SlideShare una empresa de Scribd logo

Recent Rogueware

Kurt Baumgartner
Kurt Baumgartner

Virus Bulletin 2008 Ottawa presentation on recent, extremely prevalent, "rogueware".

Tecnología
1 de 27
Descargar para leer sin conexión
Recent Rogueware Kurt Baumgartner PC Tools ThreatFire Research Virus Bulletin 2008
Recent Rogueware • Rogueware? • Obfuscation Methods and Vundo Behaviors • Survey Multiple Recent Rogueware • MonaRonaDona Hoax • Recent Binder and Downloader Components and Behavioral Challenges • What Now?
Rogueware? • Sometimes clumsy descriptions found on sites and blogs. • Substantial definitions exist on well known sites like castlecops, spywarewarrior, and many others • My definition: Rogueware-based schemes coerce computer users to pay for removal of nonexistent malware. R og uew a re a re s elec t s oftw a re c om ponents us ed in thes e s c hem es to a id in c oerc io n.
Rogueware Certifed
Rogueware? • Recent active and prevalent examples over the past couple of weeks – AntiVirus2008 and 2009 – MultyCodecUpdr.7.2068.exe and its “promomodule” b..exe, which then drops sav components – pdf sploit -> 0xf9.exe -> AntiVirus2008, other adware • not-so-recent MonaRonaDona and Unigray Antivirus
Rogueware? • Shameless re branding, shuffling of domains, redistribution, shock messaging • Towards the end of last year, high level of active distribution channels and offers:
Rogueware? ~ Extras. Profit from downloads ~ .. from 70-150 $ c 1 thousand! If you load: grabber-soksbot-spambot and would like to receive additional income from your downloads, we offer our software and get 70-150 $ 1 to thousands of downloads (all depends on the country). As for software, we control: adware, which in turn actively promotes antispyware software! Adware does not conflict with either the botnetami, or trojan, and does not kill your bots!
Survey Multiple Fakealerts - Intro • Vundo obfuscation, behavior, commodity client side exploits • Codec distribution, often via spammed links – MultyCodecUpgr.7.20680.exe • P2P distribution and crack sites – binding keygen schemes, most active downloads • Shuffling web sites and domains • Common component behaviors – Shell_NotifyIcon
Vundo's Blatantly Intrusive Behavior • Vundo's prevalence seems to be on a steep downward slope towards the end of this year • Vundo loaders and dll's have maintained multiple layers of obfuscation, calls to random antiquated API's, polymorphism • Vundo distributors most commonly implemented commodity exploits to download and execute components that dropped a randomly named dll and loaded it into its own process, then the loaded dll made copies of itself that it injected first into winlogon, then globally into explorer and other processes • Process check – ad-aware, winlogon, explorer, other AV's
Vundo's Blatantly Intrusive Behavior • Anti-RE Obfuscation – Anti-RE: perverted code beyond recognition, i.e. prologues where normal “push ebp...move ebp,esp” is mangled – Anti-emulation: calling antiquated api's with “impossible” parameters to generate predictable values – this is not compiler “optimization”
Vundo's Blatantly Intrusive Behavior • Garbage assembly level instructions, loops and jmp flows: i.e. implement ridiculous custom GetProcAddress with multiple levels of needless instructions
Vundo's Blatantly Intrusive Behavior • Definitive Vundo loader winlogon injection
Vundo's Blatently Intrusive Behavior • Definitive SetWindowsHook WH_GETMESSAGE injection, from this injection, ads displayed, trayalert
