Have You Seen My Malware?
Joshua Pitts
NovaHackers
Nov 18, 2013
About Me
• Twitter: @midnite_runr
• I work for Leviathan Security
• Reverse Engineering, Pentesting
Two Topics
• Recomposer
• ??
Submitting To VirusTotal
Who here uses VT?
– At Home?
– On Family’s computers?
– At Work?
The Dangers of VT
• VtNotify – By Mubix
• Look up by hash
• Easy for attackers to look up
Recomposer
• Python
• Win 32/64
• Two functions:
– PE Editor
– Signature Modifier or re-composer

• github.com/secretsquirrel/recomposer
Goal
Break the common signatures that enable malware to be easily tracked so we can once again upload to online sandbox sites with less worry about being found out
How?
• Randomly change:
– File and sections names
– Section flags

• For each code cave over 20 bytes:
– Randomly pick one of five nops
– Inject a random number of those into the cave
• For the most part the binary still functions normally
Results
• Created 11,200 binaries from one binary
• No collisions
Ssdeep Results
Compared to the original file (ssdeep match score: number of files):
(77) 155
(79) 9
(80) 1662
(82) 46
(83) 5056
(85) 3292
(86) 15
(88) 849
(90) 2
(91) 107
(93) 6
(94) 1
• 1.0357 % of the files are >= 90%
Ssdeep across all files
• 11200 * 11200 = 125,440,000 comparisons
• Would take hours…
• Let’s do >= 90%
Comparison Results
(ssdeep match score: number of comparisons)
(100) 11200 : Expected
(99) 0
(98) 0
(97) 0
(96) 168
(95) 0
(94) 62
(93) 7,604
(92) 0
(91) 216,384
(90) 0
Total 235,418
• 125,204,582 additional comparisons that are below 90 % matching.
Goal
Break the common signatures that enable malware to be easily tracked so we can once again upload to online sandbox sites with less worry about being found out
GREAT SUCCESS!
Part 1 Conclusion
You should feel better about using online
sandbox sites now?
Right?
Part 2: My Malware went where?
When you upload binaries to online AV/malware
sites:
– Is it truly sandboxed?
– Could an attacker tell if it was executed?
– Can you track the sandboxes?
Step 1: Make Malware
• Modified
github.com/secretsquirrel/shellcode_retriever
• Each site had a unique URL (examples):
– VT: herrovirus.html
– Anubis: meow.html
– Malwr.com: yawn.html
• Compile to binary with pyinstaller
Step 2: Run Web Server
#!/usr/bin/env python
# Python 2 (BaseHTTPServer) logging server: every uploaded sample fetches a
# sandbox-specific URL from here, so the access log shows which sandbox IPs
# actually executed it.
import BaseHTTPServer

server = BaseHTTPServer.HTTPServer
server_address = ("", 88)  # all interfaces, TCP port 88

class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def address_string(self):
        # Log the raw client IP instead of doing a reverse-DNS lookup,
        # so every request is recorded immediately and exactly.
        return str(self.client_address[0])

# No do_GET is defined: requests get a 501, but the IP is still logged.
httpd = server(server_address, MyHandler)
httpd.serve_forever()
Step 3: Upload
Selected Sandboxes:
– Virustotal
– Malwr
– Threat
– Jotti
– Anubis
– Garyshood
– Virscan
– ThreatTrack
Responses
Sandbox: Total; Unique IPs; response on upload
• Virustotal: 50; 10; yes
• Jotti: 33; 10; yes
• Malwr: 4; 3; yes
• Anubis: 4; 3; yes
• ThreatTrack: 1; yes
• ThreatExperts: 0
• Garyshood: 0
• Virscan: 0
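How the Step 2 server log turns into the Responses table above, as an added example (not code from the talk or from the shellcode_retriever project): it parses the line format Python 2's BaseHTTPServer writes when address_string() returns the raw IP, maps the three sandbox-specific paths shown on the Step 1 slide to their sandbox, and reports total hits and unique IPs per sandbox; the log lines are constructed samples using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Sandbox-specific URL paths from the Step 1 slide -> sandbox that got that build.
URL_TO_SANDBOX = {
    "/herrovirus.html": "Virustotal",
    "/meow.html": "Anubis",
    "/yawn.html": "Malwr",
}

# Shape of a BaseHTTPRequestHandler access line when address_string() returns the IP:
#   <ip> - - [dd/Mon/yyyy hh:mm:ss] "<method> <path> HTTP/x.y" <status> <size>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def summarize(log_lines):
    """Return {sandbox: (total_hits, unique_ips, responded)} for every known sandbox."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access line (e.g. a traceback written to stderr)
        sandbox = URL_TO_SANDBOX.get(m.group("path"))
        if sandbox is None:
            continue  # internet scanner noise or a path we never embedded
        hits[sandbox].append(m.group("ip"))
    return {sb: (len(hits[sb]), len(set(hits[sb])), bool(hits[sb]))
            for sb in URL_TO_SANDBOX.values()}

def format_table(summary):
    """Render the summary in the same layout as the Responses slide."""
    lines = ["Sandbox: Total; Unique IPs; response on upload"]
    for sb, (total, unique, responded) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        lines.append("• %s: %d; %d; %s" % (sb, total, unique, "yes" if responded else "no"))
    return "\n".join(lines)

# Constructed sample log (RFC 5737 documentation addresses), not real sandbox traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2013 10:12:33] "GET /herrovirus.html HTTP/1.1" 501 -
203.0.113.5 - - [18/Nov/2013 10:12:34] "GET /herrovirus.html HTTP/1.1" 501 -
198.51.100.7 - - [18/Nov/2013 10:15:02] "GET /herrovirus.html HTTP/1.1" 501 -
192.0.2.9 - - [18/Nov/2013 11:01:40] "GET /yawn.html HTTP/1.1" 501 -
192.0.2.44 - - [18/Nov/2013 11:30:00] "GET /wp-login.php HTTP/1.1" 501 -
Traceback (most recent call last):
""".splitlines()

if __name__ == "__main__":
    print(format_table(summarize(SAMPLE_LOG)))
```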
Recognized IPs
• SourceFire
• Amazon EC2
• ThreatTrack
• ThreatGrid
• TOR
• Kaspersky
• Symantec
Part 1 Conclusion
You should feel better about using online
sandbox sites now?
Right?
Questions?
Speaker notes
• Includes: Hashing of the binary, the sections, even ssdeep