SlideShare a Scribd company logo

Recent Rogueware

Kurt Baumgartner
Kurt Baumgartner

Virus Bulletin 2008 Ottawa presentation on recent, extremely prevalent, "rogueware".

Technology
1 of 27
Download to read offline
Recent Rogueware Kurt Baumgartner PC Tools ThreatFire Research Virus Bulletin 2008
Recent Rogueware • Rogueware? • Obfuscation Methods and Vundo Behaviors • Survey Multiple Recent Rogueware • MonaRonaDona Hoax • Recent Binder and Downloader Components and Behavioral Challenges • What Now?
Rogueware? • Sometimes clumsy descriptions found on sites and blogs. • Substantial definitions exist on well known sites like castlecops, spywarewarrior, and many others • My definition: Rogueware-based schemes coerce computer users to pay for removal of nonexistent malware. R og uew a re a re s elec t s oftw a re c om ponents us ed in thes e s c hem es to a id in c oerc io n.
Rogueware Certifed
Rogueware? • Recent active and prevalent examples over the past couple of weeks – AntiVirus2008 and 2009 – MultyCodecUpdr.7.2068.exe and its “promomodule” b..exe, which then drops sav components – pdf sploit -> 0xf9.exe -> AntiVirus2008, other adware • not-so-recent MonaRonaDona and Unigray Antivirus
Rogueware? • Shameless re branding, shuffling of domains, redistribution, shock messaging • Towards the end of last year, high level of active distribution channels and offers:
Rogueware? ~ Extras. Profit from downloads ~ .. from 70-150 $ c 1 thousand! If you load: grabber-soksbot-spambot and would like to receive additional income from your downloads, we offer our software and get 70-150 $ 1 to thousands of downloads (all depends on the country). As for software, we control: adware, which in turn actively promotes antispyware software! Adware does not conflict with either the botnetami, or trojan, and does not kill your bots!
Survey Multiple Fakealerts - Intro • Vundo obfuscation, behavior, commodity client side exploits • Codec distribution, often via spammed links – MultyCodecUpgr.7.20680.exe • P2P distribution and crack sites – binding keygen schemes, most active downloads • Shuffling web sites and domains • Common component behaviors – Shell_NotifyIcon
Vundo's Blatantly Intrusive Behavior • Vundo's prevalence seems to be on a steep downward slope towards the end of this year • Vundo loaders and dll's have maintained multiple layers of obfuscation, calls to random antiquated API's, polymorphism • Vundo distributors most commonly implemented commodity exploits to download and execute components that dropped a randomly named dll and loaded it into its own process, then the loaded dll made copies of itself that it injected first into winlogon, then globally into explorer and other processes • Process check – ad-aware, winlogon, explorer, other AV's
Vundo's Blatantly Intrusive Behavior • Anti-RE Obfuscation – Anti-RE: perverted code beyond recognition, i.e. prologues where normal “push ebp...move ebp,esp” is mangled – Anti-emulation: calling antiquated api's with “impossible” parameters to generate predictable values – this is not compiler “optimization”
Vundo's Blatantly Intrusive Behavior • Garbage assembly level instructions, loops and jmp flows: i.e. implement ridiculous custom GetProcAddress with multiple levels of needless instructions
Vundo's Blatantly Intrusive Behavior • Definitive Vundo loader winlogon injection
Vundo's Blatently Intrusive Behavior • Definitive SetWindowsHook WH_GETMESSAGE injection, from this injection, ads displayed, trayalert
Codec Distribution • Zcodec.1140.exe -> 5491.exe -> sav.exe, etc • 5491.exe is a simple self extracting compressed archive, no packing involved, drops sav.exe in %progfiles%AV2008 • No injections, no system tampering -- clearly “malicious” behavior?
MonaRonaDona Hoax - Intro • Bumbling rogueware scheme – early 2008 • “Virus” bound to version of quot;Registrycleaner2008quot; • Hoax postings and content regarding this “virus” • “Virus”? • Fraudulent postings about unigray antivirus scanner and its user base, google/search engine top results
MonaRonaDona Hoax -- Planning • Create AV product that performs no beneficial activity • Attempt to establish reputation and price point by comparison between it and legitimate solutions • Write phony “virus” • Create confusion and chatter about it on popular forums • Wait for $$$ -- you will wait a long time • This does not work
MonaRonaDona Hoax – Hoax postings • Create forum chatter and search engine hits:
MonaRonaDona Hoax – “Virus” • Svcspool.exe dropped to All Users StartMenu Startup by RegistryCleaner2008.exe • Really a “virus”? No – no replication code. IE WindowBar manipulation, Task Manager disabled by dropper. Some amount of hiding, obfuscation • “Top virus list”
Downloader Components – Intro • Malicious examples – 0xf9.exe, av2009install.exe • Static characteristics • Behavioral characteristics • Downloading sav.exe • Groups continue to use exploits to deliver downloaders, do testers know that?
Downloaders • Difficult for behavioral solutions to assess without using more hardcoded data – closer to signature based technologies • AV2009 UPX packed compiled Delphi executable – Simple and straightforward, like any other app...CreateWindow, InternetOpen, InternetOpenUrl, CreateProcess – Creating a dependence on static characteristics of file, connection endpoints,etc – InternetOpenUrl connects with http://securedownloads6.com/download/av_2009.exe
Downloaders • Simple CreateWindowEx for installer box, nothing obfuscated or injected here...
Downloaders • Adobe exploit kits – Dancho Danchev's blog, Secure Computing • 0xf9.exe is generally a ~20k upx packed Visual Basic compiled executable, standard part of a kit being reused – Names? “Downloader.MisleadApp”, Trojan- Downloader.Win32.VB.hww,Trojan-Downloader.Win32.VB.hyc – Trivial unpacking with upx, simple inspection of underlying code with Basic Decompiler – Straightforward download and setup of msadv.exe or mssadv_sp.exe in “Program FilesMicrosoft Security Adviser”
Recent Components -- MultyCodec • Multiple components delivered via phony video codec • MultyCodec.7.20680.exe drops c..exe, calls CreateProcess on the file, phones home – Based on http responses, “promomodule” carries out 'trayalert', 'winalert', 'excelalert', etc – Changing behaviors from b..exe based on response – spoils automated analysis – Shell_NotifyIcon call based on 'trayalert'...”you have a security problem'
Recent Components -- AntiVirus 2008 • Misleading scan results
Recent Components -- AntiVirus 2008 • Misleading browser redirection
Microsoft Legal Efforts • On Monday, Microsoft/State of Wash Atty General Office lawsuit filed against “John Doe”, maker of AV2008, Winfixer, etc • CAN-SPAM enforced against some Spam Kings, ineffective against global spam industry. See inbox/bulk. • Behavioral based products – will they have to hybridize, or will they just continue as another layer?
Questions?

