Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Adventures in Asymmetric Warfare

2,276 views

Published on

This presentation was given at BSides Augusta '14, and covers the various obfuscation methods utilized by Veil-Evasion.

Published in: Technology
  • Be the first to comment

Adventures in Asymmetric Warfare

  1. 1. Adventures in Asymmetric Warfare: Fighting the AV Vendors Will @harmj0y Veris Group - Adaptive Threat Division
  2. 2. @harmj0y ● Security researcher and red teamer for the Adaptive Threat Division of Veris Group ● Co-founder of the Veil-Framework #avlol o www.veil-framework.com o Shmoocon ‘14: AV Evasion with the Veil Framework o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0 o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil- PowerView,Veil-Pillage, and PowerUp ● Active Cortana and PowerShell hacker
  3. 3. tl;dr ● Problem Space ● How we got here and ethical issues ● Approaches #avlol ● Obfuscation methods ● Payload Analysis
  4. 4. Teh Halting Problem? ● Input: o a potentially malicious program P ● Output: o True if executing P would cause a the host computer to be “compromised” o False otherwise ● def halts(P): return isMalicious(“removeMaliciousLogic(P) compromiseHost()”)
  5. 5. Problem Space ● Anti-virus detection is an undecidable problem o That is, it’s impossible to design a 100% effective anti-virus solution ● Though a perfect approach is impossible, approximations can be made ● But detection is really really hard
  6. 6. Our Problem
  7. 7. How We Got Here ● From 2009 on, antivirus started snarfing up more and more stock MSF payloads ● We started researching basic ways to keep doing our job ● All of our initial efforts drew from prior work, we don’t claim to have invented any of this stuff!!
  8. 8. Previous Work ● Mark Baggett’s post Tips for Evading Anti- Virus During Pen Testing was the first public resource to talk about using Python to inject shellcode ● We ended up mostly drawing from Debasish Mandal's Execute ShellCode Using Python o Uses the VirtualAlloc/CreateThread/WaitForSingleObject pattern
  9. 9. Our Solution ● A way to get around antivirus as easily as professional malware o don’t want to roll our own backdoor each time o codebase built by myself, @ChrisTruncer and @TheMightyShiv ● Generate payloads in a language and technique agnostic way ● See the Shmoocon ‘14 presentation AV Evasion with the Veil-Framework for more background
  10. 10. Our Solution
  11. 11. Ethical Issues ● The disclosure debate is nothing new... ● Pentesters are 5+ years behind the professional malware community ● This is a problem the bad guys have already solved, and better than we have!
  12. 12. Public Reaction “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payloa d_generator_for_bypassing/
  13. 13. Twitter Reaction
  14. 14. Approaches ● We started with Python based shellcode injection techniques, soon branched into other languages ● Similar payloads = : ( o started implementing basic obfuscation methods o and by basic, we mean basic ● static signatures = #avlol
  15. 15. Obfuscation 1.0 ● Let’s randomize everything we possibly can o This works better than you think ● Substitute in a randomized string for all variable and method names ● Shuffle up everything as appropriate
  16. 16. Obfuscation 1.0
  17. 17. “Pyherion” ● What if vendors still find a way to trigger on the malicious Python script sources? ● We introduced Pyherion, a python ‘crypter’ inspired by Hyperion ● Encrypts an entire Python file with a random AES key, base64’s it and and rolls it all up into an exec(*) wrapper
  18. 18. Obfuscation 1.5: Pure Stagers ● What if vendors are triggering on the raw shellcode and decoders? ● How about we eliminate shellcode all together, and build some native stagers? ● They aren’t that complicated, thanks Raffi! o https://github.com/rsmudge/metasploit-loader o http://blog.strategiccyber.com/2013/06/28/staged-payloads- what-pen-testers-should-know/
  19. 19. Pure Stagers The meterpreter stager is surprisingly simple: 1) a tcp connection is opened to the handler 2) the handler spits back 4 bytes indicating the .dll size, and then the .dll itself 3) socket number is pushed into EDI 4) execution is passed to the .dll just like we do regular shellcode (void * or VirtualAlloc)
  20. 20. Pure Stagers ● The following are the pure stagers currently available in the framework: Language Stager Python meterpreter/reverse_tcp Python meterpreter/reverse_http Python meterpreter/reverse_https C meterpreter/reverse_tcp C meterpreter/reverse_tcp_service C meterpreter/reverse_http C meterpreter/reverse_http_service
  21. 21. Pure Stagers Language Stager C# meterpreter/reverse_tcp C# meterpreter/reverse_http C# meterpreter/reverse_https Powershell meterpreter/reverse_tcp Powershell meterpreter/reverse_http Powershell meterpreter/reverse_https Ruby meterpreter/reverse_tcp
  22. 22. Obfuscation 2.0 ● Variable obfuscation is great ● But for things like C, this doesn’t work as well as we’d like ● Can we introduce something a little more interesting?
