[SecurityRatty] tag: anti-virus

Anti-Debugging Series - Part I

Tue, 02 Dec 2008 17:56:25 +0000

For those that don’t know, anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process. Typically this is achieved by detecting minute differences in memory, operating system, process information, latency, etc. that occur when a process is started in or attached to by a debugger compared to when it is not. Most research into anti-debugging has been conducted from the vantage point of a reverse engineer attempting to bypass the techniques that have been implemented. Limited data has been presented that demonstrates anti-debugging methods in a high level language that the average developer can understand. It is with this in mind that I hope to begin a series of posts that present some of the methods of anti-debugging in a clear, concise, and well documented fashion. The end goal of this series is to arm developers with the techniques and knowledge that will allow them to add a layer of protection to their software while simultaneous educating reverse engineers in some of the anti-debugging methods used by malware authors today.

Before we delve into the intricacies of individual methods of anti-debugging let’s use this post to define the classes of anti-debugging that we will be discussing. While other classes may exist, the definition of these classes is an attempt to include the majority of anti-debugging methods in use today. There is some overlap between classifications and we may have left out some methods due to limited exposure or effectiveness.

API Based Anti-Debugging
API based anti-debugging is the most straightforward and possibly the easiest to understand for a typical developer. Using both documented and undocumented API calls, these methods query process and system information to determine the existence or operation of a debugger. From single line calls such as IsDebuggerPresent() and CheckRemoteDebugger() to slightly more complex methods including debugger detaching and CloseHandle() checks. These methods are generally trivial to add to an existing code base and many can even be implemented in as few as two or three lines.

Exception Based Anti-Debugging
Exception based anti-debugging is slightly different than your basic API based techniques. Many times when a debugger is attached to a process, exceptions are trapped and handled by the debugger without regard to passing the exception back to the application for continued execution. Occasionally these exceptions can even crash or terminate a process when run under a debugger and be handled gracefully when running clean. It is these discrepancies that makes exception based anti-debugging techniques possible.

Process and Thread Block Anti-Debugging
Some of the API based anti-debugging methods use published functions to query information from within the process and thread blocks for our running code. Many API based detections can be subverted within a debugger by hooking the API call and returning values that indicate a clean process. One way around this subversion is to directly query the process and thread blocks, bypassing the API calls. Direct analysis of the process and thread blocks, while more complex, can lead to a more accurate and high assurance result.

Modified Code Anti-Debugging
One of the methods that a debugger uses to signal a breakpoint is to insert a break byte into the running code at the location that it wishes to stop execution. The process execution breaks when this value is seen, giving control to the debugger. When the program is resumed, the breakpoint value is removed and replaced with the original byte, the execution backed up one byte, and the program is resumed. Detection of software based breakpoints can be achieved by analyzing the process for modifications from the expected norm.

Hardware and Register Based Anti-Debugging
A second way that a debugger can break the execution of a process is by using a hardware breakpoint. A hardware breakpoint relies upon CPU registers to store the pertinent information and to detect when the target break addresses are seen on the bus. A break interrupt is triggered at the appropriate time based on these register values. Reading or modifying the hardware can allow for the detection of a debugger.

Timing and Latency Anti-Debugging
Finally timing and latency can be used as an effective anti-debugging method. When executing a program within a debugger, specifically when single stepping, a much larger latency occurs between execution of instructions. This latency can be detected and compared against a reasonable threshold to detect the existence of a debugger attached to our process.

Each of the classes of anti-debugging outlined above has merit when used individually to protect a process. While none of them can be assured to ever protect a program from a determined reverse engineer or debugger, implementation of these techniques (or many of them if appropriate) can sufficiently slow down the debugging process and hopefully make the attacker spend his time on other, easier, ventures. In the remainder of this series on anti-debugging we will review in depth some of the more interesting methods of each of the above classes. So bring along your debugger and your development environment and let the games begin.

Yet Another Web Malware Exploitation Kit in the Wild

Tue, 02 Dec 2008 03:24:43 +0000

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications, claiming copyright over the modified and re-branded kit, the source code of core web malware exploitation kits continue representing the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring ongoing communications between sellers and buyers reveals actual attempts of intellectual property enforcement in the form of exchange of flames between an author of a original kit, and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit there is available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and js obfuscation techniques, doesn't require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticable exceptions to the common wisdom that time-to-underground market isn't allowing them to innovate, but thankfully, these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic management coming from the SQL injected or malware embedded sites is automatically exploited with access to the infected hosts or to the traffic volume in general offered for sale under a flat rate, or on a volume basis.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale is all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild

Lenovo arms ThinkPads with Intel's built-in security

Tue, 02 Dec 2008 02:00:00 +0000

Lenovo Group said that its ThinkPad T400 laptop computers will now ship with anti-theft technology from Intel and Absolute Software built in.

Microsoft purges phony security software from 1 million PCs

Fri, 21 Nov 2008 02:00:00 +0000

Microsoft said that the anti-malware tool it pushes to Windows users as part of Patch Tuesday removed fake security software from nearly a million PCs over nine days this month.

MS AV Out and Free ... Uh-Oh

Wed, 19 Nov 2008 10:44:00 +0000

With headlines like "MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS choose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."

Political Changes for IP Law and Technology

Wed, 19 Nov 2008 08:48:09 +0000

Naturally with the economic turmoil and political transition, some changes are in the works for the way technology is governed on a Federal level:

For one thing, the House Judiciary’s Subcommittee on the Internet, Courts and IP will be losing its control over IP Law, which will be handled at the full House level in the future:

According to a committee aide who spoke with Ars on background, the decision was driven by simple numbers: as interest in IP issues has grown in recent years, so has the SCIIP. Handling them at the full committee level allows all the members to get their fingers in the pie. The swap also recognizes the complexity of legislation affecting IP, and avoids the need to get half the Judiciary Committee caught up with the subcommittee’s discussions.

Instead the Subcommittee will reign over anti-trust issues–some fear that this will be a victory for content holders, while other experts argue the fears are unfounded.

What other changes are in the works, and who will play the largest role in determining the future of technology law? Well, if you have some ideas, you can nominate yourself or other people for Ars Technica’s “People to Watch” list.

Microsoft dumps OneCare, slates free security software for '09

Wed, 19 Nov 2008 02:00:00 +0000

Microsoft will dump its Windows Live OneCare consumer security software next year and instead give away revamped, streamlined anti-malware software that it's calling "Morro."

New Web Malware Exploitation Kit in the Wild

Wed, 19 Nov 2008 01:15:01 +0000

Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any signification differentiation factors besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed for novice users, despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics obtained in an OSINT fashion always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits.

Chertoff: We're Closing that Boarding-Pass Loophole

Mon, 17 Nov 2008 15:57:00 +0000

Five years later, the Department of Homeland Security gets around to fixing a security hole that allows people to easily fly under an alias, bypassing anti-terror name screening.

Apple plays catch-up, ads anti-fraud safeguard to Safari

Fri, 14 Nov 2008 02:00:00 +0000

In an update to its Safari Web browser, Apple on Thursday patched several security flaws and added anti-phishing protection -- making it the last major browser to receive the feature that blocks known identity-stealing sites.