Stealing Data With Obfuscated Code

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially, given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, Security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

Obfuscation 101

[kbrasee]

X=1024; Y=768; A=3;

J=0;K=-10;L=-7;M=1296;N=36;O=255;P=9;_=1<<15;E;S;C;D;F(b){E="1""111886:6:??AAF"
"FHHMMOO55557799@@>>>BBBGGIIKK"[b]-64;C="C@=::C@@==@=:C@=:C@=:C5""31/513/5131/"
"31/531/53"[b ]-64;S=b<22?9:0;D=2;}I(x,Y,X){Y?(X^=Y,X*X>x?(X^=Y):0,  I (x,Y/2,X
)):(E=X);      }H(x){I(x,    _,0);}p;q(        c,x,y,z,k,l,m,a,          b){F(c
);x-=E*M     ;y-=S*M           ;z-=C*M         ;b=x*       x/M+         y*y/M+z
*z/M-D*D    *M;a=-x              *k/M     -y*l/M-z        *m/M;    p=((b=a*a/M-
b)>=0?(I    (b*M,_      ,0),b    =E,      a+(a>b      ?-b:b)):     -1.0);}Z;W;o
(c,x,y,     z,k,l,    m,a){Z=!    c?      -1:Z;c     <44?(q(c,x         ,y,z,k,
l,m,0,0     ),(p>      0&&c!=     a&&        (p<W         ||Z<0)          )?(W=
p,Z=c):     0,o(c+         1,    x,y,z,        k,l,          m,a)):0     ;}Q;T;
U;u;v;w    ;n(e,f,g,            h,i,j,d,a,    b,V){o(0      ,e,f,g,h,i,j,a);d>0
&&Z>=0? (e+=h*W/M,f+=i*W/M,g+=j*W/M,F(Z),u=e-E*M,v=f-S*M,w=g-C*M,b=(-2*u-2*v+w)
/3,H(u*u+v*v+w*w),b/=D,b*=b,b*=200,b/=(M*M),V=Z,E!=0?(u=-u*M/E,v=-v*M/E,w=-w*M/
E):0,E=(h*u+i*v+j*w)/M,h-=u*E/(M/2),i-=v*E/(M/2),j-=w*E/(M/2),n(e,f,g,h,i,j,d-1
,Z,0,0),Q/=2,T/=2,       U/=2,V=V<22?7:  (V<30?1:(V<38?2:(V<44?4:(V==44?6:3))))
,Q+=V&1?b:0,T                +=V&2?b        :0,U+=V    &4?b:0)     :(d==P?(g+=2
,j=g>0?g/8:g/     20):0,j    >0?(U=     j    *j/M,Q      =255-    250*U/M,T=255
-150*U/M,U=255    -100    *U/M):(U    =j*j     /M,U<M           /5?(Q=255-210*U
/M,T=255-435*U           /M,U=255    -720*      U/M):(U       -=M/5,Q=213-110*U
/M,T=168-113*U    /       M,U=111               -85*U/M)      ),d!=P?(Q/=2,T/=2
,U/=2):0);Q=Q<    0?0:      Q>O?     O:          Q;T=T<0?    0:T>O?O:T;U=U<0?0:
U>O?O:U;}R;G;B    ;t(x,y     ,a,    b){n(M*J+M    *40*(A*x   +a)/X/A-M*20,M*K,M
*L-M*30*(A*y+b)/Y/A+M*15,0,M,0,P,  -1,0,0);R+=Q    ;G+=T;B   +=U;++a<A?t(x,y,a,
b):(++b<A?t(x,y,0,b):0);}r(x,y){R=G=B=0;t(x,y,0,0);x<X?(printf("%c%c%c",R/A/A,G
/A/A,B/A/A),r(x+1,y)):0;}s(y){r(0,--y?s(y),y:y);}main(){printf("P6\n%i %i\n255"
"\n",X,Y);s(Y);}

Re:Obfuscation 101

ioccc

Re:Obfuscation 101

[fyrewulff]

Drink.... more.... Ovaltine?!?

Re:Obfuscation 101

[bone_idol]

Best Use of Light and Spheres:

        Anders Gavare
        Gibraltargatan 82-156
        SE-412 79 Gothenburg
        Sweden

        http://www.mdstud.chalmers.se/~md1gavan/

Judges' Comments:

        To build:

        make gavare

        To run: ./gavare > ioccc_ray.ppm

        For users of systems that distinguish between text and binary mode
        (you know who you are), add a library call that specifies binary mode
        for stdout as the first statement of main(),
        or use freopen("ioccc_ray.ppm", "wb", stdout) and do not use redirection.

