2 3 3 5 11 VMware 14 17 17 FireEye 18 1
FireEye? API iframe DLL VMware VMware VMX 2
1 C&C FireEye 2012 12 UpClicker 1 2 3 UpClicker C&C APT Advanced Persistent Threat RAT Poison Ivy 4 1 UpClicker 0Eh SetWindowsHookExA Windows WH_MOUSE_LL 5
1 Gartner. Best Practices for Mitigating Advanced Persistent Threats. January 2012.
2 FireEye. Don't Click the Left Mouse Button: Introducing Trojan UpClicker. December 2012.
3 Symantec. Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems. October 2012.
4 ZDNet. Nitro targeted malware attacks hit chemical companies. November 2011.
5 Microsoft. SetWindowsHookEx function. June 2013.
1 fn 1 fn 2 2 fn UnhookWindowsHookEx() sub_401170() UpClicker 6 APT BaneChant 3 6
6 FireEye. Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks. April 2013.
Windows API MessageBox MessageBoxEx EXE DLL Adobe Acrobat PDF JavaScript for Acrobat API app.alert() 3 OK app.launchurl() URL 3 Web JavaScript Web URL API API 2013 2 Nap 7 Nap Microsoft Kaspersky 2011 Kelihos 8
7 FireEye. An Encounter with Trojan Nap. February 2013.
8 Microsoft. Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case. September 2011.
4 Nap Nap wowrizep.ru newbos2.exe HTTP 4 5 SleepEx() 60 10 0x0927C0 10 alertable false 10 5 SleepEx Nap
1 API NtDelayExecution() PDF JavaScript for Acrobat API app.settimeout() PDF 6 mystr() 100 16 6 app.settimeout() mystr() 100 JavaScript for Acrobat API 2013 3 Hastati 9 Hastati Windows SystemTime API GetLocalTime() 7 SystemTime 16 07 DD wyear 2013 00 06 wmonth 6 00 01 wdayofweek 00 11 wday 17
9 Vinay Pidathala, Yasir Khalid, et al. More Insights on the Recent Korean Cyber Attacks (Trojan.Hastati). March 2013.
7 Hastati GetLocalTime() 2013 6 17 2013 3 20 2 Sleep() 0EA60 6 8 6 Sleep() 8 Sleep()
Microsoft PsSetCreateProcessNotifyRoutine Windows Windows PsSetCreateProcessNotifyRoutine Windows XP SP2 8 6 Pushdo Pushdo 10 Pushdo PsCreateProcessNotifyRoutine PsSetCreateProcessNotifyRoutine 9 IDA Windows ntoskrnl.exe PsSetCreateProcessNotifyRoutine x86 9 ntoskrnl.exe PsSetCreateProcessNotifyRoutine
10 Gunter Ollmann (Security Dark Reading). Much Ado About PushDo. May 2013.
Pushdo 10 Pushdo
1. NtBuildNumber Windows Windows XP 32 2600 64 3790
2. PsSetCreateProcessNotifyRoutine 11 jmp_pssetcreateprocessnotifyroutine PsSetCreateProcessNotifyRoutine jmp jmp 2 PsSetCreateProcessNotifyRoutine jmp PsSetCreateProcessNotifyRoutine + 2
3. 5 0x57 0xBF 0xBF PspCreateProcessNotifyRoutine
4. PsCreateProcessNotifyRoutine Windows XP 0xBF mov edi 0x57 push edi
10 PsCreateProcessNotifyRoutine 11 jmp PsSetCreateProcessNotifyRoutine
Flash 12 Flash ActionScript Flash Player geturl() v GET Flash f.swf 12 Flash Flash Flash
PDF 13 JavaScript Acrobat Reader API app.viewerversion() 6.0 13 Acrobat JavaScript GIF Flash iframe GIF Acrobat Flash HTML iframe GIF Flash
GIF GIF 1 GIF 0x3B GIF iframe 14 14 GIF iframe Flash GIF Flash Web iframe 15 iframe Flash Flash HTML Flash iframe GIF 15 Flash iframe
DLL DLL rundll32.exe DLL DLL DLL 16 16 VMware APT FireEye 11 VMware VMware VMware VMware vmicheartbeat vmci vmdebug vmmouse vmscsi VMTools vmware vmx86 vmhgfs vmxnet
11 Virus Bulletin. Techniques for Evading Automated Analysis. February 2013.
17 RegOpenKeyExA() VMware RegOpenKeyExA() 17 RegOpenKeyExA() VMware VMware VMware 1 VMware 18 GetFileAttributesA() VMware 18 GetFileAttributesA() VMware GetFileAttributesA() cmp eax 0FFFFFFFh -1 vmmouse.sys VMware
VMX VMware VMX VMware 19 19 I/O VMware
1. mov eax, 'VMXh' 0x564D5868 EAX
2. EBX
3. ECX 0Ah VMware
4. DX VX VMware
5. in eax, dx EAX VMware
1 3 iframe FireEye Multi-Vector Virtual Execution™ MVX Flash/JPG iframe API VMware 1 2 3 1 3 1 1 FireEye MVX
1 FireEye MVX http://www.fireeye.co.jp/products-and-solutions/virtual-execution-engine.html
FireEye FireEye FireEye IPS FireEye FireEye Web 3 FireEye 2012 12 31 40 900 Fortune 500 100 http://www.fireeye.co.jp 2013 FireEye, Inc. All rights reserved. FireEye FireEye, Inc. RPT.HKTB.JA.082013 101-0054 1-1 6 TEL: 03-4577-4401 japan@fireeye.com www.fireeye.co.jp