<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: detection]]></title>
    <link>http://securityratty.com/tag/detection</link>
    <description></description>
    <pubDate>Sun, 07 Sep 2008 03:30:15 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Revealing Packed Malware]]></title>
      <link>http://securityratty.com/article/f80d94b6a1f4dade57ea3122522abdb5</link>
      <guid>http://securityratty.com/article/f80d94b6a1f4dade57ea3122522abdb5</guid>
      <description><![CDATA[In concert with the ever-growing network applications, a significant increase in the spread of malware over the Internet has been observed. In cases where malware are the zero-day threats, generating...]]></description>
      <content:encoded><![CDATA[In concert with the ever-growing network applications, a significant increase in the spread of malware over the Internet has been observed. In cases where malware are the zero-day threats, generating their signatures for detection via anti-virus (AV) scan engines becomes an important reactive security function. However, modern malware can easily bypass AV scanners using packers, which can hide malicious file contents from detection. This article describes how packers work, and the three most commonly used unpacking methods. The authors describe the logic flow and behavior of Upack, a popular packer, as an example of a software packer.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Wed, 08 Oct 2008 00:42:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/modern malware">modern malware</category>
      <category domain="http://securityratty.com/tag/reactive security function">reactive security function</category>
      <category domain="http://securityratty.com/tag/authors describe">authors describe</category>
      <category domain="http://securityratty.com/tag/detection">detection</category>
      <category domain="http://securityratty.com/tag/network applications">network applications</category>
      <category domain="http://securityratty.com/tag/software packer">software packer</category>
      <category domain="http://securityratty.com/tag/scan engines">scan engines</category>
      <category domain="http://securityratty.com/tag/zero-day threats">zero-day threats</category>
      <source url="http://www.pheedo.com/click.phdo?i=e2d0c6f8959f9790ec29a49937b08486">Revealing Packed Malware</source>
    </item>
    <item>
      <title><![CDATA[Web Based Malware Emphasizes on Anti-Debugging Features]]></title>
      <link>http://securityratty.com/article/64ebe557625edfe9bcc0cbdc14885fe7</link>
      <guid>http://securityratty.com/article/64ebe557625edfe9bcc0cbdc14885fe7</guid>
      <description><![CDATA[Following the ongoing development of a particular web based malware always comes in handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple,...]]></description>
      <content:encoded><![CDATA[<a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqvOQBBJ4I/AAAAAAAACPw/fmDkcbMwPSs/s1600-h/web_based_malware_cc1_.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqvOQBBJ4I/AAAAAAAACPw/1HWDayNG6dU/s200-R/web_based_malware_cc1_.JPG" /></a>Following the ongoing development of a particular web based malware always comes in handy in terms of assessing <a href="http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html">the commoditization</a> of <a href="http://ddanchev.blogspot.com/2008/09/commercialization-of-anti-debugging.html">anti-debugging features</a> within modern malware: from plain simple "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.<br />
<br />
<a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqymqusJ9I/AAAAAAAACP4/oRig4C4IWHo/s1600-h/web_based_malware_cc3_.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOqymqusJ9I/AAAAAAAACP4/FyZQV_azx1o/s200-R/web_based_malware_cc3_.JPG" /></a>So what are they working on? Anti tracing and emulation protection, PEiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.<br />
<br />
Here's a translated description:<br />
<br />
<a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOqzT_QNxpI/AAAAAAAACQA/vMxRy0XpiTc/s1600-h/web_based_malware_cc_new_version1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOqzT_QNxpI/AAAAAAAACQA/WCAOc2P-dV8/s200-R/web_based_malware_cc_new_version1.jpg" /></a>"<i>- The binary works under admin and under normal user</i><br />
<i>- The binary is always run as the "current user"</i><br />
<i>- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country</i><br />
<i>- After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place</i><br />
<i>- Binary file size is 25k; the size can be reduced once it's crypted</i><br />
<br />
<a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SOqzZmhHaLI/AAAAAAAACQI/PD09GhFmXi4/s1600-h/web_based_malware_cc_new_version2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SOqzZmhHaLI/AAAAAAAACQI/6VE-Clw7bNk/s200-R/web_based_malware_cc_new_version2.jpg" /></a><i>- Doesn't take advantage of the BITS protocol</i><br />
<i>- Doesn't allow an infected host to be infected twice</i><br />
<i>- Bypassing NAT and supporting "always-on" connections</i><br />
<i>- A simple, easy to configure web based admin panel</i>" <br />
<br />
