Adventures in Asymmetric Warfare: Fighting the AV Vendors

this is adventures and asymmetric

Warfare so my name is Will Shader I go by the handle harm jooy I'm a security researcher and Red Team bur pin tester for a group called The adaptive threat division for a company called varis Group LLC we operate out in Northern Virginia we do a lot of you know like private sector and um kind of with government stuff like pen testing assessments all those kind of things I'm a CO founder and one of the active developers the veil framework so and I ask this every single time I talk now how many people use the veil framework on a regular basis awesome um our site is Veil framework. comom so I co-wrote Veil evasion which

is kind of the flagship tool that generates AV evading executables which I'll kind of dive into some of the guts of for this presentation I wrote Veil catapult which is a delivery tool Veil Power view which is a Powershell situational awareness tool Veil pillage which is a post exploitation framework that was released at Defcon and I also wrote a tool called PowerUp which is a power shell script that helps automate a lot of Windows uh privileg escalation vectors talked at shukan this past year on AV evasion with the veil framework I presented there Christopher trer who's one of the other main developers talked at Defcon on pillage and talked at derbycon a few weeks ago with my boss on

passing the torch old school red teaming new school tactics real kind of quick what I'm going to go over today I'm going to kind of go over the problems space um for antivirus detection and you know all these types of things uh kind of the initial motivation for Veil evasion and some of the ethical issues surrounding it you know some of the flak we got for releasing it you know just kind of wanted to let you guys know like we thought very heavily about these things we weren't just trying to you know arm script kitties or something like that then I'll start diving into some of the approaches and the general idea with I'm kind of walk through this talk is you

know we started from not really knowing what we were doing for grav evasion um we don't claim to invented most of this stuff or really much of any of it but for a lot of the opusc methods I'm going to go through I just kind of wanted to walk you guys through our thought process of okay this kind of works this seems more effective and just kind of Trace through the evolution of a lot of the opusc methods that are used in Veil evasion and then at the end I'll cap off with some kind of brief payload analysis for a few of the different classes a few of the different languages and show you how really in our opinion kind of the

static signature protection for executables is pretty worthless now so the halting problem I know this is kind of weird and kind of funky if you don't have a computer science background but essentially like 7080 years ago Alan Turin proved that it is not possible to decide whether an arbitrary program will eventually halt or whether it runs forever they're like okay what does this really matter what does this mean to me this is used by a lot of computer scientists to prove whether or not a specific task is impossible they'll show that by it's called by reduction to where if you can show that a task will result in solving the halting problem and that means that task is

impossible so what this is It's actually kind of a brief little um outline of a reduction proof and the the whole point of this is that antivirus is perfect antivirus detection is impossible it's an undecidable problem you cannot have a 100% effective antivirus solution it's like there's a proof on paper that says you can't do this so but even though a perfect approach is impossible approximations can be the reason we're kind of talking about this briefly is like we know that our task of breaking it is exponentially easier than actually building the appropriate detection we're not just sitting here saying hahaa antivirus is completely completely worthless we've been in this problem space for a couple years now and we know

this is a very very very hard problem but you know we still think that there are ways that we can push antivirus vendors to have bit better detection a bit better methods just kind of try to push stuff forward a little bit so our initial problem you know we're pin testers uh you know this is virus total if you guys don't know what virus total is you know just definitely don't submit all your payloads to it all the time even though people love to do that we tried to put a disclaimer and Veil evasion of like you know if you want this to keep working try not to submit it to virus total people still do

anyways but this is a stock uh interpreter Stager that's I think this is about a year year old or so um the issue is that these stock stagers around 2009 or so started getting picked up by antivirus and the way the msf Venom the exe generators will work is they'll use these stock templates that they have which you can change if you want to they'll throw like some shell code in after it's generated and it'll inject into memory and off you go so antivirus vendors just wrote static signatures for these kind of stock templates saying hahaa okay you're secure now but it uh even just ing the templates themselves gets you a lot better AV evasion so

