Automated infection system: New generation of threats. Based on a story of Gumblar trojan
TRANSCRIPT
Page 1
Automated infection system: New generation of threats
Based on a story of Gumblar trojan
APRICOT, 1st – 5th of March 2010, Kuala Lumpur
Michael Molsner, Senior Malware Analyst
Page 2
What is Gumblar? Components list
Page 3
Gumblar components
List of components:
• Exploits component: Adobe PDF exploits, Adobe Flash exploits
• Win32 trojan application
• Server PHP backdoor
• HTTP redirector component (infected html)
• Injection component (html infector + server script spreader)
Page 4
Component tiers
Page 5
Data flows
Page 6
Speed of growth: HTML injection count
Page 7
Speed of growth
Number of server-side infections in October-November 2009
Page 8
Global location analysis
Status Dec 04th 2009
Page 9
Global location analysis
Status Feb 16th 2010
Page 10
Injection statistics Japan: Domestic location analysis
Local access count analysis
Page 11
Injection statistics Malaysia: Domestic location analysis
Page 12
Gumblar-x vs Pegel

                 Gumblar-x               Pegel
Exploit targets  Adobe Reader            Adobe Reader
                 Flash                   MDAC
                 MSOffice WebComponent   SnapShotViewer
                 Internet Explorer       JRE
Function         FTP acc                 FTP acc
                 Rootkit                 Rootkit
                                         Fake AV
                                         Botnet join
JP Count         5000                    440
Page 13
Possible origins: Timeline analysis
Page 14
Timeline analysis
HTML injection time:
Page 15
Timeline analysis
Daylight zones (05:00 UTC)
Page 16
Timeline analysis
Daylight zones (15:00 UTC)
Page 17
Case study: HTML injected sites
Page 18
Gumblar Samples
Many kinds of web sites were found victimized. At especially high risk:
• Small businesses (lower IT skill; business loss)
• Admins using the same passwords for multiple sites (adult)
Page 19
Gumblar Samples
Page 20
Gumblar Samples
Really ANY kind of web site can be a target. Some police-related samples:
Page 21
Gumblar components
Analysis of active components:
• HTTP redirector component (injected .htm*, .js)
• Injection component (html infector + server script spreader)
Page 22
Gumblar components
HTTP redirector component (infected html)
Page 23
Gumblar components
Analysis of active components:
• Exploits component: MSOfficeWeb exploit, Adobe PDF exploits, Adobe FLASH exploits
• WIN32 Trojan: ROOTKIT, DLL injection, Web traffic hook
Page 24
Exploit layers
Adobe PDF exploit shellcode downloads Win32 malware
Page 25
Gumblar components Analysis
Script exploit:
• Cookie, Referer, UA check
• Dynamic code on access
• ENV dependent attack
• Exploit downloader
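A defender-side check for the client-dependent serving this slide describes, added here as an example and not part of the original presentation: because the redirector only emits its payload when the request carries the expected Cookie, Referer and User-Agent, a plain scanner fetch sees a clean page, so the same URL is fetched under several client profiles and the script elements are diffed. The HTML bodies below are constructed samples embedded so it runs offline, and the profile names, helper names and the stand-in injected script are this example's assumptions.

```python
"""Detect client-dependent (cloaked) script injection in a fetched page."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def extract_scripts(html):
    """Return the <script>...</script> elements of a page, whitespace-normalised."""
    return [re.sub(r"\s+", " ", s).strip() for s in SCRIPT_RE.findall(html)]


def cloaked_scripts(responses):
    """responses: {profile_name: HTML body} for the SAME url fetched under
    different client profiles (e.g. bare fetch vs. browser UA + search-engine
    Referer + cookie).  Returns [(script, profiles_that_received_it)] for
    every script that at least one profile did not receive.  A script served
    only to browser-like clients is the cloaking signature worth a closer look."""
    per_profile = {name: set(extract_scripts(body)) for name, body in responses.items()}
    all_scripts = set().union(*per_profile.values()) if per_profile else set()
    findings = []
    for script in sorted(all_scripts):
        seen = sorted(p for p, scripts in per_profile.items() if script in scripts)
        if len(seen) < len(per_profile):
            findings.append((script, seen))
    return findings


# Constructed sample responses for one URL under three client profiles.
# The external script on example.invalid is a stand-in for an injected
# redirector, not the real injected code.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p></body></html>"""

CLOAKED_PAGE = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<script src="http://example.invalid/redir.js"></script>
</body></html>"""

SAMPLE_RESPONSES = {
    "plain-fetch (no UA, no Referer, no Cookie)": CLEAN_PAGE,
    "browser-ua-only": CLEAN_PAGE,
    "browser-ua+search-referer+cookie": CLOAKED_PAGE,
}

if __name__ == "__main__":
    for script, seen in cloaked_scripts(SAMPLE_RESPONSES):
        print("script served only to:", ", ".join(seen))
        print("   ", script)
```

A result with no findings does not prove a site is clean (the server may also key on client IP or time), but a script that appears only for browser-like profiles is worth pulling the file from the server and comparing against the last known-good copy.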
Page 26
Gumblar components Analysis
PDF reader exploit:
• PDF file
• FlateDecode
• JavaScript
• Downloader
Page 27
Gumblar components
Flash Player exploit:
• CWS file 1
• FWS file 1
• Binary
• Decrypt
• CWS file 2
• FWS file 2
• Strings
• ASCII bin
• FWS file 3 (Downloader)
Page 28
Gumblar components
Win32 trojan application
• Downloaded Exe ...
• Creates DLL
• Restart …
• Process Injection
Page 29
Gumblar components
Win32 trojan application
• C&C Communication
• Hidden in legit stream
• Self UPDATE
• FTP Acc data stolen
Page 30
Gumblar components (flow diagram)
Diagram nodes: JAVASCRIPT, REDIRECT, BROWSER? (Internet Explorer, MSOfficeWeb), EXPLOIT?, DOWNLOADER, PDF, CWS, EXE, DOWNLOADER, DOWNLOADER, 404
Page 31
Gumblar Demo
Infection procedure
• Live demonstration with virtual machines as server & client
(DEMO)
Page 32
Gumblar Demo
Server PHP backdoor
• Command line level access to compromised machine
(DEMO)
Page 33
Variable name analysis
Eastern European name “iutka” - the only meaningful identifier
Page 34
Automated infection system: Generalization of Gumblar threat
Page 35
Definition
Automated Infection System (AIS) is a distributed multicomponent information system which has a viral nature and can grow on its own by establishing the data exchange between its components. The growth of the system is estimated by the number of computers which host the components of the system.
Page 36
Threat level estimation: How dangerous is such a system?
Page 37
Threat level estimation
Risks:
• Very large scale
• Sensitive data leakage
• International
• Rapidly growing
• No human interaction required (self-sufficient)
• Has the power of a server botnet
Page 38
Threat level estimation
Weaknesses:
• Dependence on the root servers: elimination of root infector-servers stops system operation
• Dependence on stable data exchange: destruction of a few communication channels (even based on network filtering) stops system growth
• Compatibility problem (different platforms/interpreters): the code highly depends on usage of compatible (sometimes deprecated) functions to work correctly
• Can be simply honeypotted: the system may be artificially fed with honeypot FTP credentials that will reveal active servers
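The honeypot weakness on this slide, worked through on the defender's side as an added example that is not part of the original presentation: bait FTP accounts that no legitimate client uses are seeded where the trojan's credential theft will collect them, so every later login to those accounts must come from the spreader, and its source address points at an active infector server. The script below reads FTP login records and summarises canary-account activity per source address. The vsftpd-style log format, the account names, the documentation-range IP addresses and the helper names are this example's assumptions.

```python
"""Turn seeded honeypot FTP credentials into a watch list of active infector servers."""
import re
from collections import defaultdict

# Accounts that exist only as bait; no legitimate client ever logs in with them.
CANARY_ACCOUNTS = {"canary_shop01", "canary_blog02"}

# Constructed vsftpd-style login record (assumption, adapt to the real server's format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] "
    r"\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client \"(?P<ip>[\d.]+)\""
)


def parse_line(line):
    """Return the fields of one login record, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def canary_hits(lines):
    """{ip: {"attempts": n, "successes": n, "accounts": [..]}} for every source
    address that touched a canary account.  Failed attempts count too: a client
    that knows a bait user name at all has seen the seeded credentials."""
    hits = defaultdict(lambda: {"attempts": 0, "successes": 0, "accounts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in CANARY_ACCOUNTS:
            continue
        h = hits[rec["ip"]]
        h["attempts"] += 1
        if rec["result"] == "OK":
            h["successes"] += 1
        h["accounts"].add(rec["user"])
    return {ip: {**h, "accounts": sorted(h["accounts"])} for ip, h in hits.items()}


def watch_list(lines):
    """Addresses that logged in with bait credentials, most active first;
    each one is a candidate active infector server for blocking or reporting."""
    hits = canary_hits(lines)
    return sorted((ip for ip, h in hits.items() if h["successes"]),
                  key=lambda ip: (-hits[ip]["successes"], ip))


# Constructed sample records: one real admin, two sources using bait accounts.
SAMPLE_LOG = """\
Tue Mar  2 10:15:01 2010 [pid 4101] [webmaster] OK LOGIN: Client "198.51.100.20"
Tue Mar  2 10:17:44 2010 [pid 4120] [canary_shop01] OK LOGIN: Client "203.0.113.7"
Tue Mar  2 10:17:45 2010 [pid 4121] [canary_shop01] OK LOGIN: Client "203.0.113.7"
Tue Mar  2 10:18:02 2010 [pid 4122] [canary_blog02] FAIL LOGIN: Client "203.0.113.9"
Tue Mar  2 10:18:03 2010 [pid 4123] [canary_blog02] OK LOGIN: Client "203.0.113.9"
Tue Mar  2 10:20:11 2010 [pid 4130] [webmaster] FAIL LOGIN: Client "198.51.100.21"
this line is not a login record
""".splitlines()

if __name__ == "__main__":
    for ip, h in canary_hits(SAMPLE_LOG).items():
        print(ip, h)
    print("watch list:", watch_list(SAMPLE_LOG))
```

The bait accounts should have no write access to any real web root, so that a successful login reveals the infector without giving it a new site to inject.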
Page 39
Conclusion
• Success due to low profile visibility;
• Result - slow countermeasures by AV industry;
• Multiple infection routines & obfuscation;
• Frequent code changes to circumvent security software;
Page 40
Michael [email protected]
Thank you!