Discussion in 'Trojan Defence Suite' started by tempnexus, Feb 27, 2004.

    Apr 16, 2003
    I see that TDS-3 does a great job with detection of rebased trojans, did you guys discover why one of them was omitted?

    Quoted from

    The various changes caused by rebasing can give rise to a problem if a virus analyst picks signatures from file locations which contain absolute addresses.

    For example, if an AV file scanner tries to detect a Bionet 3.18 trojan and checks whether 7 bytes at ...

    Offset: 646246 ( 9DC66h) = VA 0049E866

    equal to ...

    CODE:0049E866 mov edx, offset _str_From_WebPager_P.Text ( = mov edx, 0049E930 )
    CODE:0049E86B call @System@@LStrLAsg$qqrv ; System::__linkproc__ LStrLAsg(void) ( = call 00403C98 )

    it will be vulnerable if the file gets rebased. This is because the rebased file will look like this ...

    BA30E90920E82854F6FF ( rebased file with ImageBase 20000000 )

    CODE:2009E866 mov edx, offset _str_From_WebPager_P.Text ( = mov edx, 2009E930 )
    CODE:2009E86B call @System@@LStrLAsg$qqrv ; System::__linkproc__ LStrLAsg(void) ( = call 20003C98 )

    while the original file looks like that ...

    BA30E94900E82854F6FF ( original file with ImageBase 00400000 ).

    In consequence, an AV/AT scanner should not exclusively rely upon signatures containing addresses which are subject to change during the process of rebasing. Alternatively, the scan engine must take into account that the ImageBase is variable.

    3. Are there any vulnerable AV/AT scanners?

    In order to determine whether any scanners suffer from the rebasing vulnerability we have compiled a small test set containing 7 well-known, rebased trojans (11 variants in total). Please feel free to examine the log files of several AV/AT scanners ...

    a) Ewido Security Suite (0 out of 11)

    ewido security suite - Scan Report

    + Erstellt am: 15:14:30, 26.02.2004
    + Report-Checksumme: 6A5C540E

    + Datum der Signaturen: 18.02.2004
    + Version der Scanengine: v1.0

    + Suchdauer: 951 ms
    + Untersuchte Dateien: 11
    + Geschwindigkeit: 11.57 Dateien/Sekunden
    + Infizierte Dateien: 0
    + Entfernte Dateien: 0
    + Unter Quarantäne gestellte Dateien: 0
    + Dateien, die nicht geöffnet werden konnten: 0
    + Dateien, die nicht entfernt werden konnten: 0

    + Endung ignorieren: Ja
    + Binder: Ja
    + Crypter: Ja
    + Speicher: Nein
    + Archive: Nein
    + Heuristik: Nein

    + Gescannt wurde:

    + Scanergebnis:
    Keine Infizierten Dateien gefunden!

    ::Report Ende

    b) Kaspersky AntiVirus 4.5 (7 out of 11)

    Rebased.CIA122.20000000.NotPacked.exe Infected Backdoor.Ciadoor.122 <cd0000.0.e>
    Rebased.CIA122.68000000.NotPacked.exe Infected Backdoor.Ciadoor.122 <cd0000.0.e>
    Rebased.CIA122.40000000.NotPacked.exe Infected Backdoor.Ciadoor.122 <cd0000.0.e>
    Rebased.CIA122.40640000.NotPacked.exe Infected Backdoor.Ciadoor.122 <cd0000.0.e>
    Rebased.CIA122.00640000.NotPacked.exe Infected Backdoor.Ciadoor.122 <cd0000.0.e>
    Rebased.Theef2b5.20000000.NotPacked.exe Infected Backdoor.Delf.dy <cd0000.0.e>
    Rebased.Y3Kpro02.20000000.NotPacked.exe Archive Embedded EXE <ce0000.0.11>
    Rebased.Y3Kpro02.20000000.NotPacked.exe/EXE-file Packed UPX <d70000.0.10>
    Rebased.Y3Kpro02.20000000.NotPacked.exe/EXE-file Infected <cd0000.0.e>

    Rebased.Bionet318.20000000.NotPacked.exe OK <cf0000.0.9>
    Rebased.OptixLite04.20000000.NotPacked.exe OK <cf0000.0.9>
    Rebased.Beast192c2.20000000.NotPacked.exe OK <cf0000.0.9>
    Rebased.TheefLE111.40640000.NotPacked.exe OK <cf0000.0.9>

    c) McAfee VirusScan (6 out of 11)

    Scan engine v4.3.20 for Win32.
    Virus data file v4327 created Feb 23 2004
    Scanning for 86217 viruses, trojans and variants.

    Rebased.Y3Kpro02.20000000.NotPacked.exe ... Found the BackDoor-GQ trojan !!!
    Rebased.Beast192c2.20000000.NotPacked.exe ... Found the BackDoor-AMQ trojan !!!
    Rebased.Bionet318.20000000.NotPacked.exe ... Found the BackDoor-FK.svr trojan !!!
    Rebased.CIA122.00640000.NotPacked.exe ... is OK.
    Rebased.CIA122.20000000.NotPacked.exe ... is OK.
    Rebased.CIA122.40000000.NotPacked.exe ... is OK.
    Rebased.CIA122.40640000.NotPacked.exe ... is OK.
    Rebased.CIA122.68000000.NotPacked.exe ... is OK.
    Rebased.OptixLite04.20000000.NotPacked.exe ... Found trojan or variant BackDoor-RS !!!
    Rebased.Theef2b5.20000000.NotPacked.exe ... Found virus or variant New BackDoor3 !!!
    Rebased.TheefLE111.40640000.NotPacked.exe ... Found trojan or variant BackDoor-AFG !!!

    Note: We did not intentionally create so many CIA 1.22 variants because we knew that McAfee would have a problem with the detection of this particular trojan. ;-) The original CIA 1.22 is detected by McAfee.

    d) NOD32 Version 2.009

    Advanced Heuristics default configuration: 0 out of 11
    Advanced Heuristics enabled: 10 out of 11 (as unknown NewHeur_PE virus)

    TheefLE 1.11 was not detected.

    e) Trojan Defense Suite 3 (7+3 out of 11)

    16:27:50 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    16:27:55 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    16:27:55 [Init] • Systems Initialised [32149 references - 11639 primaries/9155 traces/11355 variants/other]
    16:27:55 [Init] Radius Systems loaded. <Databases updated 26-02-2004>

    16:27:56 [File Scan] Scanned 11 files: 10 alarms in 0,640625 seconds (Avg 18,17 files/sec)

    Scan Control Dumped @ 16:28:06 26-02-04

    Positive identification: RAT.CIA 1.22 (Unpacked)
    File: d:\desktop\rebased\rebased.cia122.20000000.notpacked.exe

    Generic Detection: Possible trojan with password-stealing capability
    File: d:\desktop\rebased\rebased.theef2b5.20000000.notpacked.exe

    Generic Detection: Possible trojan with password-stealing capability
    File: d:\desktop\rebased\rebased.y3kpro02.20000000.notpacked.exe

    Positive identification: RAT.CIA 1.22 (Unpacked)
    File: d:\desktop\rebased\rebased.cia122.68000000.notpacked.exe

    Positive identification: RAT.CIA 1.22 (Unpacked)
    File: d:\desktop\rebased\rebased.cia122.40000000.notpacked.exe

    Positive identification: RAT.CIA 1.22 (Unpacked)
    File: d:\desktop\rebased\rebased.cia122.40640000.notpacked.exe

    Positive identification: RAT.CIA 1.22 (Unpacked)
    File: d:\desktop\rebased\rebased.cia122.00640000.notpacked.exe

    Positive identification: RAT.Bionet 3.18 (Unpacked)
    File: d:\desktop\rebased\rebased.bionet318.20000000.notpacked.exe

    Positive identification: RAT.Optix Lite 0.4
    File: d:\desktop\rebased\rebased.optixlite04.20000000.notpacked.exe

    Positive identification <Adv>: Possible ICQ-notifying trojan
    File: d:\desktop\rebased\rebased.theefle111.40640000.notpacked.exe

    Beast 1.92 remained undetected.

    f) Trojan Hunter 3.85 (2+1 out of 11)

    Found trojan file: Rebased\Rebased.Theef2b5.20000000.NotPacked.exe (Theef)

    Found possible trojan file: Rebased.Bionet318.20000000.NotPacked.exe (Possible BioNet trojan, Bionet)

    Found trojan file: Rebased.Beast192c2.20000000.NotPacked.exe (BeastDoor)

    (Note: Trojan Hunter did not detect the original CIA 1.22 server and therefore failed to detect the rebased samples as well.)

    g) Memory Scanners

    Also memory scanners like BOClean 4.11 are (obviously) not immune against rebasing. For instance, the rebased Beast 1.92, CIA 1.22 & Theef 2 beta 5 servers remained undetected. Rebased Bionet 3.18 and Optix Lite 0.4 servers were detected.

    4. Disclaimer:

    Please note that the above information does not constitute a "hacking tutorial". We merely explain what attackers are already doing in order to circumvent AV/AT scanners (i.e., the "rebasing trick" has already been disclosed in the VX/trojan scene).
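    To make the point in section 2 concrete from the defender's side, here is an added example (not from the quoted report, not DCS or TDS code) of a rebase-aware signature matcher. It reuses the two 10-byte excerpts the report gives for Bionet 3.18 at ImageBase 00400000 and 20000000: the `mov edx, imm32` carries an absolute VA that shifts with the ImageBase, while the `call rel32` does not. The `Signature` class, `pe32_image_base()` (which reads `IMAGE_OPTIONAL_HEADER32.ImageBase` from a real PE32 header) and `build_fake_pe()` (a constructed header stub that is not a loadable executable) are all assumptions introduced for this example.

```python
"""Rebase-aware signature matching (added example, not from the quoted report).

A naive signature is a fixed byte string picked from a file location that
contains absolute virtual addresses.  When the file is rebased (ImageBase
changed, relocations applied) every absolute address in the pattern shifts by
delta = new_base - old_base and the fixed bytes no longer match.  A rebase-aware
signature records which bytes hold absolute VAs and adjusts them to the scanned
file's ImageBase before comparing.
"""
import struct
from dataclasses import dataclass

# Bytes quoted in the report for the two instructions at VA 0049E866:
#   BA 30 E9 49 00   mov edx, 0049E930   (absolute VA: changes on rebasing)
#   E8 28 54 F6 FF   call 00403C98       (rel32 displacement: unchanged)
ORIGINAL_CODE = bytes.fromhex("BA30E94900E82854F6FF")  # ImageBase 00400000
REBASED_CODE = bytes.fromhex("BA30E90920E82854F6FF")   # ImageBase 20000000


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes            # bytes as they appear at the original ImageBase
    image_base: int           # ImageBase the pattern was picked from
    abs_addr_offsets: tuple   # offsets inside pattern holding 32-bit absolute VAs

    def rebased_to(self, new_base: int) -> bytes:
        """Pattern as it would appear in a file whose ImageBase is new_base."""
        delta = (new_base - self.image_base) & 0xFFFFFFFF
        buf = bytearray(self.pattern)
        for off in self.abs_addr_offsets:
            (va,) = struct.unpack_from("<I", buf, off)
            struct.pack_into("<I", buf, off, (va + delta) & 0xFFFFFFFF)
        return bytes(buf)


# Constructed from the report's 10-byte excerpt; byte 1 is the imm32 of 'mov edx'.
BIONET_SIG = Signature("Bionet 3.18 excerpt", ORIGINAL_CODE, 0x00400000, (1,))


def naive_match(data: bytes, sig: Signature) -> bool:
    """Fixed-bytes match: fails as soon as the file is rebased."""
    return sig.pattern in data


def rebase_aware_match(data: bytes, sig: Signature, image_base: int) -> bool:
    """Adjust the absolute-address bytes to the scanned file's ImageBase first."""
    return sig.rebased_to(image_base) in data


def pe32_image_base(pe: bytes) -> int:
    """ImageBase from IMAGE_OPTIONAL_HEADER32 (offset 0x1C after the magic)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20          # skip 'PE\0\0' and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:               # PE32 only; PE32+ keeps a 64-bit ImageBase at +0x18
        raise ValueError("not a PE32 image")
    (image_base,) = struct.unpack_from("<I", pe, opt + 0x1C)
    return image_base


def build_fake_pe(image_base: int, code: bytes) -> bytes:
    """Constructed header stub: just enough for pe32_image_base(), not loadable."""
    hdr = bytearray(0x40 + 4 + 20 + 0x60)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 0x1C, image_base)
    return bytes(hdr) + code


def scan(pe: bytes, sig: Signature) -> dict:
    """Compare both matching strategies on one file, using its own ImageBase."""
    base = pe32_image_base(pe)
    return {
        "image_base": base,
        "naive": naive_match(pe, sig),
        "rebase_aware": rebase_aware_match(pe, sig, base),
    }


if __name__ == "__main__":
    for base, code in ((0x00400000, ORIGINAL_CODE), (0x20000000, REBASED_CODE)):
        print(hex(base), scan(build_fake_pe(base, code), BIONET_SIG))
```

    Running it shows the naive match succeeding only on the 00400000 file, while the rebase-aware match reports both. The same approach applies to a signature with any number of embedded absolute addresses; the alternative the report mentions, not relying on such bytes at all, corresponds to picking a pattern whose `abs_addr_offsets` is empty.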
  Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi tempnexus, Thanks for the report,

    DCS pride themselves on using hand picked signatures :) quite rightly too IMHO and, of course, the strong scanning engines used

    I guess the reason that one was missed is because either it has not been submitted or is not in the wild, i.e. a private unreleased build. Or Gavin simply has not come across it as yet. :)
    Also Bionet .84, right up to 4.1 are in the TDS primary list but I could not find 1.92 :(
