Evading AntiVirus detection
in downloader scripts
ZUSY - Practical case
INCIDE
Abraham Pasamar
@apasamar
July 2017
ZUSY
• The term Zusy has been used to name a threat
that uses a downloader embedded in PowerPoint
documents (.ppsx).
• The threat was found in the wild in early June
2017
• It does not use macros
• It does not even require a single ‘click’ (in some
scenarios)
ZUSY
• When a malicious ZUSY document is opened, we see
something like this:
ZUSY
• The document is opened in full-screen mode (.ppsx) and there are
no further slides. This is meant to make the user roll the mouse
over the “link”; when this happens, it activates the “trigger”
ZUSY
• Fortunately, in Office 2013 and Office 2010 a warning
message pops up to prevent the user from executing the
malware :P
ZUSY
• If the user allows ZUSY’s execution, or if the
warning does not appear, the code is executed as a
consequence of the MouseOver action defined in
ppt/slides/slide1.xml:
• <a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>
• The relationship id="rId2" is defined in
ppt/slides/_rels/slide1.xml.rels
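The trigger described above lives in two parts of the OOXML package: the a:hlinkMouseOver element in the slide XML carries action="ppaction://program" and an r:id, and the matching Relationship in the slide’s .rels part carries the URL-encoded Target. As an added example (not part of the original deck), the Python script below performs that lookup across every slide of a .ppsx so a triage workflow can surface the decoded command without opening the document in PowerPoint. The sample package it builds is constructed in memory with a harmless placeholder target; it also checks a:hlinkClick, since the same action attribute can sit on a click hyperlink. xml.etree is used for brevity; for files from untrusted sources, substitute defusedxml.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Added triage example (not from the original deck). Namespaces per the OOXML spec.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
SLIDE_RE = re.compile(r"ppt/slides/(slide\d+)\.xml")


def find_program_actions(ppsx_bytes):
    """Return (slide part, hyperlink element, rId, decoded Target) for every
    hyperlink whose action is ppaction://program, i.e. PowerPoint's 'run program'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        names = set(pkg.namelist())
        for name in sorted(names):
            m = SLIDE_RE.fullmatch(name)
            if not m:
                continue
            # Resolve r:id -> Target through the slide's own relationships part.
            rels_name = f"ppt/slides/_rels/{m.group(1)}.xml.rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(pkg.read(rels_name)).findall("rel:Relationship", NS):
                    targets[rel.get("Id")] = rel.get("Target", "")
            slide = ET.fromstring(pkg.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for link in slide.iter(f"{{{NS['a']}}}{tag}"):
                    if link.get("action", "").startswith("ppaction://program"):
                        rid = link.get(f"{{{NS['r']}}}id")
                        # Target is URL-encoded inside the package; decode it for the analyst.
                        hits.append((name, tag, rid, unquote(targets.get(rid, ""))))
    return hits


# Constructed sample package: one slide with a MouseOver 'run program' action
# pointing at a harmless placeholder command. Real packages carry many more parts.
SLIDE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
    <a:t>Loading... please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

SLIDE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd%20%2Fc%20echo%20CONSTRUCTED_SAMPLE" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx():
    """Build the constructed sample .ppsx in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", SLIDE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for part, tag, rid, target in find_program_actions(build_sample_ppsx()):
        print(f"{part}: {tag} {rid} -> {target!r}")
```

Run against a real sample, the decoded Target is the string the deck shows in its screenshots; anything that resolves to a script host or shell from a presentation is worth quarantining before a user ever hovers over the slide.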
ZUSY
• The code is something like:
• Target contains the malicious script, URL encoded.
Here you can see it decoded:
ZUSY
• After replacing [char] 0x2F with the “/” character
and formatting the code a little bit (screenshot callouts:
“Execution of the file”, “Downloads a malicious file in the
temporary folder”, “The ZUSY code is a Downloader”):
ZUSY
• At VirusTotal we can find this sample identified
by its SHA-256 hash:
796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921
ZUSY
• AntiVirus detection is 39 of 59 AVs (17-07-2017):
Modifying ZUSY
• We will now learn how to modify ZUSY to avoid AntiVirus detection.
• The first modification made was the replacement of the malicious
URL cccn.nl/c.php by “blabla.net” and of the original file name by
“svchost.exe”
• The code is the following:
Modifying ZUSY
• The result in VirusTotal of this scan has the
following detection rate (13 of 59 AVs):
Modifying ZUSY
• Clearly many AntiVirus products have a signature only for the malicious
site and/or the filename, and not for the script itself.
• It is interesting, because if you think about it, a script that downloads a
file and executes it is not necessarily malware.
• However, a PowerPoint that uses a MouseOver action to run a
PowerShell script that downloads a file from the internet and executes
it is difficult not to consider malware. The criteria of certain
AntiVirus products are at least curious.
• Many AntiVirus products have chosen to establish a signature
only for the site and the file. Among others:
• Avast, AVG, ClamAV, Comodo, Ikarus, Fortinet, McAfee, Microsoft,
Panda, Symantec, TrendMicro, etc.
Modifying ZUSY
• Since it was easy to lower the detection rate
from 39 to 13 AVs, some additional tests
were performed; the results indicate that
the rest of the AVs focus on the execution of
PowerShell, the flags and the functions
used (DownloadFile and Invoke-Item)
• We decided to make a more radical
modification: a different implementation of
the downloader.
Modifying ZUSY
• This is a VBS (Visual Basic Script) that performs
the same function:
Modifying ZUSY
• To be able to execute it, the script must be implemented in this way:
• The script creates a new script (asdf.vbs) that contains the
PowerShell script, and finally it is executed using cscript asdf.vbs (and
deleted after execution)
Modifying ZUSY
• After the URL encoding we put it in
ppt/slides/_rels/slide1.xml.rels:
Modifying ZUSY
• The VirusTotal detection of the modified script is
the following (1 of 59 AVs):
Modifying ZUSY
• Only the Chinese AntiVirus Qihoo 360 flags it as a suspicious
file.
• The script works: it downloads and executes the payload
Conclusion
• AntiVirus evasion for this kind of script (downloaders) is
easy.
• These threats are very dangerous and computers
should be protected properly, not only by trusting the
AntiVirus protection.
• Our recommendation is to deploy an advanced EndPoint
protection that allows a higher level of detection of these
threats and, at the same time, a high level of logging of all
the actions carried out by every process, so that they can be
used to identify the threat in depth in case of an incident.
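Slide 14 finds that the AVs which survived the URL rename keyed on PowerShell’s invocation (its flags, DownloadFile and Invoke-Item), slide 16 swaps the PowerShell launcher for a VBS dropped to a temporary path and run with cscript, and the conclusion argues for endpoint telemetry that records what every process does. The Python below is an added example, not code from the original deck, of how such telemetry catches both variants: it weighs the parent/child relationship (an Office process spawning a script host) far more than any single command-line string, so the cscript variant that only one engine flagged on VirusTotal still alerts. Field names follow Sysmon process-creation events (ParentImage, Image, CommandLine); the Office and script-host lists are the author’s assumptions, and the sample events are constructed, with download logic elided as [...].

```python
import re

# Added detection example (not from the original deck). The process lists below
# are assumptions about which parents should never spawn which children.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}

# Command-line markers: the functions named in the deck (DownloadFile, Invoke-Item),
# the [char]0x2F trick it decodes, typical stealth flags and temp-folder drops.
MARKERS = [
    (re.compile(r"\.downloadfile\(|\.downloadstring\(", re.I), "net-download"),
    (re.compile(r"invoke-item|start-process|invoke-expression|\biex\b", re.I), "exec"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(xecutionpolicy|p)\s+bypass", re.I), "stealth-flags"),
    (re.compile(r"\[char\]\s*0x[0-9a-f]{2}", re.I), "char-obfuscation"),
    (re.compile(r"%temp%|\$env:temp|\\appdata\\local\\temp\\", re.I), "temp-path"),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Score one process-creation event. The Office -> script host chain weighs 4
    (enough to alert on its own); each command-line marker adds 1."""
    score, reasons = 0, []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 4
        reasons.append(f"office-spawn:{parent}->{child}")
    cmd = event.get("CommandLine", "")
    for rx, label in MARKERS:
        if rx.search(cmd):
            score += 1
            reasons.append(label)
    return score, reasons


def verdict(score):
    if score >= 4:
        return "ALERT"
    if score >= 2:
        return "SUSPICIOUS"
    return "OK"


def triage(events):
    """Return (child image name, verdict, reasons) for each event."""
    out = []
    for ev in events:
        score, reasons = assess(ev)
        out.append((basename(ev["Image"]), verdict(score), reasons))
    return out


# Constructed sample events, not real telemetry. Download logic is elided as [...].
SAMPLE_EVENTS = [
    # The original PowerShell downloader launched from the slide's MouseOver action.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoP -W Hidden -c [...].DownloadFile([...]+[char]0x2F+[...],$env:TEMP+'\svchost.exe');Invoke-Item [...]"},
    # The VBS variant: no PowerShell keywords at all, yet the parent/child chain alerts.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //nologo C:\Users\user\AppData\Local\Temp\asdf.vbs"},
    # Benign interactive use.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Date"},
    # Download-and-run from a non-Office parent: markers alone make it suspicious.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -c [...].DownloadString([...]) | iex"},
]

if __name__ == "__main__":
    for child, result, reasons in triage(SAMPLE_EVENTS):
        print(f"{result:10} {child:16} {', '.join(reasons)}")
```

The point of the weighting is the one the deck makes by accident: renaming the URL and swapping PowerShell for cscript defeated string signatures, but neither change alters the fact that a presentation viewer spawned a script interpreter, which is what process-creation logging with parent information makes visible.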
Contact
INCIDE
Avda. Diagonal, 618 6a Planta E-F (Barcelona)
93 254 62 77
https://www.incide.es
Abraham Pasamar
@apasamar
apasamar@incide.es
