
Offensive Anti-Analysis - Holly Williams

BSides London · 35:03 · 2.0K views · Published 2016-07
Category: Technical
Style: Talk
About this talk
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software. For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.
Transcript (en)

Hey guys. So, wow, I lost my nerve when the first dozen people came in, and now there's like a dozen people trying to come in. So, point number one: I'm not a public speaker, and if I look a little bit nervous it's because I'm absolutely petrified. However, we'll get through this together. This is my talk, Offensive Anti-Analysis, or what should probably more accurately be called Adventures in Antivirus Evasion Part Three. I've done quite a lot of work over the last maybe two years on antivirus evasion and this is kind of the end of it. I've got through everything now, I've talked about as much as I want to, so here's a nice summary, the TL;DR of

me messing around with antivirus. So I am the author of that pink information security blog that these slides are themed around. I write a lot of content online about penetration testing. Penetration testing is my day job: breaking into computers and buildings. And I write about infrastructure security, web application security, but something that I don't talk about is what I would call my hobby, which is malicious software development. Yeah, not really analysis, it's kind of more development. So because I'm not allowed to do a talk on "hey, here's a tutorial on how to write a botnet", I'm going to do a tutorial on how to avoid antivirus instead. Now, antivirus has been

around for a long time, and I'll talk about the origins of antivirus very, very briefly, and I'll talk about the previous work on evading signature analysis and things like that very briefly, and I want to get on to behavioural analysis engines towards the end, and in particular online scanning engines like VirusTotal and websites like that. But starting right at the beginning: one of the problems with malicious software, and one of the problems with detecting malicious software, is that it's really hard to determine, I mean, well, what is malicious? Define malicious. And if we can't accurately define it then we can't accurately detect it. So if I want to, if

I want to know what something looks like, I'll go "hey, okay Google, what's a horse look like?" and Google will show me images of a horse and I'll go "yeah man, those are definitely horses, look at those stunning beasts". Easy, apart from when it comes to the kind of stuff that we do. I mean, I introduced myself as a penetration tester; sometimes I use the slang term hacker, a professional hacker, I break into computers and buildings and stuff like that. "Siri, what's a hacker look like?" Oh. So we have a problem here. We have a problem when it comes to stereotypes and we have a problem when it comes to actually defining the thing

that we're looking for. If we can't define malicious, we can't detect malicious. So yeah, Google Images is probably not the best place to go if you're looking for rigorous definitions, but it's a good place to start. Now, I'm a penetration tester, I hail from the red team, and for those who are unfamiliar, information security is generally split into red team and blue team, where the blue team are the defenders, people who look after our network infrastructure and keep us safe online, and the red team are the people who play the part of the attacker. They're not malicious in nature, they just play devil's advocate for the sake of network security. So when it comes to being a

member of red team we have an ethics boundary, and in fact anyone in information security can talk to the ends of the world about ethics. Where I draw the line here is: yeah, I'm going to talk about malicious software development, but anything that we do should, and always must, assist the blue team more than it assists the malicious citizens of the internet. So I wrote some tools and I wrote some proofs of concept, and I'll release those. I was going to demo them during this talk, but we're on cable number seven and laptop number two, so I'm not entirely convinced demos will happen, I'm afraid. But I wrote some malware and it did some cool things

to some antivirus scanners, and I want to talk about that. And my relationship with malware is a pretty simple one: I really like malware, I really like malicious software, and I don't differentiate between the tools that I use in my day job, hacking tools, and malicious software, because they're doing the same jobs for the same reason. I just have a certificate of ethics that says when I steal your credit cards I'm going to give them back. Most of them. So we're talking about detecting viruses, detecting worms, detecting malware. You know, what's a virus look like? Yeah man, this Google Images thing is really not working out for us, is it? Tell you what, we'll check out some

