Monday, October 22, 2007

Bashing-up a BACKLOG of Malware - ASGS (Automated Signature Generation System)

Having to deal with a "backlog" of malware samples is nothing new for a typical AV-company. A backlog typically comprises malware samples that are considered "not-so-important" at the moment or have not made it into the priority sample set. Each AV-company assigns its own priority levels to incoming malware samples. It is also well known that AV-companies co-operate and exchange known malware samples with each other (personally, I think this type of co-operation is of utmost importance in the battle against today's malware). Hence, it is not uncommon for one AV-company to treat a certain malware sample with higher priority while another treats the same sample with lower priority: while certain malware samples might already be detected by one AV-company, the same samples might still be awaiting processing (as backlog) at another. For any AV-company, its current customer base and the prevalence of particular malware in its region typically determine its backlog collection.

Adding to the backlog

My recent visit to the Virus Bulletin conference 2007 in Austria helped establish relations with other AV-companies who are now partnering with us in exchanging malware samples. These are reputable AV-companies based in India, China, Finland, Austria, Spain, etc., further diversifying our malware collection.

Apart from exchanging samples, there is a multitude of trusted sources, including our customer base, from which we obtain malware samples each day. The numbers have been growing constantly over the past two years, contributing to an enormous backlog of malware samples. On a typical day, we could be receiving anywhere from 2,000 to 3,000 samples.

The need for Automation

The rate at which malware is being "thrown at us" is much greater than we (a few malware analysts) can manually analyze and add detection for. Hence, instead of throwing more individuals at the problem, there is a definite need for "automation", more so today.

The first step in the automation process is to be able to identify samples from the bulk (waiting to be processed) as "malware" (as reported by other scanners), and then automate the "signature" generation for detection of these malware samples. This takes away a huge chunk of human interaction or manual work, speeding up the process. A huge challenge in such a procedure is generating "safe" signatures, i.e. signatures with the probability of "close-to-zero" false-positives.

Enter ASGS (Automated Signature Generation System)

The ASGS took me a few months to implement and involved quite a few iterations of improvements and testing. I implemented the system using two of my favorite scripting languages, 4NT and Perl. Most of the iterations were about improving efficiency and minimizing false positives by incorporating extra checks. The system is now fully functional and runs as a Windows XP virtual machine image that processes the backlog once a week. As of now, the ASGS automatically generates signatures only for Windows PE files (the most prevalent malware type on today's Internet, and the larger chunk of the existing backlog), but the intent is to eventually automate signature generation for other file types as well. The system is completely automated and takes extreme care NOT to generate signatures that could cause potential false positives. A typical scenario is that a malware analyst simply executes a single command-line program and the rest is taken care of. Once the signatures are ready, the malware analyst is notified via e-mail, and a complete false-positive test is carried out before the signatures are released.
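The two steps described above (trusting other scanners' verdicts to pick the malware out of the backlog, then generating a signature that is checked against a clean corpus before release) can be shown in a small model. The Python below is an added example written for this post; it is not the ASGS itself, which was written in 4NT and Perl and is not published here. The minimal PE builder, the entry-point-anchored 24-byte signature scheme, the entropy threshold, the scanner verdicts and the clean corpus are all my constructed assumptions.

```python
import struct
from collections import Counter
from math import log2

SIG_LEN = 24        # bytes of code taken from the entry point for a signature (constructed choice)
MIN_ENTROPY = 3.0   # windows below this are padding or zero runs and would match everything


def build_pe(code):
    """Build a minimal one-section PE32 image around `code` (constructed test data only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)      # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint (RVA)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code),
                                        0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(0x200, b"\0") + code


def entry_point_offset(pe):
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect = opt + opt_size
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return rawptr + (entry_rva - vaddr)
    return None


def entropy(buf):
    """Shannon entropy in bits per byte."""
    return -sum(c / len(buf) * log2(c / len(buf)) for c in Counter(buf).values())


def is_detected(sample, signatures):
    """A signature is (offset from entry point, hex bytes); it matches only at that position."""
    start = entry_point_offset(sample)
    if start is None:
        return False
    return any(sample[start + off:start + off + SIG_LEN] == bytes.fromhex(h)
               for off, h in signatures.values())


def generate_signature(sample, clean_corpus):
    """First SIG_LEN-byte window at or after the entry point that is high-entropy and occurs
    nowhere in any clean file (the built-in false-positive check). None if no safe window."""
    start = entry_point_offset(sample)
    if start is None:
        return None
    for off in range(start, len(sample) - SIG_LEN + 1):
        window = sample[off:off + SIG_LEN]
        if entropy(window) < MIN_ENTROPY or any(window in clean for clean in clean_corpus):
            continue
        return off - start, window.hex()
    return None


def process_backlog(backlog, scanner_verdicts, clean_corpus, signatures):
    """Step 1: keep only samples other scanners already call malware.
    Step 2: add a signature for each one our own set does not detect yet.
    Returns (updated signatures, samples left for manual analysis)."""
    manual = []
    for name, sample in backlog.items():
        if not scanner_verdicts.get(name, False) or is_detected(sample, signatures):
            continue
        sig = generate_signature(sample, clean_corpus)
        if sig is None:
            manual.append(name)      # malformed or nothing but padding at the entry point
        else:
            signatures[name] = sig
    return signatures, manual


def false_positive_test(signatures, clean_corpus):
    """Release gate: number of clean files the signature set would flag."""
    return sum(1 for clean in clean_corpus if is_detected(clean, signatures))


# Constructed corpus: a compiler prologue shared by clean and malicious files, then distinct bodies.
PROLOGUE = bytes.fromhex("558bec83ec2053565733c0")
CLEAN_CORPUS = [
    build_pe(PROLOGUE + bytes(range(0x20, 0x60)) + b"\0" * 64),
    build_pe(PROLOGUE + bytes(range(0x60, 0xA0))),
]
BACKLOG = {
    "sample_a.exe": build_pe(PROLOGUE + bytes.fromhex("e8a10000008d45fc50ff15203040006a00ff1524304000")),
    "sample_b.exe": build_pe(PROLOGUE + bytes(range(0x20, 0x40)) + bytes.fromhex("e9deadbeef")),  # 43 bytes in common with clean file 0
    "unknown_c.exe": build_pe(bytes.fromhex("ebfe") + b"\0" * 30),   # no scanner flags it: stays in the backlog
    "packed_d.exe": build_pe(b"\0" * 64),                            # flagged, but only padding at the entry point
}
VERDICTS = {"sample_a.exe": True, "sample_b.exe": True, "unknown_c.exe": False, "packed_d.exe": True}

if __name__ == "__main__":
    sigs, manual = process_backlog(BACKLOG, VERDICTS, CLEAN_CORPUS, {})
    for name, (off, h) in sigs.items():
        print(f"{name}: EP+{off} {h}")
    print("manual analysis:", manual, "| false positives:", false_positive_test(sigs, CLEAN_CORPUS))
```

The conservative part is the false-positive check: a candidate window is rejected if it occurs anywhere in any clean file, not only at the entry point, and a sample that yields no safe window goes to an analyst rather than getting a weaker signature. sample_b shows why the window slides forward: its first 43 bytes are identical to a clean program, so the signature lands 20 bytes into the code. A production system would run the same release gate against a clean corpus many orders of magnitude larger than this toy one.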

Bashing-up the backlog

Since my initial work on the ASGS in Nov 2006, followed by several months of tweaking, improvements and testing, the results have been quite impressive and satisfying. Initially it was used sporadically to generate signatures for a few thousand samples each week, but was still not fully automated. An initial "automated" first version of the ASGS (by April 2007) tackled about 20,000 malware samples. By June 2007 I had the second version of ASGS tackle another 25,000 malware samples, and by August 2007 the third version of ASGS was able to tackle about 27,000 more malware samples. It was exciting to be able to come in and have "safe" and "ready" signatures to be tested and released, detecting thousands of pieces of malware. By September 2007 the final version of ASGS went into production and automatically generated signatures for an astounding 35,000 malware samples. The backlog has since been declining. As of today, the backlog stands at a more manageable number, as most of the malware samples left are non-PE files (such as text, scripts, HTML, Microsoft Office documents, *NIX files, etc.).

Future work

1. Automating signature generation for non-PE files.
2. Automating the analysis process and generating an initial report for suspicious files (or those that are not detected by any other scanners).
3. Integrating "automated analysis" and "automated signature generation" with e-mail honeypots and high-priority alert systems to fight today's growing threats in real time.


Tuesday, October 16, 2007

Detecting the "Storm Trojan" botnet - network traffic anomalies

Since its first appearance in early January 2007, the "Storm Trojan" has aggregated an astounding number of infected hosts or bots (about 1 million to 10 million computers). The botnet's command-and-control (C&C or C2) runs over a peer-to-peer (P2P) network and implements the eDonkey/Overnet protocol to communicate data and actions to its nodes. Such a botnet is extremely difficult to track and take down owing to its de-centralized nature.

According to a blog post from Microsoft's Anti-malware team, their Malicious Software Removal Tool (MSRT) - which is updated and shipped once a month on Patch Tuesday - disinfected a large number of computers (about 2.6 million Windows machines) from variants of the "Storm Trojan".

Latest developments in researching the "Storm Trojan" have revealed that certain anomalies or spikes in network traffic can be used to detect hosts (or nodes) belonging to its botnet.

An interesting blog post about this is from ESET. It shows the nature of the spike in network traffic whenever a new node joins the "Storm Trojan's" de-centralized botnet. You can find the blog post here.
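A minimal form of the join-spike detection described above, as an added example that is not part of this post or of any of the linked research: it reads constructed flow records (the record format, hosts, ports and thresholds are all my assumptions), counts the distinct UDP peers each host contacts per minute, and flags minutes that are far above that host's own median.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow-record format (not any real sensor's output):
#   "<ISO time> <src> -> <dst>:<dport> <proto> <bytes>"
FLOW_RE = re.compile(r"^(\S+) ([\d.]+) -> ([\d.]+):(\d+) (\w+) (\d+)$")


def parse_flows(lines):
    """Yield (minute, src, dst, proto) for each well-formed record; silently skip anything else."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, _dport, proto, _nbytes = m.groups()
            yield ts[:16], src, dst, proto.lower()        # bucket by "YYYY-MM-DDTHH:MM"


def udp_peers_per_minute(flows):
    """{src: {minute: set of distinct UDP destinations}}; the P2P overlay talks over UDP."""
    peers = defaultdict(lambda: defaultdict(set))
    for minute, src, dst, proto in flows:
        if proto == "udp":
            peers[src][minute].add(dst)
    return peers


def find_join_spikes(peers, ratio=5.0, min_peers=20):
    """Flag minutes where a host's distinct-UDP-peer count is large in absolute terms AND far
    above that host's own median: the burst a node makes when it joins the overlay."""
    alerts = {}
    for src, by_minute in peers.items():
        counts = {minute: len(dsts) for minute, dsts in by_minute.items()}
        baseline = median(counts.values())
        spikes = sorted(m for m, n in counts.items()
                        if n >= min_peers and n >= ratio * max(baseline, 1))
        if spikes:
            alerts[src] = spikes
    return alerts


def constructed_log():
    """Constructed sample: 10.0.0.5 idles at 3 peers/minute, then bursts to 40 at 10:05;
    10.0.0.7 is steady at 4 UDP peers plus some TCP traffic that must be ignored."""
    lines = []
    for minute in range(6):
        n = 40 if minute == 5 else 3
        for i in range(n):
            lines.append(f"2007-10-16T10:0{minute}:{i % 60:02d} 10.0.0.5 -> 198.51.100.{i + 1}:7871 udp 60")
        for i in range(4):
            lines.append(f"2007-10-16T10:0{minute}:{i + 10:02d} 10.0.0.7 -> 203.0.113.{i + 1}:4000 udp 120")
        lines.append(f"2007-10-16T10:0{minute}:30 10.0.0.7 -> 203.0.113.9:80 tcp 4000")
    return lines


if __name__ == "__main__":
    alerts = find_join_spikes(udp_peers_per_minute(parse_flows(constructed_log())))
    for host, minutes in alerts.items():
        print(host, "join-like UDP burst at", ", ".join(minutes))
```

Per-host baselining is what keeps this usable: a server that legitimately talks to many UDP peers every minute is never flagged, while a quiet workstation that suddenly contacts dozens of new peers is. The ratio and minimum-peer thresholds are placeholders and would have to be tuned against real traffic from the monitored network.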

There is also an article by SRI on the Storm Trojan. You can find the article here.

There is also a post on "The Register" about "Storm Trojan's" new encrypted traffic being used to detect its botnet. You can find that post here.

Bleeding Edge research posted more info about this as well. Encrypted storm traffic and Storm side CC channel. They also maintain a list of compromised host IPs.

According to a blog post by Ryan Naraine, the creators of the "Storm Trojan" are now partitioning their botnet in order to make it available for sale to spammers and denial-of-service attackers. This discovery was made by SecureWorks researcher Joe Stewart, who has been tracking the Storm botnet for a while.

A very interesting blog post by Websense, detailing the chronological appearance of the "Storm Trojan" can be found here.

Frank Boldewin recently posted a nice writeup on the internal workings of the "Storm Trojan" based on the variant Peacomm.C. You can find that here.

Note: "Storm Trojan" (a.k.a. Nuwar, Tibs, Peacomm, Zhelatin, Fathom, Storm Worm, Dorf, Trojan.Peed, Trojan-Downloader.Win32.Small.dam, CME-711, etc.)


Wednesday, September 26, 2007

Virus Bulletin Conference 2007, Vienna

I had the privilege of attending the Virus Bulletin 2007 conference in Vienna, Austria and witnessing it first hand. Although this was my second time attending a security conference (the first being the AVAR conference in Auckland, New Zealand in Dec 2006, where I presented a paper about rootkits on Windows), this was my first time attending the Virus Bulletin conference. It has truly been a pleasurable experience. Apart from enjoying the beautiful music, art, monuments and palaces of Vienna, the conference itself was very informative and interesting. The best part was being able to meet some of the best minds in the AV-industry, as well as to connect with some of the well-known and well-respected figures in the AV-community.

AVPD and Wild List

I also had the opportunity to attend the AVPD (Anti Virus Product Development Consortium) & Wild List meetings that were held prior to the actual VB conference. Both of these organizations are supported and sponsored by ICSA labs that are known for their certification testing of AV-products (among other security products). Andrew Hayter, who led the AVPD meeting, introduced the current methodology used for testing and proposed some future improvements. The Wild List meeting led by Peter Chung had interesting ideas floating around in order to improve the quality of current Wild List.

Good ole Wild List


ICSA Labs publishes its AV-product testing results in buyer's guides for security products. Such results clearly influence buyers' decisions toward AV-products. Another such influential set of AV-product testing results is published by AV-Test.org, which is maintained by Andreas Marx and his team. It is worth mentioning here Andreas Marx's conference presentation on the "death of the Wild List", where he emphasized known limitations and shortcomings of the current Wild List that render it irrelevant and misleading for AV-product testing. In other words, Andreas states that the Wild List collection is non-dependable and trivial. Even though Andreas is quite right in stating so, my personal opinion is that the Wild List has potential. It is supposed to be a diverse collection of self-replicating pieces of malware that are actually prevailing "in the wild". The quality of the Wild List is only as good as the quality, quantity and consistency of its reporters (malware researchers from reputable AV-companies, the chosen ones). This heavily requires more "active" reporters to respond and submit samples that are found in the wild, more frequently.

An interesting presentation…


An interesting, well-versed and technically rich presentation was given by Dr. Vesselin Bontchev of FRISK Software. His presentation introduced various points of susceptibility in modern mobile platforms that would allow viruses (or self-replicating code) to thrive. He also gave some predictions about the future of viruses on such platforms.

Building relations…

I also had the privilege of connecting with a diverse group of people: from prominent researchers, tech junkies and marketing personnel to people from academia. I was also able to build relations with representatives from globally known AV-companies as well as with those from localized AV-companies. Some of these localized AV-companies are actually very well known and thriving in their local geographical regions.

A sense of community in the AV-industry

Any AV-company, while always striving to improve its technology, also tries to diversify its malware collection and rely on reputable sources to contribute to an ever-growing set of samples. Attending conferences such as these and building relations helps any AV-company to establish a base line of trust allowing the exchange and influx of newer malware samples from other AV-vendors. This also helps them to see the bigger picture in terms of newer evolving threats. This in turn, also helps the AV-community as a whole, to work and fight as a team against today’s commercialized malware crime.

The Feds need our help…


Finally, the conference concluded with a panel of international law enforcement representatives chaired by David Thomas (FBI special agent, Cyber Crime division). The discussions provided insight into the workings of the world's police in fighting Internet crime. The panel stressed that they take cyber crime very seriously and that the Internet is actually "killing people". They also admitted that they cannot fight this battle all by themselves and require help from the AV-community. Their plea was for partnership and co-operation from the AV-community in providing information about organized computer crime that we might come across on a day-to-day basis. They also acknowledged that, as businesses, we still have to provide services to our customers, and they appreciate any time we spend helping out law enforcement officials. The representatives on the panel admitted that they are limited in resources and manpower to fight this battle, and that sometimes reported incidents might seem to go unnoticed by them, but those might later resurface to build up a case against the bad guys. Hence no information is useless information. My personal opinion: as a community we should, as time and resources permit, provide useful information to law enforcement agencies to help curb this scum of Internet crime.

The fun part…


Conferences such as these are specifically geared toward the AV-community (also popularly known as "white hats"), in an attempt to exchange information and technology, educate each other about the types of threats being dealt with, and prepare for emerging threats. The conference was a perfect combination of technology, passion and fun. The gala dinner on the second day of the conference was profoundly entertaining, with good food and a Viennese waltz performance.

They also arranged for a complete casino set for those post dinner partiers. Free chips were given away for those who wanted to try their luck, and needless to say I happened to try my hand as well.

Surprisingly, I won a whole stack of chips (not too bad for a first timer) until in the end I put it “all in” and lost it all!! (a mixture of over confidence and greed I suppose). Oh well! “easy come, easy go”. If only I had followed my wife’s advice and stopped at that moment I might have won her an ipod (which was the first prize to be given away to the person who won the most number of chips). All in all, the conference was a great experience in every respect.

Me and my wife, Amy, at the gala dinner.



Thursday, April 12, 2007

The Eye of the Storm

The recent massive spam run by the makers of the infamous "Storm Trojan" resulted in numerous variants hitting our honeypots. Dynamic re-packing and server-side polymorphism allow the creators of the "Storm Trojan" to create new binaries every few minutes. The variants are then spammed out using the strong de-centralized botnet they have created, in an attempt to thwart signature-based detection. The "Storm" botnet is several million computers strong, most of which belong to unsuspecting users who have fallen victim to the trojan's social engineering tactics.
( Source of the picture: sro.hse.gov.uk )

Newer attack vector…

The most recent variants are being spammed as encrypted zip file attachments via spoofed e-mails. The password for the encrypted zip is included as a GIF image within the e-mail. The GIF image also includes a message posing as a security patch being offered by some arbitrary Customer Support Center. This new variant employs numerous anti-debugging techniques in order to thwart analysis. It is also packed with a polymorphic packer.

The Intent…

The Trojan displays tactical use of social engineering techniques, arriving as an attachment to an e-mail. The goal is to lure an unsuspecting user into executing the Trojan, which renders the victim machine part of a huge botnet. The primary purpose of the botnet is to send out penny stock spam (also called pump-and-dump penny stock spam) or to initiate Distributed Denial of Service (DDoS) attacks. Subsequent versions of the Trojan were distributed by embedding it within an open source e-mail worm.

Shying away from IRC!!

The botnet being created communicates over a peer-to-peer (P2P) network for its Command and Control (C&C) rather than over traditional IRC. This ensures the creation of a "headless" botnet that is not bogged down by a single point of failure. The Storm Trojan's implementation of HTTP and P2P methods of communication is indicative of the shift toward stealthier means of building a botnet. Such a de-centralized network allows data and information to be synced among each of the nodes of the botnet and to any newer nodes being added to it. Each infected node also carries a "peers list".

What drives the Storm?

When the Trojan is executed, it drops a kernel mode driver (wincom32.sys) that it registers as a service via the Service Control Manager (SCM). Initial versions of this driver did not attempt to hide any files or registry entries but did include stealth in order to execute its payload. Subsequent versions of this driver program started to incorporate more and more rootkit like functionalities in order to hide registry entries, files, and active communication ports.

This driver program is instrumental in executing the Trojan's payload. The payload is an executable embedded within the driver program. In order to execute the payload, the driver employs stealth techniques. The payload is injected from kernel space into the user space of "services.exe" and scheduled for execution by queuing an Asynchronous Procedure Call (APC) for it. Because of this, there is no "visible" process executing the payload when using tools such as Windows Task Manager or Process Explorer. Initial versions showed significant network activity via newly opened ports (UDP traffic). Subsequent versions of the driver program incorporated rootkit techniques in order to hide files and registry keys (by hooking the Service Descriptor Table) as well as any active communication ports (by hooking IRP_MJ_DEVICE_CONTROL of the '\Device\Tcp' object).


Tuesday, April 3, 2007

ANI Exploits, NX-bit, DEP, Protected Mode… jargon

Since its discovery in the wild, there are now hundreds of specially crafted websites that host malicious ANI files exploiting the "Windows Animated Cursor Handling" vulnerability. This vulnerability is exploitable on fully patched Windows XP SP2 and Vista running Microsoft's Internet Explorer 7 or Mozilla Firefox 2. Simply visiting such a rigged website will render a victim machine infected. The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. When such an attachment is viewed or opened with Outlook or Outlook Express, the victim machine will be infected by a host of malware. Also, if a malicious ANI file is viewed using Explorer (file extension matters in this case), the exploit will be triggered.

Speaking of browsers, the damage is mitigated if Internet Explorer 7 is running in Protected Mode. This will still permit the malware to have read-only access to a user's files, allowing it to steal and copy personal data, but it will not be able to alter or delete any data. UAC (User Account Control) in Vista might only be able to prevent installation of persistent malware, but won't prevent damage to the user's data unless the browser is running in Protected Mode. Firefox does not have Protected Mode under Vista, and if exploited using the ANI file vulnerability, it will allow malicious code to execute with the same privileges as the logged-on user, allowing complete disk read and write. Do not confuse this with "Safe Mode" in Firefox, which is purely for debugging purposes.

The ANI exploit is preventable by enabling DEP (Data Execution Prevention) in Windows XP SP2 or Vista. When enforced with hardware NX/XD support, DEP will prevent the exploit from being triggered. Beginning with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on x86 architectures. The NX bit (as termed by AMD, which stands for No eXecute) or XD bit (as termed by Intel, which stands for eXecute Disable) is a CPU technology used to separate areas of memory for storage of processor instructions (i.e. code) from areas for storage of data. A section of memory marked with the NX attribute is designated for storing data. Hence, even if processor instructions reside in such a section of memory, they cannot be executed. This prevents malicious programs from executing their own code which they might have inserted into another program's data storage area. This is precisely what the ANI exploit does, and DEP (an OS feature) combined with NX/XD (a CPU feature) can prevent this from happening.

But Microsoft ships most of its Windows operating systems with DEP turned off by default. It is on the user to turn DEP "on" for all applications. This might cause a few applications to stop functioning properly, but I believe this is a price well worth paying. This should also teach application developers to adhere to safe programming practices.

Microsoft will be releasing an out-of-cycle patch for this vulnerability today.


Friday, March 30, 2007

New “Zero Day” Vulnerability in Windows Animated Cursor Handling

A new zero day vulnerability has been discovered in the way Microsoft Windows handles animated cursor files (.ANI files). The ANI file format is based on Microsoft's RIFF file format. There have been reports of specially crafted ANI files being hosted on websites that exploit this vulnerability. When an unsuspecting user visits such a "rigged" website using any of the popular browser applications such as IE7 or Mozilla Firefox, the vulnerable Windows code will be invoked to parse/render the specially crafted ANI file, which in turn will invoke the exploit code. As a result, malware will be silently downloaded and launched on the victim machine (drive-by download). Remote code will be executed with the privileges of the logged-on user.

The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. The exploit works independently of file extension, making it useless to simply block .ANI files on e-mail gateways. Simply configuring Outlook or Outlook Express to read mail in plain text will still parse the ANI file and hit the exploit. Simply "viewing" such a malicious ANI file in Windows Explorer will allow the exploit code to be triggered.
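Since the exploit does not depend on the file extension, a mail gateway or proxy has to look at the content. The ANI format is RIFF-based, and the public description of CVE-2007-0038 attributes the flaw to an anih chunk whose declared length differs from the fixed 36-byte ANIHEADER structure, so a structural walk over the chunks catches malformed files regardless of how they are named. The Python below is an added example written for this post, not code from Microsoft or from the linked advisory; the chunk walker, the finding messages and the test files are my own construction, and the malformed test file is only an oversized zero-filled chunk, not an exploit.

```python
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): nine DWORD fields, the fixed size the cursor loader expects


def walk_chunks(data, offset, end):
    """Yield (fourcc, chunk_offset, payload_offset, size) for each RIFF chunk in data[offset:end],
    descending into LIST chunks (whose payload is a 4-byte list type followed by more chunks)."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        yield fourcc, offset, payload, size
        if fourcc == b"LIST" and payload + 4 <= end:
            yield from walk_chunks(data, payload + 4, min(end, payload + size))
        offset = payload + size + (size & 1)            # chunks are word-aligned


def check_ani(data):
    """Content-based check of an animated cursor; returns a list of findings (empty = structurally sane)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    findings, anih_count = [], 0
    for fourcc, off, payload, size in walk_chunks(data, 12, end):
        if payload + size > len(data):
            findings.append(f"chunk {fourcc.decode('latin-1')!r} at {off} declares {size} bytes, beyond end of file")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} at {off} has size {size}, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", data, payload)[0] != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} at {off}: cbSizeof field is not {ANIH_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk present")
    return findings


def riff_chunk(fourcc, payload):
    """Constructed helper: one RIFF chunk with the required pad byte for odd sizes."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(chunks):
    """Constructed helper: wrap chunks in a RIFF/ACON container."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


ANIH_OK = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)   # plausible header: one 32x32 frame
GOOD_ANI = build_ani([riff_chunk(b"anih", ANIH_OK),
                      riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\0" * 16))])
# Constructed malformed file: a second anih whose declared size is not 36 (64 zero bytes, nothing else)
MALFORMED_ANI = build_ani([riff_chunk(b"anih", ANIH_OK), riff_chunk(b"anih", b"\0" * 64)])
TRUNCATED_ANI = build_ani([riff_chunk(b"anih", ANIH_OK)])[:-10]      # chunk runs past end of file

if __name__ == "__main__":
    for name, blob in [("good", GOOD_ANI), ("malformed", MALFORMED_ANI),
                       ("truncated", TRUNCATED_ANI), ("gif", b"GIF89a")]:
        print(f"{name}: {check_ani(blob) or 'ok'}")
```

The check keys on structure, not on the file name or on a byte pattern of a particular sample, so it applies to every attachment and download a gateway sees. A filter built on it should treat any finding as a reason to quarantine, since a legitimate cursor has no use for a second, differently sized anih chunk or for a chunk that extends past the end of the file.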

Microsoft has released a security advisory regarding this: http://www.microsoft.com/technet/security/advisory/935423.mspx

CVE-2007-0038 has been assigned to this vulnerability.

It seems like the vulnerability is already exploited in the wild:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/


Thursday, December 14, 2006

Back from New Zealand (AVAR2006 Conference)

I am back from the AVAR2006 conference in Auckland, New Zealand. This was my first security conference while pursuing my first professional job as an Anti-Virus Research Engineer. I am delighted to have been able to attend the conference. It was also a great experience to be able to present at the conference as well. I surely had a wonderful time.

You can access my "Rootkits on Windows" presentation and paper from my website: Anti-Malware Research

The best part of the conference was being able to meet and connect with some of the well-renowned researchers in the AV-industry, many of whom I highly revere and respect. Prominent among them are Peter Ferrie, Peter Szor, Dr. Vesselin Bontchev, Dr. Igor Muttik, Joe Telafici, Andrew Lee, Randy Abrams, and Tony Lee, to name a few.

Here is a picture of me just before delivering my presentation :)


You can find some more of the pictures taken at the conference on the AVAR2006 website.

I was fortunate to be able to bring my wife with me on the trip as well. After the conference, we spent a few days vacationing on the North Island of New Zealand. A truly amazing and beautiful place, I must say. We both had a great time. The people are very nice and laid back. There is so much fun and adventure stuff to do with such beauty surrounding you; it was absolutely amazing!

My kind of adventure: "Free Flying"

We highly recommend visiting New Zealand to all those who love to travel. As for us, we will have to go back and visit the South Island next time, which the New Zealanders say is much more awesome...
