|
Archive for the ‘Evasion technique’ Category
Monday, August 10th, 2009
Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both the McColo ISP and the more recent Pricewert/3FN ISP shutdowns in California, both of which brought down global levels of spam for a short time and cut off the control servers where many bots retrieved their command and control instructions.
To further the botnet’s resilience and spread, the distributors of the malicious executables attempt to re-pack and re-obfuscate the components to evade security file scanners on victim systems. The executable runtime behavior may change across variants just a bit, but the fingerprint and physical makeup changes dramatically. This type of evasion, of course, is ineffective against a behavioral-based solution like ThreatFire. Cutwail is succesfully prevented from running on ThreatFire community user systems on a daily basis.
Some of the latest Cutwail/Pandex variants are themselves delivered in a variety of ways to a user’s system, renamed to reader_s.exe and run (note, other prevalent and current variants are renamed to update.exe). Reader_s.exe drops 0.exe, which drops an ADS or “alternate data stream” to the drive. This sort of location on the drive is tricky for a user to spot, because the svchost.exe:ext.exe stream cannot be seen as a file within an explorer window. This ADS executable code is installed as a system service by the Cutwail dropped executable 0.exe. Then, 0.exe launches and hijacks a svchost.exe process, communicating from it over an encrypted channel to a set of ip addresses. These communications eventually result in the compromised system gathering information to spew enough spam to help generate over 74 billion messages a day from the botnet.
The packing and evasion techniques implemented within these executables changes over time. One of the recent techniques is one that we have seen before in a variety of Fakealert executables in the past — intermixing random mmx instructions into the compiled code itself. These instructions have no functional purpose whatsoever. They simply modify values within the mmx registers arbitrarily. Intermixing the mmx instruction set unexpectedly within functions using the general-purpose intel instructions can cause problems for recognizing Cutwail malcode for emulators, backend automation, and AV scanners themselves — the evasion technique can be effective.
You can see one such function that was modified with mmx “nop” filler:
Protecting your system from becoming a part of the largest, most active botnet on the web requires an effective behavioral based layer like ThreatFire.
Posted in Bot, Dropper, Evasion technique, FakeAlert, Undetected malware | No Comments »
Tuesday, August 4th, 2009
We examined a variant of this Clampi family of password stealers (also known as Ilomo) that was second most prevalent within the ThreatFire community. As described in previous posts, malware often injects malicious code into other processes (or hijacks other processes) running on a system for a variety of reasons. Two Win32 apis are most frequently called to do so: WriteProcessMemory and CreateRemoteThread. In the case of Clampi, we see that Clampi creates a new Internet Explorer process. Instead of using the worn out method of writing to the process memory space and then creating a thread on it, these guys pass a non-ASCII string of characters as a parameter to iexplorer.exe. For our fellow researchers, Ilomo’s CreateProcess lpCommandLine string starts like this:
“C:\Program Files\Internet Explorer\iexplore.exe” üë^‹þW¬Zt,AÀàŠØ¬,AêëìXÃèáÿÿÿILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAI
The parameter is copied to a region within the process virtual space by the process loader. Clampi’s malicious injector then calls VirtualQueryEx an arbitrary number of times on the Iexplore process until it finds a match on the memory region it is interested in, and then ReadProcessMemory and a lower level memory comparison to find an exact match on the shellcode content passed as parameter and maintained within the iexplore virtual memory space. Upon exact match, CreateRemoteThread is called on that memory location and the injected code runs within iexplore.
These sorts of unusual methods are invariably the result of determined efforts by the malware writers to evade security solutions that base their matches on WriteProcessMemory calls. This evasion is not effective against ThreatFire.
Posted in Crimeware, Evasion technique, Undetected malware | No Comments »
Thursday, July 30th, 2009
The banking password and information stealer Clampi recently was described as infecting anywhere from 100,000 and 1 million windows PC’s. Let’s take a closer look at this menace, and what interesting Clampi behaviors ThreatFire has been preventing in our community.
First, let’s talk about the distribution over the past year. Most of the Clampi executables appear to be unique, and appear to have been run on no more than one machine. The bulk of these executables are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Mostly all of the Clampi variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows pdf readers, be sure to update the software on your system, especially popular web browser third party plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message may be getting out that third party plugins need to be updated on a regular basis, the advice does not seem to be followed reliably.
The trojan runs a new instance of Internet Explorer and injects it with executable code of its own, accesses the personal store of saved passwords, and phones the data off of the system to multiple web sites. It’s not a set of new malicious techniques, but highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac .
Symantec named this malware Trojan.Clampi, and it has been labelled inconsistently by other groups with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2, Agent, and often it is detected by its packer’s characteristics. Unfortunately, its packer changes and old signatures can become ineffective against this malware as it appears on systems around the world over time. PCTAV heuristics were effective over time, however.
Update: Please see post with a bit of technical information regarding Clampi variant’s injection technique.
Posted in Bot, Crimeware, Evasion technique, Exploit | No Comments »
|
|
|
|
