SlideShare a Scribd company logo

Anoirel Issa Vb2009

G
guest6ca7b0

The document discusses a new type of malware attack called a Fragmented Distribution Attack (FDA). In an FDA, malware code is split into multiple fragments and each fragment is embedded within innocent files like images. When the files are opened, a separate reassembler program locates and recombines the fragments to rebuild the original malware without detection. The document presents a proof-of-concept FDA using fragments of a virus embedded within an image file and discusses the challenges of detecting this new evasion technique.

Technology
1 of 20
Download to read offline
Fragmented Distribution Attack Virus Bulletin Annual Conference 2009, Geneva September 18, 2009 Author: Anoirel S. Issa MessageLabs, now part of Symantec Anoirel_issa@symantec.com
Fragmented Distribution Attack: Abstract Through the years there has been a constant evolution of anti-virus evasion techniques. One of the latest trend that has been widely witnessed is the process code injection. However, a technique which has not been previously disclosed and may lead to some irreversible consequences is the “Fragmented Distribution Attack”. The scenario: An email with an attached image arrives in your mailbox from a recognized sender, you double click and open it. As expected, the image is displayed and nothing else happens. The system administrator may not have noticed anything suspicious from his system monitor logs and everything looks fine as the anti-virus product, along with the firewall, remain silent. Under this silence, the computer is possibly being compromised by a Fragmented Distribution Attack. 2
Agenda • An attempt to define the Fragmented Distribution Attack (FDA) • Exposing the attack: case study • The mystery of the bodiless header • P.O.C embedded code fragments and re-assembler • Live variant of a fragmented distribution attack • Consequences and possible implications • Detecting FDA • Conclusion 3
Terminology: Fragmented Distribution Attack • A new AV evasion technique • Aim to bypass Firewalls, IDS and Anti-virus • Exploiting different file formats for distribution • Code fragments embedded in innocent files • Fragment re-assembler used to rebuild original threat • Fragments locator – within the re-assembler 4
Exposing the Attack • File format exploitation and abuse • Data fragments embedded in normal file • Embedding code in innocent files a new method? • Not a new technique: seen on exploits • So what differentiates FDA to embedding technique? 5
A Schematic View of an FDA: Fragment Distribution • 1 malware split in 3 fragments • Segments embedded in innocent files • Fragment carriers sent over the protected network 6
The Fragment Re-assembler • A separate program • Not necessarily malware • Locates fragment carriers • Pre-assemble fragment in memory • May write code to disk • Executes re-assembled code in MEM or on Disk • System compromised 7
Case 1: Uncovered Live Fragment • Embedded PE Header • No other PE characteristics • No encryption • Clearly isolated fragment • Remaining part is elsewhere • Possibly an FDA 8
Detection of the previous live fragment • Discovered in 2008 • 7 AV detects the header today • Confusion: - Dropper? - Downloader? - No description Why ? an FDA?
What if the sample was an FDA? • Conclusion about previous sample: • Isolated fragment – no shellcode - no encryption • What if our conclusion was 100% accurate? • How would that work? • How a single fragment of a PE file would be used and executed to compromise systems? • FDA is the answer. • How would an FDA work then? • Research results and FDA POC follows
FDA Proof of concept: The Goat and the Smiling Image To validate our deduction of FDA in the previous case we develop an FDA POC using the image in the left and a goat file 11
Fragment 1: PE header • Goat file fragment embedded in the image • Image displays • No visible alteration • Fragment detected by 1 AV 12
Fragment 2 & 3: Code Section & Sec Table • Fragment marker “DEAD” • Fragment order 3-2 • Image displays • No detection 13
Extending the POC: Infectious Fragments: W32.Virut • Not modified Virut sample • “Unanimously” detected 14
Extending the POC: Infectious Fragments: W32.Virut • 4 fragments - embedded in same image • Not detected: - 4 fragments • PE Header fragment detected - 1 AV spotted the MZ/PE 15
A Serious Attack: Live sample • September 09 – FDA variant seen live • Targeting financial institutions • Use old shell code technique to run re- assembler code • Use of fragment marker • Hacked PE header values • Fragments of entire files • Attack involves: Rootkit - information stealer • Use Http to send / receive data
FDA: The Consequences • If successfully achieved, an FDA attack can result to some serious consequences • Depends on the victim's level of protection • Consequence not easily predictable but can lead to: • Data, intellectual property leakage • Government, military, industrial espionage • Irreversible financial losses
Detecting Fragmented Distribution Attacks • Detection would be tricky but possible • Depend on your scan engine capabilities
Conclusion • Hope you enjoyed this presentation which aimed to: - bring this type of threat to light - not demonstrating malware distribution technique for hackers
E.O.F. Questions? Thank you. anoirel_issa@symantec.com Also on LinkedIn 20

