
MODERN MALWARE PROPAGATION TECHNIQUES

In the document Michael A. Davis (Pages 44-49)

Thanks to very creative advancements in network applications, network services, and operating system features, identifying malware propagation has become much more difficult than it used to be for IDSs. IDS signatures have proven to be practically helpless against new malware releases or polymorphic malware. At the early turn of the millennium, an entirely new breed of propagation techniques was released into the world, techniques spawned from the lessons learned from prior malware outbreaks.

Malware trends have evolved to the point that we now rely on experts to predict potential new outbreaks, or to predict where old techniques may lead to innovations that dwarf the damage done by their predecessors. New techniques are built on using system enhancements and feature upgrades of operating systems and applications against end users. Table 1-3 lists some of the newest evolutions in malware propagation methods.

Table 1-3 New Evolutions in Malware

Malware | Year | Injection Technique | Propagation Techniques
(truncated in excerpt) | | | P2P C2 structure and Fast Flux communication chaining
AutoIT | 2008 | File execution | Copies generated onto removable drives by overwriting the autorun.inf
Downadup | 2009 | File execution | File transfer, file sharing, copying itself across network shares or shares with weak passwords
Bacteraloh | 2009 | File execution (P2P network-based) | Disguised as a crack utility that a user downloads and executes locally
Koobface | 2009 | Client-side exploit | Spread through social networking sites with a loaded URL linked to the malware through sites such as Facebook, MySpace, Friendster, and LiveJournal

The worms described in Table 1-3 use newer methods of infection and propagation and have been the source of significant outbreaks in recent IT history. By itself, Downadup infected over 9 million computers in less than 5 days. Evaluating the development of malware is important—from custom-targeted malware against organizations all the way down to simple client-side exploits that execute malicious code in order to remotely take control of victim computers. Although almost all of the popular examples are Microsoft Windows–focused malware that were reported in the press and printed in everyone’s morning paper, quantifying the entirety of the malware out there in the wild is still key.

All of the techniques used during malware’s initial evolutionary period can be seen conceptually in today’s malware releases. The damage these techniques have caused has only increased due to advances in network and routing services developed to ease the network administrator’s daily roles and responsibilities.

At the dawn of the twenty-first century, malware authors also started using techniques that have been increasingly difficult for forensics analysts and network defenders to identify and mitigate. Historically, methods have ranged from very traditional, straightforward ones to highly innovative approaches, which cause many headaches for administrators around the world. In the following sections, I’m going to discuss one of the biggest outbreaks and then move on to describing other samples and their functionality.

You can download and open the IDA Pro images for personal research and educational purposes from the book’s companion website. At each point, we will tell you which images you should open and review in order to identify the techniques being discussed and analyze the suggested malware samples in a robust analysis tool. For this edition, we recommend IDA Pro. You can download a free trial edition that allows read-only access to the samples available to readers on this book’s website. You can download IDA Pro from http://www.hex-rays.com/idapro/.

In 2007, we had the pleasure of experiencing one of the most elusive and eloquently implemented worms to date, a worm which was still active in mid-2008 and is only now slowly retreating into the ether of the wild as industry has developed several countermeasures.

StormWorm (Malware Sample: trojan.peacomm)

StormWorm is an emailer worm that utilized social engineering of the recipient from trusted friends using attached binaries or malicious code embedded within Microsoft Office attachments, which would then leverage well-known client-side attacks against vulnerable versions of Microsoft Internet Explorer and Microsoft Office, specifically versions 2003 and 2007. StormWorm is a peer-to-peer botnet framework and backdoor Trojan horse that affects computers using Microsoft operating systems. It was originally discovered on January 17, 2007. StormWorm seeds a peer-to-peer botnet farm network, which is a newer command and control technique, in order to ensure persistence of the herd and increase the ability to survive attacks against its command and control structure because there is no single point of centralized control. Each compromised machine connects to a subset of the entire botnet herd, which can range from 25 to 50 other compromised machines. In Figure 1-5, you will see the effectiveness of StormWorm’s command and control structure—one of the main reasons it was so difficult to protect against and track down.

In a peer-to-peer botnet, no one machine has a full list of the entire botnet; each only has a subset of the overall list with some overlapping machines that spread like an intricate web, making it difficult to gauge the true extent of the zombie network.
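The partial-view property described above can be made concrete with a small simulation. This is an added example, not code from the book or from the StormWorm sample: the overlay model (each bot holding a random list of 25 to 50 peers, the range quoted above), the bot count and the seed are constructed assumptions. The crawl mirrors how a defender enumerates such a network by repeatedly asking every discovered peer for its own peer list.

```python
import random

# Constructed simulation of a P2P botnet overlay (not StormWorm's real protocol).
# Each bot learns only a random subset of the herd, in the 25-50 range the text quotes.
MIN_PEERS, MAX_PEERS = 25, 50


def build_overlay(n_bots, seed=1):
    """Return {bot_id: set(peer_ids)}; no bot ever holds the full membership list."""
    rng = random.Random(seed)
    bots = list(range(n_bots))
    overlay = {}
    for bot in bots:
        k = rng.randint(MIN_PEERS, MAX_PEERS)
        others = [b for b in bots if b != bot]
        overlay[bot] = set(rng.sample(others, k))
    return overlay


def single_node_view(overlay, bot):
    """What a defender learns from one seized bot's peer list alone."""
    return overlay[bot]


def crawl(overlay, start):
    """Breadth-first enumeration: ask each discovered peer for its list until nothing new appears."""
    seen = {start}
    frontier = [start]
    while frontier:
        new = []
        for bot in frontier:
            for peer in overlay[bot]:
                if peer not in seen:
                    seen.add(peer)
                    new.append(peer)
        frontier = new
    return seen


def coverage(overlay, discovered):
    """Fraction of the herd that a given set of discovered bots represents."""
    return len(discovered) / len(overlay)


if __name__ == "__main__":
    herd = build_overlay(1000)
    print("one seized bot reveals:", coverage(herd, single_node_view(herd, 0)))
    print("iterative crawl reveals:", coverage(herd, crawl(herd, 0)))
```

With a 1000-bot herd, a single seized node's list covers at most 5% of the network, which is why a captured sample tells an analyst very little about the herd's size; only an iterative crawl that follows peer lists from node to node approaches full enumeration, and that is the measurement technique that gave the wide size estimates quoted below.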

StormWorm’s size was never exactly calculated. However, it has been estimated that StormWorm was the single largest botnet herd in recorded history, potentially ranging from 1–10 million victim systems. StormWorm was so large that it was reported that several international security groups were attacked by the operators of StormWorm after they determined these groups were trying to actively combat and take down the botnet.

Imagine national security groups and agencies brought down for days due to the massive power of this international botnet.

Upon infection, StormWorm would install Win32.Agent.dh, which inevitably led to the downfall of the initial variants implemented by the author. Some security groups felt that this flaw could be a possible pre-test or weapons test by an unknown entity because the actual host code was engineered with flaws that could be stopped after some initial analysis of the binary. Keep in mind that numerous methods can be used to ensure malware is very difficult to detect. These methods include metamorphism, polymorphism, and hardware-based infection of devices, which are the most difficult to detect from the operating system. To date, no one knows whether the implemented flaws were intentional or not; this is still being discussed within the security community today as analysts attempt to better understand the methods and intentions behind the release of StormWorm. If it had been a truly planned global epidemic, the author(s) would have probably taken more time to employ some of the more intricate techniques to ensure the rootkit was more difficult to discover or that it remained persistent on the victim host.

Figure 1-5 StormWorm infection by country

Metamorphism (Malware Sample: W32.Evol, W32.Simile)

Metamorphic malware changes as it reproduces or propagates, making it difficult to identify using signature-based antivirus or malicious software removal tools. Each variant is just slightly different enough from the first to enable the variant to survive long enough to propagate to additional systems. Metamorphism is highly dependent on the algorithm used to create the mutations; if it isn’t properly implemented, countermeasures can be used to enumerate the possible iterations of the metamorphic engine. The following diagram shows how each iteration of the metamorphic engine is changed just enough to alter its signature to keep it from being detected.

Metamorphic engines are not new and have been in use for over a decade. The innovative ways in which malware mutates on a machine have improved, making overall removal of the infection and even detection on the system very difficult. Following are some case studies of infamous malware samples that employed metamorphism.

Polymorphism (Malware Sample: W32.Rahack.h, W32.Polip, W32.Dengue)

Polymorphism refers to self-replicating malware that takes on a different structure than the original. Polymorphism is a form of camouflage that was initially adopted by malware writers in order to defeat the simple string searches antivirus engines employed to discover malware on a given host. Antivirus companies soon countered this technique.

However, the encryption process that is the core of polymorphism has continued to evolve to ensure survivability of the malware on a host with security. The following illustration shows a typical process employed by a polymorphic engine. As you can see, each iteration of the malware is completely different. This technique makes it more difficult for antivirus programs to detect the iteration of the malware. More often than not, as will be covered in Chapter 7, antivirus engines look for the base static code of the malware in order to detect it, or in some cases, they use a behavioral approach and attempt to identify whether the newly added file behaves like malware.

Oligomorphic (Malware Sample: W95.Sma)

This antidetection technique is generally considered a poor man’s polymorphic engine. It self-selects a decryptor from a set number of predefined alternatives. This being said, these predefined alternatives can be identified and detected with a fixed set of limited decryptors. In the following diagram, you can see the limitations of an oligomorphic engine and its effectiveness for use in real malware launches.
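To make the contrast between the metamorphic, polymorphic and oligomorphic sections above and the two detection strategies they imply concrete, here is an added Python example that is not from the book or from any of the named samples (W32.Evol, W32.Simile, W32.Polip, W95.Sma). It models the decryptor stub as a tiny constructed instruction set (XOR, ADD, SUB and NOP applied byte-wise to an inert marker string) rather than real machine code; the oligomorphic engine picks from three fixed stubs, the polymorphic engine generates a fresh stub per variant. A static scanner that matches stub bytes catches every oligomorphic variant once the fixed set has been enumerated but misses most polymorphic ones, while an emulating scanner that runs the stub and hashes the invariant body catches all of them.

```python
import hashlib
import random

# Constructed, inert stand-in for the malware body; the emulating detector hashes it.
BODY = b"inert-sample-body-for-detection-demo"
BODY_HASH = hashlib.sha256(BODY).hexdigest()

# Toy decryptor instruction set (made up for this example, not any real ISA).
OP_XOR, OP_ADD, OP_SUB, OP_NOP = 0x01, 0x02, 0x03, 0x90
INVERSE = {OP_XOR: OP_XOR, OP_ADD: OP_SUB, OP_SUB: OP_ADD, OP_NOP: OP_NOP}

# Oligomorphic engine: a small, fixed menu of decryptors.
OLIGO_DECRYPTORS = [
    [(OP_XOR, 0x5A)],
    [(OP_ADD, 0x10)],
    [(OP_NOP, 0x00), (OP_XOR, 0x21)],
]


def apply_ops(data, ops):
    """Run a list of (opcode, operand) byte-wise transforms over data, in order."""
    out = bytearray(data)
    for op, k in ops:
        for i, b in enumerate(out):
            if op == OP_XOR:
                out[i] = b ^ k
            elif op == OP_ADD:
                out[i] = (b + k) & 0xFF
            elif op == OP_SUB:
                out[i] = (b - k) & 0xFF
            # OP_NOP leaves the byte unchanged
    return bytes(out)


def encode_sample(decryptor_ops):
    """Sample layout: [op count] + serialized stub + body transformed so the stub undoes it."""
    inverse = [(INVERSE[op], k) for op, k in reversed(decryptor_ops)]
    stub = b"".join(bytes([op, k]) for op, k in decryptor_ops)
    return bytes([len(decryptor_ops)]) + stub + apply_ops(BODY, inverse)


def oligomorphic_variant(rng):
    return encode_sample(rng.choice(OLIGO_DECRYPTORS))


def polymorphic_variant(rng):
    """Fresh random stub per variant: random op mix, random operands, random length."""
    ops = [(rng.choice([OP_XOR, OP_ADD, OP_SUB, OP_NOP]), rng.randrange(1, 256))
           for _ in range(rng.randint(1, 4))]
    return encode_sample(ops)


def stub_of(sample):
    return sample[1:1 + 2 * sample[0]]


def signature_scan(sample, signatures):
    """Static detection: exact match of the decryptor stub bytes against known stubs."""
    return stub_of(sample) in signatures


def emulate_scan(sample):
    """Dynamic detection: execute the stub on the body, then hash the invariant result."""
    n = sample[0]
    ops = [(sample[1 + 2 * i], sample[2 + 2 * i]) for i in range(n)]
    decoded = apply_ops(sample[1 + 2 * n:], ops)
    return hashlib.sha256(decoded).hexdigest() == BODY_HASH


def detection_rate(variants, detector):
    return sum(1 for v in variants if detector(v)) / len(variants)


def run_experiment(seed=7, n=200, observed=20):
    rng = random.Random(seed)
    oligo = [oligomorphic_variant(rng) for _ in range(n)]
    poly = [polymorphic_variant(rng) for _ in range(n)]
    # Enumerating the oligomorphic engine yields a complete, fixed signature set.
    oligo_sigs = {stub_of(encode_sample(d)) for d in OLIGO_DECRYPTORS}
    # Against the polymorphic engine, a signature writer can only collect stubs seen so far.
    seen_sigs = {stub_of(v) for v in poly[:observed]}
    return {
        "oligo_signature": detection_rate(oligo, lambda s: signature_scan(s, oligo_sigs)),
        "poly_signature": detection_rate(poly[observed:], lambda s: signature_scan(s, seen_sigs)),
        "poly_emulation": detection_rate(poly, emulate_scan),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name}: {rate:.2f}")
```

The experiment reports 1.0 for the enumerated oligomorphic signature set and for emulation, and close to 0 for signatures against unseen polymorphic variants; this is the gap the text describes between antivirus engines that match static code and those that emulate or inspect behaviour.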

Obfuscation

Most malware seen on a daily basis is obfuscated in any number of ways. The most commonly found form of obfuscation is packing code via compression or encryption, which is covered in the next section. However, the concept of code obfuscation is vitally important to malware today. The two important types are host obfuscation and network obfuscation, used to bypass host-based and network-based protection measures respectively.

Obfuscation can sometimes be malware’s downfall. For instance, a writer may implement obfuscation methods so heavily that network defenders can actually use the evasion technique itself to create signatures that detect the malware. In the next two sections, we’re going to discuss the two most important components of malware obfuscation: portable executable (PE) packers and network encoding.
