Stealing Data With Obfuscated Code

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially, given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, Security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

Obfuscation 101

[kbrasee]

X=1024; Y=768; A=3;

J=0;K=-10;L=-7;M=1296;N=36;O=255;P=9;_=1<<15;E;S;C;D;F(b){E="1""111886:6:??AAF"
"FHHMMOO55557799@@>>>BBBGGIIKK"[b]-64;C="C@=::C@@==@=:C@=:C@=:C5""31/513/5131/"
"31/531/53"[b ]-64;S=b<22?9:0;D=2;}I(x,Y,X){Y?(X^=Y,X*X>x?(X^=Y):0,  I (x,Y/2,X
)):(E=X);      }H(x){I(x,    _,0);}p;q(        c,x,y,z,k,l,m,a,          b){F(c
);x-=E*M     ;y-=S*M           ;z-=C*M         ;b=x*       x/M+         y*y/M+z
*z/M-D*D    *M;a=-x              *k/M     -y*l/M-z        *m/M;    p=((b=a*a/M-
b)>=0?(I    (b*M,_      ,0),b    =E,      a+(a>b      ?-b:b)):     -1.0);}Z;W;o
(c,x,y,     z,k,l,    m,a){Z=!    c?      -1:Z;c     <44?(q(c,x         ,y,z,k,
l,m,0,0     ),(p>      0&&c!=     a&&        (p<W         ||Z<0)          )?(W=
p,Z=c):     0,o(c+         1,    x,y,z,        k,l,          m,a)):0     ;}Q;T;
U;u;v;w    ;n(e,f,g,            h,i,j,d,a,    b,V){o(0      ,e,f,g,h,i,j,a);d>0
&&Z>=0? (e+=h*W/M,f+=i*W/M,g+=j*W/M,F(Z),u=e-E*M,v=f-S*M,w=g-C*M,b=(-2*u-2*v+w)
/3,H(u*u+v*v+w*w),b/=D,b*=b,b*=200,b/=(M*M),V=Z,E!=0?(u=-u*M/E,v=-v*M/E,w=-w*M/
E):0,E=(h*u+i*v+j*w)/M,h-=u*E/(M/2),i-=v*E/(M/2),j-=w*E/(M/2),n(e,f,g,h,i,j,d-1
,Z,0,0),Q/=2,T/=2,       U/=2,V=V<22?7:  (V<30?1:(V<38?2:(V<44?4:(V==44?6:3))))
,Q+=V&1?b:0,T                +=V&2?b        :0,U+=V    &4?b:0)     :(d==P?(g+=2
,j=g>0?g/8:g/     20):0,j    >0?(U=     j    *j/M,Q      =255-    250*U/M,T=255
-150*U/M,U=255    -100    *U/M):(U    =j*j     /M,U<M           /5?(Q=255-210*U
/M,T=255-435*U           /M,U=255    -720*      U/M):(U       -=M/5,Q=213-110*U
/M,T=168-113*U    /       M,U=111               -85*U/M)      ),d!=P?(Q/=2,T/=2
,U/=2):0);Q=Q<    0?0:      Q>O?     O:          Q;T=T<0?    0:T>O?O:T;U=U<0?0:
U>O?O:U;}R;G;B    ;t(x,y     ,a,    b){n(M*J+M    *40*(A*x   +a)/X/A-M*20,M*K,M
*L-M*30*(A*y+b)/Y/A+M*15,0,M,0,P,  -1,0,0);R+=Q    ;G+=T;B   +=U;++a<A?t(x,y,a,
b):(++b<A?t(x,y,0,b):0);}r(x,y){R=G=B=0;t(x,y,0,0);x<X?(printf("%c%c%c",R/A/A,G
/A/A,B/A/A),r(x+1,y)):0;}s(y){r(0,--y?s(y),y:y);}main(){printf("P6\n%i %i\n255"
"\n",X,Y);s(Y);}

Re:Obfuscation 101

[bone_idol]

Best Use of Light and Spheres:

        Anders Gavare
        Gibraltargatan 82-156
        SE-412 79 Gothenburg
        Sweden

        http://www.mdstud.chalmers.se/~md1gavan/

Judges' Comments:

        To build:

        make gavare

        To run: ./gavare > ioccc_ray.ppm

        For users of systems that distinguish between text and binary mode
        (you know who you are), add a library call that specifies binary mode
        for stdout as the first statement of main(),
        or use freopen("ioccc_ray.ppm", "wb", stdout) and do not use redirection.

        A freely distributable command-line version of Microsoft Visual C
        exhibits an optimizer bug when compiling this entry. Disable /Og for
        best results.

        The judges were able to figure out how to control position
        (in all 3 coordinates), size, and color (to some extent) of the balls.

