Bringing Down the House - How One Python Script Ruled Over Antivirus @ChrisTruncer

Upload: ctruncer

Post on 12-Apr-2017


TRANSCRIPT

Page 1

Bringing Down the House - How One Python Script Ruled Over Antivirus

@ChrisTruncer

Page 2

whoami

- Chris Truncer
- Systems Administrator turned Red Teamer
- Red Team Lead at Mandiant
- Open Source Developer
  - Veil-Framework
  - EyeWitness
  - and others...

Page 3

What’s this talk about?

- A pen tester’s problem
- Shellcode injection
- Veil-Evasion
- Veil-Evasion’s approach
- Signature bypass
- Questions

Page 4

A Pen Tester’s Problem

Veil’s Inception

Page 5

What’s My Job?

- Penetration testers and red teamers test the security of... something:
  - A website
  - An application
  - An office’s domain
  - A global distributed network

Page 6

What’s My Job?

- Tests are objective oriented
- We don’t just hack everything for the lulz
- Targeted in nature:
  - Access internal payroll systems
  - Access customer lists
  - Steal company secrets
  - Wire money to a controlled account
  - ...etc.

Pages 7-9

What’s My Job? (image-only slides)

Page 10

Path to the Objective

- Typically we will need to compromise workstations
- To compromise systems, we introduce controlled viruses
- However, we run into the same problems/roadblocks that real attackers do...

Page 11

What’s My Job? (image-only slide)

Page 12

Our Problem

- Bypassing antivirus is relatively trivial (demoed later)
- I wanted an automated means to bypass antivirus
  - Let’s not waste time bypassing AV; use that time to better assess our customer’s environment

Page 13

Veil-Evasion

Page 14

Our Problem

- Myself, Will Schroeder, and Michael Wright decided to create a framework
  - Aggregate public AV bypass techniques
  - Automate the customization and compilation process
  - Modularize Veil to easily add new payload modules
- The output is the source code, and an executable “stager”

Page 15

Stagers

Page 16

Stagers

- Stagers (Veil output) can be referred to as “stage 1”
- The goal for stagers is to inject shellcode into memory and run it
- The shellcode can connect to a remote system and receive additional code
- Think of stagers as a loader for your real malware

Page 17

Stagers

- Any language that has access to Windows function calls can be used to write a stager
- So… we started writing them in Python at first!
  - Debasish Mandal and Mark Baggett both developed proofs of concept for injecting shellcode into memory.

Page 18

Stagers

- It’s all done with four function calls:
  - VirtualAlloc - Allocate space and assign memory permissions
  - RtlMoveMemory - Move shellcode into allocated space
  - CreateThread - Run the shellcode stored in memory
  - WaitForSingleObject - Don’t exit the process until the thread is done executing

Pages 19-23

Our Problem (image-only slides)

Page 24

Veil’s Approach to Beating AV

Page 25

Veil’s Approach

- Veil is designed to beat on-disk detection through a variety of techniques:
  - Increasing code obfuscation
  - Encrypted code
  - Non-standard languages for Windows binaries: Python, Perl, Ruby

Page 26

Veil’s Approach

- Languages that Veil supports:
  - Python
  - Perl
  - PowerShell
  - C#
  - C
  - Go
  - Ruby

Page 27

Shellcode Injection Observation

Page 28

Veil’s Approach

- We observed that using a non-C or C# based language made a big difference
  - Antivirus didn’t understand how to properly inspect non-standard languages
- Example
  - C vs. Python

Pages 29-30

Our Problem (image-only slides)

Page 31

Veil’s Observation

Simply changing the language the executable was developed in completely bypassed ALL antivirus engines

Page 32

Veil’s Approach

- Invested heavily in Python module development
  - Basic letter substitution
  - Base64 encoded shellcode
  - Encrypted shellcode
- Developed a payload which brute forces itself

Page 33

Stallion

- At runtime, the payload performs a chosen-ciphertext attack
  - With known ciphertext, it observes the cleartext output
- Use a constrained keyspace
  - Ex: “IEjy2kDLJ*@%nfs9fSYEbdudfd” + “123456”
- Loop over the constrained keyspace
- If the decoded ciphertext matches the known plaintext value, then the key is discovered
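The key search this slide describes, as an added illustration that is not from the talk or from the Veil-Framework code: an analyst holding such a sample, its known plaintext/ciphertext pair and the shape of the keyspace can recover the key exactly as the payload does, and counting the attempts shows how little the scheme actually protects. The prefix is the one on the slide; the cipher (a SHA-256 keystream XOR), the six-digit suffix 004321 and the plaintext marker are constructed for this example, since the slides do not describe Stallion's real cipher or check value.

```python
import hashlib
import itertools
import math

# Constructed stand-in cipher (not Veil's code; the slides do not describe
# Stallion's actual cipher): a keystream of SHA-256(key || counter) blocks
# XORed over the data. Any cipher keyed from a string would behave the same
# for the purpose of the key search below.
def keystream_xor(key: str, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def candidate_keys(prefix: str, digits: int):
    """Enumerate the constrained keyspace the slide describes: a fixed
    prefix followed by every `digits`-digit decimal string, in order."""
    for combo in itertools.product("0123456789", repeat=digits):
        yield prefix + "".join(combo)


def keyspace_bits(digits: int) -> float:
    """Effective key entropy: only the digit suffix is unknown, so the
    search space is 10**digits no matter how long the prefix is."""
    return math.log2(10 ** digits)


def recover_key(prefix: str, digits: int, known_plaintext: bytes,
                known_ciphertext: bytes):
    """Walk the keyspace and stop at the first key under which the known
    ciphertext decrypts to the known plaintext (the same check the payload
    performs). Returns (key, tries), or (None, tries) if nothing matches."""
    tries = 0
    for key in candidate_keys(prefix, digits):
        tries += 1
        if keystream_xor(key, known_ciphertext) == known_plaintext:
            return key, tries
    return None, tries


# Constructed sample: the prefix from the slide, a made-up 6-digit suffix,
# and a made-up known-plaintext marker that a Stallion-style payload would
# compare its decryption output against.
PREFIX = "IEjy2kDLJ*@%nfs9fSYEbdudfd"
DIGITS = 6
SAMPLE_SUFFIX = "004321"
KNOWN_PLAINTEXT = b"known-marker"
KNOWN_CIPHERTEXT = keystream_xor(PREFIX + SAMPLE_SUFFIX, KNOWN_PLAINTEXT)


def analyse_sample() -> dict:
    """Recover the key from the constructed sample and report how much
    work it took relative to the full keyspace."""
    key, tries = recover_key(PREFIX, DIGITS, KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    return {
        "key": key,
        "tries": tries,
        "keyspace": 10 ** DIGITS,
        "entropy_bits": round(keyspace_bits(DIGITS), 2),
    }


if __name__ == "__main__":
    result = analyse_sample()
    print(f"recovered key suffix: {result['key'][len(PREFIX):]}")
    print(f"tries: {result['tries']} of {result['keyspace']} "
          f"({result['entropy_bits']} bits of effective key material)")
```

The prefix is long but none of it is secret; only the six digits vary, so the effective key material is under 20 bits and a full search of at most a million candidates finishes in seconds on one core. For an analyst that means the loop is a delay and an obfuscation layer rather than encryption worth respecting: an unpacker that replays the same known-plaintext check, or an emulator that simply lets the loop run, reaches the decrypted content just as the stager does.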

Pages 34-35

Stallion (image-only slides)

Page 36

(image-only slide)

Page 37

Signature

- After approximately 1 year, we were notified that a signature was developed for Veil

Page 38

Veil’s Signature

- This was a step in the right direction by AV companies
  - We want them to step up their game
- Previous attempts to categorize Veil have ended up quite humorous...

Page 39

Stallion (image-only slide)

Pages 40-41

(image-only slides)

Page 42

Stallion (image-only slide)

Pages 43-46

Signature Evasion (image-only slides)

Page 47

Generating Executables

- Usability - Executable Generation
  - Wine became our best friend
  - Python installed within Wine
  - Required libraries installed within Wine
  - PyInstaller within Python on Wine
- Extended this concept to all languages
  - Go
  - Ruby
  - C#

Page 48

Generating Executables

- We chose PyInstaller and Py2Exe since they are widely used
  - To prevent AV companies from just flagging all PyInstaller output
- Some companies did this anyway...

Pages 49-50

Generating Executables (image-only slides)

Page 51

A Better Solution

Page 52

Better Options

- Static string based antivirus detection is dead
- Move to dynamic analysis and reputation based detection

Page 53

Test Your Security

- Start testing your security “solutions” so you know the level of protection they provide
- Determine the level of risk security products introduce
- Python provided the way for us to do this

Page 54

THANKS!

Any questions?

@ChrisTruncer

https://www.christophertruncer.com
https://github.com/ChrisTruncer
https://github.com/Veil-Framework