Archive for the 'virus' Category
New malware tactics: locking botnet agents
It will not surprise you that malware authors keep adopting new techniques to make it harder for us researchers to analyze the malware they create. In this ongoing battle they have now borrowed a technique many software vendors have used for years, locking a program to one machine, and applied it to their malware.
How it works:
- When a user is infected by the first-stage dropper, it unpacks all of its tools and then hides the malicious payload components. After cleaning up after itself, it finally starts the actual botnet agent.
- Once the agent is started, it looks for an Internet connection. After this check passes it does a quick inventory of the computer: MAC address, CPU ID, OS version and so on.
- The agent then connects for the first time to the botnet's Command and Control server. It registers the victim's computer and sends along the gathered system data, which is unique to that host.
- The Command and Control server responds with a new, custom-built agent based on that unique system data. The old agent is removed and the new, 'locked' agent is installed. This agent is unique to this particular victim and will not run on any other computer.
- The 'new' agent connects to a different Command and Control server of the botnet, and the victim's computer is now fully under the control of the botnet crew.
Botnet and malware authors use this technique to keep their samples away from anti-virus vendors: a sample pulled off one victim will not run anywhere else, and every victim receives a different binary. A generic signature for this kind of malware will not work, and a solution will not be easy. The antivirus industry will have to redesign the techniques it currently relies on for sample analysis and signature generation.
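The locking step above, modelled as an added example that is not code from the original post or from any real botnet: the C&C derives a per-victim key from the system data the first-stage agent reported, encrypts the agent payload under it, and the shipped agent only decrypts on the host that recomputes the same fingerprint. The post does not say how the locking is really implemented; environmental keying is one plausible mechanism, and the host fields, sample values, domain-separation strings and hash choices here are assumptions made for the demo.

```python
"""Added illustration of a 'locked' botnet agent via environmental keying.

Assumption (the page does not describe the real mechanism): the C&C derives
a per-victim key from the system data the agent reports (MAC, CPU ID, OS)
and ships a payload that only decrypts when the same host recomputes the
same fingerprint. No networking or persistence: this only shows the keying.
"""
import hashlib
import hmac

TAG_LEN = 16

# Constructed sample data: the infected host and an analyst's sandbox VM.
VICTIM = {"mac": "00:1a:2b:3c:4d:5e", "cpu_id": "GenuineIntel-06-17-0A",
          "os": "Windows XP SP3"}
SANDBOX = {"mac": "08:00:27:aa:bb:cc", "cpu_id": "GenuineIntel-06-1E-05",
           "os": "Windows XP SP3"}
# Stands in for the second-stage agent body; constructed, not a real config.
PAYLOAD = b"agent config: c2=<second-stage C&C>; interval=300"


def fingerprint(host):
    """Collapse the data the first-stage agent collects into one stable digest."""
    material = "|".join([host["mac"].lower(), host["cpu_id"], host["os"]]).encode()
    return hashlib.sha256(material).digest()


def derive_key(fp):
    """Per-victim key; the prefix just separates this use of the hash."""
    return hashlib.sha256(b"agent-lock:" + fp).digest()


def keystream(key, length):
    """Counter-mode keystream from SHA-256 (demo only; real code would use a
    cipher library, but the locking idea is independent of the cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def lock_payload(payload, host):
    """C&C side: encrypt under the host-derived key and append a MAC tag so the
    agent can distinguish 'wrong host' from a corrupted download."""
    key = derive_key(fingerprint(host))
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unlock_payload(blob, host):
    """Agent side: recompute the fingerprint of the machine it is running on.
    Returns the payload on the locked host and None anywhere else, which is
    exactly what an analyst sees when the sample is moved to a sandbox."""
    key = derive_key(fingerprint(host))
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


if __name__ == "__main__":
    locked = lock_payload(PAYLOAD, VICTIM)
    print("on the victim :", unlock_payload(locked, VICTIM))
    print("in the sandbox:", unlock_payload(locked, SANDBOX))
    # Same payload, different victim: the bytes on disk differ completely,
    # so a signature written on one victim's agent does not carry over.
    print("identical agents for two victims?", locked == lock_payload(PAYLOAD, SANDBOX))
```

The practical consequence for a researcher is in `unlock_payload`: without the original host's MAC, CPU ID and OS string, the captured blob cannot be decrypted, so the collection pipeline has to record those identifiers alongside the sample.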
Anti-virus detection methods and how they are circumvented
In the ongoing battle between virus writers and AV researchers ('avers'), both sides use a range of techniques and methods. In this short article I will discuss some of them. Virus writers use techniques such as polymorphism, entry-point obscuring (EPO) and metamorphism to hide their code; avers already know how to counter these.
So how would you detect a virus in the first place? By using wildcards. Wildcard signature matching is one of the best-known detection techniques. ClamAV is an example of an AV engine that uses it: it searches files for byte patterns, with wildcards standing in for the bytes that vary, and includes some features to detect a number of polymorphic engines. You can easily defeat a wildcard search with a well-obfuscated polymorphic engine such as Marburg.
Another way to discover a virus is emulation: the scanner runs the suspect code in an emulator until the decrypted body shows up. Emulation needs an entry point to begin the analysis, and most virus writers bypass emulation altogether with tricks that keep the real entry point from being discovered.
What other techniques do avers use? Static analysis.
Static analysis comes in two types: the first is code disassembly and the second is static analysis of executables. Code disassembly will not be discussed in this article.
Static analysis of executables:
This type could simply be called 'tracing register behavior'. The analysis traces the registers and looks for one that plays a role a decryptor needs, the counter or the pointer, then checks whether all of the register behavior expected of a decryptor is present. If it is, this code is decrypting a virus body, so we emulate it and check whether the virus appears in memory. If not, the file is considered not infected.
How can this be defeated? By dynamic register swapping.
This idea was recently published on certain forums. Any shuffling of the registers defeats this kind of static analysis of an executable. You could simply swap the registers in the middle of the decryptor code like this:
; ecx -> counter
xchg eax, ecx
; eax -> counter (or still ecx -> counter: which one the loop goes on using is up to the author)
This code swaps the two registers in the middle of the decryptor code. The values are exchanged, so eax now holds the value of ecx and acts as the counter in the following instructions.
Another example:
; ecx -> counter
mov eax, ecx
; eax -> counter or ecx -> counter: both hold the count now
This example overwrites the old value of eax, but now two registers hold the same value and either of them can act as the counter. Who is to detect which one you chose as the counter? More variations on this trick are possible. Avers need to keep up with the 'latest' tricks and adapt their detection methods and algorithms accordingly.
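To make the point concrete, here is an added example that is not part of the original article: a toy register-behavior tracer run over three constructed decryptor loops written as text assembly. The naive tracer looks for a register that is loaded with an immediate and later decremented right before a conditional jump; it finds the counter in the plain loop and loses it as soon as an `xchg` or `mov` moves the count into another register. The second tracer lets the 'holds a count' role follow the value through register-to-register moves and exchanges, which is the kind of update avers would need. The assembly, the heuristic and the handled mnemonics are assumptions made for the demo, not any real scanner's logic.

```python
"""Toy 'register behaviour' tracer, and why swapping or copying the counter
register defeats a name-based version of it.

Constructed demo: the decryptor loops, the heuristic and the handled
mnemonics are assumptions, not any real scanner's detection logic."""
import re

IMMEDIATE = re.compile(r"0x[0-9a-f]+|\d+", re.I)

# Constructed decryptor loops in Intel-syntax text assembly.
PLAIN_DECRYPTOR = """
    mov ecx, 0x40          ; counter: 64 bytes to decrypt
    mov esi, payload       ; pointer: start of the encrypted body
decrypt:
    xor byte [esi], 0x5A
    inc esi
    dec ecx
    jnz decrypt
"""

SWAPPED_DECRYPTOR = """
    mov ecx, 0x40
    mov esi, payload
    xchg eax, ecx          ; dynamic register swap: eax now holds the count
decrypt:
    xor byte [esi], 0x5A
    inc esi
    dec eax
    jnz decrypt
"""

COPIED_DECRYPTOR = """
    mov ecx, 0x40
    mov esi, payload
    mov eax, ecx           ; eax and ecx both hold the count
decrypt:
    xor byte [esi], 0x5A
    inc esi
    dec eax
    jnz decrypt
"""


def parse(asm):
    """Yield (mnemonic, operands) pairs; labels and ';' comments are dropped."""
    for line in asm.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        yield parts[0].lower(), ops


def naive_counter(asm):
    """Name-based heuristic: the counter is a register that was loaded with an
    immediate and is decremented immediately before a conditional jump."""
    loaded = set()
    prev = None
    for mnem, ops in parse(asm):
        if mnem == "mov" and IMMEDIATE.fullmatch(ops[1]):
            loaded.add(ops[0])
        if mnem == "jnz" and prev and prev[0] == "dec" and prev[1][0] in loaded:
            return prev[1][0]
        prev = (mnem, ops)
    return None


def alias_aware_counter(asm):
    """Same heuristic, but the 'holds a count' role follows the value:
    mov reg, reg copies it and xchg swaps it, so the counter is found
    whichever register the loop ends up decrementing."""
    roles = {}  # register -> set of roles its current value carries
    prev = None
    for mnem, ops in parse(asm):
        if mnem == "mov":
            dst, src = ops
            if IMMEDIATE.fullmatch(src):
                roles[dst] = {"count"}
            elif src in roles:
                roles[dst] = set(roles[src])   # copy: both registers carry the role
            else:
                roles.pop(dst, None)           # loaded from memory/label: unknown
        elif mnem == "xchg":
            a, b = ops
            roles[a], roles[b] = roles.get(b, set()), roles.get(a, set())
        if (mnem == "jnz" and prev and prev[0] == "dec"
                and "count" in roles.get(prev[1][0], set())):
            return prev[1][0]
        prev = (mnem, ops)
    return None


def compare(asm):
    """Return what each tracer identifies as the counter register."""
    return {"naive": naive_counter(asm), "alias_aware": alias_aware_counter(asm)}


if __name__ == "__main__":
    for name, code in [("plain", PLAIN_DECRYPTOR), ("xchg", SWAPPED_DECRYPTOR),
                       ("mov copy", COPIED_DECRYPTOR)]:
        print(f"{name:9s} {compare(code)}")
```

Note that the fix is not a bigger list of register names but tracking data flow between registers; a real tracer would also have to follow values through memory and the stack, which is where the "more variations on this trick" come from.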
Bredolab revealed
Trend Micro’s Senior Threat Researcher David Sancho has written a great in-depth analysis of this new threat.
Read it here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf
New KOOBFACE Upgrade Makes It Takedown-Proof
Early this week, the KOOBFACE Command and Control (C&C) servers issued a new command to its downloader component. This new command identifies a list of IP addresses to be used by the downloader component as Web or relay proxies to retrieve subsequent commands and components.
Q&A on 'sexy view' SMS worm
F-Secure posted a nice blog entry about the 'sexy view' SMS worm.
The full blog can be read on:
http://www.f-secure.com/weblog/archives/00001732.html
Virus May Signal First 'Zombie' Cell Phone Network
For the first time criminal hackers may have succeeded in creating a network of “zombie” cellphones, infected without the owners’ knowledge with software that can be used to send spam or carry out cyber attacks.
http://abcnews.go.com/Technology/AheadoftheCurve/story?id=8112308