NTXISSACSC4 - The Art of Evading Anti-Virus

@NTXISSA#NTXISSACSC4

TheArtofEvadingAntivirus

QuentinRhoads-HerreraSecurityAnalyst

StateFarm9/28/2016


Background

• Workedinthefollowingroles:• Systemadministrator• Developer(.net /mobile)• Regulatory/complianceanalyst• SecurityAnalyst

• PentestingHobbyistJ

NTXISSACyberSecurityConference– October7-8,2016 2


TheProblem

• Pen-testersarecaughtbyantivirusprograms.• AntivirusprogramscatchstockMetasploitpayloads.• Maliciousmalwarecreatorshavealreadysolvedthisproblem.



HowAntivirusWorks

• Signature-baseddetection• Heuristic-baseddetection• Behavioral-baseddetection• Sandboxdetection• Dataminingtechniques



IsAntivirusDead?

• In2014theseniorvicepresidentofSymantecBrianDyedeclaredtotheWallStreetJournalthatantivirus“isdead.”– BrianDye,SeniorVicePresident,Symantec

Source:http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj



IsAntivirusDead?

• “Relyingsolelyonantivirusisadeadend-andithasbeenforatleast8yearsnow.Butthat’slikesayingthataspirinisdeadbecauseit’snotthecureforcancer,AIDS,andallofhumanity'sotherillnesses.”–BogdanDomitru,ChiefTechnologyOfficer,Bitdefender

Source:http://securitywatch.pcmag.com/security/



EvadingAntivirusWays

• Changingthesignature• Encode(ALOT)• Encrypt• Leverageyourownexecutable,oronethatisalreadytrustedbyWindows(notepad.exe)• Veil-Framework



TheVeil-Framework



HDMoore

• “Thestrongestcaseforinformationdisclosureiswhenthebenefitofreleasingtheinformationoutweighsthepossiblerisks.Inthiscase,likemanyothers,thebadguysalreadywon.”– HDMoore

Source:https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information



CheckingyourPayloads

• Virustotal isawebsitethatallowsyoutocheckhowsuccessfulyourpayloadiswhenevadingantiviruses.

• AntivirusvendorsreceiveinformationaboutwhatwasuploadedtoVirustotal.



Virustotal


Source:https://www.virustotal.com/


Meterpreter isCaught



EncodedMeterpreter



TheVeilWay

• TheVeilhashcheckmethod!!!(Reallyslick)• Recommendedtocheckthehashwhichislocatedat/veil/output/hashesthroughtheAPIonvirustotal insteadofsubmittingfiles.• checkvt willspawnallhashesandcheckviaAPIwithVirustotal.



Demo



WhenitisCaught



Veil-Evasion

• IntegratedwithMetasploit• Leveragesencryption(AESencryptedshellcode)• Canleverageyourownpayloads• Usesnon-standardlanguagesforWindowsbinaries• Canintegrateintoyourownproject



LanguagesUsed

• Python• Perl• PowerShell• C• C#• Go• Ruby



Shellcodes

• VoidPointercasting:• Notaguaranteethatyourshellcodewilldropintoexecutablememory.

• VirtualAlloc:• Allocatesmemory(shellcodesize)• Determinespermissionsneeded

• HeapAlloc:• Manuallydropshellcode



DEMO



Veil-Ordnance

• Generatesshellcodethatcanbecopiedintoyourpayload.• Createdduetoshellcodebeing“broken”whenleveragingmsfvenom makinganon-workingpayload.



Veil-Ordnance



Veil-Catapult

• PayloadDeliverytool• Payloads:• PowerShell• BarebonesPython• Sethc backdoor

• CanautospawntheMetasploithandlerscript.



DEMO



HowtoStopVeil

• APIScanners(AmbushIPS)• PredictableBehaviors• EnhancedMitigationExperienceToolkit(EMET)



OtherAVEvadingTools

• Hyperion:Thisisusedtoencryptthebinary

• peCloak:Automatedtoolthatattemptsmultipletrickstoevadeantiviruses



Q&A


@NTXISSA#NTXISSACSC4@NTXISSA#NTXISSACSC4

The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA

NorthTexasISSA(InformationSystemsSecurityAssociation)


Thankyou

NTXISSACSC4 - The Art of Evading Anti-Virus

Internet

Transcript of NTXISSACSC4 - The Art of Evading Anti-Virus