Adventures in Asymmetric Warfare
-
Upload
harmj0y -
Category
Technology
-
view
504 -
download
2
description
Transcript of Adventures in Asymmetric Warfare
Adventures in Asymmetric Warfare:Fighting the AV Vendors
Will@harmj0yVeris Group - Adaptive Threat Division
@harmj0y
● Security researcher and red teamer for the Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework #avlolo www.veil-framework.como Shmoocon ‘14: AV Evasion with the Veil
Frameworko Defcon ‘14: Veil-Pillage: Post-exploitation 2.0o co-wrote Veil-Evasion, wrote Veil-Catapult,
Veil-PowerView,Veil-Pillage, and PowerUp
● Active Cortana and PowerShell hacker
tl;dr
● Problem Space
● How we got here and ethical issues
● Approaches #avlol
● Obfuscation methods
● Payload Analysis
Teh Halting Problem?
● Input:o a potentially malicious program P
● Output: o True if executing P would cause a the host
computer to be “compromised”o False otherwise
● def halts(P):return isMalicious(“removeMaliciousLogic(P)
compromiseHost()”)
Problem Space
● Anti-virus detection is an undecidable problemo That is, it’s impossible to design a 100%
effective anti-virus solution
● Though a perfect approach is impossible, approximations can be made
● But detection is really really hard
Our Problem
● From 2009 on, antivirus started snarfing up more and more stock MSF payloads
● We started researching basic ways to keep doing our job
● All of our initial efforts drew from prior work, we don’t claim to have invented any of this stuff!!
How We Got Here
Previous Work
● Mark Baggett’s post Tips for Evading Anti-Virus During Pen Testing was the first public resource to talk about using Python to inject shellcode
● We ended up mostly drawing from Debasish Mandal's Execute ShellCode Using Pythono Uses the
VirtualAlloc/CreateThread/WaitForSingleObject pattern
Our Solution
● A way to get around antivirus as easily as professional malwareo don’t want to roll our own backdoor each
timeo codebase built by myself, @ChrisTruncer and
@TheMightyShiv
● Generate payloads in a language and technique agnostic way
● See the Shmoocon ‘14 presentation AV Evasion with the Veil-Framework for more background
Our Solution
Ethical Issues
● The disclosure debate is nothing new...
● Pentesters are 5+ years behind the professional malware community
● This is a problem the bad guys have already solved, and better than we have!
Public Reaction
“surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”
“Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”
“The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”
http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
Twitter Reaction
● We started with Python based shellcode injection techniques, soon branched into other languages
● Similar payloads = : (o started implementing basic obfuscation
methodso and by basic, we mean basic
● static signatures = #avlol
Approaches
Obfuscation 1.0
● Let’s randomize everything we possibly cano This works better than you think
● Substitute in a randomized string for all variable and method names
● Shuffle up everything as appropriate
Obfuscation 1.0
“Pyherion”
● What if vendors still find a way to trigger on the malicious Python script sources?
● We introduced Pyherion, a python ‘crypter’ inspired by Hyperion
● Encrypts an entire Python file with a random AES key, base64’s it and and rolls it all up into an exec(*) wrapper
Obfuscation 1.5: Pure Stagers● What if vendors are triggering on the
raw shellcode and decoders?
● How about we eliminate shellcode all together, and build some native stagers?
● They aren’t that complicated, thanks Raffi!o https://github.com/rsmudge/metasploit-loadero http://blog.strategiccyber.com/2013/06/28/sta
ged-payloads-what-pen-testers-should-know/
Pure Stagers
The meterpreter stager is surprisingly simple:
1) a tcp connection is opened to the handler2) the handler spits back 4 bytes indicating the .dll size, and then the .dll itself3) socket number is pushed into EDI4) execution is passed to the .dll just like we do regular shellcode (void * or VirtualAlloc)
Pure Stagers
● The following are the pure stagers currently available in the framework:
Language Stager
Python meterpreter/reverse_tcp
Python meterpreter/reverse_http
Python meterpreter/reverse_https
C meterpreter/reverse_tcp
C meterpreter/reverse_tcp_service
C meterpreter/reverse_http
C meterpreter/reverse_http_service
Language Stager
C# meterpreter/reverse_tcp
C# meterpreter/reverse_http
C# meterpreter/reverse_https
Powershell meterpreter/reverse_tcp
Powershell meterpreter/reverse_http
Powershell meterpreter/reverse_https
Ruby meterpreter/reverse_tcp
Pure Stagers
Obfuscation 2.0
● Variable obfuscation is great
● But for things like C, this doesn’t work as well as we’d like
● Can we introduce something a little more interesting?
Obfuscation 2.0
● Our (slightly) more “advanced” C obfuscation involves our interpretation of a method nopo muck up dynamic analysis without affecting
the actual execution of the program
● General idea:o throw in enough processing functions that
sufficiently complicate the call tree of the program
● This is a basic version of what malware has been doing for yearso shouldn’t be that effective, but it is!
