NVC 5 deutsch JEC
Norman Data Defense Systems
Oliver Kunzmann
Support Manager
Author: Oliver Kunzmann.
Viruses 2004
Bagle.A
January
MyDoom.A
MyDoom.B
Netsky.A
Netsky.B
Netsky.C1
Bagle.C
Bagle.D
Bagle.E
Bagle.F
February
MyDoom.D
Bagle.G
MyDoom.F
Bagle.B
MyDoom.E
Netsky.C3
Bagle.I
Bagle.J
Netsky.C2
MyDoom.G
Netsky.D1
MyDoom.H
Netsky.L
Bagle.O
March
Netsky.M
Netsky.E
Bagle.T
Bagle.L
Bagle.H
Bagle.K
Netsky.F
Netsky.K
Netsky.H
Netsky.J
Bagle.S
Netsky.N
Netsky.O
Bagle.Q
Bagle.R
Netsky.G
Netsky.I
War of the worms
• The Mydoom, Bagle and Netsky virus war
• New viruses are being developed faster and faster
• Virus writers keep coming up with new ideas, e.g. password-protected zip files inside an image file
Quicker spreading
Proactive virus protection
From virus to definition files
Norman SandBox
US patent pending
Ordinary Antivirus
Antivirus clears the traffic
Traffic checking against definition files:
• SoBig.a
• Sobig.b – z
• Gibe a – z
• Swen.A
• Swen b – z
• Dialer.a
• Dialer.b – z
• Dialer 1 – 1289
• Trojan 1
• …
Smart Antivirus
Antivirus clears the traffic with definition files and the ruleset
Traffic checking against definition files:
• SoBig.a
• Sobig.b – z
• Gibe a – z
• Swen.A
• Swen b – z
• Dialer.a
• Dialer.b – z
• Dialer 1 – 1289
• Trojan 1
• …
What if? Suppose?
Traffic checking against ruleset (heuristics)
Antivirus with Sandbox
Antivirus clears the traffic with definition files and the sandbox
Traffic checking against definition files:
• SoBig.a
• Sobig.b – z
• Gibe a – z
• Swen.A
• Swen b – z
• Dialer.a
• Dialer.b – z
• Dialer 1 – 1289
• Trojan 1
• …
Traffic checking against SandBox
Virtual environment:
• Hardware
• Operating system
• Applications
• Communication
Sandbox – contents
Simulated communication channels: E-mail SMTP, E-mail MAPI, Backdoors, IRC, Kazaa, ICQ, DNS, updates via HTTP
Simulated hosts and resources:
• SMTP server – IP 193.75.75.100, open ports: 25
• DNS – IP 193.75.75.102, open ports: 53
• \\Another\Machine – IP 192.168.0.4, open ports: 137,139 (port 139 = SMB)
• \\Remote\Machines – Name: FAKE, IP address: 192.168.0.101, Drive N:\ mapped network drive
• Mapped network drives, ”Default” – IP: Any, open ports: all
Sandbox Live !!
Virus ALIZ
What the worm brings along:
* SMTP engine
* E-mail address
* Location of the WAB file
* Memory-maps the WAB file
* Connects to the SMTP server / sends mail

How it runs on a real system:
1. OS: searching…. Finish. Found files: WINSOCK32, ADVAPI32
2. OS: searching…. Finish. Found files: WAB file (e-mail address book)
3. OS: searching…. Finish. Found files: SMTP server, MS Account Manager, IP address / port number. EXIT
4. PORT 25, IP 175.25.36.227. Create mail.dat
5. OS: Send mails…. Finish. Send mail process finished, exit process SEND email (mail.dat). EXIT
6. CLOSE SOCKET
Virus ALIZ in the Sandbox (OS W98 emulated, Sandbox simulated)
1. OS (W98): connect; searching virus infos…. Finish; found virus search order: WINSOCK32, ADVAPI32. Sandbox: sending virus infos; finish.
2. OS (W98): connect; searching virus infos…. Finish; found: WAB file (e-mail address book). Sandbox: creates a virtual e-mail address book c:\sandbox.wab; sending virus infos; finish.
3. OS (W98): connect; searching virus infos…. Finish; found virus search order: SMTP server / SMTP.global.no, MS Account Manager, IP address / port number. Sandbox: creates a virtual port / IP address; sending virus infos; finish.
4. W98: send virtual mail; connect to SMTP.global.no, PORT 25, IP 175.25.36.227. Sandbox: creates mail.dat.
27.04.2004 – new Netsky
And we also have a new Netsky on our hands, from Sybari:
File name : C:\MINM\NETSKY.ZIP\YOUR_P~1.VIF
ALWIL AVAST! LGUARD : NO_VIRUS
H+BEDV AntiVir/DOS32 : NO_VIRUS
GRISoft AVG : NO_VIRUS
Kaspersky Lab AVPDOS32 : NO_VIRUS
SOFTWIN AVXC/BDC : NO_VIRUS
Dialogue Science DrWeb386 : NO_VIRUS
Frisk Software F-Prot : NO_VIRUS
McAfee Scan : NO_VIRUS
Prognet FireLite : NO_VIRUS
IKARUS PSCAN : NO_VIRUS
MkS MkS_vir : NO_VIRUS
Symantec NAV VSCAND : NO_VIRUS
ESET NOD32 : ~NEW_VIRUS
Norman NVCC : Sandbox: W32/EMailWorm
Panda Antivirus 6.0 PAVCL : NO_VIRUS
Trend Micro VScan : NO_VIRUS
GeCAD RAV : NO_VIRUS
Sophos SWEEP : NO_VIRUS
CA VET RESCUE : NO_VIRUS
CA InoculateIT INOCUCMD : NO_VIRUS
VirusBuster VirusBuster : NO_VIRUS
ClamAV for Windows : NO_VIRUS
w32_p2pworm.vxe : [SANDBOX] infected with unknown worm - W32/P2PWorm
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (Error!) : Can't find a viewer associated with the file.
* Attemps to open C:\WINDOWS\SYSTEM\drvsys.exe NULL.
* **Uses Ole32CreateStreamOnHGlobal.
* File length: 39263 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\drvsys.exe.
* Creates file C:\temp\ole320.
* Creates file C:\temp\ole321.
* Creates file C:\temp\ole322.
* Creates file C:\temp\ole323.
* Creates file C:\temp\ole324.
* Creates file C:\temp\ole325.
* Creates file C:\temp\ole326.
* Creates file C:\temp\ole327.
* Creates file C:\temp\ole328.
* Creates file C:\temp\ole329.
* Creates file \12;.
* Creates file C:\temp\ole32;.
* Creates file C:\temp\ole32<.
* Creates file C:\temp\ole32=.
* Creates file C:\temp\ole32>.
* Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.
[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
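As an added example (not part of the presentation and not Norman's own code), the bracketed report sections shown above can be parsed into structured items and scored with a small ruleset, in the spirit of the "smart antivirus" slides that put rule checks on top of definition files. The sample report text and the three rules are constructed for illustration and are assumptions, not the SandBox's real rules.

```python
import re
# Constructed sample in the layout of the SandBox report quoted on this page (not a real analysis).
SAMPLE_REPORT = r"""[ General information ]
* Display message box (Error!) : Can't find a viewer associated with the file.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\drvsys.exe.
* Creates file C:\temp\ole320.
* Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.
[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
FILE_RE = re.compile(r"^Creates file (.+)$")
REG_DEL_RE = re.compile(r'^Deletes value "(.+?)" in key "(.+?)"$')

def parse_report(text: str) -> dict:
    # Returns {section: [items]}; each item loses its "* " prefix and trailing "."
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:].strip().rstrip("."))
    return sections

def indicators(sections: dict) -> list:
    # Constructed rules (assumptions, not Norman's ruleset) over the parsed items.
    hits = []
    for item in sections.get("Changes to filesystem", []):
        m = FILE_RE.match(item)
        if not m:
            continue
        path, low = m.group(1), m.group(1).lower()
        if low.startswith("c:\\windows\\system\\") and low.endswith(".exe"):
            hits.append(("drops-exe-in-system-dir", path))  # payload placed in system dir
        if "\\kazaa\\" in low and "myshar" in low:
            hits.append(("drops-lure-in-p2p-share", path))  # lure copy in a P2P share
    for item in sections.get("Changes to registry", []):
        m = REG_DEL_RE.match(item)
        if m and m.group(2).lower().endswith("\\currentversion\\run"):
            hits.append(("removes-run-key-entry", m.group(1)))  # autostart tampering
    return hits

def verdict(hits: list) -> str:
    # One-line summary in the spirit of the "[SANDBOX] infected with ..." lines above.
    return "suspicious: " + ", ".join(sorted({n for n, _ in hits})) if hits else "no rule matched"
```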
New Bagle – 31.08.2004
AntiVir - H+BEDV: Not detected
AVG - Grisoft: Not detected
AVP - Kaspersky: Not detected
DrWeb - Dialogue Science: Not detected
F-Prot - Frisk: be infected with an unknown virus
NOD - ESET: Not detected
NVCC – Norman: W32/Malware
RAV - Microsoft: Not detected
ScanPM - NAI: W32/Bagle.dll.dr
Sweep - Sophos: Not detected
VScan - Trend: Not detected
VScanD - Symantec: Not detected
Andreas Marx - AV-Test
100 unknown viruses/worms/bots
01.05.2004 – the start
01.06.2004
01.07.2004
Sandbox online service
www.sandbox.norman.no
Sandbox online services
SandBox v2 - e-mail service
sandbox@eunet.no.
Thank you for your attention
Professional data protection for your network