University of Piraeus
Department of Digital Systems
«Security of Digital Systems»
Supervisor: Sokratis Katsikas
Bypassing antivirus detection with encryption
Tasiopoulos Vasilis
About Me
Studied at the University of Piraeus: Informatics, Security in Digital Systems
Currently working at KPMG as an IT Advisor and Penetration Tester
Contents
• Related Research
• Background Knowledge - Antivirus
• Crypter
• Background Knowledge - Portable Executable
• Background Knowledge - Portable Executable Loader
• RunPE and Injection
• Our Implementation
• Results
Why?
It is easier to change the crypter; it is harder to change ALL the malware.
Who can use it:
• Penetration tests
• Anyone with a legitimate purpose
Related Research
• Implementation of Runtime Crypter by Christian Ammann
• Packing Heat by Dimitrios A. Glynos
• The Crypter BluePrint by crypters.net
• Several tutorials on HackForums.net
Background Knowledge - Antivirus
Signature-based detection: Traditionally, antivirus software heavily relied on signatures to identify malware.
Heuristics: Another technique used in antivirus software is the use of heuristic analysis to identify new malware or variants of known malware.
Real-time protection: Newer antivirus software also has another mechanism called “real time” protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even created instantly. To be able to deal with such tricks antivirus packages are also capable of monitoring and intercepting API calls and of performing a kind of "behavioral analysis". So, if a well-known process acts in an unusual manner the antivirus will mark it as suspicious.
Crypters: Types and behavior
Types:
• Runtime
• Scantime
Options:
• Internal Stub
• External Stub
Crypter must:
• Encrypt
Crypter’s behavior
Stub must:
• Decrypt
• Execute malware
Stub options:
• Save in directory
• Load it in memory
  • Load it in the stub’s process
  • Load it in a new process
  • Inject into another process (optimal)
RunPE and Injection
Method discovered by T.keong
Injection:
• The stub is executed
• A new process is created in "suspended" state
• The stub decrypts the malware
• The stub loads the malware in the place of the suspended legitimate process
• The process is unsuspended (resumed)
Limitation: a stub works with either 32-bit processes or 64-bit processes, not both
Different implementations:
• Alternative ways to call APIs
• Use of undocumented APIs
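A detection-side illustration of the injection sequence above and of the API-call monitoring described under real-time protection. It is an added example, not code from the presentation or the author's C# crypter: it walks a constructed API-call trace and flags a parent that creates a suspended child, writes into it, changes its thread context and then resumes it. The event schema, the pid-based keying and the choice of SetThreadContext as the "repoint" step are assumptions.

```python
"""RunPE detection illustration over a constructed (pid, api, detail) API-call
trace, as a sandbox or EDR hook layer might record it. The event schema is an
assumption for this example, not any real product's format."""
from collections import defaultdict

# How the slide's steps appear as API calls on the parent side: create a
# suspended child, write the decrypted image into it, repoint its main
# thread, then resume it. SetThreadContext is assumed as the "repoint"
# step; real-world variants differ.
HOLLOWING_STEPS = ("CreateProcess", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")


def find_hollowing(events):
    """Return (parent_pid, child_pid) pairs that complete the chain in order."""
    progress = defaultdict(int)  # (parent, child) -> index of next expected step
    alerts = []
    for parent, api, detail in events:
        if api == "CreateProcess":
            # Only a suspended creation opens a chain; a normal create
            # followed by ResumeThread is not hollowing.
            if "CREATE_SUSPENDED" in detail.get("flags", ()):
                progress[(parent, detail["child"])] = 1
            continue
        key = (parent, detail.get("target"))
        if key in progress and api == HOLLOWING_STEPS[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HOLLOWING_STEPS):
                alerts.append(key)
                del progress[key]
    return alerts


# Constructed sample trace: pid 100 hollows child 200; pid 300 behaves like a
# debugger (suspended create, then resume, nothing written); pid 500 is benign.
SAMPLE_TRACE = [
    (100, "CreateProcess", {"child": 200, "flags": ("CREATE_SUSPENDED",)}),
    (300, "CreateProcess", {"child": 400, "flags": ("CREATE_SUSPENDED",)}),
    (100, "WriteProcessMemory", {"target": 200}),
    (300, "ResumeThread", {"target": 400}),
    (100, "SetThreadContext", {"target": 200}),
    (100, "ResumeThread", {"target": 200}),
    (500, "CreateProcess", {"child": 600, "flags": ()}),
    (500, "ResumeThread", {"target": 600}),
]

if __name__ == "__main__":
    for parent, child in find_hollowing(SAMPLE_TRACE):
        print(f"ALERT: pid {parent} hollowed suspended child {child}")
```

The debugger-like parent (pid 300) is deliberately not flagged: the chain requires the write and context change, which is what separates hollowing from a legitimate suspended start.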
Our Implementation
Crypter’s type: Runtime Crypter, External Stub
Developed in: C#, Visual Studio, 2500 lines of code
Encryption: AES
Architecture
1. User selects the malware
2. User configures the available options (optional)
3. Crypter reads the malware byte per byte
4. Encrypting malware
5. Crypter reads the Stub
6. Adding assembly info to stub (optional)
7. Encrypting injection path
8. Adding injection process path to stub
9. Reading selected RunPE
10. Adding startup code to stub (optional)
11. Adding Hide code to stub (optional)
12. Removing comments from stub
13. Adding Fake message to stub (optional)
14. Adding Junk Code to stub (optional)
15. Adding Fake APIs to stub (optional)
16. Adding decompression code to stub (optional)
17. Adding Addi-… code to stub (optional)
18. Randomizing class, function, variable names and adding them to stub and to RunPE
19. Adding Encryption Key to stub
Architecture
20. Compiling RunPE as DLL
21. Reading DLL
22. Encrypting DLL
23. Compressing encrypted DLL (optional)
24. Adding encrypted Malware and DLL as resources to stub
25. Adding Icon to stub (optional)
26. Compiling Stub as executable
27. Adding EOF data to executable (optional)
Architecture
Stub after execution:
• Read encrypted DLL
• Decrypt DLL
• Load DLL in memory
• Read encrypted malware
• Decrypt malware
• Call DLL with the decrypted malware
• Malware is injected into another process
Architecture
Key points:
• Unique code
• Injection implemented in encrypted DLL
• Random function names, class names, variable names
• Encrypted strings
Result: Unique executable
Crypters GUI and Options
Results
The lab:
• Windows XP 32/64 bit – Avast/AVG
• Windows Vista 32/64 bit – Kaspersky/Norton
• Windows 7 32/64 bit – Microsoft Security Essentials/ESET
Online scanners:
• http://nodistribute.com
• https://www.metascan-online.com
Files tested:
• Netcat.exe
• Darkcomet malware
• Poison Ivy
| Virus | Injection Method | Windows Version | RunPE Choice | Working | Detection | Notes |
|---|---|---|---|---|---|---|
| Darkcomet | CSC | 32bit | 3 | YES | 0/40 | |
| Darkcomet | CSC | 64bit | 3 | YES | 0/40 | |
| Darkcomet | CSC | 32bit | 2 | YES | 0/40 | |
| Darkcomet | CSC | 64bit | 2 | YES | 0/40 | |
| Darkcomet | CSC | 32bit | 5 | YES | 0/40 | |
| Darkcomet | CSC | 64bit | 5 | YES | 0/40 | |
| Darkcomet | CSC | 32bit | 6 | YES | 0/40 | |
| Darkcomet | CSC | 64bit | 6 | YES | 0/40 | |
| Darkcomet | Default Browser | 32bit | 5 | YES | 0/40 | Mozilla |
| Darkcomet | Default Browser | 64bit | 5 | YES | 0/40 | Mozilla/Chrome |
| Darkcomet | Default Browser | 32bit | 5 | YES | 0/40 | Internet Explorer |
| Darkcomet | Default Browser | 64bit | 5 | YES | 0/40 | Internet Explorer |
| Darkcomet | svchost | 32bit | 5 | YES | 0/40 | |
| Darkcomet | svchost | 64bit | 5 | YES | 0/40 | |