documentaries instead. This is CSI: Cyber. Turns out it's really easy, guys, you just look for the red code. It's all of the red, that's the malware. Now, yeah man, detecting malware, detecting a malware attack, is really, really simple: you know, you turn your laptop on and it looks like that and then you go "yep, that's malware, that's definitely malware". So it's 2016 and our headlines today are filled with ransomware. Ransomware is a pretty awesome thing, it's, well, it's a really, really easy way of making money, isn't it? And you see ransomware is hitting the news in 2016, but it's not news, it's not new. A quick pause, a quick detour: 1971, the

first computer virus is released. I'm talking about Creeper here, and by computer virus we're talking about PDP-10s and the ARPANET. Creeper creeps through the ARPANET infecting machines, and then Reaper is released; Reaper chases Creeper through the ARPANET and cleans it up. So 1971 and we have the first virus and the first antivirus. That is a long time ago. Do you remember the 70s? So 1971, it's the first computer virus. 1986, that's Brain, that's the first PC virus, PCs as we would recognise in this day and age, IBM PCs, 1986. 1989, the first ransomware, talking about the AIDS Trojan here, a piece of software that'll encrypt the files on your computer and then ask you to pay a

ransom. Ransomware in 1989. It wasn't perfect: it used symmetric key cryptography as opposed to asymmetric key cryptography, so any malware analysts out there will tell you that that's terrible, you can pull a key out of the executable, it's trivially easy to bypass. But hey, it was 1989, we were young. Some of us were; I was born in 1990. Malware, and specifically ransomware, has been a problem longer than I have. So why is ransomware such a big thing in this day? Why is ransomware working out so well for the attackers? Well, partly you could argue improvements in certain areas of security, improvements in perimeter security, things like that. Alternatively you can argue: take asymmetric key

cryptography, take malicious code, throw in a little Bitcoin and you have a recipe for profit. What kind of profits? Well, taking a quick look on Wikipedia, the source of all facts (yeah, that's right, I don't only get my facts from Google Images): CryptoLocker, they made $3 million. That's pretty good; you're not buying a new car with $3 million, you're buying an island. CryptoWall, they made $18 million. I'm really sorry, this presentation's kind of... I'm not trying to convince you to write malware, that's not the aim of this. The aim of this topic is an incoherent 45-minute rant about some parts of information security that frustrate me. You see, malware has been around for a

long time, our advances in defending against malware have been around for a long time, and we do some really cool stuff. Malware analysts put an awful lot of effort into pulling these tools apart and writing quite fantastic blog posts about how naive malware is, and how a lot of it is written like all software is: it's copy and pasted from Stack Overflow. I don't have the slide in here because I didn't want to steal someone else's work, but there's a brilliant article where a guy takes a piece of malware, pulls it apart, it's written in Basic, and instead of talking about the features of the malware he links it back to the original Stack Overflow

articles, articles if that's the right word. It's like "yeah, this is copy and pasted from here, and then that's copy and pasted from there". So the malware analysts, the antivirus companies, are doing absolutely next-gen stuff to detect this, and then the malware writers are just like "I'm not even going to learn my programming language, I'm just going to use other people's snippets". So ransomware is very, very strange, malware is very, very strange, and it is absolutely all over the news. I set this as an animation originally, but the problem was it wasted about seven minutes of just news headlines coming up; they go that deep. Ransomware is great because it gets

around a lot of the problems of traditional security. I don't have to do things like breaching the perimeter, and I don't have to hack hardened servers and get into the areas that we've invested in to protect; I just have to get a user to click a link in an email. And I work as a penetration tester, so sending phishing emails is something that I do quite regularly, and my, I guess, personal average, or my team's average, is 33% of users will give us their password over email. That's not a genuine statistic, I can't link that back to a report, it's our personal experiences, our statistics: in the team, around 50% of users will click a link and around 30% of users will give

us their passwords. Now, it's not going to be as trivial as "hey bro, what's your password?" or "oh, I lost my password, can I borrow yours?" We're going to set up a scenario; we're going to use psychology against users. And that's the brilliant thing: I'm not attacking a hardened server, I'm attacking a user who's non-techie, probably really busy, doesn't really care about computers, in fact probably hates them as much as I do, and just wants to get done with the task that's set before him. So phishing attacks are effective; link ransomware to phishing attacks and they're very effective. Now, in the context of computer security, we opened with this problem and this is

