Sunday, August 26, 2012

Extended Silence

I have been gone for a while and I intend to start posting once again. I was pursuing another one of my many interests, but I am back now.

I will post the source code of a Java virus I found, heavily commented, for all of you interested in the inner workings of a virus. I also hope this will cause anti-virus companies to start paying more attention to Java JARs and the like, as there are many file types, JARs included, that AVs do not scan. A JAR is essentially treated as a compressed archive, not as an executable program. This needs to change, as I have seen a large rise in Java viruses myself.
Anyway, check back soon if you're interested.


Monday, June 4, 2012

Some more on Flame

Flame, the virus I gave an overview of in my previous post, has become common knowledge, and possibly even old news for some. It is for this reason that Microsoft states it is no longer worried about it. They have, however, released a patch closing the loophole Flame used to digitally sign itself with official Microsoft certificates, and Microsoft says it is worried other viruses might also try to exploit this loophole. If you have not done so, make sure to apply the latest updates to secure your computer. The update is "KB2718704" and should be applied automatically if you have automatic updates enabled.

Credits: The Hacker News, KrebsOnSecurity
As always, tell me what to post about next in the comments below.

Friday, June 1, 2012

A quick overview of Skywiper/flame

I have read numerous reports and analyses of this (relatively) new virus discovered in the wild, including, but not limited to, those of The Hacker News, McAfee, TrendLabs, ESET, and Damballa. Here is what I have found so far.

Flame is an incredibly large and sophisticated piece of malware. It seems to be targeting the Middle East, and has been around since 2010 (first detection). The file itself is about 20 MB and contains everything it needs to run (libraries, etc.). There is speculation about who made it, a private entity or a nation state. I personally am leaning towards a government (possibly the US), as it seems to be targeting political and military victims (this may just be the conspiracy theorist inside me). It is capable of monitoring keystrokes, capturing webcam data, taking screenshots, and listening through microphones connected to the infected machine. It spreads through any connected removable storage, through printer sharing, and through domain controllers. It is very careful not to leave any tracks, and removes all traces of itself and other viruses when uninstalled. The main class itself is estimated to have 750,000 lines of C code (650,000 of which have been reversed by McAfee).
Initial detection map (source: McAfee)
It is larger than Stuxnet, and some believe it was created or used by the same group, while others think its authors may just be "recycling" some of Stuxnet's code (more likely). Flame is the most sophisticated virus known to date, and contains a vast amount of obfuscation and anti-decompiler code. According to McAfee, it is capable of at least the following:
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls, thread start manipulation, and code injection into key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~-named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet
- Using an SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extensibility of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources

I'll keep you all posted and give more info once I get it.

Let me know what I should post about next!

Thursday, May 31, 2012

ZeroAccess Part 3: How to stop it.

If you have read Part 1 and Part 2, you should have a pretty good idea of what ZeroAccess is and how dangerous it is. In this post, I will go through multiple removal methods that I have found while searching the web.

  1. Tools
    1. cleanpcguide.com has a removal tool that you can download here
    2. Use ESET's removal tool, downloaded here
    3. Use McAfee's RootkitRemover, available here
  2. Manual removal (as provided by http://www.cleanpcguide.com/remove-zeroaccess-removal-guide-how-to-remove-zeroaccess/ )
    1. Stop the ZeroAccess process using the Windows Task Manager. (It will most likely have a random name; if you see a process that you do not recognize, right-click it and view its file location to find the files associated with it (you will need these in step 4), then end it.)
    2. Uninstall the ZeroAccess program from the Windows Control Panel's Add/Remove Programs. (Control Panel --> Programs --> Remove/Change, then look for something that seems fishy or that you do not remember installing.)
    3. Open the Windows Registry using the regedit.exe command, then find and remove all ZeroAccess registry entries. (They will usually be under the HKLM or HKCU Run key, i.e. the startup entries.)
    4. Search for the ZeroAccess files on your computer and delete them (the files found in step 1).
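Step 3 above is the one people get wrong most often, because a Run key full of vendor entries is hard to read by eye. The script below is an added example (not from this post or from the cleanpcguide.com guide) that reads a .reg export of the two Run keys named in step 3 and points out the entries worth a second look. The heuristics it uses (program located in a temp, recycle-bin or ProgramData folder; a GUID-like, hex-only or digit-only value name) are assumptions for illustration, not a ZeroAccess signature, and the sample export embedded at the bottom is constructed.

```python
"""Audit Windows autostart (Run key) entries from an exported .reg file.

Added example, not from the original post. Heuristics and sample data are
assumptions/constructed; the two Run keys are the ones the post names.
"""
import re
from dataclasses import dataclass, field

# The startup ("Run") keys the post says ZeroAccess registers itself under.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Assumption: legitimate autostart programs rarely live in these locations.
SUSPICIOUS_DIRS = ("\\temp\\", "\\recycler\\", "\\$recycle.bin\\", "\\programdata\\")

# Assumption: GUID-like, hex-only or digit-only value names look machine-generated.
_GENERATED_NAME_RE = re.compile(
    r"^(\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?|[0-9a-f]{8,}|\d+)$", re.I)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="string data"  or  @="string data"; hex:/dword: data is skipped.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def _unescape(text):
    # Undo .reg string escaping: doubled backslashes and backslash-escaped quotes.
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return the string values found under the Run keys in a .reg export."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_key = key if key.lower() in RUN_KEYS else None
            continue
        if current_key is None or not line:
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue  # binary/dword data or a continuation line: not a plain command
        name = value_match.group(1)
        name = _unescape(name) if name is not None else "(Default)"
        entries.append(AutostartEntry(current_key, name, _unescape(value_match.group(2))))
    return entries


def executable_path(command):
    """Extract the program path from a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_entries(entries):
    """Attach reasons to entries matching the heuristics; return only the flagged ones."""
    flagged = []
    for entry in entries:
        path = executable_path(entry.command).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            entry.reasons.append("program lives in a temp, recycle-bin or ProgramData folder")
        if _GENERATED_NAME_RE.match(entry.name):
            entry.reasons.append("value name looks machine-generated")
        if entry.reasons:
            flagged.append(entry)
    return flagged


# Constructed sample export (not real registry data); the two odd entries are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="\"C:\\Program Files\\SoundVendor\\tray.exe\" /autostart"
"b1d4e9a0f7"="\"C:\\RECYCLER\\S-1-5-21-1234\\$a3f9c2\\n.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CloudSync"="\"C:\\Users\\alice\\AppData\\Local\\CloudSync\\CloudSync.exe\" /background"
"{6E3A9C12-4F0B-4D7E-8B9A-0C1D2E3F4A5B}"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for entry in flag_entries(parse_run_entries(SAMPLE_REG)):
        print(f"{entry.key}\n  {entry.name!r} -> {entry.command}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

To use it on a real machine, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" hklm_run.reg` (and the HKCU equivalent), feed the file contents to parse_run_entries, and treat the output as a shortlist to investigate, not as a verdict: a flagged entry is a reason to check the file's publisher and location before deleting anything, and an unflagged entry can still be malicious if the author chose a plausible name and folder.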

If none of these work, the Malwarebytes community is very helpful. You can ask for help here.


Tell me what you thought of this three part series, and remember to comment what I should blog about next.


Tuesday, May 29, 2012

ZeroAccess Part 2: What does it do?

First off, sorry this took so long. It is finals week so I have been quite busy.

Overview

ZeroAccess will install one of two versions of itself depending on the system architecture (32- or 64-bit). Once it has dropped the correct version and elevated its privileges, it starts talking with other infected machines to get instructions. Most of the time, it is used to "sell installs": that is, other "hackers" can pay someone to install their virus onto the already infected machines. One of the most popular viruses installed through ZeroAccess is Zeus (see Zeus Continues to Evolve and New Variant of Zeus includes Ransomware). Once that is installed, the "hacker" can steal your personal data including, but not limited to, your credit card number and your login credentials for different sites (including banking sites).

Installation
  • 32 bit
    • When the dropper is executed, it checks whether it is on a 32- or 64-bit computer, then installs the corresponding kit. If it is on a 32-bit machine, it drops a kernel-mode (Ring-0) rootkit into a hidden folder. It adds itself to startup and checks its list of predetermined C&C (Command and Control) servers. It then attempts to connect to them on TCP port 13620 and awaits commands.
  • 64 bit
    • The 64-bit version of ZeroAccess does not have a Ring-0 rootkit. It does, however, have a Ring-3 (user-mode) kit. When initiated, it attempts to raise its privileges as described in Part 1. Once that is done, it protects its process (makes it harder to kill) and waits for commands.
Communication

The virus comes with a list of known IPs of infected machines. If these machines have UPnP enabled and the ports are properly opened, they become server nodes; if not, they are just clients. Once it has successfully made a connection, it is added to the other bot's list and updates its own list. It then periodically checks in with the other servers to see whether any new commands have been issued. The bot uses TCP port 13620 to connect to the others, and all communication is encrypted with RC4.
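Because the peer traffic is RC4-encrypted, the one thing a network defender can see in plain view is the port and the connection pattern: a workstation reaching out to several unrelated addresses on TCP 13620, and (if UPnP opened the port) accepting inbound connections on it. The script below is an added example, not from the post or any vendor tool, that runs that logic over firewall log lines. The only fact taken from the post is the port number; the log format, the sample lines (RFC 5737 documentation addresses) and the fan-out threshold are constructed assumptions.

```python
"""Flag hosts whose firewall logs show ZeroAccess-style peer traffic on TCP 13620.

Added example, not from the original post. The port is the one the post names;
the log format, sample lines and threshold are constructed/assumed.
"""
import re
from collections import defaultdict

ZEROACCESS_PORT = 13620        # TCP port named in the post
PEER_FANOUT_THRESHOLD = 3      # assumption: distinct peers before a host is reported

# Constructed log format: <timestamp> <in|out> <proto> <src>:<port> -> <dst>:<port> <allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<direction>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>allow|deny)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def analyze(text):
    """Return {internal_host: stats} for hosts that touch the peer port.

    peers   - distinct addresses the host tried to reach on 13620 (blocked attempts
              count too: a denied connection is still evidence of the attempt)
    denied  - how many of those attempts the firewall blocked
    inbound - inbound connections accepted on 13620, i.e. the host is acting as a
              server node (the post ties this to UPnP opening the port)
    """
    stats = defaultdict(lambda: {"peers": set(), "denied": 0, "inbound": 0})
    for ev in parse_log(text):
        if ev["proto"] != "tcp" or ev["dport"] != ZEROACCESS_PORT:
            continue
        if ev["direction"] == "out":
            host = stats[ev["src"]]
            host["peers"].add(ev["dst"])
            if ev["action"] == "deny":
                host["denied"] += 1
        elif ev["action"] == "allow":
            stats[ev["dst"]]["inbound"] += 1

    report = {}
    for host, s in stats.items():
        if len(s["peers"]) >= PEER_FANOUT_THRESHOLD or s["inbound"] > 0:
            report[host] = {"peers": len(s["peers"]), "denied": s["denied"],
                            "inbound": s["inbound"], "server_node": s["inbound"] > 0}
    return report


# Constructed sample: 10.0.0.5 fans out to three peers and accepts one inbound
# connection; 10.0.0.9 makes a single attempt and stays under the threshold.
SAMPLE_LOG = """\
2012-05-29T10:00:01 out tcp 10.0.0.5:49152 -> 203.0.113.10:443 allow
2012-05-29T10:00:02 out tcp 10.0.0.5:49153 -> 198.51.100.7:13620 allow
2012-05-29T10:00:03 out tcp 10.0.0.5:49154 -> 198.51.100.8:13620 allow
2012-05-29T10:00:04 out tcp 10.0.0.5:49155 -> 192.0.2.44:13620 deny
2012-05-29T10:00:05 out tcp 10.0.0.9:49160 -> 203.0.113.10:80 allow
2012-05-29T10:00:06 in tcp 192.0.2.99:51000 -> 10.0.0.5:13620 allow
2012-05-29T10:00:07 out udp 10.0.0.9:5353 -> 224.0.0.251:5353 allow
2012-05-29T10:00:08 out tcp 10.0.0.9:49161 -> 198.51.100.7:13620 allow
"""

if __name__ == "__main__":
    for host, s in analyze(SAMPLE_LOG).items():
        role = "server node" if s["server_node"] else "client"
        print(f"{host}: {s['peers']} peers on {ZEROACCESS_PORT} "
              f"({s['denied']} blocked), {s['inbound']} inbound, acting as {role}")
```

Port-based detection like this is cheap but brittle: a later build could change the port, and the RC4 payload gives the firewall nothing else to match on. It is still worth keeping, because a workstation has no legitimate reason to talk to a handful of unrelated Internet hosts on 13620, and even a single blocked attempt from the sample's 10.0.0.9 deserves a look at the endpoint with the removal steps from Part 3.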

Monetizing

The virus is most commonly used to install other viruses like Zeus. It also downloads a click-fraud virus. This virus is almost always seen with ZeroAccess, so it is thought that it may be authored by the creator of ZeroAccess. Finally, it downloads a spam bot, a virus used to send spam, junk, or infected links via e-mail.

Conclusion

This is a very sophisticated piece of malware, and while it may not yet be on par with the TDL family, it is definitely getting there. It is already dangerous now; imagine what it could become capable of in 5 or 10 years. As soon as it is detected, it must not be ignored: the only way to stop it effectively is to completely remove it from the system. While it is currently only used to download malware to monetize, this could and most likely will change as the owner rents out space and allows other files to be downloaded.


Credits to McAfee labs, Sophos, and PrevX

Friday, May 25, 2012

ZeroAccess Part 1: What is it

ZeroAccess is quickly becoming one of the go-to rootkits, and may surpass the TDL family in the coming years. Machines are most commonly infected using two techniques: the first is through an exploit kit, the second is social engineering.

BlackHole Exploit Pack infection statistics (figure)
Let's first take a look at how the exploit-kit infection works. An exploit pack is a webpage designed to exploit software commonly installed on computers, such as Flash, Java, Internet Explorer, etc. It tries to find loopholes that let it silently download and execute a program on the victim's computer. Most exploit packs use outdated exploits that are already patched, although a few extremely high-end packs use what are known as "0-day" exploits. This means that the exploit works against the newest version of the targeted software and is not yet known or detected. To drive traffic to these exploits, "hackers" find holes in legitimate websites and embed a small piece of code in the pages that silently redirects the user to their site. This is most often done through an IFrame set to be 0px wide and 0px high. Since the user does not need to see or interact with the exploit site, this works perfectly. Sometimes a JavaScript snippet is embedded instead, although this is less common since some web hosts have JavaScript disabled, and it is more noticeable. The exploit pack then goes through its list of exploits and, if one works, downloads and executes the payload (ZeroAccess).
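The 0px-by-0px IFrame is something a site owner can check for in their own pages, which is the cheapest way to notice that a legitimate site has been turned into a redirector. The scanner below is an added example (not from the post or any product) built on Python's html.parser. It reports iframes that are zero-sized via attributes, zero-sized or hidden via an inline style, and says whether the frame points at a third-party host. Treating 1px frames and CSS hiding (display:none, visibility:hidden) the same as the post's 0px case is an assumption that goes slightly beyond the text; the sample page and host names are constructed.

```python
"""Scan a page's HTML for hidden iframes of the kind the post describes.

Added example, not from the original post. The 0px iframe comes from the post;
the 1px and CSS-hiding rules are assumptions; sample page is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# width:0 / height:0 inside a style attribute (does not match border-width etc.)
_ZERO_CSS_RE = re.compile(r"(?:^|[\s;])(?:width|height)\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)", re.I)
_HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1, with or without units."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenFrameScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero or one-pixel width/height attribute")
        style = a.get("style", "")
        if _ZERO_CSS_RE.search(style):
            reasons.append("zero width/height via CSS")
        if _HIDDEN_CSS_RE.search(style):
            reasons.append("hidden via CSS")
        if not reasons:
            return  # a visible embed (video player, map, ...) is not reported
        src = a.get("src", "")
        src_host = urlparse(src).netloc.lower()
        self.findings.append({
            "line": self.getpos()[0],          # 1-based line of the <iframe> tag
            "src": src,
            "third_party": bool(src_host) and src_host != self.page_host,
            "reasons": reasons,
        })


def scan_page(html, page_url):
    """Return a list of findings for hidden iframes in the given HTML."""
    scanner = HiddenFrameScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one normal embed, two hidden third-party frames,
# and one tiny same-site frame (reported, but not marked third-party).
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our shop</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://unknown.example/in.php" width="0" height="0" frameborder="0"></iframe>
<p>Contact us</p><iframe src="http://unknown.example/x.html" style="width:0px;height:0px;visibility:hidden"></iframe>
<iframe src="/help" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "https://shop.example/"):
        flag = "THIRD-PARTY" if f["third_party"] else "same site"
        print(f"line {f['line']}: {f['src']} [{flag}] - {', '.join(f['reasons'])}")
```

Run it over the HTML as served (fetch it the way a visitor would, not from your source tree), because an injected frame usually lives in the deployed files or a template include rather than in version control. A hidden third-party frame you did not put there is the signal; a same-site 1px frame is often a tracking pixel and can be whitelisted after a look.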

Figure 1.1
Sometimes the "hacker" uses social engineering techniques to try to get the user to willingly download and execute the file. This is usually done by attaching the file to some sort of program crack or keygen. The "hacker" binds his virus (ZeroAccess) to the crack and then uploads it to a file host or torrent host. The user downloads and executes this file and, since the crack works, won't be very suspicious. The "hacker" can also use something called a "Java drive-by". This is more of a mix of exploit and social engineering. The "hacker" sets up a site with a browser game or webcam that needs Java to run. When the victim goes to the website, he will first be prompted to allow Java to run (see Figure 1.1), then asked to download and install an "update". This update, of course, is actually the "hacker's" virus. Once the user clicks OK, the page will "refresh" and the application that required Java will work. The user, satisfied that it works, will not suspect a thing.

Figure 1.2
When the virus is executed, it first checks the computer's architecture (32- or 64-bit). It then drops the corresponding file and exits. Once the file is dropped, if it was executed from a non-admin account, it will need to get past a UAC prompt. It does this by posing as an official Adobe update: it replaces a .dll inside the Adobe installer folder and prompts the user to download the update (see Figure 1.2). This "update" actually downloads the latest Flash Player, but also gives the virus admin permissions. It then goes on to connect to other infected computers and await orders.

Stay tuned for Part 2: What does it do,
and later the final part, Part 3: How to stop it.

Credits to McAfee labs, Sophos, and PrevX

Thursday, May 24, 2012

Open Source Malware: Is It Worse?

Lately a lot of malware has been released "open source", meaning that it comes with the source code. Some bots that come this way are:
  • µBOT
  • Aldi Bot
  • vnLoader
  • osRat
  • Darkflame
  • Zeus 2.0.8.9
Now, why would these be more trouble? Open source means easier to detect, correct? While this is true, it also means that it can be easily modified without the need for a program called a "crypter". This means that any average Joe can come along, download these sources, change the string names, and it will be harder to detect. While this alone will not make the file FUD (fully undetected), there are a few other tricks that more well-versed users can use. This also means that the "hacker" can make modifications to the code and have a virus that is a lot "deadlier", if you will, than it originally was. Granted, this requires that the "hacker" has at least some basic coding knowledge, but there are plenty of tutorials out there that can turn most people into malware coders in no time (although don't expect to code the next Zeus anytime soon).
So, you might ask yourself, what is a good anti-virus to protect us from these mods?
I also mentioned some coding tutorials,
Those two are some very basic books for those who want to learn more.

So, what do you think? Is open source worse for us? Why or why not?
Also remember, tell me what you want to hear about next!