Fighting Malware And Spam CONTENTS IN THIS ISSUE


DECEMBER 2012
Fighting malware and spam

CONTENTS

2 COMMENT: BYOD and the mobile security maturity model
3 NEWS: Season’s greetings; VB announces ‘VBWeb’ certification tests for web security products
3 MALWARE PREVALENCE TABLE
MALWARE ANALYSES
4 New tricks ship with Zeus packer
7 Compromised library
FEATURES
10 A journey into the Sirefef packer: a research case study
14 Part 2: Interaction with a black hole
28 END NOTES & NEWS

IN THIS ISSUE

PACKING ZEUS
Recently, the Pony trojan (a.k.a. FareIt) has been observed installing a new Zeus sample on users’ machines. Jie Zhang takes a look at the new packer tricks that are used by this latest Zeus sample. page 4

ANTI, ANTI
The Floxif DLL file infector implements both anti-static- and anti-dynamic-analysis techniques. Raul Alvarez describes how. page 7

RELENTLESS PULL OF GRAVITY
Gabor Szappanos started with two fairly incomplete sources of information about the latest Blackhole server version: the server-side source code from old versions and the outgoing flow of malware. He describes how, using these sources, he was able to sketch a reasonably good picture of what goes on inside the server hosting the Blackhole exploit kit. page 14

ISSN 1749-7027

COMMENT

‘The BYOD concept needs a maturity model to ensure there is a clear path to increased organizational security’
Jeff Debrosse, Western Governors University

BYOD AND THE MOBILE SECURITY MATURITY MODEL

One of the latest terms to find its way into public and private organizations is ‘BYOD’ (Bring Your Own Device). While the practice of allowing employees to use their own mobile devices to access corporate networks and resources is typically considered to be cost effective and accommodates the users’ desire to use their own devices, the concept needs a maturity model to ensure there is a clear path to increased organizational security while maintaining (or increasing) cost-effectiveness.

While this article could propose a mobile security maturity model (MSMM), addressing the many permutations of organizations, needs and policies is beyond the scope of such a short piece. Instead, this article aims to act as a catalyst for organizations to think about BYOD implementations – or perhaps to think differently about them.

In the world of business and software product development, I’ve come to embrace the concept of the ‘Agile’ software development process. Through cycles known as iterations, products are progressively completed in planned and measurable phases (versions). At a certain point each version is considered production-ready. In other words, a pre-determined level of functionality and usability has been met. This process allows the developer to quickly deliver alpha, beta and subsequent releases to customers.

Applying these concepts to the mobile security maturity model allows for four areas of focus to help ensure the organization is tracking toward its BYOD goal:

1. Agile. Threats are evolving and infection vectors change continually. The maturity model must be evaluated regularly to ensure that it addresses the dynamic landscape of threats. The model and the organization must be structured in such a way that makes it easy to pivot and realign to the threats when the difference between the maturity model and the threatscape becomes significant enough to warrant a change.

2. Continuous improvement. When moving forward in the maturity model, each progression, regardless of size, should represent increased security and cost-effectiveness. Setting these two goals to pre-set, quantifiable values can help to meet an overall efficiency goal.

3. Time-constrained. In order to gain the maximum effectiveness of the MSMM, the time it takes to make the transition between levels should be as short as reasonably possible, otherwise scope creep and organizational malaise may set in and destroy, or at least marginalize, a very important process. The key is to truly understand the time required to make the transition to each level.

4. Measured output. By tracking quantifiable targets (e.g. costs, number of devices, time taken to implement, etc.), it is possible to determine the organization’s overall velocity on MSMM implementations and on subsequent iterations through the model’s steps. This also increases the accuracy of forecasting and the ability to set realistic and attainable goals. Ultimately, the organization will be able to forecast long-term goals, set stakeholder expectations and determine the business value accordingly.

As companies strive to determine the best model, framework, or home-grown process for BYOD implementations, at a minimum they will have to determine goals, stakeholders, domains and processes from the outset.

Regardless of whether companies choose to implement a mobile security maturity model, the BYOD trend is continuing to gain momentum – and is here to stay.

Editor: Helen Martin
Technical Editor: Dr Morton Swimmer
Test Team Director: John Hawes
Anti-Spam Test Director: Martijn Grooten
Security Test Engineer: Simon Bates
Sales Executive: Allison Sketchley
Perl Developer: Tom Gracey
Consulting Editors:
Nick FitzGerald, AVG, NZ
Ian Whalley, Google, USA
Dr Richard Ford, Florida Institute of Technology, USA

2 DECEMBER 2012

VIRUS BULLETIN www.virusbtn.com

NEWS

SEASON’S GREETINGS

The members of the VB team extend their warm wishes to all Virus Bulletin readers for a very happy holiday season and a healthy, peaceful, safe and prosperous new year.

Clockwise from top left: Helen Martin, Martijn Grooten, John Hawes, Allison Sketchley, Simon Bates, Tom Gracey.

VB ANNOUNCES ‘VBWEB’ CERTIFICATION TESTS FOR WEB SECURITY PRODUCTS

Among the billions of legitimate websites there are millions that are malicious in one way or another, and millions of others that are best avoided, at least in a corporate environment. Thankfully, there is a plethora of solutions that aim to make web surfing a pleasant and safe experience by closing the door to malicious traffic. But are they any good? And which ones are the best?

We are pleased to announce that VB will soon be running regular comparative tests of web security products, adding the ‘VBWeb’ tests to our testing portfolio alongside the VB100 anti-malware and VBSpam anti-spam tests.

The tests will enable users to check the performance claims made by web security product vendors, as well as give an overview of the products’ ongoing performance over a period of time. The tests will measure how well products block malicious HTTP requests, while also checking whether legitimate requests are being blocked incorrectly.

After a lot of internal and external discussion, we are ready to share our plans in more detail with the developers of web security solutions and other experts. In particular, those who are interested in participating in a trial run are asked to contact VB’s Anti-spam and Web Security Test Director, Martijn Grooten (martijn.grooten@virusbtn.com). The full tests are scheduled to begin in early 2013.

Prevalence Table – October 2012

[The table did not survive transcription. Surviving fragments: malware family names ending in ‘-misc’, Dropper-misc, LNK-Exploit, Blacole, Potentially unwanted (PU), Worm, Rogue, Trojan, Others; surviving figures 0.69%, 0.67%, 0.65%, 0.63%, 9.69% and a total of 100.00%.]

Figures compiled from desktop-level detections.

Readers are reminded that a complete listing is posted at http://www.virusbtn.com/Prevalence/.

MALWARE ANALYSIS 1

NEW TRICKS SHIP WITH ZEUS PACKER
Jie Zhang
Fortinet, China

Zeus (a.k.a. ZBot) is a famous banking trojan which steals bank information and performs form grabbing. It was first identified in July 2007. A fully functioning Zeus bot could be sold for hundreds of dollars on the underground market. The bot’s development was very rapid, and it soon became one of the most widespread trojans in the world.

In late 2010, the creator of Zeus, ‘Slavik’, announced his retirement and claimed that he had given the Zeus source code and the rights to sell the bot to his biggest competitor, the author of the SpyEye trojan. However, despite the retirement of its creator the total number of Zeus bots didn’t decrease. There are still many living Zeus bots in the wild. In particular, many new Zeus bots were discovered after its source code was leaked [1]. Some of them shipped with P2P capability [2], others could even infect Symbian, Windows Mobile, BlackBerry or Android phones [3].

PONY! PONY!

Zeus spreads mainly via drive-by download or phishing schemes. Recently, we found that the Pony trojan (a.k.a. FareIt) had started to install a new Zeus sample on users’ machines. The Pony trojan (version 1.0) steals account information or credentials from compromised machines and sends them back to its remote server. At the same time, it downloads three pieces of malware and launches them automatically. The Pony trojan also attempts to brute force the current user’s password with a built-in password dictionary (see Listing 1) using the LogonUserA API.

    .data:00414000 db '123456',0
    .data:00414007 db 'password',0
    .data:00414010 db 'phpbb',0
    .data:00414016 db 'qwerty',0
    .data:0041401D db '12345',0
    .data:00414023 db 'jesus',0
    [removed]
    .data:0041472C db 'gates',0
    .data:00414732 db 'billgates',0
    .data:0041473C db 'ghbdtn',0
    .data:00414743 db 'gfhjkm',0
    .data:0041474A db '1234567890',0

Listing 1: Pony’s built-in password dictionary.

BACK TO ZEUS

In this article, we will focus on the new packer tricks that are used by this new Zeus sample.

Figure 1: Decryption on entering function.

Figure 2: Encryption on leaving function.

DYNAMIC CODE DECRYPTION/ENCRYPTION

Nowadays, most malware encrypts and/or compresses its core data to evade anti-virus detection. To make life harder

for malware researchers and/or memory dump forensic tools (such as Volatility [4]), some malware families have evolved dynamic data encryption and decryption mechanisms. This kind of virus will only decrypt the important data when it plans to use it, and then re-encrypts the data afterwards. In this way, malware researchers can only see a little data when they perform dynamic analysis on such a sample.

The Zeus sample takes advantage of a trick which I call ‘binary code dynamic decryption and encryption’. The virus encrypts almost all important function calls. When one function is invoked, it will call a routine to decrypt part of the binary code (Figure 1). Before leaving this function, another routine will be called to re-encrypt the function code (Figure 2). Thus researchers will only see a few parts of code at a time when they examine the sample. As I recall, this trick can be traced back to the DOS era.

DYNAMIC TLS CALLBACK

Thread Local Storage (TLS) callback [5] has existed for many years, but until now, not many viruses have used the technology. However, ZeroAccess introduced this mechanism into its latest version and Zeus has followed suit. This version of Zeus uses a method which I call ‘dynamic TLS callback’.

When we researched this sample with static analysis, we didn’t find any malicious code in its entry point. But when we loaded it with a debugger, we found that the virus was already running when the debugger placed a break in its entry point (Figure 3).

Figure 3: Break in virus entry point.

We concluded that the virus uses TLS callback technology. Checking the file with PEiD confirmed our suspicions (Figure 4).

Figure 4: TLS table in PEiD.

We also checked the file with IDA, which showed that there is only one TLS callback routine, TlsCallback_0, in the TLS callback table (Figure 5).

Figure 5: TLS callback table.

If the TLS callback routine of this virus were used for self-protection or to execute the virus code directly, our story would end. However, this is not the case.

The first (and, until now, only) TLS callback routine is very simple. But there is a point that has grabbed our attention: the instructions shown in the red rectangle in Figure 6 modify the TLS callback function table. When the TLS callback routine returns to the system, the system will query the next TLS callback stored in the table. If the next TLS callback routine is not ZERO, the system will invoke it and increase the counter. For now, as the next TLS callback routine has been set to ‘TlsCallback_1’, the system will call this function, as shown in Figure 7. We call this mechanism ‘dynamic TLS callback’.

Figure 6: Modify TLS callback table in TlsCallback_0.

Figure 7: OS calls next TLS callback routine.

We can see that the virus uses the same trick again in the TlsCallback_1 routine (Figure 8).

Figure 8: Modify TLS callback table in TlsCallback_1.

After completing the dynamic TLS callback trick twice, the virus will decrypt the real Zeus module and execute it in the TlsCallback_2 routine.

SCRAMBLE WITH JUNK INSTRUCTIONS

The virus inserts a lot of junk instructions in order to scramble the code [6]. These instructions are very simple, so we will not elaborate on the details.

PACKER PAYLOAD

The virus attempts to decrypt the real Zeus module with the Blowfish algorithm, as shown in Figure 9.

Figure 9: Zeus packer payload.

The decryption key follows the string ‘n3s(#,pSvW?y}A%LBk ’. After decryption, the virus will create a clone process with the CREATE_SUSPENDED flag. Then it loads and maps the real Zeus to a new process. Finally, we retrieve a complete, non-encrypted version of the Zeus sample.

CONCLUSION

In this article, we have demonstrated some unusual tricks in Zeus’s new armour. These tricks are simple to use, but often confuse new malware researchers. With the development of the virus, these tricks are likely to become much more complex and more difficult to detect, posing some challenges for malware researchers and anti-virus engines alike.

REFERENCES

[1] Kruse, P. ZeuS/Zbot source code for sale. CSIS blog. http://www.csis.dk/en/csis/blog/3176/.

[2] Zeus peer-to-peer feature. The Swiss Security Blog. http://abuse.ch.

[3] Apvrille, A. Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated. FortiBlog.

[4] Volatility. https://www.volatilesystems.com/.

[5] Zeltser, L. How Malware Defends Itself Using TLS Callback Functions. ISC Diary. https://isc.sans.edu/diary.html?storyid=6655.

[6] Zhang, J.; Xie, D. Scrambler, a new challenge after the warfare of unknown packers. AVAR 2009.
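Returning to the Pony behaviour described at the start of this article (a built-in dictionary tried against the current user through LogonUserA): when logon failure auditing is enabled, every failed LogonUser call is recorded as Windows Security event 4625, whose Caller Process Name field identifies the executable that made the call. The following is an added example, not code from the article or from Fortinet, of the detection logic a defender can run over such events: it groups failures by caller process and account and flags any pair that produces a burst within a sliding window. The event lines are constructed and simplified (the field names follow event 4625, the line format is this example's own), and the caller path under Temp is a placeholder, not a Pony indicator.

```python
"""Burst detector for logon failures caused by one process (added example, not article code).

Each failed LogonUser call is logged as Security event 4625 when failure auditing is enabled;
the event's Caller Process Name identifies the executable that made the call. A dictionary
attack by a single process shows up as many 4625 events for one account from one caller
within seconds, which is what this sliding-window check looks for.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in this example's own simplified format (not a real log export):
# a mistyped password at the logon screen, a successful logon, then a dictionary burst from
# a placeholder executable path.
SAMPLE_EVENTS = [
    "2012-11-20T09:10:15 4625 Account=alice LogonType=2 CallerProcess=C:\\Windows\\System32\\winlogon.exe",
    "2012-11-20T09:10:40 4624 Account=alice LogonType=2 CallerProcess=C:\\Windows\\System32\\winlogon.exe",
] + [
    "2012-11-20T09:14:%02d 4625 Account=alice LogonType=3 "
    "CallerProcess=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" % i for i in range(8)
]


def parse_event(line):
    """Split one line into a dict: timestamp, event id, then the key=value fields."""
    ts, event_id, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts), "id": int(event_id)}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (caller process, account, count) for every caller/account pair that produced
    at least `threshold` failures (event 4625) within `window`."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["id"] == 4625:
            failures[(ev["CallerProcess"], ev["Account"])].append(ev["time"])
    hits = []
    for (caller, account), times in failures.items():
        count = max_in_window(times, window)
        if count >= threshold:
            hits.append((caller, account, count))
    return hits


if __name__ == "__main__":
    for caller, account, count in find_bursts(SAMPLE_EVENTS):
        print("%d logon failures for %s from %s" % (count, account, caller))
```

The threshold and window are environment-dependent; the single failure from winlogon.exe in the sample is the normal mistyped-password case and is not reported. The signal is strongest when the caller is not a logon-related system binary, and it only exists at all if the audit policy records logon failures.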

MALWARE ANALYSIS 2

COMPROMISED LIBRARY
Raul Alvarez
Fortinet, Canada

In the October issue of Virus Bulletin [1] I wrote about the Quervar file infector, which infects .EXE, .DOC, .DOCX, .XLS and .XLSX files. We have seen hundreds of file infectors that can infect executable files, and we also have seen document-infecting malware. However, Quervar infects document files not because they are documents, but because they have the extension used by document files – if you rename any file with ‘.DOC’ or ‘.XLS’ as the first three letters of the extension name, chances are it will be infected.

Just a few weeks after Quervar, we discovered a file infector whose main target is DLL files. The malware code is not highly encrypted, but it has some interesting sophistication. This article focuses on the DLL file infector dubbed Floxif/Pioneer. We will uncover how it implements both anti-static- and anti-dynamic-analysis techniques.

EXECUTING AN INFECTED DLL

Once an infected DLL is loaded into memory, a jump instruction at the entry point of the file will lead to the malware body. This instruction is a five-byte piece of code that is added by Floxif every time it infects a DLL. The original five bytes of the host file are stored somewhere in the virus body.

Floxif starts by getting the imagebase of kernel32.dll by parsing the Process Environment Block (PEB).
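Two of the tricks in this issue leave marks that can be checked statically before any sample is run: the five-byte entry-point jump Floxif writes into an infected DLL, and the ‘dynamic TLS callback’ of the Zeus packer in the previous article, which can only work if the callback table sits in writable memory. The Python below is an added example, not code from either article or from Fortinet. It contains a small PE32 header reader and two heuristic checks, and runs them against a constructed in-memory image whose layout (section names, RVAs, the appended .virus section) is this example's own.

```python
"""Static PE triage for two tricks in this issue (added example, not article code).

Check 1 (Zeus packer): list the TLS callback array and report whether it sits in a writable
section, the precondition for a callback rewriting the next slot at run time. Check 2 (Floxif):
report a JMP rel32 at the entry point whose target lies outside the entry point's own section.
Both run on a constructed in-memory PE32 image; no real sample is involved.
"""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
TLS_DIR = 9                      # index of the TLS entry in the data directory
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER layout

def build_sample_pe(writable_tls_table=True, hijack_entry=True):
    """Constructed PE32 DLL: .text, a data section (TLS directory + callback table), appended .virus."""
    base, nt, opt = 0x10000000, 0x80, 0x80 + 24
    img = bytearray(0xA00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)                                     # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 3, 0, 0, 0, 224, 0x2102)  # i386 DLL, 3 sections
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, base)                               # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                     # alignments
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * TLS_DIR, 0x2000, 24)          # TLS directory
    data = (b".data", 0xC0000040) if writable_tls_table else (b".rdata", 0x40000040)
    for i, (name, rva, raw, chars) in enumerate([(b".text", 0x1000, 0x400, 0x60000020),
                                                 (data[0], 0x2000, 0x600, data[1]),
                                                 (b".virus", 0x3000, 0x800, 0xE0000020)]):
        struct.pack_into(SECTION_HDR, img, opt + 224 + 40 * i, name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, chars)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x2000; AddressOfCallBacks holds a VA, not an RVA
    struct.pack_into("<IIIIII", img, 0x600, base + 0x2050, base + 0x2054, base + 0x2058, base + 0x2020, 0, 0)
    struct.pack_into("<IIII", img, 0x620, base + 0x1100, 0, 0, 0)             # one callback, then zeros
    if hijack_entry:                                                          # JMP rel32 into .virus
        img[0x400:0x405] = b"\xE9" + struct.pack("<i", 0x3000 - (0x1000 + 5))
    else:                                                                     # push ebp; mov ebp, esp
        img[0x400:0x403] = b"\x55\x8B\xEC"
    return bytes(img)

def parse_pe(img):
    """Headers a triage script needs: entry point, image base, TLS RVA and the section table."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, nt + 6)[0]
    opt, opt_size = nt + 24, struct.unpack_from("<H", img, nt + 20)[0]
    pe = {"entry_rva": struct.unpack_from("<I", img, opt + 16)[0],
          "image_base": struct.unpack_from("<I", img, opt + 28)[0],
          "tls_rva": struct.unpack_from("<I", img, opt + 96 + 8 * TLS_DIR)[0], "sections": []}
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, img, opt + opt_size + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "va": va,
                               "size": max(vsize, rawsize), "raw": rawptr, "chars": chars})
    return pe

def section_of(pe, rva):
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + s["size"]), None)

def rva_to_offset(pe, rva):
    s = section_of(pe, rva)   # an RVA no section backs fails loudly below (TypeError)
    return s["raw"] + rva - s["va"]

def tls_callbacks(pe, img):
    """Callback RVAs up to the zero terminator, plus the section holding the table."""
    if pe["tls_rva"] == 0:
        return [], None
    cb_va = struct.unpack_from("<I", img, rva_to_offset(pe, pe["tls_rva"]) + 12)[0]
    cb_rva, rvas = cb_va - pe["image_base"], []
    off = rva_to_offset(pe, cb_rva)
    while off + 4 <= len(img):
        va = struct.unpack_from("<I", img, off)[0]
        if va == 0:   # slots after the terminator stay invisible to static tools
            break
        rvas.append(va - pe["image_base"])
        off += 4
    return rvas, section_of(pe, cb_rva)

def entry_jump(pe, img):
    """(target RVA, leaves_section) for a JMP rel32 at the entry point; (None, False) otherwise."""
    ep = pe["entry_rva"]
    off = rva_to_offset(pe, ep)
    if img[off] != 0xE9:
        return None, False
    target = (ep + 5 + struct.unpack_from("<i", img, off + 1)[0]) & 0xFFFFFFFF
    return target, section_of(pe, target) is not section_of(pe, ep)

def triage(img):
    pe = parse_pe(img)
    rvas, table = tls_callbacks(pe, img)
    target, leaves = entry_jump(pe, img)
    return {"tls_callbacks": rvas, "tls_table_section": table["name"] if table else None,
            "tls_table_writable": bool(table and table["chars"] & IMAGE_SCN_MEM_WRITE),
            "entry_jump_target": target, "entry_jump_leaves_section": leaves}

if __name__ == "__main__":
    print("suspicious:", triage(build_sample_pe()))
    print("clean-looking:", triage(build_sample_pe(False, False)))
```

Both results are triage pointers, not verdicts: compilers place the TLS callback array in a writable section in plenty of benign binaries, and a jump at the entry point into another section also occurs in some legitimate stubs. What the checks do is tell the analyst where to look next, which for the Zeus sample was exactly the step the previous article took: breaking at the entry point and finding the callback had already run, and then reading the callback for writes into the table past the zero terminator.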
Once the imagebase is established, it starts parsing the exported API names of kernel32.dll, searching for ‘GetProcAddress’ and eventually getting the equivalent address for this API.

Once the GetProcAddress API has been found, it starts getting the API addresses of GetProcessHeap, GetModuleFileNameA, GetSystemDirectoryA, GetTempPathA, CloseHandle, CreateFileA, GetFileSize, ReadFile, VirtualProtect, LoadLibraryA and WriteFile. Every time an API (from the list mentioned above) is needed, the virus gets its equivalent address and executes it.

The following is a summary of the execution:

Floxif reserves a memory space, opens the original DLL file and loads it in a newly created space. It starts decrypting part of the virus code from the newly loaded DLL file in memory, revealing the contents of the UPX version of symsrv.dll, which will be dropped later. (Symsrv.dll plays an important role in the overall infection process.) The decryptor is a simple combination of XOR 0x2A and NOT instructions.

After decrypting the content of the symsrv.dll file, it also decrypts the string (‘C:\Program Files\Common Files\System\symsrv.dll’) where the file will be dropped.

After dropping symsrv.dll, Floxif will load it as one of the modules of the infected DLL file in memory using the LoadLibraryA API. (It is interesting to note that the content of symsrv.dll is already accessible by Floxif, but it still reloads symsrv.dll as a module.)

Acting as a module, Floxif can use the exported functions of symsrv.dll as some sort of API. Two exported APIs are contained in symsrv.dll, namely: FloodFix and crc32. The virus gets its name from the FloodFix API. (The crc32 API is a continuous loop to a call to a sleep function with a one-minute interval.)

FLOODFIX API

Once the symsrv.dll module is properly loaded into the host DLL, the virus will execute the FloodFix API. Let’s take a closer look at what this API does.

First, it changes the protection of the memory used by the host DLL between the start of the PE header and the section header to PAGE_EXECUTE_READWRITE. Then, it restores the virtual address and the size of the base relocation table. Afterwards, it resets the protection of the same memory area to PAGE_READONLY.

Next, it changes the protection of the whole .text section to PAGE_EXECUTE_READWRITE and restores 3,513 bytes of code. Then, it resets the protection to PAGE_EXECUTE_READ. Afterwards, it restores the original five-byte code to the host DLL entry point.

Finally, jumping to the entry point of the host DLL file, it executes the original file.

The main function of the FloodFix API is to restore the host DLL in its original form in memory and to execute the host DLL, starting at its entry point, while the virus runs in the background.

ANTI-STATIC-ANALYSIS TRICK

Before we go any further, let’s look into Floxif’s anti-static-analysis trick. If the malware code is not encrypted, or is binary dumped from the decrypted code, we can quickly take a look at its functionality using static analysis. In the case of Floxif, it looks as if the code is corrupted, because a disassembler can’t render it properly. Figure 1 shows what the virus code looks like if we are just browsing it.

The lines of code highlighted in the figure are not junk code or corrupted data. The disassembler/debugger can’t

[...]

instruction. We can assume that it will jump back to the caller, hence we will just end up at the first call.

Using a debugger, following the RETN 8 instruction from the Reroute2 function will lead to another routine, which in turn will jump to another location – but instead of jumping to the location straight after the RETN, the new location is just after the extra byte.

Figure 2 shows the disassembler’s attempt to interpret the code after the RETN following the first CALL instruction, and the equivalent code once the proper jump has been established.

The byte (FF) at address 100046A2 was added to disorient the disassembler. To emph

