Understand malwares

Transcript

1. Understand malwares Practical steps for beginners

2. whoamy Just another Programmer four years experience Security Engineer Ten

   years experience Antonio Costa – github.com/CoolerVoid Twitter: @Cooler_freenode

3. Reference

4. Malwares Malware is the name for a program designed to

   mistreat its users. Viruses typically are malicious, but sometimes software products and software preinstalled in products can also be malicious — and often are, im not even joking, it’s a sad fact. You can see that these softwares sometimes stand in the whitelist of signatures of some antivirus. Malware often contains hidden behavior which is only activated when properly triggered.

5. Last microsoft report 2020 https://www.microsoft.com/en-us/wdsi/threats

6. Malware for Linux ? Fake pkg resources like fake deb,

   fake rpm, fake ko(kernel module)… Fake sudo Fake auth with QT/GTK/X11… keyloggers with X11 etc... Its not impossible ! github.com/GiacomoLaw/Keylogger - keylogger github.com/CoolerVoid/rootstealer - tool to manipulate X11 github.com/m0nad/Diamorphine - Rootkit for modern kernels github.com/mthbernardes/Derbie - Tool to generate malicious .deb pkgs

7. Malware for mobile ? Google and Apple invest a lot

   in security research, but that's not enough! As we have shown time after time, malware is still able to bypass market security ! (google play, appstore) Every day security vulnerabilities are discovered in a constant basis, and if your device is not patched, you are vulnerable!

8. Android Malware uses Android’s Accessibility Service to take over the

   phone, displaying a request prompt that would allow it to add itself to the device administrator list and become the default message manager. Once the takeover is complete, malware can send an SMS/whats app msg containing a specific text to any number, extract text messages and send them to the cracker, open links, change the address of the company center, steal data like phone call info. Other view, once the takeover is complete, malware can send msg to spread him self for your contacts… each malware have a different context!

9. Android

10. Android

11. Warning

12. The X-files This is my compendium of strange underground codes

    to make a schoolar joke, forbidden recipes, fallen functions from the depths... only to Windows platforms. Keep out of malicious feelings, Only to study security purposes! https://github.com/CoolerVoid/X_files/

13. Malware in Java... Everything uses libC, for example CoreUtils used

    by unix like systems like FreeBSD, Linux, Darwin(MacOS)... you can see commands like rm,ls,mv,mkdir... this programs uses libc, labels for syscalls in unistd.h etc...

14. The X-files Overview:

15. Unkillable process

16. Persistence Unix systems you can use rc.local, init… have other

    paths…

17. Hooking Operating systems and software may provide the means to

    easily insert event hooks at runtime. It is available provided that the process inserting the hook is granted enough permission to do so. Microsoft Windows for example, allows you to insert hooks that can be used to process or modify system events and application events for dialogs, scrollbars, and menus as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. Linux provides another example where hooks can be used in a similar manner to process network events within the kernel through NetFilter( github.com/CoolerVoid/HiddenWall ).

18. Trial bypass history

19. Trial bypass history Hook time functions… GetSystemTime() GetTimeFormat() SystemTimeToFileTime()… If

    have NTP external check, make Pharming in hosts... docs.microsoft.com/en-us/windows/win32/sysinfo/time-functions

20. Antivirus uses hook

21. Antivirus uses hook

22. Keylogger function

23. Screenlogger function

24. Backdoor resources Socket(), listen(), bind()… libcurl… libnet… raw socket port

    knocking

25. Backdoor resources Send(), recv(), sendfile() etc...

26. Backdoor resources popen(), system(), execv()...

27. Port knocking Raw socket shell with AES256-GCM using Port Knocking

    technique github.com/CoolerVoid/ninja_shell Raw mode is basically there to allow you to bypass some of the way that your computer handles TCP/IP.

28. Fake process name

29. Fake process name

30. Danger docs... Macros, VBA, Exploits... Turn a normal PDF file

    into malicious. github.com/3gstudent/Worse-PDF Turn Doc files in malicious. https://github.com/sevagas/macro_pack

31. Other resources Replace QR-code Change render of bar code Steal

    Cookies form grabbing Steal DB of browser (Sqlite) Using browser to bypass firewall (headless) Uses bitlocker to encrypt data… (ransomware) Uses embedded lib to encrypt resources… Miner bot... Up fake driver (rootkit)...

32. Other resources bootkits… bios...

33. Protections To prolong the life of a malware, you can

    frequently see anti-VM and anti-debugging techniques being used to delay the analysis process performed by security experts. The good news for you is that you have a lot of ways to try and mitigate that, for example with ollydbg you can use OllyExt plugin to try bypassing anti- debugger resources, another way you can detect some behaviors while also following the hooking approach is, for example, when the debugger executes a malware, you can force by hooking the function IsDebuggerPresent() to make it always return zero( bypassing the debug detector).

34. Bypass malware protections But in any case, you can also

    protect the machine. You can use the function IsDebuggerPresent() and, with hooking, force it to always return value 1. By following this approach the malware is never going to start the trigger since he’s either frozen or called an exit() function by now, some other contexts may happen as well. Malware often contains hidden behavior which is only activated when properly triggered. No trigger, the malware quits, simple.

35. The enemy

36. Do you know your enemy ?

37. Do you know your enemy ?

38. Install vmware additions or virtualbox resourses to mimic a VM

    in your desktop… Manual unpack and Migrate DLLs, binarys etc

39. Trigger Anti-VM resources Inspired from the PowerShell script Fake Sandbox

    Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools. github.com/NavyTitanium/Fake-Sandbox-Artifacts
40. None

41. Trigger Anti-VM resources

42. Problems in sandbox artifacts Bank desktop applications uses anti debugger

    and AntiVM resources… this can close your bank desktop application… Games(steam client/ origens client) have anti-cheat engines, that engines close application when detect VM resources or Debugger resources...

43. Warning

44. theZoo “theZoo is a project created to make the possibility

    of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.”. https://github.com/ytisf/theZoo

45. Veil “Veil is a tool designed to generate metasploit payloads

    that bypass common anti-virus solutions”. github.com/Veil-Framework/Veil

46. al-khaser “Public malware techniques used in the wild: Virtual Machine,

    Emulation, Debuggers, Sandbox detection. ”. https://github.com/LordNoteworthy/al-khaser

47. Other resources https://github.com/wtsxDev/reverse-engineering github.com/beerisgood/Windows10_Hardening github.com/LOLBAS-Project/LOLBAS github.com/mentebinaria (Brazilian cool stuff)

48. Other paths

49. Doubts ? Contact: coolerlair [at] gmail [dot] com

50. Thank you !