Kurt Baumgartner, PC Tools
The evidence of a major shift in the world of malware continues to build with the ongoing Storm threat. The distribution and development activity and the underlying behaviours displayed by this multi-layered threat lead us to declare that 'Malware 2.0' has indeed arrived. This threat and the characteristics it embodies are significant because it has arguably eclipsed any other threat in terms of volume, distribution activity, and its constant state of change. The code is interesting, and the effort behind the malware is currently alive and kicking.
The best brief description for the Storm threat is 'constantly changing'. The social engineering in its messages, the sophisticated kernel-level code containing its code injection techniques and AV kill methods, its browser exploits and its various shellcode have all changed for this threat in multiple ways since its inception. Even the binaries downloaded from its malicious web sites change with each and every victim's download: they are always repacked.
Also characterizing this threat is its use of 'the network as platform', its appropriation and sharing of exploit code and shellcode, its parasitic use of the user as contributor, its own perpetual beta, and a highly interactive and rich set of malicious deliverables.
In our presentation, we will examine how this threat embodies these characteristics by reversing multiple generations of its ever-changing binaries and web content, examining disassembly listings and the monitored behaviour of both its kernel-level code and user-level threads, its old and new exploits served up in web content, its changing shellcode, and its social engineering. We'll provide details of its drivers' KeInsertQueueAPC injection technique alongside its placement of system hooks and memory writes from the kernel. We'll reverse its kernel-injected p2p threads, note its system component lockdown that neutralizes specific security tools, and describe its effective kernel-level AV termination techniques. We'll walk through the threat's web server-side browser decision tree and how we reconstructed it. Finally, we'll decode its obfuscated web content and examine a couple of browser and plug-in vulnerabilities it targets based on its server-side decisions. We'll describe the shellcode's format and decode the newest 'proactive solution'-evading download-and-exec shellcode within it, compile it and step through it in order to explain and display its stack manipulation and camouflaged return-location techniques and their purpose. We'll compare it with the original Storm threat shellcode.
When compared to the older techniques of Malware 1.0, we see a whole new attitude behind the malware effort, and the crystallization of an ongoing major shift for malware in the wild.