
The Art of AV Evasion - Or Lack Thereof


This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.


  1. The Art of AV Evasion - Or Lack Thereof
     @ChrisTruncer
  2. WHOAMI
     ◉ Sys Admin Turned Red Teamer for Mandiant
     ◉ Florida State Seminole
     ◉ Open Source Software Developer
       ○ Veil-Framework
       ○ EyeWitness
       ○ Egress-Assess
  3. What is this talk about?
     ◉ Stager Background
     ◉ Veil-Evasion’s AV Bypass Approach
     ◉ Signatured - DOH!
     ◉ An Experiment I Conducted
     ◉ Process Creation
  4. Stagers
  5. What are stagers?
     ◉ Can be referred to as “stage 1”
       ○ This can be msfvenom or Veil-Evasion output
     ◉ The goal for these is (typically) to inject shellcode into memory
       ○ The shellcode’s task is usually to download and inject a reflective DLL
       ○ Or anything you specify
     ◉ This is essentially a loader for your real malware
  6. What are stagers?
     ◉ Any language that has a means to access Windows functions can be used to develop stagers!
       ○ This can open up a ton of options
     ◉ Interacting with Windows functionality isn’t all that scary!
       ○ It’s just four function calls
  7. Shellcode Injection Basics
     ◉ Allocate memory to store shellcode, and set proper memory protections
     ◉ Copy the shellcode that you want to run into the previously allocated memory
     ◉ Create a thread to execute the shellcode
     ◉ Have your code run until the thread has completed execution (you exit Meterpreter)
  8. VirtualAlloc
     ◉ Allocates memory within the current process
       ○ How much memory should it allocate (shellcode size)?
       ○ Which permissions should be assigned to the allocated memory?
         ■ RWX?
         ■ W?
  9. RtlMoveMemory
     ◉ Moves shellcode into the memory space that’s been allocated
       ○ Needs a pointer indicating where to copy the shellcode to (VirtualAlloc output)
       ○ A pointer indicating where you are copying “data” from
       ○ The length of data (shellcode) to copy
  10. CreateThread
     ◉ This function creates a new thread for the copied shellcode
       ○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
       ○ Schedule the thread to run immediately
  11. WaitForSingleObject
     ◉ This function tells the program (stager main) to wait to exit until the thread completes
       ○ A handle to the thread that was just created (output from CreateThread)
       ○ A value (-1) instructing the program to wait until the thread has finished running
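The four calls on slides 7 through 11 are also the defender's view of a stager: seen in order, they are a behavioural pattern rather than a byte signature, which is what the "heuristics based" detection on slide 13 keys on. The following is an added example, not code from the talk, from Veil-Evasion or from any AV product. It assumes a hypothetical API-trace format (`pid=... api=... key=value ... ret=...`, one call per line) and the trace lines in it are constructed; real EDR telemetry uses different field names, but the state machine is the same.

```python
"""Heuristic detection of the allocate -> copy -> thread -> wait loader chain.

Added example, not code from the talk, Veil-Evasion, or any AV vendor. It
assumes a hypothetical API-trace format, one call per line:
    pid=<n> api=<Name> <key>=<value> ... ret=<value>
The trace lines at the bottom are constructed for the example.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Windows protection constant for RWX pages
INFINITE = 0xFFFFFFFF          # WaitForSingleObject timeout "wait forever" (-1 as a DWORD)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'pid=1 api=X a=b' into a dict; a line with no fields gives {}."""
    return dict(FIELD_RE.findall(line))


def to_int(value):
    """Accept 0x-prefixed hex, plain decimal, or -1 (the trace's spelling of INFINITE)."""
    return int(value, 0)


class LoaderChainDetector:
    """Tracks, per process, RWX regions, which of them received a copy, and
    threads started inside a written region. An alert fires only when the
    full four-step chain from slides 7-11 is observed in order."""

    def __init__(self):
        self.rwx = defaultdict(dict)      # pid -> {base: size}
        self.written = defaultdict(set)   # pid -> {base of RWX region that was written}
        self.threads = defaultdict(dict)  # pid -> {thread handle: base it starts in}
        self.alerts = []

    def _region_for(self, pid, addr):
        for base, size in self.rwx[pid].items():
            if base <= addr < base + size:
                return base
        return None

    def feed(self, line):
        f = parse_line(line)
        pid, api = f.get("pid"), f.get("api")
        if pid is None or api is None:
            return None
        if api == "VirtualAlloc" and to_int(f["protect"]) == PAGE_EXECUTE_READWRITE:
            # step 1: executable and writable memory requested
            self.rwx[pid][to_int(f["ret"])] = to_int(f["size"])
        elif api == "RtlMoveMemory":
            # step 2: bytes copied into such a region
            base = self._region_for(pid, to_int(f["dest"]))
            if base is not None:
                self.written[pid].add(base)
        elif api == "CreateThread":
            # step 3: a thread whose start address lies in a written RWX region
            base = self._region_for(pid, to_int(f["start"]))
            if base is not None and base in self.written[pid]:
                self.threads[pid][to_int(f["ret"])] = base
        elif api == "WaitForSingleObject":
            # step 4: the process parks itself on that thread with an infinite timeout
            base = self.threads[pid].get(to_int(f["handle"]))
            if base is not None and to_int(f["timeout"]) & 0xFFFFFFFF == INFINITE:
                alert = {"pid": pid, "region": hex(base), "rule": "rwx-alloc-copy-thread-wait"}
                self.alerts.append(alert)
                return alert
        return None


def scan(lines):
    """Run the detector over a trace and return the alerts it raised."""
    det = LoaderChainDetector()
    return [a for a in (det.feed(line) for line in lines) if a is not None]


# Constructed trace: pid 1001 allocates ordinary read/write scratch space,
# pid 4242 performs the complete stager chain.
SAMPLE_TRACE = [
    "pid=1001 api=VirtualAlloc size=0x1000 protect=0x04 ret=0x20000",
    "pid=1001 api=RtlMoveMemory dest=0x20000 src=0x7ff0 length=0x200",
    "pid=4242 api=VirtualAlloc size=0x400 protect=0x40 ret=0x30000",
    "pid=4242 api=RtlMoveMemory dest=0x30000 src=0x5000 length=0x3c0",
    "pid=4242 api=CreateThread start=0x30000 ret=0x1c8",
    "pid=4242 api=WaitForSingleObject handle=0x1c8 timeout=-1",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRACE):
        print(alert)
```

The benign process never trips the rule because its allocation is read/write only, and the chain is scored on the relationship between calls (the copy lands in the RWX region, the thread starts inside it) rather than on the mere presence of the function names, which is why the "comment out the Windows calls" experiment later in the talk is a signature problem rather than a heuristics problem.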
  12. AV’s Approach to Catching Malware
  13. AV Methods of Detection
     ◉ Signature Based
       ○ This is what Veil-Evasion attempts to bypass
     ◉ Heuristics Based
     ◉ “Crowd Sourced”
       ○ Reputation
  14. Veil-Evasion’s Approach to Bypass AV
  15. Approaches to Bypassing AV
     ◉ Ghost code / net no-operation code
     ◉ Encrypted binaries
       ○ Hyperion
     ◉ Custom Code
     ◉ Multiple different ways to approach bypassing AV
  16. Veil-Evasion’s Approach
     ◉ We are combating on-disk detection through different techniques:
       ○ Obfuscated code
       ○ Encrypted code
       ○ Non-standard languages for Windows binaries
         ■ Python, Ruby, Perl, etc.
         ■ Flat Payloads vs. others
  17. Veil-Evasion’s Approach
     ◉ Languages within Veil-Evasion
       ○ Python
       ○ Perl
       ○ PowerShell
       ○ C#
       ○ C
       ○ Go
       ○ Ruby
  18. Veil-Evasion’s Approach
     ◉ Using a language that’s not C or C# made a big difference
       ○ AV programs didn’t know or didn’t properly inspect non-standard languages
     ◉ Example:
       ○ C Flat vs. Python Flat
  19. Simply changing the language the code is written in completely bypassed all signatures.
  20. Time for a New Module
  21. Close Enough to June V-Day
     ◉ It’s been a little while since our last V-Day
       ○ Sorry, life…
     ◉ I have a module I wrote a while ago that’s been fairly successful
     ◉ It’s Python based
     ◉ Let’s release it today!
  22. Remember Hyperion?
     ◉ I briefly mentioned Hyperion before
     ◉ Hyperion is a cool concept
       ○ It works by completely encrypting an executable
       ○ It wraps a decoder stub around the executable
       ○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
       ○ The decryption key is NOT within the executable
       ○ The executable brute forces itself at runtime and, once decrypted, runs the original executable
  23. Remember Hyperion?
     ◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher level language.
     ◉ However, there is an issue/feature when performing decryption routines
       ○ If I don’t provide the right key, I don’t get an alert, I just get decrypted garbage
  24. Remember Hyperion?
     ◉ So I can’t just try/except my way through this module for incorrect keys
     ◉ Let’s perform a chosen plaintext attack!
       ○ Attack where we specify the plaintext and can observe the ciphertext
     ◉ A small modification of this will let me make a Python based Hyperion-esque module
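The restricted keyspace is what makes the scheme on slides 22 through 24 work, and it is also the property an analyst should look at first: whatever brute force the stub performs at start-up, an offline unpacker can perform at exactly the same cost, because nothing but the keyspace bounds it. The following is an added example, not code from Hyperion, from Veil-Evasion or from the talk. It models the mechanism with a toy cipher (a SHA-256-derived keystream XORed over the data, an assumption made for illustration rather than Hyperion's actual cipher), a constructed marker prepended as the chosen plaintext so the loop can tell a correct key from garbage, and a deliberately tiny constructed key alphabet so the whole search can be watched.

```python
"""Toy model of a Hyperion-style self-brute-forcing container.

Added example, not code from Hyperion, Veil-Evasion, or the talk. The cipher
is a SHA-256 keystream XOR chosen only for illustration (an assumption, not
Hyperion's cipher); what matters is the restricted keyspace and the
chosen-plaintext marker that lets the decryptor tell a hit from garbage.
"""
import hashlib
import itertools

MARKER = b"VEILCHK!"    # chosen plaintext placed before the payload (constructed)
KEY_CHARS = b"abcdef"   # deliberately restricted key alphabet (constructed)
KEY_LEN = 3             # 6**3 = 216 candidate keys


def keyspace_size():
    """Number of keys the brute-force loop must try in the worst case."""
    return len(KEY_CHARS) ** KEY_LEN


def keystream(key, n):
    """Derive n bytes of keystream from the key by counter-mode hashing."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def pack(payload, key):
    """Producer side: encrypt MARKER||payload. The key is deliberately NOT stored."""
    if len(key) != KEY_LEN or any(c not in KEY_CHARS for c in key):
        raise ValueError("key must be drawn from the restricted keyspace")
    plain = MARKER + payload
    return xor(plain, keystream(key, len(plain)))


def try_key(blob, key):
    """Decrypt with one candidate. A wrong key yields garbage, never an
    exception (slide 23), so the marker is the only way to recognise success."""
    plain = xor(blob, keystream(key, len(blob)))
    if plain.startswith(MARKER):
        return plain[len(MARKER):]
    return None


def brute_force(blob):
    """Consumer side. This is the loop the stub runs at start-up and,
    identically, the loop an analyst runs offline to unpack the blob.
    Returns (key, payload, trials), or (None, None, keyspace_size()) on failure."""
    for trials, combo in enumerate(itertools.product(KEY_CHARS, repeat=KEY_LEN), 1):
        key = bytes(combo)
        payload = try_key(blob, key)
        if payload is not None:
            return key, payload, trials
    return None, None, keyspace_size()


if __name__ == "__main__":
    blob = pack(b"constructed sample payload", b"fed")
    key, payload, trials = brute_force(blob)
    print(f"recovered key {key!r} after {trials} of {keyspace_size()} trials: {payload!r}")
```

Two things to take from running it: the marker check is what turns "decrypted garbage" into a yes/no answer without any exception handling, and the trial count is identical for the stub and for the analyst, so growing the alphabet or key length only moves the cost for both sides at once. That symmetry is why a sandbox that simply lets the sample run its own decryption loop, or replays the same loop offline, recovers the original executable regardless of how the stub is written.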
  25. Notification of Signature
     ◉ Finally, after approximately 1 year, we had our first signature
  26. Notification of Signature
     ◉ I was pretty excited to see if someone had finally figured Veil-Evasion out.
     ◉ Previous attempts have turned out kind of humorous...
  27. Preparation
  28. ShowMeCon Prep
     ◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon
     ◉ Started looking into it, and immediately was disappointed in one vendor.
  29. What did I try?
     ◉ Generated Payload - Caught
     ◉ Removed the Shellcode - Caught
     ◉ Renamed CTypes library (extra length) - Caught
     ◉ Commented Windows Function Calls
       ○ From one, to all of them
       ○ Caught
     ◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test
  30. Hello World!
  31. What about in Windows?
     ◉ Test this functionality out in Windows!
       ○ This just seems odd...
     ◉ Build a Python-based payload, but just the source
     ◉ “Compile” the script in Windows
     ◉ See what happens
       ○ Need to figure out the “baseline signature”
  32. What are my Thoughts?
     ◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
       ○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.
  33. What did I Learn?
     ◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
     ◉ So this leads to two observations...
       ○ They’re going to be potentially blacklisting valid programs
       ○ Just “compile” your payload in Windows :)
  34. Let’s Experiment with AV
  35. Experiment Outline
     ◉ Generate most of the payloads currently in Veil-Evasion
     ◉ Test against multiple vendors, ensuring the ones I see most are included
     ◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results
     ◉ Record the results
  36. Who am I testing?
     ◉ Symantec
     ◉ McAfee
     ◉ Avast
     ◉ Microsoft Security Essentials
     ◉ Avira
     ◉ AVG
     ◉ ESET
  37. Predictions?
     ◉ Generally - Most modules will bypass AV
     ◉ There will be some that are caught
       ○ C or C# based payloads
       ○ Probably some of the “Flat” modules
     ◉ Python based modules are the original ones, and likely will be caught
     ◉ Newer languages like Go will bypass AV
     ◉ “Pure” stagers will bypass AV
     ◉ PowerShell wins
  38. The ability to detect an open source virus, as the single data point for determining which antivirus product to buy, isn’t the best evidence for your decision.
  39. But it’s not a bad supplement :)
  40. Observations
     ◉ A lot of interesting information:
       ○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
       ○ Ruby Base64 Encoded payload is the least detected payload
       ○ C# Flat is the most detected payload
       ○ McAfee is the worst at detecting Veil-Evasion payloads
       ○ AVG is the best at detecting Veil-Evasion payloads
  41. Observations
     ◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
       ○ The number of nodes submitting to the cloud
       ○ The configuration of your system
         ■ How does it respond on low, medium, high, etc. reputations?
       ○ Does it just ignore and/or not use signatures?
  42. Wrapup
  43. Wrapup
     ◉ Antivirus isn’t a brick wall
     ◉ The tiniest modifications can bypass antivirus
     ◉ AV vendors are human, and make human decisions when choosing how to make signatures
       ○ You can exploit this
     ◉ Anyone can develop new ways to bypass AV
     ◉ Seriously…
       ○ I’m not an expert, anyone can do this
  44. Develop Your Process
  45. Develop Your Process
     ◉ I approach AV the way I approach red teaming environments I don’t know
       ○ I see stuff I have never touched before all the time, and I need to learn to abuse it
       ○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered
  46. A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns, and is successful with it
  47. Any questions? Reach out to me!
     ◉ @ChrisTruncer
     ◉
     ◉ Thanks!