Bypassing antivirus detection with encryption

Presentation transcript:

Bypassing antivirus detection with encryption
University of Piraeus, Department of Digital Systems, «Security of Digital Systems»
Tasiopoulos Vasilis
Supervisor: Sokratis Katsikas

Good afternoon. I am Vasilis Tasiopoulos and I am going to present to you the research that I did during my master's thesis with Mr Sokratis Katsikas. The title is …

About Me
- Studied at the University of Piraeus: Informatics; Security in Digital Systems
- Currently working at KPMG as an IT Advisor and Penetration Tester

Before that I will say some things about me. I studied at the University of Piraeus in the Department of Informatics and then I did my master's, titled Security in Digital Systems, in the Department of Digital Systems. I am also certified OSCP by Offensive Security and ISO 27001 by TUV. I am currently working at KPMG as an IT advisor and, specifically, as a penetration tester.

Contents
- Related Research
- Background Knowledge: Antivirus
- Crypter
- Background Knowledge: Portable Executable
- Background Knowledge: Portable Executable Loader
- RunPE and Injection
- Our Implementation
- Results

Now let's start. Here we can see the outline of this presentation.

Why?
- It is easier to change the crypter
- It is harder to change ALL the malware
- Who can use it: penetration tests; anyone with a legitimate purpose

There are a lot of times in my work as a pentester that I must persuade someone that antivirus software does not provide ultimate security. So why do we need crypters? There are a lot of viruses out there that antivirus software can identify and that we cannot use any more. So, what if we could create something (I mean the crypter) that can encrypt any malware, and then, if it gets identified by an antivirus, we just need to change the crypter?

Related Research
- Implementation of Runtime Crypter by Christian Ammann
- Packing Heat by Dimitrios A. Glynos
- The Crypter BluePrint by crypters.net
- Several tutorials on HackForums.net

Here we see related research on this subject that helped us in making our crypter.

Background Knowledge - Antivirus
- Signature-based detection: traditionally, antivirus software relied heavily on signatures, i.e. known byte patterns, to identify malware.
- Heuristics: another technique used in antivirus software is heuristic analysis, which identifies new malware or variants of known malware from suspicious characteristics rather than an exact match.
- Real-time protection: newer antivirus software also has a mechanism called "real-time" protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even generated on the fly. To deal with such tricks, antivirus packages also monitor and intercept API calls and perform a kind of "behavioral analysis": if a well-known process acts in an unusual manner, the antivirus marks it as suspicious.

Before we continue we must say some things about antivirus software and the mechanisms that detect malware, just so we know what we must evade. We have …. We also have …. And newer antivirus software has an option called ….

Crypters: Types and behavior
- Types: Runtime, Scantime
- Options: Internal Stub, External Stub

A Runtime Crypter encrypts the specified file; when the result is executed (run), the payload is decrypted in memory only. The file on disk stays encrypted both before and after execution, so the antivirus never gets a plaintext copy of the payload to analyze. A Scantime Crypter encrypts the specified file so that the antivirus cannot analyze it before it is executed, but NOT while it is executed: the decrypted payload is exposed at run time (for example, written to a directory and launched from there).

Crypter's behavior
- Crypter must: encrypt
- Stub must: decrypt, execute the malware
- Stub options: save to a directory; load it in memory; load it in the stub's process; load it in a new process; inject into another process (optimal)

RunPE and Injection
Method discovered by T. Keong.
Injection steps:
1. The stub is executed.
2. A new (legitimate) process is created in the "suspended" state.
3. The stub decrypts the malware.
4. The stub loads the malware in place of the suspended legitimate process's image.
5. The process is resumed.
Limitation: a 32-bit process or a 64-bit process, not both (the stub can only hollow a process of its own bitness).
Different implementations: alternative ways to call the APIs; use of undocumented APIs.

But just loading the malware into memory is not enough. It is better to inject the malware into a legitimate process. This can be done with a method discovered by T. Keong. The method follows the steps listed on the slide. This method has existed for many years and has been extensively used by crypters and malware, and that is why we need to modify it in order to bypass antivirus.
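The RunPE steps above depend on the stub understanding the PE layout well enough to place the payload's headers and sections at the right addresses inside the suspended process. What follows is an added example in Go, not code from the thesis or its C# crypter. It parses the header fields a RunPE-style loader needs (ImageBase, AddressOfEntryPoint, SizeOfImage, SizeOfHeaders, the section table) and performs the section-to-RVA copy into a local buffer instead of a hollowed process; process creation and WriteProcessMemory are deliberately left out. It also reads the optional-header magic, which is how a stub distinguishes a PE32 image from a PE32+ one and so enforces the 32-bit/64-bit limitation on the slide. SamplePE, the constructed header bytes and the helper names are my assumptions for the demonstration; the sample is not a runnable executable.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Image: the header fields a RunPE-style loader needs; Is64 must match the host process bitness.
type Image struct {
	Is64                                   bool
	ImageBase                              uint64
	EntryPoint, SizeOfImage, SizeOfHeaders uint32 // EntryPoint is an RVA
	Sections                               []Section
}

type Section struct{ Name string; VirtualAddress, RawOffset, RawSize uint32 }

// ParsePE walks DOS header -> PE signature -> COFF header -> optional header -> section table,
// bounds-checking every read: the crypted payload is untrusted input to the stub.
func ParsePE(b []byte) (*Image, error) {
	le := binary.LittleEndian
	if len(b) < 0x40 || string(b[:2]) != "MZ" {
		return nil, errors.New("missing MZ header")
	}
	pe := le.Uint32(b[0x3c:])
	if uint64(pe)+24 > uint64(len(b)) || string(b[pe:pe+4]) != "PE\x00\x00" {
		return nil, errors.New("missing PE signature")
	}
	coff, opt := pe+4, pe+24
	nsec, optSize := le.Uint16(b[coff+2:]), le.Uint16(b[coff+16:])
	if optSize < 64 || uint64(opt)+uint64(optSize)+40*uint64(nsec) > uint64(len(b)) {
		return nil, errors.New("truncated optional header or section table")
	}
	img := &Image{EntryPoint: le.Uint32(b[opt+16:]), SizeOfImage: le.Uint32(b[opt+56:]), SizeOfHeaders: le.Uint32(b[opt+60:])}
	switch le.Uint16(b[opt:]) {
	case 0x10b: // PE32: 32-bit ImageBase at +28
		img.ImageBase = uint64(le.Uint32(b[opt+28:]))
	case 0x20b: // PE32+: 64-bit ImageBase at +24 (there is no BaseOfData field)
		img.Is64, img.ImageBase = true, le.Uint64(b[opt+24:])
	default:
		return nil, errors.New("unknown optional header magic")
	}
	for i := uint32(0); i < uint32(nsec); i++ {
		off := opt + uint32(optSize) + i*40 // IMAGE_SECTION_HEADER is 40 bytes
		img.Sections = append(img.Sections, Section{
			Name:           strings.TrimRight(string(b[off:off+8]), "\x00"),
			VirtualAddress: le.Uint32(b[off+12:]),
			RawSize:        le.Uint32(b[off+16:]),
			RawOffset:      le.Uint32(b[off+20:]),
		})
	}
	return img, nil
}

// MapImage does in a local buffer what the stub does with WriteProcessMemory into the
// hollowed target: headers at offset 0, then each section's raw bytes at its RVA.
func MapImage(b []byte, img *Image) ([]byte, error) {
	if img.SizeOfHeaders > img.SizeOfImage || uint64(img.SizeOfHeaders) > uint64(len(b)) {
		return nil, errors.New("bad SizeOfHeaders")
	}
	mem := make([]byte, img.SizeOfImage)
	copy(mem, b[:img.SizeOfHeaders])
	for _, s := range img.Sections {
		rawEnd := uint64(s.RawOffset) + uint64(s.RawSize)
		if rawEnd > uint64(len(b)) || uint64(s.VirtualAddress)+uint64(s.RawSize) > uint64(len(mem)) {
			return nil, fmt.Errorf("section %q does not fit in file or image", s.Name)
		}
		copy(mem[s.VirtualAddress:], b[uint64(s.RawOffset):rawEnd])
	}
	return mem, nil
}

// SamplePE is a constructed, minimal PE32 header with one .text section. It is not a
// runnable executable; it only lets the parser and mapper be exercised offline.
func SamplePE() []byte {
	b := make([]byte, 0x400)
	copy(b, "MZ")
	copy(b[0x80:], "PE\x00\x00")
	put := func(off int, v ...uint32) { for i, x := range v { binary.LittleEndian.PutUint32(b[off+4*i:], x) } }
	put(0x3c, 0x80)                  // e_lfanew
	put(0x84, 0x0001014c)            // Machine=I386 (0x14c), NumberOfSections=1
	put(0x94, 0x000000e0)            // SizeOfOptionalHeader=0xe0, Characteristics=0
	put(0x98, 0x0000010b)            // Magic=PE32
	put(0xa8, 0x1010)                // AddressOfEntryPoint
	put(0xb4, 0x400000)              // ImageBase
	put(0xd0, 0x2000, 0x200)         // SizeOfImage, SizeOfHeaders
	copy(b[0x178:], ".text")         // first IMAGE_SECTION_HEADER at 0x98+0xe0
	put(0x184, 0x1000, 0x200, 0x200) // VirtualAddress, SizeOfRawData, PointerToRawData
	b[0x210] = 0xC3                  // RET at file offset 0x210 == RVA 0x1010, the entry point
	return b
}

func main() {
	b := SamplePE()
	img, err := ParsePE(b)
	if err != nil { panic(err) }
	mem, err := MapImage(b, img)
	if err != nil { panic(err) }
	fmt.Printf("PE32+=%v base=%#x entry=%#x mapped=%d bytes, byte at entry=%#x\n",
		img.Is64, img.ImageBase, img.EntryPoint, len(mem), mem[img.EntryPoint])
}
```

Run it with `go run`. A stub that cannot place the image at its preferred ImageBase inside the target must also apply the base relocation table before resuming the thread; that step, and the thread-context update that points execution at ImageBase+EntryPoint, are omitted here.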

Our Implementation
- Crypter's type: Runtime Crypter, External Stub
- Developed in C# with Visual Studio, 2500 lines of code
- Encryption: AES. The password string is hashed with MD5, and the 128-bit digest is passed to AES as the key.
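To make the run-time crypter idea from the earlier slides concrete (the crypter encrypts, the stub decrypts in memory, and a signature scanner sees only ciphertext on disk), here is an added example in Go. It is not the thesis's C# crypter and not code from the talk. It reproduces the key derivation stated on the slide (MD5 of the pass-phrase used directly as the AES-128 key), encrypts a constructed stand-in payload, shows that a byte-pattern signature matches the plain payload but not the crypted file, and recovers the payload in memory the way a stub would. AES-CBC with PKCS#7 padding, the IV handling, the EVIL_MARKER signature and SamplePayload are my assumptions; the slides only name AES and MD5.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyFromPassword reproduces the talk's key derivation: MD5 of the pass-phrase,
// 128-bit digest used directly as the AES-128 key. MD5 adds no stretching; it is
// kept for fidelity to the slides, not as a recommendation.
func keyFromPassword(pass string) []byte {
	sum := md5.Sum([]byte(pass))
	return sum[:]
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("padded data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt is the crypter side: AES-128-CBC with a fresh random IV prepended.
// CBC + PKCS#7 is an assumption; the slides only name AES.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// Decrypt is the stub side: it runs at execution time and keeps the recovered
// payload in memory only, which is what makes the crypter a run-time one.
func Decrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

// SignatureHit models the plainest signature-based scan: is a known byte
// pattern present in the file as it sits on disk?
func SignatureHit(file, sig []byte) bool { return bytes.Contains(file, sig) }

// SamplePayload is a constructed stand-in for the file being crypted, not a real
// executable; EVIL_MARKER plays the part of the bytes a signature would match.
func SamplePayload() []byte {
	return []byte("MZ..constructed payload..EVIL_MARKER..more constructed bytes..")
}

func main() {
	key, sig, payload := keyFromPassword("secret"), []byte("EVIL_MARKER"), SamplePayload()
	ct, err := Encrypt(key, payload)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature hits plain payload: %v\n", SignatureHit(payload, sig))
	fmt.Printf("signature hits crypted file:  %v\n", SignatureHit(ct, sig))
	fmt.Printf("payload recovered in memory:  %v\n", bytes.Equal(pt, payload))
}
```

The signature check is deliberately the weakest form of detection: it is exactly what a crypter defeats, while the heuristic and real-time mechanisms from the antivirus slide still see the decrypted payload once the stub hands it to a process. Note also that the key lives inside the stub, so anyone who can read the stub can decrypt the payload; the encryption hides the payload from a scanner, not from an analyst.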

Architecture (crypter, build time)
- User selects the malware
- User configures the available options (optional)
- Crypter reads the malware byte by byte
- Encrypting the malware
- Crypter reads the stub
- Removing comments from the stub
- Adding assembly info to the stub (optional)
- Adding hide code to the stub (optional)
- Adding a fake message to the stub (optional)
- Adding junk code to the stub (optional)
- Adding fake APIs to the stub (optional)
- Adding decompression code to the stub (optional)
- Adding Addi-… code to the stub (optional)
- Adding startup code to the stub (optional)
- Encrypting the injection path
- Adding the injection process path to the stub
- Adding the encryption key to the stub
- Reading the selected RunPE
- Randomizing class, function and variable names and adding them to the stub and to RunPE

We have included several options in our crypter. These options are the ones marked as optional.

Architecture (continued)
- Compiling RunPE as a DLL
- Reading the DLL
- Encrypting the DLL
- Compressing the encrypted DLL (optional)
- Adding the encrypted malware and DLL as resources to the stub
- Adding an icon to the stub (optional)
- Compiling the stub as an executable
- Adding EOF data to the executable (optional)

RunPE is compiled as a DLL because we want to encrypt it and load it directly in memory. This is possible because we created it with managed code, and the .NET Framework can do the work for us.

Architecture: stub after execution
- Read the encrypted DLL
- Decrypt the DLL
- Load the DLL in memory
- Read the encrypted malware
- Decrypt the malware
- Call the DLL with the decrypted malware
- The malware is injected into another process

Architecture: key points
- Unique code
- Injection implemented in an encrypted DLL
- Random function, class and variable names
- Encrypted strings
Result: a unique executable, so no fixed byte sequence is shared between builds for a signature to match.

Crypters GUI and Options

Results: the lab
- Windows XP 32/64-bit: Avast / AVG
- Windows Vista 32/64-bit: Kaspersky / Norton
- Windows 7 32/64-bit: Microsoft Security Essentials / ESET
- Online scanners: http://nodistribute.com, https://www.metascan-online.com
Files tested: Netcat.exe, DarkComet malware, Poison Ivy

Results
Table columns: Virus | Injection Method | Windows Version | RunPE Choice | Working | Detection | Notes
Table cells as recovered (row structure not preserved): Darkcomet; CSC; 32bit; 3; YES; 0/40; 64bit; 2; 5; 6; Default Browser; Mozilla; Mozilla/Chrome; Internet explorer; svchost