Two short talks in one deck. One on automated analysis tools for the novice. The second on reverse engineering malicious PDF files.

1. Paul Melson Two-For-One Talk:Malware Analysis for Everyone

2. MWA-101: Five Automated Analysis Tools You should Know

3. Why Do Malware Analysis? Client-side attacks that install malware are the #1 external threat. It’s not slowing down any time soon: “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31% from the previous period.” “In 2008, Symantec created 1,656,227 new malicious code signatures. This is a 265% increase over 2007.” (Source: Symantec Internet Threat Report, April 2009)

4. Firewalls and Anti-Virus Have Lost Client-side attacks against web browsers and e-mail go right through most firewall policies Detection rates for current malware files by market leading anti-virus scanners are averaging 30-50% If you’re not adapting some other way, you’ve lost

5. Malware is Adapting Quickly Take away Local Administrator privileges? Malware that persists in HKCU Registry keys or StartUp group Whitelist apps with Windows Firewall? Malware that hooks into Internet Explorer plugin APIs Block IRC at the firewall? Malware that uses encrypted HTTP/HTTPS back-channels

6. “But it’s just spyware, right?” In the past 2 years, we’ve found malware in the wild that: Sends hundreds of spam e-mail messages per second Gives bot “herder” full desktop remote control Searches files in “Documents and Settings” for SSNs, credit card numbers, and saved Internet Explorer passwords Records all screen and text input and reports it in real-time to a server in Russia

7. VirusTotalhttp://www.virustotal.com Upload a suspicious file, they scan it with 40+ different anti-virus products using current signatures Pretty much everybody, except TrendMicro Useful for determining if a file is malicious Also for determining whether your anti-virus would detect a particular file Take advantage of heuristic/edge products without all of the false positives in production OK, but not great for brand new or custom malware Not great for obfuscated exploits, better with binaries

9. CWSandboxhttp://www.cwsandbox.org Upload a suspicious Windows executable, they run it in their sandbox and tell you what it did Great for figuring out what a file actually does It doesn’t establish malicious vs. benign, that’s up to you Requires some detailed understanding of Windows Registry, processes, file system to interpret report Some malware can detect this and other sandboxes, and won’t run Other similar services Norman Sandbox JoeBox

12. Threat Expert http://www.threatexpert.com Upload a suspicious Windows binary, they analyze it Supports web submission, but also Windows applet Must register to submit samples Combines the features of CWSandbox and VirusTotal Anti-virus scan File / registry modifications Packer identification Browse reports and statistics from other submitted files

15. Wepawethttp://wepawet.iseclab.org Upload a suspicious PDF, HTML, or Flash file, or submit a suspicious URL and it will analyze it for malicious JavaScript. Great for working with obfuscated JavaScript where reversing and debugging is complex and time-intensive. However, some forms of obfuscation, especially in PDF and SWF files, can be used to beat it.

17. Comodohttp://camas.comodo.com Upload a suspicious Windows binary, they analyze it for you Similar to CWSandbox Very fast Relatively new/unknown, so less likely to be targeted for evasion (Assuming they use technology different enough from Norman, CWSandbox)

19. MWA-101: Q&A

20. MWA-405: Unpacking PDF Exploit Payloads

21. PDF Files and Malware Malware relies on two methods to install Exploiting a browser vulnerability Tricking people into running a file Adobe Acrobat Reader is, right now, the most reliably vulnerable piece of software in the world It’s really hard to patch across the enterprise Predecessors: Internet Explorer QuickTime Player Adobe Flash Player

22. They Don’t Call it Pwndobe for Nothing Tuesday’s Acrobat Reader security bulletin That’s 29 unique vulnerabilities, in case you’re keeping score

23. PDF as an Attack Vector Acrobat Reader is executable from the web browser Called as a browser plugin via COM There is an IE killbit, but I dare you to use it in a business Each version of Acrobat Reader has its own CLSID, and killbit The PDF file format supports scripting and obfuscation JavaScript Embedding binary objects and scripts as streams Compressing and encoding these streams These are the same things that made Flash a good attack vector, so you may have some idea as to what’s next

