Also very interesting was the Kernel Wars session by Joel Eriksson, Karl Janmar and Christer Öberg, in which they showed, among other things, how to gain full access to FreeBSD via a WiFi exploit. In the picture, from left to right: Satur from Panda Research, myself and Luis from PandaLabs.
Yesterday the 2007 eCrime Congress finished in London. We had a good time there, met some interesting people and learned a lot about how financial entities and banks deal with fraud and phishing attacks. For those interested in my presentation about the latest banking Trojan techniques we have seen in some Russian Trojans we are investigating, you can find it here.
Following up on the Packing a punch post, we recently came across a couple of banking targeted attack Trojans that use interesting signature-based detection evading techniques.
There are packers (UPX, FSG, etc.) and cryptors or protectors (ASProtect, SWPK, Armadillo, Themida, etc.). The latter are widely used by legitimate software publishers to protect their applications from being cracked by pirates. Crackers create generic tools to un-protect software applications and, just as with malware, crackers and software publishers are in a constant cat-and-mouse race to crack and to avoid being cracked.
The first Trojan we'll look at uses regular and known packing techniques. By investigating different downloader variants which the Trojan uses to update itself, we found a point-and-click utility with runtime-packing functionality to create additional Trojan downloader variants that evade detection.
The user only needs to type in the URL where the downloader should get the Trojan from, choose the runtime packing technique of choice from a drop-down box (or add a custom one) and click "Make Downloader…" Voilà, we have a new undetectable Trojan.
Great. Now any regular Joe Blow can point-and-click to create yet more undetectable Trojan downloader variants. We'll be adding a signature which will generically detect any downloader created by this utility.
The next Trojan we'll look at is a bit more advanced. It wasn't picked up or identified by any of our internal tools nor by competing AV engines. Taking a more in-depth look at it, we see that there are no visible strings and the entry point is typical of packers... probably a new type of packer? Let's follow the unpacking algorithm with OllyDbg in the video and find out.
After unpacking it manually, its size doubles and the strings within become visible. It turns out to be a purpose-made runtime packer created specifically for distributing malware that is undetectable by any current AV unpacking algorithms (at least the ones we've checked). The actual Trojan is a targeted attack on users of well-known banks and financial institutions, using brand new techniques to steal banking credentials (I'll show details of these techniques at the eCrime Congress later this month).
In Packing a punch we discussed whether packers should be detected more generically than they are now. There are some interesting points of view and valid arguments from legitimate software developers, but even if those are taken into consideration the question still remains: should more unknown packers, and packers used by malware such as the ones shown above, be detected generically?
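As an added illustration of the traits described above for the unknown packer (high entropy, no visible strings, an entry point outside the usual code section), here is a small triage heuristic of the kind a generic packer check could apply before deciding to unpack. This is example code written for this post, not Panda's engine; the thresholds, section names and both sample buffers are constructed assumptions.

```python
import hashlib
import math
import re

# Runs of 8+ printable ASCII bytes count as "visible strings" (assumed threshold).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Sections in which an entry point is considered normal (assumed list).
NORMAL_CODE_SECTIONS = (b".text", b"CODE")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed, encrypted or packed data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def packer_triage(data: bytes, entry_section: bytes) -> dict:
    """Score the traits the post names for the unknown packer: high entropy,
    no readable strings, entry point outside the usual code section.
    Two or more hits => flag the sample for manual unpacking."""
    entropy = shannon_entropy(data)
    strings_per_kb = len(PRINTABLE_RUN.findall(data)) / max(len(data) / 1024, 1.0)
    reasons = []
    if entropy > 7.0:
        reasons.append("high entropy: %.2f bits/byte" % entropy)
    if strings_per_kb < 2.0:
        reasons.append("few readable strings: %.1f per KB" % strings_per_kb)
    if entry_section not in NORMAL_CODE_SECTIONS:
        reasons.append("entry point in section %r" % entry_section)
    return {"entropy": entropy, "strings_per_kb": strings_per_kb,
            "reasons": reasons, "likely_packed": len(reasons) >= 2}

def constructed_packed_blob(n: int = 4096) -> bytes:
    """Deterministic SHA-256 chain standing in for a packed/encrypted section."""
    out, block = bytearray(), b"constructed-sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed stand-in for the manually unpacked image: imports and URLs readable.
CONSTRUCTED_UNPACKED = b"\x55\x8b\xec\x00".join(
    [b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA",
     b"https://bank.example/login", b"Mozilla/4.0 (compatible)"] * 4)

if __name__ == "__main__":
    print(packer_triage(constructed_packed_blob(), b"pack0"))
    print(packer_triage(CONSTRUCTED_UNPACKED, b".text"))
```

The entropy and string-density checks are what make the "size doubles and strings become visible after unpacking" observation measurable, so the same function can be run on the raw and the unpacked image to confirm the unpacking worked.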
We're happy to announce the integration of the Panda engine into Jotti's online scanning service. Even though the Linux pav engine at Jotti is a bit old and doesn't have genetic heuristics, we'll soon be integrating version 1.4.3.
First it was Panda Antivirus 2007 for consumers and ClientShield for corporate desktops, now also Panda Antivirus+Firewall 2007 Beta (aka Titanium version 6.01.08) is compatible with Windows Vista. Check out our Vista Compatibility Information site at http://www.pandasoftware.com/vista for more info.
In addition to 32-bit Vista compatibility, this beta version is also compatible with Windows XP 64-bit and MS Office 2007. As it includes the new Panda Engine 1.4.3, it integrates the new version of the Genetic Heuristic Engine and low-level rootkit detection. There are also some major usability improvements in its alerts, messages and install/uninstall processes.
You can download Panda Antivirus + Firewall 2007 Beta directly from here. For automatic updates of the signature database you can use CCF227ANMB and KPW7K2E4 as the username and password respectively. Be sure to contact firstname.lastname@example.org with any problems or suggestions.
We're happy to announce that after many months of development we are finally releasing our Panda Engine version 1.4.3. Some of the most significant improvements made are:
- Improved support for Office12 formats
- Improved support of .SIS formats
- Support of Vista platform
- Support of Multimedia Messaging Service (MMS) formats
- Support of Flash, Nullsoft 2x and WinAce 2.0 formats
- Improved analysis of hidden processes
- Low-level rootkit scanning for NTFS, FAT32, FAT16 and FAT12
- Remote thread scanning to detect certain rootkits
- Improved Genetic Heuristic Engine (GHE) version 6.2.1
- Plugin for generic unpacker engine to support additional formats
- Detection of "exepacker_of_death" for files using multiple packed layers
- Scan support of Windows Restore Points
This new engine will be deployed progressively to all our products over the next couple of months. Watch this space for the release of a new Panda Scanner (command-line) and an EngineAPI that make use of this new engine.
It's that time of the year again. PandaLabs has recently published its Annual 2006 Report. It's also very interesting to read the detailed quarterly reports for Q1, Q2 and Q3. I especially like the "day-to-day" reports section. Great work guys!