Codec Distribution • Zcodec.1140.exe -> 5491.exe -> sav.exe, etc • 5491.exe is a simple self extracting compressed archive, no packing involved, drops sav.exe in %progfiles%AV2008 • No injections, no system tampering -- clearly “malicious” behavior?
MonaRonaDona Hoax - Intro • Bumbling rogueware scheme – early 2008 • “Virus” bound to version of quot;Registrycleaner2008quot; • Hoax postings and content regarding this “virus” • “Virus”? • Fraudulent postings about unigray antivirus scanner and its user base, google/search engine top results
MonaRonaDona Hoax -- Planning • Create AV product that performs no beneficial activity • Attempt to establish reputation and price point by comparison between it and legitimate solutions • Write phony “virus” • Create confusion and chatter about it on popular forums • Wait for $$$ -- you will wait a long time • This does not work
MonaRonaDona Hoax – Hoax postings • Create forum chatter and search engine hits:
MonaRonaDona Hoax – “Virus” • Svcspool.exe dropped to All Users StartMenu Startup by RegistryCleaner2008.exe • Really a “virus”? No – no replication code. IE WindowBar manipulation, Task Manager disabled by dropper. Some amount of hiding, obfuscation • “Top virus list”
Downloader Components – Intro • Malicious examples – 0xf9.exe, av2009install.exe • Static characteristics • Behavioral characteristics • Downloading sav.exe • Groups continue to use exploits to deliver downloaders, do testers know that?
Downloaders • Difficult for behavioral solutions to assess without using more hardcoded data – closer to signature based technologies • AV2009 UPX packed compiled Delphi executable – Simple and straightforward, like any other app...CreateWindow, InternetOpen, InternetOpenUrl, CreateProcess – Creating a dependence on static characteristics of file, connection endpoints,etc – InternetOpenUrl connects with http://securedownloads6.com/download/av_2009.exe
Downloaders • Simple CreateWindowEx for installer box, nothing obfuscated or injected here...
Downloaders • Adobe exploit kits – Dancho Danchev's blog, Secure Computing • 0xf9.exe is generally a ~20k upx packed Visual Basic compiled executable, standard part of a kit being reused – Names? “Downloader.MisleadApp”, Trojan- Downloader.Win32.VB.hww,Trojan-Downloader.Win32.VB.hyc – Trivial unpacking with upx, simple inspection of underlying code with Basic Decompiler – Straightforward download and setup of msadv.exe or mssadv_sp.exe in “Program FilesMicrosoft Security Adviser”
Recent Components -- MultyCodec • Multiple components delivered via phony video codec • MultyCodec.7.20680.exe drops c..exe, calls CreateProcess on the file, phones home – Based on http responses, “promomodule” carries out 'trayalert', 'winalert', 'excelalert', etc – Changing behaviors from b..exe based on response – spoils automated analysis – Shell_NotifyIcon call based on 'trayalert'...”you have a security problem'
Recent Components -- AntiVirus 2008 • Misleading scan results
Recent Components -- AntiVirus 2008 • Misleading browser redirection
Microsoft Legal Efforts • On Monday, Microsoft/State of Wash Atty General Office lawsuit filed against “John Doe”, maker of AV2008, Winfixer, etc • CAN-SPAM enforced against some Spam Kings, ineffective against global spam industry. See inbox/bulk. • Behavioral based products – will they have to hybridize, or will they just continue as another layer?
Questions?

