BG - Vaccination - An Anti-Honeypot Approach - Gal Bitensky

so I'm going to turn this over to Galba tanuki senior malware psychologist and vaccinations and honey pots yeah so yeah so hi i'm gal just like gal gadot which you all know when a woman and what we are about to talk here today about as an interesting way to repair attackers I think it's like really interesting instead of luring them we are doing the other way around we repel them this is like kind of an attempt to you know there's like the cat-and-mouse chase today yeah like those guys and well you know who wins in this race yeah yeah this is the guy who wins in this race you know and itchy-scratchy for those who you are not familiar with the

Simpsons and I'm trying to do something different something where I don't want to like to exchange the kind of mouse but I want that asked to be the mouth and the cats to be the guys right mad were and do like bad stuff hopefully what we are going to do today is well we will start we're talking about honey pots yeah it's going to be a problem iced tea it's crippling side a bit yeah that's better thanks thank you that's okay we'll start by talking a bit about honey pot like 60 seconds about honey pots then about the opposite of honey pots and how it happens in the nature this kind of anti honey pot thing sec yeah now we're good

and then we'll go to how we apply this kind of natural approach to repel attackers in the InfoSec world and will and with good idea bad idea when applying this approach you can do like really stupid stuff this way and we don't want you to do it we're going to be as efficient as it can be and we'll do a short demo but that's like fun time so it's even not here a bit about myself I don't know who like how many of those you have been like yesterday in my talk so we'll do it all over again hi I'm go for an annual geek from Tel Aviv I'm working a startup called Minerva labs there's like what you're

seeing you today is kind of my day job but let's note dr. Tina like a pitch or something I'd like to figure out myself for the scene rememeber psychologist and I'm fluent in all kinds of exotic languages like C sharp Ruby pearl Arabic are there any are Arabic speaker is a proud today are you like maybe shy so ah hello Salafi commando can be Manasa but Mortimer besides Elfie alpha no sabotage yeah yeah so this is like the couple of Arabic word that I was able to learn before well I did anything from like doing some scripting to ICS exploits which is just like sending commands to ICS have like all kinds of experience in

a Walt and that's nice our job is really funny and fun so if you want to follow me on twitter i'm jl underscore b1t you don't have to but if you have questions feel free to approach me I'm really friendly and I really liked you to have questions so what is the honeypot that's my my best animation in any presentation which I have ever did so on the right side you see xenia onatopp she's one of my favorite female villains in all James Bond movies on the left side you can see Sean Connery which is my second favorite Bond xenia onatopp is the honeypot she's that first lady to appear in every Bond movie you can think

about she tries to live on she'll do this little Dingle Dingle yeah James will come and think maybe he thinks she's a catch or something I don't know it just look like this my so genetics come back that he is and but up close he understands that she's in a bargain so bang he shuts her and no more honeypot yeah it happens in every Bond movie here you can check it out and 99 percent of them and this is the problem with honey pots some of them are good but in most cases attackers can detect it and I have like this what F moment and the stock where let's think what we can do like in

another way what if instead of like attracting the attackers we can repel them we can be like I know in in James Bond case the the ugliest girl in the room or boy were not judging so what is this anti honeypot it's simply natural approach of repelling attackers this is the the Texan tricks on a milk snake ya know it's it's the the coral snake it's the coral snake and you can have like this Mexican milk snake which is not dangerous you can see how similar they are they're not that similar but they are pretty similar and the the one on the right side is not venomous at all and the one on the left side is very

venomous and the one on the right side defend itself by by just looking like one and left very simple yeah so yeah butterflies are also hackers they don't do this kind of stuff yeah this is not butterfly hacking but they do try to look one like they another here you have a couple of butterflies you have the the monarch butterfly and the Viceroy butterfly one of them if like a bird will eat it cheese you'll have like a serious stuff in your stomach and everyone just looks like the first one so well again one of the of the butterflies the one on the right tries to look like the one on the left it's not that simple and it doesn't need

to be venomous it doesn't need to be anything just to look like the one which is it's called by the way mimicry bayesian mimicry for you a biologist and a proud so we need to take this kind of yeah attackers are not afraid of red and stripes you're just like don't go to paint your pcs in the enterprise and read the stripes and I know put some butterfly wings on the top or something it won't work so we need to translate this kind of tactic to the world of our world of the wall of InfoSec how we do it I start by classifying checkers fears in the four categories the first category is well how many of you in the crowd are

