Saturday, April 28, 2012

Interview: Flashback and the mechanics of a malware

The recent return of the malware in the news Flashback handed in before the security issues around the Mac. 

But there are other interesting aspects in this issue: how to operate this type of software, what are the methods used by publishers to analyze them and how can we explain some variation in the numbers of reported infections. 

Questions were answered Philip Devallois, Senior Security Analyst at Intego, and as such responsible for their laboratory.

MacMyth: In what ways it can be installed?

Philippe Devallois: There basically three types of facilities:

1 - older versions used a fake installation package posing as Flash, hence the nom.

2 - a system using two Java flaws, without user intervention and through infected web pages (for WordPress blogs essentially).

For these variants, any request of the administrator password is required. The software is installed in the directory of the current user. Very stealthy! But very uselessness, because he injected code in all applications or binaries launched by the user or by launchd in the user session. This is also why as users began to have doubts, and manifested themselves on the Apple support forums (launchd is a system startup program that will run daemons - small software running back -plan - or the user-visible applications, ed). After these crashes, the criminals have therefore compiled a list of applications that, if present on the machine, did not allow the installation of malware.

At this stage it is important to identify the components of this malware: the Java applet on infected sites is not in the ordinary sense a Trojan. That is to say he does not go for something else in the eyes of a user. This is what we call a "drive-by download", it does not require a user intervention. For example, you visit a website - even quite respectable - that has been previously infected. In the usual course of trade data and execution of scripts (Java, Flash, JavaScript ...) between the site and your browser, malicious code will take advantage of a flaw, either in the browser, or in one of its plug-ins, and settled quietly on your computer.

This binary, installed and run by the Java applet is a "backdoor" (a backdoor, ed). It plugs into the back of the user that is called a control server (Command & Control, in the jargon). In this case, a software firewall is useless to detect its presence. Only tools blockages of communication beyond the computer can detect this activity. Finally, the behavior of the third component is to be viral, it will dynamically inject its code into other applications launched by the user.

There are also various forms of viruses: there is the classic that infects files. Only OSX / Macarena and OSX / Leap. The (discovered in 2006) responded to this type of virus that is the best known. Then there is the injector process in memory. Very discreet, this type of virus is spreading in systems where the code injection is permitted (Unix ...). Flashback, in its latest version, one of them. Finally, it was the companion virus which does not combine the infected binary code, but that is executed at the same time.

3 - The last mode installation requires the Java numbered famous flaw CVE-2012-0503. It is operated by the latest versions of Flashback. If the Mac had no network security utility, or debugging tool Xcode developer as this, an administrator password was asked to install an injector code in Safari. But even with the presence of these obstacles, the backdoor code was installed in the Library folder> LaunchAgents active user.

Which leads to correct some statements made recently. Once the Java applet launched, the Mac is infected, even if a tool like VirusBarrier (or Office and Skype as we have read) is installed. The difference is that in one case a password is requested using a window-type updates for software, and in the other cases, no.

What is the point? We wait quietly that security software be disabled by the user to regain control and continue the installation.

In this case, the window software update with the request password is a Trojan that installs a virus (the injector code). But only a Safari virus in the samples I had. If a security application is installed, no password is requested, and then the component installed by the Java applet is a simple backdoor, invisible to the user. 
 MacMyth: Once installed on a computer, what does it precisely?

It depends on the variants. The latest Google forged requests as soon as the user was browsing a site, in order to artificially increase traffic statistics that are monetized. Some Web queries were filtered and others were redirected to ad pages. There was an injection of JavaScript into the pages received by the user to return to the browser page addresses or websites monetized.

The authors of this malware have also full control of infected Macs and can install and run new native OS X code, via the process of updating Flashback. I watched in one of my virtual boxes (an OS X running in a VMware machine), a binary shell was installed and a malefactor executed shell commands on this virtual machine, to fast to notice the deception ( we can see these virtual machines like goats tied to a stake ..., ed). I think the person at the other end had a doubt about the infection ... and realized he was right.

MacMyth: Does Flashback hit 600,000 machines as stated Dr.Web from his extrapolations?

I'm sure not, for example the UUID (universally unique identifiers) of some VMware virtual machines is used to test infections were included in the stats of Dr.Web.

MacMyth: But how can we explain other figures, such as Symantec this week showed an increase in the number of infected machines. He bases this projection on its pool of machines that are used as bait. Within 24 hours we pass an evaluation of 600 000-380 000 machines - this is before the tools are common antiFlashback - with decreases much slower once Apple has responded.
The analysis that I do is a personal interpretation: the malware is a query on the domain calculated the day; it will be for example "iwuyrvtylnojde" which he adds is. Com,. Info,. Net or. Kz and dug at random from a predetermined list. It is from these addresses that the malware will seek if a server able to provide instructions.Symantec has purchased the domain names ". Info" for the next 15 days. But another company has purchased the side of his. "Com". The malware starts sending its encrypted query on "iwuyrvtylnojde" with the ending chosen randomly. If the server responds correctly, it ends there. Otherwise, it makes a request on another field or random Info or. Net or. Kz.Donc if the "honeypot" drawn primarily responds well and that's it. Com, Symantec will ever see requests from infected Macs. I think this is what happened between 9 and 10 April.

