Agenda • Who am I? • Why need AV bypassing? • How AVs work? • Bypass? HTF? • W00t W00t • More research required.. • Shoot your questions..
Who Am I? • Security Consultant @ Hackplanet Technologies • Penetration tester • Spoken at various national-level conferences (Techno Tryst 2012, NSWET 2011, etc.) • Current areas: SOC, Malware Analysis, MSF, Network Forensics
Why need AV bypassing? • Firewalls can be bypassed with client-side attacks, which require some piece of code to run on the remote machine, but AV picks it up. • You made a virus and sent it to the remote machine, but AV picks it up. • You have a payload which you want to execute, and you social engineered the owner into executing it, but AV picks it up.
Bypass? HTF? • Crypters (UPX, etc.) - old approach • Smart crypter (we will do it) • Shellcode injection (we will do it too)
Crypters, hmm… But AVs are not fools either. They have a mind.
Smart Crypters – PE Crypter Hyperion: by Christian Ammann (Null Security Team). • Packs the PE file with AES. • The encryption key is “SMALL” (a deliberately tiny key space), so at runtime the key is brute forced. • Algorithm:
1. Copy the encrypted file in memory as a backup.
2. Guess the key.
3. Decrypt the data.
4. Verify the data with checksums.
5. If the key is right, cheers!
6. If not, restore the data section from the backup and go to step 2.
More info: http://www.nullsecurity.net , http://exploit-db.com
Shellcode Injection • Inject your shellcode into a process. • Can be used for backdooring. • Can be used for getting different shells on a remote system. • Shellcodeexec (https://github.com/inquisb/shellcodeexec) • Syringe.exe (http://www.securestate.com/Documents/syringe.c)
Syringe.exe • References: 1. Paper on Exploit-db by infog33k 2. A comment on http://forums.mydigitallife.info/threads/23461-Batch-Hide-cmd-batch-window 3. Creating a self-extractor with 7zip: http://www.wikihow.com/Use-7Zip-to-Create-Self-Extracting-excutables
How it works.. • Calls VirtualAlloc to obtain a region of memory in which to execute the shellcode. • VirtualAlloc: Windows-specific call that allocates a region with read, write and execute permissions (read and write are required because alphanumeric shellcode decodes itself in place). • Copies the shellcode into the memory obtained from VirtualAlloc. • Executes the shellcode with the help of an assembly stub that jumps directly to the location of the shellcode.