MALWARE POTPOURRI
Collection of affiliated topics – not dried flowers.
Robert Vinson - IT Security Office - The University of Iowa

MALWARE – A DEFINITION
Malware = Malicious Software
Q: Why do we typically say “malware” and not “computer worm/virus/etc.”? A: Because they are NOT EQUIVALENT.
Blended threat: “Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage.”
TOPICS
´ Anti-virus Evasion
´ Anti-debugging/Virtual Machine Detection
´ Botnet designs
POLYMORPHISM VS. METAMORPHISM
“The main difference […] is the fact that the Polymorphic virus ciphers its original code to avoid pattern recognition, and the Metamorphic virus changes its code to an equivalent one […]” –wikipedia.org
METAMORPHISM
Changing the words without changing the message
´ MOV EAX, 0
´ XOR EAX, EAX
VIRTUAL MACHINE DETECTION
´ Used to hinder analysis efforts
´ Many methods
    MOV EAX, 564D5868    <-- "VMXh"
    MOV EBX, 0
    MOV ECX, 0A
    MOV EDX, 5658        <-- "VX"
    IN  EAX, DX          <-- Check for VMWare
    CMP EBX, 564D5868
(Asm code obtained from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf)
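An added example, not from the slides or from the Liston/Skoudis paper: a small Python scanner that looks for the byte encoding of the "VMXh"/"VX" port check above inside a file, so an analyst can flag a sample that tests for VMware before it is run in a sandbox. It assumes the standard 32-bit x86 encodings of the slide's instructions (B8/BA imm32, ED), and the input bytes are constructed here to mirror the slide's sequence plus a decoy.

```python
import re
import struct

# Constants from the VMware I/O-port check on the slide: EAX = "VMXh", DX = "VX".
VMWARE_MAGIC = 0x564D5868
VMWARE_PORT = 0x5658

# Assumed standard 32-bit x86 encodings of the slide's instructions:
#   B8 imm32 = MOV EAX, imm32   BA imm32 = MOV EDX, imm32   ED = IN EAX, DX
MOV_EAX_MAGIC = b"\xb8" + struct.pack("<I", VMWARE_MAGIC)
MOV_EDX_PORT = b"\xba" + struct.pack("<I", VMWARE_PORT)
IN_EAX_DX = b"\xed"


def find_vmware_backdoor_checks(blob, window=64):
    """Return one record per MOV EAX,"VMXh" found in blob. A hit is rated
    "high" only if MOV EDX,"VX" and then IN EAX,DX follow within `window`
    bytes; a lone magic constant (data, or just the CMP) is rated "low"."""
    hits = []
    for m in re.finditer(re.escape(MOV_EAX_MAGIC), blob):
        region = blob[m.start():m.start() + window]
        port_at = region.find(MOV_EDX_PORT)
        has_in = port_at >= 0 and IN_EAX_DX in region[port_at + len(MOV_EDX_PORT):]
        hits.append({
            "offset": m.start(),
            "port_load": port_at >= 0,
            "in_instr": has_in,
            "confidence": "high" if has_in else "low",
        })
    return hits


def build_sample():
    """Constructed test input: NOP sled, the slide's exact sequence, padding,
    then a decoy MOV EAX,"VMXh" with no port I/O behind it."""
    slide_sequence = (
        MOV_EAX_MAGIC                                     # MOV EAX, 564D5868
        + b"\xbb\x00\x00\x00\x00"                         # MOV EBX, 0
        + b"\xb9\x0a\x00\x00\x00"                         # MOV ECX, 0A
        + MOV_EDX_PORT                                    # MOV EDX, 5658
        + IN_EAX_DX                                       # IN EAX, DX
        + b"\x81\xfb" + struct.pack("<I", VMWARE_MAGIC)   # CMP EBX, 564D5868
    )
    return b"\x90" * 8 + slide_sequence + b"\x00" * 16 + MOV_EAX_MAGIC + b"\xc3"


if __name__ == "__main__":
    for hit in find_vmware_backdoor_checks(build_sample()):
        print(hit)
```

Run it against a real sample by passing the file's bytes to find_vmware_backdoor_checks; a "high" hit is worth a closer look before trusting sandbox results from VMware-hosted analysis.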
PACKING
Executable compression: “[…] any means of compressing an executable file and combining the compressed data with the decompression code it needs into a single executable.” - wikipedia.org
PACKING – A VISUAL
[Diagram: Executable --(run through packer program)--> Packed File (packed executable + unpacking algorithm) --(unpacking algorithm)--> Unpacked File (executable restored to original in memory)]
AV Product          Version         Definitions   Results
AhnLab-V3           2008.2.4.10     2008.02.04    –
AntiVir             7.6.0.62        2008.02.04    –
Authentium          4.93.8          2008.02.04    –
Avast               4.7.1098.0      2008.02.03    –
AVG                 7.5.0.516       2008.02.04    –
BitDefender         7.2             2008.02.04    –
CAT-QuickHeal       9               2008.02.04    –
ClamAV              0.92            2008.02.04    –
DrWeb               4.44.0.09170    2008.02.04    –
eSafe               7.0.15.0        2008.01.28    suspicious Trojan/Worm
eTrust-Vet          31.3.5509       2008.02.04    –
Ewido               4               2008.02.04    –
FileAdvisor         1               2008.02.04    –
Fortinet            3.14.0.0        2008.02.04    –
F-Prot              4.4.2.54        2008.02.03    W32/Downloader.F.gen!Eldorado
F-Secure            6.70.13260.0    2008.02.04    –
Ikarus              T3.1.1.20       2008.02.04    –
Kaspersky           7.0.0.125       2008.02.04    –
McAfee              5222            2008.02.04    –
Microsoft           1.3204          2008.02.04    –
NOD32v2             2847            2008.02.04    –
Norman              5.80.02         2008.02.01    –
Panda               9.0.0.4         2008.02.04    –
Prevx1              V2              2008.02.04    –
Rising              20.29.22.00     2008.01.30    –
Sophos              4.26.0          2008.02.04    Sus/Dropper-A
Sunbelt             2.2.907.0       2008.02.02    –
Symantec            10              2008.02.04    –
TheHacker           6.2.9.208       2008.02.04    –
VBA32               3.12.6.0        2008.02.03    –
VirusBuster         4.3.26:9        2008.02.04    –
Webwasher-Gateway   6.6.2           2008.02.04    –
TRADITIONAL BOTNET DESIGN
TRADITIONAL BOT
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..
PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..
P2P BOTNETS
´ Harder to shut down
´ Potentially easier to enumerate all compromised hosts
P2P DESIGN
STORM WORM
´ p2p architecture
´ Utilizes the Overnet protocol
´ Updates the malware executable at least every half hour
´ Now utilizing encryption
´ Pretty much spreads via email
´ Credited with some nasty DoS attacks
FAST-FLUX DESIGN
Obtained from http://www.honeynet.org/papers/ff/fast-flux.html
RESOURCES
´ http://en.wikipedia.org/wiki/Executable_compression
´ http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
´ http://en.wikipedia.org/wiki/Metamorphic_code
´ http://www.honeynet.org/papers/ff/fast-flux.html