pinkslipbot a deep look at how malicious code adapts and
play

Pinkslipbot: A deep look at how malicious code adapts and evolves - PowerPoint PPT Presentation

Jun 29, 2023 •460 likes •662 views

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware Researcher Anti Malware Operation Team Know Your Enemy Server-side polymorphic worm. EXE and DLL modules First seen around 2007 Features

  1. Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware Researcher Anti Malware Operation Team

  2. Know Your Enemy • Server-side polymorphic worm. EXE and DLL modules • First seen around 2007 • Features common backdoor functionalities • Spread method • Compromised webpages with injected code • Network shares (exploits included!) • AutoRun (mostly old variants) • Spam E-mail attachments (old variants) • No known source code available • Very effective in local corporate networks due to spread methods • This received attention from the media last year http://www.techweekeurope.co.uk/news/nhs-computers-hit-by-qakbot-infection-6636 http://www.bankinfosecurity.com/breach-may-have-targeted-jobless-a-3655 http://www.infosecurity-magazine.com/view/18164/qakbot-author-is-no-crackpot- says-symantec/ • Actively developed over the years 2

  3. Pinkslipbot historic data • Outbreaks follow defined pattern • Interim time used for development • Major code change around 2009 improved effectiveness • But that had its consequences: too much attention! • Low profile lately. • Major code change in sight? 3 June 14, 2012

  4. Pinkslipbot historic data This Google Maps view shows reported infections by Pinkslipbot in 2011 2009 2010 2011 2012 4 June 14, 2012

  5. Pinkslipbot network model 2009 2010 2011 2012 5 June 14, 2012

  6. Pinkslipbot network model hostrmeter.com:31666 up002.cn adserv.co.in up004.cn up01.co.in up02.co.in upa01.in nt14.in incitylocal.com www.cdcdcdcdc2121cdsfdfd.com ppcimg.in du01.in yimg.com.ua du02.in corpgift.in yimg.com.ua soros.in.ua citypromo.info googstat.info w1.webinspector.biz 109.95.114.252 bgstat.in abirvalg.co.in a.rtbn2.cn redserver.com.ua:31666 nt202.cn 69.175.80.89:21 c.rtbn2.cn up002.cn spotrate.info 195.3.145.32:8080 www.cdcdcdcdc2121cd adserv.co.in karnadya.com.my sfdfd.com up004.cn flwest.com www.cdcdcdcdc2121c ijk.cc falahuddarain.com dsfdfd.com w1.madway.net silfersystem.com Irc.zief.pl:65520 w1.rstk.us gemini.com.co 2009 2010 2011 2012 6 June 14, 2012

  7. Pinkslipbot prehistory • Packer/Obfuscation varies wildly • Some samples with strings in Russian • Samples were small (~14KB-45KB) • Configuration uses Rolling-XOR encryption called SXOR by virus authors • Spread methods included spam with zipped DOC attachments • Default password ‘ Hello999W0rld777 ’ • Infection count low • Group behind it is not well organized yet 2009 2010 2011 2012 7 June 14, 2012

  8. Pinkslipbot – Q1 2010 • Many samples using custom packer • Client side polymorphism • Wild variety of code seen in samples • Apparently the group behind Pinkslipbot attempt major rework of code • Seems they were not successful 2009 2010 2011 2012 8 June 14, 2012

  9. Pinkslipbot – Q2 2010 • File obfuscation start to look like those used by Zeus • Starts to use server-side polymorphism • Almost no changes since 2009 • Reverted to old code • Users of the following banks were targeted: 2009 2010 2011 2012 9 June 14, 2012

  10. Pinkslipbot – Q2 2010 2009 2010 2011 2012 10 June 14, 2012

  11. Pinkslipbot – Q3/Q4 2010 • Major code change. Base for today’s version • EXE keep DLL alive in processes • Adds features to steal digital certificates • Download BackDoor-EXI, fully featured backdoor • Pinkslipbot begins to disable AV by changing NTFS ACL permissions Infected Clean 2009 2010 2011 2012 11 June 14, 2012

