Win32/Flamer: Reverse Engineering and Framework Reconstruction


    Aleksandr Matrosov
    Eugene Rodionov
Outline of The Presentation

 Typical malware vs. Stuxnet/Flame
    What’s the difference?

 Flamer code reconstruction problems
    C++ code reconstruction
    Library code identification


 Flamer framework overview

 Object oriented code reconstruction

 Relationship Stuxnet/Duqu/Flamer
Typical Malware vs. Stuxnet/Flamer
What’s the Difference?

 Typical malware                           Stuxnet/Flame …
     Different motivation, budget …         Different motivation, budget …
     Use 1-days for distribution            Use 0-days for distribution
     Anti-stealth for bypassing AV          Anti-stealth for bypassing all security software
     Stealth timing: months                 Stealth timing: years
     Developed in C, or C++ in C style      Tons of C++ code with OOP
     Simple architecture for plugins        Industrial OO framework platform
     Traditional ways of obfuscation:       Other ways of code obfuscation:
        packers                                tons of embedded static code
        polymorphic code                       specific compilers/options
        vm-based protection                    object-oriented wrappers for typical OS utilities
        …
Stuxnet/Duqu/Flamer/Gauss Appearance
[timeline figure; not reproduced in the extracted text]
Code Complexity Growth
[chart: code complexity growth; series labelled Gauss, miniFlamer, Stuxnet, Duqu, Flamer]
C++ Code Reconstruction Problems
 Object identification
    Type reconstruction



 Class layout reconstruction
     Identify constructors/destructors
     Identify class members
     Local/global type reconstruction
     Associate object with exact method calls

 RTTI reconstruction
    Vftable reconstruction
    Associate vftable object with exact object
    Class hierarchy reconstruction
C++ Code Reconstruction Problems
[diagram: an object of class A starts with vfPtr, which points to A::vfTable; the entry just before the table ("meta") points to the RTTI Complete Object Locator (signature, pTypeDescriptor, pClassDescriptor), and the table entries are A::a1() and A::a2()]
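As an added example (not code from the slides, and not Flamer's own code), the following Python walks the structures in the diagram above the way an analyst scripts it in IDA: from the vftable, through the Complete Object Locator, to the class name and the base-class list, plus a count of virtual methods. It runs on a constructed 32-bit image using the layouts MSVC emits for x86; the image contents and the .text range used to end the vftable walk are assumptions of this example.

```python
"""
Recover a class name, its base classes and its virtual methods from the MSVC
RTTI that hangs off a vftable: vftable[-1] ("meta") -> RTTICompleteObjectLocator
-> TypeDescriptor / ClassHierarchyDescriptor. Constructed example image; the
.text range is assumed for that image only.
"""
import struct

IMAGE_BASE = 0x10001000
CODE_LO, CODE_HI = 0x10002000, 0x10003000   # assumed .text range of the constructed image


class Image:
    """Flat little-endian memory image addressed by virtual address."""

    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def u32(self, va):
        return struct.unpack_from("<I", self.buf, va - self.base)[0]

    def s32(self, va):
        return struct.unpack_from("<i", self.buf, va - self.base)[0]

    def cstring(self, va):
        off = va - self.base
        return self.buf[off:self.buf.index(b"\0", off)].decode("ascii")

    def put_u32s(self, va, values):
        struct.pack_into("<%dI" % len(values), self.buf, va - self.base, *values)

    def put_bytes(self, va, data):
        self.buf[va - self.base:va - self.base + len(data)] = data


def demangle_class_name(mangled):
    """'.?AVBar@Foo@@' -> 'Foo::Bar' (.?AV = class, .?AU = struct)."""
    if not mangled.startswith((".?AV", ".?AU")):
        return mangled
    return "::".join(reversed(mangled[4:].rstrip("@").split("@")))


def read_col(img, vftable_va):
    """RTTICompleteObjectLocator: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor."""
    col_va = img.u32(vftable_va - 4)
    sig, offset, _cd_offset, p_type, p_class = (img.u32(col_va + 4 * i) for i in range(5))
    if sig != 0:  # 0 on x86 (absolute pointers); 1 is the x64 image-relative layout
        raise ValueError("unexpected COL signature %d at 0x%08X" % (sig, col_va))
    return offset, p_type, p_class


def type_name(img, type_desc_va):
    """TypeDescriptor: type_info vftable pointer, spare pointer, then the mangled name."""
    return demangle_class_name(img.cstring(type_desc_va + 8))


def base_classes(img, class_desc_va):
    """ClassHierarchyDescriptor -> BaseClassArray -> BaseClassDescriptors (the class itself first)."""
    _sig, _attrs, count, p_array = (img.u32(class_desc_va + 4 * i) for i in range(4))
    bases = []
    for i in range(count):
        bcd = img.u32(p_array + 4 * i)
        # BaseClassDescriptor: pTypeDescriptor, numContainedBases, PMD{mdisp, pdisp, vdisp}, attributes
        bases.append((type_name(img, img.u32(bcd)), img.s32(bcd + 8)))
    return bases


def vftable_methods(img, vftable_va):
    """Collect entries until a value no longer points into .text (the next data item)."""
    methods, va = [], vftable_va
    while CODE_LO <= img.u32(va) < CODE_HI:
        methods.append(img.u32(va))
        va += 4
    return methods


def reconstruct_class(img, vftable_va):
    offset, p_type, p_class = read_col(img, vftable_va)
    return {
        "name": type_name(img, p_type),
        "this_offset": offset,            # non-zero for the vftable of a non-primary base
        "bases": base_classes(img, p_class),
        "methods": vftable_methods(img, vftable_va),
    }


def build_sample_image():
    """Constructed image: class B : public A, with B's vftable and RTTI at fixed addresses."""
    img = Image(IMAGE_BASE, 0x3000)
    td_a, td_b = 0x10001100, 0x10001120
    img.put_u32s(td_a, [0x10003800, 0])
    img.put_bytes(td_a + 8, b".?AVA@@\0")
    img.put_u32s(td_b, [0x10003800, 0])
    img.put_bytes(td_b + 8, b".?AVB@@\0")
    bcd_a, bcd_b = 0x10001140, 0x10001160
    img.put_u32s(bcd_a, [td_a, 0, 0, 0xFFFFFFFF, 0, 0])   # pdisp = -1: non-virtual base
    img.put_u32s(bcd_b, [td_b, 1, 0, 0xFFFFFFFF, 0, 0])
    bca_b, chd_b = 0x10001180, 0x100011A0
    img.put_u32s(bca_b, [bcd_b, bcd_a])
    img.put_u32s(chd_b, [0, 0, 2, bca_b])
    col_b, vft_b = 0x100011C0, 0x10001200
    img.put_u32s(col_b, [0, 0, 0, td_b, chd_b])
    # COL pointer, three method pointers into .text, then unrelated data (ends the walk)
    img.put_u32s(vft_b - 4, [col_b, 0x10002010, 0x10002040, 0x10002080, td_a])
    return img, vft_b


if __name__ == "__main__":
    img, vft = build_sample_image()
    info = reconstruct_class(img, vft)
    print("%s : %s" % (info["name"], ", ".join(n for n, _ in info["bases"][1:])))
    for i, m in enumerate(info["methods"]):
        print("  vftable[%d] = 0x%08X" % (i, m))
```

Binaries built without RTTI (or with it stripped) have no COL behind the vftable, which is when the constructor-tracking and vtable-xref methods from the following slides become the only way to recover the class layout.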
Identify Smart Pointer Structure
Identify Exact Virtual Function Call in vtable
Identify Custom Type Operations
Identify Object Constructors
Library Code Identification Problems

 Compiler optimization

 Wrappers for WinAPI calls

 Embedded library code
   Library version identification problem

 IDA signatures (FLIRT) use syntax-based, byte-pattern matching:
   Recompiled libraries problem
   Compiler optimization problem
Object Oriented API Wrappers and Implicit Calls
Festi: OOP in kernel-mode
Main Festi functionality is stored in kernel mode
[diagram: the Win32/Festi dropper (user mode) installs the Win32/Festi kernel-mode driver; the driver then downloads Win32/Festi Plugin 1, Plugin 2, ..., Plugin N into kernel mode]
Festi: Architecture
[diagram: the Win32/Festi driver is built from a Plugin Manager, a C&C Protocol Parser, a Network Socket component and a Memory Manager]
Festi: Plugin Interface
[diagram: an array of pointers to plugins; each entry Plugin1 ... PluginN points to that plugin's struct PLUGIN_INTERFACE]
Festi: Plugins

 Festi plugins are volatile modules in kernel-mode address space:
   downloaded each time the bot is activated
   never stored on the hard drive

 The plugins are capable of:
   sending spam – BotSpam.dll
   performing DDoS attacks – BotDoS.dll
   providing proxy service – BotSocks.dll
Flamer Framework Overview
The main types used in the Flamer Framework are:
 Command Executors – objects exposing an interface that allows the
  malware to dispatch commands received from C&C servers

 Tasks – objects of this type represent tasks executed in separate
  threads, which constitute the backbone of the main module of Flamer

 Consumers – objects which are triggered on specific events (creation
  of a new module, insertion of removable media, etc.)

 Delayed Tasks – these objects represent tasks which are executed
  periodically with a certain delay
An overview of the Flamer Framework
[diagram of the main object containers]
 Vector<Consumer>:         Mobile Consumer, Cmd Consumer, Lua Consumer, Media Consumer
 Vector<Command Executor>: DB_Query, ClanCmd, FileCollect, Driller, GetConfig
 Vector<Task>:             IDLER, CmdExec, Sniffer, Munch, FileFinder
 Vector<DelayedTasks>:     Euphoria, Share Supplier, LSS Sender, Frog, Beetlejuice
Some of Flamer Framework Components

 Security      Identifying processes in the system corresponding to security software:
               antiviruses, HIPS, firewalls, system information utilities, etc.
 Microbe       Leverages the voice recording capabilities of the system
 Idler         Running tasks in the background
 BeetleJuice   Utilizes the Bluetooth facilities of the system
 Telemetry     Logging of all the events
 Gator         Communicating with C&C servers
Flamer SQLite Database Schema
[schema diagram; not reproduced in the extracted text]
Reconstructing Flamer Framework
Data Types Being Used

 Smart pointers

 Strings

 Vectors to maintain the objects

 Custom data types: wrappers, tasks, triggers, etc.
Data Types Being Used: Smart pointers
struct SMART_PTR
{
   void     *pObject;    // pointer to the managed object
   int      *RefNo;      // pointer to the shared reference counter
};
Data Types Being Used: Strings
struct USTRING_STRUCT
{
   void *vTable;             // pointer to the virtual function table
   int RefNo;                // reference counter
   int Initialized;
   wchar_t *UnicodeBuffer;   // pointer to the Unicode string
   char *AsciiBuffer;        // pointer to the ASCII string
   int AsciiLength;          // length of the ASCII string
   int Reserved;
   int Length;               // length of the Unicode string (in characters)
   int LengthMax;            // size of UnicodeBuffer
};
Data Types Being Used: Vectors
struct VECTOR
{
  void *vTable;         //   pointer to the virtual function table
  int NumberOfItems;    //   number of elements currently stored
  int MaxSize;          //   capacity of the element buffer
  void *vector;         //   pointer to the buffer with the elements
};

 Used to handle the objects:
   tasks
   triggers
   etc.
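As an added example (not code from the slides or from Flamer), this Python script applies the three layouts above to a memory image and walks a VECTOR of SMART_PTRs to USTRING_STRUCT objects, checking the consistency fields an analyst would rely on before trusting a string (Length against LengthMax, NumberOfItems against MaxSize). The image is constructed by hand for a 32-bit module; the assumption that the VECTOR stores SMART_PTR elements inline (8 bytes each) is ours, as the slides do not state the element type.

```python
"""
Walk a Flamer-style VECTOR of SMART_PTRs to USTRING_STRUCT objects in a
32-bit memory image, using the reconstructed layouts. Constructed image;
the inline SMART_PTR element layout is an assumption of this example.
"""
import struct
from collections import namedtuple

SmartPtr = namedtuple("SmartPtr", "pObject RefNo")
UString = namedtuple("UString", "vTable RefNo Initialized UnicodeBuffer AsciiBuffer "
                                "AsciiLength Reserved Length LengthMax")
Vector = namedtuple("Vector", "vTable NumberOfItems MaxSize vector")

SMART_PTR_FMT = "<II"       # void *pObject; int *RefNo                (8 bytes)
USTRING_FMT = "<IiiIIiiii"  # nine DWORD-sized fields                  (36 bytes)
VECTOR_FMT = "<IiiI"        # vTable, NumberOfItems, MaxSize, buffer   (16 bytes)
SMART_PTR_SIZE = struct.calcsize(SMART_PTR_FMT)


class Dump:
    """Flat memory image with a base address; stands in for a process dump."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def bytes_at(self, va, size):
        off = va - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("read of %d bytes at 0x%08X leaves the image" % (size, va))
        return self.data[off:off + size]

    def read(self, va, fmt):
        return struct.unpack(fmt, self.bytes_at(va, struct.calcsize(fmt)))


def ustring_value(dump, s):
    """Prefer the Unicode buffer once the string is initialised, else the ASCII one."""
    if not 0 <= s.Length <= s.LengthMax:
        raise ValueError("USTRING Length %d exceeds LengthMax %d" % (s.Length, s.LengthMax))
    if s.Initialized and s.UnicodeBuffer:
        return dump.bytes_at(s.UnicodeBuffer, 2 * s.Length).decode("utf-16-le")
    if s.AsciiBuffer:
        return dump.bytes_at(s.AsciiBuffer, s.AsciiLength).decode("ascii")
    return ""


def walk_string_vector(dump, vector_va):
    """Return (object address, shared refcount, string) for every stored element."""
    vec = Vector(*dump.read(vector_va, VECTOR_FMT))
    if not 0 <= vec.NumberOfItems <= vec.MaxSize:
        raise ValueError("VECTOR NumberOfItems %d exceeds MaxSize %d"
                         % (vec.NumberOfItems, vec.MaxSize))
    items = []
    for i in range(vec.NumberOfItems):
        sp = SmartPtr(*dump.read(vec.vector + i * SMART_PTR_SIZE, SMART_PTR_FMT))
        refcount = dump.read(sp.RefNo, "<i")[0]      # RefNo points at the shared counter
        s = UString(*dump.read(sp.pObject, USTRING_FMT))
        items.append((sp.pObject, refcount, ustring_value(dump, s)))
    return items


def build_sample_dump():
    """Constructed image: a VECTOR holding two smart pointers to strings."""
    base = 0x00400000
    buf = bytearray(0x400)

    def put(va, fmt, *values):
        struct.pack_into(fmt, buf, va - base, *values)

    uni_buf, uni_text = base + 0x100, "sample.log"          # constructed values
    buf[0x100:0x100 + 2 * len(uni_text)] = uni_text.encode("utf-16-le")
    asc_buf, asc_text = base + 0x140, b"cfg.dat"
    buf[0x140:0x140 + len(asc_text)] = asc_text

    us1, us2 = base + 0x200, base + 0x240
    put(us1, USTRING_FMT, 0x10001000, 1, 1, uni_buf, 0, 0, 0, len(uni_text), 32)
    put(us2, USTRING_FMT, 0x10001000, 1, 0, 0, asc_buf, len(asc_text), 0, 0, 0)
    rc1, rc2 = base + 0x280, base + 0x284   # shared reference counters
    put(rc1, "<i", 2)
    put(rc2, "<i", 1)
    elems = base + 0x300                    # inline SMART_PTR array (assumed layout)
    put(elems, SMART_PTR_FMT, us1, rc1)
    put(elems + SMART_PTR_SIZE, SMART_PTR_FMT, us2, rc2)
    vec = base + 0x380
    put(vec, VECTOR_FMT, 0x10001040, 2, 4, elems)
    return Dump(base, bytes(buf)), vec


if __name__ == "__main__":
    dump, vec_va = build_sample_dump()
    for obj, refs, text in walk_string_vector(dump, vec_va):
        print("0x%08X refs=%d %r" % (obj, refs, text))
```

The same format strings double as the field order for the "Local Types" definitions in the next slides; a vTable value that differs between two USTRING_STRUCT instances is the first sign that they belong to different classes sharing one layout.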
Using Hex-Rays Decompiler

 Identifying constructors/destructors
   The constructor call usually follows the memory allocation (operator new)
   The pointer to the object is passed in ecx (thiscall; sometimes in other registers)

 Reconstructing object’s attributes
   Creating a custom type in “Local Types” for the object

 Analyzing object’s methods
   Creating a custom type in “Local Types” for the table of virtual routines
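As an added example (not code from the slides or from Flamer), the constructor heuristic in the bullets above written out in Python: find a call to an allocator, follow the returned pointer from eax into whichever register ends up in ecx, and report the next call as the constructor candidate, using the size pushed to operator new to emit a "Local Types" skeleton for the object. It runs on a constructed listing of (address, mnemonic, operands) tuples such as one exports from IDA; the allocator names and the vfptr-at-offset-0 assumption in the skeleton are ours.

```python
"""
Constructor-candidate heuristic: the object is allocated with operator new,
the returned pointer travels from eax into ecx (thiscall), and the next call
is the constructor. Constructed listing; allocator names are assumptions.
"""

# MSVC x86: ??2@YAPAXI@Z is the decorated name of operator new(unsigned int)
ALLOCATORS = {"??2@YAPAXI@Z", "operator new", "malloc"}
# instructions whose first operand is written (enough for this heuristic)
WRITES_DST = {"mov", "lea", "pop", "xor", "add", "sub", "and", "or"}

# Constructed listing: two allocations followed by constructor calls (the
# second hands the pointer through edi first) and one malloc'd plain buffer.
LISTING = [
    (0x401000, "push", "28h"),
    (0x401002, "call", "??2@YAPAXI@Z"),
    (0x401007, "add", "esp, 4"),
    (0x40100A, "test", "eax, eax"),
    (0x40100C, "jz", "short loc_40101B"),
    (0x40100E, "mov", "ecx, eax"),
    (0x401010, "call", "sub_402340"),        # constructor candidate (this in ecx)
    (0x401015, "mov", "esi, eax"),
    (0x401017, "jmp", "short loc_40101D"),
    (0x40101B, "xor", "esi, esi"),
    (0x40101D, "push", "10h"),
    (0x40101F, "call", "??2@YAPAXI@Z"),
    (0x401024, "add", "esp, 4"),
    (0x401027, "mov", "edi, eax"),
    (0x401029, "test", "edi, edi"),
    (0x40102B, "jz", "short loc_401038"),
    (0x40102D, "mov", "ecx, edi"),
    (0x40102F, "call", "sub_402500"),        # constructor candidate, pointer via edi
    (0x401034, "push", "100h"),
    (0x401036, "call", "malloc"),
    (0x40103B, "add", "esp, 4"),
    (0x40103E, "push", "100h"),
    (0x401040, "push", "0"),
    (0x401042, "push", "eax"),
    (0x401043, "call", "memset"),            # plain buffer: ecx never holds the pointer
]


def parse_imm(text):
    """IDA-style immediates: '28h' -> 40, '0x28' -> 40, '40' -> 40."""
    text = text.strip().lower()
    if text.endswith("h"):
        return int(text[:-1], 16)
    return int(text, 0)


def find_constructors(listing, window=8):
    """Return allocation/constructor pairs found by following the new'd pointer."""
    found = []
    for i, (addr, mnem, ops) in enumerate(listing):
        if mnem != "call" or ops not in ALLOCATORS:
            continue
        size = None
        if i and listing[i - 1][1] == "push":
            try:
                size = parse_imm(listing[i - 1][2])
            except ValueError:               # size pushed from a register: unknown
                size = None
        aliases = {"eax"}                    # registers/slots currently holding the pointer
        for call_addr, m, o in listing[i + 1:i + 1 + window]:
            if m == "call":
                if "ecx" in aliases:
                    found.append({"alloc_at": addr, "size": size,
                                  "ctor": o, "ctor_call": call_addr})
                break
            if m in WRITES_DST:
                parts = [p.strip() for p in o.split(",")]
                dst, src = parts[0], parts[1] if len(parts) > 1 else None
                if m == "mov" and src in aliases:
                    aliases.add(dst)
                elif dst in aliases:
                    aliases.discard(dst)     # pointer overwritten before reaching ecx
    return found


def struct_skeleton(candidate):
    """Text for a Local Types entry sized from the operator new argument."""
    size = candidate["size"]
    lines = ["struct obj_%s  // %d bytes" % (candidate["ctor"], size), "{",
             "    void *vfptr;       // 0x00 (assumed: first DWORD is the vftable pointer)"]
    for off in range(4, size, 4):
        lines.append("    int   field_%-4X  // 0x%02X" % (off, off))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for cand in find_constructors(LISTING):
        print("0x%08X: new(%d) -> %s" % (cand["ctor_call"], cand["size"], cand["ctor"]))
        print(struct_skeleton(cand))
```

The null check MSVC emits between operator new and the constructor (test/jz) is why the scan tolerates intervening instructions; the skeleton's field names are then renamed as the constructor's stores to [ecx+N] are read off in the decompiler.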
Reconstructing Object’s Attributes
Reconstructing Object’s Methods
DEMO
Relationship Stuxnet/Duqu/Gauss/Flamer
Source Code Base Differences
Exploit Implementations

 Stuxnet:  MS10-046 (LNK), MS10-061 (Print Spooler), MS08-067 (RPC),
           MS10-073 (Win32k.sys), MS10-092 (Task Scheduler)
 Duqu:     MS11-087 (Win32k.sys)
 Flame:    MS10-046 (LNK), MS10-061 (Print Spooler), MS08-067 (RPC)
 Gauss:    MS10-046 (LNK)
Exploit Implementations: Stuxnet & Duqu
 The payload is injected into processes from both the kernel-mode
  driver and the user-mode module

 Hooks:
     ZwMapViewOfSection
     ZwCreateSection
     ZwOpenFile
     ZwClose
     ZwQueryAttributesFile
     ZwQuerySection

 Executes LoadLibraryW, passing as a parameter either:
   KERNEL32.DLL.ASLR.XXXXXXXX
   SHELL32.DLL.ASLR.XXXXXXXX
Injection mechanism: Flame
 The payload is injected into processes from the user-mode module

 The injection technique is based on:
   VirtualAllocEx
   WriteProcessMemory / ReadProcessMemory
   CreateRemoteThread / RtlCreateUserThread

 The injected module is disguised as shell32.dll

 Hooks the entry point of msvcrt.dll by modifying the PEB
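As an added example, not part of the slides: what the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread primitive above leaves in endpoint telemetry, and a triage rule over it. The records are constructed to carry the fields Sysmon's Event ID 8 (CreateRemoteThread) reports, the allow-list of legitimate thread-creating sources is a placeholder to tune per environment, and nothing here models Flame's own loader beyond that primitive.

```python
"""
Triage of cross-process thread creation: a remote thread whose start address
no loaded module backs is what CreateRemoteThread into a VirtualAllocEx'd
region looks like, and a remote thread on LoadLibrary is classic DLL
injection. Constructed records; the allow-list is a placeholder.
"""
LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
# Windows components that legitimately start threads in other processes (placeholder)
TRUSTED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}

# Constructed records shaped like Sysmon Event ID 8 fields ("-" = unresolved).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x77A3B010", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x77A3B010", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x02A40000", "StartModule": "-", "StartFunction": "-"},
    {"SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "StartAddress": "0x7C801D7B", "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
]


def classify(event):
    """Return a reason string for a suspicious remote thread, None otherwise."""
    src, tgt = event["SourceImage"].lower(), event["TargetImage"].lower()
    if src == tgt or src in TRUSTED_SOURCES:
        return None
    module = event.get("StartModule", "-").strip()
    if module in ("", "-"):
        # entry point in memory no module backs: a written-in VirtualAllocEx region
        return "remote thread at unbacked address"
    if event.get("StartFunction", "").lower() in LOADLIBRARY:
        return "remote thread on LoadLibrary (DLL injection)"
    return None


def triage(events):
    """(source, target, reason) for every event the rule flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["SourceImage"], event["TargetImage"], reason))
    return hits


if __name__ == "__main__":
    for src, tgt, reason in triage(SAMPLE_EVENTS):
        print("%s -> %s: %s" % (src, tgt, reason))
```

This sees only the thread creation. The shell32.dll disguise and the PEB modification on the slide are in-memory artifacts of the target process, which need a comparison of the PEB module list against the files actually mapped, not the event log.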
Exploit Implementations: Gauss

 The payload is injected into processes from user-mode
  module
Thank you for your attention!



Eugene Rodionov         Aleksandr Matrosov
rodionov@eset.sk        matrosov@eset.sk
@vxradius               @matrosov
