Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted
Turbo Unpacking:<br />
A Journey into Malicious Packers<br />
Nicolas Brulez<br />
Senior Virus Analyst<br />
Global Research and Analysis Team<br />
Kaspersky Lab
Agenda<br />
• Introduction to Packers<br />
• Challenges of Malicious Packers<br />
• Case Studies<br />
– Gpcode<br />
– Hlux<br />
– SpyEye<br />
– CodecPack<br />
– Shaddows Crypt 2 Priv8 (for the lolz)<br />
• Conclusion
Introduction to « Packers »<br />
(Diagram: families of PECOFF-based tools: Crypters, SFX, Packers, Archives, Protectors, Installers, Bundlers, Hybrids)
(Diagram labels: Y0da Crypt, Dot Fake Signer, Code Virtualizer)<br />
• Crypters<br />
– Multiple protection layers<br />
– Polymorphic decryptors / entry<br />
– Custom encryption algorithms<br />
– Numerous anti-reversing protections<br />
– Anti-debugging<br />
– Import protection (redirections)<br />
– Original entry point protection
• Obfuscators<br />
– Multiple protection layers<br />
– Polymorphic entry point / fake identity<br />
– Custom encryption algorithms<br />
– Some anti-reversing protection<br />
– Anti-debugging<br />
– Memory protection
• Virtualization<br />
– Embedded virtual machine for selected functions<br />
– Obfuscations are used to make analysis more difficult<br />
– Compatible with other packers/protectors
(Diagram: tools with compression, with examples: UPX for packers, ASProtect for protectors, MoleBox for bundlers)<br />
• Packers<br />
– Single or multiple code layers<br />
– Multiple compression algorithms in use<br />
– aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,…<br />
– Custom PECOFF table processing<br />
– Imports are usually* compressed<br />
– Resources are usually* compressed<br />
– Relocations are usually* compressed<br />
– TLS can be emulated<br />
– Can pack x86/x64/.NET files<br />
– No anti-reversing protection<br />
* If present and selected by the user
• Protectors<br />
– Multiple encrypted code layers<br />
– Multiple compression algorithms in use<br />
– aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,…<br />
– Custom PECOFF table processing<br />
– Imports are usually* protected<br />
– Resources are usually* protected<br />
– Relocations are usually* protected<br />
– TLS can be emulated<br />
– Can protect x86/x64/.NET files<br />
– Usually come with integrated licensing<br />
– Numerous anti-reversing protections<br />
– Every table you could think of and then some<br />
* If present and selected by the user
• Bundlers<br />
– Multiple encrypted code layers<br />
– Multiple compression algorithms in use<br />
– aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg,…<br />
– Custom PECOFF table processing<br />
– Imports are usually* protected<br />
– Resources are usually* compressed<br />
– Relocations are usually* compressed<br />
– TLS can be emulated<br />
– Can protect x86/x64 files<br />
– Some anti-reversing protection<br />
– Usually limited to import table/entry point<br />
* If present and selected by the user
Malware Packers<br />
(Diagram: malware-specific tools, with examples: shadow’s pack for packers, pohernah for obfuscators, p0ke Crypt for bundlers)<br />
• “Custom” packers<br />
• Packers<br />
– Multiple versions (per request)<br />
– High use of polymorphism<br />
– Usually simple memory overwrites<br />
• Obfuscators<br />
– Multiple versions (per request)<br />
– Highly obfuscated entry point<br />
• Bundlers<br />
– Usually simple overlay packers
Standard packed file layout<br />
• Original file layout: DOS header, PE header, Sections (code, data, imports), Resources, Overlay<br />
• Packed file layout: DOS header, PE header, Sections (compressed), Resources, STUB, Overlay
Malicious « packed » file layout<br />
• Original file layout: DOS header, PE header, Sections (code, data, imports), Resources, Overlay<br />
• Packed file layout: DOS header, PE header, Sections (code, data, imports), Resources, Encrypted File (the original file, embedded in encrypted form), Overlay
Challenges of Malicious Packers<br />
• Highly polymorphic (server side)<br />
• Anti-emulation<br />
• Anti-sandboxing<br />
• Anti-debugging<br />
• Crazy code flow: code moved around the heap<br />
• Long to trace to the end
Case Study: Gpcode<br />
• Gpcode is a ransomware<br />
• It encrypts specific sets of files (office documents, text, pictures etc.)<br />
• Uses AES 256 for file encryption<br />
• Uses RSA 1024 to protect the AES key from security companies<br />
• Uses custom packers<br />
• http://www.securelist.com/en/blog/6165/Ransomware_GPCode_strikes_back
Case Study: Hlux<br />
• Peer-to-peer botnet<br />
• Very similar to the Waledac botnet<br />
• Uses custom packers<br />
• http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet
Case Study: SpyEye<br />
• Infamous banking Trojan<br />
• Remote configuration file<br />
• Targets lots of banks<br />
• Able to inject HTML/JavaScript code into the banking site on the local machine<br />
• Using the sample provided for the Honeynet Challenge<br />
• Uses custom packers
Case Study: CodecPack<br />
• Advertising botnet<br />
• Downloads adware and clickers<br />
• Uses custom packers<br />
• http://www.securelist.com/en/analysis/204792172/The_Advertising_Botnet
Shaddows Crypt v2 Priv8 (for the lolz)<br />
• Custom packer sold to encrypt malware<br />
• Uses anti-debugging, anti-sandboxing, anti-VM and so on.<br />
• Written in Delphi *cough*<br />
• Very lame *double cough*
Conclusion<br />
• Don’t bother with the packer itself<br />
• Use simple API breakpoints: VirtualAllocEx, VirtualProtectEx, ZwProtectVirtualMemory, VirtualFree, LoadLibraryExA/W<br />
• Locate the original file and dump it when possible<br />
• If not, use them as an entry point into the code<br />
• This skips thousands of garbage routines<br />
• Most of them should be unpacked in less than 10 minutes, don’t spend hours
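As an added example that is not part of the talk or of any Kaspersky Lab tooling, the script below ties the "malicious packed file layout" slide to the dumping approach in the conclusion. It parses a PE's DOS/COFF/optional headers and section table, reports per-section entropy and the overlay (the area after the last section, where that slide places the STUB and the encrypted original file), and carves any valid MZ/PE image it finds in a blob. Run over the packed file, the carver finds nothing while the embedded file is still encrypted; run over a region dumped at one of the API breakpoints listed above (VirtualAllocEx, VirtualProtectEx, ...) after the stub has decrypted it, it recovers the original. All inputs are constructed inside the script by build_pe(), and the single-byte XOR is a stand-in for a packer's custom scheme, not any real packer's algorithm.

```python
"""Added example (not from the talk): PE layout triage and embedded-PE carving.
Reports sections and overlay (where the slides place the STUB and the encrypted
original), and carves MZ/PE images from a file or from a region dumped at one
of the API breakpoints named in the conclusion. All inputs are constructed
here; the XOR step is a stand-in for a packer's custom algorithm, not a real one."""
import math
import struct
from typing import List, Optional, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob) -> Optional[dict]:
    """Parse DOS/COFF/optional headers and the section table at blob[0]; None if invalid."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if opt_size < 0x40 or opt + opt_size + num_sections * 40 > len(blob):
        return None
    if struct.unpack_from("<H", blob, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        return None
    # SizeOfImage (+0x38) and SizeOfHeaders (+0x3C) sit at the same offsets in both formats
    size_of_image, size_of_headers = struct.unpack_from("<II", blob, opt + 0x38)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = bytes(blob[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    # Bytes after the last section's raw data are the overlay
    file_end = min(len(blob), max((s["raw_ptr"] + s["raw_size"] for s in sections), default=size_of_headers))
    return {"size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections, "file_end": file_end}

def layout_report(blob: bytes) -> dict:
    """Per-section size and entropy plus overlay size and entropy, for packed-file triage."""
    pe = parse_pe(blob)
    if pe is None:
        raise ValueError("not a PE file")
    rows = [(s["name"], s["raw_size"], round(shannon_entropy(blob[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]), 2))
            for s in pe["sections"]]
    overlay = blob[pe["file_end"]:]
    return {"sections": rows, "overlay_size": len(overlay), "overlay_entropy": round(shannon_entropy(overlay), 2)}

def carve_embedded_pes(blob: bytes, skip_offset_zero: bool = True) -> List[Tuple[int, bytes]]:
    """Every (offset, image) where a valid MZ/PE header pair starts; the image is cut at the
    end of its last section (an embedded file's own overlay is not recoverable from headers)."""
    view, hits = memoryview(blob), []
    pos = blob.find(b"MZ", 1 if skip_offset_zero else 0)
    while pos != -1:
        pe = parse_pe(view[pos:])
        if pe is not None:
            hits.append((pos, blob[pos:pos + pe["file_end"]]))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def build_pe(payload: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal well-formed PE32 with one .text section (sample input only)."""
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    raw_size = -(-len(payload) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 0x10, sect_align)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)                           # ImageBase
    struct.pack_into("<II", opt, 0x20, sect_align, file_align)
    struct.pack_into("<II", opt, 0x38, sect_align + -(-len(payload) // sect_align) * sect_align, hdr_size)
    struct.pack_into("<H", opt, 0x44, 2)                                  # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 0x5C, 16)                                 # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), sect_align, raw_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sect).ljust(hdr_size, b"\0") + payload.ljust(raw_size, b"\0") + overlay

# Constructed samples: an original file, its XOR-"encrypted" copy stored as the overlay
# of a packed file, and the overlay decrypted again as if dumped from process memory.
ORIGINAL = build_pe(b"\x90" * 64 + b"original payload (constructed)")
XOR_KEY = 0x5A                                                            # stand-in for a custom scheme
PACKED = build_pe(b"\xCC" * 32 + b"stub (constructed)", overlay=bytes(b ^ XOR_KEY for b in ORIGINAL))
DUMPED_REGION = b"\0" * 0x80 + bytes(b ^ XOR_KEY for b in PACKED[parse_pe(PACKED)["file_end"]:]) + b"\0" * 0x20

if __name__ == "__main__":
    print("packed file:", layout_report(PACKED))
    print("static carve offsets:", [hex(o) for o, _ in carve_embedded_pes(PACKED)])   # [] while encrypted
    hits = carve_embedded_pes(DUMPED_REGION, skip_offset_zero=False)
    print("carved from dump at", [hex(o) for o, _ in hits], "matches original:", hits[0][1] == ORIGINAL)
```

Single-byte XOR preserves the byte histogram, so the constructed overlay's entropy stays as low as the plaintext's; a real custom cipher or compressor pushes the overlay and the packed sections toward 8 bits per byte, which is usually the first hint that a file is packed. The carver cuts each image at the end of its last section, so an embedded file's own overlay, if it had one, has to be recovered separately.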
Thank you<br />
Questions ?<br />
nicolas.brulez@kaspersky.fr