Recommended

Macdoored
MacdooredMacdoored
MacdooredShakacon
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
nullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgradenullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgraden|u - The Open Security Community
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Michele Orru'
 
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...Baruch Sadogursky
 

Recommended

Macdoored
MacdooredMacdoored
MacdooredShakacon
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
nullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgradenullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgraden|u - The Open Security Community
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Secure Programming And Common Errors[Michele Orru Dec 2008]
Secure Programming And Common Errors[Michele Orru Dec 2008]Michele Orru'
 
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...
DevOps Patterns & Antipatterns for Continuous Software Updates @ NADOG April ...Baruch Sadogursky
 
How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijackeradelardbrown2
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosStephen Chin
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoUnic
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation PASCAL Jean Marie
 
מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberKurt Baumgartner
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Mediaguesteaa1f
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en MasseKurt Baumgartner
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגיםgoodvibes
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013Kurt Baumgartner
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 
Jamcracker
JamcrackerJamcracker
JamcrackerSteve Crawford
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Clubepokh
 

More Related Content

What's hot

How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijackeradelardbrown2
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosStephen Chin
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoUnic
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation PASCAL Jean Marie
 

What's hot (10)

How to Remove Codec v hijacker
How to Remove Codec v hijackerHow to Remove Codec v hijacker
How to Remove Codec v hijacker
 
Java 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and LegosJava 8 for Tablets, Pis, and Legos
Java 8 for Tablets, Pis, and Legos
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
 