        A freely distributable command-line version of Microsoft Visual C
        exhibits an optimizer bug when compiling this entry. Disable /Og for
        best results.

        The judges were able to figure out how to control position
        (in all 3 coordinates), size, and color (to some extent) of the balls.

Selected Author's Comments:

        It is possible to write some kinds of programs in C without using reserved
        words. For very short and trivial programs, it usually isn't very hard to
        write a variant using no reserved words, but with this program I want to
        show that also non-trivial programs can be written this way. This IOCCC
        entry contains no reserved words (I don't count 'main' as a reserved word,
        although the compiler gives it special meaning) and no preprocessor
        directives.

        The program is a small ray-tracer. The first line of the source code may
        be modified if you want the resulting image to be of some other resolution
        than the predefined. The 'A' value is an anti-alias factor. Setting it to
        1 disables the anti-aliasing feature (this makes the output look bad), but
        setting it too high makes the trace take a lot more time to complete.

        The ppm image can then be viewed using an image viewer of your own choice.
        (Running the ray-tracer may take several minutes, even on fast machines,
        so be patient.)

        I am very much aware about the fact that I'm breaking the guidelines. For
        example, the word 'int' is a reserved word and therefore all variable
        declarations are implicit. There will no doubt be _lots_ of warnings,
        no matter which compiler is used. Still, the source code should be word-
        length-independent and endianess-independent.

        Another reason for writing code without using reserved words is that many
        text editors will make all reserved words turn BOLD when printed on
        paper. Since I care for the global environment, we shouldn't waste any
        more laser toner, or ink, than necessary. Everyone should write C code
        with no reserved words, and our world will be a better place.

Re:Obfuscation 101

[rugatero]

How come when I ran this on my PC all my porn files were emailed to everyone in my address book?

It's a denial-of-service attack in which your inbox becomes flooded with 'thank you' notes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not to push it too much

[James_Duncan8181]

But when people say that we should have only one distro, and that it's a problem that different distros use different versions of software and insert their own patches...this is why they are wrong wrong wrong.

Monocultures FTL.

Finjan Software has scammed people before

[antifoidulus]

Surfin'Shield sort of drowned. There is probably a similar scam behind this "research"....

Solve the EASIER problem. Known good.

[khasim]

http://www.ranum.com/security/computer_security/editorials/dumb/index.html

Why bother with anti-virus for the system itself? (Note: anti-virus is acceptable for mail servers or file servers.)

Instead, why not focus on identifying the known good code ... and quarantining anything else?

Maybe there aren't an infinite number of ways to obfuscate code (eventually your obfuscation would exceed the capacity of the local hard drive) but there are FAR more ways to obfuscate code so it bypasses the anti-virus scanners than there are bits of known good code.

I should be able to boot from some form of rescue CD with a HUGE list of filenames, checksums, etc ... and what application they are associated with ... and validate every single file on a workstation. And then quarantine everything else so it can be manually verified.

There, even if you get infected, the disinfection is simple AND effective.

Re:Solve the EASIER problem. Known good.

[bit01]

Yes. To verify a system is uncompromised from a possibly compromised system is idiotic. If a person doesn't understand this then they are not a competent programmer.

I've said for years that most "anti-virus" companies are engaged in fraud and the CEO's of most "anti-virus" companies should've been in jail for it a long time ago. It shows how low the IT industry has sunk when even quite basic fraud like this is being allowed to continue. At the very least there should have been a class-action lawsuit.

The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM, and using that to verify the checksums of all the critical files on the hard disk. To handle updates the CDROM needs to have enough smarts to download signed checksums of updates off the net and storing them in encrypted form (so malware can't tamper with it) on read-write media, preferably a memory key only inserted into the system when booted off the read-only media.

Part of the reason this has not been done until now is that third parties could not easily read the proprietary undocumented NTFS file system, because BS OS licensing made it difficult and expensive to have a separate boot and because M$, incredibly, stopped shipping CDROM's of their OS. Now that NTFS has been reverse engineered it is possible to create a third-party Linux CDROM that can do all of the above. This is the only practical way to stop the Windows virus pandemic. Ironic that the best way to verify a windows system may be to use a linux system.

