Corona Malware Chips
The development of information technology affects the development of the entire spectrum of software (software). It does not bypass the side and malware . It is possible to identify the main techniques used in the development of "advanced" malicious software (HP).
For a general understanding of what digital signature technology (EDS) is about, which will be discussed later, it is necessary to reveal the basic concepts of cryptography . Existing encryption methods can be divided into symmetric - DES , 3DES , AES , RC4 , RC6 and asymmetric (or public key encryption) - RSA , ECDSA . The main differences between them are:
With symmetric encryption, there is a need to exchange a key between two users (which is very inconvenient, especially if they are very far from each other), asymmetric encryption is deprived of this disadvantage. Its main essence: there are two keys - private and open, and the private key is impossible for a reasonable time (for example, during the life of a cracker) to pick up or calculate from the public using the available computing power of today. Naturally, right now the 8-bit key can be calculated in less than a second, while 1024-bit will have to be selected for many years. Another public and private key property is that any of them can encrypt the message and decrypt the other. That is, two operations are possible:
Operation 1 is used for signing, operation 2 is used for encryption, using two pairs of keys by the number of exchange participants (users A and B):
')
The private key should be kept only by the user and nowhere else, the public key as a bundle, the user key can be freely distributed anywhere. In the first case (ID or signature), user B is sure that message A was sent by user A, since no one except A can encrypt the message so that it is decrypted by public key A (the private key cannot be calculated from the public one). In the second case (encryption), only user B can decrypt a message encrypted by any user using his public key B using his private key B (the private key cannot be calculated from the public one).
In practice, the scheme is somewhat more complicated, since it was already mentioned that asymmetric encryption is ten times slower than symmetric encryption. Therefore, when signing use encryption is not the entire amount of data, and some of the functions of this data, called the hash function . As the simplest hash function, you can consider a technique that is often used in astrology, for example, the number of the year 1998 is 1 + 9 + 9 + 8 = 27 = 2 + 7 = 9. In the first approximation, this is how the hash function works, except that many other functions are used instead of addition. In the above example, it is clear that, for example, the year 1899 will also have the number 9, this situation is called a collision , which means that one hash function (or just a hash) corresponds to different data sets. The most common types of hashes are MD5 , MD6 , SHA-1 , SHA-2 . Thus, technically, EDS is an additional block of data that contains the hash of the transmitted data that is encrypted with the user's private key. Conflict can be used to fake a digital signature. If we take the EDS from any file and form our fake file with the same hash, then the end user will have all the calculations converge, and he will think that the file is sent from the person he knows (and not from us). The problem is that it is impossible to create an algorithm, what bytes to add to our file to get the specified hash value. Of course, you can, for example, add bytes to our file with a value of 0, then 1, 2, and so on, up to 255, then add a second, third, etc. in a similar way, but it will take a very long time.
As for encryption, some modifications are also applied there. So, the asymmetric algorithm is again encrypted not the entire data set, but the so-called session key, which is generated randomly. This session key encrypts the data set using a symmetric algorithm, which is much faster. The session key itself is encrypted with the recipient’s public key and added to the source data. The recipient decrypts the session key with his private key and decrypts the original message with it.
By using cryptographic methods, attackers accomplish the following tasks:
In its development, management systems have gone through the following stages:
It is obvious that everything that is set statically, sooner or later blocked by antivirus companies. DGA and P2P technologies are used to solve these problems.
The essence of DGA is that the names of command centers for management are not strictly specified, but are generated by a pseudo-random algorithm using the current date and time, and the number of such domains should be large enough, for example, 1000 per day. This leads to the fact that registering or blocking all such names is a very difficult and practically impossible task. However, the use of DGA in VPO allows anti-virus companies to use the so-called sinkhole-router - a fake control center, which bots begin to perceive as their own. Thus, it becomes possible to estimate the extent of infections and their geographical distribution by analyzing the IP addresses of incoming connections. In some cases, it even allows you to take control and give a command to self-destruct, which, however, is rare, since commands and new files are usually signed by EDS by attackers.
Using the same P2P allows you to completely abandon the concept of the control center, management or distribution of new versions of the bot can be made from any infected computer.
P2P (peer-to-peer, peer-to-peer network) involves a large number of computers, each of which contains some information about other such computers, such as an IP address. The list of such computers (peers, peer) is called the bootstrap list (initial initialization list). Depending on where this list comes from, there are partially decentralized and fully decentralized P2P networks.
