Avoiding Detection – Obfuscation the Criminal Game

Reading the Oversitesentry 30 Security Analysis posts I was struck by the recurring theme of detection avoidance and obfuscation is the name of the criminal game.

 

Specifically:

Rapid7’s Blog post¹ on how attackers evade SIEM (Security Information event Manager)

and the interesting post by Drops² about obfuscation by Windows programs that run in the 64bit space by using the 32bit mode as the processor switches the modes  to give backward compatibility.

Drops-32bitwithin64bitspace

From the blog: “The printed code segment selectors in hexadecimal confirmed the mode switch from 32-bit to 64-bit and back to 32-bit indeed happened.

What does this actually mean? The combination of Windows DLL space allowing malware to run while obfuscating itself and thus hiding in the environment. You may have heard that Anti-virus software only detects about 50% of the malware out there.

The big key is to use the Command  & Control connections by the malware to create Event analysis such as by Talos³ threat research blog from Cisco.  Which is discussing the latest Cryptowall 4 malware:

cryptowall4Talosimage

Notice the initial announcement connection to C2 (Command and Control) Server. As well as the subsequent Cryptowall 4 request for the encryption Pubkey, Tor domain, and PNG wallpaper such as:

The PNG wallpaper shows a bunch of “personal pages” which you have to access to pay for the decryption key.

 

So as a Systems person we need to focus on the obfuscation and Command and control traffic. The obfuscation may happen, but we know the C2 server traffic does happen, and that is what has to be captured by our firewall/NGFW(next generation firewall)

 

Contact Us if you need help with this.

 

 

 

 

 

 

  1. https://community.rapid7.com/community/infosec/blog
  2. http://en.wooyun.io/2015/12/08/33.html
  3. http://blogs.cisco.com/security/talos/cryptowall-4

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.