Page 1: Malware's Most Wanted: How to tell BADware from adware

How to tell BADware from adware

Page 2:

Your speakers today

Nick Bilogorskiy (@belogor)

Director of Security Research

Shelendra Sharma

Product Marketing Director

Page 3:

Agenda

o BADware defined

o BADware Case studies

o How to recognize BADware

o Q&A

Cyphort Labs T-shirt

Page 4:

Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from the malware KB

o Best of 3rd party threat data

Page 5:

What is BADware

o Adware

Computer software that is provided, usually for free, but contains advertisements.

o BADware

Adware that collects personal information, changes the computer's configuration, or displays advertising without user consent. It qualifies as malware.

Page 6:

Adware, Malware, BADware

o Most malware is BADware

o Most adware is not considered BADware

o Not all adware is simply a nuisance; it becomes BADware when:

o It steals your sensitive data

o It takes you where the danger lurks

o It installs X-ware without your permission

o It tries hard to hide, disabling your AV or installing a rootkit

Page 7:

BADware distribution

o BADware is frequently installed via web redirects:

o A - malicious scripts

o B - .htaccess redirects

o C - hidden iframes
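The three redirect vectors listed above are what a responder looks for on a site suspected of pushing installers. The following scanner is an added example written for this page, not code from the presentation or from Cyphort: it runs offline over constructed inputs (the HTML page, the .htaccess file and the example.invalid hostnames are all made up for illustration) and flags hidden iframes, document.write(unescape(...)) payloads that decode to an iframe, and .htaccess RewriteRule chains that send only certain referrers or user agents to another host.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs for this example (not taken from any real site):
# a page carrying a zero-size iframe plus a script that writes a second iframe
# from a %-encoded string, and an .htaccess that redirects only visitors who
# arrive from a search engine (the owner, typing the URL directly, never sees it).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://example.invalid/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://example.invalid/x%22 width=1 height=1%3E'));</script>
</body></html>"""

SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule ^(.*)$ http://example.invalid/go.php [R=302,L]
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.IGNORECASE)
REQUEST_VAR_RE = re.compile(r"HTTP_(REFERER|USER_AGENT)", re.IGNORECASE)


def _attrs(tag_body):
    """Parse the attribute list of one tag into a lower-cased dict."""
    return {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(tag_body)}


def _is_hidden(attrs):
    """An iframe nobody is meant to see: 0/1 pixel, display:none, visibility:hidden, or off-screen."""
    def tiny(v):
        try:
            return int(v.lower().rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")))
            or "display:none" in style
            or "visibility:hidden" in style
            or re.search(r"(left|top):-\d{3,}px", style) is not None)


def find_hidden_iframes(html):
    """Return the src of every iframe in html that is hidden from the user."""
    return [_attrs(m.group(1)).get("src", "") for m in IFRAME_RE.finditer(html)
            if _is_hidden(_attrs(m.group(1)))]


def find_encoded_injections(html):
    """Decode unescape('...') payloads and return those that expand to an iframe or script tag."""
    decoded = [unquote(m.group(1)) for m in UNESCAPE_RE.finditer(html)]
    return [d for d in decoded if re.search(r"<(iframe|script)\b", d, re.IGNORECASE)]


def find_conditional_redirects(htaccess):
    """Return RewriteRules that send visitors to another host only when a preceding
    RewriteCond tests the referrer or user agent (the cloaked-redirect pattern).
    mod_rewrite treats an absolute URL target as an external redirect even without [R]."""
    findings, conds = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            conds.append(line)
        elif directive == "rewriterule":
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            if re.match(r"https?://", target, re.IGNORECASE) and any(REQUEST_VAR_RE.search(c) for c in conds):
                findings.append({"target": target, "conditions": list(conds)})
            conds = []          # a RewriteRule consumes the RewriteCond chain
        else:
            conds = []          # any other directive breaks the chain
    return findings


def scan(html, htaccess):
    """Collect the three redirect indicators the presentation lists."""
    hidden = find_hidden_iframes(html)
    injections = find_encoded_injections(html)
    for payload in injections:       # iframes hidden inside the decoded payload count too
        hidden.extend(find_hidden_iframes(payload))
    return {"hidden_iframes": hidden,
            "encoded_injections": injections,
            "conditional_redirects": find_conditional_redirects(htaccess)}


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_HTML, SAMPLE_HTACCESS), indent=2))
```

The referrer-conditional rewrite is the reason a site owner often cannot reproduce the redirect: fetch the page once with a search-engine Referer header and once without, and diff the responses, before trusting a "works fine for me" report.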

Page 8:

Why does BADware exist

From: Sanford Wallace

To: Jared Lansky

Subject: I DID IT

Date: March 6, 2004

I figured out a way to install an exe

without any user interaction. This is

the time to make the

$$$ while we can.

From Ben Edelman’s Beautiful Security, 2009

INDICTED IN 2011

Page 9:

Why does BADware exist: pay per install

PPI service charges from $7 to $180 per thousand successful installations.

Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.

Data from Brian Krebs

Page 10:

Why does BADware exist: pay per install

Juan Caballero, 2011

Page 11:

Why does BADware exist: pay per install

Juan Caballero, 2011

Affiliate Username Account Balance (USD)

nenastniy $158,568.86

krab $105,955.76

rstwm $95,021.16

newforis $93,260.64

slyers $85,220.22

ultra $82,174.54

cosma2k $78,824.88

dp322 $75,631.26

iamthevip $61,552.63

dp32 $58,160.20

Joe Stewart, Secureworks

Page 12:

BADware “genes” – 4 groups

System Changes

o S1 - Change proxy settings

o S2 - Change browser homepage

o S3 - Change search provider

o S4 - Install browser helper object or add-on

o S5 - Install Windows service/driver

o S6 - Create files/processes mimicking Windows binary names

o S7 - Create new Task Scheduler tasks

Page 13:

BADware “genes” – 4 groups

Payload Armoring

o P1 - Payload is obfuscated or packed

o P2 - Payload uses anti-debugging techniques

o P3 - Payload uses anti-reversing techniques

o P4 - Payload uses anti-VM/anti-sandbox techniques

Page 14:

BADware “genes” – 4 groups

Remote Communication

o R1 - Download more binaries

o R2 - Upload system information to remote server

o R3 - Wait for commands from remote server

o R4 - Encrypt the connection to remote C&C Server

Page 15:

BADware “genes” – 4 groups

Behavior traits

o B1 - Inject ads into web pages

o B2 - Capture login credentials or browser cookies

o B3 - Block specific websites

o B4 - Disable security features

o B5 - Hijack file type associations

o B6 - Persist in the system

o B7 - Self-protected (hard to remove)

o B8 - Hide itself on the system (rootkit)

o B9 - Silent install

Page 16:

BADware case studies

o Adpeak

o Oxy

o BrowseIgnite

o PC Optimizer Pro

o Gorilla Price

o Amonetize

o Browser Guardian

o OSX Conduit

o OSX Genieo

o Umeng

Page 17:

Adpeak SavingsBull

o MD5: 66ffc19cb717359d4b59bb71bb6f3347

o Achieves persistence through a Windows service (B6, S5)

o Downloads and executes scripts via an integrated Lua interpreter (R1)

o Thus changes its functionality on the fly

Page 18:

Adpeak SavingsBull (continued)

Page 19:

POLL #1 - Lua

o Which other well-known threat used the Lua scripting language?

o Stuxnet

o Flame

o Conficker

o None of the above

Page 20:

Flame

o The Flame APT malware also used Lua

Page 21:

Adpeak SavingsBull

o Injects ads to common web browsers (B1).

Page 22:

Oxy iPumper Adware

o MD5: 1d291ccac6ce11c2e5761e37bb0b95fc

o Runs as a silent installer (B9)

o Downloads and executes other binaries (R1, R2)

o Exfiltrates sensitive system information to the C&C in cleartext:

o Location of the %TEMP% folder

o Windows version

o Processor architecture

o Antivirus products installed

o Default browser path

o GUID

Page 23:

Browser Hijacker BrowseIgnite

o MD5: 616dc7625176d113765f9b1808c8a195

o Legitimate-looking installer

o Introduces browser plugins for Firefox, Internet Explorer and Chrome (S4, B1)

o Does not inform the user about the additional advertisements!

Page 24:

Browser Hijacker BrowseIgnite

Page 25:

Adware PcOptimizerPro

o MD5: ffec7c722a41ba18c410a0a50ee389fa

o Lures the user into believing WinSCP will be installed

o In fact, WinSCP is never installed

Page 26:

Adware PcOptimizerPro

o Notifies the user about additionally installed software: PC Speed Maximizer

o But the opt-out button is deactivated.

Page 27:

Adware PcOptimizerPro

o PcOptimizerPro shows fake alerts about performance problems

o Fixing them is only possible with the commercial version

o Offers the user an upgrade to buy

Page 28:

Adware GorillaPrice

MD5: A6B6CCDFA42EC13A111B062A2823E97A

• Displays pop-up ads and advertisements on web pages that you visit. (B1)

• Installed as an extension for Internet Explorer, Firefox and Chrome (S4)

Page 29:

Adware GorillaPrice

Armored to evade detection (P1, P2, P3, P4):

• Sandbox detection (QEMU, VMware, VBox)

• Honeypot detection (Nepenthes)

• Debugger detection (OllyDbg, IDA)

• Monitoring tools detection (Snort, API logger)

Page 30:

Amonetize

o MD5: 66ffc19cb717359d4b59bb71bb6f3347

o Earns money through pay-per-install

o Detects VMWare (P4)

Page 31:

Browser Guardian

o MD5: EBFBA5A4F34DE97C42A8AA3FD5E26978

o Shows unwanted popups (B1)

o Installs other unwanted programs without user knowledge (R1)

o Shows fake messages to the user, blocks URLs (B3)

o Has rootkit capabilities like malware (B8)

Page 32:

Browser Guardian

o MD5: EBFBA5A4F34DE97C42A8AA3FD5E26978

Page 33:

Toolbar OSX.Conduit

o MD5: dc982d1f0415682e2735d45e83dff17e

o Toolbar, browser hijacker and data stealer

o OSX is not immune – Safari is just as much a target as Windows-based browsers

Page 34:

OSX – Genieo

o MD5: 11f085fdfca46a4b446760a0e68dc2c3

o Browser Hijacker

Page 35:

OSX – Genieo

o MD5: 11f085fdfca46a4b446760a0e68dc2c3

o Browser Hijacker

o Changes the browser's default start page, modifies search engine results and displays advertisements

o Found in fake Flash Player installers

o It is hard to remove and comes with a broken uninstaller

Page 36:

Android – Umeng

o MD5: ad3bcb7cbd4f9981539c49ac70baec9e

o 1.9 MB APK file

o Packed and obfuscated with Bangcle

o Sends out personally identifiable device info:

o Device IMEI

o Phone manufacturer and model

o Location

o Details about running and installed applications

Page 37:

How to recognize Adware

o Common non-behavioral adware traits (what it looks like rather than what it does):

o Large in size (1 MB+)

o Digitally signed

o Has a GUI

o Created by a registered corporation with professional developers

o Distributed via CNET / Download.com

o Categorize adware more accurately by its "deeds": behavior analysis is critical

o Characterize its risk based on its behavior
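The gene codes from pages 12 to 15 and the "categorize by deeds" point above are easiest to apply when they are written down as rules over a behavioral trace. The following is an added example by the editor, not code from the presentation or from Cyphort: it tags a constructed sandbox-style report (the report layout, the registry paths, the example.invalid URLs and the service name are all this example's own assumptions) with the deck's gene codes, then applies the four dangerous behaviors from the "Dangerous Behaviors Make Them BADware" slide to reach a verdict. Only the genes that such a trace can evidence are implemented; B1 (ad injection) needs browser-level observation and is left out.

```python
import re
from difflib import SequenceMatcher

# Constructed sandbox report for one installer, in this example's own layout
# (real sandboxes emit richer JSON; map their fields onto these keys).
SAMPLE_REPORT = {
    "registry_writes": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
        r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000-EXAMPLE}",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    ],
    "services_created": ["ExampleUpdaterSvc"],
    "scheduled_tasks": [],
    "files_written": [r"C:\Users\user\AppData\Local\Temp\svch0st.exe"],
    "network": [
        {"method": "POST", "url": "http://example.invalid/report",
         "body_fields": ["os_version", "av_products", "guid"]},
        {"method": "GET", "url": "http://example.invalid/dl/update.exe",
         "content_type": "application/octet-stream"},
    ],
    "strings": ["VMware", "VBoxService.exe", "UPX0"],
    "install_ui_shown": False,
}

# Gene rules: registry paths and embedded strings are matched by regex.
REGISTRY_RULES = {
    "S1": r"Internet Settings\\Proxy(Server|Enable)",
    "S2": r"Internet Explorer\\Main\\Start Page|\\homepage$",
    "S3": r"SearchScopes|DefaultScope",
    "S4": r"Browser Helper Objects|\\Extensions\\",
    "B4": r"DisableAntiSpyware|DisableRealtimeMonitoring|EnableFirewall",
    "B6": r"CurrentVersion\\Run\\",
}
STRING_RULES = {
    "P1": r"^(UPX[01]|\.themida|\.vmp[01])$",           # packer section names
    "P4": r"VMware|VBox|QEMU|vmtoolsd|SbieDll|Xen",      # VM / sandbox artefacts
}
SYSINFO_FIELDS = {"os_version", "av_products", "guid", "cpu_arch", "default_browser", "temp_path"}
WINDOWS_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# The deck's four dangerous behaviours: (label, genes that must all be present, genes of which any suffices).
DANGEROUS = [
    ("steals your sensitive data", set(), {"B2", "R2"}),
    ("takes you where the danger lurks", set(), {"S1", "S2", "S3"}),
    ("installs X-ware without your permission", {"R1", "B9"}, set()),
    ("tries hard to hide", set(), {"P4", "B4", "B7", "B8"}),
]


def looks_like_windows_binary(path):
    """S6: a file named like a Windows binary (svch0st.exe, lsass.exe ...) created outside C:\\Windows."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    in_system_dir = path.lower().startswith(("c:\\windows\\", "%systemroot%\\"))
    close = any(SequenceMatcher(None, name, legit).ratio() >= 0.85 for legit in WINDOWS_BINARIES)
    return close and not in_system_dir


def tag_genes(report):
    """Map observed deeds to the deck's gene codes."""
    genes = set()
    for key in report.get("registry_writes", []):
        genes |= {g for g, pat in REGISTRY_RULES.items() if re.search(pat, key, re.I)}
    for s in report.get("strings", []):
        genes |= {g for g, pat in STRING_RULES.items() if re.search(pat, s, re.I)}
    if report.get("services_created"):
        genes |= {"S5", "B6"}
    if report.get("scheduled_tasks"):
        genes |= {"S7", "B6"}
    if any(looks_like_windows_binary(p) for p in report.get("files_written", [])):
        genes.add("S6")
    for ev in report.get("network", []):
        method, url = ev.get("method", "").upper(), ev.get("url", "")
        if method == "GET" and (ev.get("content_type") == "application/octet-stream"
                                or re.search(r"\.(exe|dll|msi)$", url, re.I)):
            genes.add("R1")
        if method == "POST" and SYSINFO_FIELDS & set(ev.get("body_fields", [])):
            genes.add("R2")
    if report.get("install_ui_shown") is False:
        genes.add("B9")
    return genes


def classify(genes):
    """BADware if any dangerous behaviour is evidenced; otherwise adware if only ad/add-on genes show."""
    reasons = [label for label, all_of, any_of in DANGEROUS
               if all_of <= genes and (not any_of or any_of & genes)]
    if reasons:
        return "BADware", reasons
    if genes & {"B1", "S4"}:
        return "adware", []
    return "unclassified", []


def analyze(report):
    genes = tag_genes(report)
    verdict, reasons = classify(genes)
    return {"genes": sorted(genes), "verdict": verdict, "reasons": reasons}
```

A trace cannot show consent, which is what separates a homepage change the user agreed to from a hijack; the gene list tells the analyst which consent screens and EULA clauses to go back and check, which is the "categorize by deeds" step in practice.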

Page 38:

Dangerous Behaviors Make Them BADware

o Steal your sensitive data, like Oxy iPumper

o Take you where the danger lurks, like OSX Genieo, Conduit

o Install X-ware without your permission, like Browser Guardian

o Try hard to hide themselves, like GorillaPrice, Browser Guardian

Page 39:

How to recognize BADware: Submit

o When in doubt: submit to Cyphort for auto-analysis: http://www.cyphort.com/resources/security-tools/

o Submit to Microsoft for analysis: https://www.microsoft.com/security/portal/submission/submit.aspx

o Submit to VirusTotal: https://www.virustotal.com/

Page 40:

How to recognize BADware: Interpreting VirusTotal results (pages 40 to 42)

Page 43:

Fight BADware - Clean Software Alliance

o First meeting planned for Jan 21, 2015

o Brings anti-malware vendors together with download bundlers and sets agreed-upon standards for adware

o Compliant vendors will be allowed to use the CSA logo

Page 44:

Conclusions

o BADware is affecting every platform

o The distinction between BADware and adware is sometimes not obvious.

o Security products need to detect BADware and categorize its behavior correctly

Page 45:

Thank You! Twitter: @belogor

Previous MMW slides on

http://cyphort.com/labs/malwares-wanted/
