Malwares Demystified and Simplified

Everything you need to know about malwares.

Get Started. It's Free
or sign up with your email address
Malwares Demystified and Simplified by Mind Map: Malwares Demystified and Simplified

1. Detection, Prevention & Response

1.1. AV/Firewall/OS regularly updated & patched

1.1.1. Anti- Virus Les différentes détections ajoutées sont mentionnés par une suite de lettre ou des chiffres. ou bien la taille du fichier Antivirus Naming Scheme Exploit.HTML Exploit.PDF Exploit.SWF Vers se propage par messagerie instannée. HTML.IFrame Sdbot / Rbot / Spybot : : Désigne un type de malware se propageant via des failles systèmes à distance RPC etc. (comme le faisait Blaster dans le temps). Trojan-Spy.Win32.Banker Trojan.DNSChanger Trojan.Clicker Trojan.Downloader Trojan.Delf Trojan.Dropper Trojan.FakeAV Trojan.Inject Trojan.RogueSecurity Trojan.PWS Trojan.Small Trojan.Tiny Trojan.VB Trojan.WinUnlock Worms.Autorun

1.2. DMZ/Restrictions

1.3. Antis

1.3.1. Spam

1.3.2. Fishing

1.4. Honeywall

1.4.1. is a proof of concept of network security hardware device capable of translate and forward packets. Designed for high availability, Honeywall is able to provide load balancing and anti flooding. Unlike a firewall, it does not block packets. Features Building — All you need to deploy centralized services on remote Honeywalls. Managing — Create and allow administrators to manage system on the fly. Monitoring — Open source hypervisor technology over network.

1.5. IDPS

1.5.1. Network-based intrusion prevention (NIPS):

1.5.2. Wireless intrusion prevention systems (WIPS):

1.5.3. Network behavior analysis (NBA):

1.5.4. Host-based intrusion prevention (HIPS):

1.5.5. Rate-based intrusion prevention systems implemebted with specialized hardware

1.5.6. Global Correlated

1.5.7. Anomaly based detection systems

1.6. Application Execution Blockers

1.7. Web/email filtering

1.8. DNS Revooked

1.9. Education/Research/Social awareness about online security & privacy trends

1.10. Following the best practices for managing and using online host

1.11. Reword for reporting/Information exchange

1.12. Nullrouting DNS Entries

1.13. Greylisting (anti-smap)

1.14. Traffic Control (Firewalls, NAC, Proxis)

1.15. Detection

1.15.1. Traffic Monitoring Signature Based Detection Anomaly Based Detection DNS Based Detection Data Mining Based Detection

1.15.2. Anti-Malware Software

1.16. Tracking

1.16.1. Honeypot Malware Collection Vulnerability Emulation

1.16.2. Sandbox

1.16.3. Infiltration

1.17. Mitigation

1.17.1. Security Researchers

1.17.2. ISP, Domain registrars

1.17.3. Law Inforcement

1.17.4. (Collaboration and Cooperation)

1.18. How do botnets get taken down?

1.18.1. ● Common methods include ● Hosting provider de-peered – ● Example: McColo, Troyak Server hosting botnet cleans up/kicks off – Public IRC servers, free web hosting ● Compromised host cleaned up/rebuilt ● DNS Revoked ● IP of C&C server banned – Because Metus pwnz and I open a port on my router at home just like the tutorial told me!

1.19. New node

1.20. detection methods

1.21. Advanced Response

1.22. Roadmap to Botnet Prevention

1.23. You’ve detected it, now what?

1.23.1.  Begin incident response  Treat it like a virus infection  First priority is removal of malware  If possible, determine how it got on  This will help prevent further infections  Prevent it from happening again  Patch, user awareness, etc.

1.24. Why should you care?

1.25. High level of activity by botmaster makes them easier to detect than their bots

1.26. Network signatures can becreated without malware analysis, but signatures created with the help of malware analysis are usually far more effective, offering a higher detection rate and fewer false positives.

1.27. Hunting the ecosystem

1.27.1. Education Computer Security Basics Antivirus Update Apply vendors Security updates Relatively efficient Good Usage of IT Do not click on everything ! Avoid suspicisous sites Only use legal software and licenses No illegal download of MP3, DivX Stop believing everyobody wants to give you money ! Merely useless: humans will be humans

1.27.2. Laws Financial Common laws against crime money Increses risks and reduce interest for criminals Falls into organized crime prevention methods Efficient for 'big' business not for 10.000$ exploits IT Specefic Illegal behavior repression Prevention of ressearch

