Source: OST on "Malware Reverse Engineering", Professor Poz Goals:
Purpose of networking code in malware
How to detect If the intruder uses a specific tool, technique, or procedure, then it is likely possible to fingerprint Command and Control While each of the listed purposes of networking code offers an opportunity to detect and prevent an intrusion, we will focus on remote access tool (RAT) analysis in our examples and exercises. Windows Networking APIs [source: Sikorski, M. & Honig, A. (2012).“Practical Malware Analysis,” p. 313] Command and Control (C2)
Understanding a remote access tool (RAT) is all about understanding its network communication. All RATs are broken into two pieces, an implant, which is placed on the compromised system, and a controller, which the intruder uses to control the implant. The network communication is then one of four types:
Indicators Creating low false positive, low false negative signatures can be difficult. The best indicators come from hard-coded, static strings in the malware. For example, when the C2 is tunneled over HTTP and is using a unique User-Agent string, the string can be turned into a simple NIDS signature. When there are no strings that would yield a low false positive signature, attributes of the C2 can sometimes be used to create effective, though higher false positive, signatures. Examples:
IDS Rule Writing WARNING: Know where your signatures will be used! For example, HTTP communication through a proxy can change the headers or the requested resource depending on which side of the proxy the signature is implemented. Pre-proxy means the requested resource is a full URL, with protocol and domain name. Post-proxy means possible additional headers added by the proxy, such as X-Forwarded-For or Via. Don’t give up if the C2 is encrypted. Depending on the chosen encryption algorithm or implementation, a reasonable signature is still possible. For example, if the attacker is using RC4, has embedded the key in the malware itself, and the pre-encrypted C2 has well-defined fields that are NULL padded, you can pick an offset into the data that you know will always be NULL bytes before encryption and compute their encrypted values. Then a simple NIDS signature can be used to test for those specific bytes at the chosen offset.
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |