Crimeware gets easy, and progressively harder to fight

The Zeus Trojan kit is nothing new. It has been available on the market for around $700, and has been used more than 150 times in attacks hitting around 4,000 computers per day, as reported by stopBADware, the online malware resource.
Some additional background:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. In the past 6 months RSA’s Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other — making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them, and each use of the kit usually makes existing signatures ineffective. As in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim’s machine, control it remotely, add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the “Remember this password?” checkbox?)… And the feature list goes on.

In an additional twist, the Russian Business Network, which has been associated with the creation and distribution of the Zeus kit, is actively working to protect its intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting its products.

As this trend goes further mainstream, we see the common Web 2.0 mentality (the more people use the service, the better it gets) being applied to open source malware and to malware as a web service. Once the source code becomes publicly obtainable, it’s not just new features and modules that get introduced: the malware also starts using the Web as a platform.

Some of the most popular open source badware code kits are successfully building communities around this open source nature, attracting criminal innovation on behalf of third-party coders.

And so we are beginning to see a demand for “quality of service”, which has led to commercial code obfuscation software such as Code Virtualizer. “Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).

Modified Code
Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into a different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.”
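To make the mechanism described in the quote concrete, and to show why the per-build binaries in point 2 above defeat byte signatures, here is a toy stack VM (an added illustration written for this post, not code from Code Virtualizer or the Zeus kit). The program, the mnemonic set and the keyed opcode permutation are all constructed assumptions; a real protector also rewrites the interpreter itself, which this toy does not.

```python
# Toy stack VM: the mnemonic set is fixed, but every "protected" instance numbers
# the opcodes differently, so the same program is emitted as different bytes.
MNEMONICS = ("PUSH", "ADD", "MUL", "SUB", "RET")

# Constructed sample program: computes (6 + 7) * 3 - 4 = 35.
PROGRAM = [("PUSH", 6), ("PUSH", 7), ("ADD",), ("PUSH", 3), ("MUL",),
           ("PUSH", 4), ("SUB",), ("RET",)]

def make_instance(seed):
    """One protected instance -> (opcode_map, bytecode). A keyed permutation
    stands in for a real protector's random numbering: 251 is prime and 41*i
    is distinct mod 251 for i < 5, so each mnemonic gets a unique non-zero byte."""
    codes = [(seed * 97 + i * 41) % 251 + 1 for i in range(len(MNEMONICS))]
    opcode_map = dict(zip(MNEMONICS, codes))
    bytecode = bytearray()
    for instr in PROGRAM:
        bytecode.append(opcode_map[instr[0]])
        if instr[0] == "PUSH":
            bytecode.append(instr[1] & 0xFF)
    return opcode_map, bytes(bytecode)

def run_vm(opcode_map, bytecode):
    """Interpret instance bytecode; the dispatch table comes from the instance map."""
    handlers = {code: name for name, code in opcode_map.items()}
    stack, pc = [], 0
    while pc < len(bytecode):
        op = handlers[bytecode[pc]]
        pc += 1
        if op == "PUSH":
            stack.append(bytecode[pc])
            pc += 1
        elif op == "RET":
            return stack.pop()
        else:  # binary arithmetic ops pop two operands and push one result
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": a + b, "MUL": a * b, "SUB": a - b}[op])
    raise ValueError("bytecode ended without RET")

def compare_instances(seed_a, seed_b):
    """Same program, two instances: same result, different bytes, and a byte
    pattern taken from instance A fails to match instance B."""
    map_a, code_a = make_instance(seed_a)
    map_b, code_b = make_instance(seed_b)
    signature = code_a[:4]  # first four bytes of A, as a naive AV byte pattern
    return {
        "same_result": run_vm(map_a, code_a) == run_vm(map_b, code_b) == 35,
        "same_bytes": code_a == code_b,
        "signature_hits_a": signature in code_a,
        "signature_hits_b": signature in code_b,
    }
```

The protected bytes change from build to build while the dispatch loop and handler structure do not, which is why analysts key detection on the VM entry and handler skeleton rather than on the virtualized bytes.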


~ by David Barnett on October 10, 2008.
