Bringing Down the House - How One Python Script Ruled Over AntiVirus

2,103 views

Published on

This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.

Published in: Internet
  1. Bringing Down the House - How One Python Script Ruled Over Antivirus @ChrisTruncer
  2. whoami: Chris Truncer
     ⊡ Systems Administrator turned Red Teamer
     ⊡ Red Team Lead at Mandiant
     ⊡ Open Source Developer
       □ Veil-Framework
       □ EyeWitness
       □ and others...
  3. What’s this talk about?
     ⊡ A pen tester’s problem
     ⊡ Shellcode injection
     ⊡ Veil-Evasion
     ⊡ Veil-Evasion’s approach
     ⊡ Signature bypass
     ⊡ Questions
  4. A Pen Tester’s Problem: Veil’s Inception (section slide)
  5. What’s My Job?
     ⊡ Penetration testers and red teamers test the security of... something:
       □ A website
       □ An application
       □ An office’s domain
       □ A global distributed network
  6. What’s My Job?
     ⊡ Tests are objective oriented
     ⊡ We don’t just hack everything for the lulz
     ⊡ Targeted in nature:
       □ Access internal payroll systems
       □ Access customer lists
       □ Steal company secrets
       □ Wire money to a controlled account
       □ ...etc.
  7. What’s My Job? (image slide)
  8. What’s My Job? (image slide)
  9. What’s My Job? (image slide)
  10. Path to the Objective
     ⊡ Typically we will need to compromise workstations
     ⊡ To compromise systems, we introduce controlled viruses
     ⊡ However, we run into the same problems/roadblocks that real attackers do...
  11. What’s My Job? (image slide)
  12. Our Problem
     ⊡ Bypassing antivirus is relatively trivial (demoed later)
     ⊡ I wanted an automated means to bypass antivirus
       □ Let’s not waste time bypassing AV; use that time to better assess our customer’s environment
  13. Veil-Evasion (section slide)
  14. Our Problem
     ⊡ Myself, Will Schroeder, and Michael Wright decided to create a framework
       □ Aggregate public AV bypass techniques
       □ Automate the customization and compilation process
       □ Modularize Veil to easily add new payload modules
     ⊡ The output is the source code and an executable “stager”
  15. Stagers (section slide)
  16. Stagers
     ⊡ Stagers (Veil output) can be referred to as “stage 1”
     ⊡ The goal for stagers is to inject shellcode into memory and run it
     ⊡ The shellcode can connect to a remote system and receive additional code
     ⊡ Think of stagers as a loader for your real malware
  17. Stagers
     ⊡ Any language that has access to Windows function calls can be used to write a stager
     ⊡ So... we started writing them in Python at first!
       □ Debasish Mandal and Mark Baggett both developed proofs of concept for injecting shellcode into memory
  18. Stagers
     ⊡ It’s all done with four function calls:
       □ VirtualAlloc - Allocate space and assign memory permissions
       □ RtlMoveMemory - Move shellcode into allocated space
       □ CreateThread - Run the shellcode stored in memory
       □ WaitForSingleObject - Don’t exit the process until the thread is done executing
  19. Our Problem (image slide)
  20. Our Problem (image slide)
  21. Our Problem (image slide)
  22. Our Problem (image slide)
  23. Our Problem (image slide)
  24. Veil’s Approach to Beating AV (section slide)
  25. Veil’s Approach
     ⊡ Veil is designed to beat on-disk detection through a variety of techniques:
       □ Increasing code obfuscation
       □ Encrypted code
       □ Non-standard languages for Windows binaries: Python, Perl, Ruby
  26. Veil’s Approach
     ⊡ Languages that Veil supports:
       □ Python
       □ Perl
       □ PowerShell
       □ C#
       □ C
       □ Go
       □ Ruby
  27. Shellcode Injection Observation (section slide)
  28. Veil’s Approach
     ⊡ We observed that using a non-C or C#-based language made a big difference
       □ Antivirus didn’t understand how to properly inspect non-standard languages
     ⊡ Example: C vs. Python
  29. Our Problem (image slide)
  30. Our Problem (image slide)
  31. Veil’s Observation: Simply changing the language the executable was developed in completely bypassed ALL antivirus engines
  32. Veil’s Approach
     ⊡ Invested heavily in Python module development
       □ Basic letter substitution
       □ Base64-encoded shellcode
       □ Encrypted shellcode
     ⊡ Developed a payload which brute-forces itself
  33. Stallion
     ⊡ At runtime, the payload performs a chosen-ciphertext attack
       □ With known ciphertext, it observes the cleartext output
     ⊡ Use a constrained keyspace
       □ Ex: “IEjy2kDLJ*@%nfs9fSYEbdudfd” + “123456”
     ⊡ Loop over the constrained keyspace
     ⊡ If the decoded ciphertext matches the known plaintext value, then the key is discovered
  34. Stallion (image slide)
  35. Stallion (image slide)
  36. Signature
     ⊡ After approximately 1 year, we were notified that a signature was developed for Veil
  37. Veil’s Signature
     ⊡ This was a step in the right direction by AV companies
       □ We want them to step up their game
     ⊡ Previous attempts to categorize Veil have ended up quite humorous...
  38. Stallion (image slide)
  39. Stallion (image slide)
  40. Signature Evasion (image slide)
  41. Signature Evasion (image slide)
  42. Signature Evasion (image slide)
  43. Signature Evasion (image slide)
  44. Generating Executables
     ⊡ Usability - Executable Generation
       □ Wine became our best friend
       □ Python installed within Wine
       □ Required libraries installed within Wine
       □ PyInstaller within Python on Wine
     ⊡ Extended this concept to all languages
       □ Go
       □ Ruby
       □ C#
  45. Generating Executables
     ⊡ We chose PyInstaller and Py2Exe since they are widely used
       □ To prevent AV companies from just flagging all PyInstaller output
     ⊡ Some companies did this anyway...
  46. Generating Executables (image slide)
  47. Generating Executables (image slide)
  48. A Better Solution (section slide)
  49. Better Options
     ⊡ Static string-based antivirus detection is dead
     ⊡ Move to dynamic analysis and reputation-based detection
  50. Test Your Security
     ⊡ Start testing your security “solutions” so you know the level of protection they provide
     ⊡ Determine the level of risk security products introduce
     ⊡ Python provided the way for us to do this
  51. THANKS! Any questions? @ChrisTruncer https://www.christophertruncer.com https://github.com/ChrisTruncer https://github.com/Veil-Framework
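As an added example that is not part of the deck or the Veil project: the four calls on slide 18 form a runtime sequence that a sandbox or endpoint agent can check regardless of the language the stager was written in, which is the dynamic, behaviour-based approach slide 49 argues for. The `Call` helper, the constants and both traces below are constructed for illustration.

```python
# Added example, not Veil's code: flag the VirtualAlloc -> RtlMoveMemory -> CreateThread
# -> WaitForSingleObject pattern (slide 18) in a constructed API-call trace.
from collections import namedtuple

PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXEC_PROTECTS = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
WRITE_APIS = {"RtlMoveMemory", "memcpy", "WriteProcessMemory"}

# One logged API call: name, argument dict, return value as the sandbox recorded it.
Call = namedtuple("Call", "api args ret", defaults=(0,))

def _owning_region(regions, addr):
    """Base of the tracked executable region containing addr, else None."""
    for base, info in regions.items():
        if addr is not None and base <= addr < base + info["size"]:
            return base
    return None

def detect_injection(trace):
    """One finding per executable region that was written to and then used as a
    thread start address; the language the stager was written in is irrelevant."""
    regions, findings = {}, []
    for c in trace:
        if c.api == "VirtualAlloc" and c.args.get("flProtect") in EXEC_PROTECTS and c.ret:
            regions[c.ret] = {"size": c.args.get("dwSize", 0), "written": False}
        elif c.api in WRITE_APIS:
            base = _owning_region(regions, c.args.get("Destination"))
            if base is not None:
                regions[base]["written"] = True
        elif c.api == "CreateThread":
            base = _owning_region(regions, c.args.get("lpStartAddress"))
            if base is not None and regions[base]["written"]:
                findings.append({"region": hex(base), "size": regions[base]["size"]})
        # WaitForSingleObject only keeps the process alive; it adds nothing to the verdict.
    return findings

# Constructed traces (made up, not real sandbox output): a stager-like sequence and
# a benign one whose thread starts in module code rather than a fresh RWX buffer.
STAGER_TRACE = [
    Call("VirtualAlloc", {"dwSize": 0x1000, "flProtect": PAGE_EXECUTE_READWRITE}, 0x1F0000),
    Call("RtlMoveMemory", {"Destination": 0x1F0000, "Length": 0x15A}),
    Call("CreateThread", {"lpStartAddress": 0x1F0000}, 0x2C),
    Call("WaitForSingleObject", {"hHandle": 0x2C, "dwMilliseconds": 0xFFFFFFFF}),
]
BENIGN_TRACE = [
    Call("VirtualAlloc", {"dwSize": 0x1000, "flProtect": 0x04}, 0x200000),
    Call("RtlMoveMemory", {"Destination": 0x200000, "Length": 0x100}),
    Call("CreateThread", {"lpStartAddress": 0x401000}, 0x30),
]
```

The check fires on the stager trace and stays quiet on the benign one; an executable region that is allocated but never written to also produces no finding.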