Malware Evasion Techniques
This talk was presented at Security Day 2017. It gives an overview of malware evasion techniques.
1. Malware Evasion Techniques: How to Defeat Malware Protection?
   McAfee – Thomas Roccia, Security Consultant Researcher | troccia.tdgt.org | @fr0gger_

2. Whoami
   Thomas Roccia | @fr0gger_
   French Security Consultant Researcher working at McAfee Foundstone: malware fighting, incident response, threat intelligence, red team assessment, education.

3. Summary
   - Introduction: what is the goal of this presentation? The increasing malware threat. History of malware protection. Why does malware use self-defense techniques?
   - How does a malware succeed in infecting me?
   - Overview of malware protection
   - Unprotect Project
   - Conclusion

4. What is the goal of this presentation? (Introduction)
   - Understand why antivirus engines do not detect the new generation of malware.
   - Understand why sandbox tools are not sufficient against this threat.
   - Understand why a malware analyst can fall for malware tricks.
   - Introduce malware protection techniques and how to defeat them.
   - Introduce the Unprotect Project.

5. The Increasing Malware Threat (Introduction)
   Today the malware threat is growing fast and a lot of stolen data is sold on underground markets. Malware is the new weapon of many actors: governments, spies, hacktivists, mafia, even kids. Remaining undetected is vital for a malware. The challenge is huge for attackers and defenders alike.

6. History of Malware Protection (Introduction)
   The history of malware began in the 1970s, but the history of malware self-defense did not start before the late 1980s. The first virus that attempted to defend itself from the antivirus utilities then available was the DOS virus Cascade, which partially encrypted its own code. Two years later the first polymorphic virus appeared: Chameleon. It used complex encryption and obfuscation methods to protect its code. Until recently, antivirus programs worked exclusively by analyzing file code; detection is now becoming more complex, with heuristic approaches and threat intelligence.
   https://securelist.com/analysis/publications/36156/the-evolution-of-self-defense-technologies-in-malware/

7. History of Malware Protection (Introduction)
   Images: the Cascade virus; a representation of the Chameleon virus.

8. Why does Malware Use Self-Defense Techniques? (Introduction)
   Cyber-criminals invest time to create tough, hardened programs. Some samples are really advanced and contain a lot of functionality. Protection and self-defense are vital for attackers, who do not want to waste several months of work. Many techniques can be implemented; they fall into 3 categories:
   - Anti-SecTools (AV, firewall…)
   - Anti-Sandbox: detection of automated analysis
   - Anti-Analyst: detection of manual analysis
   Some techniques are common to all 3 categories.

9. How does a Malware Succeed in Infecting Me? (Overview)
   "I have the latest update of the AV but I still get infected": most of the time the AV engine detects the malicious payload but not the wrapper; many techniques can escape the AV; best practices are not always respected.
   "I bought a really expensive sandbox, but when I run a malicious payload it is not detected": sandboxes are often misconfigured, which prevents them from detecting malware; a malware can retrieve a lot of information.
   "I spent a lot of time analyzing this sample but I am still confused and do not understand it": obfuscation, packers and anti-analysis tricks give analysts a hard time.

10. Antivirus Engine can Fail (How does a Malware Succeed in Infecting Me?)
   Most of the time an antivirus engine is based on: signature detection, scanning functionality, a heuristic engine. A malware can escape these by different techniques: adding antivirus exceptions, disabling the antivirus, using the sleep method, using code injection, etc.

11. Sandboxes can Fail (How does a Malware Succeed in Infecting Me?)
   Sandboxing is the fashionable security tool of the moment, and also the easiest way to quickly understand a malware. However, many misconfigurations allow a malware to detect the analysis environment. The way to avoid this detection is to provide a real user machine, but it is difficult to maintain. Some security tools can help you harden your sandbox.

12. Analysts can Fail (How does a Malware Succeed in Infecting Me?)
   A lot of tricks can be used by a malware to defeat the analyst. Bypassing the protection is sometimes hard and very time consuming. Some malware is prepared to face analysis tools and keeps improving its self-defense techniques to remain undetected and incomprehensible. Packers, anti-disassembly, anti-honeypot, obfuscation and more are part of the attackers' arsenal. The goal for the analyst is to remove these protections to better understand the behavior of the sample.

13. Overview of Malware Protection (Overview)
   Malicious software in the Windows environment has typically been armored, packed, encrypted or obfuscated to protect itself from classic review. There are several ways to avoid detection and analysis: packers, VM/sandbox detection, AV evasion, anti-disassembly, anti-debugging, obfuscation…

14. Examples of Underground Tools (Overview of Malware Protection)
   Image slide.

15. Obfuscation (Overview of Malware Protection)
   A malware often uses obfuscation techniques to avoid detection and analysis. Obfuscation is the act of obscuring the intended meaning of a communication by making the message confusing, wilfully ambiguous, or harder to understand. Malware obfuscation serves one ultimate purpose: survival.

16. Obfuscation – eXclusive OR (XOR) (Overview of Malware Protection)
   XOR is the operation most commonly used by malware, because it is really easy to use to hide data: a key is XORed with the data and produces the cipher text. XOR is reversible, so the same operation both encodes and decodes. A XOR key can be brute-forced; XORsearch or XORStrings can be used.
   https://blog.didierstevens.com/programs/xorsearch/
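As an added example (not part of the slides and not Didier Stevens' tool), the following Python shows the brute force the slide refers to: every one-byte key is tried against known plaintext markers the way XORsearch/XORStrings do, and it goes one step further by recovering a repeating multi-byte key from a known plaintext. The sample C2 string, the key values and the marker list are constructed for this example.

```python
# Added example (not from the slides, and not XORsearch itself): recover a XOR key
# from an obfuscated blob the way XORsearch/XORStrings do, by trying every one-byte
# key against known plaintext markers, then extended to a repeating multi-byte key.

# Constructed sample: a fake C2 configuration string as malware might store it.
PLAINTEXT = b"c2=http://example.invalid/gate.php key=abc"
# Markers XOR-search tools look for; this list is an assumption for the example.
DEFAULT_NEEDLES = [b"http://", b"https://", b"This program cannot be run in DOS mode"]


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse: one call encodes, the
    same call decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_bruteforce(blob: bytes, needles=DEFAULT_NEEDLES):
    """Try all 255 non-zero one-byte keys; return [(key, needle, offset)] for every
    key under which a marker appears. Key 0x00 would only find visible plaintext."""
    hits = []
    for key in range(1, 256):
        decoded = xor_repeat(blob, bytes([key]))
        for needle in needles:
            offset = decoded.find(needle)
            if offset != -1:
                hits.append((key, needle, offset))
    return hits


def recover_key(blob: bytes, needle: bytes, key_len: int) -> set:
    """Known-plaintext recovery of a repeating key of key_len bytes (the needle must
    be at least that long): slide the needle across the blob, derive the key bytes
    it implies at each offset and keep only keys that are self-consistent."""
    keys = set()
    for off in range(len(blob) - len(needle) + 1):
        key, seen, consistent = bytearray(key_len), [False] * key_len, True
        for i, p in enumerate(needle):
            j = (off + i) % key_len
            k = blob[off + i] ^ p
            if seen[j] and key[j] != k:
                consistent = False
                break
            key[j], seen[j] = k, True
        if consistent and all(seen):
            keys.add(bytes(key))
    return keys


if __name__ == "__main__":
    blob = xor_repeat(PLAINTEXT, b"\x5a")
    for key, needle, offset in xor_bruteforce(blob):
        print(f"key=0x{key:02x} marker={needle!r} at offset {offset}")
        print(xor_repeat(blob, bytes([key])).decode())
    blob4 = xor_repeat(PLAINTEXT, b"\x5a\x13\x88\x41")
    print("4-byte key candidates:", recover_key(blob4, b"http://", 4))
```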
17. Obfuscation – Other (Overview of Malware Protection)
   A malware also uses many other methods to obfuscate its content: ROT13 (Caesar), Base64, common cryptographic algorithms, custom encoding, Visual Basic encoding, commercial obfuscators, hash algorithms, packers.

18. Packer (Overview of Malware Protection)
   Malware coders often use packing to make analysis more difficult. Samples sometimes contain multiple layers of armoring/packing. Many coders commonly use packers, some of which are also used by commercial products. When the packed program runs, the malware is unpacked.
   Diagram: Wrapper Program → Packed Executable (not visible in static analysis) → Original Executable

19. Process Hollowing (Overview of Malware Protection)
   Process hollowing is a technique used by a malware to inject malicious code into another process. For example, a sample can create a notepad.exe process and inject its payload into it. To perform process hollowing, a sample uses the following functions:
   - CreateProcess: in suspended mode, with the creation flag 0x00000004 (CREATE_SUSPENDED).
   - GetThreadContext: retrieves the context of the specified thread.
   - ZwUnmapViewOfSection: unmaps a view of a section from the virtual address space of the target process.
   - VirtualAllocEx: allocates memory within the suspended process's address space.
   - WriteProcessMemory: writes the PE file into the memory just allocated in the suspended process.
   - SetThreadContext: sets the EAX register to the entry point of the executable that was written.
   - ResumeThread: resumes the thread of the suspended process.
   http://www.autosectools.com/process-hollowing.pdf

20. Process Hollowing (Overview of Malware Protection)
   Process hollowing is basically used to avoid detection. Usually a sample will create another process; this can be observed with a tool that monitors the sample's activity.
   http://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/

21. Anti-debug (Overview of Malware Protection)
   The Windows API provides functions that allow a malware to detect whether it is currently being debugged. If a debugger is detected, the malware terminates its process or changes its behavior to fool the analyst. Several anti-debug functions used by malware:
   - IsDebuggerPresent: checks whether the IsDebugged field of the PEB (Process Environment Block) has a non-zero value, which implies a debugger is running.
   - CheckRemoteDebuggerPresent: similar to the above; does a simple check for the process itself or any other process, and needs a process handle as input parameter.
   - FindWindow: WinAPI call to check whether a window with a certain name is present ("OllyDbg"…).
   - NtQueryInformationProcess: retrieves information about a specific process using its process handle. If the returned value (the debug port number) is non-zero, the malware knows it is being debugged.
   http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/
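As an added example (not from the slides) that covers both the process-hollowing call sequence of slide 19 and the anti-debug calls above, the Python below matches those patterns in a constructed API-call trace of the kind a sandbox or EDR API hook produces. The trace format, the "OllyDbg" window-name list and the sample PIDs are assumptions made for this example.

```python
# Added example (not from the slides): flag the process-hollowing API sequence and
# the anti-debug calls the slides describe in a constructed API-call trace.
import re
from collections import defaultdict

# Hollowing steps in the slide's order; Zw*/Nt* name the same syscall.
HOLLOWING_STEPS = [{"CreateProcessA", "CreateProcessW"}, {"GetThreadContext"},
                   {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"}, {"VirtualAllocEx"},
                   {"WriteProcessMemory"}, {"SetThreadContext"}, {"ResumeThread"}]
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit named on the slide
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess"}
DEBUGGER_WINDOWS = ("ollydbg",)  # FindWindow names worth flagging; an assumption
LINE_RE = re.compile(r"pid=(\d+) api=(\w+)(?: (.*))?$")


def parse(line):
    """'pid=1000 api=VirtualAllocEx target=2000' -> (1000, 'VirtualAllocEx', {...})"""
    m = LINE_RE.match(line)
    rest = m.group(3) or ""
    return int(m.group(1)), m.group(2), dict(kv.split("=", 1) for kv in rest.split())


def detect(trace):
    """Return [(pid, finding)]; progress[(parent, child)] is the next expected step."""
    findings, progress = [], defaultdict(int)
    for line in trace:
        pid, api, kv = parse(line)
        if api in ANTI_DEBUG_APIS or (api.startswith("FindWindow") and
                kv.get("name", "").lower().startswith(DEBUGGER_WINDOWS)):
            findings.append((pid, f"anti-debug call {api}"))
        child = kv.get("child") or kv.get("target")
        key = (pid, child)
        if api in HOLLOWING_STEPS[0]:
            # Only a child created suspended can be hollowed before it ever runs.
            if child and int(kv.get("flags", "0"), 16) & CREATE_SUSPENDED:
                progress[key] = 1
        elif child and api in HOLLOWING_STEPS[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HOLLOWING_STEPS):
                findings.append((pid, f"process hollowing of pid {child}"))
                del progress[key]
    return findings


# Constructed trace: pid 1000 hollows notepad.exe; pid 3000 also starts a suspended
# child (as a debugger would) but never unmaps it or writes a new image into it.
SAMPLE_TRACE = [
    "pid=1000 api=IsDebuggerPresent", "pid=1000 api=FindWindowA name=OllyDbg",
    "pid=1000 api=CreateProcessW image=notepad.exe flags=0x4 child=2000",
    "pid=1000 api=GetThreadContext target=2000", "pid=1000 api=ZwUnmapViewOfSection target=2000",
    "pid=1000 api=VirtualAllocEx target=2000", "pid=1000 api=WriteProcessMemory target=2000",
    "pid=1000 api=SetThreadContext target=2000", "pid=1000 api=ResumeThread target=2000",
    "pid=3000 api=CreateProcessW image=cmd.exe flags=0x4 child=4000",
    "pid=3000 api=GetThreadContext target=4000", "pid=3000 api=SetThreadContext target=4000",
    "pid=3000 api=ResumeThread target=4000",
]
```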
22. Anti-debug (Overview of Malware Protection)
   Image slide; source: Teslacrypt Uncovered – Thomas Roccia.

23. VM detection (Overview of Malware Protection)
   Unfortunately malware writers are aware that many analysts use virtualization to perform their analysis. It is trivial to build virtualization detection into malware, which can have a number of interesting effects:
   - The malware may simply refuse to execute.
   - It may act as a totally innocent utility / clean file.
   - It may attempt to crash the virtual machine.
   - It may attempt to exploit a vulnerability to infect the physical machine.

24. VM detection – Red Pill Technique (Overview of Malware Protection)
   The Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. Only one OS can use the IDTR register at a time; VMware relocates the IDT for emulation to an address of the form 0xFFXXXXXX.
   http://www.simonganiere.ch/2012/11/20/malware-anti-vm-technics/

25. VM detection – Other Techniques (Overview of Malware Protection)
   - No Pill: use of the SGDT and SLDT instructions for VMware detection.
   - Detection of VM processes (VmwareService.exe, VmwareTray.exe…).
   - Detection of VM registry keys.
   - Detection of hooked functions (DeleteFileA, CreateFile…).

26. Unprotect Project (Overview)
   Malware protection can be hard to remove. The main goal is to provide the first database about binary protection. The database is a wiki with: an explanation of each protection technique; how to defeat that protection.

27. The first database about binary protection (Unprotect Project)
   The Unprotect Project is a database that aims to group all the protection and self-defense techniques used by malware and binaries. Unprotect is a community project based on contributors and on a wiki. The goal is to provide the security community and IT people with a knowledge base to detect new generations of malware. Multiple goals:
   - Provide knowledge about malware protection capabilities.
   - Provide information to defeat it against sandboxes and security tools.
   - Provide the way for malware analysts to manually unprotect samples.

28. Wiki (The Unprotect Project)
   The wiki can be reached at unprotect.tdgt.org. It groups malware self-defense techniques by classification. Anyone who wants to add content can request an account. Content can be:
   - New or unknown malware protection.
   - Theoretical malware protection.
   - An entry with a full description (definition, code, unprotection…).
   - An entry with just the definition field.

29. unprotect.tdgt.org
   Screenshot slide.

30. What Else?
   During my research I got an idea: why not emulate a virtual/sandbox environment on my physical machine to stay protected against malware? If a malware detects my fake environment, it will not run and I will not get infected :)

31. Stay protected by emulating a malware analysis machine (RocProtect)
   I coded a quick and dirty POC that creates VM artifacts on a machine. RocProtect is an open-source POC coded in C++. The tool creates on your system:
   - Fake registry keys of VMware/VirtualBox/QEMU
   - Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe…)
   - Fake directories (Wine, VMware Tools, VirtualBox Tools…)
   - Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys…)
   - A fake MAC address related to VMware or VirtualBox

32. Stay protected by emulating a malware analysis machine (RocProtect)
   Screenshot slide.

33. Conclusion
   Malware protection and self-defense are the techniques that allow attackers to remain undetected. Many techniques can be used to evade antivirus, security tools and analysts. Knowing these techniques can help the IT security industry be more effective against malware threats.

34. Thank you
   • Thomas Roccia
   • @fr0gger_