Why you should never use the internet - Security BSides


Page 1: Why you should never use the internet

Page 2: Overview

• A Different Game
• Infection
• Characteristics
• Techniques
• Detection
• Prevention

Page 3: A Different Game

• The players and the game have changed
  ○ Criminal organizations
  ○ Governments
• Profit/politically driven
  ○ Multimillion dollar industry
• Cyber weapons
• FBI vs Coreflood [1]
• Professionally developed
  ○ User manuals
• MaaS

Page 4: Infiltration

• Exploit packs
  ○ Phoenix Pack
  ○ Blackhole source released (plus others) [4]
  ○ These aren’t going away
  ○ EaaS?
• Legitimate host compromise
  ○ Direct:
      ○ May 2011: Geek.com [1]
      ○ April 2011: ribbs.usps.gov [2]
      ○ April 2010: Wordpress.com [3]
  ○ Indirect: advertisements
      ○ ~2 clicks away from malware
• Search Engine Optimization hacks
  ○ Breaking news
  ○ Celebrities
• Social
  ○ Facebook, Twitter, etc.
• Email: spear phishing

Page 5: Techniques

• API Hooking
• Run-time Patching
• Browser Content Replacement
• Filter Drivers

Page 6: API Hooking

• APIs are how Windows programs do just about everything
• Allows malware to intercept Windows API calls
• Can be done in user or kernel space, but in kernel space it’s much more powerful

Page 7: API Hooking

[Diagram: a user-mode Program calls DeleteFile[A|W] (USER MODE), which goes through NtDeleteFile/ZwDeleteFile to the System Service Descriptor Table (SSDT) in KERNEL MODE]

Page 8: API Hooking: SSDT Example

[Diagram: the same call path, Program → DeleteFile[A|W] → NtDeleteFile/ZwDeleteFile → SSDT, but the SSDT entry for the delete service now points to fakeDelete instead of the real routine]

Page 9: API Hooking

• Allows malware to do a lot of nasty things
  ○ Hide processes/files
  ○ Hide networking (to a degree)
  ○ Steal keystrokes, website data, passwords, mouse clicks, etc.
  ○ Basically take over your system
• Fairly straightforward to implement
• However, it is easy to detect
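Why an SSDT hook is easy to detect, as an added example that is not part of the talk: a scan of the service table that flags every entry pointing outside the kernel image, which is the check tools like GMER report as an "SSDT hook". The kernel range and the table entries are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the talk: the SSDT check that rootkit detectors such
 * as GMER perform. Every service-table entry should point inside the kernel
 * image (ntoskrnl); an entry pointing anywhere else is a hook like fakeDelete.
 * The kernel range and the table below are constructed for the demo. */

typedef struct {
    uintptr_t base;   /* image base of the kernel */
    size_t    size;   /* size of the mapped kernel image */
} image_range_t;

/* 1 if addr lies inside the image, 0 otherwise. */
static int in_image(const image_range_t *img, uintptr_t addr) {
    return addr >= img->base && addr < img->base + img->size;
}

/* Walks a copy of the SSDT and records (up to max_idx) the indices whose
 * handler lies outside the kernel image. Returns the total number found. */
size_t find_ssdt_hooks(const uintptr_t *ssdt, size_t count,
                       const image_range_t *kernel,
                       size_t *hooked_idx, size_t max_idx) {
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        if (in_image(kernel, ssdt[i]))
            continue;
        if (n < max_idx)
            hooked_idx[n] = i;
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed five-entry table: index 3 was redirected into the address
     * range of a third-party driver, the way fakeDelete replaces NtDeleteFile. */
    const image_range_t ntoskrnl = { 0x80400000u, 0x00200000u };
    const uintptr_t ssdt[] = { 0x80401000u, 0x8040a2f0u, 0x80455b10u,
                               0xf8a31000u, 0x804c0040u };
    size_t hooked[8];
    size_t n = find_ssdt_hooks(ssdt, 5, &ntoskrnl, hooked, 8);
    for (size_t i = 0; i < n; i++)
        printf("SSDT[%zu] -> %#lx is outside ntoskrnl: hooked\n",
               hooked[i], (unsigned long)ssdt[hooked[i]]);
    return 0;
}
```

This catches a redirected table entry only; a routine patched in place keeps its entry inside the kernel image, which is why the next technique needs a scan of the code bytes themselves.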

Page 10: Run-time Patching

• Replaces API calls with your own by patching the API routine itself
• Can achieve the same goals as API hooking, but harder to detect
• Also called “detour hooks”

Page 11: Run-time Patching: Example

[Diagram: Target Code, unmodified]

Page 12: Run-time Patching: Example

[Diagram: Detour Jump → Malicious Code → [Target Code] → Jump Back]

Page 13: Run-time Patching

• Can be tricky to implement
• Harder to detect
  ○ You have to scan the memory space
  ○ If it’s not permanent, an offline analysis isn’t very helpful
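The memory scan this slide calls for, as an added example that is not the talk’s code: a classifier for the jump patterns a detour leaves at the start of a routine, with a range check that separates a jump leaving the module from a jump that stays inside it. The addresses and byte strings are constructed, and the patterns are 32-bit x86 only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the talk: the memory scan needed to find run-time
 * patching. A detoured routine starts with a jump out of its module instead
 * of its normal prologue, so a scanner reads the first bytes of each export
 * and flags the usual redirection patterns. Byte strings are constructed. */

enum detour_kind { NO_DETOUR = 0, JMP_REL32, JMP_INDIRECT, PUSH_RET };
/* Classifies the first bytes of a routine located at func_addr; *target gets
 * the resolved destination (0 for an indirect jump, whose target is in memory). */
enum detour_kind classify_prologue(const uint8_t *code, size_t len,
                                   uint32_t func_addr, uint32_t *target) {
    uint32_t rel = 0;
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {                    /* jmp rel32 */
        memcpy(&rel, code + 1, 4);                        /* little-endian imm */
        *target = func_addr + 5 + rel;                    /* wraps mod 2^32 */
        return JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)   /* jmp [abs32] */
        return JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        memcpy(target, code + 1, 4);
        return PUSH_RET;
    }
    return NO_DETOUR;
}

/* A jump that stays inside [mod_base, mod_base + mod_size) is usually the
 * module's own code; one that leaves it, or an indirect jump, gets reported. */
int detour_leaves_module(enum detour_kind kind, uint32_t target,
                         uint32_t mod_base, uint32_t mod_size) {
    if (kind == NO_DETOUR) return 0;
    if (kind == JMP_INDIRECT) return 1;
    return target < mod_base || target >= mod_base + mod_size;
}

int main(void) {
    /* Constructed: export at 0x7C810000 patched with jmp rel32 to 0x10001000 */
    const uint8_t patched[] = { 0xE9, 0xFB, 0x0F, 0x7F, 0x93 };
    uint32_t t;
    enum detour_kind k = classify_prologue(patched, 5, 0x7C810000u, &t);
    printf("kind=%d target=%#x leaves_module=%d\n", k, t,
           detour_leaves_module(k, t, 0x7C800000u, 0x000F6000u));
    return 0;
}
```

On a live system the same check runs over every export of the loaded modules and compares the in-memory bytes with the copy on disk; because the patch exists only in memory, that comparison is what makes a non-persistent detour visible.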

Page 14: Browser Content Replacement

• Allows the malware to modify what you see and send in your web browser
• Can replace forms, GET request responses, POST data, POST locations, hide data…
• “View Source” shows nothing: modifications are done in memory
• HTTPS is not relevant

Page 15: Browser Content Replacement

[Diagram: the normal browsing path, WEBSITE ↔ SEND/RECEIVE ↔ EN/DECRYPT ↔ DISPLAY ↔ USER]

Page 16: Browser Content Replacement

[Diagram: the same path with MALWARE inserted inside the browser, between the EN/DECRYPT stage and the DISPLAY the USER sees, so it handles content after decryption]

Page 17: Browser Content Replacement: Zeus botnet

From the user manual:

“Intercepting HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries:

1. Modification of the loaded pages content (HTTP-inject).
2. Transparent pages redirect (HTTP-fake).
3. Getting out of the page content the right pieces of data (for example the bank account balance).
4. Temporary blocking HTTP-injects and HTTP-fakes.
5. Temporary blocking access to a certain URL.
6. Blocking logging requests for specific URL.
7. Forcing logging of all GET requests for specific URL.
8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
9. Getting session cookies and blocking user access to specific URL.”

Page 18: Detection

• AV (losing the race)
• Monitor outbound communications
  ○ TCPView
  ○ Netstat
• Border monitoring
  ○ Outbound-watching IDS (Snort)
• Sysinternals
  ○ TCPView
  ○ Procmon
  ○ RootkitRevealer

Page 19: Detection: GMER

• Rootkit detector
• Detects:
  ○ Hidden processes, hidden files, hidden DLLs, hidden registry keys, hidden*
  ○ SSDT, IAT, EAT hooks
  ○ MBR modification
  ○ Suspicious drivers
  ○ …lots more

Page 20: Detection: GMER

Page 21: Prevention

• Update software (not just Windows)
• Windows 7 (x64)
• EMET [5]
• Uninstall Adobe Reader, install Foxit
• Chrome/Firefox
• VMs/Linux/OSX
• NoScript for Firefox

Page 22: Further Information

• Blogs
  ○ F-Secure: http://www.f-secure.com/weblog/
  ○ Sophos: http://nakedsecurity.sophos.com/
  ○ Inreverse: http://www.inreverse.net/
• Online tools
  ○ VirusTotal: http://www.virustotal.com/
  ○ Anubis: http://anubis.iseclab.org/
• Samples
  ○ Malware Domain List: http://www.malwaredomainlist.com/
  ○ Offensive Security: http://www.offensivecomputing.net/

Page 23: References

1. http://arstechnica.com/tech-policy/news/2011/04/fbi-vs-coreflood-botnet-round-one-goes-to-the-feds.ars
2. http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html
3. http://www.theregister.co.uk/2011/04/08/us_postal_service_exploit/
4. http://www.thehackernews.com/2011/05/blackhole-exploit-kit-download.html
5. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04

• 2010 Websense Threat Report: http://www.websense.com/content/threat-report-2010-introduction.aspx?cmpid=prblog
• Verizon 2011 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf?&src=/worldwide/resources/index.xml&id=
• Microsoft Security Intelligence Report v10: http://www.microsoft.com/security/sir/
• Book: “The Rootkit Arsenal”, by Reverend Bill Blunden
• Book: “Malware Analyst’s Cookbook”, by M. Ligh, S. Adair, B. Hartstein, M. Richard
• Book: “Reversing: Secrets of Reverse Engineering”, by Eldad Eilam
• MSDN Documentation: http://msdn.microsoft.com/en-us/library/default.aspx

Page 25: Contact

Sean McAllister (gaten)

[email protected]

Twitter: @gatenub