Recomendados

Macdoored
MacdooredMacdoored
MacdooredShakacon
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
nullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgradenullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgraden|u - The Open Security Community
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Michele Orru'
 
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...Baruch Sadogursky
 

Recomendados

Macdoored
MacdooredMacdoored
MacdooredShakacon
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
nullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgradenullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgraden|u - The Open Security Community
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Michele Orru'
 
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...Baruch Sadogursky
 
How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijackeradelardbrown2
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosStephen Chin
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoUnic
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation PASCAL Jean Marie
 
מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberKurt Baumgartner
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Mediaguesteaa1f
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en MasseKurt Baumgartner
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגיםgoodvibes
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013Kurt Baumgartner
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 
Jamcracker
JamcrackerJamcracker
JamcrackerSteve Crawford
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Clubepokh
 

Más contenido relacionado

La actualidad más candente

How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijackeradelardbrown2
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosStephen Chin
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoUnic
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation PASCAL Jean Marie
 

La actualidad más candente (10)

How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijacker
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and Legos
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with Magento
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian Luszczymak
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation
 

Destacado

מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberKurt Baumgartner
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Mediaguesteaa1f
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגיםgoodvibes
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 

Destacado (8)

מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקה
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red October
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Media
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגים
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APT
 
Jamcracker
JamcrackerJamcracker
Jamcracker
 

Similar a Recent Rogueware

Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Clubepokh
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-stepMichelangelo van Dam
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Atlassian
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apacheguestd9aa5
 
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)Fabien Potencier
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Da-Chang Guan
 
ZendCon Security
ZendCon SecurityZendCon Security
ZendCon Securityphilipo
 

Similar a Recent Rogueware (20)

Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Club
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apache
 
Ht w23
Ht w23Ht w23
Ht w23
 
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009
 
ZendCon Security
ZendCon SecurityZendCon Security
ZendCon Security
 

Último

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Último (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Recent Rogueware

