POTPOURRI

Collection of affiliated topics – not dried flowers.

Robert Vinson - IT Security Office - The University of Iowa

MALWARE – A DEFINITION

Malware = Malicious software

Q: Why do we typically say “malware” and not “virus”, etc.? A: Because they are NOT EQUIVALENT

Blended threat: « Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. »

TOPICS

´ Anti-virus Evasion
´ Anti-debugging/Virtual Machine Detection
´ Botnet designs

POLYMORPHISM VS. METAMORPHISM

“The main difference […] is the fact that the Polymorphic virus ciphers its original code to avoid pattern recognition, and the Metamorphic virus changes its code to an equivalent one […]” –wikipedia.org

METAMORPHISM

Changing the words without changing the message

´ MOV EAX, 0
´ XOR EAX, EAX

VIRTUAL MACHINE DETECTION

´ Used to hinder analysis efforts
´ Many methods

    MOV EAX, 564D5868   <-- "VMXh" (magic value)
    MOV EBX, 0
    MOV ECX, 0A         <-- backdoor command 0x0A, "get version"
    MOV EDX, 5658       <-- "VX" (backdoor I/O port)
    IN EAX, DX          <-- Check for VMWare
    CMP EBX, 564D5868   <-- under VMWare, EBX comes back as "VMXh"

(Asm code obtained from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf)

PACKING

Executable compression: “[…] any means of compressing an executable file and combining the compressed data with the decompression code it needs into a single executable.” - wikipedia.org

PACKING – A VISUAL

Packed File: Executable -> Run Through Packer Program -> Packed Executable

Unpacked File: Packed Executable -> Unpacking algorithm -> Executable Restored To Original In Memory
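As an added example (not from the slides), a toy packer in Python that walks the two steps of the visual: pack() compresses the executable bytes, unpack() is the stub that restores them in memory. It also shows the defender's side: a byte signature that hits the unpacked program finds nothing in the packed copy on disk, while a byte-entropy check flags the packed copy. The marker, the sample payload and the 7.0 threshold are constructed for this example.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

MAGIC = b"PKDEMO"  # constructed marker for this toy format, not a real packer's

def pack(payload: bytes) -> bytes:
    """Toy packer: marker + original size + compressed body. A real packer
    prepends an unpacking stub that runs at load time; unpack() plays the stub."""
    return MAGIC + len(payload).to_bytes(4, "little") + zlib.compress(payload, 9)

def unpack(packed: bytes) -> bytes:
    """The 'stub': rebuild the original bytes in memory at run time."""
    if not packed.startswith(MAGIC):
        raise ValueError("not a packed blob")
    body = len(MAGIC) + 4
    size = int.from_bytes(packed[len(MAGIC):body], "little")
    data = zlib.decompress(packed[body:])
    if len(data) != size:
        raise ValueError("size mismatch, blob is corrupt")
    return data

def signature_hits(data: bytes, signature: bytes) -> bool:
    """What a pattern-based scanner does: look for a fixed byte string."""
    return signature in data

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: a compressed or encrypted body has almost no
    repeated byte values, so it scores far above ordinary code or text."""
    return shannon_entropy(data) >= threshold

# Constructed stand-in for a bot executable: repetitive code-like text, the IRC
# keylog string from the 'traditional bot' slide, a seeded pseudo-random blob
# (so the packed output is not tiny) and a zero-filled data area.
SIGNATURE = b"PRIVMSG #gun5 :[KEYLOG]:"
PAYLOAD = (b"This is a constructed sample program. " * 100 + SIGNATURE
           + random.Random(7).randbytes(1500) + b"\x00" * 2048)

if __name__ == "__main__":
    for name, blob in (("unpacked", PAYLOAD), ("packed", pack(PAYLOAD))):
        print(name, len(blob), round(shannon_entropy(blob), 2),
              signature_hits(blob, SIGNATURE), looks_packed(blob))
```

Real packers differ in the stub and the algorithm, but the property the scanner has to deal with is the same: the recognisable bytes exist only after the stub has run.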

Product            Version        Definitions   Results
AhnLab-V3          2008.2.4.10    2008.02.04    –
AntiVir            7.6.0.62       2008.02.04    –
Authentium         4.93.8         2008.02.04    –
Avast              4.7.1098.0     2008.02.03    –
AVG                7.5.0.516      2008.02.04    –
BitDefender        7.2            2008.02.04    –
CAT-QuickHeal      9              2008.02.04    –
ClamAV             0.92           2008.02.04    –
DrWeb              4.44.0.09170   2008.02.04    –
eSafe              7.0.15.0       2008.01.28    suspicious Trojan/Worm
eTrust-Vet         31.3.5509      2008.02.04    –
Ewido              4              2008.02.04    –
FileAdvisor        1              2008.02.04    –
Fortinet           3.14.0.0       2008.02.04    –
F-Prot             4.4.2.54       2008.02.03    W32/Downloader.F.gen!Eldorado
F-Secure           6.70.13260.0   2008.02.04    –
Ikarus             T3.1.1.20      2008.02.04    –
Kaspersky          7.0.0.125      2008.02.04    –
McAfee             5222           2008.02.04    –
(name not legible) 1.3204         2008.02.04    –
NOD32v2            2847           2008.02.04    –
Norman             5.80.02        2008.02.01    –
Panda              9.0.0.4        2008.02.04    –
Prevx1             V2             2008.02.04    –
Rising             20.29.22.00    2008.01.30    –
(name not legible) 4.26.0         2008.02.04    Sus/Dropper-A
Sunbelt            2.2.907.0      2008.02.02    –
Symantec           10             2008.02.04    –
TheHacker          6.2.9.208      2008.02.04    –
VBA32              3.12.6.0       2008.02.03    –
VirusBuster        4.3.26:9       2008.02.04    –
Webwasher-Gateway  6.6.2          2008.02.04    –

TRADITIONAL DESIGN

TRADITIONAL BOT

PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..
PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..

P2P

´ Harder to shut down
´ Potentially easier to enumerate all compromised hosts

P2P DESIGN

STORM WORM

´ p2p architecture
´ Utilizes the Overnet protocol
´ Updates the malware executable at least every half hour
´ Now utilizing
´ Pretty much spreads via
´ Credited with some nasty DoS attacks

FAST-FLUX DESIGN

Obtained from http://www.honeynet.org/papers/ff/fast-flux.html

RESOURCES

´ http://en.wikipedia.org/wiki/Executable_compression
´ http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
´ http://en.wikipedia.org/wiki/Metamorphic_code
´ http://www.honeynet.org/papers/ff/fast-flux.html