What if the buyer doesn't care about the quality assurance practices applied? <a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">Managed lower AV detection and firewall bypassing service</a> comes into play.]]></content:encoded>
      <pubDate>Mon, 06 Oct 2008 22:42:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/web based malware">web based malware</category>
      <category domain="http://securityratty.com/tag/binary file">binary file</category>
      <category domain="http://securityratty.com/tag/binary">binary</category>
      <category domain="http://securityratty.com/tag/simple">simple</category>
      <category domain="http://securityratty.com/tag/plain simple">plain simple</category>
      <category domain="http://securityratty.com/tag/anti">anti</category>
      <category domain="http://securityratty.com/tag/simple junk data">simple junk data</category>
      <category domain="http://securityratty.com/tag/firewall">firewall</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/413578893/web-based-malware-emphasizes-on-anti.html">Web Based Malware Emphasizes on Anti-Debugging Features</source>
    </item>
    <item>
      <title><![CDATA[OSfuscate: Change your Windows OS TCP/IP Fingerprint to confuse P0f, NetworkMiner, Ettercap, Nmap and other OS detection tools]]></title>
      <link>http://securityratty.com/article/f3832e30a5771d94dd4085040d808e7f</link>
      <guid>http://securityratty.com/article/f3832e30a5771d94dd4085040d808e7f</guid>
      <description><![CDATA[I was wondering awhile back how one could go about changing the OS fingerprint of a Windows box to confuse tools like Nmap, P0f, Ettercap and NetworkMiner. I knew there were registry setting you could...]]></description>
      <content:encoded><![CDATA[I was wondering a while back how one could go about changing the OS fingerprint of a Windows box to confuse tools like Nmap, P0f, Ettercap and NetworkMiner. I knew there were registry settings you could change in Windows XP/Vista that would let you reconfigure how the TCP/IP stack works, thus changing how the above tools would detect the OS. I wasn't sure what all registry changes to make, but luckily I found Craig Heffner's work on the subject. In this post I cover the issue of passive/active OS fingerprint detection, as well as release my tool OSfuscate.
]]></content:encoded>
      <pubDate>Thu, 02 Oct 2008 20:15:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fingerprint">fingerprint</category>
      <category domain="http://securityratty.com/tag/tools">tools</category>
      <category domain="http://securityratty.com/tag/confuse tools">confuse tools</category>
      <category domain="http://securityratty.com/tag/fingerprint detection">fingerprint detection</category>
      <category domain="http://securityratty.com/tag/registry">registry</category>
      <category domain="http://securityratty.com/tag/windows box">windows box</category>
      <category domain="http://securityratty.com/tag/nmap">nmap</category>
      <category domain="http://securityratty.com/tag/change">change</category>
      <category domain="http://securityratty.com/tag/tcpip stack">tcpip stack</category>
      <source url="http://feedproxy.google.com/~r/IrongeeksSecuritySite/~3/6fYkw5ozRdk/i.php">OSfuscate: Change your Windows OS TCP/IP Fingerprint to confuse P0f, NetworkMiner, Ettercap, Nmap and other OS detection tools</source>
    </item>
    <item>
      <title><![CDATA[CEP, Event Noise and Asymmetric Event Processing]]></title>
      <link>http://securityratty.com/article/2749df765875344a0e16c9acc0faf260</link>
      <guid>http://securityratty.com/article/2749df765875344a0e16c9acc0faf260</guid>
      <description><![CDATA[In The Genesis of Complex Event Processing: Asymmetric Capabilities I introduced the abstract concept of asymmetric processing capabilities to describe the foundations of complex event processing. If...]]></description>
      <content:encoded><![CDATA[<p>In <a title="The Genesis of Complex Event Processing: Asymmetric Capabilities" rel="bookmark" href="../2008/09/29/the-genesis-of-complex-event-processing-asymmetric-capabilites/">The Genesis of Complex Event Processing: Asymmetric Capabilities</a> I introduced the abstract concept of &#8220;asymmetric processing capabilities&#8221; to describe the foundations of complex event processing. If you take a few moments to review the <a href="http://www.thecepblog.com/2008/07/07/a-blast-from-the-past-cep-at-stanford1998-2003/" target="_blank">first CEP projects</a> from <a href="http://www.stanford.edu" target="_blank">Stanford University</a>, you will see that the application of CEP was toward solving myriad asymmetric event processing problems in distributed networks. These applications included challenging problems such as:</p>
<ul>
<li><a href="http://pavg.stanford.edu/cep/netviewer-presentation.ppt">Network Level Monitoring and Management,</a></li>
<li><a href="http://pavg.stanford.edu/ID/">Cyber Security: Network Intrusion Detection,</a></li>
<li>Enterprise Monitoring and Management,</li>
<li><a href="http://pavg.stanford.edu/cep/final-version-131102.pdf">Modeling and Simulation of Collaborative Business Processes, </a></li>
<li>Business Policy Monitoring, and</li>
