
University of Piraeus Department of Digital Systems « Security of Digital Systems »


Presentation Transcript


  1. University of Piraeus
     Department of Digital Systems
     «Security of Digital Systems»
     Bypassing antivirus detection with encryption
     Tasiopoulos Vasilis
     Supervisor: Sokratis Katsikas

  2. About Me
     • Studied at University of Piraeus
       • Informatics
       • Security in Digital Systems
     • Currently working
       • KPMG as an IT Advisor and Penetration Tester

  3. Contents
     • Related Research
     • Background Knowledge - Antivirus
     • Crypter
     • Background Knowledge - Portable Executable
     • Background Knowledge - Portable Executable Loader
     • RunPE and Injection
     • Our Implementation
     • Results

  4. Why?
     It is easier to change the crypter than to change ALL the malware.
     Who can use it:
     • Penetration tests
     • Anyone, for legitimate purposes

  5. Related Research
     • Implementation of Runtime Crypter by Christian Ammann
     • Packing Heat by Dimitrios A. Glynos
     • The Crypter BluePrint by crypters.net
     • Several tutorials on HackForums.net

  6. Background Knowledge - Antivirus
     • Signature-based detection: Traditionally, antivirus software relied heavily on signatures to identify malware.
     • Heuristics: Another technique used in antivirus software is heuristic analysis, which identifies new malware or variants of known malware.
     • Real-time protection: Newer antivirus software also has a mechanism called "real-time" protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even created on the fly. To deal with such tricks, antivirus packages are also capable of monitoring and intercepting API calls and of performing a kind of "behavioral analysis". So, if a well-known process acts in an unusual manner, the antivirus will mark it as suspicious.

  7. Crypters: Types and behavior
     • Types:
       • Runtime
       • Scantime
     • Options:
       • Internal Stub
       • External Stub
     • Crypter must:
       • Encrypt

  8. Crypter’s behavior
     • Stub must:
       • Decrypt
       • Execute malware
     • Stub options:
       • Save in directory
       • Load it in memory
         • Load it in stub’s process
         • Load in new process
         • Inject into another process (optimal)

  9. RunPE and Injection
     Method discovered by T.keong
     Injection:
     • The stub is executed
     • A new process is created in "suspended" state
     • The stub decrypts the malware
     • The stub loads the malware in place of the suspended legitimate process
     • The process is resumed
     Limitation:
     • Works with either a 32-bit process or a 64-bit process, not both
     Different implementations:
     • Alternative ways to call APIs
     • Use of undocumented APIs

  10. Our Implementation
     Crypter’s type
     • Runtime Crypter
     • External Stub
     Developed in
     • C#
     • Visual Studio
     • 2500 lines of code
     Encryption
     • AES

  11. Architecture
     • Adding Hide code to stub (optional)
     • Removing comments from stub
     • Adding Fake message to stub (optional)
     • Adding Junk Code to stub (optional)
     • Adding Fake APIs to stub (optional)
     • Adding decompression code to stub (optional)
     • Adding Addi-… code to stub (optional)
     • Randomizing class, function and variable names and adding them to stub and to RunPE
     • Adding Encryption Key to stub
     • User selects the malware
     • User configures the available options (optional)
     • Crypter reads the malware byte by byte
     • Encrypting malware
     • Crypter reads the Stub
     • Adding assembly info to stub (optional)
     • Encrypting injection path
     • Adding injection process path to stub
     • Reading selected RunPE
     • Adding startup code to stub (optional)

  12. Architecture
     • Compiling RunPE as DLL
     • Reading DLL
     • Encrypting DLL
     • Compressing encrypted DLL (optional)
     • Adding encrypted Malware and DLL as resources to stub
     • Adding Icon to stub (optional)
     • Compiling Stub as executable
     • Adding EOF data to executable (optional)

  13. Architecture
     Stub after execution:
     • Reads encrypted DLL
     • Decrypts DLL
     • Loads DLL in memory
     • Reads encrypted malware
     • Decrypts malware
     • Calls DLL with the decrypted malware
     • Malware is injected into another process

  14. Architecture - Key Points
     • Unique code
     • Injection implemented in encrypted DLL
     • Random function names, class names, variable names
     • Encrypted strings
     Result:
     • Unique executable
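As an added, defender-side example (not part of the presentation and not the author's crypter code): a small Python script that flags the two on-disk artefacts slides 11-14 describe, an encrypted payload carried in a resource section (near-maximal byte entropy) and data appended after the last section (the "EOF data"). The input is a constructed, PE-shaped buffer built by `build_sample_pe`; the entropy threshold, the minimum section size and the sample layout are assumptions.

```python
import math, struct
from collections import Counter

SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"              # IMAGE_FILE_HEADER, 20 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, 8.0 for uniform (encrypted) bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def analyze_pe(blob: bytes, high: float = 7.0, min_size: int = 1024) -> dict:
    """Report per-section entropy, flagged sections and trailing overlay (EOF data) of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, e_lfanew + 4)
    sec_table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections, flagged, raw_end = [], [], sec_table + 40 * nsec
    for i in range(nsec):
        hdr = struct.unpack_from(SECTION_HDR_FMT, blob, sec_table + 40 * i)
        name, raw_size, raw_ptr = hdr[0].rstrip(b"\0").decode(errors="replace"), hdr[3], hdr[4]
        ent = entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append((name, raw_size, round(ent, 3)))
        raw_end = max(raw_end, raw_ptr + raw_size)      # end of the last section's raw data
        if raw_size >= min_size and ent >= high:
            flagged.append(name)   # looks like an encrypted/compressed payload, not code or text
    overlay = max(0, len(blob) - raw_end)               # bytes appended after every section
    return {"sections": sections, "flagged": flagged, "overlay_bytes": overlay}

def build_sample_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed, minimal PE-shaped buffer for testing; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + len(coff) + 40 * len(sections)   # section data starts after the headers
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack(SECTION_HDR_FMT, name.ljust(8, b"\0"), len(data), 0x1000,
                               len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x40000040)
        body += data
    return dos + coff + headers + body + overlay

# Constructed sample: a bland code section, a resource section holding an "encrypted" blob
# (every byte value equally often, i.e. entropy exactly 8.0), and 20 bytes appended after EOF.
SAMPLE = build_sample_pe([(b".text", b"\x90" * 2048 + b"\xC3"), (b".rsrc", bytes(range(256)) * 16)],
                         overlay=b"CONSTRUCTED-EOF-DATA")
```

Run `analyze_pe(open(path, "rb").read())` against a real binary to get the same report; a flagged section plus a non-zero overlay is a cue for closer inspection, not proof of malice, since legitimate installers and packers produce both.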

  15. Crypters GUI and Options

  16. Crypters GUI and Options

  17. Crypters GUI and Options

  18. Results
     The lab:
     • Windows XP 32/64 bit - Avast/AVG
     • Windows Vista 32/64 bit - Kaspersky/Norton
     • Windows 7 32/64 bit - Microsoft Security Essentials/ESET Online Scanner
     • http://nodistribute.com
     • https://www.metascan-online.com
     Files tested:
     • Netcat.exe
     • DarkComet malware
     • Poison Ivy

  19. Results
