The pace of advisories and reports surrounding new zer0day activity seems to be accelerating at an alarming rate in 2013. Growing numbers have been seen in the wild exploiting victims and gaining beachheads within enterprises around the world. Meanwhile, as a noted in a recent New York Times article, which highlighted the statistics of crimeware detection and prevention among the world’s top 45 antivirus engines commercially available, the cyber security industry has been slow to adapt. To illuminate some of the mystery behind some of the tools and techniques that makes executable detections more difficult than they used to be, it helps to examine a small chip off of the proverbial iceberg of evasion techniques to make the topic more digestible.
In the book Hacking Exposed – Malware and Rootkits, my co-authors and I discussed many of these evasion techniques and other tools such as crypters, binders, packers, polymorphism, and several other common methods that bolster the survivability of a malicious executable. Almost all of these tactics are incorporated by persistent threats in order to evade detection by most commercially available antivirus or other security products. To understand these methods and related behaviors, one must first examine the motive behind them.
Money, of course, is the reason behind more than 90 percent of the crimeware that’s seen in the wild. When e-crime entrepreneurs pay through initial startup fees from scratch, armoring their tools makes perfect sense. Rough costs can be quickly estimated by considering some of the things a startup e-crime entrepreneur must have to kick off a campaign: builders (of crimeware), hosting, c2, distribution, currency, and account digital laundry services. Once e-criminals are setup and their campaigns are underway, their malicious codes become detectable – even with the defacto UPX , which is available via the underground marketplaces – within a matter of weeks.
Once their code becomes detectable, e-criminals have a handful of logical options. They can deploy a new family of malware, begin using different distribution channels like a new exploit kit or downloader, or they can begin armoring their binaries. An efficient e-criminal would actually do all of these together in no particular order. For purposes of this blog post, let’s focus on the malicious code/portable executable portion of the campaign. For example, an e-criminal can easily armor their malicious executables with a simple Citadel sample, which is a variant in development from the original Zeus bot source code release at version 126.96.36.199.
Detection rankings show 31of 45 antivirus engines detect enough malicious properties in a given piece of malware to trigger an alert. A serious or persistent e-criminal will at some point figure out how to evade all 45 by armoring malware with some type of packer, crypter, or binder – all of which alter the properties of malicious code at run and scan time. Various armoring tools and services can be found online for as cheap as $1 per malicious binary, and custom tools that will armor binaries can even be purchased in bulk (if you have more than one). The screenshots below demonstrate a handful of tools that can be used to modify a malicious sample with less than an hour of research. Even with very limited access to funds, an e-criminal can almost instantly rejuvenate their crimeware campaigns with new life and the ability to play out as undetectable malicious code.
The malicious file we are going to cover in this example SHA256: 72c64e8424db2164eb759c990f0f603da0be7ed9f2271fe90a3a764439c10573
Fig 1 – Malicious Sample Detection on VT unarmored
Fig 2 – Yoda’s Crypter v1.3 (compiled 2010)
Yoda’s Crypter 1.3 – used in the example shown in figure 2 – is neither a new tool nor a new stub. This is a simple crypter tool that can be downloaded for free. Updates are available from the author for $40.00 via Web money or liberty reverse. All of the tools shown here are older, so it’s worth noting that there will certainly be more done with some of the newer tools throughout the year. However, this example demonstrates how easily one can modify, mutate, or otherwise deviate the capability of crimeware campaigns.
Fig 3 – VT not processing armored samples
In figure 3, you can see that we were able to give the analysis engine on VirusTotal a run for its money. With the sample now allowing VirusTotal to complete its analysis, we wanted to determine what action would other anti-virus or host-based security engines take when seeing this code execute. Figure 4 shows that while using Anubis, we were able to get a report, but unable to generate any malicious activity.
Fig 4 – Anubis Scanner Sample Results
Further inspection of other tools used against the sample are included below:
After some time in the lab, we were able to get varying detections from these samples, but none of them had anything to do with Citadel. Our experiment included the use of Yoda Crypter’s ability to obfuscate a threat and also combined Yoda and SaW VI crypters, which can interfere with malicious code – but, this specific combination seems to work and respond to the C&C. The sample also modified when we used Broad Crypter.
The endgame with these underworld professionals is your money, which can be gleaned from almost every aspect of your enterprise networks. This demands answers to some tough budget questions. Which purchased products are really seeing and alerting on every actionable piece of intelligence you need when trying to identify more than the mere fact that you’ve been compromised? Every system or device plugged into the Internet with extra threads and an IP address is a target. In today’s threat landscape, knowing you’ve been compromised is the easy part. How you’ve been compromised and what you can do to stop or mitigate an in-progress attack is the information budget-conscious enterprises should really be after.