Stealing Data With Obfuscated Code

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially, given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, Security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

Obfuscation 101

[kbrasee]

X=1024; Y=768; A=3;

J=0;K=-10;L=-7;M=1296;N=36;O=255;P=9;_=1<<15;E;S;C;D;F(b){E="1""111886:6:??AAF"
"FHHMMOO55557799@@>>>BBBGGIIKK"[b]-64;C="C@=::C@@==@=:C@=:C@=:C5""31/513/5131/"
"31/531/53"[b ]-64;S=b<22?9:0;D=2;}I(x,Y,X){Y?(X^=Y,X*X>x?(X^=Y):0,  I (x,Y/2,X
)):(E=X);      }H(x){I(x,    _,0);}p;q(        c,x,y,z,k,l,m,a,          b){F(c
);x-=E*M     ;y-=S*M           ;z-=C*M         ;b=x*       x/M+         y*y/M+z
*z/M-D*D    *M;a=-x              *k/M     -y*l/M-z        *m/M;    p=((b=a*a/M-
b)>=0?(I    (b*M,_      ,0),b    =E,      a+(a>b      ?-b:b)):     -1.0);}Z;W;o
(c,x,y,     z,k,l,    m,a){Z=!    c?      -1:Z;c     <44?(q(c,x         ,y,z,k,
l,m,0,0     ),(p>      0&&c!=     a&&        (p<W         ||Z<0)          )?(W=
p,Z=c):     0,o(c+         1,    x,y,z,        k,l,          m,a)):0     ;}Q;T;
U;u;v;w    ;n(e,f,g,            h,i,j,d,a,    b,V){o(0      ,e,f,g,h,i,j,a);d>0
&&Z>=0? (e+=h*W/M,f+=i*W/M,g+=j*W/M,F(Z),u=e-E*M,v=f-S*M,w=g-C*M,b=(-2*u-2*v+w)
/3,H(u*u+v*v+w*w),b/=D,b*=b,b*=200,b/=(M*M),V=Z,E!=0?(u=-u*M/E,v=-v*M/E,w=-w*M/
E):0,E=(h*u+i*v+j*w)/M,h-=u*E/(M/2),i-=v*E/(M/2),j-=w*E/(M/2),n(e,f,g,h,i,j,d-1
,Z,0,0),Q/=2,T/=2,       U/=2,V=V<22?7:  (V<30?1:(V<38?2:(V<44?4:(V==44?6:3))))
,Q+=V&1?b:0,T                +=V&2?b        :0,U+=V    &4?b:0)     :(d==P?(g+=2
,j=g>0?g/8:g/     20):0,j    >0?(U=     j    *j/M,Q      =255-    250*U/M,T=255
-150*U/M,U=255    -100    *U/M):(U    =j*j     /M,U<M           /5?(Q=255-210*U
/M,T=255-435*U           /M,U=255    -720*      U/M):(U       -=M/5,Q=213-110*U
/M,T=168-113*U    /       M,U=111               -85*U/M)      ),d!=P?(Q/=2,T/=2
,U/=2):0);Q=Q<    0?0:      Q>O?     O:          Q;T=T<0?    0:T>O?O:T;U=U<0?0:
U>O?O:U;}R;G;B    ;t(x,y     ,a,    b){n(M*J+M    *40*(A*x   +a)/X/A-M*20,M*K,M
*L-M*30*(A*y+b)/Y/A+M*15,0,M,0,P,  -1,0,0);R+=Q    ;G+=T;B   +=U;++a<A?t(x,y,a,
b):(++b<A?t(x,y,0,b):0);}r(x,y){R=G=B=0;t(x,y,0,0);x<X?(printf("%c%c%c",R/A/A,G
/A/A,B/A/A),r(x+1,y)):0;}s(y){r(0,--y?s(y),y:y);}main(){printf("P6\n%i %i\n255"
"\n",X,Y);s(Y);}

Re:Obfuscation 101

ioccc

Not to push it too much

[James_Duncan8181]

But when people say that we should have only one distro, and that it's a problem that different distros use different versions of software and insert their own patches...this is why they are wrong wrong wrong.