blue teamers I'm blue Timur now so they're afraid of you guys the afraid of virtualized in an acid environment they try to evade like flesh and blood the researcher which I find with insulting because I can you know hmm he calls is debugger present I'm in a debugger so I can change the flag for example yeah but it's much more effective when we talk about massive automated analysis if they effectively detect VMs or sandbox or whatever it's very good for them because they can evade analysis and well they can make money out of it or intelligence or whatever their goal is they seek mostly for hands for static and dynamic analysis to like Wireshark I'd whatever and VM

infrastructure mostly VMware virtual box sometimes emulators but it's a bit more rare so my experience this is the simplest of simplest examples it is from like blackhat ten years ago I still see it used in the wild can you see it from from the back it's just like the simplest like find window all the dbg and windbg you can do anything which is similar than that it doesn't matter like example I I've met like about a year ago are there any asking in just in a crowd yeah I saw this like nice jumping weird pattern but when I reversed this it is a low-key sample from about a year ago and it's like cause I get username a here

and then shower up or buff a here and then it is doing all of those like weird comparisons with this is like the ASCII of whatever it is searching and this is well somebody guessed what is no sandbox surprise surprise it just like seeks the user named sandbox is just like I don't understand why people are naming their user in the sandbox sandbox but well we all know how it works when we hire pros sometimes yeah interesting example this is one cry just a nice guy from Twitter he said a honeypot and he got one a cry in three minutes this guy also nice guy from Twitter he didn't send a honeypot and he tried

to obtain a sample of a malware which did exactly the same thing you iwi Act what I don't know how to pronounce it even if it's something like you weeks or something I know and nobody was able to get samples of this malware which means it will be harder to get some behavioral analysis which will detect it why well it used the exactly same exploit and then I reversed this UI wix1 and I found that it used the simplest of simplest stuff ease debugger present but not only it also like search for pipes related to kuku I don't know like they had like a kind of issue with the escape cars I guess or something and they

checked if specific models are loaded this one relates to Komodos one of the kimonos product they did like the simplest of simple Sphinx check if VBox dll's and VMware deals are loaded and funnily enough it relates to my talk from yesterday about copy pasting your mail were doing clear like the simplest of simple stuff I took the list of like files they've searched and I find I was able to find it and online repositories it was very simple to do it and think about the like benefit of it yeah it's just like this pipes I actually found exactly in the same order also here and yeah I guess the the ones in front rows can see like the name of the forum I

don't know if I'm allowed to say live but it's vdot are you and you can see that they have here like a closing bracket and this is from legit site reverse engineering Stack Exchange they actually have the same arrow there as well so I know who copied from who maybe they copied from I know but at least like the guys of the like mad were had like the brain to remove this stupid thing yeah so second fear blue teamers but this time not like you but maybe upper portion of you you who are in charge of writing good AV software a good like network security software bad guys are afraid of it they try to evade it they know that they

can't win like all the fights but they are pretty sure that they can win like 90% of the fights and well think about you have a ransomware it's like a major operation to deploy it you need like c2 servers you need money mules setting all this up as a complex operation and let's say you you have it all ready and set up and then you tested your stuff offline because your dual attacker you have the attackers advantage and well in my case I saw that they detected ESET Kaspersky and Avast detected their mail way well three nice vendors out of I know 60 yeah we can go ahead but before we unpack our code and we load all of the you know the

get broke address evolved like the dangerous functions let's test like for the registry keys of those vendors we have a nice example for it afterwards in the live demo so and have a nice example for it no sweat yeah I guess that you've all heard about it it's like the first function which is called its checks for running processes it looks like it's kind of a wacky loop where it checks for like the the CRC of the processes it calls the Create will help snapshot 32 whatever API it iterates through the list of the processors and it compares every process name like the SD eggs a file name whatever it compares it to dislike black list of CRC's which are

