It’s titled, Old wine in a new bottle: Why new variants of old malware keep slipping through.
We’ll drill down on TDL4 and SpyEye in particular, discussing how new variants
have low detection rates despite all the advances in behavioral signatures, and how live memory analysis and other techniques such as code injection tracking are key to detecting any and all variants.

Bookmark www.securabit.com and or check it out on iTunes.

By incorporating the Bit9 GSR, ECAT provides the broadest
available software reputation service to its customers

Montreal, QC, — February 15, 2012 — Silicium Security, the provider of ECAT advanced malware detection, today announced that it has partnered with Bit9,
to give ECAT enterprise customers integrated software reputation services within
the ECAT console. ECAT enterprise customers will now be able to easily identify
the trustworthiness of software files running in their environments using the
Bit9 software reputation service.

By leveraging Bit9’s GSR, ECAT’s advanced malware detection can incorporate reputation results for every file against the GSR database of more than 8 billion files, the industry’s largest. This provides a fast, efficient method for flagging files that are known already to be benign, allowing the analyst to focus on the unknown threats that ECAT can identify but antivirus might miss, including Advanced Persistent Threats (APTs).

The Bit9 Global Software Registry™ makes it easy to identify and authenticate software files through a fast, on-demand service. There is no other single source of information that could provide such broad coverage and in-depth knowledge about the world’s software. “With ECAT we focus on finding the most difficult-to-detect, potentially damaging malware like advanced persistent threats that are targeted at enterprises with the most intellectual property to lose. The Bit9 GSR enhances our detection and analysis capabilities by identifying the known good software files and reducing the time it takes for investigations,” said Chad Loeven, Silicium Security’s VP of Sales and
Marketing.

“Our software reputation service, the Bit9 GSR, allows Silicium Security to quickly incorporate application metadata into ECAT to weed out known good files so ECAT can concentrate on potential advanced malware,” said Doug Cahill, vice president of business development at Bit9.

The full press release is here:

http://www.prweb.com/releases/2012/2/prweb9198336.htm

About Bit9

Bit9 is the global leader in advanced threat protection and server security. Bit9 protects customer’s Intellectual Property by providing innovative, trust-based solutions to detect
and prevent Advanced Threats.  The company protects the world’s leading brands.

Bit9 is privately held and based in Waltham, Mass. For more information, visit http://www.bit9.com, follow us on Twitter @Bit9 , Facebook and Google+, or call +1 617.393.7400.

About Silicium Security

Since 1999, Silicium Security has been delivering innovative enterprise security solutions
to a world-wide customer base that includes government, corporations and public
institutions. Today, we are recognized for our signature-less malware detection
and unique approach in protecting strategic corporate information residing on
Windows-based computer installations. Silicium’s flagship product, ECAT, was
introduced to the market in 2007 and set the standard for enterprise compromise
assessment and threat detection.

The full conference info is here and we’ll be at booth 340. There’s a handy floor plan if you want to plan your route. Drop by and see us, and see what’s new with a sneak preview of ECAT V.3.3

At a glance, the results are impressive in relative terms compared to the competition. However, things get a little more clouded when you drill down to the absolutes of what is getting detected. The first sign of trouble is in the overall detection rates on page 6 of the report . Kaspersky certainly fares well at a 97.4% detection rate, pipping McAfee at 96.8% and getting pipped by BitDefender at 97.7%. But 97.4% on this test (against a corpus of confirmed malware) means that 2.6% of known malware will slip right past no problem. Let’s put that another way: approximately one time in 40 known malware will slip past onto your desktop even if you are running the best AV in the market.

To use a hockey analogy (we are Canadian after all), AV is the goalkeeper, malware is an agressive forward taking lots of shots at the net. The goalkeeper has to stop every shot, the forward just needs to get one and only one in.

Still, maybe you can live with those odds. But if you’re a bit concerned about that, keep going to page 7 and the on-demand proactive test. This is a test specifically on new and unknown (i.e. no signature exists yet) malware. The stuff you should worry about, that more likely slipped through perimeter defenses before hitting the desktop or server. Here, Kaspersky scores just 57.6%. They were topped by Avira at 60.7%. For an enterprise that gets targeted attacks, fully 42.4% of new threats will settle on your desktop, AV nowithstanding. Worse, those stats include false positives. Avira’s slightly higher detection rate was offset by its’ higher FP rate.

To be clear, we’re still not suggesting you ditch your AV, quite the contrary, per this blog post. And we’re certainly not knocking a particular AV vendor, any more than we did Symantec in a previous post.

To stretch the hockey analogy rather painfully though, just as NHL teams have enforcers to bring down goal-scoring forwards, make sure you’ve got an enforcer like ECAT on your desktops and give your goalie a break.

For a whitepaper on ECAT or to request more information, please click here

We’ll be following up in future posts with more analyses using ECAT and posting videos on our Youtube channel that you can subscribe to here.

For a whitepaper on ECAT or to request more information, please click here

My talk at ToorCon San Diego 2011 from Andrew King on Vimeo.

Like Stuxnet, when Duqu was first exposed there was low to no AV detection. So let’s see how things would have turned out in a hypothetical situation where an endpoint was compromised by Duqu and it was scanned by ECAT. Please note that the ECAT sanning process can take place on thousands of hosts at the same time.

Duqu - Initial scan with ECAT

Here, we can see highlighted a MSL (Machine Suspect level) of 89. Normally base lining standard configurations would give a MSL of 0 for uncompromised machines. With or without that baseline we can consider anything above 30 indicative of a serious compromise. However, it’s interesting to note that Duqu’s rating of 89 compares to 105 with Stuxnet.  This isn’t entirely surprising as the version of Duqu we tested does less than Stuxnet, most importantly it doesn’t have any propagation capabilities.