Monocultures FTL.

Finjan Software has scammed people before

[antifoidulus]

Surfin'Shield sort of drowned. There is probably a similar scam behind this "research"....

Solve the EASIER problem. Known good.

[khasim]

http://www.ranum.com/security/computer_security/editorials/dumb/index.html

Why bother with anti-virus for the system itself? (Note: anti-virus is acceptable for mail servers or file servers.)

Instead, why not focus on identifying the known good code ... and quarantining anything else?

Maybe there aren't an infinite number of ways to obfuscate code (eventually your obfuscation would exceed the capacity of the local hard drive) but there are FAR more ways to obfuscate code so it bypasses the anti-virus scanners than there are bits of known good code.

I should be able to boot from some form of rescue CD with a HUGE list of filenames, checksums, etc ... and what application they are associated with ... and validate every single file on a workstation. And then quarantine everything else so it can be manually verified.

There, even if you get infected, the disinfection is simple AND effective.

Re:Solve the EASIER problem. Known good.

[postbigbang]

To answer your question:

Because you'll be p0wn3d in no time. Trust what? AV libraries are mostly behind the times and can't smell subtle variations. They suck, generally. Test after test shows just how bad they are.

There doesn't have to be an infinite number of obfuscations. Just one will do. That's why trusting any code can be simply stupid. Anything can get infected, there are tons of vectors.

Getting disinfected doesn't necessarily work, either. Usually the initial infection vector still exists (the hapless user). The odd thing about computers is that you can enslave them to continue to make attempts 24/7, in huge variations. Patience is a virtue, but I've watched brute force attacks render highly-protected servers and workstations quivering in just seconds. It takes talent, boredom, tenacity, and a greed motive. There are stupendous numbers of people fitting just that profile.

Quarantining code is folly. Active and varied defenses and re-writes and restores to RO media help. If Windows, then even more techniques are mandatory. I scape so much crap from friends and relatives machines that I've got BartsCD built for most of them. I just re-write the registry after active scans, and re-write kernel, vmm, browser crap. Then I shutdown the ports that have been opened after finding out what can opener was used. Then I swear a little, accept the free beer, and move on.

Re:Solve the EASIER problem. Known good.

[bit01]

Yes. To verify a system is uncompromised from a possibly compromised system is idiotic. If a person doesn't understand this then they are not a competent programmer.

I've said for years that most "anti-virus" companies are engaged in fraud and the CEO's of most "anti-virus" companies should've been in jail for it a long time ago. It shows how low the IT industry has sunk when even quite basic fraud like this is being allowed to continue. At the very least there should have been a class-action lawsuit.

The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM, and using that to verify the checksums of all the critical files on the hard disk. To handle updates the CDROM needs to have enough smarts to download signed checksums of updates off the net and storing them in encrypted form (so malware can't tamper with it) on read-write media, preferably a memory key only inserted into the system when booted off the read-only media.

Part of the reason this has not been done until now is that third parties could not easily read the proprietary undocumented NTFS file system, because BS OS licensing made it difficult and expensive to have a separate boot and because M$, incredibly, stopped shipping CDROM's of their OS. Now that NTFS has been reverse engineered it is possible to create a third-party Linux CDROM that can do all of the above. This is the only practical way to stop the Windows virus pandemic. Ironic that the best way to verify a windows system may be to use a linux system.

To anticipate a few questions:

• Yes, Joe Sixpack is perfectly capable of inserting a CDROM, pressing the reset key and following the limited instructions (ie. get professional help if a virus is found or recover files off the known good distribution media).
• Yes, this approach perfectly capable of protecting Joe Sixpack's personal files if the CDROM has enough smarts to back up personal files and check sum them every time it is run. Even if it doesn't do this it's still verifying the system is uncompromised.
• Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.
• Yes, both whitelist and blacklist checksumming is possible at the same time. What a concept!
• Good system/network administrators already automatically, regularly checksum verify all the systems they manage to verify their systems have not been corrupted, whether by a virus or a hardware error. It works. If they don't they are mediocre administrator at best.

