January 30th, 2009

ronin

Interview with an Ad-Ware author - BHOs, code obsfucation, remote execution.


I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they're the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you're using IE, then either you don't care or you don't know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they're going. It runs in the actual browser process, which means it can do anything the browser can do—which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That's a little bit of persistence right there.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn't, then it will install it. That's fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did—actually I should say what I did, because I was pretty heavily involved in this—was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn't, [ the poller would ] install it. To make sure the poller was less likely to be detected, we developed this algorithm (a really trivial one) for making a random-looking filename that was consistent per machine but was not easy to guess. I think it was the first 6 or 8 characters of the DES-encoded MAC address. You take the MAC address, encode it with DES, take the first six characters and that was it. That was pretty good, except the file itself would be the same binary. If you md5-summed the file it would always be the same everywhere, and it was always in the same location.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature's all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.


http://philosecurity.org/2009/01/12/interview-with-an-adware-author

"There is no second chance when Kung F^W^W technical knowledge is used for evil!"

Also, this is why you shouldn't use IE.

Followup: In a shocking development, the adware author who wrote this article wasn't telling us the whole story.

(via bruce_schneier - I missed this when it was on Reddit.)