after this started happening you know we kept burning time un limited limited time engagements you know if you have 3 to five days for a pen test you don't want to spend an entire day rolling a Navy bypass method we never fa we we were never able to not get by antivirus it was just a matter of time so in our opinion for our engagements if we wanted to demonstrate as much value as we could to a client you know saying okay we spent this entire day trying to bypass your AV if we could kind of weaponize that or you know script it up or automate it we can spend a lot more time we can spend that you know that full day

of work actually showing impact to the client and kind of push stuff

forward and also you know antivirus evasion is a problem that bad guys have already solved so we're not releasing you know like method OD or something like that or some crazy stuff like all the stuff is rep Publican out there the fact that it works it still works extremely well even though this Project's been out for almost 2 years is kind of sad but um and also our all of our initial efforts when we started researching this stuff two years ago Drew from previous work we don't claim to have invented any of this kind of stuff we didn't invent using python to inject Shell Code we didn't invent using pow shell to inject Shell Code we didn't

invent you know writing pum interpreter stages I'm going to try to site all the kind of the prior work along the way so spefic specifically the first kind of public resource to talk about using python to inject Shell Code which was kind of the first method we stumbled upon was a post by Mark baggot um worked for Sans saying tips suring antivirus during pin testing and in this post he talks about using a c types data structure in Python to just kind of do really basic shun injection Dave Kenny released a tool Pi injector in 2012 which is kind of a compiled up version of some of these same types of approaches you can run the executable

and then a string of Shell Code injects into memory and we actually ended up drawing mostly from I know I'm going to mispronounce this Deal's execute Shell Code using Python and this post talks uh talks about kind of the standard pattern where you use Virtual aloc to allocate a chunk of memory use create thread to um or sorry virtual Al to create a chunk of memory use some other methods to move Shell Code into that memory use create thread to kick off execution for all that so it just kind of goes and use waight for single object to wait for that Shell Code to finish execution so our solution after looking at all this kind of stuff and thinking

okay python seems like an effective way that people have been doing this is we wanted to build something that got around antivirus as easily as professional mware we didn't have to want to write our you know our own back door each time roll bypass method and one thing I'm sure a lot of you guys have done this like kind of how it was a few years ago the python stuff would be great but you'd have to have a Windows VM and use you know this Pine installer or pexe you know generate your shell code manually drop it into the python thing like Drop it into a Windows VM compile everything up like pull the XE

back out you know if you made one small mistake or something like that or wanted to change the Shell Code you had to like redo that entire process so it took a little bit um we started thinking there has to be a better way to do this so we uh Christopher trer um Michael Wright and myself the main developers we wanted to build a framework that generated payloads in a kind of language and technique a tic way we I think it was about a year and a half ago when the project kind of finally hit public for bail evasion um the codebase was private for a while beforehand you know we debated a lot of these ethical issues

for a while which I'll go over here in a second finally decided to open source it and the kind of the big premiere for it was this past year at shukan 2014 it was a presentation called AV evasion with the veil framework I think the slides and like the video and all that stuff are online if you want a little more of a detailed overview of the framework itself and a lot of its capabilities and how it ties into everything this is kind of the interface um we kind of a standard interface for most of our Veil tools but we have payload modules to where you can build these generation modules which generate the uh source code for whatever language

you want you can write your own custom bypass methods and actually just drop them into the structure so say you want some cool new python thing you could write a module for that drop it into the tree the framework will load it up you can inject Shell Code with it you know wrapping msf Venom um new custom shell code and all this kind of stuff but it's really nice to where if you don't want to we still haven't gotten a poll request for any modules because obviously people want to keep their bypass methods kind of close to the chest but if you want to write your own you can just drop them in and take