1.27.3. Technologies

1.27.4. Preventing technologies

1.28. Defending against Bots & Botnets

1.28.1. Home User: Prevention

1.28.2. Home User: Detection

1.28.3. Home User: Response

1.28.4. Sys-Admin: Prevention

1.28.5. Sys-Admin: Detection

1.28.6. Sys-Admin: Response

1.29. Botnets are moviong targets

1.30. No technique is perfect

1.31. All networks are not the same

2. Malware Taxonomy and Evolution

2.1. Remote Access Tools

2.1.1. Cybergate

2.1.2. Bifrost

2.1.3. DarkComet

2.1.4. ProRAT

2.1.5. Sub7

2.1.6. Permanent Connexion Between the Client and each server

2.1.7. Commun Features File Manager KeyLogger Cam Capture Reverse Shell

2.2. Auto-Routers

2.3. Botnets

2.3.1. Architecture Centralized IRC-Based HTTP/HTTPs-Based VoIP-Based SMS-Based in Mobiles Propriety channels Decentralized P2P-Based Different Types Randomized (Hybrid or Mix) Commnication betwwen the bot client and C&C server using HTTP Communication betwwen bots using TCP or encrypted ICMP Command transmission using P2P The detection of a single bot would never compromise the full botnet The message latency would be exteremely high, with no gurantee of delivery Cutsom TCP / IP Classification can be done: Based on the architecture of the botnet OR its communication protocols with the bots.

2.3.2. Internal Strucutre Monolithic Coherent, all features in one binary Evolution may not be trivial Kaiten, SDBot, Spybot Modular Evolution voluntarily made easy Choice of appropriate language (C++) AgoBot Barnum Set of heterogenous scripts Often relies on local interpreters PHP Bots, GTBot

2.3.3. Lifecycle Spread/Propagation Phase Activation I'm active, you can take control of me ! Update Add new features Auto-Protection Code Mutation / Self-Modifying Code Bypass and Block or Kill AntiVirus / Firewalls Managed crypting services System Hardening System FIle Protection Hiding DDNS - Dynamic DNS Domain Name (Fast Fluxing) Quality Assurance Server side polymorphism File Extension Manipulation / Double Extention Rallying mechanisms Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité. Action Attack Spam

2.3.4. Motivation Financial Gain Whos has the most of Bots ? The most resilient ? How easy is-it to control it ? The highest overall bandwith ? The most high quality infected machine ? Ideological Retorsion Counter-Attack Challenge Personal Blackmail Extortion

2.3.5. Taxonomy & Evolution 1999 Sub7 / PrettyPark 2000 GTbot 2002 SDBot AgoBot 2003 SpyBot rBot Sinit PolyBot Bagle Bobax SoBig MyTob 2004 PhatBot 2006 Rustock ZeuS 2007 Storm Cutwail Srizbi 2008 Mega-D Koobface Conficker ASprox 2009 BredoLab Waledac 2010 TDSS Armageddon Artro Aurora BlackEnergy Carberp ClickBot DSNX Bots Donbot DopeBot EggDrop 1993 IRC-Based Festi Forbot Gaobot Gheg Gozi Grum Tedroo Hodprot Kaiten Kelihos Kraken Lurk Lethic Maazben MayDay NuCrypt Perl Based bots Phatbot Ponmocup Q8 Bots Qhost Sality Shiz Spamthru Spy.Ranbyus SpyEye SpyRanbus Waledac Xarvester XtremBot odprot Pony Andromeda

2.3.6. Terminology Bot Master Bot Botnet Army Bot Binary Command and Control C&C Channel C&C Server C&C Infrastructure

2.3.7. Topology Star Multi-server Hierrarchical Random

2.3.8. Usage Legetimate Web crawler Game Managing Managing Databases Maintaining access lists Protect Channel, Carry out Conversations Malicious BitCoin Log Keystores Sniffing Traffic Online Fraud Host Illegal Data Spam/Spamdexing Information Theft Source Code Infection Spread new malwares Disabling Existing Security Selling infected Computers Access Number Replacement Manipulating Online Polls/Games DDoS (Distributed Denial of Service) Buy/Rent out the service of the bot to third parties Trade Bandwidth of high speed bots / Sale of Traffic Act as a proxy server to conceal the attacker's identity / provide anonymity Brute-forcing Remote Machines/Distributed Password Cracking (Computing Power / Scurmping) Gov CYber aTTACK Sold on the black market ! Result

2.4. Browser Hijackers

2.4.1. SpamBot

2.4.2. ClickBot

2.4.3. Browser Helper Object Malicious Plugins

2.5. Dialers

2.6. Downloaders

2.7. Droppers

2.7.1. Injectors

2.8. Exploits

2.8.1. Exploit Kits

2.9. Flooders

2.10. Germs

2.11. HackTool/RiskTool

2.12. Hoaxes: Chain Letters

2.13. Joke Programs

2.14. Kits (Virus Generators)

2.15. Logic Bombs

2.16. Potential Unwanted Program

2.16.1. Installing via Web Banners Google Sponsored Links Fake VLC/Activix Plugins VLC Plugins in Steaming

2.16.2. How it works ? SMS Rip-Off Repack GNU Free Software Add Affiliate Program (Toolbars)

2.16.3. To Clean HijackThis Submit Report to PPoint Configure your AV to block PUP AdwCleaner

2.16.4. Some examples Babylon Toolbar Boxore Complitly Ezlooker Eorezo Incredimail Toolbar SweetIM / SweetPack Searchqu / Searchnu Savings / SideKick PCTuto / Tuto4PC Wagram Yontoo