the problem that runs throughout: how do we define malicious? Now there's certain, well, there's security devices out there that'll detect vulnerability exploitation and detect things like privilege escalation, and again ransomware's getting around those, because we're taking a user's files that they have permission to and messing with them in the context of that user. The user has clicked a link in an email, something like that; a piece of software running as that user is messing with that user's files. It's a different approach to security, something we've never really come across before. Ransomware, it's a type of malware; we have anti-malware, it's existed for a long time. I've previously written about it; like I said, really this talk is

Adventures in Antivirus Evasion Part Three. And when it comes to anti-malware systems there's two types of engine, and most people in the room are familiar with both of these terms and the fact that there's two types. If you read any of the vendors' pamphlets, any of their information, they'll tell you the seven types, but it's like the seven signs of ageing; trust me, there's two. Two detection engines: the signature analysis engines, which everyone should know (hopefully, if you're in IT and you're at a security conference, you should know) these are pretty broken. They do have a place, though; they do exist for a reason. A signature engine is less computationally expensive than a behavioural analysis

engine is. If the signature engine gets a detection you don't need to worry about the time-consuming behavioural analysis scan. Now, there's two kinds of behavioural engines really, when you think about it, or two approaches to using them: there's whatever it is that you're deploying in your endpoint security, and then there's websites like this. So when I'm on a penetration test and I upload a tool to a server and I get command execution on a server, I don't have to bypass all of the antivirus in the world, I just have to bypass the one that you're using, whatever your endpoint choice is. I bypass that and it's really good, I'm good to go, I get my code execution. However,

if we've got a really on-the-ball SOC (if anyone's ever met one; I'm sorry, I shouldn't take the mickey out of blue team, that's unfair), if we have a really on-the-ball SOC, a really on-the-ball sysadmin, and he picks up on this executable or this service and he's like "that looks dodgy", you might choose to use a service like this. You might choose to upload it to VirusTotal to get effectively a second opinion about the security. So systems out there exist already to bypass antivirus, things like the Veil framework, a fantastic framework that does what you need on a pentest, fits well into Kali Linux if

that's your flavour. And now we've got this second system where people are uploading tools to VirusTotal and things like that, and we have to evade those as well. The quick TL;DR for signature analysis evasion: lots of different techniques, a quick Google and you find out about them. Don't bother with encoding, it's not going to get you anywhere. Autoerotic exploitation is as fun as its name suggests. But my personal favourite is crypting. Crypting is a really simple concept, really; it's a slang term from the dirty hacker underground. It's the idea that we pull the meat out of an executable, we encrypt it, add a decryption stub, stick it all back together and fire that as our payload.

And now a signature engine looks for previously seen patterns in an executable; if I encrypt the executable there's no previously seen patterns, the signatures don't work. Really, really simple thing, really, really simple concept; not quite so simple to write yourself, you're going to be knee deep in assembly. And this talk is all about naive antivirus evasion. I've previously written about the technical side, I've got tutorials on there about assembly and things like that, and when it comes to conference talks, getting a slide filled with assembly and trying to route people through code doesn't work very well. So what I'm going to do instead is I'm going to say: yeah, antivirus evasion is still a thing 40 years after

antivirus came out and 27 years after ransomware was invented, and also, a lot of the time, it's terrifyingly simple. So, I'm not going to pick on all vendors, I'm not going to pick on any vendor specifically, I'm just going to talk about some of the things that I did when I was messing around with the internet. One of them was I wanted to download a tool that was a good control group, a good hacking tool that should be detected by every antivirus out there. I chose mimikatz for this round. It's a brilliant tool; any penetration tester will tell you exactly what mimikatz does, we absolutely love it: it pulls plaintext credentials out