With two jars of honey, the odds are normally divided by 2, or going from 600K to 380K, roughly half ... Another "sinkholer" appears tomorrow in Russia - is that of Kaspersky or DrWeb - (the interview was conducted over the week, ed), so that there should divide their results statistically by 3. This method called "sinkhole" is good, but when you're all alone to use it.

We must also consider the "freshness" of malware samples you work with. This April 19 I got one in my virtual box that contacts a domain name that is not the one announced at Symantec. We can conclude that they have ancient samples, and not the latest, which will consequently affect the estimated number of infected computers.

MacMyth: What is the relationship between Apple and publishers specializing in security software? D.Web eg alleged that they operate in isolation, contrary to Microsoft where the interlocutors are clearly identified.

I am in constant contact with the group of Security Products from Apple. Besides, this is what they are asking all vendors of security. So things are moving forward for all users.

Frankly, I find them very efficient from the moment they have the right information. They have quality processes that take time, but who can blame them? That said, they worked so impressive when they took samples Flashback hands.

To give an idea of
​​the difficulty of the task, the latest variant amounted strings in the code with the UUID of the infected Mac. This binary could not be deciphered if we had this ID. On the other hand, stepping through the binary in a debugging tool does not work either for the same reason. So the exchange of samples between traditional antivirus vendors no longer sufficient.

It took also share information UUID to analyze the functioning of the many variants produced in a few weeks. Everyone did not have to really help Apple in recent months and yet to develop a component repair, we must be sure we have all varieties ... We all work in a hurry, but with very thorough testing procedures. Without our linked interventions, this threat would have done much more damage.

MacMyth: How is it that Russian publishers are so cutting edge in this case? How is it also that the domain name as the publisher Kaspersky found in the code and he bought Flashback to analyze the communications of the malware was available for sale?

Intego not trying to make news on all threats, especially those which are redundant as Flashback in one form or another for over a year. This does not mean that threats are not taken into account in defense products. For Flashback, VirusBarrier has always had a head start on the alternatives and has always recognized at least one component of the new variants, which helped block the installation and communication with the control server. These detections are made by the dynamic behavior of malware.

For these domain names of sites that have been purchased, the French law is very restrictive. Buy a domain name that is used by malware may be considered objectionable. In the East, perhaps it is tolerated for the fight against crime?

Flashback uses a different domain name per day, so you can get infected machines, in case the main control server is unavailable. There is also, as has been written, a process of regaining control via Twitter. The malware will seek instructions on Twitter to see what to do. However it will not question a particular Twitter account (which can be identified and closed), but keywords (hashtags) that consist of sequences of benign figures.

Kaspersky and Dr.Web (since others have also) bought the domain names of several days to see how they got connections with infected machines, then they used a set of methods for observing activity of this malware:

- Macs constantly switched on during this test period, no spyware to block communications without filtering their Internet providers;
- The Mac OS X virtual, a process used by all antivirus vendors;
- Researchers who tested manually or automatically using tools;
- And what is being discussed: the presence of Windows machines in these stats. I refute something, there is that Mac. Flashback purposely put in his packet of fake HTTP headers UserAgent Windows.

Anyway I think that their method can only give a trend, not specific numbers of infection. And as we grilled by servers Flashback to each infection, one is obliged to conduct further tests to make a new couple IP address / ID of the machine. How much is it mean in the stats related to Flashback? I do not know the words. If Dr.Web and Kaspersky had given us the basis, we could eliminate a lot of false positives from our machines at Intego.

MacMyth: If you step back on the malware detected since put a year, is that they were mostly functional and in operation, or are we still in the stage or their authors are hand with the Mac platform?

They are already very complicated and sophisticated, code injection is technically difficult to master. Exploiting loopholes Java (and now Word for OSX / SabPab) is also a difficult exercise.

Ultimately, they have a good knowledge of OS X and adapt very quickly to gates that are placed in their way. We must in our laboratories to be very dynamic and a little more work than 35h to anticipate their attacks ...

From the moment you publish a security alert, accompanied by a range of broad-spectrum vaccines generic in our scanners, the Apple community, very reactive, becomes very suspicious. Our users send us their samples detected by generic, one only has to confirm. It was a stroke ahead of the malware variants. The authors of this malware have to adapt very quickly or give up.

MacMyth: What are the motivations of perpetrators of such malware?

We often speak of opportunity to steal files from one hard drive, but is it that there is not much more discrete activities, simpler and that can making money quickly. There was talk of this artificial creation of visits to sites to withdraw money from these passages.

These gangsters do not do this for fun or for the hacker spirit. There are necessarily several motivations: money that can be obtained by sending users to sites with infected machines, there is also the ability to have a network of computers controlled to conduct Denial of service attacks against sites it is blocking, controlling the sending of spam from the infected computers, and then of course espionage personal information (or business) with the aim of monetizing .

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.