2.16.5. Download from Trusted Sources : Clubic /

2.17. Ransomeware

2.17.1. Winlockers

2.17.2. MBR Lockers

2.17.3. Exemples Gimemo Reveton Tobfy Lock Em All

2.18. Rootkits

2.18.1. Bootkits

2.18.2. Loading a driver Using an undocumented API The only time when this loading method is really safe is when it's specifically designed around the paging problem. Using the Service Control Manager When a driver is loaded using the SCM, it is non-pageable. This means your callback functions, IRP-handling functions, and other important code will not vanish from memory, be paged out, or cause Blue Screens of Death. This is a Good Thing.

2.18.3. Surviving Reboot Using the run key ("old reliable") Using a Trojan or infected file Using .ini files Registering as a driver Registering as an add-on to an existing application Modifying the on-disk kernel Modifying the boot-loader

2.18.4. API-Hooking IAT-Hooking asy to discover these types of hooks. On the other hand, hooks like these are used frequently, even by the operating system itself in a process called DLL forwarding. Even if someone is trying to detect a rootkit hook, determining what is a benign hook as opposed to a malicious hook is difficult. Another problem with this technique has to do with the binding time. Some applications do late-demand binding. With late-demand binding, function addresses are not resolved until the function is called. This reduces the amount of memory the application will use. These functions may not have addresses in the IAT when your rootkit attempts to hook them. Also, if the application uses LoadLibrary and GetProcAddress to find the addresses of functions, your IAT hook will not work.

2.18.5. Kernel Hooks As a general rule, processes cannot access kernel memory. The exception to this rule is when a process has debug privileges and goes through certain debugging APIs, or when a call gate has been installed. We will not cover these exceptions here. For more information on call gates refer to the Intel Architecture Manuals.[4]

2.18.6. Code / DLL Injection into a userland process The code cave method

2.18.7. The Problem with Hooking There are anti-rootkit applications that can rebuild the system call table. This can be done by reinitializing kernel memory from the original file, ntoskrnl.exe. If the system call table is rebuilt after your rootkit is installed, all hooks will be lost.

2.18.8. Virtual Rootkit ( ring 1) BluePill (supports AMD-V and recently VT-X) SubVirt (supports VT-X) VM aware malwares. (Not a root kit, but related.)

2.19. Scareware (Rogue) or (Blackmailwaire)

2.19.1. Antimalware Doctor

2.19.2. Spyware Guard 2009

2.19.3. Security Suite

2.19.4. HDD Defragmenter

2.19.5. Security essentials 2011

2.19.6. Advanced Virus Remover

2.19.7. type System Defragmenter Anti-Spyware

2.19.8. Infected Users need to send a text call to get a valid serial number to remove the Trojan.

2.19.9. Displays a lot of warning messages, change the desktop background, detects fake infections and blocks softwares execution. It comes from fake online scanners, malicious porn sites, fake cracks and exploits.

2.19.10. Windows Problems Protector is a fake security application from the same family as: Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.

2.19.11. A new version of the multi-rogue scareware has been released. This malware is looking for the OS version (XP, Vista, Seven) and changes its name and skin: XP Anti-Spyware, XP Home Security 2011, XP Anti-Virus 2011 (...). It belongs to the Braviax family. As usual it displays fake warning messages to push users into buying a license.

2.19.12. WindowsTool is a fake Defragmenter tool (rogue) from the same family as: WinScan, Disk Recovery, WinDisk, Windows Disk, Windows Scan, Memory Optimizer, Disk Optimizer, Good Memory, Fast Disk, Disk OK, My Disk, Memory Fixer, HDD Fix, HDD Low, Scanner, Disk Repair, Defragmenter, HDD Tools, Smart HDD, HDD Rescue, HDD Plus, HDDDiagnostic, Hard Drive Diagnostic, HDD Scan, Win Defragmenter, Win Defrag, Win HDD, Check Disk, Ultra Defragger, Quick Defragmenter, HDD Defragmenter, System Defragmenter

2.19.13. Malware will modify the registry key for go into safe mode on the next reboot, and will queue your antivirus for unistallation.

2.20. Spammer Programs

2.20.1. Mail Bombers

2.20.2. How it works? Bullet proof Servers Hacked servers Botnets The bot received the template of the spam message Mailing list Webmails Gmail, Hotmail, ...

