MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Process Automation anti-analysis II

Malicious mechanisms used in both the propagation process and the methods of infection gradually evolve through crimeware developers are constantly tweaking their creations in order to increase their economy.

This reality clearly realizes that the development of malware is a business where many "entrepreneurs" take the post on the subject releasing new viral market alternatives that actively participate in the automated generation of malicious code embedded self-defensive processes that cause a negative effect research and analysis of malware.

Some time ago we talked about one of the crimeware applications of Russian origin so fierce was added to the portfolio of offerings that show, and represents, the underground trade of malware: malicious software family with polymorphic features of CRUM.

Earlier this month, officially launched its creators, with fireworks, new version of its two stars crimeware applications CRUM Cryptor Polymorphic (v2.6) and CRUM Polymorphic Joiner (v3.1), both written in Delphi and ASM.

The first is a "crypto" polymorphic, a program whose goal is to encrypt each file processed. In this case, encryption is through a random key of 256 bytes. At the same time, the malicious file is also subject to polymorphism in which each process is obtained in a separate file, which is equal to say ... a different malware.

With a value of USD 200, this crimeware promises, among many others, the following features:

Windows 2000, Windows XP SP3, Windows Server 2003 and Windows Vista
Encryption polymorphic
Encryption with 256-byte random key in previous versions of encryption is 128 bytes
By default, the entry point is always in the first section of the binary, but can be configured to be random
Anti-VM. Avoids binary implementation of virtual machines
Anti-dump. Prevent dumping of memory
Replacement of pixels icon Random
Ability to change or delete icon
Allows encrypted under command line

Perhaps this crimeware seem a bit trivial but polymorphism functionality makes it a very dangerous threat as the mutation that occurs in each of the files isn't superficial, doesn't change any time stamp but makes important changes in the modified binary completely its structure, forming in each process a new type of malware.

As the younger brother of the family, CRUM Joiner Polymorphic, is designed, as its name implies, to merge (a concept adopted by the current crimeware) files regardless of extension and is in MASM32.

It's priced between USD 100 and its features include that:

Like the older brother, has polymorphic capacities
Allow merge an unlimited number of files with any extension (mp3, avi, doc, bmp, jpg, exe)
Set options of functionality in the final file (folder housing, attributes, etc.).
Allows selection of the iconography. By default, the software brings 40 images
Encrypt the binary with 256-byte random key
Supports Drag & Drop
Ability to select the final file extension
Removing file icons
Ability anti-analysis. Prevents execution of the binary in virtual machines

With respect to conditions of sale and use of crimeware, the author claims not to share the crypto and its components (this goes against the "business"), for commercial purposes (a clear contradiction) or submit it to analysis through online sites as VirusTotal (this increases the detection rate of binary). Requirements seem to be rather childish.

The objective behind the development of these applications is to increase the life cycle of the malicious codes that are subject to malicious processes proposed by the application, adding anti-analysis features that hinder its detection and subsequent analysis by the antivirus companies. 

Related information this Blog
Los precios del crimeware ruso
Comercio Ruso de versiones privadas de crimeware ¡Aproveche la oferta!
Automatización de procesos anti-análisis a través de crimeware

Jorge Mieres

0 comentarios:

Post a Comment