Partially decentralized P2P networks assume that the bootstrap list is loaded from previously known servers. In particular, this is how uTorrrent works. In such a system there is a weak point - it is enough to block access to the servers containing the bootstrap list. Therefore, the VPO uses a completely decentralized scheme. It should be noted that the concept of a fully decentralized P2P network in relation to HVO implies that the distribution will take place in two stages. At the first stage, a bot with an empty bootstrap list is distributed, it periodically refers to the command center, which in turn fixes the bot's IP address. In addition to the IP address itself, the botnet operators are interested in information whether the bot is behind the gateway (gateway) or firewall. If this is not the case, it means that the bot can act as a super peer (super peer, super node), that is, other peers can directly connect to it. As soon as the required number of superpirs is typed, their list is entered into the bootstrap list, and the new version of the bot with it begins to spread by the attackers. After distribution, all bots exchange information about their neighbors and form their own bootstrap list. This results in a P2P network. It is resistant to the disappearance of a certain number of bots, as the list of neighbors is constantly changing. During the exchange, bots also exchange information about their version. If the bot detects that it is “out of date”, a new version is downloaded from one of its neighbors. When downloading, as a rule, the EDS of the file is checked in order to exclude the possibility of distributing "not your own" files. Thus, all bots in P2P keep themselves up to date. It is according to the above two-stage scheme that the latest versions of the Storm, Sality and Zeus work . The P2P implementation they use is based on the Kademlia protocol. Conficker uses its own implementation, the most interesting thing about it is that the bootstrap list of it is initially empty, it detects its neighbors by scanning IP addresses. Due to its features, Conficker is more reminiscent of a tool for testing newer technologies in the writing of malware, than just another bot.
Summing up, we can conclude that the creators of modern malware take quite seriously the issues of ensuring the survivability of their malware. And there is a tendency that anti-virus companies really lose in this race. The use of P2P and EDS practically does not give chances to “crack down” with botnets.
- Operation of software vulnerabilities installed on the affected computer for its hidden launch or elevation of privileges .
Examples - Stuxnet instead of the traditional launch from USB media via autorun (autorun.inf) used the MS10-046 shortcut processing vulnerability, later the same vulnerability began to be used by Sality . Conficker used the MS08-067 network service vulnerability, which allowed it to multiply on a large number of machines. Vulnerability, as a rule, belongs to the class buffer overflow , but not necessarily, there may still be heap overflow, etc. The brief essence of the buffer overflow: the stack is often used in programming. The concept of the stack allows you to simplify the transfer of parameters to the function and return control to the place where the function call originated from. Example: we called our desired function, which should enter a string from the keyboard, the return address was put on the stack, say 4 bytes, then we reserved 255 bytes in the stack for the string - we don’t feel sorry. And while working with our program, Comrade Ivanov took and entered a 364-byte string. The 4 bytes of the return address were overwritten by other bytes (from the string). Therefore, back control will not return to the place where the function was called from, but to some other one. Including it is possible to adjust that our line will contain binary codes and the transition will occur to the address pointing to the memory area inside our line. Such a tailored sequence (in general, data, not only strings) is called a shell code , and a malicious program that injects a shell code is an exploit . The vulnerability of our program lies in the fact that there is no check for the length of the input string. To eliminate the vulnerability patch is applied. A patch is a program (or sequence of actions) that modifies certain files to fix vulnerabilities. - Application of polymorphism technology.
As you know, one of the anti-virus methods for detecting malware is signature analysis . This means that for the malware, any characteristic data sequence (byte) is defined, which is called a signature. Such a signature should not be found in any other program. In the general case, it may look like this in the text description: 127 bytes from the beginning is equal to 7, 145237 bytes from the end is equal to 255, while 145235 bytes must be equal to 0. Polymorphism also means that each time the VPO file is different, and for him it was impossible to allocate any pattern (signature). For example, Zeus, with its hidden installation, recoded its main module, so on different computers the same version of it was different in almost every byte. A particularly “advanced” method is the “server-side” polymorphism, when a malicious server loads a newly assembled copy of malware to each computer. In this case, the file conversion algorithm is not contained in the malware itself, but is implemented on the server. This greatly increases the possibility of forming dissimilar copies, since the “mutation” code can be arbitrarily large and complex. This method was used, for example, in Storm. - The presence of a rootkit functional aimed at hiding signs of malware on an infected computer.
As a rule, this implies invisibility of malware on the system level, invisibility of malware processes in the Task Manager, certain registry keys, and so on. - The implementation of self-defense functions.
