@NTXISSA #NTXISSACSC4
The Art of Evading Antivirus
Quentin Rhoads-Herrera, Security Analyst
State Farm, 9/28/2016
Background
• Worked in the following roles:
  • System administrator
  • Developer (.NET / mobile)
  • Regulatory / compliance analyst
  • Security Analyst
• Pentesting hobbyist :)
NTX ISSA Cyber Security Conference – October 7-8, 2016
The Problem
• Pen-testers are caught by antivirus programs.
• Antivirus programs catch stock Metasploit payloads.
• Malware creators have already solved this problem.
How Antivirus Works
• Signature-based detection
• Heuristic-based detection
• Behavioral-based detection
• Sandbox detection
• Data mining techniques
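The first item on the slide above, signature-based detection, together with a simple entropy heuristic, as an added Python example (it is not code from the talk or from any antivirus product). It scans constructed sample bytes against an exact-hash signature, a byte-pattern signature and an entropy threshold, and shows why a one-byte change defeats the hash signature but not the pattern signature, and why encrypted or packed content stands out as high entropy even when no signature matches. All sample data, signature names and the 7.2-bits-per-byte threshold are constructed for the example.

```python
"""Toy static scanner: hash signature, byte-pattern signature and an entropy heuristic."""
import hashlib
import math
import re

# Constructed sample content standing in for files on disk. None of it is a real payload.
SAMPLE_ORIGINAL = b"MZ\x90\x00 constructed sample file DEMO-MARKER-2016 end"
# Same content with one byte appended: the file hash changes, the byte pattern does not.
SAMPLE_APPENDED = SAMPLE_ORIGINAL + b"\x00"
# Benign content carrying none of the markers.
SAMPLE_CLEAN = b"MZ\x90\x00 hello from a benign constructed file"
# Deterministic high-entropy content (every byte value equally often) standing in for an
# encrypted or packed blob: its Shannon entropy is exactly 8 bits per byte.
SAMPLE_OPAQUE = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-hash signature: matches one specific file and nothing else (constructed here).
HASH_SIGNATURES = {sha256_hex(SAMPLE_ORIGINAL): "Demo.Sample.Exact"}

# Byte-pattern signature: a regex over the raw content (invented marker for the example).
BYTE_SIGNATURES = {"Demo.Sample.Marker": re.compile(rb"DEMO-MARKER-\d{4}")}

# Assumed rule-of-thumb threshold; compressed/encrypted data sits close to 8 bits per byte.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> dict:
    """Run the three checks over one blob and return a small report."""
    digest = sha256_hex(data)
    entropy = shannon_entropy(data)
    return {
        "sha256": digest,
        "hash_match": HASH_SIGNATURES.get(digest),
        "signature_matches": [name for name, rx in BYTE_SIGNATURES.items() if rx.search(data)],
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    for label, blob in [("original", SAMPLE_ORIGINAL), ("appended", SAMPLE_APPENDED),
                        ("clean", SAMPLE_CLEAN), ("opaque", SAMPLE_OPAQUE)]:
        print(label, scan(blob))
```

The "appended" sample is the interesting one: the exact-hash signature is gone after a single extra byte, while the pattern signature still fires, which is why vendors layer pattern, heuristic and behavioral checks on top of plain hashes. The "opaque" sample trips no signature at all but is flagged by the entropy heuristic, which is one reason encrypted payloads are not a free pass.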
Is Antivirus Dead?
• In 2014 the senior vice president of Symantec, Brian Dye, declared to the Wall Street Journal that antivirus “is dead.” – Brian Dye, Senior Vice President, Symantec
Source: http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj
Is Antivirus Dead?
• “Relying solely on antivirus is a dead end - and it has been for at least 8 years now. But that’s like saying that aspirin is dead because it’s not the cure for cancer, AIDS, and all of humanity's other illnesses.” – Bogdan Dumitru, Chief Technology Officer, Bitdefender
Source: http://securitywatch.pcmag.com/security/
Ways of Evading Antivirus
• Changing the signature
• Encode (A LOT)
• Encrypt
• Leverage your own executable, or one that is already trusted by Windows (notepad.exe)
• Veil-Framework
The Veil-Framework
HD Moore
• “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” – HD Moore
Source: https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
Checking your Payloads
• Virustotal is a website that allows you to check how successful your payload is at evading antiviruses.
• Antivirus vendors receive information about what was uploaded to Virustotal.
Virustotal
Source: https://www.virustotal.com/
Meterpreter is Caught
Encoded Meterpreter
The Veil Way
• The Veil hash check method!!! (Really slick)
• Recommended to check the hash, which is located at /veil/output/hashes, through the Virustotal API instead of submitting files.
• checkvt reads all of those hashes and checks them via the Virustotal API.
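The hash-check workflow on the slide above, as an added Python example that is not Veil's own checkvt code: it hashes files locally (a stand-in for the veil/output/hashes list), builds a lookup against the VirusTotal public API v2 file/report endpoint (the documented public API at the time of the talk; the endpoint URL and the VT_API_KEY environment variable are assumptions of this example), and reduces a report to what the checker needs. The same lookup-before-upload habit serves an incident responder who needs to know whether a file is already known without handing a possibly sensitive sample to every vendor. The two JSON responses are constructed in the v2 format so the summary logic runs offline.

```python
"""Check file hashes against VirusTotal by lookup, not upload."""
import hashlib
import json
import os
import urllib.parse
import urllib.request

# Assumption: VirusTotal public API v2 "file/report" endpoint (the public API documented in 2016).
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
# Placeholder: supply your own key through the environment; do not hard-code it.
VT_API_KEY = os.environ.get("VT_API_KEY", "REPLACE-WITH-YOUR-API-KEY")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hashes_from_directory(directory: str) -> dict:
    """Map every regular file in `directory` to its SHA-256 (a local hashes list)."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            result[name] = sha256_of_file(path)
    return result


def build_report_request(resource: str, api_key: str = VT_API_KEY) -> str:
    """URL for a v2 file/report lookup; `resource` is an MD5, SHA-1 or SHA-256 hex digest."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    return f"{VT_REPORT_URL}?{query}"


def summarize_report(report: dict) -> dict:
    """Reduce a v2 file/report body to: is the hash known, and which engines flag it."""
    if report.get("response_code") != 1:
        # 0 means the hash has never been seen; -2 means analysis is still queued.
        return {"known": False, "positives": 0, "total": 0, "detected_by": []}
    scans = report.get("scans", {})
    detected_by = sorted(engine for engine, verdict in scans.items() if verdict.get("detected"))
    return {
        "known": True,
        "positives": report.get("positives", 0),
        "total": report.get("total", 0),
        "detected_by": detected_by,
    }


def lookup_hash(resource: str, api_key: str = VT_API_KEY) -> dict:
    """Perform the network lookup (needs a key and connectivity; public-API rate limits apply)."""
    with urllib.request.urlopen(build_report_request(resource, api_key), timeout=30) as resp:
        return summarize_report(json.loads(resp.read().decode("utf-8")))


# Constructed sample responses in the v2 shape; engine names and verdicts are invented.
SAMPLE_KNOWN_REPORT = {
    "response_code": 1,
    "resource": "0" * 64,
    "positives": 2,
    "total": 3,
    "scans": {
        "EngineA": {"detected": True, "result": "Generic.Demo"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Demo.Sample"},
    },
}
SAMPLE_UNKNOWN_REPORT = {
    "response_code": 0,
    "resource": "1" * 64,
    "verbose_msg": "The requested resource is not among the finished, queued or pending scans",
}

if __name__ == "__main__":
    for name, digest in hashes_from_directory(".").items():
        print(f"{digest}  {name}")
    print(summarize_report(SAMPLE_KNOWN_REPORT))
    print(summarize_report(SAMPLE_UNKNOWN_REPORT))
```

A `known: False` result is the interesting outcome for the slide's purpose: it means nobody has uploaded that exact file, so the hash lookup told you something without distributing the sample. Uploading would change that state for every vendor at once.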
Demo
When it is Caught
Veil-Evasion
• Integrated with Metasploit
• Leverages encryption (AES-encrypted shellcode)
• Can leverage your own payloads
• Uses non-standard languages for Windows binaries
• Can integrate into your own project
Languages Used
• Python
• Perl
• PowerShell
• C
• C#
• Go
• Ruby
Shellcodes
• Void pointer casting:
  • Not a guarantee that your shellcode will drop into executable memory.
• VirtualAlloc:
  • Allocates memory (shellcode size)
  • Determines permissions needed
• HeapAlloc:
  • Manually drop shellcode
DEMO
Veil-Ordnance
• Generates shellcode that can be copied into your payload.
• Created due to shellcode being “broken” when leveraging msfvenom, making a non-working payload.
Veil-Catapult
• Payload delivery tool
• Payloads:
  • PowerShell
  • Barebones Python
  • Sethc backdoor
• Can auto-spawn the Metasploit handler script.
DEMO
How to Stop Veil
• API scanners (Ambush IPS)
• Predictable behaviors
• Enhanced Mitigation Experience Toolkit (EMET)
Other AV Evading Tools
• Hyperion: used to encrypt the binary
• peCloak: automated tool that attempts multiple tricks to evade antiviruses
Q&A
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you