
Smarter Incident Response with

Protocol Reverse Engineering


July 17th, 2012
Michael Cloppert, Chief Research Analyst, Lockheed Martin CIRT

What would you do with this?


<html> <!-- V0VMTCBOT1csIEFSRU4nVCBZT1UgQ0xFVkVSPw== --> ZHEFRQWHQW </html>

H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdRLrUgFADXOOVIcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdJLrUgFAOW0mRUcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdZLrUgFAFWd_SgcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdFLrUgFAEVB2ZocAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdVLrUgFAPVouaccAAAA.bad.com

Incident response is fast


Scope is initially unknown

Detections cannot wait


Often information is incomplete

Reverse Engineering can be slow


Complex code is laborious and time-consuming

Bandwidth may not accommodate all specimens in need of analysis

Tactical profiling of network activity needs a short-cut

Protocol Reverse Engineering


PRE is the process of extracting the structure, attributes, and data from a network protocol implementation without access to its specification

Dual goals

Tactical: Network signatures

Strategic: Protocol decoders

Available Data
Network activity (PCAPs)

Client binary / source code


Server binary / source code

The PRE Workflow

What Defines a Protocol?


Structure
Protocol flow
Encapsulation
Command list
Input range
Output range
Encoding

Easy example... ?
Below is a pcap from an iMessage transmission

22:08:00.050911 IP 10.0.0.116.22 > 10.0.0.100.60518: Flags [P.], seq 49:177, ack 48, win 8192, options [nop,nop,TS val 515235000 ecr 683597755], length 128
0x0000: 4510 00b4 6b48 4000 4006 ba14 0a00 0074 E...kH@.@......t
0x0010: 0a00 0064 0016 ec66 0ed8 8eae 2fb0 ec70 ...d...f..../..p
0x0020: 8018 2000 4400 0000 0101 080a 1eb5 dcb8 ....D...........
0x0030: 28be dfbb b58b e786 717d 1f3a 2a55 b828 (.......q}.:*U.(
0x0040: 230f cd47 43d7 8a14 4b4c ff85 b6ab ebfd #..GC...KL......
0x0050: 732b 14ff 9c3b 2589 62dd 078d 5b81 da92 s+...;%.b...[...
0x0060: 850f 1d4d 9d97 8380 e642 303b 64d0 f3c5 ...M.....B0;d...
0x0070: 7bf4 186d 1487 a5f1 05f7 4607 4572 6d2a {..m......F.Erm*
0x0080: bdce c15d 0383 8f1f 4ef2 2ab0 5c68 7509 ...]....N.*.\hu.
0x0090: 128f 45f5 28c1 cc52 13d9 c1e4 620d a133 ..E.(..R....b..3
0x00a0: 880f 5cfd fd74 81c6 c920 1e18 be76 ed94 ..\..t.......v..
0x00b0: 851c 2cba ..,.

Where can we get this information?

Protocol States
Protocols may behave differently depending on what state they are in. I divide this into five states:
1. Idle

2. Interactive
3. Upload

4. Download
5. Errant

Principles of Analysis & Development


Completeness

Correctness
Spiral

Configuration

Analytical Techniques
Entropy analysis

Bitmasking
Manual structure identification

PCAP Construction
Behavioral & Code Analysis (FOR 610)
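Two of the techniques listed above, bitmasking and entropy analysis, applied to the tcpdump specimen shown earlier. This is an added example written for this page, not code from the talk: the tcpdump text is copied from the slide, the HTTP cleartext sample is constructed here purely for comparison, and the entropy thresholds in the comments are rules of thumb rather than anything the slides state.

```python
"""Added example (not from the original slides): rebuild the tcpdump -X specimen
into bytes, decode its IP/TCP headers with shifts and masks, and measure payload
entropy to judge whether the payload is text, encoded, or encrypted/compressed."""
import math
import re
from collections import Counter

# tcpdump -X output copied from the slide (raw string: the ASCII gutter holds backslashes).
TCPDUMP_HEX = r"""
22:08:00.050911 IP 10.0.0.116.22 > 10.0.0.100.60518: Flags [P.], seq 49:177, ack 48, win 8192, options [nop,nop,TS val 515235000 ecr 683597755], length 128
0x0000: 4510 00b4 6b48 4000 4006 ba14 0a00 0074 E...kH@.@......t
0x0010: 0a00 0064 0016 ec66 0ed8 8eae 2fb0 ec70 ...d...f..../..p
0x0020: 8018 2000 4400 0000 0101 080a 1eb5 dcb8 ....D...........
0x0030: 28be dfbb b58b e786 717d 1f3a 2a55 b828 (.......q}.:*U.(
0x0040: 230f cd47 43d7 8a14 4b4c ff85 b6ab ebfd #..GC...KL......
0x0050: 732b 14ff 9c3b 2589 62dd 078d 5b81 da92 s+...;%.b...[...
0x0060: 850f 1d4d 9d97 8380 e642 303b 64d0 f3c5 ...M.....B0;d...
0x0070: 7bf4 186d 1487 a5f1 05f7 4607 4572 6d2a {..m......F.Erm*
0x0080: bdce c15d 0383 8f1f 4ef2 2ab0 5c68 7509 ...]....N.*.\hu.
0x0090: 128f 45f5 28c1 cc52 13d9 c1e4 620d a133 ..E.(..R....b..3
0x00a0: 880f 5cfd fd74 81c6 c920 1e18 be76 ed94 ..\..t.......v..
0x00b0: 851c 2cba ..,.
"""

# Constructed cleartext sample for comparison (not from the slides).
CLEARTEXT_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

OFFSET_RE = re.compile(r"0x[0-9a-fA-F]{4}:")
WORD_RE = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                 0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def parse_tcpdump_hex(dump):
    """Turn tcpdump -X rows ("0x0010: 0a00 0064 ... ...d...f") back into packet bytes.
    Reading stops at the first token that is not a 2- or 4-digit hex word (the ASCII gutter)."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET_RE.fullmatch(tokens[0]):
            continue  # summary line or anything else that is not a hex row
        offset = int(tokens[0][2:-1], 16)
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        for tok in tokens[1:9]:  # a row carries at most 8 words (16 bytes)
            if not WORD_RE.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_ipv4_tcp(pkt):
    """Decode the fixed IPv4 and TCP fields with shifts and masks (the bitmasking step)."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4  # upper nibble / lower nibble in words
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    total_len = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:
        raise ValueError(f"IP protocol {pkt[9]} is not TCP")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4  # TCP header length in 32-bit words
    flags = tcp[13]
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "ack": int.from_bytes(tcp[8:12], "big"),
        "flags": [name for bit, name in TCP_FLAG_BITS.items() if flags & bit],
        "window": int.from_bytes(tcp[14:16], "big"),
        "options": tcp[20:data_off],
        "payload": tcp[data_off:],
    }


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes.
    Rule of thumb: plain text ~4-5, hex text at most 4 (log2 16), base64 text at most 6
    (log2 64), compressed or encrypted data approaches 8. Short samples cap out lower:
    n bytes can never exceed log2(n), so a 128-byte payload tops out at 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(dump):
    info = parse_ipv4_tcp(parse_tcpdump_hex(dump))
    info["payload_entropy"] = shannon_entropy(info["payload"])
    return info


if __name__ == "__main__":
    info = analyze(TCPDUMP_HEX)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} flags={info['flags']}")
    print(f"payload {len(info['payload'])} bytes, entropy {info['payload_entropy']:.2f} bits/byte")
    print(f"cleartext sample entropy {shannon_entropy(CLEARTEXT_SAMPLE):.2f} bits/byte")
```

The header decode confirms what the tcpdump summary line already says (server port 22, PSH/ACK, window 8192, 12 bytes of options), and the payload entropy lands well above the cleartext sample, which is the quick signal that the 128 payload bytes are not going to yield to manual structure identification without first finding a key or a decompressor.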

Back to those examples
<html> <!-- V0VMTCBOT1csIEFSRU4nVCBZT1UgQ0xFVkVSPw== --> ZHEFRQWHQW </html>

H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdRLrUgFADXOOVIcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdJLrUgFAOW0mRUcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdZLrUgFAFWd_SgcAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdFLrUgFAEVB2ZocAAAA.bad.com H4sIACeKBVAAA8soKSmw0tcvLy-XS0pM0UvOz9VPy8xJNdVLrUgFAPVouaccAAAA.bad.com

Common encoding techniques


Keep a lookout for these!
Base64 encoding
LZH (zip) compression

Hex-ASCII encoding
Simple XOR obfuscation

Brute force?

Thank you!
For more in-depth training on malware reverse engineering, please register for FOR 610!

https://www.sans.org/community/event/for610-baltimore-aug-2012

For more on PRE, see http://computer-forensics.sans.org/blog/
