Staying low: how FakeAV flies under the AV's radar

Bojan Zdrnja, Branko Spasojevic
[email protected], [email protected]
INFIGO IS, http://www.infigo.hr

Post on 25-Sep-2020


Page 1: Staying low: how FakeAV flies under the AV's radar (index-of.co.uk/TDS/Zdrnja_Spasojevic-Staying_low.pdf · 2019. 3. 7.)

Staying low: how FakeAV flies under the AV's radar

Bojan Zdrnja, Branko Spasojevic
[email protected], [email protected]

INFIGO IS
http://www.infigo.hr

Page 2:

Who are we?

Bojan Ždrnja
Senior information security consultant at INFIGO IS (a Croatian security company)

Various duties at SANS
• Internet Storm Center Handler

Mostly known for reverse engineering malware

SANS GREM (GIAC Reverse Engineering Malware) course co-author

Advisory Board Member

Team Cymru Dragon Research Group member

Page 3:

Who are we?

Branko Spasojević
Information security consultant at INFIGO IS (yes, Bojan and I work together)

Reverser by nature

Author of the Optimice IDA Pro plugin for deobfuscation and malware analysis
• Of course, we used it for this presentation ☺
• http://code.google.com/p/optimice/

Page 4:

Agenda

What is FakeAV/RogueAV?
• A little bit of history behind this critter

Server side tricks (Bojan)
• What’s the infrastructure behind FakeAV?
• How does it spread?

Client side tricks (Branko)
• VirusTotal:
  • Current status: finished
  • Results: 0 / 42 (0.0%)

Page 5:

What is rogue security software?

Any malware that poses as legitimate security software

Relies mainly on social engineering to entice the user into installing it
• But the groups behind it can use exploit packs as well

Simple modus operandi:
• Scare the user into thinking his/her machine is infected
• Offer the solution
• Ask for payment for the full product
• Depending on the group, steal data, control the machine etc.

Page 6:

How to make millions of dollars?

Most FakeAV businesses are located in Eastern Europe
• They handle credit card processing, money cashing, even refunds
• Not many such businesses exist, but they make the most money

Affiliates are recruited
• Their job: make end users install FakeAV
• They get a commission per install / FakeAV copy bought
• There are many affiliates
• Some campaigns have been going on for years!

Page 7:

Versatile campaigns

First FakeAV campaigns started back in 2007

Very prominent 2008 – 2011

Hundreds of rogue security software “vendors” and “products”:
AntiSpyware 2008
Antivirus Pro 2009
Antivir Solution Pro
ByteDefender
Internet Antivirus
MS Antivirus
Microsoft Anti Malware
Security Essentials 2010
TheSpyBot …

Page 8:

Getting users to install scareware

Scare the s**t out of them by copying familiar looking windows

Page 9:

Getting users to install scareware

… no matter which browser they use

Page 10:

Getting users to install scareware

… or operating system

Page 11:

Laying the bait

How to get users to install FakeAV?
• Need to get them to visit “scary” web pages

Various attack vectors
• Send spam
• Compromise other well known web pages
• Compromise ad hosting web sites (happens way too often!)
• Poison search engine results, so they end up on compromised web pages
• And finally, poison image search engines

Different groups use different attack vectors

This presentation is limited to search engine poisoning

Page 12:

Advanced infrastructure

[Diagram of the search engine poisoning flow; labels in the order they were extracted:]
• Compromise
• Retrieve hot searches from Google Trends and update local cache
• Google crawler comes to visit the compromised web sites
• Serve back modified web pages containing queries retrieved from Google Trends
• Spam blogs and other web sites with links to compromised web sites
• User: “I want to see news about Justin Bieber!”
• Search engine: “Sure, here are the results with links to web pages with these breaking news”
• The user's browser then requests the compromised site:
  GET /?lxax=justin+bieber HTTP/1.1
  Host: www.compromised.com

Page 13:

Advanced infrastructure

Once the user lands on a compromised web site:
• Do some checks
• If everything is OK, redirect to the web site hosting the scary web page
• Ask the mothership where to redirect to

Page 14:

PPP = Pure PHP Pwnage

Almost all scripts written exclusively in PHP

Various FakeAV groups target various servers
• Usually WordPress/Joomla installations
• Or insecure TinyMCE installations
• But also theft of FTP credentials

Master PHP script infects the whole web site
• Or more, if the hoster is careless

Page 15:

Infect all PHP web pages

Add the following snippet to every PHP web page

Page 16:

Infect all PHP web pages

And this decodes to:

Page 17:

Infect all PHP web pages

… automatically

Page 18:

What is style.css.php?

Master PHP script
• Basically allows full external control of the site
• It is not a PHP shell
• It is a purposely written FakeAV control program

It handles everything
• Initial “infection” of the web site
• Automatic updates
• Generation of search engine poisoning content
• Redirection of visitors with search engine referrals to FakeAV binary hosting web sites
• Display of normal web content if no referral has been detected
• If needed, self removal

Page 19:

Search engine poisoning

Depending on the group, scripts retrieve popular keywords either from the mothership or directly from Google Trends

Look for content matching these keywords

Page 20:

Search engine poisoning

Various methods for generating fake content
• Some groups retrieve pictures from other search engines such as Bing and Yahoo
• Some use Markov chains: Markov text generators have been used by spammers for a long time to create realistic e-mails

Page 21:

Search engine poisoning

Finally, a template is filled in and cached locally

Page 22:

Search engine poisoning

When a search engine crawler arrives, it is served the artificially created web page

Crawler identification in multiple steps
• Does the User-Agent match?
• Most scripts have an embedded list of IP address ranges belonging to search engines

Page 23:

Final redirection of victims

When victims arrive, the script checks their referrer
• If it matches a search engine, redirect to the final destination
• Otherwise serve the original web page, which makes the compromise harder to detect
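The cloaking described on slides 12, 22 and 23 (generated keyword content for the crawler, a redirect for visitors arriving from a search engine, the real page for everyone else) is exactly what makes it hard to spot by browsing to the site directly; the practical check is to request the same URL under each of those client profiles and compare. Added example, not code from the deck or its authors: a Python probe doing that comparison. http_fetch performs real requests without following redirects; simulated_site is a constructed stand-in with made-up placeholder hostnames so the probe runs offline.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str, str]              # (HTTP status, Location header, body)
Fetch = Callable[[str, str, str], Response]  # (url, user_agent, referer) -> Response

# The three ways the same URL is requested; header values are constructed for the probe.
PROFILES = {
    "crawler": ("Googlebot/2.1 (+http://www.google.com/bot.html)", ""),
    "search_visitor": ("Mozilla/5.0", "http://www.google.com/search?q=justin+bieber"),
    "direct_visitor": ("Mozilla/5.0", ""),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Real fetch; a 3xx comes back as (status, Location, '') so the redirect target is visible."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.getcode(), "", r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), ""


def probe(url: str, fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Request url under every profile and report the three cloaking indicators."""
    seen = {name: fetch(url, ua, ref) for name, (ua, ref) in PROFILES.items()}
    crawler, search, direct = seen["crawler"], seen["search_visitor"], seen["direct_visitor"]
    return {
        # crawler receives a different body than a direct visitor: generated SEO content
        "crawler_gets_different_page": crawler[2] != direct[2],
        # a search-engine referrer triggers an off-site redirect
        "search_referrer_redirected": 300 <= search[0] < 400 and bool(search[1]),
        # a direct visitor gets the original page, which is why the compromise stays hidden
        "direct_visitor_unaffected": direct[0] == 200 and not direct[1],
    }


def simulated_site(url: str, user_agent: str, referer: str) -> Response:
    """Constructed stand-in for a compromised site behaving as the slides describe."""
    if "Googlebot" in user_agent:
        return 200, "", "<html>Justin Bieber breaking news ... (generated text)</html>"
    if "google.com/search" in referer:
        return 302, "http://scan-page.example/", ""  # placeholder final destination
    return 200, "", "<html>the site's real page</html>"


if __name__ == "__main__":
    print(probe("http://www.compromised.com/?lxax=justin+bieber", simulated_site))
```

Because the scripts also match the crawler against embedded search-engine IP ranges (slide 22), the crawler profile may show nothing when probed from an ordinary address; the referrer indicator does not depend on the source IP.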

Page 24:

They don’t like hackers/researchers

Most scripts check for well known attacks
• Even things like SQL injection, although no DB is used

Huge lists of researcher/AV companies’ IP addresses

$ wc -l bi = 8680

Server side scripts use simple obfuscation
• Just layers of gzip & base64 encode
• Sometimes hundreds of layers
• Makes sense, since web hosters rarely (never?) use AV programs

Usually variable names are modified to make analysis or stealing harder
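The gzip-plus-base64 layering above is mechanical, so it peels mechanically. Added example, not from the deck or its authors: a Python unwrapper for nested eval(gzinflate|gzuncompress|gzdecode(base64_decode('...'))) wrappers, the PHP idiom these scripts use. The real scripts are not on the page, so wrap() is a constructed helper that builds a 60-layer sample the same way PHP's gzdeflate/gzcompress/gzencode would.

```python
import base64
import re
import zlib

# One obfuscation layer as written in PHP: eval(<decoder>(base64_decode('<blob>')))
LAYER = re.compile(
    r"eval\s*\(\s*(?P<fn>gzinflate|gzuncompress|gzdecode|base64_decode)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*)?['\"](?P<blob>[A-Za-z0-9+/=\s]+)['\"]",
    re.S,
)

# PHP decoder name -> Python equivalent applied to the base64-decoded bytes
DECODERS = {
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE (gzdeflate output)
    "gzuncompress": lambda b: zlib.decompress(b, 15), # zlib stream (gzcompress output)
    "gzdecode": lambda b: zlib.decompress(b, 31),     # gzip stream (gzencode output)
    "base64_decode": lambda b: b,                     # base64 only, nothing to inflate
}


def peel(source: str, max_layers: int = 1000):
    """Strip nested wrappers until no eval(...) layer is left.

    Returns (innermost source, number of layers removed). max_layers stops a
    runaway loop if a sample keeps re-wrapping itself.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER.search(source)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("blob")))
        # latin-1 round-trips any byte, so binary junk in a layer cannot crash the loop
        source = DECODERS[m.group("fn")](raw).decode("latin-1")
        layers += 1
    return source, layers


def wrap(source: str, fn: str) -> str:
    """Constructed helper: add one layer the way the PHP scripts do (for the sample only)."""
    data = source.encode("latin-1")
    if fn == "gzinflate":
        co = zlib.compressobj(wbits=-15)
        data = co.compress(data) + co.flush()
    elif fn == "gzuncompress":
        data = zlib.compress(data)
    elif fn == "gzdecode":
        co = zlib.compressobj(wbits=31)
        data = co.compress(data) + co.flush()
    b64 = base64.b64encode(data).decode()
    inner = f"base64_decode('{b64}')" if fn != "base64_decode" else f"'{b64}'"
    return f"<?php eval({fn}({inner})); ?>"


# Constructed sample: a harmless marker script under 60 alternating layers
PAYLOAD = "<?php echo 'constructed inner script'; ?>"
SAMPLE = PAYLOAD
for i in range(60):
    SAMPLE = wrap(SAMPLE, ("gzinflate", "gzuncompress", "gzdecode", "base64_decode")[i % 4])

if __name__ == "__main__":
    inner, n = peel(SAMPLE)
    print(f"{n} layers removed, inner script: {inner}")
```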

Page 25:

Backend infrastructure

Used to repack binaries
• Repacked very often
• Various client side tricks used constantly

JavaScript heavily obfuscated
• Created automatically by backend sites

Layers of proxies
• nginx is your best friend

Simple ROI – these files need to be obfuscated to evade client AV detection

Page 26:

Making AV vendors’ life difficult

Client side FakeAV protections by category
• Anti-disassembly
• Anti-emulation
• Anti-VM
• Anti-debugging

Page 27:

FakeAV – Anti-disassembly

Several techniques
• Destroy functions
• Use opaque predicates
• Hide constant values
• Fragment basic blocks
• Long ROP chains
• Packing

Optimization examples powered by Optimice

Page 28:

Anti-disassembly – Destroy functions

Page 29:

Anti-disassembly – Opaque predicates

Page 30:

Anti-disassembly – Opaque predicates

Page 31:

Anti-disassembly – Hide constants

Page 32:

Anti-disassembly – Fragment basic blocks

Page 33:

Anti-disassembly – ROP chains

3 – 5 instructions per block

~187 blocks long

Page 34:

Anti-disassembly – Packing

UPX packed code after the first layer of obfuscation

Unpacked code doesn’t contain anti-disassembly protections

Page 35:

Anti-emulation

Anti-emulation is tightly related to opaque predicates

Based on
• Functionality of Windows API
• Predictable error values of Windows API

Some of the used functions: LCMapStringA, GetFontData, GetKeyState, GetFileType, GetParent

Page 36:

Anti-VM

Several anti-virtualization checks in a cascade

Page 37:

Anti-VM

CPUID - 1

Page 38:

Anti-VM

CPUID – 0x40000000 (search for the hypervisor)

Search for the VMware string

VMware detection by VMX string

Page 39:

Anti-debugging

IsDebuggerPresent

CreateProcess, WriteProcessMemory, CreateRemoteThread

Process synchronization

Page 40:

Cracking FakeAV

Don’t want to pay for FakeAV?
• Year Subscription $49.95
• 2 Year Subscription $69.95
• 3 Year Subscription $89.95

Serials fishing: WNDS-JUYH3-24GHJ-HGKSH-FKLSD, WNDS-89OF7-7324R-5SAD4-TG68U, WNDS-HFVDR-9844O-U54DA-5TBSC, WNDS-G8FB6-1V87S-DRT1S-63SRG, WNDS-4BGY2-JY4KO-IT98Y-7HJ43, WNDS-5D1V2-XB0D5-JT1TY-97DS3, WNDS-F40SA-1ER5H-4FG5D-F8412…

Page 41:

Cracking the FakeAV

Page 42:

Thank you for your attention!