M$ is perfectly capable of creating such a CDROM however those "professionals" have chosen not to and allow the virus/bot pandemic to continue. And they wonder why some people don't like them.

---

Ownership, by definition, is the right to control something. Any ethical (not legal) argument based on "because they own it" is bogus.

What are the best tools for detecting this?

[Phizzle]

For the truly paranoid, what are the best tools to run on your system to detect potential intrusion of this type?

Re:What are the best tools for detecting this?

[symbolset]

Most of the major antiviruses should be able to detect this, except maybe Norton. Kapersky adds detection code to their database for newly discovered variants within minutes of when they appear - 17 times on 10/24/2008 for example. With a metamorphic engine this advanced it's likely that you can find a variant that Kapersky will never see. Kapersky is now watching nearly 700 variants of this one threat to date. This is what makes the databases for a modern antivirus engine so huge.

Removal is not hard for the "truly paranoid". Although you'll find a host of removal instructions on the internet none of them is reliable for this level of security threat. Your best option if you find you're compromised with this threat is to backup your data, use Darik's Boot and Nuke (DBAN) to completely erase your hard drive, and start over with a clean install using a good process for your installation. Be aware that DBAN can make your HDD firmware unrecoverable in certain rare instances, so be prepared to buy a new drive if you must. If you find yourself repeatedly compromised, you might reconsider your commitment to online banking and stock trading or to the software you're using to do it.

For this sort of threat prevention is the best cure. For over a decade systems have been available that have a BIOS boot option to check the boot sector and refuse to boot if it has changed. Most of the Sinowal variants compromise the boot sector. Also, use a browser and/or operating system less susceptible to drive-by downloading.

Although the focus in the article is about financial data it's fairly trivial to modify Sinowal to steal access credentials for other systems such as GIS databases, CAD databases, and other high value information targets not directly associated with finance. Data is money.

Some Sinowal variants are compatible with Vista. I know of no Sinowal variants that are compatible with GNU/Linux OS-X or BSD.

Good luck.

Web 2.0 RIP

[PPH]

That will kill Web 2.0 technologies. Or anything where content/service providers expect you to run their code on your system. None of the schemes for whitelisting, signed certificates, checksums, etc. can handle the sheer volume of apps. that these new services expect you to handle. They work well for manually downloaded and installed applications and packages. But not when every kid with a FaceBook page has a game or other cure widget they want you to download.

The sheer volume of web apps of this type will provide numerous opportunities for people to find weakneses and use it to deliver something evil.

Re:That's what I said.

[postbigbang]

It's possible to write a known good kernel and a matching set of registry hives (the whole thing can be dangerous) along with vmm, hiberfile and so on to DVD. Using BartsCD, one boots XP, does the restoration, and easily moves on.

There's a certain amount of sense in trying to protect groups of users, in business environments, and so on. An individual will be eventually cracked somehow on Windows. It's tougher to do on Linux, and still tougher on MacOS and xBSD and OpenSolaris.

Still, I watch everyone ignore responsibility, the ISPs and mail providers refusing to write any kind of parsers for their subscribers (fearing latency and liability) and then civilians get hurt. Sure education is a good thing. We try to tell people this. When they go to a legitimate site that's been infected with a cross-post exploit, or a truly well-crafted email, or open up an attachment from an infected friend, relative, or colleague, they're beaten.

IMHO, for Windows users, they've come to accept that they're going to get infected and must then remedy the problem. I protect a few of them by using a cd/dvd of my own design with their stuff on it, so that it takes less than a half-hour to do the repair from beginning to end. There's no use in educating someone when they go to, say, an ancestry site that has a browser exploit in it that can sail right through AVG, Norton, or McAfee, as recently happened to five of my relatives. Same damage, same exploit, same site was the common denominator. When I went to the site, the site didn't bother my machine, likely because someone fixed the problem, maybe unwittingly.

Minimizing is important, sure. But nothing is foolproof because fools are so ingenious.