Unveiling the Challenges in Cybersecurity Landscape

Delve into the evolution of computer viruses, the limitations of traditional antivirus solutions, modern virus detection techniques, and strategies to bypass signature-based and heuristic-based detections. Explore the expertise shared by Mohamed Bedewi, a seasoned Security Researcher and Penetration Tester, shedding light on the ever-evolving threat landscape.

• Cybersecurity
• Virus Detection
• Antivirus Solutions
• Signature-Based Detection
• Heuristic-Based Detection

finnl Follow

Uploaded on Oct 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Crafting The Unavoidable by Mohamed Bedewi Senior Security Researcher and Penetration Tester CCNA | MCSE | RHCE | CEH | ECSA | OSCP | CISM | GCIH | LPT | OSCE

2. Introduction and Facts Creeper was the first known computer virus and it targeted TENEX OS back in 1971. Ray Tomlinson created what people believed the first antivirus to delete Creeper. Executables can be infected without getting their size nor functionality altered. NextGen antiviruses miss the obvious with high rate of false-positive detections. Malwares adapt an average of ten evasion techniques apart from sophistication. Antiviruses nowadays became dead and useless regardless the vendor or technology.

3. Virus Detection Techniques One of the few solid theoretical results in the study of computer viruses is Frederick Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses. However, using different layers of defense, a good detection rate may be achieved. Signature-Based Heuristic-Based Behavioral-Based Sandbox-Based Mining-Based observes the execution behavior of an object based on normal and abnormal measures to determine whether or not the behavior of a running process marks it as a threat and if so the process will be terminated. observes the execution behavior of an object based on normal and abnormal measures but in an isolated environment to determine whether the behavior of a running process marks it as a threat to the real system. detects patterns in large amounts of data such as byte code and use these patterns to detect future instances in similar data, it employs learning algorithms to classify whether or not an object is malicious. works by searching for particular sequences of bytes within an object in order to identify a specific version of a threat, it's the simplest form of scanning, constructed upon databases which have virus signatures. aims to generically detecting new threats by statically examining objects for suspicious characteristics without an exact signature match, it was developed to overcome the limitations of signature-based detection. Dynamic Analyses Static Analyses

4. What you just pull code from Rapid9 or some shit? since when did you become a script kiddie? Elliot on Mr. Robot

5. Bypassing Signature-Based Detection Find the signature that the antivirus is looking for inside the executable in question. Modify the found signature without affecting the execution flow of the executable. Escape Modify Split the Binary Dsplit or Evade Hex Editor or Disassembler Compress Each is > than prev Encode

6. Bypassing Heuristic-Based Detection Code cave is used to create a self-modifying code and is being allocated via VirtualAllocEx. Entry Point Entry Point Ensure that all malicious code is hidden via encryption for example with a simple stub. Encrypting the whole .text section will be considered malicious for some antiviruses. evil.exe evil.exe Signature Signature Encryption if done right can easily bypass the static analyses techniques employed by AVs Stub

7. Bypassing Behavioral-Based Detection Make sure to discourage the antivirus from running the stub to keep the evil hidden. Antiviruses have limitations which once identified can be abused to achieve a bypass. #define MAX_COUNT 1000000000 int main() { int cpt = 0; int i = 0; for(i =0; i < MAX_COUNT; i ++) { cpt++; } if(cpt == MAX_COUNT) { decryptionStub(); encryptedShell(); } return 0; } How about a for loop to increment one billion of times a counter? This operation is a resource intensive for AVs but not for the PC Antiviruses will typically ignore the stub and a bypass is achieved This is a clean method which won t leave any system evidence If the antivirus can t decode a malicious code which is already bypassing static analysis then it s defeating dynamic analysis

8. Bypassing Sandbox-Based Detection Detecting virtual systems isn t that hard and from there code can act boring or long. Sandboxes have hardware and processing time limitations which again can get abused. import multiprocessing if multiprocessing.cpu_count() <2: exit() else: doEvil() int main( void ){ LPVOID mem = NULL; mem = VirtualAllocExNuma(GetCurrentP rocess(), NULL, 1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE,0); if (mem != NULL){ decryptionStub(); encryptedShell(); } return 0; } If you think that detecting a Sandbox is hard! Think again Non Uniform Memory Access (NUMA) is used to increase the processor speed without increasing the load on the bus. NUMA is linked to a whole set of functions declare in Kernel32.dllwhich is huge for the emulation system to cover.

9. For Bypassing Mining-Based Detection I only have one word to say for the time being File-less

10. Creative Bypass Tools Observed in the Wild

11. AES Encrypted Payload via Hyperion Hyperion encrypts the supplied executable with 5 rounds of AES encryption by default. The AES encryption key is then discarded after encryption to defeat dynamic analyses. Once executed the executable will brute-force its own AES keys to execute the payload. Found Section: .text VSize: 0x924, VAddress: 0x1000, RawSize: 0xa00, RawAddress: 0x400 The logic behind Hyperion is awesome in my opinion but unfortunately this technique is not perfect since: Found Section: .data VSize: 0x5f0, VAddress: 0x2000, RawSize: 0x600, RawAddress: 0xe00 Found Section: .rdata VSize: 0xc0, VAddress: 0x3000, RawSize: 0x200, RawAddress: 0x1400 There s a noticeable delay in payload execution. Some antiviruses pick this routine as a packer. Found Section: .bss VSize: 0xe0, VAddress: 0x4000, RawSize: 0x0, RawAddress: 0x0 Found Section: .idata VSize: 0x268, VAddress: 0x5000, RawSize: 0x400, RawAddress: 0x1600 Input file size + Checksum: 0x4140 Rounded up to a multiple of key size: 0x4150 Generated Checksum: 0xcf0cc Generated Encryption Key: 0x0 0x2 0x1 0x2 0x3 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 Regardless the limitations of Hyperion, it s very effective and not detected by the majority of antivirus solutions

12. Polymorphic Executable via Shellter Shellter is capable of generating a unique polymorphic executable in every time. It will apply a random amount of XOR, ADD, SUB, NOT operations to supplied executable. Every time it will generate the payload decoder based on the chosen random operations. The decoding key can be dynamic and based on the values of specific CPU registers. Some basic sandboxing detection techniques were implemented to bypass sandboxing. Supported Encoding Operators: XOR --> x ADD --> + SUB --> - NOT --> ! Shellter looks very promising as it picks up from where Hyperion stopped, it s fairly documented and effective

13. How to Craft the Unavoidable?

14. Crafting the Most Evasive Executables Reconnaissance is required to understand the target s antivirus features and vendor. Depend on your own unique code as I would hate Elliot calling you a script kiddie. If you re not writing your own code encrypt the payload with an expensive stub. #include <windows.h> #include <iostream> int main(int argc, char **argv) { char b[] = {/* XORed shellcode with the key of crypt' shellcode i.e. 0x4C,0x4F, 0x4C */}; char c[sizeof b]; for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ crypt';} void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, c, sizeof c); ((void(*)())exec)(); } This code creates a character array with an XORed shellcode, performs an XOR operation with the key of crypt , allocates memory, copies the character array in defined allocated memory and executes it

15. Multiple Scan Results of a Metasploit Payload The screenshot on the right is the scan result of a metasploit reverse TCP payload! Antivirus as a technology is dead regardless the vendor but we shouldn t stop using them! Security researchers usually do PoCs and not statistics nor graphs since we re technical! Note: this slide was added after the personal argue in the presentation which wasn t helpful

16. Thanks and Have a Great Day