by Raul R. Alvarez March 1, 2010 at 11:54 am
In-depth analysis of malware shows the different methods used to obfuscate its code. Malware employs a range of tactics to hide itself and make analysis harder. One of them is loading the functions it needs dynamically. Those functions, usually called APIs (Application Programming Interface), are normally resolved when an application starts.
Malware authors also use dynamic function loading to let their code adapt to different operating system versions, so that the same program runs on Windows XP, Vista, Windows 7 or another platform.
Common practice is to list all the function names as an array of strings to be resolved once the application is running, using a combination of LoadLibrary and GetProcAddress to get the proper addresses. Some samples, however, obtain those addresses through other techniques without calling those two functions at all.
Let’s take a closer look at how W32/Bredolab.AC!tr.dldr resolved its API addresses.
W32/Bredolab.AC!tr.dldr does not use a list of API strings; instead it carries a list of hash values, one for each API name it needs. The hash is computed as below:

These are the steps the malware follows to get the right API addresses without using LoadLibrary and GetProcAddress.
Step 1:
It first copies the DLL file it needs into the “%temp%” folder as TMP??.tmp (?? is a 2-digit number).

Step 2:
It then loads TMP??.tmp into its own address space.

Step 3:
Having loaded the tmp file, which is a copy of the DLL, it can now parse it. It walks the export table to get the list of function names, computes the hash of each name and compares it against its own list.

Once a hash matches, it takes the address of that function. It then goes back to Step 1 until it has all the addresses it needs.
This technique of getting API addresses is not new, but it is still a good illustration of how malware works. Malware authors go to some lengths just to make analysis harder. I imagine that this is not even half of what the malware does.
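As an added example (not code from the original post), here is the analyst's counterpart to Step 3: hash every export name of a DLL once, so that the hash list carried by the sample can be mapped back to API names. The post's own hash formula did not survive here, so `api_hash` is an assumed rotate-and-add stand-in to be replaced with the routine recovered from disassembly, and the export names are a constructed sample rather than a dump of any real DLL.

```python
"""Reverse lookup from API-name hashes to export names (added example)."""
from typing import Dict, Iterable, List, Optional


def api_hash(name: str, rotate: int = 13) -> int:
    """Stand-in hash (assumption, not the sample's real routine):
    rotate the 32-bit accumulator right, then add each ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> rotate) | (h << (32 - rotate))) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, List[str]]:
    """Hash every exported name once. A list is kept per hash so that
    collisions between two export names become visible instead of
    silently picking one of them."""
    table: Dict[int, List[str]] = {}
    for name in export_names:
        table.setdefault(api_hash(name), []).append(name)
    return table


def resolve(hashes: Iterable[int],
            table: Dict[int, List[str]]) -> Dict[int, Optional[str]]:
    """Map each hash from the sample's list back to a name.
    Unknown hashes resolve to None; collisions are flagged explicitly."""
    out: Dict[int, Optional[str]] = {}
    for h in hashes:
        names = table.get(h)
        if names is None:
            out[h] = None
        elif len(names) > 1:
            out[h] = "AMBIGUOUS:" + "|".join(names)
        else:
            out[h] = names[0]
    return out


# Constructed sample: a few kernel32 export names an analyst would feed in,
# typically taken from the export table of the DLL the sample copied to %temp%.
SAMPLE_EXPORTS = ["CreateFileA", "WriteFile", "CloseHandle",
                  "VirtualAlloc", "GetTempPathA"]
SAMPLE_TABLE = build_lookup(SAMPLE_EXPORTS)

if __name__ == "__main__":
    wanted = [api_hash("VirtualAlloc"), api_hash("CloseHandle")]
    for h, name in resolve(wanted, SAMPLE_TABLE).items():
        print(f"{h:08x} -> {name}")
```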
by Jennifer Leggio February 26, 2010 at 2:39 pm
Two of Fortinet’s FortiGuard Labs researchers will be on hand at next week’s RSA Conference to present their research in the Fortinet booth theater (#2225). The presentations focus on ransomware and industrial spying, two hot topic areas that are on the minds of security professionals at enterprises today. Here is a bit of information:
All Your Data Are Belong To Us
Ransomware comes in many shapes and forms, with the most recent variation using malware masquerading as antivirus protection. The goal of an attacker is simple: cripple, lock down and encrypt files/applications, then offer a service to unlock the data. Ransomware has already begun to leave a destructive trail in 2010. Watch as Derek Manky, cyber security and threat researcher, discusses and demonstrates these threats live in the theater.
The Art of Industrial Spying
Every organization and individual has more and more confidential or regulated data to manage, with growing amounts of data being moved to digital storage and transferred digitally. This has wedged the door open to data theft and/or manipulation for financial gain, while bypassing physical security measures. Steve Fossen, senior manager of security research and development, will discuss and demonstrate how enterprises can protect their data from this kind of intellectual property theft so that it doesn’t end up in the wrong hands – or on the open market.
Presentations will take place every 30 minutes during show floor hours. Please stop by the Fortinet booth (#2225) for the schedule and for information on these presentations.
by Michael Xie February 24, 2010 at 10:16 am
I’ve been asked to provide a little more information on what else we can provide in the web filtering space, particularly when it comes to service providers and how they can solve one of the main problems when considering a residential web filtering service. We have provided a way of dynamically provisioning the web filtering profile on a per end point basis, and end point can of course be many things. Flexibility in this end point definition is key, so it can relate to an authenticated username, a service, location, or in the case of mobile networks the cell number (MSISDN).
Providing this flexibility does of course leave us another problem to solve. In a mixed home environment with parents and children of various ages, different levels of access are desirable, or at least the parent paying the bill wants to have some additional choice. With our in-home residential control here at Fortinet we believe in allowing parents to have a different level of access than others in the house, with an override capability which can unlock a reduced, or unfiltered, access, depending of course on how the provider has defined the service offering. So it is possible to match the service not just to the house, but to its occupants, all sharing the same IP address.
For providers it gives them the ability to create flexible services that are dynamically provisioned, helping the scalability, and profitability of the offer. For the customer we provide the protection they need, without the restrictions they are happy to do without.
Effortless Efficiency
Speed and efficiency are of the essence in protecting your network and its users from threats. They are also key to a quick response for web site ratings.
As previously discussed, latency is minimized by the FortiGate monitoring the FortiGuard servers for the most responsive one within its geographic region. Further, rating responses can also be cached locally, minimizing the hits on the FortiGuard servers. This is a very effective method for common sites. Search engines and other sites frequently visited by your business can remain cached locally. Other, less frequently visited sites can be cached locally for a set amount of time. For a site such as Google, the frequency of access can keep it in the cache; other sites can remain in the cache for up to 24 hours, or less depending on the configuration.
But what other options do you have to maximize the response time to web filter ratings? You need to minimize the network latency, and the way we do that is by providing you with your own copy of the FortiGuard database, automatically synchronized to the main FortiGuard Network.
This copy is stored on the FortiManager device that you would own and deploy at a location most appropriate to your network environment and the demands placed upon it. Having this local access minimizes any network latency for web site filtering for individual requests while having the same coverage offered by the host FortiGuard network.
Read Part I: Cloud-Based FortiGuard Web Filtering Services
Read Part II: Web Filtering: Controlling the Flow
by Derek Manky February 22, 2010 at 3:26 pm
You have likely heard of the Kneber attacks chronicled by the mass media as of late. Kneber is a botnet, and a very familiar one at that – Zeus. Zeus is a crimeware kit, a do-it-yourself setup which allows any aspiring botnet herder to configure and create their own botnet (referred to as ZBot). The builder configures the ZBot binary for the client, with its own botnetID/password, thus creating a new variant of ZBot. In fact, there are many active botnets that are spawned by this widely distributed kit. It has become so popular, and accessible, that attacks like this are bound to arise in numbers: Kneber is merely one of them. The configurations are extensive, the possibilities vast, and consulting services even exist to accelerate the deployment of a new botnet; this falls into the growing trend of Crime as a Service (see my post here on Adaptive Crime Services for more examples on this). Though Kneber certainly poses a problem on its own, the much larger issue is the source of the problem: how such kits and crime services allow these botnets to flourish. Attacks can deliver payloads (the ZBot virus) from many arenas, not just traditional email.
Zeus is often thought of as a banking trojan, but because of its flexible configuration, it is very easy to target any information the attacker wishes. For some examples, including a video demonstration, please see the detailed analysis of Zeus/ZBot available on our FortiGuard Center. It can easily be configured to steal social networking credentials (we used Facebook as an example in our labs) — and indeed with Kneber, it has been used for such purposes. For quick reference, here is a screenshot which shows targeted Facebook information reported by ZBot to its controller (left). The form data (username and password) is passed along for the attacker to view in clear text:
ZBot reports stolen social networking credentials
This particular botnet was named after the email address used to register a domain used in this attack, though in reality, it is just another recent example of a new ZBot variant active in the wild. Further, infected machines were reported to also have Waledac infections — another very active spamming botnet. For more information, please see our detailed writeup on Waledac here. This is not a surprise, many machines are multi-infected nowadays, especially when it comes to botnets that are used as “loaders” to download and distribute malware, essentially infrastructure for hire. This is widely the case with the Pushdo and Bredolab botnets which have been active for years. Because of this, it should not be a focus to lock down against one particular attack: in my mind, layered security is a feasible approach to guarding against blended threats, multi-infections and the growing array of attacks we see in cyberspace today. FortiGuard Labs detects Zeus/ZBot network traffic through IPS as “Zeus.Botnet”, and guards against ZBot variants such as Kneber through antivirus as well.
by Michael Xie February 17, 2010 at 10:19 am
While web filtering provides a company with the ability to limit where users visit on the Internet, what if some users – managers, guests or whole departments – need access to these categories or subsets of them? What if you still want to give your users or employees some level of freedom? After all, a happy worker is a productive worker. What is needed is the flexibility to accommodate a multitude of configurations and situations; one size does not necessarily fit all.
Happily, FortiOS comes in many sizes. There are options available to meet the needs of various users and at various times of the day.
Beyond the selections of the FortiGuard web services, overrides and custom configurations, are the firewall policies that instruct the FortiGate how to determine which users can see what sites and when.
Within firewall policies, you can use an identity-based approach, where local users and groups or more established LDAP, RADIUS or TACACS+ databases can be referenced. By setting up users and unique groups, you can create web filtering policies to accommodate unique situations rather than painting web access with a very large corporate brush. With unique user and group options, firewall policies can be set up to request authentication. Before a user can access the specific web policy, they must enter a username and password. Once authenticated, the correct web profile can be applied.
Another possibility: web access policies can also be time-controlled. Where specific policies restrict web access through most of the day, policies can lift these restrictions over the lunch hour or after work to enable employees to view social networking sites and entertainment sites (remember those happy workers?), yet shut the access off automatically so everyone can get back to work (happy and productive!). Or alternatively, set a daily time quota for different web categories. Rather than dictating a specific time of day, allow a total time allotment for the day: a maximum of one hour for gaming, two hours a day for social networking. When the user’s time is up, they can be shut off until the next day.
And when the time is up, the FortiGate includes messages you can customize to let users gently know. These messages are stored on the FortiGate as simple HTML.
All of these options make for happy network admins, managers and employees. Further, all surfing actions can also be logged and analyzed. Users’ surfing habits can be monitored and the filtering fine-tuned accordingly. If the FortiGate unit has an integrated storage module (internal hard disk or AMC module), or you use a FortiAnalyzer unit, you can log the web sites visited and generate reports to see what the web site flow is, and even who the top users are, and adjust your network web filtering policies accordingly to strike a balance in network traffic management.
Read Part I: Cloud-Based FortiGuard Web Filtering Services