Windows Import (IAT) LoadLibrary() GetProcAddress() IAT (OEP) long jump retn OEP OEP C/C++ GetStartupInfoA() GetVersion()
WORM_ALLAPLE.IK Microsoft Crypto API 256 0 256
Anti-Debugging Anti- Reversing Obfuscating OEP JUMP
API IsDebuggerPresent() TRUE CheckRemoteDebuggerPresent() Windows XP SP1 API INVALID_HANDLE_VALUE(-1) ZwQueryInformationProcess() ProcessInformationClass ProcessDebugPort
(SEH Structured Exception Handling) CloseHandle() CloseHandle() CloseHandle() EXCEPTION_INVALID_HANDLE STATUS_INVALID_HANDLE
GetTickCount() Time Stamp Counter

        call _do_rdtsc      ; 1
        mov  ecx, eax
        call _do_rdtsc      ; 2
        sub  eax, ecx
        je   _exit          ;
        cmp  eax, 100       ; 100
        ja   _exit
    _do_rdtsc:
        rdtsc
        retn
    _exit:
Windows PE PE NumOfRvaAndSizes OllyDbg
INT3 INT3(0xCC) INT3 INT3
OutputDebugString OutputDebugString() OutputDebugString() WinBase.h void

    VOID WINAPI OutputDebugStringA(__in LPCSTR lpOutputString);

OutputDebugString() OutputDebugString() 1
VMware VirtualPC
VMware I/O OS OS I/O VMware

    DWORD p = 0;
    __try {
        _asm {
            pushfd
            or dword ptr [esp], 0x100
            popfd                 // TF
            pushfd                //
            pop eax               //
            mov p, eax
        };
    } __except (EXCEPTION_EXECUTE_HANDLER) {}
    if (p & 0x100) {
        MessageBox(NULL, " Debugger Detected", "Result", 0);
    }
VirtualPC OS Windows Unknown OP code VirtualPC OS

    DWORD rc;
    __try {
        _asm xor ebx, ebx
        _asm mov eax, 1       // VPC function number
        // call VPC
        _asm _emit 0Fh
        _asm _emit 3Fh
        _asm _emit 07h
        _asm _emit 0Bh
        rc = TRUE;
        MessageBox(NULL, "Virtual PC Detected", "Result", 0);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        rc = FALSE;
    }
OllyDbg OllyDbg "FLD TBYTE PTR [address]" address OllyDbg

    DAH:0040D031 db 0DBh ; FLD TBYTE PTR [0x40d037]
    DAH:0040D032 db 2Dh  ; -
    DAH:0040D033 db 37h  ; 7
    DAH:0040D034 db 0D0h ;
    DAH:0040D035 db 40h  ; @
    DAH:0040D036 db 0
    DAH:0040D037 db 0FFh ; FLD
    DAH:0040D038 db 0FFh
    DAH:0040D039 db 0FFh
    DAH:0040D03A db 0FFh
    DAH:0040D03B db 0FFh
    DAH:0040D03C db 0FFh
    DAH:0040D03D db 0FFh
    DAH:0040D03E db 0FFh
    DAH:0040D03F db 3Dh  ; =
    DAH:0040D040 db 40h  ; @
API PE_VIRUT.K 4 API API

    ZwCreateFile
        MOV EAX, 25
        MOV EDX, 7FFE0300
        CALL [EDX]
    ZwCreateProcess
        MOV EAX, 2F
        MOV EDX, 7FFE0300
        CALL [EDX]
    ZwCreateProcessEx
        MOV EAX, 30
        MOV EDX, 7FFE0300
        CALL [EDX]
    ZwOpenFile
        MOV EAX, 74
        MOV EDX, 7FFE0300
        CALL [EDX]

        CALL 7FFA22ED
        MOV EDX, 7FFE0300
        CALL [EDX]

        CALL 7FFA2341
        MOV EDX, 7FFE0300
        CALL [EDX]

        CALL 7FFA234E
        MOV EDX, 7FFE0300
        CALL [EDX]

        CALL 7FFA233A
        MOV EDX, 7FFE0300
        CALL [EDX]
API ntdll Zw????? 0x7FFE0300 "MOV EAX xx" "CALL <malicious-code>"
WORM_POEBOT.I [W32.Linkbot.M] ftpd http ftp tftp
C&C IRC HTTP WORM_POEBOT.I [W32.Linkbot.M] ftpd http ftp tftp
1. .killthread .massscan .imspread .keylog .visit .udp .opencmd .upgrade WORM_RANDEX.AI [W32.Randex.GEL] all TCP 80 139 1433 5800 http UDP cmd.exe
2 n s rh vm ud ef df pf WORM_SDBOT.GEN-1 [W32.Kwbot.B.Worm] 1 2 OS DNS IP URL HTTP HTTP ping
3 WORM_SDBOT.AIH [IRC.Backdoor.Trojan] 4 0x447EB9D9 0x63AFD836 0x9D9E8858 IE 0x020A3F58 PC 0x44852779 ID 0x2F92C451
Inline Function Hooking DKOM(Direct Kernel Object Manipulation)
DKOM Direct Kernel Object Manipulation Windows API ProcessExplorer
DKOM Windows PsInitialSystemProcess
W32.Linkbot W32.IRCBot PE_BOBAX.AH-O PE_BOBAX.AH-O PE_BOBAX.AH-O PE_SALITY.AS-O PE_SALITY.AS-O PE_BOBAX.AH-O
Process Monitor Microsoft TechNet: Windows Sysinternals http://www.microsoft.com/technet/sysinternals/default.mspx
OS
IDA Pro Hex-Rays SA. http://www.hex-rays.com/idapro/
SecureBrain Zero-Hour Response System (http://www.securebrain.co.jp/products/zhr/index.html) Sunbelt CWSandbox (http://www.sunbeltsoftware.com/developer/sunbelt-CWSandbox/) Norman Sandbox Malware Analyzer (http://www.norman.com/microsites/malwareanalyzer/) XML HTML Zero-Hour Response System
SecureBrain Zero-Hour Response System http://www.securebrain.co.jp/products/zhr/index.html
Security Solution 2008 <yuji_hoshizawa@securebrain.co.jp>