Norman Data Defense Systems Oliver Kunzmann Support Manager

Transcription

1 Norman Data Defense Systems Oliver Kunzmann Support Manager Author: Oliver Kunzmann.

2 Viren 2004 Bagle.A January MyDoom.A MyDoom.B Netsky.A Netsky.B Netsky.C1 Bagle.C Bagle.D Bagle.E Bagle.F February Bagle.G Bagle.I MyDoom.D MyDoom.E Bagle.B MyDoom.F Netsky.C3 Netsky.D1 Bagle.J MyDoom.G MyDoom.H Netsky.L Bagle.O Netsky.C2 March Netsky.E Bagle.H Netsky.F Bagle.K Netsky.G Netsky.H Netsky.M Bagle.L Netsky.K Netsky.N Netsky.J Netsky.O Bagle.Q Bagle.T Bagle.R Bagle.S Netsky.I 2 Author: Oliver Kunzmann

3 War of the worms Der Mydoom, Bagle und Netsky Virenkrieg Neue Viren werden im schneller entwickelt Virenschreiber haben immer neue Ideen z.b zip-dateien mit Passwort in einer Bilddatei 3 Author: Oliver Kunzmann

4 4 Author: Oliver Kunzmann

5 Quicker spreading 5 Author: Oliver Kunzmann

6 Proactive virus protection From virus to definition files Author: Oliver Kunzmann.

7 Norman SandBox US Patentpending Author: Oliver Kunzmann.

8 Ordinary Antivirus Antivirus clear the traffic Traffic checking against definition files SoBig.a Sobig.b z Gibe a z Swen.A Swen b-z Dialer.a Dialer.b - z Dialer Trojaner 1 Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx 8 Author: Oliver Kunzmann

9 Smart Antivirus Antivirus clear the traffic with definition files and the ruleset Traffic checking against definition files SoBig.a Sobig.b z Gibe a z Swen.A Swen b-z Dialer.a Dialer.b - z Dialer Trojaner 1 Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx What if? Suppose? Traffic checking against ruleset (Heuristics) 9 Author: Oliver Kunzmann

10 Antivirus m. Sandbox Traffic checking against definition files Antivirus clear the traffic with definition files and the sandbox SoBig.a Sobig.b z Gibe a z Swen.A Swen b-z Dialer.a Dialer.b - z Dialer Trojaner 1 Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx Xxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxx Xxxxxxxxx Xxxxxxxxxxxx Xxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxx Traffic checking against SandBox Vituelt miljø: Virtual environment: Maskinvare Hardware Operativsystem Operative Applikasjoner Applications Kommunikasjon Communication 10 Author: Oliver Kunzmann

11 Sandbox contents SMTP Backdoors MAPI SMTP server IP Open ports: 25 IRC \\Another\Machine IP Open ports: 137,139 Port139(SMB) Updates via HTTP Name: FAKE IP address: Drive N:\ mapped network drive \\Remote\Machines Default IP: Any Open ports: all Mapped network drives ICQ Kazaa DNS IP Open ports: Author: Oliver Kunzmann

12 Sandbox Live!! 12 Author: Oliver Kunzmann

13 Virus ALIZ * SMTP Engine * Adress * Location WAB-File * Memory maps the WAB-File * Connects to SMTP Server / Send mail 1. OS searching. Finish Found files WINSOCK32 ADVAOI32 2. OS searching. Finish Found files FILE ( Adressbuch) WAB-FILE 3. OS searching. Finish EXIT Found files SMTP Server MS Account Manager IP Adress / PORT Number PORT IP Create mail.dat 13 Author: Oliver Kunzmann

14 5. OS Send Finishmails. EXIT send mail process finish exit process SEND mail.dat 6. CLOSE SOCKET 14 Author: Oliver Kunzmann