2.20.3. Anti Spam SpamPal Spamihilator SpamFighter PharmaIncome Drugstore

2.21. Spywares

2.22. Trojan Horses

2.22.1. Backdoors (Trapdoors)

2.22.2. Password-Stealing Trojans (PWS)

2.22.3. Banking Trojans

2.23. Worms

2.23.1. Mailers and Mass-Mailer Worms

2.23.2. Octopus

2.23.3. Rabbits

2.24. Malware often spans multiple categories. For example, a program might have a keylogger that collects passwords and a worm component that sends spam. Don’t get too caught up inclassifying malware according to its functionality.

3. Malware Analysis

3.1. What is Malware Analysis ?

3.1.1. The action of taking the malware apart to study it in a Malware Laboratory

3.2. What is a Malware Lab ?

3.2.1. Controlled Environnement All the information must be recorded for later usage

3.2.2. Isolmated The malware must not be allowed to contact with any external source , but…

3.2.3. Full Simulated The laboratory must provide all the resources needed by the malware

3.3. Why Malware Analysis ?

3.3.1. Analysis of unknown/suscpious files

3.3.2. Public information from antivirus & Security Companies is not complete

3.3.3. Private information about the malware required an expensive paid service

3.3.4. To determine the sophistication level of the malware author

3.3.5. To identify the intruder or insider that is responsible for installing the malware

3.3.6. Questions broken down into Business What is the purpose of the malware ? How did it get here ? Who is targetting us and how good are they ? It is a customized malware that target small/particular organization ? What are the risks and the consequences ? What did they steal ? How can I get rid of it ? How long has it been here ? Does it spread on its own ? How does the malware propagate ? How can I find it in other machines ? How can you make sure I've deleted the entire malware package and not just one part of it? How do I prevent this from happening in the in the futur ? If you were a virus writer, how might you improve it ? Technicals What are the network-based indicators that reveal the precense and activity of the malware ? What are the host-based indicators that reveal the precense and activity of the malware ? Is it based on any other well-known tool ? Is it persistent ? If so, what mechanism does it use to ensure that it keeps running after a machine is rebooted ? What affects does the malware on the Windows Registry ? Does the malware create/tamper any files? When was the program written, compiled, and installed ? What languages was used to write the program ? Is it packed ? What packer was used ? It is a customized or a well-known packer ? Does it have any anti-reverse engineering functionality ? Does it include any rootkit/worm/trojan functionality ? What was the vulnerabilities that was exploited to allow the malware to get there in the first place or, to learn and have fun

3.4. How can we get the malware ?

3.4.1. From Online Sandboxes & Anti virus

3.4.2. Spamtrap

3.4.3. From honeypots Recovered from complete machines Automated capture systems. Nepenthes, Vulnerable service simulation (Ex: MS-RPC) ...and the good news are...  Do NOT execute the buffer overflow code  Parse the attack and simulate an infected system  Download and store those interesting payloads Untitled

3.4.4. Received from another CSIRT or group

3.4.5. From our costumer, when handling an incident

3.5. Lab Elements

3.5.1. Victim machines In which the malware can be run. OS-Unpached Firewall/AV disabled Applications unpatched (Microsoft Office, Browser, ...) Consider leaving some intentional traces of normal usage, such as browsing history, cookies, documents, images etc. If a malware is designed to operate, manipulate or steal such files you’ll be able to notice it.

3.5.2. Support Tools for building the lab VMTools-like

3.5.3. Analysis Tools that can be used to analyze the malware Static Analysis Tools Dynamic Analysis Tools Remote Analysis Tools File Exploration Tools

3.5.4. Network Simulation Internet connection DNS server DHCP server IRC server SMTP server Proxy Web server • Use a free address range We can configure a linux/Unix box that  Accept traffic like a router  Respond to the DNS queries  Accept traffic to some services

3.5.5. How many machines do we need for our lab ? Hardware is not only expense, but Difficult to maintain Too much space .. Virtualization software can be used to reduce this cost. Run different virtual machines at the same time Run unmodified version of most operating system Provide configurable resources, advanced disaster recovery, and isolation. Allow to have different, isolated networks for the machines Machines can be connected to the real interfaces Examples But .... Your virtualisation software is not perfect, and may allow information to leak from the virtual machine to your host machine in a way you didn't expect Malware is incorporing code to detect virtualization environment and may modify its behavior Sometimes we need to try with another virtualization software or use real machines or use real machines connected to the virtual lab Or, if you have a budget Use Norton Ghost for quickly restoring system images or any re-imaging machines softwares Updcast, Truman CoreProtect Card

3.6. Lab hardware

3.6.1. Intel based:

3.6.2. • Machine with

3.6.3.  Memory for running three virtual machines

3.6.4. ~2gb

3.6.5.  Network interfaces

3.6.6.  Disk space for storing virtual machines ~

3.6.7. 3Gb.

