Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (10)
Similar to Malware Most Wanted: Evil Bunny
Similar to Malware Most Wanted: Evil Bunny (20)
More from Cyphort
More from Cyphort (8)
Recently uploaded
Recently uploaded (20)
Malware Most Wanted: Evil Bunny
- 2. EvilBunny Malware Marion Marschalek Security Researcher at Cyphort Labs
- 3. Your speakers today Marion Marschalek Security Researcher Cyphort Labs Shelendra Sharma Product Marketing Director
- 4. Agenda o Modern Threat Landscape o Wrap-up and Q&A CyphortLabsT-shirt
- 5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
- 6. The Modern Threat Landscape
- 11. o You don‘t see your adversary o You don‘t know whose death star it is there on your machine o You probably won‘t even find the death star on your machine http://glee.wikia.com
- 12. o Intellectual property being stolen o Political opponents put to jail o Internet communication being blocked o Vendor finding a new exploit o Same time, hacker writes 5 more o Control of media o Enterprises loosing customer data o Nation states spying on their citizens o Nation states being hacked o Little paul loosing his homework
- 13. Bunny Offenders
- 14. SAMPLE #1 o Filesize:192512 o CompileTime: 2010:05:06 o C&C: callientefever.info o HTTP Accept-Language: fr
- 15. TFC o Dynamic API loading by name hash
- 16. TFC o PING o EXEC o HTTPF o ASPFLOOD o TCPFLOOD o WEBFLOOD o POSTFLOOD ATCLEAR STATISTICS KILL SET UPLOAD UPDATE PLUGIN FLOODING EVERYTHING
- 17. TFC command and control
- 18. SAMPLES #[2-4] o FileSize: 184320 o CodeSize: 139264 o CompileTime: 2010:02:16 18:05:54+01:00 o FileSize: 184320 o CodeSize: 139264 o CompileTime: 2010:03:11 17:55:03+01:00 o FileSize: 792064 o CodeSize: 583680 o CompileTime: 2011:10:25 20:28:39+01:00
- 19. EvilBunny o FileSize: 792064 o CompileTime: 2011:10:25 20:28:39+01:00 o API name hashing key AB34CD77h o http://1.9.32.11/bunny/test.php?rec=nvista o Anti-Analysis | Threads & Files | CPU Data | C&C Commands | LUA
- 20. Not funny.
- 21. SRSLY?
- 22. Evil Bunny AV Product Enumeration Firewall Product Enumeration Sandbox Check "klavme", "myapp", "TESTAPP", "afyjevmv.exe“, Timing Condition SELECT * FROM ANTIVIRUSPRODUCT SELECT * FROM FIREWALLPRODUCT
- 24. LUA Thread Cmd Parsing Execute Command Start LUA Thread Advanced Command and Script Parsing Lua magic
- 25. Advanced Command and Script Parsing Lua magic o 4 worker threads o Executing Lua scripts o Lua 5.1 + C/Invoke code o Callback from LUA to C++
- 26. C&c servers o Config stored in HKLMSoftwareMicrosoftIpsec o http://le-progres.net/images/php/test.php?rec=11206-01 o http://ghatreh.com/skins/php/test.php?rec=11206-01 o http://www.usthb-dz.org/includes/php/test.php?rec=11206-01
- 27. Location Remote Host Port Number Oakville, Canada 69.90.160.65 80 Montréal, Canada 70.38.107.13 80 Montréal, Canada 70.38.12.10 80 http://www.threatexpert.com/report.aspx?md5=c40e3ee23cf95d992b7cd0b7c01b8599 C&c servers
- 30. CVE-2011-4369 o Adobe Reader vulnerability o Discovered December 2011 o Original release date: Dec. 16, 2011 o Documented Bunny infection: Dec. 20, 2011
- 32. TRAITS OF SOPHISTICATED MALWARE o Tricking of security solutions o Showing uncommon features o Vast resources being used in development and spreading o Advanced stealth mechanisms
- 33. BUNNY ORIGINS o Project named bunny, version 2.3.2 o DDoS botnet operators o Accept-Language: fr o C&C Servers hosted in Canada o C&C domains resemble French/Iranian websites o Related to recently revealed Babar malware
- 34. THE HIDDEN LINK o Shared code o Proxy bypass o Anti-virus enumeration o Similar API obfuscation o Same level of complexity o Middle-eastern domain names
- 35. Q&A
- 36. Thank You!
Editor's Notes
- About Cyphort Labs