of memory. A fantastic thing if you're a penetration tester. By default it's detected 25 out of 56 on VirusTotal. Score: 25. Okay, point number one: that's terrifyingly low for an out-of-the-box... I haven't actually done any evasion yet and I'm over halfway there. So, that aside, what I did for my opening evasion technique, and this is naive lessons in antivirus evasion step one: I renamed the file, and I went from 25 to 20. It's a good start, that's a 20% drop. So I started at below 50%, I dropped 20%, I am elite hacker, let's be honest. No, seriously. And eagle-eyed viewers, not at the back, because there's no way you can

even see this slide, but guys at the front might notice the hash is different. So I'm lying to you when I say I renamed the file, but not quite. I renamed the file and then went into the portable executable, and at the end of a PE structure it has a thing called Original File Name; this tells you what it was previously called. I changed that as well, so I get a different hash. But yeah, I still renamed the file; instead of going right click, rename, I opened it in a hex editor and renamed it. Basically the same thing, not a difficult thing at all. But we're at 20 already and we haven't really done a lot. Our target by

the end of the day will be zero. Now, the problem with VirusTotal, and the problem with playing around with the system, or I guess naive item number two: a lot of people don't realise that although VirusTotal deploys a lot of antivirus engines, 57-ish engines depending on which day you catch it on, it doesn't deploy the full capability of those scanners. So you might get a zero score on the front page of VirusTotal, and then deploy it on a penetration test, or deploy it when you're pushing out your ransomware making your millions, and it gets picked up, and that's frustrating. But we'll get around that in a second. For those

that think I'm making that up: no, it's in their FAQ. They don't hide this fact: VirusTotal doesn't deploy the full capability of each scanning engine. Don't worry, you don't have to read that so that you can trust me. They just use command-line versions of it, deploy most of the signature engines, some of the behavioural engines. If you want VirusTotal's behavioural engine there's a separate tab for it. So scanners on the front page, behaviour on the fifth page. So we're going to start on the front page, bypass that, we're going to use crypting because it's pretty simple, and then we're going to look at the behavioural engine and mess with it, I'm going to tinker

with it. So, crypting. From that slide of like seven different evasion techniques, crypting is the one that you're going to want to go with if you're doing antivirus evasion without actually learning how to program, if you're a ransomware author and you want to write ransomware entirely from Stack Overflow. So crypting is a really difficult thing to actually pull off, and it involves assembly and probably a difficult language to write, like C. The brilliant thing is someone's already done it for you; in fact there's a lot of working examples out there. Good one at the bottom: Hacking Team graciously lent us their crypter, which is nice of them. The one in the middle,

presumably you're familiar with this, it's a tutorial, it's a full walkthrough, a nine-page walkthrough on how to write a crypter, where they give you example code halfway through and then at the end they give you a working solution. The top one's another example of that; it's actually, it compresses it, so it's a packer, not a crypter, but it's the same area: take an executable, modify it in a way that antivirus won't pick up signatures, and then you bypass the signature engine. Now, a crypter is going to allow you to bypass the signature engine quite well. These crypters, however, those should be detected; their decryption stubs should be picked up straight away. The reason

for that is one of those is 13 years old now. It works just fine, actually. So we were at 25 originally, got it down to 20 by renaming the file, got it down to 12 by using a 13-year-old evasion tool. Antivirus is awesome. So you download a tool, you don't even learn how to program, you run it, the tool's ancient, it should be picked up, and it kind of is picked up, but so far we're almost all the way there in terms of antivirus evasion. We've not done anything leet. And sorry, were people expecting me to come in here and drop zero-days and stuff? I totally will when I need to, when,

when evasion is difficult. But there's still 12 detections to get through, and we're still going to continue on our naive evasion techniques. Let's take a look at some hex, then we feel like real hackers: I opened a hex editor, I am leet. So one of the problems, and one of the reasons that those 12 detections still exist, is the fact that although the signature engine can't take a look at the exe and work out what the patterns are, what it can do is take a look at the exe and say "that's encrypted, that looks weird". The way that it does this is it checks the entropy of each section, and if the