advantage of like the C the Ruby the python all the kind of the compilation stuff and the Shel cood generation we have some post on uh developing your own payload modules and all that kind of stuff up on our site the veil Dash framework so the ethical issues the disclosure debate has been going on for a long time you know it's kind of really centered on exploit disclosure but our view and most of the people I talk to seem to agree is that pint testers are at least five years behind the professional Mau Community I'm sure even further behind you know nation state communities but again like I mentioned this is a problem the bad guys have already solved and

they've done it better than we have so if we're trying to demonstrate value to clients and saying you know if you're trying to simulate what a bad guy is actually doing you need a method to at least simulate some of this type of stuff to get you know bypassing these types of defenses so anivirus it's pretty much a joke to professional ma guys you know I think one of the last point of sale Mau samples didn't get flagged by single antivirus engine um you like this isn't really an issue for people that are paid to do this however when we release this tool these are quotes from the original Reddit thread where a lot of people were

not happy uh I think one of the quotes was surely this will just result in 21 new signatures for all major AVS we're back to square one that hasn't been the case and isn't our field meant to be working towards increasing security rather than handing out fully functioning weapons so uh I think that's a little ridiculous if you know just wrapping public python shun injection methods is you know handing out cyber weapons then I whatever but uh one of the quotes we did like was someone pointed out and kind of we agree with the sentiment is that anything helps to expose how ineffective antivirus is it's stopping even a minimally sophisticated attacker is really a good thing and

that's kind of our Point like bad guys aren't dropping you know 4 megabyte like Pine instellar rat malware but you know we can actually at least simulate some of these actions on a limited time frame engagement using some of these techniques these are our favorite quotes uh from Twitter so the main thing this is during the ukan presentation but the main thing that bothers him about the veil framework is that new PIN testers will never know what it was like to do all this manually so like I talked about of having to like roll your own stuff or you know writing your own C Stag and all those types of things we wrapped all that stuff up and tried to opy skate as

much as we could which I'll go through um and then script chunky yeah uh responded back in my day we had to op Escape bits by hand uphill both ways so just shaking the fist we just made it too easy I guess but like I mentioned so we kind of started with python based show code injection techniques we soon started kind of branching into other languages because we wanted to make it like I mentioned kind of language and technique agnostic so if you have your payloads pretty similar each time kind of a stock template this is the problem that met started running into to where it's pretty easy for antivirus to just do you know a stock kind of static string

signature for it so we started thinking okay how do we start kind of just basic off for this so like all right let's just randomize every single variable every single method like just go through it and say anything that can be randomized like let's go ahead and do that um this is very simple this you know obviously is nothing crazy the sad thing is this is still really really really effective like much more so than it should be or you think it would be against a lot of antivirus vendors so this is kind of an example of what one of the Python payloads will look like now if you're extracting this out you know anyone that

knows knows how to re or like actually do manual reversing for this stuff or mal analysis is going to be able to figure out what this does the idea is not to you know sty like Advanced Mau reversers because we're not going to be able to do that but you know we wanted to have an automated solution that tries to scan this stuff you know we wanted to at least throw a couple wrenches into that automated detection process so sticking with the python stuff our next idea was okay how far can we take all that python opusc and what if vendors still find a way to trigger on you know some small components of the

Python script sources so we looked at the Hyperion project which is a kind of PE crypter it'll take any executable do like a little stub um encrypts it with the random AES key and then natur brute forces the key in memory so our approach kind of similar was you take this like little kind of crypter feed to any python import file and it'll do a random AES key base 64 It and Roll It up in this little kind of exec wrapper so you go from something that looks like this you see like all the Shell Code up there and all the stuff down there you can see like the create thread the wait for object uh the

virtual Outlook and all that kind of stuff so you know maybe they're doing some uh signatures for like you know that's series of calls or something like that that's what it'll look like now now it's really hard to read really small text but you basically import a couple things it just says exec and it's this giant b64 encoded thing um this will onbase 64 decrypt all this in memory like decrypt the entire script to inject Shell Code and then execute that in line so every single time you generate this even if it's the exact same payload input file this entire thing will change so we're like okay that's about seems like kind of about as much randomization

