Diving into Malware's Furtive Plumbing

Presented at VB2016, Oct. 5, 2016, 4 p.m. (30 minutes)

While malware families frequently change their behaviour - in terms of persistency, malicious code injection techniques, the makeup of the configuration file, and of course, the encryption schemes - malware rarely updates its internal communications method. One of the preferred and most popular methods of internal malware communications is leveraging Named Pipes. In this talk, we will dive into that area to reveal the critical information that fuels malware and keeps its operators in control. Furthermore, we will present a new tool. When it comes to the domain of malware's internal communications, there may be a handful of dynamic analysis tools available for researchers to use, but we were not able to find one that allowed us to reliably sniff communication from Named Pipes. Nonetheless, we achieved our goal by developing our own specialized Named Pipes sniffing tool. We will present this tool to the audience, explain its inner workings, and share it with the research community. What we will share with participants in this technical lecture are applicable, valuable real-world use cases that they will recognize from their own work. For example: * How we obtained decrypted configuration from Dyre's encrypted files. The method worked from the early days of Dyre all the way until it vanished. * The mechanism used by Gozi to remove itself from compromised machines (to hide evidence), which can now be used to safely remove Gozi using a single pipe command! * How to find Shylock's executable location and run key by asking for it over its Named Pipe. The same Pipe can also be used to fetch its web-injections. * How Ramnit uses various modules for specific tasks (web-injections, VNC, etc.). We were able to get the list of currently running modules by sniffing Ramnit's Named Pipe communication. * We'll also show a buffer overflow in Dyre's pipe communication mechanism, which allowed us to remove Dyre from the memory of infected processes without rebooting the machine. This talk will benefit any participant who is tasked with researching malware as part of their daily routine, as well as participants interested in the overall subject of advanced reverse engineering.

Presenters:

• Or Safran - IBM
  Or Safran Or Safran has been a malware researcher at IBM Trusteer for two years and holds a Bachelor of Science degree in computer software engineering.
• Omer Yair - IBM
  Omer Yair Omer Yair has been malware researcher at IBM Trusteer for the past two years, focusing on financial malware families. In the past he has worked for six years at Algotec, developing medical imaging software, and at IDF's technology unit for three years as dev team lead. In his free time he revives historical photographic processes.

Links:

• https://www.virusbulletin.com/conference/vb2016/abstracts/diving-malwares-furtive-plumbing

Similar Presentations:

• Black Hat USA 2022 / Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe
• THOTCON 0x7 (2016) / Cyber Vulnerabilities of America's Pipe Lines
• DEF CON 25 (2017) / Call the plumber - you have a leak in your (named) pipe