Slashdot Mirror


Stealing Data With Obfuscated Code

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, security firm RSA released its findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

6 of 101 comments

  1. Obfuscation 101 by kbrasee · Score: 5, Interesting

    X=1024; Y=768; A=3;

    J=0;K=-10;L=-7;M=1296;N=36;O=255;P=9;_=1<<15;E;S;C;D;F(b){E="1""111886:6:??AAF"
    "FHHMMOO55557799@@>>>BBBGGIIKK"[b]-64;C="C@=::C@@==@=:C@=:C@=:C5""31/513/5131/"
    "31/531/53"[b ]-64;S=b<22?9:0;D=2;}I(x,Y,X){Y?(X^=Y,X*X>x?(X^=Y):0,  I (x,Y/2,X
    )):(E=X);      }H(x){I(x,    _,0);}p;q(        c,x,y,z,k,l,m,a,          b){F(c
    );x-=E*M     ;y-=S*M           ;z-=C*M         ;b=x*       x/M+         y*y/M+z
    *z/M-D*D    *M;a=-x              *k/M     -y*l/M-z        *m/M;    p=((b=a*a/M-
    b)>=0?(I    (b*M,_      ,0),b    =E,      a+(a>b      ?-b:b)):     -1.0);}Z;W;o
    (c,x,y,     z,k,l,    m,a){Z=!    c?      -1:Z;c     <44?(q(c,x         ,y,z,k,
    l,m,0,0     ),(p>      0&&c!=     a&&        (p<W         ||Z<0)          )?(W=
    p,Z=c):     0,o(c+         1,    x,y,z,        k,l,          m,a)):0     ;}Q;T;
    U;u;v;w    ;n(e,f,g,            h,i,j,d,a,    b,V){o(0      ,e,f,g,h,i,j,a);d>0
    &&Z>=0? (e+=h*W/M,f+=i*W/M,g+=j*W/M,F(Z),u=e-E*M,v=f-S*M,w=g-C*M,b=(-2*u-2*v+w)
    /3,H(u*u+v*v+w*w),b/=D,b*=b,b*=200,b/=(M*M),V=Z,E!=0?(u=-u*M/E,v=-v*M/E,w=-w*M/
    E):0,E=(h*u+i*v+j*w)/M,h-=u*E/(M/2),i-=v*E/(M/2),j-=w*E/(M/2),n(e,f,g,h,i,j,d-1
    ,Z,0,0),Q/=2,T/=2,       U/=2,V=V<22?7:  (V<30?1:(V<38?2:(V<44?4:(V==44?6:3))))
    ,Q+=V&1?b:0,T                +=V&2?b        :0,U+=V    &4?b:0)     :(d==P?(g+=2
    ,j=g>0?g/8:g/     20):0,j    >0?(U=     j    *j/M,Q      =255-    250*U/M,T=255
    -150*U/M,U=255    -100    *U/M):(U    =j*j     /M,U<M           /5?(Q=255-210*U
    /M,T=255-435*U           /M,U=255    -720*      U/M):(U       -=M/5,Q=213-110*U
    /M,T=168-113*U    /       M,U=111               -85*U/M)      ),d!=P?(Q/=2,T/=2
    ,U/=2):0);Q=Q<    0?0:      Q>O?     O:          Q;T=T<0?    0:T>O?O:T;U=U<0?0:
    U>O?O:U;}R;G;B    ;t(x,y     ,a,    b){n(M*J+M    *40*(A*x   +a)/X/A-M*20,M*K,M
    *L-M*30*(A*y+b)/Y/A+M*15,0,M,0,P,  -1,0,0);R+=Q    ;G+=T;B   +=U;++a<A?t(x,y,a,
    b):(++b<A?t(x,y,0,b):0);}r(x,y){R=G=B=0;t(x,y,0,0);x<X?(printf("%c%c%c",R/A/A,G
    /A/A,B/A/A),r(x+1,y)):0;}s(y){r(0,--y?s(y),y:y);}main(){printf("P6\n%i %i\n255"
    "\n",X,Y);s(Y);}

    1. Re:Obfuscation 101 by Anonymous Coward · Score: 4, Interesting
  2. Not to push it too much by James_Duncan8181 · Score: 4, Interesting

    But when people say that we should have only one distro, and that it's a problem that different distros use different versions of software and insert their own patches...this is why they are wrong wrong wrong.

    Monocultures FTL.

    --
    "To any truly impartial person, it would be obvious that I am right."
  3. Finjan Software has scammed people before by antifoidulus · Score: 4, Interesting

    Surfin'Shield sort of drowned. There is probably a similar scam behind this "research"....

  4. Solve the EASIER problem. Known good. by khasim · Score: 4, Interesting

    http://www.ranum.com/security/computer_security/editorials/dumb/index.html

    Why bother with anti-virus for the system itself? (Note: anti-virus is acceptable for mail servers or file servers.)

    Instead, why not focus on identifying the known good code ... and quarantining anything else?

    Maybe there aren't an infinite number of ways to obfuscate code (eventually your obfuscation would exceed the capacity of the local hard drive) but there are FAR more ways to obfuscate code so it bypasses the anti-virus scanners than there are bits of known good code.

    I should be able to boot from some form of rescue CD with a HUGE list of filenames, checksums, etc ... and what application they are associated with ... and validate every single file on a workstation. And then quarantine everything else so it can be manually verified.

    There, even if you get infected, the disinfection is simple AND effective.

    1. Re:Solve the EASIER problem. Known good. by bit01 · Score: 5, Interesting

      Yes. To verify a system is uncompromised from a possibly compromised system is idiotic. If a person doesn't understand this then they are not a competent programmer.

      I've said for years that most "anti-virus" companies are engaged in fraud and the CEO's of most "anti-virus" companies should've been in jail for it a long time ago. It shows how low the IT industry has sunk when even quite basic fraud like this is being allowed to continue. At the very least there should have been a class-action lawsuit.

      The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM, and using that to verify the checksums of all the critical files on the hard disk. To handle updates the CDROM needs to have enough smarts to download signed checksums of updates off the net and store them in encrypted form (so malware can't tamper with it) on read-write media, preferably a memory key only inserted into the system when booted off the read-only media.

      Part of the reason this has not been done until now is that third parties could not easily read the proprietary undocumented NTFS file system, because BS OS licensing made it difficult and expensive to have a separate boot and because M$, incredibly, stopped shipping CDROMs of their OS. Now that NTFS has been reverse engineered it is possible to create a third-party Linux CDROM that can do all of the above. This is the only practical way to stop the Windows virus pandemic. Ironic that the best way to verify a Windows system may be to use a Linux system.

      To anticipate a few questions:

      • Yes, Joe Sixpack is perfectly capable of inserting a CDROM, pressing the reset key and following the limited instructions (i.e. get professional help if a virus is found or recover files off the known good distribution media).
      • Yes, this approach is perfectly capable of protecting Joe Sixpack's personal files if the CDROM has enough smarts to back up personal files and checksum them every time it is run. Even if it doesn't do this it's still verifying the system is uncompromised.
      • Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.
      • Yes, both whitelist and blacklist checksumming is possible at the same time. What a concept!
      • Good system/network administrators already automatically, regularly checksum verify all the systems they manage to verify their systems have not been corrupted, whether by a virus or a hardware error. It works. If they don't they are mediocre administrators at best.

      M$ is perfectly capable of creating such a CDROM however those "professionals" have chosen not to and allow the virus/bot pandemic to continue. And they wonder why some people don't like them.

      ---

      Ownership, by definition, is the right to control something. Any ethical (not legal) argument based on "because they own it" is bogus.
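The known-good verification that khasim and bit01 describe (boot from read-only media, checksum every file against a whitelist, quarantine anything unlisted, and run a blacklist at the same time), as an added example that is not code from the thread or from any product named in it. The manifest format, file names and digests are constructed for the demo; a real rescue disc would load a signed manifest rather than build one in place.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Digest in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, whitelist, blacklist=frozenset()):
    """Classify every file under root (the suspect disk, mounted read-only from
    the rescue media). whitelist maps relative path -> known-good sha256; files
    not on it are 'unknown' and go to quarantine for manual review. blacklist
    holds known-malware digests and is checked at the same time."""
    root = Path(root)
    report = {"ok": [], "modified": [], "unknown": [], "blacklisted": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digest = sha256_file(path)
            seen.add(rel)
            if digest in blacklist:
                report["blacklisted"].append(rel)
            elif rel not in whitelist:
                report["unknown"].append(rel)
            elif whitelist[rel] == digest:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)  # listed path, wrong content
    report["missing"] = sorted(set(whitelist) - seen)  # listed file deleted
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed image: record a clean tree, trojan one file, drop an unlisted
    binary and a known-bad sample, then re-verify (hypothetical names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"clean ls binary")
        (root / "bin" / "cat").write_bytes(b"clean cat binary")
        whitelist = {p.relative_to(root).as_posix(): sha256_file(p)
                     for p in root.rglob("*") if p.is_file()}  # known-good list
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "bin" / "dropper").write_bytes(b"unlisted payload")
        (root / "bin" / "bot.exe").write_bytes(b"known bad sample")
        bad = {hashlib.sha256(b"known bad sample").hexdigest()}
        return verify_tree(root, whitelist, bad)
```

Only the 'unknown' bucket needs human review; 'modified' and 'blacklisted' are already decided, which is the point of checking against known good rather than trying to recognise every obfuscated variant.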