Last-minute paper: Hide and seek - how targeted attacks hide behind clean applications

Gabor Szappanos Sophos

  download slides (PDF)

After the initial surprise of realising what has been going on under the radar for years, an increasing and steady focus is placed on investigating and detecting ongoing APT attacks. The cybercriminals have to work harder to keep the 'P' in the acronym, and achieve system persistence for an extended period of time without being detected by AV scanners. As a necessary condition, they have to minimize the detectable system impact, keeping almost everything in encrypted form, and placing the plain components conveniently in the close neighbourhood of clean applications (in the blind spot of protection products).

Analysing the incoming flow of recent APT attack scenarios a couple of new interesting techniques stand out, which outline the directions in which the malware authors may be moving today, and pointing out where the protection software should look for signs of infection.

This presentation will dive deep into the technical details of three recent and/or ongoing attacks that are approaching this problem with three very different strategies.

The first case, Plugx, is well known for (ab)using digitally signed clean applications. It makes use of the DLL load order vulnerability, dropping the malicious library next to the application; this way when the application is executed, it will load the malware DLL from the current folder, instead of the clean DLL located in the system folder.

The second case, Blame, hides the malicious content deep within a DLL compiled from various open source projects. One of them is the LAME MP3 encoder, which only serves as a decoy to add enough clean code to overwhelm the malicious code. The other two libraries are actually used in the backdoor: the UDT data transfer library provides the network communication functions, and the DES (ECB) library provides (unusually strong) way to decrypt the string constants.

The third specimen, Simbot, defines the BYOT (Bring Your Own Target) attack model. It conveniently carries along a clean but vulnerable application, which is started with an extremely long command line, leading to the execution of a malicious shellcode, decrypting and loading the main payload. In this case, the detectable fingerprint on an infected system is as close to zero as possible. And there is no reliance on the pre-installed vulnerable application, as all comes in the same package.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.