Kaspersky note on and Symantec which is just the same it's not on and I guess it they've just like checked offline which of them their modules trigger like alerts in those products and yeah I can avoid those products and I don't care I can deploy my mare way it was written pretty hastily according to some researchers so it just makes sense for each process which was detected they like they saved the the the value of it in this like variables it was evil like B or 7 and those are the bits you you'll see in a sec white mirrors well it matters because because of this those like all the references to this like variable and

you can see that there's like some kind of a test for like the LSB the least significant byte and some number in hacks and those functions like four and eight had like at least like the one for I think they were like very critical because if it wasn't executed you were able to restore your file system it won't infect the rest of your organization it's critical stuff so if you had any one of those ABS installed you could have like saved I know 20% you could like stop 20% of not petia it's not a lot but it's like quite effective but think about what we can do it vaccination as we're about to see what will happen if we will just

mimic it we won't have Kaspersky we won't have not on one if Symantec let's assume we'll have the best AV out there Windows Defender but we'll have processes named like Kaspersky and Norton and Symantec will prevent 40% of the malware instead of like having like those like bits will have test ones and you can see you can do that the logical ends between and to see that it is prevented this way next first fear they're afraid of themselves think about the scenario where you in fact the machine let's say with ransomware you don't want to rip the machine twice it's like kind of an interesting race condition where you start encrypted to whine instance and then the app instance

is running and you want to restore the files afterwards somehow so you don't want it to be like double encrypted or something so they actually abused proper mechanisms most of the times and they use murex earth just like we do also will see them demo and I will see it also now this is one of the most famous warms out there this is part of a country girl when I always like C mutex in malware I look for the compare B seven after there is like a get left here at last they all so this is my way to know that we have here a potential for a mutex which will prevent something yes really small just like

search Kentucky and murex and you'll get to it it's it's like it is from I think 2008 maybe it still happens today sometimes they have a different mechanism this is from locky instance again one of the first lucky two appeared he they actually had registry key hklm software completed with a value which they set either to I think to a zero or one and if you had completed set to one it won't equipped your machine amazingly that's nice if you can think about like the application will have fourth pair later on both those were taken from this nice guys a website by the way sylveon I guess he is like French submission he has a great block oh yeah and we also

have this for ransomware which the same thing like recently you know all of this like Hoffler text thing which led to the spore ransomware actually found that it created the mutex which is a concatenation yeah it's really small but this the volume serial number in decimal and I just like converted it to hacks and then you can see here the mutex which is like a concatenation it's pretty small but trust me and of course I will release this presentation later on yeah we actually released as a company a tool to vaccinate but I think it's not relevant anymore if you want you can browse to our website and there's like an entire blog most about it and yeah another case want

to try wanna cry had a mutex but there was a little problem with this mutex we actually released here to also to solve it this musics was local so if it is running in the same session as the user which created the mutex let's say I just created the script stupid script in the world which rates this mutex and as a researcher I download the malware I double clicked it it will run in the same session as me because yeah I create the mutex I'm executing the sample yeah everything is running the same windows session but in the scenario where it arrives via the exploit it will run in session zero which is not my session and

then it will not see my mutex which is well it is just like as it wasn't created and you like never like created so it's a problem yeah and we need of course to have this guy here in slide yeah yeah I salute you but this is not like not like the only ransomware which had some kind of kill switches and maybe some of you heard about not petia which we had before it also had like a kind of a kill switch mutex preventing thing and also we should thank this guy which is over there by the way yeah yeah yeah he's embarrassed but all of you should look at them make him more embarrassed

yeah thank you a meat and yeah we have a celebrity in the crowd today and he by the way will be the first to admit that this mutex was very nice its immunized against this wave of attack but in this case it is an example as we will discuss there for a mutex that wasn't effective because we detected this mutex after the attack was already gone so yeah it's a problem yeah so for fear Russian people it's an example for stuff it's not that I have nothing guest Russian people one of my grandmother's from like Russia somewhat Russia Azerbaijan just next to Russia and we need to be careful what we thought when we vaccinate because you

know some male were afraid of infecting you if you have Russian keyboard but I know maybe the afraid of let's say this guy I'm not sure why it's like this this you can see how fluffy and I see as I don't know why and he's like so cute but some of the other malware is what I call a comrade targeted malware yeah it was my you gene Kaspersky voice and yeah yeah and it will attack you only if you have Russian keyboard so when we do vaccination we need to have some considerations and we are not aware of it because it is an exciting new world and this is why I'm trying to share some