3.6.8. • Additional hardware/software

3.6.9.  Emulator of other hardware

3.6.10.  Real machines

3.6.11. Only two machines:

3.6.12.  One to simulate the net

3.6.13.  Another to execute & analyze the tool

3.6.14. Subtopic 14 Windows machine Unpatched Windows machine.  To execute the malware  To analyze the malware Tools installed in the machine Regshot  LordPE  Binhex , from foundstone tools  Ollydbg ,  Idapro ,

3.7. Build the lab

3.7.1. Caution before executing the malware

3.7.2. Check that all the machines are in the correct network

3.7.3. Check that the lab is not connected to any other network.

3.7.4. Check that you are executing the malware in the correct machine

3.8. Malware Analysis Methodology/Process

3.8.1. Preparation File Fingerprinting / Hashing Filtering (AntiVirus Scanning) Online Sandbox Services Weeding Quick Examination of Virus Code Inside the PE format (header/functions/IAT) String Dump Packer Detection Crypto Routines Disassembling Black-Boxing

3.8.2. Unpacking How do you know if a file is packed no import table sometime, in the start function, there are some xor eax, eax no strings a big portion of code is inside .data section high entropy The general way by using ESP registerHD BP on ESP register change OllyDBG SFX Features BP on access on the code section of the program. Tracing the program till Retn / jmp Exceptions generated by the packer File is packed? moddify the JMP to OEP to our own code ( code cave), patch the target, then jmp back to OEP < Inline Patching POSHAD/POPAD method Always verifi base of code and base of data after unpacking, so OLly won't caplain with EP outside code section insert unexisting addresses to distract the reverse ( IAT rebuilding) To unpack it, the easier way is to put a breakpoint on WriteProcessMemory. At this breakpoint, the packer writes the unpacked binary in a new process. Most Visual Basic packers are packers on the “heap”, so we can directly recover the binary by setting breakpoints on functions like VirtualAllocEx and WriteProcessMemory, Also LoadLibrary, LocalFree Packers Theory The Imports Table has been removed, the packer saves only (in a secure place) the hashes of the API names and their addresses at the IAT. The algorithm is well obfuscated and has lots of anti-debug, anti-trace... The packer doesn’t use GetProcAddress. Instead, it implements its own algorithm to find the APIs at the exports table of the DLLs. The IAT has been redirected Packers Theory 2 PE Packers compress the PE sections or some other data using some compression algorithms like LZMA ,LZSS,APLIB etc. So to before the running the actual malicious code the packer would How to unpack

3.8.3. Disassembling and Decryption

3.8.4. Dynamic Analysis Techniques File-change monitoring Goat file-based analysis Registry change tracking Process and thread monitoring CPU in use Memory in use Drivers/DLLs used Network port monitoring Network sniffing and capturing NetBIOS NetStat System call tracing Debugging Code emulation

3.8.5. Automation ? Processus manuel, fastidieux, erreurs possibles Scripts –Reboot / Snapshots automatisés:

3.8.6. You don't have to follow the process as it is. Most are done because of either lack of time, skills or understanding of how to reverse malware. Some may think, why reinvent the wheel? This is all OK.

3.8.7. Note down your finding so you will be able to see trends or recognize similar behaviors of samples that could help in reversing future samples that exhibit similar characteristics.

3.8.8. Methodology of Reverse Engineering Code Do always some investigation about the app you're reversing : EXE/DLLs + Configuration Files, Compiler Call Stack RET TO DISASSASEMBMER Stack Window / Pane Window Ressource Identifiers Search for commands -> Push (ID number) Magic Byte / Half Byte BP Particular APIs KillTimer () RegQueryKey () GetLastError () GetDlgItemText () ..... Find references to @ contstant Esthetical Patching Protections Server Check KeyFile Registry Key Time Limit Keygenning Routines ADD, SUB, ROR, ROL, SHL, SHR XOR, OR, AND, NOT BTSWAP, MODULO, SIGMA Simple Ciphers: Ceaser, Base64, .. Standard Ciphers Custom Encodin Algos Insert / replace a char between a stringcode Generate a stringcode and use it somewhere Algo/Math tricks: NUmber THeory, Prefect Numbers FPU instructions : Arctan, sin, cos, puissance, ..., PI Equations GetComputerName() / GetLocalTime ()

3.8.9. Done ?

3.9. Malware Analysis Report

3.9.1. Supporting Figures Logs Strings Function listings Screenshots

3.9.2. Observations Behavioral analysis Static code analysis Dynamic code analysis Memory analysis

3.9.3. Dependencies Targeted Archiecture / OS Targeted Format Patch level Required libraries Configuration files Scripts and executables URLs

3.9.4. Sample's Characteristics Infection capabilities Self-preservation capacity Spreading mechanics Payload Data leakage abilities Performance degradation Destruction of personal data to bot infection, Remote attacker interactions

3.9.5. Sample's Identification File name, type, size File hashes Anti-virus identifiers

3.9.6. Summary of the analysis Key observations Recommendations Limitations Report date and authors

3.10. Malware Analysis Tools

3.11. General Rules for Malware Analysis

3.11.1. don’t get too caught up in the details. Most malware programs are large and complex, and you can’t possibly understand every detail. Focus instead on the key features. When you run into difficult and complex sec-tions, try to get a general overview before you get stuck in the weeds.

