Bringing Down the House - How One Python Script Ruled Over Antivirus
TRANSCRIPT
@ChrisTruncer
whoami
⊡ Chris Truncer
⊡ Systems Administrator turned Red Teamer
⊡ Red Team Lead at Mandiant
⊡ Open Source Developer
  □ Veil-Framework
  □ EyeWitness
  □ and others...
What’s this talk about?
⊡ A pen tester’s problem
⊡ Shellcode injection
⊡ Veil-Evasion
⊡ Veil-Evasion’s approach
⊡ Signature bypass
⊡ Questions
A Pen Tester’s Problem: Veil’s Inception
What’s My Job?
⊡ Penetration testers and red teamers test the security of… something:
  □ A website
  □ An application
  □ An office’s domain
  □ A globally distributed network
What’s My Job?
⊡ Tests are objective oriented
⊡ We don’t just hack everything for the lulz
⊡ Targeted in nature
  □ Access internal payroll systems
  □ Access customer lists
  □ Steal company secrets
  □ Wire money to a controlled account
  □ ...etc.
Path to the Objective
⊡ Typically we will need to compromise workstations
⊡ To compromise systems, we introduce controlled viruses
⊡ However, we run into the same problems/roadblocks that real attackers do...
Our Problem
⊡ Bypassing antivirus is relatively trivial (demoed later)
⊡ I wanted an automated means to bypass antivirus
  □ Let’s not waste time bypassing AV; use that time to better assess our customer’s environment
Veil-Evasion
Our Problem
⊡ Myself, Will Schroeder, and Michael Wright decided to create a framework
  □ Aggregate public AV bypass techniques
  □ Automate the customization and compilation process
  □ Modularize Veil to easily add new payload modules
⊡ The output is the source code and an executable “stager”
Stagers
⊡ Stagers (Veil output) can be referred to as “stage 1”
⊡ The goal for stagers is to inject shellcode into memory and run it
⊡ The shellcode can connect to a remote system and receive additional code
⊡ Think of stagers as a loader for your real malware
Stagers
⊡ Any language that has access to Windows function calls can be used to write a stager
⊡ So… we started writing them in Python at first!
  □ Debasish Mandal and Mark Baggett both developed proof of concepts for injecting shellcode into memory
Stagers
⊡ It’s all done with four function calls
  □ VirtualAlloc - Allocate space and assign memory permissions
  □ RtlMoveMemory - Move shellcode into allocated space
  □ CreateThread - Run the shellcode stored in memory
  □ WaitForSingleObject - Don’t exit the process until the thread is done executing
Veil’s Approach to Beating AV
Veil’s Approach
⊡ Veil is designed to beat on-disk detection through a variety of techniques:
  □ Increasing code obfuscation
  □ Encrypted code
  □ Non-standard languages for Windows binaries: Python, Perl, Ruby
Veil’s Approach
⊡ Languages that Veil supports
  □ Python
  □ Perl
  □ PowerShell
  □ C#
  □ C
  □ Go
  □ Ruby
Shellcode Injection Observation
Veil’s Approach
⊡ We observed that using a language other than C or C# made a big difference
  □ Antivirus didn’t understand how to properly inspect non-standard languages
⊡ Example
  □ C vs. Python
Veil’s Observation
Simply changing the language the executable was developed in completely bypassed ALL antivirus engines
Veil’s Approach
⊡ Invested heavily in Python module development
  □ Basic letter substitution
  □ Base64 encoded shellcode
  □ Encrypted shellcode
⊡ Developed a payload which brute forces itself
Stallion
⊡ At runtime, the payload performs a chosen-ciphertext attack
  □ With known ciphertext, it observes the cleartext output
⊡ Use a constrained keyspace
  □ Ex: “IEjy2kDLJ*@%nfs9fSYEbdudfd” + “123456”
⊡ Loop over the constrained keyspace
⊡ If the decoded ciphertext matches the known plaintext value, then the key is discovered
Signature
⊡ After approximately 1 year, we were notified that a signature was developed for Veil
Veil’s Signature
⊡ This was a step in the right direction by AV companies
  □ We want them to step up their game
⊡ Previous attempts to categorize Veil have ended up quite humorous...
Signature Evasion
Generating Executables
⊡ Usability - Executable Generation
  □ Wine became our best friend
  □ Python installed within Wine
  □ Required libraries installed within Wine
  □ PyInstaller within Python on Wine
⊡ Extended this concept to all languages
  □ Go
  □ Ruby
  □ C#
Generating Executables
⊡ We chose PyInstaller and Py2Exe since they are widely used
  □ To prevent AV companies from just flagging all PyInstaller output
⊡ Some companies did this anyway...
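A defender-side illustration of the two static signals this talk describes: the four-call stager chain (VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject) and the PyInstaller/py2exe packer markers that some vendors flagged wholesale. This is an added example, not code from Veil or the talk; the sample blobs are constructed, and the third one shows why the talk calls string-based detection dead: the same stager with its API names base64-encoded at rest yields no string hits.

```python
import base64
from typing import Dict, List

# The four Win32 calls the talk names as the whole stage-1 injection chain.
INJECTION_APIS = ["VirtualAlloc", "RtlMoveMemory", "CreateThread", "WaitForSingleObject"]

# Packer markers: PyInstaller's archive cookie magic and its _MEIPASS runtime
# variable, and the PYTHONSCRIPT resource name py2exe uses for the main script.
PACKER_MARKERS = {
    "pyinstaller": [b"MEI\x0c\x0b\x0a\x0b\x0e", b"_MEIPASS"],
    "py2exe": [b"PYTHONSCRIPT"],
}


def find_apis(blob: bytes) -> List[str]:
    """Return injection API names present as ASCII or UTF-16LE strings."""
    return [n for n in INJECTION_APIS
            if n.encode() in blob or n.encode("utf-16-le") in blob]


def find_packers(blob: bytes) -> List[str]:
    """Return the script packers whose markers appear in the blob."""
    return [p for p, marks in PACKER_MARKERS.items() if any(m in blob for m in marks)]


def triage(blob: bytes) -> Dict[str, object]:
    """Score a file purely on strings, the way on-disk AV of the era did."""
    apis, packers = find_apis(blob), find_packers(blob)
    if len(apis) == len(INJECTION_APIS):
        verdict = "full injection chain"          # all four calls referenced
    elif packers and len(apis) >= 2:
        verdict = "packed script + partial chain"
    else:
        verdict = "no static indicators"          # benign, or strings hidden
    return {"apis": apis, "packers": packers, "verdict": verdict}


# Constructed samples (not real binaries): a PyInstaller-packed ctypes stager,
# a benign program that only allocates memory and spawns threads, and the same
# stager with its API names base64-encoded (one of the encodings Veil uses).
CHAIN = b" ".join(n.encode() for n in INJECTION_APIS)
STAGER = b"MZ\x90\x00" + b"MEI\x0c\x0b\x0a\x0b\x0e" + b"_MEIPASS\x00" + CHAIN
BENIGN = b"MZ\x90\x00" + b"VirtualAlloc\x00CreateThread\x00ExitProcess\x00"
ENCODED = b"MZ\x90\x00" + b"_MEIPASS\x00" + base64.b64encode(CHAIN)

if __name__ == "__main__":
    for label, blob in [("stager", STAGER), ("benign", BENIGN), ("encoded", ENCODED)]:
        print(label, triage(blob))
```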
A Better Solution
Better Options
⊡ Static string based antivirus detection is dead
⊡ Move to dynamic analysis and reputation based detection
Test Your Security
⊡ Start testing your security “solutions” so you know the level of protection they provide
⊡ Determine the level of risk security products introduce
⊡ Python provided the way for us to do this
THANKS!
Any questions? @ChrisTruncer
https://www.christophertruncer.com
https://github.com/ChrisTruncer
https://github.com/Veil-Framework