Collection of affiliated topics – not dried flowers.
MALWARE POTPOURRI
Robert Vinson - IT Security Office - The University of Iowa
MALWARE – A DEFINITION
Malware = Malicious Software
Q: Why do we typically say "malware" and not "computer worm/virus/etc."?
A: Because the terms are not equivalent; one sample frequently belongs to several categories at once.
Blended threat: Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage.
TOPICS
Anti-virus evasion
Anti-debugging / virtual machine detection
Botnet designs
POLYMORPHISM VS. METAMORPHISM
"The main difference [...] is the fact that the polymorphic virus ciphers its original code to avoid pattern recognition, and the metamorphic virus changes its code to an equivalent one [...]" – wikipedia.org
METAMORPHISM
Changing the words without changing the message:
MOV EAX, 0
XOR EAX, EAX
Both instructions leave EAX = 0, but they assemble to different bytes (B8 00 00 00 00 versus 31 C0), so a byte signature written for one form does not match the other.
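As an added illustration of the two definitions above (example code written for this page, not from the original slides or any real engine): a toy register language with an interpreter, a polymorphic generator that ciphers the body behind a fixed decoder, and a metamorphic generator that rewrites the body into an equivalent program. The instruction set, the rewrite rules and the DECODER tag are assumptions of the toy, not x86 encoding.

```python
import random

# Constructed "virus body" in a toy register language (this example's own
# notation, not real x86 encoding).
BODY = [
    "MOV EAX, 0",
    "MOV EBX, 5",
    "ADD EBX, 1",
    "MOV ECX, EBX",
    "ADD EAX, ECX",
]

# Fixed decryptor stub of the polymorphic form: the part that never changes,
# and therefore the part a scanner can still sign.
DECODER = b"XORLOOP-DECODER:"


def run(program):
    """Interpret the toy language; return the final register state."""
    regs = {"EAX": 0, "EBX": 0, "ECX": 0}
    stack = []
    for line in program:
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        val = lambda a: regs[a] if a in regs else int(a)
        if op == "MOV":
            regs[args[0]] = val(args[1])
        elif op == "ADD":
            regs[args[0]] += val(args[1])
        elif op == "SUB":
            regs[args[0]] -= val(args[1])
        elif op == "XOR":
            regs[args[0]] ^= val(args[1])
        elif op == "INC":
            regs[args[0]] += 1
        elif op == "PUSH":
            stack.append(regs[args[0]])
        elif op == "POP":
            regs[args[0]] = stack.pop()
        elif op != "NOP":
            raise ValueError("unknown op " + op)
    return regs


def polymorph(body, key):
    """Polymorphism: the body is ciphered (XOR) under a per-generation key.
    Only the ciphertext changes; the decoder in front of it is constant."""
    plain = "\n".join(body).encode()
    return DECODER + bytes([key]) + bytes(b ^ key for b in plain)


def decode(sample):
    """What the decoder stub does at run time: restore the original body."""
    key = sample[len(DECODER)]
    plain = bytes(b ^ key for b in sample[len(DECODER) + 1:])
    return plain.decode().split("\n")


# Metamorphism: rewrite rules whose right-hand sides are all equivalent.
ZERO_FORMS = ["MOV {r}, 0", "XOR {r}, {r}", "SUB {r}, {r}"]
INC_FORMS = ["ADD {r}, 1", "INC {r}"]


def metamorph(body, rng):
    """Emit an equivalent program: substitute instructions and insert junk
    (a NOP or a PUSH/POP pair) that leaves the register state untouched."""
    out = []
    for line in body:
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        clears = (op == "MOV" and args[1] == "0") or (op in ("XOR", "SUB") and args[0] == args[1])
        if clears:
            out.append(rng.choice(ZERO_FORMS).format(r=args[0]))
        elif (op == "ADD" and args[1] == "1") or op == "INC":
            out.append(rng.choice(INC_FORMS).format(r=args[0]))
        else:
            out.append(line)
        if rng.random() < 0.5:
            r = rng.choice(["EAX", "EBX", "ECX"])
            out.extend(rng.choice([["NOP"], ["PUSH " + r, "POP " + r]]))
    return out


def metamorph_variants(body, n, seed=0):
    """n successive generations from one seeded generator."""
    rng = random.Random(seed)
    return [metamorph(body, rng) for _ in range(n)]
```

run() confirms that every metamorphic generation ends in the same register state as BODY while its text differs, which is the "equivalent code" half of the quote. polymorph() shows the other half and its weakness: the ciphered body never repeats, but the DECODER prefix is byte-identical in every generation, and that constant decryptor is what signature scanners target.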
VIRTUAL MACHINE DETECTION
Used to hinder analysis efforts. Many methods; the classic VMware check talks to the hypervisor's "backdoor" I/O port:
MOV EAX,564D5868    <-- "VMXh" magic value
MOV EBX,0
MOV ECX,0A          <-- backdoor command 0x0A (get version)
MOV EDX,5658        <-- "VX" port number
IN EAX,DX           <-- check for VMware
CMP EBX,564D5868    <-- VMware answers by placing the magic value in EBX
(Asm code obtained from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf)
Outside VMware the IN instruction is privileged and raises an exception instead of returning, so a sample has to wrap the check in an exception handler; analysts can in turn hide this channel from the guest, which is what the Liston/Skoudis paper is about.
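The IN-based check above only works as native code, since the instruction faults in a normal process. As an added example (not from the slides) of the other detection methods the slide alludes to, the following Python collects hypervisor artifacts that need no privileged instruction: MAC address prefixes assigned by hypervisors, the vendor string a hypervisor returns in the CPUID hypervisor leaf, the "hypervisor" CPU flag, and SMBIOS/DMI vendor strings. The prefix and vendor tables are facts about those products; the function names, the Linux collection paths and treating any single hit as "VM present" are this example's own choices.

```python
from pathlib import Path

# MAC address prefixes (OUIs) that hypervisors assign to virtual NICs.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
    "52:54:00": "QEMU/KVM",
}

# Vendor IDs returned in the CPUID hypervisor leaf (0x40000000); reading the
# leaf itself needs native code, so the value is passed in here.
HYPERVISOR_IDS = {
    "VMwareVMware": "VMware", "KVMKVMKVM": "KVM", "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen", "VBoxVBoxVBox": "VirtualBox", "TCGTCGTCGTCG": "QEMU",
}

# Substrings of SMBIOS/DMI vendor and product fields.
DMI_MARKERS = {
    "vmware": "VMware", "virtualbox": "VirtualBox", "innotek": "VirtualBox",
    "qemu": "QEMU", "xen": "Xen", "parallels": "Parallels", "virtual machine": "Hyper-V",
}


def vm_indicators(macs=(), cpuid_vendor="", hypervisor_flag=False, dmi_fields=()):
    """Return (source, evidence, product) triples; an empty list means no artifact found."""
    hits = []
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_OUIS:
            hits.append(("mac", mac, VM_OUIS[oui]))
    if cpuid_vendor in HYPERVISOR_IDS:
        hits.append(("cpuid", cpuid_vendor, HYPERVISOR_IDS[cpuid_vendor]))
    elif hypervisor_flag:
        hits.append(("cpuid", "hypervisor present bit", "unknown hypervisor"))
    for field in dmi_fields:
        low = field.lower()
        for marker, product in DMI_MARKERS.items():
            if marker in low:
                hits.append(("dmi", field, product))
                break
    return hits


def collect_linux():
    """Gather the same inputs from a Linux host; anything unreadable is left empty."""
    macs = []
    for f in Path("/sys/class/net").glob("*/address"):
        try:
            macs.append(f.read_text().strip())
        except OSError:
            pass
    dmi = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            dmi.append(Path("/sys/class/dmi/id", name).read_text().strip())
        except OSError:
            pass
    try:
        flag = " hypervisor" in Path("/proc/cpuinfo").read_text()
    except OSError:
        flag = False
    return {"macs": macs, "hypervisor_flag": flag, "dmi_fields": dmi}


def probe():
    """Run the heuristics against this host."""
    return vm_indicators(**collect_linux())
```

Every one of these artifacts is also something an analyst can change: a VM's MAC prefix, DMI strings and CPUID leaves are configurable, so the same table is a checklist for hardening an analysis VM as much as it is a detection routine for the malware author.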
PACKING
Executable compression: "[...] any means of compressing an executable file and combining the compressed data with the decompression code it needs into a single executable." - wikipedia.org
PACKING – A VISUAL
(Diagram)
Packing:   Executable --> run through packer program --> Packed Executable (packed file + unpacking algorithm)
Unpacking: Packed Executable --> run --> unpacking algorithm --> original executable restored in memory
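The packing cycle in the diagram above, as an added toy example (written for this page, not from the slides): pack() compresses the executable bytes and prepends a decompression stub, unpack() is what that stub does at load time, and signature_hits()/entropy() show what a byte-signature scanner sees on disk before and after. The STUB tag, the XOR layer, the sample PAYLOAD and the SIGNATURE string are constructed for the example.

```python
import math
import zlib
from collections import Counter

STUB = b"UNPACK-STUB-v1:"   # stands in for the decompression code the diagram shows

# Constructed stand-in for an executable: header, padding, strings, and a
# body string a scanner might have turned into a signature.
SIGNATURE = b"connect back to c2 and run"
PAYLOAD = (b"MZ" + b"\x00" * 300
           + b"This program cannot be run in DOS mode" + b"\x00" * 200
           + SIGNATURE + b"\x00" * 100)


def entropy(data):
    """Shannon entropy in bits per byte (8.0 would be indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pack(payload, key=0x5A):
    """Packer: compress the original, XOR the result, prepend stub tag and key."""
    body = zlib.compress(payload, 9)
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def unpack(packed):
    """Unpacking stub at run time: strip tag, undo XOR, decompress into memory."""
    if not packed.startswith(STUB):
        raise ValueError("not packed with this stub")
    key = packed[len(STUB)]
    return zlib.decompress(bytes(b ^ key for b in packed[len(STUB) + 1:]))


def signature_hits(data, signatures):
    """What a byte-signature scanner reports for a blob."""
    return [s for s in signatures if s in data]


def demo():
    """Run the cycle once and report what each stage looks like to a scanner."""
    packed = pack(PAYLOAD)
    return {
        "roundtrip_ok": unpack(packed) == PAYLOAD,
        "hits_on_original": signature_hits(PAYLOAD, [SIGNATURE]),
        "hits_on_packed": signature_hits(packed, [SIGNATURE]),
        "hits_after_unpack": signature_hits(unpack(packed), [SIGNATURE]),
        "entropy_original": round(entropy(PAYLOAD), 2),
        "entropy_packed": round(entropy(packed), 2),
        "bytes_original": len(PAYLOAD),
        "bytes_packed": len(packed),
    }
```

The scanner's counter-moves follow from the same picture: sign the packer's stub instead of the body (STUB here is itself a perfect signature), treat the unusually high entropy of the packed region as suspicious, or emulate the program far enough that the unpacking stub has run and then scan memory, which is where the original reappears.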
Scan results (definitions dated up to 2008.02.04); "–" means the engine reported nothing:

AV Product          Version          Definitions   Results
AhnLab-V3           2008.2.4.10      2008.02.04    –
AntiVir             7.6.0.62         2008.02.04    –
Authentium          4.93.8           2008.02.04    –
Avast               4.7.1098.0       2008.02.03    –
AVG                 7.5.0.516        2008.02.04    –
BitDefender         7.2              2008.02.04    –
CAT-QuickHeal       9                2008.02.04    –
ClamAV              0.92             2008.02.04    –
DrWeb               4.44.0.09170     2008.02.04    –
eSafe               7.0.15.0         2008.01.28    suspicious Trojan/Worm
eTrust-Vet          31.3.5509        2008.02.04    –
Ewido               4                2008.02.04    –
FileAdvisor         1                2008.02.04    –
Fortinet            3.14.0.0         2008.02.04    –
F-Prot              4.4.2.54         2008.02.03    W32/Downloader.F.gen!Eldorado
F-Secure            6.70.13260.0     2008.02.04    –
Ikarus              T3.1.1.20        2008.02.04    –
Kaspersky           7.0.0.125        2008.02.04    –
McAfee              5222             2008.02.04    –
Microsoft           1.3204           2008.02.04    –
NOD32v2             2847             2008.02.04    –
Norman              5.80.02          2008.02.01    –
Panda               9.0.0.4          2008.02.04    –
Prevx1              V2               2008.02.04    –
Rising              20.29.22.00      2008.01.30    –
Sophos              4.26.0           2008.02.04    Sus/Dropper-A
Sunbelt             2.2.907.0        2008.02.02    –
Symantec            10               2008.02.04    –
TheHacker           6.2.9.208        2008.02.04    –
VBA32               3.12.6.0         2008.02.03    –
VirusBuster         4.3.26:9         2008.02.04    –
Webwasher-Gateway   6.6.2            2008.02.04    –

3 of the 32 engines flag the sample (two of them only generically, as "suspicious" or a generic dropper); the other 29 report nothing.
TRADITIONAL BOTNET DESIGN
(Diagram)
TRADITIONAL BOT
IRC command and control: the bot reports captured keystrokes and window titles to its channel as ordinary PRIVMSG lines:
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..
PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..
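The capture above is what a keylogging IRC bot looks like on the wire. As an added example (not from the slides), the following parser and detector runs over a constructed sample modelled on those lines (the channel name, the window titles and the extra benign messages are illustrative), flags channels that receive [KEYLOG] traffic, and reassembles the typed text per window the way an incident responder would when scoping what was exposed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the slide's capture: the bot's own lines
# carry no prefix; the last two lines are ordinary IRC traffic for contrast.
SAMPLE = """\
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..
PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..
:alice!a@host PRIVMSG #help :has anyone seen the build break today?
PING :irc.example.net
"""

IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+) (?P<target>\S+) :(?P<text>.*)$")
KEYLOG_RE = re.compile(r"^\[KEYLOG\]: (?P<payload>.*?)\.*$")
WINDOW_RE = re.compile(r"^\(Changed Windows: (?P<title>.*)\)$")
KEYS_RE = re.compile(r"^(?P<keys>.*?) \((?P<special>Return|Tab|Backspace)\) \((?P<title>.*)\)$")


def parse_irc(line):
    """Split one IRC line into prefix/command/target/text (None if it has no text part)."""
    m = IRC_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(raw):
    """Flag channels receiving keylogger output and reassemble what was typed per window."""
    keylog_channels = Counter()
    windows = []
    typed = defaultdict(str)
    for line in raw.splitlines():
        msg = parse_irc(line)
        if not msg or msg["cmd"] != "PRIVMSG":
            continue
        k = KEYLOG_RE.match(msg["text"])
        if not k:
            continue
        keylog_channels[msg["target"]] += 1
        payload = k["payload"]
        w = WINDOW_RE.match(payload)
        if w:                       # focus change: remember which window was active
            windows.append(w["title"])
            continue
        e = KEYS_RE.match(payload)  # keystrokes plus a special key, attributed to a window
        if e:
            typed[e["title"]] += e["keys"] + ("\n" if e["special"] == "Return" else "")
        else:
            typed["(unattributed)"] += payload
    return {"keylog_channels": dict(keylog_channels), "windows": windows, "typed": dict(typed)}
```

Two things make this design easy to spot: the control channel is plain text, so the [KEYLOG] tag and the channel name are network signatures, and every bot talks to one IRC server, so blocking or sinkholing that server silences the whole botnet. The last window title in the sample also shows the bot watching the victim's AV pop an alert.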
P2P BOTNETS
Harder to shut down: there is no single command server to seize or block.
Potentially easier to enumerate all compromised hosts: every peer has to hand out its peer list to stay in the overlay, so a crawler can walk it.
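Both bullets above, as an added simulation (written for this page, not from the slides): build_overlay() constructs a small peer-to-peer overlay, crawl() is the defender's enumeration, and takedown() removes a share of the bots and measures what the survivors can still reach. The overlay shape (a successor pointer plus random peers), the node counts and the removal fraction are this example's assumptions and do not model Overnet specifically.

```python
import random
from collections import deque


def build_overlay(n, extra_peers=4, seed=0):
    """Constructed overlay: every node knows its successor (i+1), as a DHT
    successor pointer would guarantee, plus a few random peers."""
    rng = random.Random(seed)
    overlay = {}
    for i in range(n):
        peers = {(i + 1) % n}
        peers.update(rng.randrange(n) for _ in range(extra_peers))
        peers.discard(i)
        overlay[i] = peers
    return overlay


def crawl(overlay, start, dead=frozenset()):
    """Defender's crawler: a bot that wants to stay in the overlay must answer
    'who are your peers?', so a breadth-first walk from one seed enumerates
    every live bot reachable from it."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for peer in overlay[node]:
            if peer not in seen and peer not in dead:
                seen.add(peer)
                queue.append(peer)
    return seen


def takedown(overlay, fraction, seed=0):
    """Remove a fraction of bots (seized or cleaned) and report the largest
    share of the survivors that any single surviving seed can still reach:
    losing nodes does not disconnect the rest, which is what makes the
    design hard to shut down."""
    rng = random.Random(seed)
    dead = frozenset(rng.sample(sorted(overlay), int(len(overlay) * fraction)))
    alive = [n for n in overlay if n not in dead]
    return max(len(crawl(overlay, s, dead)) for s in alive) / len(alive)
```

crawl() from any one seed returns the whole overlay, which is the enumeration advantage; takedown() with a fifth of the nodes removed still reaches the large majority of survivors, which is the shutdown disadvantage. Real P2P botnets fight the crawler by rate-limiting or poisoning peer-list replies, and defenders fight back by injecting sinkhole peers into those lists.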
P2P DESIGN
(Diagram)
STORM WORM
P2P architecture
Utilizes the Overnet protocol
Updates the malware executable at least every half hour
Now utilizing encryption
Pretty much spreads via email
Credited with some nasty DoS attacks
FAST-FLUX DESIGN
(Diagram obtained from http://www.honeynet.org/papers/ff/fast-flux.html)
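Fast-flux as the Honeynet paper linked above describes it: a hostname whose A records point at a rotating set of compromised proxy hosts, served with short TTLs so resolvers keep fetching a fresh set. As an added example (not from the slides or the paper's own code), the following scores a series of DNS answers for those traits; the sample lookups, the /16 prefix used as a cheap stand-in for the paper's "different ASNs" check, and the thresholds are this example's assumptions.

```python
from collections import namedtuple
from ipaddress import ip_network

Answer = namedtuple("Answer", "t ttl ips")   # one DNS response: time, TTL, A records

# Constructed lookups, five minutes apart. FLUX returns a fresh set of
# addresses from unrelated networks every time; CDN returns the same two
# addresses from one network. All addresses are reserved test ranges.
FLUX = [
    Answer(0,   180, ["203.0.113.5", "198.51.100.77", "192.0.2.140", "203.0.113.200", "198.18.4.9"]),
    Answer(300, 180, ["198.51.100.12", "192.0.2.33", "203.0.113.88", "198.18.77.1", "192.0.2.250"]),
    Answer(600, 180, ["203.0.113.19", "198.18.200.3", "192.0.2.7", "198.51.100.140", "203.0.113.251"]),
]
CDN = [
    Answer(0,   300, ["192.0.2.10", "192.0.2.11"]),
    Answer(300, 300, ["192.0.2.11", "192.0.2.10"]),
    Answer(600, 300, ["192.0.2.10", "192.0.2.11"]),
]


def flux_stats(answers):
    """Summarise a series of answers for one hostname."""
    seen, nets, new_per_query = set(), set(), []
    for a in answers:
        new_per_query.append(sum(1 for ip in a.ips if ip not in seen))
        seen.update(a.ips)
        # /16 as a cheap stand-in for "spread across different networks / ASNs"
        nets.update(ip_network(ip + "/16", strict=False) for ip in a.ips)
    follow_ups = new_per_query[1:]      # the first answer is new by definition
    return {
        "distinct_ips": len(seen),
        "distinct_nets": len(nets),
        "min_ttl": min(a.ttl for a in answers),
        "avg_new_per_query": sum(follow_ups) / len(follow_ups) if follow_ups else 0.0,
    }


def is_fast_flux(answers, ttl_max=600, min_ips=5, min_nets=3, min_new=1.0):
    """Heuristic verdict: short TTL, many addresses, spread across networks, and still changing."""
    s = flux_stats(answers)
    return (s["min_ttl"] <= ttl_max and s["distinct_ips"] >= min_ips
            and s["distinct_nets"] >= min_nets and s["avg_new_per_query"] >= min_new)
```

The CDN case is why a short TTL alone is not enough: content networks also use low TTLs, but they hand out a stable set of addresses from their own networks, whereas a flux hostname keeps producing addresses it has never returned before, scattered across consumer networks. The paper's double-flux variant rotates the NS records in the same way, so the same statistics can be run on the nameserver answers.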
RESOURCES
http://en.wikipedia.org/wiki/Executable_compression
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
http://en.wikipedia.org/wiki/Metamorphic_code
http://www.honeynet.org/papers/ff/fast-flux.html