
NTXISSACSC4 - The Art of Evading Anti-Virus

The Art of Evading Anti-Virus

There are estimates that security analysts, including penetration testers, are roughly five years behind malicious actors. Antivirus on its own is no longer enough to stop an attacker from gaining access to your servers or workstations; many attackers have devised ways to evade it. As security professionals we should understand how they do this and which tools let us replicate those attacks. Tools such as the Veil-Framework assist with this. This talk covers that tool and how attackers evade antivirus with ease.

Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.

He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.

Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.



  1. The Art of Evading Antivirus
     Quentin Rhoads-Herrera, Security Analyst, State Farm, 9/28/2016
     @NTXISSA #NTXISSACSC4
  2. Background
     • Worked in the following roles:
       • System administrator
       • Developer (.NET / mobile)
       • Regulatory/compliance analyst
       • Security analyst
       • Pentesting hobbyist
     NTX ISSA Cyber Security Conference – October 7-8, 2016
  3. The Problem
     • Pen-testers are caught by antivirus programs.
     • Antivirus programs catch stock Metasploit payloads.
     • Malware authors have already solved this problem.
  4. How Antivirus Works
     • Signature-based detection
     • Heuristic-based detection
     • Behavioral-based detection
     • Sandbox detection
     • Data mining techniques
  5. Is Antivirus Dead?
     • In 2014 Brian Dye, Senior Vice President at Symantec, declared to the Wall Street Journal that antivirus "is dead."
       Source: http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj
  6. Is Antivirus Dead?
     • "Relying solely on antivirus is a dead end, and it has been for at least 8 years now. But that's like saying that aspirin is dead because it's not the cure for cancer, AIDS, and all of humanity's other illnesses." – Bogdan Dumitru, Chief Technology Officer, Bitdefender
       Source: http://securitywatch.pcmag.com/security/
  7. Ways of Evading Antivirus
     • Change the signature
     • Encode (a lot)
     • Encrypt
     • Leverage your own executable, or one already trusted by Windows (notepad.exe)
     • Veil-Framework
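The interplay between slides 4 and 7 (a byte signature is trivially broken by encoding or encrypting the payload, but the constant decoder stub and the entropy of the encrypted blob give a heuristic engine something new to key on) is easiest to see in a toy scanner. The following is an added example, not code from the talk or from the Veil-Framework: the payload bytes, the signature database and the decoder stub are constructed sample data, and the SHA-256 keystream cipher stands in for the AES layer Veil applies.

```python
"""Toy model of why encoding beats a byte signature but not a heuristic.

Added example, not code from the talk or from the Veil-Framework.  The
"payload", the signature database and the decoder stub below are constructed
sample data, not real Metasploit bytes or real vendor signatures.
"""
import hashlib
import math
from typing import Dict, List

# Constructed stand-in for a stock, unencoded stager: a short distinctive
# header followed by a long run of filler (real stagers are far less uniform).
STOCK_PAYLOAD = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b5214") + b"A" * 4096

# Constructed signature database (name -> byte pattern).  Real engines match
# longer, multi-part patterns, but the matching principle is the same.
SIGNATURES: Dict[str, bytes] = {
    "stager.stock": bytes.fromhex("fce8820000006089e531c0"),
}

# Constructed stand-in for the small decoder routine that precedes the
# encrypted bytes in a finished payload.  It is constant for every build, which
# is exactly why encoders and crypters end up with signatures of their own.
DECODER_STUB = bytes.fromhex("eb0e5b31c9b1")


def scan(blob: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature-based detection: names of every pattern found in the blob."""
    return [name for name, pattern in sigs.items() if pattern in blob]


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt/decrypt with a SHA-256 keystream (counter mode over the key).

    Stands in for the AES layer a tool like Veil applies; it is symmetric, so
    the same call decrypts.  Illustrative only, not a production cipher.
    """
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def build_encrypted(payload: bytes, key: bytes) -> bytes:
    """Lay the payload out the way it sits on disk: stub, key, ciphertext."""
    return DECODER_STUB + key + keystream_xor(payload, key)


def recover_payload(blob: bytes, key_len: int) -> bytes:
    """What the decoder stub does at run time: read the key, decrypt the rest."""
    body = blob[len(DECODER_STUB):]
    key, ciphertext = body[:key_len], body[key_len:]
    return keystream_xor(ciphertext, key)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; plain code sits well below 8, encrypted data close to it."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verdict(blob: bytes, sigs: Dict[str, bytes] = SIGNATURES, threshold: float = 7.0) -> str:
    """Combine both checks the way a scanner with a packer heuristic would."""
    hits = scan(blob, sigs)
    if hits:
        return "signature:" + ",".join(hits)
    if shannon_entropy(blob) > threshold:
        return "heuristic:high-entropy"
    return "clean"
```

Running `verdict` over the stock payload yields a signature hit; over the encrypted build it yields no signature hit but a high-entropy verdict, and adding `DECODER_STUB` to the signature database catches every build made with the same stub. That is the cycle the talk describes: each layer of encoding buys time until the layer itself is signatured.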
  8. The Veil-Framework
  9. HD Moore
     • "The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won." – HD Moore
       Source: https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
  10. Checking your Payloads
      • VirusTotal is a website that lets you check how well your payload evades antivirus engines.
      • Antivirus vendors receive the samples uploaded to VirusTotal, so uploading a payload hands it to the very vendors you are trying to evade.
  11. VirusTotal
      Source: https://www.virustotal.com/
  12. Meterpreter is Caught
  13. Encoded Meterpreter
  14. The Veil Way
      • The Veil hash-check method (really slick).
      • Rather than submitting files, check the hashes Veil records under /veil/output/hashes against VirusTotal through its API.
      • checkvt walks all of those hashes and looks each one up through the VirusTotal API.
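The opsec point of slides 10 and 14 is that a hash lookup leaks only the hash, while an upload leaks the sample to every vendor. Below is an added example of that hash-only check; it is not Veil's checkvt implementation. It assumes the VirusTotal v3 endpoint GET https://www.virustotal.com/api/v3/files/{hash} (which answers 404 for a hash VirusTotal has never seen), an API key in the VT_API_KEY environment variable, and computes SHA-256 over the files in a directory itself rather than parsing Veil's hash file. The script name vt_hashcheck.py and the `lookup` parameter are this example's own.

```python
"""Look up payload hashes on VirusTotal instead of uploading the files.

Added example; this is not Veil's checkvt code.  Assumes the VirusTotal v3
endpoint GET https://www.virustotal.com/api/v3/files/{hash} (404 for a hash it
has never seen) and an API key in the VT_API_KEY environment variable.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
Lookup = Callable[[str, str], Optional[dict]]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large payloads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup(digest: str, api_key: str) -> Optional[dict]:
    """GET the report for a hash.  Only the hash leaves the machine; a 404
    means VirusTotal, and therefore the vendors it feeds, has not seen the file."""
    req = urllib.request.Request(VT_FILE_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: Optional[dict]) -> Dict[str, object]:
    """Reduce a v3 file report to what an operator cares about."""
    if report is None:
        return {"seen": False, "malicious": 0, "engines": 0}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return {
        "seen": True,
        "malicious": int(stats.get("malicious", 0)),
        "engines": sum(int(v) for v in stats.values()),
    }


def check_hashes(digests: Iterable[str], api_key: str,
                 lookup: Lookup = vt_lookup) -> Dict[str, Dict[str, object]]:
    """Map each hash to its summary.  `lookup` is injectable so the logic can run offline."""
    return {d: summarize(lookup(d, api_key)) for d in digests}


def burned(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Hashes VirusTotal has already seen: treat those payloads as burned."""
    return [d for d, r in results.items() if r["seen"]]


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_hashcheck.py <payload-output-dir>
    out_dir = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    files = {sha256_file(p): p.name for p in out_dir.iterdir() if p.is_file()}
    results = check_hashes(files, os.environ["VT_API_KEY"])
    for digest, r in results.items():
        state = f"{r['malicious']}/{r['engines']} malicious" if r["seen"] else "not on VT"
        print(f"{files[digest]:30s} {digest[:16]}...  {state}")
```

A payload that comes back "not on VT" is the only useful outcome here: it tells you nobody has submitted that exact binary, and it keeps it that way. A hash that is already known is burned regardless of its detection ratio, since the sample has been distributed to vendors.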
  15. Demo
  16. When it is Caught
  17. Veil-Evasion
      • Integrated with Metasploit
      • Leverages encryption (AES-encrypted shellcode)
      • Can leverage your own payloads
      • Uses non-standard languages for Windows binaries
      • Can be integrated into your own project
  18. Languages Used
      • Python
      • Perl
      • PowerShell
      • C
      • C#
      • Go
      • Ruby
  19. Shellcodes
      • Void pointer casting: the shellcode buffer is cast to a function pointer and called; there is no guarantee the buffer sits in executable memory.
      • VirtualAlloc: allocates a region the size of the shellcode with the page permissions it needs.
      • HeapAlloc: the shellcode is dropped into the heap manually.
  20. Demo
  21. Veil-Ordnance
      • Generates shellcode that can be copied into your payload.
      • Created because shellcode produced with msfvenom was sometimes "broken", yielding a non-working payload.
  22. Veil-Ordnance
  23. Veil-Catapult
      • Payload delivery tool
      • Payloads:
        • PowerShell
        • Barebones Python
        • sethc backdoor
      • Can automatically spawn the Metasploit handler script.
  24. Demo
  25. How to Stop Veil
      • API scanners (Ambush IPS)
      • Predictable behaviors
      • Enhanced Mitigation Experience Toolkit (EMET)
  26. Other AV-Evading Tools
      • Hyperion: encrypts the binary
      • peCloak: automated tool that attempts multiple tricks to evade antivirus
  27. Q&A
  28. Thank you
      The Collin College Engineering Department
      Collin College Student Chapter of the North Texas ISSA
      North Texas ISSA (Information Systems Security Association)

