NVC 5 deutsch JEC
Transcription

Slide 1: NVC 5 deutsch JEC
Norman Data Defense Systems
Oliver Kunzmann, Support Manager
Author: Oliver Kunzmann.

Slide 2: Viruses 2004
Timeline chart, January to March 2004. Names as they appear on the slide, with the month markers in their original positions:
Bagle.A, January, MyDoom.A, MyDoom.B, Netsky.A, Netsky.B, Netsky.C1, Bagle.C, Bagle.D, Bagle.E, Bagle.F, February, MyDoom.D, Bagle.G, MyDoom.F, Bagle.B, MyDoom.E, Netsky.C3, Bagle.I, Bagle.J, Netsky.C2, MyDoom.G, Netsky.D1, MyDoom.H, Netsky.L, Bagle.O, March, Netsky.M, Netsky.E, Bagle.T, Bagle.L, Bagle.H, Bagle.K, Netsky.F, Netsky.K, Netsky.H, Netsky.J, Bagle.S, Netsky.N, Netsky.O, Bagle.Q, Bagle.R, Netsky.G, Netsky.I

Slide 3: War of the worms
• The Mydoom, Bagle and Netsky virus war
• New viruses are being developed ever faster
• Virus writers keep coming up with new ideas, e.g. password-protected zip files with the password delivered in an image file

Slide 4: (no text on slide)

Slide 5: Quicker spreading
(chart, no further text)

Slide 6: Proactive virus protection
From virus to definition files

Slide 7: Norman SandBox
US patent pending

Slide 8: Ordinary Antivirus
Antivirus clears the traffic.
Traffic checking against definition files:
• SoBig.a
• Sobig.b – z
• Gibe a – z
• Swen.A
• Swen b-z
• Dialer.a
• Dialer.b - z
• Dialer 1 – 1289
• Trojaner 1
• (further entries shown as placeholder text "Xxxxxxxxx" on the slide)

Slide 9: Smart Antivirus
Antivirus clears the traffic with definition files and the ruleset.
Traffic checking against definition files (same list as slide 8).
What if? Suppose?
Traffic checking against ruleset (heuristics).

Slide 10: Antivirus with Sandbox
Antivirus clears the traffic with definition files and the sandbox.
Traffic checking against definition files (same list as slide 8).
Traffic checking against SandBox.
Virtual environment (shown bilingually, Norwegian and English, on the slide):
• Hardware
• Operating system
• Applications
• Communication

Slide 11: Sandbox – contents
Diagram of the simulated network. Labels as laid out on the slide:
• Simulated channels: E-mail SMTP, E-mail MAPI, Backdoors, IRC, Updates via HTTP, Kazaa, ICQ
• \\Another\Machine: IP 192.168.0.4, Open ports: 137,139 (Port 139, SMB)
• SMTP server: IP 193.75.75.100, Open ports: 25
• DNS: IP 193.75.75.102, Open ports: 53
• "Default": IP: Any, Open ports: all
• \\Remote\Machines, Name: FAKE, IP address: 192.168.0.101
• Drive N:\ mapped network drive; Mapped network drives

Slide 12: Sandbox Live !!

Slide 13: Virus ALIZ
What the worm needs:
* SMTP engine
* E-mail address
* Location of the WAB file
* Memory-maps the WAB file
* Connects to SMTP server / sends mail
Execution flow as observed:
1. OS: Finish searching… Found files: WINSOCK32, ADVAPI32
2. OS: Finish searching… Found files: WAB file (e-mail address book)
3. EXIT. OS: Finish searching… Found: SMTP server, MS Account Manager, IP address / port number
4. PORT 25, IP 175.25.36.227. Create mail.dat

Slide 14:
5. EXIT. OS: Send mails… Finish send mail process, finish, exit process. SEND e-mail mail.dat
6. CLOSE SOCKET

Slide 15: Virus ALIZ (virus and sandbox side by side)
1. Virus (OS W98): connect; searching for virus info… finish; found: WINSOCK32, ADVAPI32 (search order). Sandbox: emulates / simulates OS W98, connect; sends the virus the requested info; finish.
2. Virus: connect; searching for virus info… finish; found: WAB file (e-mail address book). Sandbox: creates a virtual e-mail address book, c:\ c:\sandbox.wab; sends the virus the requested info; finish.
3. Virus: connect; searching for virus info… finish; found: SMTP server / SMTP.global.no, MS Account Manager, IP address / port number. Sandbox: creates a virtual port / IP address; sends the virus the requested info; finish.
4. Virus (W98): PORT 25, IP 175.25.36.227; sends a virtual mail; connect SMTP.global.no. Sandbox: create mail.dat.

Slide 16: (no text on slide)

Slide 17: 27.04.2004 – new Netsky
And we also have a new Netsky on our hands, from Sybari:

File name : C:\MINM\NETSKY.ZIP\YOUR_P~1.VIF
ALWIL AVAST! LGUARD : NO_VIRUS
H+BEDV AntiVir/DOS32 : NO_VIRUS
GRISoft AVG : NO_VIRUS
Kaspersky Lab AVPDOS32 : NO_VIRUS
SOFTWIN AVXC/BDC : NO_VIRUS
Dialogue Science DrWeb386 : NO_VIRUS
Frisk Software F-Prot : NO_VIRUS
McAfee Scan : NO_VIRUS
Prognet FireLite : NO_VIRUS
IKARUS PSCAN : NO_VIRUS
MkS MkS_vir : NO_VIRUS
Symantec NAV VSCAND : NO_VIRUS
ESET NOD32 : ~NEW_VIRUS
Norman NVCC : Sandbox: W32/EMailWorm
Panda Antivirus 6.0 PAVCL : NO_VIRUS
Trend Micro VScan : NO_VIRUS
GeCAD RAV : NO_VIRUS
Sophos SWEEP : NO_VIRUS
CA VET RESCUE : NO_VIRUS
CA InoculateIT INOCUCMD : NO_VIRUS
VirusBuster VirusBuster : NO_VIRUS
ClamAV for Windows : NO_VIRUS

w32_p2pworm.vxe : [SANDBOX] infected with unknown worm - W32/P2PWorm

[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (Error!) : Can't find a viewer associated with the file.
* Attempts to open C:\WINDOWS\SYSTEM\drvsys.exe NULL.
* Uses Ole32CreateStreamOnHGlobal.
* File length: 39263 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\drvsys.exe.
* Creates file C:\temp\ole320.
* Creates file C:\temp\ole321.
* Creates file C:\temp\ole322.
* Creates file C:\temp\ole323.
* Creates file C:\temp\ole324.
* Creates file C:\temp\ole325.
* Creates file C:\temp\ole326.
* Creates file C:\temp\ole327.
* Creates file C:\temp\ole328.
* Creates file C:\temp\ole329.
* Creates file \12;.
* Creates file C:\temp\ole32;.
* Creates file C:\temp\ole32<.
* Creates file C:\temp\ole32=.
* Creates file C:\temp\ole32>.
* Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.

[ Changes to registry ]
* Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

Slide 18: New Bagle – 31.08.2004
Scanner results (scanner - vendor: result):
> AntiVir - HB+EDV: Not detected
> AVG - Grisoft: Not detected
> AVP - Kaspersky: Not detected
> DrWeb - Dialogue Science: Not detected
> F-Prot - Frisk: be infected with an unknown virus
> NOD - ESET: Not detected
> NVCC – Norman: W32/Malware
> RAV - Microsoft: Not detected
> ScanPM - NAI: W32/Bagle.dll.dr
> Sweep - Sophos: Not detected
> VScan - Trend: Not detected
> VScanD - Symantec: Not detected

Slide 19: Andreas Marx - AV-Test
100 unknown viruses/worms/bots

Slide 20: 01.05.2004 – the start

Slide 21: 01.06.2004

Slide 22: 01.07.2004

Slide 23: Sandbox online service
www.sandbox.norman.no

Slide 24: Sandbox online services

Slide 25: Sandbox online services

Slide 26: SandBox v2 - e-mail service
sandbox@eunet.no

Slide 27: Thank you for your attention
Professional data protection for your network

Slide 28: (end)
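The SandBox reports on slides 17 and 18 are what an analyst actually works from, and the point of the deck is that behaviour (files dropped, autostart keys touched, a P2P share seeded) gives a verdict before any signature exists. The following is an added example, not Norman's code and not part of the slides: a small parser for the report layout shown on slide 17 ("[ section ]" headers, "* " entries) plus a triage pass that flags the behaviours visible in that report. The embedded report is an excerpt of the slide's own text; the section names, the "[SANDBOX]" verdict line and the classification labels are taken from the slide or chosen here, and the thresholds and labels are the example's own assumptions.

```python
import re

# Excerpt of the SandBox report shown on the slide (27.04.2004, new Netsky),
# used as sample input; a raw string so the Windows paths survive unchanged.
SAMPLE_REPORT = r"""
w32_p2pworm.vxe : [SANDBOX] infected with unknown worm - W32/P2PWorm

[ General information ]
 * Display message box (Error!) : Can't find a viewer associated with the file.
 * Attempts to open C:\WINDOWS\SYSTEM\drvsys.exe NULL.
 * File length: 39263 bytes.

[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM\drvsys.exe.
 * Creates file C:\temp\ole320.
 * Creates file C:\temp\ole321.
 * Creates file \12;.
 * Creates file C:\PROGRA~1\KAZAA\MYSHAR~1\Microsoft Office 2003 Crack, Working!.exe.

[ Changes to registry ]
 * Deletes value "My AV" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 * Deletes value "My AV" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ENTRY_RE = re.compile(r"^\*\s*(.+?)\.?$")      # report entries end with a period
VERDICT_RE = re.compile(r"\[SANDBOX\]\s*(.+)$")
CREATE_RE = re.compile(r"^Creates file (.+)$")
REG_RE = re.compile(r'^(Deletes|Sets|Creates) value "([^"]*)" in key "([^"]*)"')

# Assumed (example's own) suffix for the per-user / per-machine autostart key.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def parse_report(text):
    """Return (verdict, {section name: [entry text, ...]}) for one report."""
    verdict, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERDICT_RE.search(line)
        if m and verdict is None:
            verdict = m.group(1).strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return verdict, sections


def triage(text):
    """Parse a report and flag the behaviours a reviewer would escalate on."""
    verdict, sections = parse_report(text)
    findings, files_created = [], 0
    for entry in sections.get("Changes to filesystem", []):
        m = CREATE_RE.match(entry)
        if not m:
            continue
        files_created += 1
        path = m.group(1)
        low = path.lower()
        if low.startswith("c:\\windows\\system\\") and low.endswith(".exe"):
            findings.append(("drops_exe_in_system_dir", path))
        if "\\kazaa\\" in low:                 # seeds a P2P shared folder
            findings.append(("drops_into_p2p_share", path))
    for entry in sections.get("Changes to registry", []):
        m = REG_RE.match(entry)
        if m and m.group(3).lower().endswith(RUN_KEY_SUFFIX):
            findings.append(("touches_autostart_run_key",
                             f'{m.group(1)} "{m.group(2)}" in {m.group(3)}'))
    for entry in sections.get("General information", []):
        if entry.startswith("Display message box"):
            findings.append(("decoy_error_dialog", entry))
    return {"verdict": verdict, "files_created": files_created,
            "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("verdict:", result["verdict"])
    print("files created:", result["files_created"])
    for kind, detail in result["findings"]:
        print(f"  {kind}: {detail}")
```

The parser deliberately keeps the trailing-period convention of the report out of the captured paths, since several of the dropped files on the slide end in punctuation ("ole32;", "\12;") that a naive split on "." would mangle. The Run-key rule fires on deletes as well as sets because removing a competing "My AV" autostart entry is itself a behaviour worth a second look.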