Strategies to design FUD malware

Strategies to design FullyUnDetectable
malware
III Jornadas de InfoWeb - Universidade da Beira Interior
21 de março de 2019
Pedro Tavares <ptavares@dognaedis.com>

Pedro Tavares is a professional working as Malware
Researcher, Ethical Hacker and also Security
Evangelist. Pedro is also a founding member and
Pentester at CSIRT.UBI and Editor-in-Chief and
Creator of the security computer blog
seguranca-informatica.pt.
In recent years he has invested in the field of
information security, exploring and analyzing a wide
range of topics, such as pentesting (Kali Linux),
malware, hacking, cybersecurity, IoT and security in
computer networks. He is also Freelance Writer. LinkedIn
Twitter
<ptavares@dognaedis.com>

Dognaedis – A Prossegur Company
● Cyber Intelligence
● Managed Services
● Security Technologies
● Audit & Testing
● Consultancy
Service Lines

Required Software
- Virtual Machine (Windows 10, 8, 7 or XP)
Software:
● PeiD
● CFF Explorer
● UPX packer
● X64dbg
● Dev-C++ compiler
Recommended resources (to read):
“communicating
with the machine is
like communicating
with an alien”
● Intro to x86 Assembly Language
● How to use xdbg64 debugger

Agenda
0x01 What is a Malware?
0x02 Windows Internals 101
0x03 Portable Executable (PE) Files 101
0x04 Malware Protection 101
--0X041 Packers, Crypters and Protectors
--0X042 UPX Packer – How to Unpack UPX
--0X043 Creating a Simple XOR Crypter
0x05 Why Crypters can be Fully Undetectable (FUD)?

Malware is a generic term that describes any program or malicious
code that is dangerous to systems.
"Malware attacks would not work without the most important
ingredient: the user."
Malwarebytes

Adware
[designed to trigger ads]
Spyware
[observes user activities without
its knowledge/permission]
Virus
[malware attached to another program that
can replicate and spread after an frist execution]
Worms
[similar to viruses, but they don’t need
to be attached to spread]
Trojan (RAT)
[take control of users’ devices]
Ransonware
[encrypt users’ devices and
requests a ransom ]
Rootkit
[complex malware and hides its
activity and presence]
Reference: https://blog.malwarebytes.com/glossary/
Keylogger
[get all from users’ keyboard]
Cryptominer
[uses users’ CPU power to mine
cryptocurrency]

A shell is opened!! :)
Malware No Malware
- Invoice received in my
inbox! (pdf)
- Hum, why is it an .exe file?
- Why does it executes a shell?
The program does what
it should do!

● How it works
● What info is harvested
● How it collects info from victim
● Techniques used
Everything is object of analysis!
Manual Analysis
● Is it a malware?
● What kind of malware is it?
(trojan? ransomware?)
● What kind of data can it extract?
IOCs (IP, DNS, Windows registry keys
and files downloaded and droped).
Sandbox Analysis (automated)
Fast but limited analysis.

Stack
Heap
Code
Data
Main Memory
Low Memory Address
High Memory Address
The stack is used for local variables
and parameters for functions,
and to help control program flow.
We'll always look here! :D
It’s used for dynamic memory during
program execution, to allocate new
values and eliminate (free) values that
the program no longer needs.
Contains the executable code;
controls what the program does.
It contains values that are put in
place when a program is initially
loaded.
They not change while the program
is running.

User Application
Kernel32.dll
Ntdll.dll
Ntoskrnl.exe
Kernel Data Structures
User Mode (ring 3)
Kernel Mode (ring 0)
privileged mode
(rootkits run here)

sample.exe

hardware interfaces (buses, I/O devices, interrupts,
interval timers, DMA, memory cache control, etc., etc.)
System Service Dispatcher
Task Manager
Explorer
SvcHost.Exe
WinMgt.Exe
SpoolSv.Exe
Service
Control Mgr.
LSASS
Object
Mgr. Windows
USER,
GDI
File
System
Cache
I/O Mgr
User
Application
Subsystem DLLs
System Processes Applications
System
Threads
User
Mode
Kernel
Mode
NTDLL.DLL
Device &
File Sys.
Drivers
WinLogon
Session
Manager
Services.Exe
POSIX
Windows DLLs
Plugand
PlayMgr.
Power
Mgr.
Security
Reference
Monitor
Virtual
Memory
Processes
&
Threads
Local
Procedure
Call
Graphics
Drivers
Kernel
Hardware Abstraction Layer (HAL)
(kernel mode callable interfaces)
Configura-
tionMgr
(registry)
OS/2
Windows
Services

Header
Sections
DOS Header
PE Header
Optional Header
Sections Table
Code
Imports
Data
PE File
.text
.data
.rsrc
...
Sections
File properties, nº sections, machine type,
time stamp, and etc.)
It summarizes each sections’s raw size, virtual size, section
name, etc.
OEP and code
Reference: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
Initialized data
Resource data
It’s not "optional" per se, because it is required in Executable
files. RVA of entry point is here!
File signature: MZ: Mark Zbikowski, who created the
first linker for DOS.

