HITCON CMT 2016
FèlDo
Function Event Listing and Dynamic Observing
- for Detecting and Preventing Crypto Ransomware
Tzung-Bi Shih
<penvirus@gmail.com>
“Most of us are misunderstanding when mentioning ransomware.”
Introduction
Ransomware[1][2]
• denies victims access to their system (a DoS)
• "claims" something has been kidnapped and tells victims they must pay to get the kidnapee back
• anonymity of the transaction is the hardest part
  • cryptocurrency, voucher, Tor
• no one can guarantee the kidnapee will come back after payment
Introduction
Example: Denying Access to Vehicles
[figure: ransom hardware]
Background
Types of Ransomware
• misleading application[3][4]
  • free vs. non-free
  • e.g. performance optimizer, fake AV
• police ransomware
  • fake local law enforcement
• crypto ransomware
Background
History of Ransomware on OS X[5]
• July 2013, FBI ransomware[6][7]
• June 2014, FileCoder[8]
• Sep 2015, Gopher[9]
• Nov 2015, Mabouia[10]
• Feb 2016, GinX[11]
• Mar 2016, KeRanger[12] (see Appendix A)
Related Works
• Toward Generic (Crypto) Ransomware Detection[5]
  • monitoring file I/O events
  • determining if a file is encrypted
  • determining if a process is untrusted
• RansomWhere?[13]
➡ sniffer-mode limitation: a few files are still sacrificed before detection triggers
FèlDo
Overview
• an inline-mode solution for detecting and preventing crypto ransomware
• detection: correlating function calls
  • crypto ransomware is relatively simple (at least for now)
  • it is possible to detect it by observing the function-calling sequence within a short time frame
• prevention: hooking APIs
  • deferring unlink requests
FèlDo
Correlating Function Calls (1/2)
[figure: observation on dtruss output]
FèlDo
Correlating Function Calls (2/2)
open_nocancel("/Users/tester/.CFUserTextEncoding0", 0x0, 0x1B6) = 6 0
open_nocancel("/Users/tester/.CFUserTextEncoding.encrypted0", 0x601, 0x1B6) = 7 0
close_nocancel(0x6) = 0 0
close_nocancel(0x7) = 0 0
unlink("/Users/tester/.CFUserTextEncoding0", 0x7FFF5FBFDE00, 0x154) = 0 0
If the frequency of this two-pair pattern (open the source file and a new *.encrypted file, close both, unlink the source) exceeds thresholdA, the corresponding process is likely a crypto ransomware.
in-place vs. not-in-place encryption
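The correlation rule above, as an added example that is not part of the original slides: it parses dtruss-style lines, pairs each source open with the creation of its *.encrypted sibling and the later unlink of the source, and flags the process once thresholdA pairs fall inside one time window. The traces, timestamps and the values of thresholdA and the window are constructed for this example; it covers the not-in-place pattern shown in the trace.

```python
import re
from collections import deque

# dtruss prints "syscall(args) = retval errno"; the regex captures those parts.
SYSCALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)\s+(\d+)\s*$')
PATH_RE = re.compile(r'"([^"]*)"')
ENCRYPTED_SUFFIX = ".encrypted"   # the sibling-file suffix seen in the slide's trace


def parse_event(line):
    """Split one dtruss line into syscall name, first quoted path, return value, errno."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    name, args, ret, err = m.groups()
    path = PATH_RE.search(args)
    return {"name": name, "path": path.group(1) if path else None,
            "ret": int(ret), "errno": int(err)}


class PairCorrelator:
    """Counts completed 'open X / open X.encrypted / unlink X' pairs in a sliding window."""

    def __init__(self, threshold_a, window_seconds):
        self.threshold_a = threshold_a        # hypothetical thresholdA
        self.window = window_seconds          # the "short time frame"
        self.sources_seen = {}                # source path -> time of open
        self.siblings = set()                 # sources whose .encrypted twin was created
        self.hits = deque()                   # timestamps of completed pairs
        self.total_pairs = 0

    def feed(self, t, line):
        """Consume one trace event; return True once the window holds thresholdA pairs."""
        ev = parse_event(line)
        if ev is None or ev["path"] is None or ev["ret"] < 0:
            return False                      # unparsable, path-less or failed call
        path = ev["path"]
        if ev["name"].startswith("open"):     # open / open_nocancel
            if path.endswith(ENCRYPTED_SUFFIX):
                source = path[: -len(ENCRYPTED_SUFFIX)]
                if source in self.sources_seen:
                    self.siblings.add(source)
            else:
                self.sources_seen[path] = t
        elif ev["name"] == "unlink" and path in self.siblings:
            self.siblings.discard(path)
            self.sources_seen.pop(path, None)
            self.hits.append(t)
            self.total_pairs += 1
        while self.hits and t - self.hits[0] > self.window:
            self.hits.popleft()               # forget pairs that left the window
        return len(self.hits) >= self.threshold_a


def scan_trace(trace, threshold_a, window_seconds):
    """Feed (seconds, line) events in order; return (flagged, completed_pairs)."""
    c = PairCorrelator(threshold_a, window_seconds)
    flagged = False
    for t, line in trace:
        if c.feed(t, line):
            flagged = True
    return flagged, c.total_pairs


def ransom_pattern(t0, src, fd_a=6, fd_b=7):
    """Constructed trace fragment mirroring the five lines on the slide."""
    return [
        (t0,        f'open_nocancel("{src}", 0x0, 0x1B6) = {fd_a} 0'),
        (t0 + 0.01, f'open_nocancel("{src}{ENCRYPTED_SUFFIX}", 0x601, 0x1B6) = {fd_b} 0'),
        (t0 + 0.02, f'close_nocancel({fd_a:#x}) = 0 0'),
        (t0 + 0.02, f'close_nocancel({fd_b:#x}) = 0 0'),
        (t0 + 0.03, f'unlink("{src}", 0x7FFF5FBFDE00, 0x154) = 0 0'),
    ]


# Constructed samples: a benign editor/temp-file session, a fast burst, a slow drip.
BENIGN_TRACE = [
    (0.00, 'open_nocancel("/Users/tester/notes.txt", 0x0, 0x1B6) = 3 0'),
    (0.01, 'close_nocancel(0x3) = 0 0'),
    (0.05, 'open_nocancel("/tmp/scratch.tmp", 0x601, 0x1B6) = 4 0'),
    (0.06, 'close_nocancel(0x4) = 0 0'),
    (0.07, 'unlink("/tmp/scratch.tmp", 0x7FFF5FBFDE00, 0x154) = 0 0'),
]
BURST_TRACE = (ransom_pattern(1.00, "/Users/tester/.CFUserTextEncoding")
               + ransom_pattern(1.10, "/Users/tester/report.docx")
               + ransom_pattern(1.20, "/Users/tester/photo.jpg"))
SLOW_TRACE = (ransom_pattern(10.0, "/Users/tester/a.txt")
              + ransom_pattern(12.0, "/Users/tester/b.txt")
              + ransom_pattern(14.0, "/Users/tester/c.txt"))

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("burst", BURST_TRACE), ("slow", SLOW_TRACE)]:
        print(name, scan_trace(trace, threshold_a=3, window_seconds=1.0))
```

The slow trace completes the same three pairs but never holds three inside one window, which is why the window length matters as much as thresholdA.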
FèlDo
Hooking APIs
• acknowledges whenever a process requests to unlink a file, even a non-existent one
• puts the request into a deferred queue
• the queue is purged on two criteria: a space limit and a time limit
  • if the queue length is greater than thresholdB
  • if a request has been deferred for thresholdC seconds
• satisfies the remaining requests when the process terminates
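A model of the deferred unlink queue described above, added here as an example and not taken from FèlDo's own code: requests are acknowledged at once, really performed only when the space limit (thresholdB) or time limit (thresholdC) purges them or the process exits. The threshold values, paths and the `discard()` step that drops the queue once detection fires are assumptions for this example; a real hook would wrap unlink() instead of being called directly.

```python
import os
import tempfile
from collections import deque


class DeferredUnlinkQueue:
    """Holds acknowledged unlink requests until a space or time limit purges them."""

    def __init__(self, threshold_b, threshold_c, remove=os.remove):
        self.threshold_b = threshold_b    # hypothetical thresholdB: max queued requests
        self.threshold_c = threshold_c    # hypothetical thresholdC: max seconds deferred
        self._remove = remove             # the real unlink; injectable for testing
        self.queue = deque()              # (request_time, path), oldest first
        self.performed = []               # paths actually removed, in order

    def _perform(self, path):
        try:
            self._remove(path)
        except FileNotFoundError:
            pass                          # request was acknowledged even for a missing file
        self.performed.append(path)

    def request_unlink(self, path, now):
        """Hook entry point: acknowledge at once, defer the real unlink (space limit here)."""
        self.queue.append((now, path))
        while len(self.queue) > self.threshold_b:
            _, oldest = self.queue.popleft()
            self._perform(oldest)
        return 0                          # the calling process sees success immediately

    def tick(self, now):
        """Time limit: purge requests deferred for thresholdC seconds or more."""
        while self.queue and now - self.queue[0][0] >= self.threshold_c:
            _, path = self.queue.popleft()
            self._perform(path)

    def process_exit(self):
        """Process terminated: satisfy the remaining requests."""
        while self.queue:
            _, path = self.queue.popleft()
            self._perform(path)

    def discard(self):
        """Detection fired (assumed step): drop pending requests so the files survive."""
        dropped = [path for _, path in self.queue]
        self.queue.clear()
        return dropped


def demo_limits(threshold_b=3, threshold_c=5.0):
    """Walk both purge criteria and the discard path with a recording remover."""
    removed = []
    q = DeferredUnlinkQueue(threshold_b, threshold_c, remove=removed.append)
    for i in range(4):                                # 4 requests at t = 0, 1, 2, 3
        assert q.request_unlink(f"/tmp/demo_{i}", now=float(i)) == 0
    after_space = list(removed)                       # demo_0 purged: queue exceeded thresholdB
    q.tick(now=6.0)                                   # demo_1 (t=1) is now 5 s old
    after_time = list(removed)
    survivors = q.discard()                           # demo_2 and demo_3 are never deleted
    return after_space, after_time, survivors


def demo_exit():
    """Process exit flushes everything still queued."""
    removed = []
    q = DeferredUnlinkQueue(10, 60.0, remove=removed.append)
    q.request_unlink("/tmp/a", now=0.0)
    q.request_unlink("/tmp/b", now=0.5)
    q.process_exit()
    return removed


if __name__ == "__main__":
    # Real filesystem run in a scratch directory: the file is gone only after the purge.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim.txt")
        open(target, "w").close()
        q = DeferredUnlinkQueue(threshold_b=2, threshold_c=5.0)
        q.request_unlink(target, now=0.0)
        q.request_unlink(os.path.join(d, "does_not_exist"), now=0.1)
        print("still present after ack:", os.path.exists(target))   # True
        q.tick(now=10.0)
        print("present after purge:", os.path.exists(target))       # False
    print(demo_limits(), demo_exit())
```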
Implementation
OS X
• userland solution
  • supported by the dynamic linker "dyld"
    • DYLD_INSERT_LIBRARIES
    • DYLD_FORCE_FLAT_NAMESPACE
• kernel extension solution
  • replace entries of the system call table
[figure: layers application / library / system call / kernel; the userland solution hooks at the library layer, the kext solution at the system call table]
Simple Evaluation
(unit: second)
          | original                         | userland solution                | kext solution
          | round 1 round 2 round 3 average  | round 1 round 2 round 3 average  | round 1 round 2 round 3 average
test1.sh  |  49.66   50.97   50.17   50.27   | 136.80  140.66  137.13  138.20   |  51.08   50.27   51.03   50.79
test2.sh  |  34.67   33.83   32.78   33.76   | 107.30  105.41  107.00  106.57   |  34.08   34.88   33.15   34.04
test3.sh  |  32.73   31.37   32.11   32.07   | 142.27  142.25  144.37  142.96   |  32.52   32.35   31.92   32.26
$ cat test1.sh
for i in $(seq 1 10000)
do
    touch $i
    rm $i
done
$ cat test2.sh
for i in $(seq 1 4)
do
    (
        for k in $(seq 1 3000)
        do
            touch ${i}_${k}
            rm ${i}_${k}
        done
    ) &
done
wait
$ cat test3.sh
cd yara
sh build.sh >/dev/null 2>&1
userland solution: too heavy a performance penalty (2x~4x slower)
kext solution: almost transparent
Summary
• ransomware is varied
  • crypto ransomware is just one kind of it
• IMHO, a product against crypto ransomware should
  • run in kernel mode and leverage existing mechanisms, e.g. KAuth
  • use multiple detection criteria
  • support whitelisting
References
[1]: http://www.trendmicro.com/vinfo/us/security/definition/ransomware
[2]: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
[3]: http://securityresponse.symantec.com/norton/theme.jsp?themeid=mislead
[4]: https://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-0757-99
[5]: https://objective-see.com/blog/blog_0x0F.html
[6]: https://blog.malwarebytes.org/threat-analysis/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
[7]: http://www.makeuseof.com/tag/mac-user-ransomware-easily-remove-malware-threat/
[8]: https://securelist.com/blog/research/66760/unfinished-ransomware-for-macos-x/
[9]: https://github.com/gdbinit/gopher
[10]: http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-mac-os-x.html
[11]: http://www.infosecisland.com/blogview/24699-OSX-Ransomware-Offered-for-Sale-in-the-Underground.html
[12]: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
[13]: https://objective-see.com/products/ransomwhere.html
Appendix A
Case Study: OSX.KeRanger
- Introduction
- Analysis
- Fake C2 Server
- Experiment
- Rescue
OSX.KeRanger (1/14)
Introduction
OSX.KeRanger (2/14)
Attach the DMG
$ hdiutil attach OSX.KeRanger
Checksumming Protective Master Boot Record (MBR : 0)…
Protective Master Boot Record (MBR :: verified CRC32 $C0C6CB47
Checksumming GPT Header (Primary GPT Header : 1)…
GPT Header (Primary GPT Header : 1): verified CRC32 $933E6577
Checksumming GPT Partition Data (Primary GPT Table : 2)…
GPT Partition Data (Primary GPT Tabl: verified CRC32 $0AE534AA
Checksumming (Apple_Free : 3)…
(Apple_Free : 3): verified CRC32 $00000000
Checksumming disk image (Apple_HFS : 4)…
...............................................................................
disk image (Apple_HFS : 4): verified CRC32 $4D10DABF
Checksumming (Apple_Free : 5)…
(Apple_Free : 5): verified CRC32 $00000000
Checksumming GPT Partition Data (Backup GPT Table : 6)…
GPT Partition Data (Backup GPT Table: verified CRC32 $0AE534AA
Checksumming GPT Header (Backup GPT Header : 7)…
GPT Header (Backup GPT Header : 7): verified CRC32 $D2F721FA
verified CRC32 $BC3C912F
/dev/disk1 GUID_partition_scheme
/dev/disk1s1 Apple_HFS /Volumes/Transmission
$ file /Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission: Mach-O 64-bit executable x86_64
sha256(OSX.KeRanger) = d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1
OSX.KeRanger (3/14)
Drop File
fork, exec, wait
copies General.rtf to kernel_service
There will be a process named "kernel_service".
OSX.KeRanger (4/14)
UPX Packed
sha256(General.rtf) = 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9
$ hexdump -C General.rtf | grep -i upx
000002c0 1c 03 f2 dc 55 50 58 21 a7 06 0d 22 00 00 00 00 |....UPX!..."....|
00020ff0 ff 00 00 00 00 55 50 58 21 00 00 00 00 00 00 00 |.....UPX!.......|
00021150 6b 65 72 20 68 74 74 70 3a 2f 2f 75 70 78 2e 73 |ker http://upx.s|
00021190 68 65 20 55 50 58 20 54 65 61 6d 2e 20 41 6c 6c |he UPX Team. All|
00021330 14 14 85 d2 ef ba db ff 75 15 81 fe 55 50 58 21 |........u...UPX!|
000216a0 69 c3 00 00 00 00 00 00 00 90 ff 55 50 58 21 0d |i..........UPX!.|
OSX.KeRanger (5/14)
Unlink Itself
sha256(General.rtf.unpacked) = 84a60c8bb2cdf454fdb593318e7c26ba93cc48ba3058530998c8886050981f11
to hide itself
OSX.KeRanger (6/14)
Daemonize and Wait
fork, setsid, chdir
sleeps 300 seconds at a time until 3 days have elapsed
its parent "Transmission" can keep going
done flag
OSX.KeRanger (7/14)
Generate UUID and Query String
$ sysctl hw.model
hw.model: MacBookPro11,1
$ sysctl -a | grep 'hw.model'
$ sysctl hw.model
hw.model: VMware7,1
OSX.KeRanger (8/14)
C2 Communication (1/2)
• gethostbyname
• connect
• send
• recv
OSX.KeRanger (9/14)
C2 Communication (2/2)
• the server responds with 2 lines (base64-encoded)
  • 1st line: RSA public key
  • 2nd line: ransom statement
OSX.KeRanger (10/14)
File Encryption (1/4)
encrypts all files except:
• *.encrypted
• README_FOR_DECRYPT.txt
• .kernel_complete
• .kernel_time
• .kernel_pid
OSX.KeRanger (11/14)
File Encryption (2/4)
encrypts a file only if its filename extension is in the list
OSX.KeRanger (12/14)
File Encryption (3/4)
target filename extensions:
.3dm .3ds .3g2 .3gp .7z .ab4 .accdb .accde .accdr .accdt .ach .acr .act .adb
.ads .ai .ait .al .apj .arw .asf .asm .asp .asx .avi .back .backup .bak
.bank .bay .bdb .bgt .bik .bkf .bkp .blend .bpw .c .cdb .cdf .cdr .cdx
.ce1 .ce2 .cer .cfp .cgm .class .cls .cmt .cnv .cpi .cpp .cr2 .craw .crt
.crw .cs .csh .csl .csv .dac .db .db3 .dbf .dbr .dbs .dc2 .dcr .dcs
.dcx .ddd .ddoc .dds .der .des .design .dgc .djvu .dng .doc .docm .docx .dot
.dotm .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .ebd .edb .eml .eps .erf
.exf .fdb .ffd .fff .fh .fhd .fla .flac .flv .fm .fp7 .fpx .fxg .gdb
.gray .grey .grw .gry .h .hbk .hpp .ibd .idx .iif .indd .java .jpe .jpeg
.jpg .kdbx .kdc .key .laccdb .lua .m .m4v .maf .mam .maq .mar .maw .max
.mdb .mdc .mde .mdf .mdt .mef .mfw .mmw .mos .mov .mp3 .mp4 .mpg .mpp
.mrw .mso .myd .ndd .nef .nk2 .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh
.nwb .nx1 .nx2 .nyf .obj .odb .odc .odf .odg .odm .odp .ods .odt .oil
.one .orf .otg .oth .otp .ots .ott .p12 .p7b .p7c .pages .pas .pat .pbo
.pcd .pct .pdb .pdd .pdf .pef .pem .pfx .php .pip .pl .plc .pot .potm
.potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx
.pub .puz .py .qba .qbb .qbm .qbw .qbx .r3d .raf .rar .rat .raw .rdb
.rm .rtf .rwz .sas7bdat .say .sd0 .sda .sdf .snp .sql .sr2 .srf .srt .srw
.st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd
.sxg .sxi .sxm .sxw .tex .tga .thm .tlg .txt .vob .vsd .vsx .vtx .wav
.wb2 .wbk .wdb .wll .wmv .wpd .wps .x11 .x3f .xla .xlam .xlb .xlc .xlk
.xll .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xpp .xsn .yuv
.zip .tar .tgz .gzip .tib .sparsebundle
OSX.KeRanger (13/14)
File Encryption (4/4)
drops the ransom statement (README_FOR_DECRYPT.txt)
OSX.KeRanger (14/14)
Finalize
Be honest! Don't touch this; or it will encrypt your files again some day ...
Fake C2 Server (1/3)
Modify /etc/hosts
# cat /etc/hosts
127.0.0.1 lclebb6kvohlkcml.onion.link
127.0.0.1 lclebb6kvohlkcml.onion.nu
127.0.0.1 bmacyzmea723xyaz.onion.link
127.0.0.1 bmacyzmea723xyaz.onion.nu
127.0.0.1 nejdtkok7oz5kjoc.onion.link
127.0.0.1 nejdtkok7oz5kjoc.onion.nu
Fake C2 Server (2/3)
Generate Private and Public Key
# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
...............................................+++
e is 65537 (0x10001)
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
writing RSA key
# printf "\x00" >> public.pem
# base64 public.pem
LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE3eGd
TWW9MVWljNWxadnBiaXZ3NApXZzJFNUJpdk4vcW9vUmVTUEl4Z3lvYzZNMGdXR01pUUZmdVlMQjVxS2hXR2hmQjViWVh5K2hrak
hYWC84Z2l1CmJCa0szYU9RdmdlUmtKemR4NVFvbG5XNWxqRzVFUU9hZ0pCRk1RSHFIaHFqbXJDY0dFTis3c0N4YngrMGdYUGMKV
URJUEE1VXhLdjlneGFhMHQweHVoeWovUVhNMjF3V25mUkVxclU5MmdMSHIwdEpqR0E5Y2FPZ1cxbXVZM2U4UwpjQno5K3NJaWxv
RVBNSVNqa3N3dGR5OE96Q2FQYS9LU1J2T1lleXhsVGlCNDJrbEV2WmpyVkJ2ODZza09uQ0xNCkdSaWpCRkNyVnkwVVNKTDh4WHR
RMEJJNjZWTzB1b21oOXV4cC9Na1pLWk4yNmhraDNUSEVXL2xUdnBnYXlPSW8KbFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS
0tLS0tCgA=
unusual practice: the trailing NUL byte appended by printf above is base64-encoded together with the key
Fake C2 Server (3/3)
Dummy Web Application
# cat dummy.py
from flask import Flask
from flask import request

web_app = Flask('dummy')

@web_app.route('/osx/ping', methods=['GET'])
def dummy():
    r = list()
    # the base64-encoded public key generated on the previous slide (one long string)
    r.append('LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ'
             '0FRRUE3eGdTWW9MVWljNWxadnBiaXZ3NApXZzJFNUJpdk4vcW9vUmVTUEl4Z3lvYzZNMGdXR01pUUZmdVlMQjVxS2hXR2hmQjVi'
             'WVh5K2hrakhYWC84Z2l1CmJCa0szYU9RdmdlUmtKemR4NVFvbG5XNWxqRzVFUU9hZ0pCRk1RSHFIaHFqbXJDY0dFTis3c0N4Yng'
             'rMGdYUGMKVURJUEE1VXhLdjlneGFhMHQweHVoeWovUVhNMjF3V25mUkVxclU5MmdMSHIwdEpqR0E5Y2FPZ1cxbXVZM2U4UwpjQn'
             'o5K3NJaWxvRVBNSVNqa3N3dGR5OE96Q2FQYS9LU1J2T1lleXhsVGlCNDJrbEV2WmpyVkJ2ODZza09uQ0xNCkdSaWpCRkNyVnkwV'
             'VNKTDh4WHRRMEJJNjZWTzB1b21oOXV4cC9Na1pLWk4yNmhraDNUSEVXL2xUdnBnYXlPSW8KbFFJREFRQUIKLS0tLS1FTkQgUFVC'
             'TElDIEtFWS0tLS0tCgA=')
    # a base64-encoded dummy ransom statement
    r.append('c29tZSByYW5zb20gc3RhdGVtZW50Li4uCg==')
    return '\n'.join(r)   # two lines, as the real C2 responds

web_app.run(host='0.0.0.0', port=80)
(the code is indented; don't be confused by the slide layout)
Experiment (1/2)
Cheat the Malware
$ cp General.rtf AAAA
$ ./AAAA
$ killall AAAA
$ ls -a Library/.kernel*
Library/.kernel_pid
Library/.kernel_time
$ echo 0 > Library/.kernel_time
./AAAA: the copy will be unlinked (it deletes itself) and the process will be detached (daemonized)
echo 0 > .kernel_time: cheats the malware into believing 3+ days have elapsed
Experiment (2/2)
Hook Sleep Function
$ cat hook_sleep.c
/* interposed sleep(): return immediately instead of sleeping */
unsigned int sleep(unsigned int seconds)
{
    return 0;
}
$ gcc hook_sleep.c -shared -fPIC -o hs.dylib
$ DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=hs.dylib ./General.rtf
# python dummy.py
 * Running on http://0.0.0.0:80/ (Press CTRL+C to quit)
127.0.0.1 - - [16/Mar/2016 04:06:48] "GET /osx/ping?user_id=general&uuid=4a8832aa8056fceebee520f8eae577ee52b51e5826ee79b75a8f314d3980129&model=VMware7,1 HTTP/1.0" 200 -
Rescue (1/5)
Encrypted File Format
[figure: layout of XXX.encrypted]
  len          4 bytes
  {seed}pub    256 bytes (its length is given by len)
  IV           16 bytes
  cipher text
  HMAC         32 bytes
Rescue (2/5)
Get Secret Key
[figure: the IV (16 bytes) and the seed (32 bytes) are fed through a message digest (md), run over 8 times, producing the 32-byte key]
Rescue (3/5)
Decryption
[figure: AES takes the IV (16 bytes) and the key (32 bytes) and turns 32-byte cipher-text blocks into 32-byte plain-text blocks]
IV will be replaced after the first round
Rescue (4/5)
Trim File Until Matches HMAC
[figure: AES turns the cipher text into plain text; the plain text may carry some (garbage) padding, at most 31 bytes]
Rescue (5/5)
Decryption Tool
$ cat decrypt_file.c
[snip]
    if (!get_seed(argv[1], encrypted_seed, encrypted_seed_len, seed, &seed_len)) {
        ERR("failed to get_seed");
        goto leave;
    }
    dump_binary("seed", seed, seed_len);
    if (!get_key(iv, seed, key)) {
        ERR("failed to get_key");
        goto leave;
    }
    dump_binary("key", key, 32);
    if (!decrypt_file(encrypted_seed_len, iv, key, fin, fout)) {
        ERR("failed to decrypt_file");
        goto leave;
    }
    DBG("decrypt_file success");
    if (!trim_file(key, hmac, fout)) {
        ERR("failed to trim_file");
        goto leave;
    }
    DBG("trim_file success");
[snip]
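Two steps of the rescue procedure, as an added example that is not the speaker's decrypt_file.c: a parser for the XXX.encrypted layout from Rescue (1/5) and the trim-until-HMAC-matches step from Rescue (4/5). Assumptions not stated on the slides: len is little-endian, the HMAC is HMAC-SHA256 over the plain text keyed with the 32-byte key, and the AES step is left out (no AES in the Python standard library), so the already decrypted, possibly padded plain text is taken as input; the key, seed, IV and cipher-text bytes are constructed.

```python
import hmac
import hashlib
import struct

LEN_SIZE = 4        # "len" field: 4 bytes (assumed little-endian)
IV_SIZE = 16        # IV: 16 bytes
HMAC_SIZE = 32      # HMAC: 32 bytes (assumed HMAC-SHA256)
MAX_PADDING = 31    # "at most 31 bytes" of garbage after the plain text


def parse_container(blob):
    """Split an XXX.encrypted blob into its fields following the slide's layout."""
    if len(blob) < LEN_SIZE + IV_SIZE + HMAC_SIZE:
        raise ValueError("file too short to hold len, IV and HMAC")
    (seed_len,) = struct.unpack("<I", blob[:LEN_SIZE])
    body_end = len(blob) - HMAC_SIZE          # the HMAC is the 32-byte trailer
    iv_start = LEN_SIZE + seed_len
    ct_start = iv_start + IV_SIZE
    if ct_start > body_end:
        raise ValueError("len field %d is inconsistent with the file size" % seed_len)
    return {
        "encrypted_seed": blob[LEN_SIZE:iv_start],   # {seed}pub, 256 bytes for RSA-2048
        "iv": blob[iv_start:ct_start],
        "ciphertext": blob[ct_start:body_end],
        "hmac": blob[body_end:],
    }


def trim_to_hmac(key, expected_hmac, padded_plaintext, max_padding=MAX_PADDING):
    """Drop up to max_padding trailing bytes until the HMAC over the remainder matches."""
    for cut in range(0, max_padding + 1):
        candidate = padded_plaintext[: len(padded_plaintext) - cut]
        tag = hmac.new(key, candidate, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected_hmac):
            return candidate
    return None   # no trim length verifies: wrong key or corrupted file


def build_sample(key, plaintext, padding, encrypted_seed, iv, stand_in_ciphertext):
    """Constructed container for the demo; the cipher text is a stand-in (no AES here)."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    blob = (struct.pack("<I", len(encrypted_seed)) + encrypted_seed + iv
            + stand_in_ciphertext + tag)
    return blob, plaintext + padding


def demo():
    """Parse a constructed container, then recover the exact plain text by trimming."""
    key = bytes(range(32))                  # constructed 32-byte key
    plaintext = b"quarterly report, do not lose"
    padding = b"\xAA" * 11                  # constructed garbage after the plain text
    blob, padded = build_sample(key, plaintext, padding, b"S" * 256, b"I" * 16, b"C" * 48)
    fields = parse_container(blob)
    recovered = trim_to_hmac(key, fields["hmac"], padded)
    wrong_key = trim_to_hmac(b"\x00" * 32, fields["hmac"], padded)
    return fields, recovered, wrong_key


if __name__ == "__main__":
    fields, recovered, wrong_key = demo()
    print({k: len(v) for k, v in fields.items()})
    print("recovered:", recovered)          # b'quarterly report, do not lose'
    print("with wrong key:", wrong_key)     # None
```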

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 

Kürzlich hochgeladen

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Kürzlich hochgeladen (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Feldo: Function Event Listing and Dynamic Observing for Detecting and Preventing Crypto Ransomware

  • 10. FèlDo: Correlating Function Calls (2/2)

    dtruss output for one file handled by the crypto ransomware:

      open_nocancel("/Users/tester/.CFUserTextEncoding\0", 0x0, 0x1B6) = 6 0
      open_nocancel("/Users/tester/.CFUserTextEncoding.encrypted\0", 0x601, 0x1B6) = 7 0
      close_nocancel(0x6) = 0 0
      close_nocancel(0x7) = 0 0
      unlink("/Users/tester/.CFUserTextEncoding\0", 0x7FFF5FBFDE00, 0x154) = 0 0

    The pattern is a pair of calls on the same path: the original is opened read-only (flags 0x0),
    a new ".encrypted" file is created next to it (0x601 = O_WRONLY|O_CREAT|O_TRUNC, mode 0x1B6 = 0666),
    and the original is then unlinked. If a process completes this open/unlink pair more often than
    thresholdA within a short time frame, it is likely a crypto ransomware.
    • in-place vs. not-in-place encryption: the pair only appears for not-in-place encryption. A sample
      that rewrites the original through a read/write descriptor never calls unlink and has to be caught
      by another criterion.
  • 11. FèlDo: Hooking APIs
    • the hook is invoked whenever a process requests an unlink, even of a non-existent file
    • the request is put into a deferred queue instead of being carried out at once
    • the queue is purged under two criteria, space and time:
      • if the queue length is greater than thresholdB
      • if a request has been deferred for thresholdC seconds
    • the remaining requests are satisfied when the process terminates
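    As an added example, not FèlDo's own code (the slides ship none), the detector of slide 10 and the deferred-unlink queue of slide 11 replayed over a constructed dtruss-style trace. Assumed, because the slides leave it open: the threshold and window values, that the parked unlink requests of a process that has been flagged are dropped rather than served (this is the only reading under which deferral prevents anything), and a pid attached to each trace line, which plain dtruss output does not carry. Python is used for brevity in place of the dylib and kext of the real implementation.

```python
import re
from collections import defaultdict, deque

O_WRONLY, O_RDWR, O_CREAT = 0x1, 0x2, 0x200  # XNU <sys/fcntl.h>; 0x601 = O_WRONLY|O_CREAT|O_TRUNC
# dtruss prints  name(args) = retval errno ; C strings carry a trailing \0 inside the quotes
SYSCALL_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')

def parse_call(line):
    m = SYSCALL_RE.match(line.strip())
    if m is None:
        return None
    return m.group('name'), [a.strip() for a in m.group('args').split(',')], int(m.group('ret'))

def arg_path(arg):
    path = arg.strip('"')
    return path[:-2] if path.endswith('\\0') else path

class FeldoMonitor:
    """Assumed policy: flag a process that completes the read-open / create-open / unlink pattern
    thresholdA times within `window` seconds; park every unlink request and serve it only at
    thresholdC seconds of age, when more than thresholdB are parked, or at process exit; drop
    (instead of serve) the parked requests of a flagged process."""
    def __init__(self, threshold_a=3, window=5.0, threshold_b=4, threshold_c=30.0):
        self.threshold_a, self.window = threshold_a, window
        self.threshold_b, self.threshold_c = threshold_b, threshold_c
        self.read_opens = defaultdict(dict)     # pid -> {path: time opened read-only}
        self.create_opens = defaultdict(list)   # pid -> [time a new file was created]
        self.patterns = defaultdict(deque)      # pid -> times of completed patterns
        self.deferred = defaultdict(deque)      # pid -> [(time, path)] parked unlinks
        self.flagged, self.unlinked, self.preserved = set(), [], []   # outcomes as (pid, path)

    def feed(self, pid, t, line):
        parsed = parse_call(line)
        if parsed is None:
            return
        name, args, ret = parsed
        if name in ('open', 'open_nocancel') and ret >= 0:
            path, flags = arg_path(args[0]), int(args[1], 16)
            if flags & (O_WRONLY | O_RDWR) == 0:
                self.read_opens[pid][path] = t
            elif flags & O_CREAT:
                self.create_opens[pid].append(t)
            # O_RDWR without O_CREAT (in-place rewrite) leaves no trace here: the slide's caveat
        elif name == 'unlink':
            path = arg_path(args[0])
            self._observe_unlink(pid, t, path)
            self.deferred[pid].append((t, path))   # hooked: parked, not executed
        self.tick(t)

    def _observe_unlink(self, pid, t, path):
        t_read = self.read_opens[pid].pop(path, None)
        self.create_opens[pid] = creates = [tc for tc in self.create_opens[pid] if t - tc <= self.window]
        # only read-original / write-copy / delete-original counts, not a plain delete
        if t_read is None or t - t_read > self.window or not any(t_read <= tc <= t for tc in creates):
            return
        pats = self.patterns[pid]
        pats.append(t)
        while t - pats[0] > self.window:
            pats.popleft()
        if len(pats) >= self.threshold_a:
            self.flagged.add(pid)

    def tick(self, now):
        # purge criteria from slide 11: age >= thresholdC seconds or queue length > thresholdB
        for pid, q in self.deferred.items():
            while q and (now - q[0][0] >= self.threshold_c or len(q) > self.threshold_b):
                self._serve(pid, q.popleft()[1])

    def process_exit(self, pid):
        q = self.deferred[pid]                    # remaining requests are satisfied at exit
        while q:
            self._serve(pid, q.popleft()[1])

    def _serve(self, pid, path):
        (self.preserved if pid in self.flagged else self.unlinked).append((pid, path))

def ransomware_trace(pid, files, t0=0.0, step=0.05):  # constructed: slide 10's sequence per file
    lines, t = [], t0
    for f in files:
        lines += [
            (pid, t,        'open_nocancel("%s\\0", 0x0, 0x1B6) = 6 0' % f),
            (pid, t + 0.01, 'open_nocancel("%s.encrypted\\0", 0x601, 0x1B6) = 7 0' % f),
            (pid, t + 0.02, 'close_nocancel(0x6) = 0 0'),
            (pid, t + 0.03, 'close_nocancel(0x7) = 0 0'),
            (pid, t + 0.04, 'unlink("%s\\0", 0x7FFF5FBFDE00, 0x154) = 0 0' % f),
        ]
        t += step
    return lines

def run_demo():
    mon = FeldoMonitor()
    events = ransomware_trace(4242, ['/Users/tester/doc%d.docx' % i for i in range(4)])
    events += [  # constructed: a compressor reads a file, writes the archive, deletes the original
        (77, 0.00, 'open_nocancel("/Users/tester/big.log\\0", 0x0, 0x1B6) = 3 0'),
        (77, 0.10, 'open_nocancel("/Users/tester/big.log.gz\\0", 0x601, 0x1B6) = 4 0'),
        (77, 0.20, 'unlink("/Users/tester/big.log\\0", 0x7FFF5FBFDE00, 0x154) = 0 0'),
    ]
    for pid, t, line in sorted(events, key=lambda e: e[1]):
        mon.feed(pid, t, line)
    mon.process_exit(77)  # one pattern only, never flagged: its unlink is served at exit
    mon.tick(60.0)        # thresholdC elapses: the flagged process's parked unlinks are dropped
    return mon
```

    Running run_demo() flags pid 4242 at its third pattern, while the first two unlink requests are still parked, so all four originals survive; the compressor (pid 77) completes the same pattern once, stays under thresholdA and gets its single unlink served at exit. The thresholds decide the trade-off the talk measures on slide 13: a large thresholdB or thresholdC keeps more originals alive but means more deferred work for every benign process on the box.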
  • 12. Implementation: OS X
    • userland solution
      • supported by the dynamic linker "dyld"
      • DYLD_INSERT_LIBRARIES
      • DYLD_FORCE_FLAT_NAMESPACE
      • caveat: the DYLD_* variables are inherited environment, so a process launched without them
        runs unhooked, and with SIP enabled dyld ignores them for protected system binaries
    • kernel extension solution
      • replace entries of the system call table
    (diagram: application -> library -> system call -> kernel; the userland solution interposes at the
    library layer, the kext solution at the system call layer)
  • 13. Simple Evaluation (unit: seconds)

                     original                       userland solution                kext solution
                 round 1 round 2 round 3 average  round 1 round 2 round 3 average  round 1 round 2 round 3 average
      test1.sh    49.66   50.97   50.17   50.27   136.80  140.66  137.13  138.20    51.08   50.27   51.03   50.79
      test2.sh    34.67   33.83   32.78   33.76   107.30  105.41  107.00  106.57    34.08   34.88   33.15   34.04
      test3.sh    32.73   31.37   32.11   32.07   142.27  142.25  144.37  142.96    32.52   32.35   31.92   32.26

    test1.sh: 10000 sequential create/delete pairs; test2.sh: four processes doing 3000 each in
    parallel; test3.sh: a mixed workload (building yara).

      $ cat test1.sh
      for i in $(seq 1 10000)
      do
          touch $i
          rm $i
      done

      $ cat test2.sh
      for i in $(seq 1 4)
      do
          (
          for k in $(seq 1 3000)
          do
              touch ${i}_${k}
              rm ${i}_${k}
          done
          ) &
      done
      wait

      $ cat test3.sh
      cd yara
      sh build.sh >/dev/null 2>&1

    • userland solution: too many performance penalties (about 2.7x to 4.5x slower on these tests:
      138.20/50.27, 106.57/33.76, 142.96/32.07)
    • kext solution: almost transparent (within about 1% of the original on all three tests)
  • 14. Summary
    • ransomware is variable; crypto ransomware is just one kind of it
    • IMHO, a product for crypto ransomware should be
      • kernel mode, leveraging existing mechanisms, e.g. KAuth (note: Apple has since deprecated KAuth
        together with kernel extensions; on macOS 10.15 and later the Endpoint Security framework is the
        supported way to authorize file events from a system extension)
      • multiple detection criteria
      • white listing
  • 15. References
    [1]: http://www.trendmicro.com/vinfo/us/security/definition/ransomware
    [2]: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
    [3]: http://securityresponse.symantec.com/norton/theme.jsp?themeid=mislead
    [4]: https://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-0757-99
    [5]: https://objective-see.com/blog/blog_0x0F.html
    [6]: https://blog.malwarebytes.org/threat-analysis/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
    [7]: http://www.makeuseof.com/tag/mac-user-ransomware-easily-remove-malware-threat/
    [8]: https://securelist.com/blog/research/66760/unfinished-ransomware-for-macos-x/
    [9]: https://github.com/gdbinit/gopher
    [10]: http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-mac-os-x.html
    [11]: http://www.infosecisland.com/blogview/24699-OSX-Ransomware-Offered-for-Sale-in-the-Underground.html
    [12]: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
    [13]: https://objective-see.com/products/ransomwhere.html
  • 16. Appendix A: Case Study, OSX.KeRanger
    • Introduction
    • Analysis
    • Fake C2 Server
    • Experiment
    • Rescue
  • 17. OSX.KeRanger (1/14): Introduction
  • 18. OSX.KeRanger (2/14): Attach the DMG

      $ hdiutil attach OSX.KeRanger
      Checksumming Protective Master Boot Record (MBR : 0)…
      Protective Master Boot Record (MBR :: verified CRC32 $C0C6CB47
      Checksumming GPT Header (Primary GPT Header : 1)…
      GPT Header (Primary GPT Header : 1): verified CRC32 $933E6577
      Checksumming GPT Partition Data (Primary GPT Table : 2)…
      GPT Partition Data (Primary GPT Tabl: verified CRC32 $0AE534AA
      Checksumming (Apple_Free : 3)…
      (Apple_Free : 3): verified CRC32 $00000000
      Checksumming disk image (Apple_HFS : 4)…
      ...............................................................................
      disk image (Apple_HFS : 4): verified CRC32 $4D10DABF
      Checksumming (Apple_Free : 5)…
      (Apple_Free : 5): verified CRC32 $00000000
      Checksumming GPT Partition Data (Backup GPT Table : 6)…
      GPT Partition Data (Backup GPT Table: verified CRC32 $0AE534AA
      Checksumming GPT Header (Backup GPT Header : 7)…
      GPT Header (Backup GPT Header : 7): verified CRC32 $D2F721FA
      verified CRC32 $BC3C912F
      /dev/disk1 GUID_partition_scheme
      /dev/disk1s1 Apple_HFS /Volumes/Transmission
      $ file /Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
      /Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission: Mach-O 64-bit executable x86_64

    sha256(OSX.KeRanger) = d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1
  • 19. OSX.KeRanger (3/14): Drop File
    • the trojanized Transmission does fork, exec, wait
    • General.rtf (an executable despite its extension) is copied to kernel_service
    • afterwards there is a process named "kernel_service"
  • 20. OSX.KeRanger (4/14): UPX Packed

    sha256(General.rtf) = 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9

      $ hexdump -C General.rtf | grep -i upx
      000002c0  1c 03 f2 dc 55 50 58 21  a7 06 0d 22 00 00 00 00  |....UPX!..."....|
      00020ff0  ff 00 00 00 00 55 50 58  21 00 00 00 00 00 00 00  |.....UPX!.......|
      00021150  6b 65 72 20 68 74 74 70  3a 2f 2f 75 70 78 2e 73  |ker http://upx.s|
      00021190  68 65 20 55 50 58 20 54  65 61 6d 2e 20 41 6c 6c  |he UPX Team. All|
      00021330  14 14 85 d2 ef ba db ff  75 15 81 fe 55 50 58 21  |........u...UPX!|
      000216a0  69 c3 00 00 00 00 00 00  00 90 ff 55 50 58 21 0d  |i..........UPX!.|
  • 21. OSX.KeRanger (5/14): Unlink Itself
    • the running binary unlinks its own file on disk to hide itself
    • sha256(General.rtf.unpacked) = 84a60c8bb2cdf454fdb593318e7c26ba93cc48ba3058530998c8886050981f11
  • 22. OSX.KeRanger (6/14): Daemonize and Wait
    • fork, setsid, chdir
    • sleeps 300 seconds at a time until 3 days have elapsed
    • its parent "Transmission" can keep going
    • a done flag is kept so the work is not repeated
  • 23. OSX.KeRanger (7/14): Generate UUID and Query String
    The hardware model is read via sysctl and ends up in the C2 query string (the model=VMware7,1 on slide 35):

      $ sysctl hw.model
      hw.model: MacBookPro11,1

      $ sysctl -a | grep 'hw.model'
      $ sysctl hw.model
      hw.model: VMware7,1
  • 24. OSX.KeRanger (8/14): C2 Communication (1/2)
    • gethostbyname
    • connect
    • send
    • recv
  • 25. OSX.KeRanger (9/14): C2 Communication (2/2)
    • the server responds with 2 lines, each base64-encoded
      • 1st line: RSA public key
      • 2nd line: ransom statement
  • 26. OSX.KeRanger (10/14): File Encryption (1/4)
    encrypts files, except:
    • *.encrypted
    • README_FOR_DECRYPT.txt
    • .kernel_complete
    • .kernel_time
    • .kernel_pid
  • 27. OSX.KeRanger (11/14): File Encryption (2/4)
    encrypts a file only if its extension is in the list of target filename extensions
  • 28. OSX.KeRanger (12/14): File Encryption (3/4)
    target filename extensions:
      .3dm .3ds .3g2 .3gp .7z .ab4 .accdb .accde .accdr .accdt .ach .acr .act .adb .ads .ai .ait .al .apj .arw .asf .asm .asp .asx .avi
      .back .backup .bak .bank .bay .bdb .bgt .bik .bkf .bkp .blend .bpw .c .cdb .cdf .cdr .cdx .ce1 .ce2 .cer .cfp .cgm .class .cls .cmt .cnv .cpi .cpp .cr2 .craw .crt .crw .cs .csh .csl .csv
      .dac .db .db3 .dbf .dbr .dbs .dc2 .dcr .dcs .dcx .ddd .ddoc .dds .der .des .design .dgc .djvu .dng .doc .docm .docx .dot .dotm .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg
      .ebd .edb .eml .eps .erf .exf .fdb .ffd .fff .fh .fhd .fla .flac .flv .fm .fp7 .fpx .fxg .gdb .gray .grey .grw .gry .h .hbk .hpp .ibd .idx .iif .indd .java .jpe .jpeg .jpg
      .kdbx .kdc .key .laccdb .lua .m .m4v .maf .mam .maq .mar .maw .max .mdb .mdc .mde .mdf .mdt .mef .mfw .mmw .mos .mov .mp3 .mp4 .mpg .mpp .mrw .mso .myd
      .ndd .nef .nk2 .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nwb .nx1 .nx2 .nyf .obj .odb .odc .odf .odg .odm .odp .ods .odt .oil .one .orf .otg .oth .otp .ots .ott
      .p12 .p7b .p7c .pages .pas .pat .pbo .pcd .pct .pdb .pdd .pdf .pef .pem .pfx .php .pip .pl .plc .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx .pub .puz .py
      .qba .qbb .qbm .qbw .qbx .r3d .raf .rar .rat .raw .rdb .rm .rtf .rwz .sas7bdat .say .sd0 .sda .sdf .snp .sql .sr2 .srf .srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw
      .tex .tga .thm .tlg .txt .vob .vsd .vsx .vtx .wav .wb2 .wbk .wdb .wll .wmv .wpd .wps .x11 .x3f .xla .xlam .xlb .xlc .xlk .xll .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xpp .xsn .yuv .zip .tar .tgz .gzip .tib .sparsebundle
  • 29. OSX.KeRanger (13/14): File Encryption (4/4)
    drops the ransom statement
  • 30. OSX.KeRanger (14/14): Finalize
    "Be honest! Don't touch this, or it will encrypt your files again some day ..."
  • 31. Fake C2 Server (1/3): Modify /etc/hosts
    The sample reaches its .onion C2 through Tor2web gateway hostnames; pointing them at localhost
    redirects it to a dummy server under our control:

      # cat /etc/hosts
      127.0.0.1 lclebb6kvohlkcml.onion.link
      127.0.0.1 lclebb6kvohlkcml.onion.nu
      127.0.0.1 bmacyzmea723xyaz.onion.link
      127.0.0.1 bmacyzmea723xyaz.onion.nu
      127.0.0.1 nejdtkok7oz5kjoc.onion.link
      127.0.0.1 nejdtkok7oz5kjoc.onion.nu
  • 32. Fake C2 Server (2/3): Generate Private and Public Key

      # openssl genrsa -out private.pem 2048
      Generating RSA private key, 2048 bit long modulus
      ....................................................+++
      ...............................................+++
      e is 65537 (0x10001)
      # openssl rsa -in private.pem -pubout -outform PEM -out public.pem
      writing RSA key
      # printf "\x00" >> public.pem
      # base64 public.pem
      LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE3eGdTWW9MVWljNWxadnBiaXZ3NApXZzJFNUJpdk4vcW9vUmVTUEl4Z3lvYzZNMGdXR01pUUZmdVlMQjVxS2hXR2hmQjViWVh5K2hrakhYWC84Z2l1CmJCa0szYU9RdmdlUmtKemR4NVFvbG5XNWxqRzVFUU9hZ0pCRk1RSHFIaHFqbXJDY0dFTis3c0N4YngrMGdYUGMKVURJUEE1VXhLdjlneGFhMHQweHVoeWovUVhNMjF3V25mUkVxclU5MmdMSHIwdEpqR0E5Y2FPZ1cxbXVZM2U4UwpjQno5K3NJaWxvRVBNSVNqa3N3dGR5OE96Q2FQYS9LU1J2T1lleXhsVGlCNDJrbEV2WmpyVkJ2ODZza09uQ0xNCkdSaWpCRkNyVnkwVVNKTDh4WHRRMEJJNjZWTzB1b21oOXV4cC9Na1pLWk4yNmhraDNUSEVXL2xUdnBnYXlPSW8KbFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgA=

    The trailing NUL byte is an unusual practice: it makes the decoded PEM a NUL-terminated C string,
    which the malware appears to expect (the base64 therefore ends in CgA=, i.e. "\n\0"). Because we hold
    the matching private.pem, any seed the sample encrypts with this public key can later be recovered.
  • 33. Fake C2 Server (3/3): Dummy Web Application

      # cat dummy.py
      from flask import Flask
      from flask import request

      web_app = Flask('dummy')

      @web_app.route('/osx/ping', methods=['GET'])
      def dummy():
          # two base64 lines, as the real C2 answers: our public key, then a ransom statement
          r = list()
          r.append('LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE3eGdTWW9MVWljNWxadnBiaXZ3NApXZzJFNUJpdk4vcW9vUmVTUEl4Z3lvYzZNMGdXR01pUUZmdVlMQjVxS2hXR2hmQjViWVh5K2hrakhYWC84Z2l1CmJCa0szYU9RdmdlUmtKemR4NVFvbG5XNWxqRzVFUU9hZ0pCRk1RSHFIaHFqbXJDY0dFTis3c0N4YngrMGdYUGMKVURJUEE1VXhLdjlneGFhMHQweHVoeWovUVhNMjF3V25mUkVxclU5MmdMSHIwdEpqR0E5Y2FPZ1cxbXVZM2U4UwpjQno5K3NJaWxvRVBNSVNqa3N3dGR5OE96Q2FQYS9LU1J2T1lleXhsVGlCNDJrbEV2WmpyVkJ2ODZza09uQ0xNCkdSaWpCRkNyVnkwVVNKTDh4WHRRMEJJNjZWTzB1b21oOXV4cC9Na1pLWk4yNmhraDNUSEVXL2xUdnBnYXlPSW8KbFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgA=')
          r.append('c29tZSByYW5zb20gc3RhdGVtZW50Li4uCg==')   # "some ransom statement...\n"
          return '\n'.join(r)

      web_app.run(host='0.0.0.0', port=80)

    (the long public-key line is wrapped on the slide; it is a single string literal)
  • 34. Experiment (1/2): Cheat the Malware

      $ cp General.rtf AAAA          # this copy will be unlinked by the sample itself (slide 21)
      $ ./AAAA                       # detaches into a daemon (slide 22)
      $ killall AAAA
      $ ls -a Library/.kernel*
      Library/.kernel_pid Library/.kernel_time
      $ echo 0 > Library/.kernel_time

    Writing 0 into .kernel_time cheats the malware: with a start time of 0 its "3+ days have elapsed"
    check passes on the next run.
  • 35. Experiment (2/2): Hook Sleep Function

    The remaining wait is the 300-second sleep loop, so a dylib that makes sleep() return immediately
    is inserted; DYLD_FORCE_FLAT_NAMESPACE=1 lets the inserted symbol win over libSystem's:

      $ cat hook_sleep.c
      unsigned int sleep(unsigned int seconds)
      {
          return 0;
      }
      $ gcc hook_sleep.c -shared -fPIC -o hs.dylib
      $ DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=hs.dylib ./General.rtf

    The dummy C2 then sees the check-in at once:

      # python dummy.py
       * Running on http://0.0.0.0:80/ (Press CTRL+C to quit)
      127.0.0.1 - - [16/Mar/2016 04:06:48] "GET /osx/ping?user_id=general&uuid=4a8832aa8056fceebee520f8eae577ee52b51e5826ee79b75a8f314d3980129&model=VMware7,1 HTTP/1.0" 200 -
  • 36. Rescue (1/5): Encrypted File Format (XXX.encrypted)

      field         size
      len           4 bytes (read as encrypted_seed_len by decrypt_file.c on slide 40)
      {seed}pub     256 bytes: the seed encrypted with the RSA public key served by the C2
      IV            16 bytes
      cipher text   (determined by len and the file size)
      HMAC          32 bytes

  • 37. Rescue (2/5): Get Secret Key
    (diagram: the 32-byte seed, recovered with the private key, and the 16-byte IV are fed through a
    message digest; the digest is run over 8 times and its final 32-byte md is the key)
  • 38. Rescue (3/5): Decryption
    (diagram: AES with the 32-byte key and the 16-byte IV turns each 32-byte chunk of cipher text into
    32 bytes of plain text; the IV is replaced after the first round, so the chunks are chained)
  • 39. Rescue (4/5): Trim File Until It Matches the HMAC
    • the plain text may end in some garbage padding, at most 31 bytes (one 32-byte chunk less one)
    • trim the tail byte by byte until the HMAC over the remaining plain text matches the stored one
  • 40. Rescue (5/5): Decryption Tool

      $ cat decrypt_file.c
      [snip]
          if (!get_seed(argv[1], encrypted_seed, encrypted_seed_len, seed, &seed_len)) {
              ERR("failed to get_seed");
              goto leave;
          }
          dump_binary("seed", seed, seed_len);

          if (!get_key(iv, seed, key)) {
              ERR("failed to get_key");
              goto leave;
          }
          dump_binary("key", key, 32);

          if (!decrypt_file(encrypted_seed_len, iv, key, fin, fout)) {
              ERR("failed to decrypt_file");
              goto leave;
          }
          DBG("decrypt_file success");

          if (!trim_file(key, hmac, fout)) {
              ERR("failed to trim_file");
              goto leave;
          }
          DBG("trim_file success");
      [snip]
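    As an added example, not the decrypt_file.c of the talk: a parser for the container layout of slide 36 and the trim step of slide 39, exercised on a constructed sample. Assumed, since the slides do not pin them down: the 4-byte length field is little-endian and holds the size of the RSA-encrypted seed (decrypt_file.c passes it on as encrypted_seed_len), the 32-byte tag is HMAC-SHA256 keyed with the same key and computed over the unpadded plain text (trim_file(key, hmac, fout) runs on the decrypted output), and the AES step is left out, so the sample's "cipher text" is the padded plain text itself while the HMAC is real.

```python
import hashlib
import hmac
import os
import struct

LEN_FIELD = 4        # 4-byte length of the RSA-encrypted seed (assumed little-endian)
IV_LEN = 16
CHUNK = 32           # slide 38 works in 32-byte chunks, hence at most 31 bytes of padding
MAC_LEN = 32         # 32 bytes on slide 36; assumed HMAC-SHA256 over the unpadded plain text
MAX_PADDING = CHUNK - 1

def parse_container(blob):
    """Split an XXX.encrypted file into len / {seed}pub / IV / cipher text / HMAC."""
    if len(blob) < LEN_FIELD + IV_LEN + MAC_LEN:
        raise ValueError('too short to be a KeRanger container')
    (seed_len,) = struct.unpack('<I', blob[:LEN_FIELD])
    pos = LEN_FIELD
    enc_seed = blob[pos:pos + seed_len]
    pos += seed_len
    iv = blob[pos:pos + IV_LEN]
    pos += IV_LEN
    ciphertext, mac = blob[pos:-MAC_LEN], blob[-MAC_LEN:]
    if len(enc_seed) != seed_len or len(iv) != IV_LEN or len(ciphertext) % CHUNK:
        raise ValueError('truncated or malformed container')
    return {'enc_seed': enc_seed, 'iv': iv, 'ciphertext': ciphertext, 'hmac': mac}

def trim_to_hmac(key, padded, expected_mac):
    """Slide 39: drop trailing garbage one byte at a time until the HMAC matches."""
    for cut in range(MAX_PADDING + 1):
        candidate = padded[:len(padded) - cut]
        if hmac.compare_digest(hmac.new(key, candidate, hashlib.sha256).digest(), expected_mac):
            return candidate
    return None  # wrong key, corrupted file, or more padding than the format allows

def build_sample(key, plaintext, padding):
    """Constructed container for the demo: a fake 256-byte RSA blob and IV; since no AES runs
    here the 'cipher text' is the padded plain text itself, but the HMAC is the real one."""
    enc_seed, iv = b'\x00' * 256, b'\x11' * IV_LEN
    mac = hmac.new(key, plaintext, hashlib.sha256).digest()
    return struct.pack('<I', len(enc_seed)) + enc_seed + iv + plaintext + padding + mac

def demo():
    key = hashlib.sha256(b'stand-in for the key derived from the seed').digest()   # 32 bytes
    plaintext = b'attack at dawn; meet at the usual place.\n'   # 41 bytes
    pad_len = (-len(plaintext)) % CHUNK                         # 23 bytes of garbage
    fields = parse_container(build_sample(key, plaintext, os.urandom(pad_len)))
    # the real tool would AES-decrypt fields['ciphertext'] here (get_key + decrypt_file)
    recovered = trim_to_hmac(key, fields['ciphertext'], fields['hmac'])
    return plaintext, recovered, pad_len
```

    demo() recovers the 41-byte plain text from the 64-byte padded output without knowing the padding length in advance; a wrong key makes trim_to_hmac return None rather than a partially right file, which is the check that keeps a recovery tool from silently writing garbage. hmac.compare_digest is used for the tag comparison out of habit; here the attacker holds nothing to gain from timing, but the same function goes into any verifier that does face one.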