Strategies to design Fully UnDetectable malware
III Jornadas de InfoWeb - Universidade da Beira Interior
21 March 2019
Pedro Tavares <ptavares@dognaedis.com>
Pedro Tavares is a professional working as a Malware Researcher, Ethical Hacker and Security Evangelist. Pedro is also a founding member and Pentester at CSIRT.UBI and Editor-in-Chief and Creator of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a freelance writer.
<ptavares@dognaedis.com>
Dognaedis – A Prossegur Company
Service Lines:
● Cyber Intelligence
● Managed Services
● Security Technologies
● Audit & Testing
● Consultancy
Required Software
- Virtual Machine (Windows 10, 8, 7 or XP)
Software:
● PEiD
● CFF Explorer
● UPX packer
● x64dbg
● Dev-C++ compiler
Recommended resources (to read):
● Intro to x86 Assembly Language
● How to use the x64dbg debugger
“communicating with the machine is like communicating with an alien”
Agenda
0x01 What is Malware?
0x02 Windows Internals 101
0x03 Portable Executable (PE) Files 101
0x04 Malware Protection 101
--0x041 Packers, Crypters and Protectors
--0x042 UPX Packer – How to Unpack UPX
--0x043 Creating a Simple XOR Crypter
0x05 Why can Crypters be Fully Undetectable (FUD)?
0x01 What is Malware?
Malware is a generic term that describes any program or malicious code that is dangerous to systems.
"Malware attacks would not work without the most important ingredient: the user." (Malwarebytes)
0x01 What is Malware?
Adware [designed to trigger ads]
Spyware [observes user activities without their knowledge/permission]
Virus [malware attached to another program that can replicate and spread after a first execution]
Worms [similar to viruses, but they don’t need to be attached to spread]
Trojan (RAT) [takes control of users’ devices]
Ransomware [encrypts users’ devices and requests a ransom]
Rootkit [complex malware that hides its activity and presence]
Keylogger [captures everything typed on users’ keyboards]
Cryptominer [uses users’ CPU power to mine cryptocurrency]
Reference: https://blog.malwarebytes.com/glossary/
0x01 What is Malware?
Malware:
- Invoice received in my inbox! (pdf)
- Hum, why is it an .exe file?
- Why does it execute a shell?
A shell is opened!! :)
No malware: the program does what it should do!
0x01 What is Malware?
Everything is an object of analysis!
● How it works
● What info is harvested
● How it collects info from the victim
● Techniques used
Manual Analysis
● Is it malware?
● What kind of malware is it? (trojan? ransomware?)
● What kind of data can it extract?
● IOCs (IP, DNS, Windows registry keys, and files downloaded and dropped).
Sandbox Analysis (automated)
Fast but limited analysis.
0x02 Windows Internals 101
Main memory layout (stack, heap, code and data regions, laid out between the low and the high memory addresses):
● Stack: used for local variables and parameters for functions, and to help control program flow. We'll always look here! :D
● Heap: used for dynamic memory during program execution, to allocate new values and eliminate (free) values that the program no longer needs.
● Code: contains the executable code; controls what the program does.
● Data: contains values that are put in place when a program is initially loaded. They do not change while the program is running.
0x02 Windows Internals 101
User Mode (ring 3): User Application → Kernel32.dll → Ntdll.dll
Kernel Mode (ring 0, privileged mode; rootkits run here): Ntoskrnl.exe → Kernel Data Structures
[Figure: sample.exe]
0x02 Windows Internals 101
[Figure: Windows architecture overview. Kernel mode, bottom to top: hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.); Hardware Abstraction Layer (HAL); Kernel; executive components: I/O Manager, Device & File System Drivers, File System Cache, Object Manager, Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Configuration Manager (registry), Plug and Play Manager, Power Manager, Windows USER/GDI and Graphics Drivers; System Threads; System Service Dispatcher (kernel mode callable interfaces). User mode: NTDLL.DLL; Subsystem DLLs and Windows DLLs; system processes (Session Manager, WinLogon, Services.Exe, Service Control Mgr., LSASS, SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe); environment subsystems (Windows, POSIX, OS/2); applications (Task Manager, Explorer, User Application).]
0x03 Portable Executable (PE) Files 101
A PE file is made of headers followed by sections:
● DOS Header: file signature MZ (Mark Zbikowski, who created the first linker for DOS).
● PE Header: file properties, number of sections, machine type, time stamp, etc.
● Optional Header: it’s not "optional" per se, because it is required in executable files. The RVA of the entry point is here!
● Sections Table: summarizes each section’s raw size, virtual size, section name, etc.
● Sections (code, imports, data):
  .text: OEP and code
  .data: initialized data
  .rsrc: resource data
  ...
Reference: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
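To make the header walk concrete, here is an added example (not from the deck) that parses a PE image with only Python's standard library: it follows e_lfanew to the PE signature, reads the number of sections and the entry point RVA from the Optional Header, walks the section table, and flags sections that are both writable and executable or carry UPX's default section names, two checks an analyst runs before the unpacking and crypter steps later in this deck. The demo image is constructed in-line and is not a real executable.

```python
"""Walk a PE image the way the deck describes it: DOS header (MZ) -> PE
signature -> COFF/PE header -> Optional Header (entry point RVA) -> section
table, then flag sections that are writable AND executable (W+X) or carry
UPX's default section names. Added example, not the deck's code; it uses
only the standard library and the demo image below is constructed in-line."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Return machine type, entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature in the DOS header")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown Optional Header magic 0x%x" % magic)
    # AddressOfEntryPoint is at offset 16 of the Optional Header in both formats
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        (name, vsize, va, rsize, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": rsize, "raw_pointer": raw_ptr,
            "characteristics": chars,
        })
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def suspicious_sections(pe: dict) -> list:
    """Names of W+X sections (what a code-cave patch needs) and UPX-named sections."""
    hits = []
    for s in pe["sections"]:
        c = s["characteristics"]
        wx = bool(c & IMAGE_SCN_MEM_WRITE) and bool(c & IMAGE_SCN_MEM_EXECUTE)
        if wx or s["name"].startswith("UPX"):
            hits.append(s["name"])
    return hits


def build_demo_pe(sections) -> bytes:
    """Constructed, non-runnable PE32 image with the given (name, characteristics)
    sections; used only as sample input for parse_pe (hypothetical file)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                            # standard PE32 Optional Header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    # Magic, linker version, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint (rest zero-padded)
    optional = struct.pack("<HBBIIII", 0x10B, 2, 25, 0x200, 0x200, 0, 0x1000)
    optional += b"\0" * (opt_size - len(optional))
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode(), 0x200, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    image = build_demo_pe([(".text", 0x60000020),   # CODE | EXECUTE | READ
                           (".rdata", 0x40000040),  # INITIALIZED_DATA | READ
                           ("UPX1", 0xE0000040)])   # READ | WRITE | EXECUTE
    pe = parse_pe(image)
    print("entry point RVA: 0x%x" % pe["entry_rva"])
    for s in pe["sections"]:
        print("%-8s VA=0x%06x chars=0x%08x" % (s["name"], s["virtual_address"],
                                               s["characteristics"]))
    print("suspicious:", suspicious_sections(pe))
```

Run it against a real file by passing `open(path, "rb").read()` to `parse_pe`; the section flags are the same bits CFF Explorer shows in the section header view.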
0x04 Malware Protection 101
- Evading antivirus engines
- Evading sandbox analysis (Cuckoo, Falcon, etc.)
- Making malware analysis harder
- Protecting malware source code
--0x041 Packers, Crypters and Protectors
Packers: Short for “runtime packers”. Packers unpack software in memory and are used to make files smaller. Used by criminals to make reverse engineering difficult.
Crypters: This technique is also known as obfuscation. Cryptographic algorithms are used to make the hidden executable hard to detect by AV engines. This technique is the ultimate goal for an author who wants to turn malware FUD (Fully Undetectable).
Protectors: A protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector.
Reference: https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/
--0x042 UPX Packer – How to Unpack UPX
[Figure: (1) normal PE file structure before packing; (2) UPX-packed PE file structure; (3) PE file after being unpacked and loaded into memory; (4) fully unpacked PE file.]
Main Tasks
● Unpack the original executable into memory
● Resolve all the imports of the original executable
● Transfer execution to the original entry point (OEP)
--0x042 UPX Packer – How to Unpack UPX
[Figure: the sample program below is packed with UPX to produce the packed file.]
#include <stdio.h>
#include <stdlib.h>

int main()
{
    // printf() displays the string inside the quotation marks
    printf("Hello, World!\n");
    system("PAUSE");
    return 0;
}
--0x042 UPX Packer – How to Unpack UPX
[Figures: the original PE file compared side by side with the packed file; the original strings are readable in the original file, while the packed file only shows packed strings!]
Main tasks:
1) Find the executable’s Import Address Table (IAT).
2) Get the imports.
3) Dump the executable (nonetheless, an error is presented: in fact, the IAT was not included).
4) Fix the dump (the final executable will be fixed and saved with the SCY extension appended to the file name).
--0x043 Creating a Simple XOR Crypter
A crypter is a program which is used to help malware evade antivirus signature-based detection.
[Figure: Dark Comet vs. Dark Comet crypted.]
Types of Crypters:
Scantime
A scantime crypter encrypts the file to evade antivirus (signature-based) detection before execution. This targets malware detection on disk.
Runtime
Runtime crypters are able to do this with the Windows API using a function called CreateProcess. Its CREATE_SUSPENDED flag allows the malware to be decrypted and then loaded into memory as a process before being executed.
--0x043 Creating a Simple XOR Crypter
Scantime Crypter
1) Run hello_world.exe in x64dbg
2) Identify the .data VA
3) Identify a .text code cave
4) Append the XOR instructions
5) Set the new EP
6) Run the PE and generate a XORed file
7) Run the PE again and change the XOR instructions to un-XOR the .data section
8) Fix the dump!
--0x043 Creating a Simple XOR Crypter
Example: XOR 1 byte
01010101 XOR 00010001 = 01000101
01000101 XOR 00010001 = 01010101
[Figure: sections .text, .data, .rsrc, ...]
--0x043 Creating a Simple XOR Crypter
[Figure: the string “Hello World!” is visible in the .rdata section!]
Identify the .rdata section (start-end) and a code cave :)
- set the NEP
- assemble the XOR code
- jump to the OEP
Start .rdata: 0x404000
End .rdata: 0x40446B
--0x043 Creating a Simple XOR Crypter
XOR assembly code (placed in the .text code cave):
MOV EAX, 404000
ADD BYTE PTR DS:[EAX], 37
XOR BYTE PTR DS:[EAX], 0F
ADD BYTE PTR DS:[EAX], 13
INC EAX
CMP EAX, 40446B
JLE offset => ADD BYTE PTR DS:[EAX], 37
JMP OEP
Pseudo-code:
for (i = 0x404000; i <= 0x40446B; i++)
{
    byte[i] += 0x37;
    byte[i] ^= 0x0F;
    byte[i] += 0x13;
}
--0x043 Creating a Simple XOR Crypter
[Figure: the XOR code in the .text section code cave.]
Running it: EXCEPTION_ACCESS_VIOLATION :)
The section being patched needs +WX permissions, and those permissions must be made persistent (changed in the file’s section header, not only for the current debugging session)!!
--0x043 Creating a Simple XOR Crypter
Un-XOR and create the final patch (the inverse operations, in reverse order):
MOV EAX, 404000
ADD BYTE PTR DS:[EAX], -13
XOR BYTE PTR DS:[EAX], 0F
ADD BYTE PTR DS:[EAX], -37
INC EAX
CMP EAX, 40446B
JLE offset => ADD BYTE PTR DS:[EAX], -13
JMP OEP
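The following added example (not the deck's code) models the code-cave loop and the un-XOR patch byte for byte on a constructed copy of the .rdata contents, showing that a static string signature stops matching after the pass and that lifting the three constants from the code cave restores the section exactly, which is what the later "fix dump" step relies on. The section bytes, and the use of the deck's 0x404000–0x40446B range as the loop bounds, are assumptions.

```python
"""Byte-level model of the deck's code-cave transform (ADD 37h, XOR 0Fh,
ADD 13h over every byte from the start to the end of .rdata) and of the
un-XOR patch (ADD -13h, XOR 0Fh, ADD -37h). Added example, not the deck's
code: it shows why a plain byte-pattern signature no longer matches after
the pass, and that an analyst who recovers the constants from the code
cave restores the bytes exactly. Section contents are constructed samples."""

RDATA_START = 0x404000   # Start .rdata from the deck
RDATA_END = 0x40446B     # End .rdata (inclusive, because of CMP/JLE)


def encode_byte(b: int) -> int:
    """One pass of the crypter loop body on a single byte (8-bit wraparound)."""
    b = (b + 0x37) & 0xFF     # ADD BYTE PTR DS:[EAX], 37
    b ^= 0x0F                 # XOR BYTE PTR DS:[EAX], 0F
    return (b + 0x13) & 0xFF  # ADD BYTE PTR DS:[EAX], 13


def decode_byte(b: int) -> int:
    """The un-XOR patch: inverse operations applied in reverse order."""
    b = (b - 0x13) & 0xFF     # ADD BYTE PTR DS:[EAX], -13
    b ^= 0x0F                 # XOR BYTE PTR DS:[EAX], 0F
    return (b - 0x37) & 0xFF  # ADD BYTE PTR DS:[EAX], -37


def transform_section(image: bytearray, base: int, start: int, end: int, step) -> None:
    """Apply step() in place to the bytes mapped at [start, end] (inclusive),
    mirroring MOV EAX,start / ... / INC EAX / CMP EAX,end / JLE.
    base is the virtual address that image[0] is mapped at."""
    for va in range(start, end + 1):
        image[va - base] = step(image[va - base])


def signature_hits(image: bytes, sigs) -> dict:
    """Which plain-text signatures a byte-pattern scanner would still find."""
    return {sig: sig in image for sig in sigs}


def demo() -> dict:
    """Constructed .rdata contents: the hello world strings, padded to the
    deck's section size (0x46C bytes); returns the scan results of each stage."""
    size = RDATA_END - RDATA_START + 1
    rdata = bytearray(b"Hello, World!\n\0PAUSE\0".ljust(size, b"\0"))
    sigs = (b"Hello, World!", b"PAUSE")
    crypted = bytearray(rdata)
    transform_section(crypted, RDATA_START, RDATA_START, RDATA_END, encode_byte)
    recovered = bytearray(crypted)
    transform_section(recovered, RDATA_START, RDATA_START, RDATA_END, decode_byte)
    return {
        "before": signature_hits(rdata, sigs),      # both strings found
        "after": signature_hits(crypted, sigs),     # neither string found
        "recovered": recovered == rdata,            # un-XOR patch is exact
    }


if __name__ == "__main__":
    print(demo())
```

Note that every zero byte of padding encodes to the same value (0x4B, 'K'), so the "crypted" section is full of one repeated character: exactly the kind of low-entropy, repetitive pattern that heuristic scanners key on, which is the deck's closing point about homemade crypters.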
--0x043 Creating a Simple XOR Crypter
[Figure: crypter output vs. original PE file: nothing!]
Result: only the PE file’s “strings” are hidden (obfuscated)! :-D
IOC (VT, crypter): 1ef80e71e6d6d9415ffa65e655f473be
IOC (VT, original): 5dec959d88a999fb59e3995c34209a4a
0x05 Why can Crypters be Fully Undetectable (FUD)?
FUD crypters can be used to encrypt viruses, RATs, keyloggers, spyware, etc. to make them undetectable by antivirus.
The crypter takes the original binary file, applies several encryption passes to it and stores the result at the end of the file (EOF).
So a new crypted executable file is created.
The new exe is not detected by antivirus because its code is scrambled by the crypter.
Nonetheless, many (homemade) crypters can be detected via heuristic and behavior analysis!
My recent findings
[SI-LAB] – February 18th, 2019: The Muncy malware is on the rise
[SI-LAB] – March 1st, 2019: FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
[SI-LAB] – March 5th, 2019: The story of the JCry ransomware spread in #OpJerusalem2019 is now infecting Windows users
[SI-LAB] – March 20th, 2019: LockerGoga is the most active ransomware that focuses on targeting companies and bypasses AV signature-based detection
Take Home Messages
- Today, criminals are using novel techniques to bypass AV detections
- Manual debugging must be used to unpack malware
- Dissecting malware allows us to understand criminals’ modus operandi
- Manual analysis is always required to reveal FUD malware
Follow us@

Contenu connexe

Tendances

Metasploit
MetasploitMetasploit
Metasploithenelpj
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
 
Comprendre les scripts shell auto-extractible
Comprendre les scripts shell auto-extractibleComprendre les scripts shell auto-extractible
Comprendre les scripts shell auto-extractibleThierry Gayet
 
Breaking Down the Entry Barriers on Linux Kernel Networking Stack
Breaking Down the Entry Barriers on Linux Kernel Networking StackBreaking Down the Entry Barriers on Linux Kernel Networking Stack
Breaking Down the Entry Barriers on Linux Kernel Networking StackJuhee Kang
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
The Best (and Worst) of Django
The Best (and Worst) of DjangoThe Best (and Worst) of Django
The Best (and Worst) of DjangoJacob Kaplan-Moss
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsKoan-Sin Tan
 
Using an FTP client - Client server computing
Using an FTP client -  Client server computingUsing an FTP client -  Client server computing
Using an FTP client - Client server computinglordmwesh
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction Mohamed Gad
 

Tendances (20)

Metasploit
MetasploitMetasploit
Metasploit
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng Hưng
 
CrypTool: Cryptography for the masses
CrypTool: Cryptography for the massesCrypTool: Cryptography for the masses
CrypTool: Cryptography for the masses
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTP
 
Comprendre les scripts shell auto-extractible
Comprendre les scripts shell auto-extractibleComprendre les scripts shell auto-extractible
Comprendre les scripts shell auto-extractible
 
Breaking Down the Entry Barriers on Linux Kernel Networking Stack
Breaking Down the Entry Barriers on Linux Kernel Networking StackBreaking Down the Entry Barriers on Linux Kernel Networking Stack
Breaking Down the Entry Barriers on Linux Kernel Networking Stack
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Windows Security
Windows Security Windows Security
Windows Security
 
Manticore 6.pdf
Manticore 6.pdfManticore 6.pdf
Manticore 6.pdf
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
kali linux
kali linux kali linux
kali linux
 
The Best (and Worst) of Django
The Best (and Worst) of DjangoThe Best (and Worst) of Django
The Best (and Worst) of Django
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Using an FTP client - Client server computing
Using an FTP client -  Client server computingUsing an FTP client -  Client server computing
Using an FTP client - Client server computing
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction
 

Similaire à Strategies to design FUD malware

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileRicardo L0gan
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Oleksyk applied-anti-forensics
Oleksyk   applied-anti-forensicsOleksyk   applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 

Similaire à Strategies to design FUD malware (20)

Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o File
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)
 
Presentación1
Presentación1Presentación1
Presentación1
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Oleksyk applied-anti-forensics
Oleksyk   applied-anti-forensicsOleksyk   applied-anti-forensics
Oleksyk applied-anti-forensics
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Linux Virus
Linux VirusLinux Virus
Linux Virus
 
File000125
File000125File000125
File000125
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 

Dernier

Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 

Dernier (20)

Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...

Strategies to design FUD malware

  • 1. Strategies to design FullyUnDetectable malware III Jornadas de InfoWeb - Universidade da Beira Interior 21 de março de 2019 Pedro Tavares <ptavares@dognaedis.com>
  • 2. Pedro Tavares is a professional working as Malware Researcher, Ethical Hacker and also Security Evangelist. Pedro is also a founding member and Pentester at CSIRT.UBI and Editor-in-Chief and Creator of the security computer blog seguranca-informatica.pt. In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a freelance writer. LinkedIn Twitter <ptavares@dognaedis.com>
  • 3. Dognaedis – A Prossegur Company ● Cyber Intelligence ● Managed Services ● Security Technologies ● Audit & Testing ● Consultancy Service Lines
  • 4. Required Software
    - Virtual Machine (Windows 10, 8, 7 or XP)
    Software:
    ● PeiD
    ● CFF Explorer
    ● UPX packer
    ● X64dbg
    ● Dev-C++ compiler
    Recommended resources (to read):
    ● Intro to x86 Assembly Language
    ● How to use xdbg64 debugger
    “communicating with the machine is like communicating with an alien”
  • 5. Agenda
    0x01 What is a Malware?
    0x02 Windows Internals 101
    0x03 Portable Executable (PE) Files 101
    0x04 Malware Protection 101
    --0X041 Packers, Crypters and Protectors
    --0X042 UPX Packer – How to Unpack UPX
    --0X043 Creating a Simple XOR Crypter
    0x05 Why Crypters can be Fully Undetectable (FUD)?
  • 6. 0x01 What is a Malware?
  • 7. 0x01 What is a Malware? Malware is a generic term that describes any program or malicious code that is dangerous to systems. "Malware attacks would not work without the most important ingredient: the user." Malwarebytes
  • 8. 0x01 What is a Malware?
    Adware [designed to trigger ads]
    Spyware [observes user activities without their knowledge/permission]
    Virus [malware attached to another program that can replicate and spread after a first execution]
    Worms [similar to viruses, but they don’t need to be attached to spread]
    Trojan (RAT) [takes control of users’ devices]
    Ransomware [encrypts users’ devices and requests a ransom]
    Rootkit [complex malware that hides its activity and presence]
    Keylogger [captures everything typed on users’ keyboards]
    Cryptominer [uses users’ CPU power to mine cryptocurrency]
    Reference: https://blog.malwarebytes.com/glossary/
  • 9. 0x01 What is a Malware?
    Malware: - Invoice received in my inbox! (pdf) - Hum, why is it an .exe file? - Why does it execute a shell? A shell is opened!! :)
    No Malware: The program does what it should do!
  • 10. 0x01 What is a Malware?
    Everything is an object of analysis!
    Manual Analysis
    ● How it works
    ● What info is harvested
    ● How it collects info from the victim
    ● Techniques used
    Sandbox Analysis (automated) – fast but limited analysis.
    ● Is it a malware?
    ● What kind of malware is it? (trojan? ransomware?)
    ● What kind of data can it extract?
    ● IOCs (IP, DNS, Windows registry keys and files downloaded and dropped).
  • 12. 0x02 Windows Internals 101
    Main memory regions (stack, heap, code, data), laid out between the low and high memory addresses:
    Stack: used for local variables and parameters for functions, and to help control program flow. We'll always look here! :D
    Heap: used for dynamic memory during program execution, to allocate new values and eliminate (free) values that the program no longer needs.
    Code: contains the executable code; controls what the program does.
    Data: contains values that are put in place when a program is initially loaded. They do not change while the program is running.
  • 13. 0x02 Windows Internals 101
    User Mode (ring 3): User Application → Kernel32.dll → Ntdll.dll
    Kernel Mode (ring 0), privileged mode (rootkits run here): Ntoskrnl.exe → Kernel Data Structures
  • 14. 0x02 Windows Internals 101 sample.exe
  • 15. 0x02 Windows Internals 101 [Windows architecture diagram. User mode: Applications (Task Manager, Explorer, User Application), Subsystem DLLs (NTDLL.DLL, Windows DLLs, POSIX, OS/2), System Processes and Services (WinLogon, Session Manager, Services.Exe, LSASS, Service Control Mgr., SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe). Kernel mode: System Service Dispatcher (kernel mode callable interfaces); executive components: I/O Mgr, Device & File Sys. Drivers, File System Cache, Object Mgr., Plug and Play Mgr., Power Mgr., Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Configuration Mgr (registry), Windows USER/GDI, Graphics Drivers; System Threads; Kernel; Hardware Abstraction Layer (HAL); hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.)]
  • 16. 0x03 Portable Executable (PE) Files 101
  • 17. 0x03 Portable Executable (PE) Files 101
    PE File = Header + Sections
    Header:
    ● DOS Header – file signature MZ: Mark Zbikowski, who created the first linker for DOS.
    ● PE Header – file properties (number of sections, machine type, time stamp, etc.)
    ● Optional Header – it’s not "optional" per se, because it is required in executable files. RVA of entry point is here!
    ● Sections Table – summarizes each section’s raw size, virtual size, section name, etc.
    Sections (.text, .data, .rsrc, ...):
    ● Code (.text) – OEP and code
    ● Imports
    ● Data (.data) – initialized data
    ● Resource data (.rsrc)
    Reference: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
  • 18. 0x04 Malware Protection 101
    - Evading antivirus engines
    - Evading sandbox analysis (Cuckoo, Falcon, etc.)
    - Making malware analysis harder
    - Protecting malware source-code
  • 19. --0X041 Packers, Crypters and Protectors
    Packers: short for “runtime packers”. Packers unpack software in memory and are used to make files smaller. Used by criminals to make reverse engineering difficult.
    Crypters: this technique is also known as obfuscation. Cryptographic algorithms are used to make the hidden executable hard to detect by AV engines. This technique is the ultimate goal to turn malware FUD (Fully Undetectable) for its author.
    Protectors: a protector in this context is software that is intended to prevent tampering and reverse engineering of programs. The methods used can, and usually will, include both packing and encrypting. That combination plus some added features makes what is usually referred to as a protector.
    Reference: https://blog.malwarebytes.com/cybercrime/malware/2017/03/explained-packer-crypter-and-protector/
  • 20. --0X042 UPX Packer – How to Unpack UPX
  • 21. --0X042 UPX Packer – How to Unpack UPX
    1 Normal PE file structure before packing
    2 UPX packed PE file structure
    3 PE file after being unpacked and loaded into memory
    4 Fully unpacked PE file
    Main Tasks
    ● Unpack the original executable into memory
    ● Resolve all the imports of the original executable
    ● Transfer execution to the original entry point (OEP)
  • 22. --0X042 UPX Packer – How to Unpack UPX
    Packed file (UPX), built from this source:
    #include <stdio.h>
    #include <stdlib.h>
    int main() {
        // printf() displays the string inside the quotation marks
        printf("Hello, World!\n");
        system("PAUSE");
        return 0;
    }
  • 23. --0X042 UPX Packer – How to Unpack UPX Original PE File Packed File
  • 24. --0X042 UPX Packer – How to Unpack UPX Original PE File Packed File
  • 25. --0X042 UPX Packer – How to Unpack UPX Original PE File Packed File
  • 26. --0X042 UPX Packer – How to Unpack UPX Packed File Original PE File
  • 27. --0X042 UPX Packer – How to Unpack UPX
  • 28. --0X042 UPX Packer – How to Unpack UPX Original strings Packed strings!
  • 29. --0X042 UPX Packer – How to Unpack UPX
  • 30. --0X042 UPX Packer – How to Unpack UPX
  • 31. --0X042 UPX Packer – How to Unpack UPX
  • 32. --0X042 UPX Packer – How to Unpack UPX
    Main tasks:
    1) Find the executable Import Address Table (IAT).
    2) Get imports.
    3) Dump the executable (nonetheless, an error is presented; in fact, the IAT was not included).
    4) Fix the dump (the final executable will be fixed and saved with the SCY extension appended to the file name).
  • 33. --0X043 Creating a Simple XOR Crypter
  • 34. --0X043 Creating a Simple XOR Crypter A crypter is a program used to help malware evade antivirus signature-based detection. Dark Comet / Dark Comet crypted
  • 35. --0X043 Creating a Simple XOR Crypter
    Types of Crypters:
    Scantime – a scantime crypter encrypts the file to evade antiviruses before execution (signature-based detection). This is malware detection on disk.
    Runtime – runtime crypters are able to do this with the Windows API using a function called CreateProcess. There is a flag, CREATE_SUSPENDED, which allows the malware to be decrypted and then loaded into memory as a process before being executed.
  • 36. --0X043 Creating a Simple XOR Crypter Scantime Crypter
  • 37. --0X043 Creating a Simple XOR Crypter Menu
    1) Run hello_world.exe in x64dbg
    2) Identify .data VA
    3) Identify .text code cave
    4) Append XOR instructions
    5) Set new EP
    6) Run PE and generate a XORed file
    7) Run PE again and change XOR instructions to unXOR the .data section
    8) Fix dump!
  • 38. --0X043 Creating a Simple XOR Crypter
    Example: XOR 1 byte
    01010101 XOR 00010001 = 01000101
    01000101 XOR 00010001 = 01010101
    Sections: .text .data .rsrc ...
  • 39. --0X043 Creating a Simple XOR Crypter
  • 40. --0X043 Creating a Simple XOR Crypter
  • 41. --0X043 Creating a Simple XOR Crypter String “Hello World!” visible!
  • 42. --0X043 Creating a Simple XOR Crypter identify .rdata section (start-end) and code cave :)
  • 43. --0X043 Creating a Simple XOR Crypter
    - set NEP
    - assembly XOR code
    - jump to OEP
    Start .rdata: 0x404000
    End .rdata: 0x40446B
  • 44. --0X043 Creating a Simple XOR Crypter
    XOR assembly code (in the .text code cave):
        MOV EAX, 404000
        ADD BYTE PTR DS:[EAX], 37
        XOR BYTE PTR DS:[EAX], 0F
        ADD BYTE PTR DS:[EAX], 13
        INC EAX
        CMP EAX, 40446B
        JLE offset => ADD BYTE PTR DS:[EAX], 37
        JMP OEP
    Pseudo-code:
        for (i = 0x404000; i <= 0x40446B; i++) {
            mem[i] += 0x37;
            mem[i] ^= 0x0F;
            mem[i] += 0x13;
        }
  • 45. --0X043 Creating a Simple XOR Crypter XOR code in code cave .text section
  • 46. --0X043 Creating a Simple XOR Crypter EXCEPTION_ACCESS_VIOLATION :) +WX permissions
  • 47. --0X043 Creating a Simple XOR Crypter Persistent permissions are needed!!
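The section-table walk from slide 17 and the writable-plus-executable requirement from slides 46-47, as an added C example that is not from the slides: it parses a PE's DOS and PE headers, locates the section table and counts sections flagged both writable and executable, a cheap triage signal for an analyst looking at a patched file. Field offsets and flag values follow the Microsoft PE format reference cited on slide 17; the input is a constructed header-only image, not a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_MEM_EXECUTE 0x20000000u  /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_READ    0x40000000u  /* IMAGE_SCN_MEM_READ    */
#define SCN_MEM_WRITE   0x80000000u  /* IMAGE_SCN_MEM_WRITE   */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walks the section table and counts sections that are both writable and executable.
 * Returns -1 if buf is not a well-formed PE; copies the first W+X name into first_wx (9 bytes). */
int count_wx_sections(const uint8_t *buf, size_t len, char first_wx[9]) {
    first_wx[0] = '\0';
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;      /* DOS header: MZ signature */
    uint32_t pe = rd32(buf + 0x3C);                                   /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(buf + pe + 6), optsz = rd16(buf + pe + 20);  /* NumberOfSections, SizeOfOptionalHeader */
    size_t off = (size_t)pe + 24 + optsz;                             /* section table follows the optional header */
    int wx = 0;
    for (uint16_t i = 0; i < nsec; i++, off += 40) {                  /* one 40-byte IMAGE_SECTION_HEADER each */
        if (off + 40 > len) return -1;
        uint32_t ch = rd32(buf + off + 36);                           /* Characteristics field */
        if ((ch & SCN_MEM_WRITE) && (ch & SCN_MEM_EXECUTE)) {
            if (wx++ == 0) { memcpy(first_wx, buf + off, 8); first_wx[8] = '\0'; }
        }
    }
    return wx;
}

/* Constructed sample, not a real binary: a header-only PE32 image with .text as R+X
 * and .rdata changed to R+W+X, the state the crypter on slides 46-47 needs. */
size_t build_sample(uint8_t *out, size_t cap) {
    const size_t pe = 0x80, optsz = 0xE0, secs = pe + 24 + optsz, total = secs + 2 * 40;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z'; wr32(out + 0x3C, (uint32_t)pe);       /* MZ + e_lfanew */
    memcpy(out + pe, "PE\0\0", 4);
    out[pe + 6] = 2;                                                  /* NumberOfSections */
    out[pe + 20] = (uint8_t)optsz;                                    /* SizeOfOptionalHeader (PE32) */
    memcpy(out + secs, ".text", 5);
    wr32(out + secs + 36, SCN_MEM_READ | SCN_MEM_EXECUTE);
    memcpy(out + secs + 40, ".rdata", 6);
    wr32(out + secs + 40 + 36, SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE);
    return total;
}

int main(void) {                                 /* stand-alone run: "W+X sections: 1 (first: .rdata)" */
    uint8_t img[512]; char name[9]; size_t n = build_sample(img, sizeof img);
    printf("W+X sections: %d (first: %s)\n", count_wx_sections(img, n, name), name);
    return 0;
}
```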
  • 48. --0X043 Creating a Simple XOR Crypter
  • 49. --0X043 Creating a Simple XOR Crypter unXOR and create final patch
        MOV EAX, 404000
        ADD BYTE PTR DS:[EAX], -13
        XOR BYTE PTR DS:[EAX], 0F
        ADD BYTE PTR DS:[EAX], -37
        INC EAX
        CMP EAX, 40446B
        JLE offset => ADD BYTE PTR DS:[EAX], -13
        JMP OEP
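The ADD/XOR/ADD loop from slide 44 and the unXOR patch from slide 49, as an added C example that is not from the slides: it applies the byte transform to a constructed stand-in for the .rdata bytes, recovers them with the steps undone in reverse order, and shows that undoing them in the forward order does not recover the data, which is why the patch's constants are swapped as well as negated. recovers_string is an added analyst-side helper, not something on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the slide-44 loop: ADD 37h, XOR 0Fh, ADD 13h on every byte. */
#define K_ADD1 0x37
#define K_XOR  0x0F
#define K_ADD2 0x13

/* One pass with the slide-44 loop shape: ADD a1, XOR 0Fh, ADD a2 per byte
 * (negative a1/a2 subtract, like the -13/-37 operands on slide 49). */
static void pass(uint8_t *buf, size_t len, int a1, int a2) {
    for (size_t i = 0; i < len; i++) {
        buf[i] = (uint8_t)(buf[i] + a1);
        buf[i] ^= K_XOR;
        buf[i] = (uint8_t)(buf[i] + a2);
    }
}

/* Forward transform (slide 44): what the code cave does to the .rdata range. */
void xor_crypt(uint8_t *buf, size_t len)     { pass(buf, len, K_ADD1, K_ADD2); }
/* Inverse (slide 49): the same steps undone in reverse order, ADD -13h ... ADD -37h. */
void xor_decrypt(uint8_t *buf, size_t len)   { pass(buf, len, -K_ADD2, -K_ADD1); }
/* Wrong inverse that keeps the forward order; ADD and XOR do not commute, so it fails. */
void wrong_decrypt(uint8_t *buf, size_t len) { pass(buf, len, -K_ADD1, -K_ADD2); }

/* Analyst check: decrypt a copy of the obfuscated bytes and report whether the
 * expected marker string reappears. Returns 1 if found, 0 otherwise. */
int recovers_string(const uint8_t *cipher, size_t len, const char *marker) {
    uint8_t tmp[256];
    size_t m = strlen(marker);
    if (len > sizeof tmp || m > len) return 0;
    memcpy(tmp, cipher, len);
    xor_decrypt(tmp, len);
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(tmp + i, marker, m) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t rdata[] = "Hello, World!";            /* constructed stand-in for the .rdata bytes */
    size_t n = sizeof rdata - 1;
    xor_crypt(rdata, n);                          /* 'H' (0x48) becomes 0x83 */
    printf("marker recovered: %d\n", recovers_string(rdata, n, "World"));
    return 0;
}
```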
  • 50. --0X043 Creating a Simple XOR Crypter Crypter Original PE File Nothing!
  • 51. --0X043 Creating a Simple XOR Crypter
    Result: only PE file “strings” are hidden (obfuscated)! :-D
    VT original / VT crypter
    IOC: 1ef80e71e6d6d9415ffa65e655f473be
    IOC: 5dec959d88a999fb59e3995c34209a4a
  • 52. 0x05 Why Crypters can be Fully Undetectable (FUD)? FUD crypters can be used to encrypt viruses, RATs, keyloggers, spyware, etc. to make them undetectable by antiviruses. The crypter takes the original binary file, applies several layers of encryption to it and stores the result at the end of file (EOF), so a new crypted executable file is created. The new exe is not detected by antiviruses because its code is scrambled by the crypter. Nonetheless, many (homemade) crypters can be detected via heuristic and behavior analysis!
  • 53. My recent findings
    [SI-LAB] – February 18th, 2019: The Muncy malware is on the rise
    [SI-LAB] – March 1st, 2019: FlawedAmmyy Leveraging Undetected XLM Macros as an Infection Vehicle
    [SI-LAB] – March 5th, 2019: The story of the JCry ransomware spread in #OpJerusalem2019 is now infecting Windows users
    [SI-LAB] – March 20th, 2019: LockerGoga is the most active ransomware that focuses on targeting companies and bypass AV signature-based detection
  • 54. Take Home Messages
    - Today, criminals are using novel techniques to bypass AV detections
    - Manual debugging must be used to unpack malware
    - Dissecting malware allows us to understand criminals’ modus operandi
    - Manual analysis is always required to reveal FUD malware