<li>Analysis and Debugging of Distributed Systems.</li>
</ul>
<p>In each of the CEP application examples above, the amount of event information available to software developers can be staggering; however, despite all the available information, the capability to sense-and-respond to threats and opportunities is crude, at best.</p>
<p>Folks who work in network and security management, for example, are bombarded with event information. However, this deluge of event information is, for the most part, &#8220;noise&#8221; that is difficult to understand. In network management one of the most difficult things to accomplish is to find the root cause of an outage or performance problem. This is why researchers at Stanford were funded to focus on research topics such as (above) <em>the Analysis and Debugging of Distributed Systems</em>.</p>
<p>These are the classes of asymmetric event processing problems that define complex event processing, or CEP. Processing events by mediating events, routing events, or running a rule-set against events and making a processing decision are all perfectly valid event processing applications. However, the core reason to have &#8220;complex event processing&#8221; is to solve event processing problems where there exists a significant asymmetry between the deluge of &#8220;event noise&#8221; (Professor Luckham called this phenomenon the &#8220;event cloud&#8221;) and detecting business-relevant, actionable complex events in a climate of uncertainty and noise.</p>
<p>In my next post on this topic I will briefly review the motivation behind my 1999 ACM paper, <a title="Intrusion Detection Systems and Multisensor Data Fusion" rel="bookmark" href="../intrusion-detection-systems-and-multisensor-data-fusion/">Intrusion Detection Systems and Multisensor Data Fusion</a>, where we were working on solving complex distributed security challenges based on real-world experiences with the problems of asymmetric processing capabilities. I will discuss why we evolved from an early rule-based expert system model to a more advanced inference model that was not dependent solely on rule-based thinking. I will also explain why other researchers and developers experienced in complex event detection applications have come to the same conclusion.</p>
]]></content:encoded>
      <pubDate>Thu, 02 Oct 2008 01:22:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/asymmetric event">asymmetric event</category>
      <category domain="http://securityratty.com/tag/complex">complex</category>
      <category domain="http://securityratty.com/tag/define complex event">define complex event</category>
      <category domain="http://securityratty.com/tag/asymmetric">asymmetric</category>
      <category domain="http://securityratty.com/tag/actionable complex events">actionable complex events</category>
      <category domain="http://securityratty.com/tag/myriad asymmetric event">myriad asymmetric event</category>
      <category domain="http://securityratty.com/tag/cep">cep</category>
      <category domain="http://securityratty.com/tag/management">management</category>
      <category domain="http://securityratty.com/tag/security management">security management</category>
      <source url="http://www.thecepblog.com/2008/10/02/cep-event-noise-and-asymmetric-event-processing/">CEP, Event Noise and Asymmetric Event Processing</source>
    </item>
    <item>
      <title><![CDATA[The Commercialization of Anti Debugging Tactics in Malware]]></title>
      <link>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</link>
      <guid>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</guid>
      <description><![CDATA[Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to...]]></description>
      <content:encoded><![CDATA[<a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/J_vLiffz110/s1600-h/figure_multiple.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="128" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/bz624nz5JbE/s200-R/figure_multiple.jpg" width="200" /></a><a href="http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html">Commoditization</a> or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come in handy in the hands of the wrong people:<br />
<br />
"<i>Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).</i><br />
<br />
<a href="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/lB8WtKqycj4/s1600-h/cvprotopt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="149" src="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/kgSYpWIHW2E/s200-R/cvprotopt.png" width="200" /></a><i>Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into a different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.</i><br />
<br />
<i>When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.</i>"<br />
<br />
With the Cyber-as-a-Service business model becoming increasingly common, the entire <a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">quality assurance model with respect to malware</a> is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly - improving the customer's experience by letting him take advantage of the inventory of crypting tools and bypassing verification services. Within the tool's inventory are naturally lots of (pirated) commercial anti-reverse engineering tools.<br />