0x04 Malware Protection 101
- Evading antivirus engines
- Evading sandbox analysis (Cuckoo, Falcon, etc.)
- Making malware analysis harder
- Protecting malware source-code

--0X041 Packers, Crypters and Protectors
Packers: Short for “runtime packers”. Packers unpack software in memory and are used to
make files smaller. Used by criminals to make reverse enginnering difficult.
Crypters: This technique is also known as obfuscation. Cryptographic algorithms are used
to make the hidden executable hard to detect by AV engines. This
technique is the ultimate goal to turn malware FUD (Fully Undetectable) for its
author.
Protectors: A protector in this context is software that is intended to prevent tampering
and reverse engineering of programs. The methods used can, and usually
will, include both packing and encrypting. That combination plus some
added features makes what is usually referred to as a protector.
Reference: https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/

Normal PE File Structure
Before Packing
UPX packed PE File Structure PE File after being unpacked
and loaded into memory
Fully unpacked PE File
1 2 3
4
Main Tasks
● Unpack the original executable into memory
● Resolve all the imports of the original executable
● Transfer execution to the original entry point (OEP)

Packed file
UPX
#include <stdio.h>
#include <stdlib.h>
int main()
{
// printf() displays the string inside quotation
printf("Hello, World!n");
system("PAUSE");
return 0;
}

Original PE File
Packed File

Original PE File Packed File

Packed File Original PE File

Original strings
Packed strings!

1) Find the executable Import Address
Table (IAT).
2) Get Imports
3) Dump the executable (nonetheless, an
error is presented; in fact, IAT was not
included.
4) Fix Dump (final executable will be fixed
and saved with SCY extension appended
to the file name).
Main tasks:

A crypter is a program which is used to assist malware for
evading antivirus signature-based detection.
Dark Comet Dark Comet crypted

Types of Crypters:
Scantime
A ScanTime crypter encrypts the file to evade antiviruses before execution
(signature based detection). This is a malware detection on disk.
Runtime
Runtime crypters are able to do this with the Windows API using a function called
CreateProcess. There is a flag CREATE_SUSPENDED which allows the malware to
be decrypted and then loaded into memory as a process before being executed.

Scantime Crypter

1) Run hello_world.exe in x64dbg
2) Identify .data VA
3) Identify .text code cave
4) Append XOR instructions
5) Set new EP
6) Run PE and generate a XORed file
7) Run PE again and change XOR
instructions to UNXOR .data section
8) Fix dump!
Menu

01010101
XOR 00010001
= 01000101
01000101
XOR 00010001
= 01010101
Example: XOR 1 byte
.text
.data
.rsrc
...
Sections

String “Hello World! visible!

identify .rdata section (start-end) and code cave :)

- set NEP
- assembly XOR code
- jump to OEP
Start .rdata: 0x404000
End .rdata: 0x40446B

MOV eax, 404000
ADD BYTE PTR DS:[EAX], 37
XOR BYTE PTR DS:[EAX], 0F
ADD BYTE PTR DS:[EAX], 13
INC EAX
CMP EAX, 40446B
JLE offset => ADD BYTE PTR DS:[EAX], 37
JMP OEP
$i= 404000
for ($i < 40446B)
{
EAX <= 37
XOR EAX, 0F
EAX <= 13
i++;
}
Code cave .text
XOR assembly code Pseudo-code

XOR code in code cave
.text section

EXCEPTION_ACCESS_VIOLATION :)
+WX permissions

Persistence permissions are needed!!

unXOR and create final patch
MOV eax, 404000
ADD BYTE PTR DS:[EAX], -13
XOR BYTE PTR DS:[EAX], 0F
ADD BYTE PTR DS:[EAX], -37
INC EAX
CMP EAX, 40446B
JLE offset => ADD BYTE PTR DS:[EAX], -13
JMP OEP

Crypter Original PE File
Nothing!

Result: Only PE File “strings” are hidden (obfuscated)! :-D
IOC: 1ef80e71e6d6d9415ffa65e655f473be IOC: 5dec959d88a999fb59e3995c34209a4a
VT crypterVT original

0x05 Why Crypters can be Fully
Undetectable (FUD)?
FUD crypters can be used to encrypt viruses, RAT, keyloggers, spywares, etc.
to make them undetectable from antiviruses.
The crypter takes the original binary file and applies many encryption on it
and stores on the end of file (EOF).
So a new crypted executable file is created.
The new exe is not detected by antiviruses because its code is scrambled by
the crypter.
Nonetheless, many (homemade) crypters can be detected via
Heuristic and Behavior Analysis!

My recent findings
[SI-LAB] – February 18th, 2019
The Muncy malware is on the rise
[SI-LAB] – March 1th, 2019
FlawedAmmyy Leveraging Undetected XLM Macros as an Infection
Vehicle
The story of the JCry ransomware spread in #OpJerusalem2019 is
now infecting Windows users
LockerGoga is the most active ransomware that focuses on targeti
ng companies and bypass AV signature-based detection

Take Home Messages
- Today, criminals are using novel tecnhiques to bypass AV detecions
- Manual debugging must be used to unpack malware
- Dissecting malware allows us to understand criminals’
modus operandi
- Manual analysis is always required to reveal FUD malware

Strategies to design FUD malware

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Strategies to design FUD malware

Similar to Strategies to design FUD malware (20)

Recently uploaded

Recently uploaded (19)

Strategies to design FUD malware