
PlagueScanner: An Open Source Multiple AV Scanner Framework

BSides SLC · 2015 · 53:42 · Published 2015-04
About this talk
PlagueScanner is an open source framework for organizing multiple antivirus scanners into a single tool chain, using message queuing and JSON output for integration into automated analysis labs. It addresses the problem of scanning sensitive malicious files with multiple AV engines without uploading to public services or purchasing expensive commercial scanner banks. The framework supports Linux and Windows scanners with optional Elasticsearch integration for historical data retention and analysis.
Original YouTube description
PlagueScanner is an open source framework for organizing any number of AV scanners into one contiguous tool chain. It leverages high speed message queuing along with JSON report output for easy integration into an automated analysis lab. An optional ElasticSearch output plugin lets you keep historical data for future searching and further analysis. This project solves the problem of what to do with a sensitive malicious file that you wish to have multiple AV scanner results for, but you are wary about uploading the file to a public site, and you don't want to pay the hefty price for a commercial scanner bank.
Transcript [en]

So can everyone hear me good in the back? All right, good. So my name is Rob; he has given me a very good introduction, thank you very much. I'm going to be speaking today on PlagueScanner. This is an open source project that has been in the works probably for about two and a half years. It has coagulated into something real in the past six months, and I've been going to a number of other conferences and giving talks on it, and this is the latest iteration of it. So who am I? I'm a senior threat intelligence researcher for ThreatConnect; we're in Arlington, Virginia. My contact information is at the bottom:

that's my Twitter handle and email address. I can also give you a card later after the talk so we can contact each other. So let's just go into the problem here. You have an unknown or malicious binary and you want to scan it with as many AV engines as possible. There are a couple of options available to you. The first option is to upload the binary to a multiple-AV-scanner site online, and we all know which ones these are; there are a few of them, and there's a growing number of them. People will actually put up a version

of Cuckoo Sandbox, put it online and then just collect binaries from it. It's a very good technique for gathering binaries, and let me repeat that: it's a very good technique for gathering binaries. So they are gathering the binaries that you upload. Let's say you've got a weaponized PDF, and we'll see some of that in a moment. You don't necessarily want to upload that to any of these online sites, because they are gathering the binaries and you don't know who they're sharing those binaries with, who has access to that data. You have to trust them, and I don't trust anybody. The second solution is to buy your own

AV scanner engine system, and these are very, very expensive. When I say very expensive, I mean on the order of $80,000 a year expensive. So that's not really an option for the small guys; that's an option for a giant enterprise, but a giant enterprise might have other resources available. So that's not an option that's viable for me. Solution number three is to create an open source multiple-AV-scanner framework and share it with the world, like some of my favorite projects out there. So let me give you a few real-world use cases for this. I originally had

spoken with a number of people at DEF CON about this, and that's where the whole idea came from; I'll get to that in a minute. My use case is blue team: targeted weaponized PDFs and other types of documents with corporate data embedded in there as bait. Those are the types of things this is meant for. However, when I was speaking at ShmooCon this year I spoke with a group of people who work on pen testing, and they develop their own malware, and they want something like this because they don't want to share the targeted custom malware that they're going to use on a red team

engagement with the general public via the variety of online sites. So that's a different use case that I hadn't really thought about, but it's a valid use case for this. Obviously I don't want to have adversaries looking at this and using it, but it's open source; if they want to go pay for all of it and put it together, it's out there. So let me give you a quick demo of what I'm talking about here and what sort of things you would use this for. I recorded the demo just to appease the demo gods. As you might recognize, this is a reverse engineering malware workstation

environment. I have a number of tools; go ahead and take a screenshot if you don't know all those tools. You might see some that you don't know, you might see some that you do know. I've got Process Hacker open on the right; some people use different tools, but they're all essentially the same thing as Task Manager on steroids. So let's watch what happens. You can see in Process Hacker everything looks nice and clean. Hold on, let me pause this and move that down so you can see Process Hacker fully. Okay, so this is the PDF attachment to an email, and boom: "Current Literature". That's

very interesting, that's from 1891, and what makes this really interesting is this PDF is six pages long. That's actually very rare, for malware to weaponize something that's more than just one page. Usually they just have one page to bait you into clicking or opening or remaining there. So this is actually a six-page document. This came in on a sensor that I have, and it actually has access to one of those online AV scanner engines. Let me pause this for a second so we can go over that. I collected this from one of those online AV scanner engines where

someone else had uploaded it, right? So this doesn't exactly look too scary. However, this piqued my interest, and I thought, this is a six-page document, this is an unusual way of weaponizing something, so I started looking into it. I reverse engineered this, and I'll actually hit play again. As you can see down here there is an extra dllhost, and also, I will highlight it in a second, come on, there we go: so that's the extra dllhost, and then it is also still running a copy of the Reader, which is the built-in 8.1 PDF reader from Microsoft. So both of those: the dllhost that is running is

actually the malware, and the Reader is still running; it didn't shut down properly even though I clicked shut down and closed. So it definitely affected the Reader process. Also, I'm going to highlight this: this is one of the reasons why I like Process Hacker, because you can go into a running process and run strings on its memory. That's actually a very cool feature. So let me pause this and let's go back to the presentation. That's actually a little bit worrying; what's going on there? So I went and took an ssdeep hash, and if anyone's familiar with ssdeep, it's called a piecewise hash

or a fuzzy hash, and what it does is it takes the entire binary file and essentially chops it up into pieces and then takes sub-hashes of the different parts of it. What this is good for is, instead of having a SHA-1 or an MD5 hash, you can take this hash and then see how similar the file that you have is to a group of other files that have had an ssdeep hash done to them. In mathematical terms, the two hashes kind of make a three-dimensional distance between the two files, but essentially you are looking for other files that are similar to this file. So fortunately the same

online scanner engine where I found this file has a way to search via ssdeep. So I took the ssdeep of this file and looked for other files that are similar to it, and this is where things get very scary. This happened last week, and this is all very new stuff. I've looked at some of the scanner results for this, and it turns out that this piece of malware is called Ursnif. You might be familiar with it if you do malware analysis, maybe not; my focus is crimeware, and that's one of the types of crimeware out there. This is a new

variant; there was a Trend Micro paper about it back in January. What it does is, after you are infected, it looks in your hard drive and weaponizes all of the PDFs that you have on your hard drive and then just lets them sit there. So then when you go to get your invoice that you want to send to your client, you just drag the invoice to your email and send it off, and you have unwittingly sent them a copy of Ursnif, which is a weaponized copy of your PDF, which is tailored to them almost perfectly, because the malware author doesn't even have to think about what to

tailor to the target. So let me show you. This is going to look like a Freedom of Information Act request because I have redacted a lot of these, but this is where things get very scary, because I pulled all of these copies off of the online malware scanner. This is a certificate of analysis for some sort of chemical, no idea what it is. This is a check register from a company; I've redacted the name of the real estate agent. And this is an invoice for parts for a car at a car service center. So these are the sorts of things that you save on your

hard drive and keep for later; these are the sorts of things that this piece of malware is weaponizing. This is a packing list for something. Oh, and also, by the way, one of the things that I did with this set of documents was a look into the idea of who the victims are, and I could tell by the collection of documents who the initial infection points were, because any business document essentially has two companies involved with it, a sender and a receiver. So by taking all of these and making a spreadsheet of the senders

and receivers, I can see that, okay, this company is in common with all of these different documents, so they must have been the initial vector, and then this company and this company. So the company here is actually a manufacturer of, I'm not familiar with the type of stuff they make; I have some of their glossies, which were weaponized, but they make little metal machine parts and stuff like that. But I know who their clients are, because this document is a packing list they sent to a major car manufacturer, so a major car manufacturer is one of their clients. And then

this is the real estate agent, so these are copies of their checks that were weaponized, also very, very scary. And then this is just an email talking about, I believe, making a donation to the Humane Society, and then here is, is that the check to the Humane Society? No, that's a check for a real estate agent. Sorry that I didn't include the check, but there's actually the check to the Humane Society that they'd weaponized. So one of the very frightening parts about this is, I know now that there are three companies from these documents: there's a real estate agent, there's a manufacturer of machine parts,

there is a shale oil fracking company doing shale oil rigs in Pennsylvania, and then there's a supplier for EMT and fire equipment in Montana. So those are the ones that I figured out were the targets of the attack. These are the types of documents that you don't want to upload to an online AV scanner, right? I think it should be obvious that you don't want to upload these. And one thing that's interesting with these AV scanners is they track who it is that's uploading it, so they see the IP address that's uploading it; if you have an account with them, then obviously it's

connected to that. So each one of these came in from the web interface, so these were people at one of these companies, or a company that was doing business with them and was sent one of these, and they probably just got an email with an attachment that was strange and then submitted it to the online AV scanner, and then I got a copy of all of them. Myself and lots of other people, including AV companies and security companies in other countries; you have no idea where the stuff is going. So, bad idea. Onwards to the next use case. The next use case I have

is for red teams. How many in here are pen testers? Two, three, four, okay. So do you guys use tailored malware in any of your engagements? Yes, we got a yes over here. Would you want to share that piece of malware with anyone? Not exactly; very good answer. And I just wanted to highlight, because when I gave the talk at ShmooCon I was actually followed by one of the authors of the Veil framework. This is a very great piece of software for pen testing, and what it does is you

take your piece of malware and you can use the Veil framework to obfuscate it in ways so that it avoids being detected by AV scanners. So the Veil framework folks were saying, we've thought about making something like PlagueScanner for a while, but now you're making it, so great. They're really great guys and that's actually a great project. Backdoor Factory is another one, where you are creating backdoored binaries that are real binaries from a system. I saw their demo at DerbyCon, which was fascinating: he put a backdoor in Safari, the actual Safari executable on a laptop, and so it called back to his C2.

So Backdoor Factory is another one where, if you're making a backdoored binary, you want to make sure that it's not going to be shared out, and you're not sharing how you backdoored it. Side note: Backdoor Factory has been in the news, and it might not have been in the news directly, but an instance of Backdoor Factory was reported. Has anyone heard of OnionDuke? OnionDuke is a piece of malware. You probably heard of OnionDuke but you didn't know it by the name OnionDuke. So about six months ago there was a Tor exit node discovered

that was backdooring all of the binaries that were going up and down through it, right? Did you hear about that? Okay, so that was actually someone in Russia that had downloaded a copy of Backdoor Factory and installed it and combined it with the Tor exit node and created a fun malware transmission system. So that's one use case of that. So this is how I formulated the plan for PlagueScanner. I don't know if you recognize this bar, but it's Shutters at the Rio. This is where I was talking to a number of other security heads and DEF CON con-goers

about what to do with this problem, and came up with the idea of PlagueScanner. I was actually curious at the time why this is sort of something that seems obvious to me, to have an open source project to do this sort of thing, but I realized the reason why it probably didn't happen yet is most people who are open source advocates, big-time open source people, kind of get hives when they look at closed source software. They don't want to work with stuff like that, so they wouldn't want to write a layer of open source over lots of commercial software. That's not

necessarily the first thing that comes to mind when you are an open source guru. My background is security, I love open source, and so this seemed obvious, and after about two years of mulling it over I finally put some parts together and started the project. So let's go over the basic components of PlagueScanner. It's all written in Python 3; every component is Python 3. I try in everything that I do to not use Python 2 anymore, and only if there's an import that I have to use, an old library or a library that still uses Python 2, will I use Python 2. But: Python 3.

This uses the Yapsy plugin system. This is a plugin system that you might recognize from another malware analysis project called MASTIFF; they use Yapsy. MASTIFF is a static malware analysis framework. They had a good idea, so I took it. And then ZeroMQ is similar to RabbitMQ, if you're familiar with that; it's just a little bit faster, a little bit easier to use, a little bit cleaner. So I use ZeroMQ for message queuing, and that is how the malware sample and then the code to run the malware sample are transmitted between the core and each one of the AV scanner VMs. I used QEMU originally, and

about a month ago I added VirtualBox virtualization for this, so it supports both VirtualBox and QEMU. The reason I like QEMU is it has kernel same-page merging, which is a type of memory deduplication. So if you have two or more VMs, and the VMs all have a set of memory pages, VM X and VM Y, if they're running the same operating system, have almost the same set of memory pages. So why take up that much space in the host operating system? Kernel same-page merging works at the host level, and so if you have one identical page of memory it's actually shared among all of the VMs that have that same

page. VirtualBox has a similar technology; I don't remember it off the top of my head, but it's in a further slide. Unfortunately, well, the reason why I used QEMU is that under Mac OS, for some reason, VirtualBox's version of KSM does not work; they don't have that technology supported under Mac OS. So if you run VirtualBox under Mac OS, all of your VMs have this ever-growing repetitive list of memory pages. I use the Pillow Python image library, and this is for taking screenshots of pop-up windows in the VMs, and then I use Tesseract OCR, and we'll go into

why this is necessary a little bit later. The report output is JSON. I don't like XML; XML is very last year. So the output is JSON, and then the reports can optionally be stored in Elasticsearch, and then you can do nice graph stuff and look at historical AV engine results. So the whole concept is that you bring the scanners. It's up to you to buy the licenses and get them installed correctly and follow the directions and read the manual of the manufacturer of those; that is not my problem. But I bring the plugins for each one of the scanners, so I make sure that it's instrumented properly. Each

one of these, essentially the core of this, is a regex or a set of regexes that takes the output from said AV scanner, pulls out the data that we need, and then sends all that to a central core, and then creates a master JSON file for that. So I have identified four general types of scanner engines out there. The first one is open source. I believe, unless anyone knows of any further ones, there's only one member of this category, and that would be ClamAV. The second is one that has a Linux version available. Many commercial AV

scanners have a Linux version available, and if there's a Linux version available that means there's a command line, and if there's a command line it means it's easy for me to run it and write a regex and pull out all the data that I need. There are some companies that provide a FreeBSD version and other BSDs and other Unixes and stuff like that, but I'm focused on Linux, just to make it easy, make one. And there are no AV engines that make scanners for a different Unix that don't make one for Linux, so I've focused on Linux.

The third type is a Windows-only scanner; there are a lot of those out there, where there's only a version of it on Windows. The good ones in category three are the ones that have a command line interface available. Again, I would prefer not using Windows, but where I have to use Windows, if I have a command line then I get a pile of text, and then I can use a regex on it, pull it all out and do the same thing I did with the Linux version. The fourth type is where there's a GUI only. These are the real nasty ones and difficult to work with, so

that brings me to optical character recognition. That fourth category of AV scanner engine is the one that requires OCR. With OCR you take a screenshot in the VM of the pop-up that says, hi, you're infected with Ursnif, or, you're infected with whatever; take a screenshot of that, carve out the areas that have the text that I want, and then run that through OCR, and then I get a pile of text that I run a regex on, pull that to the central core, and then add that into a JSON document. This component of PlagueScanner is not fully working yet. This is actually

a more difficult problem than you would think, but it is under construction. So this is the basic architectural diagram for PlagueScanner. There is the submission, processing and reporting component in the top center; I've called that the core, so that's the PlagueScanner core. There is an Elasticsearch option. This is something also that you would set up yourself; I'm not going to concern myself with anything other than making sure that the code to write to Elasticsearch is correct, but where your Elasticsearch is and all that sort of stuff is up to you. You have to create your cluster yourself. The message queue is

that amorphous blob in the center, and that's ZeroMQ, and that sends the messages between the core and each one of the variety of VMs. Let me just touch on one point about the way that I have designed this. Each one of those VMs at the bottom has an agent which is listening for the ZeroMQ messages, and each one of those agents is actually dumb. They don't know anything about the type of VM that they're in; they have no idea about what type of AV scanner they're supposed to deal with. The reason I did this was to make it easy on the end user for setting up the whole

thing. The end user shouldn't have to have a huge pile of agents that they have to figure out: okay, I've got a ClamAV agent here, and then which one of these VMs is my ClamAV, and I've got to put that in here and make sure that this all works. No. The end goal is that each one of these is a dumb agent, and this is actually very unsafe, so you need to make sure that wherever you've put PlagueScanner is protected outside of PlagueScanner itself. You need to make sure that this is on a separate network, because I make no effort whatsoever to check the code those

agents are running. They get a message that contains the binary that they are going to scan, and then they get a blob of Python script, and then it just runs the Python script. It puts the binary in a set location, runs the script, and then the script will go and look for the binary, run the right scanner engine, do the text processing, and then send a JSON message back to the core. So that's very dangerous, because I do no checks whatsoever. If you're running PlagueScanner out there and have it open to the internet, that would be very bad. If you have it on

your network, that also is fairly bad, because someone might discover that you have this and then just start running arbitrary code on the VM. So make sure that you've protected this properly. But this also leads me to the next part. I've had a few lessons learned about the development of this. When you're developing a distributed application such as this, that uses a message queue, and you have lots of little VMs out there and then a central core, when you're doing development that adds time to each iteration of a change in the code. So when you're sitting there and you're banging away at code and then you

want to run and see if the thing that you did works or bombs, when you hit run it then has to send that message out to all these things and this stuff has to come back, and I'm impatient and I don't want to wait even those few seconds or whatever; actually it's more than that, like 15 or 20 seconds. I don't want to wait that long; I want to just go bam, see if it runs, bam, see if it runs. So I have implemented a sort of development version of the entire system which works backwards from a smart agent. There's an

alternate agent where each of those agents is actually smart and has the entire code in there, so that I can work on that VM itself, not worry about the core, not worry about anything else, have a binary in the proper location, and then bam, just keep running that particular agent. And then it has a REST API, so that when I've got that one working I can kind of back up, run the core, the core goes out and asks all those REST APIs to do their stuff and then gets back the results. The second step of this is to write the Yapsy plugin. Once I have an agent that

works properly, carve out the proper piece of code from it and drop that into a Yapsy plugin in the other version. So that's the development process. The carving out and the making of the Yapsy plugin might be a little bit more cumbersome, and the setup of it is a little bit more cumbersome, but it makes it easy for someone that doesn't like to wait when they're doing development. So I mentioned some of the cool features already, and I wanted to highlight some more of them. Kernel same-page merging, as I said, allows many VMs to share memory pages. The name of that technology in

VirtualBox is Page Fusion, and if you go into VirtualBox's document set and just grep it for Page Fusion, you'll find the section on it and how to set it up. I don't think you have to set it up, but you can look in there and just double check. I use Mac, so actually I don't necessarily use VirtualBox for much of this stuff. ZeroMQ is a very fast message queuing system. Elasticsearch is a good way to visualize and store and process, and have a NoSQL-esque database of your results. One of the reasons why this is

important is, let's say you get a binary that is new to you and it doesn't get detected by anything. That's a little bit frightening, right? But as a researcher you may want to know, or graph, when different scanner engines began detecting it, and see who was better at detecting it, who might be following whom, because three or four of them might detect it all at the same time on a certain day, or maybe one of them got it and then a few days later a lot of them got it. So you want to be able to highlight who it is that really got the good

information on it. So you want to be able to run the scan over and over and over, and then take all of those scan results and plug them into Elasticsearch so that you can see the trending of virus scanner results. Another thing that this is good for: let's say I have a sample and I don't necessarily want to run it against a malware library to find things that are related to it. So, for example, there are three major hashes that are good for this type of work: one is called import hash, one is called PE hash, and one is ssdeep. Each one of these is a way to find

related malware. ssdeep I described earlier; it's a piecewise hash. Import hash takes a hash of the import table of the malware and then finds other malware that has a similar or matching import table, or a set of imports; some of the stuff may not actually be in the import table, by the way, so it takes a set of the imports. And PE hash takes a hash of components of the PE header. So the whole idea here is to find other malware that's related to your piece of malware. Those searches might find things that are known, or not necessarily known,

but are, by a test, similar to malware. However, there might be other copies of that malware that do not fit that model, that don't have a common ssdeep, don't have an import hash, don't have a PE hash. However, you have a host of AV scanner companies that are out there working day and night on lots and lots of malware. They may have decided that this piece of malware is related to your piece of malware, but the two of them don't have a common import hash, don't have a common PE hash or ssdeep, so there's no way for you to know, if you have a malware library, without looking through your

samples and already having seen that one, to connect the two. But you could have had your entire malware library run through PlagueScanner, had all the results in Elasticsearch, and then done a free text search for the name of a piece of malware and then found all of the others. So let's say you have run yours through here and it says, hi, I'm Ursnif. Then you search for everything else that's Ursnif in there and you'll get samples that may not have a common import hash, may not have a common PE hash, and may not have a common ssdeep. So you'll have other things to do research on and kind of figure out

who's doing what and who's related to whom. So that's a very powerful feature of the software. There are a number of open issues in here. One of the major problems that I ran into is that I keep all of this at a cloud VM service. One of the problems with that is, even though they're like two cents an hour to have your VM, if you have two cents an hour but you've got lots and lots and lots of VMs running together, that adds up after a while. And the problem with combining them all into one VM, or stacking them in any way, shape or form

in that way, is that AV scanners don't play well with each other. They actually look for each other, and they say, if you install AV scanner X, it will say, dude, there's AV scanner Y right there, I'm not going to let you install me unless you remove that one. Or some of them go, hi, I found AV scanner B, I'm going to just remove it for you, and then it's gone. So that doesn't make it easy to install many AV scanners together on the same machine. What I've come up with here is to use Docker. There are a few other competing open source projects that do the same thing as Docker, but

Docker is very commonly found, well supported and fairly easy to use. What Docker does is it creates containers inside of a Linux machine, and in those containers you can install software, and the software that's in that container can't see the software that's in another container. So it's sort of like a virtual, it's not a VM, but it's a virtual environment inside of a VM or inside of a bare metal machine. So you can install any number of different systems in those Docker containers, and they can all live on one VM, and it would save money for cloud services.

And the next one, OCR. OCR is still a very tough problem; it's difficult to get that correct, and so I'm still working on that. Daemonization, that's also something that I need to work on. The PlagueScanner core is still just a set of scripts where you run it and then it does its work and the information comes back. I would like to have it similar to, if you're familiar with Cuckoo Sandbox (anybody heard of Cuckoo?), so Cuckoo actually sits there and runs and then you submit jobs to it via the SQL database that it keeps its job list in. So I'd like to do something like that: have a list of jobs coming up, and then have an always running process that the jobs are submitted to, and then have that do the processing constantly.

Another problem that these have: scanner updating. This is sort of like herding cats. Each one of these AV scanner engines wants to update in a different way, wants to update at a different time, and so they're all doing kind of random things to update themselves. I don't have a way to watch, monitor, or coordinate any of the updating. It just either doesn't happen and you have to do it manually, or it does its own automated updating whenever it wants to, or breaks, or whatever. So what I want to do is have some layer where it watches for updates or controls updates for each type of scanner engine. And that's also valuable because it would give me a date or a timestamp when the update happens, and I can add that to the JSON document for each one of the scanner results. And that can be important because the scanner signatures that a scanner uses might be different at 4 PM than they were at 8 AM, and that's important because at 4 PM it began detecting Ursnif and at 8 AM it didn't detect it. So I want to be able to see that in the data and be able to look at those sorts of changes. So that's important to have in there, but it doesn't do that yet. That is also going to be a difficult problem because, as I said, it's like herding cats; they all want to go in different directions, and some of them want to go outside, so they want to come back inside right after they go outside.

So the next thing that is an open problem is resubmission automation. This depends on the daemonization step. I want to be able to not burden someone with a scanner result of zero. So if there's a scanner result of zero, you could have a flag set for that job that says, if it has zero, rescan on a schedule; don't ask me, don't make me come back and do anything, just rescan on a schedule until it hits a scanner result. And when it hits a scanner result, maybe send me an email or an alert or a Nagios, you know, turn something yellow or whatever, and say, "Hey, you've got a result." So I want to automate that so you don't have to really think about it. If you've got a lot of stuff coming in you don't want to sit there and kind of fiddle with all of it; you want to be able to automate your processes. So I have resubmission automation.

Another feature: if you're familiar with, again, Cuckoo Sandbox or Thug. Thug is a low interaction honeyclient; it's for visiting a website and then, when you visit the website, getting the malware from it. So it pretends to be a variety of browsers and it also pretends to have the correct Java version or Flash version or Reader version that is necessary to be infected, and so it collects the binary from that visit. So these two things: Cuckoo Sandbox is a thing for sandboxing malware and getting all of the indicators of compromise out of it and getting its behavioral and other components. Cuckoo has lots more in it than that. But both of them have the ability to use a protocol called hpfeeds, and I don't know if you're familiar with hpfeeds, but it's part of the Honeynet Project, and what it is is a publish and subscribe protocol for sandboxes and collectors of malware data. So you can have instances of Thug and Cuckoo out there in the world, and they can be producing binaries and also the binary analysis data, and it combines all of this into a feed, and then the feed can be subscribed to by other researchers. And hpfeeds actually has a social platform; it's a social network based on malware called hpfriends. In hpfriends you sign up for accounts and, instead of it being Facebook where you message each other about whatever you do and share photos and stuff like that, you share malware feeds with hpfeeds. So you have your friends in hpfriends, and then if you're a friend, or if you're in a group, you get to subscribe to all of the hpfeeds that group publishes. So it's an interesting concept. I would love to have hpfeeds ability in PlagueScanner, so that you could have a PlagueScanner instance out there and then, if you so choose, you could share all of the binaries and the AV results with your hpfriends out there. That is not in there yet; it's just a hope that I get to that eventually.

So let's do a demo of PlagueScanner. Sorry about the resolution on this; it's another recorded demo and I apologize for the resolution.

Okay, so on the right side you see again, that's Process Hacker. I love Process Hacker. I'm using it here just to show that the thing is working, because this particular VM that we're looking at right now is a Windows VM and it's running the Trend Micro scanner, and the Trend Micro scanner is a little bit wonky at times and it can choke on some of the binaries, and so I'll have to go in here and actually click a button. So that's actually one of the things that I want to work on, is to have a button clicker. If a window pops up with a button, I just want to click the button; who cares what it says, just click it. Yeah, like a user, exactly. There's a button clicker in Cuckoo Sandbox and it's actually called human.py. So okay, we're gonna watch the session here. So this is one of the scanner engines, it's Trend Micro, and then in a moment we'll take a look at core. I wish I had an easier fast forward. Okay, so this is the core; let me scoot all the way ahead. Sorry about that.

Just trying to move this up here where it's out of the way. Okay, so this is the core, and at this point we're running samples through it.

This binary, that's the Unicorn bug binary. I don't know if anyone had heard of that one, but it came out like last year, or no, earlier this year. I think IBM researchers found it. It was a bug in OLEAUT32.dll. This is a DLL that's loaded by everything, and by the way it's not just loaded by a lot of things, it is also loaded by a lot of things going back to Windows 95. So I've heard people say, "Oh, if you want to be safe from malware you would just run Windows 95." Oh no, this particular binary can exploit the bug that's in that DLL going back to Windows 95, which is very interesting. So that's why they called it the Unicorn: it's something that can exploit a bug that hits all versions of Windows. It would have been really cool if it got Windows 3.51 or something like that, but you can only hope.

Okay, so the other samples that I'm running through here, let's hit play. So it's going through each one of these particular binaries, and these that are running right now are CVE-2015-0311. So this is a Trojan that was a Flash exploit from about a month and a half ago; this was the Flash exploit that was the 0-day that just appeared out of nowhere, and then Adobe took a little bit of time getting the fix out there, but there were binaries out there exploiting it in the wild. So this is that particular one, and as you can see we've got the AV scanner results here. So each one of them: you've got ClamAV, and this is the ClamAV result, and the ESET result. ClamAV is just saying the general "exploit agent"; it can't really tell you what it is. We've got ESET here and it's giving you the actual CVE for it, and then Trend Micro. These are just three demo scanners for it; I have a lot more. So at the moment I've instrumented Bitdefender, ESET, Avast, Windows Defender, ClamAV, Comodo, and that's it. So there's more on their way. Anyone who wants to join the project and help instrument AV scanners, please talk to me after this. I definitely need your help; it's a monumental task. I would like to have this at par with some of the main commercial and online scanners. So let me scoot this back over here.
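The open-issues part of the talk above describes two things the core does not do yet: stamping each engine's JSON result with when that engine's signatures were last updated (so an 8 AM miss and a 4 PM hit can be told apart), and a rescan-on-zero flag that resubmits a job on a schedule until some engine reports a detection, then raises an alert. The block below is an added illustration of that data model and policy, written for this page; it is not PlagueScanner's own code, and every name in it (`make_record`, `next_action`, `detection_changes`, the engine and signature strings, the timestamps) is a constructed assumption rather than the project's API.

```python
"""Added example (not PlagueScanner's code): per-engine JSON scan records
carrying a signature-update timestamp, plus the rescan-on-zero policy
described in the talk. All names, samples and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def make_record(engine, sample, signature, sig_updated, scanned_at):
    """Build one JSON-serialisable result document for a single engine.
    'detected' is derived from whether the engine returned a signature name,
    and 'signatures_updated' records the engine's last definition update so
    a later analyst can explain why a verdict changed between two scans."""
    return {
        "engine": engine,
        "sha256": hashlib.sha256(sample).hexdigest(),
        "signature": signature,            # None means no detection
        "detected": signature is not None,
        "signatures_updated": sig_updated.isoformat(),
        "scanned_at": scanned_at.isoformat(),
    }


def detection_count(records):
    """Number of engines in one scan round that reported a detection."""
    return sum(1 for r in records if r["detected"])


def next_action(records, rescan_on_zero, interval=timedelta(hours=8)):
    """Resubmission policy: zero detections plus the rescan flag schedules
    another scan 'interval' after the latest scan in the round; zero without
    the flag stops; any detection raises an alert for the analyst."""
    if detection_count(records) == 0:
        if rescan_on_zero:
            latest = max(datetime.fromisoformat(r["scanned_at"]) for r in records)
            return ("rescan", latest + interval)
        return ("done", None)
    return ("alert", None)


def detection_changes(old, new):
    """Engines that flipped from clean to detected between two rounds, with
    the signature-update timestamps that explain the flip."""
    old_by_engine = {r["engine"]: r for r in old}
    changes = []
    for r in new:
        prev = old_by_engine.get(r["engine"])
        if prev is not None and not prev["detected"] and r["detected"]:
            changes.append({
                "engine": r["engine"],
                "signature": r["signature"],
                "old_signatures_updated": prev["signatures_updated"],
                "new_signatures_updated": r["signatures_updated"],
            })
    return changes


def demo():
    """Constructed 8 AM / 4 PM scenario from the talk: one engine picks up a
    signature update between the two scans and starts detecting the sample."""
    sample = b"constructed sample bytes, not real malware"
    morning = datetime(2015, 4, 1, 8, 0, tzinfo=timezone.utc)
    afternoon = datetime(2015, 4, 1, 16, 0, tzinfo=timezone.utc)
    round1 = [
        make_record("clamav", sample, None, morning - timedelta(hours=2), morning),
        make_record("eset", sample, None, morning - timedelta(hours=1), morning),
    ]
    round2 = [
        make_record("clamav", sample, None, morning - timedelta(hours=2), afternoon),
        make_record("eset", sample, "Win32/Ursnif (constructed name)",
                    afternoon - timedelta(minutes=30), afternoon),
    ]
    return round1, round2


if __name__ == "__main__":
    r1, r2 = demo()
    print(json.dumps(r2, indent=2))
    print("after round 1:", next_action(r1, rescan_on_zero=True))
    print("after round 2:", next_action(r2, rescan_on_zero=True))
    print("changes:", json.dumps(detection_changes(r1, r2), indent=2))
```

Keeping `signatures_updated` inside each engine's record rather than in a separate update log is what makes the later free text search useful: a document that says "detected by ESET, signatures updated 15:30" is self-explaining when it sits next to the morning document that says "not detected, signatures updated 07:00".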

So I wanted to just give a shameless plug for my employer. They are awesome. I started there in November, so I'm one of their newer employees. ThreatConnect provides an advanced collaborative threat intelligence platform, and it has a free version, a free level. There are many levels of paid accounts, but all of you can sign up for a free account in there and you can see the indicators of compromise that I share with the common community. You can also share your indicators. There's a lot of new malware that shows up that we put data for in the platform. Please sign up for an account, and if you want to talk about this, come find me after my talk. Looks like he said I had five minutes, so, cool. All right, so any questions? Oh, sorry, I meant to say: my handle is utkanos, and utkanos is Russian for duckbill platypus, so I'm leaving you with a baby duckbill platypus.

Yes, that's a very good question. I think doing mobile malware scanners would be a little bit redundant except for a few. So there are a few AV scanners that are mobile targeted, they're specific to mobile and don't have a version that's Windows or Linux or anything like that. So I would like to; however, that would require putting up Android, at least the Android SDK, and running it. You can run the Android SDK and have like a little VM and you can run your... that's actually how I run my mobile malware.

So if you're already...

Awesome, I will. After the talk I'll come get that info from you. Yes, so I do want to do mobile, but right now I've already got a lot of upscope, so I'm trying to just get the core of it done, and then I can start working on upscope. But a very good point. If you want to come talk to me, I'll let you know when it's ready. Any other questions?

So that's another good point, and no, I have not begun trying to... and you're talking in the Windows world, right? Yeah, so I have not begun trying to shoehorn multiple AV scanner engines onto the same box. I would love to, and if you have any ideas please let me know. But I had focused first on the Linux area, and Docker just seems like the easy button for doing that. Any other questions? I would love to have Docker for Windows, but it's based on a Linux-only component. So, yes, awesome. I mean, Windows is not my favorite thing, but Docker and the concept of Docker makes everything better. Any other questions? All right, so I have some swag. So, lanyard: who wants a lanyard? Lanyard, lanyard. And then, since I'm so far from home, I brought you a Delaware BSides shirt. So who wants a Delaware BSides shirt? It's a large, I think.

And a ThreatConnect shirt. All the way... no, no, no, no interceptions allowed, because I do have another one. This one, I think they're both the same size. Got another one; you want it over here? Anyone over here want it? All right, all the way there, orange. All right. Actually, where did you get this one? You don't know me.

Pass that one back there. All right, thanks everybody.