During the recent BSIDES conference (2014), which was hosted in Las Vegas, Kyle Adams presented on "Evading code emulation: Writing ridiculously obvious malware that bypasses AV":
During his presentation (video now available on YouTube) he discussed how 'clean looking code' can be used to bypass anti-virus (AV): https://www.youtube.com/watch?v=tkOtBkvS9xY
We recently identified malware that uses some of the techniques Kyle described to bypass our AV scanner. What follows is a short analysis of the techniques used.
Merry Christmas, Santa Left You A Parcel…
It all started on the morning of December 4th when we received an e-mail purporting to be from FedEx. Figure 1 shows the e-mail. To our trained eyes this clearly appeared to be a Trojan or some sort of malicious phishing scam. Attached to the e-mail was a zip file Label_00000358165.zip.
We downloaded the attached zip file and calculated the MD5 sum; a Google search didn't find anything and further checks on Virus Total showed that the file had not yet been analysed.
The malicious zip file contained a file with a .doc extension, so that unwary recipients would take it for an MS Word document.
After removing the "eval" call from the script, we were able to run it without risking infection of the network and obtain the decoded (plaintext) script. This was achieved by placing the script into a custom HTML page, as shown in Figure 5 and Figure 6.
The first line of the script creates a WshShell object. WshShell objects are used to run commands as if they had been typed at the command prompt. This script builds up its variables to assemble exactly such a command. More details on WshShell can be obtained from http://msdn.microsoft.com/en-us/library/ateytk4a(v=vs.84).aspx.
The second instruction uses ws.ExpandEnvironmentStrings to retrieve the temporary directory of the infected system. The temp directory path is then combined with a variable fn, which will later hold the file name of the executable file (the malware).
On Windows 7 the string that will be passed to the command line will be similar to:
XMLHTTP is generally activated by default as seen in Figure 9.
Once the data is passed back to the script, the script checks whether the received data is binary (type = 1). The binary data is then saved to a file (xa.SaveToFile(fn, 2)) after the stream position has been reset to the start (xa.position = 0).
"fn" is the parameter that holds the file name that will be used to save the binary data. More information about ADODB.Stream can be found at http://www.w3schools.com/asp/ado_ref_stream.asp.
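As an added example (not code from the post or from Nettitude), the following Python triage helper flags the WshShell / XMLHTTP / ADODB.Stream download chain described above in a script body, and performs the same eval-removal step the analysis used to obtain the decoded layer. The script fragment, the file name and the decode() call are constructed placeholders, not material from the sample.

```python
import re

# Indicator patterns drawn from the downloader pattern described in the post
# (WshShell, %TEMP% via ExpandEnvironmentStrings, XMLHTTP, ADODB.Stream).
STAGES = {
    "shell_object":  r"WScript\.Shell",
    "temp_path":     r"ExpandEnvironmentStrings\s*\(\s*['\"]%TEMP%['\"]",
    "http_fetch":    r"XMLHTTP",
    "binary_stream": r"ADODB\.Stream",
    "binary_type":   r"\.type\s*=\s*1\b",
    "save_to_file":  r"\.SaveToFile\s*\(",
    "run_command":   r"\.Run\s*\(",
    "eval_layer":    r"\beval\s*\(",
}

def classify_script(text):
    """Return (hits, verdict) for the body of a Windows Script Host script."""
    hits = {name: bool(re.search(pat, text, re.IGNORECASE))
            for name, pat in STAGES.items()}
    chain = ("http_fetch", "binary_stream", "save_to_file", "run_command")
    if all(hits[s] for s in chain):
        verdict = "download-and-execute"
    elif hits["http_fetch"] and hits["save_to_file"]:
        verdict = "downloader"
    elif hits["eval_layer"]:
        verdict = "eval-wrapped (decode before judging)"
    else:
        verdict = "no downloader indicators"
    return hits, verdict

def defang_eval(text):
    """Replace every eval( with WScript.Echo( so that a decoded layer is printed
    instead of executed, mirroring the analysts' removal of the eval call."""
    return re.sub(r"\beval\s*\(", "WScript.Echo(", text, flags=re.IGNORECASE)

# Constructed, non-functional fragment containing the indicators from the post.
SAMPLE = '''
var ws = new ActiveXObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + "\\\\" + "PLACEHOLDER.exe";
var xo = new ActiveXObject("MSXML2.XMLHTTP");   // request details omitted
var xa = new ActiveXObject("ADODB.Stream");
xa.type = 1; xa.position = 0; xa.SaveToFile(fn, 2);
ws.Run(fn);
'''
WRAPPED = 'eval(decode("..."));'   # constructed stand-in for an eval-wrapped layer

if __name__ == "__main__":
    hits, verdict = classify_script(SAMPLE)
    print(verdict, [k for k, v in hits.items() if v])
    print(defang_eval(WRAPPED))
```

The defanged text still has to be run in an isolated analysis VM, since the decoded layer may itself contain further eval calls and live download URLs.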
The file name was created, but the content of the file was not downloaded. The network trace file shows an HTTP 404 response, indicating that the page was not found (Figure 10).
There are many possible reasons why the malware was not available for download:
- Malware download links are commonly deleted or disabled once they are found to be distributing malware. The files may already have been removed by the time we tried to download them.
- The malware files may have been hosted on a compromised server. Once the breach is identified, the server is patched and the malware files are deleted.
- Malware authors generally target a specific audience. Our IP address may have been outside the scope of the intended infection.
- It could simply have been a mistake by the malware author, i.e. they may have used the wrong URL.
Writing malicious scripts using documented, legitimate Microsoft functions will continue to be a problem for security. Even though some elevation still requires user interaction, it is very common for people to accept prompts without actually reading what action is about to be performed.
Our analysis did not find any record of the zip file being flagged as malicious up to three days after we received it. The first stage of this malware would certainly go undetected. To succeed in the second stage, the malware author would have to use a recently packed or encoded payload to defeat AV detection; a zero-day would also go undetected in this case. Every effort needs to be made to stop malware in its tracks at each stage.
So, how do you protect yourself against malware infection in this case?
Protecting against malware which is constantly changing can be very challenging. However, there are a number of factors that should be considered.
Updates and patching - Apply updates as frequently as necessary to ensure that malicious code cannot take advantage of a known vulnerability.
Monitoring and logging – Having the capability to detect changes and breaches is essential to responding to an attack. We can't stop them all, so knowing when an attack happens, so that action can be taken, is vital.