<br />
As we've seen before, whenever someone starts commercializing what used to be a self-serving process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they are about commercializing this market segment, and taking into consideration that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 12:55:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/machine">machine</category>
      <category domain="http://securityratty.com/tag/specific virtual machine">specific virtual machine</category>
      <category domain="http://securityratty.com/tag/internal virtual machine">internal virtual machine</category>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/sensitive code">sensitive code</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/unique virtual machine">unique virtual machine</category>
      <category domain="http://securityratty.com/tag/original code">original code</category>
      <category domain="http://securityratty.com/tag/code virtualizer">code virtualizer</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/406651187/commercialization-of-anti-debugging.html">The Commercialization of Anti Debugging Tactics in Malware</source>
    </item>
    <item>
      <title><![CDATA[Plan-based Complex Event Detection across Distributed Sources]]></title>
      <link>http://securityratty.com/article/7f2d9ec37ddd235b47e10e69a8a18a32</link>
      <guid>http://securityratty.com/article/7f2d9ec37ddd235b47e10e69a8a18a32</guid>
      <description><![CDATA[Here is an interesting 2008 paper, Plan-based Complex Event Detection across Distributed Sources
Abstract
Complex Event Detection (CED) is emerging as a key capability for many monitoring applications...]]></description>
      <content:encoded><![CDATA[<p>Here is an interesting 2008 paper, <a class="l" href="http://www.cs.brown.edu/%7Eugur/ced.pdf">Plan-based Complex Event Detection across Distributed Sources.</a></p>
<p><strong>Abstract</strong></p>
<blockquote><p><em>Complex Event Detection (CED) is emerging as a key capability for many monitoring applications such as intrusion detection, sensor-based activity &amp; phenomena tracking, and network monitoring. Existing CED solutions commonly assume centralized availability and processing of all relevant events, and thus incur significant overhead in distributed settings. In this paper, we present and evaluate communication efficient techniques that can efficiently perform CED across distributed event sources.</em></p>
<p><em>Our techniques are plan-based: we generate multi-step event acquisition and processing plans that leverage temporal relationships among events and event occurrence statistics to minimize event transmission costs, while meeting application-specific latency expectations. We present an optimal but exponential-time dynamic programming algorithm and two polynomial-time heuristic algorithms, as well as their extensions for detecting multiple complex events with common sub-expressions. We characterize the behavior and performance of our solutions via extensive experimentation on synthetic and real-world data sets using our prototype implementation.</em></p></blockquote>
]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 12:49:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/complex event detection">complex event detection</category>
      <category domain="http://securityratty.com/tag/sources">sources</category>
      <category domain="http://securityratty.com/tag/multiple complex events">multiple complex events</category>
      <category domain="http://securityratty.com/tag/events">events</category>
      <category domain="http://securityratty.com/tag/communication efficient techniques">communication efficient techniques</category>
      <category domain="http://securityratty.com/tag/efficiently perform ced">efficiently perform ced</category>
      <category domain="http://securityratty.com/tag/ced">ced</category>
      <category domain="http://securityratty.com/tag/techniques">techniques</category>
      <category domain="http://securityratty.com/tag/event sources">event sources</category>
      <source url="http://www.thecepblog.com/2008/09/25/plan-based-complex-event-detection-across-distributed-sources/">Plan-based Complex Event Detection across Distributed Sources</source>
    </item>
    <item>
      <title><![CDATA[I'll be speaking at Phreaknic 2008]]></title>
      <link>http://securityratty.com/article/5e9e555395feeac4360d29fdb69e48b1</link>
      <guid>http://securityratty.com/article/5e9e555395feeac4360d29fdb69e48b1</guid>
      <description><![CDATA[My talk proposal has been accepted, so I'll be giving a presentation on hardware keyloggers and their detection at this year's Phreaknic. It runs from October 24th - 25th, 2008 in Nashville, TN. It's...]]></description>
      <content:encoded><![CDATA[My talk proposal has been accepted, so I'll be giving a presentation on
<a href="http://www.irongeek.com/i.php?page=security/usb-hardware-keyloggers-1-keycarbon">
hardware keyloggers and their detection</a> at this year's Phreaknic. It runs 
from October 24th - 25th, 2008 in Nashville, TN. It's a great event if you can 
make it.
