Wednesday, May 30, 2012

Malware Design Strategies (Part 2) - Virus Bulletin

   Last month, Malware Design Strategies (Part 1) paper  was published in virus bulletin magazine. Continuing from there, part 2 of the paper is published this month's. It is available here - http://secniche.blogspot.com/2012/05/malware-design-strategies.html.

In this paper, we have discussed about:-

1. Polymorphic and metamorphic encryption
2. Anti-debugging tricks
3. Ant-traffic analysis stuff
4. Deployed tactics to detect virulent code.

Right now, subscription is required to read paper. We will release it after couple of weeks.

Monday, May 14, 2012

IEEE Internet Computing (PrePrint) - Cybercrime - Dissecting the State of Underground Enterprise

Our paper on "Cybercrime - Dissecting the State of Underground Enterprise" is available in preprint is available at

http://www.computer.org/csdl/mags/ic/preprint/mic2012990274-abs.html

Abstract: Cybercrime’s tentacles are reaching deeply into the Internet. A complete, underground criminal economy has developed to steal money through the Web. We detail this underground enterprise showing how information, expertise and money flow through it. Understanding the structure of this economic enterprise is critical for fighting it.

We will update the information once it is out in hard copy.

Enjoy !

Thursday, May 3, 2012

Code Hiding in Images - JavaScript Manual Armor (3)

Attackers are always using interesting techniques of hiding code. Image files have been used extensively for hiding payloads in the headers and upon rendering, the payloads get executed. In the past, several applications have been pwned for XSS using this technique in which image header is used to inject the payload. Anyways, it works:). In this post, we came across a generic JavaScript code which is used to render an iframe for injecting code. However, the interesting part in this post is to understand the flow of infection.

We came across a website and found that the .js files that are used for JSON communication have been injected with some malicious code. At the bottom of the sample js file, we find the following code snippet


This JavaScript is not that heavy as it is using only unescape. However, the unescape has to be performed two times to get the URL. So we perform a simple step to tweak the code as follows

After doing this, we get the target URL as "http://incas.co.kr/image/k.jpg". The iframe is pointing to a image file. Interesting ! Let's see what we have


The image file is actually an ASCII file. We find that there is some hexadecimal code in it. So we clean the code and feed it to the converter as follows

So it is pointing to an image folder on  "http://www.spris.com/images/". On issuing a HTTP request to this URL, we are served with

The log.txt file is served only once to the IP.  When we fetch the page, it contains an iframe that is pointed to log.txt file.


Well, we do not find any data in the file. Anyways, that's not a problem :). The main point is to analyze the flow. Attackers can use hard obfuscated scripts and follow the same flow of infection.

Malware Design Strategies (Part 1) - Virus Bulletin

Our paper on "Malware Design Strategies (Part 1)" just got published in the may edition of virus bulletin magazine. In this paper,  we discuss some of the different techniques that are used by present-day malware to circumvent protection mechanisms. This paper delves into some of the most widely used tactics by malware to bypass protection solutions and to detect the presence of other type of malware in the system. In part 1 of this paper, we talk about following methods

1. Detection of windows x86 emulator for running 32 bit dlls on x64 bit systems.

2. Detailed information about various tactics of VM  code detection using memory, registry, Virtual
   Machine Configuration Interface (VMCI), Media Access Control (MAC), system processes etc.
   These  methods are typically used to design anti VM code.

3 DLL injections using Asynchronous Procedure Call (APC)

4. Mutex based detection

5. Explicit run time linking to verify the presence of specific DLLs.

For complete details fetch the paper (require subscription) from - http://www.virusbtn.com/virusbulletin/archive/2012/05/vb201205-malware-design-strategies

We will be continuing our discussion in the part 2 of this paper.

Enjoy!