7/2/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 1

DIY Malware Construction

The malware business and federated construction tactics
Gunter Ollmann - VP of Research
gollmann@damballa.com
Web http://www.damballa.com
Blog - http://blog.damballa.com
Blog - http://technicalinfodotnet.blogspot.com
About
Gunter Ollmann
VP of Research, Damballa Inc.
Damballa Inc.
Atlanta based security company focused on
enterprise detection and prevention of botnets
Brief Bio:
Been in IT industry for two decades over half of which has been
100% employed in security. Built and run international pentest teams,
R&D groups and consulting practices around the world.
Formerly Chief Security Strategist for IBM, Director of X-Force for ISS,
Professional Services Director for NGS Software, Head of Attack
Services EMEA, etc.
Frequent writer, columnist and blogger with lots of whitepapers
http://blog.damballa.com& http://technicalinfodotnet.blogspot.com/
7/2/2009 2 EC-Council Security Channel DIY Malware Construction
Agenda
Lets get started building malware
The DIY malware toolbox
Send in the clones
Protect your malware investment
The hybrid threat
7/2/2009 3 EC-Council Security Channel DIY Malware Construction
7/2/2009 Targeted Protection Against Targeted Attacks 4
Why join the malware business?
If youre a good coder you can make $$$
If youre not a good coder you can make $$$
If you can barely use a computer you can make $$$
Its an ecosystem that supports innovation
Lots of opportunities to add value
Rapid pace of change creating new
business opportunities all the time
Entry costs
are low!
7/2/2009 5 EC-Council Security Channel DIY Malware Construction
From Rags to Riches
The Criminal Element
Growing demand for reliable
malware, bots & crime-ware
Malware feeds in to existing
fraud and laundering systems
Swiss armyknife of cyber-crime
7/2/2009 6 EC-Council Security Channel DIY Malware Construction
More money and financial
transactions conducted online
Financial motivations growing
Greater opportunities and
vectors for fraud or theft
Hurdles Facing AV Companies
AV protection updates take time
2-5 days to turn around new signatures
14+ days for behavioral algorithms
QA takes time
Almost always need a sample first
Reliance on spam-traps, crawlers and submissions
Typically blind to non-public or targeted malware
Crime opportunity
Release new malware faster than AV updates
Serial-variant malware production
7/2/2009 7 EC-Council Security Channel DIY Malware Construction
Tools and Services
Crime-ware ecosystem supports new
tools and services:
Malware distribution and delivery
Drive-by, Spam, etc.
Support services
24x7, evasion guarantees
Subscription updates
Latest exploits & plug-ins
7/2/2009 8 EC-Council Security Channel DIY Malware Construction
1
7/2/2009 9 EC-Council Security Channel DIY Malware Construction
The DIY Malware Toolbox
DIY Ensemble
Whole industry centered around DIY kits
Experienced developers sell the kits
Open platforms encourage plug-ins
Latest exploits for malware self-propagation
Competitive landscape drives innovation
New features added (copied/stolen)
Federated build approach
New tools that make the malware
more dangerous & can be automated
7/2/2009 10 EC-Council Security Channel DIY Malware Construction
Kit Hunting Isnt Rocket Science
7/2/2009 11 EC-Council Security Channel DIY Malware Construction
1
2
Keylogger Octopus
Basic DIY kit
Evolution of free kit
(incl. source code)
$30 for commercial
version
7/2/2009 12 EC-Council Security Channel DIY Malware Construction
1
2
3
RAT Spy-Net v1.8
7/2/2009 13 EC-Council Security Channel DIY Malware Construction
1
4
3
2
RAT Aero-Rat v0.3
7/2/2009 14 EC-Council Security Channel DIY Malware Construction
2
3
1
7/2/2009 15
RAT Turkojan v4
Commercial dual-use
Trojan creator
V.4 New features
Remote Desktop
Webcam Streaming
Audio Streaming
Remote passwords
MSN Sniffer
Remote Shell
Advanced File Manager
Online & Offline keylogger
Information about remote
computer
Etc..
Three versions
Gold, Silver & Bronze
EC-Council Security Channel DIY Malware Construction
2
1
RAT PayDay v0.1
7/2/2009 16 EC-Council Security Channel DIY Malware Construction
1
6
7
5
4
3
2
RAT The Rat! v9.0XP
7/2/2009 17 EC-Council Security Channel DIY Malware Construction
Prices in WebMoney
The Rat! 9.0XP 35 WMZ
The Rat! 8.1XP
The Rat! 7.0XP - 29 WMZ
The Rat! 6.0XP/6.1 - 22 WMZ
The Rat! 5.8XP - 15 WMZ
The Rat! 5.5XP - 13 WMZ
The Rat! 5.0XP - 9 WMZ
The Rat! 4.0XP - 8 WMZ
The Rat! 3.xx - 7 WMZ
The Rat! 2.xx - 6 WMZ
4
3
2
1
RAT Shark v3
Added anti-debugger capabilities
VmWare, Norman Sandbox, Sandboxie,
VirtualPC, Symantec Sandbox, Virtual Box
etc.
