Malware's Most Wanted: How to tell BADware from adware

Posted on 02-Jul-2015


description

How do you effectively deal with the ever-increasing amount of adware? Adware is annoying, but not all of it is created equal. At this MMW we look at the growing landscape of adware and malware. We will discuss tools that give you behavior insights and ways to reveal the context of adware as it relates to your business.

transcript

How to tell BADware from adware

Your speakers today

Nick Bilogorskiy, @belogor

Director of Security Research

Shelendra Sharma, Product Marketing Director

Agenda

o BADware defined

o BADware Case studies

o How to recognize BADware

o Q&A

Cyphort Labs T-shirt

Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB

o Best of 3rd party threat data

What is BADware

o Adware

computer software that is provided usually for free but contains advertisements.

o BADware

adware that collects personal information, changes computer’s configuration, or displays advertising without user consent. It qualifies as malware.

Adware, Malware, BADware

o Most malware is BADware

o Most adware is not considered BADware

o Not all adware is simply a nuisance; it becomes BADware when:

  o It steals your sensitive data

  o It takes you where the danger lurks

  o It installs X-ware without your permission

  o It tries hard to hide – disabling your AV, installing a rootkit

BADware distribution

o BADware is frequently installed via web redirects:

  o A - malicious scripts

  o B - .htaccess redirects

  o C - hidden iframes
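The three redirect techniques above are what a site owner should look for when a page starts pushing visitors to an installer they never asked for. The script below is an added example, not code from the Cyphort deck: it flags iframes that are sized or styled to be invisible in page source, and lists RewriteRule redirects to external URLs in an Apache .htaccess together with the RewriteCond lines that gate them (a redirect that only fires for some referers or user agents is the one to examine first). All sample inputs are constructed for the example.

```python
"""Added example (not code from the Cyphort deck): find hidden iframes in
HTML and external redirect rules in an Apache .htaccess, two of the
web-redirect techniques the deck lists. Sample inputs are constructed."""
import re
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose attributes suggest they are meant to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower().removesuffix("px")
            if value.isdigit() and int(value) <= 1:
                reasons.append(f"{dim}={a[dim]}")
        if re.search(r"(left|top):-\d{3,}px", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return [(src, reasons)] for every iframe that looks deliberately hidden."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


# A RewriteRule that redirects (R flag) to an external URL, plus the RewriteCond
# lines that gate it. Conditional redirects deserve the closest look.
COND_RE = re.compile(r"^\s*RewriteCond\s+(.*)$", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)\s+\[[^\]]*\bR\b", re.I)


def find_htaccess_redirects(text):
    """Return [(target_url, [conditions])] for external redirects in an .htaccess."""
    findings = []
    conds = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cond = COND_RE.match(stripped)
        if cond:
            conds.append(cond.group(1).strip())
            continue
        rule = RULE_RE.match(stripped)
        if rule:
            findings.append((rule.group(1), conds))
        conds = []  # RewriteCond lines apply only to the RewriteRule that follows them
    return findings


# Constructed sample inputs, not taken from any real site.
SAMPLE_HTML = """<html><body>
<p>Welcome to the shop</p>
<iframe src="https://partner.example.test/widget" width="300" height="200"></iframe>
<iframe src="https://landing.example.test/x" width="0" height="0" style="display:none"></iframe>
<iframe src="https://other.example.test/y" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

SAMPLE_HTACCESS = r"""
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule ^(.*)$ http://landing.example.test/ [R=302,L]
RewriteRule ^old-page$ /new-page [R=301,L]
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe:", src, "-", ", ".join(why))
    for target, conds in find_htaccess_redirects(SAMPLE_HTACCESS):
        print("external redirect to", target, "gated by", conds or "nothing")
```

The internal `/old-page` redirect is reported nowhere because only external targets are of interest here; the iframe with a normal size and no hiding style is likewise ignored. Both checks are heuristics for triage, not a substitute for diffing the site against a known-good copy.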

Why does BADware exist

From: Sanford Wallace

To: Jared Lansky

Subject: I DID IT

Date: March 6, 2004

I figured out a way to install an exe without any user interaction. This is the time to make the $$$ while we can.

From Ben Edelman’s Beautiful Security, 2009

INDICTED IN 2011

Why does BADware exist: pay per install

PPI service charges from $7 to $180 per thousand successful installations.

Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.

Data from Brian Krebs

Why does BADware exist: pay per install

Juan Caballero, 2011

Affiliate Username    Account Balance (USD)
nenastniy             $158,568.86
krab                  $105,955.76
rstwm                 $95,021.16
newforis              $93,260.64
slyers                $85,220.22
ultra                 $82,174.54
cosma2k               $78,824.88
dp322                 $75,631.26
iamthevip             $61,552.63
dp32                  $58,160.20

Joe Stewart, Secureworks

BADware “genes” – 4 groups

System Changes

o S1 - Change proxy settings

o S2 - Change browser homepage

o S3 - Change search provider

o S4 - Install Browser helper object or add-on

o S5 - Install windows service/driver

o S6 - Create files/process mimicking Windows binary names

o S7 - Create new Task Scheduler tasks

BADware “genes” – 4 groups

Payload Armoring

o P1 - Payload is obfuscated or packed

o P2 - Payload uses anti-debugging techniques

o P3 - Payload uses anti-reversing techniques

o P4 - Payload uses anti-VM/anti-sandbox techniques

BADware “genes” – 4 groups

Remote Communication

o R1 - Download more binaries

o R2 - Upload system information to remote server

o R3 - Wait for commands from remote server

o R4 - Encrypt the connection to remote C&C Server

BADware “genes” – 4 groups

Behavior traits

o B1 - Inject Ads into web page.

o B2 - Capture login credentials or Browser cookies.

o B3 - Block specific websites

o B4 - Disable security features

o B5 - Hijack file type association

o B6 - Persist in the system

o B7 - Self-protected. (Hard to remove)

o B8 - Hide itself on the system (rootkit)

o B9 - Silent Install

BADware case studies

o Adpeak

o Oxy

o BrowseIgnite

o PC Optimizer Pro

o Gorilla Price

o Amonetize

o Browser Guardian

o OSX Conduit

o OSX Genieo

o Umeng

Adpeak SavingsBull

o MD5: 66ffc19cb717359d4b59bb71bb6f3347

o Achieves persistence through a Windows service (B6, S5)

o Downloads & executes scripts via integrated Lua interpreter (R1)

o Thus changes functionality on the fly


POLL #1 - LUA

o Which other well known threat used LUA scripting language?

o Stuxnet

o Flame

o Conficker

o None of the above

FLAME

o FLAME APT malware also used LUA

Adpeak SavingsBull

o Injects ads to common web browsers (B1).

Oxy iPumper Adware

o MD5: 1d291ccac6ce11c2e5761e37bb0b95fc

o Runs as a silent installer (B9)

o Downloads and executes other binaries (R1, R2)

o Exfiltrates sensitive system information to C&C in cleartext:

  o Location of %TEMP% folder

  o Windows version

  o Processor architecture

  o Antivirus products installed

  o Default browser path

  o GUID

Browser Hijacker BrowseIgnite

o MD5: 616dc7625176d113765f9b1808c8a195

o Legitimate looking installer

o Introduces browser plugins for Firefox, Internet Explorer and Chrome (S4, B1)

o Does not inform the user about additional advertisement!

Adware PcOptimizerPro

o MD5: ffec7c722a41ba18c410a0a50ee389fa

o Lures the user into believing WinSCP would be installed

o In fact, WinSCP is never installed

Adware PcOptimizerPro

o Notifies the user about additionally installed software: PC Speed Maximizer

o But the opt-out button is deactivated.

Adware PcOptimizerPro

o PcOptimizerPro shows fake alerts of performance problems

o Fixing them is only possible with the commercial version

o Offers the user an upgrade to buy

Adware GorillaPrice

o MD5: A6B6CCDFA42EC13A111B062A2823E97A

o Displays pop-up ads and advertisements on web pages that you visit (B1)

o Installed as an extension for Internet Explorer, Firefox and Chrome (S4)

o Armored to evade detection (P1, P2, P3, P4):

  o Sandbox detection (QEMU, VMware, VBox)

  o HoneyPot detection (Nepenthes)

  o Debugger detection (Olly, IDA)

  o Monitoring tools detection (Snort, API logger)

Amonetize

o MD5: 66ffc19cb717359d4b59bb71bb6f3347

o It uses pay per install to earn money

o Detects VMWare (P4)

Browser Guardian

o MD5: EBFBA5A4F34DE97C42A8AA3FD5E26978

o Shows unwanted popups (B1)

o Installs other unwanted programs without user knowledge (R1)

o Shows fake messages to user, blocks URLs (B3)

o Has rootkit capabilities like malware (B8)


Toolbar OSX.Conduit

o MD5: dc982d1f0415682e2735d45e83dff17e

o Toolbar, browser hijacker and data stealer

o OSX is not immune – Safari is just as much a target as Windows based browsers

OSX – Genieo

o MD5: 11f085fdfca46a4b446760a0e68dc2c3

o Browser Hijacker

o Changes the default website of the browser, modifies search engine results and displays advertisements

o Found in fake Flash Player installers

o It is hard to remove and comes with a broken uninstaller

Android – Umeng

o MD5: ad3bcb7cbd4f9981539c49ac70baec9e

o 1.9 MB apk file

o Packed, obfuscated by bangcle

o Sends out personally identifiable device info:

  o Device IMEI

  o Phone manufacturer and model

  o Location

  o Details about running and installed applications

How to recognize Adware

o Common adware non-behavior traits:

  o Large in size (1MB+)

  o Digitally signed

  o Has a GUI

  o Created by a registered corporation with professional developers

  o Distributed via CNET / Download.com

o These traits do not decide the verdict; categorize adware more accurately by its "deeds"

o Behavior analysis is critical

o Characterize the risk based on observed behavior
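A behavior-based verdict can be made mechanical once the observed behaviors are expressed as the deck's S/P/R/B "genes". The script below is an added example, not Cyphort's code: the gene list is the deck's, but the grouping of genes under the four dangerous behaviors (steal data, take you where the danger lurks, install without permission, try hard to hide), the "suspicious" tier for C&C genes, and the verdict rules are this example's assumptions. The case inputs are constructed from the gene tags the case-study slides attach to each sample.

```python
"""Added example (not code from the Cyphort deck): turn a set of observed
S/P/R/B gene codes into an adware/BADware verdict with the reasons."""

# The deck's 24 genes, four groups: System changes, Payload armoring,
# Remote communication, Behavior traits.
GENES = {
    "S1": "Change proxy settings",
    "S2": "Change browser homepage",
    "S3": "Change search provider",
    "S4": "Install browser helper object or add-on",
    "S5": "Install Windows service/driver",
    "S6": "Create files/processes mimicking Windows binary names",
    "S7": "Create new Task Scheduler tasks",
    "P1": "Payload is obfuscated or packed",
    "P2": "Payload uses anti-debugging techniques",
    "P3": "Payload uses anti-reversing techniques",
    "P4": "Payload uses anti-VM/anti-sandbox techniques",
    "R1": "Download more binaries",
    "R2": "Upload system information to remote server",
    "R3": "Wait for commands from remote server",
    "R4": "Encrypt the connection to remote C&C server",
    "B1": "Inject ads into web pages",
    "B2": "Capture login credentials or browser cookies",
    "B3": "Block specific websites",
    "B4": "Disable security features",
    "B5": "Hijack file type association",
    "B6": "Persist in the system",
    "B7": "Self-protected (hard to remove)",
    "B8": "Hide itself on the system (rootkit)",
    "B9": "Silent install",
}

# ASSUMED mapping of the deck's four dangerous behaviors onto genes.
DANGEROUS = {
    "steals your sensitive data": {"B2", "R2"},
    "takes you where the danger lurks": {"S1", "S2", "S3", "B5"},
    "installs software without your permission": {"R1", "B9"},
    "tries hard to hide": {"B4", "B7", "B8", "S6", "P1", "P2", "P3", "P4"},
}
# ASSUMED: C&C behavior short of a dangerous deed is flagged, not convicted.
SUSPICIOUS = {"R3", "R4"}
# ASSUMED: genes an ordinary ad-supported program may legitimately show.
ADWARE_ONLY = {"B1", "S4", "B6", "S5", "S7"}


def classify(observed):
    """Return (verdict, details) for an iterable of gene codes seen in a sandbox run."""
    genes = set(observed)
    unknown = genes - set(GENES)
    if unknown:
        raise ValueError(f"unknown gene codes: {sorted(unknown)}")
    hits = {name: sorted(genes & group)
            for name, group in DANGEROUS.items() if genes & group}
    if hits:
        return "BADware", hits
    if genes & SUSPICIOUS:
        return "suspicious adware", {"C&C behavior": sorted(genes & SUSPICIOUS)}
    if genes & ADWARE_ONLY:
        return "adware", {"ad-related": sorted(genes & ADWARE_ONLY)}
    return "no adware traits observed", {}


def explain(observed):
    """Human-readable report lines for one sample."""
    verdict, details = classify(observed)
    lines = [f"verdict: {verdict}"]
    for reason, codes in details.items():
        lines.append(f"  {reason}: " + "; ".join(f"{c} ({GENES[c]})" for c in codes))
    return lines


# Constructed from the gene tags on the deck's case-study slides.
CASES = {
    "Adpeak SavingsBull": {"B6", "S5", "R1", "B1"},
    "Oxy iPumper": {"B9", "R1", "R2"},
    "BrowseIgnite": {"S4", "B1"},
    "GorillaPrice": {"B1", "S4", "P1", "P2", "P3", "P4"},
    "Browser Guardian": {"B1", "R1", "B3", "B8"},
}

if __name__ == "__main__":
    for name, genes in CASES.items():
        print(name)
        print("\n".join(explain(genes)))
```

Note what the scoring cannot see: BrowseIgnite carries only S4 and B1, so on behavior alone it lands in the "adware" tier, while the deck's objection to it is the missing disclosure of the extra advertising. That is why the slides pair behavior analysis with context about consent rather than relying on genes alone.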

Dangerous Behaviors Make Them BADware

o Steal your sensitive data, like Oxy iPumper

o Take you where the danger lurks, like OSX Genieo, Conduit

o Install X-ware without your permission, like Browser Guardian

o Try hard to hide themselves, like GorillaPrice, Browser Guardian

How to recognize BADware: Submit

o When in doubt: submit to Cyphort for auto-analysis: http://www.cyphort.com/resources/security-tools/

o Submit to Microsoft for analysis: https://www.microsoft.com/security/portal/submission/submit.aspx

o Submit to VirusTotal: https://www.virustotal.com/

How to recognize BADware: Interpreting VTotal


Fight BADware - Clean Software Alliance

o First meeting planned on Jan 21, 2015

o Brings anti-malware vendors together with the download bundlers and sets agreed-upon standards for adware

o Compliant vendors will be allowed to use CSA logo

Conclusions

o BADware is affecting every platform

o The distinction between BADware and adware is sometimes not obvious.

o Security products need to detect BADware and categorize their behavior correctly

Thank You!

Twitter: @belogor

Previous MMW slides on

http://cyphort.com/labs/malwares-wanted/