Malware Most Wanted: Evil Bunny

Uploaded by: cyphort

Posted on 14-Jul-2015

Category: Technology

TRANSCRIPT

Page 1
Malware Most Wanted: Evil Bunny

Page 2
EvilBunny Malware

Marion Marschalek, Security Researcher at Cyphort Labs

Page 3
Your speakers today

Marion Marschalek, Security Researcher, Cyphort Labs

Shelendra Sharma, Product Marketing Director

Page 4
Agenda

o Modern Threat Landscape

o Wrap-up and Q&A

Cyphort Labs T-shirt

Page 5
Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB

o Best of 3rd-party threat data

Page 6
The Modern Threat Landscape

Page 7
Image source: http://www.mirror.co.uk/

OFFENDERS

Page 8
Image source: http://www.moviepilot.com

DEFENDERS

Page 9
Image source: http://www.screenrant.com/

SOPHISTICATED WEAPONRY

Page 10
Image source: http://www.fanpop.com/

SOPHISTICATED WEAPONRY WITH SUPERPOWERS

Page 11
o You don't see your adversary

o You don't know whose Death Star it is that sits on your machine

o You probably won't even find the Death Star on your machine

Image source: http://glee.wikia.com

Page 12
o Intellectual property being stolen

o Political opponents put in jail

o Internet communication being blocked

o Vendor finding a new exploit

o At the same time, a hacker writes 5 more

o Control of media

o Enterprises losing customer data

o Nation states spying on their citizens

o Nation states being hacked

o Little Paul losing his homework

Page 13
Bunny Offenders

Page 14
SAMPLE #1

o FileSize: 192512

o CompileTime: 2010:05:06

o C&C: callientefever.info

o HTTP Accept-Language: fr

Page 15
TFC

o Dynamic API loading by name hash

Page 16
TFC

o PING

o EXEC

o HTTPF

o ASPFLOOD

o TCPFLOOD

o WEBFLOOD

o POSTFLOOD

o ATCLEAR

o STATISTICS

o KILL

o SET

o UPLOAD

o UPDATE

o PLUGIN

FLOODING EVERYTHING

Page 17
TFC command and control

Page 18
SAMPLES #[2-4]

Sample #2

o FileSize: 184320

o CodeSize: 139264

o CompileTime: 2010:02:16 18:05:54+01:00

Sample #3

o FileSize: 184320

o CodeSize: 139264

o CompileTime: 2010:03:11 17:55:03+01:00

Sample #4

o FileSize: 792064

o CodeSize: 583680

o CompileTime: 2011:10:25 20:28:39+01:00

Page 19
EvilBunny

o FileSize: 792064

o CompileTime: 2011:10:25 20:28:39+01:00

o API name hashing key AB34CD77h

o http://1.9.32.11/bunny/test.php?rec=nvista

o Anti-Analysis | Threads & Files | CPU Data | C&C Commands | LUA
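Added example (written for this transcript; it is not code from the slides, from Cyphort Labs or from the malware): the analyst-side counterpart to the "dynamic API loading by name hash" noted on pages 15 and 19. A sample that resolves its imports by hash carries only 32-bit values, so the reverser precomputes the hash of every export name of interest and looks the recovered values up. The slides give the key AB34CD77h but not the hash routine itself; the ror13_xor() function, the export-name list and the "recovered" hash values below are assumptions constructed for illustration, and the real routine has to be lifted from the binary before this is used against a sample.

```python
"""Resolve hashed API names back to readable imports.

Added example; not Cyphort's or the malware's code. The slides say that
TFC/EvilBunny load APIs by a hash of the export name and that EvilBunny's
hashing key is AB34CD77h. The hash routine itself is NOT on the slides:
ror13_xor() is an ASSUMED illustrative scheme (32-bit rotate-right-13
accumulate, then XOR with the key). Replace it with the routine recovered
from the binary before using this on a real sample.
"""

KEY = 0xAB34CD77  # hashing key as stated on the slides

# Constructed list of export names an analyst might dump from the DLLs a
# sample imports; a real run would read the export tables of the actual DLLs.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileA", "VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send"],
}


def ror13_xor(name: str, key: int = KEY) -> int:
    """Assumed hash: ROR-13 accumulate over the ASCII name, then XOR the key."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h ^ key


def build_table(exports, hasher=ror13_xor):
    """Map hash -> [(dll, name), ...]; a list so that collisions stay visible."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hasher(name), []).append((dll, name))
    return table


def resolve(hashes, table):
    """Look up each recovered hash. An empty list usually means the name lives
    in a DLL not yet added to the table, or the assumed hash routine is wrong."""
    return {h: table.get(h, []) for h in hashes}


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed "recovered" values: hashes as they would sit in the sample's
    # import-by-hash table, plus one value that resolves to nothing.
    recovered = [ror13_xor("VirtualAlloc"), ror13_xor("connect"), 0xDEADBEEF]
    for h, names in resolve(recovered, table).items():
        print(f"{h:08X} -> {names or 'unresolved'}")
```

The table keeps a list per hash rather than a single name so that two exports hashing to the same value are reported instead of silently overwritten; when a batch of recovered hashes resolves to nothing at all, the first thing to suspect is the hash routine, not the DLL list.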

Page 20
Not funny.

Page 21
SRSLY?

Page 22
Evil Bunny

AV Product Enumeration

Firewall Product Enumeration

Sandbox Check: "klavme", "myapp", "TESTAPP", "afyjevmv.exe", Timing Condition

SELECT * FROM ANTIVIRUSPRODUCT

SELECT * FROM FIREWALLPRODUCT

Page 23
EvilBunny

Thread diagram labels:

Big Boss

MainThread

PerfMon

CommandParsing

ScriptExecution

ManageWorkerThreads

FileMan/Inet

Worker0

Worker1

Worker2

Worker3

Page 24
Advanced Command and Script Parsing: Lua magic

Diagram labels: LUA Thread, Cmd Parsing, Execute Command, Start LUA Thread

Page 25
Advanced Command and Script Parsing: Lua magic

o 4 worker threads

o Executing Lua scripts

o Lua 5.1 + C/Invoke code

o Callback from LUA to C++

Page 26
C&C servers

o Config stored in HKLM\Software\Microsoft\Ipsec

o http://le-progres.net/images/php/test.php?rec=11206-01

o http://ghatreh.com/skins/php/test.php?rec=11206-01

o http://www.usthb-dz.org/includes/php/test.php?rec=11206-01

Page 27
C&C servers

Location            Remote Host     Port Number
Oakville, Canada    69.90.160.65    80
Montréal, Canada    70.38.107.13    80
Montréal, Canada    70.38.12.10     80

Source: http://www.threatexpert.com/report.aspx?md5=c40e3ee23cf95d992b7cd0b7c01b8599
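Added example (not from the slides or from Cyphort): a small indicator matcher that pulls together what pages 22, 26 and 27 state about the sample, i.e. the WMI queries used for AV/firewall enumeration, the strings it checks for as a sandbox test, the config location under HKLM\Software\Microsoft\Ipsec, the test.php?rec= URL pattern and the three C&C addresses. The log lines and their "type key=value" layout are constructed for the example and are not any product's real format; the tag names and the two-tag escalation threshold are my own choices.

```python
"""Match EvilBunny host and network indicators from the slides against log lines.

Added example; not Cyphort's code. Log format and sample lines are CONSTRUCTED.
"""
import re

# Indicators as stated on the slides (pages 22, 26, 27).
WMI_QUERIES = ("SELECT * FROM ANTIVIRUSPRODUCT", "SELECT * FROM FIREWALLPRODUCT")
SANDBOX_MARKERS = ("klavme", "myapp", "testapp", "afyjevmv.exe")
CONFIG_KEY_PREFIX = r"hklm\software\microsoft\ipsec"
CC_IPS = {"69.90.160.65", "70.38.107.13", "70.38.12.10"}
CC_URL_RE = re.compile(r"/php/test\.php\?rec=", re.IGNORECASE)

# Constructed log lines in an assumed "type key=value ..." layout. pid 1204
# plays the infected process; the others are benign noise.
SAMPLE_LOG = """\
wmi pid=1204 query="SELECT * FROM ANTIVIRUSPRODUCT"
wmi pid=1204 query="SELECT * FROM FIREWALLPRODUCT"
reg pid=1204 op=SetValue key=HKLM\\Software\\Microsoft\\Ipsec\\Config
http pid=1204 dst=69.90.160.65 url=http://le-progres.net/images/php/test.php?rec=11206-01
http pid=2210 dst=93.184.216.34 url=http://example.com/index.html
reg pid=3301 op=QueryValue key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
wmi pid=4410 query="SELECT * FROM Win32_OperatingSystem"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split 'type k=v k="v v"' into (type, {k: v}) with quotes removed."""
    kind, _, rest = line.partition(" ")
    return kind, {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def tag_line(line):
    """Return the indicator tags one log line matches (possibly none)."""
    kind, f = parse(line)
    tags = []
    if kind == "wmi" and f.get("query", "").upper() in WMI_QUERIES:
        tags.append("wmi_security_product_enum")
    if kind == "reg" and f.get("key", "").lower().startswith(CONFIG_KEY_PREFIX):
        tags.append("bunny_config_key")
    if kind == "http":
        if f.get("dst") in CC_IPS:
            tags.append("bunny_cc_ip")
        if CC_URL_RE.search(f.get("url", "")):
            tags.append("bunny_cc_url_pattern")
    return tags


def scan(log_text):
    """Aggregate tags per pid so weak single indicators can be combined."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tags = tag_line(line)
        if tags:
            hits.setdefault(parse(line)[1].get("pid", "?"), set()).update(tags)
    return hits


def suspicious_pids(hits, min_tags=2):
    """A pid carrying at least two distinct indicator families is escalated."""
    return sorted(pid for pid, tags in hits.items() if len(tags) >= min_tags)


def sandbox_markers_present(names):
    """Sandbox-hardening check: which of the strings the sample tests for show
    up in an analysis VM's user, process or file names (iterable of strings)."""
    lowered = [n.lower() for n in names]
    return sorted(m for m in SANDBOX_MARKERS if any(m in n for n in lowered))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for pid in suspicious_pids(hits):
        print(pid, sorted(hits[pid]))
    print(sandbox_markers_present(["klavme", "explorer.exe", "C:\\tmp\\afyjevmv.exe"]))
```

The WMI queries on their own are a weak signal, since legitimate security tooling also reads the SecurityCenter classes; grouping by pid and requiring a second family (config key, C&C address or URL pattern) before escalating keeps the rule useful. The sandbox_markers_present() check is aimed at the analysis environment rather than the victim: an analysis VM whose usernames or file names contain one of the listed strings will not see the sample's real behaviour.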

Page 28
o GETCONFIG

o FTPPUT

o FTPGET

o SENDFILE

o GETFILE

o UNINSTALL

o RESTARTHEARER

o RESTART

o CLEANHEARER

o COMMANDS

o CRONTASKA

o CRONTASKR

o CRONTASKL

o MAXPOSTDAT

o SETURL

o STOP

o SETCPULIMIT

o TIMEOUT

o WAITFOR

o UPDATEDIETIME

Page 29
Infection Vector

http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/

Page 30
CVE-2011-4369

o Adobe Reader vulnerability

o Discovered December 2011

o Original release date: Dec. 16, 2011

o Documented Bunny infection: Dec. 20, 2011

Page 31
WRAPPING UP THE RABBIT

Page 32
TRAITS OF SOPHISTICATED MALWARE

o Tricking of security solutions

o Showing uncommon features

o Vast resources being used in development and spreading

o Advanced stealth mechanisms

Page 33
BUNNY ORIGINS

o Project named bunny, version 2.3.2

o DDoS botnet operators

o Accept-Language: fr

o C&C servers hosted in Canada

o C&C domains resemble French/Iranian websites

o Related to recently revealed Babar malware

Page 34
THE HIDDEN LINK

o Shared code

o Proxy bypass

o Anti-virus enumeration

o Similar API obfuscation

o Same level of complexity

o Middle-Eastern domain names

Page 35
Q&A

Page 36
Thank You!

Page 37