  12. Pinkslipbot – Q3/Q4 2010 • Change in network infrastructure to bulletproofed servers in Ukraine • Stolen data sent to FTP server • Able to infect HTML files (.asp, .pl, .php, .htm, .cfm) with <script> code • Users of the following banks were targeted: 2009 2010 2011 2012 12 June 14, 2012

  13. Pinkslipbot – Q1/Q2 2011 • Starts to use UPX + second-level obfuscator • Social Engineering: AutoRun variant uses folder icons • DLL component and configuration now comes embedded in EXE resource section • Users of the following banks were targeted: 2009 2010 2011 2012 13 June 14, 2012

  14. Pinkslipbot – Q1/Q2 2011 • First variants featuring user-mode rootkits • Used to protect the main EXE and to hijack IE functions iphlpapi.dll!GetTcpTable ntdll.dll!NtQuerySystemInformation iphlpapi.dll!AllocateAndGetTcpExTableFromStack ntdll.dll!NtResumeThread WS2_32.dll!connect kernel32.dll!GetProcAddress WS2_32.dll!send WININET.dll!InternetCloseHandle WS2_32.dll!WSASend WININET.dll!HttpOpenRequestA WS2_32.dll!WSAConnect WININET.dll!InternetReadFile ADVAPI32.dll!RegEnumValueW WININET.dll!InternetQueryDataAvailable ADVAPI32.dll!RegEnumValueA WININET.dll!HttpSendRequestA USER32.dll!TranslateMessage WININET.dll!HttpSendRequestW USER32.dll!GetClipboardData WININET.dll!InternetReadFileExA USER32.dll!CharToOemBuffA 2009 2010 2011 2012 14 June 14, 2012

  15. Pinkslipbot – Q3/Q4 2011 • Intense development cycle • Not very effective in customer networks • Hints that they might be targeting specific AV features • First stolen digital certificates being used in binaries • Change in SXOR encryption for configuration file • New heavy encryption layer added 2009 2010 2011 2012 15 June 14, 2012

  16. Pinkslipbot – Q3/Q4 2011 2009 2010 2011 2012 16 June 14, 2012

  17. Pinkslipbot – Q1 2012 • Obfuscator looks more and more like that used by Zeus variants • Virus activity under control • Activity from update server: Unique samples from yimg.com.ua 30 25 20 15 10 5 0 2011-03 2011-04 2011-05 2011-06 2011-09 2011-10 2011-11 2011-12 2012-01 2012-02 2012-03 2009 2010 2011 2012 17 June 14, 2012

  18. Future (Current) Developments • New variant showing up week prior to this conference • New obfuscation, same as many Zbot variants • Doubled number of affected banks • Change in behavior: � DLL module is directly injected in memory (no file on disk!) • Future developments • Improved rootkit • More anti-AV features • Change in spread method • Interaction with other malware families • Partner with another backdoor or integrate in its own code • Code integration with Zeus 2009 2010 2011 2012 18 June 14, 2012

  19. Acknowledgments • McAfee Labs Threat Advisory • https://kc.mcafee.com/corporate/index?page=content&id=PD22960 • McAfee Labs Sample Database Team • Personal Communication (McAfee Labs): Abhishek Karnik, Mark Olea, Srinivasa Kanamatha, François Paget • For contributions during preparation of this report: • Jacomo Dimmit (Team Cymru) • Ivo Peixinho (Brazilian Federal Police) Guilherme_Venere@mcafee.com @gvenere 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

2005-10-12 Malicious Code an Increasing Problem Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads universitet DAV C19 Applied Security 2 Datavetenskap 2005-10-12 Datavetenskap 2005-10-12 Media

442 views • 7 slides
Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

381 views • 20 slides
Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses

624 views • 40 slides
Vulnerabilities: Malicious Code Class 10 P&amp;P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&amp;P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&amp;P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011 Announcement Presence sheet Solution to Homework 2 is out Grades will follow 2 CIS-5372: 9.Nov.2011 What Did We Cover Before ?