3.11.2. remember that different tools and approaches are available for different jobs. There is no one approach. Every situation is different, and the various tools and techniques that you’lllearn will have similar and sometimes overlapping functionality. If you’re not having luck with one tool, try another. If you get stuck, don’t spend too long on any one issue; move on to some-thing else. Try analyzing the malware from a different angle, or just try a dif-ferent approach.

3.11.3. remember that malware analysisis like a cat-and-mouse game. As new malware analysis techniques are developed, malware authors respond with new techniques to thwart analysis. To succeed as a malware analyst, you must be able to recognize, understand, and defeat these techniques, and respond to changes in the art of malware analysis.

4. Infection Vectors and Spreading Mechanisms

4.1. Malvertising

4.2. SPAM / eMail-Attach

4.2.1. Target users with – Fake delivery notices – Fake IRS notices – Fake orders from online retailers

4.3. Freeware

4.4. Instant Messaging

4.4.1. MSN Messenger

4.4.2. Yahoo Messenger

4.4.3. ...

4.5. Social Networks

4.5.1. Clickjacking

4.5.2. Likejacking

4.5.3. Likejacking

4.6. Warez/P2P Networks

4.6.1. Cracks, Keygens, .. flagged as maliciours Users think it's false positives To prevent illegal content but they are maliciours

4.7. Trojan Horses/Backdoors

4.8. Drive-by Download/Install

4.8.1. Fake Codecs

4.8.2. Fake ActiviX

4.8.3. Java Applet

4.8.4. ...

4.9. Exploits / Exploit Kits

4.9.1. Exploiting One Specific vulnerability / Known multiple Vulnerabilities / 0-days Browsers Firefox Chrome IE ... Software Java Adobe ... OS MS03-007 Unchecked Buffer In Windows Component Could Cause Server Compromise MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution MS04-011 Vulnerabiility in LSASS MS04_007 Microsoft ASN.1 Library Bitstring Heap Overflow MS04-045 Vulnerability in WINS Could Allow Remote Code Execution ms05017- ms05039 WebDAV, NETBIOS, DCOM LSAAS, VNC Exploit-kits Blackhole Bleeding Life BestPack CritXPack (Previously Vintage Pack) CoolPack Fiesta ICEPack MPack NeoSploit Nuclear Pack PhenixPack ProPack RedKit Sakura Styx Sweet Orange Yang Pack Sweet Orange Upas

4.10. Trusted Products/Services

4.10.1. Cacao web

4.10.2. BlackHat Forums People who install whatever they asked to To Earn Income

4.10.3. Profit for famous personalities/events spread becomes easy

4.11. Links in Social Networks / Blogs that leads to Malicious Web Pages

4.12. Combined with Social-Engineering Attacks

5. References/Resources

5.1. Certifications

5.1.1. Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

5.1.2. Security 569: Combating Malware in the Enterprise courses

5.2. eBooks

5.2.1. Rootkits: Subverting the Windows Kernel

5.2.2. Professional Rootkits

5.2.3. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

5.2.4. Hacking Exposed: Malware & Rootkits

5.2.5. The Art of Computer Virus Research and Defense

5.3. Links

5.3.1. Malware Database & Repositiries

5.4. Forums


5.4.2. www.ubers.og

6. Some Notes ...

6.1. Malware is tricky, and creators of it are trickier. 

6.2. Malware can be detected from user PCs / Mail traffic

6.3. Click fraud appears to be comparatively easy to manipulate with the further advantage of drawing little attention from law enforcement, unlike banking trojans.

6.4. Spam-botnet

6.4.1. the number of messages sent

6.4.2. the number of bytes-sent

6.4.3. the number of bot members

6.5. According to the MSDN, WNet* functions are used to enumerate networks resources and connections.

6.5.1. The most interesting is the import table from MPR.dll.

6.6. To sum up: Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone's identity and your odds of being caught are almost infinitesimal. Consider, too, that identity theft comprises only 9.8 percent of all Internet crime, not including the likes of intellectual property theft. Factor in all Internet crime, and the numbers are likely to be far, far worse -- which is saying a lot.

6.7. Why botnets owners stop making money

6.7.1. Because security guys found it how did they found it ? maybe coz they advertise it qomeone leak it Honeypotd captured the sample and analyzed it making so much noise people are complaining about their data

6.8. Type of people

6.8.1. Normal Internet USer Surf Internet, facebook, social network Listen to music Watch youtube Check News Work in Office Protection is done by AV chiefly !

