Today, criminals are using novel techniques to bypass AV detection. Manual debugging must be used to unpack malware (hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
Strategies to design FUD malware
1. Strategies to design Fully UnDetectable malware
III Jornadas de InfoWeb - Universidade da Beira Interior
21 March 2019
Pedro Tavares <ptavares@dognaedis.com>
2. Pedro Tavares is a professional working as a Malware Researcher, Ethical Hacker and also Security Evangelist. Pedro is also a founding member and Pentester at CSIRT.UBI and Editor-in-Chief and Creator of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a freelance writer.
<ptavares@dognaedis.com>
3. Dognaedis – A Prosegur Company
Service Lines:
● Cyber Intelligence
● Managed Services
● Security Technologies
● Audit & Testing
● Consultancy
4. Required Software
- Virtual Machine (Windows 10, 8, 7 or XP)
Software:
● PEiD
● CFF Explorer
● UPX packer
● x64dbg
● Dev-C++ compiler
Recommended resources (to read):
● Intro to x86 Assembly Language
● How to use the x64dbg debugger
“communicating with the machine is like communicating with an alien”
5. Agenda
0x01 What is Malware?
0x02 Windows Internals 101
0x03 Portable Executable (PE) Files 101
0x04 Malware Protection 101
--0x041 Packers, Crypters and Protectors
--0x042 UPX Packer – How to Unpack UPX
--0x043 Creating a Simple XOR Crypter
0x05 Why can Crypters be Fully Undetectable (FUD)?
7. 0x01 What is Malware?
Malware is a generic term that describes any program or malicious code that is dangerous to systems.
"Malware attacks would not work without the most important ingredient: the user." (Malwarebytes)
8. 0x01 What is Malware?
● Adware [designed to trigger ads]
● Spyware [observes user activities without their knowledge/permission]
● Virus [malware attached to another program that can replicate and spread after a first execution]
● Worms [similar to viruses, but they don’t need to be attached to spread]
● Trojan (RAT) [takes control of users’ devices]
● Ransomware [encrypts users’ devices and requests a ransom]
● Rootkit [complex malware that hides its activity and presence]
● Keylogger [captures everything typed on users’ keyboards]
● Cryptominer [uses users’ CPU power to mine cryptocurrency]
Reference: https://blog.malwarebytes.com/glossary/
9. 0x01 What is Malware?
Malware:
- Invoice received in my inbox! (pdf)
- Hum, why is it an .exe file?
- Why does it execute a shell?
A shell is opened!! :)
No malware: the program does what it should do!
10. 0x01 What is Malware?
Everything is an object of analysis!
Manual Analysis
● How it works
● What info is harvested
● How it collects info from the victim
● Techniques used
Sandbox Analysis (automated)
Fast but limited analysis.
● Is it malware?
● What kind of malware is it? (trojan? ransomware?)
● What kind of data can it extract?
● IOCs (IP, DNS, Windows registry keys and files downloaded and dropped).
12. 0x02 Windows Internals 101
Main memory, between the low and high memory addresses: Stack, Heap, Code, Data.
Stack: used for local variables and parameters for functions, and to help control program flow. We'll always look here! :D
Heap: used for dynamic memory during program execution, to allocate new values and eliminate (free) values that the program no longer needs.
Code: contains the executable code; controls what the program does.
Data: contains values that are put in place when a program is initially loaded. They do not change while the program is running.
13. 0x02 Windows Internals 101
User Mode (ring 3): User Application -> Kernel32.dll -> Ntdll.dll
Kernel Mode (ring 0), privileged mode (rootkits run here): Ntoskrnl.exe -> Kernel Data Structures
17. 0x03 Portable Executable (PE) Files 101
A PE file is made of a Header followed by Sections.
Header:
● DOS Header: file signature MZ (Mark Zbikowski, who created the first linker for DOS).
● PE Header: file properties, number of sections, machine type, time stamp, etc.
● Optional Header: it’s not "optional" per se, because it is required in executable files. The RVA of the entry point is here!
● Section Table: summarizes each section’s raw size, virtual size, section name, etc.
Sections (.text, .data, .rsrc, ...):
● Code (.text): OEP and code
● Data (.data): initialized data
● Resources (.rsrc): resource data
● Imports
Reference: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
19. --0x041 Packers, Crypters and Protectors
Packers: Short for “runtime packers”. Packers unpack software in memory and are used to make files smaller. Used by criminals to make reverse engineering difficult.
Crypters: This technique is also known as obfuscation. Cryptographic algorithms are used to make the hidden executable hard to detect by AV engines. This technique is the ultimate goal for an author who wants to turn malware FUD (Fully Undetectable).
Protectors: A protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector.
Reference: https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/
21. --0x042 UPX Packer – How to Unpack UPX
Figure (four stages): 1) normal PE file structure before packing; 2) UPX-packed PE file structure; 3) PE file after being unpacked and loaded into memory; 4) fully unpacked PE file.
Main Tasks
● Unpack the original executable into memory
● Resolve all the imports of the original executable
● Transfer execution to the original entry point (OEP)
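An added example, not from the slides, that walks the header chain from the PE 101 section above and applies one check an analyst makes before reaching for a packer like UPX: a Python parser that reads the DOS header, PE signature, COFF header, optional header (AddressOfEntryPoint) and section table, names the section holding the entry point, and flags sections that occupy no bytes on disk but a large virtual size, the room a runtime packer reserves for the image it unpacks in memory (in a UPX-packed file that is the UPX0 section). build_sample_pe constructs a headers-only image for the demo; the function names and sample values are my own.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table
    (field offsets follow the Microsoft PE format reference linked above)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                        # each section header is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return {"machine": machine, "timestamp": stamp, "pe32plus": magic == 0x20B,
            "entry_point_rva": entry_rva, "sections": sections}

def section_for_rva(pe: dict, rva: int):
    """Name of the section containing an RVA (e.g. the entry point), or None."""
    for s in pe["sections"]:
        end = s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < end:
            return s["name"]
    return None

def packer_hints(pe: dict) -> list:
    """Sections with no bytes on disk but a large virtual size: typical of a
    runtime packer reserving room for the image it unpacks in memory."""
    return [s["name"] for s in pe["sections"] if s["raw_size"] == 0 and s["virtual_size"] > 0]

def build_sample_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed headers-only PE32 image for the demo, not a real binary.
    sections: (name, virtual_size, virtual_address, raw_size, raw_ptr) tuples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5C9372A0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 2, 25, 0x200, 0x200, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table
```

Run parse_pe on a real file's bytes to compare the section table against what x64dbg shows once the packer has finished its work.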
22. --0x042 UPX Packer – How to Unpack UPX
Packed file: UPX. Source of the sample program that gets packed:
#include <stdio.h>
#include <stdlib.h>
int main()
{
// printf() displays the string inside quotation marks
printf("Hello, World!\n");
// keep the console window open until a key is pressed
system("PAUSE");
return 0;
}
32. --0x042 UPX Packer – How to Unpack UPX
Main tasks:
1) Find the executable's Import Address Table (IAT).
2) Get imports.
3) Dump the executable (nonetheless, an error is presented; in fact, the IAT was not included).
4) Fix the dump (the final executable will be fixed and saved with the SCY extension appended to the file name).
34. --0x043 Creating a Simple XOR Crypter
A crypter is a program used to help malware evade antivirus signature-based detection.
Figure: Dark Comet vs. Dark Comet crypted.
35. --0x043 Creating a Simple XOR Crypter
Types of Crypters:
Scantime: A scantime crypter encrypts the file to evade antiviruses before execution (signature-based detection). This targets malware detection on disk.
Runtime: Runtime crypters are able to do this with the Windows API using a function called CreateProcess. There is a flag CREATE_SUSPENDED which allows the malware to be decrypted and then loaded into memory as a process before being executed.
37. --0x043 Creating a Simple XOR Crypter
1) Run hello_world.exe in x64dbg
2) Identify the .data VA
3) Identify a .text code cave
4) Append XOR instructions
5) Set the new EP
6) Run the PE and generate an XORed file
7) Run the PE again and change the XOR instructions to UNXOR the .data section
8) Fix the dump!
51. --0x043 Creating a Simple XOR Crypter
Result: Only PE File “strings” are hidden (obfuscated)! :-D
IOC: 1ef80e71e6d6d9415ffa65e655f473be
IOC: 5dec959d88a999fb59e3995c34209a4a
(VirusTotal results: original vs. crypted)
52. 0x05 Why can Crypters be Fully Undetectable (FUD)?
FUD crypters can be used to encrypt viruses, RATs, keyloggers, spyware, etc. to make them undetectable by antivirus.
The crypter takes the original binary file, applies several layers of encryption to it and stores the result at the end of the file (EOF). So a new crypted executable file is created.
The new exe is not detected by antivirus because its code is scrambled by the crypter.
Nonetheless, many (homemade) crypters can be detected via heuristic and behavior analysis!
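An added Python example, not from the slides, that shows from the analyst's side why the XOR crypter built above only hides strings and why such homemade crypters remain detectable: it scrambles a constructed stand-in for hello_world.exe's .data section with a single-byte key, shows the string literals vanish from a strings listing, shows the section's entropy is unchanged (a single-byte XOR only permutes byte values), and recovers the key by brute force from a known plaintext or a printable-ASCII score. SAMPLE_DATA and the function names are my own constructions.

```python
import math

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, as injected into the .text code cave; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Single-byte XOR only permutes byte values, so this does not change."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, as the 'strings' utility reports them."""
    out, run = [], bytearray()
    for b in data + b"\0":                       # trailing sentinel flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    return out

def recover_xor_key(data: bytes, known: bytes = b"") -> int:
    """Brute-force all 256 keys: a known plaintext (a string the analyst expects in
    .data) wins outright, otherwise pick the key that exposes the most ASCII/NUL bytes."""
    best_key, best_score = 0, -1
    for key in range(256):
        plain = xor_bytes(data, key)
        if known and known in plain:
            return key
        score = sum(32 <= b < 127 or b == 0 for b in plain)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

# Constructed stand-in for hello_world.exe's .data section (its two string literals plus
# binary padding); not taken from any real sample.
SAMPLE_DATA = b"Hello, World!\n\0PAUSE\0" + bytes(range(32))

def demo(key: int = 0x5A) -> dict:
    """Crypt SAMPLE_DATA with `key`, then report what an analyst sees and recovers."""
    crypted = xor_bytes(SAMPLE_DATA, key)
    recovered = recover_xor_key(crypted, known=b"Hello")
    return {"strings_before": extract_strings(SAMPLE_DATA), "strings_after": extract_strings(crypted),
            "entropy_unchanged": math.isclose(shannon_entropy(SAMPLE_DATA), shannon_entropy(crypted)),
            "recovered_key": recovered, "decrypted": xor_bytes(crypted, recovered) == SAMPLE_DATA}
```

The unchanged entropy is the practical point: a scanner that flags an executable's data section by byte statistics, or simply tries the 256 single-byte keys, is not fooled by this kind of crypter.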
53. My recent findings
[SI-LAB] – February 18th, 2019: The Muncy malware is on the rise
[SI-LAB] – March 1st, 2019: FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
[SI-LAB] – March 5th, 2019: The story of the JCry ransomware spread in #OpJerusalem2019 is now infecting Windows users
[SI-LAB] – March 20th, 2019: LockerGoga is the most active ransomware that focuses on targeting companies and bypass AV signature-based detection
54. Take Home Messages
- Today, criminals are using novel techniques to bypass AV detection
- Manual debugging must be used to unpack malware
- Dissecting malware allows us to understand criminals’ modus operandi
- Manual analysis is always required to reveal FUD malware