Originally published by 8ksecresearch: Dissecting Windows Malware Series – Creating Malware-Focused Network Signature – Part 5
Dissecting Windows Malware Series – Creating Malware-Focused Network Signature – Part 5
In the previous article https://8ksec.io/dissecting-windows-malware-series-risc-vs-cisc-architectures-part-4/, we took a small detour and learned more about CPU architectures, in order to understand the underlying mechanisms that assembly code analysis is built upon.
We mostly talked about:
- The differences between CISC and RISC architectures.
- Where we are heading in the future.
- How this relates to malware analysis.
Without further ado, let's start learning how to create malware-focused network signatures.
What's In It For Me
In this article we'll:
- Learn what OPSEC is and how to safely investigate a malware sample.
- Explore the various methods malware uses to disguise its objectives, focusing on the manipulation of network-related components.
- Discover how to create malware network signatures based on real malware samples.
Already familiar with creating malware network signatures?
Feel free to scroll down to the checklist at the end ('Tips To Creating Accurate Snort Signatures').
How To Safely Investigate Malware Network Components
When discussing the network functionality of malware, we'll mainly focus on the following attributes:
- IP addresses
- Network protocols: TCP, UDP, HTTP(S), etc.
- Ports
- Domain names
- Traffic content
Given the objective of understanding the network component of a malware sample we have been handed, we might be tempted to run the malware and observe its behavior.
This would be a mistake.
Instead, we should first review the data we already have, including:
- Logs
- Alerts
- Packet captures
- Any other data already generated by the malware.
By running the malware as our first step, we risk leaking our analysis actions to the attacker, which leads us to the next important concept.
What Is OPSEC And Why Is It Important
When using the Internet for research, understanding operational security (OPSEC) is crucial.
While performing investigations, certain actions we take can alert the malware author that we've identified the malware, or even reveal personal information to the attacker.
For example:
- Analyzing the malware from home, when it was originally sent to your corporate network via email, can cause a DNS request for the attacker's domain to be made from an IP address space outside the one normally used by your corporation.
- If the malware was sent to a specific individual in a spear-phishing email containing a link, any attempt to access that link from outside the geographical area of the target's IP address space can alert the attacker.
- An attacker who monitors for attempts to resolve a domain that is embedded in the malware but not yet in use will read those resolutions as a sign of investigation activity.
- An attacker who embeds an encoded, per-target link in a publicly accessible and editable site (e.g., blog comments) gains a private, publicly reachable audit trail of every infection and of every analyst who follows the link.
Awareness of an ongoing investigation may prompt attackers to change tactics and vanish.
So How Can We Safely Investigate A Malware Sample
Indirect Tactics
- The best known one is to use services or mechanisms that provide anonymity, such as Tor, open proxies, etc.
- Another method is using a dedicated machine for research and hiding its location:
  - Using only a cellular connection.
  - Tunneling the connection through remote infrastructure using SSH or a VPN.
  - Using an ephemeral remote machine on a cloud service, like Amazon EC2.
Direct Tactics
These core tactics are crucial for every malware analyst investigating a sample. Basic indicators, such as IP addresses and domain names, are mostly valuable for defending against one specific version of a malware.
Malware authors are adept at quickly changing addresses or domains, so what's the solution? Defining countermeasures that survive such changes:
- Behavior-based countermeasures.
- Content-based countermeasures.
When talking about behavior-based countermeasures, EDRs, XDRs, firewalls, WAFs, NACs and similar security solutions are the way to go.
That realm of solutions deserves a separate article.
When talking about content-based countermeasures, IDSs and IPSs are the first things that come to mind. This is the aspect we'll focus on in this article.
Content-Based Network Countermeasures
Signature-based IDSs and IPSs are the oldest deployed systems for detecting malicious activity in network traffic.
Signature-based detection depends on knowing the characteristics of the malicious activity and what it looks like on the wire.
A good signature will send an alert every time the malicious activity happens (true positive), but will not create an alert for anything that merely looks like malware and is actually legitimate (false positive).
Good Old Snort IDS
One of the most popular IDSs out there is Snort. It lets us create a signature, or rule, that links together a series of elements called rule options.
Only if all the rule options are true will the rule fire.
We'll want to make our signature as generic as possible, preferably detecting a malware family as a whole and not just a specific version of a certain malware type.
Malware will try to blend into legitimate network traffic (HTTP, DNS, etc.) as much as possible, which in turn makes it more challenging to detect.
1. So what mechanisms will malware try to leverage for that purpose?
2. How will it try to frustrate the analyst's efforts to create a precise signature?
Next, we'll see two malware samples that showcase and answer those questions.
A Little Bit Of Snort Basics
But before we dive deep, let's understand the attributes of a Snort signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt Detected"; flow:to_server,established; content:"SELECT"; nocase; content:"FROM"; distance:0; within:40; content:"WHERE"; distance:0; within:40; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/i"; classtype:web-application-attack; sid:1000001; rev:1;)
- alert tcp – Specifies the action (alert) and that the rule is for TCP traffic.
- $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS – Defines the traffic direction: from any source port on external networks to the HTTP servers on the defined HTTP ports.
- msg:"SQL Injection Attempt Detected" – The message that will be logged or shown when the rule triggers.
- flow:to_server,established – Specifies that this rule applies only to established connections, on traffic heading towards the server.
- content – Specifies the specific content to look for in the packet payload. In this case, it looks for the SQL keywords "SELECT", "FROM" and "WHERE", indicating a potential SQL injection attempt.
- nocase – Makes the preceding content match case-insensitive. Note that it applies only to the content option it follows, here "SELECT".
- distance and within – Constrain where a content match may occur relative to the end of the previous match: distance:0 means "start searching right after the previous match", and within:40 means "the match must be found within the next 40 bytes".
- pcre – A Perl Compatible Regular Expression for more complex pattern matching. Here it is used to detect common SQL injection characters: a single quote (raw, or URL-encoded as %27) and comment markers (-- or #, the latter also URL-encoded as %23).
- classtype:web-application-attack – Categorizes the type of attack the rule is designed to detect.
- sid – The Snort ID of the rule. This should be unique.
- rev – The revision number of the rule, useful for keeping track of updates to your signatures.
An Important Side Note
Before deploying, it's crucial to test your signatures thoroughly, against both malicious and benign traffic, to ensure they do not generate an excessive number of false positives or false negatives.
Let's Start Reversing
1. Network Content Signature Based On Endpoint's Unique Data
Given the malware sample, we see there is no associated packet capture. This forces us to start with basic dynamic analysis to help us understand how the malware operates.
Running the malware with FakeNet running in the background, we observe the following beacon:
It appears the HTTP GET request contains encoded data and downloads an image file from a certain domain (obfuscated in the picture).
Our goal, as stated, is to find hard-coded data, or ephemeral data with a fixed structure, that we could use in creating our Snort signature.
Running the malware a couple more times produces the same beacon.
Let's then continue to analyze the assembly code.
Usually, we would scroll through the import address table (if there is one and the malware is not packed) and look for network-related API calls.
But, as the main function opens in IDA Pro (after it automatically determines the entry point), we cannot help but see and analyze the following assembly code snippets:
It appears the data passed to the function sub_4010BB is ephemeral data gathered from the endpoint's profile (this includes the username, MAC address, etc.).
Analyzing the function sub_4010BB, we observe the following assembly code:
It appears the queried endpoint information is used as the data sent in the HTTP GET request, made via the API call URLDownloadToCacheFileA.
Since we observed that the network content is derived from host information, our next step is to run the malware on a different host.
This time, the beacon the malware sends has different GET request data (also Base64 encoded) and uses a different User-Agent:
Following the data we gathered, we can conclude what the hard-coded data is and create the network signature.
The key static elements to target when building the signature are the colons and the dash that separate the hardware profile bytes and the username.
Targeting these elements is challenging because the malware applies a layer of Base64 encoding before sending this content onto the network.
However, inspecting the Base64 strings we gathered, we can infer the following:
- The original string is laid out as "XX:XX:XX:XX:XX:XX-username", so each colon, and then the dash, is the third character of a triple of input bytes.
- In Base64, all six bits of the fourth character of each output quad come from the low six bits of the third input byte of the triple.
And that's why:
- The fourth character of each of the first five quads, the one "under" a colon, is always a 6 (':' is 0x3A; its low six bits are 0b111010 = 58, which is '6' in the Base64 alphabet).
- Because of the dash, the sixth quad will always end with a t ('-' is 0x2D; its low six bits are 0b101101 = 45, which is 't').
This leads us to the following final conclusions:
1. The path will always be at least 24 characters long, with fixed positions for the five '6' characters and the 't'.
2. We know the character set that may be used to represent the rest of the path: the Base64 alphabet.
3. We also know the download name is a single character, identical to the last character of the path.
All this information allows us to create two Snort signatures.
The first is built on the following PCRE:
/\/XXX6XXX6XXX6XXX6XXX6XXXt(XXXX){1,}\//
Where:
- X represents the character set [A-Z0-9a-z+\/]
- It captures blocks of four characters ending in 6 and t.
- It targets the first segment of the URI, the one that contains the static characters.
The second Snort rule will be based on the following pattern, which ties the file name to the last character of the path through a capture group and a back-reference:
/\/[A-Z0-9a-z+\/]{24,}([A-Z0-9a-z+\/])\/\1\.png/
And can be created in a similar manner.
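The Base64 reasoning above can be checked mechanically. The following is an added example, not code from the original article: it assumes the pre-encoding beacon layout is "XX:XX:XX:XX:XX:XX-username" (six hex-formatted hardware profile bytes separated by colons, a dash, then the user name) as described above, builds the URI the way the malware appears to, confirms the fixed '6' and 't' positions, and runs both PCREs from this section against it. The profile bytes and user names are made up. It also exercises a caveat a practitioner should check before deploying: if the encoder emits standard '=' padding (which happens whenever 18 + len(username) is not a multiple of 3), the padding character falls outside the [A-Z0-9a-z+\/] class and neither pattern as written will match, so the production rule must either allow '=' or be validated against the malware's own encoder behaviour.

```python
import base64
import re

# Added example, not from the original article. The beacon layout below is
# assumed from the article's description; profile bytes and names are made up.

B64CHAR = r"[A-Z0-9a-z+/]"   # the article's X character set (Base64 alphabet)

# First PCRE from the article: five "XXX6" quads, one "XXXt" quad, then one or
# more full quads of user-name data, then the slash that ends the path segment.
RULE1 = re.compile("/" + (B64CHAR * 3 + "6") * 5 + B64CHAR * 3 + "t(?:" + B64CHAR * 4 + ")+/")

# Second PCRE: a long path whose last character is reused as the file name.
RULE2 = re.compile("/" + B64CHAR + "{24,}(" + B64CHAR + r")/\1\.png")


def beacon_plaintext(profile: bytes, username: str) -> str:
    """Assumed pre-encoding layout: six hex bytes, colon separated, a dash, the user name."""
    if len(profile) != 6:
        raise ValueError("expected six hardware-profile bytes")
    return ":".join(f"{b:02X}" for b in profile) + "-" + username


def beacon_uri(profile: bytes, username: str) -> str:
    """Base64-encode the plaintext and append '<last char>.png', as the article describes."""
    encoded = base64.b64encode(beacon_plaintext(profile, username).encode()).decode()
    return f"/{encoded}/{encoded[-1]}.png"


def fixed_positions(encoded: str) -> tuple:
    """Fourth character of quads 1-5 (under a colon) and of quad 6 (under the dash)."""
    return tuple(encoded[i] for i in (3, 7, 11, 15, 19, 23))


def rule1_hits(uri: str) -> bool:
    return RULE1.search(uri) is not None


def rule2_hits(uri: str) -> bool:
    return RULE2.search(uri) is not None


if __name__ == "__main__":
    profile = bytes.fromhex("00112233AABB")   # made-up hardware profile bytes
    for user in ("mwuser", "alice"):          # 24 plaintext bytes (no padding) vs 23 (padded)
        uri = beacon_uri(profile, user)
        path = uri.split("/")[1]
        print(user, uri, fixed_positions(path), rule1_hits(uri), rule2_hits(uri))
```

Running the block prints the two URIs: the six-character user name yields a path with '6' at offsets 3, 7, 11, 15, 19 and 't' at 23 and both rules fire, while the five-character name produces a trailing '=' that neither rule accepts.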
2. Network Content Signature – Leveraging HTML Attributes
Given the malware sample, and since we don't have a packet capture, we'll start with basic dynamic analysis.
Running the malware with FakeNet in the background, we observe the following request:
We notice the attacker has mistakenly hard-coded the string 'User-Agent: ' as part of the User-Agent value, so the header name appears twice in the request. This duplicated header can later be used in our Snort signature.
We also observe the malware requests an HTML file named 'start.htm'.
Inspecting the relevant Windows API calls, we see heavy use of the WinINet library and of the Windows COM object model.
Cross-referencing these functions in the assembly code, we get to the following code snippet:
First Goal – Identify The Beacon Content
Doing some backtracking, we find out this function is called from WinMain with two arguments.
The one used before the call to InternetOpenUrlA is the URL and defines the beacon destination.
This URL is set in another function in WinMain, which contains the following code:
In case the .exe file (autobat.exe) doesn't exist, a call will be made to the static URL, requesting the start.htm we saw earlier.
Further analysis reveals that the ReadFile function takes a buffer as an argument, which is eventually passed all the way back to the InternetOpenUrlA function.
Thus, we can conclude that autobat.exe is a configuration file that stores the URL in plaintext.
Second Goal – Identify How The Malware Responds
Following the InternetReadFile call, we notice the following code snippet:
The strstr function (which returns a pointer to the first occurrence of a search string within a string) is placed within two loops: the outer one contains the call to InternetReadFile, and the inner one contains strstr and a call to another function, sub_401000.
sub_401000 is called when the string '<no' is found, and it performs a comparison to validate whether the correct content was found.
Moving forward we find out that:
- The attacker tried to mix up the comparisons to the keyword <noscript> to avoid producing an obvious pattern.
- The content the malware compares for a valid match consists of:
  - The file read from the Internet.
  - The URL that originally came from the configuration file.
- After that, there is a jump table based on the value of a register, with cases for 'd', 's', 'r' and 'n'.
Analyzing the 'd' case, we find calls to CreateFile and WriteFile that alter the configuration file.
The malware then:
- Creates a process.
- Overwrites the configuration file in order to redirect the malware's beacon to a different site.
- And, generally, acts as a client of a C2 server, allowing lots of other functionality.
Generating The Snort Rules
Since the malware has a beacon component and a response component, we need to create multiple Snort rules to achieve full coverage.
The Beacon
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.3.1 Specific User-Agent with duplicate header"; content:"User-Agent|3a20|User-Agent|3a20|Mozilla/4.0|20|(compatible\;|20|MSIE|20|7.0\;|20|Windows|20|NT|20|5.1\;|20|.NET|20|CLR|20|3.0.4506.2152\;|20|.NET|20|CLR|20|3.5.30729)"; http_header; sid:20001431; rev:1;)
The elements matched by this rule are static and come from two different strings in the code (the hard-coded 'User-Agent: ' and the browser string). The rest of the request is ephemeral, since it is defined by the URL read from the configuration file.
As we mentioned, since the attacker made a mistake by hard-coding the User-Agent header name, it is a strong indicator, and the rule should include it.
The Response
The responses will be in the following format:
... truncated_url/cmd_char.../arg96'
The malware searches for several static elements in the web page, including the noscript tag, the first characters of the URL (http://), and the trailing 96'.
Since the parsing function that reads the cmd_char structure is in a different area of the code and may be changed independently, it should be targeted separately. Thus, the following is the signature targeting just the static elements expected by the malware:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PM14.3.2 Noscript tag with ending"; content:"<noscript>"; content:"http\://"; distance:0; within:512; content:"96'"; distance:0; within:512; sid:20001432; rev:1;)
The download and redirect functions both share the same routine to decode the URL, so we will target these two commands together:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PM14.3.3 Download or Redirect Command"; content:"/08202016370000"; pcre:"/\/[dr][^\/]*\/08202016370000/"; sid:20001433; rev:1;)
This signature uses the string 08202016370000, which we previously identified as the encoded representation of http://.
The PCRE rule option includes this string, the surrounding forward slashes, and the 'd' or 'r' that indicates the download or redirect command.
Reading the pattern: \/ is an escaped forward slash, [dr] matches either the character 'd' or 'r', [^\/]* matches zero or more characters that are not a forward slash, and the final \/ is another escaped slash immediately before the encoded http://.
In a similar way, we would create the signatures for the quit and sleep commands.
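To see how the rule options used throughout this article combine (content with nocase, distance and within; the |hex| and backslash escapes inside content strings; pcre; and the http_header restriction), here is an added example that is not part of the original article: a small Python matcher implementing those semantics, with the SQL injection rule from the Snort basics section and the three PM14.3.x rules above expressed as option lists and run over constructed HTTP payloads. The beacon request, the two HTML responses and the SQL query strings are made up for the demonstration (the digits after the encoded http:// token are arbitrary), and the matcher is a teaching simplification of Snort, not a substitute for testing the rules in Snort itself.

```python
import re

# Added example, not from the original article. A minimal Snort-like matcher for
# the rule options the article uses; every payload below is constructed.

_TOKEN = re.compile(r"\|([0-9A-Fa-f ]+)\||\\(.)|(.)", re.S)


def parse_content(text: str) -> bytes:
    """Translate Snort content syntax to bytes: |3a20| is hex, a backslash escapes ; : and quotes."""
    out = bytearray()
    for hexpart, escaped, literal in _TOKEN.findall(text):
        out += bytes.fromhex(hexpart) if hexpart else (escaped or literal).encode()
    return bytes(out)


def http_headers(payload: bytes) -> bytes:
    """Approximate Snort's http_header buffer: everything before the blank line."""
    return payload.split(b"\r\n\r\n", 1)[0]


def match_rule(payload: bytes, options) -> bool:
    """Evaluate options in order; all must hold (Snort ANDs its options).

    options: ("content", text, {"nocase", "distance", "within"}) or ("pcre", regex, re_flags).
    distance/within are measured from the end of the previous content match, as in Snort."""
    cursor = 0
    for opt in options:
        if opt[0] == "content":
            _, text, mods = opt
            needle, hay = parse_content(text), payload
            if mods.get("nocase"):
                needle, hay = needle.lower(), payload.lower()
            start, end = 0, len(hay)
            if "distance" in mods or "within" in mods:   # relative match
                start = cursor + mods.get("distance", 0)
                if "within" in mods:
                    end = start + mods["within"]
            idx = hay.find(needle, start, end)
            if idx < 0:
                return False
            cursor = idx + len(needle)
        else:
            _, regex, flags = opt
            if re.search(regex.encode(), payload, flags) is None:
                return False
    return True


# The SQL injection rule from the Snort basics section (nocase covers only SELECT).
SQLI_RULE = [
    ("content", "SELECT", {"nocase": True}),
    ("content", "FROM", {"distance": 0, "within": 40}),
    ("content", "WHERE", {"distance": 0, "within": 40}),
    ("pcre", r"(%27)|(')|(--)|(%23)|(#)", re.I),
]
# PM14.3.1: the duplicated, hard-coded User-Agent header name in the beacon.
BEACON_RULE = [("content",
    r"User-Agent|3a20|User-Agent|3a20|Mozilla/4.0|20|(compatible\;|20|MSIE|20|7.0\;|20|"
    r"Windows|20|NT|20|5.1\;|20|.NET|20|CLR|20|3.0.4506.2152\;|20|.NET|20|CLR|20|3.5.30729)", {})]
# PM14.3.2: the static elements the malware looks for in the response.
NOSCRIPT_RULE = [
    ("content", "<noscript>", {}),
    ("content", r"http\://", {"distance": 0, "within": 512}),
    ("content", "96'", {"distance": 0, "within": 512}),
]
# PM14.3.3: a download ('d') or redirect ('r') command followed by the encoded http://.
CMD_RULE = [("content", "/08202016370000", {}), ("pcre", r"/[dr][^/]*/08202016370000", 0)]


def evaluate(payload: bytes) -> dict:
    """Run all four rules over one payload and report which of them fire."""
    return {
        "sqli": match_rule(payload, SQLI_RULE),
        "PM14.3.1": match_rule(http_headers(payload), BEACON_RULE),
        "PM14.3.2": match_rule(payload, NOSCRIPT_RULE),
        "PM14.3.3": match_rule(payload, CMD_RULE),
    }


# Constructed traffic, not captured from the samples.
SQLI_ATTACK = b"GET /items?id=1'%20UNION%20SELECT%20name%20FROM%20users%20WHERE%201=1-- HTTP/1.1\r\nHost: x\r\n\r\n"
SQLI_BENIGN = b"GET /report?q=SELECT+name+FROM+users+WHERE+active=1 HTTP/1.1\r\nHost: x\r\n\r\n"
BEACON = (b"GET /start.htm HTTP/1.1\r\nUser-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; "
          b"Windows NT 5.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: www.example.test\r\n\r\n")
NORMAL_GET = (b"GET /start.htm HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; "
              b"Windows NT 5.1)\r\nHost: www.example.test\r\n\r\n")
HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><p>nothing to see</p>%s</body></html>"
DOWNLOAD_RESPONSE = HTML % b"<noscript>http://www.example.test/d/0820201637000023230914...96'</noscript>"
SLEEP_RESPONSE = HTML % b"<noscript>http://www.example.test/s/3600...96'</noscript>"

if __name__ == "__main__":
    for name, pkt in [("sqli attack", SQLI_ATTACK), ("benign query", SQLI_BENIGN), ("beacon", BEACON),
                      ("normal GET", NORMAL_GET), ("download cmd", DOWNLOAD_RESPONSE), ("sleep cmd", SLEEP_RESPONSE)]:
        print(f"{name:14} {evaluate(pkt)}")
```

The benign query carries all three SQL keywords yet does not fire, because the pcre option is what separates an injection from an ordinary query; likewise the sleep response fires PM14.3.2 but not PM14.3.3, which is the layered coverage the article recommends.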
So What Have We Seen
We talked about:
- What OPSEC is and how an analyst should safely investigate malware online (indirect and direct tactics).
- Content-based countermeasures: what they are, and how they differ from behavior-based countermeasures.
- We analyzed two malware samples, each with a different network characteristic.
As expected, our ability to create a precise content-based signature is determined by our ability to dissect the malware and leverage our knowledge of network internals.
Tips To Creating Accurate Snort Signatures
As a rule of thumb, we'll want to create multiple signatures, each one targeting a different mechanism of the malicious code.
This approach makes detection more resilient to attacker modifications.
Attackers may try to slightly change their software to avoid detection by a specific signature.
By creating multiple signatures that key off different aspects of the communication, you can still detect the malware even if the attacker has updated a portion of the code.
Here are three additional key notes to remember when creating signatures:
- Focus on elements of the protocol that apply to both the client and server sides. From the attacker's perspective, changing code on both the client and the server is much harder. Look for elements of the protocol that are handled by code on both the client and the server sides, and create a signature based on these elements. The attacker will need to do a lot of extra work to render such a signature obsolete.
- Focus on elements of the protocol known to be part of a key. Often, some hard-coded components of a protocol are used as a key. For example, an attacker may use a specific User-Agent string as an authentication key so that illegitimate probing can be detected (and possibly rerouted). To bypass a signature built on such an element, the attacker would need to change code at both endpoints.
- Identify elements of the protocol that are not immediately apparent in traffic. Sometimes, the actions of other defenders can impede your detection of the malware. If another defender creates a signature that achieves sufficient success against an attacker, the attacker may be compelled to adjust the malware to avoid that signature. If you rely on the same signature, or on a signature that targets the same aspects of the attacker's communication protocol, the attacker's adjustment will affect your signature as well. To avoid being rendered obsolete by the attacker's response to another defender, try to identify aspects of the malicious operation that other defenders might not have focused on. Knowledge gained from carefully observing the malware will help you develop a more robust signature.
As a general conclusion, signatures based on malware analysis are more precise, reducing the trial and error needed to produce signatures with a low false-positive rate. Additionally, they have a higher likelihood of identifying new strains of the same malware.
So, What's Next
So far, we've acquired an impressive skill set for analyzing and reverse engineering malware samples. We've discussed the major objectives malware will try to achieve, persistence, evasion and stealth, and saw various use cases where each one is implemented.
Now we're in the major league.
The next articles will focus on more advanced topics, such as:
- Analyzing rootkits
- Unpacking malware samples
- Identifying and analyzing shellcode
- And much more
References
- The following resources are taken from the book Practical Malware Analysis by Michael Sikorski and Andrew Honig:
  - The two malware samples
  - The network attributes image
  - The Base64 image comparing decoded and encoded data
  - Tips and tricks regarding creating Snort signatures
- All other resources were generated through the analysis process.
GET IN TOUCH
Excited to learn more about Windows Malware Analysis? We just released our latest training on Windows Malware Analysis And Memory Forensics! You can find more information about it here. Please don't hesitate to reach out to us through our Contact Us page if you have any questions.
Visit our training page if you're interested in learning more about our other course offerings and want to develop your abilities further. Additionally, you may look through our Events page and sign up for our upcoming public trainings.