entropy is particularly high, above five generally, for anyone who wants to get into the specifics, it goes "that's encrypted, I'd best flag it just in case". So how do we drop the entropy? Naive evasion step three: throw a load of null bytes in there. That is two lines of C. Really sorry, I did say you don't have to learn any programming; you're going to have to find on Stack Overflow how to do a for loop. Let's do a for loop, stick some null bytes in there, and you get your detections down even further. So yeah, they're detecting the entropy, and that's all; looking at detection in that context

from a signature analysis engine: drop the entropy with null bytes, it's pretty easy. The next problem, though, is the fact that the behavioural engines are going to kick in. Now we've successfully bypassed signature engines; this is not cool, we did this 10 years ago. The behavioural engine kicks in: if I encrypt my exe, the behavioural engine executes it, it does dynamic analysis, actually fires it up in a virtualised or emulated environment and watches it execute. So yeah, I hid the patterns, but as soon as the executable runs they'll work out what it was; they'll work out that it in fact, in this case, is mimikatz. So how do we get around the behavioural engines? Well, we take a

look at how they actually work, and we take a look at the... don't be mean to the vendors, they've got some difficult challenges, some difficult problems, it's a hard problem. One of the things that they're living with the reality of: they can only scan for a finite amount of time. So if I can stall the scanner long enough, you know, "oh, don't do anything malicious for the however long it scans for", I can evade them that way. A really good example of this is Google's Play Store: when they implemented the detection system, their dynamic analysis called Bouncer, a researcher found out that if you just wait five minutes before doing anything

malicious it bypasses that protection mechanism. And the same's true of the behavioural engines that I see, apart from, generally, with the ones that I work with, the timeout's a lot shorter; it's like 45 seconds on average. So the scanning engine checks the exe for 45 seconds; if it doesn't do anything bad it lets it go through. So how do we stall for that time? Well, if I just did sleep 45 at the top of my exe, obviously they're going to pick up on that. They're going to mess with the system; because they're virtualising or emulating they have that benefit of they can increase the clock speed, they can jump forward a day, they can jump forward seven days, things like

that, mess around with our execution environment. I can't just stall for 45 seconds. One thing that I can do, though: well, I encrypted my exe, so instead of including the key in my executable, just brute force it at runtime, and then if they step forward, if they go "oh, now it's tomorrow, now it's a week in the future", cool, still don't know what the password is, still got to keep going and working on that password. And again this is an old technique; 2012, I think, that technique came out. It's implemented in Hyperion, an academic paper was written. So again, a really naive way of getting around that; that was 10 lines of C, for anyone who's looking up the Stack

Overflow article there: take the password out, run another for loop (I'm sorry, two for loops in one day, I know), brute force your own key, and that way you guarantee that you've delayed execution for the amount of time, and in most cases I evaded most antivirus doing that technique, again, like a four-year-old technique. However, going back a second: 12 detections. 12 detections, okay, like we're almost all the way there, but 12's still a high number. Got this Hyperion thing to play with, but 12, 12, 12, 12, that's annoying me. Scroll down the page a little bit and we've got the actual detections. What this is, it's VirusTotal I'm using here, but other scanner engines

exist. VirusTotal tells you what you're being picked up for. Now, you won't be able to see it at the back, but those at the front: this is custom code that I've written that no one has seen before, and yet six of the engines gave it the exact same name. How did they all decide on the same name? They're all the same engine. It's not 12 scanning engines, and those six, in this case, that's Bitdefender. So F-Secure use Bitdefender's antivirus engine; again, they don't hide this fact, read their FAQs, go on the forums and they say that yes, we licence Bitdefender, and F-Secure make their money on all of the