1.02k views • 71 slides
CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

638 views • 16 slides
CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

347 views • 33 slides
Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal Technical Consultant Verdasys, Inc. Background Organizations are confronted with troubling developments the malware problem phenomenon

581 views • 27 slides
Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory

Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory

Adi Hayon Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory in a remote process (and write to it) Executes the code in that memory region Frees the code Memory dump taken at the end of

373 views • 22 slides
Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for Networks and Trap doors System Software Logic bombs May 12, 2002 Worms Examples Lecture 11 Lecture 11 Page 1 Page 2 CS 239,

234 views • 12 slides
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

638 views • 52 slides
Concurrent mode Prabashwara Seneviratne (bash) Before we start Disclaimers In a nutshell What

Concurrent mode Prabashwara Seneviratne (bash) Before we start Disclaimers In a nutshell What

Building responsive web apps with Concurrent mode Prabashwara Seneviratne (bash) Before we start Disclaimers In a nutshell What is it? For react, this the ability to work on multiple state updates at the same time Incremental Adoption

572 views • 17 slides
Google &amp; Facebook: Alliances with intelligence to make privacy obsolete Matthaus Litteken

Google &amp; Facebook: Alliances with intelligence to make privacy obsolete Matthaus Litteken

Google &amp; Facebook: Alliances with intelligence to make privacy obsolete Matthaus Litteken CS 305 Google Ties To CIA Robert David Steele - Google took money from the CIA when it was poor and it was starting up. In June 1999,

449 views • 17 slides
Oracles Thus Far Bitcoin Ethereum Recap Bitcoin Script: Dest Address in UTXO

Oracles Thus Far Bitcoin Ethereum Recap Bitcoin Script: Dest Address in UTXO

Oracles Thus Far Bitcoin Ethereum Recap Bitcoin Script: Dest Address in UTXO Timelock What else? Recap Ethereum Smart contracts Examples? Real-World When the temperature hits XF, pay $. When player X

682 views • 45 slides
Automated and Scalable QoS Control - For Network Convergence Wonho Kim (Princeton Univ.) Puneet

Automated and Scalable QoS Control - For Network Convergence Wonho Kim (Princeton Univ.) Puneet

Automated and Scalable QoS Control - For Network Convergence Wonho Kim (Princeton Univ.) Puneet Sharma, Jeongkeun Lee, Sujata Banerjee, Jean Tourrilhes, Sung-Ju Lee, and Praveen Yalagandula (HP Labs) 1 Motivation Why do we care about QoS

408 views • 36 slides
ICEBERG and PD in ICEBERG: News and plans for run 2C and after Carlos Escobar 12/17/19

ICEBERG and PD in ICEBERG: News and plans for run 2C and after Carlos Escobar 12/17/19

ICEBERG and PD in ICEBERG: News and plans for run 2C and after Carlos Escobar 12/17/19 Extensive work on cryogenics and electrical installation both CE and, to a lesser extent, PD. From Shekhar s scheduling wiki:

269 views • 3 slides
Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats

Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats

Identifying and Tracking Disinformation during the May Michael Baldassaro Digital Threats Project Lead 2019 South Africa Elections The Carter Center Prepared for The Workshop on Comparative Approaches to Disinformation Analytical and

253 views • 8 slides
Local non-Bayesian social learning with stubborn agents Daniel Vial, Vijay Subramanian ECE

Local non-Bayesian social learning with stubborn agents Daniel Vial, Vijay Subramanian ECE

Introduction Model Learning outcome Adversarial setting Related work Local non-Bayesian social learning with stubborn agents Daniel Vial, Vijay Subramanian ECE Department, University of Michigan Introduction Model Learning outcome

458 views • 20 slides
Working with Humans Effects and Ethics Some effects to be aware of when doing human-subjects

Working with Humans Effects and Ethics Some effects to be aware of when doing human-subjects

Working with Humans Effects and Ethics Some effects to be aware of when doing human-subjects research. The role of ethics in evaluating interfaces with the help of human subjects. Hawthorne Effect The basic idea behind the Hawthorne Effect

683 views • 12 slides

More recommend