Antivirus HAX! Presented by Ehab Hussein Synapse Malware Research Team : Sofiane Talmat (Algeria) Ehab Hussein (Egypt) Saadtalaat (Egypt) Amr Thabet (Egypt)

Antivirus HAX! Presented by Ehab Hussein Synapse Malware Research Team : Sofiane Talmat (Algeria) Ehab Hussein (Egypt) Saadtalaat (Egypt) Amr Thabet (Egypt)

AntiVirus HAX! Presented by Ehab Hussein Synapse Malware research team : Sofiane Talmat (Algeria) Ehab Hussein (Egypt) SaadTalaat (Egypt) Amr Thabet (Egypt) http://www.synapse-labs.com [email protected] Synapse Intro History AV Detection Techniques Bypassing Sophos :) Demo Student Bounty Challenge $$$ http://www.synapse-labs.com [email protected] Security Corporate Services Services Solution Development Trainings http://www.synapse-labs.com [email protected] Viruses don't harm, ignorance does! « The Evolution of malware within the last ten years is described by the evolution of people who develop that » (Eugene kaspersky) http://www.synapse-labs.com [email protected] http://www.synapse-labs.com [email protected] – 1948 – 1966 (First theroical Approach) John von Neumann « Theory of self-reproducing automata » http://www.synapse-labs.com [email protected] – 1971 (First Worm) Robert (Bob) H. Thomas (BBN technologies) "I'm the creeper, catch me if you can!" Machine : PDP-10 System : TENEX Transport : ARPANET was the world's first operational packet switching network and the core network of a set that came to compose the global Internet. Funded by Darpa http://www.synapse-labs.com [email protected] WORM http://www.synapse-labs.com [email protected] TROJAN HORSE http://www.synapse-labs.com [email protected] – 1974/1975 (First Trojan Virus) John Walker « ANIMAL » UNIVAC 1108 http://www.synapse-labs.com [email protected] – 1982/1982 (First microcomputer Virus) Rich Skrenta « Elk Cloner » Apple II Boot Sector http://www.synapse-labs.com [email protected] BOOT SECTOR http://www.synapse-labs.com [email protected] – 1986 (First IBM-PC Virus) Basit & Amjad Farooq Alvi « Brain Boot Sector » « Pakistan Flu » « Lahore » http://www.synapse-labs.com [email protected] – 1986 (First File Infector Virus) VirDem Ver.: 1.06 (Generation #) aktive. Ralf Burger Copyright by R.Burger « Virdem model» 1986,1987 .com Phone.: D - 05932/5451 This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x http://www.synapse-labs.com [email protected] COM INFECTION http://www.synapse-labs.com [email protected] 1987 (Destructive Virus) Vienna / Lehigh / Yale / Stoned / Ping Pong Cascade (self-encrypting file virus) IBM Antivirus http://www.synapse-labs.com [email protected] 1987 Jerusalem « Infecting .EXE » Interrupt 1808(EXE) Friday 13th 1813(COM) ArabStar BlackBox BlackWindow Friday13th HebrewUniversity Israeli PLO Russian http://www.synapse-labs.com [email protected] EXE Infection http://www.synapse-labs.com [email protected] 1988 (First Internet Worm) Robert Tappan Morris « The Morris worm » Buffer Overflow 6000 infections http://www.synapse-labs.com [email protected] BUFFER OVERFLOW http://www.synapse-labs.com [email protected] 1988 (First Multipartite Virus) Ghostball EXE/COM/Boot Sector http://www.synapse-labs.com [email protected] Multipartite virus A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was coined to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. For a complete cleanup, all parts of the virus must be removed. http://www.synapse-labs.com [email protected] 1988 (First Polymorphic Virus) Mark Washburn & Ralf Burger « the Chameleon family » « Vienna and Cascade » 1260 http://www.synapse-labs.com [email protected] Polymorphism http://www.synapse-labs.com [email protected] 1995 (First Macro Virus) « Concept » Sub MAIN REM That's enough to prove my point End Sub http://www.synapse-labs.com [email protected] Macro Virus Macro is a language built into a software application such as a word processor. Since some applications (notably, but not exclusively, the parts of Microsoft Office) allow macro programs to be embedded in documents, so that the programs may be run automatically when the document is opened http://www.synapse-labs.com [email protected] 1998 Chen Ing Hau CIH v1 « Chernobyl / Spacefiller » overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS. http://www.synapse-labs.com [email protected] 1999 (Year of the worms) Jan 20: Happy99 worm (emails) (Spanska) March 26: Melissa worm (Microsoft Word/ Outlook) June 06: ExploreZip worm(Microsoft Office documents) December 30: Kak worm (Javascript worm / Outlook Express bug) http://www.synapse-labs.com [email protected] 2000 (The most damaging worm ever) « ILOVEYOU worm (VBS/Loveletter) » VBScript http://www.synapse-labs.com [email protected] 2000 (The year of Exploits) Mai : Sadmind worm (Sun Solaris / Microsoft IIS) Juillet : Code Red worm (Microsoft IIS indexing) Septembre : Nimda worm (Windows/Code Red / Sadmind) Octobre : Klez worm (MS IE / MS Outlook / Outlook