On bypassing antivirus in practice
The other day this blog ran a link to a news item about a "universal method of bypassing antivirus products". By the time it had passed through the chain of English- and Russian-language copy-pasting journalists, the story had been distorted into such nonsense, incompatible with reason and reality, that I, a specialist in (anti)virus technology, had to read the text twice before I understood what it was about. So I recommend reading the original source. I am not going to comment on the proposed concept; the antivirus vendors are handling that task successfully. The point is different: bypassing antivirus protection is not rocket science that requires a conceptual approach, it is quite commonplace. To illustrate this, I will give a few examples from technological life. The examples are drawn from our favourite little beast, the TDSS bot-rootkit, which has been talked about a lot in recent years. That is not surprising: it is one of the most widespread, technologically advanced and rapidly developing bots. The chart (shown on the left in the original post) gives statistics on the antivirus protection installed on users' computers at the moment of infection with TDSS. Notes to the chart:
A few words about the beast
Launched about two years ago, the TDSS bot-rootkit (also known as Alureon, Tidserv, TDL/TDL2/TDL3+) has quietly multiplied to alarming numbers. Namely:
The fundamental factor behind such rapid and at the same time quiet success is the bet on advanced antivirus-bypass technology. That task has been solved successfully from the bot's earliest days to this day: as antivirus software is updated, so is the bypass technology in the TDSS code, always delighting researchers and "pleasing" the original developers of the protection with its innovations. In fact, throughout its lifetime TDSS has remained continuously out of reach of all existing remedies, including the most popular antivirus products and professional anti-rootkits. Moreover, until recently the bot developed unnoticed, under cover of silence, since it was unprofitable for antivirus producers to publicize a threat they could not cope with. Over the past six months the situation has improved slightly. The standoff continues, and the "big" antivirus products still cannot cope, but specialized cleaning tools have started to appear (Norman TDSS Cleaner, Kaspersky TDSSKiller).

Bypassing antivirus: technical background
From the standpoint of survival, a malicious program faces two major tasks:
Examples of protection-bypass techniques
The techniques are presented in the order in which we encountered them in the evolving TDSS. None of the methods described is as effective now as it was at the time of its appearance.

Example № 1. The system DLL cache
The essence of the technique: the malicious code is placed in the system cache of frequently used libraries (\KnownDlls) and is called from a legitimate system application that uses one of those libraries.
Profit: two birds with one stone: the behavioral protection is bypassed and the personal firewall is avoided. This is possible because the malicious code executes in the context of a system process that is "trusted" by default.
Pseudocode:

```
// 1. Place the malicious code in the cache of frequently used libraries
NtCreateSection("\KnownDlls\dll.dll");

// 2. Provide a jump to that code from a legitimate library;
//    for now, only in a copy of the library on disk
CopyFile("msi.dll", "patched_msi.dll");
WriteFile("patched_msi.dll", <jump to dll.dll>);

// 3. Substitute the library in the cache
NtOpenSection("\KnownDlls\msi.dll");
NtMakeTemporaryObject(...);          // the section is now temporary and can be ...
CloseHandle(...);                    // ... removed
NtCreateSection("patched_msi.dll");  // recreate \KnownDlls\msi.dll backed by the patched copy

// 4. Call a system service that will execute the code: msi.dll => dll.dll
StartService("Windows Installer (msiexec.exe)");
```

Example № 2. The print manager
The essence of the technique is the same as in the previous example: passive injection into a system process. The mechanism differs slightly: the malicious code is slipped to the Spooler service under the guise of one of its official libraries (a print processor).
Pseudocode:

```
// 1. Copy the malicious code into the spooler's working directory
GetPrintProcessorDirectory(...);
GetTempFileName(...);
CopyFile(<self>, <tempname>);

// 2. The Print Spooler service must be running
StartService("spooler");

// 3. Hand the malicious code over to the spooler
AddPrintProcessor(<tempname>);
```

Example № 3. Infection of a legitimate driver
The previous examples illustrate bypassing behavioral protection.
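Both tricks leave a footprint that can be checked without any antivirus engine: Example 1 leaves a section object in \KnownDlls that no file in System32 backs, and Example 2 leaves a print processor whose Driver value is a GetTempFileName() product. The script below is an added example, not code from the original post or from TDSS, and it runs over constructed sample data that imitates what you would collect on a live Windows host: the section names from the \KnownDlls object directory (WinObj or NtQueryDirectoryObject), the value names under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, the file names in %SystemRoot%\System32, and the processors under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors. The sample names dll.dll, tmp1A2B.tmp and winprint2 are invented for the demonstration.

```python
"""Offline checks for the two "trusted process" tricks described above.

Added example, not code from the original post or from TDSS. All input
below is constructed sample data, not a capture from a real host.
"""
import re

# --- constructed sample data --------------------------------------------
# Section names seen in the \KnownDlls object directory ("dll.dll" is the
# Example 1 footprint; ntdll.dll is a legitimate non-registry section).
KNOWNDLLS_OBJECT_DIR = ["kernel32.dll", "msi.dll", "user32.dll",
                        "dll.dll", "ntdll.dll"]
# Value names under ...\Session Manager\KnownDLLs
KNOWNDLLS_REGISTRY = ["kernel32.dll", "msi.dll", "user32.dll"]
# File names present in %SystemRoot%\System32
SYSTEM32_FILES = {"kernel32.dll", "msi.dll", "user32.dll",
                  "ntdll.dll", "winprint.dll"}
# Print processors: name -> Driver value ("winprint2" is the Example 2
# footprint left by AddPrintProcessor(<tempname>))
PRINT_PROCESSORS = {
    "winprint": "winprint.dll",
    "winprint2": "tmp1A2B.tmp",
}

# GetTempFileName() builds <up to 3 prefix chars><hex unique number>.tmp
TEMPNAME_RE = re.compile(r"^.{0,3}[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def unexpected_knowndll_sections(object_dir, registry_names, system32_files):
    """Return the \\KnownDlls section names that are neither listed in the
    registry nor backed by any file in System32.

    Caveat: smss.exe also creates sections for the static dependencies of
    the listed DLLs (ntdll.dll in the sample), so absence from the registry
    alone is not suspicious; having no backing file at all is. A *replaced*
    section (Example 1, step 3: msi.dll backed by a patched copy) keeps a
    legitimate name and is only caught by comparing the section's contents
    with the file on disk, which this check does not do.
    """
    registry = {n.lower() for n in registry_names}
    on_disk = {n.lower() for n in system32_files}
    return sorted(n for n in object_dir
                  if n.lower() not in registry and n.lower() not in on_disk)


def suspicious_print_processors(processors):
    """Return {processor name: [reasons]} for every registered print
    processor whose Driver is not the built-in winprint.dll or looks like
    a GetTempFileName() product. Third-party printer drivers do register
    their own processors, so treat the result as a review list, not a verdict.
    """
    flagged = {}
    for name, driver in processors.items():
        reasons = []
        if TEMPNAME_RE.match(driver):
            reasons.append("Driver matches the GetTempFileName() pattern")
        if driver.lower() != "winprint.dll":
            reasons.append("Driver is not the built-in winprint.dll")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    print("KnownDlls sections with no backing file:",
          unexpected_knowndll_sections(KNOWNDLLS_OBJECT_DIR,
                                       KNOWNDLLS_REGISTRY, SYSTEM32_FILES))
    for name, reasons in suspicious_print_processors(PRINT_PROCESSORS).items():
        print(f"print processor {name!r}: {'; '.join(reasons)}")
```

On a real host the three KnownDlls inputs have to be collected with the same case-insensitive view of names, and the print-processor check should be run for every environment subkey, not only "Windows NT x86".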
Now let us consider how TDSS avoids detection and removal. The approach: minimize the changes made to the system, plus powerful low-level masking of whatever "tails" remain. Since the end of last year TDSS has had virtually no files of its own and no references to itself in the autostart list. The power of the masking comes from the rootkit's filters sitting below the level of all existing anti-rootkit technology.
Example № 4. The "one-step" ("odnoshagovka")
In late April the bot was updated once again: version = 3.273, builddate = 20.4.2010 16:17:53. This time the protection-bypass task was solved by a minimal modification of tooling from the existing arsenal. Namely:
Note that this kind of primitive one-step protection-bypass scheme, as in the last example, is found at every turn in the mass of malicious programs. Such a solution requires neither special genius from the developer nor any particular vulnerability in the defense, and it has a very short lifetime. Complex (as in example № 3) or cunning (examples № 1 and № 2) technology is more typical of well-funded targeted rootkits. The question remains open: has the TDSS team lost its best developer, or a fair share of its funding?..