7/2/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security

DIY Malware Construction
The malware business and federated construction tactics

Gunter Ollmann - VP of Research
gollmann@damballa.com
Web: http://www.damballa.com
Blog: http://blog.damballa.com
Blog: http://technicalinfodotnet.blogspot.com

About Gunter Ollmann
VP of Research, Damballa Inc.
- Damballa Inc.: Atlanta-based security company focused on enterprise detection and prevention of botnets
- Brief bio: in the IT industry for two decades, over half of which has been 100% employed in security. Built and run international pentest teams, R&D groups and consulting practices around the world.
- Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.
- Frequent writer, columnist and blogger with lots of whitepapers: http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/

7/2/2009 EC-Council Security Channel - DIY Malware Construction

Agenda
- Let's get started building malware
- The DIY malware toolbox
- Send in the clones
- Protect your malware investment
- The hybrid threat

Targeted Protection Against Targeted Attacks

Why join the malware business?
- If you're a good coder you can make $$$
- If you're not a good coder you can make $$$
- If you can barely use a computer you can make $$$
- It's an ecosystem that supports innovation
- Lots of opportunities to add value
- Rapid pace of change creating new business opportunities all the time
- Entry costs are low!
From Rags to Riches

The Criminal Element
- Growing demand for reliable malware, bots & crime-ware
- Malware feeds into existing fraud and laundering systems
- Swiss army knife of cyber-crime
- More money and financial transactions conducted online
- Financial motivations growing
- Greater opportunities and vectors for fraud or theft

Hurdles Facing AV Companies
- AV protection updates take time
  - 2-5 days to turn around new signatures
  - 14+ days for behavioral algorithms
  - QA takes time
- Almost always need a sample first
  - Reliance on spam-traps, crawlers and submissions
  - Typically blind to non-public or targeted malware
- Crime opportunity
  - Release new malware faster than AV updates
  - Serial-variant malware production

Tools and Services
Crime-ware ecosystem supports new tools and services:
- Malware distribution and delivery: drive-by, spam, etc.
- Support services: 24x7, evasion guarantees
- Subscription updates: latest exploits & plug-ins

The DIY Malware Toolbox

DIY Ensemble
- Whole industry centered around DIY kits
  - Experienced developers sell the kits
  - Open platforms encourage plug-ins
  - Latest exploits for malware self-propagation
- Competitive landscape drives innovation
  - New features added (copied/stolen)
- Federated build approach
  - New tools that make the malware more dangerous & can be automated

Kit Hunting Isn't Rocket Science

Keylogger: Octopus
- Basic DIY kit
- Evolution of free kit (incl. source code)
- $30 for commercial version

RAT: Spy-Net v1.8

RAT: Aero-Rat v0.3

RAT: Turkojan v4
- Commercial dual-use Trojan creator
- V.4 new features: Remote Desktop, Webcam Streaming, Audio Streaming, Remote passwords, MSN Sniffer, Remote Shell, Advanced File Manager, Online & Offline keylogger, Information about remote computer, etc.
- Three versions: Gold, Silver & Bronze

RAT: PayDay v0.1

RAT: The Rat! v9.0XP
Prices in WebMoney:
- The Rat! 9.0XP - 35 WMZ
- The Rat! 8.1XP
- The Rat! 7.0XP - 29 WMZ
- The Rat! 6.0XP/6.1 - 22 WMZ
- The Rat! 5.8XP - 15 WMZ
- The Rat! 5.5XP - 13 WMZ
- The Rat! 5.0XP - 9 WMZ
- The Rat! 4.0XP - 8 WMZ
- The Rat! 3.xx - 7 WMZ
- The Rat! 2.xx - 6 WMZ

RAT: Shark v3
- Added anti-debugger capabilities: VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc.

Hire-a-Malware-Coder (Custom Build)
Advert, courtesy Google translator:
- Platform: software running on MAC OS to Windows
- Multitasking: have the capacity to work on multiple projects
- Speed and responsibility: at the highest level
- Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers
- Rates: starting from 100 Euro

"I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000 infected hosts because I don't have time to play around with me bot right now." (courtesy Google translator)

Hire-a-malware-coder Pricing
Other models exist for hire-a-malware-coder pricing: component/functionality based pricing
- Loader - 300
- FTP & Grabber - 150
- Assembler Spam bases - 220
- Socks 4/5 - 70
- Botnet manager - 600
- Scripts - 70
- AV-remover - 70
- Screen-grabber - 70
- Assembler password stealers (IE, MSN, etc.) - 70

Typical rules and license agreements by malware code authors (courtesy Google translator):
- "Customer has no right to transfer any of his three 3 persons except options for harmonizing with me"
- "Customer does not have the right to make any decompile, research, malicious modification of any three parts"
- "For violating the rules - without any license denial manibekov and further conversations"

Zeus & Distribution

ZEUS DIY Kit
- RRP: $400 (street price ~$50)
- Botnet CnC package with Web management frontend
- Very popular: many plug-ins developed to extend functionality

Serial-Variants
(diagram: Original Malware, Code Metamorphism, Noise Insertion, Compilers)

Code Metamorphism/Polymorphism
- Designed to defeat pattern recognition systems in AV
- Change the shape of the malware code
  - Swap equivalent constructs, e.g. For/Next, If/While, Case/When
  - Change order of the code, e.g. swapping registers, reordering instructions

Noise Insertion
- Insertion of redundant code segments
  - Whitespace and noise, e.g. if 1=1, sleep(0)
  - NOP/NOOP, e.g. i+1;
  - Unused functions & procedures, e.g. calculate Pi if var.A is not equal to var.A
  - Define unused variables and arrays
Compilers
- Different compiler types, versions and settings change the shape of the final malware code

Serial-Variants
- Designed to avoid existing pattern recognition signatures: requires new AV analysis
- Automated code metamorphism and noise insertion
- Behaviors & commands still the same
- Goal: to pump out new malware faster than AV can develop signatures

Getting ready for delivery
(diagram: Original Malware, Binders, Cryptors, Packers, QA)

Cryptors
- Encrypt malware code
  - Decrypted in memory
  - Partial decryption as used
- Initially used to thwart pirates and static-analysis tools

Packers
- Objective: to condense Portable Executable (PE) files
- Some have polymorphic output capabilities
- Bypass checksum technologies
- Difficult if you don't know what it's packed with

Protectors
- Detection and evasion of sandbox & virtualization technologies
- Different behaviors upon detection
- Fight-back capability: use exploits, break out

Binders
- Graft the malware into another application
- Deploy multiple malware in a single package

QA
- Test malware variants before release to the wild...

Host or Network Threat?
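The Serial-Variants and Packers slides above make two analyst-side points: serial variants keep the same behaviour while changing every byte that a signature could key on, and a packed or crypted sample is hard to recognise statically. The script below is an added illustration of both (it is not code from the presentation or from Damballa). It shows a byte-for-byte hash failing across two constructed sandbox traces of the same bot while a behavioural signature over the meaningful API calls still matches, and it applies a Shannon-entropy heuristic to tell a plain code section from a packed one. The sections, traces, API allow-list and the 7.0 bits/byte threshold are all constructed for the example.

```python
"""
Added example, not from Ollmann's slides or Damballa: two analyst-side checks
that survive serial variants and packers where byte signatures do not.
Every sample, trace line and threshold here is constructed for illustration.
"""
import hashlib
import math
import re
from collections import Counter

# ---------------------------------------------------------------------------
# 1. Shannon entropy of a PE section as a packer/cryptor heuristic
#    (the "difficult if you don't know what it's packed with" problem).
# ---------------------------------------------------------------------------
PACKED_ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off, tune per corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(section: bytes) -> bool:
    """Flag a section whose byte distribution is near-random, as compressed or
    encrypted payloads are; ordinary compiled code sits well below 7 bits."""
    return shannon_entropy(section) >= PACKED_ENTROPY_THRESHOLD


# Constructed stand-ins for a .text section: a plain one built from a short
# repeating instruction-like pattern, and a "packed" one built from a SHA-256
# chain so that it is deterministic but statistically random.
PLAIN_SECTION = (b"\x55\x89\xe5\x83\xec\x10\xc9\xc3" + b"\x00" * 8) * 256


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PACKED_SECTION = _pseudo_random_bytes(4096)

# ---------------------------------------------------------------------------
# 2. Behavioural signature from a sandbox API trace.  Serial variants change
#    bytes (noise insertion, metamorphism, recompiles) but the slides note that
#    "behaviors & commands stay the same", so key the signature on behaviour.
# ---------------------------------------------------------------------------
# Constructed allow-list of APIs an analyst treats as meaningful; every other
# call in the trace (Sleep(0), timer reads, ...) is treated as noise.
INTERESTING_APIS = {
    "CreateProcessW", "WriteProcessMemory", "CreateRemoteThread",
    "RegSetValueExW", "InternetConnectA", "HttpSendRequestA",
}
_TRACE_RE = re.compile(r"^\d+\s+(\w+)\(")  # constructed format: "<pid> Api(args)"


def behaviour_signature(trace: str) -> str:
    """SHA-256 over the ordered sequence of interesting API calls only."""
    calls = []
    for line in trace.strip().splitlines():
        m = _TRACE_RE.match(line.strip())
        if m and m.group(1) in INTERESTING_APIS:
            calls.append(m.group(1))
    return hashlib.sha256("|".join(calls).encode()).hexdigest()


def file_hash(data: bytes) -> str:
    """The byte-for-byte signature that serial variants are built to break."""
    return hashlib.sha256(data).hexdigest()


# Constructed traces: the second is the same bot with sleep(0)-style noise and
# an unused call mixed in, so its raw bytes differ while the behaviour does not.
TRACE_ORIGINAL = """
1234 CreateProcessW("svchost.exe")
1234 WriteProcessMemory(0x400000)
1234 CreateRemoteThread(0x401000)
1234 RegSetValueExW("Run\\updater")
1234 InternetConnectA("cnc.example.invalid")
1234 HttpSendRequestA("/gate.php")
"""
TRACE_VARIANT = """
5678 Sleep(0)
5678 GetTickCount()
5678 CreateProcessW("svchost.exe")
5678 Sleep(0)
5678 WriteProcessMemory(0x400000)
5678 CreateRemoteThread(0x401000)
5678 GetSystemTimeAsFileTime()
5678 RegSetValueExW("Run\\updater")
5678 InternetConnectA("cnc.example.invalid")
5678 Sleep(0)
5678 HttpSendRequestA("/gate.php")
"""

if __name__ == "__main__":
    for name, sec in (("plain", PLAIN_SECTION), ("packed", PACKED_SECTION)):
        print(f"{name:6} entropy {shannon_entropy(sec):.2f} packed={looks_packed(sec)}")
    raw_same = file_hash(TRACE_ORIGINAL.encode()) == file_hash(TRACE_VARIANT.encode())
    beh_same = behaviour_signature(TRACE_ORIGINAL) == behaviour_signature(TRACE_VARIANT)
    print(f"raw hashes equal: {raw_same}, behaviour signatures equal: {beh_same}")
```

The entropy check is only a triage heuristic: legitimate installers and compressed resources also score high, so it ranks samples for a closer look rather than convicting them. The behavioural signature is the more durable of the two, which is the same reason the slides that follow argue for host plus network observation of what the bot does rather than what its bytes look like.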
Networking capabilities built-in as standard
- C&C backbone for constructing botnets
- Cloud based attacks

Network and host-based threat aspects
- Some aspects covered with host protection
- Some vectors detected with network sensors
- The hybrid threat bucket: threats not fully prevented with host or network defenses

Botnets = Hybrid Threat
- Host and network protection vendors each define their own hybrid buckets
- Hybrid bucket = largest threat bucket
- Botnets are the hybrid threat
- DIY malware kits make it easy to build botnets and bot agents
  - New C&C management features & tools
  - New managed services for bot delivery

Conclusions
- Entry costs to the criminal malware business are low
- Technologies for malware production are advanced and easy to acquire
- Current generation DIY kits can be chained to make undetectable malware
- Giving malware network wings and turning them into botnets is getting easier!

Gunter Ollmann - VP of Research
gollmann@damballa.com
Blog: http://blog.damballa.com
Blog: http://technicalinfodotnet.blogspot.com

Thank You!
All images copyright their respective authors