Establish reliable builds and deployments with Magento
Establish reliable builds and deployments with MagentoEstablish reliable builds and deployments with Magento
Establish reliable builds and deployments with Magento
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian Luszczymak
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation Nuxeo5 - Code Source Installation
Nuxeo5 - Code Source Installation
 

Viewers also liked

מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberKurt Baumgartner
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Mediaguesteaa1f
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגיםgoodvibes
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 

Viewers also liked (8)

מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקה
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red October
 
Learning With New Media
Learning With New MediaLearning With New Media
Learning With New Media
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
שיוף סריגים
שיוף סריגיםשיוף סריגים
שיוף סריגים
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APT
 
Jamcracker
JamcrackerJamcracker
Jamcracker
 

Similar to Recent Rogueware

Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Clubepokh
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-stepMichelangelo van Dam
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Atlassian
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apacheguestd9aa5
 
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)Fabien Potencier
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Da-Chang Guan
 
ZendCon Security
ZendCon SecurityZendCon Security
ZendCon Securityphilipo
 

Similar to Recent Rogueware (20)

Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Glasgow Reversing Club
Glasgow Reversing ClubGlasgow Reversing Club
Glasgow Reversing Club
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
Hardening Enterprise Apache
Hardening Enterprise ApacheHardening Enterprise Apache
Hardening Enterprise Apache
 
Ht w23
Ht w23Ht w23
Ht w23
 
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)symfony: An Open-Source Framework for Professionals (PHP Day 2008)
symfony: An Open-Source Framework for Professionals (PHP Day 2008)
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009
 
ZendCon Security
ZendCon SecurityZendCon Security
ZendCon Security
 

Recently uploaded

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Recently uploaded (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Recent Rogueware