Express) http://www.synapse-labs.com [email protected] 2002 (Metamorphic virus) Mental Driller « Win32/Simile » (Etap / MetaPHOR) 90% metamorphose May 14 / System locale http://www.synapse-labs.com [email protected] METAMORPHIC VIRUS metamorphic code is code that can reprogram itself. Often, it does this by translating its own code into a temporary representation, editing the temporary representation of itself, and then writing itself back to normal code again. This procedure is done with the virus itself, and thus also the metamorphic engine itself undergoes changes. This is used by some viruses when they are about to infect new files, and the result is that the "children" will never look like their "parents". http://www.synapse-labs.com [email protected] 2002/2003 (Rise of the RAT & Trojans) a RAT, or remote access trojan (sometimes remote administration tool) is a program that listens for and accepts connections from a remote 3rd party and carries out the commands that 3rd party gives it... Beast (Delphi) Optix Pro Graybird ProRat http://www.synapse-labs.com [email protected] 2004 (First Webworm) « Santy » - Target : phpbb forums - 40 000 sites infections http://www.synapse-labs.com [email protected] 2006 (First ever Mac OS X virus) « OSX/Leap-A or OSX/Oompa-A » Lan worm Bonjour Protocol (iChat buddy list) http://www.synapse-labs.com [email protected] 2007 « ZEUS » (drive-by downloads /phishing) June 2009 : 74,000 FTP 3.6 million infections in USA 28 Oct.2009 : 1.5 million messages phishing on facebook 14/15 Nov. 2009 : 9 million emails infected(Verizon Wireless) Credits cards of 15 banks compromised 1 Oct.2010 : FBI / 70 millions $ and 90 arrests May.2011 : source code release http://www.synapse-labs.com [email protected] 2007 (Mise a pirx : 250 000 $) « Conflicker » NetBIOS Exploits MS08-067 http://www.synapse-labs.com [email protected] BOTNET http://www.synapse-labs.com [email protected] Cyber Weapons !!!!! 2010 : STUXNET Destructive (targets industrial systems) 2011 : Duqu NON Destructive (targets industrial systems to gather information that could be useful in attacking) http://www.synapse-labs.com [email protected] AntiViruses http://www.synapse-labs.com [email protected] Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987 Enough Said... http://www.synapse-labs.com [email protected] Detections http://www.synapse-labs.com [email protected] Signature Based Detection http://www.synapse-labs.com [email protected] Behaviour Based Detection http://www.synapse-labs.com [email protected] Normalization http://www.synapse-labs.com [email protected] What About rootkits Signature-Based File Integrity Monitoring (ex: Tripwire) Hooking Detection Network-Based Detection Heuristics-Based Detection http://www.synapse-labs.com [email protected] Lets Bypass That AV #Demo http://www.synapse-labs.com [email protected] 1- Locate the signature : in our case we have : A- the signature turko 0x00003F87 0x00000005 0x00004343 0x00000005 0x000044EF 0x00000005 0x0002E754 0x00000005 0x0002E76C 0x00000005 0x0002E78F 0x00000005 http://www.synapse-labs.com [email protected] B- the Starting of the MZ file to be dropped the MZ signature starts from 37D64 : MZP before the MZP there is another signature in unicode starting at 37D1A it starts the unicode string DENAME http://www.synapse-labs.com [email protected] 2- Patching the signature : A- the signature turko All what we can do is change some chars to capital letters (playing with case) for all the patterns found B- we need to encrypt the signature starting from 37D1A (43F11A in debugger) from Hexworkshop we load the exe and we go to the address 37D1A (43F11A in debugger) we select from there till the end of the file (approx 0xBC6E bytes) we go to tools/operations and we make some encryption for example : Add 20 Xor 27 http://www.synapse-labs.com [email protected] now back to debugger, we load the exe then we go to DATA section at address 43F11A : we select the following part : 0043F11A 44 00 45 00 4E 00 45 00 D.E.N.E. 0043F122 4D 00 45 00 06 00 44 00 M.E..D. 0043F12A 56 00 43 00 4C 00 41 00 V.C.L.A. 0043F132 4C 00 03 00 45 00 44 00 L..E.D. 0043F13A 54 00 0B 00 50 00 41 00 T..P.A. 0043F142 43 00 4B 00 41 00 47 00 C.K.A.G. 0043F14A 45 00 49 00 4E 00 46 00 E.I.N.F. 0043F152 4F 00 07 00 52 00 4F 00 O..R.O. 0043F15A 4F 00 54 00 4B 00 49 00 O.T.K.I. 0043F162 54 00 4D 5A 50 T.MZP we put a breakpoint on memory on access We run the exe, the breakpoint will be hit at the following instruction : 7C9350C0 0FB706 MOVZX EAX,WORD PTR DS:[ESI] http://www.synapse-labs.com [email protected] we can see it's in NTDLL.DLL, we look into the stack and we search for the return address to our binary so we locate the original call addres we find the following in the stack : 0012FF00 |00403EC9 É>@.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    59 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us