This talk is about how a single Python tool (Veil, aka Veil-Evasion) is able to render antivirus useless. Veil's goal is to bypass antivirus products on workstations and servers.
Bringing Down the House - How One Python Script Ruled Over AntiVirus
1. Bringing Down the House - How One Python Script Ruled Over Antivirus
@ChrisTruncer
2. whoami
Chris Truncer
⊡ Systems Administrator turned Red Teamer
⊡ Red Team Lead at Mandiant
⊡ Open Source Developer
□ Veil-Framework
□ EyeWitness
□ and others...
3. What’s this talk about?
⊡ A pen tester’s problem
⊡ Shellcode injection
⊡ Veil-Evasion
⊡ Veil-Evasion’s approach
⊡ Signature bypass
⊡ Questions
5. What’s My Job?
⊡ Penetration testers and red teamers test the security of… something.
□ A website
□ An application
□ An office’s domain
□ A global distributed network
6. What’s My Job?
⊡ Tests are objective oriented
⊡ We don’t just hack everything for the lulz
⊡ Targeted in nature
□ Access internal payroll systems
□ Access customer lists
□ Steal company secrets
□ Wire money to a controlled account
□ ...etc.
10. Path to the Objective
⊡ Typically we will need to compromise workstations
⊡ To compromise systems, we introduce controlled viruses
⊡ However, we run into the same problems/roadblocks that real attackers do...
12. Our Problem
⊡ Bypassing antivirus is relatively trivial (demoed later)
⊡ I wanted an automated means to bypass antivirus
□ Let’s not waste time bypassing AV, use that time to better assess our customer’s environment
14. Our Problem
⊡ Myself, Will Schroeder, and Michael Wright decided to create a framework
□ Aggregate public AV bypass techniques
□ Automate the customization and compilation process
□ Modularize Veil to easily add new payload modules
⊡ The output is the source code, and an executable “stager”
16. Stagers
⊡ Stagers (Veil output) can be referred to as “stage 1”
⊡ The goal for stagers is to inject shellcode into memory and run it
⊡ The shellcode can connect to a remote system, receive additional code
⊡ Think of stagers as a loader for your real malware
17. Stagers
⊡ Any language that has access to Windows function calls can be used to write a stager
⊡ So… we started writing them in Python at first!
□ Debasish Mandal and Mark Baggett both developed proof of concepts for injecting shellcode into memory.
18. Stagers
⊡ It’s all done with four function calls
□ VirtualAlloc - Allocate space and assign memory permissions
□ RtlMoveMemory - Move shellcode into allocated space
□ CreateThread - Run the shellcode stored in memory
□ WaitForSingleObject - Don’t exit the process until the thread is done executing
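The four-call sequence on this slide is also a useful detection signature on the defender's side. The following is an added example (not part of the talk or of Veil) of a simple static scanner for Python scripts that looks for that sequence alongside a ctypes/windll reference and a long base64-looking literal; the sample scripts are constructed here and the blob-length threshold is an assumption.

```python
import re

# The four Windows API calls the talk names as the in-memory loader sequence.
LOADER_CALLS = ("VirtualAlloc", "RtlMoveMemory", "CreateThread", "WaitForSingleObject")
# Assumption: a quoted literal of at least this many base64-alphabet characters is
# treated as a possible encoded payload. Tune per environment.
MIN_BLOB_LEN = 40
BASE64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_BLOB_LEN)


def scan_script(source: str) -> dict:
    """Return the loader indicators found in a Python script and a verdict.

    The verdict fires when the script reaches Windows APIs through ctypes/windll
    and references at least three of the four loader calls; an encoded blob is
    reported as supporting evidence but is not required, since obfuscated
    variants encode or substitute the payload in different ways.
    """
    calls_seen = [c for c in LOADER_CALLS if re.search(r"\b%s\b" % c, source)]
    uses_ctypes = bool(re.search(r"\bctypes\b|\bwindll\b", source))
    blobs = BASE64_LITERAL.findall(source)
    return {
        "ctypes": uses_ctypes,
        "loader_calls": calls_seen,
        "blob_count": len(blobs),
        "suspicious": uses_ctypes and len(calls_seen) >= 3,
    }


# Constructed, deliberately non-functional sample: the call sites are stubbed with
# "..." so this is script text to scan, not a working loader.
SAMPLE_SUSPICIOUS = '''
import ctypes, base64
blob = base64.b64decode("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlq")
k32 = ctypes.windll.kernel32
region = k32.VirtualAlloc(...)
k32.RtlMoveMemory(...)
handle = k32.CreateThread(...)
k32.WaitForSingleObject(...)
'''

# Constructed benign sample: ctypes plus one unrelated API call and a short token.
SAMPLE_BENIGN = '''
import ctypes, base64
tick = ctypes.windll.kernel32.GetTickCount()
token = base64.b64decode("aGVsbG8=")
'''
```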
25. Veil’s Approach
⊡ Veil is designed to beat on-disk detection through a variety of techniques:
□ Increasing code obfuscation
□ Encrypted code
□ Non-standard languages for Windows binaries: Python, Perl, Ruby
28. Veil’s Approach
⊡ We observed that using a non-C or C# based language made a big difference
□ Antivirus didn’t understand how to properly inspect non-standard languages
⊡ Example
□ C vs. Python
32. Veil’s Approach
⊡ Invested heavily in Python module development
□ Basic letter substitution
□ Base64 encoded shellcode
□ Encrypted shellcode
⊡ Developed a payload which brute forces itself
33. Stallion
⊡ At runtime, the payload performs a chosen-ciphertext attack
□ With known ciphertext, it observes the cleartext output
⊡ Use a constrained keyspace
□ Ex: “IEjy2kDLJ*@%nfs9fSYEbdudfd” + “123456”
⊡ Loop over the constrained keyspace
⊡ If the decoded ciphertext matches the known plaintext value, then the key is discovered
38. Veil’s Signature
⊡ This was a step in the right direction by AV companies
□ We want them to step up their game
⊡ Previous attempts to categorize Veil have ended up quite humorous...
47. Generating Executables
⊡ Usability - Executable Generation
□ Wine became our best friend
□ Python installed within Wine
□ Required libraries installed within Wine
□ PyInstaller within Python on Wine
⊡ Extended this concept to all languages
□ Go
□ Ruby
□ C#
48. Generating Executables
⊡ We chose PyInstaller and Py2Exe since they are widely used
□ To prevent AV companies from just flagging all PyInstaller output
⊡ Some companies did this anyway...
52. Better Options
⊡ Static string based antivirus detection is dead
⊡ Move to dynamic analysis and reputation based detection
53. Test Your Security
⊡ Start testing your security “solutions” so you know the level of protection they provide
⊡ Determine the level of risk security products introduce
⊡ Python provided the way for us to do this