as we could get for python at least like okay you know thinking along these lines too you know we just started kind of brainstorming like what if for the Shell Code injection like AVS are actually triggering on some of the raw Shell Code itself started researching some stuff and the way that matp stagers work really aren't that complicated Raphael Mudge who's actually out there at the Cobalt strike table had a couple posts that I found it wasn't even post at the time it was um some like email threads uh on the medit Ming list back and forth with Egypt so in that he was kind of working out like how do interpreter loaders work and he actually put a post up I think

last year this is after we kind of deved our own stuff but he has a that blog. strategic cyber the stage payload is what pin testers should know he goes through kind of some proof of concept code and like really tells you exactly how this stuff works so before to me it was kind of a little bit of black magic I was like okay under the hood it does something and loads it all up but again it's actually pretty simple for the reverse TCP Stager a uh the Shell Code will open up a TCP connection back to your msf console your uh interpreter Handler the Handler will spit back four bytes which indicates the size of the dll it's about to give you

right after that it pushes out the uh dll itself so interpreter is a reflectively injectable dll which means that you know you can spit this back out and an agent or like the Shell Code of the loader can load it all in memory without touching dis and then you can migrate around do all your fun stuff then the Shell Code will push the socket number into EDI and the reason it does this is you know you kind of have your data Channel or you're staging the dll and then you want to have communications with the Handler itself so this basically saves off the socket number and uses that same channel for communications so you open up a socket

to download everything and you can keep using that same connection to do all your like C2 it does like a SSL negotiation I believe underneath the hood and then you do all your commands and stuff an execution is pass the dll just like you would with shell code injection you do the void pointer casting um the virtual out pattern I talked about all those kind of things so the reverse HTTP Handler or htps Handler are even easier you don't have to worry about the socket number because it's asynchronous you just connect to the Handler you get a Big Blob of data which is a dll and you inject that into memory and then it just takes care of its

execution so we started writing these pure stages for the framework um it's kind of an interesting approach and then once we kind of figured out what those stagers were we started translating them into different languages so we have several stagers available in the framework right now we reverse TCP HTTP and htps all in Python again because this is all modular you can use like that little Cryptor you can use any of the options we have things for python to have um like kill dates um additional acusation you know your shell code injection methods we can also do like Heap ALC for injection instead of virtual Outlook things like that we have a few versions of some uh C ones and

I'll go over the seof fation in a little more depth here in just a bit but we have reverse TCP and reverse HTTP and we also have service versions of those um what's nice with those is you can actually PS exec with them so they respond to the service control Handler you can generate these with ve evasion and then plug them into PSX for metas and just have them work so these have been pretty effective we found not it's a lot harder to write maare and C because it's easier for AV vendors to to detect it sorry it's a lot harder to write really good evasive malware in C as far as all this appucation goes

because python or any other kind of interpreted language you have standard ways that it's all packaged up and then you have the only malicious part is like the little script that's kind of you know compressed up so it's a little easier to write stuff for that we feel which is why that's been a lot more effective for two or three years because AV vendors can't just flag on the little loader at the front because that would block a lot of legitimate projects as well so we did some reasonable officiation for the C stuff and then did the service versions there's also actually some um Cortana scripts that will let you plug Veil evasion into Armitage or Cobalt strike kind of

generate this stuff transparently in the background so every time you PS exec it'll choose one of the C Service ones like substitute it in and do all that so this kind of helped our workflow so also we Branch into C and something that I didn't mention all the languages that we have in the framework we want to compile on Cali Linux but work on windows boxes so we don't want to have to have multiple VMS and do all those kind of things so everything we've released will compile up a Windows exe all on Cali kind of as a monolithic attack platform and then you can just drop them and they'll run on windows so with the python stuff we