]]></content:encoded>
      <pubDate>Wed, 24 Sep 2008 20:46:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/talk proposal">talk proposal</category>
      <category domain="http://securityratty.com/tag/october 24th">october 24th</category>
      <category domain="http://securityratty.com/tag/hardware keyloggers">hardware keyloggers</category>
      <category domain="http://securityratty.com/tag/phreaknic">phreaknic</category>
      <category domain="http://securityratty.com/tag/presentation">presentation</category>
      <category domain="http://securityratty.com/tag/nashville">nashville</category>
      <category domain="http://securityratty.com/tag/detection">detection</category>
      <category domain="http://securityratty.com/tag/event">event</category>
      <category domain="http://securityratty.com/tag/25th">25th</category>
      <source url="http://feedproxy.google.com/~r/IrongeeksSecuritySite/~3/Ph-jHK0zwBA/">I'll be speaking at Phreaknic 2008</source>
    </item>
    <item>
      <title><![CDATA[Intrusion-prevention systems still not used full throttle: survey ]]></title>
      <link>http://securityratty.com/article/c3c9f6a8f797b9d5a5063902619a1081</link>
      <guid>http://securityratty.com/article/c3c9f6a8f797b9d5a5063902619a1081</guid>
      <description><![CDATA[Intrusion-prevention systems often aren't used to actually block attack traffic, but instead act more like intrusion-detection systems, according to an Infonetics Research survey of 169 information...]]></description>
      <content:encoded><![CDATA[Intrusion-prevention systems often aren’t used to actually block attack traffic, but instead act more like intrusion-detection systems, according to an Infonetics Research survey of 169 information professionals who offered a detailed look at how IPS equipment really gets used.]]></content:encoded>
      <pubDate>Mon, 22 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/systems">systems</category>
      <category domain="http://securityratty.com/tag/block attack traffic">block attack traffic</category>
      <category domain="http://securityratty.com/tag/infonetics research survey">infonetics research survey</category>
      <category domain="http://securityratty.com/tag/ips equipment">ips equipment</category>
      <category domain="http://securityratty.com/tag/information professionals">information professionals</category>
      <category domain="http://securityratty.com/tag/act">act</category>
      <source url="http://www.networkworld.com/news/2008/092308-ips-survey.html?fsrc=rss-security">Intrusion-prevention systems still not used full throttle: survey </source>
    </item>
    <item>
      <title><![CDATA[Fraud Detection in Financial Services Reloaded]]></title>
      <link>http://securityratty.com/article/ded3c6e73beb9af7e3aaa5abae657b06</link>
      <guid>http://securityratty.com/article/ded3c6e73beb9af7e3aaa5abae657b06</guid>
      <description><![CDATA[I read an interesting post by the former CTO of out-of-business Kaskad Technology, where event processing colleague Colin Clark respectfully disagrees with my assessment of the (lack of) capabilities in...]]></description>
      <content:encoded><![CDATA[<p>I read an <a href="http://colinclarkeventprocessing.com/?p=154" target="_blank">interesting post</a> by the former CTO of <a href="http://rulecore.com/CEPblog/?p=279" target="_blank">out-of-business Kaskad Technology</a>, where event processing colleague Colin Clark respectfully disagrees with my assessment of the (lack of) capabilities in current-generation &#8220;CEP engines&#8221; for detecting complex fraud in financial services. I&#8217;ll respond with a quote from my September 2007 post, <a title="End Users Should Define the CEP Market." rel="bookmark" href="http://www.thecepblog.com/2007/12/17/end-users-should-define-the-cep-market/"><span style="color: #105cb6;">End Users Should Define the CEP Market.</span></a></p>
<blockquote><p><em>&#8220;Experienced end users are very intelligent. </em></p>
<p><em>These end users know the complex event processing problems they need to solve; and they know the limitations of the current COTS approaches marketed by the CEP community.  Even in Thailand, a country many of you might mistakenly think is not very advanced technologically, there are experts in telecommunications (who run large networks) who are working on very difficult fraud detection applications, and they use neural networks and say the results are very good.   However, there is not one CEP vendor, that I know of, who offers true CEP capability in the form of neural nets. </em></p>
<p><em>Almost every major bank, telco, etc. has the same opinion, and the same problem. They need much more capability than streaming joins, selects and rules to solve their complex event processing problems that Dr. Luckham outlined in his book.   The software vendors are attempting to define the CEP market to match their capability; unfortunately, their capabilities do not meet the requirements of the vast majority of end users who have CEP problems to solve.</em></p>
