Antivirus is dead, long live the antivirus! In the proverbial cat-and-mouse game of cybersecurity, neither the attacker nor the defender can keep their advantage for very long. The bad guys do not simply accept this challenge; they respond with bypass ideas of their own. During this session we try to establish whether antivirus is really dead and whether it has reached the point where it should not be the only protection in use. I demonstrate techniques for bypassing antivirus mechanisms, show the tactics malware uses today to get itself running, and discuss the prevention methods that protect against the newest innovations.
9. Signature-based
Behavior-based
Attempts to open, view, delete, and/or modify files
Attempts to format disk drives and other unrecoverable disk operations
Modifications to the logic of executable files, scripts, or macros
Modification of critical system settings, such as start-up settings
Scripting of e-mail and instant messaging clients to send executable content
Initiation of network communications
13. Custom code
User Mode Loaders
Executable is extracted and decrypted in memory
Code is loaded and executed dynamically
In Powershell.exe – not every module is embedded – they can be created and loaded during the execution
In Win32API: Custom code mimics LoadLibrary()
Interesting: During the compilation, that's what helps us:
CompilerParameters.CompilerOptions = "/platform:x64";
22. Antimalware Scan Interface (AMSI)
It is a generic interface standard that allows applications and services to integrate with any antimalware product
Techniques used
It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques
Allows correlation of events
The different fragments of a malicious payload can be associated to reach a more informed decision, which would be much harder to reach just by looking at those fragments in isolation.
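As an added illustration of the integration and correlation points above (example code written for this page, not from the talk), the following C# program integrates with AMSI through P/Invoke to amsi.dll. It opens one AMSI session and scans two fragments of a script inside it, so the registered antimalware provider can correlate the fragments instead of judging each alone. It assumes Windows 10 or later with an AMSI provider registered (for instance Microsoft Defender); the names ScanFragments, IsMalware and the application name "AmsiDemoApp" are this example's own, and the EICAR test string is used as a constructed harmless input. Whether a given fragment is flagged depends on the registered provider.

```csharp
// Added example (not the talk's code): an application integrating with AMSI
// via P/Invoke, scanning several fragments in one AMSI session.
// Assumptions: Windows 10+, an AMSI provider registered, .NET Framework or .NET on Windows.
using System;
using System.Runtime.InteropServices;
using System.Text;

static class Amsi
{
    // AMSI_RESULT values from amsi.h; any result >= ResultDetected counts as malware.
    public const int ResultClean = 0;
    public const int ResultNotDetected = 1;
    public const int ResultDetected = 32768;

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);
    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                     string contentName, IntPtr session, out int result);

    // Mirrors the AmsiResultIsMalware macro from amsi.h.
    public static bool IsMalware(int result) => result >= ResultDetected;

    // Scans every fragment inside a single AMSI session (so the provider can correlate
    // them) and returns true if any fragment is flagged. results receives the raw
    // AMSI_RESULT per fragment. Name ScanFragments is this example's own.
    public static bool ScanFragments(string appName, string[] fragments, out int[] results)
    {
        results = new int[fragments.Length];
        IntPtr ctx;
        int hr = AmsiInitialize(appName, out ctx);
        if (hr != 0) throw new COMException("AmsiInitialize failed", hr);

        IntPtr session = IntPtr.Zero;
        try
        {
            hr = AmsiOpenSession(ctx, out session);
            if (hr != 0) throw new COMException("AmsiOpenSession failed", hr);

            bool flagged = false;
            for (int i = 0; i < fragments.Length; i++)
            {
                // Script hosts hand AMSI UTF-16 text, so encode the fragment the same way.
                byte[] bytes = Encoding.Unicode.GetBytes(fragments[i]);
                hr = AmsiScanBuffer(ctx, bytes, (uint)bytes.Length, "fragment" + i,
                                    session, out results[i]);
                if (hr != 0) throw new COMException("AmsiScanBuffer failed", hr);
                flagged |= IsMalware(results[i]);
            }
            return flagged;
        }
        finally
        {
            if (session != IntPtr.Zero) AmsiCloseSession(ctx, session);
            AmsiUninitialize(ctx);
        }
    }

    static void Main()
    {
        // Constructed input: a benign line plus the EICAR test string, the standard
        // harmless way to check that an AMSI provider is active and scanning.
        string eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
        string[] fragments = { "Write-Output 'hello'", eicar };

        int[] results;
        bool flagged = ScanFragments("AmsiDemoApp", fragments, out results);
        for (int i = 0; i < results.Length; i++)
            Console.WriteLine($"fragment {i}: result={results[i]} malware={IsMalware(results[i])}");
        Console.WriteLine(flagged ? "At least one fragment was detected." : "Nothing detected.");
    }
}
```

Compile with csc.exe and run on a Windows host; with Defender active, the EICAR fragment should return a result at or above 32768 while the benign line returns 0 or 1. The session handle is the piece that gives the provider the "correlation of events" the slide mentions: every AmsiScanBuffer call made with the same session is reported to the provider as belonging to one logical stream.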
26. 1. The only cure is a _complete_ code execution prevention
2. Anti-Exploit solutions make a lot of sense
3. Sysmon (absolutely!)
4. At the end it is a matter of budget and price
5. Code execution prevention solutions are often misconfigured
Editor's Notes
W10 -> McAffion – remember to preset it!
StopmeIfyoucan
IMPHash -> import list; mention that the standard LoadLibrary loading can be used
A teenager, Google, Stack Overflow -> 5 NY minutes.
Wrappers – from the 90s, old school but not so old! PowerShell scripts wrapping PowerShell scripts.
Wrapping:
Using static signatures to detect wrapper files is largely ineffective, since new ones are easily and regularly created and often generate false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks.
IceFog is a well-known malware commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke has been used with legitimate Adobe installers shared over Tor networks to infect machines.
Obfuscation
Using XOR encoding is one way to do this. Hiding process and file names, registry entries, URLs and other useful information can significantly slow down the investigation/reverse engineering of new malware samples.
Hyperion – detectable –
Mimikatz
Helloword
Obfuscation – changing the code so that it looks different after compilation: renamed functions, constants written differently, different variables, a lot of spaghetti code.
Anti debugging:
For example, the ZeroAccess malware implemented a self-debugging technique in order to block external debugging attempts. Another example is malware attempting to delay its execution (or sleep) for an extended period of time. This is useful for bypassing sandboxing solutions, since these only keep binaries in an emulated environment for a specific period of time before classifying them as benign and releasing them to the network.
Targeting. This technique is implemented when malware is designed to attack a specific type of system (e.g. Windows XP SP 3), application (e.g. Internet Explorer 10) and/or configuration (e.g. detecting a machine not running VMWare tools, which is often a telltale sign for usage of virtualization). Targeting ensures that the malware is only triggered and installed when specific conditions are met, which enables it to evade detection in sandboxes because they do not resemble the host being attacked.
The compiler has no idea what will be loaded.
From the metadata
9.2 from Rootkit Arsenal 417
Mypaypalservices.com must be resolvable on the victim machine.
Connection on port 666.
cmd.exe – input and output redirected to the socket
cdb.exe -cf x64_calc.wds -o notepad.exe
Licence: Common
Will not protect against WinDbg
We do not expose the locations that are executed