Malware Manipulates Procedure Prologue and Epilogue to Evade Security

Techniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.

Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.

Modifying Opcode

The opcode modification technique replaces the standard instruction encodings generated by a compiler with different encodings that have exactly the same effect, so the program behaves identically but the byte sequence that a signature was written against no longer appears in the binary.

Prologue and Epilogue

The procedure prologue and epilogue are the standard entry and exit sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling convention. Most functions start with a prologue that sets up a stack frame for the function and end with an epilogue that tears the stack frame down.

Here's a typical 32-bit Intel (x86) assembly-language function prologue:

PUSH EBP        ; save the caller's base (frame) pointer
MOV EBP,ESP     ; EBP now points at the base of this function's stack frame

And here's a typical epilogue:

POP EBP         ; restore the caller's base pointer
RET             ; return to the caller

If the function allocated space for local variables, the epilogue is normally preceded by MOV ESP,EBP (or the single instruction LEAVE, which does MOV ESP,EBP; POP EBP) so that the stack pointer is back at the saved EBP before it is popped.

Next we see a typical and a modified prologue:

[Figure 1.1: A typical procedure prologue.]

[Figure 1.2: A modified procedure prologue.]

Now let’s look at an example of a typical and a modified epilogue:

[Figure 2.1: A typical procedure epilogue.]

[Figure 2.2: A modified procedure epilogue.]

[Figure 2.3: Another modified procedure epilogue.]

The preceding screenshots show the standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade signature-based detection that keys on the compiler's usual byte sequences. McAfee has complete coverage and detects all variants that use this technique.
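The following is an added example, not code from the original post or from McAfee. The post's screenshots are not reproduced here, so the exact substitutions that fake-alert sample used are unknown; the encodings below are well-known equivalents chosen for illustration (MOV EBP,ESP has two valid encodings, 8B EC as MSVC emits it and 89 E5 as GCC emits it; PUSH ESP / POP EBP has the same effect; LEAVE; RET replaces MOV ESP,EBP / POP EBP / RET). The byte buffer is hand-assembled test data. It shows why a signature built from one compiler's default bytes (55 8B EC) misses the variants, and how matching the whole family of equivalent encodings, longest match first, catches them.

```python
"""Matching x86-32 prologue/epilogue sequences across equivalent encodings.

Added example; the byte strings are hand-assembled test data, not taken from
any real sample. A signature keyed to one compiler's default bytes (55 8B EC)
is dodged by any encoding with the same effect, so match the family instead.
"""
from collections import Counter

# raw bytes -> (kind, disassembly). Every entry in a family has the same effect on EBP/ESP.
VARIANTS = {
    # prologue family: push ebp / mov ebp, esp
    b"\x55\x8b\xec": ("prologue", "push ebp; mov ebp,esp          (8B /r encoding, MSVC default)"),
    b"\x55\x89\xe5": ("prologue", "push ebp; mov ebp,esp          (89 /r encoding, GCC default)"),
    b"\x55\x54\x5d": ("prologue", "push ebp; push esp; pop ebp    (same effect via the stack)"),
    # epilogue family, no locals: pop ebp / ret
    b"\x5d\xc3":         ("epilogue", "pop ebp; ret"),
    b"\x5d\xc2\x00\x00": ("epilogue", "pop ebp; ret 0                 (ret imm16 with a zero operand)"),
    # epilogue family, frame teardown: mov esp, ebp / pop ebp / ret
    b"\x8b\xe5\x5d\xc3": ("epilogue", "mov esp,ebp; pop ebp; ret      (8B /r encoding)"),
    b"\x89\xec\x5d\xc3": ("epilogue", "mov esp,ebp; pop ebp; ret      (89 /r encoding)"),
    b"\xc9\xc3":         ("epilogue", "leave; ret                     (LEAVE = mov esp,ebp; pop ebp)"),
}
NAIVE_PROLOGUE_SIG = b"\x55\x8b\xec"   # a signature written from MSVC output alone


def naive_scan(code: bytes, sig: bytes = NAIVE_PROLOGUE_SIG) -> list:
    """Plain byte-signature search: the thing opcode substitution is meant to defeat."""
    hits, start = [], 0
    while (pos := code.find(sig, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def scan(code: bytes, variants: dict = VARIANTS) -> list:
    """Return (offset, kind, disassembly) for every known sequence, trying longest patterns first."""
    by_len = sorted(variants, key=len, reverse=True)   # so 8B E5 5D C3 wins over the embedded 5D C3
    hits, i = [], 0
    while i < len(code):
        for pat in by_len:
            if code.startswith(pat, i):
                kind, text = variants[pat]
                hits.append((i, kind, text))
                i += len(pat)          # skip past the match so its tail is not re-matched
                break
        else:
            i += 1
    return hits


def offsets_of(kind: str, code: bytes) -> list:
    """Offsets of all matched sequences of one kind ("prologue" or "epilogue")."""
    return [off for off, k, _ in scan(code) if k == kind]


def _func(prologue: bytes, body: bytes, epilogue: bytes) -> bytes:
    """Assemble one fake function; CC CC is the int3 padding MSVC places between functions."""
    return prologue + body + epilogue + b"\xcc\xcc"


# Constructed code section: four functions, each with a different prologue/epilogue encoding.
# Bodies: 33 C0 = xor eax,eax; 83 EC 10 = sub esp,10h (locals).
SAMPLE = (
    _func(b"\x55\x8b\xec", b"\x33\xc0", b"\x5d\xc3")                        # compiler default
    + _func(b"\x55\x89\xe5", b"\x33\xc0", b"\x5d\xc2\x00\x00")              # other mov encoding, ret 0
    + _func(b"\x55\x54\x5d", b"\x83\xec\x10\x33\xc0", b"\x8b\xe5\x5d\xc3")  # push/pop prologue, explicit teardown
    + _func(b"\x55\x8b\xec", b"\x83\xec\x10\x33\xc0", b"\xc9\xc3")          # leave; ret
)

if __name__ == "__main__":
    print("naive signature hits:", naive_scan(SAMPLE))
    for off, kind, text in scan(SAMPLE):
        print(f"{off:4d}  {kind:8s}  {text}")
    print(Counter(k for _, k, _ in scan(SAMPLE)))
```

The naive signature finds only the two functions that use the MSVC default bytes; the family matcher finds all four prologues and all four epilogues. The same idea scales to a real scanner by normalizing each matched family to a canonical form before any further signature or hash is computed.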

Don’t Ignore the Warnings

Be honest. Do you really read the warning messages that your browser displays to you? Or do you blindly click the phishing site warnings or the SSL mismatch dialog away? Apparently most users don’t seem to care too much about those warnings and click through them quickly. And I doubt that they have memorized the meaning of the warnings and reflect on the consequences each time.

An interesting study from Google and the University of California, Berkeley analyzed 25.4 million warnings from the Google Chrome and Mozilla Firefox browsers. According to their research, on average 15.1 percent of users click through the warning for malware-infected sites. Interestingly, Mozilla Firefox users on Windows have a click-through rate of only 7.1 percent, compared with 23.5 percent for Google Chrome users on Windows, roughly three times as many.

For phishing site warnings, the average click-through rate is 20.4 percent. In this phishing category, Linux users, at 32.9 percent, click through the warnings a lot more often than the others. Maybe they are more tech-savvy and think that they know what they are doing. The study only analyzed warnings that the user had the option to bypass. Those are typically shown when there is a chance of a false positive, so a warning does not necessarily mean that something malicious is going on every time it is shown.

For SSL warnings, the click-through rates are even higher, with an average of 73.4 percent for Google Chrome users and 36.7 percent for Firefox users. The researchers are not sure why Chrome users are twice as likely to ignore the SSL warnings. Of course, an SSL warning does not always mean malicious intent. Some people use self-signed certificates at home, and sometimes servers are just badly configured. So clicking through the warning does not necessarily mean that the warning was ignored; the user may have made a well-educated decision to bypass it.

Nevertheless, the researchers suspect that many people tire of these warning messages and start ignoring them. We all remember the phenomenon from the early desktop security suites, whose personal firewalls kept asking whether "svchost.exe" was allowed to access the Internet until people got bored of the dialog boxes and clicked through them. Warnings can be helpful, but they have to be used in the right way.

When ignoring these warnings becomes a habit, people are more likely to fall for malicious websites in the future, for example the classic man-in-the-middle (MITM) attacks often seen at free hotspots in airports or restaurants. Many people do not realize that some attackers set up malicious access points that serve self-signed certificates for all sites. If the user accepts those certificates, the attacker can decrypt and read the traffic, including passwords for online services. Certificate pinning, as Chrome implements it for Google's own domains, helps against such MITM attacks because the user never gets the chance to bypass the warning for those sites. The study showed that around 20 percent of the Chrome SSL warnings could not be bypassed by the user; some fraction of those may have been MITM attacks.

Ignoring the malware warning can also be foolish. Symantec’s Internet Security Threat Report (ISTR) showed that 61 percent of the infected websites were hijacked legitimate websites. Therefore, knowing the site does not prove that it is clean, even if you visited it before. It may have been compromised since your last visit and is now serving up malware through exploits.

We recommend reading the browser warnings and taking them seriously. If you have read and understood them, you can of course click through if you know that the website is not a security risk. Just don’t make it a habit of blindly clicking through all those warnings.

[Figure. Firefox malware site warning]

Phishers Pursue More Victims by Urging Users to Spam

Improving the effectiveness of phishing bait is always at the top of any phisher's agenda. They prefer bait built around enticing subjects in order to catch the attention of as many users as possible. Recently, we have seen phishers move one step ahead: in addition to eye-catching bait, they are compelling users to spread the word. In today's example, phishers used free cell phone airtime as the phishing bait.

The phishing site requested Indian Facebook users to verify their account by entering their login credentials in order to get the fake offer of free cell phone airtime. But phishers, not content with just duping one user and eager to target even more, start off by saying the offer is only valid after posting this same offer on the profile pages of a number of friends. Phishers devised this strategy because obviously receiving messages from friends is more convincing than from unknown sources. The method phishers are using in effect enlists unsuspecting users into spamming for them.
[Figure 1. Facebook account verification]

[Figure 2. "Like us" enticement]

[Figure 3. Sharing enticement]

[Figure 4. Sharing enticement and personal information request]

The first page of the phishing site asked users to verify their Facebook account. Users were then alerted that all information should be entered correctly. The second page of the phishing site displayed an image of a selection of Indian cell phone network operators. The phishing page stated that free airtime worth "Rs. 500" is available from the offer after following four additional steps. The steps were essentially to like, subscribe, share, and post the offer to at least 10 friends. Finally, in order to complete the process, the phishing site asked users for personal information including name, email address, cell phone number, network operator, and cellular zone. If any user fell victim to the phishing site, phishers would have successfully stolen personal user information for identity theft.

Users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, "https," or the green address bar when entering personal or financial information. Keep in mind that the padlock only proves the connection is encrypted, not that the site is legitimate; phishing pages can be served over HTTPS too, so check the domain name as well
  • Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Report fake websites and email (for Facebook, send phishing complaints to [email protected])

Remote Access Tool Takes Aim with Android APK Binder

In a previous blog, we talked about the rise of remote access tools (RATs) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that Android is the latest target and is not immune to RATs. Since late last year, underground forums have been offering a free Android RAT known as AndroRAT (Android.Dandro). Now, unsurprisingly, the underground economy that caters to the needs of cybercriminals has created the first tools (called "binders") that allow users to easily repackage and Trojanize legitimate Android applications with AndroRAT.
[Figure 1. A "binder" tool being sold on underground forums, advertised as the first binder ever]


Back in November 2012, an open source RAT for Android named AndroRAT was published and made accessible to everyone on the Internet. Like other RATs, it allows a remote attacker to control the infected device using a user friendly control panel. For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.
[Figure 2. AndroRAT's control panel]


The RAT comes in the form of an APK, the standard application package format for Android. Used in conjunction with the AndroRAT APK binder, it allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus Trojanizing the app. When the Trojanized version of the legitimate app is installed, the user unsuspectingly installs AndroRAT alongside the app they intended to install. This allows the attacker to circumvent elements of the Android security model through deception rather than through any technical flaw: because any change to an APK's contents invalidates its signature, the binder has to re-sign the repackaged app with a key the original developer does not hold, which is one of the clearer signals that an app has been tampered with. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.
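The following is an added example, not Symantec's tooling or anything from the AndroRAT or binder code. It is a triage check for a repackaged app that uses only the Python standard library. The "APKs" are constructed in memory as plain zip files with placeholder contents (a real AndroidManifest.xml is binary XML and CERT.RSA is a PKCS#7 signature block, both stood in for by short byte strings), and the added permissions and code bytes in the Trojanized copy are illustrative, not AndroRAT's actual footprint. The check compares an original and a suspect package: which non-signature entries changed, and whether the signer block changed, which is the signal a re-signed repackage cannot avoid.

```python
"""Triage check for a repackaged ("Trojanized") Android app.

Added example, not Symantec's tooling. Everything here is constructed: the
"APKs" are zip files built in memory with placeholder contents. The check
rests on one fact about Android packaging: changing an APK's contents
invalidates its signature, so a Trojanized copy must be re-signed with a key
the original developer does not hold.
"""
import hashlib
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")   # v1 (JAR) signature block names


def build_apk(entries: dict) -> bytes:
    """Build a zip in memory standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk: bytes) -> dict:
    """Map every zip entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}


def signer_digest(digests: dict):
    """Digest over the signature block(s); it differs whenever the signing key differs."""
    blocks = sorted(
        d for n, d in digests.items()
        if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)
    )
    return hashlib.sha256("".join(blocks).encode()).hexdigest() if blocks else None


def compare_apks(original: bytes, suspect: bytes) -> dict:
    """Diff two APKs: content entries added/removed/modified, plus whether the signer changed.

    META-INF/ is excluded from the content diff because MANIFEST.MF and CERT.SF
    legitimately change on every rebuild; the signer block is judged separately.
    """
    base, new = entry_digests(original), entry_digests(suspect)

    def content(names):
        return sorted(n for n in names if not n.startswith("META-INF/"))

    return {
        "added": content(set(new) - set(base)),
        "removed": content(set(base) - set(new)),
        "modified": content(n for n in set(base) & set(new) if base[n] != new[n]),
        "signer_changed": signer_digest(base) != signer_digest(new),
    }


def verdict(report: dict) -> str:
    """Changed code plus a changed signer is the repackaging pattern; same signer is a normal update."""
    if report["signer_changed"] and (report["modified"] or report["added"]):
        return "repackaged: contents changed and re-signed with a different key"
    if report["signer_changed"]:
        return "re-signed only: investigate"
    return "same signer: consistent with a legitimate update"


# --- constructed sample packages -------------------------------------------------------------
COMMON = {
    "res/layout/main.xml": b"<layout/>",                 # placeholder for compiled resources
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
}
DEV_SIGNATURE = b"\x30\x82DEV-KEY-PKCS7"          # stand-in for the developer's CERT.RSA
ATTACKER_SIGNATURE = b"\x30\x82OTHER-KEY-PKCS7"   # stand-in for the binder's re-signing key
MANIFEST = b"<manifest package=com.example.game uses-permission=INTERNET>"   # placeholder, not binary XML

ORIGINAL = build_apk({
    "AndroidManifest.xml": MANIFEST,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    **COMMON, "META-INF/CERT.RSA": DEV_SIGNATURE,
})
LEGIT_UPDATE = build_apk({          # developer ships new code, signed with the same key
    "AndroidManifest.xml": MANIFEST,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64 + b"\x01" * 8,
    **COMMON, "META-INF/CERT.RSA": DEV_SIGNATURE,
})
TROJANIZED = build_apk({            # binder adds code, widens permissions, re-signs (illustrative)
    "AndroidManifest.xml": MANIFEST + b" uses-permission=READ_SMS,RECORD_AUDIO,ACCESS_FINE_LOCATION",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64 + b"\x7f" * 32,
    **COMMON, "META-INF/CERT.RSA": ATTACKER_SIGNATURE,
})

if __name__ == "__main__":
    for label, pkg in (("legit update", LEGIT_UPDATE), ("suspect", TROJANIZED)):
        report = compare_apks(ORIGINAL, pkg)
        print(label, report, "->", verdict(report))
```

On a real device or sample set the same question is answered with `apksigner verify --print-certs app.apk` and a comparison against the certificate fingerprint the developer publishes; the point of the script is the logic, not the placeholder data.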

Subsequently, we have also spotted a commercial Java RAT named Adwind (Backdoor.Adwind) that already supports multiple operating systems and seems to be in the process of incorporating an Android module based on the AndroRAT open source code. Again, this RAT features a graphical user interface that lets attackers manage and control infected machines remotely.
[Figure 3. Adwind main control panel]


A demonstration video that shows Adwind working with Android also shows the presence of AndroRAT on the infected phone, suggesting that the authors of Adwind may be customizing the AndroRAT tool to incorporate it into Adwind. This development comes as no surprise, as the open source nature of the AndroRAT code means it can be easily customized into new threats and tools.
[Figure 4. Screenshot of Adwind video showing AndroRAT's presence on the infected device]


At present, Symantec telemetry shows only a few hundred infections of Android.Dandro worldwide, with the United States and Turkey the most affected countries. However, the telemetry shows infection numbers rising of late, which we expect to continue as both the availability and the sophistication of tools for AndroRAT increase.
[Figure 5. Heat map of infections]


The move of remote access tools onto the Android platform had been predicted. While AndroRAT does not show a particularly high level of sophistication just yet, the open source nature of its code and its growing popularity give it the potential to evolve into a more serious threat.

We recommend installing a security app, such as Norton Mobile Security, which detects this threat as Android.Dandro. For general safety tips for smartphones and tablets, please visit our Mobile Security website.