Date posted: 02-Jul-2015
Category: Technology
Uploaded by: cyphort
How to tell BADware from adware
Your speakers today
Nick Bilogorskiy@belogor
Director of Security Research
Shelendra SharmaProduct Marketing Director
Agenda
o BADware defined
o BADware Case studies
o How to recognize BADware
o Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
What is BADware
o Adware
computer software that is provided usually for free but contains advertisements.
o BADware
adware that collects personal information, changes computer’s configuration, or displays advertising without user consent. It qualifies as malware.
Adware, Malware, BADware
o Most malware are BADware
o Most Adware are not considered BADware
o Not all adware is merely a nuisance; it crosses into BADware when:
o They simply steal your sensitive data
o They simply take you where the danger lurks
o They install X-ware without your permission
o They try hard to hide – disabling your AV, installing rootkit
BADware distribution
o BADware is frequently installed via Web redirects:
o A - malicious scripts,
o B - .htaccess redirects, and
o C - hidden iframes
Why does BADware exist
From: Sanford Wallace
To: Jared Lansky
Subject: I DID IT
Date: March 6, 2004
I figured out a way to install an exe
without any user interaction. This is
the time to make the
$$$ while we can.
From Ben Edelman’s Beautiful Security, 2009
INDICTED IN 2011
Why does BADware exist: pay per install
PPI service charges from $7 to $180 per thousand successful installations.
Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.
Data from Brian Krebs
Why does BADware exist: pay per install
Juan Caballero, 2011
Why does BADware exist: pay per install
Juan Caballero, 2011
Affiliate Username Account Balance (USD)
nenastniy $158,568.86
krab $105,955.76
rstwm $95,021.16
newforis $93,260.64
slyers $85,220.22
ultra $82,174.54
cosma2k $78,824.88
dp322 $75,631.26
iamthevip $61,552.63
dp32 $58,160.20
Joe Stewart, Secureworks
BADware “genes” – 4 groups
System Changes
o S1 - Change proxy settings
o S2 - Change browser homepage
o S3 - Change search provider
o S4 - Install Browser helper object or add-on
o S5 - Install windows service/driver
o S6 - Create files/process mimicking Windows binary names
o S7 - Create new Task Scheduler tasks
BADware “genes” – 4 groups
Payload Armoring
o P1 - Payload is obfuscated or packed
o P2 - Payload uses anti-debugging techniques
o P3 - Payload uses anti-reversing techniques
o P4 - Payload uses anti-VM/anti-sandbox techniques
BADware “genes” – 4 groups
Remote Communication
o R1 - Download more binaries
o R2 - Upload system information to remote server
o R3 - Wait for commands from remote server
o R4 - Encrypt the connection to remote C&C Server
BADware “genes” – 4 groups
Behavior traits
o B1 - Inject Ads into web page.
o B2 - Capture login credentials or Browser cookies.
o B3 - Block specific websites
o B4 - Disable security features
o B5 - Hijack file type association
o B6 - Persist in the system
o B7 - Self-protected. (Hard to remove)
o B8 - Hide itself on the system (rootkit)
o B9 - Silent Install
BADware case studies
o Adpeak
o Oxy
o BrowseIgnite
o PC Optimizer Pro
o Gorilla Price
o Amonetize
o Browser Guardian
o OSX Conduit
o OSX Genieo
o Umeng
Adpeak SavingsBull
o MD5: 66ffc19cb717359d4b59bb71bb6f3347
o Achieves persistence through a Windows service (B6, S5)
o Downloads & executes scripts via integrated Lua interpreter (R1)
o Thus changes functionality on the fly
POLL #1 - LUA
o Which other well known threat used LUA scripting language?
o Stuxnet
o Flame
o Conficker
o None of the above
FLAME
o FLAME APT malware also used LUA
Adpeak SavingsBull
o Injects ads to common web browsers (B1).
Oxy iPumper Adware
o MD5: 1d291ccac6ce11c2e5761e37bb0b95fc
o Runs as a silent installer (B9)
o Downloads and executes other binaries (R1, R2)
o Exfiltrates sensitive system information to C&C in cleartext:
o Location of %TEMP% folder
o Windows version
o Processor architecture
o Antivirus products installed
o Default browser path
o GUID
Browser Hijacker BrowseIgnite
o MD5: 616dc7625176d113765f9b1808c8a195
o Legitimate looking installer
o Introduces browser plugins for Firefox, Internet Explorer and Chrome (S4, B1)
o Does not inform the user about the additional advertisements!
Browser Hijacker BrowseIgnite
Adware PcOptimizerPro
o MD5: ffec7c722a41ba18c410a0a50ee389fa
o Lures the user into believing WinSCP would be installed
o In fact, WinSCP is never installed
Adware PcOptimizerPro
o Notifies the user about additionally installed software: PC Speed Maximizer
o But the opt-out button is deactivated.
Adware PcOptimizerPro
o PcOptimizerPro shows fake alerts of performance problems
o Fixing only possible with commercial version
o Offers user to buy an upgrade
Adware GorillaPrice
MD5: A6B6CCDFA42EC13A111B062A2823E97A
• Displays pop-up ads and advertisements on web pages that you visit. (B1)
• Installed as an extension for Internet Explorer, Firefox and Chrome (S4)
Armored to evade detection: (P1,P2,P3,P4)
• Sandbox detection (QEMU, VMware, VBox)
• HoneyPot detection (Nepenthes)
• Debugger detection (Olly, IDA)
• Monitoring tools detection (Snort, API logger)
Adware GorillaPrice
Amonetize
o MD5: 66ffc19cb717359d4b59bb71bb6f3347
o It uses pay per install to earn money
o Detects VMWare (P4)
Browser Guardian
o MD5: EBFBA5A4F34DE97C42A8AA3FD5E26978
o Shows unwanted popups (B1)
o Installs other unwanted programs without user knowledge (R1)
o Shows fake messages to user, blocks URLs (B3)
o Has rootkit capabilities like malware (B8)
Toolbar OSX.Conduit
o MD5: dc982d1f0415682e2735d45e83dff17e
o Toolbar, browser hijacker and data stealer
o OSX is not immune – Safari is just as much a target as Windows based browsers
OSX – Genieo
o MD5: 11f085fdfca46a4b446760a0e68dc2c3
o Browser Hijacker
o changes the default website of the browser, modifies search engine results and displays advertisements
o Found in fake FlashPlayer installers
o It is hard to remove, comes with a broken uninstaller
Android – Umeng
o MD5: ad3bcb7cbd4f9981539c49ac70baec9e
o 1.9 MB apk file
o Packed, obfuscated by bangcle
o Sends out personally identifiable device info:
o Device IMEI
o Phone manufacturer and model
o Location
o Details about running and installed applications
How to recognize Adware
o Common Adware non-behavior traits:
o Large in size (1MB+)
o Digitally signed
o Has a GUI
o Created by a registered corporation with professional developers
o Distributed via CNET / Download.com
o Categorize them more accurately by their “deeds”
o Behavior analysis is critical
o Characterize their risk based on their behavior
Dangerous Behaviors Make Them BADware
o Steal your sensitive data, like Oxy iPumper
o Take you where the danger lurks, like OSX Genieo, Conduit
o Install X-ware without your permission, like Browser Guardian
o Try hard to hide themselves, like GorillaPrice, Browser Guardian
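The deck's gene codes and its four "dangerous behavior" tests can be turned into a triage step for sandbox output. The following is an added example, not code from the presentation or from Cyphort; which gene codes evidence which dangerous behavior is this example's own assumption, and the sample gene sets are constructed from the tags the deck gives three of its case studies.

```python
# Added example: gene-based BADware triage using the deck's S/P/R/B gene codes.
# The assignment of genes to dangerous-behavior classes is an assumption made
# here, not the deck's; plain ad-serving genes alone yield "adware", not BADware.
from dataclasses import dataclass, field

GROUPS = {  # the deck's four gene groups
    "S": "System Changes", "P": "Payload Armoring",
    "R": "Remote Communication", "B": "Behavior traits",
}
ALL_GENES = ({f"S{i}" for i in range(1, 8)} | {f"P{i}" for i in range(1, 5)}
             | {f"R{i}" for i in range(1, 5)} | {f"B{i}" for i in range(1, 10)})

# Ad injection and a browser add-on by themselves are ordinary adware.
ADWARE_ONLY = {"B1", "S4"}

# Genes taken as evidence for each dangerous behavior (assumed mapping).
DANGEROUS = {
    "steals your sensitive data": {"R2", "B2"},
    "takes you where the danger lurks": {"S1", "S2", "S3", "B3", "B5"},
    "installs X-ware without your permission": {"R1", "R3", "B9"},
    "tries hard to hide": {"P1", "P2", "P3", "P4", "S6", "B4", "B7", "B8"},
}

@dataclass
class Verdict:
    label: str                  # "BADware", "adware" or "no adware genes"
    reasons: list = field(default_factory=list)
    groups_hit: list = field(default_factory=list)

def classify(genes):
    """Classify one sample from the gene codes observed in a sandbox run."""
    genes = set(genes)
    unknown = genes - ALL_GENES
    if unknown:
        raise ValueError(f"unknown gene codes: {sorted(unknown)}")
    groups_hit = sorted({GROUPS[g[0]] for g in genes})
    reasons = sorted(name for name, codes in DANGEROUS.items() if genes & codes)
    if reasons:
        return Verdict("BADware", reasons, groups_hit)
    if genes & ADWARE_ONLY:
        return Verdict("adware", [], groups_hit)
    return Verdict("no adware genes", [], groups_hit)

# Constructed inputs: the gene tags the deck attaches to three case studies.
SAMPLES = {
    "Adpeak SavingsBull": ["B6", "S5", "R1", "B1"],
    "Oxy iPumper": ["B9", "R1", "R2"],
    "GorillaPrice": ["B1", "S4", "P1", "P2", "P3", "P4"],
}

if __name__ == "__main__":
    for name, genes in SAMPLES.items():
        v = classify(genes)
        print(f"{name}: {v.label}; {', '.join(v.reasons) or 'ad-serving only'}")
```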
How to recognize BADware: Submit
o When in doubt: Submit to Cyphort for auto-analysis http://www.cyphort.com/resources/security-tools/
o Submit to Microsoft for analysis: https://www.microsoft.com/security/portal/submission/submit.aspx
o Submit to VirusTotal: https://www.virustotal.com/
How to recognize BADware: Interpreting VTotal
Fight BADware - Clean Software Alliance
o First meeting planned on Jan 21, 2015
o Brings Anti-malware vendors together with the download bundlers and sets agreed upon standards for adware
o Compliant vendors will be allowed to use CSA logo
Conclusions
o BADware is affecting every platform
o The distinction between BADware and adware is sometimes not obvious.
o Security products need to detect BADware and categorize their behavior correctly
Thank You! Twitter: @belogor
Previous MMW slides on
http://cyphort.com/labs/malwares-wanted/