Crown Malware Chips
The development of information technology affects the entire spectrum of software, and malware is no exception. We can distinguish the following basic techniques used in the development of "advanced" malicious software (malware):
- Exploitation of vulnerabilities in software installed on the affected computer for hidden launch or privilege escalation.
Examples: Stuxnet, instead of the traditional launch from a USB drive through autorun (autorun.inf), used the MS10-046 shortcut-processing vulnerability; later Sality began to use the same vulnerability. Conficker used the MS08-067 vulnerability in the "Server" network service, which allowed it to spread to a large number of machines. The vulnerability, as a rule, belongs to the buffer overflow class, but not necessarily; it may also be a heap overflow, etc.
A brief summary of buffer overflows: programs often use the stack. The stack simplifies passing parameters to a function and returning control to the place the function was called from. Example: we call a function that reads a line from the keyboard. The return address is put on the stack, let's say 4 bytes, and then we reserve 255 bytes on the stack for the line, which we can easily spare. But comrade Ivanov, working with our program, goes and enters a string 364 bytes long. The 4 bytes of the return address are overwritten with other bytes (from the string). Control therefore returns not to the place the function was called from, but somewhere else. In particular, the input can be tuned so that the line contains binary code and the jump goes to an address inside the memory area holding our line. Such a tailored sequence (of data in general, not just strings) is called shellcode, and malware that injects shellcode is called an exploit. The vulnerability of our program is that the length of the input string is not checked. To fix the vulnerability, a patch is applied. A patch is a program (or sequence of actions) that modifies certain files to fix vulnerabilities.
- Application of polymorphism technology.
As you know, one of the antivirus methods for detecting malware is signature analysis. This means that for the malware, some characteristic sequence of data (bytes) is determined, which is called a signature. Such a signature should not be found in any other program. In general, it may look like this in a text description: 127 bytes from the beginning is 7, 145237 bytes from the end is 255, while 145235 bytes should be 0. Polymorphism is aimed at ensuring that the malware file is different each time, so that no regularity (signature) can be singled out in it. For example, Zeus, during its hidden installation, re-encoded its main module, so on different computers the same version differed in almost every byte. A particularly "advanced" method is server-side polymorphism, when a malicious server delivers a newly assembled copy of the malware to each computer. Moreover, the file conversion algorithm is not contained in the malware itself, but is implemented on the server. This greatly increases the ability to create dissimilar copies, as the code "mutation" can be arbitrarily large and complex. This method was used, for example, in Storm.
- The presence of rootkit functionality aimed at hiding the signs of malware in an infected computer.
As a rule, this implies the invisibility of malware files at the system level, the invisibility of malware processes in the "Task Manager", certain registry keys, and so on.
- Implementation of the functions of self-defense.
Self-defense implies counteraction to antivirus programs, for example, forced termination of their work, or to user actions, for example, blocking the launch of the registry editor. Access to the portals of antivirus companies or information security sites, where you can get instructions for removing the malware or download an antivirus or its updates, can also be blocked. True, incorrect operation of the antivirus is an unmasking factor for malware. A separate item is the removal from the affected computer of its "competitors", that is, other malicious programs. A classic case of such a confrontation is the struggle between the Srizbi and Storm bot families.
- Using a control system to send commands and receive information from malware that is resistant to the actions of antivirus companies aimed at stopping the botnet.
A botnet is a collection of bots (malware of the same variety) that receive commands from a single source - from an operator or operators (attackers).
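The positional signature described under polymorphism above, as an added example that is not part of the original article: a matcher for "byte at offset N equals V" rules, a check that a signature does not flag clean files, and a demonstration that a re-encoded copy of the same content no longer matches. The offsets are scaled down from the article's, and all sample data and file names are constructed.

```python
from typing import NamedTuple


class ByteRule(NamedTuple):
    offset: int  # >= 0 counts from the start of the file, < 0 from the end
    value: int   # byte value expected at that position


# Constructed signature in the article's style, scaled down for a 1 KiB sample.
SIGNATURE = [ByteRule(127, 7), ByteRule(-237, 255), ByteRule(-235, 0)]
# A signature with a single rule is too loose and will hit unrelated files.
LOOSE_SIGNATURE = [ByteRule(-235, 0)]


def matches(data: bytes, signature) -> bool:
    """True only if every rule holds; a file too short for a rule never matches."""
    for rule in signature:
        index = rule.offset if rule.offset >= 0 else len(data) + rule.offset
        if not 0 <= index < len(data) or data[index] != rule.value:
            return False
    return True


def false_positives(signature, clean_files: dict) -> list:
    """Names of known-clean files that the signature would wrongly flag."""
    return sorted(n for n, data in clean_files.items() if matches(data, signature))


def differing_fraction(a: bytes, b: bytes) -> float:
    """Share of positions at which two equal-length copies differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def build_samples():
    """Constructed stand-ins: a 'known' copy, a re-encoded copy, clean files."""
    known = bytearray(bytes(range(256)) * 4)
    known[127], known[-237], known[-235] = 7, 255, 0
    known = bytes(known)
    recoded = bytes(b ^ 0x5A for b in known)  # same content, every byte changed
    clean = {"clean_a.bin": bytes(1024), "clean_tiny.bin": b"\x07" * 16}
    return known, recoded, clean


if __name__ == "__main__":
    known, recoded, clean = build_samples()
    print("known copy matches:     ", matches(known, SIGNATURE))
    print("re-encoded copy matches:", matches(recoded, SIGNATURE))
    print("bytes that differ:      ", differing_fraction(known, recoded))
    print("false positives (strict):", false_positives(SIGNATURE, clean))
    print("false positives (loose): ", false_positives(LOOSE_SIGNATURE, clean))
```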
Cryptography Basics
For a general understanding of the technology of electronic digital signatures (EDS), which will be discussed later, it is necessary to introduce the basic concepts of cryptography. Existing encryption methods can be divided into symmetric (DES, 3DES, AES, RC4, RC6) and asymmetric, or public key encryption (RSA, ECDSA). The main differences between them:
- symmetric encryption is much faster than asymmetric (tens of times);
- in symmetric encryption, the key is one, in asymmetric - two.
With symmetric encryption, there is a need for a key exchange between two users (which is very inconvenient, especially if they are very far from each other); asymmetric encryption does not have this drawback. Its main essence: there are two keys, a private one and a public one, and it is impossible to guess or calculate the private key from the public one in an acceptable time (for example, during the life of a cracker) using the computing power available today. Naturally, right now an 8-bit key can be calculated in less than a second, while a 1024-bit key would take many years to find. Another property of the public and private keys is that either of them can encrypt a message, and the other then decrypts it. That is, two operations are possible:
- sender - source text - private key - encrypted text - public key - decrypted text - recipient;
- sender - source text - public key - encrypted text - private key - decrypted text - recipient.
Operation 1 is used for signing, operation 2 is used for encryption. Two key pairs are used, one per participant in the exchange (users A and B):
- sender A - source text - private key A - encrypted text - public key A - decrypted text - recipient B;
- sender A - source text - public key B - encrypted text - private key B - decrypted text - recipient B.
The private key should be stored only by the user and nowhere else; the public key, in the form of a user-key bundle, can be freely distributed anywhere. In the first case (proof of identity, or signature), user B is sure that user A sent the message, since no one except A can encrypt the message so that it can be decrypted with public key A (the private key cannot be calculated using the public key). In the second case (encryption), only user B can decrypt, using his private key B, a message encrypted by any user with his public key B (the private key cannot be calculated using the public key).
In practice, the scheme is somewhat more complicated, since, as already mentioned, asymmetric encryption is tens of times slower than symmetric. Therefore, when signing, encryption is applied not to the entire amount of data, but to some function of this data, called a hash function. As a simple hash function, we can consider a technique often used in astrology: for example, the year 1998 is 1 + 9 + 9 + 8 = 27, then 2 + 7 = 9. To a first approximation, this is how a hash function works, but instead of addition, many other functions are used. In the above example, it can be seen that the year 1899 will also give the number 9. This situation is called a collision, which means that different data sets correspond to one hash function value (or just a hash). The most common types of hashes are MD5, MD6, SHA-1, SHA-2. Thus, technically an EDS is an additional data block that contains a hash of the transmitted data encrypted with the user's private key.
A collision can be used to fake an EDS. If we take the digital signature from any file and form our forged file with the same hash, then all the calculations will check out for the end user, and he will think that the file was sent by a person known to him (and not by us). The problem is that it is impossible to create an algorithm that tells which bytes to add to our file so that the specified hash value is obtained. Of course, you can, say, add a byte with a value of 0 to our file, then 1, 2, and so on up to 255, then add a second, a third, etc., in the same way, but it will take a lot of time.
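The collision argument above, worked through as an added example that is not from the original article: a toy RSA key signs the article's digit-sum hash, so a signature made for 1998 also verifies for 1899, while with SHA-256 the same substitution fails. The key (built from two Mersenne primes, no padding), the function names and the messages are assumptions for illustration; the last function counts how many candidates the "try the next value" search needs as the hash gets longer.

```python
import hashlib
from itertools import count

# Toy RSA key from two well-known Mersenne primes (constructed for this example).
# Real keys use random primes and a padding scheme such as PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the signer only


def digit_sum_hash(message: str) -> int:
    """The article's toy hash: add the digits until a single digit is left."""
    value = sum(int(c) if c in "0123456789" else ord(c) for c in message)
    while value > 9:
        value = sum(int(d) for d in str(value))
    return value


def sha256_hash(message: str) -> int:
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big")


def sign(message: str, hash_fn) -> int:
    """EDS: the hash of the data, transformed with the private key."""
    return pow(hash_fn(message), D, N)


def verify(message: str, signature: int, hash_fn) -> bool:
    """The recipient recovers the hash with the public key and compares."""
    return pow(signature, E, N) == hash_fn(message)


def tries_to_match(target: str, bits: int) -> int:
    """Candidates tried before one matches the top `bits` bits of SHA-256(target)."""
    want = sha256_hash(target) >> (256 - bits)
    for n in count(1):
        if sha256_hash(f"forged-{n}") >> (256 - bits) == want:
            return n


if __name__ == "__main__":
    sig_weak = sign("1998", digit_sum_hash)
    print("digit-sum hash, genuine 1998:", verify("1998", sig_weak, digit_sum_hash))
    print("digit-sum hash, forged 1899: ", verify("1899", sig_weak, digit_sum_hash))
    sig_strong = sign("1998", sha256_hash)
    print("SHA-256, genuine 1998:       ", verify("1998", sig_strong, sha256_hash))
    print("SHA-256, forged 1899:        ", verify("1899", sig_strong, sha256_hash))
    for bits in (8, 16):
        print(f"{bits}-bit hash matched after {tries_to_match('1998', bits)} tries")
```

Each extra bit of hash output doubles the expected number of tries, which is why the search is hopeless against a full-length modern hash.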
As for encryption, some modifications are applied there as well. With the asymmetric algorithm, again, it is not the entire data set that is encrypted, but a randomly generated so-called session key. With this session key, the data set is encrypted using a symmetric algorithm, which is much faster. The session key itself is encrypted with the recipient's public key and added to the encrypted data. The recipient decrypts the session key with his private key and, with it, decrypts the original message.
Using cryptography in malware
Using cryptographic methods, attackers solve the following tasks:
- through the use of electronic digital signatures, they confirm that the updated version of the malware or the command was actually received from the operators, and not from competing attackers or employees of antivirus companies. To do this, the public key is "wired" into the bot, and the private key is stored in a safe place (of course, not on the server). It is no secret that many programs contain vulnerabilities, and botnet command servers are no exception in this sense. In some cases, it was possible to hack such servers; it then became possible to issue a command for self-destruction of bots, distribute an antivirus utility under the guise of a new version of the bot, or change the address of the control center. Using EDS removes the problem of control over a botnet being intercepted;
- encrypt information stolen from an infected computer. Thus, only its operators (who have the private key) can use the botnet's results, that is, hacking the management server will not help;
- many antivirus tools do not analyze the actions of programs (monitoring of suspicious actions, for example, injecting their code into another process) if they are signed with the digital signatures of large software companies and driver developers. This feature is successfully used by cybercriminals to bypass antivirus protection systems. The signature is generated using stolen private keys (Stuxnet was signed with a key stolen from Realtek) or a collision method (Flame, allegedly signed by Microsoft); in some cases it was possible to register a fictitious software development company and obtain its own private key legally;
- antivirus experts say that ransomware has become more common recently. A classic example of ransomware is GPCode. This malicious program encrypts user files with a random session key, which it stores in encrypted form using the public key (located in GPCode). The source data is naturally erased. To perform the reverse operation, you need to transfer a certain amount of money according to the details left by the attacker and send him this encrypted session key. It is decrypted using the private key (held by the attacker) and sent back to the user, after which the files can be successfully decrypted. The only reliable protection against the impact of such programs is backup.
Varieties of control systems
In their development, control systems have passed through the following stages:
- hard-set e-mail addresses;
- the use of IRC chats: bots connected to certain channels on given servers, and the servers could be either legitimate or hacked ones on which IRC server software was subsequently installed;
- hardcoded domain names or IP addresses;
- use of DGA (Domain Generation Algorithm);
- use of P2P technologies.
Obviously, everything that was set statically was blocked sooner or later by antivirus companies. To solve these problems, DGA and P2P technologies are used.
The essence of DGA is that the names of the command centers are not hard-coded, but are generated by a pseudo-random algorithm using the current date and time, and the number of such domains should be quite large, for example, 1000 per day. As a result, registering or blocking all such names is a very difficult and practically impossible task. However, the use of DGA in malware allows antivirus companies to use the so-called sinkhole router, a fake control center that bots begin to treat as their own. Thus, it becomes possible to assess the extent of infections and their geographical distribution by analyzing the IP addresses of incoming connections. In some cases, this even allows you to take control and give a command for self-destruction, which, however,
Using P2P allows you to completely abandon the concept of a control center; management or distribution of new versions of the bot can be done from any infected computer.
P2P (peer-to-peer network) involves a large number of computers, each of which holds some information about other such computers, for example, their IP addresses. The list of such computers (peers) is called the bootstrap list (initial initialization list). Depending on where this list comes from, partially decentralized and fully decentralized P2P networks are distinguished.
Partially decentralized P2P networks involve loading the bootstrap list from pre-known servers. In particular, this is how uTorrent works. There is a weak point in such a system: it is enough to block access to the servers containing the bootstrap list. Therefore, malware uses a completely decentralized scheme.
It should be noted that the concept of a fully decentralized P2P network in relation to malware implies that the distribution takes place in two stages. At the first stage, a bot is distributed with an empty bootstrap list; it periodically contacts the command center, which in turn records the bot's IP address. In addition to the IP address itself, botnet operators are interested in whether the bot is located behind a gateway or a firewall. If it is not, then the bot can act as a super peer (super node), that is, other peers can connect to it directly. As soon as the necessary number of super peers is collected, their list is entered in the bootstrap list, and the attackers begin to spread a new version of the bot that carries it. After distribution, all bots exchange information about their neighbors and form their own bootstrap lists. The result is a P2P network. It is resistant to the disappearance of a certain number of bots, as the list of neighbors is constantly changing.
During the exchange, bots also exchange information about their version. If a bot discovers that it is "out of date", a new version is downloaded from one of the neighbors. When downloading, as a rule, the digital signature of the file is checked to exclude the possibility of the distribution of "not your" files. Thus, all bots in P2P keep themselves up to date. Sality and Zeus. The P2P implementation they use is based on the Kademlia protocol. Conficker uses its own implementation; the most interesting thing about it is that its bootstrap list is initially empty, and it detects its neighbors by scanning IP addresses.
Given its features, Conficker is more reminiscent of a means of working out the latest technologies in writing malware than just another bot.
Summing up, we can conclude that the creators of modern malware are quite serious about ensuring the survivability of their malware. Moreover, the trend is that antivirus companies are really losing this race. The use of P2P and EDS leaves practically no chance to "deal" with botnets.