awesome research that they do and the other things; the value-add isn't the engine, it's the things around the engine. Awesome company, one of my favourites. But naive item number four is: the enemy isn't as numerous as we think they are. It's not 57 scanning engines that we're evading, it's small collections of them, and the way that we can bypass them is, you know, through these simple little jumps where we're dropping out five at a time, and the reason we're dropping handfuls at a time is because we're just bypassing one of the engines. So if you couldn't read that forum post, I increased it here: this is F-Secure saying yes, we use Bitdefender

in our corporate products. Now, what I was doing originally, and what I was doing up to part two of this talk, where we've joined in now, is I was just arbitrarily messing with an executable to see if the detections went down, trying things: "oh, I wonder if I rename it, will the detections go down? Oh yeah, they did, that's awesome". Just blindly changing things. And at this point, this is when I said: well, maybe I can use some of the penetration testing skills that I've got, maybe I can take some of that red team knowledge and get a little bit more visibility into the engines. So taking a look at, again, VirusTotal, Malwr, those

types of scanning, the virtualised systems, cloud-provided systems, software as a service: previous work has been done on detecting and avoiding virtualised systems. I didn't do this; I specifically wanted to avoid scanners, not virtual systems. If you're a ransomware author it doesn't matter. Yeah, the argument: if you evade virtual systems, if your malware doesn't run on virtual servers, then you can't target the virtual servers that the IT company's deploying. Ransomware authors don't; they target the end devices, they target the humans, they don't go after the servers, they go after the doctors and the nurses in the offices, and that's how they make their money. So ransomware authors can do all of this cool stuff,

they can apply all of this previous research, and there's a whole world of proofs of concept in here for them to do it. I'm a penetration tester and sadly I do have to hack servers, so we're going to step past this section, but there's an awful lot of work already done for bypassing virtualisation. Instead of bypassing virtualisation, what I did was I took a look at some real-world scanning engines, and I wanted to detect when I'm being scanned by that engine and then not be malicious: "oh, I'm in VirusTotal, okay, I'll be a good girl for a little while". So I took a look at a few engines and they all worked in roughly

the same way from the point of view of this. But another frustration with information security is there's a lot of techniques that have been deployed already that work, there's a lot of academic work out there to fix these problems, and all of these naive little jumps that I'm making shouldn't work. Shouldn't work. But what I did was: these systems are very, very strange. You've got remote command execution on VirusTotal, of course you have, you give it an exe and it executes it. That's a strange starting point for a penetration tester. But all I need to do is detect when I'm being scanned; if I can detect when I'm being scanned, and better, which

scanning engine I'm in, I can not do my malicious behaviour. Now, the system isn't going to let me just explore a list of... well, it's not going to let me map it, it's not going to say "oh hey, VirusTotal, can you give me a list of all of your files, all of your users, all of your running services and any other information that you can think of, so I can draw an accurate map of the scanner". They're going to block you from doing that, in the same way that when you're doing a web application penetration test and you're exploiting SQL injection, the system might hide error messages from you, it might hide that kind of

information, and blind SQL injection is a thing that's existed for a long time. Some people in the room who do web application testing right now are going to be like "why are we talking about SQL injection all of a sudden?" Because the technique is the same. So the system won't let me just dump a whole list of files, but these systems do tell you the behaviour that the executable took, like "oh, it created these files, it wrote these registry entries". So in the most naive of ways I could just say, okay, try and create a file for every file that exists on the system, and then in the event log I get an error: "oh, I tried to

write all of these files but I couldn't because those files exist". So that's one way of pulling it out. Alternatively you could, you know, ls a directory, get a list of files, encode them, pull them out that way. Or the hardest method would be to use Boolean inference, which is kind of the same thing we would do through SQL injection: I might take a value that I want to extract from a system, like the name of the current running user, and I'll say "oh, if the first letter of the current user is A, perform this action; if it's B, perform that action; if it's C, perform that action", and therefore when I look at the