<p><em>If the current CEP platforms were truly solving complex event processing problems, annual sales would be orders of magnitude higher. Hence, the users have already voted. The problem is that the CEP community is not listening.&#8221;</em></p></blockquote>
<p>Not to be overly repetitive,  but the last part of this quote from a year ago is worth highlighting:</p>
<blockquote><p><em>&#8220;If the current CEP platforms were truly solving complex event processing problems, annual sales would be orders of magnitude higher. Hence, the users have already voted. The problem is that the CEP community is not listening.&#8221;</em></p></blockquote>
<p>Frankly speaking, nothing in the &#8220;CEP world&#8221; has changed, technologically speaking, since this September 2007 post was written. From a sales perspective, we have seen fewer CEP-related sales in 2008 than in prior years. If these so-called CEP products were actually capable of detecting &#8220;real&#8221; complex network-centric situations (threats) in real-time, they would be selling faster than a cup of ice water in the blazing hot Sahara desert.</p>
<p>Don&#8217;t shoot the messenger.  Build better detection engines!</p>
<p>On the other hand, maybe complex detection is too hard for most of these companies and that is why they focus on routing, mediation and relatively simple rule-based scenarios, versus complex event processing?</p>
]]></content:encoded>
      <pubDate>Sat, 20 Sep 2008 18:36:27 +0000</pubDate>
      <category domain="http://securityratty.com/tag/event">event</category>
      <category domain="http://securityratty.com/tag/versus complex event">versus complex event</category>
      <category domain="http://securityratty.com/tag/cep">cep</category>
      <category domain="http://securityratty.com/tag/cep products">cep products</category>
      <category domain="http://securityratty.com/tag/cep community">cep community</category>
      <category domain="http://securityratty.com/tag/cep vendor">cep vendor</category>
      <category domain="http://securityratty.com/tag/current cep platforms">current cep platforms</category>
      <category domain="http://securityratty.com/tag/complex event">complex event</category>
      <category domain="http://securityratty.com/tag/sales">sales</category>
      <source url="http://www.thecepblog.com/2008/09/20/fraud-detection-in-financial-services-reloaded/">Fraud Detection in Financial Services Reloaded</source>
    </item>
    <item>
      <title><![CDATA[Modelling Shoplifting]]></title>
      <link>http://securityratty.com/article/3943f3c70f24e801812a87cf0b0b61f8</link>
      <guid>http://securityratty.com/article/3943f3c70f24e801812a87cf0b0b61f8</guid>
      <description><![CDATA[The other day I was thinking that I should write about specific situation models and by coincidence Marc Adler pens CEP and Shoplifting. In Marc's post, Marc begins to model shoplifting as if...]]></description>
      <content:encoded><![CDATA[<p>The other day I was thinking that I should write about specific situation models and by coincidence Marc Adler pens <a href="http://magmasystems.blogspot.com/2008/09/cep-and-shoplifting.html" target="_blank">CEP and Shoplifting</a>. In Marc&#8217;s post, Marc begins to model shoplifting as if shoplifting is &#8220;market data,&#8221; with Level 1 to Level 4 shoplifting &#8220;quotes&#8221; - the natural approach for a brilliant guy from Citi. In reality, this model does not work very well, and I&#8217;ll touch on a few reasons why today.</p>
<p>Marc&#8217;s initial shoplifting model in his post is based on John Colapinto&#8217;s concepts of matching a pattern of customer movements in the store with their estimated patterns of shoplifting behavioral patterns. Marc asks how Coral8 might address this. We are not ready to seek a vendor solution. We do not yet have a workable detection model.</p>
<p>As indicated above, I don&#8217;t think the example situation cited by John and Marc is a viable model for automated processing. Tracking the behavior of customers&#8217; movements, by machine, would require some very sophisticated image processing technology that would be too expensive compared to any possible loss at most retail stores. This type of behavioral pattern recognition, in retail stores, is performed by people (security personnel), not machines, observing people.</p>
<p>To develop a machine pattern recognition application to detect retail shoplifting we need to build detection models that are economically feasible. If we are going to use a model of shoplifting pattern recognition versus anomaly detection, we need to define the objects we must track.</p>
