Sep 3, 11:57 am (UTC-7) | by Marvin Cruz (Threats Analyst)

I am quite happy that we are not seeing a lot of specially crafted documents with malware executables embedded in them. This is good news, since detecting them generically is a real challenge. Considering that such documents are OLE compound files, and that the structure the applications use inside them is undocumented (Ichitaro, a popular Japanese word-processing application, being one example), one gets an idea that this is no trivial task.

For example, let us take a look at TROJ_TARODROP.Q, a recent piece of malware that exploits the Ichitaro application.

The exploit is a stack-based buffer overflow in the Ichitaro (.jtd file) application. The vulnerable code is in JSTBLLY2.DLL. The exploit works by calling a certain wrapper function (found at 0x3B61BE20) for the MSVCRT memmove API. No validation is done in this function. Calling it 0x1B08 times causes a stack buffer to overflow, overwriting a return address on the stack and thereby gaining control of execution.

Figure 1 (ichitaro1.gif): Passing a value of 0x1B08 to this function triggers the exploit.

Figure 2 (ichitaro2.gif): Wrapper function for the memmove API. This function is called 0x1B08 times, which overflows the stack buffer. A return address is overwritten, gaining control of the execution path.

Figure 3 (ichitaro3.gif): The return address on the stack (at 0x12CC70) is overwritten to control execution.

Figure 4 (ichitaro4.gif): Vulnerable code after the return address at 0x12CC70 has been overwritten with 0x7FFB6FD0, which points to a "jmp esp" instruction.

Figure 5 (ichitaro5.gif): The code at 0x7FFB6FD0 is a simple "jmp esp" into the shellcode. The address is hardcoded in the body of the shellcode.
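To make the mechanism in Figures 1 to 5 concrete, here is an added example written for this post (it is not code from the post, from Trend Micro or from Ichitaro): a hypothetical model of an unchecked memmove wrapper called 0x1B08 times against a fixed on-stack buffer, beside a hardened version that checks the remaining capacity before each copy. The 8-byte chunk size and the 0x1000-byte local buffer are assumptions chosen so the arithmetic is easy to follow; the call count and the "jmp esp" address 0x7FFB6FD0 are the values the post gives. The "stack" is an ordinary byte array laid out like an x86 frame (locals below the saved EBP and the return address), so the overwrite can be observed without corrupting the real stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the pattern described for JSTBLLY2.DLL: a memmove
 * wrapper copies one document-supplied chunk into a fixed on-stack buffer and
 * is called once per chunk with no check that the chunk fits.
 * CHUNK_SIZE and LOCAL_BUF_SIZE are illustrative assumptions; CHUNK_CALLS and
 * JMP_ESP_ADDR are the values given in the post. */
#define CHUNK_SIZE      8            /* bytes per wrapper call (assumed)     */
#define CHUNK_CALLS     0x1B08       /* wrapper calls made by the exploit    */
#define LOCAL_BUF_SIZE  0x1000       /* on-stack destination size (assumed)  */
#define SIM_STACK_SIZE  0x10000      /* backing array standing in for stack  */
#define JMP_ESP_ADDR    0x7FFB6FD0u  /* "jmp esp" address from the post      */

/* x86 frame layout, low to high: local buffer, saved EBP, return address. */
#define BUF_OFF  0
#define RET_OFF  (LOCAL_BUF_SIZE + 4)

_Static_assert(CHUNK_CALLS * CHUNK_SIZE <= SIM_STACK_SIZE, "all writes stay inside the simulated stack");

typedef struct { uint8_t mem[SIM_STACK_SIZE]; } sim_stack_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable wrapper: no validation, the write cursor simply advances. */
static void copy_chunk_unchecked(sim_stack_t *s, size_t *cursor, const uint8_t *src)
{
    memmove(s->mem + BUF_OFF + *cursor, src, CHUNK_SIZE);
    *cursor += CHUNK_SIZE;
}

/* Hardened wrapper: refuse any chunk that would not fit in the local buffer. */
static int copy_chunk_checked(sim_stack_t *s, size_t *cursor, const uint8_t *src)
{
    if (*cursor > LOCAL_BUF_SIZE || CHUNK_SIZE > LOCAL_BUF_SIZE - *cursor)
        return -1;
    memmove(s->mem + BUF_OFF + *cursor, src, CHUNK_SIZE);
    *cursor += CHUNK_SIZE;
    return 0;
}

/* Constructed attacker chunk: the jmp esp address repeated little-endian, so
 * whichever chunk lands on the saved return address carries it. */
static void attacker_chunk(uint8_t out[CHUNK_SIZE])
{
    for (size_t i = 0; i < CHUNK_SIZE; i += 4) {
        out[i]     = (uint8_t)(JMP_ESP_ADDR);
        out[i + 1] = (uint8_t)(JMP_ESP_ADDR >> 8);
        out[i + 2] = (uint8_t)(JMP_ESP_ADDR >> 16);
        out[i + 3] = (uint8_t)(JMP_ESP_ADDR >> 24);
    }
}

/* Drive CHUNK_CALLS calls through the unchecked wrapper and return what the
 * saved-return-address slot holds afterwards. */
uint32_t simulate_unchecked(void)
{
    static sim_stack_t s;
    uint8_t chunk[CHUNK_SIZE];
    size_t cursor = 0;
    memset(&s, 0, sizeof s);
    attacker_chunk(chunk);
    for (unsigned i = 0; i < CHUNK_CALLS; i++)
        copy_chunk_unchecked(&s, &cursor, chunk);
    return read_le32(s.mem + RET_OFF);
}

/* Same drive through the checked wrapper. Returns the index of the first call
 * refused (-1 if none); if ret_after is non-NULL, stores the slot's value. */
int simulate_checked(uint32_t *ret_after)
{
    static sim_stack_t s;
    uint8_t chunk[CHUNK_SIZE];
    size_t cursor = 0;
    int refused = -1;
    memset(&s, 0, sizeof s);
    attacker_chunk(chunk);
    for (unsigned i = 0; i < CHUNK_CALLS; i++) {
        if (copy_chunk_checked(&s, &cursor, chunk) != 0) { refused = (int)i; break; }
    }
    if (ret_after)
        *ret_after = read_le32(s.mem + RET_OFF);
    return refused;
}

/* Convenience: the saved-return-address slot after the checked run. */
uint32_t checked_ret_after(void)
{
    uint32_t r;
    simulate_checked(&r);
    return r;
}

int main(void)
{
    printf("unchecked: saved return address = 0x%08X\n", simulate_unchecked());
    printf("checked:   first refused call = %d, saved return address = 0x%08X\n",
           simulate_checked(NULL), checked_ret_after());
    return 0;
}
```

Run as is, the unchecked path reports the return-address slot holding 0x7FFB6FD0 once call index 512 (the first one past the 0x1000-byte buffer) has landed on it, while the checked path refuses that same call and leaves the slot at zero. A hardcoded jump address of this kind only works while the bytes at 0x7FFB6FD0 stay at that address on the victim, which is one reason such exploits are tied to specific application and OS versions.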

Figure 6 (ichitaro6.gif): Shellcode after gaining execution. Shown is the decrypting part of its code. The decryption is a simple XOR of each byte with 0xE4 over a length of 0x340 bytes.
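Figure 6's decoder loop, plus the check an analyst wants before running it over a memory dump, as an added example written for this post (not TROJ_TARODROP.Q's own code): xor_decode applies the single-byte XOR with 0xE4 over 0x340 bytes and refuses a dump that is too short, and recover_xor_key shows how the key can be read back from a cleartext stub, assuming the stub decodes with the `xor byte ptr [reg], imm8` instruction (encoded 80 /6 ib). The post does not show the stub's encoding, so the stub bytes and the payload below are constructed here; the payload is a repeated API-name string standing in for real shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TARODROP_KEY 0xE4   /* XOR key named in the post        */
#define TARODROP_LEN 0x340  /* decrypted length named in the post */

/* In-place single-byte XOR, the loop Figure 6 shows. Returns the number of
 * bytes decoded, or 0 if [off, off+len) does not lie inside the blob, so a
 * truncated dump is refused instead of read past its end. */
size_t xor_decode(uint8_t *blob, size_t blob_len, size_t off, size_t len, uint8_t key)
{
    if (off > blob_len || len > blob_len - off)
        return 0;
    for (size_t i = 0; i < len; i++)
        blob[off + i] ^= key;
    return len;
}

/* Heuristic key recovery from a cleartext decoder stub. Assumption (the post
 * does not show the stub's encoding): the stub uses "xor byte ptr [reg], imm8",
 * i.e. opcode 0x80, a ModRM byte with mod=00 and reg=110 (/6), then the key.
 * ModRM 0x30-0x33, 0x36, 0x37 address [eax],[ecx],[edx],[ebx],[esi],[edi];
 * 0x34 (SIB) and 0x35 (disp32) are skipped. Returns the key or -1. */
int recover_xor_key(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++) {
        uint8_t modrm = code[i + 1];
        if (code[i] == 0x80 && (modrm & 0xF8) == 0x30 &&
            (modrm & 7) != 4 && (modrm & 7) != 5)
            return code[i + 2];
    }
    return -1;
}

/* Constructed 20-byte stub (not the real TROJ_TARODROP.Q bytes): call/pop to
 * locate itself, ecx = 0x340, then xor [esi],0xE4 / inc esi / loop. */
static const uint8_t sample_stub[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call $+5                 */
    0x5E,                           /* pop esi                  */
    0x83, 0xC6, 0x0F,               /* add esi, 15 (to payload) */
    0xB9, 0x40, 0x03, 0x00, 0x00,   /* mov ecx, 0x340           */
    0x80, 0x36, 0xE4,               /* xor byte ptr [esi], 0xE4 */
    0x46,                           /* inc esi                  */
    0xE2, 0xFA                      /* loop back to the xor     */
};

/* Build blob = stub || (plaintext XOR 0xE4) and hand back the plaintext so the
 * caller can verify. Constructed plaintext: a repeated API-name string. */
static size_t build_sample(uint8_t *blob, size_t cap, uint8_t *plain)
{
    static const char marker[] = "kernel32.dll\0LoadLibraryA\0"; /* embedded NULs kept */
    size_t total = sizeof sample_stub + TARODROP_LEN;
    if (cap < total)
        return 0;
    memcpy(blob, sample_stub, sizeof sample_stub);
    for (size_t i = 0; i < TARODROP_LEN; i++) {
        plain[i] = (uint8_t)marker[i % (sizeof marker - 1)];
        blob[sizeof sample_stub + i] = plain[i] ^ TARODROP_KEY;
    }
    return total;
}

/* End to end: recover the key from the stub, decode the 0x340 bytes after it,
 * and compare with the plaintext. Returns 1 on success, 0 otherwise. */
int demo_recover_and_decode(void)
{
    uint8_t blob[sizeof sample_stub + TARODROP_LEN];
    uint8_t plain[TARODROP_LEN];
    size_t n = build_sample(blob, sizeof blob, plain);
    if (n == 0)
        return 0;
    int key = recover_xor_key(blob, sizeof sample_stub);
    if (key != TARODROP_KEY)
        return 0;
    if (xor_decode(blob, n, sizeof sample_stub, TARODROP_LEN, (uint8_t)key) != TARODROP_LEN)
        return 0;
    return memcmp(blob + sizeof sample_stub, plain, TARODROP_LEN) == 0;
}

/* Edge case: a dump holding only 0x100 payload bytes is rejected (returns 0). */
size_t demo_truncated_dump(void)
{
    uint8_t blob[sizeof sample_stub + 0x100];
    memset(blob, 0, sizeof blob);
    memcpy(blob, sample_stub, sizeof sample_stub);
    return xor_decode(blob, sizeof blob, sizeof sample_stub, TARODROP_LEN, TARODROP_KEY);
}

int main(void)
{
    printf("recovered key: 0x%02X\n", recover_xor_key(sample_stub, sizeof sample_stub));
    printf("full dump decoded and verified: %d\n", demo_recover_and_decode());
    printf("truncated dump decoded bytes: %zu\n", demo_truncated_dump());
    return 0;
}
```

The key scan is deliberately narrow: it only matches the register-indirect forms of `xor byte ptr [reg], imm8`, so a stub that decodes with a different instruction (a `xor [esi+disp8], imm8`, or a register-to-memory xor) returns -1 and the key has to be read from the disassembly by hand, as in Figure 6.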

Although some AV folks might have difficulty identifying them generically, I think the playing field is level, since the skills needed to craft such a document are something a malware writer can be proud of (assuming he did all the work himself). This is also a possible reason why this type of malware scores low on the distribution matrix: very low compared with worms, Trojans and backdoors.

But the AV industry should not be complacent about this. Profiling the malware writer, one can deduce that he is quite knowledgeable in spotting vulnerabilities. Finding vulnerable code requires in-depth knowledge of how the target programs work and of the inner workings of the operating system. Although many may argue that there are plenty of fuzzers out there to automate this task, that is not the whole story (perhaps for script kiddies it is!). Fuzzing requires a certain knowledge of the target protocol or file format, and a fuzzer that lacks it will not reach vulnerable code that executes only when specific conditions are met. To be effective, it requires another essential skill.

Yes, that is right! The malware author has mastered reverse engineering, a skill which, I must say, is gained through a lot of hard work and which opens endless possibilities for its owner.

Another essential skill he must have in his bag of tricks: programming! I need not elaborate on this, as the reason is obvious.

You are probably asking what my point is in profiling the malware writer who can mount this type of attack. The simple answer is this passage from Sun Tzu's The Art of War: if you know both yourself and your enemy, you will come out of one hundred battles with one hundred victories.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice