http://blog.reverseco.de/post/2011/01/20/Hiding-Malicious-PDFs-from-AVs




I recently discovered that a malicious PDF can be hidden from a good portion of antivirus products by embedding it in a valid executable file. For this example I used notepad.exe from Windows XP. As you can see, before embedding, the PDF file is detected by quite a lot of the AV vendors:


After wrapping it in notepad.exe, however, detection drops significantly. In fact, only a third of the AVs that previously detected it still do:

 

The method used to wrap this file in notepad.exe is extremely simple. First, I insert the PDF header and the opening of a stream object (the object header with its /Length, then the stream keyword) into the unused space at the end of the PE header, just before the first section's raw data. The size of the stream object is the size of the code from 0x401000 to the end of the PE file, so the executable's own bytes become the contents of the stream:



Then at the end of the PE file, I end the stream object and continue with the rest of the malicious PDF:



This leaves us with a valid, running executable file that doubles as a working PDF. You can try it yourself with a malicious or benign PDF to see that it works, but why does it work? Two things line up. PDF readers do not insist that %PDF sit at offset 0; Adobe's readers accept the header anywhere in the first 1024 bytes of the file, which is why it can follow the PE header. And the AVs that do not detect this little trick simply take the first file type they recognise as their only method of scanning: when they see the MZ/PE header, they scan the file as if it were simply an executable and never look for a second format inside it.

While this method of hiding malicious PDFs is still a far cry from a fully undetected malicious PDF, it is dangerous enough to cause problems, especially with some of the most popular AVs missing the file. It should be easy enough to fix: a scanner has to check every format signature it knows, not stop at the first one. So get to work, AV vendors!
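The wrapping above and the scanner behaviour it exploits, as an added example. This is my code, not the reverseco.de author's: it reproduces the layout the post describes on a constructed PE image (valid MZ/PE headers and one section, not an executable that runs), computes /Length as the byte count a PDF parser will actually check, and then contrasts a first-signature-only scan with one that looks for %PDF- anywhere in the first 1024 bytes. The PDF tail is a minimal catalog with no xref table, which is enough for the parser here; no claim is made about which viewers open the result.

```python
import re
import struct

# Acrobat accepts the %PDF- header anywhere in the first 1024 bytes (PDF Reference, Appendix H)
PDF_HEADER_WINDOW = 1024


def fake_pe():
    """Constructed stand-in for notepad.exe: valid MZ/PE headers with one .text section whose
    raw data starts at file offset 0x200, leaving slack after the section table.  It is NOT
    executable; it only reproduces the header layout the trick depends on."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                      # e_lfanew: PE signature at 0x40
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)                  # ImageBase: .text is 0x401000 in memory
    sect = struct.pack('<8sIIIIIIHHI', b'.text', 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b'\0')
    return headers + bytes(range(256))                         # stand-in for the code bytes


def pe_layout(pe):
    """Return (end of section table, lowest PointerToRawData); the slack between them is where
    the PDF header and the opening of the stream object go."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    nsect = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    hdr_end = table + 40 * nsect
    first_raw = min(struct.unpack_from('<I', pe, table + 40 * i + 20)[0] for i in range(nsect))
    return hdr_end, first_raw


def build_polyglot(pe, pdf_tail):
    """Lay the PDF out as the post describes: '%PDF-' plus the opening of a stream object in the
    header slack, 'endstream'/'endobj' and the rest of the PDF after the PE's last byte.
    /Length is computed as what it means: bytes between the stream keyword's EOL and endstream."""
    hdr_end, first_raw = pe_layout(pe)
    length = len(pe) - first_raw
    for _ in range(4):   # the digit count of /Length feeds back into the prefix size; find the fixed point
        prefix = b'%%PDF-1.4\n1 0 obj\n<</Length %d>>\nstream\n' % length
        new_length = len(pe) - (hdr_end + len(prefix))
        if new_length == length:
            break
        length = new_length
    if len(prefix) > first_raw - hdr_end:
        raise ValueError('not enough header slack for the PDF prefix')
    if hdr_end + 5 > PDF_HEADER_WINDOW:
        raise ValueError('%PDF- would land outside the first 1024 bytes')
    out = bytearray(pe)
    out[hdr_end:hdr_end + len(prefix)] = prefix
    out += b'\nendstream\nendobj\n' + pdf_tail
    return bytes(out)


# The rest of the PDF (objects 2.., trailer).  No xref table: the bytes only need to satisfy the parser below.
PDF_TAIL = (b'2 0 obj\n<</Type/Catalog/Pages 3 0 R>>\nendobj\n'
            b'3 0 obj\n<</Type/Pages/Kids[4 0 R]/Count 1>>\nendobj\n'
            b'4 0 obj\n<</Type/Page/Parent 3 0 R/MediaBox[0 0 200 200]>>\nendobj\n'
            b'trailer\n<</Root 2 0 R>>\n%%EOF\n')


def identify_first(data):
    """What the fooled scanners do: take the first signature that matches and stop."""
    if data[:2] == b'MZ':
        return 'pe'
    if data[:5] == b'%PDF-':
        return 'pdf'
    return 'unknown'


def identify_all(data):
    """What a scanner should do: report every format it recognises, using each format's own rule
    for where its header may sit (PDF: anywhere in the first 1024 bytes)."""
    kinds = []
    if data[:2] == b'MZ':
        try:
            pe_layout(data)
            kinds.append('pe')
        except ValueError:
            pass
    if data.find(b'%PDF-', 0, PDF_HEADER_WINDOW) >= 0:
        kinds.append('pdf')
    return kinds


STREAM_RE = re.compile(rb'<<[^>]*?/Length\s+(\d+)[^>]*>>\s*stream\r?\n')


def first_stream(data):
    """Parse the polyglot as a PDF: find the header, then the first stream object, and check that
    /Length really lands on 'endstream'.  Returns the stream payload or None."""
    start = data.find(b'%PDF-', 0, PDF_HEADER_WINDOW)
    if start < 0:
        return None
    m = STREAM_RE.search(data, start)
    if not m:
        return None
    end = m.end() + int(m.group(1))
    if not data[end:].lstrip(b'\r\n').startswith(b'endstream'):
        return None
    return data[m.end():end]


if __name__ == '__main__':
    poly = build_polyglot(fake_pe(), PDF_TAIL)
    print('first-signature scan:', identify_first(poly))
    print('all-signature scan  :', identify_all(poly))
    print('stream payload bytes:', len(first_stream(poly)))
```

identify_first() answers 'pe' for the polyglot while identify_all() reports both formats, and first_stream() recovers the executable's own bytes as the stream contents, which is exactly the part a scanner keyed only on the outer format never looks at.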

Today I'll briefly write up how to extract a file from packets captured off the network.

Why am I writing this?
So that if anyone ever asks me about it, I can skip the explanation and say "go look at my blog". ^^; Someone with a bit of skill can do this from a quick verbal description, but for someone who knows nothing, words alone are not enough. ^^;

First you need a capture taken from the network.
I'll extract a file that was attached to a message sent over SMTP.
Pulling a file out of HTTP on port 80 works the same way except for the Base64 decoding step (as long as the response is not chunked or compressed with Content-Encoding), so apply the same steps there.


I worked from packets of a message sent by email, like this. You can test with mail over SMTP or with HTTP, whichever you like.
What matters is following along yourself after reading something like this, so that it becomes your own.
Let's begin.


1. Looking at the packets
<Figure 1. A Base64-encoded file>

Looking at the packet, you can see the part that carries the file, as above. Find that part (the file content), drag-select it as in <Figure 2> and copy it. Look closely at <Figure 1>: something about the file is off. It is clearly a ZIP file, yet the characteristic string a ZIP file starts with (its magic number, "PK") is nowhere to be seen. In the headers there is a Content-Transfer-Encoding field, and from it you can easily tell that the content is Base64-encoded.

<Figure 2. Copying the data area>

Paste the copied data into a text editor (TextEdit) and you see line breaks (\n) as in <Figure 3>: Base64 in mail is wrapped at 76 columns. Use the editor's Replace function to replace [newline character] with [nothing] and you get <Figure 4>.

<Figure 3. The copied content pasted>


<Figure 4. Line breaks removed>

On the left of <Figure 4> everything is now on a single line.
With protocols like HTTP that carry the file bytes as they are, saving this content gives you the file back; but because we sent it over SMTP it is Base64-encoded, so it has to be decoded first.


<Figure 5. Base64 decoding with Malzilla>

<Figure 5> shows me decoding the Base64 with a tool called Malzilla. There are plenty of other tools that decode Base64 besides Malzilla; go and find them.

Whoever you learn from later, and whatever company you end up at,
do not ask
"where would I find a tool (or site) that decodes Base64?"

I think it's quite rude.
Speaking up without looking even that much up leaves people with the impression that
1. this person is not interested in the work, and
2. this person will forget it within days even if taught.

If you're interested, look it up yourself.

<Figure 6. Creating the file>


Paste the decoded content into a hex editor (HexEdit) and save it as a file.
That completes the file recovery.

You can tell whether the file was recovered correctly by opening it, right? ^^


P.S. There is one error in this post. There are cases where the method described here does not work. What cases would those be? ^^
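The same recovery done without the copy-and-paste steps, as an added example (my code, not the post author's). It assumes the text of the client-to-server half of an SMTP session, as Wireshark's Follow TCP Stream shows it, and builds that text itself from a constructed ZIP so it runs offline. It cuts out the DATA section, undoes SMTP dot-stuffing, lets the email module decode each attachment according to its own Content-Transfer-Encoding (base64 here, and quoted-printable for a second constructed part), and checks the ZIP magic before reading the archive. Because it works on the reassembled stream rather than on one packet, attachments that span many segments come out whole.

```python
import base64
import email
import io
import zipfile
from email import policy

ZIP_MAGIC = b'PK\x03\x04'


def make_sample_capture():
    """Constructed stand-in for the client-to-server side of one SMTP session as 'Follow TCP
    Stream' shows it: a small ZIP attached as base64 (wrapped at 76 columns, so it spans many
    lines) plus a quoted-printable text attachment containing a dot-stuffed line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('readme.txt', 'sample payload\n' * 20)
    b64 = base64.encodebytes(buf.getvalue()).decode('ascii').replace('\n', '\r\n')
    return (
        'MAIL FROM:<a@example.test>\r\n'
        'RCPT TO:<b@example.test>\r\n'
        'DATA\r\n'
        'From: a@example.test\r\n'
        'To: b@example.test\r\n'
        'Subject: files\r\n'
        'MIME-Version: 1.0\r\n'
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        '\r\n'
        '--XYZ\r\n'
        'Content-Type: text/plain\r\n'
        '\r\n'
        'see attached\r\n'
        '--XYZ\r\n'
        'Content-Type: application/zip; name="a.zip"\r\n'
        'Content-Transfer-Encoding: base64\r\n'
        'Content-Disposition: attachment; filename="a.zip"\r\n'
        '\r\n'
        + b64 +
        '--XYZ\r\n'
        'Content-Type: text/plain; name="note.txt"\r\n'
        'Content-Transfer-Encoding: quoted-printable\r\n'
        'Content-Disposition: attachment; filename="note.txt"\r\n'
        '\r\n'
        'M=C3=BCnchen =3D Munich\r\n'
        '..a line that really starts with a dot\r\n'
        '--XYZ--\r\n'
        '.\r\n'
        'QUIT\r\n'
    )


def smtp_data_section(session):
    """Cut the message out of the session text: everything between the DATA command and the line
    holding a single '.', with dot-stuffing undone (RFC 5321 4.5.2: the sender doubles a leading '.')."""
    lines = session.split('\r\n')
    start = lines.index('DATA') + 1
    end = lines.index('.', start)
    unstuffed = [l[1:] if l.startswith('.') else l for l in lines[start:end]]
    return ('\r\n'.join(unstuffed) + '\r\n').encode('ascii')


def extract_attachments(raw_message):
    """Return {filename: bytes}.  The email module reads Content-Transfer-Encoding per part, so
    base64, quoted-printable and plain 7bit/8bit parts all come back as raw file bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.iter_attachments()}


def zip_entries(data):
    """Prove the recovered bytes are a real archive: check the magic, then read every member."""
    if not data.startswith(ZIP_MAGIC):
        raise ValueError('not a ZIP: magic %r' % data[:4])
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == '__main__':
    files = extract_attachments(smtp_data_section(make_sample_capture()))
    for name, content in files.items():
        print(name, len(content), 'bytes', 'ZIP' if content.startswith(ZIP_MAGIC) else '')
    print(zip_entries(files['a.zip']))
```

For a real capture, save the client-side stream from Wireshark as text and pass it to smtp_data_section(); nothing else changes.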





Reposted from: http://dirk-loss.de/python-tools.htm



If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest trying out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them.

Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs.

Some of the more aggressive tools (pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc.) are left out, because the legal situation of these tools is still a bit unclear in Germany -- even after the decision of the highest court. This list is clearly meant to help whitehats, and for now I prefer to err on the safe side.

Network

  • Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • httplib2: comprehensive HTTP client library that supports many features left out of other HTTP libraries

Debugging and reverse engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm64: disassembler library for AMD64, licensed under the BSD license
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python

Fuzzing

  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing
  • antiparser: fuzz testing and fault injection API
  • TAOF, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • FileP: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches
  • SMUDGE
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano

Web

  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester

Forensics

  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • SandMan: read the hibernation file, regardless of Windows version
  • LibForensics: library for developing digital forensics applications
  • TrIDLib: identify file types from their binary signatures. Now includes a Python binding

Malware analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software

Misc

  • InlineEgg: toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API

Other useful libraries and tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli: visual technology to search and automate GUIs using screenshots. Scriptable in Jython


KISA distributes a tool called Web Hacking Inspection Security Tool, WHISTL for short,
to the private sector; it is a solution that detects web shells and malware domain URLs.

Grab the tool, dig into it a bit, and you can see the various patterns it carries inside.

It isn't very hard, so once you can get hold of WHISTL it's worth looking once at which patterns are in there, as study material.



I only knew that WHISTL existed and had never thought of using it;
personally, the regrettable points are as follows.
1. It does not use a packer.
2. It does not use any anti-reversing techniques.
3. The decoding routine sits right at the head of the code.
4. Decoding is not done only when it is needed.

My English isn't good, so the grammar was surely off, but those are the disappointing parts.
(Interpret them as you see fit? ^^;;)
Number 4 was presumably dropped for speed, but since the tool searches by specified extension anyway, did it really have to be done that way.. =_=;





http://www.exploit-db.com/google-dorks/

I really~ never~ knew~ such a good site existed~ oh oh oh~


http://sandsprite.com/blogs/index.php?uid=7&pid=57

This is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for pdf vulnerability development.

It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. For shellcode analysis it has an integrated interface for libemu's sctest, an updated build of iDefense's sclog, and a shellcode_2_exe feature.

JavaScript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for deobfuscation, toolbox classes for extra canned functionality, and a fairly stable refactoring engine that parses a script and replaces all the screwy random function and variable names with logical sanitized versions for readability.

The tool also supports unescaping/formatting manipulated PDF headers, and can decode filter chains (multiple filters applied to the same stream object).

Download: PDF Stream Dumper Setup 0.9.148 (includes full vb6 source)

Training videos for PDFStreamDumper: If you are looking for malicious pdf samples to analyze make sure to check out the Contagio and jsunpack sites.

International users: This new build should now work on systems with extended character set languages set as their default language. If you encounter errors please let me know.

Full feature list
  • supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
  • Integrated shellcode tools:
    • sclog gui (Shellcode Analysis tool I wrote at iDefense)
    • scTest gui libemu based Shellcode analysis tool
    • Shellcode_2_Exe functionality
    • Export unescaped bytes to file
  • supports filter chaining (ie multiple filters applied to same stream)
  • supports unescaping encoded pdf headers
  • scriptable interface to process multiple files and generate reports
  • view all pdf objects
  • view deflated streams
  • view stream details such as file offsets, header, etc
  • save raw and deflated data
  • search streams for strings
  • scan for functions which contain pdf exploits (dumb scan)
  • format javascript using js beautifier (see credits in readme)
  • view streams as hex dumps
  • zlib compress/decompress arbitrary files
  • replace/update pdf streams with your own data
  • basic javascript interface so you can run parts of embedded scripts
  • PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
  • Basic JavaScript de-obfuscator
  • can hide: header only streams, duplicate streams, selected streams
  • js ui also has access to a toolbox class to
    • simplify fragmented strings
    • read/write files
    • do hexdumps
    • do unicode safe unescapes
    • disassembler engine
Current Automation scripts include:
  • csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
  • pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
  • string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
  • unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
  • filter_chains.vbs - recursively scans parent dir for pdfs that use multiple encoding filters on a stream.
  • obsfuscated_headers.vbs - recursively scans parent dir for pdfs that have obfuscated object headers
  • pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
  • Build_DB.dll
  • obj_browser.dll
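The two features above that matter most on malicious samples, filter chaining and #xx-escaped object headers, done in Python as an added example (my code, not PDF Stream Dumper's VB6 source). It builds a small constructed PDF in which filter names are escaped and two filters are stacked on each stream, then decodes every stream by reading its chain left to right with the standard-library zlib, binascii and base64 modules; RunLengthDecode is implemented by hand, and LZWDecode is deliberately left unsupported so the unsupported-filter path is exercised. The stream finder is a keyword search rather than an xref walk, the same shortcut a quick triage script takes.

```python
import base64
import binascii
import re
import zlib


def unescape_name(token):
    """Resolve #xx escapes in PDF name tokens (/Fl#61teDecode -> /FlateDecode), the header
    obfuscation that hides /JavaScript and filter names from naive string scanners."""
    return re.sub(rb'#([0-9A-Fa-f]{2})', lambda m: bytes([int(m.group(1), 16)]), token)


def asciihex_decode(data):
    digits = re.sub(rb'\s+', b'', data.split(b'>', 1)[0])     # '>' is the EOD marker
    if len(digits) % 2:
        digits += b'0'                                         # odd trailing digit: a 0 is assumed
    return binascii.unhexlify(digits)


def ascii85_decode(data):
    body = data.split(b'~>', 1)[0]                             # '~>' is the EOD marker
    return base64.a85decode(body[2:] if body.startswith(b'<~') else body)


def runlength_decode(data):
    out, i = bytearray(), 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 128:                                           # EOD
            break
        if n < 128:                                            # next n+1 bytes are literal
            out += data[i:i + n + 1]
            i += n + 1
        else:                                                  # next byte repeated 257-n times
            out += bytes([data[i]]) * (257 - n)
            i += 1
    return bytes(out)


FILTERS = {
    b'FlateDecode': zlib.decompress,
    b'ASCIIHexDecode': asciihex_decode,
    b'ASCII85Decode': ascii85_decode,
    b'RunLengthDecode': runlength_decode,
    # LZWDecode, DCTDecode, CCITTFaxDecode, JBIG2Decode: not implemented here
}

# Keyword-based stream finder; a real parser would walk the xref table and trust /Length.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\s*(.*?)\s*stream\r?\n(.*?)\r?\nendstream', re.S)
NAME_RE = re.compile(rb'/([^\s/\[\]<>()]+)')


def filter_chain(dictionary):
    """Filter names in decode order after #xx unescaping; accepts /Filter /X and /Filter [/X /Y]."""
    m = re.search(rb'/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>()]+)', unescape_name(dictionary))
    return NAME_RE.findall(m.group(1)) if m else []


def decode_stream(dictionary, raw):
    """Apply the chain left to right.  Returns (data, filters applied, unsupported filter or None);
    an unsupported filter stops decoding, the way the unsupported_filters script flags such files."""
    data, applied = raw, []
    for name in filter_chain(dictionary):
        if name not in FILTERS:
            return data, applied, name
        data = FILTERS[name](data)
        applied.append(name)
    return data, applied, None


def extract_streams(pdf):
    """Return [(object number, filters applied, decoded bytes, unsupported filter)] for every stream."""
    results = []
    for m in OBJ_RE.finditer(pdf):
        data, applied, unsupported = decode_stream(m.group(3), m.group(4))
        results.append((int(m.group(1)), applied, data, unsupported))
    return results


def build_sample_pdf():
    """Constructed sample: a JavaScript action behind ASCIIHex+Flate with escaped names, a second
    stream behind ASCII85+RunLength, and one LZW stream this decoder cannot handle."""
    js = b'app.alert("hello from a chained stream");'
    hex_flate = binascii.hexlify(zlib.compress(js)) + b'>'          # encode Flate first, then hex
    a85_rle = base64.a85encode(b'\x04hello\xfe!\x80') + b'~>'       # RunLength bytes for b'hello!!!'
    objects = [
        (5, b'<< /Type /Action /S /J#61vaScript /F#69lter [ /ASCIIHe#78Decode /Fl#61teDecode ]', hex_flate),
        (6, b'<< /Filter [ /ASCII85Decode /RunLengthDecode ]', a85_rle),
        (7, b'<< /Filter /LZWDecode', b'\x80\x0b\x60\x50'),         # placeholder bytes, never decoded
    ]
    pdf = b'%PDF-1.4\n'
    for num, dictionary, raw in objects:
        pdf += b'%d 0 obj\n%s /Length %d >>\nstream\n%s\nendstream\nendobj\n' % (num, dictionary, len(raw), raw)
    return pdf + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


if __name__ == '__main__':
    for num, applied, data, unsupported in extract_streams(build_sample_pdf()):
        chain = b' -> '.join(applied).decode() or '(none)'
        print(num, chain, 'UNSUPPORTED: %r' % unsupported if unsupported else data[:60])
```

Run it on a real sample by replacing build_sample_pdf() with the file's bytes; anything reported as unsupported is a stream you still have to look at with another tool, which is exactly the list the unsupported_filters.vbs script produces.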


Credits:
---------------------------
stream parser was written by VBboy136 - 12/9/2008
http://www.codeproject.com/KB/DLL/PDF2TXTVB.aspx

JS Beautify by Einar Lielmanis,
conversion to Javascript code by Vital,
http://jsbeautifier.org/

zlib.dll by Jean-loup Gailly and Mark Adler
http://www.zlib.net/

CRC32 code by Steve McMahon
http://www.vbaccelerator.com/home/vb/code/libraries/CRC32/article.asp

iTextSharp code by Bruno Lowagie and Paulo Soares
http://itextpdf.com/terms-of-use/index.php

olly.dll GPL code Copyright (C) 2001 Oleh Yuschuk.
http://home.t-online.de/home/Ollydbg/

libemu and sctest.exe written by Paul Baecher and Markus Koetter 2007.
http://libemu.carnivore.it/about.html

sclog is a tool i wrote back at iDefense source here
http://labs.idefense.com/software/download/?downloadID=8

Interface by dzzie@yahoo.com
http://sandsprite.com

Other thanks to Didier Stevens for the info on his blog on tags and encodings.
http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways






















Comments: (6)

On 08.20.10 - 2:16pm Dave wrote:
lotta noise searching for pdf decrypter source..here are some of the more interesting links:

On 08.21.10 - 4:43pm Dave wrote:
Reading the iText source is good info too, but it's mammoth. Turns out if only the owner password is set, you can use iText to make a copy of the pages and transfer them into a new pdf so they are not encrypted anymore and then this can parse them again. Also I think the luckysploit pdf exploits use what may be a malformed pdf: it is owner-password encrypted, but has no password set. I could not create this condition in Acrobat Pro 7.x anyway.

On 09.13.10 - 6:02am Dave wrote:
Been digging, found source for some other decode filters to add in, waiting until they become required before I add them in though.

Also have some updates to sclog I have slated for development. Since sclog was designed when I was analyzing mostly network shellcode, it didn't have to worry about file format exploit shellcode designs.

Need to add another hook for GetiFileSize() to handle shellcode which scans the parent process for open file handles. They can do this to either locate stage 2 shellcode or extract executables.

Will also have to add a /fileHandle option so you can have sclog open a handle to a target file for this specific purpose. Small mod but just need to find the time/energy to do it.

On 09.18.10 - 1:02pm Dave wrote:
Another small update.. I spent another Saturday weekend (of my vacation no less) coding and it now supports a bunch of other filters from iText in an external .NET dll. Also updated the pdf header unescaping, and it now supports filter chaining. Phew, that sucked!

On 09.25.10 - 4:44am dave wrote:
The Force Decrypt menu item can be used to send the pdf through the iTextSharp parser for standardization even if it's not encrypted. I have had this work, and I have had this fail. Sometimes iTextSharp strips out all the exploit parts on the conversion so it's a mixed bag.. I think I am going to add in a couple more menu items to send the PDF through different C# PDF libs for standardization and to try to compensate for this.

DCTDecode and JPXDecode appear to be do-nothing filters. At this point it looks like they are talking about the actual image compression (like within the jpg or whatever); iTextSharp just returns the raw stream bytes for these two cases anyway. So maybe only have CCITT and JBig2 to go still.

Just integrated in the libemu sctest Shellcode analysis tool, as well as shellcode 2 exe.

Now also supports automation scripts so you can use it to scan a directory of files and do stuff. If you have PDFBox installed, one of the scripts can be used to extract all the images and text (if the library didn't require 16mb I would just link to it directly but it's some java .net Frankenstein creation):

On 12.05.10 - 6:55am Dave wrote:
0.9.125 is out, bugfix release.. had to do some fixups in sclog to clean up output and make sure hooks for UrlDownloadToFile were being installed correctly. A couple of small usability additions were added to the main exe as well.

New feature: If javascript is broken up across multiple streams, you can control-select the streams and hit the JS_UI menu item and it will grab them all and put them all into the JS ui together.. also did a bunch of small bug fixes. Forcing all FlateDecode through zlib for now.. noticeably slower on some files, but the iText FlateDecode was causing unexpected crashes on long automation scripts.