Self-defense involves countering antivirus programs, for example, forcing them to shut down, or for user actions, for example, blocking the launch of a registry editor. It can also prevent access to antivirus companies' portals or information security sites, where you can get instructions on how to remove this or that malware, download an update to the antivirus or the antivirus itself. True, the incorrect work of the antivirus is a unmasking factor for malware. A separate item is the removal from the affected computer of its "competitors" - other malicious programs. The classic case of such a confrontation is the struggle between the families of bots Srizbi and Storm. - The use of a control system for transmitting commands and receiving information from a malware that is resistant to the actions of antivirus companies aimed at curbing botnet activities .
A botnet is a collection of bots (malicious programs of the same type) that receive commands from one source - from an operator or operators (intruders).
Basic information from the field of cryptography
For a general understanding of what digital signature technology (EDS) is about, which will be discussed later, it is necessary to reveal the basic concepts of cryptography . Existing encryption methods can be divided into symmetric - DES , 3DES , AES , RC4 , RC6 and asymmetric (or public key encryption) - RSA , ECDSA . The main differences between them are:
- symmetric encryption is much faster than asymmetric (tenfold);
- in symmetric encryption, there is one key; in asymmetric encryption, two.
With symmetric encryption, there is a need to exchange a key between two users (which is very inconvenient, especially if they are very far from each other), asymmetric encryption is deprived of this disadvantage. Its main essence: there are two keys - private and open, and the private key is impossible for a reasonable time (for example, during the life of a cracker) to pick up or calculate from the public using the available computing power of today. Naturally, right now the 8-bit key can be calculated in less than a second, while 1024-bit will have to be selected for many years. Another public and private key property is that any of them can encrypt the message and decrypt the other. That is, two operations are possible:
- sender - source text - private key - encrypted text - public key - decrypted text - recipient;
- sender - source text - public key - encrypted text - private key - decrypted text - recipient.
Operation 1 is used for signing, operation 2 is used for encryption, using two pairs of keys by the number of exchange participants (users A and B):
')
- sender A - source text - private key A - encrypted text - public key A - decrypted text - recipient B;
- sender A - source text - public key B - encrypted text - private key B - decrypted text - recipient B.
The private key should be kept only by the user and nowhere else, the public key as a bundle, the user key can be freely distributed anywhere. In the first case (ID or signature), user B is sure that message A was sent by user A, since no one except A can encrypt the message so that it is decrypted by public key A (the private key cannot be calculated from the public one). In the second case (encryption), only user B can decrypt a message encrypted by any user using his public key B using his private key B (the private key cannot be calculated from the public one).
In practice, the scheme is somewhat more complicated, since it was already mentioned that asymmetric encryption is ten times slower than symmetric encryption. Therefore, when signing use encryption is not the entire amount of data, and some of the functions of this data, called the hash function . As the simplest hash function, you can consider a technique that is often used in astrology, for example, the number of the year 1998 is 1 + 9 + 9 + 8 = 27 = 2 + 7 = 9. In the first approximation, this is how the hash function works, except that many other functions are used instead of addition. In the above example, it is clear that, for example, the year 1899 will also have the number 9, this situation is called a collision , which means that one hash function (or just a hash) corresponds to different data sets. The most common types of hashes are MD5 , MD6 , SHA-1 , SHA-2 . Thus, technically, EDS is an additional block of data that contains the hash of the transmitted data that is encrypted with the user's private key. Conflict can be used to fake a digital signature. If we take the EDS from any file and form our fake file with the same hash, then the end user will have all the calculations converge, and he will think that the file is sent from the person he knows (and not from us). The problem is that it is impossible to create an algorithm, what bytes to add to our file to get the specified hash value. Of course, you can, for example, add bytes to our file with a value of 0, then 1, 2, and so on, up to 255, then add a second, third, etc. in a similar way, but it will take a very long time.
As for encryption, some modifications are also applied there. So, the asymmetric algorithm is again encrypted not the entire data set, but the so-called session key, which is generated randomly. This session key encrypts the data set using a symmetric algorithm, which is much faster. The session key itself is encrypted with the recipient’s public key and added to the source data. The recipient decrypts the session key with his private key and decrypts the original message with it.
