Take THAT IE Fan Boy

Bruce Schneier just posted an interesting article on his blog entitled “Interview with an Adware Developer”.

This article reinforces many of the things I have been telling people for a very long time, but which for whatever reason never sink in.

I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do—which means basically anything.

Aside from reinforcing that Internet Explorer is a poor choice for web browsing (unless you enjoy collecting and cleaning malware… you know, for practice), the interview also outlines an interesting new technique that I recently witnessed while cleaning a machine.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did—actually I should say what I did, because I was pretty heavily involved in this—was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it.

During my live analysis of this machine I used the Microsoft Sysinternals Filemon program to watch for a bit and noticed explorer.exe doing something similar to what the author describes.

34139    6:32:11 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read

The article explains how they would create a file with a seemingly random name (a hash of the MAC address) and use that as the installer. The sample here appears to be a variant that takes the technique a step further and hides the installer in an NTFS alternate data stream (ADS): in the Filemon line above, explorer.exe (PID 2916) opens a stream named QebiesnrMkudrfcoIbamtykdDa.exe attached to C:\NTDETECT.COM. Everything after the second colon is the stream name and stream type, and an ordinary directory listing does not show it. The result is NOT FOUND because these are the data streams I had previously detected and removed; something is still checking whether its payload is present, just as the poller described above does.
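As an added example (not code from the post or the interview), the following Python parses Filemon-style lines like the one above, flags any access to a non-default $DATA stream, skips the ubiquitous and benign Zone.Identifier stream, and reports a process that repeatedly gets NOT FOUND on the same stream, which is the poller behaviour the interview describes. The log lines are constructed apart from the first, which is the line quoted above; the column layout follows Filemon's sequence, time, process:PID, request, path, result, other.

```python
"""Flag NTFS alternate data stream (ADS) accesses in Sysinternals Filemon
log lines, and spot a process that keeps re-checking a stream that is no
longer there (the poller behaviour described above).

Added example, not code from the post or the interview.  SAMPLE_LOG is
constructed: the first line is the one quoted above, the rest are made up
to show an ordinary file, a benign ADS and the repeat polls.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
34139    6:32:11 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read
34140    6:32:11 PM    notepad.exe:1204    OPEN    C:\Documents and Settings\user\notes.txt    SUCCESS    Options: Open  Access: Read
34141    6:32:12 PM    explorer.exe:2916    OPEN    C:\Documents and Settings\user\setup.exe:Zone.Identifier:$DATA    SUCCESS    Options: Open  Access: Read
34142    6:32:21 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read
34143    6:32:31 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read
"""

# Filemon columns are separated by tabs (saved logs) or runs of spaces (as pasted above).
FIELD_SPLIT = re.compile(r"\t|\s{2,}")
DRIVE = re.compile(r"^([A-Za-z]:)(.*)$")

# Zone.Identifier is the download-zone marker IE and Outlook write on saved
# files; it is on almost every downloaded file and carries no payload.
BENIGN_STREAMS = {"Zone.Identifier"}
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif")


def parse_line(line):
    """Return a dict for one Filemon line, or None for blank/unparseable lines."""
    parts = [p for p in FIELD_SPLIT.split(line.strip()) if p]
    if len(parts) < 6:
        return None
    seq, time, process, request, path, result = parts[:6]
    return {"seq": seq, "time": time, "process": process, "request": request,
            "path": path, "result": result, "other": " ".join(parts[6:])}


def split_ads(path):
    """Split 'host:stream:$DATA' into (host, stream); stream is None for an ordinary path.

    The drive letter's colon is peeled off first so it is not mistaken for a
    stream separator.  'host::$DATA' names the default stream, and stream types
    other than $DATA (e.g. $INDEX_ALLOCATION) do not carry file contents.
    """
    m = DRIVE.match(path)
    drive, rest = (m.group(1), m.group(2)) if m else ("", path)
    parts = rest.split(":")
    if len(parts) == 1:
        return path, None
    host, stream = drive + parts[0], parts[1]
    stream_type = parts[2] if len(parts) > 2 else "$DATA"
    if stream == "" or stream_type != "$DATA":
        return host, None
    return host, stream


def analyse(log_text, min_polls=3):
    """Return (ads_findings, pollers).

    ads_findings: one entry per access to a non-default, non-benign $DATA stream.
    pollers: (process, path) pairs that hit NOT FOUND on such a stream at least
    min_polls times, i.e. something still looking for a payload that was removed.
    """
    findings, not_found = [], Counter()
    for event in filter(None, map(parse_line, log_text.splitlines())):
        host, stream = split_ads(event["path"])
        if stream is None or stream in BENIGN_STREAMS:
            continue
        reasons = ["alternate data stream on " + host]
        if stream.lower().endswith(EXEC_EXT):
            reasons.append("executable hidden in stream")
        if event["result"] == "NOT FOUND":
            not_found[(event["process"], event["path"])] += 1
        findings.append({"seq": event["seq"], "process": event["process"],
                         "stream": stream, "result": event["result"], "reasons": reasons})
    pollers = [{"process": proc, "path": path, "count": n}
               for (proc, path), n in not_found.items() if n >= min_polls]
    return findings, pollers


if __name__ == "__main__":
    found, polling = analyse(SAMPLE_LOG)
    for f in found:
        print(f["seq"], f["process"], f["stream"], f["result"], "; ".join(f["reasons"]))
    for p in polling:
        print("poller:", p["process"], "checked", p["path"], p["count"], "times, NOT FOUND")
```

The drive-letter handling matters: a naive `path.split(":")` would treat `C:` as the host and `\NTDETECT.COM` as the stream on every line. On a live box the same check can be applied to a full Filemon capture, and any executable-looking stream on a boot or system file deserves to be pulled out and hashed before it is deleted.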

The article also has an interesting point about evasion.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

In the virology and malware world this is known as polymorphism, and is a very effective technique for evading most anti-virus/spyware programs.
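A toy model of the shuffling the interviewee describes, and of what it does to three kinds of signature, as an added example (not code from the interview or the post). The executable format, function bodies and base address are constructed: each function is a byte template with 4-byte call-target fields that a linker fills with the callee's absolute address, so reordering the functions changes both the file layout and the bytes inside any function whose callee moved. The signatures compared are a whole-file hash, a hash of the set of per-function hashes, and the same set hash with the pointer fields masked before hashing.

```python
"""Toy model of a function shuffler and of which signatures survive it.

Added example, not code from the interview: the "executable" format,
function bodies and base address are constructed.  A function is a byte
template with 4-byte call-target fields; link() fills each field with the
absolute address of the callee, so reordering functions changes the file
layout and also the bytes inside every caller of a function that moved.
"""
import hashlib
import random
import struct

BASE = 0x401000  # constructed image base

# name, body template (call-target fields zeroed), [(field offset, callee)]
FUNCS = [
    ("entry",     b"\x55\x89\xe5\xe8\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x5d\xc3",
                  [(4, "fetch_ads"), (9, "show_ad")]),
    ("fetch_ads", b"\x53\xe8\x00\x00\x00\x00\x5b\xc3", [(2, "parse")]),
    ("parse",     b"\x31\xc0\x40\xc3", []),
    ("show_ad",   b"\x56\xe8\x00\x00\x00\x00\x5e\xc3", [(2, "parse")]),
]
TEMPLATES = {name: (body, calls) for name, body, calls in FUNCS}
ORIGINAL_ORDER = [name for name, _, _ in FUNCS]


def link(order):
    """Lay out functions in the given order and patch their call-target fields.

    Returns (image bytes, {name: linked function bytes}).
    """
    addr, offset = {}, BASE
    for name in order:
        addr[name] = offset
        offset += len(TEMPLATES[name][0])
    linked = {}
    for name in order:
        body, calls = TEMPLATES[name]
        buf = bytearray(body)
        for field, callee in calls:
            buf[field:field + 4] = struct.pack("<I", addr[callee])
        linked[name] = bytes(buf)
    return b"".join(linked[name] for name in order), linked


def shuffled_order(seed):
    """The shuffler: a random permutation of the function order."""
    order = list(ORIGINAL_ORDER)
    random.Random(seed).shuffle(order)
    return order


def image_signature(image):
    """Whole-file hash: what a naive signature scanner compares."""
    return hashlib.sha256(image).hexdigest()


def function_set_signature(linked, mask_pointers=False):
    """Order-independent signature: hash of the sorted per-function hashes.

    With mask_pointers=True the call-target fields are zeroed before hashing,
    so relocated addresses do not change a function's hash.  In real binaries
    the field positions come from relocation data or a disassembler; here they
    come from the constructed templates.
    """
    digests = []
    for name, body in linked.items():
        buf = bytearray(body)
        if mask_pointers:
            for field, _ in TEMPLATES[name][1]:
                buf[field:field + 4] = b"\x00\x00\x00\x00"
        digests.append(hashlib.sha256(bytes(buf)).hexdigest())
    return hashlib.sha256("".join(sorted(digests)).encode()).hexdigest()


def compare(order_a, order_b):
    """Which signatures still match after relinking in a different order."""
    image_a, fns_a = link(order_a)
    image_b, fns_b = link(order_b)
    return {
        "whole_file": image_signature(image_a) == image_signature(image_b),
        "function_set_raw": function_set_signature(fns_a) == function_set_signature(fns_b),
        "function_set_masked": function_set_signature(fns_a, True) == function_set_signature(fns_b, True),
    }


if __name__ == "__main__":
    for key, same in compare(ORIGINAL_ORDER, list(reversed(ORIGINAL_ORDER))).items():
        print(f"{key:20s} {'still matches' if same else 'broken by shuffle'}")
```

Reversing the order breaks the whole-file hash and also the raw per-function set, because the relinked call targets inside `entry`, `fetch_ads` and `show_ad` change; only `parse`, which calls nothing, keeps its bytes. Masking the pointer fields before hashing gives a signature that the shuffle cannot touch, which is the kind of normalisation a scanner needs once it stops matching fixed byte runs. The interview's further step, changing pointers within each function, is exactly what the raw per-function hash falls to, and is one reason static byte signatures alone stopped being enough.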

Now the truly frightening part: the interview mentions using interrupt handlers instead of threads, and states that they decided not to do it. But now that the concept is written down, someone will run with it.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

What this all boils down to is that the malware authors have once again leapfrogged the anti-virus industry. Microsoft also needs to take a more proactive role in securing IE and Windows against these sorts of threats.

The days of recycling old code as variants are over, and it's time that we prepare ourselves for a whole new world of malware threats.

2 comments

  1. Bryan Murphy / Post Author

    I do agree that the sites a user chooses to visit have a large bearing on the volume of malware one is exposed to, but a number of high-profile cases exist in which legitimate popular sites became infected and distributed malware to visitors.

    Firefox is a good choice for browsing because you can block third-party cookies, have it clear all cache and history on exit, and with plugins completely disable JavaScript and ads unless you opt in. It's not safe, but safer.

    A few good examples of IE being a poor choice are browser helper objects (BHO), ActiveX and this…

    Open windows explorer (not internet explorer) type in http://google.com and hit enter. Observe.

  2. LOBO /

    I love this article/posting of your facts and findings.

    I am an avid user of Internet Explorer, more exclusively for the choices of not accepting cookies from third parties and controlling sessions from one interface rather than scripting solutions.

    I utilize and support a full range of Microsoft products for pay, and I care for the lambs that wander to the slaughter on the net for their Facebook, Myspace, shopping, tax filing, online banking and their porn.

    So for me it isn't the browser that is the issue, it is the web, and web 2.0 vulnerabilities that are going to be the pathways to fixing and wiping, and reinstalling Windows operating systems.

    I love my Windows O/S platforms, but too many resistors out there think that if you run Windows, any browser but I.E. will be better and safe. WRONG. A bad/infested website is exactly that; no browser choice will fix that.

    With that being said, you Linux aficionados will rally on that and exclaim “that is why you run Linux”, ha.

    Lobo

