Day: November 23, 2015

Posted on

Upatre: Old Dog, New [Anti-Analysis] Tricks

Malware authors must constantly iterate on their techniques in order to stay relevant in today’s fast moving Information Security environment. The Upatre downloader has been around for nearly three years and has consistently evolved its anti-analysis capabilities to better ensure payload delivery. Using Palo Alto Networks AutoFocus, we identified several thousand functionally identical Upatre binaries with unique hashes that exhibited unusual anti-analysis behaviors. We dove into the most recent phishing campaign to identify the new anti-analysis routines designed to maneuver around behavioral analysis systems.

Diving In

Upatre’s new technique takes advantage of undocumented NtQuerySystemInformation structures. It attempts to call the ZwQuerySystemInformation API a few times to determine the idle time of the system. The ZwQuerySystemInformation API takes a SYSTEM_INFORMATION_CLASS as an argument for what to query. There are several options to query for, all with respective structures.

ZwQuerySystemInformation Function Specification

Upatre first calls ZwQuerySystemInformation querying for the SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION with a value of 0x0008.

SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION Struct

Screenshot Showing Upatre’s Anti-Analysis Technique in Assembly

The first call returns 0xC0000004 for STATUS_INFO_LENGTH_MISMATCH. On Windows 7 this successfully returns the size of the buffer required for the structure on the top of the stack. On Windows XP it returns 0 on the top of the stack for the ReturnLength. Upatre checks the ReturnLength by performing a shift-right by 2 and testing if the resulting value is 0.

Windows 7 returning the ReturnLength on the top of the stack

On Windows 7 Upatre calls ZwQuerySystemInformation again with the same SYSTEM_INFORMATION_CLASS 0x0008 and including the appropriate parameters to receive the structure into a buffer. If the function fails, Upatre exits.

Windows 7 Second Call to ZwQuerySystemInformation

Upatre then checks the second dword of the IdleTime to see if it is above 1 and if it is not, it exits. This value is the processor’s “total idle time, measured in units of 100-nanoseconds”[1] This check is designed to make sure that the system Upatre is running on has had a sufficient amount of idle time like a real system might have and not an analysis system.

Windows7 Comparing IdleTime to 1

On Windows XP Upatre uses a different SYSTEM_INFORMATION_CLASS for the second call. It queries for the SYSTEM_PERFORMANCE_INFORMATION with a value of 0x0002 and tests to make sure the API successfully completed. If it doesn’t complete, Upatre exits.

Upatre Querying ZwQuerySystemInformation for SYSTEM_PERFORMANCE_INFORMATION on WindowsXP

The SystemPerformanceInformation is an undocumented structure, but thanks to Matt Graeber’s research we can see that it holds the following information:

Snippet of SYSTEM_PERFORMANCE_INFORMATION Struct

Upatre checks the second dword of idleProcessTime to make sure that the IdleProcessTime is above 2.

Example Sample:

9eadcc852b87429dfb8c7e61da7951a8fb8c28eb88ec91d90eea290248747dff

Conclusion

Each of the techniques described above attempts to identify hosts which exhibit evidence of being part of a malware analysis system. WildFire, the Palo Alto Networks behavioral analysis system identifies these techniques and properly executes the malware to determine a malicious verdict.

Upatre continues to be distributed through mass phishing campaigns and relies heavily upon social engineering tactics to fool users into opening malicious attachments. Users should always be suspicious of all e-mail attachments, but especially those that they have received from senders they do not regularly communicate with.

November 16th Phishing Campaign: the subject and filename of this campaign were unique per recipient.

Indicators

Related Hashes

9eadcc852b87429dfb8c7e61da7951a8fb8c28eb88ec91d90eea290248747dff

6fea45fbc2590105b3a9e97a966e7c5928d5ce3e72c63ce3d9b187b79ea25baa

Upatre Command and Control Servers

109.196.1.13:4443

109.205.116.174:443

132.255.212.105:443

134.249.180.41:4443

141.105.69.251:443

150.129.49.11:443

162.243.249.68:443

172.242.228.68:4443

173.185.166.94:4443

173.252.50.124:4443

173.45.239.194:443

176.105.101.194:4443

176.106.122.32:443

176.97.40.144:443

181.174.76.17:4443

185.46.217.70:443

185.49.68.104:443

185.49.68.129:443

185.66.9.108:443

185.66.9.141:443

185.66.9.225:443

190.104.167.234:4443

190.95.138.66:443

193.151.240.79:4443

193.189.77.76:443

195.206.60.33:443

197.155.67.190:443

197.254.104.166:4443

203.183.172.196:3478

212.182.101.2:4443

217.17.108.47:4443

37.1.200.112:443

41.215.182.109:443

41.75.67.80:443

46.44.28.44:443

5.149.251.162:443

5.152.196.217:443

54.84.208.13:443

78.58.131.116:443

78.83.226.74:443

82.103.71.149:4443

83.241.176.230:4443

85.25.217.30:443

91.191.48.38:443

91.192.131.229:443

91.203.62.195:4443

[1] Nebbett, G. (2000). Windows NT/2000 native API reference. Indianapolis, IN: Macmillan Technical Pub.

, and

[Palo Alto Networks Blog]

Posted on

CSX 2015—From a Young Professional’s Perspective

ISACA’s inaugural CSX Conference took place in Washington, DC on 19-21 October, and it immediately raised the bar for IT security conferences. The hands-on pre-conference workshops and education sessions during the event provided tremendous value and insight into cybersecurity best practices and industry trends. As a young professional, the opportunity to hear from some industry experts and leading figures within the cybersecurity field was exceptionally beneficial.

The conference provided young professionals a chance to network with subject matter experts, vendors from large corporations or cybersecurity startups, as well as our peers. We were able to understand ways in which threats are evolving and the skills needed to keep up with the demands of protecting systems and sensitive information. It was easy to follow the rapid reactions and thoughts of attendees, as they discussed the conference topics on Twitter, as the updates were displayed on monitors throughout the expo hall or conference center.

Students attending the conference expressed enthusiasm about being able to provide direct feedback to ISACA Headquarters regarding the conference format, CSX career paths and volunteer opportunities. For them, a good challenge to have was deciding how to select the best possible session to attend, since there were so many good learning opportunities and speakers in each of the time slots. This only goes to show the depth and value of the education provided.

The CyberLympics competition added a new dynamic to the event. It was very exciting to observe and follow the progress through the second day of the conference. A previous colleague of mine was part of the team that represented Team USA. He felt the team had a complementary set of skills that enabled them to achieve the success they had in the earlier rounds of the competition to get to the finals.

Keynote speaker John Sileo gave a moving presentation on the value of identity theft, privacy and protecting your own personal information. For young professionals who are used to sharing so much on a daily basis, this session really resonated and demonstrated the real-life dangers of social engineering and sharing too much information. It made you think twice.

The conference concluded with a great keynote from Robert Herjavec, owner of the Herjavec Group and regular on the popular TV show, Shark Tank. His perspectives spanned a long entrepreneurial career and he emphasized the importance of cybersecurity professionals in this day and age, as we face such persistent threats from many sources.

Mark your calendars for the CSX Conference next year in Las Vegas at the Cosmopolitan from 17-19 October. It is an event you do not want to miss.

Jason Yakencheck, CISA, CISM, CISSP-ISSAP
Senior Managing Consultant, Cybersecurity & Privacy, IBM Global Business Services

[ISACA Now Blog]

English
English
Exit mobile version