Using cryptography in malware
By using cryptographic methods, attackers accomplish the following tasks:
- by applying EDS, it is confirmed that the updated version of the malware or the team was actually received from operators, and not from malicious competitors or employees of antivirus companies. To do this, the public key is “sewn up” in the bot, and the private key is stored in a safe place (of course, not on the server). It is no secret that many programs contain vulnerabilities, are not an exception in this sense, and command servers botnets. In some cases, it was possible to hack such servers, then it became possible to give the command to self-destruct bots, distribute antivirus utility under the guise of a new version of the bot, or change the address of the control center. Using EDS removes the problem of intercepting control over a botnet;
- encrypt information stolen from an infected computer. Thus, the results of the work of a botnet can only be used by its operators (who have a private key), that is, hacking the management server will do nothing;
- Many anti-virus tools do not analyze the actions of programs (monitoring suspicious actions, for example, implementing their code in another process) if they are signed by EDS of large software companies and driver developers. This feature is successfully used by attackers to bypass anti-virus protection systems. The signature is generated using stolen private keys (Stuxnet is signed with a stolen Realtek key), collision matching method (Flame is signed by Microsoft), in some cases it was possible to register a fake software development company and get its own private key legally;
- experts from antivirus companies point out that ransomware , the ransomware programs, has recently become more frequent. As a classic example of ransomware, GPCode can be given. This malicious program encrypts user files with a random session key, which is stored in an encrypted form using a public key (located in GPCode). The original data, of course, erased. To perform a reverse operation, it is necessary to transfer a certain amount of money to the requisites left by the attacker and send him this encrypted session key. It is decrypted using a private key (located with the attacker) and sent back to the user, after which the files will be successfully decrypted. The only reliable protection from the impact of such programs - backup.
Types of control systems
In its development, management systems have gone through the following stages:
- hard-coded email addresses;
- using IRC chat, bots were connected to certain channels on specified servers, and the servers could be both legal and hacked, with the subsequent installation of the IRC server software on it;
- hard-coded domain names or IP addresses;
- use of DGA (Domain Generation Algorithm);
- use of P2P technology.
It is obvious that everything that is set statically, sooner or later blocked by antivirus companies. DGA and P2P technologies are used to solve these problems.
The essence of DGA is that the names of command centers for management are not strictly specified, but are generated by a pseudo-random algorithm using the current date and time, and the number of such domains should be large enough, for example, 1000 per day. This leads to the fact that registering or blocking all such names is a very difficult and practically impossible task. However, the use of DGA in VPO allows anti-virus companies to use the so-called sinkhole-router - a fake control center, which bots begin to perceive as their own. Thus, it becomes possible to estimate the extent of infections and their geographical distribution by analyzing the IP addresses of incoming connections. In some cases, it even allows you to take control and give a command to self-destruct, which, however, is rare, since commands and new files are usually signed by EDS by attackers.
Using the same P2P allows you to completely abandon the concept of the control center, management or distribution of new versions of the bot can be made from any infected computer.
P2P (peer-to-peer, peer-to-peer network) involves a large number of computers, each of which contains some information about other such computers, such as an IP address. The list of such computers (peers, peer) is called the bootstrap list (initial initialization list). Depending on where this list comes from, there are partially decentralized and fully decentralized P2P networks.
Partially decentralized P2P networks assume that the bootstrap list is loaded from previously known servers. In particular, this is how uTorrrent works. In such a system there is a weak point - it is enough to block access to the servers containing the bootstrap list. Therefore, the VPO uses a completely decentralized scheme. It should be noted that the concept of a fully decentralized P2P network in relation to HVO implies that the distribution will take place in two stages. At the first stage, a bot with an empty bootstrap list is distributed, it periodically refers to the command center, which in turn fixes the bot's IP address. In addition to the IP address itself, the botnet operators are interested in information whether the bot is behind the gateway (gateway) or firewall. If this is not the case, it means that the bot can act as a super peer (super peer, super node), that is, other peers can directly connect to it. As soon as the required number of superpirs is typed, their list is entered into the bootstrap list, and the new version of the bot with it begins to spread by the attackers. After distribution, all bots exchange information about their neighbors and form their own bootstrap list. This results in a P2P network. It is resistant to the disappearance of a certain number of bots, as the list of neighbors is constantly changing. During the exchange, bots also exchange information about their version. If the bot detects that it is “out of date”, a new version is downloaded from one of its neighbors. When downloading, as a rule, the EDS of the file is checked in order to exclude the possibility of distributing "not your own" files. Thus, all bots in P2P keep themselves up to date. It is according to the above two-stage scheme that the latest versions of the Storm, Sality and Zeus work . The P2P implementation they use is based on the Kademlia protocol. Conficker uses its own implementation, the most interesting thing about it is that the bootstrap list of it is initially empty, it detects its neighbors by scanning IP addresses. Due to its features, Conficker is more reminiscent of a tool for testing newer technologies in the writing of malware, than just another bot.
Summing up, we can conclude that the creators of modern malware take quite seriously the issues of ensuring the survivability of their malware. And there is a tendency that anti-virus companies really lose in this race. The use of P2P and EDS practically does not give chances to “crack down” with botnets.
Source: https://habr.com/ru/post/162259/
All Articles