
Page 1:

Collection of affiliated topics – not dried flowers.

MALWARE POTPOURRI

Robert Vinson - IT Security Office - The University of Iowa

Page 2:

MALWARE – A DEFINITION

Malware = Malicious Software

Q: Why do we typically say “malware” and not “computer worm/virus/etc.”?

A: Because they are NOT EQUIVALENT.

Blended threat: Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage.


Page 3:

TOPICS

Anti-virus Evasion
Anti-debugging / Virtual Machine Detection
Botnet designs


Page 4:

POLYMORPHISM VS. METAMORPHISM

“The main difference […] is the fact that the Polymorphic virus ciphers its original code to avoid pattern recognition, and the Metamorphic virus changes its code to an equivalent one […]” – wikipedia.org


Page 5:

METAMORPHISM

Changing the words without changing the message:

MOV EAX, 0
XOR EAX, EAX
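The slide's pair of instructions is one of the substitutions a metamorphic engine uses: the bytes change, the behaviour does not, and a byte signature for one form misses the other. The following is an added example, not code from the slides, showing the detector-side answer: undo the common rewrites (the slide's MOV/XOR pair, arithmetic identities, NOPs) so that two variants of the same snippet canonicalize to the same instruction stream. The instruction forms handled and the sample snippets are constructed for this example.

```python
import re

# Instruction rewrites a metamorphic engine can apply without changing what
# the program does; the slide's MOV EAX,0 <-> XOR EAX,EAX pair is the classic
# one. A byte signature sees two different programs; a detector that undoes
# the rewrites first sees one. (XOR/SUB also clear the flags, so the swap is
# only safe when no later instruction reads them.)
REG = r"(E[ABCD]X|E[SD]I|E[BS]P)"

def canonicalize(listing):
    """Reduce a list of x86 mnemonic strings to a canonical equivalent form."""
    out = []
    for line in listing:
        ins = re.sub(r"\s+", " ", line.strip().upper()).replace(", ", ",")
        if ins == "NOP":                                    # no effect
            continue
        m = re.fullmatch(rf"(XOR|SUB) {REG},\2", ins)       # reg^reg, reg-reg
        if m:
            ins = f"MOV {m.group(2)},0"
        if re.fullmatch(rf"(ADD|SUB|OR|XOR) {REG},0", ins):  # x op 0 == x
            continue
        if re.fullmatch(rf"MOV {REG},\1", ins):             # reg <- itself
            continue
        out.append(ins)
    return out

def same_behaviour(a, b):
    """True when two listings canonicalize to the same instruction stream."""
    return canonicalize(a) == canonicalize(b)

# Constructed: an original snippet and a metamorphosed variant of it.
ORIGINAL = ["MOV EAX, 0", "MOV ECX, 0A", "CMP EAX, ECX"]
VARIANT = ["XOR EAX, EAX", "NOP", "MOV ECX, 0A", "ADD ECX, 0", "CMP EAX, ECX"]

if __name__ == "__main__":
    print(canonicalize(VARIANT))              # ['MOV EAX,0', 'MOV ECX,0A', 'CMP EAX,ECX']
    print(same_behaviour(ORIGINAL, VARIANT))  # True
```

Real engines also reorder independent instructions and insert opaque junk, which a table of rewrites alone does not undo; emulation or semantic matching is the next step.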


Page 6:

VIRTUAL MACHINE DETECTION

Used to hinder analysis efforts
Many methods

MOV EAX, 564D5868   <-- "VMXh"
MOV EBX, 0
MOV ECX, 0A
MOV EDX, 5658       <-- "VX"
IN  EAX, DX         <-- Check for VMware
CMP EBX, 564D5868

(Asm code obtained from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf)
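From the analyst's side, the sequence above is itself a useful indicator: a sample that loads the "VMXh" magic and the "VX" port and then executes IN EAX,DX is probing for VMware. The following is an added example, not from the slides, that scans a byte buffer for that pattern. The opcode encodings are the standard x86 ones and the sample buffer is constructed here.

```python
import re

# Encodings of the slide's sequence, constructed from the standard x86 opcode
# tables (these are the bytes a scanner would find in a sample):
#   B8 68 58 4D 56   MOV EAX, 564D5868   ; "VMXh" magic
#   BA 58 56 00 00   MOV EDX, 5658       ; "VX" port
#   ED               IN  EAX, DX         ; talk to the VMware backdoor port
MAGIC_VMXH = bytes.fromhex("B8 68 58 4D 56")
PORT_VX = bytes.fromhex("BA 58 56 00 00")
IN_EAX_DX = b"\xED"

def find_vmware_backdoor_checks(data, window=32):
    """Offsets where the 'VMXh' magic is loaded and, within `window` bytes,
    the 'VX' port is loaded followed by IN EAX,DX. Requiring all three keeps
    the false-positive rate down (0xED alone is a common byte)."""
    hits = []
    for m in re.finditer(re.escape(MAGIC_VMXH), data):
        region = data[m.start():m.start() + window]
        port_at = region.find(PORT_VX)
        if port_at != -1 and region.find(IN_EAX_DX, port_at) != -1:
            hits.append(m.start())
    return hits

def has_vmxh_dword(data):
    """Weaker indicator: the magic present anywhere as a little-endian dword
    (e.g. in a data section), even if the instruction order was changed."""
    return (0x564D5868).to_bytes(4, "little") in data

# Constructed sample: NOP padding, the slide's full sequence, RET padding.
SAMPLE = (b"\x90" * 7
          + MAGIC_VMXH
          + bytes.fromhex("BB 00 00 00 00")       # MOV EBX, 0
          + bytes.fromhex("B9 0A 00 00 00")       # MOV ECX, 0A
          + PORT_VX + IN_EAX_DX
          + bytes.fromhex("81 FB 68 58 4D 56")    # CMP EBX, 564D5868
          + b"\xC3" * 5)

if __name__ == "__main__":
    print(find_vmware_backdoor_checks(SAMPLE))    # [7]
```

VMware's own guest tools use the same port legitimately, so a hit is a triage lead for the sandbox, not a verdict on its own.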


Page 7:

PACKING

Executable compression: “[…] any means of compressing an executable file and combining the compressed data with the decompression code it needs into a single executable.” – wikipedia.org


Page 8:

PACKING – A VISUAL

[Diagram: Executable --> run through packer program --> Packed Executable (unpacking algorithm + packed file). Packed Executable --> run --> unpacking algorithm restores the original executable in memory.]
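Because the packed file carries the original only as compressed data plus an unpacking stub, a scanner that only has a signature for the original sees nothing familiar. One signature-independent hint a scanner can use is byte entropy: compressed or encrypted payloads look nearly random. The following is an added example, not from the slides, computing that heuristic on a constructed stand-in for a code section before and after compression (zlib stands in for a packer's compressor).

```python
import math
import random
import zlib

def shannon_entropy(data):
    """Entropy in bits per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data, threshold=7.0):
    """Compressed or encrypted payloads are close to random (near 8 bits/byte);
    plain code and data sit well below. The threshold is a heuristic: some
    packers pad with zeros to push the figure down, so treat it as a hint."""
    return shannon_entropy(data) >= threshold

def unpack(packed):
    """Stand-in for the packer's unpacking stub restoring the original."""
    return zlib.decompress(packed)

# Constructed stand-in for a code section: a skewed mix of a few byte values,
# roughly like real machine code with many zero bytes and small immediates.
_rng = random.Random(1)
UNPACKED = bytes(_rng.choice([0x00, 0x00, 0x8B, 0x45, 0xE8, 0x89, 0xFF, 0x55])
                 for _ in range(16384))
PACKED = zlib.compress(UNPACKED, 9)   # zlib stands in for the packer's compressor

if __name__ == "__main__":
    print(round(shannon_entropy(UNPACKED), 2), looks_packed(UNPACKED))
    print(round(shannon_entropy(PACKED), 2), looks_packed(PACKED))
```

Run per PE section rather than over the whole file: a packed binary typically shows one high-entropy section next to a small, low-entropy stub.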


Page 9:

AV Product          Version         Definitions   Results
AhnLab-V3           2008.2.4.10     2008.02.04    –
AntiVir             7.6.0.62        2008.02.04    –
Authentium          4.93.8          2008.02.04    –
Avast               4.7.1098.0      2008.02.03    –
AVG                 7.5.0.516       2008.02.04    –
BitDefender         7.2             2008.02.04    –
CAT-QuickHeal       9               2008.02.04    –
ClamAV              0.92            2008.02.04    –
DrWeb               4.44.0.09170    2008.02.04    –
eSafe               7.0.15.0        2008.01.28    suspicious Trojan/Worm
eTrust-Vet          31.3.5509       2008.02.04    –
Ewido               4               2008.02.04    –
FileAdvisor         1               2008.02.04    –
Fortinet            3.14.0.0        2008.02.04    –
F-Prot              4.4.2.54        2008.02.03    W32/Downloader.F.gen!Eldorado
F-Secure            6.70.13260.0    2008.02.04    –
Ikarus              T3.1.1.20       2008.02.04    –
Kaspersky           7.0.0.125       2008.02.04    –
McAfee              5222            2008.02.04    –
Microsoft           1.3204          2008.02.04    –
NOD32v2             2847            2008.02.04    –
Norman              5.80.02         2008.02.01    –
Panda               9.0.0.4         2008.02.04    –
Prevx1              V2              2008.02.04    –
Rising              20.29.22.00     2008.01.30    –
Sophos              4.26.0          2008.02.04    Sus/Dropper-A
Sunbelt             2.2.907.0       2008.02.02    –
Symantec            10              2008.02.04    –
TheHacker           6.2.9.208       2008.02.04    –
VBA32               3.12.6.0        2008.02.03    –
VirusBuster         4.3.26:9        2008.02.04    –
Webwasher-Gateway   6.6.2           2008.02.04    –

(Three of the 32 scanners flag the file.)

Page 10:

TRADITIONAL BOTNET DESIGN


Page 11:

TRADITIONAL BOT

PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..
PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..
PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..
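The IRC lines on this slide are what a traditional bot's command-and-control traffic looks like on the wire: keystroke reports pushed as PRIVMSGs into a channel. The following is an added example, not from the slides, of detection logic over such traffic: it parses PRIVMSG lines, treats messages that open with a bracketed report tag such as "[KEYLOG]:" as automated, and reports channels that receive a sustained stream of them. The capture is constructed from the slide's lines plus ordinary chat.

```python
import re
from collections import Counter

# IRC message shape: "[:<source> ]PRIVMSG <target> :<text>".
PRIVMSG = re.compile(r"^(?::(?P<src>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
# Bot reports open with a bracketed upper-case tag and a colon ("[KEYLOG]: ...");
# people rarely type that. A heuristic, not proof.
TAGGED = re.compile(r"^\[[A-Z]+\]:\s")

def parse_privmsg(line):
    """Return {'src', 'target', 'text'} for a PRIVMSG line, else None."""
    m = PRIVMSG.match(line.strip())
    return m.groupdict() if m else None

def is_bot_report(text):
    return bool(TAGGED.match(text))

def find_reporting_channels(lines, min_reports=3):
    """Channels receiving at least `min_reports` tagged reports, with counts.
    Sustained tagged traffic into one channel is the pattern to alert on."""
    counts = Counter()
    for line in lines:
        msg = parse_privmsg(line)
        if msg and is_bot_report(msg["text"]):
            counts[msg["target"]] += 1
    return {chan: n for chan, n in counts.items() if n >= min_reports}

# Constructed capture: the slide's five keylog lines plus ordinary chat.
SAMPLE_LINES = [
    "PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: System Information)..",
    "PRIVMSG #gun5 :[KEYLOG]: insta (Return) (System Information)..",
    "PRIVMSG #gun5 :[KEYLOG]: ll (Return) (System Information)..",
    "PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: Program Manager)..",
    "PRIVMSG #gun5 :[KEYLOG]: (Changed Windows: McAfee Alert Window)..",
    ":alice!a@host PRIVMSG #lounge :anyone up for lunch?",
    "PRIVMSG bob :[sic] that was a typo",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    print(find_reporting_channels(SAMPLE_LINES))   # {'#gun5': 5}
```

On a real sensor the same check runs per source host as well as per channel, so one infected machine stands out even before the channel fills up.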


Page 12:

P2P BOTNETS

Harder to shut down
Potentially easier to enumerate all compromised hosts


Page 13:

P2P DESIGN


Page 14:

STORM WORM

p2p architecture
Utilizes the Overnet protocol
Updates the malware executable at least every half hour
Now utilizing encryption
Pretty much spreads via email
Credited with some nasty DoS attacks


Page 15:

FAST-FLUX DESIGN


Obtained from http://www.honeynet.org/papers/ff/fast-flux.html

Page 16:

RESOURCES

http://en.wikipedia.org/wiki/Executable_compression
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
http://en.wikipedia.org/wiki/Metamorphic_code
http://www.honeynet.org/papers/ff/fast-flux.html