of my experience here with you today yeah we need to be careful what we wish for so yeah we have like all the stuff but how the hell bad guys know when to back out again some categories static windows artifacts as a gas registry Keys files rates for kids and those files folders what you might expect those are good for us because we can vaccinate with those easily we can create those persistently on our machine good for us as blue teamers really easy and nice to do it's part of my script it's not available on github we'll see it later in action and we'll have a link to it of course as well we also have dynamic

windows artifacts like for example processors musics windows but this like kind of if you want to scale it it requires a different approach because my script it just like takes one executable duplicates it 50 times renames it and execute it it's nice it's working very effectively but you don't want to do this unlike an enterprise because like any user will see like this amount of processes and well some of them will think they have a virus or something Anna yeah you don't want to do it at least like if you're not in the like a demo I can talk with you later about how it can be done anyway you also have third category low level

tricks you can do amazing stuff the red pill by joanna rutkowska which is like 13 years old it looks somewhat like this this is equivalent for like for a zero-day from my point of view it's amazing to detect this kind of stuff it is out there there are those exploits out there but it's very complex you need to analyze the memory of hypervisors no I don't want to do it I want this simplest simpler stuff and you have timing attacks which are like not the most reliable things how many of you have heard about the fish the paranoid fish well you should know about it it's a free open source tool to detect sandbox and I from my personal

experience with it sometimes it's something it works sometimes it's not they have this they used a method to like Chester they use the opcode alle DTSC and it is quite reliable but it doesn't always work you also have Hardware feature when you can like test the vendor of the processor and other stuff but well all of those are not reliable we need like to be I know crazy in order to simulate this kind of stuff it's like super complex but why we should bother anyway because those guys which they were like talked about in Reuters today those are the copy kittens and we rein in a PT group they actually copy pasted per fish so they're malware so they have

like I think 29 different methods to detect vm virtualbox whatever and they search for those complex like artifacts to vaccinate with for us but they also search for I know a hklm software a vmware inc which is like yeah we can create this kind of easily and this like we don't need to like to bother so much it's just like too much yeah just before the demo yeah there's like my favorite part of the talk i many many x faint fan let's talk a bit about good ideas and better deist when we do vaccination this time from the attackers point of view how many of your red team is yeah i see that nobody here is almost

a red teamer or a blue team err that's nice but for those of you raising hands thank you you're amazing participants in this talk so what's a good idea beside like having a breakfast served in two by your bed as an attacker you want to always detect vm's easily and reliably so i would search for the file at the registry all the stuff which are out there which are easy for me to detect which doesn't make any noise I'm not like compiling assembly directly into my my code then I don't have like places where I can do some serious bad stuff to my code is reliable and that's good for me a bad idea having tennis balls served in to your

bed yeah that's a bad idea indeed I don't want to search for word like the complex stuff for the like you know the user name all the cursor movements no I don't want this to be like the focus of what I search as an attacker I want to have something which is not this cat and mouse we saw before because I released a tool about a year sorry a week ago which is called a smooth criminal this is an example for a bad tool I got I think almost hundred but we it's like through other people who were tweeted it and it is a bad tool what happens with this tool is well it instead of you know kuku and all the

other sandbox the when they analyze a sample the cursor just like jumps from one place to another and so it dislike to counter malware which searches if you move the mouse so yeah the mouse moves but how smoothly it moves moves sorry yeah not this one it is like just like jumped all over the place and I've just elected the basic calculus as newton and leibniz like taught us to do and I'd like just like calculated the derivative of the movement and I like yeah you can see it and like the link below it's like less than 50 lines of Python and I create an amazing evasion technique it bypasses all of the sandbox I've checked so far

but yeah tomorrow it can be countered it is like me as an attacker being on a wrong wrong side of this cat-and-mouse chase so don't get it this is bad idea yeah don't use it better so let's talk about defenders a bit what is like good for bad guys here is for the first time it is what good for defenders as well it is very easy to create the impression that you are running VMware or VirtualBox or whatever machine it is very easy for you to do it and you can like prevent tons of like apts and you can't imagine like the stupid stuff malware is searching it look like Ted stupid and it just like works and like

even malware if the malware they're trying for some reason to be like smartass or something and to search for new artifacts well there's like a new VM framework which was launched this year it doesn't happen you have like VMware virtual box box qmu and I don't know maybe like a couple of more but there are just like very few like products you need to chase and even if a new product is launched well there's like malware backward compatibility where they still need to search viewer and VirtualBox and all the other products because many sandbox like in enterprises still use VMware you know like how how much time it will take to convert an organization from VMware to a

