Wednesday 3 September 2008

BotNet Security

Bot Masters have a lot to fear nowadays: 'the Feds', White/Grey Hats, Anti-Virus firms, and other Bot Masters, so adding protection to a Bot is now commonplace.

Here is a list of common security measures in use:

Sandbox Detection:
Detection of analysis environments: Sandboxie, Norman, Anubis, ThreatExpert, VMware, Virtual PC.
Debugger/monitor detection: OllyDbg, SoftICE, Process Explorer, RegMon, FileMon.

Encryption:
SSL-encrypted connection to the C&C, Blowfish-encrypted input/output of commands, Blowfish/XOR-encrypted settings within the file.

Custom Crypters/Packers:
Scan-time/runtime 'FUD' (fully undetectable), RC4/AES/Blowfish-encrypted executable and settings, RunPE injection, process injection to bypass firewalls/HIPS, SDT Restore, API hooking/unhooking.

Custom C&Cs:
IRC: There are a few custom IRCds released, most of which have a limited command set so that only the Bot Master can communicate with the Zombies.
HTTP: Easy to set up, admin PHP interface, harder to detect because it blends into normal web traffic.
P2P: Hard to take down, no 'complete' public code available, and can use existing P2P networks to their advantage, e.g. Gnutella.
Some C&Cs have built-in defence mechanisms such as auto-banning and launching a DDoS against anyone they detect as an intruder.

Anti Malware:
Some Bots will seek out and destroy other Malware that has infected a Victim PC. Some Bots also hijack other Malware infections by what is called 'WormRide'. Basically, WormRide hijacks the transfer of Malware from a Zombie to a Victim and sends itself in its place.

Anti Anti-Virus/Protection:
Disabling of AV products, unhooking of protected APIs, blocking updates by modifying the 'hosts' file and also blocking/poisoning DNS, disabling Vista's UAC, disabling Windows Updates, modifying IE security levels, modifying local group policy, adjusting user/application rights.
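The 'hosts' file trick above is one of the easiest to check for from the defender's side: a clean hosts file should never pin anti-virus or update-vendor domains to a fixed address. The script below is an added example, not code from the original post; it parses hosts-file content (comments, tabs, several hostnames per line, IPv6) and flags any watched domain that is sinkholed to loopback/0.0.0.0 or redirected elsewhere. The watch list and the sample hosts content are constructed for illustration.

```python
"""Audit hosts-file content for entries that block or redirect
security-vendor and update domains.

Added example for this post, not the post's own code. The watch
list and the sample hosts text below are constructed for illustration."""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed watch list: domain suffixes a normal hosts file should never pin.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "avast.com",
    "virustotal.com",
)


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _matches_watchlist(hostname: str) -> bool:
    """True if the hostname is a watched domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def _is_sinkhole(address: str) -> bool:
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) targets
    simply make the domain unreachable, i.e. block updates/AV traffic."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    """Return one Finding per watched hostname pinned in the hosts text."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s+", line)  # hosts files allow tabs or spaces
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:
            if not _matches_watchlist(host):
                continue
            if _is_sinkhole(address):
                reason = "watched domain sinkholed (updates/AV traffic blocked)"
            else:
                reason = "watched domain redirected to fixed address (possible hijack)"
            findings.append(Finding(line_no, address, host, reason))
    return findings


# Constructed sample hosts content showing both the blocking and the
# redirect variants alongside legitimate entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.windowsupdate.com   update.microsoft.com   # blocks patching
0.0.0.0         liveupdate.symantec.com
10.0.0.5        www.kaspersky.com       # sent to an attacker-controlled host
192.168.1.20    fileserver.corp.local   # legitimate internal pin, not flagged
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname}: {f.reason}")
```

On a live system the same function can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts`; the watch list should be extended with the vendors actually deployed in the environment, and a hosts file that has been modified recently or that has its read-only/hidden attributes changed is worth correlating with the findings.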

Most of the above is publicly available to Malware authors, and it's often just a case of 'copying and pasting' it into a piece of Malware.