This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.

1. Bringing Down the House - How
One Python Script Ruled Over
Antivirus
@ChrisTruncer

2. whoami
Chris Truncer
⊡ Systems Administrator turned
Red Teamer
⊡ Red Team Lead at Mandiant
⊡ Open Source Developer
□ Veil-Framework
□ EyeWitness
□ and others...

3. What’s this talk about?
⊡ A pen tester’s problem
⊡ Shellcode injection
⊡ Veil-Evasion
⊡ Veil-Evasion’s approach
⊡ Signature bypass
⊡ Questions

4. A Pen Tester’s
Problem
Veil’s Inception

5. What’s My Job?
⊡ Penetration testers and red teamers test the
security of …. Something..
□ A website
□ An application
□ An office’s domain
□ A global distributed network

6. What’s My Job?
⊡ Tests are objective oriented
⊡ We don’t just hack everything for the lulz
⊡ Targeted in nature
□ Access internal payroll systems
□ Access customer lists
□ Steal company secrets
□ Wire money to a controlled account
□ ...etc.

7. What’s My Job?

8. What’s My Job?

9. What’s My Job?

10. Path to the Objective
⊡ Typically we will need to compromise
workstations
⊡ To compromise systems, we introduce
controlled viruses
⊡ However, we run into the same
problems/roadblocks that real attackers do...

11. What’s My Job?

12. Our Problem
⊡ Bypassing antivirus is relatively trivial
(demoed later)
⊡ I wanted an automated means to bypass
antivirus
□ Let’s not waste time bypassing AV, use
that time to better assess our customer’s
environment

13. Veil-Evasion

14. Our Problem
⊡ Myself, Will Schroeder, and Michael Wright
decided to create a framework
□ Aggregate public AV bypass techniques
□ Automate the customization and
compilation process
□ Modularize Veil to easily add new payload
modules
⊡ The output is the source code, and an
executable “stager”

15. Stagers

16. Stagers
⊡ Stagers (Veil output) can be referred to as
“stage 1”
⊡ The goal for stagers is to inject shellcode into
memory and run it
⊡ The shellcode can connect to a remote
system, receive additional code
⊡ Think of stagers as a loader for your real
malware

17. Stagers
⊡ Any language that has access to Windows
function calls can be used to write a stager
⊡ So… we started writing them in Python at
first!
□ Debasish Mandal and Mark Baggett both
developed proof of concepts for injecting
shellcode into memory.

18. Stagers
⊡ It’s all done with four function calls
□ VirtualAlloc - Allocate space and assign
memory permissions
□ RtlMoveMemory - Move shellcode into
allocated space
□ CreateThread - Run the shellcode stored in
memory
□ WaitForSingleObject - Don’t exit the
process until the thread is done executing

19. Our Problem

20. Our Problem

21. Our Problem

22. Our Problem

23. Our Problem

24. Veil’s Approach to
Beating AV

25. Veil’s Approach
⊡ Veil is designed to beat on-disk detection
through a variety of techniques:
□ Increasing code obfuscation
□ Encrypted code
□ Non-standard languages for Windows
binaries
Python, Perl, Ruby

26. Veil’s Approach
⊡ Languages that Veil supports
□ Python
□ Perl
□ PowerShell
□ C#
□ C
□ Go
□ Ruby

27. Shellcode Injection
Observation

28. Veil’s Approach
⊡ We observed that using a non-C or C# based
language made a big difference
□ Antivirus didn’t understand how to
properly inspect non-standard languages
⊡ Example
□ C vs. Python

29. Our Problem

30. Our Problem

31. Veil’s Observation
Simply changing the
language the
executable was
developed in
completely bypassed
ALL antivirus engines

32. Veil’s Approach
⊡ Invested heavily in Python module
development
□ Basic letter substitution
□ Base64 encoded shellcode
□ Encrypted shellcode
⊡ Developed a payload which brute forces itself

33. Stallion
⊡ At runtime, the payload performs a chosen-
ciphertext attack
□ With known ciphertext, it observes the
cleartext output
⊡ Use a constrained keyspace
□ Ex: “IEjy2kDLJ*@%nfs9fSYEbdudfd” +
“123456”
⊡ Loop over the constrained keyspace
⊡ If the decoded ciphertext matches the known
plaintext value, then the key is discovered

34. Stallion

35. Stallion

37. Signature
⊡ After approximately 1 year, we were notified
that a signature was developed for Veil

38. Veil’s Signature
⊡ This was a step in the right direction by AV
companies
□ We want them to step up their game
⊡ Previous attempts to categorize Veil have
ended up quite humorous...

39. Stallion

42. Stallion

43. Signature Evasion

44. Signature Evasion

45. Signature Evasion

46. Signature Evasion

47. Generating Executables
⊡ Usability - Executable Generation
□ Wine became our best friend
□ Python installed within Wine
□ Required libraries installed within Wine
□ PyInstaller within Python on Wine
⊡ Extended this concept to all languages
□ Go
□ Ruby
□ C#

48. Generating Executables
⊡ We chose PyInstaller and Py2Exe since they
are widely used
□ To prevent AV companies from just
flagging all PyInstaller output
⊡ Some companies did this anyway...

49. Generating Executables

50. Generating Executables

51. A Better Solution

52. Better Options
⊡ Static string based antivirus detection is dead
⊡ Move to dynamic analysis and reputation
based detection

53. Test Your Security
⊡ Start testing your security “solutions” so you
know the level of protection they provide
⊡ Determine the level of risk security products
introduce
⊡ Python provided the way for us to do this

54. THANKS!
Any questions?
@ChrisTruncer
https://www.christophertruncer.com
https://github.com/ChrisTruncer
https://github.com/Veil-Framework