
Reverse Engineering: Offensive Black Box Software Security Assessment

Author: Omer Coskun Supervisor: Bogumila Hnatkowska


Talk is cheap. Show me the code. Torvalds, Linus (2000)

Today's Agenda
Overview
Understanding the Subject
Motivations & Challenges
Missions of the Thesis
Incidents from Real Life
Software Vulnerabilities
RATs (Remote Administration Tools)
Counterfeit Applications
Case Study: Counterfeit RAT Analysis
Software Application Licenses
Case Study: Software Protection Schemes
Demonstration of Tools
Conclusions
Questions?

Understanding the Subject
Reverse Engineering: Offensive Black Box Software Security Assessment. Reverse engineering is the process of discovering the technological principles of an object or system through analysis of its structure and operation.

Why reverse engineering? It is an empirical field of study that involves a great deal of analysis and research. Why offensive? If you know your enemy's strategies, you can develop your own strategies to defeat him. Why black box? We do not necessarily have the source code, nor can we expect to be provided with it.

Motivation & Challenges


Interoperability
Software Modernization
Product Analysis
Software Maintenance
Security Auditing

Challenges
Lack of technical documentation
Lack of scientific works in the same field
Technically complex and commercial systems
Entirely particular empirical challenges with a low success rate

Thesis Mission
Behavioral Analysis

How applications are loaded into memory and executed by the operating system. Knowing the operating system's internals and the structure of a program is enough to analyze its behavior.

Extending Functionalities

It is possible to extend the functionality of a program even though we do not have the application's source code. Reverse engineering is an excellent weapon for doing so.

Security Assessment

Not only spotting vulnerabilities or errors: defeating protection schemes is also possible with a knowledge of the fundamentals of assembly language.

Innocent-Looking Software Vulnerabilities

Process Memory Regions

Easy Chat Server is a handy application that allows chatting without any additional application except a web browser.

What if human life is in danger?


DarkComet RAT

On February 17th CNN published an interesting article in which some opponents of the Syrian regime claimed that the government was using a Trojan to monitor and disrupt the protesters' network.

Counterfeit Applications
Counterfeit applications:
Information gathering
Criminal justice & law enforcement
Industrial espionage
ID theft and financial fraud
Cyber wars (e.g. Duqu, Flame, Stuxnet)

Case Study: Counterfeit RAT Analysis


Prorat: Pro Group's Remote Administration Tool
The most complex RAT at the time it was created
Offers a wide range of functionalities: key-logging, remote file download, password logging, hardware interaction
Hides itself from task managers and starts automatically whenever the computer restarts

It is enough to execute server.exe to place Prorat on any system.

The Prorat client offers a wide range of functionalities. Any computer on which server.exe is placed can easily be managed by this tool.

Case Study: Counterfeit RAT Analysis (contd)


Prorat: Pro Group's Remote Administration Tool
It also converts every server into a zombie
Every zombie can easily be governed by the RAT programmers

Everything is recorded into their system; the server binds a socket and waits for a connection.

Software Application Licenses


Programmers tend to focus on the functionality of their application


Adding fake license-checking routines does not affect the complexity of the algorithm. Recklessly implementing a license-checking system without being familiar with reverse engineering is simply weak.

Programmers prefer to delegate this to third-party applications

Some statistics suggest that software piracy significantly affects revenues


Software piracy endangers not only the revenue but also the reputation of the company and its product

Case Study: License Scheme Analysis and Jump-Pruning Attack Demonstration


Super EZ Wave Editor:
A visual music file editor designed for home studio recording and for people who are just getting started with audio editing. The application is offered as a 90-day trial; during or after the trial, the application must be purchased to prolong the usage period.


The application is offered as a 90-day trial; once the application is purchased, the firm provides a license key that removes the trial limitation.

Super EZ Wave Editor is a really successful, handy tool that provides lots of effects, plug-ins and audio editing functionalities.

Case Study: License Scheme Analysis and Jump-Pruning Attack Demonstration (contd)
Super EZ Wave Editor:
No exe compression tool or third-party tool is used to protect the application itself
There is no effective license verification or calculation algorithm, except some fake calculation intended to deceive crackers. However, it is useless.


Super EZ Wave Editor explicitly calculates the application's license key from the given name. It then compares whether the given license key matches the original one placed in memory.
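To make the design flaw concrete, here is an added example (not code from the thesis, from the tools it presents, or from Super EZ Wave Editor; the key derivation, salt, seed and license format are all constructed for illustration) that places a name-derived key check of the kind described above beside a scheme in which the shipped client holds only a verification key while the vendor keeps the signing key offline. It also covers the time limitation mentioned under contemporary protection schemes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ---- Weak scheme: the client derives the expected key from the name ----
// Modelled on the check described in the slides: the application computes
// the "correct" key for the customer name and compares it with the key the
// user typed in. Everything needed to produce a valid key ships inside the
// binary, and the whole decision rests on a single comparison/branch.

// weakKeyForName mirrors an in-binary key derivation. The salt is constructed
// for this example; in a real product it would be a constant in the data or
// code section and therefore no secret at all.
func weakKeyForName(name string) string {
	sum := sha256.Sum256([]byte("demo-salt:" + name))
	return strings.ToUpper(hex.EncodeToString(sum[:8]))
}

// weakCheck is the single comparison the protection collapses to.
func weakCheck(name, typedKey string) bool {
	return weakKeyForName(name) == typedKey
}

// ---- Hardened scheme: the vendor signs, the client only verifies ----
// The shipped binary embeds a public key. Producing a valid license requires
// the private key, which never leaves the vendor.

// License is the constructed license format: who it is for, when it expires,
// and the vendor's Ed25519 signature over both fields.
type License struct {
	Name   string
	Expiry string // YYYY-MM-DD, so lexical order equals chronological order
	Sig    []byte
}

// licenseMessage canonicalises the signed fields; the NUL separator keeps
// "ab"+"c" and "a"+"bc" from producing the same bytes.
func licenseMessage(name, expiry string) []byte {
	return []byte(name + "\x00" + expiry)
}

// vendorKeyPair derives a key pair from a fixed, constructed seed so the
// example is reproducible. A real vendor uses ed25519.GenerateKey and keeps
// the private key offline; only the public key is compiled into the product.
func vendorKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed vendor seed for this example"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// issueLicense runs on the vendor's side only.
func issueLicense(priv ed25519.PrivateKey, name, expiry string) License {
	return License{Name: name, Expiry: expiry,
		Sig: ed25519.Sign(priv, licenseMessage(name, expiry))}
}

// verifyLicense is what the shipped application does: check the signature,
// then the time limitation. today is passed in so the check is deterministic.
func verifyLicense(pub ed25519.PublicKey, lic License, today string) bool {
	if !ed25519.Verify(pub, licenseMessage(lic.Name, lic.Expiry), lic.Sig) {
		return false
	}
	return today <= lic.Expiry
}

func main() {
	// Weak scheme: the derivation lives in the binary, so the comparison
	// protects nothing once the binary itself has been read.
	fmt.Println("weak check, derived key:", weakCheck("Alice", weakKeyForName("Alice")))

	pub, priv := vendorKeyPair()
	lic := issueLicense(priv, "Alice", "2030-12-31")
	fmt.Println("signed license, valid  :", verifyLicense(pub, lic, "2025-06-01"))

	// Editing the name (or any signed field) invalidates the signature.
	forged := lic
	forged.Name = "Bob"
	fmt.Println("signed license, forged :", verifyLicense(pub, forged, "2025-06-01"))

	// An expired license is rejected even though its signature is fine.
	fmt.Println("signed license, expired:", verifyLicense(pub, lic, "2031-01-01"))
}
```

Note the limit of the improvement: both checks still end in a conditional branch inside the client, so the signed scheme on its own does not stop the binary being modified; what it removes is the information from which a valid key can be derived, which is the weakness the case study describes. That is why the conclusions ask for packing and integrity protection on top of a sound scheme rather than instead of one.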

Contemporary Software Protection Schemes


As software firms faced software piracy issues, they wanted to control their consumers' behavior, number of installations, period of software usage and more. Hence software keys, hardware limitation, time limitation and similar techniques are implemented to achieve these goals.


ASProtect Features:
Resource Protection
Anti-Debugger Protection
Check Sum Protection

Dongles are a very effective protection system, though they are less preferred.

CD/DVD Copy Protections


Exemplary software delivered by DVD, Cambridge TOEFL Prep: the application requires the physical presence of the original DVD and applies a couple of verification techniques; in case of a pirated DVD or absence of the DVD it gives an error without any further explanation.

Debugger view of the exemplary software delivered by DVD, Cambridge TOEFL Prep. The application is protected by SecuROM (https://www2.securom.com/), which checks whether the CD/DVD is inserted and authentic, and otherwise refuses execution.

Demonstration of Tools


A couple of different portable executable tools have been implemented in order to analyze and demonstrate weaknesses of commercial applications, each of which generally solves a particular problem.

Conclusions
Developers shouldn't solely rely on third-party application protectors.
Protecting and packing the application before distributing it will increase the security level.
Designing a license protection and verification scheme is a really hard job.
Highly experienced reverse analysts should implement these protection schemes, with complex cryptography.
Compromise of a license scheme causes not only financial loss but also damages the application's and the company's prestige.
Reverse engineering is a great tool when it is used properly.
There is no hundred percent secure system.


Questions?