actually run P installer under wine on Cali um the setup will install all this stuff transparently underneath the hood you don't have to configure everything you don't have to worry about it you just point and click the C stuff uses um Min uh Min 32 G or M w32 to compile everything up the C stuff uses mono now people have kind of yelled at us or saying that we have a huge number of dependencies for the project which is true but if you want to compile net code on Cali and have it run on Windows you have to use mono that's the only option unfortunately it's like 700 Megs of dependencies for Cali or something like

that but you know is the only option we also did we have some Powershell stuff also the the shell cut injectors as well as these pure stagers and we now have Ruby which I'll go over here a little bit more that was released about a few weeks ago about a month ago yes compil

windows for the interpreted languages I don't believe so because and I'll go into some of the details and how say p installer works but basically all it does is it has like a little static loader at the front and then it makes kind of a big um kind of semi compress something kind of like a zip that it attacks onto the end so because of that you're not really compiling anything you're just kind of compressing it and making a self-extracting exe so like python Ruby and that type of stuff no um the C stuff yeah it you can tell that it was compiled with like Mii W3 too and we've seen there was one vendor that

started flagging some things or using that as an indicator it's still it's not 100% or anything like that and we also we always have questions from people saying like oh have you looked into getting around this vendor have you seen that like there are a lot of Av vendors out there we don't have the the uh kind of like the time or resources to constantly test and fight against every single one of them that's why our approach is we always want to do a ton of methods the idea is is if you're going up against a Target and you know what the r is then you can just clone it off and like see what

works cool so okay I mentioned for some of the C stuff you know variable ausc really doesn't do as much for a like properly compiled language it can help for an interpreted language it's a little harder for C so we're like okay how can we go about this you know really basic officiation so again this is nothing crazy malor has been doing this for a long time I did not invent off C code but our kind of slightly more advanced or intensive opusc for C involves kind of our interpretation of a method knot so the idea is you want a lot of methods interspersed throughout the code that don't do anything functional for the program they just kind of waste

space and complicate the C tree so you have a lot of these methods you kind of Nest all of them our approach I think I did this in about an afternoon was maloc a whole lot of C strings and have a whole bunch of nested like string process processing functions and then spit these out in randomized places throughout the code like in between the virtual Outlook and in between the create thread a lot of times AV vendors like to say okay you're doing these two calls right next to each other allocating memory and then moving data into it and then creating a thread a lot of uh Stag stagers and loaders from hour do that so if you intersperse kind of

new data and processing in between those specific calls that seems to be really effective so this is what all the C methods are the C stages and stuff and Veil actually do right now again you want to muck up the dynamic analysis a bit without affecting the actual execution of the program anyone that's a reverser is going to be able to figure out what it's doing again that's not our goal to sty all the actual reversers but if we sufficiently complicate the culry of the program that seems reasonably effective against combating a lot of these antivirus vendors and this is a basic version of Mau has been doing this for a long time it's still really really

effective in like I mentioned we had a bunch of randomized string processing stuff Mal all the stuff maloc all the strings inter dispers randomized functions throughout the actual code that's kind of what it looks like I know it's really kind of small again but we have all of our randomized string stuff and you know we intersperse that all throughout um again this is an open source project AV vendors or you guys if you're curious can go look at the code and see exactly what's happening we uh whenever we generate an executable we also always give you the source file and the compiled version of the file I think Christopher trer actually just put up a post on our site recently about

how to actually extract the python source file from the exe so you can verify it against the source if you don't trust us we promise we're not backdoing the back doors or whatever but you know some people are paranoid no so the next thought was okay if some AV vendors you know what happens if they're actually triggering on that little Pine staller loader can mention it's this little exe it's static so every pin dollar binary is going to have the same little loader it creates this um C archive data type it compresses all a minimal python environment into it sticks at the end of that exe so when it runs it extracts that all the disc

temporarily invokes a script file and can off you go so you started thinking okay what if we made an opus skated version of the pinear loader so built that last year presented at bsides Boston um this past spring it's called hallar The Source code's been integrated into V evation so it's an option whenever you do python you can say Pine installer which is the default or this pone staller option which will generate completely randomized source files for the little loader at the front generate all that stuff compile everything up like move it in transparently so end result is like every single time that little Opus skated loader in the pinear binary is going to be as randomized as we felt we

