Staying low: how FakeAV flies under the AV's radar
Bojan Ždrnja, Branko Spasojević
INFIGO IS, http://www.infigo.hr
Who are we?
Bojan Ždrnja
Senior information security consultant at INFIGO IS (a Croatian security company)
Various duties at SANS: Internet Storm Center Handler
Mostly known for reverse engineering malware
SANS GREM (GIAC Reverse Engineering Malware) course co-author
Advisory Board Member
Team Cymru Dragon Research Group member
Who are we?
Branko Spasojević
Information security consultant at INFIGO IS (yes, Bojan and I work together)
Reverser by nature
Author of the Optimice IDA Pro plugin for deobfuscation and malware analysis
Of course, we used it for this presentation ☺
http://code.google.com/p/optimice/
Agenda
What is FakeAV/RogueAV?
A little bit of history behind this critter
Server side tricks (Bojan)
What's the infrastructure behind FakeAV?
How does it spread?
Client side tricks (Branko)
VirusTotal:
• Current status: finished
• Results: 0 /42 (0.0%)
What is rogue security software?
Any malware that poses as legitimate security software
Relies mainly on social engineering to entice the user into installing it
But the groups behind it can use exploit packs as well
Simple modus operandi:
Scare the user into thinking his/her machine is infected
Offer the solution
Ask for payment for the full product
Depending on the group, steal data, control the machine etc.
How to make millions of dollars?
Most FakeAV businesses are located in Eastern Europe
They handle credit card processing, money cashing, even refunds
Not many such businesses exist
But they make the most money
Affiliates are recruited
Their job: make end users install FakeAV
They get a commission for each install/FakeAV copy bought
There are many affiliates
Some campaigns have been going on for years!
Versatile campaigns
First FakeAV campaigns started back in 2007
Very prominent 2008 – 2011
Hundreds of rogue security software “vendors” and “products”
AntiSpyware 2008
Antivirus Pro 2009
Antivir Solution Pro
ByteDefender
Internet Antivirus
MS Antivirus
Microsoft Anti Malware
Security Essentials 2010
TheSpyBot …
Getting users to install scareware
Scare the s**t out of them by copying familiar looking windows
… no matter which browser they use
… or operating system
Laying the bait
How to get users to install FakeAV?
Need to get them to visit "scary" web pages
Various attack vectors:
Send spam
Compromise other well known web pages
Compromise ad hosting web sites
Happens way too often!
Poison search engine results
So they end up on compromised web pages
And finally poison image search engines
Different groups use different attack vectors
This presentation is limited to search engine poisoning
Advanced infrastructure
Compromise
Retrieve hot searches from Google Trends and update local cache
Google crawler comes to visit the compromised web sites
Serve back modified web pages containing queries retrieved from Google Trends
Spam blogs and other web sites with links to compromised web sites
"I want to see news about Justin Bieber!"
"Sure, here are the results with links to web pages with these breaking news"
GET /?lxax=justin+bieber HTTP/1.1
Host: www.compromised.com
Advanced infrastructure
Once the user lands on a compromised web site
Do some checks
If everything is ok, redirect to the web site hosting the scary web page
Ask the mothership where to redirect to
PPP = Pure PHP Pwnage
Almost all scripts written exclusively in PHP
Various FakeAV groups target various servers
Usually Wordpress/Joomla installations
Or insecure TinyMCE installations
But also theft of FTP credentials
Master PHP script infects the whole web site
Or more, if the hoster is careless
Infect all PHP web pages
Add the following snippet to every PHP web page
And this decodes to:
… automatically
What is style.css.php?
Master PHP script
Basically allows full external control of the site
It is not a PHP shell
It is a purposely written FakeAV control program
It handles everything
Initial "infection" of the web site
Automatic updates
Generation of search engine poisoning content
Redirection of visitors with search engine referrals to FakeAV binary hosting web sites
Display of normal web content if no search engine referral has been detected
If needed – self removal
Search engine poisoning
Depending on the group, scripts either retrieve popular keywords from the mothership or directly from Google Trends
Look for content matching these keywords
Various methods for generating fake content
Some groups retrieve pictures from other search engines such as Bing and Yahoo
Some use Markov chains
Markov text generators have been used by spammers for a long time to create realistic e-mails
Finally, a template is filled in and cached locally
When a search engine crawler arrives, it is served the artificially created web page
Crawler identification in multiple steps
Does the User-Agent match?
Most scripts have an embedded list of IP address ranges belonging to search engines
Final redirection of victims
When victims arrive, the script checks their referrer
If it matches a search engine, redirect to the final destination
Otherwise serve the original web page
Makes the compromise harder to detect
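The crawler identification and referrer-based redirection described above leave a footprint in ordinary web server logs: search-referred visitors get a redirect while direct visitors get the real page. This is an added Python example, not code from the talk: it runs over a few constructed Apache combined-format log lines and flags paths whose every search-engine-referred hit was a 3xx while every other hit was a 200.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Apache combined-format log lines (not from the talk). Two visitors
# arriving from search engines are sent off-site with a 302; direct visitors get the page.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [10/Mar/2011:10:01:02 +0100] "GET /news.php?lxax=justin+bieber HTTP/1.1" 302 0 "http://www.google.com/search?q=justin+bieber" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.11 - - [10/Mar/2011:10:01:09 +0100] "GET /news.php?lxax=justin+bieber HTTP/1.1" 302 0 "http://www.bing.com/search?q=justin+bieber" "Mozilla/5.0 (Windows NT 5.1)"',
    '198.51.100.5 - - [10/Mar/2011:10:02:00 +0100] "GET /news.php?lxax=justin+bieber HTTP/1.1" 200 18322 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.6 - - [10/Mar/2011:10:03:00 +0100] "GET /about.php HTTP/1.1" 200 4411 "http://www.google.com/search?q=infigo" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.7 - - [10/Mar/2011:10:03:30 +0100] "GET /about.php HTTP/1.1" 200 4411 "-" "Mozilla/5.0 (Windows NT 6.1)"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")  # referrer hosts treated as search engines


def from_search_engine(referer: str) -> bool:
    """True if the Referer header points at one of the listed search engines."""
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_ENGINE_HOSTS)


def find_cloaked_paths(log_text: str):
    """Paths where every search-referred hit was a 3xx while every other hit was a 200."""
    hits = defaultdict(lambda: {"search": [], "other": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip the line
        path = m["path"].split("?", 1)[0]  # group by script, ignore poisoned query strings
        bucket = "search" if from_search_engine(m["referer"]) else "other"
        hits[path][bucket].append(int(m["status"]))
    flagged = []
    for path, h in sorted(hits.items()):
        if (h["search"] and h["other"]
                and all(300 <= s < 400 for s in h["search"])
                and all(s == 200 for s in h["other"])):
            flagged.append(path)
    return flagged
```

Both buckets must be populated before a path is flagged, so a page that legitimately redirects everyone, or that simply has no direct visitors, is not reported.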
They don't like hackers/researchers
Most scripts check for well known attacks
Even things like SQL injection, although no DB is used
Huge lists of researcher/AV companies' IP addresses
$ wc -l bi = 8680
Server side scripts use simple obfuscation
Just layers of gzip & base64 encode
Sometimes hundreds of layers
Makes sense since web hosters rarely (never?) use AV programs
Usually variable names are modified to make analysis or stealing harder
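The layered gzip/base64 encoding described above can be unwound mechanically rather than by hand. This is an added Python example, not code from the talk: it builds a constructed sample buried under five gzip+base64 layers and peels one layer at a time, trying the three compression formats that PHP's gzdecode(), gzuncompress() and gzinflate() consume before falling back to base64.

```python
import base64
import binascii
import gzip
import zlib

# Constructed sample standing in for an obfuscated FakeAV PHP script
# (not taken from the talk); wrap() buries it under N gzip+base64 layers.
PLAINTEXT = b"<?php echo 'constructed sample payload'; ?>"


def wrap(payload: bytes, layers: int) -> bytes:
    """Apply `layers` rounds of gzip-then-base64, mimicking the layered encoding."""
    for _ in range(layers):
        payload = base64.b64encode(gzip.compress(payload))
    return payload


def peel_one(blob: bytes):
    """Remove exactly one encoding layer; return (kind, data) or None if none applies.

    Compression is tried before base64 on purpose: base64 text does not
    decompress, whereas decompressed output could by chance look like base64,
    so this order avoids mis-decoding the innermost layer.
    """
    decoders = (
        ("gzip", gzip.decompress),                    # PHP gzdecode()
        ("zlib", zlib.decompress),                    # PHP gzuncompress()
        ("deflate", lambda d: zlib.decompress(d, -15)),  # PHP gzinflate() (raw deflate)
    )
    for kind, fn in decoders:
        try:
            return kind, fn(blob)
        except (OSError, EOFError, zlib.error):
            continue
    try:
        return "base64", base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_all(blob: bytes, max_layers: int = 1000):
    """Strip layers until nothing decodes further; return (data, [layer kinds])."""
    kinds = []
    for _ in range(max_layers):  # hard cap: hundreds of layers are normal, loops are not
        result = peel_one(blob)
        if result is None:
            break
        kind, blob = result
        kinds.append(kind)
    return blob, kinds
```

The recorded layer kinds double as a fingerprint of the packer, which is useful when comparing scripts pulled from several compromised hosts.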
Backend infrastructure
Used to repack binaries
Repacked very often
Various client side tricks used constantly
JavaScript heavily obfuscated
Created automatically by backend sites
Layers of proxies
nginx is your best friend
Simple ROI – these files need to be obfuscated to evade client AV detection
Making AV vendors' life difficult
Client side FakeAV protections by category
Anti-disassembly
Anti-emulation
Anti-VM
Anti-Debugging
FakeAV – Anti-disassembly
Several techniques
Destroy functions
Use opaque predicates
Hide constant values
Fragment basic blocks
Long ROP chains
Packing
Optimization examples powered by Optimice
Anti-disassembly – Destroy functions
Anti-disassembly – Opaque predicates
Anti-disassembly – Hide constants
Anti-disassembly – Fragment basic blocks
Anti-disassembly – ROP chains
3 – 5 instructions per block
~187 blocks long
Anti-disassembly – Packing
UPX packed code after the first layer of obfuscations
Unpacked code doesn’t contain anti-disassembly protections
Anti-emulation
Anti-emulation is tightly related to opaque predicates
Based on:
Functionality of Windows API
Predictable error values of Windows API
Some of the used functions: LCMapStringA, GetFontData, GetKeyState, GetFileType, GetParent
Anti-VM
Several anti-virtualization checks in a cascade
CPUID – 1
CPUID – 0x40000000 (search for hypervisor)
Search for VMwareVMware string
VMware detection by VMX string
Anti-debugging
IsDebuggerPresent
CreateProcess, WriteProcessMemory, CreateRemoteThread
Process synchronization
Cracking FakeAV
Don't want to pay for FakeAV?
1 Year Subscription $49.95
2 Year Subscription $69.95
3 Year Subscription $89.95
Serials fishing
WNDS-JUYH3-24GHJ-HGKSH-FKLSD, WNDS-89OF7-7324R-5SAD4-TG68U, WNDS-HFVDR-9844O-U54DA-5TBSC, WNDS-G8FB6-1V87S-DRT1S-63SRG, WNDS-4BGY2-JY4KO-IT98Y-7HJ43, WNDS-5D1V2-XB0D5-JT1TY-97DS3, WNDS-F40SA-1ER5H-4FG5D-F8412…
Thank you for your attention!