7/2/2009 18 EC-Council Security Channel DIY Malware Construction
1
2
Hire-a-Malware-Coder (Custom
Build)
Platform: software running on MAC OS to Windows
Multitasking: have the capacity to work on multiple projects
Speed and responsibility: at the highest level
Pre-payment for new customers: 50% of the whole price, 30%
pre-pay of the whole price for repeated customers
Rates: starting from100 Euro
courtesy Google translator
I can also offer you another deal, I will share the complete
source code in exchange to access to a botnet with at least
4000 infected hosts because I don't have time to play around
with me bot right now. courtesy Google translator
7/2/2009 19 EC-Council Security Channel DIY Malware Construction
Hire-a-malware-coder Pricing
Other models exist for hire-a-malware-coder pricing
Component/functionality based pricing
Loader 300
FTP & Grabber 150
Assembler Spam bases 220
Socks 4/5 70
Botnet manager 600
Scripts 70
AV-remover 70
Screen-grabber 70
Assembler password stealers (IE, MSN, etc.) 70
Typical Rules and License agreements by
malware code authors
Customer has no right to transfer any of his
three 3 persons except options for harmonizing
with me
Customer does not have the right to make
any decompile, research, malicious
modification of any three parts
For violating the rules - without any license
denial manibekov and further conversations
courtesy Google translator
7/2/2009 20 EC-Council Security Channel DIY Malware Construction
Zeus & Distribution
7/2/2009 21 EC-Council Security Channel DIY Malware Construction
1
2
3
ZEUS DIY Kit
RRP: $400 (street price ~$50)
Botnet CnC package with Web
management frontend.
Very popular many plug-ins
developed to extend functionality
Serial-Variants
6/16/2009 23
Code Metamorphism Noise Insertion Compilers Original Malware
Noise Insertion
EC-Council Security Channel DIY Malware Construction
Code Metamorphism/Polymorphism
Designed to defeat pattern
recognition systems in AV
Change the shape of the
malware code
Swap equivalent constructs
e.g. ForNext, Ifwhile, Casewhen
Change order of the code
e.g. Swapping registers, reordering
instructions
7/2/2009 24 EC-Council Security Channel DIY Malware Construction
Noise Insertion
Insertion of redundant
code segments
Whitespace and Noise
e.g. if 1=1, sleep(0)
NOP/NOOP
e.g. i+1;
Unused functions & procedures
e.g. calculate Pi if var.A is not equal
to var.A
Define unused variables and
arrays
7/2/2009 25 EC-Council Security Channel DIY Malware Construction
Compilers
Different compiler types, versions and settings
change the shape of the final malware code
7/2/2009 26 EC-Council Security Channel DIY Malware Construction
Serial-Variants
Designed to avoid existing pattern
recognition signatures
Requires new AV analysis
Automated code metamorphism and noise
insertion
Behaviors & commands still the same
Goal: to pump out new
malware faster than AV can
develop signatures
7/2/2009 27 EC-Council Security Channel DIY Malware Construction
7/2/2009 Targeted Protection Against Targeted Attacks 28
Getting ready for delivery
6/16/2009 29
Original Malware Binders Cryptors Packers
QA
EC-Council Security Channel DIY Malware Construction
Cryptors
Encrypt malware code
Decrypted in memory
Partial decryption as used
Initially used to thwart
pirates and
static-analysis
tools
7/2/2009 30 EC-Council Security Channel DIY Malware Construction
1
2
3
Packers
Objective to condense
Portable Executable
(PE) files
Some have polymorphic
output capabilities
Bypass checksum
technologies
Difficult if you dont
know what its packed
with
7/2/2009 31 EC-Council Security Channel DIY Malware Construction
1
2
Protectors
Detection and
evasion of sandbox
& virtualization
technologies
Different behaviors
upon detection
Fight-back capability
Use exploits
Break out
7/2/2009 32 EC-Council Security Channel DIY Malware Construction
1
2
Binders
Graft the malware in to
another application
Deploy multiple malware
in a single package
7/2/2009 33 EC-Council Security Channel DIY Malware Construction
QA
Test malware variants
before release to the wild...
7/2/2009 34 EC-Council Security Channel DIY Malware Construction
2
7/2/2009 35 EC-Council Security Channel DIY Malware Construction
Host or Network Threat?
7/2/2009 36 EC-Council Security Channel DIY Malware Construction
Networking capabilities built-in as standard
C&C backbone for constructing botnets
Cloud based attacks
Network and host-based threat aspects
Some aspects covered with host protection
Some vectors detected with network sensors
The Hybrid threat bucket
Threats not fully
prevented with host
or network defenses
Botnets = Hybrid Threat
Host and Network protection vendors
each define their own hybrid buckets
Hybrid bucket = largest threat bucket
Botnets are the hybrid threat
DIY malware kits make it easy to build
botnets and bot agents
New C&C management features & tools
New managed services for bot delivery
7/2/2009 37 EC-Council Security Channel DIY Malware Construction
Conclusions
Entry costs to the criminal
malware business are low
Technologies for malware
production are advanced
and easy to acquire
Current generation DIY kits
can be chained to make
undetectable malware
Giving malware network
wings and turning them in
to botnets is getting easier!
7/2/2009 38 EC-Council Security Channel DIY Malware Construction
7/2/2009 Targeted Protection Against Targeted Attacks 39
Gunter Ollmann - VP of Research
gollmann@damballa.com
Blog - http://blog.damballa.com
Blog - http://technicalinfodotnet.blogspot.com
Thank You!
All images copyright their respective authors