could reasonably make it and that was integrated into all the python payloads this past May so again obstated code sorry I'm repeating myself I guess associated with the pine Soler launcher generated m w32 is used to compile everything again all on Cali it's copied in a randomized Windows icon is chosen all that kind of stuff there's a blog post on my blog that kind of goes into some more detail about the specifics of that if you're interested or the biz Boston presentation so next thing um one one of the things we realized was any language you have that has a foreign function interface and and um or has access to a form function interface you can use to

inject Shell Code or write interpreter stages and it'd be really nice like okay we want all this stuff to work on Cali just like we mentioned so we had C with doation C with net mono po shell that's great we started looking into Ruby and it does have a form function interface 132 API it's this little gem it means we can you know wrer pure stagers and Ruby also kind of has an analog of P installer called Acra which is oneclick Ruby application and nicely we're able to get all this running on Cali so just like all the little python injection stuff there's everything equivalent for Ruby at this point like this is a little

stock template for uh Ruby shell coat injection it's only a handful of lines you kind of declare the functions and do that same pattern for there's your shell code you have your virtual outlock your move memory your create thread your single object so and here so in Veil evasion there's a couple Ruby payloads now there's a Shell Code injector and a pure reverse TCP Stager it'll compile it all up in the background you'll spit out the exe that works on Windows you again you don't have to set anything up you run the setup file it installs all the dependencies it does everything under wine does all that um about a month ago or so these

were released the Shell Code flat the sh basic kind of Shell Code injection is how we separate it we go by language technique and then specific approach the Ruby sh cut inject flat Ruby interpreter vers TCP everything compiled to a self- extracting exe so this is pretty new um we think it's neat I had hadn't seen there might be some public stuff out there we hadn't seen a lot of resources on Ruby stuff at the moment so the other thing we released last month was you know kind of this idea for a net like kind of Cryptor because C and VB code is compiled not interpreted you can't really build a little Dynamic offy skater like what we did for python

butn net has this really interesting feature called reflection and this is kind of quoting from the msdn stuff you can use reflection to create type instances at runtime and to invoke and access them basically what this means is you can like kind of manipulate components of certain structures and things like that in memory like in real time in a c program or a net program the end result is if you have a b array of raw bytes of a net binary so it can be VB it can be C or anything you can run that entire thing like that executable you can run that all in memory with three lines of net using reflection so it doesn't matter

how you get these bytes to that bite array you know you can download it from a third party like a dropper you can we have an option to where it like Opus skates it in a base 64 string in memory so after you decode that and you get that little array of B bytes you just say assembly load um you set the entry point to be the beginning of it and then you you just do this in voke and it just starts running so this is kind of like reflective dll injection but it works for any net compiled binary so we release this thing called a Cryptor called Arya which into the framework it's an option for all the C

payloads now where it'll read in all the bytes or so a payload binary a regular one for C or what not is generated it compiles it up and then it reads in all the raw byes B 64 encodes everything does a random sub substitution Cipher on it and then builds a little launcher that decodes the raw data injects it all into memory using reflection so that's kind of just a little overhead up there then we have you know all that kind of randomized string and everything like that that's the actual executable that injects all your shell code again as a proof of concept you can have this kind of Opus skated in memory it's really easy you

can do a couple lines just a couple lines to say download this blob from you know a web server and just inject it so you can essentially have like a stage one loader and net in like five or six lines or something like that so this is actually something that bad guys actually do so I think um one of the AP might have been putter Panda I think did some kind of like stage one loading with reflection.net stuff and then they had their um kind of stage two M stuff loaded up purely in net and kind of went in so it's a we're trying to again simulate that kind of stuff we're not claiming we did it better than any of

