Evading & Bypassing Anti-malware Applications Using Metasploit


Upload: nu-the-open-security-community

Post on 24-Jul-2015


< With Metasploit

Who am I?

• Independent Info. Sec. Researcher.
• Programmer.
• Interests: Malware reverse engineering, exploit writing, web applications.
• Twitter: @AbdulAdil02

Disclaimer[!]

No one (me [Abdul Adil] or the organizer) will be responsible for your actions. For educational purposes only.

What are you going to learn?

• Why this topic!?
• What is a malware?
• Types of malware.
• Statistics of malware.
• Solution for malware.
• Signature based AV.
• Heuristic based AV.
• Generations of AV.
• Standards and testing of anti-malware applications, and who does it?
• Important terms.
• Methods to bypass AV.
• How it works: the background process.
• Demo for bypassing an anti-malware application.
• Conclusion.
• Mitigations.

Why this topic!?

OSCP has a dedicated module for evading and bypassing AV (Module 18).

My Interest into anti-malware applications and Malware reverse engineering.

What is a malware?

Types of Malware

• Virus: A virus is a contagious program or code that attaches itself to another piece of software, and then reproduces itself when that software is run. Most often it is spread by sharing software or files between computers.

• Worm: A program that replicates itself and destroys data and files on the computer. Worms work to “eat” the operating system files and data files until the drive is empty.

• Trojan: The most dangerous malware. Trojans mainly act as a backdoor for an intruder (crackers!).

• Ransomware: A type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

• And many more, like rootkits, adware, spyware, ransomware and browser hijackers. Purpose: they are all built to damage computers and devices (Internet of Things, phones…).

Statistics of malware:

Mobile device malware statistics

**Statistics are from the Security Bulletin 2013; for the year 2014, Android has 98%.

Solution for malware & can you depend on anti-malware solutions??

• Use of anti-malware applications.
• If the anti-malware solution is good, how can I bypass it? Ans: the malware sample has to be analyzed, a signature has to be generated, and the database of the anti-malware application has to be updated. Then it's good! (Signature based anti-malware solutions.)
• Disadvantage of signature based AV solutions: until its signature is available, it's pretty much useless.
• Solution: heuristic based AV solution (behaviour based) [runs in a sandbox environment]. The question that arises in your mind: “Can you bypass its detection?”

How AV works: signature based

Heuristic Illustration

However, heuristic analysis operates on the basis of experience (by comparing the suspicious file to the code and functions of known viruses). This means it is likely to miss new viruses that contain previously unknown methods of operation not found in any known viruses. Hence, the effectiveness is fairly low regarding accuracy and the number of false positives.

Generations of AV:

Standards and Anti-malware app testing?

Who tests anti-malware applications?
1. Eicar.org
2. Av-test.org

How they test it ?

Keywords to remember before you go hunting!

• Payload: A payload refers to a component that executes a malicious activity.
• Signature: That through which the anti-virus detects the malware.
• Encoder.
• Crypter.


Encoder

• Encoder: Encoding is the process of putting a sequence of characters into a special format for transmission or storage purposes. Eg: x86/Shikata, HTML, Base64… and so on.
• Can maintain readability.

Eg: Base64: “Hello n|u” => “SGVsbG8gbnx1”.
Decoder: Reverses the process of the encoder. Eg: “SGVsbG8gbnx1” => “Hello n|u”.

Simple example for encoding:
English: Hello
Encoding: %48%65%6c%6c%6f (URL encoding)

Source: http://www.asciitable.com/

Encryption:

• Crypter: Encryption is the conversion of data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. Eg: AES, DES, Blowfish… and so on. Can't maintain readability.
• Old school eg: ABCD => CEGH

Secret message: “This is a secret message” => uses an AES 256-bit key
After encryption: EnCt23782e8f79decb65f687bc6bd9ebcad8293e66a303782e8f79decb65f687bc6bdWLifDgsiEQLbYcg4WFX864+XRc5u8ZGD2FqJtvLJNBwjlTunJ2c=IwEmS

Some methods to bypass AV

• DLL or code injection.
• Divide the exe.
• Metasploit (msfpayload + msfencode) or msfvenom.
• Use crypters and binders.
• Use of PowerShell as bait! (Because AV never stops PowerShell. Thanks to MS for giving us PowerShell.)

Background process

Metasploit on April 5th

Metasploit on April 25th

Metasploit+Crypter on April 25th

It’s Demo Time:

Linux & Unix are safe from malware!
• Mumblehard is here! It's malware that targets Linux and Unix-like systems (BSD). It came to an end after 5 years.

Conclusion and mitigations

• Conclusion is that now you can bypass AV.
• Mitigations:
• 1. Keep your AV updated.
• 2. Never run unknown binary files (.exe).
• 3. Use hashes to check the genuineness of the application. Eg: most software websites provide MD5 (Message Digest) and SHA (Secure Hash Algorithm) hashes, or an RSA signature. md5sum on Linux/Unix/Mac OS X, MD5 Calculator for Windows.

Mitigations

• Hashes are the first line of defense!
• No torrent or crack downloads.
• No pre-activated Windows!
• Patch your OS with new updates (malware takes advantage of vulnerabilities).
• Full system scan twice a month, including rootkits.
• Quick tip: if you have no way except using a crack, use an isolated virtual machine.

Importance of hashes for preventing malware

MD5 on Windows & MAC OS
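A checker for the hash-based mitigation in the slides above (md5sum / MD5 Calculator), written as an added example rather than code from the talk: it streams a downloaded file through hashlib, compares the digest with the published value in constant time, and flags MD5-only verification. The file names and sample bytes are constructed for the demo.

```python
import hashlib
import hmac
import io
import os
import tempfile

# Hashes vendors commonly publish next to a download. MD5 is accepted because
# many sites still list only MD5, but SHA-2 is what you should rely on.
SUPPORTED = ("md5", "sha1", "sha256", "sha512")


def digest_file(src, algo="sha256", chunk_size=1 << 20):
    """Hash a file path (or an in-memory bytes object) in streaming fashion,
    so a multi-GB installer never has to fit in RAM."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    h = hashlib.new(algo)
    fh = io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else open(src, "rb")
    with fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(src, published_hex, algo="sha256"):
    """Return (ok, note). ok is True only on an exact digest match."""
    actual = digest_file(src, algo)
    expected = published_hex.strip().lower()  # sites publish either case
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    if not ok:
        return False, f"{algo} MISMATCH: got {actual}, expected {expected}; do not run it"
    if algo == "md5":
        return True, "md5 matches, but MD5 collisions are practical; prefer SHA-256 or a signature"
    return True, f"{algo} matches"


if __name__ == "__main__":
    # Constructed sample "download" plus a copy with one byte changed.
    good, bad = b"hello world", b"hello worle"
    published = digest_file(good)  # stands in for the hash shown on the vendor page
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("installer.exe", good), ("installer_tampered.exe", bad)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            ok, note = verify_download(path, published)
            print(f"{name}: {'OK' if ok else 'REJECT'} ({note})")
```

A hash served from the same page as the download only shows the file arrived intact; the RSA signature mentioned in the slide is what ties the file to its publisher.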

The Unwilling guests ‘Malware’

but they visit you once in a while!

This is my system now!Thank you!

Any Questions?