6.8.2. Advanced User Have some CS knowledge Some Security Background ScanFiles, Update Antivirus Remove entries from registre Protection is done by AV chiefly !

6.8.3. Malware Analyst Avanced User + Know how malware infection happen, and how it spreads Know how to reverse / analyse classical malware but not advanced He chould manage to delete it from the system if found Protection is done by User knowledge then AV / IDS come second

6.8.4. Virus Expert Antivirus Companies Have advanced tools for monitoring § capuring malwares Just a question of time to demystify the malicious code and write a desinfector for it ! The knowledge pure & dure !

6.9. steal gauss data

7. Defense mechanisms of Malware

7.1. Anti-Reversing Tools

7.1.1. Blacklisting some processes Process Monitor Process Explorer Total Commander

7.2. Anti-Sandbox / Anti-VM

7.2.1. Generic or Specific

7.2.2. Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc

7.2.3. Advapi32.RegOpenKeyExW” API and looks for keys present in “System\ControlSet001\Services\Disk\Enum”. Enum key stores values for the various drives present in the system. The malware checks for the presence of emulators through strings like vmware, vbox, virtual, qemu etc

7.3. Anti-Dumping

7.3.1. SizeOfImage

7.3.2. Erasing the header

7.3.3. Nanomites

7.3.4. Page Guard

7.3.5. Stolen Bytes

7.3.6. IAT Elimination / API Redirection

7.4. Anti-Intercepting

7.4.1. Write -> Execute Some interceptors watch for write-then-exec Executing dummy just-written instruction can fool them Used by ASPack, but probably for multi-processor support

7.4.2. Write^Execute Change can be detected indirectly Kernel functions return error when writing to read-only pages VirtualQuery() and VirtualProtect() return old page attributes

7.5. Anti-Emulating

7.5.1. Interrupt 3

7.5.2. Time-locks

7.5.3. Invalid API parameters

7.5.4. GetProcAddress

7.5.5. "Modern" CPU instructions

7.5.6. Undocumented instructions

7.5.7. Selector verification

7.5.8. Memory Layout

7.5.9. File Format Tricks Non-aligned SizeOfImage Windows will silently round up the value Overlapping structures Tools such as IDA have a problem with this Non-standard NumberOfRvaAndSizes SoftICE and OllyDbg have a problem with this Non-aligned SizeOfRawData Windows will silently round up the value Non-aligned PointerToRawData Windows will silently round down the value No section table Allowed when SectionAlignment is less than 4kb Header becomes writable and executable

7.6. Anti-Breakpoint

7.6.1. Hardware Breakpoint Context Structure

7.6.2. Memory Breakpoints

7.6.3. Software Breakpoints

7.7. Anti-Tampering

7.7.1. Self-Checking / Self-Validation or Integrity checking : CRC Static : Verity only on startup Dynamic : Repeatedly verifies its integrity as it is running

7.7.2. rolling checksum, CRC32, md5, sha1, adler, md4

7.8. Anti-Attaching/Debugging

7.8.1. NtGlobalFlag

7.8.2. Heap Flags

7.8.3. Heap

7.8.4. IsDebuggerPresent()

7.8.5. CheckRemoteDebuggerPresent()

7.8.6. Debug Objects NtQueryInformationProcess() ProcessDebugObjectHandle class ProcessDebugFlags class SystemKernelDebuggerInformation class (kernel) NtQueryObject (kernel)

7.8.7. Thread hiding NtSetInformationThread() HideThreadFromDebugger class

7.8.8. OpenProcess() & SeDebugPrivilege

7.8.9. CloseHandle()

7.8.10. ReadFile()

7.8.11. WriteProcessMemory()

7.8.12. UnhandledExceptionFilter() SetUnhandledExceptionFilter ()

7.8.13. BlockInput()

7.8.14. SuspendThread()

7.8.15. Guard pages / CopyMem2

7.8.16. Multi-Threads Packing

7.8.17. Heap Flags

7.8.18. Alternative Desktop

7.8.19. Prefetch queue

7.8.20. Execution timing GetTickAccount, TimeGetTime() or QueryPerformanceCounter() RDTSC

7.8.21. Instruction counting Count Hardware Breakpoint

7.8.22. Parent Process

7.8.23. Exceptions Move EIP around

7.8.24. Header Entrypoint

7.8.25. Self-Execution

7.8.26. Process Name CreateToolhelp32Snapshot, Process32First/Next

7.8.27. Threads

7.8.28. Self-Debugging

7.8.29. TLS Callback

7.8.30. Disassembly

7.8.31. Device Names SoftIce Filemon Regmon Product and copyright strings can be compared to "watch list"

7.8.32. EventPairsHandle

7.8.33. Soft-ICE Specific Interrupt 1 is normally not invokable from ring 3 SoftICE hooks interrupt 1 and allows ring 3 access So wrong exception when SoftICE is running Used by SafeDisc

