Malware Binary Analysis by Approximate String Matching (文字列曖昧検索によるマルウェアバイナリ解析)

Malware Binary Analysis by Approximate String Matching. AVTokyo 2012. Preferred Infrastructure, Inc.: 丸史, 柏原秀蔵. NTT Secure Platform Laboratories: 折原慎吾, 朝倉浩志. 2012-11-17.

Transcript of the slides (AVTokyo 2012)

1. Title slide. AVTokyo 2012, 2012-11-17.

Bullet text on most slides was not captured by the extraction; only the fragments below survive.

2. Speakers: @marugorithm and @suma90h.

3. [Chart] New malware counts, from the McAfee Threats Report: Second Quarter 2012. Left panel: new malware per month, JUL 2011 to JUN 2012 (y-axis 0 to 70,000,000). Right panel: per quarter, Q1 2009 to Q2 2012 (y-axis 0 to 10,000,000).

4. Reverse Code Engineering. (Image by Ma-games.de, GNU-FDL.) Fragments: "with grep"; OSS, 2006; Python.

5. Comparison slide ("vs"). Fragments: IDA Pro; API call; PolyUnpack.

6. RCE.

7. Fragments: OSS; "1 A2 XBY".

8. IDAscope, an IDA Pro plugin (Hex-Rays 2012 plugin contest results).

9. The same function in two samples, as raw x86 bytes:

   Sample A: 55 8b ec 56 8b 75 08 57 8b 3d 38 10 41 00 6a 1f 56 6a 07 68 00 04 00 00 ff d7 f7 d8 1b c0 c6 46 03 00 f7 d8 89 45 08 74 16 68 cc 30 41 00 56 e8 e2 b3 00 00 59 85 c0 59 74 05 6a 01 58 eb 16 6a 1f 56 6a 07 68 00 08 00 00 ff d7 f7 d8 1b c0 f7 d8 80 66 03 00 5f 5e 5d c3

   Sample B: 55 8b ec 56 8b 75 08 57 8b 3d 38 20 41 00 6a 1f 56 6a 07 68 00 04 00 00 ff d7 f7 d8 1b c0 c6 46 03 00 f7 d8 89 45 08 74 16 68 08 41 41 00 56 e8 56 b9 00 00 59 85 c0 59 74 05 6a 01 58 eb 16 6a 1f 56 6a 07 68 00 08 00 00 ff d7 f7 d8 1b c0 f7 d8 80 66 03 00 5f 5e 5d c3

   The two differ in only five bytes (38 10 41 00 vs 38 20 41 00; 68 cc 30 41 00 vs 68 08 41 41 00; e8 e2 b3 00 00 vs e8 56 b9 00 00), all inside address or call-displacement operands, so an exact byte search (grep) for one misses the other while a search tolerating a few edits finds both.

10. Edit distance d(S, R): the minimum number of single-character insertions, deletions and substitutions turning S into R. The slide's example is d(ACGTGATC, ACTAATC) = 3, with the alignment ACGTGATC / ACTA-ATC (two substitutions and one deletion). The optimal alignment, ACGTGATC / AC-TAATC, costs 2, so the true distance is 2.

11. Dynamic programming: for strings S and R, fill a table D of size (|S|+1) x (|R|+1). Example with S = survey (rows) and R = surgery (columns); row 0 and column 0 hold 0..7 and 0..6.

12. Recurrence:

   D[i, j] = D[i-1, j-1]                                  if S[i] = R[j]
   D[i, j] = min(D[i-1, j], D[i, j-1], D[i-1, j-1]) + 1   otherwise

   Filled table (d(S, R) = D[6, 7] = 2, bottom right):

            s  u  r  g  e  r  y
         0  1  2  3  4  5  6  7
      s  1  0  1  2  3  4  5  6
      u  2  1  0  1  2  3  4  5
      r  3  2  1  0  1  2  3  4
      v  4  3  2  1  1  2  3  4
      e  5  4  3  2  2  1  2  3
      y  6  5  4  3  3  2  2  2

13. Comparing two sequences this way is the same problem as DNA sequence alignment (Smith-Waterman).

14. Approximate substring search over bytes: query fd 2d 4f 3d (rows) against the text fd 2d 4f 3d fd 2d 53 3d (columns). Unlike the table above, row 0 is all zeros, so a match may start at any offset of the text.

