Analysis and Detection of SPYWARE - BEING HACKER


Wednesday, 20 December 2017


Analysis and Detection of Polymorphic Spyware



Polymorphic spyware is becoming more common as a way to defeat antivirus scanners. In this article we consider how polymorphic mutation helps malware evade detection, using the recently discovered NrgBot/DorkBot polymorphic worm as the example. We then consider how to find and neutralize active infections in cases where AV scanners have been unable to detect a freshly generated polymorphic copy.

What you will learn… 

• peculiarities of polymorphic spyware; 
• how to use sandboxing in spyware analysis; 
• how to create a Yara rule to detect an active infection on a computer system.

What you should know…

• Windows OS background knowledge; 
• general information about sandboxing technology;
• general information about the Yara engine.

Malware authors constantly look for new techniques to stay one step ahead of anti-malware researchers and avoid detection by antivirus programs. The technique discussed here is a trick widely used by web exploit kits and well-known botnets: server-side polymorphism.

Examples of this technique include Shiz, Carperb and Nrgbot/Dorkbot. The main purpose of these backdoors is to steal credentials for Internet banking, trading platforms and RBS (remote banking services). Once released, a new copy of such polymorphic spyware is very commonly missed by the majority of AV file scanners (Figure 1). Server-side polymorphism therefore makes detection considerably harder for the traditional signature-based approach.




The Concept of Polymorphic Encryption

The idea of polymorphic encryption is not new: the malicious file is re-encrypted on the attacker's servers every time an infected bot machine requests it. Let us consider the scheme of a polymorphic infection (Figure 2).




Once infected, the user's computer sends registration information to a C&C server. The C&C server replies with a set of commands to execute on the victim's computer. A new piece of malware is then produced by a "Polymorphic Generator", which re-packs or re-encrypts the original binary with a randomly generated key. Every copy is therefore unique, which gives it a significant advantage: it has never been caught and analysed by malware researchers, so the likelihood that it is detected is much lower.

The attacker can scan the newly created copy with popular anti-malware products to verify that it is not detected. Although the file could be checked with an online service such as VirusTotal, malware authors tend to avoid this route because the sample is shared with the AV community, analysed and added to detection databases. Once the copy has been generated and verified as undetected, it is stored on a "Download Server" and the download link is sent to the victim's bot.

Nrgbot Polymorphic Worm

Let us take a look at a real-life example. Once installed, Nrgbot receives from its C&C server a URL from which to update itself (Figure 3).




The bot then downloads a new backdoor instance (Figure 4). After this "update", the backdoor is invisible to signature-based AV scanners. Moreover, such backdoors often block access to AV vendor websites, which stops the user's security application from downloading detection database updates. Comparing two polymorphic instances of the same backdoor gives the picture shown in Figure 5.







The code and the file size are completely different. The difference is produced by a polymorphic mutator: the figure shows that code structure and size are changed by appending zero bytes and re-encrypting the data, so the file structure differs substantially as well. However, if we run both samples in a sandbox and look at the code injected into system processes, we see almost identical data (Figure 7).




Despite the significant differences in file content, both samples have the same functionality and the same payload, reflected in the malicious injections (see Figure 6). If antivirus scanners ran a sample in a sandbox or emulator during scanning, they would not be fooled by the polymorphic encryption and would catch newly created copies immediately with an exact family verdict.
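The following is an added illustration of the two points above (the generator that re-encrypts and re-pads every copy, and the identical code that appears in memory once the copy runs). It is constructed example code, not Nrgbot's or the article's own tooling: the XOR cipher, the header layout, the padding range and the payload bytes are all assumptions chosen to keep the demonstration self-contained; only the "ngrBot" marker and the four site names come from the article.

```python
"""Toy server-side polymorphic generator (constructed example, not Nrgbot code).

Every call to the "download server" yields a copy with a fresh key and fresh
padding, so hash, bytes and size all differ, yet each copy unpacks to the same
payload, which is what a sandbox or memory scan sees.
"""
from __future__ import annotations

import hashlib
import random

# Constructed stand-in for the bot's decrypted code. Only the "ngrBot" marker and
# the site names are taken from the article; the rest is filler.
PAYLOAD = (
    b"\x55\x8b\xec\x83\xec\x40"          # fake function prologue (constructed)
    + b"ngrBot\x00facebook\x00twitter\x00symantec\x00threatexpert\x00"
    + bytes(range(256))                   # filler so every byte value occurs
)
MARKER = b"ngrBot"


def repack(payload: bytes, key: bytes, pad: int) -> bytes:
    """Toy generator: [key length][key][payload length][XOR body][zero padding].

    A real generator uses a proper packer; XOR with a random key plus a random
    amount of trailing zero bytes is enough to change both content and size.
    """
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + len(payload).to_bytes(4, "big") + body + b"\x00" * pad


def unpack(blob: bytes) -> bytes:
    """Inverse of repack(): what the loader leaves in memory after decryption."""
    klen = blob[0]
    key = blob[1:1 + klen]
    plen = int.from_bytes(blob[1 + klen:5 + klen], "big")
    body = blob[5 + klen:5 + klen + plen]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def generate_copies(n: int, seed: int | None = None) -> list[bytes]:
    """Emulate n download requests: a new 8-byte key and new padding each time.

    seed is only for reproducible tests; a real generator draws from a CSPRNG.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    copies = []
    for _ in range(n):
        key = bytes(rng.getrandbits(8) for _ in range(8))
        copies.append(repack(PAYLOAD, key, rng.randrange(0, 4096)))
    return copies


def static_signature_hit(blob: bytes) -> bool:
    """What a file scanner sees: the marker is (practically) never in the encrypted file."""
    return MARKER in blob


def memory_signature_hit(blob: bytes) -> bool:
    """What a sandbox or memory scan sees: the marker after decryption."""
    return MARKER in unpack(blob)


def summarise(copies: list[bytes]) -> list[tuple[str, int, bool, bool]]:
    """(sha256 prefix, size in bytes, static hit, memory hit) for each copy."""
    return [
        (hashlib.sha256(c).hexdigest()[:12], len(c),
         static_signature_hit(c), memory_signature_hit(c))
        for c in copies
    ]


if __name__ == "__main__":
    for digest, size, static, memory in summarise(generate_copies(3)):
        print(f"{digest}  {size:5d} bytes  static={static!s:5}  memory={memory}")
```

Running it prints three rows with different digests and sizes, `static=False` on every row and `memory=True` on every row, which is the whole argument of this section in miniature: a file hash or a byte pattern taken from one copy says nothing about the next copy, while a pattern taken from the decrypted code in memory matches all of them.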




Detecting Polymorphic Spyware Injects with Yara Rules 

This section describes Yara rules that help malware researchers identify Nrgbot/Dorkbot on an infected machine.

To find unique strings that identify an infection, a dump of the Nrgbot code is required. Nrgbot injects its code into the address space of all running processes except System, smss.exe and lsass.exe, so the dump is taken from one of the injected processes.

Figure 8 shows an example of locating the injection by analysing the virtual address descriptors (VADs) of Explorer.exe [1].




The injected code can then be dumped from the Explorer.exe process with PE Tools (Figure 9).




A malicious code dump example is illustrated in Figure 10. 




The dump is scanned with the free online VirusTotal multi-scanner (Figure 11).




The scan results show that most antivirus programs cannot detect Nrgbot in memory. To simplify the search for unique dump strings to use in a Yara rule, we use the Sysinternals Strings utility. Below is a fragment of the strings found in "Dump_013E0000_0004E000.dmp":

The fragment shows the names of Internet resources blocked by the malware, as well as the unique "ngrBot" marker.

Using the strings from "Dump_013E0000_0004E000.dmp", let us create a Yara rule (Figure 12).




The rule's condition matches either when all of the strings $a1-$a9 are present, or when only "facebook", "twitter", "symantec" and "threatexpert" are present together with the standard "ngrBot" marker. As you can see, the "ngrBot" string is left out of the first part of the condition, because some samples' dumps contain no "ngrBot" marker. Using the rule, let us scan the Explorer.exe process by PID (1544 in this example), with the rule saved as Yara.txt. The command is:

Yara.exe Yara.txt 1544 > YaraResult

The results are presented in Figure 13: the Yara rule has successfully detected Nrgbot. The malware can then be removed manually by following the malware description (see On the Web).
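The whole procedure above (Strings over the dump, choosing the unique strings, writing the two-branch rule, scanning) is shown below as an added, self-contained example; it is not the article's Figure 12 rule nor Lavasoft's tooling. The four site names and the "ngrBot" marker are the ones the article names; the five further strings $a5-$a9 from the article's rule are not reproduced on the page, so the example uses clearly labelled placeholder tokens for them, and the "memory dumps" it scans are constructed byte strings. The rule text it emits is valid YARA syntax and can be saved to a file and used with yara.exe as in the command above; the pure-Python evaluator only mirrors that rule's condition so the example runs without YARA installed.

```python
"""Strings -> unique strings -> YARA rule -> scan, on a constructed memory dump.

Added example; not the article's own tooling. Mirrors the rule described in the
text: match when all site strings are present, or when the four core sites are
present together with the "ngrBot" marker.
"""
from __future__ import annotations

import re
from typing import Sequence

# Named in the article.
CORE_SITES = ["facebook", "twitter", "symantec", "threatexpert"]
# Placeholders for $a5-$a9, which the page does not reproduce; replace with
# strings taken from your own dump.
EXTRA_SITES = ["blocked-site-5", "blocked-site-6", "blocked-site-7",
               "blocked-site-8", "blocked-site-9"]
SITE_STRINGS = CORE_SITES + EXTRA_SITES
MARKER = "ngrBot"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Sysinternals Strings-style extraction: printable ASCII runs and UTF-16LE runs.

    Injected code often stores URLs as wide strings; an ASCII-only scan misses
    them, so both forms are returned.
    """
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def build_rule(name: str, sites: list[str], marker: str, core: int = 4) -> str:
    """Emit YARA rule text with the two-branch condition described in the article.

    'ascii wide' makes each string match in both 8-bit and UTF-16LE form.
    """
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(sites, 1):
        lines.append(f'        $a{i} = "{s}" ascii wide')
    lines.append(f'        $m = "{marker}" ascii wide')
    core_ids = " and ".join(f"$a{i}" for i in range(1, core + 1))
    lines += ["    condition:", f"        all of ($a*) or ({core_ids} and $m)", "}"]
    return "\n".join(lines)


def rule_matches(found: list[str], sites: list[str] = SITE_STRINGS,
                 marker: str = MARKER, core: int = 4) -> bool:
    """Pure-Python mirror of the rule's condition over the extracted strings."""
    hit = [any(s in f for f in found) for s in sites]
    has_marker = any(marker in f for f in found)
    return all(hit) or (all(hit[:core]) and has_marker)


def make_dump(ascii_tokens: Sequence[str], wide_tokens: Sequence[str] = ()) -> bytes:
    """Constructed stand-in for a process memory dump: tokens between NULs and filler."""
    out = bytearray(b"\x90" * 8)
    for t in ascii_tokens:
        out += t.encode("ascii") + b"\x00" + b"\xcc" * 3
    for t in wide_tokens:
        out += t.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 3
    return bytes(out)


def scan_dump(data: bytes) -> bool:
    """Strings plus rule evaluation in one step, as yara.exe does against a PID."""
    return rule_matches(extract_strings(data))


if __name__ == "__main__":
    print(build_rule("Nrgbot_inject", SITE_STRINGS, MARKER))
    # "facebook.com" only as a wide string: the ASCII-only view would miss it.
    infected = make_dump(["ngrBot", "twitter.com", "symantec.com", "threatexpert.com"],
                         ["facebook.com"])
    # Explorer legitimately holds such URLs; two sites alone must not fire.
    benign = make_dump(["facebook.com", "twitter.com"])
    print("infected dump:", scan_dump(infected))   # True
    print("benign dump:  ", scan_dump(benign))     # False
```

The benign dump is the case to keep in mind when picking strings: site names alone occur in any browser or shell process, so the rule only fires on the full set, or on the four core sites together with the family marker. To sweep a whole machine rather than one PID, run the same yara.exe command once per process ID.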




A similar rule can be created for the Shiz malware family (Figure 14). 




Yara signatures built from the unique strings or byte sequences of malware dumps or injections make it possible to identify polymorphic spyware on a system.

Conclusion

As we have seen, polymorphism can largely protect a new piece of spyware from detection on day zero by the majority of antivirus products, making it almost invisible on a computer system. Moreover, once installed, a polymorphic backdoor can run an update procedure to download a new version of itself, extending its lifespan on the infected computer.

We have also shown a way to detect polymorphic spyware, based mainly on dynamic analysis of samples. Once executed, polymorphic spyware reveals its malicious payload directly in process memory, and the active infection can be detected with Yara rules written specifically for the Nrgbot and Shiz families, as done in this paper.

This method of detection is therefore applicable to numerous infections, for example across a corporate network. Using the techniques described, an administrator or security engineer can create a Yara rule for a particular spyware family and start detecting active infections in the network. Once an infection is found, a removal guide can help to clean the system.

Bibliography

[1] Russinovich M. E., Solomon D. A. Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (Pro-Developer), 4th ed. Redmond, WA, USA: Microsoft Press; 2004. ISBN 0735619174.


On the Web

http://lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32shiz – analysis of Shiz backdoor;

http://lavasoft.com/mylavasoft/malware-descriptions/blog/nrgbot – analysis of Nrgbot/Dorkbot worm;
http://lavasoft.com/mylavasoft/securitycenter/malware_desc/blog – analysis of Carperb backdoor;
https://www.virustotal.com – Virustotal multiscanner;
https://www.virustotal.com/file/138cec24cc1a5ce7466e86f8a9aaad555317b1b2281c531a0bcab8d84eb149b8/analysis/1352204012/ – a scan report of the new Nrgbot by VirusTotal;
http://technet.microsoft.com/en-us/sysinternals/bb897439 – Strings v2.5 by Mark Russinovich;
http://yara-project.googlecode.com/files/YARA%20User’s%20Manual%201.6.pdf – Yaraproject;
http://uinc.ru/scripts/load.cgi?files/neox/PE_Tools.zip – PE Tools downloading page.

Glossary

Polymorphism – a passive method of code protection that lets a self-replicating program fully or partially modify its outward appearance and/or the structure of its code during replication.
