Monday, October 5, 2009

Breaking the conventional scheme of infection

After years working in information security, and in antivirus in particular, you get to hear comments that try to justify the unjustifiable and that are closer to myth than to truth.

A journalist recently asked us what we think of moderately advanced users who claim they do not need antivirus software because they know exactly what is on their computer.

While this may be true, I think we should not fall into arrogance. What do I mean by this? Many times we are confident that we know what we are doing, and then we find that what seemed trivial turned out to be very dangerous. Obviously, the ideal case would be a user who is aware of the dangers that exist in the cloud (the word that is so fashionable for referring to the Internet) and who acts accordingly through prevention mechanisms.

However, these trivial issues often create a false sense of security in our minds: we believe we are protected when we are not. Carried over to the world of malware, this is more common than people think.

Let's first review the structure of conventional malicious code. We could say that it is basically composed of three modules: damage, self-defense and communication.

The damage module is designed to carry out harmful actions such as deleting information, encrypting files, sending spam messages to MSN contacts, executing DDoS attacks and keylogging, among many other things.

The self-defense module takes care of anything that could interfere with its malicious instructions: for example, disabling security programs (firewall, antivirus), blocking access to native operating system tools (registry, CMD, Task Manager), and also blocking access to antivirus websites so the product cannot stay updated. This module also covers more advanced techniques such as rootkits, virtual machine detection and anti-debugging, among others.

As for the communication module, which need not be present but is characteristic of current malware, it is responsible for establishing communication with a malicious server (which may itself be a zombie) to download other malicious code, update its own code, continue its propagation cycle, manipulate the network connection (DNS, SMTP, HTTP proxies), encrypt the stolen information, and more, depending on the type of malware.

All these activities can reveal the presence of malware on the computer, and they are what antivirus solutions latch onto during the detection process. However... what if this scheme is broken? That is what happens in the following example:

We have a file that spreads via email pretending to be a video; its name is videotestimonio.mpeg.exe (social engineering applied to the file name). The user runs the file and an instance of the browser immediately opens, showing a YouTube video that matches what the file name promised.

That is, there is no memory-resident process, no registry key is touched, the PC shows no unusual symptoms, and the user saw what was promised. However, something happened in the background.

The malicious code added entries to the hosts file, carrying out a local pharming attack intended to enable phishing attacks against the victim. In this case, the malware has no communication module and no self-defense module, only a single form of attack: all it does is add entries to the hosts file, breaking the conventional scheme of infection. On this basis... is the machine infected? Yes. Will the antivirus detect it? Most likely not, because the hosts file itself is not malware.

The development of the malicious code is also trivial. It simply consists of a .bat file (video.bat) containing the instructions needed to add entries to the hosts file, packaged as a WinRAR SFX archive (videotestimonio.mpeg.exe) with two lines of script that run the .bat.
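A defender-side check for the hosts-file tampering described above, added here as an example and not part of the original post: it parses a hosts file and flags any hostname pinned to an address other than loopback or 0.0.0.0, which is how a local pharming entry stands out from the stock defaults. The hosts content, the address 203.0.113.45 and the bank domain are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: the first lines are the stock Windows
# defaults, the last two are the kind of entries a pharming dropper appends
# (the IP and the bank domain are made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test   # constructed pharming entry
203.0.113.45    example-bank.test
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                # one IP may map several names
            entries.append((parts[0], host))
    return entries

def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Flag hostnames that resolve somewhere other than the local machine.

    A workstation hosts file normally maps names only to loopback (127.0.0.1,
    ::1) or, for some ad blocklists, to 0.0.0.0. Any name pinned to a routable
    address is a candidate pharming redirect and is returned for review.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host))        # malformed address: report it too
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, host))
    return flagged

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
```

On a live system, read the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) into `suspicious_entries` and compare the result against a known-good baseline.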

Regardless of how trivial the malware is, the effects that can be achieved through this technique are very dangerous. Furthermore, the detection rate is very low: only 12/41 (29.27%).

Obviously, confidence is not all that healthy, especially in an environment as ambiguous as the Internet.

Related information
Automatic propagation of malicious code via HTTP
Symbiosis of current malware: Koobface
Schematic analysis of a web-based malware attack

Jorge Mieres

1 comment:

David Harley said...

I must admit that there was a time back in the 90s when not all my machines ran antivirus all the time. That wasn't completely arrogant: I wasn't in the AV business then, but I was fairly well-known in the research community, and pretty capable of spotting standard social engineering.

Today there's too much in the way of self-launching exploits and targeted malware to take that risk unless you're prepared to spend a lot of time maintaining alternative defences. Even then, I'd consider the extra layer of protection worth the investment for most people (and almost all Windows users).