AV is Dead! Is AV Dead?
ROOTCON 10 talk

"There is no algorithm that can perfectly detect all possible computer viruses."
Fred Cohen, 1987, pioneer of computer virus technology and defense

Virus
• A virus is an executable or piece of code that has the capability to replicate and attach itself onto a target file
Malware
• A term used to denote malicious software, including but not limited to worms, Trojans, ransomware and viruses
• Often referred to, by some people, as "virus"

Main questions to be answered
WHO: Who are the ones that are saying AV is dead?
WHY: Why are they saying that AV is dead?
WHAT: What should we learn from all of this?

Agenda
• Historic Malware Facts: A Never Ending War
• Proactive Development Of New Weapons
• Being Opinionated on Data
• Derivation

AV - Anti-Virus
• Software originally designed to detect and remove computer viruses
• Initially based on signature detection and blacklisting techniques, which use the scan-detect-protect-clean paradigm
• Although developed during the 80s, non-IT people are still used to the term AV (antivirus) to refer to the software they use to protect against malware

A Never Ending War
Timeline on the slide: 1980-1990, 1990-2000, 2000-2005, 2005-2010, 2010-2014, 2014-2016

Malware, as laid out along the timeline: Virus, Worms, Trojans, Rootkit, Exploits, Hijacker, Adware, Spyware, Rogue AV, Ransomware, APT

Malware techniques, as laid out along the timeline:
• Encryption, Polymorphism, Metamorphism
• Packing, Armouring, Protectors
• Anti-emulation, anti-debugging
• Botnet
• Vulnerability exploitation
• Dormancy
• Stealth
• EULA
• Lawsuits, greyware
• Social engineering
• Stolen digital signatures
• Fast flux
• Rapid variance generation
• More laser focused targeted attacks

Security responses, as laid out along the timeline:
• Signature based detection
• Hashing
• Heuristic
• Emulation
• Intelligent scanning
• Generic unpacking
• Behavioural analysis
• Virtualized environments
• Gateway solution
• Cloud
• Anti-rootkits
• Memory protection (PatchGuard)
• Machine learning
• Data mining
• Anomaly based detections
• NEXTGEN

A Never Ending War
Exact signature matching (pseudocode from the slide):

    PE32 GoEntryPoint()
    Sig = MatchExactHexa [0x60 0xe8 0x00 0x00 0x5d 0x81 0xed 0x0b …]
    If (Sig)
        return Infected

A Never Ending War
Using heuristic based signature detections, emulation and intelligent scanning, AV engines can now remove garbage code and produce the actual malicious code.
And again, malware authors responded with anti-emulation techniques such as near-infinite loops and timing based techniques that count the difference in processor cycles between two points.

Heuristic based detections are the signature detections that we use nowadays. It's called a 1-to-many detection pattern.
The usual heuristic signature can detect from hundreds to thousands of samples per signature.
I know of a couple that can catch a million samples with one heuristic based signature.
But those are few and rare, as it is very hard to find a common pattern across different variants, families and different generations of malware.
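As an added example (not code from the talk), here is the exact entry-point check from the earlier slide made concrete in Python and extended to the 1-to-many heuristic signature described above: wildcard positions (None) let one signature cover variants that differ only in the bytes an author varies. The PE parsing and the build_pe sample builder are assumptions so the block runs stand-alone; the signature bytes are the slide's, with its elided tail dropped.

```python
import struct

# Signature bytes taken from the slide (elided tail dropped). In the heuristic
# form the bytes that vary between samples of a family are wildcarded with None.
EXACT_SIG = [0x60, 0xE8, 0x00, 0x00, 0x5D, 0x81, 0xED, 0x0B]       # 1-to-1
HEURISTIC_SIG = [0x60, 0xE8, None, None, 0x5D, 0x81, 0xED, None]   # 1-to-many

def entry_point_offset(pe: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sect + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return rawptr + (entry_rva - vaddr)
    raise ValueError("entry point not inside any section")

def matches(code: bytes, sig) -> bool:
    """Fixed signature bytes must match exactly; None matches any byte."""
    return len(code) >= len(sig) and all(s is None or s == b for s, b in zip(sig, code))

def scan(pe: bytes, sig) -> bool:
    """The slide's check: go to the entry point, compare, report infected (True)."""
    off = entry_point_offset(pe)
    return matches(pe[off:off + len(sig)], sig)

def build_pe(entry_code: bytes) -> bytes:
    """Constructed minimal PE32 (assumption): one .text section whose raw data starts with entry_code."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint (RVA)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytearray(0x400)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x80)                # e_lfanew
    body = b"PE\0\0" + coff + bytes(opt) + section
    headers[0x80:0x80 + len(body)] = body
    return bytes(headers) + entry_code.ljust(0x200, b"\x00")
```

Running scan() with EXACT_SIG against two constructed variants that differ in the wildcarded bytes catches only one of them, while HEURISTIC_SIG catches both; that difference is the 1-to-many property the slide describes.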
A Never Ending War
Am I running on a REAL machine???
GOTCHA!!!!

A Never Ending War
Windows 7 64-bit
- Code Integrity Policy prevents unsigned kernel-mode drivers from loading
- Windows PatchGuard protects against modification of:
  - SSDT (System Service Dispatch Table)
  - IDT (Interrupt Descriptor Table)
  - GDT (Global Descriptor Table)
  - Patching of code in the kernel

"The Master Boot Record (MBR) is the first 512 bytes of a data storage device that contains code for bootstrapping an operating system. It houses the table of primary partitions using the IBM partition table scheme. Its primary purpose is to load the boot sector and pass control to it (volume boot record)."

A Never Ending War
Normal boot sequence: Load MBR -> Load VBR -> Load Bootmgr -> Load winload.exe or winresume.exe -> Load kernel and other drivers

MBR (Master Boot Record): loads the VBR
VBR (Volume Boot Record): loads the Bootmgr
Bootmgr: reads the BCD (Boot Configuration Data) and loads either winload.exe or winresume.exe (restores the state of a hibernating system)
Winload.exe: initializes the code integrity policy, loads the kernel and its dependencies hal.dll, bootvid.dll, kdcom.dll
Kernel initialization: calls KdDebuggerInitialize1 from kdcom.dll to initialize the debugging facilities of the system

A Never Ending War
Infected boot sequence (TDL4): Load infected MBR -> Load LDR16 from its file system -> Hook INT 13h and restore original MBR -> Load VBR -> Load Bootmgr -> Load Winload.exe (WinPE mode) -> Load ntoskrnl.exe, hal.dll and kdcom.dll -> Call KdDebuggerInitialize1 -> Initialize kernel

Infected MBR: contains malicious code for loading TDL4; loads LDR16
LDR16: replaces a key BCD value in the registry to initiate WinPE mode; hooks INT 13h
Hook INT 13h: waits for kdcom.dll to be loaded, then replaces its image in memory with LDR32 or LDR64 (platform dependent)
WinPE mode: since the value in the BCD registry hive was replaced, WinPE mode is activated and code integrity is disabled
Loads kernel dependencies: while the dependencies are loaded, when the hook finds kdcom.dll in memory it replaces the image with LDR32 or LDR64
Why KDCOM.DLL: it contains a function that is called by the system to initialize system debuggers
LDR32/64: contains the same functions as the original kdcom.dll but only one works, KdDebuggerInitialize1; all others are dummies and return 0, so the kernel debugger is disabled
DRV32 or DRV64 (the rootkit's main component for hooking) will be loaded
Continues loading as if nothing happened

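Added example, not code from the talk: a defender-side check over the MBR layout quoted earlier (446 bytes of bootstrap code, four 16-byte primary partition entries, 0x55AA signature), hashing the boot code against a known-good baseline so that the kind of on-disk replacement in the TDL4 chain above shows up as drift. The sample MBR, its baseline and the placeholder boot-code bytes are constructed here; because the chain hooks INT 13h to hand back the original MBR, run such a check from outside the suspect system (offline image or boot media).

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"      # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, primary partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # partition type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "valid_signature": sector[510:512] == SIGNATURE}

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; partition table edits do not change it."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Findings a defender cares about: bad signature, boot code drift, no active partition."""
    findings = []
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    return findings

def make_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed sample MBR (assumption): pad boot code to 446 bytes, append entries and signature."""
    table = b"".join(struct.pack("<B3xB3xII", st, pt, lba, n) for st, pt, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE

# Constructed known-good MBR: placeholder boot-code bytes, one active partition of type 0x07.
GOOD_MBR = make_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(GOOD_MBR)
```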
A Never Ending War
"We are essentially going in circles. We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed."
David Hoelzer, Director of Research, Enclave Forensics

WHO?
• People who have limited knowledge about the subject
• Irate victims of malware attacks
• People who have other intent
  • Financial gain
  • Ego
  • Marketing a new technology (NextGen)
• 2008, 2014: big AV companies were quoted saying, in essence, that AV is not sufficient anymore

Proactive Development Of New Weapons
Diagram of "NextGen Software X" (labels recovered from the slide): Sample; Pre-filtering (Whitelisting & Metadata confidence); Behavioural analysis (almost similar to sandbox); Memory space: continuous check for anomalous behaviour; Parallel pipe; Bad pipe; Bad

How malware authors respond to it:
• Avoid known names or Microsoft system file names
• Use anti-sandbox techniques to defeat the behavioural analysis
• Stay dormant, but don't use ones that will trigger the sandbox traps
• Use trial and error to escape the anomalous behaviour checks

Being Opinionated On Data
2016 Verizon Data Breach Investigations Report

Being Opinionated On Data
2015 Microsoft Security Intelligence Report: Infection Rates For Protected and Unprotected Computers
Recent releases of the MSRT collect and report details about the state of real-time antimalware software on a computer, if the computer's administrator has chosen to opt in to provide data to Microsoft. This telemetry data makes it possible to analyze security software usage patterns around the world and correlate them with infection rates.
This graph tells us that computers that were unprotected were between 2.7 and 5.6 times as likely to be infected with malware as computers that were protected.

Being Opinionated On Data
"Antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet."
https://www.schneier.com/blog/archives/2014/05/is_antivirus_de_1.html

"In an era where anti-malware labs process hundreds of thousands of samples a day, failure to realize the significance of a vanishingly small set of stealthy, low-prevalence samples – however great their subsequent impact – while hardly describable as a success, is hardly a spectacular failure in statistical terms." [1]

Derivation
• To react to the evolving threats, "AV" or AM has evolved too
• It does not SOLELY use the simple signature based detection as it did 20 years ago
• Hash (blacklist), whitelisting, smart patterns or heuristics are the BASIC functionalities we're using for "AV" these days
• Even 20% protection is better than none (worst case scenario from AUSCERT)

Derivation
GOOD SECURITY
• Does not rely on a single technology for protection
• Multi-layered security is the right approach
  • Good endpoint security (AV/AM)
  • Good network based security
  • Backups
  • Updates and Patches
  • Secure your channels
• Don't overdo it

Extra: Getting Opinionated Again
"Consider whether you want to base your security strategy (at home or at work) on a PR exercise based on statistical misrepresentation and misunderstanding. Don't be too optimistic about finding The One True (probably generic) Solution: look for combinations of solutions that give you the best coverage at a price you can afford. The principle applies to home users too: the right free antivirus is a lot better than no protection." [1]
[1] www.welivesecurity.com/wp-content/uploads/.../avar-2013-paper.pdf

Q?