  23. 23. Obfuscation 2.0 ● Our (slightly) more “advanced” C obfuscation involves our interpretation of a method nop o muck up dynamic analysis without affecting the actual execution of the program ● General idea: o throw in enough processing functions that sufficiently complicate the call tree of the program ● This is a basic version of what malware has been doing for years o shouldn’t be that effective, but it is!
  24. 24. Obfuscation 2.0 ● Choose a set of randomized string processing functions (reverse, split, etc.) ● Malloc a randomized number of strings of randomized lengths ● Intersperse these randomized functions throughout the actual code
  25. 25. Obfuscation 2.0
  26. 26. Obfuscation 3.0 ● What if some vendors trigger on the Pyinstaller loader.exe itself? ● How about a (reasonably) obfuscated version of the Pyinstaller loader? :) o BSides Boston ‘14: Pwnstaller 1.0 o https://github.com/harmj0y/pwnstaller/ ● Integrated into Veil-Evasion this past May
  27. 27. Pwnstaller ● On each run: o Obfuscated code for all* source files associated with the Pyinstaller launcher are generated o mingw32 is used to compile everything into a new runw.exe, all on Kali m/ o copy the runw.exe into the correct location o a randomized Windows icon is chosen for the final packaged result *see http://www.harmj0y.net/blog/python/pwnstaller-1-0/ for a full explanation
  28. 28. Obfuscation 4.0: Ruby ● Since some people have started to pay attention to Pyinstaller binaries, let’s try some other languages: ● C? sure, with some obfuscation ● C#? mono can help with .NET ● PowerShell? no disk writes? awesome ● Ruby? Why not...
  29. 29. Ruby ● Ruby has a foreign function interface just like Python does, the win32-api gem o This means we can inject shellcode, and can write native Meterpreter stagers! ● And it has its own Pyinstaller analogue: OCRA (One Click Ruby application) o http://ocra.rubyforge.org/ ● I wonder if we can get this running on Kali :)
  30. 30. Ruby Shellcode Injection
  31. 31. Ruby OCRA Compilation
  32. 32. Ruby Module Releases ● The following payload modules are currently in the development branch, and will be merged into master for the 9/15/2014 V-Day: o ruby/shellcode_inject/flat o ruby/meterpreter/reverse_tcp ● Everything is compiled to a self-extracting Windows executable, all on Kali!
  33. 33. A .NET Crypter ● C#/VB.net code is compiled, not interpreted, so we can’t build a dynamic obfuscator equivalent to Pyherion :( ● Or can we? .NET has an interesting feature called Reflection: o “you can use reflection to create type instances at run time, and to invoke and access them” http://msdn.microsoft.com/en-us/library/f7ykdhsy(v=vs.110).aspx
  34. 34. A .NET Crypter ● If we have an array of raw bytes of a .NET binary, we can run the entire executable from memory with 3 lines by utilizing Reflection: o Assembly a = Assembly.Load(bytes); o MethodInfo m = a.EntryPoint; o m.Invoke(a.CreateInstance(m.Name), null); ● We can obfuscate these bytes in any way we want beforehand
  35. 35. Arya: a .NET Crypter ● A crypter for all .NET binaries was just pushed along with the Ruby payloads ● A payload binary is generated and compiled as normal, the crypter then: o reads in the raw bytes o base64 encodes the data and builds a random substitution cipher for the string o builds a launcher/dropper that decodes the raw data and invokes the original binary using Reflection
  36. 36. A .NET Crypter
  37. 37. Payload Analysis
  38. 38. ssdeep ● ssdeep is a ‘fuzzy hashing’ static malware comparison tool, allowing for the comparison of malware families ● “can match inputs that have homologies” o biology term, fancy way to saying degree of shared ancestry ● Generated 1000 samples of some payload families did ssdeep runs over each set
  39. 39. python/meterpreter/rev_tcp ● (1000 choose 2) = 499500 possible pairing combinations for ssdeep ● 169107 pairings (33.8%) matched at a score of 75/100 or better o Only 66 (.01%) scored at 90/100 or better o Average pairwise score: 74 ● What this means: only .01% of the samples scored as a ‘similar’ malware family
  40. 40. python/meterpreter/rev_tcp
  41. 41. c/meterpreter/rev_tcp ● Same 499500 possible pairings ● 267387 pairings (53.5%) matched at a score of 25/100 or better o Only 2615 (0.5%) scored at 90/100 or better o Average pairwise score: 37 ● What this means: only .5% of the samples scored as a ‘similar’ malware family o but wider variation than Python families
  42. 42. c/meterpreter/rev_tcp
  43. 43. cs/shellcode_inject/flat w/ Arya ● Same 499500 possible pairings ● Only 5 pairings (0.001%) matched at a score of 25/100 or better o none scored at 90/100 or better ● What this means: 0% of the samples scored as a ‘similar’ malware family o variation was all over the map!
  44. 44. Recap ● Started our research out of necessity but continued it out of curiosity ● Fuxoring AV vendors really isn’t that difficult ● There are still ways to stop us :) ● #avlol
  45. 45. Questions? ● Contact me: o @harmj0y o harmj0y@veil-framework.com ● Read more: o https://www.veil-framework.com ● Get the the goods: o https://www.github.com/Veil-Framework/Veil o https://github.com/HarmJ0y/stagers

×