SAVE seeks to classify closely related pieces of malicious software for the purpose of identifying future ones. The core idea is a good one: the byte code of a sample is modified to obfuscate its signature, the stated goal being to change it enough to fool antivirus scanners while leaving its behaviour intact. This is done in five different ways.
- Null operations (NOPs) are inserted into the code. Assuming one is modifying a section of code, NOPs are inserted at various places in that region; the instructions still execute the same way, but any byte signature that spans the region no longer matches.
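The NOP-insertion technique above, worked through in code. This is an added example, not code from the SAVE paper or from Offensive Computing: the "sample" is a constructed, straight-line x86 fragment with no relative branches, so a NOP can be dropped between any two instructions without fixing up displacements (real code needs a disassembler for that). It shows the naive byte signature failing after insertion and the two ways a scanner copes: normalising the code before matching, or loosening the signature so that it tolerates NOP runs.

```python
"""NOP insertion against a byte signature, and two ways a scanner copes.

Added example; not code from the SAVE paper or from Offensive Computing.
The instruction stream below is constructed for the demo.
"""
import re

NOP = b"\x90"

# Constructed instruction stream, one x86 instruction per entry, no branches.
INSTRUCTIONS = [
    b"\x55",                  # push ebp
    b"\x89\xe5",              # mov  ebp, esp
    b"\x31\xc0",              # xor  eax, eax
    b"\xb8\x01\x00\x00\x00",  # mov  eax, 1
    b"\x5d",                  # pop  ebp
    b"\xc3",                  # ret
]

# A naive signature: a contiguous byte string lifted from the original sample.
SIGNATURE = b"\x31\xc0\xb8\x01\x00\x00\x00"


def insert_nops(instructions, before):
    """Insert one NOP before each instruction index listed in `before`.
    Working on a list of instructions keeps every insertion on an
    instruction boundary, which is what keeps the code equivalent."""
    out = []
    for i, insn in enumerate(instructions):
        if i in before:
            out.append(NOP)
        out.append(insn)
    return b"".join(out)


def naive_match(signature, code):
    """Byte-for-byte scan, the way a plain signature scanner works."""
    return signature in code


def normalize(code):
    """Countermeasure 1: strip single-byte NOPs before matching.
    Cheap, but it mangles code whose immediates or displacements happen to
    contain 0x90, so a real engine normalises at the instruction level."""
    return code.replace(NOP, b"")


def nop_tolerant_pattern(signature):
    """Countermeasure 2: keep the code, loosen the signature. The regex
    allows any run of NOPs between consecutive signature bytes."""
    parts = [re.escape(bytes([b])) for b in signature]
    return re.compile((NOP + b"*").join(parts))


def demo():
    original = b"".join(INSTRUCTIONS)
    # One NOP lands inside the signature region (before "mov eax,1"),
    # one just after it (before "pop ebp").
    mutated = insert_nops(INSTRUCTIONS, {3, 4})
    return {
        "original_hit": naive_match(SIGNATURE, original),
        "mutated_hit": naive_match(SIGNATURE, mutated),
        "normalized_hit": naive_match(SIGNATURE, normalize(mutated)),
        "tolerant_hit": nop_tolerant_pattern(SIGNATURE).search(mutated) is not None,
        "mutated_len": len(mutated),
        "roundtrip": normalize(mutated) == original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The round-trip check only holds because the constructed sample contains no 0x90 byte of its own; that is exactly the case a byte-level normaliser gets wrong on real code, which is why the regex form (or instruction-level normalisation) is the safer of the two.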
Spyware Guide is running an article detailing the use of a QuickTime file to start the infection process.
SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation is a paper by Amit Vasudevan and Ramesh Yerraballi from UT Arlington. This paper outlines several different methods to control a running process. In this case, it is used for controlling malware.
The SPiKE method uses a kernel component to implement "drifters", memory read/write breakpoints, which are then used to control the execution of the malware. A breakpoint is set by marking the target memory page "not-present" in the page tables, so that any access to it faults into the kernel, where "subtle software techniques" (their quote, not mine) transfer execution to the SPiKE API. This is very similar to Joe Stewart's OllyBone method of setting page-based breakpoints. The rest of the interception points are Windows API hooks on CreateProcess, OpenProcess, and others.
"The internal mechanisms of what allows user-mode debugging to work have rarely ever been fully explained. Even worse, these mechanisms have radically changed in Windows XP, when much of the support was re-written, as well as made more subsystem portable by including most of the routines in ntdll, as part of the Native API. This three part series will explain this functionality, starting from the Win32 (kernel32) viewpoint all the way down (or up) to the NT Kernel (ntoskrnl) component responsible for this support, called Dbgk, while taking a stop to the NT System Library (ntdll) and its DbgUi component."
Following chamuco's post, here are three papers I thought were interesting.
How to 0wn the Internet in Your Spare Time was presented at USENIX Security in 2002; it describes new techniques, such as hit-list and permutation scanning, that malware could use to increase its propagation speed.
The Future of Internet Worms: even if worms are not as hot as they used to be, this article is a good read. It describes new organisational techniques that groups of malware could use to coordinate, among other things.
While reading through some papers, I found a particularly good one. While the methods are not groundbreaking, and the paper is somewhat old (circa 2000), it does outline some of the good methods for detecting viruses. These methods are still being rehashed today. Stripping Down an AV Engine by Igor Muttik is a good read. Check it out.
Do you have a particular paper you like? Post it in a blog or forum post with a brief description and share with the community.
Ero Carrera created an excellent Portable Executable (PE) parser for Python called PEFile. We've taken his code and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.
Read the full article for all the bugs that have been fixed.
BinBLAST is an extension of the Basic Local Alignment Search Tool (BLAST), whose scoring statistics are due to Karlin and Altschul, to work with binaries. The technique has proved invaluable in the reverse engineering of genomes, and its variants have become mainstays of modern bioinformatics. The analogue developed for security analysis of binary executables, binBLAST, is sensitive to code versions and compiler variations, and can be used to generate antivirus signatures.
Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, there is an outline in the slides of the programs and how they fit together. This includes the proof-of-concept code necessary to produce signatures of uniqueness.
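To make concrete what "local alignment of binaries" measures, here is an added example that is not binBLAST's code and not from the DefCon CD. BLAST is a seeded heuristic for local alignment; the code below runs the exact dynamic-programming version, Smith-Waterman, over two constructed byte strings that embed two versions of the same function (one changed immediate, one extra instruction) inside unrelated surrounding bytes. The scoring scheme (match +2, mismatch -1, gap -2) is an assumption for the demo, not binBLAST's.

```python
"""Local alignment of two byte strings with Smith-Waterman.

Added example; not binBLAST's code. Smith-Waterman is the exact form of the
local alignment that BLAST approximates with seeds; it finds the highest
scoring region two sequences share while tolerating substitutions and
small insertions, which is what version and compiler drift look like in
machine code.
"""

MATCH, MISMATCH, GAP = 2, -1, -2   # assumed scoring scheme for the demo


def smith_waterman(a, b, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Best local alignment of byte strings a and b.
    Returns (score, a_start, a_end, b_start, b_end), ends exclusive.
    O(len(a)*len(b)) time and memory, so use it on function-sized inputs;
    seeding with short exact matches (the BLAST idea) is what avoids
    filling the whole matrix for two entire binaries."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]   # scores
    T = [[0] * (m + 1) for _ in range(n + 1)]   # traceback: 0 stop, 1 diag, 2 up, 3 left
    best, best_at = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = H[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            up = H[i - 1][j] + gap      # byte of a against a gap in b
            left = H[i][j - 1] + gap    # byte of b against a gap in a
            h = max(0, diag, up, left)  # local alignment: never go below zero
            H[i][j] = h
            T[i][j] = 0 if h == 0 else 1 if h == diag else 2 if h == up else 3
            if h > best:
                best, best_at = h, (i, j)
    i, j = best_at
    a_end, b_end = i, j
    while T[i][j]:                      # walk back to where the run started
        if T[i][j] == 1:
            i, j = i - 1, j - 1
        elif T[i][j] == 2:
            i -= 1
        else:
            j -= 1
    return best, i, a_end, j, b_end


def shared_region(a, b):
    """The two byte slices that the best local alignment pairs up."""
    score, a0, a1, b0, b1 = smith_waterman(a, b)
    return score, a[a0:a1], b[b0:b1]


# Constructed samples: one function in two versions. v2 changes the stack
# adjustment (0x10 -> 0x20) and inserts a "push ecx"; each is surrounded by
# unrelated bytes so that the alignment has to find the function on its own.
FUNC_V1 = bytes.fromhex("55 89e5 83ec10 31c0 8b4508 5d c3")
FUNC_V2 = bytes.fromhex("55 89e5 83ec20 51 31c0 8b4508 5d c3")
BIN_A = b"\x00" * 8 + FUNC_V1 + b"\xff" * 8
BIN_B = b"\x7f\x45\x4c\x46" + FUNC_V2 + b"\xaa" * 6


if __name__ == "__main__":
    score, ra, rb = shared_region(BIN_A, BIN_B)
    print(f"score {score}")
    print(f"A: {ra.hex(' ')}")
    print(f"B: {rb.hex(' ')}")
```

The score of the shared region is 21 here: twelve matching bytes (+24), one substituted byte (-1) and one inserted byte (-2). Unrelated byte strings score 0, and a sequence against itself scores twice its length, which is the range a similarity ratio would be normalised over.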
I read Robert Lemos' latest article:
And I thought, how could someone do this more simply?
So I thought, "why not pack code twice?"
I booted up my VMware XP system, grabbed an old copy of Sircam and two EXE packers, and did the following:
1. I packed the Sircam binary with UPX and a separate mod program (so it can be repacked without being identified as UPX) and validated using virustotal.com that it would be detected. It was successfully detected by almost every major scanner except one, which surprised me a lot (*cough* Symantec *cough*).
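Two of the posts on this page meet in one piece of code: the PEFile fixes that came out of running a parser across a malware collection, and the "mod program" above that hides the UPX section names. The following is an added example, not pefile and not Offensive Computing's patched copy of it. It parses a PE section table with every header-derived offset range-checked (the class of bug a malware corpus shakes out of a parser), then applies two packer checks: the weak one, section names starting with "UPX", and section entropy, which survives a rename. The PE images are constructed in memory with a small builder; they carry well-formed headers and section data but are not loadable programs, and the 7.0 entropy threshold is an assumed heuristic.

```python
"""Minimal PE section-table parser with a packer heuristic.

Added example; not pefile and not the patched copy discussed above.
The PE images built here are constructed for the demo only.
"""
import math
import random
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0                            # assumed heuristic cut-off


def build_pe(sections):
    """Assemble a minimal PE32 image: DOS header, PE signature, COFF header,
    zero-filled optional header, section table, then raw section data.
    `sections` is a list of (name, data) pairs. Headers only; not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic; the rest stays zero
    headers_len = 64 + 4 + len(coff) + len(opt) + SECTION_HEADER.size * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF        # 512-byte file alignment
    table, blobs = bytearray(), bytearray()
    raw_ptr, va = first_raw, 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"), len(data), va,
                                     raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += max(raw_size, 0x1000)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(first_raw, b"\0") + bytes(blobs)


def _field(data, offset, fmt):
    """Read one header field, refusing offsets that leave the file."""
    size = struct.calcsize(fmt)
    if offset < 0 or offset + size > len(data):
        raise ValueError(f"header field at {offset:#x} lies outside the file")
    return struct.unpack_from(fmt, data, offset)[0]


def parse_sections(data):
    """Return one dict per section header. Every offset taken from a header
    is checked or clamped before use, so a malformed file raises ValueError
    or yields a truncated section instead of an IndexError deep inside."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    pe = _field(data, 0x3C, "<I")
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew: no PE signature there")
    nsect = _field(data, pe + 6, "<H")
    opt_size = _field(data, pe + 20, "<H")
    table = pe + 24 + opt_size
    out = []
    for i in range(nsect):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError(f"section table truncated at entry {i}")
        name, _vsize, _va, raw_size, raw_ptr, *_rest = SECTION_HEADER.unpack_from(data, off)
        start = min(raw_ptr, len(data))               # clamp rather than trust the header
        end = min(raw_ptr + raw_size, len(data))
        out.append({"name": name.rstrip(b"\0").decode("latin-1"),
                    "raw": data[start:end],
                    "truncated": end - start < raw_size})
    return out


def entropy(blob):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for byte in blob:
        counts[byte] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_verdict(data):
    """The weak check (section name) next to the one a rename does not defeat."""
    secs = parse_sections(data)
    max_ent = max((entropy(s["raw"]) for s in secs), default=0.0)
    return {"upx_by_name": any(s["name"].startswith("UPX") for s in secs),
            "max_entropy": round(max_ent, 2),
            "packed_by_entropy": max_ent > ENTROPY_THRESHOLD}


# Constructed samples. Pseudorandom bytes stand in for compressed code.
_rng = random.Random(1234)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN = b"\x55\x89\xe5\x31\xc0\x5d\xc3\x90" * 320        # repetitive, 8 distinct bytes
UPX_LIKE = build_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY)])
RENAMED = build_pe([(".text", b""), (".data", HIGH_ENTROPY)])  # the section-rename trick
UNPACKED = build_pe([(".text", PLAIN)])

if __name__ == "__main__":
    for label, image in (("upx", UPX_LIKE), ("renamed", RENAMED), ("plain", UNPACKED)):
        print(label, packer_verdict(image))
```

Renaming the sections flips `upx_by_name` to false while `packed_by_entropy` stays true, which is the whole point of preferring content-based checks over header strings. The truncation handling matters for the same reason the PEFile fixes were needed: a corpus of real malware contains files whose section table or raw pointers run past the end of the file, and a parser that indexes blindly dies on them.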
The slides and videos from the Offensive Computing presentation at Defcon 14 are now available. In our talk we demoed several new tools, including a generic virtual machine detector. This VM detector tries a variety of methods, including the new machine status word (MSW) method, which reads the MSW with the unprivileged SMSW instruction. This allows you to generically detect virtual machines regardless of whether acceleration is enabled.
- Further Down the VM Spiral: paper describing the new VM detection techniques
- VMDetect tool (C source, EXE): implementation of the VM detection concepts we spoke about
- Hacking Malware: Offense is the new Defense
- Sasser FTPD Metasploit exploit module