15. The filled table, using the same recurrence:

               fd 2d 4f 3d fd 2d 53 3d
            0   0  0  0  0  0  0  0  0
      fd    1   0  1  1  1  0  1  1  1
      2d    2   1  0  1  2  1  0  1  2
      4f    3   2  1  0  1  2  1  1  2
      3d    4   3  2  1  0  1  2  2  1

16. Each cell of the last row is the distance from the query to the best substring of the text ending at that column. With threshold 1 two hits are reported.

17. The exact hit: fd 2d 4f 3d ending at byte 4 (distance 0).

18. The approximate hit: fd 2d 53 3d ending at byte 8 (distance 1, one substitution 4f -> 53). Both occurrences in the text are highlighted.

19. Filtering to avoid filling the full table against every byte of a large corpus: Factor Filter [2000, JDA], Suffix Filter [2007, ALENEX], and a filter of the speakers' own [2012, PFI].

20. Example hit from the tool, querying the function sub_401000 of one sample against a dumped second sample:

   /home/maruyama/data/malware/dump/1a1f6496107b1063313aba6af99fce8e.GUnPacker.dump
   query: name = sub_401000, beg_pos = 4096 (offset), length = 266, threshold = 53
   hit:   id = 14, distance = 28, beg_pos = 4096 (offset), length = 266

   Query bytes (left) and hit bytes (right), 10 per row; the slide shows only 13 rows of the hit:

   55 8b ec 81 ec 60 02 00 00 53   55 8b ec 81 ec 60 02 00 00 53
   33 db 39 1d 00 30 41 00 89 5d   33 db 39 1d 00 20 41 00 89 5d
   f4 0f 84 e9 00 00 00 56 b8 00   f4 0f 84 e9 00 00 00 56 b8 00
   30 41 00 57 8b 3d 08 20 41 00   20 41 00 57 8b 3d 08 10 41 00
   89 45 e8 be 04 01 00 00 ff 30   89 45 e8 be 04 01 00 00 ff 30
   8d 45 a8 50 e8 7d 04 01 00 8d   8d 45 a8 50 e8 e5 f7 00 00 8d
   45 a8 50 e8 9d a5 00 00 83 c4   45 a8 50 e8 0a 9c 00 00 83 c4
   0c 8d 45 f8 50 6a 03 8d 45 a8   0c 8d 45 f8 50 6a 03 8d 45 a8
   53 50 ff 75 08 e8 a6 ef 0a 01   53 50 ff 75 08 ff 15 00 10 41
   69 8d 45 fc 89 5d f0 50 8d 85   00 8d 45 fc 89 5d f0 50 8d 85
   a4 fe ff ff 50 8d 45 e4 50 8d   a4 fe ff ff 50 8d 45 e4 50 8d
   45 ec 53 50 8d 85 a0 fd ff ff   45 ec 53 50 8d 85 a0 fd ff ff
   89 75 ec 50 89 75 fc 53 ff 75   89 75 ec 50 89 75 fc 53 ff 75
   f8 ff d7 85 c0 75 5f 83 7d e4
   01 75 30 ff 75 0c 8d 85 a4 fe
   ff ff ff 75 fc 50 e8 6c 49 00

   As on slide 9, the two dumps differ mostly in absolute addresses (0x413000 vs 0x412000, 0x412008 vs 0x411008) and in how calls are encoded (e8 rel32 vs ff 15 imm32); the threshold (53 edits for a 266-byte query, about 20%) is what lets the hit at distance 28 through.

21. Evaluation. Dataset from 2007: 141 samples, 50,515,632 bytes in total. Query: PoeBot.C, FlashFXP password stealer. Machine: Core i5, 16 GB RAM. Figures whose labels were lost: 141; 14; 8606.

22. IDA integration (one fragment: "1").

23. Demo.

24. RCE (bullets lost; one "=").

25. (bullets lost)

26. Fragments: printf, sprintf; CPU.

27. Fragments: x86; IDA Pro; Java CLI; OSS.