Norman Data Defense Systems
Oliver Kunzmann, Support Manager
Author: Oliver Kunzmann
Viruses 2004 (timeline slide, January to March; names in the order shown on the slide): Bagle.A, MyDoom.A, MyDoom.B, Netsky.A, Netsky.B, Netsky.C1, Bagle.C, Bagle.D, Bagle.E, Bagle.F, Bagle.G, Bagle.I, MyDoom.D, MyDoom.E, Bagle.B, MyDoom.F, Netsky.C3, Netsky.D1, Bagle.J, MyDoom.G, MyDoom.H, Netsky.L, Bagle.O, Netsky.C2, Netsky.E, Bagle.H, Netsky.F, Bagle.K, Netsky.G, Netsky.H, Netsky.M, Bagle.L, Netsky.K, Netsky.N, Netsky.J, Netsky.O, Bagle.Q, Bagle.T, Bagle.R, Bagle.S, Netsky.I
War of the worms: the MyDoom, Bagle and Netsky virus war
New viruses are being developed ever faster.
Virus writers keep coming up with new ideas, e.g. password-protected zip files with the password supplied in an image file.
Quicker spreading
Proactive virus protection: from virus to definition files
Norman SandBox (US patent pending)
Ordinary antivirus
The antivirus clears the traffic: traffic is checked against definition files (signature list on the slide: SoBig.a, Sobig.b-z, Gibe a-z, Swen.A, Swen b-z, Dialer.a, Dialer.b-z, Dialer 1, 1289 Trojans, further entries shown only as placeholders).
Smart antivirus
The antivirus clears the traffic with definition files and a ruleset: traffic is first checked against definition files (the same signature list as on the previous slide), then against the ruleset (heuristics) asking "What if? Suppose?".
Antivirus with sandbox
The antivirus clears the traffic with definition files and the sandbox: traffic is checked against definition files (same signature list) and then against the SandBox, a virtual environment consisting of hardware, operating system, applications and communication.
Sandbox contents (simulated environment):
- E-mail: SMTP and MAPI; backdoors
- SMTP server, IP 193.75.75.100, open ports: 25
- IRC
- \\Another\Machine, IP 192.168.0.4, open ports: 137, 139 (port 139: SMB)
- Updates via HTTP
- Name: FAKE, IP address: 192.168.0.101
- Drive N:\ mapped network drive
- \\Remote\Machines, default IP: any, open ports: all
- Mapped network drives
- ICQ, Kazaa
- DNS, IP 193.75.75.102, open ports: 53
Sandbox Live!!
Virus ALIZ
* SMTP engine
* E-mail addresses: location of the WAB file
* Memory-maps the WAB file
* Connects to the SMTP server / sends mail

Behaviour on a real system:
1. OS searching, finish. Found files: WINSOCK32, ADVAPI32
2. OS searching, finish. Found file: WAB file (e-mail address book)
3. OS searching, finish, exit. Found: SMTP server, MS Account Manager, IP address / port number (port 25)
4. IP 175.25.36.227; creates mail.dat
5. OS: send mails, finish, exit. The send-mail process finishes and the process exits; SEND e-mail mail.dat
6. CLOSE SOCKET

Virus ALIZ in the sandbox (the sandbox emulates/simulates the W98 system the virus connects to):
1. W98 connects to the sandbox; searching finishes, virus info is sent. Found: virus search order WINSOCK32, ADVAPI32
2. W98 connects to the sandbox
3. W98 connects to the sandbox; searching finishes, virus info is sent. Found: virus search order FILE (e-mail address book) WAB file; the sandbox creates a virtual e-mail address book sandbox.wab at c:\sandbox.wab. Found: virus search order SMTP server / SMTP.global.no, MS Account Manager, IP address / port number
4. W98 connects to the sandbox; the virus sends virtual mail to SMTP.global.no; the sandbox creates a virtual port / IP address (port 25, IP 175.25.36.227); creates mail.dat
27.04.2004: new Netsky
And we also have a new Netsky on our hands, from Sybari:

File name: C:\MINM\NETSKY.ZIP\YOUR_P~1.VIF
ALWIL AVAST! LGUARD : NO_VIRUS
H+BEDV AntiVir/DOS32 : NO_VIRUS
GRISoft AVG : NO_VIRUS
Kaspersky Lab AVPDOS32 : NO_VIRUS
SOFTWIN AVXC/BDC : NO_VIRUS
Dialogue Science DrWeb386 : NO_VIRUS
Frisk Software F-Prot : NO_VIRUS
McAfee Scan : NO_VIRUS
Prognet FireLite : NO_VIRUS
IKARUS PSCAN : NO_VIRUS
MkS MkS_vir : NO_VIRUS
Symantec NAV VSCAND : NO_VIRUS
ESET NOD32 : ~NEW_VIRUS
Norman NVCC : Sandbox: W32/EMailWorm
Panda Antivirus 6.0 PAVCL : NO_VIRUS
Trend Micro VScan : NO_VIRUS
GeCAD RAV : NO_VIRUS
Sophos SWEEP : NO_VIRUS
CA VET RESCUE : NO_VIRUS
CA InoculateIT INOCUCMD : NO_VIRUS
VirusBuster VirusBuster : NO_VIRUS
ClamAV for Windows : NO_VIRUS

w32_p2pworm.vxe : [SANDBOX] infected with unknown worm - W32/P2PWorm
[ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* Display message box (Error!) : Can't find a viewer associated with the file.
* Attemps to open C:\WINDOWS\SYSTEM\drvsys.exe NULL.
* Uses Ole32CreateStreamOnHGlobal.
* File length: 39263 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\drvsys.exe.
* Creates file C:\temp\ole320.
* Creates file C:\temp\ole321.
* Creates file C:\temp\ole322.
* Creates file C:\temp\ole323.
* Creates file C:\temp\ole324.
* Creates file C:\temp\ole325.
* Creates file C:\temp\ole326.
* Creates file C:\temp\ole327.
* Creates file C:\temp\ole328.
* Creates file C:\temp\ole329.
* Creates file \12;.
* Creates file C:\temp\ole32;.
* Creates file C:\temp\ole32<.
* Creates file C:\temp\ole32=.
* Creates file C:\temp\ole32>.
* Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.
[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
New Bagle, 31.08.2004
> AntiVir - HB+EDV: Not detected
> AVG - Grisoft: Not detected
> AVP - Kaspersky: Not detected
> DrWeb - Dialogue Science: Not detected
> F-Prot - Frisk: be infected with an unknown virus
> NOD - ESET: Not detected
> NVCC - Norman: W32/Malware
> RAV - Microsoft: Not detected
> ScanPM - NAI: W32/Bagle.dll.dr
> Sweep - Sophos: Not detected
> VScan - Trend: Not detected
> VScanD - Symantec: Not detected
Andreas Marx, AV-Test: 100 unknown viruses/worms/bots
01.05.2004: the start
01.06.2004
01.07.2004
Sandbox online service: www.sandbox.norman.no
Sandbox online services
SandBox v2 - e-mail service: sandbox@eunet.no
Thank you very much for your attention.
Professional data protection for your network