Cyphort Labs has come across a sophisticated malware sample, dubbed Evil Bunny, which tricks sandboxes and shows rather uncommon deception traits to evade detection. Marion Marschalek, Security Researcher of Cyphort Labs, will dissect this evil, yet fascinating, malware called EvilBunny Malware Dropper. We will examine how it attempts to evade detection from AV and sandboxing, how it drops the payload, and how it persists and deletes itself.
5. Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
o We enhance malware detection accuracy
  o False positives/negatives
  o Deep-dive research
o We work with the security ecosystem
  o Contribute to and learn from malware KB
  o Best of 3rd-party threat data
11. o You don't see your adversary
o You don't know whose death star it is there on your machine
o You probably won't even find the death star on your machine
http://glee.wikia.com
12. o Intellectual property being stolen
o Political opponents put in jail
o Internet communication being blocked
o Vendor finding a new exploit
o Same time, hacker writes 5 more
o Control of media
o Enterprises losing customer data
o Nation states spying on their citizens
o Nation states being hacked
o Little Paul losing his homework
18. SAMPLES #[2-4]
o FileSize: 184320 | CodeSize: 139264 | CompileTime: 2010:02:16 18:05:54+01:00
o FileSize: 184320 | CodeSize: 139264 | CompileTime: 2010:03:11 17:55:03+01:00
o FileSize: 792064 | CodeSize: 583680 | CompileTime: 2011:10:25 20:28:39+01:00
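The FileSize, CodeSize and CompileTime values on this slide are read straight from the PE headers (the COFF header's TimeDateStamp and the optional header's SizeOfCode). The following script is an added example, not code from the deck or from Cyphort Labs: it parses those two fields from a file and renders the timestamp in the slide's notation. The byte blob it builds is a constructed, non-executable header-only stub carrying the third sample's values, so the script runs offline; on a real file you would pass `open(path, "rb").read()` instead.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed offsets from the PE file format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_FMT = "<HHIIIHH"      # Machine .. Characteristics (20 bytes)
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)
OPT_HEADER_PREFIX_FMT = "<HBBI"   # Magic, MajorLinker, MinorLinker, SizeOfCode


def build_sample_pe(timestamp: int, size_of_code: int) -> bytes:
    """Constructed test input: a header-only stub that is NOT a runnable PE.
    It only carries the fields pe_header_fields() reads."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = DOS_MAGIC
    dos[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_HEADER_PREFIX_FMT, 0x10B, 9, 0, size_of_code)
    opt += b"\0" * (224 - len(opt))   # pad to SizeOfOptionalHeader
    return bytes(dos) + PE_SIGNATURE + coff + opt


def pe_header_fields(data: bytes) -> dict:
    """Return FileSize, CodeSize and the raw TimeDateStamp of a PE image."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _, _, timestamp, _, _, _, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    magic, _, _, size_of_code = struct.unpack_from(OPT_HEADER_PREFIX_FMT, data, opt_off)
    # SizeOfCode sits at the same offset for PE32 (0x10B) and PE32+ (0x20B).
    return {"FileSize": len(data), "CodeSize": size_of_code,
            "TimeDateStamp": timestamp, "Magic": magic}


def format_compile_time(timestamp: int, utc_offset_hours: int = 1) -> str:
    """Render the timestamp the way the deck prints it: YYYY:MM:DD HH:MM:SS+HH:00.
    The +01:00 offset is an assumption matching the slide, not a PE property."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.fromtimestamp(timestamp, tz=tz)
    sign = "+" if utc_offset_hours >= 0 else "-"
    return dt.strftime("%Y:%m:%d %H:%M:%S") + f"{sign}{abs(utc_offset_hours):02d}:00"


if __name__ == "__main__":
    # 1319570919 is 2011-10-25 19:28:39 UTC, i.e. the slide's 20:28:39+01:00
    blob = build_sample_pe(1319570919, 583680)
    fields = pe_header_fields(blob)
    print(fields, format_compile_time(fields["TimeDateStamp"]))
```

The compile timestamp is attacker-controlled and can be forged, so treat it as a clustering hint (as the deck does across samples 2-4) rather than as proof of when a sample was built.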
19. EvilBunny
o FileSize: 792064
o CompileTime: 2011:10:25 20:28:39+01:00
o API name hashing key AB34CD77h
o http://1.9.32.11/bunny/test.php?rec=nvista
o Anti-Analysis | Threads & Files | CPU Data | C&C Commands | LUA
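Slide 19 notes that EvilBunny resolves Windows APIs by hashed name with the key AB34CD77h instead of importing them, which hides the import table from static tools. An analyst recovers the imports by recomputing the hash over every export name of the relevant DLLs and matching the constants found in the binary. The block below is an added example of that lookup-table approach; it is not the deck's or Cyphort's code. The hash routine itself (a keyed ROR-13 accumulator) is an assumption for illustration, since the slides give only the key, not the algorithm, and the export list is a constructed sample rather than a real DLL's exports.

```python
from typing import Dict, Iterable, Optional

KEY = 0xAB34CD77  # key value quoted on slide 19
MASK32 = 0xFFFFFFFF


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= MASK32
    return ((value >> shift) | (value << (32 - shift))) & MASK32


def hash_api_name(name: str, key: int = KEY) -> int:
    """Hypothetical keyed hash: ROR-13 accumulate each byte, then XOR the key.
    This is an assumed algorithm, NOT the one EvilBunny actually uses."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h ^ key


def build_hash_table(export_names: Iterable[str], key: int = KEY) -> Dict[int, str]:
    """Precompute hash -> export name so observed constants can be resolved."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_api_name(name, key)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(observed: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map constants pulled from the binary to API names; None means unresolved."""
    return {h: table.get(h) for h in observed}


# Constructed export list standing in for the exports of kernel32/advapi32/wininet.
SAMPLE_EXPORTS = ["CreateFileA", "WriteFile", "RegSetValueExA",
                  "CreateThread", "InternetOpenA", "DeleteFileA"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    wanted = [hash_api_name("CreateThread"), hash_api_name("InternetOpenA")]
    for h, name in resolve_hashes(wanted, table).items():
        print(f"{h:08X} -> {name}")
```

In practice the table is built from the real export directories of the DLLs the sample loads, and an unresolved constant usually means either a DLL you have not yet included or a hash routine that differs from the one you assumed.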
26. C&C servers
o Config stored in HKLM\Software\Microsoft\Ipsec
o http://le-progres.net/images/php/test.php?rec=11206-01
o http://ghatreh.com/skins/php/test.php?rec=11206-01
o http://www.usthb-dz.org/includes/php/test.php?rec=11206-01
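All four beacon URLs on slides 19 and 26 share one shape: a path ending in `/test.php` with a `rec=` campaign identifier. That shape is a usable detection pivot even when the hosting domain changes. The script below is an added example, not the deck's or Cyphort's code: it extracts the `rec=` identifier from proxy log entries, flags requests whose host is one of the listed C&C hosts, and still surfaces same-shaped beacons to unknown hosts. The log line format (`timestamp client-ip url`) and the log lines themselves are constructed for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Beacon URLs quoted on slides 19 and 26 (the deck's own indicators).
KNOWN_BEACON_URLS = [
    "http://1.9.32.11/bunny/test.php?rec=nvista",
    "http://le-progres.net/images/php/test.php?rec=11206-01",
    "http://ghatreh.com/skins/php/test.php?rec=11206-01",
    "http://www.usthb-dz.org/includes/php/test.php?rec=11206-01",
]
KNOWN_BEACON_HOSTS = {urlsplit(u).hostname for u in KNOWN_BEACON_URLS}


def beacon_campaign_id(url: str) -> Optional[str]:
    """Return the rec= value if the URL has the beacon shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/test.php"):
        return None
    rec = parse_qs(parts.query).get("rec")
    return rec[0] if rec else None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Constructed log format: '<timestamp> <client-ip> <url>' per line.
    Returns (client, host, campaign_id, host_is_known_c2) for beacon-shaped hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the scan
        client, url = fields[1], fields[2]
        rec = beacon_campaign_id(url)
        if rec is None:
            continue
        host = urlsplit(url).hostname or ""
        hits.append((client, host, rec, host in KNOWN_BEACON_HOSTS))
    return hits


# Constructed sample log: two known C&C hosts, one benign request,
# and one beacon-shaped request to a host not on the slides.
SAMPLE_LOG = [
    "2011-12-20T10:01:02Z 10.0.0.5 http://ghatreh.com/skins/php/test.php?rec=11206-01",
    "2011-12-20T10:01:05Z 10.0.0.5 http://example.org/index.html",
    "2011-12-20T10:02:11Z 10.0.0.9 http://www.usthb-dz.org/includes/php/test.php?rec=11206-01",
    "2011-12-20T10:03:40Z 10.0.0.7 http://unknown.example/a/test.php?rec=11206-02",
]

if __name__ == "__main__":
    for client, host, rec, known in scan_proxy_log(SAMPLE_LOG):
        tag = "KNOWN C2" if known else "same shape, new host"
        print(f"{client} -> {host} rec={rec} [{tag}]")
```

Matching on the URL shape plus the `rec=` parameter, rather than on hostnames alone, is what lets the same rule catch the redirected infrastructure on slide 26 as well as the original 1.9.32.11 beacon on slide 19.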
30. CVE-2011-4369
o Adobe Reader vulnerability
o Discovered December 2011
o Original release date: Dec. 16, 2011
o Documented Bunny infection: Dec. 20, 2011
32. TRAITS OF SOPHISTICATED MALWARE
o Tricking of security solutions
o Showing uncommon features
o Vast resources being used in development and spreading
o Advanced stealth mechanisms
33. BUNNY ORIGINS
o Project named bunny, version 2.3.2
o DDoS botnet operators
o Accept-Language: fr
o C&C Servers hosted in Canada
o C&C domains resemble French/Iranian websites
o Related to recently revealed Babar malware
34. THE HIDDEN LINK
o Shared code
o Proxy bypass
o Anti-virus enumeration
o Similar API obfuscation
o Same level of complexity
o Middle-eastern domain names