Posts Tagged ‘antivirus’

Spy vs SpyEye

Wednesday, August 25th, 2010

In late December 2009, a new bot known as SpyEye, with properties that compare and compete with the Zeus bot, appeared in the Russian underground market. Like other theft-based malware, it has a web-based command-and-control backend that collects and sorts the stolen data and its statistics. Features include specifically targeting Bank of America customers, and sorting can be based on infected processes, Bot GUID (Globally Unique Identifier) and FTP logins. The configuration requires a standard LAMP (Linux, Apache, MySQL and PHP) environment. The installation is simple, and the majority of the frontend web code uses AJAX (XMLHTTP) to post the data queries to the viewer. Spy-Eye divides itself into two setups: the CnC controller (which houses the statistics and the interactive communication with the infected machines), and the Form Grabber, which collects the login data and stores it in a database for querying. The Form Grabber and the CnC identify themselves to an outside observer via the HTML title tag, usually displayed at the top of the browser when accessing the page.

Figure 1 C&C Identifier within the “<title>” tag (CN 1)

Figure 2 Formgrabber Identifier within the “<title>” tag (SYN 1)

To access either “CN 1” or “SYN 1”, a password prompt is displayed to authenticate access.

Figure 3 Password Prompt
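As an added example (not code from the original post or from Damballa), the following Python flags captured HTTP responses whose HTML title is one of the two panel identifiers described above. Only the “CN 1” and “SYN 1” title strings come from the post; the sample responses are constructed.

```python
"""Flag captured HTTP responses whose HTML <title> names a known SpyEye panel."""
from html.parser import HTMLParser

# Title strings the post reports for the two SpyEye panels.
KNOWN_PANEL_TITLES = {
    "CN 1": "SpyEye C&C controller",
    "SYN 1": "SpyEye form grabber",
}


class _TitleExtractor(HTMLParser):
    """Collect the text of the first <title> element only."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._buf = []
        self.title = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            # Normalise whitespace so "\n  CN 1 " compares equal to "CN 1".
            self.title = " ".join("".join(self._buf).split())


def extract_title(html):
    """Return the normalised <title> text, or None if the page has none."""
    parser = _TitleExtractor()
    parser.feed(html)
    parser.close()
    return parser.title


def classify_response(raw):
    """Map a raw HTTP response (bytes) to a panel name, or None.

    Only text/html bodies are inspected and the title must match exactly,
    so a page titled "CN 10 status" is not reported.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header/body split: not a complete response
    headers = head.decode("latin-1").lower()
    if "content-type:" in headers and "text/html" not in headers:
        return None
    title = extract_title(body.decode("utf-8", errors="replace"))
    return KNOWN_PANEL_TITLES.get(title)


# Constructed sample responses for demonstration; not real captures.
SAMPLE_CNC = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
              b"<html><head><title>\n  CN 1 </title></head><body>login</body></html>")
SAMPLE_FORMGRABBER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<HTML><HEAD><TITLE>SYN 1</TITLE></HEAD></HTML>")
SAMPLE_BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><head><title>CN 10 status</title></head></html>")
SAMPLE_JSON = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
               b'{"title": "CN 1"}')
```

Run `classify_response` over response bodies pulled from a proxy log or packet capture; a hit on a host that is not a known internal system is worth a closer look at the password-prompt page that the post describes.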

Latest Spy-Eye findings reveal certain botnet operators “skinning” their web panel:

Figure 4 “Show me the money” skin

Features for the CnC portion of the web panel include FTP back connect, SOCKS5, code insertion, binary uploads, task monitoring, global statistics and settings.

Figure 5 Binary Update Function

Binary Update Function:

This function is used to continuously update the bots within the network. Further analysis indicates that this activity happens frequently, at minimum on a daily basis. Its purpose is to continuously replace the binaries with ones unknown to the Anti-Virus community, since the updates are not distributed in the wild via exploits but internally, through the tunnel created between the C&C and the operator. Further investigation enables Damballa to identify the new MD5s pushed to the bots and reveals how many active bots are receiving updates.

Figure 6 Real-time update log identifying the new MD5 and the originating MD5

Tests run by Damballa’s Threat Research team show that the majority of these new MD5s are not identified by any major Anti-Virus vendor:

Figure 7 MD5 a3fe1f59d8d72699ad342adb992ba450 with 4.9% identification according to VirusTotal

Up Sell:

Within the “SYN 1” form grabber panel, a few features have been updated for version 1.2, including a private certificate stealer. This feature allows the botnet operator to request certificates from the controlled bots.

Figure 8 Certificate Grabber

Also available is a specific “Bank of America” grabber. Both of these features require the buyers of the malware DIY kit to pay extra if they desire these features.

Backdoor Access:

Within the “CN 1” panel there are FTP Back Connect and SOCKS5 controls designed for miscellaneous uses such as remote administration and sending spam. For each bot with SOCKS5 availability, the server binds a unique port on the C&C server for the botnet operators to perform a reverse connection with the infected host.

Figure 9 SOCKS5 Reverse Connection Status

Statistics and Data Collection

A common trend in many other botnet control panels is geographical IP location and version tracking, and Spy-Eye also follows suit:

Figure 10 GeoIP and Version tracking

Other statistics acquired are infected OS versions, Internet Explorer versions, and user type:

The latest Spy-Eye malware is also enumerating the software information that exists on the victim hosts:

Figure 11 Enumerated Software on Infected Host

In addition, checkboxes have been added to the stolen data query page enabling wildcard lookups with the “LIKE?” option for Bot IDs. These features were likely added to enable granularity for each query.

Conclusion

Spy-Eye’s evolution is progressing rapidly, and the success rate of the malware itself appears to be increasing quietly yet effectively. Combined with impactful distribution campaigns, this malware appears to be an up-and-coming contender among the ongoing threats plaguing the Internet.

Part 2 will unveil specific information on the amount of stolen data that is acquired by Spy-Eye and will follow the flow of the activity of some of the specific bot operators.

by Lance James

Killing Antivirus, One DLL At A Time

Tuesday, February 2nd, 2010

Browsing the Web for online virus scanners will yield an increasing array of available services. Ranging from vendor-specific portals featuring their latest antivirus engine through to public testing portals offering 40+ different scanning engines, these online scanning services allow visitors to submit suspicious files and help identify their true malicious nature.

The bigger portals – the ones offering dozens of popular antivirus products to test against – are quite useful to corporate security teams. They allow the organization not only to inspect suspicious files without needing to build and maintain a whole malware testing lab, but also to get a better feel for specific product coverage of the threat. I’ve also seen many organizations using the portals as a convenient source of malware naming correlation – i.e. which vendor calls the sample what?

This handy feature hasn’t gone unnoticed by the malware authors either. They use these online portals as part of their Quality Assurance (QA) process to guarantee that their latest malware creation will go undetected when deployed against their target. They’ve been doing this for nearly a decade now though.

Many of the biggest virus testing portals (such as VirusTotal) work with the major antivirus product vendors by handing over copies of the submitted files to them. Obviously, this process isn’t so cool for the actual malware authors and, as you’d expect, enterprising individuals now offer similar malware testing portals with guarantees that they will never share the files with anyone. Which, obviously, has resulted in the growth of testing portals that cater exclusively to cybercriminals and offer monthly subscription testing services optimized for batch processing of malware.

The malware portal scanning ecosystem is rather interesting, but perhaps the most interesting aspect is how it’s become a critical tool by which vendors keep pace with the latest malware threats. Because the portals have become popular vehicles for checking and verifying coverage, they’ve attracted mainstream attention (and adoption) as a vehicle for tracking the relative performance and effectiveness of the antivirus vendors themselves. It’s not what the portals were originally intended for, but nevertheless that’s what they’ve become.

Now, because of this “competition” in coverage, samples submitted to popular portals like VirusTotal seem to have a higher probability that vendors will ensure some level of detection coverage – especially if at least one other vendor detected the sample or flagged it as suspicious. This was discussed a little in yesterday’s post on Kaspersky’s blog – On the way to better testing – in which they describe how the system can be rigged and abused (i.e. creating fake malware detections and watching who is copying whom).

Anyhow, there’s another aspect of this ecosystem that’s both worrying and fun to explore at the same time. Given the mix of different detection engines and strategies all the antivirus products within these portals use, many files get marked as suspicious or incorrectly flagged as malicious. This applies especially to files that have been compressed, packed or armored to speed up Internet transfers or prevent the loss of intellectual property through reverse engineering. As such, the whole “signature copying” system is ripe for abuse.

To give you an example (names of the perpetrators/victims intentionally left out), I remember someone a year back intentionally grabbing the DLLs of the most current version of a popular antivirus product and submitting them to one of these portals. Lo and behold, a few days later there was news about XXX vendor’s product killing/quarantining YYY vendor’s product.

Which I guess brings me to this blog’s title – Killing Antivirus, One DLL At A Time. Anyone can abuse these feedback-loop systems – and some people already do (for fun). If anyone wanted to cause a degree of havoc to the antivirus vendors that rely upon these testing portals as a crutch for their detection, here are some of the things that would likely have them tripping over their tails…

  • Every time antivirus vendor XXX updates their engine, the antagonist submits the newest DLLs and EXEs for vendor XXX’s product to a testing portal. They’d likely see all kinds of false positives immediately (especially for DLLs), but after a few days they’d also discover increased “coverage” amongst other vendors – and maybe a news story that vendor YYY accidentally killed vendor XXX’s product.
  • Each time Microsoft or a major software vendor releases a new update of their product, they could submit the latest files and observe which vendors false-positive on them. They’re probably not a vendor you’d want to consider deploying in a large enterprise though.
  • Packing antivirus vendor XXX’s key DLLs and EXEs with popular “known bad” packers that also have well-covered unpacking solutions will likely increase the immediate number of false positives – which may in turn result in a quicker turnaround of vendor YYY’s signatures for detecting the new “threat”.
  • Binding a vendor’s brand new (and critical-operation) DLLs and EXE files with known malware samples, or adding them to popular droppers, will likely trigger the “guilt by association” detection systems – and similarly result in more false positives.

I could probably think of many more ways that evil-doers could mess this signature generating ecosystem up, and even then I’d probably miss several that the bad guys are already doing or in the process of testing out.

Some may argue that by having pointed out the frailties of this ecosystem I’m in turn exposing the antivirus industry and their customers to more risk. But let’s face facts, this stuff already happens. This is not rocket science. I can just as easily see some computer science undergrad over the road at GATech conducting his own tests and publishing a great paper on the topic. Perhaps he already is?

Regardless, there are lessons to be learned here and the ecosystem exposure is real. I’d be curious to see what the effect would be of criminals actively and persistently conducting the “attacks” described above – would that cause pain to enterprises that intentionally run multiple antivirus products together to help weed out false-negatives and improve overall coverage? Or would consistent abuse of these testing and submission portals result in lowering the probability that real malware submitted to them would eventually be covered in signature updates at a later date?

– Gunter Ollmann, VP Research

Feeling Secure

Monday, November 24th, 2008

The following depicts real, non-fictional events. Names have been altered to protect the victims.

On Monday, October 20th, Dave’s antivirus reported that it found and deleted a virus. Dave was relieved that his computer and his files were not damaged, and that he had antivirus turned on. Phew!

Forensic Chronicle

October 7th 14:10

Malware named Sinowal (aka Torpig) made its way onto Dave’s work computer. Sinowal is a sophisticated trojan designed to steal banking and other login information.


October 7th 15:59

Dave logged into his SunTrust online banking account. Sinowal captured and transmitted his login credentials to a Command-and-Control (CnC) server located in California.


October 8th 10:26

Dave logged into his Bank of America online banking account. Sinowal captured and transmitted his login credentials along with additional security question-answer challenges.


October 8th 13:21

Dave logged in to check his email, and Sinowal captured and transmitted his Gmail username and password to the CnC server.


October 20th 11:40

Last communication from the bot to the CnC server recorded.

The trojan was prolific in its communication, checking in with the CnC at times as often as every 10 minutes. During the two-week period it proceeded to send passwords every time Dave logged into his accounts.

Luckily for Dave, shortly after these incidents occurred, the computer security team at his work was notified about them. Dave was promptly informed of what happened. The thieves did not get a chance to withdraw money …

After recovering from the initial dismay of what happened, Dave got serious about what he could do to protect himself. He now pays attention to what online security features each of his financial institutions offer. He is also grateful to his employer for looking out for him. But Dave has also learned a very important lesson – he must always look out for himself.

- Irina Connelly, Damballa Researcher

Rogue AV: Just Blame the Dog

Friday, October 17th, 2008

Every thread in a computer troubleshooting forum begins about the same. “My wife was messing around on the Internet and got this strange virus,” or “my kids were goofing on the computer and now I’m sure we’ve got a trojan or something.” First off, I’m fairly sure CastleCops doesn’t demand to know who is at fault when you approach them for assistance. Secondly, in an age where we have commercials about erectile dysfunction and TV game show contestants fail to match wits with fifth grade children, is it really that emasculating or embarrassing to admit your computer got compromised? So when my girlfriend calls and tells me she was looking for decorative additions to her MySpace page and her computer is now spewing pop up alerts about a possible infection, I felt a twinge of kinship for these troubled men and their unfortunate circumstances. It was also quite coincidental that I was neck deep in rogue AV analysis and knew instantly what had happened to her.

Rogue AV has been giving people false impressions for years now, spouting exaggerations on par with anyone in the early stages of courtship. So while the rogue dater is all flowers and joy, the rogue software is free scans and fear. Unknown to the inexperienced is that this thing (person or software) may just end up taking your money with only empty promises in return.

For those with no base of understanding on the subject, rogue AV is fake antivirus software, designed to fool you into believing you have an infected system when the newly installed rogue AV may be the only legitimate infection you have. It fakes virus scans of your computer, almost always alerting you of massive findings. Once you’re convinced that your computer is infested with malware, you’re offered the assistance of the bogus product to remediate the problem. Of course, even after purchase of the full version, the product fails to work and only continues to make false claims of compromise. The big difference is that now the bad guys have your credit card information.

One reason for my blooming interest in rogue AV is in witnessing just how widespread this problem is, now emphasized by its presence in my home. I see it daily in my research, adding list after list of domains involved with its propagation. It has stemmed from fake codecs, fake or hacked ad banners on key sites, and has even bombarded OS straddling clipboards that force pasting of relevant URLs into forums, unbeknownst to the user. Rogue AV is an international epidemic, as seen by the rogue AV sites written in German, Swedish, Dutch, French, Spanish, Italian, and Chinese. It has affected users of sites like Photobucket.com, Newsweek, 123greetings, ClassMates, Metacafe, Expedia, MySpace, CNN, and Rhapsody. Presumably this malware has reached millions, but how many have been duped and actually purchased these products? How much money is being shelled out for these hollow applications? At $50 a pop this could be quite a profitable grift, especially when I see complaints filed by customers claiming to have been charged triple that amount. According to PandaLabs’ blog they estimate profits for rogue AV to be $15,000,000 per month. (I can’t help but picture Scrooge McDuck swimming through a pool of gold pieces.)

People who buy these rogue AV products aren’t stupid and shouldn’t feel embarrassed about sharing their stories. Why shouldn’t they listen to what their computer tells them? That’s what it looks like to the layman, an alert from Windows, and it is understandable that people are fooled. From the virus scans to the desktop alerts, the blue-screen screen savers and the product website, down to the design of the packaging, the logos, the color schemes, testimonials and endorsements, it all looks real and trustworthy. It doesn’t feel like advertising and it wasn’t promoted to them via spam, but appears to be endorsed by the OS. The user may be suspicious of this savior showing up only moments after a gang of hooligans, but they are in trouble and any help becomes welcome. Following the button-clicking trail to eventual purchase seems natural and safe, and the anticipation of relief from this disaster greases the process. This is a sophisticated and well-formed ruse, leaving the misspellings and questionable grammar unseen at first glance. These people are good at what they do and they’re taking advantage of people’s trust and lack of information, which is why this problem needs to be publicized as much as possible.

Inform the people you know about rogue AV. Research it and tell them what to look for. Pay attention to what site you were on when you received the first alert and let the site owners know what happened. I failed to talk about this particular malware with my girlfriend, but she knew who to call when things got shady. (Sorry for the after school special wrap up but seriously, this stuff is rampant.)

Last bit: Beyond antivirus software, there are other rogue programs floating around out there as well, including data encryption, system optimization, and filtering programs. One of the filtering programs claims to “guard your family from: violence…addictions…drugs…pornography…adult chats…religion…gambling (and)…politics.” If you extract these subjects from the Internet experience I’m really unsure what would remain. Guess I could still order a pizza, but without drugs, violence and porn my weekends are sure going to be dull.

- Matt Sully, Damballa Researcher

Circumstantial Evidence

Thursday, September 18th, 2008

Damballa’s engineering team uses an interesting internal lexicon for the various technologies employed by our Failsafe solution for enterprises. In many ways, our product architecture is modeled on the American legal system. Evidence is collected, perpetrators and victims are identified by name and other known aliases, a jury is assembled, a trial conducted, and the presence of a crime is decided by the jury’s consideration of all of the evidence.

Network security staff in many enterprises often struggle to grasp this concept, because they have been well trained in the model of host-based antivirus. They expect to be shown host-based evidence, such as a specific virus name and information about which files, registry keys, or other modifications to the compromised system confirm that the compromise is present. Damballa often cannot provide this level of precise host-based information for compromises we identify, and some of our customers initially view this as a weakness of our solution. It’s the network equivalent of lacking habeas corpus.

In many ways, however, this “weakness” is actually a key strength. Our Failsafe solution is incredibly non-disruptive compared with deployment requirements for the plethora of other, much less effective security tools. You don’t have to deploy software to each of your 100,000 Windows workstations or pass all of your Internet traffic through one of our devices in order to get the actionable information you need about compromises that exist on your network and how to eliminate them.

Instead, we look at the circumstantial evidence. It’s the network monitoring equivalent of who talked to whom, when, and what is said to each other. Some of our technologies are focused specifically on identifying patterns in these communications that are indicative of Command-and-Control (CnC) and/or attack behaviors (who, whom, and when). Other parts of our proprietary technology stack inspect what was said in the more suspicious of these conversations. Finally, we use sophisticated decision logic to correlate communication patterns with the transmission of high-risk content to draw our conclusions about who the victims are, what crimes were perpetrated against them, and by whom.
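The Sinowal chronicle earlier on this page records a bot checking in with its CnC as often as every 10 minutes, and the paragraph above frames detection as who talked to whom and when. As an added example (not Damballa’s code or technology), this Python scores each host pair in a flow log by how regular its connection intervals are, which is one simple way to surface timer-driven check-ins; the addresses, timestamps and thresholds are all constructed.

```python
"""Flag beacon-like periodic connections in a simple flow log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records ("timestamp src dst bytes"); not real traffic.
# The first host pair checks in roughly every ten minutes, the second is
# ordinary bursty browsing traffic.
FLOW_LOG = """\
2008-10-07T14:10:00 10.0.0.5 198.51.100.7 512
2008-10-07T14:20:03 10.0.0.5 198.51.100.7 498
2008-10-07T14:29:58 10.0.0.5 198.51.100.7 530
2008-10-07T14:40:01 10.0.0.5 198.51.100.7 501
2008-10-07T14:50:00 10.0.0.5 198.51.100.7 515
2008-10-07T15:00:02 10.0.0.5 198.51.100.7 507
2008-10-07T14:12:41 10.0.0.5 203.0.113.20 20480
2008-10-07T14:31:09 10.0.0.5 203.0.113.20 1024
2008-10-07T15:03:55 10.0.0.5 203.0.113.20 88000
2008-10-07T15:59:10 10.0.0.5 203.0.113.20 4096
"""


def parse_flows(text):
    """Group connection start times by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (mean gap seconds, coefficient of variation) or None.

    A low coefficient of variation means the gaps between connections
    are nearly constant, which is what a timer-driven check-in produces.
    Too few events give no meaningful estimate, so None is returned.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None  # only duplicate timestamps
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=5):
    """Return {(src, dst): (mean_gap, cv)} for pairs with regular timing.

    max_cv is a tuning knob: real bots add jitter, so raise it to catch
    looser schedules at the cost of more false positives.
    """
    hits = {}
    for pair, stamps in parse_flows(text).items():
        score = beacon_score(stamps, min_events)
        if score is not None and score[1] <= max_cv:
            hits[pair] = score
    return hits


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(FLOW_LOG).items():
        print(f"{src} -> {dst}: every {gap:.0f}s (cv={cv:.3f})")
```

Timing regularity alone is circumstantial, in the sense of the paragraph above: legitimate software also polls on timers, so a hit is a lead to correlate with the destination’s reputation and the content of the conversation, not a verdict.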

Our enterprise customers receive a full summary of each of these network crimes and the ability to view all of the evidence we collected that led to the verdict that was rendered. Damballa provides network-derived evidence for these network-enabled crimes. That said, we are increasingly able to extract more intelligence from the network about specific host-based modifications, as well.

Much of our proprietary technology currently in development is focused on extending the actionable intelligence we provide to include specific instances of malware that have likely been installed on victim hosts, and detailed information about what modifications that malware likely made to them. These details are especially useful intelligence, as a vast amount of malware we identify is not recognized by the latest host-based tools and signatures from other vendors. Stay tuned as Damballa continues to lead the industry in these innovative technologies.

- Tripp Cox, Damballa VP of Engineering