The purpose of this presentation is to explain the basic resources needed to understand how a programmer can create malware, to give insights into the topic, and to brainstorm, through practical code and many exotic ideas, security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
2. whoami
Just another Programmer
Four years' experience
Security Engineer
Ten years' experience
Antonio Costa – github.com/CoolerVoid
Twitter: @Cooler_freenode
4. Malware
Malware is the name for a program designed to mistreat its users. Viruses typically are malicious, but commercial software products and software preinstalled in products can also be malicious, and often are. I'm not even joking; it's a sad fact. You can see that such software sometimes sits on the signature whitelist of some antivirus products. Malware often contains hidden behavior which is only activated when properly triggered.
6. Malware for Linux?
Fake package resources like a fake deb, fake rpm, fake ko (kernel module)...
Fake sudo
Fake auth dialogs with QT/GTK/X11... keyloggers with X11 etc.
It's not impossible!
github.com/GiacomoLaw/Keylogger - keylogger
github.com/CoolerVoid/rootstealer - tool to manipulate X11
github.com/m0nad/Diamorphine - Rootkit for modern kernels
github.com/mthbernardes/Derbie - Tool to generate malicious .deb pkgs
7. Malware for mobile?
Google and Apple invest a lot in security research, but that's not enough!
As we have shown time after time, malware is still able to bypass marketplace security (Google Play, App Store)!
Security vulnerabilities are discovered on a constant basis, and if your device is not patched, you are vulnerable!
8. Android
Malware uses Android's Accessibility Service to take over the phone, displaying a request prompt that, if accepted, allows it to add itself to the device administrator list and become the default messaging app.
Once the takeover is complete, the malware can send an SMS or WhatsApp message containing specific text to any number, extract text messages and send them to the cracker, open links, change the address of the company center, and steal data such as phone call info.
From another angle, once the takeover is complete, the malware can send messages to spread itself to your contacts... each malware has a different context!
12. The X-files
This is my compendium of strange underground code for a scholarly joke, forbidden recipes, fallen functions from the depths... only for Windows platforms.
Keep malicious feelings out of it; for security study purposes only!
https://github.com/CoolerVoid/X_files/
13. Malware in Java...
Everything uses libc; for example, the coreutils used by Unix-like systems such as FreeBSD, Linux and Darwin (macOS)... you can see commands like rm, ls, mv, mkdir... these programs use libc, with labels for syscalls in unistd.h etc.
17. Hooking
Operating systems and software may provide the means to easily insert event hooks at runtime, provided that the process inserting the hook is granted enough permission to do so. Microsoft Windows, for example, allows you to insert hooks that can be used to process or modify system events and application events for dialogs, scrollbars, and menus, as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. Linux provides another example, where hooks can be used in a similar manner to process network events within the kernel through Netfilter (github.com/CoolerVoid/HiddenWall).
19. Trial bypass history
Hook time functions...
GetSystemTime()
GetTimeFormat()
SystemTimeToFileTime()...
If there is an external NTP check, do pharming in the hosts file...
docs.microsoft.com/en-us/windows/win32/sysinfo/time-functions
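A defender-side check for the hosts-file pharming named above, added here as an example (not code from the deck or from the author's projects): a parser that flags any hosts entry overriding a well-known time-server name. The TIME_SERVERS list and the sample hosts file are assumptions constructed for the example.

```python
"""Check a hosts file for "pharming" of time-server names.

Added example: pinning the NTP hostnames an application checks against to
an attacker-chosen address in the hosts file is the trick named above; this
parser flags any entry that overrides a well-known time server.
TIME_SERVERS and the sample file are assumptions, not the deck's content."""
import ipaddress

# Well-known time-server hostnames an application might query (assumed list).
TIME_SERVERS = {"time.windows.com", "time.nist.gov", "pool.ntp.org", "time.google.com"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping
    comments, blank lines and lines whose first field is not an IP."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed entry, ignore it
        for name in names:
            yield addr, name.lower()

def find_time_server_overrides(text):
    """Return {hostname: address} for entries matching a time server exactly
    or as a subdomain (e.g. 0.pool.ntp.org). Time servers have no business
    in a hosts file, so any match is suspicious, loopback included."""
    hits = {}
    for addr, name in parse_hosts(text):
        if any(name == s or name.endswith("." + s) for s in TIME_SERVERS):
            hits[name] = addr
    return hits

# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost
10.0.0.5     intranet.example.local      # legitimate internal entry
203.0.113.7  time.windows.com            # time server pinned to an external IP
203.0.113.7  0.pool.ntp.org 1.pool.ntp.org
"""

if __name__ == "__main__":
    for host, addr in find_time_server_overrides(SAMPLE_HOSTS).items():
        print(f"time server {host} is overridden to {addr}")
```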
27. Port knocking
Raw socket shell with AES-256-GCM using the port knocking technique
github.com/CoolerVoid/ninja_shell
Raw mode is basically there to allow you to bypass some of the ways that your computer handles TCP/IP.
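The detection side of the port knocking technique above, added as an example that is not part of the deck or of the ninja_shell project: a host that is dropped on several closed ports within a few seconds and is then accepted on a different port leaves a recognisable pattern in firewall DROP/ACCEPT logs. The iptables-style log format and the sample lines are constructed for the example.

```python
"""Spot port-knock sequences in firewall logs (added example, not the deck's
code). A host dropped on several closed ports within seconds and then accepted
on another port leaves this pattern in DROP/ACCEPT logs. The iptables-style
log format and the sample lines are constructed, not real captures."""
import re
from collections import defaultdict
LOG_RE = re.compile(r"^\S+ +\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: (?P<action>DROP|ACCEPT)"
                    r" .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return {t, action, src, dpt} (t = seconds since midnight) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return {"t": h * 3600 + mi * 60 + s, "action": m["action"], "src": m["src"], "dpt": int(m["dpt"])}

def detect_knock_sequences(lines, min_ports=3, window=10):
    """Return {src: (knocked_ports, opened_port)} for sources dropped on at least
    min_ports distinct ports and then accepted, all within `window` seconds."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        for i, first in enumerate(evs):  # try each event as a sequence start
            knocks = []
            for ev in evs[i:]:
                if ev["t"] - first["t"] > window:
                    break  # outside the window, this start is exhausted
                if ev["action"] == "DROP" and ev["dpt"] not in knocks:
                    knocks.append(ev["dpt"])
                elif ev["action"] == "ACCEPT" and len(knocks) >= min_ports:
                    findings[src] = (knocks, ev["dpt"])  # knocks, then the door opens
                    break
            if src in findings:
                break
    return findings
# Constructed sample: 198.51.100.9 knocks 7000, 8000, 9000 and gets 2222 opened; 203.0.113.4 is noise.
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN",
    "Jan 10 12:00:02 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000 SYN",
    "Jan 10 12:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000 SYN",
    "Jan 10 12:00:05 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=2222 SYN",
    "Jan 10 12:00:07 gw kernel: DROP IN=eth0 SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23 SYN",
    "Jan 10 12:00:30 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN",
]
```

Thresholds are tunable: a single repeated port hit is excluded by the distinct-port rule, and raising min_ports or shrinking window trades recall for fewer false positives from ordinary scanners.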
30. Dangerous docs...
Macros, VBA, exploits...
Turn a normal PDF file into a malicious one.
github.com/3gstudent/Worse-PDF
Turn Doc files malicious.
https://github.com/sevagas/macro_pack
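A static triage check for the two document tricks above (macro-enabled Office files and PDFs that act on open), added as an example and not taken from the deck or from the linked projects. Both sample files are constructed in memory; the indicator lists are the usual suspects and are assumptions, not an exhaustive rule set.

```python
"""Static triage for the document tricks named above: VBA macro containers
inside OOXML Office files and auto-executing actions inside PDFs. Added
example, not the deck's code; both sample files are constructed in memory."""
import io
import re
import zipfile

# PDF name objects that make a document act on open or reach outside itself.
PDF_RISKY = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]

def office_indicators(data):
    """Return indicator names found in a zip-based (OOXML) Office document."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.endswith("vbaProject.bin") for n in names):
            found.append("vba_macro_container")  # the macro storage itself
        if "[Content_Types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
            found.append("macro_enabled_content_type")  # .docm/.xlsm declared
        if any(re.search(r"oleObject\d*\.bin$", n) for n in names):
            found.append("embedded_ole_object")  # embedded packages/objects
    return found

def pdf_indicators(data):
    """Return risky name objects present in raw PDF bytes. No stream
    decompression is done, so a clean result is not proof of safety."""
    return [k.decode() for k in PDF_RISKY if re.search(re.escape(k) + rb"\b", data)]

def build_sample_docm():
    """Constructed macro-enabled Word container with a placeholder vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType='
                   '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()

# Constructed PDF skeleton: the catalog's OpenAction points at a JavaScript action.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    print("docm:", office_indicators(build_sample_docm()))
    print("pdf: ", pdf_indicators(SAMPLE_PDF))
```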
31. Other resources
Replace QR codes
Change the rendering of bar codes
Steal cookies
Form grabbing
Steal the browser's database (SQLite)
Use a browser to bypass the firewall (headless)
Use BitLocker to encrypt data... (ransomware)
Use an embedded library to encrypt resources...
Miner bot...
Load a fake driver (rootkit)...
33. Protections
To prolong the life of malware, you frequently see anti-VM and anti-debugging techniques used to delay the analysis performed by security experts. The good news for you is that you have a lot of ways to try to mitigate that; for example, with OllyDbg you can use the OllyExt plugin to try to bypass anti-debugger resources. Another way, which also follows the hooking approach, is that when the debugger executes a malware sample you can hook the function IsDebuggerPresent() and force it to always return zero (bypassing the debug detector).
34. Bypass malware protections
But in any case, you can also protect the machine. You can hook the function IsDebuggerPresent() and force it to always return the value 1. By following this approach the malware never starts its trigger, since it is either frozen or has already called an exit() function; other contexts may happen as well. Malware often contains hidden behavior which is only activated when properly triggered. No trigger, the malware quits, simple.
38. Install VMware additions
or VirtualBox resources to mimic a VM on your desktop...
Manually unpack and migrate DLLs, binaries etc.
39. Trigger anti-VM resources
Inspired by the PowerShell script Fake Sandbox Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malware that looks for VM or analysis tools.
github.com/NavyTitanium/Fake-Sandbox-Artifacts
42. Problems with sandbox artifacts
Bank desktop applications use anti-debugger and anti-VM resources... this can close your bank desktop application...
Games (Steam client / Origin client) have anti-cheat engines; those engines close the application when they detect VM resources or debugger resources...
44. theZoo
“theZoo is a project created to make the possibility of malware
analysis open and available to the public. Since we have found out
that almost all versions of malware are very hard to come by in a
way which will allow analysis, we have decided to gather all of them
for you in an accessible and safe way. theZoo was born by Yuval tisf
Nativ and is now maintained by Shahak Shalev.”
https://github.com/ytisf/theZoo
45. Veil
“Veil is a tool designed to generate metasploit payloads that bypass
common anti-virus solutions”.
github.com/Veil-Framework/Veil
46. al-khaser
“Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.”
https://github.com/LordNoteworthy/al-khaser