  • 1. Recent Rogueware Kurt Baumgartner PC Tools ThreatFire Research Virus Bulletin 2008
  • 2. Recent Rogueware • Rogueware? • Obfuscation Methods and Vundo Behaviors • Survey Multiple Recent Rogueware • MonaRonaDona Hoax • Recent Binder and Downloader Components and Behavioral Challenges • What Now?
  • 3. Rogueware? • Sometimes clumsy descriptions found on sites and blogs. • Substantial definitions exist on well known sites like castlecops, spywarewarrior, and many others • My definition: Rogueware-based schemes coerce computer users to pay for removal of nonexistent malware. R og uew a re a re s elec t s oftw a re c om ponents us ed in thes e s c hem es to a id in c oerc io n.
  • 5. Rogueware? • Recent active and prevalent examples over the past couple of weeks – AntiVirus2008 and 2009 – MultyCodecUpdr.7.2068.exe and its “promomodule” b..exe, which then drops sav components – pdf sploit -> 0xf9.exe -> AntiVirus2008, other adware • not-so-recent MonaRonaDona and Unigray Antivirus
  • 6. Rogueware? • Shameless re branding, shuffling of domains, redistribution, shock messaging • Towards the end of last year, high level of active distribution channels and offers:
  • 7. Rogueware? ~ Extras. Profit from downloads ~ .. from 70-150 $ c 1 thousand! If you load: grabber-soksbot-spambot and would like to receive additional income from your downloads, we offer our software and get 70-150 $ 1 to thousands of downloads (all depends on the country). As for software, we control: adware, which in turn actively promotes antispyware software! Adware does not conflict with either the botnetami, or trojan, and does not kill your bots!
  • 8. Survey Multiple Fakealerts - Intro • Vundo obfuscation, behavior, commodity client side exploits • Codec distribution, often via spammed links – MultyCodecUpgr.7.20680.exe • P2P distribution and crack sites – binding keygen schemes, most active downloads • Shuffling web sites and domains • Common component behaviors – Shell_NotifyIcon
  • 9. Vundo's Blatantly Intrusive Behavior • Vundo's prevalence seems to be on a steep downward slope towards the end of this year • Vundo loaders and dll's have maintained multiple layers of obfuscation, calls to random antiquated API's, polymorphism • Vundo distributors most commonly implemented commodity exploits to download and execute components that dropped a randomly named dll and loaded it into its own process, then the loaded dll made copies of itself that it injected first into winlogon, then globally into explorer and other processes • Process check – ad-aware, winlogon, explorer, other AV's
  • 10. Vundo's Blatantly Intrusive Behavior • Anti-RE Obfuscation – Anti-RE: perverted code beyond recognition, i.e. prologues where normal “push ebp...move ebp,esp” is mangled – Anti-emulation: calling antiquated api's with “impossible” parameters to generate predictable values – this is not compiler “optimization”
  • 11. Vundo's Blatantly Intrusive Behavior • Garbage assembly level instructions, loops and jmp flows: i.e. implement ridiculous custom GetProcAddress with multiple levels of needless instructions
  • 12. Vundo's Blatantly Intrusive Behavior • Definitive Vundo loader winlogon injection
  • 13. Vundo's Blatently Intrusive Behavior • Definitive SetWindowsHook WH_GETMESSAGE injection, from this injection, ads displayed, trayalert
  • 14. Codec Distribution • Zcodec.1140.exe -> 5491.exe -> sav.exe, etc • 5491.exe is a simple self extracting compressed archive, no packing involved, drops sav.exe in %progfiles%AV2008 • No injections, no system tampering -- clearly “malicious” behavior?
  • 15. MonaRonaDona Hoax - Intro • Bumbling rogueware scheme – early 2008 • “Virus” bound to version of quot;Registrycleaner2008quot; • Hoax postings and content regarding this “virus” • “Virus”? • Fraudulent postings about unigray antivirus scanner and its user base, google/search engine top results
  • 16. MonaRonaDona Hoax -- Planning • Create AV product that performs no beneficial activity • Attempt to establish reputation and price point by comparison between it and legitimate solutions • Write phony “virus” • Create confusion and chatter about it on popular forums • Wait for $$$ -- you will wait a long time • This does not work
  • 17. MonaRonaDona Hoax – Hoax postings • Create forum chatter and search engine hits:
  • 18. MonaRonaDona Hoax – “Virus” • Svcspool.exe dropped to All Users StartMenu Startup by RegistryCleaner2008.exe • Really a “virus”? No – no replication code. IE WindowBar manipulation, Task Manager disabled by dropper. Some amount of hiding, obfuscation • “Top virus list”
  • 19. Downloader Components – Intro • Malicious examples – 0xf9.exe, av2009install.exe • Static characteristics • Behavioral characteristics • Downloading sav.exe • Groups continue to use exploits to deliver downloaders, do testers know that?
  • 20. Downloaders • Difficult for behavioral solutions to assess without using more hardcoded data – closer to signature based technologies • AV2009 UPX packed compiled Delphi executable – Simple and straightforward, like any other app...CreateWindow, InternetOpen, InternetOpenUrl, CreateProcess – Creating a dependence on static characteristics of file, connection endpoints,etc – InternetOpenUrl connects with http://securedownloads6.com/download/av_2009.exe
  • 21. Downloaders • Simple CreateWindowEx for installer box, nothing obfuscated or injected here...
  • 22. Downloaders • Adobe exploit kits – Dancho Danchev's blog, Secure Computing • 0xf9.exe is generally a ~20k upx packed Visual Basic compiled executable, standard part of a kit being reused – Names? “Downloader.MisleadApp”, Trojan- Downloader.Win32.VB.hww,Trojan-Downloader.Win32.VB.hyc – Trivial unpacking with upx, simple inspection of underlying code with Basic Decompiler – Straightforward download and setup of msadv.exe or mssadv_sp.exe in “Program FilesMicrosoft Security Adviser”
  • 23. Recent Components -- MultyCodec • Multiple components delivered via phony video codec • MultyCodec.7.20680.exe drops c..exe, calls CreateProcess on the file, phones home – Based on http responses, “promomodule” carries out 'trayalert', 'winalert', 'excelalert', etc – Changing behaviors from b..exe based on response – spoils automated analysis – Shell_NotifyIcon call based on 'trayalert'...”you have a security problem'
  • 24. Recent Components -- AntiVirus 2008 • Misleading scan results
  • 25. Recent Components -- AntiVirus 2008 • Misleading browser redirection
  • 26. Microsoft Legal Efforts • On Monday, Microsoft/State of Wash Atty General Office lawsuit filed against “John Doe”, maker of AV2008, Winfixer, etc • CAN-SPAM enforced against some Spam Kings, ineffective against global spam industry. See inbox/bulk. • Behavioral based products – will they have to hybridize, or will they just continue as another layer?