November of 2.0 or whatever it it takes years okay okay and I hope you that you survive like the first part of the talk now we're about to do some some fun yeah it's demo time and this is the URL of the tool I'm about two years needless it's funny because it's like needles and I'm talking about vaccination and you need to do nothing when you try to prevent mad work with it just to execute it and yeah let's go to the demo not questions yet no yeah yeah so this is my machine stand out Windows 7 p.m. I know what this is all this is a magnifying glass yeah I have like magnifying glass here I'm about to

execute a couple of malware samples which are evasive they try to detect some indicators 4vm etc all the hashes are available on the repository anything which I'm using here today if you have a virus total subscription you can get it it is like you should have like proper like mechanisms - you know you don't have to infect your machine you mean really machine I trust you to use the VM carefully so first let's execute a fish this nice tool those of you don't I'm not familiar with it will be now you can see it how nice it is you can see that like the easy value present is okay it goes for a series of tests after

we will use a vaccination script you can see how like much like many more of those lines will be read not all of those but many of them will be you can see it is pretty green it's not perfect but this machine is pretty well hidden yeah yeah and so let's open a process explorer in the rock montrose explorer already have it opened because I'm smart boy yeah amazing and well let's start with non-vaccinated like state of the machine then we will roll back and we will test it again after it is being vaccinated so let's say I want to execute for example I know not petia let's say I have it already here I want

to execute love Korres you're a No yeah live demos this happens amazing do just like okay run the Atlantic you and over here and I want the this ordinal to be executed and yeah you can see it is running nobody bubbles bubbles it yeah nothing special to see here yeah it will run for an hour so I am NOT about like allowing it running or but it is running as you can see like yeah I can do the same with let's say want to try surprisingly it will run as well because you know this machine is protected by absolutely nothing it creates like million files and changes the desktop and yeah in a second we'll

see this just annoying screen yeah yeah yeah there the one from the stickers yeah it's not like limited to run somewhere we actually have a nice example of a sample related to ICS and SCADA systems this is the iron gate malware it was written in Python and then it was compiled using PI installer which can be decompiled with Y quite easily so this is actually the source of the malware you can see that the first function is detect VMware and well what the text VMware is is let's jump to it it this is detective gamer you can see that let's play it a bit more high it just like open the registry keys the VMware tools search for VM our VM host

guest filesystem they all the only read also commented out this section which is like search for this like bus and nothing which surprises any one of us if we needed to write malware which searches for virtual machines and honey pots and what's not we will write the same code I guess and well it's good for us they do the best they can but let's think about what we can do better now and I'm not even going to execute it because you know it is pretty obvious what will happen yeah it will run in this case with it will open a sub process called OD OD g it's not the actual audio DG it's a tool for

performing a network network recon by Neusoft if you are familiar with it and yeah we have this annoying yeah if you are interested in seeing this is annoying screen it was here I know you missed it let's close this one yeah we all wanna try it now yeah ooh scary let's vaccinate the endpoint I have like tons of malware here it will run it will look scary the CPU will go up it all look the same I'm just like trying to save you some time so yeah this thing maybe yeah so yeah this way that yeah ignore the all the AVS which are probably related to my talk yesterday yeah so now instead of directly going and executing the malware

we will execute a script it is a very simple script it's actually what I said which is a bad idea it it does both like the static artifacts and the dynamic artifacts it has flags everything is documented on github you can execute the flag for only for that dynamic artifacts only for the static artifacts for both if you are interested I also added a new capability you can execute it with the - W flag and then it will go to github and will download an updated list of the artifacts to create so I actually have a mechanism for updating the artifact it was like I did already here in Vegas it was like a last minute like Eureka

moment and let's execute it yeah it's like that's fast and now it's just like holes I know like ten different music sirs you can see the first explorer now is like looks like this yeah all of those processes are actually like you can see in the description or others are actually like FTP dot eggsy duplicated and renamed it sounds stupid but it works amazingly and let's like go to the fun part now I'm going to start clicking on stuff like I know let's start with want to cry as we did and yeah I can do it all day long and you can see one cry it was open for a second then shut down I can like do it again

