05.01.2014

Turbo Unpacking: A Journey into Malicious Packers - Hacker Halted

Turbo unpacking: A Journey into Malicious Packers

Nicolas Brulez
Senior Virus Analyst
Global Research and Analysis Team
Kaspersky Lab


Agenda

• Introduction to Packers
• Challenges of Malicious Packers
• Case Studies
  – Gpcode
  – Hlux
  – Spyeye
  – CodecPack
  – Shaddows Crypt 2 Priv8 (for the lolz)
• Conclusion


Introduction to « Packers »

(Figure: families of PECOFF wrappers: Crypters, SFX, Packers, Archives, Protectors, Installers, Bundlers, Hybrids)


(Figure labels: Y0da Crypt, Dot Fake Signer, Code Virtualizer)

• Crypters
  • Multiple protection layers
  • Polymorphic decryptors / entry
  • Custom encryption algorithms
  • Numerous anti-reversing protections
  • Anti-debugging
  • Import protection (redirections)
  • Original entry point protection


(Figure labels: Y0da Crypt, Dot Fake Signer, Code Virtualizer)

• Obfuscators
  • Multiple protection layers
  • Polymorphic entry point / fake identity
  • Custom encryption algorithms
  • Some anti-reversing protection
  • Anti-debugging
  • Memory protection


(Figure labels: Y0da Crypt, Dot Fake Signer, Code Virtualizer)

• Virtualization
  • Embedded virtual machine for selected functions
  • Obfuscations are used to make analysis more difficult
  • Compatible with other packers/protectors


With compression

(Figure labels: Packers – UPX, Protectors – ASProtect, Bundlers – MoleBox)

• Packers
  • Single or multiple code layers
  • Multiple compression algorithms in use
    • aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, …
  • Custom PECOFF table processing
    • Imports are usually* compressed
    • Resources are usually* compressed
    • Relocations are usually* compressed
    • TLS can be emulated
  • Can pack x86/x64/.net files
  • No anti-reversing protection
  – * If present and selected by the user


With compression

(Figure labels: Packers – UPX, Protectors – ASProtect, Bundlers – MoleBox)

• Protectors
  • Multiple encrypted code layers
  • Multiple compression algorithms in use
    • aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, …
  • Custom PECOFF table processing
    • Imports are usually* protected
    • Resources are usually* protected
    • Relocations are usually* protected
    • TLS can be emulated
  • Can protect x86/x64/.net files
  • Usually come with integrated licensing
  • Numerous anti-reversing protections
    • Every table you could think of and then some
  – * If present and selected by the user


With compression

(Figure labels: Packers – UPX, Protectors – ASProtect, Bundlers – MoleBox)

• Bundlers
  • Multiple encrypted code layers
  • Multiple compression algorithms in use
    • aplib, lzma, lzss, lzrw, lzbrs, ffce, jcalg, …
  • Custom PECOFF table processing
    • Imports are usually* protected
    • Resources are usually* compressed
    • Relocations are usually* compressed
    • TLS can be emulated
  • Can protect x86/x64 files
  • Some anti-reversing protection
    • Usually limited to import table/entry point
  – * If present and selected by the user


Malware

(Figure labels: Packers – shadow’s pack, Obfuscators – pohernah, Bundlers – p0ke Crypt)

• “Custom” packers
  • Packers
    • Multiple versions (per request)
    • High use of polymorphism
    • Usually simple memory overwrites
  • Obfuscators
    • Multiple versions (per request)
    • Highly obfuscated entry point
  • Bundlers
    • Usually simple overlay packers


Standard packed File layout

(Figure: original vs packed file layout)
• Original file layout: DOS header, PE header, Sections (code, data, imports), Resources, Overlay
• Packed file layout: DOS header, PE header, Sections (compression), Resources, STUB, Overlay


Malicious « packed » File layout

(Figure: original vs packed file layout)
• Original file layout: DOS header, PE header, Sections (code, data, imports), Resources, Overlay (embedded in encrypted form)
• Packed file layout: DOS header, PE header, Sections (code, data, imports), Resources, Encrypted File, Overlay


Challenges of Malicious Packers

• Highly polymorphic (server side)
• Anti Emulation
• Anti Sandboxing
• Anti Debugging
• Crazy code flow: code moved around the heap
• Slow to trace all the way to the end


Case Study: Gpcode

• Gpcode is a ransomware
• It encrypts specific sets of files (office documents, text, pictures, etc.)
• Uses AES 256 for file encryption
• Uses RSA 1024 to protect the AES key from security companies
• Uses custom packers
• http://www.securelist.com/en/blog/6165/Ransomware_GPCode_strikes_back


Case Study: Hlux

• Peer 2 Peer Botnet
• Very similar to the Waledac botnet
• Uses custom packers
• http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet


Case Study: SpyEye

• Infamous Banking Trojan
• Remote configuration file
• Targets lots of banks
• Able to inject html/javascript code into the banking site on the local machine
• Using the sample provided for the Honeynet Challenge
• Uses custom packers


Case Study: CodecPack

• Advertising Botnet
• Downloads Adware and clickers
• Uses custom packers
• http://www.securelist.com/en/analysis/204792172/The_Advertising_Botnet


Shaddows Crypt v2 Priv8 (for the lolz)

• Custom packer sold to encrypt malware
• Uses Anti Debugging, Anti SandBoxing, Anti VM and so on.
• Written in Delphi *cough*
• Very lame *double cough*


Conclusion

• Don’t bother
• Use simple API breakpoints: VirtualAllocEx, VirtualProtectEx, ZwProtectVirtualMemory, VirtualFree, LoadLibraryExA/W
• Locate the original file and dump it when possible
• If not, use them as entry points into the code
• This lets you skip thousands of garbage routines
• Most of them should be unpacked in less than 10 minutes; don’t spend hours
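The "Malicious packed file layout" slides show the original executable carried inside the stub in encrypted form, and the conclusion recommends locating that original file and dumping it once the stub has decrypted it in memory. The following Python is an added example written for this page; it is not code from the talk, from the author, or from Kaspersky Lab. It is a small carver that scans a byte buffer (a decrypted region or a memory dump) for embedded PE images, validates the DOS and NT headers, and walks the section table to work out how many bytes to dump. The sample buffer it scans is constructed inline by build_minimal_pe (a hypothetical helper that emits a non-executable PE32 skeleton) and includes a decoy "MZ" so the header checks are exercised; the sanity bounds SECTION_LIMIT and E_LFANEW_LIMIT are assumptions chosen for this example.

```python
import struct

# Added example, not from the talk: carve embedded PE images out of a byte buffer,
# e.g. a memory region dumped after the packer stub has decrypted its payload.
SECTION_LIMIT = 96        # assumed sanity bound on NumberOfSections
E_LFANEW_LIMIT = 0x1000   # assumed sanity bound on the DOS -> NT header distance


def parse_pe_header(buf, off):
    """Validate a PE image starting at buf[off:]; return a header summary or None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > E_LFANEW_LIMIT or nt + 24 > len(buf):
        return None
    if buf[nt:nt + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    sec_table = nt + 24 + opt_size
    if not 0 < nsec <= SECTION_LIMIT or opt_size < 64 or sec_table + 40 * nsec > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, nt + 24)[0]      # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B):
        return None
    size_of_headers = struct.unpack_from("<I", buf, nt + 24 + 60)[0]
    sections, extent = [], size_of_headers
    for i in range(nsec):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", buf, sec_table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rptr, rsize))
        if rsize:
            extent = max(extent, rptr + rsize)   # on-disk image ends after the last raw section
    if extent == 0:
        return None
    return {"offset": off, "machine": machine, "pe32plus": magic == 0x20B,
            "sections": sections, "size": min(extent, len(buf) - off),
            "truncated": off + extent > len(buf)}


def carve_embedded_pes(buf):
    """Try every 'MZ' in buf and keep the offsets that pass the header checks."""
    hits, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        hdr = parse_pe_header(buf, pos)
        if hdr:
            hits.append(hdr)
        pos += 2
    return hits


def dump_image(buf, hdr):
    """Return the bytes of one carved image (headers plus raw section data)."""
    return buf[hdr["offset"]:hdr["offset"] + hdr["size"]]


def build_minimal_pe(section_payloads):
    """Hypothetical helper: build a tiny PE32 skeleton (headers + raw sections) as sample data."""
    e_lfanew, opt_size, nsec = 0x80, 0xE0, len(section_payloads)
    size_of_headers = (e_lfanew + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    sec_hdrs, raw, ptr, va = b"", b"", size_of_headers, 0x1000
    for name, payload in section_payloads:
        rsize = (len(payload) + 0x1FF) & ~0x1FF            # 512-byte file alignment
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                                rsize, ptr, 0, 0, 0, 0, 0x60000020)
        raw += payload.ljust(rsize, b"\0")
        ptr, va = ptr + rsize, va + ((rsize + 0xFFF) & ~0xFFF)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 56, va)                    # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)       # SizeOfHeaders
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(size_of_headers, b"\0") + raw


def build_sample_dump():
    """Constructed sample: stub PE, a decoy 'MZ', the embedded original PE, then overlay bytes."""
    carrier = build_minimal_pe([(b".text", b"\xcc" * 16), (b".data", b"\x00" * 8)])
    decoy = b"MZ" + b"\0" * 62                             # e_lfanew of 0 fails the bounds check
    original = build_minimal_pe([(b".text", b"\x90" * 32)])
    overlay = b"OVERLAY!" * 4
    return carrier + decoy + original + overlay, len(carrier) + len(decoy), original


if __name__ == "__main__":
    buf, _, _ = build_sample_dump()
    for hdr in carve_embedded_pes(buf):
        print(f"PE at 0x{hdr['offset']:x}: {hdr['size']} bytes, sections "
              f"{[s[0] for s in hdr['sections']]}, truncated={hdr['truncated']}")
```

On a real dump the first hit is usually the stub itself and a later hit is the decrypted original; the size reported is the on-disk extent, so a file written from dump_image keeps its section table intact and can be opened in a disassembler without further fixing. The truncated flag tells you the region ended before the last raw section, in which case the dump needs a larger capture.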


Thank you

Questions ?

nicolas.brulez@kaspersky.fr