15 Virus ALIZ 1. OS W98 connect connect Sandbox emuliert simuliert searching Finish Virus Infos. sending Finish Virus Infos found VIRUS search order WINSOCK32 ADVAOI32 2. OS W98 connect connect Sandbox emuliert simuliert 3. OS W98 connect connect Sandbox emuliert simuliert searching Finish Virus Infos. sending Finish Virus Infos searching Finish Virus Infos. sending Finish Virus Infos found VIRUS search order FILE ( Adressbuch) WAB-FILE create virtual adressbook sandbox.wab c:\sandbox.wab found VIRUS search order SMTP Server / SMTP.global.no MS Account Manager IP Adress / PORT Number 4. connect connect W98 Sandbox send virtuel mail SMTP.global.no create virtual virtuel PORT/ IP Adress PORT 25 IP Create mail.dat 15 Author: Oliver Kunzmann

16 16 Author: Oliver Kunzmann

17 new Netsky And we also have a new Netsky on our hands, from Sybari: *********File name : C:\MINM\NETSKY.ZIP\YOUR_P~1.VIF ALWIL AVAST! LGUARD : NO_VIRUS H+BEDV AntiVir/DOS32 : NO_VIRUS GRISoft AVG : NO_VIRUS Kaspersky Lab AVPDOS32 : NO_VIRUS SOFTWIN AVXC/BDC : NO_VIRUS Dialogue Science DrWeb386 : NO_VIRUS Frisk Software F-Prot : NO_VIRUS McAfee Scan : NO_VIRUS Prognet FireLite : NO_VIRUS IKARUS PSCAN : NO_VIRUS MkS MkS_vir : NO_VIRUS Symantec NAV VSCAND : NO_VIRUS ESET NOD32 : ~NEW_VIRUS Norman NVCC : Sandbox: W32/ Worm Panda Antivirus 6.0 PAVCL : NO_VIRUS Trend Micro VScan : NO_VIRUS GeCAD RAV : NO_VIRUS Sophos SWEEP : NO_VIRUS CA VET RESCUE : NO_VIRUS CA InoculateIT INOCUCMD : NO_VIRUS VirusBuster VirusBuster : NO_VIRUS ClamAV for Windows : NO_VIRUS w32_p2pworm.vxe : [SANDBOX] infected with unknown worm - W32/P2PWorm [ General information ] * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**. * Display message box (Error!) : Can't find a viewer associated with the file. * Attemps to open C:\WINDOWS\SYSTEM\drvsys.exe NULL. * **Uses Ole32CreateStreamOnHGlobal. * File length: bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM\drvsys.exe. * Creates file C:\temp\ole320. * Creates file C:\temp\ole321. * Creates file C:\temp\ole322. * Creates file C:\temp\ole323. * Creates file C:\temp\ole324. * Creates file C:\temp\ole325. * Creates file C:\temp\ole326. * Creates file C:\temp\ole327. * Creates file C:\temp\ole328. * Creates file C:\temp\ole329. * Creates file \12;. * Creates file C:\temp\ole32;. * Creates file C:\temp\ole32<. * Creates file C:\temp\ole32=. * Creates file C:\temp\ole32>. * Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe. [ Changes to registry ] * Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run". * Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". 17 Author: Oliver Kunzmann

18 New Bagle > AntiVir - HB+EDV: Not detected > AVG - Grisoft: Not detected > AVP - Kaspersky: Not detected > DrWeb - Dialogue Science : Not detected > F-Prot - Frisk: be infected with an unknown virus > NOD - ESET: Not detected > NVCC Norman: W32/Malware > RAV - Microsoft: Not detected > ScanPM - NAI: W32/Bagle.dll.dr > Sweep - Sophos: Not detected > VScan - Trend: Not detected > VScanD - Symantec: Not detected 18 Author: Oliver Kunzmann

19 Andreas Marx - AV-Test 100 unknown viruses/worms/bots Author: Oliver Kunzmann.

20 the start 20 Author: Oliver Kunzmann

21 Author: Oliver Kunzmann

22 Author: Oliver Kunzmann

23 Sandbox online service Author: Oliver Kunzmann.

24 24 Author: Oliver Kunzmann

25 Sandbox online services 25 Author: Oliver Kunzmann

26 Sandbox online services 26 Author: Oliver Kunzmann

27 SandBox v2 - service [email protected]. 27 Author: Oliver Kunzmann

28 Herzlichen Dank fürf Ihre Aufmerksamkeit Professioneller Datenschutz für Ihr Netzwerk 28 Author: Oliver Kunzmann