Reverse Engineering Malware: A look inside Operation Tovar
Brandon Tansey, Security Researcher, Lancope
Jan 15, 2015
© 2014 Lancope, Inc. All rights reserved.
Source: 2014 Verizon DBIR
75% of malware contained functionality of spyware/keyloggers
55% of malware automatically collected pre-existing data on victim computers
Source: 2013 Verizon DBIR
All malware leaves behind some information of its own
Malware Analysis
What information is there to find?
• Command and control hosts
• Encryption keys
• Implementation flaws
• Exploits
• Malware capabilities
• …
What information do you need?
Dynamic Analysis vs. Static Analysis
Initialization
1. Start the malware
2. Malware loads RSAenh.dll (Microsoft Enhanced Cryptographic Provider)
Establishing Persistence
3. Copy self to Application Data
4. Open second process
5. Maintain auto-start registry keys
Reaching Out
6. Make network calls
7. Start looking for command and control hosts
Establish C2
8. Find valid C2 host
Compromise
9. Store public key
10. Scan and encrypt files
Close Loop
11. Log encrypted files and start over
What do we think we know?
• Takes advantage of advanced public key crypto
  – RSAenh.dll
  – PublicKey registry key
• Loops through DNS requests for tons of gibberish hosts until it finds an active, real one
  – All samples appear to create the same domains
• Does not begin encrypting until it receives the public key from the C2 server
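The DNS behaviour summarised above (a burst of lookups for gibberish hosts that stops once one resolves) is something a defender can hunt for in resolver logs. The following is an added example, not code from the talk: it parses constructed resolver log lines in an assumed `timestamp client qname rcode` format and flags clients whose streak of NXDOMAIN answers for high-entropy names ends in a successful lookup. The thresholds (5 failures, 3.0 bits/char) are assumptions to tune locally.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log format (assumed): "<timestamp> <client_ip> <qname> <rcode>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

# Constructed sample: 10.0.0.7 walks gibberish names until one resolves;
# 10.0.0.9 does ordinary lookups, including a typo that yields NXDOMAIN.
SAMPLE_LOG = """\
2014-05-30T10:00:01Z 10.0.0.7 kqzxfrtdmaynbw.com NXDOMAIN
2014-05-30T10:00:01Z 10.0.0.7 plvgwtchdneyqxs.net NXDOMAIN
2014-05-30T10:00:02Z 10.0.0.7 ybzmkqhroxcjwfd.org NXDOMAIN
2014-05-30T10:00:02Z 10.0.0.7 dsnfurkbwvmqthe.biz NXDOMAIN
2014-05-30T10:00:03Z 10.0.0.7 wrtzqlhvkpxmydn.info NXDOMAIN
2014-05-30T10:00:03Z 10.0.0.7 hvqzkypndwtmcxr.ru NOERROR
2014-05-30T10:00:04Z 10.0.0.9 www.google.com NOERROR
2014-05-30T10:00:05Z 10.0.0.9 gogle.com NXDOMAIN
2014-05-30T10:00:06Z 10.0.0.9 mail.example.org NOERROR
""".splitlines()

def label_entropy(hostname):
    """Shannon entropy in bits/char of the second-level label (TLD ignored)."""
    labels = hostname.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(sld)
    return -sum(c / n * math.log2(c / n) for c in Counter(sld).values())

def parse_dns_log(lines):
    """Yield (timestamp, client, qname, rcode); non-matching lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groups()

def find_dga_clients(lines, min_nx=5, min_entropy=3.0):
    """Clients with >= min_nx NXDOMAIN answers for high-entropy names.
    'resolved' lists names that resolved only after that failure streak,
    i.e. the live host the loop settled on (a lead to investigate, not a verdict)."""
    per_client = defaultdict(lambda: {"nxdomain": 0, "resolved": []})
    for _, client, qname, rcode in parse_dns_log(lines):
        if label_entropy(qname) < min_entropy:
            continue  # human-readable name: ignore it
        rec = per_client[client]
        if rcode == "NXDOMAIN":
            rec["nxdomain"] += 1
        elif rec["nxdomain"] >= min_nx:
            rec["resolved"].append(qname.lower())
    return {c: r for c, r in per_client.items() if r["nxdomain"] >= min_nx}
```

Pair a hit with the process-level observations above (RSAenh.dll load, Application Data copy, auto-start keys) before acting on it; entropy alone will also flag CDNs and some legitimate randomised hostnames.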
Static Analysis
Source: microsoft.com
Source: justice.gov
Operation Tovar
Source: justice.gov
Operational Security (OPSEC)
Source: archive.gov
Source: justice.gov
“In cooperation with Luxembourg law enforcement agencies, pursuant to an MLAT request, the FBI analyzed the contents of [second level Cryptolocker] server, discovering HTTP access logs that showed which users were accessing this server.”
Source: justice.gov
“This consistent pattern of overlapping IP addresses and user agent strings establishes that Bogachev was the individual utilizing and managing the [Gameover] infrastructure. Moreover, the fact that Bogachev had elevated Administrative access to the critical UK GOZ server establishes that he is not only a participant in the GOZ conspiracy, but a leader.”
Source: justice.gov
Source: justice.gov
Tovar Time-out!
Source: virustotal.com
Source: blackhat.com
Library of Sparta – Tom Cross, David Raymond, Greg Conti
Wednesday, August 5th at 10:15am
Source: justice.gov
Source: justice.gov
Source: justice.gov
Tools
• YOUR FAVORITE SEARCH ENGINE!
• Process Monitor (SysInternals)
• Wireshark
• Inetsim (via Remnux)
• IDA Pro (alt. IDA shareware, radare, Hopper, objdump)
Want to learn more?
• OpenSecurityTraining.info
• Practical Malware Analysis (Michael Sikorski and Andrew Honig)
• The IDA Pro Book (Chris Eagle)
<shamelessPlug>
• http://lancope.com/blog
• https://twitter.com/stealth_labs
• https://twitter.com/lancope
</shamelessPlug>