Sam Eldin

Reverse Engineering Objectives
The never-ending cybersecurity war between hackers and cybersecurity specialists keeps taking on new features. Reverse engineering is one big part of the arsenal hackers exploit to keep their code hidden in plain sight. The SolarWinds hack is a perfect example of how hackers' code was hidden in plain sight. Our focus is to briefly cover the basics of reverse engineering and then present our approaches and tools that use reverse engineering:

         • What is Decompiling code?
         • What is Reverse Engineering?
         • SolarWinds Hacking Lessons - Hidden in Plain Sight
         • Our Machine Learning Approach
         • Our DevOps and Virtualization Options
         • Our DataOps and Virtualization Options
         • Automation, Intelligence and Virtualization


What is Decompiling code?
A decompiler is software that turns an executable program back into source code.
The conversion is usually not a perfect one, and reconstructing or restructuring the source can require a lot of effort, talent and time. With patience, time and teamwork, the result can be rewarding, especially for hackers who need to know how to add their code without detection.

What is Reverse Engineering?
Reverse Engineering is the analysis of a device or program to determine its function or structure, often with the intent of re-creating or modifying it. Reverse engineering can be used by hackers to add their malicious code without detection, while Cybersecurity specialists use reverse engineering to detect malicious code. It is a never-ending cycle of outsmarting each other.

SolarWinds Hacking Lessons - Hidden in Plain Sight
What is SolarWinds Hack (Orion)?
Briefly, SolarWinds is a major software company which provides system management tools for network and infrastructure monitoring, and other technical services, to hundreds of thousands of organizations around the world. Among the company's products is an IT performance monitoring system called Orion.

In early 2020, hackers secretly broke into Texas-based SolarWinds' systems and added malicious code to the company's software. More than 30,000 public and private organizations, including local, state and federal agencies, use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands of them when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software.

According to FireEye Site Posting:

         "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor"

From experience, updating or modifying someone else's code is not a small task. The added code must be tested to make sure it does what it is supposed to do. Looking at the details and the total effort involved in inserting their malicious code, these hackers must have had access to, or copies of, the DLLs, the interfaces and their possible variations. The following are the goals and methodologies used by the hackers:

The Malware Performance:

1. After an initial dormant period of up to two weeks, it retrieved and executed commands, called "Jobs"
2. The hackers added their code in such a way that it has the same style of code, so no one would notice a difference
3. Used the same names and structure
4. Hide in plain sight
5. List of function calls
6. Threads
7. Tree processes
8. Initialization
9. Hash functions for data
10. Hash functions for methods name calling
11. IP addresses
12. Tracing calls
13. Sleep functions for days
14. Threads sleep functions
15. Date and timestamp
16. Search function
17. OS calls
18. Zipping and unzipping function calls
19. Compression and decompression
20. Stop services from running
21. Receive instructions from outside sites
22. Interrupt or stop services
23. Had the ability to transfer files
24. Executed files
25. Profiled the system
26. Rebooted the machine
27. Disabled system services
28. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol
29. Stored reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity
30. The backdoor used multiple obfuscated block lists to identify forensic and anti-virus tools running as processes, services, and drivers
31. The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration)
32. After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud.com
33. The DNS response will return a CNAME record that points to a Command and Control (C2) domain
34. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications
35. Hashing IP addresses and function names
36. Run in memory only, which allowed the adversary to blend into the environment, avoid suspicion, and evade detection
37. IP addresses located in the victim's country
38. The attacker's choice of IP addresses was also optimized to evade detection
39. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers
40. Temporary file replacement and temporary task modification
41. The attacker used a temporary file replacement technique to remotely execute utilities
42. They replaced a legitimate utility with their own
43. Executed their payload and then restored the legitimate original file
44. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration
45. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved
46. They sent new login names and passwords to their sites to gain access
47. What else? We may never know or figure it out
48. Could their malicious code still be hidden and waiting for further instructions and commands?
49. What would the next level of hacking be or look like?

It looks like the hackers were very familiar with SolarWinds' code details, processes, schedules, etc. These hackers were able to reverse engineer the SolarWinds DLLs and reconstruct them with malicious code added.
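The DNS behaviour listed above (a subdomain of avsvmcloud.com resolved after the dormant period, then a CNAME reply handing off to the C2 domain) is something a defender can hunt for in resolver logs. The following is an added example, not code from the original page or from SolarWinds; the log format, the client addresses and the subdomain labels are constructed, and only the avsvmcloud.com parent domain comes from the write-up.

```python
import re
from collections import defaultdict

# Assumption: one resolver log line per DNS answer, space separated:
#   <ISO timestamp> <client IP> <query name> <record type> <answer>
# The lines below are constructed for this example, not real telemetry.
SAMPLE_DNS_LOG = """\
2020-03-01T10:00:01 10.0.0.5 updates.corp.example A 203.0.113.10
2020-03-15T02:14:07 10.0.0.5 abc123example.avsvmcloud.com A 198.51.100.7
2020-03-15T02:14:07 10.0.0.5 abc123example.avsvmcloud.com CNAME c2-handoff.example
2020-03-15T02:20:40 10.0.0.9 mail.corp.example MX mail.corp.example
2020-03-16T09:02:11 10.0.0.9 def456example.avsvmcloud.com A 192.0.2.3
"""

# Parent domain named in the write-up; the backdoor first resolves a subdomain of it.
SUSPECT_PARENT = "avsvmcloud.com"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_subdomain(name, parent):
    """True only for labels below `parent`; the parent itself and look-alikes don't match."""
    name = name.lower().rstrip(".")
    return name != parent and name.endswith("." + parent)

def find_sunburst_dns(log_text):
    """Return {client_ip: [finding, ...]} for queries matching the SUNBURST DNS pattern."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line must not take the monitor down
        ts, client, qname, rtype, answer = m.groups()
        if not is_subdomain(qname, SUSPECT_PARENT):
            continue
        # A CNAME reply to the subdomain is the hand-off to the C2 domain;
        # an A reply alone is the beacon and is still recorded.
        stage = "c2_handoff" if rtype.upper() == "CNAME" else "beacon"
        findings[client].append(
            {"time": ts, "query": qname, "stage": stage, "answer": answer})
    return dict(findings)

def c2_domains(findings):
    """CNAME targets seen across all clients: candidate C2 domains to block and hunt for."""
    return {f["answer"] for hits in findings.values()
            for f in hits if f["stage"] == "c2_handoff"}
```

Run over the constructed log, both clients are reported and `c2-handoff.example` is the one CNAME target worth blocking and hunting for across the estate.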

Our questions:
         Are the cybersecurity specialists helpless?
         How do we stop such hacking?

Our remedy is the following:
These hackers were using certain functions, OS calls, threads, IP addresses, sleep, hash, zipping, etc. In short, any program or server must be executed through Operating System calls or scripts.

OS and CPU Basics:
The OS decides the best way to swap between running, runnable and waiting processes. It controls which process is being executed by the CPU at any point in time, and shares access to the CPU between processes. The job of working out when to swap processes is known as scheduling. The OS makes it possible to run several programs at once, since several programs can be stored in RAM at the same time.

Therefore, we can do the following:

         1. List all the OS calls and scripts
         2. Give each call or script a grade for how likely it is to be used by anyone with bad intentions
         3. List all the calls hackers often use
         4. Track any processes running in memory
         5. Prevent and trap any hashing, inline, sleep, remote access functions, etc.
         6. Prevent other miscellaneous hacker tools


In short, monitor the OS execution and memory processes. The main job of the OS is to run all programs, including the OS itself. Any OS works with scheduled processes, access permissions, memory allocation, trapping of illegal access, etc. Therefore we would use the OS monitoring data to trap any code execution, access, memory residence, etc. We need to obtain a picture of what the OS is doing and of everything running on the system or servers. In other words:

         We keep our eyes on the OS and its data and everything running in memory.
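The six remedy steps above amount to a grading pass over what each process asks the OS to do. The following is an added example, not code from the original page: the call names, the misuse grades, the threshold and the three process traces are all constructed for illustration, and the image name BusinessLayerHost.exe is taken from the write-up only so the traces read realistically.

```python
from dataclasses import dataclass

# Steps 1-3: a catalogue of OS-level actions, each with a "misuse grade"
# (0 = routine, 10 = almost only seen in attacker tooling). Names and grades
# are constructed for this example; a real deployment tunes them from its own baseline.
CALL_GRADES = {
    "file_read": 0, "file_write": 1, "thread_create": 1, "sleep": 1,
    "compress": 2, "dns_resolve": 2, "hash_compute": 3, "http_request": 3,
    "sleep_days": 6, "service_stop": 7, "scheduled_task_modify": 8,
    "process_list_av_check": 8, "inline_hook": 9, "remote_exec": 9,
}
# Step 3: the calls the write-up says the attackers leaned on. They are scored as a
# combination: one hash call is normal, hash + multi-day sleep + DNS + zip is not.
ATTACK_PATTERN = {"hash_compute", "sleep_days", "dns_resolve", "compress", "service_stop"}

@dataclass
class ProcessTrace:
    pid: int
    image: str
    calls: list  # call names observed for this process (step 4: tracked while in memory)

def grade_process(trace, threshold=15):
    """Return (score, matched_pattern_calls, verdict) for one traced process."""
    seen = set(trace.calls)
    score = sum(CALL_GRADES.get(c, 5) for c in seen)  # unknown call: mid grade, never ignored
    matched = ATTACK_PATTERN & seen
    if len(matched) >= 3:
        score += 10 * len(matched)  # step 5: the combined pattern weighs far more than its parts
    verdict = "trap" if score >= threshold else "allow"
    return score, sorted(matched), verdict

def triage(traces, threshold=15):
    """Steps 4-6: grade every tracked process; return {pid: grade} for the ones to trap."""
    graded = {t.pid: grade_process(t, threshold) for t in traces}
    return {pid: g for pid, g in graded.items() if g[2] == "trap"}

# Constructed traces: a normal host process, a backdoored one, and a legitimate backup tool
# that hashes and zips files (it must not be trapped on those two calls alone).
SAMPLE_TRACES = [
    ProcessTrace(1201, "BusinessLayerHost.exe", ["file_read", "thread_create", "sleep", "file_write"]),
    ProcessTrace(1337, "BusinessLayerHost.exe",
                 ["sleep_days", "hash_compute", "process_list_av_check", "dns_resolve",
                  "compress", "http_request", "service_stop"]),
    ProcessTrace(2002, "backup.exe", ["file_read", "compress", "file_write", "hash_compute"]),
]
```

The point of the pattern bonus is the false-positive case: the backup tool also hashes and compresses, but only the process that combines those calls with a multi-day sleep, an outbound DNS lookup and a service stop crosses the threshold.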

Maybe future OS software and hardware will be built to trap hackers and any unauthorized access.

Our Machine Learning Approach
We are presenting the following options, where our Machine Learning tools would be doing the OS monitoring:

The possible number of items which we need to track is immense, and Machine Learning would be our best option.
Secondly, scanning and trapping any suspected call or script must be done at very high speed so that it does not end up as a bottleneck.
Our Machine Learning should also be intelligent enough to know if it has been hacked or tampered with by internal or external hackers, employees or processes.

Our DevOps and Virtualization Options
The powers and options DevOps provides are the least understood and the least used. In a nutshell, DevOps is the hardware and software connections and interfaces, in terms of infrastructure (servers and networks) and software (the running software system). DevOps would also give the option to monitor both the infrastructure and the running system. DevOps would create virtual servers (as containers), virtual applications (as components), virtual connections (routers, switches, firewalls, etc.), virtual networks and virtual clusters. DevOps and virtualization can be used for creating, automation, securing, monitoring, deleting, trapping, rollback, backups, testing, evaluating performance, remote access, sandboxing, etc.

         DevOps would be used to perform monitoring, detection, prevention, remedy, rollback, recovery and Zero-Day Attack.

Our DataOps and Virtualization Options
To make life easier for DevOps, there must be an independent intelligent DataOps as a service. Virtualization would give DataOps the same power and options of what we just mentioned in the Our DevOps and Virtualization Options section.

Automation, Intelligence and Virtualization
See the following Link:

         Security Solution Architect - Adam's Blueprint for Security