Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Immanentize the Eschaton - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Immanentize the Eschaton

A couple of weeks ago, my stepdaughter came home from college for a long weekend and brought her roommate's computer. Like most of us, I end up playing the leading role in the “Six Degrees of HelpDesk” game... you know... the one where you do technical support for a-friend-of-a-relative-of-a-next-door-neighbor-of-your-wife's-hairdresser's-second-cousin? For the most part, I really don't mind, because... well... it gives me a chance to pad out my collections of mp3s* and porn**.

The machine in question had more than a few issues. In its relatively short life, it had two different major AV packages installed. One of them had been rather incompletely uninstalled, leaving behind several running processes that were bogging the machine down horribly. The product that had been installed in its place wasn't doing too well either. Most all of its detection functionality was disabled (more on this later) and it hadn't been updated in months. I tried to jump-start the AV, but something kept shutting it off.

To those problems, add the fact that a glance at the registry showed several suspicious “RUN” values, and what should have been a rather peppy machine took nearly 15 minutes to fully boot. Not good.

My stepdaughter brought the machine home for me to see if I could get the wireless network card to work, but networking this box would be like... well... like asking Lindsey Lohan to drive down to the corner liquor store and pick you up a bottle of Jack Daniels....

So... I set to work doing my normal computer cleanin' schtick. I keep a bunch of tools on a USB key for jobs like this, and after whacking more than a few ugly little critters, I tried kicking the current AV program to life.

Big mistake.

The program started up just fine, and once it realized that it was waaaay past due for a full system scan, it fired up a window and started listing off the files that it was dutifully inspecting. As I watched the list scroll by, it slowly dawned on me that the filenames seemed awfully familiar. For whatever reason, the program had decided that the first disk it was going to inspect was my USB drive.

Suddenly, a little red window popped up and announced that the program had found and removed some malicious code... a little executable called Spycar.exe.

For those of you who don't know, Spycar is a suite of programs the I wrote about 18 months ago to test the behavior based detection capabilities of anti-spyware programs. Ed Skoudis and I were reviewing enterprise anti-spyware for Information Security magazine and we needed a repeatable way to test specific spyware-like behavior.  The Spycar tools do about 25 different “things” that spyware typically might do (it will drop a program and install it to automatically run at startup, it will change and lock IE's homepage, it will drop and launch a keystrokes logger, etc... and when its all done, it'll clean up after itself). While Spycar represented only a small portion of our overall testing strategy, our release of the tool following our testing apparently immanentize the Eschaton (look it up... from the first line of a very cool book) as far as the anti-spyware folks were concerned.

Holy Smoke! It was like Tom and Ed had shown up naked for church (something which I would heartily discourage... pews are cold, and there's the ever-present danger of splinters...) The Skodo-Liston hate-fest flew to fever-pitch when Consumer Reports, in a display of poor judgment, used Spycar as the sole criteria for their own magazine's anti-spyware shoot-out (Note: That was done without contacting us to ask what we thought of the idea... it was also in direct violation of Spycar's online documentation and EULA. Worse still... they didn't comp either of us with a free subscription... )

So here we are, a year and a half later, and I'm watching an AV program eat the copy of Spycar that I had on my USB key. What the heck? Spycar isn't malicious, its a testing program. It isn't evil – its just a tool for testing the limits of anti-malware's behavior-based detection capabilities. So why tag the executable as malicious and delete it?

But wait... the funny thing was, the version of Spycar that was detected and removed was one that had never been publicly released.  It was a copy of Spycar version 2 that was written about nine months ago, and sent out to select AV vendors for comment.  Interesting... here it was being detected just sittin' around on my USB key.

Hmmm... suppose you have an anti-spyware tool that doesn't have behavior-based detection. Or, what if you do have behavior based detection, but it's pretty crappy. What better way to deal with Spycar than to write a signature for it, EVEN BEFORE IT IS RELEASED...

Huh... seems that Spycar can detect lousy behavior-based detection without even being run.

I'm a better programmer than I thought.

(FYI: By the way, right now, Skodo and Matt Carpenter are testing various enterprise anti-malware tools and are using a massively polymorphic version of Spycar 2 that I whipped up to evaluate their behavior-based detection capabilities.  Happily, the polymorphism stuff I brewed in the lab quite effectively dodges their signature defenses, so we can separate out their behavior-based detection abilities.  Awww... too bad AV dudes...)

-Tom Liston - Intelguardians

* To all my friends at the RIAA: I'm talking about free, legal, re-distributable music here, of course.  Believe it or not, some artists release their work for free and want it distributed far and wide without involving record companies.  I know, I know... it's sacrilege.

** Honey... it's a joke... really.  Honey?  Sweetheart? Hello?

Tom

160 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!