Super-powerful Flame worm could take YEARS to dissect

The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse. Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have …

COMMENTS

This topic is closed for new posts.
  1. bpfh
    FAIL

    Years to dissect? Really?

    When hacker teams have keygens and network blocking solutions for the bloatware giant Adobe Master Collection 6 within 24 hours of its public release, do the security firms really think that it would take years to dissect this? It would seem that reverse engineering, decompiling and debugging have changed a lot since my time ...

    1. Tom_

      Re: Years to dissect? Really?

      It takes a lot longer to fully analyse a piece of software than it does to look for the places where the DRM is checked and change them.

      It's weird to have to point that out on this website, though.

      1. stanimir

        Re: Years to dissect? Really?

        Still, anything interesting involves API calls. You can track 'em just as easily. I know how disassembling and reverse engineering works first hand, so years is highly overstated.

        I bet there is no motivation most of all.

        1. Anonymous Coward
          WTF?

          Re: Years to dissect? Really?

          OK, so maybe you could do it and grab the glory. After all, if it's going to take years and you can knock it up in a couple of hours, you'd easily command a very well paid job.

          Look forward to your posting next week, when you have cracked it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Years to dissect? Really?

            I understand the point that you are making, in that syscalls/win32 calls have a fairly distinct appearance in the disassembled output of a native binary.

            However, there is no requirement for a malware author to use the APIs for the intended purpose, meaning taking the API/syscall signatures at face value is unlikely to be helpful.

            Suppose you have large volumes of logic in a scripting language that you can generate at runtime; then your native app is just a host with the Lua generator seeds + interpreter.

            Also, what happens if all your interesting native code is application layer, and the API calls are just false flags?

            What does this do? (This is from the IOCCC, so give it a punt before you look up the answer.)

#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#undef D
#undef E
#undef U
#ifndef C
#define I int n,r;
#define D(N) void*N(void*);
#define C pthread_create
#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\
='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}
#define U int
#elif ! defined J
#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"
#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={
#define U };
#define D(N) N,
#define L return fwrite("\1\t\0;",1,4,stdout)!=4;
#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)
#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K
#else
#define T pthread_t
#define E char B[8][256];
#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}
#define D(N) void *N(void *y) {\
static I char *x=y;\
T t=0;\
if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\
if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\
n++;\
if(*x) N(x+1);\
if(t) pthread_join(t,&y);\
return y;\
}
#endif
E

/* ____ END OF CODE __ */

            Not trying to be difficult, but I'm not any sort of expert in the domain, and I reckon I'm aware of quite a few techniques to make it difficult to determine the intent.

            A simple stream cipher + interpreter + randomized memory locations should slow most people down for long enough to collect the paycheck and move on to the next gig.

            Imagine what tricks you might know if this was your domain. I fully expect that there are techniques for this kind of thing that make my feeble imaginings look rather old hat, but hey, it's not my domain.

            Just some food for thought,

            Sed

            1. Anonymous Coward
              Anonymous Coward

              Re: Years to dissect? Really?

              - didn't paste all the code..

#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#undef D
#undef E
#undef U
#ifndef C
#define I int n,r;
#define D(N) void*N(void*);
#define C pthread_create
#define E int l;char *ak(char *u){return (*u=(l+=6,*u)=\
='@'?'K':*u=='.'?'P':*u=='-'?'M':tolower(*u))?ak(u+1)-1:u;}
#define U int
#elif ! defined J
#define H "x\0\b\0\200\1\0\0\0\0\377\377\377,\0\0\0\0x\0\b\0\0\3"
#define E tn; char h[30]="GIF87a" H;void *(*fn[25])(void*)={
#define U };
#define D(N) N,
#define L return fwrite("\1\t\0;",1,4,stdout)!=4;
#define K {I for(r=0;r<8;r++)for(n=0,putchar(l);n<l;n++)putchar(B[r][n]|8)
#define J h[6]=h[24]=l=l-3;fwrite(h,1,30,stdout);K
#else
#define T pthread_t
#define E char B[8][256];
#define U int main(int c,char **a) { bdefhklmnprtuvwxyz57(ak(a[1]));J;}L}
#define D(N) void *N(void *y) {\
static I char *x=y;\
T t=0;\
if(!n && (r=tn)<24) C(&t,NULL,fn[++tn],y);\
if(*x&&strchr(# N,*x)) B[2+r/5][2+n*6+r%5]=16;\
n++;\
if(*x) N(x+1);\
if(t) pthread_join(t,&y);\
return y;\
}
#endif
E
D(bdefhklmnprtuvwxyz57)
D(bcdefgiopqrstz23567890K)
D(abcdefgjopqrstz123567890K)
D(cefghkoqstz23457890K)
D(mntuvwxyz7)
D(bcdefghklmnopqrsuvw256890K)
D(aimnxy1)
D(jkt14)
D(abdhmprxyz0)
D(mnoquvw237890K)
D(abcdefghklmnopqruvw560K)
D(befhikprs45689MK)
D(befghjmnqprstwxyz156890MK)
D(dghs234789M)
D(amnoquvw90K)
D(abcdefghjklmnopqruw4680K)
D(aivxz40PK)
D(ajkrtwy1247PK)
D(abdghnqvx456K)
D(amnosuw34890K)
D(abdefhklmnprxz25_)
D(bcdegijloqsuwz12356890_PK)
D(bcdegloqstuvyz123567890_PK)
D(cehklorsuwz1234890_K)
D(amnqxz2_K)
U
#ifndef T
#include __FILE__
#endif

              1. Sir Runcible Spoon

                Re: Years to dissect? Really?

                Did you just call me a cunt?

    2. ArmanX
      Boffin

      Re: Years to dissect? Really?

      Bloatware is easy to dissect, especially if all you're doing is keygen, no-cd, or other such tasks. You don't even have to know what a program does to be able to find its key-checking algorithm.

      If you want to know every detail, however, you'll need to analyze every byte of code; you can't gloss over anything. And well-obfuscated code can be a twisted mess, too; Adobe doesn't spend a majority of its time making sure no one can read a single line of code.

      1. Anonymous Coward
        Anonymous Coward

        Re: Years to dissect? Really?

        "Adobe doesn't spend a majority of its time making sure no one can read a single line of code."

        I dunno; it would explain a lot.

  2. Anonymous Coward
    Anonymous Coward

    FOI request

    How many people were employed by the US government in the development of the Stuxnet programming project?

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: FOI request

      You will never know. The black budget is currently at USD 50 billion YEARLY. You can put a few excellent developers into the small interstices, then buy them a nice, large house on the coast so that they STFU.

      Then one day, an old bartender starts talking to you about this programming project...

      1. h4rm0ny

        Re: FOI request

        Just in case casual readers dismiss you as a "conspiracy theorist", the figure of $50bn for black projects is the total amount spent by the Department of Defence on projects they list as Classified. I.e. they won't tell you where the money goes. The $50bn figure is for the year 2010.

        The USA spends *a lot* of money on things it doesn't disclose to the public.

        1. Anonymous Coward
          Anonymous Coward

          @h4rm0ny

          Sadly, in a budget the size of the US government's, $50bn doesn't even make it to the category of "rounding error." And knowing some folk who work in the defense industry, $50bn doesn't actually go as far as you might think when it starts to involve hardware, which it certainly will. As in, one of my low-level friends (not involved in the spook-like classified activities, just protection of force ones) doesn't even spend serious time thinking about expenditures below $1 million.

  3. Anonymous Coward
    Anonymous Coward

    Still microsoft windows is #1

    At least this is free and in that, compared to Windows, is really very primitive in design; Windows is still number #1 and has done so using the box/shop exploit where they get their victim to do all the hard work and pay for the privilege.

    Any virus or malware that does not use double-entry code and hidden op-codes etc. is badly written.

    Anon or my graphics card operating system might be called a virus like some network card OS was recently :=]

    1. Anonymous Coward
      Anonymous Coward

      Re: Still microsoft windows is #1

      Funny that, I was just thinking the same, especially in the light of the gazillion patches it downloads every day and the Windows *cough* "Advantage" data going the other way; nobody would notice a data extraction. The problem was that I could not see Microsoft (a) code anything that works and (b) keep it under 1GB, let alone 20MB - they haven't been forced to demonstrate tight compiling since they got rid of Borland.

      Next candidate who doesn't see privacy as a barrier: Google OS? Maybe the Chinese gave them an idea (which would also neatly count as a reverse rip off).

      Just musing probabilities. On account of the probable funding, required secrecy and total disregard for any applicable legal barriers you'd almost immediately think US - also because of where it has been found so far.

  4. Peter Mount

    Lua?

    Could it be simply because they don't know Lua?

    I'm not surprised that Angry Birds uses lua as it's quite popular within gaming circles

    1. Anonymous Coward
      Anonymous Coward

      Re: "Could it be simply because they don't know Lua?"

      Oh please, give them some credit. Why is it that the default position of reg commenters is 'assume the subjects of the article are complete idiots'?

      Shoehorning 'angry birds' into the article seems a rather lame bit of attention grabbing, too. As Mr Mount observed, Lua use is widespread these days, if only because there aren't a whole lot of fast, simple, small languages intended for embedding within a larger application.

      1. Charlie Clark Silver badge
        Holmes

        Re: "Could it be simply because they don't know Lua?"

        Oh please, give them some credit.

        I think it's a reasonable remark.

        The article also notes that the worm uses the "open source" libz library. Wow, apart from the fact that I think this is usually referred to as zlib though I don't want to get in a willy-waving competition about open source libraries, what the fuck does it matter that it's an open source library? Or that SQLite is being used for persistence? Implementation - the libraries used - shouldn't be confused with design - encrypted and compressed communication.

        1. James Anderson

          Re: "Could it be simply because they don't know Lua?"

          Not really; even if you have never seen a piece of Lua code before, the syntax is so beautifully clear and simple that any half-skilled programmer could work out what was going on.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Could it be simply because they don't know Lua?"

        Or maybe not everyone is a programmer?

        If I started spouting off about q931, qsig, DPNSS, SS7 and g711, of course you'd know these are pretty standard terms in the telecoms world, wouldn't you?

    2. Anonymous Coward
      Anonymous Coward

      Re: Lua?

      The Lua interpreter has a few things going for it when choosing something to execute your business logic: it's free, open source, lightweight when compiled and is designed to be statically linked from a C program, so it's self-contained.

      If you want to deploy something that is [relatively] complex, and retain the ability to quickly modify its behaviour significantly in the field, then Lua is a natural fit. Much more so than either compiled languages or Python, Ruby, Java, etc.

  5. Wintermute
    Joke

    lazy team refuses to reinvent the wheel

    "it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library."

    Well, I guess someone finally discovered a use for open source software.

  6. Destroy All Monsters Silver badge
    Joke

    zlib and SQLite, huh?

    They didn't use any software under the GNU license, so no obligation to share code. Well done.

    1. Gwyn Evans
      Joke

      Re: zlib and SQLite, huh?

      In Soviet Russia, code shares you!

  7. PyLETS
    Boffin

    Probably self morphing and remote controlled

    If they have been really smart, the antivirus folks will forever be playing catch up, while the perps keep changing the only unencrypted bits of it the AV signatures can algorithmically detect. Maybe that's why they are using Lua, so they can more easily remote control installed instances to change the bits conforming to the AV signatures as and when it suits those operating these instances.

    Sounds like getting rid of this thing for good may well involve backing up any known good data which doesn't contain executable content, wiping the rest and reinstalling from still trusted sources and media. I doubt many Windows lusers have that capability.

    I always thought trying to keep a system secure by avoiding blacklisted software was a bad idea. Better only to execute whitelisted software if it really matters.

  8. koolholio
    WTF?

    Years to dissect?

    This is rather technically comprehensive...

    http://go.eset.com/us/threat-center/encyclopedia/threats/flame/

    1. koolholio
      FAIL

      Re: Years to dissect?

      Also, the Iran CERT team's remover; pick it up from here:

      http://i.haymarket.net.au/News/Remover.rar

      Dissect the remover, and then you get how it removes it :-) SIMPLES!

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Years to dissect?

      That sounds like something hanging around on Amigas. You sure that's the right target?

  9. koolholio
    Stop

    Dissection already performed...

    http://certcc.ir/index.php?name=news&file=article&sid=1894

    From the CERT team themselves:

    Table 1: Infection Components

    Registry key existence: HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages -> mssecmgr.ocx

    Malware binaries (name & path):
    windows\system32\mssecmgr.ocx
    Windows\System32\ccalc32.sys
    Windows\System32\msglu32.ocx
    Windows\System32\boot32drv.sys
    Windows\System32\nteps32.ocx
    Windows\System32\advnetcfg.ocx
    Windows\System32\soapr32.ocx

    1. Ilgaz

      Re: Dissection already performed...

      They mean full disassembly, how it actually works. Those are just the module files.

    2. itzman
      Linux

      Re: Dissection already performed...

      I can't find any of those files on my Linux system. Should I be worried?

      1. Anonymous Coward
        Anonymous Coward

        Yes, definitely. It's now certainly not Windows compatible, so the suits upstairs will be with you shortly.

        Speaking of which, I feel left out. They promised Macs would become as vulnerable as Windows (a fact I heard played back by a Microsoft rep a few days ago - until I asked him to quantify the number of separate malware strands for each platform), so where is my copy?

        Anyone heard of malware for Google OS yet? Or has it remained too insignificant to bother? Or IS that actually Flame in user-friendly mode (given the propensities and known NSA links of the company in question)?

      2. Ilgaz

        Re: Dissection already performed...

        Better wish these black hat evil geniuses don't eye Linux for their next project.

  10. JaitcH
    WTF?

    Windows ...

    the best advertisement for Linux.

  11. jake Silver badge

    20 meg malware "threat" in the field for 2 years, undetected.

    Does nobody actually understand system security anymore?

    I weep.

    1. PyLETS
      Boffin

      Re: 20 meg malware "threat" in the field for 2 years, undetected.

      "Does nobody actually understand system security anymore?"

      Those who understand security execute only trusted executables and use software distribution and installation systems involving cryptographic chains of trust identifying all the engineers who have signed all executables installed as checked and verified. On larger general purpose systems we have to take calculated risks, of the kind: "has the team engineering this closed source component of my otherwise open source system, used as a device driver or media player, been nobbled, or is there a zero day in this or some other component known to someone who wants to attack this system but not the engineer who signed it?" On smaller security-purposed systems we have to ask the same questions but have a better chance of answering them. We keep these differently purposed systems sandboxed from each other.

      I don't think anyone who genuinely understands systems security has been highly reliant on popular software used for scanning and detection of blacklisted executables for many years. If blacklisted or not yet blacklisted executables can be installed onto your system and executed, you either don't yet properly understand, or don't yet really care about security.
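
The whitelisting position PyLETS takes here (and in the earlier "Probably self morphing and remote controlled" post) is easier to judge when written down as an actual policy check. The Go program below is an added example, not code from this thread or from any product mentioned in it. It assumes a trust store of engineer ed25519 public keys, a quorum rule (how many distinct trusted engineers must have signed), and attestations over the SHA-256 digest of the exact binary bytes; all keys, names and the "binary" are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Engineer is one entry in the trust store: a name and the ed25519 public key
// that signs on that person's behalf. (Constructed for this example.)
type Engineer struct {
	Name string
	Pub  ed25519.PublicKey
}

// NewEngineer generates a fresh key pair for a named engineer and returns the
// public half for the trust store together with the private half for signing.
func NewEngineer(name string) (Engineer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unusable
	}
	return Engineer{Name: name, Pub: pub}, priv
}

// Attestation is one engineer's signed statement that the binary with this
// SHA-256 digest has been checked and verified.
type Attestation struct {
	Digest    [sha256.Size]byte
	Signer    string
	Signature []byte
}

// attestationMessage binds the digest and the signer's name under one
// signature, so a signature cannot be replayed for another build or name.
func attestationMessage(digest [sha256.Size]byte, signer string) []byte {
	msg := append([]byte("verified-binary:"), digest[:]...)
	return append(msg, signer...)
}

// Sign produces an attestation for the exact bytes of binary.
func Sign(priv ed25519.PrivateKey, signer string, binary []byte) Attestation {
	d := sha256.Sum256(binary)
	return Attestation{Digest: d, Signer: signer,
		Signature: ed25519.Sign(priv, attestationMessage(d, signer))}
}

// Policy is the whitelist rule: a binary may run only if at least Quorum
// distinct engineers from the trust store have attested to its exact digest.
type Policy struct {
	Trusted map[string]ed25519.PublicKey
	Quorum  int
}

// MayExecute returns true only when the policy is satisfied. Attestations for
// other digests or from unknown signers are ignored; an attestation that names
// a trusted engineer but fails verification is treated as forged and rejected.
func (p Policy) MayExecute(binary []byte, atts []Attestation) (bool, error) {
	d := sha256.Sum256(binary)
	seen := map[string]bool{}
	for _, a := range atts {
		if a.Digest != d {
			continue // attestation for some other build
		}
		pub, ok := p.Trusted[a.Signer]
		if !ok {
			continue // signer not in the trust store: does not count
		}
		if !ed25519.Verify(pub, attestationMessage(a.Digest, a.Signer), a.Signature) {
			return false, fmt.Errorf("invalid signature claiming to be from %q", a.Signer)
		}
		seen[a.Signer] = true
	}
	if len(seen) < p.Quorum {
		return false, fmt.Errorf("digest %s has %d trusted attestation(s), policy needs %d",
			hex.EncodeToString(d[:]), len(seen), p.Quorum)
	}
	return true, nil
}

func main() {
	alice, aliceKey := NewEngineer("alice")
	bob, bobKey := NewEngineer("bob")
	policy := Policy{Trusted: map[string]ed25519.PublicKey{alice.Name: alice.Pub, bob.Name: bob.Pub}, Quorum: 2}

	binary := []byte("constructed stand-in for a signed driver image")
	atts := []Attestation{Sign(aliceKey, "alice", binary), Sign(bobKey, "bob", binary)}

	ok, err := policy.MayExecute(binary, atts)
	fmt.Printf("released build: allowed=%v err=%v\n", ok, err)

	tampered := append(append([]byte{}, binary...), " plus a patched byte"...)
	ok, err = policy.MayExecute(tampered, atts)
	fmt.Printf("modified build: allowed=%v err=%v\n", ok, err)
}
```

Three failure modes are worth noticing when running it: a build with even one changed byte loses every attestation because the digest no longer matches; a signer who is not in the trust store is simply ignored rather than counted; and a signature that names a trusted engineer but does not verify is returned as an error instead of being skipped, since a forged attestation is the case an operator most wants to hear about.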

      1. jake Silver badge

        @PyLETS (was: Re: 20 meg malware "threat" in the field for 2 years, undetected.)

        That's nice, PyLETS.

        I don't think you really understand my question.

        I weep.

        1. Anonymous Coward
          Anonymous Coward

          Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

          Hey Jake,

          Perhaps you could elucidate further.

          Sed

          1. Sir Runcible Spoon

            Re: @PyLETS (was: 20 meg malware "threat" in the field for 2 years, undetected.)

            "Does nobody actually understand system security anymore?"

            Yes.

            Poorly framed question in my opinion.

        2. Anonymous Coward
          Anonymous Coward

          Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

          Sorry Jake - you didn't understand (or chose to ignore) his answer

          1. jake Silver badge

            Re: @jake (was: 20 meg malware "threat" in the field for 2 years, undetected.)

            My point is that the "threat" is/was 20 megs in size. And nobody noticed it? WTF? I noticed sub-64K files as few as 10 years ago ... Consumer systems are entirely too bloated, and idiots are using them in places that they don't belong. Thus the question ...

            Ah, well. Said idiots are funding my retirement :-)

    2. Ilgaz

      This could be reason of fear

      This thing seems to bypass every single heuristic detection on systems that have proper security software. Or it pre-checked the system setup without raising alarm bells and didn't infect the ones which would check things like "startup items added out of nowhere" heuristics.

      Analysts seem a bit confused about the complexity.

  12. Anonymous Coward
    Anonymous Coward

    Remotely turning on microphones

    Listening in using a private PC in some Iranian bedroom... Meheeehhhhh Mehheehhhh.

  13. David Glasgow

    Enough with the geekery, already. Whodunnit?

    Oddly and ironically enough, one candidate not listed among the 'targets' might be Syria.

    1. Anonymous Coward
      Anonymous Coward

      That may be because the smart geeks moved elsewhere already - nobody left to analyse..

      1. Nigel 11
        Black Helicopters

        Smart Geeks

        Smart Geeks also don't do work that gives anyone a reason to kill them.

        I can't remember where I first read it, but the all-time classic along this line involves pure mathematics. If you were to find a fast algorithm to factorize a huge number into its only two prime factors, your only hope (other than keeping it secret to your grave) would be to spam your paper as far and wide as you could, and then go into hiding for a few months until the powers that be worked out that it could not ever be suppressed.

        Most mathematicians believe such an algorithm to be impossible. If there are any that justifiably think otherwise, they have good reason to keep quiet about it!
