Reflective Memory Attacks Deep Dive: How They Work; Why They're Hard to Detect

Jul 15, 2015


lumension

Chapter 1 Windows Security Log and Auditing

Reflective Memory Attacks Deep Dive: How They Work; Why They're Hard to Detect
2013 Monterey Technology Group Inc.

Audit and Assessment of Active Directory 2012 Monterey Technology Group Inc.

Brought to you by

Speaker: Dan Teal, Senior Architect

www.lumension.com

Preview of Key Points
- How did we get to where we are today with reflective memory attacks?
- How does reflective memory injection work?
- Why doesn't AV or application whitelisting detect it?
- What does a process look like that has been injected this way?
- How can it be detected via security software?

How did we get to where we are today with reflective memory attacks?

How does reflective memory injection work?
- Malformed content sent to PC
- Buffer overflow
- Shell code activates
- Downloads larger malware from Internet
- Writes malware directly to heap memory
- No file access
- Dynamically links references to function calls
- Flags memory as executable
- Spins up a thread to run the malware

How does reflective memory injection work? More details
- Write the library into the address space of the target process
- Pass execution to the Reflective Loader
  - Determines its location in memory for parsing its own headers
  - Parses the kernel32.dll export table to calculate the addresses of GetProcAddress and VirtualAlloc
  - Allocates a contiguous block of memory for loading its image
  - Loads in its headers and sections
  - Processes its import table, loading additional libraries as needed and resolving imported function addresses
  - Processes its relocation table
  - Calls its entry point function, DllMain

In a way, Microsoft makes it easy

Why doesn't AV or application whitelisting detect it?
- Nothing dropped onto the file system
- Does not use LoadLibrary()
- Will not show up in the list of loaded modules for a process
- RMI places libraries into processes that are already authorized and running
- DEP, ASLR, and other technologies: great but not enough
- Blacklisting involves collecting a list of bad threat signatures and preventing those apps from running
  - Reactive: always a step behind the latest threats
- Traditional signature-based anti-virus is not enough

What does a process look like that has been injected this way?

"At a process level the only indicators that the library exists is that there will be a chunk of allocated memory present, via VirtualAlloc, where the loaded library resides. This memory will be marked as readable, writable and executable. There will also be a thread of execution which will be, periodically at least, executing code from this memory chunk."
Stephen Fewer, Harmony Security
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

How can it be detected via security software?
- Synchronously: rock solid but prohibitively expensive performance-wise
- Asynchronously
  - Stack walking: performance prohibitive
  - Correlate processes with legitimate code: catches the attack without impacting performance

How can it be detected via security software? Synchronously
- Sequence of events: allocate memory via VirtualAllocEx, copy in the library, link it in, start a thread.
- The Windows kernel only gives a few options for registering for callbacks. Security software used to be able to hook the kernel to monitor VirtualAllocEx, but that is no longer an option on x64 with PatchGuard. We can register to be notified when a thread is started, but not when memory is allocated.

How can it be detected via security software? Asynchronously: stack walking
- Periodically analyze the call stack of every running thread to ensure that the instruction pointer in every stack frame points to legitimate code
- Pros: works very well if implemented correctly and can also detect types of buffer overflows
- Cons: performance impact

How can it be detected via security software? Asynchronously: legitimate code correlation
- Continually track every process from the kernel and correlate with legitimate code
  - Threads, memory regions, loaded module list (can be manipulated)
- Whitelisting provides great support for this: control loading of kernel modules
- Pros: low performance impact
- Cons: limited to detecting library injection
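As an added example (not from the slides or from Lumension), the following Python models the two asynchronous checks the deck describes on a constructed snapshot of one process: the region and thread correlation from the "legitimate code correlation" slide, and the stack-walk rule that every frame must point into a loaded module. The constants are the real winnt.h values; the module names, addresses, sizes and thread ids are made up.

```python
"""Added example, not from the slides: models the deck's two asynchronous checks
(legitimate-code correlation over memory regions, and thread stack walking) on a
CONSTRUCTED snapshot of one process. Field names mirror MEMORY_BASIC_INFORMATION;
every address and size below is made up."""
from collections import namedtuple

# winnt.h values for MEMORY_BASIC_INFORMATION.State / .Type / .Protect
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # any PAGE_EXECUTE* bit; GUARD/NOCACHE ignored

Module = namedtuple("Module", "name base size")               # loaded-module list entry
Region = namedtuple("Region", "base size state type protect")  # one VirtualQueryEx result

def owning_module(addr, modules):
    """Module whose image range contains addr, or None: the 'legitimate code' test."""
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def suspicious_regions(regions, modules):
    """Committed, private (VirtualAlloc'd), executable memory backed by no module:
    Fewer's footprint of a reflectively loaded library. MEM_IMAGE regions (real
    DLLs and the EXE) never match, so normal code is not flagged."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.type == MEM_PRIVATE
            and r.protect & EXEC_MASK and owning_module(r.base, modules) is None]

def suspicious_threads(threads, modules):
    """Stack walk: flag a thread whose start address or any frame return address
    lies outside every loaded module. threads = [(tid, start, [return addrs])];
    returns {tid: first offending address}."""
    bad = {}
    for tid, start, frames in threads:
        for addr in (start, *frames):
            if owning_module(addr, modules) is None:
                bad[tid] = addr
                break
    return bad

# Constructed snapshot. The module list is taken at face value here; the deck
# warns it can be manipulated, so a real agent must not trust it blindly.
MODULES = [Module("app.exe", 0x00400000, 0x80000),
           Module("kernel32.dll", 0x7FE00000, 0x110000),
           Module("ntdll.dll", 0x7FFE0000, 0x1A0000)]
REGIONS = [Region(0x00400000, 0x80000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ),
           Region(0x00A00000, 0x100000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),  # heap
           Region(0x02340000, 0x30000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
           Region(0x7FE00000, 0x110000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ)]
THREADS = [(1000, 0x00401230, [0x7FFE1234, 0x7FE01000, 0x00401500]),  # clean
           (1004, 0x7FE05000, [0x7FFE2000, 0x02341000, 0x7FE05010]),  # legit start, bad frame
           (1008, 0x02340000, [0x02340100])]                          # started in the RWX blob
```

Only the RWX private region and threads 1004 and 1008 are reported; thread 1004 shows why the stack walk matters, since its start address is legitimate and only a return address betrays it.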

Let's see detection in action


More Information

Free Security Scanner Tools
- Vulnerability Scanner: discover all OS and application vulnerabilities on your network
- Application Scanner: discover all the apps being used in your network
- Device Scanner: discover all the devices being used in your network
http://www.lumension.com/special-offer/premium-security-tools.aspx

Lumension Endpoint Management and Security Suite
- Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
- Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
- Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#217

Q&A

Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