nobody cares it won't do a thing yay and that's the same with not petia and this time I'll just like add Odin on at the end yeah it opens for a second yeah well in this case it is it is running because I generate Amit's infection mark but you can see that it doesn't try to going through the TCP tab it doesn't try to infect any neighboring endpoints I haven't tested like in the previous like snapshot but you should write on your own it will immediately go through all the endpoints in your segment and well you don't want it to happen and yeah yeah it's just like you're not petia cross infection free right now

which is nice it was like I just created I do placated FTP dot eggsy renamed it and well yeah it's like it stopped the cross in fact thing about the Ukraine if they had this stupid thing and it is not the first time with a BP da taxi prevents a PT's or ransomware like NOS petia a vp that avpu i that eggsy prevented the campaign called a USB fief which was detected by ESET a couple of years ago a VP also prevented another a PT which I forgot its name those are like very constant artifacts sought by malware moreover it is a bit more complex to show it here but you know exploit kids the rig exploit kit

searches for VMware fiddler the optimum exploit kid searches for our like type of artifacts you can actually prevent exploit kids by having those artifacts it sounds a bit stupid and weird and foolish but it works they have a cheap exploit against ie which enables them to enumerate endpoint and well yeah it simply works I can just like click on all those like stuff all day long lucky it will run for a second this one is actually like quite nice because we can see in proc Mon I will open the magnifying glass and I will start the capture because I want to see stuff yeah it did not fit a low key understand or haven't ever kicked it

yeah yeah so let's open the magnifying glass once again magnifier wow much magnified and this low key is performing some kind of annoying loops where it searches for registry keys and sleeps for a while and then it searches if registry registry key of ESET is present and then it terminates this one already terminated like as I can see yeah let's magnify it and we'll go and actually see it and you can see that it queried yeah here you can see it over here it query he's installed why the hell a random executable out there in the world will seek if ESET is already installed no but reason and you can see that the next thing it performs it's just like

unloads some stuff and process exit if you execute it in a machine without this registry key it will start loading in this point all of the malicious DLL which relate to encryption URL leap and of those it will start to resolve the addresses of the dangerous functions dynamically all the stuff it wants to hide from ESET in this case I think it is not for elect live demo from now but I have also like an instance of Tesla crypt which reforms exactly the same test also through the registry this is nice for us because this way we can be sure that once we know what to do you know a vaccination like one time we can

reuse it many times one malware sphere is also the same fear as the diplomat was here and I think that now we'll move to questions I'm just like seeking my mouse here it is and yeah so shift f5 and I must like use one slide with a kitten because you know it's mandatory so yeah question time

have you run in any malware that does something destructive when it thinks it's in a virtual environment could you be making the problem worse I know that there are like extremely rare examples for it I don't think I ever ran into something I know that there is example where someone spotted like point us oh look at this network this one is destructive but think about large enterprises let's say that the endpoint was destructed it is much better to distract what destroy one endpoint then having an undetected threat in your organization and when you deploy this kind of stuff in large enterprises you have like much more clever solutions I don't want to like to talk business so

let's stop it here but you will know as an enterprise that you have this kind of stuff in your machine and actually yesterday in my talk I did a copy-paste malware which if it detects something which is like marked by Perficient malicious it will trigger BSOD but it is stupid you want to stay stealth if you detect the sandbox you don't want to do like something which will raise the alarm yeah another question back there

so if I see all these markers and I'm actually going to drop something the the alternative would be dropping something they would actually look to see if it would actually be destroyed or even if it's not and I'm going to then go ahead and assume that all these markers are then a feign and then I'm gonna go ahead and destroy the box or go ahead and go forward with anything so well it's just like it's a paradox because let's say that I do the same thing that created same infection marks on like under sandbox for example or on the analyst machine sure the men were has a problem here because it doesn't know when it is real

and when it is not real and it's actually like a logical attack on the decision making of the male were doing this kind of stuff that's like the fun part of they're doing stuff okay if there's no more questions this is again like the URL if anyone of you wants to have a look at it and of course I'll be glad to answer any questions afterwards peer list for example yes please follow gal and continue the conversation on peer list and we thank you very much for attending today's talk thank you [Applause]