  • 1. Recent Rogueware Kurt Baumgartner PC Tools ThreatFire Research Virus Bulletin 2008
  • 2. Recent Rogueware • Rogueware? • Obfuscation Methods and Vundo Behaviors • Survey Multiple Recent Rogueware • MonaRonaDona Hoax • Recent Binder and Downloader Components and Behavioral Challenges • What Now?
  • 3. Rogueware? • Sometimes clumsy descriptions found on sites and blogs. • Substantial definitions exist on well known sites like castlecops, spywarewarrior, and many others • My definition: Rogueware-based schemes coerce computer users to pay for removal of nonexistent malware. R og uew a re a re s elec t s oftw a re c om ponents us ed in thes e s c hem es to a id in c oerc io n.
  • 5. Rogueware? • Recent active and prevalent examples over the past couple of weeks – AntiVirus2008 and 2009 – MultyCodecUpdr.7.2068.exe and its “promomodule” b..exe, which then drops sav components – pdf sploit -> 0xf9.exe -> AntiVirus2008, other adware • not-so-recent MonaRonaDona and Unigray Antivirus
  • 6. Rogueware? • Shameless re branding, shuffling of domains, redistribution, shock messaging • Towards the end of last year, high level of active distribution channels and offers:
  • 7. Rogueware? ~ Extras. Profit from downloads ~ .. from 70-150 $ c 1 thousand! If you load: grabber-soksbot-spambot and would like to receive additional income from your downloads, we offer our software and get 70-150 $ 1 to thousands of downloads (all depends on the country). As for software, we control: adware, which in turn actively promotes antispyware software! Adware does not conflict with either the botnetami, or trojan, and does not kill your bots!
  • 8. Survey Multiple Fakealerts - Intro • Vundo obfuscation, behavior, commodity client side exploits • Codec distribution, often via spammed links – MultyCodecUpgr.7.20680.exe • P2P distribution and crack sites – binding keygen schemes, most active downloads • Shuffling web sites and domains • Common component behaviors – Shell_NotifyIcon
  • 9. Vundo's Blatantly Intrusive Behavior • Vundo's prevalence seems to be on a steep downward slope towards the end of this year • Vundo loaders and dll's have maintained multiple layers of obfuscation, calls to random antiquated API's, polymorphism • Vundo distributors most commonly implemented commodity exploits to download and execute components that dropped a randomly named dll and loaded it into its own process, then the loaded dll made copies of itself that it injected first into winlogon, then globally into explorer and other processes • Process check – ad-aware, winlogon, explorer, other AV's
  • 10. Vundo's Blatantly Intrusive Behavior • Anti-RE Obfuscation – Anti-RE: perverted code beyond recognition, i.e. prologues where normal “push ebp...move ebp,esp” is mangled – Anti-emulation: calling antiquated api's with “impossible” parameters to generate predictable values – this is not compiler “optimization”
  • 11. Vundo's Blatantly Intrusive Behavior • Garbage assembly level instructions, loops and jmp flows: i.e. implement ridiculous custom GetProcAddress with multiple levels of needless instructions
  • 12. Vundo's Blatantly Intrusive Behavior • Definitive Vundo loader winlogon injection
  • 13. Vundo's Blatently Intrusive Behavior • Definitive SetWindowsHook WH_GETMESSAGE injection, from this injection, ads displayed, trayalert
  • 14. Codec Distribution • Zcodec.1140.exe -> 5491.exe -> sav.exe, etc • 5491.exe is a simple self extracting compressed archive, no packing involved, drops sav.exe in %progfiles%AV2008 • No injections, no system tampering -- clearly “malicious” behavior?
  • 15. MonaRonaDona Hoax - Intro • Bumbling rogueware scheme – early 2008 • “Virus” bound to version of quot;Registrycleaner2008quot; • Hoax postings and content regarding this “virus” • “Virus”? • Fraudulent postings about unigray antivirus scanner and its user base, google/search engine top results
  • 16. MonaRonaDona Hoax -- Planning • Create AV product that performs no beneficial activity • Attempt to establish reputation and price point by comparison between it and legitimate solutions • Write phony “virus” • Create confusion and chatter about it on popular forums • Wait for $$$ -- you will wait a long time • This does not work
  • 17. MonaRonaDona Hoax – Hoax postings • Create forum chatter and search engine hits:
  • 18. MonaRonaDona Hoax – “Virus” • Svcspool.exe dropped to All Users StartMenu Startup by RegistryCleaner2008.exe • Really a “virus”? No – no replication code. IE WindowBar manipulation, Task Manager disabled by dropper. Some amount of hiding, obfuscation • “Top virus list”
  • 19. Downloader Components – Intro • Malicious examples – 0xf9.exe, av2009install.exe • Static characteristics • Behavioral characteristics • Downloading sav.exe • Groups continue to use exploits to deliver downloaders, do testers know that?
  • 20. Downloaders • Difficult for behavioral solutions to assess without using more hardcoded data – closer to signature based technologies • AV2009 UPX packed compiled Delphi executable – Simple and straightforward, like any other app...CreateWindow, InternetOpen, InternetOpenUrl, CreateProcess – Creating a dependence on static characteristics of file, connection endpoints,etc – InternetOpenUrl connects with http://securedownloads6.com/download/av_2009.exe
  • 21. Downloaders • Simple CreateWindowEx for installer box, nothing obfuscated or injected here...
  • 22. Downloaders • Adobe exploit kits – Dancho Danchev's blog, Secure Computing • 0xf9.exe is generally a ~20k upx packed Visual Basic compiled executable, standard part of a kit being reused – Names? “Downloader.MisleadApp”, Trojan- Downloader.Win32.VB.hww,Trojan-Downloader.Win32.VB.hyc – Trivial unpacking with upx, simple inspection of underlying code with Basic Decompiler – Straightforward download and setup of msadv.exe or mssadv_sp.exe in “Program FilesMicrosoft Security Adviser”
  • 23. Recent Components -- MultyCodec • Multiple components delivered via phony video codec • MultyCodec.7.20680.exe drops c..exe, calls CreateProcess on the file, phones home – Based on http responses, “promomodule” carries out 'trayalert', 'winalert', 'excelalert', etc – Changing behaviors from b..exe based on response – spoils automated analysis – Shell_NotifyIcon call based on 'trayalert'...”you have a security problem'
  • 24. Recent Components -- AntiVirus 2008 • Misleading scan results
  • 25. Recent Components -- AntiVirus 2008 • Misleading browser redirection
  • 26. Microsoft Legal Efforts • On Monday, Microsoft/State of Wash Atty General Office lawsuit filed against “John Doe”, maker of AV2008, Winfixer, etc • CAN-SPAM enforced against some Spam Kings, ineffective against global spam industry. See inbox/bulk. • Behavioral based products – will they have to hybridize, or will they just continue as another layer?