7.8.34. OllyDbg Specific Cannot handle unusual NumberOfRvaAndSizes value Some unchecked fields allow memory allocation DoS Initial ESI register value is -1 on Windows XP Looks like a detection method It's just a coincidence Passes user-defined data directly to _vsprintf() Leads to DoS condition Debugger window can be found by calling FindWindow("OLLYDBG") Hide-Debug Specific :Plug-in for OllyDbg Detectable by far jump at OpenProcess()+6 OllyDBG API Redirection

7.8.35. ImmunityDebug Specific Based on OllyDbg Shares many of the same vulnerabilities

7.8.36. WinDBG Specific Debugger window can be found by calling FindWindow("WinDbgFrameClass")

7.9. Self-Modifying Code

7.9.1. Oligomorphism

7.9.2. Polymorphism

7.9.3. Metamorphism

7.10. Garbage/Junk Code Insertion and Permutation

7.10.1. Opaque Predicates are false branches, where the branch appears to be conditional, but is not. For example, if( 1==1) is an unconditional jump, but because of the way decompilers like Olly work, the fact that this is not really a conditional is not known.

7.11. Rootkitting

7.11.1. hide files, directories, drivers, processes, and registry entries and config files.

7.12. Malformed PE Header

7.12.1. Fooling OllyDBG :)

7.13. Erase PE header if reversing detected

7.14. System FIle Protection Hiding

7.15. System Hardening

7.16. Bypass, Block, Blacklist or Kill AntiVirus / Firewalls / Desinfinctinf Forums

7.16.1. Dumphive, The Avenger, Gmer, IceSword, ComboFix, SDFix

7.17. DDNS - Dynamic DNS Domain Name (Fast Fluxing)

7.17.1. Single Utilisateur d'un ou de plusieurs domaines Bot : Choix de l'url destination en fonction du type de requete Changement régulièr des IP associés au nom du domaine (NDS) Utilisatation des machines zombies en Reverse Proxy ( Trasfert des reqêtes de la victime vers le serveur réel) + Camouflage de l'IP du serveur réél - @ du serveur de noms compromis

7.17.2. Double + disponibilité quasi optimale résiste à l'arrêt d'un serveur DNS

7.17.3. Double évolué Botnets run own DNS service to resolve the C&C servers. Use high port numbers to avoid detection by security devices and gateways

7.18. Managed malware crypting services

7.19. Quality Assurance

7.19.1. Cybercriminals aren't solppy about their work !

7.20. windows native API in NTDLL.DLL and NTFS ADSs, Alternate Data Streams. Malware will frequently  abuse these rather helpful tools to keep itself from being discovered. 

7.21. DDos Whos Studying it

7.22. Quality Assurance

7.23. Server side polymorphism

7.24. File Extension Manipulation / Double Extention

7.24.1. Ghost RAT

7.25. Rallying mechanisms

7.25.1. Hard-Coded IP address The bot communicates using C&C ip addresses that are hard-coded in it’s binary files. Easy to defend against, as ip addresses are easily detectable and blocked, which makes the bot useless.

7.25.2. Dynamic DNS Domain Name - Hard-coded C&C domains assigned by dynamical DNS providers. - Detection harder when botmaster randomly changes the location - Easier to resume attack with new, unblocked Domain Name - If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.

7.25.3. Distributed DNS Service Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways

7.26. Modification du système (changeùment de regle de filtrage réseau, désactivation d'outils de sécurité.

7.27. To evade signature-based detection systems, it appends some randomly generated bytes to the end of the file.

7.28. Double Checks in separate places / on each startup

7.29. Do-it-yourself malwares cryptors

7.30. Hijack HOSTS file to point to the local host120.0.0.1

7.31. Delete SafeBoot Key to make access to the Safe Mode impossible

7.32. Disable CMD / Regedit / TaskManager / SystemRestore

7.33. Hide Folder Options in the explorer Menu to prevent show hidden files

7.34. Hook Mouse event to check if it is an automated system

7.35. SLeep for evading automated systems : NtDelayExecution() or SLeepEx ()

7.36. In order to hide itself, the bot duplicates the Modification, Access, and Creation times (MAC times) information from Ntdll.dll library, and applies them to the sdra64.exe. The intent of this is to make sdra64.exe appears to be a system file that has been around since Windows was first installed

7.37. In another level of hiding the created file, it sets the sdra64.exe file attributes to system and hidden, so that the user cannot see the file using the standard file explorer

7.38. Anti Cracking

7.38.1. Checks for good or bad serial should be as much far as possible

7.39. malware drop another malware than load VBS script from its ressources then inject it to another process

7.40. Throw BSOD

8. Known malwares techniques

8.1. persistence to reboot

8.1.1. adding an entry to the well-known "Run key" in the user's registry base, or creating a Windows service if the necessary privileges are available. Malware can also use Scheduled Tasks, Winlogon, AppInit, ActiveSetup