Unpacking SimplePack

By packing a malicious executable, malware authors can be sure that when it is opened in a disassembler it will not show the correct sequence of instructions, making malware analysis a lengthier and more difficult process.

SimplePack is yet another packer often used by malware authors; specifically, it uses LZMA compression. When the packed executable is opened in a debugger, the packed code starts with the instruction PUSHAD, as seen in Figure 1. This instruction pushes all the general-purpose registers onto the stack, with the value of EDI ending up on top of the stack.


An Inside Look into a Customized Threat

Recently, we came across a customized threat that, per our current understanding, was tailored for a single individual—the president of a billion-dollar corporation. As the goal of this posting is to share the findings about the targeted attack, the identities of the individual and the corporation have been withheld and will not be discussed in this blog.


How Advanced Malware Bypasses Process Monitoring

One of the primary aims of an anti-virus (AV) engine is to monitor all process activity—while malware, on the other hand, wants to avoid detection by AV. The philosophy of most rootkits is to run silent and deep, which also aligns with the goals of advanced malware as it evades detection by most enterprise class host-based security solutions (HBSS) and AV.

So how does malware evade detection when starting new rogue processes? Easy—it directly attacks the operating system’s kernel. Microsoft provides the kernel routine PsSetCreateProcessNotifyRoutine so that security software can monitor process creation and termination events in the Windows kernel: security software registers a callback through PsSetCreateProcessNotifyRoutine and is then notified by the kernel whenever these events occur. Security solutions act on these process creation and termination events to track system activity and protect critical resources.


Quick Reference for Manual Unpacking

By packing a malicious executable, malware authors ensure that, when it is opened in a disassembler, it does not show the correct sequence of instructions, making malware analysis a lengthier and more difficult process. One method of locating the address of the code’s first instruction before it was packed, also known as the Original Entry Point (OEP) of the file, is to set a breakpoint on the APIs that set up the execution environment, such as LoadLibraryA, and then use step-by-step tracing to locate the initialization of the stack frame. Initialization of the stack frame indicates that the file has been unpacked.

For many commonly occurring packers, there are specific instructions for locating the OEP.
