Didier Stevens

Monday 11 September 2006

Malicious Cryptography

Filed under: Malware — Didier Stevens @ 9:18

Aditya Kapoor blogged on the McAfee Avert Labs Blog about a trojan using EFS to protect itself.

To understand more of this, I did some tests during the weekend.

I developed a service that runs under a dedicated account and writes the EICAR test virus file every 5 seconds to an encrypted file.

You can find the this service here (source code & EXE), you can compile it with Borland’s free C++ 5.5 compiler. Be warned, this service will write the EICAR test virus file to your c:\ folder and your anti-virus will detect this. EICAR is not a virus, it’s an anti-virus test file.

Procedure:

  • logon as administrator to a test machine (preferably a virtual machine)
  • create a user efsuser with password 123456 and make this user member of the administrator group
  • give the efsuser user the right to logon as a service (local security policies)
  • logoff & logon as efsuser
  • copy MyEFSService.exe to a folder on the test machine
  • install the service: MyEFSService.exe -i
  • encrypt MyEFSService.exe (properties / advanced / encrypt contents to secure data)
  • logoff & logon as administrator
  • start the service

This service writes debug information, you can view this with Sysinternals‘s DebugView.

Your anti-virus should detect the encrypted c:\eicar.exe file that is written to the disk every 5 seconds.

This is normal, even for encrypted files, because a modern anti-virus installs a file system filter driver that analyzes all data read from & written to disk before encryption (screenshot of DeviceTree):

devicetree-mcafee.PNG

McAfee VirusScan 8.0i detected & deleted this EFS encrypted “virus” without problems.

But I also wanted to know if the service itself, if it was a virus, could avoid detection.

The problem was that I could not modify my service to get it detected as a virus by McAfee. Including the EICAR string is not a solution, because the EICAR anti-virus test file specifications states that the EICAR string must be detected only if it’s in a file that contains nothing more than the EICAR string. I ended-up replacing the DOS header in the PE-structure (the stuff that says “This program cannot be run in DOS mode.”) by a byte sequence of an old DOS virus. McAfee would not detect this “fake” virus, but AVG does (I tested this with VirusTotal, without distributing the file).

I replaced McAfee with AVG Anti-Virus Free on my test machine. At first AVG didn’t even detect the EICAR virus, I found this very strange, because AVG also uses a file system filter driver:

devicetree-avg.PNG

But then I activated the “on-close scanning” option:

avg-settings.PNG

and the EICAR anti-virus test file was detected:

avg-eicar.PNG

But AVG failed to detect the “infected” service, even when I instructed AVG to scan the file. Only when I stopped the service (making the file accessible) did AVG detect the “virus”.

However, AVG will detect the “virus” when booting, preventing the service from starting.

So it seems that this EFS trick can fool some anti-virus products some of the time. I will continue trying to make McAfee detect my service as a virus, to see how it behaves.

Malicious Cryptography, the inspiration for the title of my post, is a very interesting read for anti-virus specialists.

2 Comments »

  1. Bravo Didier,

    Great post. Do you feel a free offering like AVG-Free is enough to protect most users? I am currently testing clamwin for general use. So far it seems to be working well, no active monitoring though, scan only.

    Also, if you recommend Malicious Cryptography, I may have to pick it up. It seems to score high marks at Amazon.com. I love reading about anything related to crypto … The Code Book is a fun historical view of the subject (and Cryptanalysis).

    Comment by Steve — Tuesday 12 September 2006 @ 21:12

  2. No, an anti-virus in not enough to protect most users.

    The most important security measure is to reduce the attack surface, and the NAT-router has helped a lot.
    Broadband started with modems, but now NAT-routers are more popular, and it’s my opinion that WiFi has contributed a lot to the ubiquity of NAT-routers.

    Other ways to reduce the attach surface:
    – educate the user, make her aware of all the “bad” stuff out there and promote a defensive atitude (e.g. don’t trust attachments, …)
    – if you use Windows: patch!
    – use a non admin account
    – …

    An AV is a safety net, in case another security measure fails or if the users makes a mistake.

    I liked the ransom-ware and cryptocounters in Malicious Cryptography.

    Comment by Didier Stevens — Wednesday 13 September 2006 @ 16:31


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 234 other followers

%d bloggers like this: