Have You Seen My Malware?

Post on 02-Nov-2014


Description: NovaHackers 11/2013 talk about the dangers of uploading malware to sandbox sites.

Transcript of Have You Seen My Malware?

Have You Seen My Malware?

Joshua Pitts, NovaHackers, Nov 18, 2013

About Me

• Twitter: @midnite_runr
• I work for Leviathan Security
• Reverse Engineering, Pentesting

Two Topics

• Recomposer
• ??

Submitting To VirusTotal

Who here uses VT?
– At Home?
– On Family’s computers?
– At Work?

The Dangers of VT

• VtNotify – By Mubix
• Look up by hash
• Easy for attackers to look up

Recomposer

• Python
• Win 32/64
• Two functions:
– PE Editor
– Signature Modifier or re-composer

• github.com/secretsquirrel/recomposer

Goal

Break the common signatures that enable malware to be easily tracked so we can once again upload to online sandbox sites with less worry about being found out

How?

• Randomly change:
– File and section names
– Section flags

• For each code cave over 20 bytes:
– Randomly pick one of five NOPs
– Inject a random number of those into the cave

• For the most part the binary still functions normally
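The three mutations above (randomised section names, altered section flags, NOP-like bytes written into code caves) each leave a trace in the PE header or in section slack. The following Python 3 script is an added example written for this page, not part of Recomposer or the talk; it parses the section table with the standard library only and flags those traces. The section-name allow-list, the "linkers zero-fill slack" heuristic and the two constructed sample PEs (built without an optional header, which this parser tolerates) are assumptions for the sake of the example; the 20-byte cave threshold is the one the slide gives.

```python
import struct

# Allow-list of section names mainstream linkers emit (constructed assumption; extend for your toolchain).
KNOWN_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".idata", b".edata", b".pdata", b".xdata",
    b".reloc", b".rsrc", b".bss", b".tls", b".CRT", b"CODE", b"DATA", b"BSS",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MIN_CAVE = 20                    # the talk's threshold: caves over 20 bytes get NOPs injected
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt_hdr
    sections = []
    for i in range(num_sections):
        (name, vsize, va, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return sections


def analyze_pe(data):
    """Return (kind, section, detail) findings for the mutations the talk describes."""
    findings = []
    for s in parse_sections(data):
        name = s["name"].decode("latin-1")
        if s["name"] not in KNOWN_SECTION_NAMES:
            findings.append(("unusual_section_name", name, None))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("writable_executable_section", name, hex(s["chars"])))
        # Raw data past the section's virtual size is a code cave. Linkers zero-fill it (heuristic
        # assumption), so non-zero bytes in a cave over MIN_CAVE bytes suggest something was injected.
        slack = s["rawsize"] - s["vsize"]
        if slack > MIN_CAVE:
            cave = data[s["rawptr"] + s["vsize"]: s["rawptr"] + s["rawsize"]]
            nonzero = sum(1 for b in cave if b != 0)
            if nonzero:
                findings.append(("non_zero_bytes_in_code_cave", name, nonzero))
    return findings


def build_sample_pe(specs):
    """Constructed minimal PE (no optional header) for testing: specs = [(name, vsize, raw_body, chars)]."""
    n = len(specs)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # i386, n sections, SizeOfOptionalHeader 0
    table, bodies = b"", b""
    rawptr, va = 64 + 4 + 20 + 40 * n, 0x1000
    for name, vsize, body, chars in specs:
        table += struct.pack(SECTION_HDR, name, vsize, va, len(body), rawptr, 0, 0, 0, 0, chars)
        bodies += body
        rawptr += len(body)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + table + bodies


CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# Constructed samples: a clean layout, and one with a random section name, RWX flags and a NOP-filled cave.
CLEAN_SPEC = [(b".text", 0x200, b"\xCC" * 0x200 + b"\x00" * 0x200, CODE_FLAGS),
              (b".data", 0x100, b"A" * 0x100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
MUTATED_SPEC = [(b".a9f3", 0x200, b"\xCC" * 0x200 + b"\x90" * 64 + b"\x00" * 0x1C0,
                 CODE_FLAGS | IMAGE_SCN_MEM_WRITE),
                (b".data", 0x100, b"A" * 0x100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]

if __name__ == "__main__":
    for label, spec in (("clean", CLEAN_SPEC), ("mutated", MUTATED_SPEC)):
        print(label, analyze_pe(build_sample_pe(spec)))
```

Run against a real file with `analyze_pe(open(path, "rb").read())`. The checks are deliberately cheap: none of them needs the optional header or any disassembly, and each corresponds to one of the three mutations, so a sample that trips all three is a strong hint that a hash-breaking tool, not a compiler, produced the layout.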

Results

• Created 11,200 binaries from one binary
• No collisions

Ssdeep Results

Compared to the original file (ssdeep score: number of files):

  77: 155
  79: 9
  80: 1662
  82: 46
  83: 5056
  85: 3292
  86: 15
  88: 849
  90: 2
  91: 107
  93: 6
  94: 1

• 1.0357 % of the files are >= 90%

Ssdeep across all files

• 11200 * 11200 = 125,440,000 comparisons
• Would take hours…
• Let’s do >= 90%

Comparison Results (ssdeep score: number of comparisons)

  100: 11,200 (expected: each file compared against itself)
  99: 0
  98: 0
  97: 0
  96: 168
  95: 0
  94: 62
  93: 7,604
  92: 0
  91: 216,384
  90: 0
  Total: 235,418

• 125,204,582 additional comparisons that are below 90 % matching.

Goal

Break the common signatures that enable malware to be easily tracked so we can once again upload to online sandbox sites with less worry about being found out

GREAT SUCCESS!

Part 1 Conclusion

You should feel better about using online sandbox sites now?

Right?

Part 2: My Malware went where?

When you upload binaries to online AV/malware sites:
– Is it truly sandboxed?
– Could an attacker tell if it was executed?
– Can you track the sandboxes?

Step 1: Make Malware

• Modified github.com/secretsquirrel/shellcode_retriever

• Each site had a unique URL (examples):
– VT: herrovirus.html
– Anubis: meow.html
– Malwr.com: yawn.html

• Compile to binary with pyinstaller

Step 2: Run Web Server

#!/usr/bin/env python
# Python 2 (BaseHTTPServer became http.server in Python 3).
# Minimal listener on port 88: it serves nothing, it only logs which IP asked for which URL.
import BaseHTTPServer

server = BaseHTTPServer.HTTPServer
server_address = ("", 88)


class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    # No do_GET is defined, so every request gets a 501, but it is still written to the log.
    def address_string(self):
        # Skip the default reverse-DNS lookup and log the raw client IP instead.
        return str(self.client_address[0])


httpd = server(server_address, MyHandler)
httpd.serve_forever()

Step 3: Upload

Selected Sandboxes:
– VirusTotal
– Malwr
– Threat
– Jotti
– Anubis
– Garyshood
– Virscan
– ThreatTrack

Responses

Sandbox         Total   Unique IPs   Response on upload
VirusTotal      50      10           yes
Jotti           33      10           yes
Malwr           4       3            yes
Anubis          4       3            yes
ThreatTrack     1                    yes
ThreatExperts   0
Garyshood       0
Virscan         0
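The table above is what falls out of the Step 2 web server's log once each request is attributed to a sandbox by the unique URL it fetched. The script below is an added example for this page, not code from the talk: it parses the line format Python 2's BaseHTTPServer writes when address_string() returns the raw IP (as in the Step 2 handler), maps paths to sandboxes using the three example URLs from the "Make Malware" slide, and reports total hits, distinct source IPs and first/last seen per sandbox. The log lines are constructed (documentation-range IPs, 501 status because the handler defines no do_GET); the "unmapped" bucket and the first/last-seen fields are additions beyond what the slide shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Per-sandbox beacon URLs, as given on the "Make Malware" slide; each upload got its own path so the
# requesting sandbox can be identified from the server log alone.
URL_TO_SANDBOX = {"/herrovirus.html": "VirusTotal", "/meow.html": "Anubis", "/yawn.html": "Malwr.com"}

# Shape of BaseHTTPServer's default log line once address_string() returns the raw client IP:
#   192.0.2.10 - - [18/Nov/2013 20:01:12] "GET /herrovirus.html HTTP/1.1" 501 -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return the fields of one access-log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def summarize(log_text):
    """Aggregate beacon hits per sandbox: total requests, distinct source IPs, first/last seen.
    Returns (summary, malformed_line_count); paths not in URL_TO_SANDBOX are grouped under 'unmapped'."""
    hits = defaultdict(list)
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            malformed += 1
            continue
        hits[URL_TO_SANDBOX.get(rec["path"], "unmapped")].append(rec)
    summary = {}
    for sandbox, recs in hits.items():
        ips = sorted({r["ip"] for r in recs})
        times = sorted(r["ts"] for r in recs)
        summary[sandbox] = {"total": len(recs), "unique_ips": len(ips), "ips": ips,
                            "first_seen": times[0], "last_seen": times[-1]}
    return summary, malformed


# Constructed sample log (documentation-range IPs); the last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Nov/2013 20:01:12] "GET /herrovirus.html HTTP/1.1" 501 -
192.0.2.11 - - [18/Nov/2013 20:01:40] "GET /herrovirus.html HTTP/1.1" 501 -
198.51.100.7 - - [18/Nov/2013 20:03:05] "GET /meow.html HTTP/1.1" 501 -
192.0.2.10 - - [18/Nov/2013 20:05:59] "GET /herrovirus.html HTTP/1.1" 501 -
198.51.100.7 - - [18/Nov/2013 20:06:30] "GET /meow.html HTTP/1.1" 501 -
203.0.113.5 - - [18/Nov/2013 20:09:01] "GET /herrovirus.html HTTP/1.1" 501 -
203.0.113.9 - - [18/Nov/2013 20:10:00] "GET /robots.txt HTTP/1.1" 501 -
this line is garbage
"""

if __name__ == "__main__":
    summary, bad = summarize(SAMPLE_LOG)
    print("Sandbox; Total; Unique IPs; First seen; Last seen")
    for sandbox, row in sorted(summary.items()):
        print("%s; %d; %d; %s; %s" % (sandbox, row["total"], row["unique_ips"],
                                     row["first_seen"], row["last_seen"]))
    print("malformed lines skipped:", bad)
```

Feed it the real log with `summarize(open("server.log").read())`. The "unmapped" bucket matters in practice: scanners and crawlers hitting the listener for unrelated paths would otherwise inflate a sandbox's count, and the per-sandbox IP list is what you then check against the "Recognized IPs" owners below.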

Recognized IPs

• SourceFire
• Amazon EC2
• ThreatTrack
• ThreatGrid
• TOR
• Kaspersky
• Symantec

Part 1 Conclusion

You should feel better about using online sandbox sites now?

Right?

Questions?