How Malware Authors Fight Off Security Researchers

Discussion of a honeypot reportedly designed by attackers to snare researchers and rivals has turned the spotlight on techniques malware authors use to protect their business.

Attackers don't just lay traps for users; they do it for researchers and rivals as well.

A recent case in point is an exploit toolkit linked to a Zeus malware campaign that security pros at The Last Line of Defense report includes a fake administration console that records information about anyone who attempts to access or hack it.

Such traps are not unfamiliar to security researchers. Cyber-crime is a business, and when defending that business, the best defense can be a good offense.

"They have been doing this for some time, particularly bot-herders, to protect their botnets," said Jamz Yaneza, advanced threat manager at Trend Micro. "They employ monitoring scripts/stations that once [they] detect threat researchers are lurking ... then instruct the whole botnet-and possibly affiliate botnets-to flood [them] with denial-of-service attacks. This prevents analysis of the malicious network and is a roadblock as well for law enforcement for investigation."

In the case mentioned above reported by The Last Line of Defense, the person or persons using the exploit kit were involved in a spam campaign using fake messages from the Electronic Federal Tax Payment System (EFTPS) as bait to ultimately infect users with Zeus. The fake console served as a honeypot that could be used to gather information about anyone who is targeting or analyzing the threat.

"What particularly stands out about the EFTPS exploit toolkit is their admin interface," blogged Brett Stone-Gross, a developer and threat analyst at Last Line. "Note that it's common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates. However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings."

Once the researcher/hacker has been authenticated by the console, he or she is fed random exploit statistics, he blogged.

"I think what's most surprising about this is the orthogonal thinking that they employed to take care of a very real threat to them," said Danny Quist, CEO of Offensive Computing. "A lot of times when you have a quick turnaround required for analyzing a [malware] sample there's a strong likelihood to pick out the IP addresses and other information."

This information is usually the first thing required by a customer looking for malware analysis, Quist said, and the last few samples he has encountered have all had this data readily available.

"Only when analyzing further did I realize the real call home information was encoded in a much more sophisticated way," he added.

Kevin Haley, director of Symantec Security Response, said hackers also do things such as blocking access to chat groups based on IP addresses and building defenses into botnet command and control servers.

"Attackers are defending their threats against security software in much the same we have been seeing for some time," he said. "They use packers, encryption and programming obfuscation techniques on their malware. They essentially attempt to cripple security software on machines and stop it from updating. We see some evolution, but no real innovation here.

"Where we are seeing something close to innovation is in piracy prevention in the toolkit area," he continued. "What we are seeing is things like toolkit authors adopting methods legitimate businesses have used in the past to avoid software piracy. For instance, we've seen toolkit authors require dongles to run their software. We've seen them give modules away for free or simply accept the fact that their creations will get pirated and then try to compensate by making money selling upgrades or technical support."

But malware authors also have been seen using anti-virtual machine code where if a malicious file detects it is running under a virtual machine it assumes it is an attempt at analysis. At that point, it either shuts down or provides false data, Yaneza explained.

"Researchers discover these retaliatory tricks during the course of analysis," he said. "It is a cat-and-mouse game in most situations ... [but] on the positive end, it has spurred tighter cross-industry collaboration, which in my opinion is a very positive result."