Selected Author's Comments:

        It is possible to write some kinds of programs in C without using reserved
        words. For very short and trivial programs, it usually isn't very hard to
        write a variant using no reserved words, but with this program I want to
        show that also non-trivial programs can be written this way. This IOCCC
        entry contains no reserved words (I don't count 'main' as a reserved word,
        although the compiler gives it special meaning) and no preprocessor
        directives.

        The program is a small ray-tracer. The first line of the source code may
        be modified if you want the resulting image to be of some other resolution
        than the predefined. The 'A' value is an anti-alias factor. Setting it to
        1 disables the anti-aliasing feature (this makes the output look bad), but
        setting it too high makes the trace take a lot more time to complete.

        The ppm image can then be viewed using an image viewer of your own choice.
        (Running the ray-tracer may take several minutes, even on fast machines,
        so be patient.)

        I am very much aware about the fact that I'm breaking the guidelines. For
        example, the word 'int' is a reserved word and therefore all variable
        declarations are implicit. There will no doubt be _lots_ of warnings,
        no matter which compiler is used. Still, the source code should be word-
        length-independent and endianess-independent.

        Another reason for writing code without using reserved words is that many
        text editors will make all reserved words turn BOLD when printed on
        paper. Since I care for the global environment, we shouldn't waste any
        more laser toner, or ink, than necessary. Everyone should write C code
        with no reserved words, and our world will be a better place.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What are the best tools for detecting this?

[Xakh]

A newspaper, typewriter, and calculator.

Re:Solve the EASIER problem. Known good.

[bit01]

Yes. To verify a system is uncompromised from a possibly compromised system is idiotic. If a person doesn't understand this then they are not a competent programmer.

I've said for years that most "anti-virus" companies are engaged in fraud and the CEO's of most "anti-virus" companies should've been in jail for it a long time ago. It shows how low the IT industry has sunk when even quite basic fraud like this is being allowed to continue. At the very least there should have been a class-action lawsuit.

The only way to truly verify a system is good is to do it from a known good system. For a standalone PC that means booting off known-good read-only media, usually a CDROM, and using that to verify the checksums of all the critical files on the hard disk. To handle updates the CDROM needs to have enough smarts to download signed checksums of updates off the net and storing them in encrypted form (so malware can't tamper with it) on read-write media, preferably a memory key only inserted into the system when booted off the read-only media.

Part of the reason this has not been done until now is that third parties could not easily read the proprietary undocumented NTFS file system, because BS OS licensing made it difficult and expensive to have a separate boot and because M$, incredibly, stopped shipping CDROM's of their OS. Now that NTFS has been reverse engineered it is possible to create a third-party Linux CDROM that can do all of the above. This is the only practical way to stop the Windows virus pandemic. Ironic that the best way to verify a windows system may be to use a linux system.

To anticipate a few questions:

• Yes, Joe Sixpack is perfectly capable of inserting a CDROM, pressing the reset key and following the limited instructions (ie. get professional help if a virus is found or recover files off the known good distribution media).
• Yes, this approach perfectly capable of protecting Joe Sixpack's personal files if the CDROM has enough smarts to back up personal files and check sum them every time it is run. Even if it doesn't do this it's still verifying the system is uncompromised.
• Yes, it's perfectly capable of verifying every executable on the system, including those not initially distributed with the OS.
• Yes, both whitelist and blacklist checksumming is possible at the same time. What a concept!
• Good system/network administrators already automatically, regularly checksum verify all the systems they manage to verify their systems have not been corrupted, whether by a virus or a hardware error. It works. If they don't they are mediocre administrator at best.

M$ is perfectly capable of creating such a CDROM however those "professionals" have chosen not to and allow the virus/bot pandemic to continue. And they wonder why some people don't like them.

---

Ownership, by definition, is the right to control something. Any ethical (not legal) argument based on "because they own it" is bogus.

Re:Run a decent firewall....

[ShinmaWa]

Outbound firewalls are for people who don't know what they're doing

What an incredibly ignorant and stupid thing to say.

I definitely know what I'm doing and I use my outbound firewall to its fullest extent. Having the ability to proactively determine what software can and can't touch the network, be it establishing a connection or binding to a port, in conjunction with a proper hardware solution provides not only good protection, but also serves as an early warning system when an unknown program attempts to go to an unknown site for an unknown reason.

Granted, outbound firewalls are not perfect. If a whitelisted application is compromised, then it this firewall doesn't provide much protection. This is why outbound firewalls should be but one of several items in your security toolbox.

However, to wave your hand and claim they are only for people who don't know what they are doing shows a level of arrogance that usually gets corrected only after you are compromised.