Obfuscation 2.0
● Choose a set of randomized string processing functions (reverse, split, etc.)
● Malloc a randomized number of strings of randomized lengths
● Intersperse these randomized functions throughout the actual code
Obfuscation 2.0
● What if some vendors trigger on the Pyinstaller loader.exe itself?
● How about a (reasonably) obfuscated version of the Pyinstaller loader? :)o BSides Boston ‘14: Pwnstaller 1.0o https://github.com/harmj0y/pwnstaller/
● Integrated into Veil-Evasion this past May
Obfuscation 3.0
Pwnstaller
● On each run:o Obfuscated code for all* source files
associated with the Pyinstaller launcher are generated
o mingw32 is used to compile everything into a new runw.exe, all on Kali \m/
o copy the runw.exe into the correct locationo a randomized Windows icon is chosen for the
final packaged result
*see http://www.harmj0y.net/blog/python/pwnstaller-1-0/ for a full explanation
Obfuscation 4.0: Ruby
● Since some people have started to pay attention to Pyinstaller binaries, let’s try some other languages:● C? sure, with some obfuscation● C#? mono can help with .NET● PowerShell? no disk writes?
awesome● Ruby? Why not...
Ruby
● Ruby has a foreign function interface just like Python does, the win32-api gemo This means we can inject shellcode, and can
write native Meterpreter stagers!
● And it has its own Pyinstaller analogue: OCRA (One Click Ruby application)o http://ocra.rubyforge.org/
● I wonder if we can get this running on Kali :)
Ruby Shellcode Injection
Ruby OCRA Compilation
Ruby Module Releases
● The following payload modules are currently in the development branch, and will be merged into master for the 9/15/2014 V-Day:o ruby/shellcode_inject/flato ruby/meterpreter/reverse_tcp
● Everything is compiled to a self-extracting Windows executable, all on Kali!
A .NET Crypter
● C#/VB.net code is compiled, not interpreted, so we can’t build a dynamic obfuscator equivalent to Pyherion :(
● Or can we? .NET has an interesting feature called Reflection:o “you can use reflection to create type
instances at run time, and to invoke and access them”http://msdn.microsoft.com/en-us/library/f7ykdhsy(v=vs.110).aspx
A .NET Crypter
● If we have an array of raw bytes of a .NET binary, we can run the entire executable from memory with 3 lines by utilizing Reflection:o Assembly a = Assembly.Load(bytes);o MethodInfo m = a.EntryPoint;o m.Invoke(a.CreateInstance(m.Name), null);
● We can obfuscate these bytes in any way we want beforehand
● A crypter for all .NET binaries was just pushed along with the Ruby payloads
● A payload binary is generated and compiled as normal, the crypter then:o reads in the raw byteso base64 encodes the data and builds a random
substitution cipher for the stringo builds a launcher/dropper that decodes the
raw data and invokes the original binary using Reflection
Arya: a .NET Crypter
A .NET Crypter
Payload Analysis
ssdeep
● ssdeep is a ‘fuzzy hashing’ static malware comparison tool, allowing for the comparison of malware families
● “can match inputs that have homologies”o biology term, fancy way to saying degree of
shared ancestry
● Generated 1000 samples of some payload families did ssdeep runs over each set
python/meterpreter/rev_tcp● (1000 choose 2) = 499500 possible
pairing combinations for ssdeep
● 169107 pairings (33.8%) matched at a score of 75/100 or bettero Only 66 (.01%) scored at 90/100 or bettero Average pairwise score: 74
● What this means: only .01% of the samples scored as a ‘similar’ malware family
python/meterpreter/rev_tcp
c/meterpreter/rev_tcp
● Same 499500 possible pairings
● 267387 pairings (53.5%) matched at a score of 25/100 or bettero Only 2615 (0.5%) scored at 90/100 or bettero Average pairwise score: 37
● What this means: only .5% of the samples scored as a ‘similar’ malware familyo but wider variation than Python families
c/meterpreter/rev_tcp
cs/shellcode_inject/flat w/ Arya● Same 499500 possible pairings
● Only 5 pairings (0.001%) matched at a score of 25/100 or bettero none scored at 90/100 or better
● What this means: 0% of the samples scored as a ‘similar’ malware familyo variation was all over the map!
Recap
● Started our research out of necessity but continued it out of curiosity
● Fuxoring AV vendors really isn’t that difficult
● There are still ways to stop us :)
● #avlol
Questions?
● Contact me:o @harmj0yo [email protected]
● Read more:o https://www.veil-framework.com
● Get the the goods:o https://www.github.com/Veil-Framework/Veilo https://github.com/HarmJ0y/stagers