Understand
malware
Practical steps
for beginners
whoami
Just another programmer
four years of experience
Security Engineer
ten years of experience
Antonio Costa – github.com/CoolerVoid
Twitter: @Cooler_freenode
Reference
Malware
Malware is the name for a program designed to mistreat its
users. Viruses typically are malicious, but sometimes software
products and software preinstalled in products can also be
malicious — and often are, I'm not even joking, it's a sad fact.
You can see that such software sometimes sits on the
signature whitelist of some antivirus products. Malware often
contains hidden behavior which is only activated when
properly triggered.
Latest Microsoft report (2020)
https://www.microsoft.com/en-us/wdsi/threats
Malware for Linux?
Fake package resources like a fake deb, fake rpm, fake ko (kernel
module)…
Fake sudo
Fake auth dialogs with Qt/GTK/X11… keyloggers with X11, etc...
It's not impossible!
github.com/GiacomoLaw/Keylogger - keylogger
github.com/CoolerVoid/rootstealer - tool to manipulate X11
github.com/m0nad/Diamorphine - rootkit for modern kernels
github.com/mthbernardes/Derbie - tool to generate malicious .deb packages
Malware for mobile?
Google and Apple invest a lot in security research, but that's not enough!
As has been shown time after time, malware is still able to bypass market
security (Google Play, App Store)!
Security vulnerabilities are discovered on a constant basis, and if your
device is not patched, you are vulnerable!
Android
Malware uses Android's Accessibility Service to take over the phone, displaying a
request prompt that would allow it to add itself to the device administrator list
and become the default messaging app.
Once the takeover is complete, the malware can send an SMS/WhatsApp message
containing specific text to any number, extract text messages and send them
to the attacker, open links, change the address of its command center, and steal data
such as phone call info.
From another angle: once the takeover is complete, the malware can send messages to spread
itself to your contacts… each malware has a different context!
Android
Android
Warning
The X-files
This is my compendium of strange underground code written as a scholarly
joke, forbidden recipes, fallen functions from the depths... only for
Windows platforms.
Keep malicious feelings out; only for
security study purposes!
https://github.com/CoolerVoid/X_files/
Malware in Java...
Everything uses libc; for example, the coreutils used by Unix-like systems
such as FreeBSD, Linux and Darwin (macOS)... you can see commands like
rm, ls, mv, mkdir... these programs use libc, with the syscall labels in unistd.h,
etc...
The X-files
Overview:
Unkillable process
Persistence
On Unix systems you can use rc.local, init… and there are other paths…
Hooking
Operating systems and software may provide the means to easily
insert event hooks at runtime. This is available provided that the
process inserting the hook is granted enough permission to do so.
Microsoft Windows, for example, allows you to insert hooks that can
be used to process or modify system events and application events
for dialogs, scrollbars, and menus, as well as other items. It also
allows a hook to insert, remove, process or modify keyboard and
mouse events. Linux provides another example, where hooks can be
used in a similar manner to process network events within the
kernel through Netfilter (github.com/CoolerVoid/HiddenWall).
Trial bypass history
Trial bypass history
Hook the time functions…
GetSystemTime()
GetTimeFormat()
SystemTimeToFileTime()…
If there is an external NTP check, pharming via the hosts file...
docs.microsoft.com/en-us/windows/win32/sysinfo/time-functions
Antivirus uses hooks
Antivirus uses hooks
Keylogger function
Screenlogger function
Backdoor resources
socket(), listen(), bind()… libcurl… libnet… raw socket port knocking
Backdoor resources
send(), recv(), sendfile(), etc...
Backdoor resources
popen(), system(), execv()...
Port knocking
Raw socket shell with AES256-GCM
using Port Knocking technique
github.com/CoolerVoid/ninja_shell
Raw mode is basically there to allow you to bypass
some of the ways that your computer handles TCP/IP.
Fake process name
Fake process name
Danger docs...
Macros, VBA, Exploits...
Turn a normal PDF file malicious:
github.com/3gstudent/Worse-PDF
Turn Doc files malicious:
https://github.com/sevagas/macro_pack
Other resources
Replace a QR code
Change the rendering of a bar code
Steal cookies
Form grabbing
Steal the browser database (SQLite)
Use a (headless) browser to bypass the firewall
Use BitLocker to encrypt data… (ransomware)
Use an embedded library to encrypt resources…
Miner bot...
Load a fake driver (rootkit)...
Other resources
Bootkits…
BIOS...
Protections
To prolong the life of a malware, you can frequently see anti-VM
and anti-debugging techniques being used to delay the analysis
process performed by security experts. The good news for you is
that you have a lot of ways to try to mitigate that. For example,
with OllyDbg you can use the OllyExt plugin to try to bypass anti-
debugger resources. Another way, following the hooking approach,
is to hook the function IsDebuggerPresent() when the debugger
executes a malware sample and force it to always return
zero (bypassing the debugger detection).
Bypass malware protections
But in any case, you can also protect the machine. You can take the
function IsDebuggerPresent() and, with hooking, force it to always
return the value 1. By following this approach the malware is never
going to start its trigger, since by then it has either frozen or called an exit()
function; other outcomes may happen as well. Malware
often contains hidden behavior which is only activated when
properly triggered. No trigger, the malware quits. Simple.
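The IsDebuggerPresent() trick above, as an added example that is not from the slides: an inline patch that overwrites the first bytes of a debugger-detection function so it always returns 1, which makes a trigger gated on "no debugger" never fire. Because the Win32 API is not available on a Linux build box, is_debugger_present() here is a hypothetical stand-in; the patch bytes are the real "return 1" machine code for x86-64 and aarch64.

```c
/* Added example: inline-patch a detection function to always return 1.
 * is_debugger_present() stands in for Win32 IsDebuggerPresent(); the
 * mechanism (mprotect + overwrite the prologue) is the same idea as
 * user-mode inline hooking on Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Volatile so the compiler cannot fold the call below into a constant. */
volatile int g_debugger_flag = 0;

/* Stand-in for IsDebuggerPresent(): 0 = no debugger observed. */
__attribute__((noinline)) int is_debugger_present(void)
{
    return g_debugger_flag;
}

/* Machine code for a stub that ignores its arguments and returns 1. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char k_ret1[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00, /* mov eax, 1 */
    0xC3                          /* ret        */
};
#elif defined(__aarch64__)
static const unsigned char k_ret1[] = {
    0x20, 0x00, 0x80, 0x52,       /* mov w0, #1 */
    0xC0, 0x03, 0x5F, 0xD6        /* ret        */
};
#else
#error "no return-1 stub for this architecture"
#endif

/* Overwrite the prologue of fn with the stub. Returns 0 on success. */
int install_ret1_hook(void *fn)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)fn & ~(page - 1);
    /* The stub may straddle a page boundary, so cover up to its end;
     * the kernel rounds the length up to whole pages. */
    size_t len = ((uintptr_t)fn + sizeof k_ret1) - start;

    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(fn, k_ret1, sizeof k_ret1);
    /* Required on aarch64 (separate I/D caches); harmless on x86. */
    __builtin___clear_cache((char *)fn, (char *)fn + sizeof k_ret1);
    return mprotect((void *)start, len, PROT_READ | PROT_EXEC);
}

/* The gate a sample typically puts in front of its payload:
 * 1 = the trigger would run, 0 = it bails out (exit/freeze). */
int trigger_would_fire(void)
{
    return is_debugger_present() ? 0 : 1;
}

int main(void)
{
    printf("before hook: debugger=%d trigger fires=%d\n",
           is_debugger_present(), trigger_would_fire());
    if (install_ret1_hook((void *)is_debugger_present) != 0) {
        perror("mprotect");
        return 1;
    }
    printf("after hook:  debugger=%d trigger fires=%d\n",
           is_debugger_present(), trigger_would_fire());
    return 0;
}
```

The same patch applied with the bytes for "return 0" is exactly what an analyst's anti-anti-debug plugin does, which is why the slides describe both directions.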
The enemy
Do you know your enemy ?
Do you know your enemy ?
Install VMware Tools
or VirtualBox Guest Additions
to mimic a VM
on your desktop…
Manually unpack and migrate DLLs, binaries, etc.
Trigger Anti-VM resources
Inspired by the PowerShell script Fake Sandbox Processes (FSP),
this script allows you to create various artifacts on a bare-metal
Windows computer in an attempt to trick malware that looks for
VM or analysis tools.
github.com/NavyTitanium/Fake-Sandbox-Artifacts
Trigger Anti-VM resources
Problems with sandbox artifacts
Bank desktop applications use anti-debugger and anti-VM
resources… this can make your bank desktop application close…
Games (Steam client, Origin client) have anti-cheat engines; those
engines close the application when they detect VM resources or debugger
resources...
Warning
theZoo
“theZoo is a project created to make the possibility of malware
analysis open and available to the public. Since we have found out
that almost all versions of malware are very hard to come by in a
way which will allow analysis, we have decided to gather all of them
for you in an accessible and safe way. theZoo was born by Yuval tisf
Nativ and is now maintained by Shahak Shalev.”
https://github.com/ytisf/theZoo
Veil
“Veil is a tool designed to generate metasploit payloads that bypass
common anti-virus solutions”.
github.com/Veil-Framework/Veil
al-khaser
“Public malware techniques used in the wild: Virtual Machine,
Emulation, Debuggers, Sandbox detection.”
https://github.com/LordNoteworthy/al-khaser
Other resources
https://github.com/wtsxDev/reverse-engineering
github.com/beerisgood/Windows10_Hardening
github.com/LOLBAS-Project/LOLBAS
github.com/mentebinaria (Brazilian cool stuff)
Other paths
Questions?
Contact:
coolerlair [at] gmail [dot] com
Thank you !