24. PDF With Malicious Payload PDF file header including JavaScript trigger

25. PDF With Malicious Payload PDF file body showing binary FlateDecode stream Note the /Filter and /Length tags

26. Unpacking FlateDecode Streams FlateDecode is stream compression using zlib compress() Several tools can decompress and extract the streams for you PDF Stream Inflater by Bobby Spasic (Malzilla) Not available for download anymore pdftk by Sid Steward (AccessPDF) Not specifically for malware http://www.accesspdf.com/pdftk/ pdf-parser.py by Didier Stevens This guy writes all sorts of awesome tools http://blog.didierstevens.com/programs/pdf-tools/

27. Unpacking FlateDecode Streams Using PDF Stream Inflater to extract FlateDecode stream

28. Unpacking FlateDecode Streams Viewing decoded stream containing obfuscated JavaScript

29. Unpacking FlateDecode Streams Pipe extracted stream through Didier Stevens’ SpiderMonkey mod The log files contain the output of the obfuscated JavaScript

30. Unpacking FlateDecode Streams Look! More JavaScript, but this time it’s readable. Hmmm, I wonder…

31. Unpacking FlateDecode Streams Oh, look, they copied the exploit from milw0rm.

32. Beyond FlateDecode Different versions of the PDF file standard support additional forms of encoding streams ASCIIHexDecode ASCII85Decode Encoding methods can be combined on a single stream Order of operations matters! Two methods for extracting and decoding: Manually decode Hex stream to zlib binary stream, reinsert, resize header, basically recreating the PDF as if it only contained the FlateDecode stream, then extract with inflater.exe (this sucks, BTW) Use pdf-parser.py

33. Beyond FlateDecode This stream is encoded with ASCIIHexDecode and FlateDecode

34. Beyond FlateDecode We decode the stream and find more obfuscated JavaScript ./pdf-parser.py -f boBAn.pdf | less

35. Beyond FlateDecode Throw <html> and <script> tags around the obfuscated JavaScript and upload it to Wepawet

36. Beyond FlateDecode Ooh, second stage executable downloads!

37. Beyond FlateDecode - Epilogue From the time that I started this research to the time I wrote this presentation, Wepawet has added support for ASCIIHexDecode in PDF files So, yes, the hours of work I did on this can be replicated in mere seconds with only a web browser But this underscores the ongoing arms race between security researchers and malware vendors That’s right, I said vendors

38. Some Extra Fun whois goodshoot1.com Note the goofy domain on those name servers

39. Some Extra Fun So we search malwareurl.com for that domain, and…

40. Some Extra Fun YES is a crimeware system made in Russia This is the login page for its web console

41. Network Detection Easy enough to find PDF files that use encoded streams with your IDS/IPS Your firewall and proxy logs are a good place to look, too Most sites hosting second-stage malware are in foreign countries, especially Russia, China Use language to your advantage – if your employees speak English, then documents downloaded from countries that don’t speak English could be suspicious

42. Network Detection alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL PDF mailto exploit HTTP download"; flow:from_server,established; content:"%PDF"; nocase; content:"RI(mailto:%/"; nocase; classtype:trojan-activity; sid:9000140; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with FlateDecode stream download"; flow:from_server,established; content:"%PDF"; content:"FlateDecode"; nocase; classtype:trojan-activity; sid:90000190; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCIIHexDecode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCIIHexDecode"; nocase; classtype:trojan-activity; sid:90000191; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF with ASCII85Decode stream download"; flow:from_server,established; content:"%PDF"; content:"ASCII85Decode"; nocase; classtype:trojan-activity; sid:90000192; rev:1;) Snort rules to detect suspicious PDF files

43. Network Detection Firewall events for PDFs downloaded from countries other than the US, UK, and Canada

44. pmelson@gmail.com http://pmelson.blogspot.com Special Thanks to Sean Koessel MWA-405: Q&A