# The Real Shim Shady

###### William Ballenthin, FireEye
###### Jonathan Tomczak, Mandiant

-----

## Bio, plan

#### William Ballenthin, Reverse Engineer
- FLARE (FireEye Labs Advanced Reverse Engineering) team
- Malware analysis, forward and backward engineering

#### Jonathan Tomczak, Consultant
- Mandiant Professional Services
- Incident response, forensics, tool development

#### Today's topic: case study and investigative techniques for hijacked Application Compatibility Infrastructure.

-----

## Put out the Fire!

- Working the malware triage queue, we encountered an interesting situation:
  - Client targeted by phishing emails
  - Large deployment of FireEye boxes didn't fire
  - Malware maintained persistence, somehow
- What's going on? How do we fix detection & investigative methodology?

-----

## DLL Injection via Shims

- Malware: self-extracting RAR drops KORPLUG launcher (elogger.dll) loading shellcode backdoor (elogger.dat)
- elogger.dat does a little of everything: manually loads PE payload, injects, privesc, installs service, HTTP protocol
- Also installs an ACI shim:
  - Writes two (32/64-bit) hardcoded, embedded SDB files to disk
  - Invokes sdbinst.exe

-----

## WHAT'S THE ACI?
### What are shims and why are they on my system?

-----

## Application Compatibility Infrastructure

- Manages and resolves application compatibility issues with updates to Microsoft Windows
- Configured via the freely available Application Compatibility Toolkit (ACT)
- API hooking (& more) built into the executable loader
  - "Shims" typically implemented as code (DLLs) or configuration (disable feature)
  - Shims described by databases (SDB files) indicating source and target
  - SDBs registered with the OS, queried by the loader

-----

## Application Compatibility Infrastructure, II

- Targets specified by executable file metadata, including:
  - Filename
  - PE checksum
  - File size
  - Version info fields, etc.
- Lots of shims to play with
  - Dozens of preconfigured quickfixes (redirect file reads, change heap behavior)
  - Thousands of SDB entries distributed by MS
  - Some undocumented features
  - EMET uses the ACI to inject its DLL

-----

## SDB contents

```
OREGON32.EXE
The Oregon Trail v1.2
Minnesota Educational Computing Corp.
568058f1-da4f-4105-8f72-edd5d2a4aaf3
82f31111-af62-4849-b866-14c4e748e33c
0x2
OREGON32.DLL
EmulateGetDiskFreeSpace
0x23298
```

-----

## SHIM TECHNIQUES
### Shim development, creation, and deployment

-----

## The Application Compatibility Toolkit

-----

## SDB deployment

- sdbinst.exe registers SDB files with the operating system
  - Creates uninstallation entries in the control panel
  - Adds values to Registry keys:
    - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
    - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
- Microsoft recommends packaging in an MSI and deploying via GPO
- Directly adding the Registry values circumvents sdbinst.exe and the extra control panel entries

-----

## Fun shims

|Shim Name|Purpose|
|---|---|
|DisableWindowsDefender|"The fix disables Windows Defender for security applications that do not work with Windows Defender."|
|CorrectFilePaths|Redirect file system paths|
|LoadLibraryRedirectFlag|Change load directory of DLLs|
|NoSignatureCheck|???|
|RelaunchElevated|Ensure an EXE runs as admin|
|TerminateExe|???|
|VirtualRegistry|Registry redirection and expansion|

-----

## Trick 1: DLL Injection via shims (seen in wild)

- Self-extracting RAR drops KORPLUG launcher (elogger.dll) loading shellcode backdoor (elogger.dat)
- elogger.dat does some of everything: manually loads PE payload, injects, privesc, installs service, HTTP protocol
- Also installs an ACI shim:
  - Writes two (32/64-bit) hardcoded, embedded SDB files to disk
  - Invokes sdbinst.exe

-----

## SDB contents

```
Brucon_Database
503ec3d4-165b-4771-b798-099d43b833ed
Brucon_Shim
Custom\elogger.dll
svchost.exe
Brucon_Apps
e8cc2eb6-469d-43bc-9d6a-de089e497303
*
Brucon_Shim
```

-----

## Analysis

- Persistence configured via opaque file format
- Hardcoded SDB file easily sig-able via filenames, IDs
  - Payload file exists in the clear, in a very limited set of directories
    - C:\Windows\AppPatch\Custom\
    - C:\Windows\AppPatch\Custom\Custom64\
- FireEye identified filename elogger.dll often reused in KORPLUG & SOGU campaigns.

-----

## Trick 2: Argument replacement via shims (seen in lab)

- CorrectFilePath fix redirects arguments from the application's path to an attacker-specified path
  - Trivial to hook into CreateProcess, WinExec, ShellExecute
- Custom program mine.exe launches C:\windows\temp\1.exe
  - Add shim: redirects C:\windows\temp\1.exe to C:\dump\1.exe
  - CorrectFilePath: "C:\windows\temp\1.exe; C:\dump\1.exe"

-----

## SDB contents

```
minesdb
2840a82e-91ff-4f29-bff2-fd1e9780b6eb
mine.exe
*
CorrectFilePaths
"C:\Windows\Temp\1.exe; C:\dump\1.exe"
```

-----

## Trick 2: Argument replacement via shims, II

- Analysis:
  - Consider the case where the targeted process is cmd.exe
    - Hidden persistence, MITM of process creation
    - #DFIR confusion
  - Configured via opaque file format
  - Payload not limited to specific directories

-----

## Trick 3: Shellcode injection via shims (seen in wild)

- Phishing email leads to a dropper
- Dropper installs template SDBs and modifies them dynamically
- SDB declares shellcode that the loader injects on executable load
- Payload is a downloader for other stages
- First identified by TrendMicro…

-----

## SDB contents

```
opera.exe
538f5e1c-932e-4426-b1c9-60a6e15bcd7f
patchdata0
040000c…0000000000000000
opera.exe
opera.exe
patchdata0
0x6c
```

-----

## PATCH_BITS

- Windows loader writes arbitrary bytes into module memory
  - PATCH_MATCH to verify the target of the memory write
  - PATCH_REPLACE stamps in raw bytes
  - Can target both EXE and DLL modules

-----

## Patch details

```
00000000 (04) opcode: PATCH_MATCH
0000000c (04) rva: 0x00053c2e
00000014 (64) module_name: u'kernel32.dll'
00000054 (05) pattern: 9090909090
disassembly:
0x53c2e: nop
0x53c2f: nop
0x53c30: nop
0x53c31: nop
0x53c32: nop
```

```
00000000 (04) opcode: PATCH_REPLACE
0000000c (04) rva: 0x00053c2e
00000014 (64) module_name: u'kernel32.dll'
00000054 (07) pattern: e8321a0700ebf9
disassembly:
0x53c2e: call 0x000c5665
0x53c33: jmp 0x00053c29
```

-----

## Patch details, II

```
00000000 (04) opcode: PATCH_MATCH
0000000c (04) rva: 0x000c5665
00000014 (64) module_name: u'kernel32.dll'
00000054 (08) pattern: 0000000000000000
```

```
00000000 (04) opcode: PATCH_REPLACE
0000000c (04) rva: 0x000c5665
00000014 (64) module_name: u'kernel32.dll'
00000054 (14) pattern: 83042402609ce8030000009d61c3
disassembly:
0xc5665: add dword [esp],2
0xc5669: pushad
0xc566a: pushfd
0xc566b: call 0x000c566d
0xc5670: popfd
0xc5671: popad
```

-----

## Patch details, III

```
< Multi-kilobyte shellcode downloader >
```

-----

## Patch details, summary

Diagram (built up over several slides; labels: Legit Call, Legit Code, Hook, Trampoline, Fetch & exec backdoor, Return to trampoline, Kernel32.dll, Return to legit code): a legit call into kernel32.dll hits the hook, which enters the trampoline; the trampoline fetches & executes the backdoor, control returns to the trampoline, and the trampoline returns to the legit code so the original call completes.

-----

## Analysis

- Persistence & injection by MS infrastructure!
- External storage of shellcode in an opaque format
- Dynamic modification of SDB files from a template
  - Generates unique GUIDs for the database ID
  - Extensible payloads
  - PATCH_BITS not documented

-----

## FLYING THROUGH THE MATRIX
### Understanding SDB files

-----

## SDB file format

- The SDB file format is an undocumented Microsoft format
  - apphelp.dll exposes ~254 exports for manipulating shims
  - That doesn't help for forensic analysis!

-----

## SDB file format, II

- So, we reverse engineered it
- Conceptually, like an indexed XML document
  - Three main nodes: the index, the database structure, and a string table
  - No compression, encryption, signatures, nor checksums

-----

## Consider the scenario

- Shim definition: name & shim action

```
Brucon_Shim
Custom\elogger.dll
```

- Application definition: target & shim pointer

```
svchost.exe
Brucon_Apps
Brucon_Shim
0x47c
```

-----

## python sdb

- Some tools exist for unpacking SDB files
  - But they rely on the Windows API
- python-sdb is a cross-platform, pure Python library for parsing SDBs
  - Python API makes it easy to build scripts that inspect SDB features
  - Provided sample scripts dump the database as various XML flavors
- https://github.com/williballenthin/python-sdb

-----

## DETECTION METHODOLOGY
### Investigating malicious shims at scale in a large environment

-----

## Consider the scenario

### Trojan.mambashim
- Python (what, just read the source!?!)
- Obfuscated bytecode
- Installs service, or uses ctypes to dynamically create the sdb and install it
- sdb causes the Windows loader to inject the DLL payload launcher into putty44.exe

#### Would you have any idea this was happening to your environment?

-----

## Existing administrative tools?

- Fact: Trojan.mambashim generates a random sdb path using a dictionary of English words, installs using sdbinst.exe
- ACI fails:
  - No central management for SDBs on a system
  - No Active Directory tools for SDB management
  - No accounting of ACI changes or rollback features
- Win?
  - Maybe catch sdbinst.exe via process auditing?

-----

## ACI Integrity checking?

- SDB files are not signed
- Whitelisting SDBs by hash does not work
  - e.g. collection across 6,000 hosts yields 18,000 unique SDB files
- Embedded timestamps and installation order affect SDB integrity checks
  - If Office is installed before Visual Studio, and then vice versa on another system, it may result in a different SDB.

-----

## Mass inspection & anomaly detection

- Acquire, inspect %systemdrive%\*.sdb
  - Legitimate SDBs typically reside in Windows and Program Files
  - Attacker SDBs found in %USERPROFILE%, working directories
- Acquire, inspect
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
- Default sdbs: drvmain, frxmain, msimain, pcamain, sysmain

-----

## Mass inspection & anomaly detection

### Trojan.mambashim
- Random header timestamp (range 0-max int64 (!!!)) 👍
- Random compiler version (rand.rand.rand.rand) 👍
- EXE vendor name "vendor" 👍
- Random database ID (well, it's a GUID…) 👍
- Random EXE ID (also a GUID…) 👍

### But, a blacklist won't scale
- Good for hunting, not fire and forget

-----

## Mass inspection & anomaly detection, II

```
Microsoft-Windows-Application-Experience-Program-Telemetry.evtx
Compatibility fix applied to C:\PROGRAM FILES\Putty\putty44.exe. Fix information: vendor, {7e4053fe-ade9-426f-9dc2-0bbfa76b5366}, 0x80010156.
```

### Do you have technology that can detect "unusual entries"?
- Count tuple (hostname, vendor, application) & sort ASC
- Alert on new tuples?

-----

## Domain specific hashing

- Realistically, Trojan.mambashim could be much nastier.
- We don't expect blacklisting to scale; that's just playing catch-up
- We really want to whitelist:
  - But, can't whitelist entire files by hash (see earlier)
  - Can hash shim & application definitions
  - Don't expect these to change
  - Use this to build a whitelist!
  - shims_hash_shims.py

-----

## Prepare for this scenario

- https://github.com/ganboing/sdb_packer
- Extract existing legit sysmain.sdb
- Add new shim for explorer.exe, etc.
- Payload: keylog data & shellcode that does exfil
- Re-pack sysmain.sdb
- Deploy
- ???
- Profit

-----

## Shims are real. Don't get shimmed.

- Both targeted and commodity threats are actively using ACI shims
- There is no existing infrastructure for detection
- Consider the risk
- You are now the front line.
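The tuple counting over Application-Experience telemetry events proposed on the "Mass inspection & anomaly detection, II" slide, as an added example that is not code from the talk or from python-sdb. The event messages are constructed in the shape quoted on the slide; hostnames, the "Contoso" vendor, the second GUID and the baseline are assumptions.

```python
import re
from collections import Counter

# Message text of a Microsoft-Windows-Application-Experience telemetry event,
# in the shape quoted on the slide ("Compatibility fix applied to ...").
EVENT_RE = re.compile(
    r"Compatibility fix applied to (?P<app>.+?)\. "
    r"Fix information: (?P<vendor>[^,]+), \{(?P<guid>[0-9a-f-]{36})\}, "
    r"(?P<flags>0x[0-9a-f]+)\.",
    re.IGNORECASE,
)

# Constructed sample records as (hostname, message); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "Compatibility fix applied to C:\\PROGRAM FILES\\Putty\\putty44.exe. "
             "Fix information: vendor, {7e4053fe-ade9-426f-9dc2-0bbfa76b5366}, 0x80010156."),
    ("ws02", "Compatibility fix applied to C:\\Program Files\\Legacy\\app.exe. "
             "Fix information: Contoso, {00000000-0000-0000-0000-000000000001}, 0x80010156."),
    ("ws02", "Compatibility fix applied to C:\\Program Files\\Legacy\\app.exe. "
             "Fix information: Contoso, {00000000-0000-0000-0000-000000000001}, 0x80010156."),
    ("ws03", "Compatibility fix applied to C:\\Program Files\\Legacy\\app.exe. "
             "Fix information: Contoso, {00000000-0000-0000-0000-000000000001}, 0x80010156."),
    ("ws03", "The Application Experience service entered the running state."),
]

def parse_event(hostname, message):
    """Return the (hostname, vendor, application) tuple, or None for other events."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    # Case-fold host and path: the loader logs paths in inconsistent case.
    return (hostname.lower(), m.group("vendor").strip(), m.group("app").lower())

def rank_tuples(events):
    """Count each tuple and sort ascending, so the rarest entries come first."""
    counts = Counter()
    for hostname, message in events:
        t = parse_event(hostname, message)
        if t is not None:
            counts[t] += 1
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))

def new_tuples(events, baseline):
    """Tuples whose (vendor, application) pair is absent from the known-good baseline."""
    return [t for t, _ in rank_tuples(events) if t[1:] not in baseline]
```

Feeding a day's worth of exported events through rank_tuples() puts single-host, single-vendor entries such as the "vendor"/putty44.exe pair at the top of the list, which is the review order the slide suggests.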
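The whitelisting idea from the "Domain specific hashing" slide, as an added example that is not the talk's shims_hash_shims.py: hash only the shim and application definitions and ignore the header timestamp, compiler version and GUIDs that the "ACI Integrity checking?" slide shows vary between otherwise identical databases. The dict layout standing in for a parsed SDB, the "Oregon_Shim" name and all volatile values are assumptions; the Brucon definitions are the ones quoted earlier in the deck.

```python
import hashlib
import json

# Constructed stand-ins for parsed SDBs (dict shape is an assumption; a real
# workflow would fill it from a python-sdb dump). Timestamps/versions are made up.
LEGIT_SDB = {
    "database_id": "8f0c2c7e-0000-4000-8000-000000000001", "time": 131000000000000000,
    "compiler_version": "6.3.9600.16384",
    "shims": [{"name": "Oregon_Shim", "action": "EmulateGetDiskFreeSpace"}],
    "exes": [{"name": "OREGON32.EXE", "exe_id": "8f0c2c7e-0000-4000-8000-000000000002",
              "shims": ["Oregon_Shim"]}],
}
# Same definitions after a recompile: new timestamp, compiler, GUIDs, name case.
LEGIT_SDB_RECOMPILED = {
    "database_id": "8f0c2c7e-0000-4000-8000-000000000003", "time": 131500000000000000,
    "compiler_version": "10.0.14393.0",
    "shims": [{"name": "Oregon_Shim", "action": "EmulateGetDiskFreeSpace"}],
    "exes": [{"name": "oregon32.exe", "exe_id": "8f0c2c7e-0000-4000-8000-000000000004",
              "shims": ["Oregon_Shim"]}],
}
# Definitions from the KORPLUG database shown in the deck; volatile fields constructed.
KORPLUG_SDB = {
    "database_id": "503ec3d4-165b-4771-b798-099d43b833ed", "time": 0, "compiler_version": "0.0.0.0",
    "shims": [{"name": "Brucon_Shim", "action": "Custom\\elogger.dll"}],
    "exes": [{"name": "svchost.exe", "exe_id": "e8cc2eb6-469d-43bc-9d6a-de089e497303",
              "shims": ["Brucon_Shim"]}],
}

def definitions(sdb):
    """Keep only shim and application definitions; drop timestamps, versions, GUIDs."""
    shims = sorted(({"name": s["name"], "action": s["action"].lower()} for s in sdb["shims"]),
                   key=lambda d: (d["name"], d["action"]))
    apps = sorted(({"name": e["name"].lower(), "shims": sorted(e["shims"])} for e in sdb["exes"]),
                  key=lambda d: d["name"])
    return {"shims": shims, "apps": apps}

def definition_hash(sdb):
    """SHA-256 over a canonical JSON encoding of the definitions only."""
    blob = json.dumps(definitions(sdb), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def is_whitelisted(sdb, whitelist):
    """True when the database's definition hash is in the known-good set."""
    return definition_hash(sdb) in whitelist
```

A whitelist built this way survives the Office/Visual Studio install-order case from the slides, because only the definitions contribute to the hash.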
-----

## Prior work

- "Persist It - Using and Abusing Microsoft Fix It Patches" - Jon Erickson/iSIGHT @ BH '14
  https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
- "Shim: A new method of injection" (in Russian)
  ftp://os2.fannet.ru/fileechoes/programming/XA_159.PDF
- "Roaming Tiger" - Anton Cherepanov/ESET @ ZeroNights '14
  http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf
- "Windows - Owned By Default!" - Mark Baggett @ DerbyCon 2013
- "Compatibility Fix Descriptions" - MSDN
  https://technet.microsoft.com/en-us/library/cc722305%28v=ws.10%29.aspx

-----

## THE END
### Questions?

-----

## File Timestamp Indicators

- Filesystem created timestamp indicates installation of the SDB to the system
  - Windows patch
  - Application install
  - Malicious SDB that was pre-compiled before installation.
- Registry timestamps show the installation timestamp
- Filesystem modified timestamp indicates that the SDB was recompiled.
  - Windows patch
  - Application install
  - Malicious injection into an existing SDB such as sysmain.sdb

-----

## Notes on artifacts

- FireEye identified filename elogger.dll often reused in KORPLUG & SOGU campaigns.
- elogger.dll exports ShimMain and NotifyShims, which are undocumented shim entry points. Some KORPLUG loaders also export these without SOGU payloads referencing the ACI.
- "Roaming Tiger" (ESET) campaign distributed SDB files with similar naming schemes:

|elogger.dat|"Roaming Tiger"|
|---|---|
|Brucon_Shim|AcProtect_Shim|
|Brucon_Apps|AcProtect_Apps|
|Brucon_Database|AcProtect_Database|

-----

## Shim DLL exports

|Shim DLL export name|Shim DLL export purpose|
|---|---|
|SE_DllLoaded|Callback during DLL load|
|SE_DLLUnloaded|Callback during DLL unload|
|SE_DynamicShim|Unknown|
|SE_GetProcAddress|Callback during GetProcAddress|
|SE_InstallAfterInit|Callback after shim complete|
|SE_InstallBeforeInit|Callback before shim application|
|SE_IsShimDLL|Callback when shimming shim DLL|
|SE_ProcessDying|Callback when EXE exiting|

-----