Government grade malware in the wild
For the geeks, this beast's protection code is now out in the wild and being seen in commercial malware.
It ignores instrumentation attempts by AV and has the usual obfuscation along with lots of unusual obfuscation so extremely difficult to catch. Unplug your network connection now! ;)
Re: Government grade malware in the wild
Doesn't the fact it creates a reg entry give it away if you do not have Skype? (Limited understanding of this subject.)
Re: Government grade malware in the wild
TBH I've found lots of malware used by elite criminal groups to be above the junk some people consider "government grade" for years already, what exactly is "government grade" malware anyway? After all we've known some governments to use pretty crappy and amateurish attacks on occasion.
Interestingly the researchers say repeatedly it's designed for x86 and x64, yet in their analysis say the payload is pure 64-bit and uses native 64-bit system APIs, which wouldn't run on an x86-32 install. Then they later say the main payload executes inside a 32-bit process. So what exactly is going on?
Re: Government grade malware in the wild
http://en.wikipedia.org/wiki/WoW64 Have a look at the references to the obfuscation techniques it uses. Part of the games it plays involve screwing with WoW. Along with that it has a 32-bit wrapper and execution paths for both 32 and 64 bit. The protection features are exceptionally sophisticated and were seen first in a malware traced back to the Russian government. That code is instruction for instruction in commercial gack. Seems government grade to me. Happy to reverse engineer it if you can send me a copy. Will just take a while.
Re: Government grade malware in the wild
Windows on Windows is irrelevant though. WoW64 does not exist on 32-bit Windows. A native 32-bit binary can run on 64-bit using WoW64; a native 64-bit binary cannot run on 32-bit Windows. It can try to screw with WoW as much as it likes, but when WoW doesn't exist on the target machine it's not going to get anywhere... The references all describe how it'd run on an x64 Windows install, but not an x86 (although a partial example of some disassembly of the latter is shown, no description of how they came to it is shared).
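The 32-bit vs 64-bit question raised above can be settled for any given sample from its PE headers alone: the COFF Machine field and the optional-header Magic must agree, and a sample where they disagree is worth a closer look. This is an added example, not code from the thread or from the analysis being discussed; the headers it parses are constructed in-line rather than taken from any real sample.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x010B       # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x020B   # optional header magic for 64-bit images


def pe_bitness(data: bytes) -> str:
    """Classify a PE image as '32-bit', '64-bit' or 'inconsistent' from its headers.

    Raises ValueError if the buffer is not a PE image at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + COFF header (20) + optional header Magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and opt_magic == PE32_MAGIC:
        return "32-bit"
    if machine == IMAGE_FILE_MACHINE_AMD64 and opt_magic == PE32PLUS_MAGIC:
        return "64-bit"
    # Mismatched fields: either an unusual target or a header someone tampered with.
    return f"inconsistent (Machine=0x{machine:04X}, Magic=0x{opt_magic:04X})"


def make_header(machine: int, opt_magic: int) -> bytes:
    """Build a minimal, constructed PE header (DOS stub + COFF + Magic) for testing."""
    dos = bytearray(b"MZ" + b"\0" * 0x3A)          # 0x3C bytes of DOS header
    dos += struct.pack("<I", 0x40)                   # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    for m, g in ((IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
                 (IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC),
                 (IMAGE_FILE_MACHINE_I386, PE32PLUS_MAGIC)):
        print(pe_bitness(make_header(m, g)))
```

Run it over a real file with `pe_bitness(open(path, "rb").read())`; a 32-bit wrapper that later moves into 64-bit code will still report "32-bit" here, since only the container's headers are examined.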
Re: Government grade malware in the wild
Mmm this was meant to be a fairly light-hearted post hence the comment at the end.
This is actually more of a PR piece than a serious technical article. The malware itself is similar to Urausy.C/D with some modifications (modified Yoda wrapper) and bits of espionage payload attached.
Re: Government grade malware in the wild
Yes, I know, though the Sentinel Labs article tries to go into some depth of technical analysis; either I'm reading it wrong or it's self-contradictory and they've left out some important bits (like, where do I get a copy?).
Re: Government grade malware in the wild
It's not very technical at all.
http://blog.avast.com/2013/07/24/ura...nd-20-minutes/ is something like technical. If you want a copy go to one of the usual places where these things live. Analyses don't tend to provide links, though it should at the very least have the MD5 of the thing.
Re: Government grade malware in the wild
I don't see the difference in technicality really, the first has
Re: Government grade malware in the wild
Feel free to obtain the older malware, reverse it yourself, and show them how it should be done as far as technical reporting and analysis goes.
Re: Government grade malware in the wild
I still don't understand what you see to be the difference, given as quoted above, it's the same information on the same subject in both paragraphs.
I'm not sure what 'showing them' has to do with the difference you are trying to describe?
Re: Government grade malware in the wild
Often the malware writer on the internet will have techniques and use 0-day vulnerabilities that governments/security services are not aware of (although the window of exclusivity is limited), so it goes without saying it works both ways and the agencies have techniques no one else knows about. At least the AV companies can try and work this into their programs now, if they can..... Maybe that is why Symantec recently gave up and said AV is no longer viable for keeping infections away. Could make your computer extremely slow to check everything, and even then it will have problems detecting infections in firmware of your hardware and BIOS for example. At least Dragos (BadBIOS fame) knows he isn't mad now since the Snowden leaks, after seeing software update and infections come back on an air-gapped computer :D
Re: Government grade malware in the wild
http://www.mcafee.com/uk/products/deep-defender.aspx Though given virtual machine hypervisors have their own vulnerabilities as it is, I wonder how long it'll be before someone develops an exploit to rootkit the Deep Defender host as well...
Re: Government grade malware in the wild
They still don't exactly say why doing this stops AVs from seeing the hooks or API calls. Could be how it is injected into the memory space of another process, or a bug in how Windows handles something. Could be that the AV doesn't see beyond the WoW64 part running for some reason. Really dunno :p: It really wouldn't surprise me if it uses a backdoor put in by Microsoft. People have got to stop thinking of backdoors as they used to be; these days they are made by intentionally coding bugs so there is the deniability factor. No code showing magic packets/port knocking or passwords that can be found by reverse engineering software/firmware like we saw a while back with some routers. Instead a bug is put in that is extremely difficult to find or exploit unless you created it in the first place. Re Deep Defender: a step in the right direction. Protection really needs to start at the hardware level. Just hope they do it right rather than just introduce another thing that can be exploited like you say.
Re: Government grade malware in the wild
Thanks for the explanation :)
As for hardware protection - haven't we had TPM and Trusted Execution for a while now?