Date posted: 17-Dec-2015
University of Piraeus, Department of Digital Systems, «Security of Digital Systems»
Supervisor: Sokratis Katsikas
Bypassing antivirus detection with encryption
Tasiopoulos Vasilis
About Me
Studied at University of Piraeus, Informatics Security in Digital Systems
Currently working at KPMG as an IT Advisor and Penetration Tester
Contents
Related Research
Background Knowledge - Antivirus
Crypter
Background Knowledge - Portable Executable
Background Knowledge - Portable Executable Loader
RunPE and Injection
Our Implementation
Results
Why?
It is easier to change the crypter; it is harder to change ALL malware.
Who can use it: penetration tests; anyone with a legitimate purpose.
Related Research
Implementation of Runtime Crypter by Christian Ammann
Packing Heat by Dimitrios A. Glynos
The Crypter BluePrint by crypters.net
Several tutorials on HackForums.net
Background Knowledge - Antivirus
Signature-based detection: Traditionally, antivirus software heavily relied on signatures to identify malware.
Heuristics: Another technique used in antivirus software is the use of heuristic analysis to identify new malware or variants of known malware.
Real-time protection: Newer antivirus software also has another mechanism called “real time” protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even created instantly. To be able to deal with such tricks antivirus packages are also capable of monitoring and intercepting API calls and of performing a kind of "behavioral analysis". So, if a well-known process acts in an unusual manner the antivirus will mark it as suspicious.
Crypters: Types and behavior
Types:
• Runtime
• Scantime
Options:
• Internal Stub
• External Stub
Crypter must:
• Encrypt
Crypter’s behavior
Stub must:
• Decrypt
• Execute malware
Stub options:
• Save in directory
• Load it in memory
• Load it in stub’s process
• Load in new process
• Inject into another process (optimal)
RunPE and Injection
Method discovered by T.keong
Injection:
1. The stub is executed.
2. A new process is created in "suspended" state.
3. The stub decrypts the malware.
4. The stub loads the malware in place of the suspended legitimate process.
5. The process is unsuspended.
Limitation: a given stub targets either 32-bit or 64-bit processes, not both.
Different implementations: alternative ways to call APIs; use of undocumented APIs.
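An added example, not part of the original slides, showing the defender's side of the sequence just described: it correlates constructed API telemetry in which one process creates a child suspended, writes into it, sets its thread context and resumes it, and flags that as RunPE-style hollowing while ignoring a plain suspended-create-then-resume. The event record shape and the API names logged are assumptions about what an endpoint sensor would record.

```python
# Added example (not from the original slides): a detection heuristic for the
# RunPE / process-hollowing sequence the slides describe. The record shape and
# API names below are assumptions about what an EDR or sandbox hook would log.
from collections import defaultdict

# Constructed sample telemetry: (time_s, caller_pid, api, details)
SAMPLE_EVENTS = [
    (1.00, 100, "CreateProcess", {"child": 200, "flags": "CREATE_SUSPENDED", "image": "svchost.exe"}),
    (1.05, 100, "NtUnmapViewOfSection", {"target": 200}),
    (1.10, 100, "WriteProcessMemory", {"target": 200}),
    (1.15, 100, "SetThreadContext", {"target": 200}),
    (1.20, 100, "ResumeThread", {"target": 200}),
    # Benign pattern: a debugger/launcher creates suspended, then resumes without rewriting memory.
    (5.00, 300, "CreateProcess", {"child": 400, "flags": "CREATE_SUSPENDED", "image": "notepad.exe"}),
    (5.50, 300, "ResumeThread", {"target": 400}),
]

# The calls that, after a suspended create, make up the slides' "load the malware
# in place of the suspended process, then unsuspend" step.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_runpe(events, window_s=10.0):
    """Return (parent_pid, child_pid, image) for every child created suspended whose
    creator then wrote its memory, reset its thread context and resumed it within window_s."""
    suspended = {}            # child pid -> (create time, parent pid, image name)
    steps = defaultdict(set)  # child pid -> APIs the parent has called on it so far
    alerts = []
    for t, pid, api, d in sorted(events, key=lambda e: e[0]):
        if api == "CreateProcess" and "CREATE_SUSPENDED" in d.get("flags", ""):
            suspended[d["child"]] = (t, pid, d["image"])
            continue
        target = d.get("target")
        if target not in suspended:
            continue
        t0, parent, image = suspended[target]
        if pid != parent or t - t0 > window_s:
            continue              # only the creating process, only within the window
        steps[target].add(api)
        if api == "ResumeThread":  # the process is unsuspended: decide now
            if all(s in steps[target] for s in HOLLOW_STEPS):
                alerts.append((parent, target, image))
            del suspended[target]
            steps.pop(target, None)
    return alerts


if __name__ == "__main__":
    print(detect_runpe(SAMPLE_EVENTS))  # [(100, 200, 'svchost.exe')]
```

Because the slides note that alternative or undocumented API calls can be used instead, matching these names is only one signal; it is usually combined with other telemetry such as a mismatch between the resumed process's on-disk image and its in-memory code.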
Our Implementation
Crypter’s type: Runtime Crypter, External Stub
Developed: C#, Visual Studio, 2500 lines of code
Encryption: AES
Architecture
1. User selects the malware
2. User configures the available options (optional)
3. Crypter reads the malware byte per byte
4. Encrypting malware
5. Crypter reads the Stub
6. Adding assembly info to stub (optional)
7. Encrypting injection path
8. Adding injection process path to stub
9. Reading selected RunPE
10. Adding startup code to stub (optional)
11. Adding Hide code to stub (optional)
12. Removing comments from stub
13. Adding Fake message to stub (optional)
14. Adding Junk Code to stub (optional)
15. Adding Fake APIs to stub (optional)
16. Adding decompression code to stub (optional)
17. Adding Addi-… code to stub (optional)
18. Randomizing class, function and variable names and adding them to stub and to RunPE
19. Adding Encryption Key to stub
20. Compiling RunPE as DLL
21. Reading DLL
22. Encrypting DLL
23. Compressing encrypted DLL (optional)
24. Adding encrypted Malware and DLL as resources to stub
25. Adding Icon to stub (optional)
26. Compiling Stub as executable
27. Adding EOF data to executable (optional)
Architecture
Stub after execution:
1. Read encrypted DLL
2. Decrypt DLL
3. Load DLL in memory
4. Read encrypted malware
5. Decrypt malware
6. Call DLL with the decrypted malware
7. Malware is injected into another process
Key points: unique code; injection implemented in encrypted DLL; random function names, class names, variable names; encrypted strings.
Result: unique executable
Crypters GUI and Options
The lab:
Windows XP 32/64 bit – Avast/AVG
Windows Vista 32/64 bit – Kaspersky/Norton
Windows 7 32/64 bit – Microsoft Security Essentials/ESET
Online scanners: http://nodistribute.com, https://www.metascan-online.com
Files tested: Netcat.exe, DarkComet malware, Poison Ivy
Results
Virus | Injection Method | Windows Version | RunPE Choice | Working | Detection | Notes
Darkcomet | CSC | 32bit | 3 | YES | 0/40 |
Darkcomet | CSC | 64bit | 3 | YES | 0/40 |
Darkcomet | CSC | 32bit | 2 | YES | 0/40 |
Darkcomet | CSC | 64bit | 2 | YES | 0/40 |
Darkcomet | CSC | 32bit | 5 | YES | 0/40 |
Darkcomet | CSC | 64bit | 5 | YES | 0/40 |
Darkcomet | CSC | 32bit | 6 | YES | 0/40 |
Darkcomet | CSC | 64bit | 6 | YES | 0/40 |
Darkcomet | Default Browser | 32bit | 5 | YES | 0/40 | Mozilla
Darkcomet | Default Browser | 64bit | 5 | YES | 0/40 | Mozilla/Chrome
Darkcomet | Default Browser | 32bit | 5 | YES | 0/40 | Internet Explorer
Darkcomet | Default Browser | 64bit | 5 | YES | 0/40 | Internet Explorer
Darkcomet | svchost | 32bit | 5 | YES | 0/40 |
Darkcomet | svchost | 64bit | 5 | YES | 0/40 |