'Last-minute' presentations
16:20 - 16:40 Roel Schouwenberg Kaspersky Lab
16:40 - 17:00 Kurt Baumgartner PC Tools
Technical stream: Thursday 20 September 2007, 14:00 - 14:40.
16:20 - 16:40 Roel Schouwenberg. Targeted Banker malware on demand
Recently I had to do some research into a specific piece of banker malware.
These days banker malware is extremely common. However, as the research progressed this targeted attack became more
and more interesting.
In my presentation I will give an analysis of the malware package.
It concerns a trojan which has functionality such as spying on the URLs the user is visiting and downloading files
on command.
When visiting HTTPS sites the trojan will download an HTTPS traffic logger to capture and send the captured traffic
to a specific server.
The Trojan does this for a very specific reason.
It allows the authors of the malicious code to more easily create malware dedicated to a single bank - the bank
the infected machine visits. Truly 'malware on demand'.
By using this approach it also becomes a lot easier for the malware authors to create banker trojans that aren't
stopped by two-factor authentication.
To top it all off the trojan also includes file infection functionality that is becoming popular again these days.
Note: Certain details may be obfuscated due to confidentiality concerns.
16:40 - 17:00 Kurt Baumgartner. Storm - Malware 2.0 has arrived
The evidence of a major shift in the world of malware continues to build with the ongoing Storm threat. The
distribution and development activity and underlying behaviours displayed by this multi-layered threat lead us
to declare 'Malware 2.0' has arrived indeed. This threat and the characteristics that it embodies are significant
because it arguably has eclipsed any other threat in terms of volume, distribution activity, and its constant
state of change. The code is interesting, and the effort behind the malware currently is alive and kicking.
The best brief description for the Storm threat is 'constantly changing'. The social engineering in its messages,
the sophisticated kernel level code containing its code injection techniques and AV kill methods, its browser
exploits and various shellcode have all changed for this threat in multiple ways since its inception. Even the
binaries downloaded from its malicious web sites change with each and every victim's download - they are always
repacked.
Also characterizing this threat is its use of 'the network as platform', appropriation and sharing of exploit code
and shellcode, its parasitic use of the user as contributor, its own perpetual beta, and a highly interactive
and rich set of malicious deliverables.
In our presentation, we will examine how this threat embodies these characteristics by reversing multiple
generations of its always changing binaries and web content, examining disassembly listings and monitored behaviour
of both its kernel level code and user level threads, its old and new exploits served up in web content, its
changing shellcode, and its social engineering. We'll provide details of its drivers' KeInsertQueueAPC injection
technique alongside its placement of system hooks and memory writes from the kernel. We'll reverse its
kernel-injected p2p threads, make note of its system component lockdown to neutralize specific security tools
and describe its effective kernel level AV termination techniques. We'll walk through the threat's web
server-side browser decision tree and how we created it. Finally, we'll decode its obfuscated web content
and examine a couple of browser and plug-in vulnerabilities it targets based on its server-side decisions.
We'll describe the shellcode's format and decode the newest 'proactive solution'-evading download and exec
shellcode within, compile it and step through it in order to explain and display its stack manipulation and
camouflaged return location techniques and their purpose. We'll compare it with the original Storm threat
shellcode.
When compared to the older techniques of Malware 1.0, we see a whole new attitude behind the malware effort,
and the crystallization of an ongoing major shift for malware in the wild.