<p>In the most simple model, we have merchandise-objects. Stores normally (physically) track merchandise-objects only at the exit/entry points of the store using some electromagnetic proximity detection technology. In this model, the detection configuration is a combination of simple alerting with humans watching the store (&#8220;minding the store&#8221;). This is not complex event processing.</p>
<p>However, if we added another object to our model, the customer-object, then we start to get more &#8220;complex,&#8221; but we have not defined &#8220;complexity&#8221; yet because we have not defined the object properties, the possible states of the objects, and the relationships between the objects that are the basis for estimated situations.</p>
<p>Hence, model building is constrained by available resources, simple economics and risk (cost-benefit). If we are detecting shoplifting in Walmart the cost-benefit model for implementing an automated shoplifting detection system would be different than at a top diamond store on 5th Avenue in NYC. Protecting against loss at a weapons-grade uranium repository follows a different model than protecting against loss at a handicraft shop, naturally.</p>
<p>Like Marc, I find models to automatically detect shoplifting interesting, so permit me to close with a general discussion of shoplifting in the context of our <a href="http://www.thecepblog.com/what-is-complex-event-processing/" target="_blank">CEP/EP reference model</a>.</p>
<p>One approach would be to determine what objects will be represented in our model. For example, if we are going to track merchandise, we need to model the &#8220;merchandise-object&#8221;. If we are going to track people, we need to define the properties of this &#8220;person object.&#8221; If we are going to represent the store layout, we need to define all these objects (store-object, table-object, shelf-object, entry-object and so forth). The model can get &#8220;complex&#8221; quite quickly.</p>
<blockquote><p>Editorial Note: <em>An object-oriented approach greatly assists complex model building because we can benefit from OO properties such as encapsulation and polymorphism. For example, we can define a basic &#8220;person object class&#8221; and then create superclasses of this object for &#8220;customer-object&#8221;, &#8220;manager-object&#8221;, or &#8220;criminal-object.&#8221;</em></p></blockquote>
<p>Generally speaking, each object we define will require a state-model; for example, in Marc&#8217;s example of a customer moving around the store, we would need to model the possible states (customer at the entrance, at table 1, at table 2, at shelf 1, in the bathroom, at the cashier, etc.). Indeed Marc, this is complex event processing if we have modelled multiple objects and defined object-object relationships that indicate situations of interest. For example, customer-object at table 2 where merchandise-object has the property of &#8220;very expensive, high risk&#8221; and then customer-object changes state to &#8220;in bathroom&#8221;. Of course, we need more key indicators, but you get the idea.</p>
<p>Right now, I am typing from the <a href="http://www.taste4heaven.com">Taste from Heaven Vegetarian Restaurant</a> in Chiang Mai and my battery is running low. The owner of this excellent restaurant also runs the <a href="http://www.elephantnaturefoundation.org/" target="_blank">Elephant Nature Park</a>, a non-profit organization advocating and acting on behalf of the rights of the mighty elephants in Thailand. Would be great if we could also automatically detect the situation of &#8220;elephant abuse&#8221; by poachers and other crimes against nature. Time to get back to my delicious mushroom salad, Northeastern Thai style.</p>
<p>As always, thanks for reading, time for me to get back to eating!</p>
]]></content:encoded>
      <pubDate>Sun, 07 Sep 2008 03:30:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/store">store</category>
      <category domain="http://securityratty.com/tag/store-object">store-object</category>
      <category domain="http://securityratty.com/tag/complex">complex</category>
      <category domain="http://securityratty.com/tag/model canget complex">model canget complex</category>
      <category domain="http://securityratty.com/tag/model">model</category>
      <category domain="http://securityratty.com/tag/simple">simple</category>
      <category domain="http://securityratty.com/tag/simple economics">simple economics</category>
      <category domain="http://securityratty.com/tag/simple model">simple model</category>
      <category domain="http://securityratty.com/tag/object">object</category>
      <source url="http://www.thecepblog.com/2008/09/07/modelling-shoplifting/">Modelling Shoplifting</source>
    </item>
  </channel>
</rss>