To anticipate a few questions:

• Yes, Joe Sixpack is perfectly capable of inserting a CDROM, pressing the reset key and following the limited instructions (ie. get professional help if a virus is found or recover files off the known good distribution media).
• Yes, this approach perfectly capable of protecting Joe Sixpack's personal files if the CDROM has enough smarts to back up personal files and check sum them every time it is run. Even if it doesn't do this it's still verifying the system is uncompromised.
• Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.
• Yes, both whitelist and blacklist checksumming is possible at the same time. What a concept!
• Good system/network administrators already automatically, regularly checksum verify all the systems they manage to verify their systems have not been corrupted, whether by a virus or a hardware error. It works. If they don't they are mediocre administrator at best.

M$ is perfectly capable of creating such a CDROM however those "professionals" have chosen not to and allow the virus/bot pandemic to continue. And they wonder why some people don't like them.

---

Ownership, by definition, is the right to control something. Any ethical (not legal) argument based on "because they own it" is bogus.

Re:What are the best tools for detecting this?

[Xakh]

A newspaper, typewriter, and calculator.

That's what I said.

[khasim]

Because you'll be p0wn3d in no time. Trust what? AV libraries are mostly behind the times and can't smell subtle variations.

That's what I said. While there isn't an infinite number of variations, there are far more variations possible than there are known good bits.

So do NOT try to solve this problem by matching "bad" patterns.

Match known good patterns and quarantine everything else.

Getting disinfected doesn't necessarily work, either. Usually the initial infection vector still exists (the hapless user).

The user will ALWAYS be the weakest link. As the article I linked to stated, if education could work, it would have worked by now.

Instead, focus on building systems that MINIMIZE the vulnerability and that make it EASY to RECOVER when it is cracked.

Quarantining code is folly.

That's your opinion. I can show that it does work.

Active and varied defenses and re-writes and restores to RO media help.

Huh? How about some specifics? Because that isn't making sense to me.

I scape so much crap from friends and relatives machines that I've got BartsCD built for most of them. I just re-write the registry after active scans, and re-write kernel, vmm, browser crap.

How do you "re-write the registry"?

Instead, imagine an anti-virus system that refuses to allow code to be installed in they system directories (or registered) unless it matches the checksums, names, etc on a list of known good apps. Then it just becomes a issue of keeping that list updated with the latest patches and upgrades.

Instead of downloading the daily list of suspected BAD patterns, you'd be downloading a list of known good patterns. And that would only need to be updated prior to something being installed on the system.

For a business looking to manage thousands of PC's ... all with the same basic apps and patch levels and such ... this would be so much easier than trying to maintain the current anti-virus system (engine upgrades, signature upgrades). Nothing would be installed that was not pre-approved by their department.

Re:WTF-squared

WTF? You don't know how to make your own BugMeNot to help OTHER people?

Re:WTF?

[tylerni7]

You must be new here. You aren't supposed to read the file, just make comments about what it might say.

Interesting attack vector

[psydeshow]

According to the Register article, the method of attack was DOM manipulation. The code waits until it sees a login form from a targeted site, and then it injects markup that sends the credentials to the bad guys on submit.

We can speculate on whether that's true or not, but if it is then it should be fairly easy to use a bit more javascript (why not? heh.) to check the integrity of the DOM. Banks should also be randomizing the structure of their forms and the names/ids of form fields as a matter of course.

Of course the attacks will evolve, but as long as you're going to play the game you've got to keep moving.

Re:Run a decent firewall....

[ShinmaWa]

Outbound firewalls are for people who don't know what they're doing

What an incredibly ignorant and stupid thing to say.

I definitely know what I'm doing and I use my outbound firewall to its fullest extent. Having the ability to proactively determine what software can and can't touch the network, be it establishing a connection or binding to a port, in conjunction with a proper hardware solution provides not only good protection, but also serves as an early warning system when an unknown program attempts to go to an unknown site for an unknown reason.

Granted, outbound firewalls are not perfect. If a whitelisted application is compromised, then it this firewall doesn't provide much protection. This is why outbound firewalls should be but one of several items in your security toolbox.

However, to wave your hand and claim they are only for people who don't know what they are doing shows a level of arrogance that usually gets corrected only after you are compromised.

Been around for 18 years

[Xenna]

We used to call it polymorphic code. A much prettier name if you ask me.

Been around since 1990:

http://en.wikipedia.org/wiki/1260_(computer_virus)