Recommended

Ejercicios
EjerciciosEjercicios
Ejercicios
leonharo
 
Charles Darwin Tarea
Charles Darwin TareaCharles Darwin Tarea
Charles Darwin Tarea
guestdb336d
 
Show Me the Money: Connecting Performance Engineering to Real Business Results
Show Me the Money: Connecting Performance Engineering to Real Business ResultsShow Me the Money: Connecting Performance Engineering to Real Business Results
Show Me the Money: Connecting Performance Engineering to Real Business Results
Correlsense
 
48. Marketinski Fokus: Testiranje spletne uporabnosti
48. Marketinski Fokus: Testiranje spletne uporabnosti48. Marketinski Fokus: Testiranje spletne uporabnosti
48. Marketinski Fokus: Testiranje spletne uporabnosti
Semantia
 
Embeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityEmbeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularity
Antiy Labs
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
rajakhurram
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
Malicious software
Malicious softwareMalicious software
Malicious software
rajakhurram
 

Recommended

Ejercicios
EjerciciosEjercicios
Ejercicios
leonharo
 
Charles Darwin Tarea
Charles Darwin TareaCharles Darwin Tarea
Charles Darwin Tarea
guestdb336d
 
Show Me the Money: Connecting Performance Engineering to Real Business Results
Show Me the Money: Connecting Performance Engineering to Real Business ResultsShow Me the Money: Connecting Performance Engineering to Real Business Results
Show Me the Money: Connecting Performance Engineering to Real Business Results
Correlsense
 
48. Marketinski Fokus: Testiranje spletne uporabnosti
48. Marketinski Fokus: Testiranje spletne uporabnosti48. Marketinski Fokus: Testiranje spletne uporabnosti
48. Marketinski Fokus: Testiranje spletne uporabnosti
Semantia
 
Embeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularityEmbeddable Antivirus engine with high granularity
Embeddable Antivirus engine with high granularity
Antiy Labs
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
rajakhurram
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
Malicious software
Malicious softwareMalicious software
Malicious software
rajakhurram
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
GTB Data Loss Prevention
GTB Data Loss PreventionGTB Data Loss Prevention
GTB Data Loss Prevention
refaeli
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
SelectedPresentations
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Nelson Brito
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
Lumension
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform Security
Peter Schneider
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
mgianarakis
 
Technical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot AnalysisTechnical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot Analysis
Positive Hack Days
 
Sans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sampleSans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sample
Michel Coene
 
AWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and securityAWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and security
AWS Chicago
 
Reversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into GatakaReversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into Gataka
jiboutin
 
Boutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaBoutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gataka
DefconRussia
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
Sunghun Kim
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
Tyler Shields
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
Rahul Mohandas
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 

More Related Content

Similar to Anoirel Issa Vb2009

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
GTB Data Loss Prevention
GTB Data Loss PreventionGTB Data Loss Prevention
GTB Data Loss Prevention
refaeli
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
SelectedPresentations
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Nelson Brito
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
Lumension
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform Security
Peter Schneider
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
mgianarakis
 
Technical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot AnalysisTechnical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot Analysis
Positive Hack Days
 
Sans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sampleSans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sample
Michel Coene
 
AWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and securityAWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and security
AWS Chicago
 
Reversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into GatakaReversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into Gataka
jiboutin
 
Boutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaBoutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gataka
DefconRussia
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
Sunghun Kim
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
Tyler Shields
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
Rahul Mohandas
 

Similar to Anoirel Issa Vb2009 (20)

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
GTB Data Loss Prevention
GTB Data Loss PreventionGTB Data Loss Prevention
GTB Data Loss Prevention
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform Security
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Technical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot AnalysisTechnical Workshop - Win32/Georbot Analysis
Technical Workshop - Win32/Georbot Analysis
 
Sans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sampleSans london april sans at night - tearing apart a fileless malware sample
Sans london april sans at night - tearing apart a fileless malware sample
 
AWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and securityAWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and security
 
Reversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into GatakaReversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into Gataka
 
Boutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaBoutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gataka
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 

Recently uploaded

Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 

Recently uploaded (20)

Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 

Anoirel Issa Vb2009

  • 1. Fragmented Distribution Attack Virus Bulletin Annual Conference 2009, Geneva September 18, 2009 Author: Anoirel S. Issa MessageLabs, now part of Symantec Anoirel_issa@symantec.com
  • 2. Fragmented Distribution Attack: Abstract Through the years there has been a constant evolution of anti-virus evasion techniques. One of the latest trend that has been widely witnessed is the process code injection. However, a technique which has not been previously disclosed and may lead to some irreversible consequences is the “Fragmented Distribution Attack”. The scenario: An email with an attached image arrives in your mailbox from a recognized sender, you double click and open it. As expected, the image is displayed and nothing else happens. The system administrator may not have noticed anything suspicious from his system monitor logs and everything looks fine as the anti-virus product, along with the firewall, remain silent. Under this silence, the computer is possibly being compromised by a Fragmented Distribution Attack. 2
  • 3. Agenda • An attempt to define the Fragmented Distribution Attack (FDA) • Exposing the attack: case study • The mystery of the bodiless header • P.O.C embedded code fragments and re-assembler • Live variant of a fragmented distribution attack • Consequences and possible implications • Detecting FDA • Conclusion 3
  • 4. Terminology: Fragmented Distribution Attack • A new AV evasion technique • Aim to bypass Firewalls, IDS and Anti-virus • Exploiting different file formats for distribution • Code fragments embedded in innocent files • Fragment re-assembler used to rebuild original threat • Fragments locator – within the re-assembler 4
  • 5. Exposing the Attack • File format exploitation and abuse • Data fragments embedded in normal file • Embedding code in innocent files a new method? • Not a new technique: seen on exploits • So what differentiates FDA to embedding technique? 5
  • 6. A Schematic View of an FDA: Fragment Distribution • 1 malware split in 3 fragments • Segments embedded in innocent files • Fragment carriers sent over the protected network 6
  • 7. The Fragment Re-assembler • A separate program • Not necessarily malware • Locates fragment carriers • Pre-assemble fragment in memory • May write code to disk • Executes re-assembled code in MEM or on Disk • System compromised 7
  • 8. Case 1: Uncovered Live Fragment • Embedded PE Header • No other PE characteristics • No encryption • Clearly isolated fragment • Remaining part is elsewhere • Possibly an FDA 8
  • 9. Detection of the previous live fragment • Discovered in 2008 • 7 AV detects the header today • Confusion: - Dropper? - Downloader? - No description Why ? an FDA?
  • 10. What if the sample was an FDA? • Conclusion about previous sample: • Isolated fragment – no shellcode - no encryption • What if our conclusion was 100% accurate? • How would that work? • How a single fragment of a PE file would be used and executed to compromise systems? • FDA is the answer. • How would an FDA work then? • Research results and FDA POC follows
  • 11. FDA Proof of concept: The Goat and the Smiling Image To validate our deduction of FDA in the previous case we develop an FDA POC using the image in the left and a goat file 11
  • 12. Fragment 1: PE header • Goat file fragment embedded in the image • Image displays • No visible alteration • Fragment detected by 1 AV 12
  • 13. Fragment 2 & 3: Code Section & Sec Table • Fragment marker “DEAD” • Fragment order 3-2 • Image displays • No detection 13
  • 14. Extending the POC: Infectious Fragments: W32.Virut • Not modified Virut sample • “Unanimously” detected 14
  • 15. Extending the POC: Infectious Fragments: W32.Virut • 4 fragments - embedded in same image • Not detected: - 4 fragments • PE Header fragment detected - 1 AV spotted the MZ/PE 15
  • 16. A Serious Attack: Live sample • September 09 – FDA variant seen live • Targeting financial institutions • Use old shell code technique to run re- assembler code • Use of fragment marker • Hacked PE header values • Fragments of entire files • Attack involves: Rootkit - information stealer • Use Http to send / receive data
  • 17. FDA: The Consequences • If successfully achieved, an FDA attack can result to some serious consequences • Depends on the victim's level of protection • Consequence not easily predictable but can lead to: • Data, intellectual property leakage • Government, military, industrial espionage • Irreversible financial losses
  • 18. Detecting Fragmented Distribution Attacks • Detection would be tricky but possible • Depend on your scan engine capabilities
  • 19. Conclusion • Hope you enjoyed this presentation which aimed to: - bring this type of threat to light - not demonstrating malware distribution technique for hackers