Processes and floating code

Next, we drill down into the running processes. Three processes – all lsass.exe – show suspect levels indicating compromise.  Right out of the gate it’s suspicious to have lsass.exe loaded 3 times. In an uncompromised system we would expect to see it only once. What we also see here is floating code or where what is in memory doesn’t match the image on disk (image mismatch). This means that Duqu managed to replace lsass.exe code in memory while the OS still believed the original lsass.exe was loaded. This method is very effective because it uses a trusted process to hide the malware presence and appear as legitimate to installed security products.

Note that ECAT flags the file as suspicious when a Microsoft file that would normally be
digitally signed is found unsigned with an identical name.

Duqu – ECAT console view of floating code

Duqu and DLLs

Next, we scroll down the list and look at DLLs. The scan overview highlights several processes that were injected with malicious DLLs, raising their Suspect Level:

Duqu - ECAT console view of DLLs

Since the lsass.exe process has been tampered with by Duqu, ECAT reports a high Suspect Level everywhere it is configured to run. We can also see Duqu’s driver (cmi4432.sys) configuration.

Duqu – LSASS and driver config

Duqu, son of Stuxnet?

When we look further down into the “Inline Hooks” section, this is where it gets particularly interesting. Duqu hooks a number of ntdll function calls, exactly like Stuxnet.
Referring back to the equivalent section in our Stuxnet analysis http://www.siliciumsecurity.com/stux illustrates why there’s a compelling case the two are related.

Duqu - ECAT console view of Inline hooks

Drilling down on one of hooked processes, we can see in the code parser the “before” and “after” view of what the original code was, and what the code looks like after the process was hooked and malicious code was injected. Stuxnet used a slightly different approach to perform its inline hook. Duqu modifies the address moved to eax and directly jumps to it. Stuxnet instead modifies the address moved to edx a few bytes further and uses a Call statement.

Duqu - Code parser view of injected code

The technique used by Stuxnet is more effective for bypassing memory analysis tools that are detecting hooks by looking for a jump at the beginning of the function. As shown here though, this is ineffective against the ECAT scan.

Suspicious Threads

Scrolling down further to Suspicious Threads, this category confirms that not only injected DLLs are present in the system but threads are actually running within the injected code. Also, other blocks of independent floating code, not linked to any floating DLLs, are found in the memory associated with these processes, i.e. running in live memory when the process is running.

Duqu - ECAT console view of suspcicious threads

Conclusion

The ECAT scan confirms the machine is compromised, but that this version of Duqu at least is less virulent than Stuxnet. From this analysis, we can’t say if Stuxnet and Duqu have been created by the same authors. We can say that both have some unusual traits in common.

Regardless of who created each one, we can expect that other malware using the same code base will eventually be circulating in the wild and that proper detection mechanisms must be put in place to thwart them.

We owe a special thanks to Frank Boldewin for sharing his initial work on understanding the Duqu configuration and startup mechanism.

We’ll be following up in future posts with more analyses using ECAT 3.2, and posting videos on our Youtube channel that you can subscribe to here.

This Duqu write-up can also be downloaded as a PDF.

For a whitepaper or datasheet on ECAT or to request more information, please click here .

These attacks are an example of the distributed, outsourced business model so prevalent now. The malware was built using a standard crimeware kit widely available on-line, then tweaked and bundled in for installation and delivery via email attachments.

Our analysis begins with a scan by ECAT of a compromised machine. This delivers the result shown below, a Machine Suspect Level (MSL) of 41. Definitely bad, and in need of attention, though worth noting that it’s a relatively low rating for malware:

ECAT console view after scan of machine infected with Poison Ivy

Next,we see that Windows hooks have been used to inject code into memory, using a Windows OS API:

Poison Ivy code injection using Windows hooks

We can then see that floating code has been injected into Explorer.exe and IEExplorer.exe (the IE browser). The ECAT agent captures this floating code as soon as it’s generated and links it back to the original process(es). The MSL (suspect level) of these two processes registers as 33 in ECAT, indicating they are compromsied and can’t be trusted:

Poison Ivy code injection into Explorer, IE

Drilling down further on one of the floating code blocks, we see an HTTP connection string:

Poison Ivy threat generates malicious HTTP traffic

We then see that multiple network connections are going out to this IP address on port 4445. There seems to be a polling pattern since the mean time between connections is 41 seconds +/-7 seconds. Note that in our test we had it connect to an internal server. Also note that the number of bytes sent is greater than the number of bytes received which is the opposite of what we would expect to see for a connection to a web server. Of interest is the Burst Count and Standard Deviation results. This is a handy feature in ECAT’s network monitoring and analysis for identifying suspicious traffic patterns, and in this instance indicates communication with the command and control server (C&C):

Poison Ivy generating multiple network connections

 

In the next view we see an unknown program trying to mascarade as a normal Windows application that is configured to run automatically at boot time through a run key:

Poison Ivy launches an unknown program

Analyzing the file in ECAT shows that it has only one imported function (very unusual). The file’s strings contain the IP address of the C&C and an HTTP connect string, the same one we found while analyzing the floating code found in IExplore.exe:

Poison Ivy - unknown file analysis

 

Putting it all together we now have a complete picture of the compromise: what it did, how it did it, and (perhaps most importantly) where it tried to reach to get instructions and exfiltrate data.

We’ll be following up in future posts with more analyses using ECAT 3.2, and posting videos on our Youtube channel that you can subscribe to here.

For a whitepaper on ECAT or to request more information, please click here