imphash appears to be generated from the IAT that the file itself carries. The IAT holds the APIs the file uses, so it seems usable as a first-pass reference value for which APIs are present and what the call flow looks like. It therefore seems plausible that the imphash value could also roughly distinguish the kind of packer. Could the value then be used for malware classification work? I suspect imphash alone is not enough. What other value would have to be added?
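To make the note above concrete, here is an added, self-contained reimplementation of the imphash algorithm as Mandiant described it and as pefile's get_imphash() computes it (this is my example, not code from the page or from pefile). The import tables are constructed, not taken from any real sample; the module list is hashed in IAT order, names are lower-cased, the .dll/.ocx/.sys extension is dropped, an ordinal import becomes "ordN", and the comma-joined string is MD5-hashed. The packer-style stub table shows why differently packed payloads can share one imphash, which is exactly what makes the value useful for grouping by packer and insufficient on its own for classifying the payload.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# Constructed import tables, not taken from any real sample. Each entry is
# (module name as it appears in the import directory, symbol name or ordinal).
SAMPLE_IMPORTS: List[Tuple[str, Union[str, int]]] = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("USER32.dll", "MessageBoxA"),
]

# Same symbols with different casing and extension spelling: must hash identically.
SAME_IMPORTS_DIFFERENT_CASE = [
    ("kernel32.DLL", "loadlibrarya"),
    ("kernel32.DLL", "getprocaddress"),
    ("kernel32.DLL", "virtualprotect"),
    ("user32.DLL", "messageboxa"),
]

# A minimal packer-style stub: only the two APIs needed to rebuild the real IAT
# at runtime, plus one import by ordinal. An unpacker stub that always emits
# this table gives every packed sample the same imphash, whatever the payload.
STUB_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("USER32.dll", 2001),  # constructed ordinal, stands for an unresolved import
]


def normalize_module(name: str) -> str:
    """Lower-case the module name and strip a .dll/.ocx/.sys extension."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def import_string(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Canonical 'module.symbol,module.symbol,...' string in IAT order.

    Ordinal imports become 'ordN'. (pefile additionally resolves ordinals of a
    few well-known modules such as oleaut32 to names before hashing; this
    simplified version does not.)
    """
    parts = []
    for module, symbol in imports:
        func = "ord%d" % symbol if isinstance(symbol, int) else symbol.lower()
        parts.append("%s.%s" % (normalize_module(module), func))
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("sample :", imphash(SAMPLE_IMPORTS))
    print("recased:", imphash(SAMPLE_IMPORTS) == imphash(SAME_IMPORTS_DIFFERENT_CASE))
    # Import order is part of the hash: the same APIs in another order differ.
    print("reorder:", imphash(SAMPLE_IMPORTS) != imphash(list(reversed(SAMPLE_IMPORTS))))
    print("stub   :", import_string(STUB_IMPORTS))
```

Two properties matter for the classification question: the hash is stable across casing and extension differences but changes when the import order changes, so it groups files built by the same toolchain or packer stub rather than files with the same behaviour.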
Study
- What can be done with imphash? 2015.01.26
- [Malware] Banker using a valid digital signature 2014.12.18
- Penquin Turla 2014.12.15
- Sony = Destover 2014.12.08
What can be done with imphash?
[Malware] Banker using a valid digital signature
Penquin Turla
KL_Epic_Turla_Technical_Appendix_20140806.pdf
http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
http://securelist.com/blog/research/67962/the-penquin-turla-2/
http://www.phenoelit.org/stuff/cd00r.c
Sony = Destover
http://www.cyphort.com/labs/blog/
http://kizzmyanthia.com/?p=104969
http://securelist.com/blog/incidents/57784/shamoon-the-wiper-further-details-part-ii/
Certificate theft - 8DF46B5FDAC2EB3B4757F99866C199FF2B13427A
The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself.
The driver is a signed component of RawDisk, a product from Eldos. In short, this software allows user-mode applications to operate with the file system in such cases when the operating system restricts the application. You can integrate your project with RawDisk in such a way that your software installs the driver that provides an access to the file system out from kernel-mode via created service "ElRawDisk".
The Eldos driver
The fact that the Shamoon creators used legitimate signed drivers of Eldos-software RawDisk is rather confusing
It is somewhat confusing that the Shamoon authors used Eldos' legitimately signed RawDisk software.
First, we thought that it was done for the purpose of getting the ability to rewrite MBR generally, for example, in Windows7, but it turned out that Windows7 gives access to that disk area even to user-mode applications running on behalf of the administrator.
First, we thought it was used for the purpose of being able to rewrite the MBR. For example, Windows 7 grants access to that disk area even to user-mode applications running with administrator rights. So Shamoon must in any case run with administrator rights, and why its creators used a legitimate driver therefore remains an open question.
You can download a trial package of Eldos' RawDisk which consists of header files, lib/dll-files and compiled in release/debug-modes x86 and x64 drivers. You can integrate that RawDisk blank with your project which could then use kernel-mode access to the file system via RawDisk driver. Nevertheless, the driver has an authenticating mechanism.
If we take a look at RawDisk API function "Open":
HANDLE Open(IN LPCWSTR DeviceName, IN DWORD DesiredAccess, IN LPCWSTR LicenseKey)
...We'll notice a parameter "LicenseKey". Such a key has showed up in Shamoon. When the destructive module tries opening file descriptor on the ElRawDisk device, it adds to device name the string exactly looking like some key, for example:
\\?\ElRawDisk\Device\Harddisk0\Partition0#8F71FF7E2831A05D0B88FDAACFAC818E936FCAAA453404180419662BED76E9D70384F056F03ADF3C917CB8C3EE12832F7A7EC3E234BC7FBD0476CFC9F58AC1A1C248DA06E531D133A071
Such a key is easily obtained by making an order at Eldos' site during RawDisk installation routine:
You fill out a form to get an evaluation key and receive your code in the e-mail used during registration. Certainly you can use that key for a limited period of time. And the driver verifies whether the date of end of trial usage has already passed or not. This is why each time we see a date changing routine before opening an ElRawDisk device in Shamoon malware: the date is being set at any (random) day from 1st to 20th of August of 2012.
We also noticed that the Eldos driver exploited by Shamoon checks for the following values being passed in device name parameter and which could be located at the very start of the device name string:
\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#
\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#
These are control codes for the driver to define how to handle a request. But the Shamoon malware does not use these codes calling RawDisk open function.
In addition, the driver checks if the file name of program that works with the file system via driver is corresponding "RawDiskSample.exe" then driver "considers" that the call has been made from a trusted application and the check is gone successfully. This ruins all other verification attempts to block easy using the driver functionality by those who do not have permissions. For sure, it's better to remove such a condition out from driver.
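The quoted analysis gives three concrete artefacts a responder can look for: the ElRawDisk device name with a license key appended after "#", the optional control-code GUID prefix the driver accepts at the start of the device name, and the system clock being set to a day between 1 and 20 August 2012 before the device is opened. The following is an added example (mine, not code from the page or from Kaspersky) that turns those observations into detection logic run over a constructed API trace. The trace format, the process ids and the non-RawDisk path are invented for the example; the device name string is the one quoted above.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed API trace (not from the page or any sandbox): one record per
# line, "<pid> <api> <argument>". The ElRawDisk string is the one quoted above.
TRACE = r"""1337 SetSystemTime 2012-08-07
1337 CreateFileW \\?\ElRawDisk\Device\Harddisk0\Partition0#8F71FF7E2831A05D0B88FDAACFAC818E936FCAAA453404180419662BED76E9D70384F056F03ADF3C917CB8C3EE12832F7A7EC3E234BC7FBD0476CFC9F58AC1A1C248DA06E531D133A071
2048 CreateFileW C:\Users\analyst\report.txt
"""

# Optional "\#{GUID}#" control-code prefix, then \\?\ElRawDisk, the \Device\...
# path, and the license key after "#".
RAWDISK_RE = re.compile(
    r"^(?:\\#\{[0-9A-Fa-f-]{36}\}#)?"
    r"\\\\\?\\ElRawDisk(?P<path>\\Device\\[^#]+)#(?P<key>[0-9A-Fa-f]+)$"
)

# Trial-key window described in the analysis: 1 to 20 August 2012.
TRIAL_WINDOW_START = date(2012, 8, 1)
TRIAL_WINDOW_END = date(2012, 8, 20)


def parse_device_name(name: str) -> Optional[Dict[str, object]]:
    """Split an ElRawDisk device name into path, key and control-code flag."""
    m = RAWDISK_RE.match(name)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "key": m.group("key"),
        "control_code": name.startswith("\\#{"),
    }


def clock_in_trial_window(iso_date: str) -> bool:
    """True if a SetSystemTime value falls inside the 2012-08-01..20 window."""
    d = date.fromisoformat(iso_date)
    return TRIAL_WINDOW_START <= d <= TRIAL_WINDOW_END


def scan_trace(trace: str) -> List[Dict[str, object]]:
    """Report every ElRawDisk open, noting whether the same process first
    rolled the clock back into the trial window."""
    last_clock: Dict[str, str] = {}
    findings: List[Dict[str, object]] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split(" ", 2)
        if api == "SetSystemTime":
            last_clock[pid] = arg
        elif api == "CreateFileW":
            parsed = parse_device_name(arg)
            if parsed is None:
                continue
            clock = last_clock.get(pid)
            findings.append({
                "pid": pid,
                "path": parsed["path"],
                "key": parsed["key"],
                "control_code": parsed["control_code"],
                "clock_rolled_back": clock is not None and clock_in_trial_window(clock),
            })
    return findings


if __name__ == "__main__":
    for f in scan_trace(TRACE):
        print("pid %s opened %s (key %d hex chars, clock rolled back: %s)"
              % (f["pid"], f["path"], len(f["key"]), f["clock_rolled_back"]))
```

Any open of \\?\ElRawDisk is worth a look on a host that does not ship software built on RawDisk; the clock rollback is what separates a trial-key abuse of the kind described here from a licensed deployment, and the control-code flag records a path the driver accepts even though the analysis notes Shamoon does not use it.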