those guys but you know kind of approximate some of these techniques cool so I'm going to go over a little bit of the payload analysis of a couple of the families and then wrap up and take some questions so SS deep is a very kind of basic static analysis tool for malware it's a fuzzy hashing comparison tool so the other word for this the nice official word is context context triggered piecewise hashes so it does this thing from the man page saying it can match inputs that have homologies so it's this biology biology term it's it's a fancy way of saying can we measure the degree of shared ancestry between two bits of data so if you have two

executables this will kind of do it'll break it all up into components do like hashes of a lot of the small components and then do a comparison and give you a score saying how much of these code bases are similar from like a static kind of standpoint I'm not a reverser I ask some like kind of reversing friend saying like what's is there a really easy tool I can use to just compare some of these malare families they said for triage a lot of times they'll use this and that kind of you know stage triage spit a whole bunch of samples through it and kind of say okay if it scores at least like an 85 or 90 then

they're probably kind of the same payload family they have most the same kind of ancestral code base so what I did was for a couple of these families I generated a th samples of each and then did a run of comparisons so it did 1,000 choose two it compared every single possible pair of the entire thing then I ran some stats on some of the scores and everything like the python interpreter verse TCP of those thousand samples the Thousand choose 2 gave you almost 500,000 possible parings and only onethird of them match at a score of 75 or better um only 66 of them are 0.1% scored at 90 are better out of 100 and from my friends kind of

like basic you know information he gave me saying like Okay only .01% of these kind of count is the the same hour family even though they're generated using the same kind of technique um this didn't use theeran stuff or anything like that it didn't use the office G loader you still get kind of pretty good variation of a lot of it the average Paris wise score was 74 um and a lot of these like you know really kind of scored off to where they weren't similar at all so these techniques give you kind of like a really nice kind of spread to where like this these aren't the same kind of payload family where this shows kind of a graph

the SSD matches for the python interpreter TCP you see it kind of spikes up around 74 but it Trails off pretty fast so as reasonable variation the c um like I said this is it gets a little little more difficult for the fation we did the same same thousand samples same you know about 500,000 possible pairings about half of them scored at 25 or better so about half of them scored is completely dissimilar which is pretty awesome and only .5% scored at 90 or better the average par wise score was 37 so very few of these just kind of like the python stuff scored as a similar Mal family but there was a lot wider

variation than the python stuff like there's no super specific spike is a lot more kind of all over the place and kind of fell off after it hit I think the threshold for any score at all is like 35 or something like that but so this is why you know this is going to be a lot better to use this kind of your stock PSS EXA stuff than just using the same template this is a little harder it's not impossible it's a little harder to write just a static straight static signature for it then doing the the C stuff with the little D net crypter only about five parings matched at 25 or better none

scored at 90 or better so this variation I didn't even graph this because the variation was there was like one data point so it was just completely off the map so none of these scored is a similar malare family based on SSD if a reverser started looking at this they would see okay these are actually very similar but again that kind of you know first automatic triage type stuff that's where we're kind of trying to get by so some of the recap we started this research out of necessity but then we kind of continued out of curiosity you know we again a couple years ago we knew absolutely nothing about any of this stuff we were able to build some really

effective approaches very very quickly this is not rocket science this stuff isn't that hard like said beating up AV vendors isn't extremely difficult but there's still ways to stop us we went over this in the shukan presentation you know proper behavioral analysis is really the way to go um some vendors have started doing this to where you're like okay let's see let's hook the virtual allet calls you know kind of at least detect to start that virtual Alec pattern that's a pretty effective thing um there's a project called Ambush IPS released by Script junky which is a very granular kind of host-based ips system you can write rules that say if you do this call then this call and this

call with these types of arguments than flag or block so you can write rules that block all interpreter loaders or things like that um again you know the problem is though we don't want vendors to just stop pin testing tools you want them to actually stop real mware because they're just trying to simulate this stuff um one thing we've seen that's been really effective that a couple vendors do is kind of crowd sourcing the reputation of the exe so if they've never seen an executable before and it hits dis they say okay we don't know necessarily if this is good bad so we'll pop up to the user and ask them if they actually want to run it or they'll apply

