DOCSLIB.ORG

Generic Binary Unpacking with Orders-Of-Magnitude Performance Boost

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Generic Binary Unpacking with Orders-Of-Magnitude Performance Boost Session 3A: Binary Analysis CCS’18, October 15-19, 2018, Toronto, ON, Canada Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost Binlin Cheng∗‡ Jiang Ming∗† Jianming Fu†‡ Wuhan University & Hubei Normal University of Texas at Arlington Wuhan University University Arlington, TX 76019, USA Wuhan, Hubei 430072, China Wuhan, Hubei 430072, China [email protected] [email protected] [email protected] Guojun Peng‡ Ting Chen Xiaosong Zhang Wuhan University University of Electronic Science and University of Electronic Science and Wuhan, Hubei 430072, China Technology of China Technology of China [email protected] Chengdu, Sichuan 611731, China Chengdu, Sichuan 611731, China [email protected] [email protected] Jean-Yves Marion Université de Lorraine, CNRS, LORIA F-54000 Nancy, France [email protected] ABSTRACT dynamic loader, will reconstruct IAT before original code resumes Binary packing, encoding binary code prior to execution and deco- execution. During a packed malware execution, if an API is invo- ding them at run time, is the most common obfuscation adopted ked through looking up a rebuilt IAT, it indicates that the original by malware authors to camouflage malicious code. Especially, most payload has been restored. This insight motivates us to design an packers recover the original code by going through a set of “written- efficient unpacking approach, called BinUnpack. Compared to the then-executed” layers, which renders determining the end of the previous methods that suffer from multiple “written-then-executed” unpacking increasingly difficult. Many generic binary unpacking unpacking layers, BinUnpack is free from tedious memory access approaches have been proposed to extract packed binaries without monitoring, and therefore it introduces very small runtime over- the prior knowledge of packers. However, the high runtime over- head. To defeat a variety of ever-evolving evasion tricks, we design head and lack of anti-analysis resistance have severely limited their BinUnpack’s API monitor module via a novel kernel-level DLL hi- adoptions. Over the past two decades, packed malware is always a jacking technique. We have evaluated BinUnpack’s efficacy extensi- veritable challenge to anti-malware landscape. vely with more than 238K packed malware and multiple Windows This paper revisits the long-standing binary unpacking problem utilities. BinUnpack’s success rate is significantly better than that of from a new angle: packers consistently obfuscate the standard use existing tools with several orders of magnitude performance boost. of API calls. Our in-depth study on an enormous variety of Win- Our study demonstrates that BinUnpack can be applied to speeding dows malware packers at present leads to a common property: up large-scale malware analysis. malware’s Import Address Table (IAT), which acts as a lookup table for dynamically linked API calls, is typically erased by packers for CCS CONCEPTS further obfuscation; and then unpacking routine, like a custom • Security and privacy → Software reverse engineering; ∗Both authors contributed equally to the paper. †Corresponding authors: [email protected] and [email protected]. ‡(1) Key Laboratory of Aerospace Information Security and Trust Computing; KEYWORDS (2) School of Cyber Science and Engineering, Wuhan University Windows Malware Analysis, Generic Binary Unpacking, Import Address Table, Kernel-level DLL Hijacking Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation ACM Reference Format: on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, Binlin Cheng, Jiang Ming, Jianming Fu, Guojun Peng, Ting Chen, Xiaosong to post on servers or to redistribute to lists, requires prior specific permission and/or a Zhang, and Jean-Yves Marion. 2018. Towards Paving the Way for Large-Scale fee. Request permissions from [email protected]. Windows Malware Analysis: Generic Binary Unpacking with Orders-of- CCS ’18, October 15–19, 2018, Toronto, ON, Canada Magnitude Performance Boost. In CCS ’18: 2018 ACM SIGSAC Conference on © 2018 Association for Computing Machinery. Computer & Communications Security Oct. 15–19, 2018, Toronto, ON, Canada. ACM ISBN 978-1-4503-5693-0/18/10...$15.00 https://doi.org/10.1145/3243734.3243771 ACM, New York, NY, USA, 17 pages. https://doi.org/10.1145/3243734.3243771 395 Session 3A: Binary Analysis CCS’18, October 15-19, 2018, Toronto, ON, Canada 1 INTRODUCTION a well-known commercial packer, even applies virtualization obfus- Malicious software (malware) has become a significant threat to cy- cation to its unpacking routine [85, 102], which will result in 630X bersecurity. Big malware attacks such as ransomware ripple across instruction size explosion when tracing unpacking progress [63]. the world and cause catastrophic damage [6, 66]. Driven by the rich Worse still, malware authors can customize new packers from exis- 2 profit, cyber-criminals are highly motivated to undermine malware ting ones, as many packers are open source (e.g., UPX and Yoda’s 3 detection/analysis by applying numerous obfuscation schemes [94]. Protector ). The lack of anti-analysis resistance renders existing Among them, binary packing is believed to be a panacea to thwart generic unpacking futile for sophisticated packers. Security com- the widely used anti-virus scanning [11, 50, 65, 70]. Binary packers panies have been overwhelmed by packed malware over the past first encode malware code through encryption or compression and two decades, which slows down the response to emerging malware attach an unpacking routine to the packed malware. In addition, threats [15, 64, 73]. An online packing service even utilizes existing packers also erase the Portable Executable (PE) file’s import address packers and anti-malware scanners as a feedback mechanism, and table (IAT) to complicate the analysis of API calls. When a packed it returns the packer that presents the optimal evasion result [69]. malware starts running, the unpacking routine first decodes the In this paper, we present a new generic unpacking idea by stu- payload binary to memory pages and reconstructs its IAT. After dying how packers obfuscate payload binary’s API call resolution. that, the execution flow will jump to the original entry point (OEP) Our approach, named BinUnpack, is motivated by two key observa- to resume malware payload execution. In this way, the actual mali- tions. The first one is, no matter how sophisticated a packer may cious code and data stays unrecognizable until run time, making it evolve, malware payload always interacts with Windows OS to immune to malware analysis techniques that measure static featu- perform malicious behavior (e.g., code remote injection and ran- res. For example, applying machine learning to large-scale packed somware’s file encryption). Malware authors achieve this mainly 4 malware will lead to the detection of packers rather than malicious by calling user-level Windows APIs rather than native APIs , since behavior [100]. An embarrassing fact is many anti-virus scanners, most API semantic information is missing at the native level. Typi- which are widely deployed at the end host, take a particular pac- cally, binary code resolves a Windows API’s address by visiting PE ker’s signature as the identification of malware [93, 104]. A study header’s IAT, which is an address lookup table when calling APIs in 2013 shows that nearly 70% of packed Windows system files are exported by a dynamic-link library (DLL). As the Windows APIs in falsely labeled as malware [67]. payload reveal rich semantics about malware and hence can provide Binary packing technique has evolved from the simple, single- security analysts with an upper hand, our second observation is a layer packer to the complicated, multi-layer packer with a variety packer usually removes the payload’s import address table (IAT) of anti-analysis tricks [97]. When a packed binary starts running, to impede reverse engineering. Afterwards, the unpacking routine the original code is written in memory pages sometime and then will obtain each API’s address and rebuild the IAT at run time. In get executed. Besides, this “written-then-executed” procedure can this way, the restored payload can invoke Windows APIs properly. iterate many times, i.e., the dynamically generated code itself may These observations inspire us to chase down a new heuristic to continue generating new code and executing it. Each iteration of determine the end of unpacking: if an API call is invoked through dynamically generated code is called a layer [97] or wave [14]. The looking up a rebuilt IAT, it indicates that the original code has been 5 previous generic unpacking tools have fully utilized this feature restored, and the control flow has reached OEP already . We call by tracking the “written-then-executed” instructions [3, 9, 36, 55, this property as “rebuilt-then-called”. The key idea of BinUnpack is 77, 81] or memory pages [28, 31, 49, 56]. However, no silver bullet to capture such a “rebuilt-then-called” feature instead of “written- can sharply determine the end of multi-layer unpacking because it then-executed” behavior. To this end, BinUnpack hooks API calls has been proven to be an undecidable problem [83] 1. The existing and finds the first one whose related IAT is rebuilt at run time. Then, approaches have to continuously monitor all possible “written- tracing back from that API, BinUnpack is able to locate OEP within then-executed” layers and detect the existence of original code a very short distance. Compared to the existing work, BinUnpack in a certain layer with several heuristics [28, 35, 37, 55].
Load more

Recommended publications
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics
    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
    [Show full text]
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Classification of Malware Persistence Mechanisms Using Low-Artifact Disk
    CLASSIFICATION OF MALWARE PERSISTENCE MECHANISMS USING LOW-ARTIFACT DISK INSTRUMENTATION A Dissertation Presented by Jennifer Mankin to The Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical and Computer Engineering in the field of Computer Engineering Northeastern University Boston, Massachusetts September 2013 Abstract The proliferation of malware in recent years has motivated the need for tools to an- alyze, classify, and understand intrusions. Current research in analyzing malware focuses either on labeling malware by its maliciousness (e.g., malicious or benign) or classifying it by the variant it belongs to. We argue that, in addition to provid- ing coarse family labels, it is useful to label malware by the capabilities they em- ploy. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employ in order to evade analysis and detection. In this thesis, we present Dione, a flexible rule-based disk I/O monitoring and analysis infrastructure. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and re- constructing high-level file system and registry changes as they occur. We evaluate the accuracy and performance of Dione, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty less than 2% in many cases. ii Given the trustworthy behavioral traces obtained by Dione, we convert file system- level events to high-level capabilities.