output of the behavioural analysis engine I can infer what these variables were. Now, the reason that I've given you all three of those options there, from the very simple, literally listing files, right down to Boolean inference, is the fact that this is a hard problem. So I'm saying that I can map these scanners, and I've written a tool that will say "hey, I'm in VirusTotal, please don't do anything malicious", but the problem is difficult for them to fix, so, you know, please don't, please, please don't be mean to the vendors. But however, I write a tool, it maps VirusTotal, it maps Malwr, it gives me a whole list of everything that's going on on those systems. Yeah,

let that one run overnight; that took a long time, especially the whole pulling things out a character at a time thing. But you map the system, and then you don't give a demo, even though the slide says that I'm supposed to give a demo, because we're on laptop number two right now due to IT difficulties. If anyone wants to see the demo, however, I can show it later on to some groups and things. There are some screenshots of the tool working, so we'll go through those instead. But I can achieve a zero score on VirusTotal, and I can control what the output of the behavioural engine is. If I run the exe on my laptop it does

bad things; if I run it on VirusTotal it doesn't do bad things; on Malwr or ThreatExpert or any of the online scanning engines, all the same issue. So I can control what the IT admin sees, and I think that's a bad thing. Antivirus evasion is a bad thing; the ability to control a scanning engine is a bad thing. So I reported it to Google. I said "hey Google, bit of a vulnerability, it's a bit of a weird one: what I can do is I can evade your antivirus". And Google wrote back. You're never going to read that; made it bigger; you're still probably not going to read that; how's that? So I said to VirusTotal, I

can map your scanning engine and using the map information I can write a tool that'll accurately detect that I am in your scanning engine and therefore my malware won't perform any malicious behavior and therefore it's not detected apparently that's supposed to happen uh this is not a security vulnerability I'm really sorry guys I've pulled you in for a 40-minute talk about something that's not security vulnerability yeah I reckon it is um so what I can do is my tool that that I did say I was going to release today but um I used two Factor authentication on my phone died so now I'm now locked out of the internet which is a problem I won't be

on Twitter today but I will release the code and the the full write up of everything I'm saying right now tonight or whenever someone gets me an iPhone charger um but my tool which is free for the open world can detect not only if it's virtualized and which virtual system it's in I'm lying here it doesn't do Zen and Kimu yet because there's only so many hours in a day but it can't tell you when it's on VMware and when it's on Virtual box and it does that in the most naive of ways even spots wine um and that's cool but like I said that wasn't the priority this time around if you want to write some ransomware write some

better code than I did but it's a good proof of concept what I was interested interested in is writing a tool that can detect when it's in a scanner and which scanner it's in and it's pretty accurate and that's a scary thing because it's terrifyingly naive um but it'll tell you if you're in a scanner which scanner you're in and then which node of that scanner you're in so it's that accurate it can differentiate between the nodes of the scanners and I named them because I needed to I needed a unique way of identifying them but it's that accurate that it can say this executable is is being fired on virus total and it does that by taking a look

at the system what's the name of the current user what's the volume ID of the hard disk this laptop's about to run out of power so I'm going to talk a little bit quickly uh it tell you what's the volume idea of the hard disk what files exist what files are on the desktop really really trivially naive stuff and it can tell you that it's in a scanner and which scanning node it's on which means that if I'm in a scanner instead of doing malicious behavior I can control what the output of that scanning engine is and I can lie to the CIS admin and I can lie to the sock so the sock finds my

executable it's like this looks like a bot net with best get it scanned and this is what they get um yeah I can literally make it say anything I want to um so I'm going to be meaning them I'm going to rip roll them this is fear that's it telling me which node I'm on so there's a short number of nodes and it's saying we're running on fear today um and it's on virus toll so I can accurately detect run on virus toll don't want to pick on one vender though this is virus total that's malware that's threat expert works in the exact same way same naive level of detections so if anyone wants to catch

me later on and see the demo that's awesome if you don't have time I'll release the proof of Concepts and stuff tonight you can catch those on the internet my output from this this uh conference talk is that's probably a bad thing the fact that I can get a zero output and the fact that I can control scanners is probably a bad thing I'm really sorry that I lied to you though because it's to it's not so that was my talk that is offensive anti-analysis a naive look woo