much more stringent kind of heris to it if they've never seen that sample before so that's really kind of flumm us a bit but um luckily Powershell gets by all that stuff so you don't have to worry about it um and it's it's still kind of interesting it's that's at least they're they're thinking in a different way besides just static signatures so that's really a really awesome approach that we would encourage the vendors to kind of move towards and then yeah that's our hashtag a so that's it and it was a little short um if you guys have any questions always feel free I'm on Twitter or my email the site we try to do a lot of blog post um

pretty much kind of diving into technical information or releases for any the modules and things like that one things I didn't mention is we actually have a um standard kind of release cycle we do so it's called vday kind of modeling after patch Tuesday to where the 15th of every month for the last year or last 13 14 months we've released at at least one new module our payload family so this past month was a ruby stuff uh we actually are a couple days late for this month but it's going to be some the Ruby reverse HTTP and htps stagers next month we got some you know we have enough research to where at least for a few months out we always try

to stack stuff up so we've got I think probably at least nine more months of releases if we didn't do any more research at this point so again we didn't want to just kind of drop it all at once we're just trying to as we figure out stuff and kind of move ahead we want to keep releasing it to let people know this project is a lie we're still doing this we still think it's interesting so and then uh the GitHub is Veil framework that has all the separate tools underneath it Veil evasion is kind of the main tool we have a super project called Veil that we recommend you clone that down and run the setup and that'll

run everything for the standard configuration for the additional tools like pillage and actually this fall or pretty soon we're going to start rewriting the entire code base from scratch so all the tools actually work together it won't be you know the setups won't stomp on each other and everything anymore but uh oh all right um so yeah it's going to be a complete rewrite for kind of like a 3.0 release that's going to be sometime in the spring so and we also just released our own kind of a port of msf Venom into python so now we don't have to wrap we're basically independent of uh metas now or we don't need it as a

dependency if you don't want it so you don't have to wait for the whole metas stuff to like spin up it can just be like instant shell Cod generation So Co any questions yes you to worry about your scores all um we haven't looked as much into that yet because we haven't had to um we know some approaches for some AV vendors are saying like Okay if this section has a whole lot of Randomness that might be suspicious or might be a kind of Packer or something like that it it hasn't really it hasn't we haven't looked into it yet because we just haven't had to but that's something we'll probably start looking into in the next um few

months but uh you know maybe a way to instead of making it look completely random trying to mask it as like normal looking text or you know different kind of encoding method or something like that yes how much does this look like commercial IP OB protction um honestly I don't really know I haven't looked at any of the the commercial solutions for the office Gators and Packers outside of you know the like kind of the standard open source ones like upx or whatever um the the thing is with us at least like there each language is really it's very very different it's kind of a different approach so um at some point you know we

we'll probably look into some of the commercial things but you know this has been effective enough to where we just haven't had to look at the commercial stuff but it's something to definitely look into

yes sorry could you repeat the

question yeah we so you know I talked to a couple friends who are reversers um there's a couple other like techniques for Shell coat injection that we're planning on introducing and things like that but um yeah I don't like we I'm not our shop doesn't really do reversing ourselves so we don't have a huge amount of insight outside of you know kind of what's publicly out there in reports Y is there any plans for we've been asked about that a lot that was one of the biggest questions we got at Defcon so we actually assume soon as um I sto traveling non-stop I'm going to try to actually start looking into it but we've got a few new people that come

on board and once we start doing the um the framework rewrite from the ground up we've kind of pushed a couple of the feature requests to be like okay we're going to reset everything anyways so we're definitely going to try to look into how to programmatically um integrate 64-bit stuff and compile it especially because things with patch guard and all that make it really like 64-bit can be really really effective in evasion stuff so that's for on disk evasion that's going to be like kind of one of the the next iterations for it so cool unless anyone has any other questions that's it thank

you