    [Show full text]
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust
    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
    [Show full text]
  • BEGIN README.TXT-- PC Media Antivirus (PCMAV)
    --BEGIN README.TXT-- PC Media Antivirus (PCMAV) 9.9.1 Copyright (c) 2006-2014 Majalah PC Media Pinpoint Publications Group ************************************************************************ MEMANFAATKAN/MENGGUNAKAN PCMAV BERARTI ANDA MENGERTI DAN SETUJU DENGAN SELURUH KETENTUAN YANG ADA DI BAGIAN "KETENTUAN PENGGUNAAN (END-USER LICENSE)" YANG TERDAPAT PADA FILE README.TXT INI. PCMAV INI DIBUAT KHUSUS DAN DIPERSEMBAHKAN BAGI "PEMBACA SETIA" PC MEDIA DAN YANG KAMI CINTAI. MAKA DARI ITU, JIKA ANDA ADALAH PENGGUNA PEMULA DAN ATAU MERASA KESULITAN MEMAHAMI ISI README.TXT INI, BAIK SEBAGIAN MAUPUN SECARA KESELURUHAN, MAKA KAMI SANGAT MENYARANKAN ANDA UNTUK BERKONSULTASI TERLEBIH DULU DENGAN REKAN ANDA YANG LEBIH BERPENGALAMAN DALAM BERKOMPUTER. ATAU DEMI KENYAMANAN ANDA, MAKA KAMI SARANKAN UNTUK TIDAK MENGGUNAKAN PCMAV SAMA SEKALI. ************************************************************************ ------------------------------ ANTIVIRUS KEBANGGAAN INDONESIA ------------------------------ Tidak ada antivirus lain yang mampu mengatasi secara tuntas virus komputer, baik lokal maupun asing, yang banyak menyebar di Indonesia sebaik dan seaman PCMAV. Umumnya antivirus yang ada hanya mampu mengenali dan menghapus file yang dideteksi bervirus. PCMAV menyempurnakannya dengan tingkat akurasi pendeteksian yang lebih tinggi, sehingga lebih handal dalam mengembalikan file, dokumen dan sistem yang menjadi sasaran serangan virus hingga pulih 100%. Dengan PCMAV, Anda akan mendapatkan antivirus yang bukan hanya sekadar mendeteksi namun daya basminya
    [Show full text]
  • Download Slides
    Scott Wu Point in time cleaning vs. RTP MSRT vs. Microsoft Security Essentials Threat events & impacts More on MSRT / Security Essentials MSRT Microsoft Windows Malicious Software Removal Tool Deployed to Windows Update, etc. monthly since 2005 On-demand scan on prevalent malware Microsoft Security Essentials Full AV RTP Inception in Oct 2009 RTP is the solution One-off cleaner has its role Quiikck response Workaround Baseline ecosystem cleaning Industrypy response & collaboration Threat Events Worms (some are bots) have longer lifespans Rogues move on quicker MarMar 2010 2010 Apr Apr 2010 2010 May May 2010 2010 Jun Jun 2010 2010 Jul Jul 2010 2010 Aug Aug 2010 2010 1,237,15 FrethogFrethog 979,427 979,427 Frethog Frethog 880,246880,246 Frethog Frethog465,351 TaterfTaterf 5 1,237,155Taterf Taterf 797,935797,935 TaterfTaterf 451,561451,561 TaterfTaterf 497,582 497,582 Taterf Taterf 393,729393,729 Taterf Taterf447,849 FrethogFrethog 535,627535,627 AlureonAlureon 493,150 493,150 AlureonAlureon 436,566 436,566 RimecudRimecud 371,646 371,646 Alureon Alureon 308,673308,673 Alureon Alureon 441,722 RimecudRimecud 341,778341,778 FrethogFrethog 473,996473,996 BubnixBubnix 348,120 348,120 HamweqHamweq 289,603 289,603 Rimecud Rimecud289,629 289,629 Rimecud Rimecud318,041 AlureonAlureon 292,810 292,810 BubnixBubnix 471,243 471,243 RimecudRimecud 287,942287,942 ConfickerConficker 286,091286, 091 Hamwe Hamweqq 250,286250, 286 Conficker Conficker220,475220, 475 ConfickerConficker 237237,348, 348 RimecudRimecud 280280,440, 440 VobfusVobfus 251251,335, 335
    [Show full text]
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems
    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS CHO CHO SAN UNIVERSITY OF COMPUTER STUDIES, YANGON OCTOBER, 2019 Effective Malicious Features Extraction and Classification for Incident Handling Systems Cho Cho San University of Computer Studies, Yangon A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy October, 2019 Statement of Originality I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. …..…………………………… .…………........………………………… Date Cho Cho San ACKNOWLEDGEMENTS First of all, I would like to thank Hist Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
    [Show full text]
  • Malware Behavior Comportamento De Programas Maliciosos
    Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Campinas 2012 i ii Universidade Estadual de Campinas Faculdade de Engenharia El´etrica e de Computa¸c~ao Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Doctorate thesis presented to the School of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor in Electrical Engineering. Concentration area: Computer Engineering. Tese de doutorado apresentada `aFaculdade de Engenharia El´etrica e de Computa¸c~ao como parte dos requisitos exigidos para a obten¸c~aodo t´ıtulo de Doutor em Engenharia El´etrica. Area´ de concentra¸c~ao: Engenharia de Computa¸c~ao. Orientador (Tutor): Prof. Dr. Mario Jino Co-orientador (Co-Tutor): Prof. Dr. Paulo Licio de Geus Este exemplar corresponde `avers~aofinal da tese defendida pelo aluno, e orientada pelo Prof. Dr. Mario Jino. Campinas 2012 iii FICHA CATALOGRÁFICA ELABORADA PELA BIBLIOTECA DA ÁREA DE ENGENHARIA E ARQUITETURA - BAE - UNICAMP Grégio, André Ricardo Abed G861c Comportamento de programas maliciosos / André Ricardo Abed Grégio. --Campinas, SP: [s.n.], 2012. Orientador: Mario Jino. Coorientador: Paulo Licio de Geus. Tese de Doutorado - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação. 1. Redes de computadores - Medidas de segurança. 2. Tecnologia da informação - Segurança. 3. Software - Segurança. 4. Virus de computador. 5. Taxonomia. I. Jino, Mario, 1943-. II. Geus, Paulo Licio de, 1956-. III. Universidade
    [Show full text]
  • Containing Conficker to Tame a Malware
    &#4#5###4#(#%#5#6#%#5#&###,#'#(#7#5#+#&#8##9##:65#,-;/< Know Your Enemy: Containing Conficker To Tame A Malware The Honeynet Project http://honeynet.org Felix Leder, Tillmann Werner Last Modified: 30th March 2009 (rev1) The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to repel Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download from [9], including source code. !"#$%&'()*+&$(% The big years of wide-area network spreading worms were 2003 and 2004, the years of Blaster [1] and Sasser [2]. About four years later, in late 2008, we witnessed a similar worm that exploits the MS08-067 server service vulnerability in Windows [3]: Conficker. Like its forerunners, Conficker exploits a stack corruption vulnerability to introduce and execute shellcode on affected Windows systems, download a copy of itself, infect the host and continue spreading. SRI has published an excellent and detailed analysis of the malware [4]. The scope of this paper is different: we propose ideas on how to identify, mitigate and remove Conficker bots.
    [Show full text]
  • THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network Worms Were Supposed to Be Dead. Turns O
    THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. This worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser. Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected. Case Conficker The sustained growth of malicious software (malware) during the last few years has been driven by crime. Theft – whether it is of personal information or of computing resources – is obviously more successful when it is silent and therefore the majority of today's computer threats are designed to be stealthy. Network worms are relatively "noisy" in comparison to other threats, and they consume considerable amounts of bandwidth and other networking resources.
    [Show full text]
  • G Data Malwarereport Half-Yearly Report July
    G Data MalwareReport Half-yearly report July - December 2010 Ralf Benzmüller & Sabrina Berkenkopf G Data SecurityLabs 2010 - MalwareReport_2 Go safe. Go safer. G Data. G Data MalwareReport 2/2010 Contents At a Glance ............................................................................................................................................ 2 Malware: Facts and Figures ................................................................................................................. 3 The end of the growth? ........................................................................................................................................... 3 Malware categories ................................................................................................................................................... 4 Malware families ........................................................................................................................................................ 4 Platforms: Windows and Web ............................................................................................................................... 6 Trends for 2011 ........................................................................................................................................................... 7 Top subjects for the second half of 2010 ............................................................................................ 7 WikiLeaks brings 'Hacktivists' into the arena ..................................................................................................
    [Show full text]